How are business functions impacted?

HIPAA has a far-reaching impact on the functions, processes, and systems that store or generate health information. It requires a fundamental change in how providers and payers conduct their business. HIPAA adds a set of new risks and legal liabilities for healthcare organizations. The affected organizations are required to make significant administrative and operational changes, implement new information standards, upgrade existing systems and infrastructure for security, and ensure the privacy of protected health information.

The existing information systems would require extensive changes and upgrades to implement HIPAA EDI standards. Accrediting agencies such as JCAHO and NCQA will demand compliance as a requirement for accreditation. Organizations must formally appoint or designate a HIPAA privacy officer. Although one of the goals of HIPAA is to reduce cost, impacted organizations can expect to initially invest a substantial amount of time and resources. HIPAA standards apply to 5 broad areas:

  • Transactions - Electronic Data Interchange (EDI) standards for the mandated administrative and financial transactions
  • Code Sets
  • Unique National Health Identifiers
  • Security and Electronic signatures
  • Privacy regulations

The table below depicts the impact of HIPAA on the business functions within an organization:

| Business Function | EDI | Code Sets | Identifiers | Security | Privacy |
|---|---|---|---|---|---|
| | Electronic Data Interchange Standards. | Code sets are to provide uniformity. | Unique National Health identifiers are provided to service orgs. | Security measures are both electronic and administrative. | Privacy regulations require specific procedures. |
| Patient Accounting | X | X | X | X | X |
| Medical Records | | X | X | X | X |
| Claims / Encounters | X | X | X | X | X |
| Enrollment | X | | X | X | X |
| Eligibility | X | X | X | X | X |
| Medical Management | X | X | X | X | X |
| Case Management | X | X | X | X | X |
| Customer Service | X | | X | X | X |
| Marketing | | | X | X | X |
| Sales / Underwriting | X | X | X | X | X |
| Benefit Design | X | X | X | X | X |
Compliance in these five areas will necessitate a 3-prong approach encompassing Management, Operations, and Technology.

Transactions, Code Sets, and Identifiers compliance will involve changing software applications and programs. Although Security and Privacy compliance will require operational and process changes, eventual implementation of many aspects under these two areas will have to be carried out through information technology (IT). For example, the HIPAA privacy regulation gives patients the right to access and, if necessary, amend certain information that a provider collects and stores. Implementing this requirement will involve programmatic changes that IT will have to carry out. HIPAA Privacy and Security requirements, although largely driven by policies and procedures, will need the support of information technology for compliance.

Transactions - EDI
Regulations for transaction standards were finalized on August 17, 2000 with compliance required by October 16, 2003. The standards will facilitate automation and connectivity in the fragmented healthcare industry, thereby reducing cost and improving efficiency. Many providers and health plans do not currently use some of the standards and will be required to make IT investments and business process changes to handle the new transactions. The chosen standards do not map to the UB92 and HCFA1500 forms, and hence a careful review of systems and interfaces will be necessary. In some cases, multiple fields from the UB92 and HCFA1500 forms will map to a single ANSI standard segment, and in other cases, fields do not match at all.

HIPAA requires adoption of the chosen standards, ANSI X12N version 4010, for the following 9 administrative and financial transactions:

