HIPAA Compliance FAQ
1. What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability
Act signed into law in 1996. Its primary purpose is
to provide continuous insurance coverage for workers
who change jobs. An Administrative Simplification section
in the law requires adoption of standards for security,
privacy and electronic healthcare transactions.
2. Why is HIPAA important to my organization?
In addition to being in compliance with federal law,
HIPAA standards make good business sense!
While converting to electronic transaction standards
and ensuring network security will initially be a cost
to the industry, providers will significantly benefit
by real time access to eligibility, enrollment, and
claims status information as well as improved cash flow.
It is not too early to reap the benefits. For example,
one provider was able to reduce the number of nurses
required to do hospital pre-certifications by two thirds
using secure e-mail.
As providers are consolidating, integrated delivery
systems are building more expansive networks and exchanging
information with many more organizations. These providers
are struggling with the need for unique identifiers
and exposing themselves to greater risks of breaches
of confidentiality and compromised data integrity. For
example, without intrusion detection built into
a network, an altered laboratory test result
could lead to a major lawsuit.
3. Who must comply with HIPAA requirements?
All health plans, clearinghouses, and providers who
choose to exchange data electronically must comply with
HIPAA requirements. These requirements do not pertain
only to providers receiving federal funds.
4. When must we comply with HIPAA requirements?
Standards are required to be implemented within 2
years of the effective date of the final rule, which is
generally 60 days after publication of the rule.
5. What information would be useful to brief the organization's
executives on the scope of HIPAA?
- HIPAA compliance will be a multi-year, large cost,
institution-wide effort that will be required by Federal
law, Federal regulation, and related regulatory and
accreditation bodies within the next 2-4 years.
- Failure to comply will result in significant monetary
penalties. The consequences of knowingly disclosing
individually identifiable patient information are
criminal penalties.
- Implementing HIPAA will affect how healthcare entities
organize and staff to achieve and monitor compliance
with patient privacy/confidentiality needs. HIPAA
compliance is better focused as a business issue than
as an Information Technology issue, although IT will
play a major role in implementing compliant systems.
- HIPAA will affect how independent providers deal
with managing both electronic transactions (claims,
referrals, remittance) and medical records.
- Large and medium sized organizations will need executive
sponsorship and dedicated resources to lead the HIPAA
compliance effort. Compliance-related activities may
compete with other major projects.
- HIPAA's requirements may cause significant changes
in process, organization, and/or staffing in the area
of claims management.
- HIPAA's requirements are meant to encourage healthcare
organizations to move patient information handling
activities from manual to electronic systems in order
to improve security, lower costs, and lower the error
rate. These resources need to be planned for.
- HIPAA mandates will require substantial changes
in the policies, processes and administration governing
patient specific health information. Similarly, it
will require updates of all information systems that
use or collect patient data, and will require the
introduction of new features and functions.
- Implementing HIPAA will improve security of healthcare
information. Patient privacy and the security of all
medical records will be more routinely assured. Information
systems will have an improved general resistance to
operational disruptions. It may be useful to consolidate
off-network medical record information to a secure
network.
- Because HIPAA covers all healthcare organizations,
compliance itself is substantially a non-competitive
issue. Coordinating and co-implementing HIPAA mandated
changes among providers, payers, and IT vendors (especially
in claims management) will minimize the cost, confusion
and disruption involved in the transition.
6. If Congress does not pass a privacy bill this year, how will that
impact the requirements for security standards?
It will not impact the security standards required
under HIPAA. A national privacy law would define rights
with respect to confidentiality and access to health
information. The security standards in HIPAA address
administrative procedures, physical safeguards, technical
security services, and technical security mechanisms
to guard data integrity, confidentiality, and availability.
7. How will compliance with HIPAA standards be monitored?
Initially, organizations will use the competitive
marketplace to mutually enforce compliance. Organizations
will also find that electronic transmission of claims
using standard transactions will improve cash flow,
increasing the business reason for compliance. Accrediting
and licensing organizations will also be incorporating
compliance with the standards into their processes.
8. We do not exchange data electronically with other enterprises,
only within our enterprise. We batch claims and mail
a disk to the clearinghouse. Do the standards apply to us?
Yes, the security standards apply to the exchange of all
electronic health information within an enterprise as
well as across enterprises. Transmissions over the Internet,
an extranet, leased lines, dial-up lines, and private
networks are included.
All electronic media are included - even when the information
is physically moved (e.g., through the postal service)
from one location to another using magnetic tape, disk,
or compact disc.
Telephone voice response and "fax back" systems
are not included.
9. Which electronic healthcare transactions are affected by the
rules?
Based on current information, eleven transaction standards
are scheduled for implementation:
- Health Care Claim (837)
- Coordination of Benefits (837)
- Payment and Remittance Advice (835)
- Electronic Funds Transfer
- Claims Status Inquiry/Response (276/277)
- Eligibility Inquiry/Response (270/271)
- Health Care Service Review (278)
- Patient Information Attachment (275)
- Enrollment (834)
- Premium Payment (820)
- First Report of Injury
Organizations need to thoroughly assess their transaction
systems to ensure a smooth transition to the mandated transaction
standards. Start now to review your current systems and
develop proper procedures.
10. What are the mandated standard code sets? Where can
I get more information about code sets?
ICD-9-CM: Official version is available on CD-ROM
from the Government Printing Office (GPO) at 202-512-1800
or FAX: 202-512-2250. The CD-ROM contains the ICD-9-CM
classification and coding guidelines. Versions of ICD-9-CM
are also available from several private sector vendors.
CPT-4: Official version is available from the American
Medical Association. Versions are also available from
several private sector vendors.
Code on Dental Procedures and Nomenclature: Official
version is available from the American Dental Association
at 800-947-4746.
NDC: Official versions of the files are available on-line.
NDC codes are also published in the Physicians' Desk
Reference under the individual drug product listings
and "How supplied." The supplements are available
quarterly on diskette from the National Technical Information
Service at 703-487-6430.