Administrative Simplification. How could something that sounds so easy be so hard?
Consider, as an answer, the goal of administrative simplification, a.k.a. subtitle F of the Health Insurance Portability and Accounting Act (HIPAA). Its intent is to improve the efficiency and effectiveness of the health care system by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.
Whew.
And as an added bonus, subtitle F requires the industry to protect the privacy and security of individuals' health information. It's no wonder this 1996 act has spawned a cottage industry of technologies, systems, and consultants.
Look on the bright side. The end result of HIPAA will (we hope) be better than dealing with the hundreds of different code sets and monkey-knots of EDI standards currently in place in health insurance companies. In fact, based on the adoption of a single code set and the elimination of paper-based claims, the Department of Health and Human Services (HHS) has estimated the net savings to the health care industry to be nearly $30 billion over 10 years.
"The benefits to society will be enormous down the road," says Edward Jones, executive committee chair-elect of the Workgroup for Electronic Data Interchange (WEDI). "The impact of these regulations will affect other behaviors in the health care industry, and will lead to other efficiencies and cost-effective processes."
Insurance carriers who are well into HIPAA compliance work also see the financial light at the end of the tunnel. "We now support a variation of all sorts of different file layouts," says Cindy Thomas, HIPAA project manager at Capital Blue Cross, who describes Capital as right on track in its compliance efforts, which began in 1999. "Going to one standard [data] format, just from a maintenance, staffing, and cost perspective will be a definite benefit," she says.
Tick, Tick, Tick
Despite being signed into law seven years ago, the first HIPAA deadline has yet to take effect. (See the sidebar, "What, When?") And Congress granted procrastinators a huge favor when it offered the chance for a deadline extension for compliance with transaction standards.
Nevertheless, bringing systems into compliance with HIPAA (meaning generating the X12 code required by the transaction standards) is no small undertaking. Is there hope for carriers who've been asleep at the switch?
"Yes," says William R. Braithwaite, MD, PhD, director of the health care consulting practice and member of the national HIPAA team at PricewaterhouseCoopers. "Of course it can be done, but it will cost more because we'll have to apply a lot more external resources to it. [However], if an insurer isn't aware of what needs to be done, hasn't done any work yet, then they're in trouble. They probably really don't realize how complex this is if they've only just woken up."
But if you're coming late to the party, take heart: you're not alone. "Most of my clients, frankly, are in the awareness and education phase," says Miriam Paramore, president of the health care e-commerce consulting firm PCI. "Very few are in implementation. The bigger you are, the farther you are down the lifecycle. But certainly regional payers are not very far."
10-Step Program
As a technology publication, we make our living distilling complex problems into 3,000 words. But even we're not vain enough to pretend to be able to sort through the thousands of pages of regulations and the myriad of systems issues in a few pages. We can, however, point to some guiding principles regardless of where you are on the HIPAA-readiness scale, from just getting started to nearing completion.
1. File for an extension. Due to numerous concerns about how to implement several of the transaction standards, Congress recently gave insurers (and all HIPAA-covered entities) the option to request an extension of the HIPAA transaction deadline, the net effect being that carriers have until October 2002 to file a transaction compliance plan, until April 2003 to start testing transactions, and until October 16, 2003 to complete implementation.
HHS had until March 31, 2002 to have the procedure for obtaining an extension on the transaction guidelines in place. As of press time that procedure wasn't yet developed, but sources at the Centers for Medicare and Medicaid Services (CMS), the bureau of HHS responsible for overseeing transaction compliance, assured us they would be done on time and posted to the CMS web site, www.hcfa.gov.
Everyone who applies for an extension will get one, the consultants we spoke to recommended filing for one, and the insurers we contacted indicated they'd do so. However, filing for an extension doesn't give you a free pass for the next twelve months; rather, you need to come up with a plan that you intend to stick to for addressing your transactional deficiencies.
"It's important that people do put thought into developing the plans or completing the form," says Karen Trudel of the CMS. "Congress wanted to give covered entities an incentive to sit down and think about what it was going to take for them to become compliant. You have another year, but that's all you have, and your compliance plan should show how you're going to get there."
2. Start at the top. Practically every project management "how to" guide says how important it is to involve top brass in a significant IT project to help ensure its success. But if HIPAA is a government mandate, why is executive buy-in needed?
Because unlike Y2K, to which HIPAA has often been compared, achieving compliance is not just about hardware and whether or not a system will function or crash. Transactions are obviously the most systems-intensive component of HIPAA, but privacy touches not only technology issues but workflow requirements, regarding, for example, the way employees handle confidential information and business issues of relationships with trading partners.
