"It's 2003 already!" "It's really going to happen!" "Are we ready?" That's how many providers feel about the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Providers are well advised to focus their efforts on developing a workable strategy for their facilities and move toward HIPAA compliance.
Overview of the Health Insurance Portability and Accountability Act of 1996
The purpose of HIPAA is to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and healthcare delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, and to simplify the administration of health insurance. Within the law, there are two titles--Title I and II. Title I, known as Insurance Reform, protects health insurance coverage for workers and their families when they change or lose their jobs.
Title II, known as Administrative Simplification, is the act that will fundamentally change the way extended care facilities handle patient information. It aims to improve the efficiency and effectiveness of the American healthcare system by adopting national standards for electronic healthcare transactions. The law also requires the adoption of security and privacy standards in order to protect personal healthcare information. Administrative Simplification includes the following major regulations:1
I. Electronic Transaction and Code Sets Standards (final rule issued)
II. Health Information Privacy (final rule issued)
III. Security Requirements (proposed rule issued; final rule in development)
IV. Identifier Requirements
a. Unique identifier for employers (final rule issued)
b. Unique identifier for providers (proposed rule issued; final rule in development)
c. Unique identifier for health plans (proposed rule in development)
d. Unique health identifier for individuals (indefinitely postponed)
V. Enforcement Procedures (proposed rule in development)2
Overview of Administrative Simplification
I. Electronic Transaction and Code Sets Standards
The Department of Health and Human Services (HHS) estimates that currently there are about 400 formats for electronic health claims being used in the United States. This lack of standardization minimizes efficiency of the healthcare system and makes it difficult and expensive to develop and maintain software. HIPAA requires every provider who does business electronically to use standardized healthcare transactions, code sets, and identifiers. Standardization creates a common language that encourages development of information systems based on the exchange of standard management and financial data using Electronic Data Interchange (EDI).
EDI is an acronym that describes the electronic transfer of information, such as electronic media health claims, in a standard format between trading partners. EDI allows entities within the healthcare system to exchange medical, billing, and other information and to process transactions in a manner that is fast and cost-effective. EDI can eliminate the inefficiencies of handling paper documents, which will significantly reduce administrative burden, lower operating costs, and improve overall data quality.3 In fact, HHS estimates that these standards will provide a net savings to the healthcare industry of $29.9 billion over 10 years (HHS' projected implementation costs are $17.6 billion over 10 years).4
II. Health Information Privacy
Prior to HIPAA, personal health information could be distributed--without either notice or authorization--for reasons that had nothing to do with a patient's medical treatment or healthcare reimbursement. Consequently, HIPAA provisions were made to mandate the adoption of Federal privacy protections for individually identifiable health information. These regulations require covered entities to implement standards to protect and guard against the misuse of individually identifiable health information.
The HIPAA Privacy Rule for the first time creates national standards to protect an individual's medical records and other personal health information. As such:
* It gives patients more control over their health information.
* It sets boundaries on the use and release of health records.
* It establishes appropriate safeguards that healthcare providers and others must achieve to protect the privacy of health information.
* It holds violators accountable with civil and criminal penalties that can be imposed if they violate patients' privacy rights.
* It strikes a balance when public responsibility supports disclosure of some forms of data, for example, to protect public health.
For patients, it means being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used. As such:
* It enables patients to find out how their information may be used and about certain disclosures of their information that have been made.
* It generally limits release of information to the minimum amount reasonably needed for the purpose of the disclosure.
* It generally gives patients the right to examine and obtain copies of their own health records and request corrections.
* It empowers individuals to control certain uses and disclosures of their health information.5
III. Security Requirements
The proposed security standard, different from the privacy standard, consists of the requirements that a healthcare entity must address in order to safeguard the integrity, confidentiality, and availability of its electronic data. It requires that each healthcare entity engaged in electronic maintenance or transmission of health information assess potential risks and vulnerabilities to the individual health data in its possession in electronic form and develop, implement, and maintain appropriate security measures. Most importantly, these measures must be documented and kept current.6
IV. Identifier Requirements
HIPAA will require that employers, providers, and health plans have standard national numbers that identify them on standard transactions. Effective July 30, 2002, the Employer Identification Number (EIN), issued by the Internal Revenue Service (IRS), was selected as the identifier for employers. The remaining identifiers for providers and health plans are expected to be determined in the coming year.7
V. Enforcement Procedures
Although the final rule for Enforcement Procedures is still being developed, some enforcement determinations have been made. HHS has announced that the Centers for Medicare and Medicaid Services (CMS) will have responsibility for enforcing the transactions and code set standards, as well as security and identifier standards when those are published. CMS will also continue to enforce the insurance portability requirements under Title I of HIPAA. The Office for Civil Rights (OCR) in HHS will enforce the privacy standards.8
The HIPAA law provides for significant monetary and civil penalties for violations.
