The trusted source for
healthcare information and
Technical changes require behavior modification
November and December 1999 brought significant privacy legislation changes to health information management department doors, but were likely lost in the frenzy of the new year.
HIPAA mandates standards for electronic data interchange (EDI) and code sets, establishes uniform health care identifiers, and seeks protections for confidentiality and security of patient data. The final standard for transactions and coding was expected in November 1999. The final standards for the National Provider Identifier, the National Employer Identifier, and security and electronic signatures were expected to be released in December. (For information about the standards for privacy of individually identifiable health information, see p. 3.)
Health care providers will be required to implement standards within two years of the effective date of the final rule, generally 60 days after publication of the rule. The effective date for the national provider identifier is planned to be no earlier than July 2000, however, to give the department enough time to develop the system for implementing the identifier.
Providers should not become too comfortable with this time frame. "Let’s not let [HIPAA] be another Y2K," says Christopher Assif, president and CEO of Health Ventures Network in Downers Grove, IL. "Let’s start planning for this today and start implementing solutions so that there isn’t a rush to the goal line in the last month or so before the mandate kicks in."
Accrediting bodies such as the Joint Commission on Accreditation of Healthcare Organizations in Oakbrook Terrace, IL, and the National Committee for Quality Assurance (NCQA) in Washington, DC, will be adding pressure for providers to be HIPAA compliant, too.
"The Joint Commission and NCQA have recently said that compliance with the standards is going to be a key element of an organization’s credentialing or accreditation," Assif says. "This obviously has a number of quality ramifications, but it has specific payment considerations, as well." For example, a health care provider that is not using HIPAA-mandated EDI might have its Joint Commission certification withheld and consequently lose reimbursement for its Medicare patients.
Even without the pressure of the accrediting agencies, implementing more electronic transactions will benefit providers in the long run. "We’ve demonstrated time and time again with studies from different university business schools that [EDI is] good for the provider community from a perspective of reducing costs and improving quality of service," Assif says.
Providers that aren’t using EDI now can start implementing it at a basic level and then work over the next two years toward implementing the broad breadth of EDI requirements that HIPAA is mandating, Assif says. "It’s like eating an elephant; the best way to do it is to take one bite at a time."
"Start with your claims, your eligibility, and your benefits — these are relatively easy to implement from an EDI perspective," he advises. "Do this now with as many health plans as you can."
Providers need to remember that complying with HIPAA standards requires more than just adapting to different technologies. It demands behavior modification and work flow changes, too.
"Modify your current paper business process, and get people off telephones, off fax machines. Let them start using technology at the point of service where patients present themselves," Assif says. Many university settings or large integrated delivery networks, for example, can have 150 registration points because of their clinics, emergency departments, radiology department, laboratories, and other departments that see patients directly. Some of the employees in these settings might not use PCs or have quick access to information in their paper-based systems.
"Go ahead and deploy technology in those locations now. Get [staff] familiar with it, and let them start doing [the transactions] before they’re a mandate," he says.
Before undertaking an effort toward HIPAA compliance, however, providers should add the effort to their strategic plan and identify key people in their organizations to spearhead it.
"It may be the same group who’s been charged with Y2K compliance," Brandt says. A number of organizations are considering using the resources that they had devoted to Y2K and switching them to HIPAA compliance once systems are up and running after the new year.
After establishing a HIPAA compliance team, providers can follow these recommendations for evaluating their ability to meet the HIPAA standards:
• Take a comprehensive inventory of your individually identifiable electronic health information.
"That could be a challenging task because you need to look at not only your major systems, but at your individual databases that contain electronic health information that identifies individual patients, too," says Mary Brandt, MBA, RRA, CHE, vice president for professional services in Quadramed’s health information solutions division in Houston. Quadramed is a health care consulting company.
Some of the databases may reside on PCs that are maintained by researchers and include cancer registries, cardiac registries, and trauma registries.
• Conduct a risk assessment.
"Look at potential risks and vulnerabilities," Brandt says. In addition to threats from inside users, providers should consider the possibility of outside attacks if their system has Internet access or dial-up access.
• Develop a work plan to address the identified risks.
"Put those in priority order so that you address the most significant risks first," she says. "You can’t fix everything at once."
• Evaluate the audit trails on your existing information systems.
There is no such thing as absolute security, Brandt says, but to give the best protection, audit trails should be recording every access to patient information. Many audit trails, however, record the access only if someone actually adds or deletes information.
• Keep your approach flexible and scalable.
According to the regulations, providers should use appropriate technology processes and procedures for the size and complexity of their organization, Brandt says.
• Keep procedures reasonable.
"I’m always concerned about clients who develop policies and procedures that are above and beyond what they can actually do in practice," she says.
• Evaluate new information security technologies.
"Many of us try so hard to do things through the same old passwords or PIN numbers," Brandt says. "We keep changing passwords on [employees] every 30 days. Or [we give employees] six different passwords for different systems, and the only way they can remember that step is to write it down. [When they do that], there goes your security."
Systems are now available that use biometric identifiers such as fingerprints, voiceprints, or retinal scans to securely authenticate users. "If I have to use my fingerprint to turn on the computer and get access to the programs that I’m assigned to, it’s hard for anyone else to borrow that identifier," she says.
• Make HIPAA compliance a group effort.
"I see a very strong role for the HIM professional in the organization because HIM professionals have been so closely tied to privacy and confidentiality issues," Brandt says. And other people who have been involved with Y2K from a technical perspective would be key to these efforts, too."