This section addresses the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which was the result of efforts by the Clinton Administration and congressional healthcare reform proponents to reform healthcare in a way that would streamline industry inefficiencies, reduce paperwork, make it easier to detect and prosecute fraud and abuse and enable workers of all professions to change jobs, even if they (or family members) had pre-existing medical conditions.
The Secretary of the Department of Health and Human Services adopted Version 5010 to replace the current version of the X12 standard that covered entities (health plans, health care clearinghouses, and certain health care providers) must use when conducting electronic transactions, including: claims (professional, institutional and dental), claims status requests and responses, payment to providers, eligibility requests and responses, referral requests and responses, enrollment and disenrollment in a health plan, Coordination of Benefits and premium payments.
The Secretary also adopted version D.0 to replace the current version of the NCPDP standard covered entities must use for pharmacy and supplier transactions including: claims, eligibility requests and responses, referral certification and authorization and Coordination of Benefits.
The current versions of the standards (the Accredited Standards Committee X12 Version 4010/4010A1 for health care transactions and the NCPDP Version 5.1 for pharmacy and supplier transactions) are widely recognized as lacking certain functionality that the health care industry needs.
ICD-10-CM codes are the ones designated for use in documenting diagnoses. They are 3-7 characters in length and total 68,000, while ICD-9-CM diagnosis codes are 3-5 digits in length and number over 14,000. The ICD-10-PCS are the procedure codes and they are alphanumeric, 7 characters in length, and total approximately 87,000, while ICD-9-CM procedure codes are only 3-4 numbers in length and total approximately 4,000 codes.
Before the ICD-10 codes can be used, however, physicians and others in the health care community must start using the new version of the HIPAA transaction standards, known as 5010, by January 1, 2012, because the current version, 4010, does not accommodate use of the ICD-10 codes.
Need ICD10 conversion help? See: http://www.icd10data.com/Convert for a nifty code converter for ICD9 to 10 Code Suggestions.
CMS STATEMENT ~ FOR IMMEDIATE RELEASE
Thursday, November 17, 2011
Centers for Medicare & Medicaid Services’ Office of E-Health Standards and Services Announces 90-Day Period of Enforcement Discretion for Compliance with New HIPAA Transaction Standards
Original Implementation Timeline For all covered entities:
Effective Date of the regulation: March 17th, 2009
Level I* compliance to begin by: December 31st, 2010
Level II** Compliance by: December 31st, 2011
All covered entities have to be fully compliant on:
Current CMS Regulatory Implementation Dates.
Effective (Implementation) Date
Operating rules for eligibility and claim status: July 1, 2011; Jan. 1, 2013 (one year after 5010, nine months before ICD-10)
Operating rules for remittance advice and EFT: July 1, 2011; Jan. 1, 2014
Operating rules for claims, enrollment and dis-enrollment, premium payments and referrals: July 1, 2014; Jan. 1, 2016
Final rule for Unique Health Plan Identifier: Oct. 1, 2012
Standard for electronic funds transfer: Jan. 1, 2012; Jan. 1, 2014 (same date for operating rule)
Standard and operating rules for claims attachment: Jan. 1, 2014; Jan. 1, 2016
Health plans file statement that their systems are in compliance with standards and operating rules for EFT, eligibility, claims, status, and payment and remittance advice: Dec. 31, 2013
Level I compliance means "that a covered entity can demonstrably create and receive compliant transactions, resulting from the compliance of all design/build activities and internal testing." We expect covered entities to be testing throughout calendar year 2011, and to schedule testing as early as possible, to ensure sufficient time for corrective actions and re-testing.
Level II compliance means "that a covered entity has completed end-to-end testing with each of its trading partners, and is able to operate in production mode with the new versions of the standards."
Medicaid agencies sometimes pay pharmacy claims for which another payer is liable for payment. A new standard for Medicaid subrogation for pharmacy claims, known as NCPDP Version 3.0, was adopted in the Modifications rule, along with Version 5010, D.0 and ICD-10. Medicaid agencies will use the subrogation standard to pursue reimbursement from other payers. The compliance date for the Medicaid subrogation standard is also January 1, 2012, except for small health plans, which will have until January 1, 2013 to come into compliance.
The requirement to adopt transaction standards originated from the 1996 Health Insurance Portability and Accountability Act (HIPAA). The Transactions and Code Sets final rule published on Aug. 17, 2000, adopted standards for the statutorily identified transactions, some of which were modified in a subsequent final rule published on Feb. 20, 2003. On January 16, 2009, HHS published a final rule that replaces the current Version 4010/4010A and NCPDP Version 5.1 with Version 5010 and Version D.0, respectively, and adopted NCPDP Version 3.0 as well.
