Tracker Spring 2002

REGULATORY UPDATE
Preparing for HIPAA Compliance

by Maureen Summers, RN, MBA, CHE 


Confidentiality of patient information has been regulated or promoted by law and by professional standards since the Hippocratic Oath in the 4th century B.C. Most healthcare professionals are familiar with the JCAHO standards, federal statutes that regulate information dealing with drug and alcohol abuse and HIV, and the professional standards of their own professional group. Now they must also learn about HIPAA, the Health Insurance Portability and Accountability Act of 1996.

As a provider of occupational healthcare, you need to be familiar with HIPAA and how it affects your program. Two major topics covered by this act are the portability of healthcare coverage and standards for electronic communication of information. The portability portion of the law, which protects an employee’s coverage when he or she changes or loses jobs, went into effect immediately. The second portion of the law (Title II, Subtitle F, Administrative Simplification) addresses the standardization of electronic data interchange as well as the protection of health information and confidentiality.

HIPAA mandates the development of standards in the following areas:

• Electronic transactions

• Code sets for data elements supporting electronic transactions

• Unique health identifiers for patients, providers, and plans

• Security standards

• Electronic signature

• Privacy

Two of the standards, the Transaction and Code Set Standard and the Privacy Standard, now have Final Rules and, as a result, have finalized compliance dates. The Privacy Standard became effective on April 14, 2001, and most health plans and healthcare providers must be in compliance by April 2003. The original compliance date for the Transaction and Code Set Standard was October 16, 2002, but it has recently been postponed until October 16, 2003 for any covered entity that submits a plan for compliance with the regulation by October 15, 2002.

The remaining standards do not have compliance dates as of publication of this article. (A standard’s compliance date is typically two years from the Final Rule date. The exception is small health plans, which typically have a compliance date of three years from the Final Rule date.) This article deals with the two aforementioned standards that have a Final Rule.


Privacy Standard

The Privacy Standard final regulations apply to health plans, healthcare clearing houses, and healthcare providers who handle or maintain individually identifiable health information regardless of the form or format of the information. Initially it referred to identifiable health information only in electronic form. The Office for Civil Rights issued Guidance for the Standards for Privacy of Individually Identifiable Health Information on July 6, 2001. (The guidance is posted on the Office for Civil Rights web site at www.hhs.gov/ocr/hipaa.)

The Privacy Rule creates national standards to protect an individual’s medical records and other personal health information. More specifically, it:

• enables patients to find out how their information may be used and what disclosures have been made;

• generally limits release of information to the minimum reasonably needed for the purpose of the disclosure;

• gives patients the right to examine and obtain a copy of their own health records and request corrections;

• holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights;

• strikes a balance when public responsibility requires disclosure of some forms of data, for example, to protect public health.

Effect of Privacy Rule on Occupational Health Providers

The average occupational health program is required to:

• safeguard protected health information from accidental or intentional use or disclosure that is a violation of the requirement of the Privacy Standard;

• provide information to patients in a document that discloses in clear language their privacy rights and how their information can be used;

• adopt clear privacy procedures that define who can access private information, how it will be used within the entity, and when information may be disclosed. The policy must also include a complaint provision;

• identify and ensure that its business associates protect the privacy of health information that is shared with them;

• train employees so they understand the procedures required by the Privacy Standard and how they affect their functions within the practice;

• designate an individual to be responsible for seeing that the privacy procedures are adopted and followed. This individual is also responsible for receiving, investigating, and resolving complaints;

• secure patient records containing individually identifiable health information, so that they are not readily available to those who do not need them.

Clinics are urged to perform a risk assessment of the clinic procedures that may violate the standard and establish an action plan with designated accountability to implement changes as soon as possible. This assessment should include:

• Review of confidentiality policy

• Patient registration procedure

• Security access of employees

• After-hours access to medical information

• Employee conversations in elevators and hallways

• Identification of possible business partners

• Faxing procedures

• Shredding procedures

• E-mail policies

• Recycling procedures

• Evaluation of written contracts with business partners

• Review of charge description masters and/or fee codes

• Review Patient Consent Form and Release of Medical Information Form

• Placement of any sign-in logs

• Review minimum necessary disclosure for protected health information

• Review of employee orientation procedure

• Development of additional policies necessary under the regulation


Transaction and Code Set Standard

There are actually two parts to the Transaction and Code Set Standard: transaction, which refers to the electronic exchange of administrative and financial healthcare information; and code set, which is any set of codes used to encode data elements. An example of a Code Set is an ICD-9 code.

On December 27, 2001 President Bush signed into law H.R. 3323, the Administrative Simplification Compliance Act (now known as Public Law 107-105). This law allows for a one-year extension of the date for complying with the HIPAA standard transactions and code set requirements for any covered entity that submits to the Secretary of Health and Human Services a plan for how the entity will come into compliance with the requirements by October 16, 2003. The plan must be submitted by October 15, 2002 and shall include:

• an analysis reflecting the extent to which and the reasons why the person is not in compliance;

• a budget, schedule, work plan and implementation strategy for achieving compliance;

• whether the person plans to use or might use a contractor or other vendor to assist the person in achieving compliance;

• a timeframe for testing that begins no later than April 16, 2003.

The law also requires the department to develop and promulgate a model compliance form for the plan by March 31, 2002 and to allow for compliance plans to be submitted electronically. Watch for the department to provide details of the model form and submission procedures later.

The law does require that by October 16, 2003 providers stop submitting paper claims and submit claims electronically to Medicare. There are waivers for certain small providers.

