Here’s a wake-up call on EDI part of HIPAA

‘Many providers not aware,’ consultant says

With all the attention being given to the federal privacy rule — set for implementation in April 2003 — another key part of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 apparently is failing to get the attention it deserves.

HIPAA’s electronic data interchange (EDI) provisions — with a much closer implementation deadline of Oct. 16, 2002 — have, in many cases, "fallen between the cracks," suggests Liz Johnson, RN, MSN, CHE, executive vice president and national HIPAA practice leader for Houston-based Healthlink, a health care consulting firm.

By that date, hospital access personnel — and their counterparts in physician offices — must have new transactions in place for billing, says Johnson, and collect new data in a different way.

When the proposed rules for EDI were put forth, she says, providers were so busy with concerns about the year 2000 (Y2K) computer issues "that they kind of missed it." When the privacy rules came around, providers "were all back awake again."

"A lot of people are not aware of this," she adds. "EDI is the first part [of HIPAA] that actually has to be in place. I speak almost daily on the subject and people are still like, ‘You’re kidding,’ or ‘Will you just send me a form?’"

What’s called for, Johnson emphasizes, is not a form but a new way of collecting information in an electronic manner.

Most health care billing today is done with the UB92 form (for hospitals) or the HCFA 1500 form (for physicians), she notes. Every payer can ask hospitals to fill out the UB92 a different way "so there are 400 different ways" to do it, Johnson adds. "Going forward, they will all accept [bills] in the same way, which is a big plus once we get there."

Under the new EDI standard for billing, providers will complete an 837I (institutional) or an 837P (professional) bill, she says. "The things [hospitals] collect today on the UB92 will not be the same data they collect when they complete the 837I. The world becomes complex."

Two components are required, Johnson explains. There must be a process in place to collect the new data, and technology will have to support the new data. One question to be asked, she says, is, "Do I have a field to put them in?" Another priority, Johnson adds, "is to work with vendors and say, ‘When are you going to have this technology ready for me to put this new information in? I have to test it and I have to train my people on how to use it.’"

It’s important to point out, she says, that while large vendors are very cognizant of the new requirements, smaller vendors are not so aware. Hospitals with proprietary systems may have even more cause for concern, Johnson suggests.

"There are all kinds of vendor response issues to deal with," she says. "What if the guy down the street [who set up your system] is not going to do any more with that application? There are a number of vendors that are saying, ‘We got ready for Y2K, but we aren’t doing this HIPAA thing. We have seven applications that do this, but we’re going to keep the top three and the other four are going away.’"

Such an approach is understandable, Johnson says, but it may put providers in a bind. "In a small hospital — or even in a big one — you don’t always get to have the latest and the greatest. There are decisions on what you can actually spend. Sometimes you buy the financial system and sometimes you buy the MRI."

Her recommendation to access managers, she says, is to take these steps:

Increase education and awareness. That involves not only enhancing your own personal knowledge, but educating your staff.

Determine the baseline. "Where are we today? What do we already collect? How can we tweak the process so it’s right for the future?"

Do remediation planning. Decide what you’re going to do. Set up a time line, including what actions vendors will take, and then implement that plan. There should also be a post-implementation plan, Johnson says, "because nothing ever goes as smoothly as you think it will."

Healthlink’s approach is to educate hospital personnel, and to make sure their physician offices are aware of the EDI requirements, she notes. "If [hospitals] own physician practices or do billing for them, they are impacted as well. Those covered by this law are providers, payers and clearinghouses."

One example of the new data that are called for, Johnson says, has to do with "getting more information and more specific information around the events that lead up to hospitalization. There is also more information [required] about accident sites and causality sites."

For as long as she’s been in the health care industry, Johnson points out, the letter "S" has meant "single." Going forward, she says, "the letter ‘S’ means ‘separated,’ and the letter ‘I’ means ‘individuals.’ For people out there who have been doing this for years, and for whom it’s gotten pretty routine, this is a big change."

There are a number of companies building "bridging" or "transition" strategies to assist health care providers with EDI implementation, Johnson notes, but she cautions against relying too much on that kind of help.

"They say, ‘I’ll go out and get the data and put it in the right format,’" she adds, "but if you’re not collecting the data now, how will this electronic thing go out and get it, if it’s not there? It doesn’t matter how fancy or elaborate the bridging strategies, you can’t capture what has not been collected."

Healthlink has an assessment and project management tool called HIPAA TRAAC, Johnson says, that is aimed at helping hospitals determine if they’re ready for billing, and if not, what’s missing.

"It also allows you to find out [if your computer system] meets security requirements," she adds. "There is a questionnaire that says, ‘It has to do this, it has to do this . . .’ [The tool] also lists all the security policies and procedures required by law. You can enter yours in the same table and see what you have. It’s a way of getting your baseline information in and then monitoring it to make sure you’re making progress toward getting compliant."

HIPAA TRAAC includes a "public library" of software applications and hardware interfaces, with information on what is happening with them, Johnson notes. "You can find out what McKesson is doing with STAR — what version is going to be compatible."

Information specific to an institution goes into its own "private library" in HIPAA TRAAC, she says.

[For more information about Healthlink or HIPAA TRAAC, call Louisa Dow at (800) 223-8956 or visit the company’s web site at]