HIPAA

The Internet poses unique opportunities and challenges to the healthcare industry. It enables the industry to lower transaction and operational costs while providing better service to customers, partners, and physicians. Leveraging an open network such as the Internet also raises concerns about the privacy of individually identifiable patient information. To address these security concerns, the United States Congress passed HIPAA "The Health Insurance Portability and Accountability Act" - also known as Public Law 104-191-, a set of standards that simplify electronic transactions and define minimum requirements for network security. As healthcare organizations strive to leverage the Internet, they need to deploy a security architecture to meet government regulations and ensure the trust of patients.

The Administrative Simplification section of HIPAA is designed to improve the efficiency and effectiveness of the healthcare system by standardizing the electronic data for specified administrative and financial transactions, while protecting the security and confidentiality of that information.

• Insurance payers will be required to accept the standard transactions.
• Healthcare providers that uses electronic transactions must use the HIPAA standards
• Healthcare "clearinghouses" must meet HIPAA standards. Providers and health plans also have the option of using a claims clearinghouse, which can accept nonstandard claims and other transactions. The clearinghouse would then convert them to HIPAA standards.

HIPAA will require standards in all of the following areas:

• Transactions and code sets
• Identifiers
• Security
• Privacy

Currently, there is no common standard for the transfer of information between healthcare providers and payers. As a result, providers had to meet many different payer requirements. For some providers who submit claims to hundreds of payers, programming their computer systems to meet these requirements has been a difficult and expensive process. HIPAA will change this practice by requiring payers to accept the following transaction standards for EDI:

Nine electronic transaction standards:

• Health claims/encounters
• Claim payment and remittance advice
• Healthcare claim status
• Eligibility
• Referrals
• Healthcare enrollment
• Health plan premium payments
• First report of injury
• Claims attachments

The Accredited Standards Committee X12 (ASC X12) standards have been adopted for nearly all of these transactions. In particular, the standardized implementation guidelines developed by X12N will be adopted, starting with version 4010. These implementation guidelines can be found at www.wpc-edi.com/hipaa .

In order to support standard transactions, HIPAA will mandate the use of unique identifiers for:

• Providers. The proposed rule for the unique identifier for providers is the National Provider Identifier (NPI), originally intended for use in the Medicare system. The identifier will probably have 10 numeric positions with a check digit as the tenth digit. Implementation of this standard will require DHHS to establish a system to assign and deploy the identifiers.
• Health plans. The proposed rule for the unique identifier for health plans is expected to apply the work that HCFA did for a Medicare PayerID to all health plans nationwide. The identifier will probably have 10 numeric positions with a check digit in the tenth position.
• Employers. The employer identifier is based on the the Internal Revenue Service assigned Employer Identification Number (EIN). The EIN has nine numeric positions.
• Individuals receiving healthcare services (patients). The most controversial of the proposed identifiers, the patient identifier is on hold pending privacy legislation. However, industry experts speculate that the identifier will consist of approximately 10 numeric digits with a check digit.

The proposed security standards are technology neutral and and scaleable for the size and complexity of healthcare organizations.

At minimum, all health plans, clearinghouses and healthcare providers that transmit or maintain electronic health information must conduct a risk assessment and develop a security plan to protect this information.

They must also document these measures, keep them current, and train their employees on appropriate security procedures.

The proposed security standard is divided into four categories:

• Administrative procedures used to guard data integrity, confidentiality and availability. These are documented, formal procedures for selecting and executing information security measures. These procedures also address staff responsibilities for protecting data.
• Physical safeguards to guard data integrity, confidentiality and availability. These safeguards protect physical computer systems and related buildings and equipment from fire and other environmental hazards, as well as intrusion. The use of locks, keys, and administrative measures used to control access to computer systems and facilities are also included.
• Technical data security services to guard data integrity, confidentiality and availability. These include the processes used to protect, control and monitor information access.
• Technical security mechanisms, including processes used to prevent unauthorized access to data transmitted over a communications network.

Uncertain of how safe and secure electronic transactions are, most patients are demanding healthcare organizations protect the individual's right to privacy. Privacy is a critical foundation for the ability to move toward electronic transactions and new e-health strategies.

These privacy rules outline specific rights for individuals regarding protected health information and obligations of healthcare providers, health plans, and health care clearinghouses. This rule would:

• Requires consent to use protected health information for treatment, payment and operations for healthcare;
• Allows health information to be disclosed without patient authorization for certain purposes (such as research, public health and oversight) but only under defined circumstances;
• Requires written authorization for use and disclosure of health information for other purposes;
• Creates a set of fair information practices to inform patients how their information is used and disclosed, ensure they have access to information about them; and
• Requires health plans and providers to maintain administrative and physical safeguards to protect the confidentiality of health information and guard it from unauthorized access.

Under the rule, healthcare providers, health plans and clearinghouses are prohibited from using or disclosing health information except as authorized by the patient or as specifically permitted by the regulation.

It's important to note that these protections are afforded to health information that identifies a specific individual. A healthcare provider, health plan or clearinghouse may use de-identified health information in any way it chooses, as long identifiers have been "stripped" and a key is not disclosed that would allow the information to be re-identified.

To review the proposed regulations in their entirety go to: aspe.os.dhhs.gov/admnsimp.

Sydasoft will provide you with extensive, yet simplified HIPAA training that can enable you to become a consultant for your clients on HIPAA issues. This training can help you a great deal during the marketing stage when you are presenting your services to potential clients.

Our HIPAA Training Includes the Following:

• HIPAA at a Glance Material
• HIPAA Model Compliance Plan
• HIPAA Quiz (Test your client's knowledge on HIPAA! Use as ice-breaker for presentations)
• Effective HIPAA Educational Flyer (To use when marketing your services)
• HIPAA Sample Consent Forms
• Simplified HIPAA Frequently Asked Questions
• HIPAA Resources
• One Full Hour of One-on-One Consulting with a Sydasoft HIPAA Professional