HIPAA expert says ask vendors for extension

Extra time isn’t automatic; you have to request it

Despite a bill extending the deadline for implementation of the Health Insurance Portability and Accountability Act’s (HIPAA) electronic data interchange (EDI) provisions from Oct. 16, 2002, to Oct. 16, 2003, don’t assume you actually have the extension.

Hospitals still have to file for it, cautions Liz Johnson, RN, MSN, CHE, executive vice president and national HIPAA practice leader for Houston-based Healthlink, a health care consulting firm. U.S. House bill 3323 also requires that the extension request be accompanied by a proposed budget for HIPAA, she adds.

Providing specific dollar amounts would be difficult, Johnson notes, because the extension has to be filed by Oct. 16, 2002. Providers may not know how much they’ll need to spend, she says. "If the vendors can’t tell us how much it will cost, how can we tell the government?"

"I think the point [of that requirement] is that you are recognizing there is a potential need to spend money," Johnson says. "Are you prepared, if appropriate, to spend budgetary resources?"

Because the bill does not provide for the review of budgets, Johnson says she suspects that what will be required is "some kind of attestation or affidavit that you’re going to do these things."

The Centers for Medicare and Medicaid Services (CMS) was to have provided a template for EDI transactions by March 31, 2002, Johnson says. "CMS is pushing hard to have entities file electronically."

Computer software vendors, meanwhile, are doing better in terms of HIPAA preparation, she adds, noting that Healthlink is monitoring the status of 910 vendors. "I feel better about the action we’re seeing from major vendors. They’re realizing they’re going to have to do it. We’re getting more substantial answers and are seeing things I think are reliable."

Still, Johnson says, the situation comes down to two primary questions: How much will it cost providers to make the necessary system modifications, and exactly when will it happen?

"Some [vendors] say, We’ll be ready,’ but it’s like, You’ll be ready for what? Are you going to do strictly claims submission for institutional claims, or are you ready to do whatever we can do?’" Johnson says she suspects most major vendors will be ready to submit claims (forms 837I, 837P, and 837D) and receive electronic remittance advice (form 835).

Providers need to pay particular attention to the fact that the new process calls not only for a new format, but for additional information to be gathered, she notes.

"What’s interesting is that the 837I [the form hospitals will complete under the new EDI billing standard] has 160 elements we’ve never collected before," Johnson says. "That’s more than just reformatting. Providers need to collect those."

Don’t assume vendors will do it all

That means vendors will need to provide a place to record the new data and a process for doing so, she points out. "[Providers] need to list the new data elements and then have the vendor tell them where they will go in the system. What’s being perceived out there is a simplification of what really has to be done.

"Some [providers] think the vendors will do it all," Johnson adds. "But many vendors don’t realize how many new elements there are." Another issue, she says, is where the data will be collected. "Most of it will happen at registration, but some information is clinical in nature."

The prevalent perception of hospital personnel with whom she works is, "’It’s not an issue — my vendor will get me what I need,’" Johnson says. "But the question is whether the vendor even knows."

Providers should inform their vendors that they will begin testing for HIPAA compliance by April 2003, determining their ability to send a bill to a payer electronically, she suggests.

Johnson advises access managers and other hospital professionals not to think of the EDI deadline extension as a delay. "It really only buys you six extra months [because of the need to do testing], and you need the time because the vendors are not really ready," she explains. "Take the opportunity to get your organization ready and be cognizant of [the vendor issue]."

"We’re still getting sunset notices [from some vendors]," Johnson adds, "telling [providers] they’re not going to support changes. You need to verify that your vendor will be ready."

Providers should work out a schedule with payers, ensuring that they will cooperate in the testing process, she notes. "You can’t just test a system without being able to send to somebody."

Despite widespread speculation that the effective date of the HIPAA privacy rule would be delayed along with the EDI standard, Johnson says that will not happen. "The bill specifically states that it will not be delayed," she explains. Implementation of the privacy standard is set for April 13, 2003.

Since the Sept. 11 terrorist attacks, Johnson says, the government’s focus has understandably been on national security, and work on HIPAA slowed down for a time. But the need for individuals to protect their personal information "is even clearer today," she says.

As far as implementation of the HIPAA privacy provisions is concerned, Johnson says it’s time to swing into action. "We know the first deadline is for privacy now, and [providers] need to move into that mode, recognizing the need for policy and procedure changes and new authorization and consent procedures."

"When you get those figured out," she adds, "you need to train people. So don’t stop anything you’re doing for EDI, but also get ready for this part. It all goes hand in hand now, so you really have to work on both concurrently."