White Paper by Bruce Fraser and Tom Stevens
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was the result of efforts by the Clinton Administration and congressional healthcare reform proponents to reform healthcare in a way that would streamline industry inefficiencies, reduce paperwork, make it easier to detect and prosecute fraud and abuse and enable workers of all professions to change jobs, even if they (or family members) had pre-existing medical conditions.
The HIPAA legislation had four primary objectives:
The HIPAA legislation is organized as follows:
Guarantees health insurance access, portability and renewal
Preventing healthcare fraud and abuse
Enforcement of group health plan provisions
Revenue offset provisions
However, when looking at HIPAA it is important to remember that the actual HIPAA rules and detailed requirements that the healthcare industry has to follow stem from the Administrative Simplification (AS) provisions of HIPAA, which fall under Title II (Fraud and Abuse) of the HIPAA act itself. These provisions are intended to reduce the costs and administrative burdens of healthcare by making possible the standardized, electronic transmission of administrative and financial transactions that are currently executed manually and on paper.
The Administrative Simplification (AS) provisions specifically state what rules and standards the healthcare industry must implement in order to be in compliance with HIPAA. The AS provisions also require specific implementation deadlines, based upon the date when the Final Rule (for a specific issue) is published in the Federal Register, plus the mandatory 60-day review period during which the rule may be challenged and overturned or delayed on appeal. For example, the Final Rule for National Standards for Electronic Transactions (which include EDI Transaction and National Code Set standards for claims processing) was the first HIPAA compliance rule to publish, on August 17, 2000, and therefore the compliance date for this rule becomes October 16, 2002 (2003 for small health plans).
This rule requires healthcare organizations, insurers and payors that have been using any electronic means of storing patient data and performing claims submission (including faxes, we are told) to comply with this new Final Rule for National Standards for Electronic Transactions.
Providers that use an electronic clearinghouse to process their transactions do not have to modify their systems at present to assure compliance; however, the provider has to make sure that the clearinghouse, as a business partner, is compliant with the new regulations. In all likelihood, providers will at least have to make some modifications to ensure ancillary and departmental systems are capturing HIPAA-required information and transmitting that data to their Admission, Discharge and Transfer (ADT) systems and billing systems in order for the clearinghouse to be able to create and send a HIPAA-compliant transaction.
Additional provider, payor and insurance system modifications will also be required for Privacy and Security rules as mandated by the AS provisions, so having a clearinghouse does not preclude a provider, insurer or payor from having to make other computer system changes as part of their HIPAA compliance efforts.
At the risk of oversimplification, this rule requires providers, insurers, payors and to a small extent, employers to submit enrollments, eligibility and claims processing via Electronic Data Interchange or EDI transactions.
EDI is nothing new and has been commercially available since the 1980s. Many large companies have been using EDI for years to process orders, send invoices and issue or receive payments with their electronic trading partners.
EDI is essentially a set of very specific rules governing how information will be packaged in order to send orders, invoices, statements and payments electronically from one electronic trading partner to another.
The government has essentially adopted this standard as a good way of ensuring that everyone (providers, payors, insurers and employers) will use these excellent standards as a way of communicating and sending information to each other. Properly done, EDI transactions do not require human intervention and should process very quickly. Therefore, providers should be able to submit electronic eligibility or benefit inquiries and claims via EDI transactions to the payor, whose claims system should process the EDI transaction quickly, returning a claim payment/advice electronically and without delay.
Other HIPAA compliance rules currently defined and proposed under the (AS) provisions, but not expected to be finalized until 4Q, 2000 or early 1Q, 2001, include:
The Standards for Privacy of Individually Identifiable Health Information are designed to help guarantee privacy and confidentiality of patient medical records. These new Standards for Privacy are quite extensive. Healthcare providers, insurers, payors and employers should review this rule and its requirements in great detail with the intent to update and replace any current internal guidelines in order to ensure HIPAA compliance.
The National Provider Identifier, the Employer Identifier and an earlier proposal for a National Individual Identifier were designed to help speed processing of enrollment, eligibility and claims processing by having a national set of identification numbers that the entire industry would use to identify a specific provider, insurer or patient. These same steps would also help identify fraud and abuse by eliminating situations where providers and individuals have multiple identifiers today, making it difficult to match and track claims to both providers and individuals, particularly where fraud is intended.