"This is not an IT exercise. This is a business competitiveness exercise, and one that has the potential for great risk," says Jones. "You'll be changing the way the business operates, changing budgets, changing the way divisions within a company relate." You have to get decision makers acquainted with what's going on, particularly since civil and criminal penalties (see "Who's Goin' to Jail?") put insurers at risk. "It's really an investment in the future of the company," Jones says. "Those who make that investment and do it early will be the ones that prosper going forward."
Capital Blue Cross did just that, involving top management early on, and with success. "We started the process [with] the education of our corporate leadership team," says Thomas. "That was a huge help, so everyone understood and was on the same page. We also had tremendous support for our executive management, and that certainly made our jobs easier."
3. Plug the gaps. Carriers need to assess how both their business practices and systems align with requirements; that is, a gap assessment. What kind of assessment depends on a carrier's stage in the HIPAA compliance, and time is no longer on your side.
"If someone tells a health [insurer] they need 90 days to do a gap analysis, you need to find another vendor. You don't have that time anymore. You need to move on," says Paramore. In fact, Paramore recommends a snapshot gap analysis to get you started on the compliance path, a path that can be modified and altered as the project progresses.
"[O]ur jumpstart is positioned to help people who are behind the curve," she says. "You don't need to spend an inordinate amount of time and money on that piece. Then you need to move into serious project planning at the enterprise level."
Late starters can also make use of gap assessment tools (HealthFlash, PrivaPlan, or RiskWatch, for example; www.healthflash.com, www.privaplan.com, and www.riskwatch.com, respectively) that have emerged over the past 18 months to help shorten the analysis and planning processes.
4. X12: Generate or Translate? Insurers need to find a way to get their own systems to generate the version of X12 code required by HIPAA, or use a translation tool, either a new translation system or a reconfiguration of a system they may have previously installed for EDI. While some insurers have taken HIPAA as an opportunity to upgrade their legacy systems, the general consensus is to use a translator, especially at this stage in the HIPAA timetable.
"It's the build or buy question they have to make at every stage," says Braithwaite. "But it's getting to the point where several different sources of translators are available [and] costs are reasonable versus doing it yourself." He points out that commercial sources are also in a position to maintain and update the translator over time as standards change and as new requirements come on line, such as for electronically submitted claims attachments.
"Claims attachments [are] not only an X12 transaction, but buried inside the transaction is a small HL7 message," Braithwaite explains. "Many commercial translators will take care of both X12 and HL7, so rather than having to learn about even the simple version of HL7, the translator can take care of that."
Insurers looking for translators have many choices: SeeBeyond's e-Gate, Paperfree by Sybase, Mercator's Integration Broker, and Navicure are a few examples.
Capital Blue Cross, which needed to update its technologies to support real-time EDI, chose to both upgrade its database from VSAM to Oracle and to bring in MQ Series middleware to translate. "We have quite a multitude of systems," says Thomas, "but we've been fortunate to use our own staff to do a lot of the analysis, and that's worth its weight in gold."
5. Consider Clearinghouses. Using a clearinghouse (an electronic bridge between insurers and health care providers) has often been described as a last-resort choice. But some experts point out that clearinghouses can be good options not just for insurers who are highly paper-based or behind the curve in HIPAA compliance, but for other carriers as well.
"There are lots of advantages to using a clearinghouse as the interface [with a provider or partner] because clearinghouses have the expertise and the connectivity," says Kepa Zubeldia, M.D., president and CEO of Claredi, which performs testing and certification for HIPAA transaction compliance. "We feel that those in the industry that are now starting their HIPAA implementation should go with clearinghouses or commercial translators with built-in HIPAA maps, because our experience has shown when [insurers] develop it on their own, they find the process much longer and more complicated than they imagined."
"However," he says, "Ultimately it comes down to competitiveness, how you respond to the market. A large company will have huge volumes of transactions, and it will behoove them to not outsource that for a large period of time."
6. Cry Uncle! Don't be afraid to ask for help, but expect to pay for it. There are compilations of good information and laundry lists of FAQs on various government and industry Web sites. (See some of them in the box "Government and Other Resources.") And you can drop the HHS an e-mail or two.
But don't expect too much help from Uncle Sam. As one HHS contact quipped, "There's no phone bank here." Particularly when it comes to transaction questions, the CMS will refer you to one of the associations involved in creating the standards: WEDI, the National Uniform Billing Committee (NUBC), the National Uniform Claim Committee (NUCC), and the American Dental Association (ADA).
