The trusted source for
healthcare information and
Sweeping changes coming in medical records
The Health Insurance Portability and Account ability Act (HIPAA) of 1996 requires everyone in the health care industry to overhaul their methods of handling medical records electronically — and the effects are likely to be much more costly and far-reaching than the Y2K problem.
HIPAA includes regulations that standardize all electronic data interchange of health information and require protection of the security of electronic medical records. The standards, part of the Administra tive Simplification portion of the act, apply to any health care provider or health plan that electronically maintains or transmits health information.
The U.S. Department of Health and Human Services (HHS) is expected to issue final rules for HIPAA compliance by early 2000. (For a proposed schedule of HIPAA regulations, see table on p. 181.) Providers will be expected to be in full compliance within two years after the final rules are issued.
|HIPAA Regulation Schedule|
|The U.S. Department of Health and Human Services has issued a schedule for Health Insurance Portability and Accountability Act regulations. First, the department will issue a Notice of Proposed Rule Making (NPRM), which is the draft of the regulations. The time between the NPRM and the publication of the final rule is used to review and analyze the comments received before the final rule is made. The standards will be implemented within two years of the effective date of the final rule, which is generally 60 days after publication.|
|NPRM Published||Final Rule Expected|
|Standard Transactions and Coding||5/7/98||11/99|
|National Provider Identifier||5/7/98||12/99|
|National Employer Identifier||6/16/98||12/99|
|NPRM in Development|
|National Health Plan Identifier||12/99||5/2001|
|National Individual Identifier||?||?|
"HIPAA will have significant impact on every player in the health care industry," says Bill Braithwaite, PhD, senior advisor on health information policy at HHS.
HIPAA will set standards for health care providers that use electronic data interchange (EDI) solutions for common administrative functions. The rules will set out regulations for transactions and coding, national provider identifiers, national employer identifiers, and security. HIPAA does not mandate electronic data transmission, but providers who use EDI must follow the act’s standards, or risk heavy penalties.
The law is intended to encourage development of standardized electronic transactions among all segments of the health care industry and to improve the efficiency and effectiveness of the health care system. Currently, more than 20 cents of every health care dollar is spent on administrative overhead, according to General Accounting Office estimates. HIPAA aims to cut those costs.
When the standards are in place, health care providers will be able to submit a standard transaction to every health plan, whether it’s to check eligibility of a patient, authorization for treatment, request for a referral, or a claim. This means your clinical, billing, and financial applications should be simplified, and the cost of doing business should be cut.
In fact, providers should expect to save $9 billion annually and the health care industry as a whole can save $26 billion a year by using EDI, predicts the Workgroup on Electronic Data Interchange, an industry association located in Reston, VA, appointed to help HHS develop EDI standards.
However, before that happens, the health care industry has a lot of work to do. Providers have spent an enormous amount of money and time dealing with the Y2K issue. They’ve overhauled their computer systems and beefed up services just to be able to stay in business beyond Jan. 1. But now, those efforts are likely to be eclipsed by the effort required to become HIPAA-compliant.
"One of the hot issues for the year 2000 and beyond is going to be HIPAA compliance," says John Knapp, an attorney specializing in health care issues with the Philadelphia law firm of Cozen and O’Connor.
Under HIPAA, all health care organizations will have to make changes in the technology they use to exchange electronic health care transactions. The rules to be issued by HHS will set national standards for administrative and financial transactions, procedure and diagnosis code sets, unique identifiers for providers, employers, and health plans. New security rules will be issued to ensure that individually identifiable health information and records are accessible only to authorized people.
If you don’t understand HIPAA and the implications it will have for your practice, you’re not alone.
When Jim Klein, director of compliance services for Plano, TX-based information technology service firm EDS, talks to provider groups, he always asks how many people in the audience have heard of HIPAA. The results are not encouraging. Usually only one or two out of 50 people raise their hands.
"People simply aren’t aware of what they’re going to have to do," says Klein. "When I try to get the attention of the information services people and chief financial officers to get them to start thinking about HIPAA, I find that they are preoccupied with Y2K and that they feel that since Congress didn’t pass any legislation, there is no law to comply with," Knapp says.
However, he adds, after the final rules go into effect early in 2000, providers will have just 24 months to put security measures in place, upgrade their practice management systems, and take other steps to make sure they are in full compliance with the regulations.