However, the National Individual Identifier ran afoul of protests from civil libertarians and individuals concerned about big brother having the ability to identify, track and gain information about anyone in the country via a single identification number. As a result, the National Individual Identifier seems to have been put on the sidelines until such time as a reasonable compromise could be worked out that would assure all sides that there would be no abuses of such a system.
Electronic Signatures will come into play at some point in the future, but when is difficult to predict at this time. Electronic Signatures may be required for persons submitting healthcare claims and claims attachments through the use of a digitally encrypted key "signature", that requires a "private key" to create and send the "signed document". The document and electronic signature can then be authenticated as only having been sent by that individual, by a person using a public key to decipher and open the document, typically a payor or insurer who would be processing the claim and attachments. This eliminates the possibility of persons submitting false or fraudulent claims later denying that they were the person that sent the claim.
However, for a uniform encrypted key system to work absolutely and without the possibility of error (that could lead to deniability) for the entire health industry in the United States, there must be a national organization that could be universally trusted to assign, distribute and manage keys on a national basis and without error. Such an organization has yet to be established. Therefore, this HIPAA rule seems somewhat more distant than the others, in terms of implementation.
However, these rules fall short of requiring specific technology or specific vendor solutions to address such issues as security and protection of individually identifiable patient information through the use of biometric devices (palm print readers, retinal scanners, fingerprint readers, etc.) for workstation security, enterprise-wide network security or the security of data transmission of claims information to insurers or payors for claims processing. By not defining specific technology or vendor solutions, the Department of Health and Human Services (DOHSS) has left enough wiggle room to say that the AS provisions are technology neutral, thereby passing the responsibility of evaluating and justifying appropriate technological solutions into the laps of each individual healthcare institution, based upon their unique business requirements.
Healthcare organizations under tremendous financial pressure and having enough difficulty fielding enough qualified nurses for a single shift will have trouble justifying the expense of retinal scanners on their workstations and servers or encrypting their entire hospital data network in order to ensure the protection of individually identifiable patient data. As a result, there will be a distinct lack of uniformity in HIPAA compliance and implementation at the institutional level, based upon what each organization can justify and/or afford.
Achieving HIPAA compliance, particularly for healthcare providers, will not be easy and will be costly to the provider and payer organizations. Providers, payors and insurers will have to educate and train their staffs to be in compliance with the new requirements and then perform ongoing compliance monitoring and application of appropriate sanctions when necessary. Providers, unlike insurers, also have to deal with millions of family members, loved ones and outside visitors from all walks of life in the course of performing daily business. These daily visitors, along with security challenges supplied in ample quantity by Internet hackers, email viruses and the sheer physical size of some organizations, make the protection of individually identifiable patient information a major challenge in itself.
Like most federally mandated programs, there are no provisions for the recovery of HIPAA compliance implementation costs or the ongoing costs to train new staff and monitor HIPAA compliance after initial implementation. Sadly, it is the author's opinion that more institutions will close as a result of not being able to achieve HIPAA compliance for a variety of reasons. Currently, some experts are estimating the costs of achieving initial HIPAA compliance (not counting ongoing compliance training and monitoring once implemented) at over $66 billion and climbing.
However, there is a long-term bright side to HIPAA compliance. Over time and once fully implemented, HIPAA should minimize the amount of paperwork and human intervention required to verify a patient's eligibility and minimize the amount of human effort required to perform claims processing, since the required eligibility and claims transactions should not require human intervention if submitted correctly and according to the transaction standards. Insurers or payors may only want to manually examine randomly submitted claims or claims for a specific individual or business as part of fraud or abuse detection. Since claims should be processed far more quickly, claims payments to the providers should also speed up (at least in theory), hopefully easing some of the cash flow burden for provider organizations. Security improvements to prevent deliberate or accidental accessing of unique or individually identifiable patient data will address concerns over privacy of patient data. Moreover, digital Electronic Signature (as proposed) will ensure that persons submitting fraudulent electronic insurance or Medicare/Medicaid claims will not be able to deny submitting them in court later on.
While it is easy to get tangled up in the emotion of having the expenditures and work effort required to achieve HIPAA compliance, it is important to remember there are many positive features of HIPAA. The need for insurance portability is apparent. Protecting the patients' right to the privacy of healthcare information has always been, and should remain a high priority. Reductions in fraud and abuse are certainly welcome, if not long overdue. Quicker processing of eligibility and claims not only reduces the cost of these items to the hospital and the insurer/payor but provides better service to the patient as well. Although there may be some pain associated with the successful implementation of compliance rules, the result will ultimately be the improvements that the Clinton administration and Congress agreed upon and intended.