1. Healthcare Claim or equivalent encounter information: The transmission of either of the following - a) a request to obtain payment and the necessary accompanying information for a healthcare provider to a health plan, for healthcare; or b) if there is no direct claim, because the reimbursement contract is based on a mechanism other than charges or reimbursement rates for specific services, the transaction is the transmission of encounter information for the purpose of reporting healthcare. Coordination of Benefits transaction is also included here and involves transmission from any entity to a health plan for the purpose of determining the relative payment responsibilities of the health plan.
2. Healthcare Claim Status Inquiry and Response: the transmission of an inquiry to determine the status of a healthcare claim or a response regarding the status of the claim.
3. Healthcare Payment and Remittance Advice: the transmission of either of the following for healthcare - a) payment information about the transfer of funds, or payment processing information from a health plan to a healthcare provider's financial institution; or b) explanation of benefits or remittance advice from a health plan to a healthcare provider.
4. Healthcare Referral, Authorization, Certification: the transmission of a) a request for the review of healthcare to obtain an authorization for the delivery of care, b) a request to obtain authorization for referring an individual to another healthcare provider, c) a response to a request described in a) or b).
5. Health Plan Enrollment/Dis-enrollment: the transmission of healthcare subscriber information to establish enrollment in a health plan or terminate subscription from a plan.
6. Health Plan Eligibility Verification Inquiry and Response: for the purpose of verifying health plan eligibility for the enrollee, the transmission between health plans or between healthcare provider and health plan, of either of the following a) eligibility to receive healthcare under the health plan, b) coverage of healthcare under the health plan, c) benefits associated with the health plan. The response from a health plan to another health plan or healthcare provider against the inquiry request.
7. Health Plan Premium Payment: the transmission of either of the following from the entity that is sponsoring the provisions of the care or is providing coverage payments for an individual to a health plan, a) a payment, b) information about the transfer of funds, c) detailed remittance information about individuals for whom premiums are being paid, d) payment processing information to transmit healthcare premium payments including payroll deduction, other group premium payments and associated information.
8. First Report of Injury*: the transmission to report a transaction that pertains to injury, illness or incident to entities interested in the information for statistical, legal, claims, and risk processing requirements. The final regulations did not address this transaction as a standard was not proposed. A separate proposed rule is expected.
9. Healthcare Claim Attachment* : the transmission of healthcare service information such as subscriber, patient, demographic, diagnosis or treatment data for the purpose of a request for review, certification, notification, or reporting the outcome of a healthcare services review. A separate proposed rule is expected on this as the legislation has given the secretary an additional year to finalize this standard.

Code Sets
HIPAA also gives the DHHS the authority to specify what data coding schemes can be used in the health care transactions. Regulations for code sets were finalized on August 17, 2000 with compliance required by October 16, 2003. A code set is any set of codes for encoding data elements. Examples are, sex, race, religion, medical diagnosis codes, procedure codes, etc. Codes can be broadly classified as "medical" or "administrative".

The code sets proposed under HIPAA standards are all de facto standards already in use by most healthcare organizations as far as "medical" codes are concerned. Examples are ICD-9-CM, CPT-4, CDT-3, etc.

The "administrative" codes have local flavors. There are national standard schemes for types of providers, types of services, place of service, claim status, claim adjudication results, and so on. These would all have to be used in place of proprietary coding schemes when using any of the mandated transactions. Some of these schemes are already in widespread use, while others would require substantial changes in business practices.

One of the more challenging requirements will be that all payers use the national standard Claim Adjustment Reason Codes, rather than proprietary codes, in their electronic payment and COB transactions. The potential effects extend well beyond the boundaries of electronic commerce. If covered entities have to use these codes in their electronic exchanges, they may also need to use them on their hardcopy forms and reports as well. Otherwise they end up with dual coding schemes, which would complicate both their internal processing and our external education and support activities.

As for the "medical" coding schemes, the Notice For Proposed Rule Making (NPRM) proposed the following:

  • ICD-9-CM (volume I and II): These are the diagnosis codes. The International Classification of Diseases, 9th edition, Clinical Modification codes are for most diseases, injuries, impairments, other health problems and causes of injury, disease, and impairment.
  • ICD-9-CM (volume III): This code set will be used for inpatient and hospital services.
  • CPT4: The Current Procedural Terminology level 4 code set will be used for physician services.
  • HCPCS: The HCPCS will be used for physician services and certain other healthcare services and for substances, durable medical equipment, supplies, and other items.
  • CDT3: This code set will be used for Dental services.
  • NDC: the National Drug Codes will be used for drugs and biologicals.
  • Other: The "administrative" code set.

It is proposed to remove both the CDT and the drug codes from the HCFA (now CMS) Common Procedural Coding System (HCPCS). It is also proposed that HCPCS Level III (local) codes be assigned nationally, rather than locally, but this may be reconsidered.

The standardization of the ICD-9-CM, CPT-4, CDT, NDC, and HCPCS code sets and the other "administrative" code set will ensure accurate and efficient data exchange between the various healthcare organizations. The payers will need to have the ability to receive and process all standard codes. Standardization of code sets will simplify claim submissions for healthcare providers who deal with multiple health plans. It will also improve the quality of data. Health plans will need to modify their systems to process the transactions with standardized code sets. These modifications could be extensive depending on the extent to which 'local codes' have been used. Changing code sets will also have a significant impact on the coding staff that will need re-training and initially, may lead to slower claims processing until staff becomes familiar with the new code sets. ICD-10 and CPT-5 code sets are on the horizon. However, as the law stipulates that changes cannot be made to the initial regulations for at least one year, regulations that would move the standards to ICD-10 and CPT-5 are not expected until later this year or quite possibly in 2002 or perhaps later.