Expect to engage HIPAA consultants, from technologists to attorneys, at various points throughout the analysis, action, testing, and monitoring stages of your HIPAA projects. Outside assistance is particularly useful for privacy, where regulations are lengthy, penalties are severe, and where you need to educate your staff and keep them trained.
If you're just starting HIPAA compliance work, outside help is likely essential. If you're currently knee deep in HIPAA, a consultant can help you identify areas you've overlooked and help move the project along. "Many people get stuck in hunting and gathering because of the sheer magnitude of work that overwhelms them," says Paramore.
How to choose a consultant? Start with "Decisions, Decisions" in our February issue. One added caveat for HIPAA, however: Watch out for what Zubeldia calls "HIPAA Hype." "When you go to a consultant, there is a high probability of that consultant trying to sell you expertise in an area you don't need but that is the consultant's expertise," he says. "The payers [insurers] need to question whenever a consultant proposes something that's a dramatic change in business processes."
And watch out for firms who oversell themselves. "There are a lot of consultants selling security expertise, and even HIPAA-compliant security products, but there is no such thing as HIPAA-compliant security, because the final rules aren't published yet," Zubeldia says. "Beware of anyone who claims they will make you HIPAA compliant."
7. Test. It's up to insurers to determine whether their system is compliant. So, along the way and before you go live with X12, you need to follow the good testing practices you'd normally do in any installation or conversion.
The Strategic National Implementation Process (SNIP) recommends transaction testing among six different categories prior to going live; see snip.wedi.org. Many insurers turn to third-party testing services (such as Claredi) to test their transactions for HIPAA EDI compliance. Keep in mind, however, that there is no HHS certification for testing vendors, just as there is no certification for insurers themselves.
8. Share the joy. Regardless of how far along you are with HIPAA, it always pays to learn from others who have gone before you. Use the IT grapevine to discover how other companies have solved their own HIPAA issues.
Capital Blue Cross, for example, solved the problem of generating X12 from disparate systems by putting a repository on the front end to store data, and to serve outgoing transactions without making changes on the back end. "One of the biggest challenges is on the institutional claims," says Thomas. "We had some fixed-length files before, and there was no way we could store that information." The new front-end repository gave the company the flexibility it needed but was still a cost savings over upgrading a host of back end systems.
9. Don't do anything you don't have to. Particularly if you're behind in your HIPAA work, focusing on the essentials is important to meeting deadlines. "People get stuck because they assume too much," says Paramore. "[Insurers] don't need to feel they have a shotgun to their head. We try to say, 'What do you have to do?' then make choices about reasonable and scalable. Because a $5 million insurer versus a $5 billion insurer has different compliance burdens."
Insurers with many business units can also avoid project creep by focusing on covered units as defined by HIPAA. "This is what we've coined the 'covered entity identity crisis,'" Paramore says. "The key question is, 'Am I a covered entity, and what kind of covered entity am I?' And if you're big, you have to ask that several times across all your subsidiaries and the businesses you have partial ownership in."
All insurers can help keep projects in scale and on track by applying a similar practice to transactions. Not everything is a standard transaction, even at a covered entity, and not every standard transaction has to be done in X12.
There's risk in drawing too fine a line, and the definitions are unarguably complex. Confused? See Get help.
10. Don't forget about your partners. Bear in mind also that insurers face compliance risk not only through their own operations, but also via those of their trading partners. Business-associate agreements are especially important for compliance with privacy provisions.
The problem for some insurers, however, is a lack of centralization of business contracts, or even a lack of knowledge of all contracts that exist. That requires, again, a thorough analysis among all business units. "One simple trick is to go through your accounts payable, see everyone you pay, and see if they're a business associate," says Paramore.
Insurers may also need to obtain data and documents from trading partners to provide individuals with requested information within the timeframes prescribed by HIPAA. Compliance may include a technological component. For example, Capital Blue Cross anticipates installing a tracking database to keep track of medical information requests and to help ensure regulatory compliance.
In the end, says Braithwaite, the key to implementing HIPAA in the most effective way is committing to an ongoing analysis throughout the project of all the impacts and information flows (both technological and business) HIPAA will have. "This involves much more than getting claims in through EDI versus getting them in via paper," he says.
"Don't take this as a government mandate, take this as an opportunity to make your business processes better and to actually simplify the administration of health care," Zubeldia says. "Don't let HIPAA drive your business; make HIPAA work for you."
Who's Goin' to Jail?
How does a $250,000 fine and ten years in prison sound?
