HIPAA News
What is HIPAA?
One of the major issues that will be confronting every medical practice that utilizes electronic distribution of patient information is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The purpose of this series of regulations is to protect the confidentiality of patient information that travels in the public network and to standardize coding for electronically transmitted patient insurance claims, enrollment, and billing information.
Provider IDs
Continuing its effort to complete the HIPAA requirements, HHS has published the final rule for National Provider Identifiers (NPI). The rule went into effect May 23, 2005, the date when providers can apply for an ID number. Full compliance is required starting May 23, 2007. The NPI will be administered by the government and have ten digits (the tenth digit serves as a check digit). Individual providers will have a leading “1” in the number and institutions will have a leading “2.”
Electronic Claims
With the adoption of both the Privacy and the Transaction and Code Set (TCS) Rules, HIPAA marches on. While TCS went into effect on October 16, 2003, the low number of institutions ready to comply caused Centers for Medicare and Medicaid Services (CMS) to issue a contingency plan that will allow submission of non-compliant electronic claims for an undetermined period of time. Blue Cross/Blue Shield adopted a similar position. With few exceptions, claims must still be submitted electronically; paper claims will not be accepted.
If you are submitting claims, make sure your data fields are ready to meet the new requirements. The use of standardized Employer ID (Tax ID) numbers began on July 30, 2004.
Patient ID Numbers
The Institute of Medicine has called for reconsideration of standardized Patient ID numbers as a way to improve the sharing of healthcare information among providers. The controversial Patient ID had previously been tabled during revision of the HIPAA code set regulations.
ICD-10 Codes
The National Committee on Vital and Health Statistics has proposed the adoption of ICD-10 codes. While acknowledging improvements over ICD-9, many organizations, including Blue Cross/Blue Shield, claim that the high cost of upgrading computer systems to support the new codes would be prohibitive.
Sample Collection Dates
CMS has recently sent a program memorandum reminding physicians of the need to provide sample collection dates when submitting orders. Without a collection date, differences in the date of service submitted by the lab and by the physician could result in delayed or, possibly, denied reimbursement. Fortunately, for those locations using Orchard Harvest™ LIS, Orchard Harvest™ Webstation, or Orchard Copia®, compliance with this requirement is a snap.
New FAQ
The CMS Office of Civil Rights (OCR), the body responsible for the enforcement of HIPAA, has issued a new set of Frequently Asked Questions (FAQ) regarding the sharing of Protected Health Information (PHI). Go to the OCR website (www.hhs.gov/ocr/hipaa/) for more information about sharing PHI with patients’ relatives, sharing PHI for treatment, and many other topics. CMS also provides answers to many HIPAA questions on their own FAQ page, and you can even submit your own questions. Go to the CMS home page at www.cms.hhs.gov and follow the links.
On February 20, 2003, Centers for the Medicare & Medicaid Services (CMS) published the final HIPAA Security Rule (Federal Register Vol. 68, No. 34). In its final form, the rule is more closely aligned with the Privacy Rule and focuses on security management rather than technology. This means that it should be easier for institutions to adopt new technologies and appropriately apply the standards based on the size and complexity of individual operations.
The Rule requires policies and procedures to prevent, detect, contain, and correct security violations of electronic records. Paper records are not addressed in the Security Rule, but remain subject to all of the Privacy Rule requirements. Some of the standards covered by the rule now are deemed "required" and must be done, while others are labeled "addressable," allowing reasonable and appropriate measures for implementation.
The final Security Rule has a compliance date of April 20, 2005. But, its close association with the Privacy standards that took effect in April 2004 means that, for most organizations, implementation probably began much sooner.
For more information you can go to CMS' website (http://www.cms.hhs.gov)
or download Orchard's HIPAA guide from the Download Center on our website.
To access the Download Center, sign into
our website, and then click the Download Center link.
The implementation of HIPAA is already impacting many facets of the medical industry. However, with the official start date for one rule postponed a year, a second "final" rule likely to change again, and a third rule still unpublished, it is anyone's guess when HIPAA will be complete.
In the meantime, we offer some HIPAA highlights from 2002.
Obtain our Customer Guide to HIPAA from our online Download Center. To access the Download Center, log in to the customer-only area of our website.
In addition, you may access our sample HIPAA Business Associate Contract. This sample document may be used by any Orchard customer as a template for an agreement between Orchard Software and our customers to ensure the security and confidentiality of patient demographic and patient testing information.
October 15, 2002, was the deadline for filing a compliance plan to receive an extension for becoming compliant with the HIPAA Electronic Health Care Transactions and Code Sets standards. Visit the CMS site for the latest HIPAA information: http://www.cms.hhs.gov/HIPAAGenInfo/
In late December 2000, the Health and Human Services department published the HIPAA Final Rule: Privacy Standards in the Federal Register. You may view the press release in its entirety, or you may download a copy of the final regulation from the Health and Human Services website. If you do not want to download the 700 page document, you can order a copy of the regulation from the Superintendent of Documents at: (202) 512-2250.
Organizations will have 26 months from the release of a final rule to comply. It is critical that you evaluate all aspects of patient data access in your organization. The laboratory is only one component of the administration, security, and privacy of patient data that is touched by the HIPAA regulation.
We are advising you to continue to monitor HIPAA-related web sites and the trade press to watch for articles discussing the ramifications of this regulation.
Look for updates on our website and in our newsletter that will provide resources and additional information to help you prepare for HIPAA compliance.