Unique National Identifiers
HIPAA directs the DHHS to specify unique national healthcare identifiers for Providers, Health Plans, Employers, and Individuals (patients). It is also predicted that the patient identifier will not be finalized at all.

Provider Identifier: Proposed rules were published in May, 1998. The rules include the development of a new unique identification number called a national provider identifier (NPI) for all healthcare providers. The NPI is a 10 position alphanumeric identifier with a checksum digit. The number will not carry any embedded intelligence. NPI will not replace the tax identification number but will eventually replace the Universal Provider Identification Number (UPIN). NPI will be issued by the National Provider System (NPS) based on information entered into the NPS by one or more organizations known as "enumerators". Enumerators would enter identifying information about a healthcare provider into the system, perform data validation, notify a healthcare provider of its NPI, and update information about a healthcare provider.

Health Plan Identifier: Proposed rules have not been published for health plan identifiers. It is likely to be a 10 position alphanumeric identifier with a checksum digit. This identifier is expected to carry no embedded intelligence. The number will be assigned to health plans, including TPAs, IPAs, PPOs, etc.

Employer Identifier: Proposed rules were published in June, 1998. The DHHS proposes using the Employer Identification Number (EIN), the taxpayer identifying number of employers that is assigned by the Internal Revenue Service (IRS). The IRS has agreed to the use of the EIN.

Individual Identifier: The DHHS has put the development of individual health identifiers on hold until legislation is enacted specifically approving the standard. Individual identifiers have been controversial because of the perception that access to all information on an individual could be obtained through a single identifier, and due to the intense pressure from various interest groups, its development has been put on indefinite hold.

Lack of unique identifiers often results in delays in exchanging data among systems and between healthcare organizations. It also results in redundancy in data collection. This data duplication can be expensive. Incorrect provider data could hamper coordination of benefits and also impede fraud and abuse detection efforts.

Unique identifiers, once in place, will hasten efficiency and effectiveness of the system along with the transactions and code sets.

HIPAA Security
HIPAA mandates a set of rules to be implemented by health providers, payers, government benefit authorities, pharmacy benefits managers, claims processors, and clearinghouses to protect an individual's health information. Although HIPAA Security and Privacy standards are separate, they are closely linked. Privacy concerns what information is covered, and security is the mechanism to protect it. The privacy and the proposed security standard of HIPAA apply to any individual health information (the information identifies the individual or can be used to identify the individual) whether it is oral or recorded in any form or medium. This is also known as the protected health information or PHI. This definition of PHI is much broader than the draft rules that covered only electronic information. As such, it will require a significant change in the way health information is handled, disseminated, communicated, accessed, and stored.

The security standard was developed with the intent of remaining technologically neutral in order to facilitate adoption of the latest and most promising technology and to meet the needs of healthcare entities of different size and complexity. The security standards at this time are still awaiting finalization. The standard is a compendium of security requirements that must be satisfied. The solution will vary from entity to entity, with each entity meeting the basic requirements. The security standard mandates safeguards for physical storage and maintenance, transmission, and access to individual health information. The standard also requires safeguards such as encryption, as well as security mechanisms to guard against unauthorized access to data transmitted over a network. HIPAA provides a common sense approach to implementing recommended and required security procedures. It mandates that security standards must be applied to four main areas:

  • Administrative Procedures
  • Physical Safeguards
  • Technical Security Services
  • Technical Security Mechanisms

HIPAA Privacy
The HIPAA Privacy regulation defines standards to protect the privacy of individually identifiable health information. The privacy rules present standards with respect to the rights of individuals who are the subjects of this information, procedures for the exercise of those rights, and the authorized and required uses and disclosures of this information. Covered entities with less than 5 million in gross have to comply with the privacy rule by April 2004. The privacy rule describes in detail the various issues related to privacy of protected information: its use and disclosure in various circumstances, consents required for using protected health information, patient rights with respect to access and amendment of the information, and administrative procedures to be followed by the organization to comply with the regulations. The key elements in the privacy rule are:

  • Covers Protected Health Information (PHI) stored or transmitted irrespective of the medium - electronic, paper, or oral
  • Minimum Necessary Disclosure and use
  • No authorization necessary when PHI used for permitted healthcare operations. Authorization required for all non-routine use
  • Designated privacy officer and business associate contracts
