Your best bet is to start before final rules are set
If you thought the dawning of the year 2000 means you don’t have to worry about your computer systems anymore, you’d better think again. Even if your lights come on and your computers still work on Jan. 1, you still have the Health Insurance Portability and Accountability Act (HIPAA) to deal with. And some experts predict that’s an exercise that will make Y2K compliance look like a cakewalk.
Even though HIPAA’s administrative simplification and security and confidentiality measures won’t be required until 2002, the regulations will be so comprehensive that you’d better board the compliance train as soon as possible, say experts in the field of electronic data transmission.
"The best time to have planted a tree was 50 years ago. The next best time is now," says Christopher Assif, CEO of Health Network Ventures of Chicago, operator of Health.Net, an on-line network for medical professionals and office staff.
"Our approach is that there are a lot of electronic data interchange and security measures you can refine or implement now to prepare you better for the future," Assif adds.
Taking these steps sooner rather than later will help you spread the cost over the next two years, he says. Even if there are changes in the requirements, you can make those over time.
The first step is to begin exploring electronic data transmission instead of paper documentation.
"Health care providers need to act more like a business and cut their administrative costs. If providers continue to be paper-based, the outstanding days in receivables will do nothing but go up," Assif says.
While the new regulations will hit the entire health care industry, physician offices are likely to be the most vulnerable, because fewer than 20% of them are even connected to the Internet, Assif asserts. He advises physicians to start integrating electronic data interchange capabilities into their everyday activities right now.
"The most important thing people can do is to become familiar with the standards that are on the horizon. They are expected to be adopted within the next month or two, but the drafts have been out for quite some time," says Jim Klein, director of HIPAA compliance services for EDS in Plano, TX.
Klein suggests that providers go to government Web sites and study the standards, particularly those relating to security regulations, identifiers, code sets, and transaction standards. (For a list of Internet sources of information on HIPAA, see p. 182.)
Even though you might not know the specifics of the regulations, there is enough information on the generalities for you to start your own internal compliance efforts.
Here are some tips for getting ready for HIPAA compliance:
• If you are already using software, find out what you need to do to be HIPAA-compliant.
"Our suggestion is that physician offices select a partner to supply them with electronic data interchange capabilities," Assif says.
If you have a practice management system in place, your vendor may be able to provide those services. Or, look for vendors that offer electronic data services and can provide you with a system that will meet your needs.
• Keep your Y2K compliance teams intact and shift their responsibilities to dealing with HIPAA compliance, advises John Knapp, an attorney with the Philadelphia law firm of Cozen and O’Connor.
• Get your staff involved. Make sure everyone in your organization understands the implications of HIPAA.
• Contact any practice management systems you deal with and ask them what they are doing to make sure they are HIPAA-compliant.
"They will play a key role in assuring that providers become compliant in the two-year time period," Klein says.
• Start working now to develop security policies and procedures so you will be in compliance with HIPAA’s confidentiality and privacy provisions.
Even though the details of the regulations have not been disclosed, you can assume that you need to decide what categories of employees and staff need access to what information and how you are going to protect patient records, Knapp says. (For more on security issues, see related story, at right.)
Strictly speaking, health care providers are not required to comply with HIPAA regulations. If your practice is totally paper-based, you may be able to avoid jumping through the hoops the act will mandate.
But, for practical purposes, almost every physician in America is going to have to comply if they use computerized records in any way, shape, or form.
If you are using information technology, you fall within the guidelines and will need to implement additional controls and requirements.
"Everyone is going to have to comply with HIPAA. Virtually every doctor’s office has a computer with a database that is used for appointment scheduling and billing records," points out Knapp.
Many health insurers are already mandating electronic transmission of medical records.
"Ultimately, providers will get into a situation where they won’t get paid if they don’t subscribe to HIPAA," says Assif.
It will get to the point that if you want to do business, you’ll have to do it electronically, and that means being compliant with HIPAA, says Jon Zimmerman, solutions manager for Shared Medical Systems Corporation, a supplier of information systems and professional services for health care providers in Malvern, PA.