Transactions

The following transactions fall under control of the standard, according to the U.S. Department of Health and Human Services:

• Health claims or equivalent encounter information

• Health claims attachments

• Enrollment in and removal from a health plan

• Eligibility for a health plan

• Healthcare payment and remittance advice

• Health plan premium payments

• First reports of injury

• Health claim status

• Referral certification and authorization

Anyone who performs transactions electronically is required to comply with the standard. Currently healthcare providers and health plans that conduct business electronically use a variety of formats. There are currently about 400 different formats in place for health claims.

A new class of organization called a Designated Standard Maintenance Organization (DSMO) has been established to be the developers and keepers of the standard. The technical format would be familiar to those who have worked with X12 Electronic Data Interchange (EDI) standards from the Data Interchange Standards Association (DISA).

The Transaction Standard requires the use of certain medical data sets for diagnosis, procedures, drugs, and dental work. The data sets are summarized below.

• International Classification of Diseases, 9th Edition, Clinical Modification (ICD-9-CM), Volumes 1 and 2 as updated and distributed by HHS for the following conditions: diseases, injuries, impairments, other health-related problems and their manifestations, and causes of injury, disease, impairment, or other health-related problems.

• International Classification of Diseases, 9th Edition, Clinical Modification (ICD-9-CM) Volume 3 Procedures, as updated and distributed by HHS for the following procedures or other actions taken for diseases, injuries, and impairments on hospital inpatients reported by hospitals: prevention, diagnosis, treatment, and management.

• National Drug Codes (NDC) as updated and distributed by HHS in collaboration with drug manufacturers for certain drugs and biologicals.

• Code on Dental Procedures and Nomenclature for dental services.

• Combination of Health Care Financing Administration Common Procedure Coding System (HCPCS) as updated and distributed by HHS and Current Procedural Terminology, 4th Edition (CPT-4), as updated and distributed by the American Medical Association for physician services and other health-related services.

• The Health Care Financing Administration Common Procedures Coding System (HCPCS) as updated and distributed for HCFA, HHS, and all other substances, equipment, supplies, or other items used in the healthcare services.


Occupational health clinic employees that perform billing and coding are familiar with most of the above-mentioned code sets. Many states are not using the current CPT codes for their fee schedule. The Transaction and Code Data Standard exempts worker’s compensation claims from the standard. However, clinics are encouraged to prepare to meet the standards if they plan to bill other insurers.

After analyzing the code sets, clinic management must determine which sets affect any transactions they currently submit or plan to submit electronically. Review of the literature indicates that most healthcare organizations are only collecting 50% of the more than 300 data elements contained in the new claim format. Management needs to compare the information that is available electronically in their organization with the information required in HIPAA transaction standards. When missing data are identified, the location and method of acquiring the data need to be established. Management needs to work closely with vendors to establish new processes or update old ones. Visit aspe.hhs.gov/admnsimp/lsnotify.htm to register to receive updated information on HIPAA by e-mail.

Compliance with HIPAA

The Department of Health and Human Services issued the Privacy Standard under HIPAA; however, the Office for Civil Rights (OCR) is responsible for implementing and enforcing the privacy regulation. Covered entities that misuse personal health information are subject to civil penalties of $100 per violation up to $25,000 per person per year for each requirement violated. Federal criminal penalties of up to $50,000 and one year in prison have been established for obtaining or disclosing protected health information, while penalties of up to $250,000 and ten years in prison have been set for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain, or malicious harm.

Conclusion

There has been much discussion on the use of NDC codes. The National Council for Prescription Drug Programs (NCPDP) has requested the recognition of UPC and HRI codes in addition to NDC codes for drug supply transactions. As of December 21, 2002 this change request was being processed by the DSMO. The National Committee on Vital and Health Statistics will be hearing testimony throughout 2002 on code set issues. More information is available at www.ncvhs.hhs.gov.

Compliance with HIPAA regulations is one of the major issues for occupational health clinic administration in the coming year. For those clinics that are a department of a hospital, the hospital’s HIPAA compliance team should keep you updated on the progress being made at your organization. Independent clinics need to educate themselves and begin their risk assessment in order to initiate an action plan. The next standard to be finalized is expected to be the Security and Electronic Signature Standard. The Tracker will continue to publish articles to keep readers updated on the effect of this law on the providers of occupational health services. In the meantime, a list of resources is provided below so that interested professionals will be able to obtain additional information.

Resource List

Lanser, Ellen G., "Capitalizing on HIPAA Compliance," Healthcare Executive, Vol 16, No 3.

Martin, Renee, "First HIPAA Guidance Issued," Advance for Nurses, New England, October 8, 2001.

Singer, Peter, "Portable Privacy," Occupational Health & Safety, www.stevenspublishing.com.

Withrow, Scott C., Managing HIPAA Compliance, Health Administration Press, Chicago, Illinois: 2001.

aspe.hhs.gov/admnsimp/index.htm

www.healthdatamanagement.com

www.hhs.gov/ocr/hipaa

www.hipaacomply.com

www.hipaadvisory.com

www.ncvhs.hhs.gov

 



About the author:
MAUREEN SUMMERS, RN, MBA, CHE, is the editor of the Occupational Health Tracker. She is a certified healthcare executive with extensive clinical and management experience in occupational health and rehabilitation. Ms. Summers has an active occupational health consulting business based in Kennebunk, Maine. She welcomes communication from Tracker readers and/or potential authors. You may contact her at 207.985.4918 or via e-mail: editor@systoc.com.