The fines for violating provisions of administrative simplification vary from this severe criminal penalty to, on the other side of the scale of justice, civil penalties as low as $100. Also, criminal penalties (the ones that can land you in jail) do not apply to violations of the 62 pages of HIPAA's transaction regulations, but do apply to willful violations of the 369 pages of the privacy regulations.
Aside from the penalties outlined in the law itself, however, it's difficult to evaluate the complete risks faced by insurers because the enforcement regulations have not yet been published. The Department of Health and Human Services (HHS) and, in some cases, the regulation text itself, determines who is responsible for enforcing transactions; right now, that's the Centers for Medicare and Medicaid Services (CMS) for transactions, and the HHS Office of Civil Rights (OCR) for privacy.
And no one yet knows just how that enforcement will be carried out. We talked to many sources at the HHS, CMS, and OCR but, due to the evolving nature of the enforcement process, no one would go on record regarding standards for fines and penalty assessment. Regulations allow for complaints to be brought to the HHS, but how those complaints should be made hasn't been determined. The HHS may also conduct compliance audits, but hasn't decided if, when, or how to do so. And criminal violations will be referred to the Department of Justice, but on a case-by-case basis that can't be characterized in advance.
The common theme, however, seems to be that a good faith effort, coupled with response to any corrective measures dictated by the department, will go a long way toward keeping insurers on the right side of the law. As one source noted, the intent of the law is to help the insurance industry, not to handcuff it, and it's certainly not in the public interest to have an insurer cease operations. The bottom line is that the difference between civil and criminal offenses will likely be a matter of intent, so those who would commit willful violations of the privacy regulations be warned that an 8-by-10 cell and a new and different lifestyle could await.
Be Reasonable
Sources who work closely with the HHS were able to shed a little more light on the subject. "The OCR has told us several times that if a HIPAA compliance plan is documented and is being worked in that fashion, privacy enforcement will be lenient during the first year or so," says Miriam Paramore of PCI. "In the privacy guidance that came out last summer, they started to use the term 'prudent business judgment.' They don't want [carriers] to go out of business because they're not in compliance with HIPAA because [their] cost of infrastructure has gone through the ceiling. But 'reasonable and scalable' is something [insurers] still have to figure out for themselves."
"There are lots of things that can be done before you get your $100 speeding ticket, particularly if the reasons you violate it are accidental," says William Braithwaite of PricewaterhouseCoopers. "The critical thing with privacy is to make sure your company isn't doing anything intentional to violate that rule. And then get busy to set into place those projects necessary to come up with the appropriate policies and procedures and so forth to meet the requirements."
Universally agreed, however, was that the best enforcement mechanism of all will be the demands by firms in the healthcare space to do business with insurers who are HIPAA-compliant. "The best sanction of all [is] the marketplace," Paramore says. MPV
What, When?
HIPAA regulations and their status include:
Transactions and Code Sets: Compliance deadline October 16, 2002; extension available till October 16, 2003
Privacy: Compliance deadline April 14, 2003
Security: Preliminary rule published; final publication expected shortly per HHS
National Provider Identifier: Preliminary rule published; final publication date unknown
National Employer Identifier: Preliminary rule published; final publication date unknown
National Individual Identifier: Rule on hold pending legislative review
National Health Plan Identifier: Preliminary rule not yet published
Claims Attachments: Preliminary rule not yet published
Government and Other Resources
www.hcfa.gov: Centers for Medicare and Medicaid Services
aspe.hhs.gov/admnsimp: Health and Human Services HIPAA information page
www.hhs.gov/ocr: Office of Civil Rights of the HHS
www.hipaalive.com: sponsored by Phoenix Health Systems consultancy; contains forums, discussions, and HIPAA information
www.hiaa.org: Health Insurance Association of America
www.hcca-info.org: Health Care Compliance Association
snip.wedi.org: Strategic National Information Process testing information
E-Mail Updates
To sign up for e-mail updates on HIPAA regulations: Send e-mail to listserv@list.nih.gov with a blank subject line and the following in the body: subscribe HIPAA-REGS first-name last-name
Click Here
Claredi: www.claredi.com
HealthFlash: www.healthflash.com
Paramore Consulting Inc. (PCI): www.hipaasurvival.com
Mercator: www.mercator.com
Microsoft: www.microsoft.com/solutions/hipaa
Navicure: www.navicure.com
Paperfree (Sybase): www.paperfree.com
PrivaPlan: www.privaplan.com
PricewaterhouseCoopers: www.pwcglobal.com
Riskwatch: www.riskwatch.com
SeeBeyond: www.seebeyond.com
Workgroup for Electronic Data Interchange: www.wedi.org