Failure to comply with the Electronic Transaction and Code Sets Standards may result in the following:
* Each violation: $100.00
* Maximum penalty for all violations may not exceed $25,000/year.
Failure to comply with the Health Information Privacy Standards may result in the following:
* Wrongful disclosure offense: $50,000, imprisonment of not more than one year, or both
* Under false pretenses: $100,000, imprisonment of not more than five years, or both
* With intent to sell information: $250,000, imprisonment of not more than 10 years, or both.1
Getting Started
Due to the sweeping impact and lack of clarity and finalization in some portions, moving toward HIPAA compliance has been tremendously challenging and complex. Despite this, the compliance deadlines, with possible substantial civil monetary and/or Federal criminal penalties, are looming. Covered entities must begin the journey toward HIPAA compliance. The following strategies and resources, although not an exhaustive list, may help you.
Where You Want To Be
The first step in any journey is to know your destination. Provide everyone a clear picture of exactly where the facility is headed. For example:
* Find out if you need to be on the pathway to HIPAA compliance by determining whether you are a "Covered Entity." To help you, CMS has available on the Web "Covered Entity Decision Tools." These tools are available at http://www.cms.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp.
* Assign a HIPAA team and team leader to direct the way. Depending on the size of your facility, the team may be divided by function--Electronic Transaction and Code Sets, Health Information Privacy, and Security. Once appointed, the team should perform a needs assessment of itself--have objectives been defined? Have team member roles been defined? Does the team have the requisite tools, such as allocated resources and funding? Is there a firm commitment of resources from management?
* Depending on the size of your facility, break the HIPAA team into groups of two to three individuals. Obtain the rules (see Table 1) and assign one set of rules to each group to analyze and determine its impact on business processes and systems. Encourage the groups to look for the positive changes that will occur consequent to these regulations. Keep in mind, the HIPAA team will eventually share this information and motivate the other staff members.
* Use other reliable sources of information to clarify questions, to guide efforts, and to keep abreast of HIPAA. The Web provides a plethora of information. To avoid getting "run over" on the Electronic Superhighway, begin your search at the CMS website (http://www.cms.gov/hipaa/hipaa2/default.asp). This site answers frequently asked questions and links to other reliable sources of information that are both internal and external to HHS. The OCR provides information on the Privacy Standard called, "Guidance Explaining Significant Aspects of the Privacy Rule," which is available at http://www.hhs.gov/ocr/hipaa/privacy.html.
* Sign up on a "free" listserv (e-mail communication list). This will keep you current on the latest HIPAA developments. There are many listserv lists available. CataList is one listserv directory that provides a register of 13 public listserv lists related to HIPAA (http://www.lsoft.com/lists/listref.html). For instructions about how to join HHS' listserv, visit http://aspe.os.dhhs.gov/admnsimp/lsnotify.htm.
* Network with groups that deal with HIPAA issues. Contact your professional organization or your CMS regional office to identify HIPAA efforts at the local level. "Virtual" resources available include the Strategic National Implementation Process (SNIP, http://www.wedi.org/snip/index.htm), Workgroup for Electronic Data Interchange (WEDI, http://www.wedi.org/), and HIPAA Implementation Guides for Transactions and Code Set Standards from the Washington Publishing Company (http://www.wpc-edi.com/hipaa/HIPAA_40.asp) (this is not an all-inclusive list of Web resources).
Where You Are
Once you have determined where you want to be, you will be prepared to move further along the HIPAA journey. For example:
* Determine where you are by conducting a gap analysis. Compare your current transaction, privacy, and security policies with the requirements. Are your policies compliant with HIPAA? Do they need to be modified to be brought into compliance? Do you need to adopt new policies? Do you need to eliminate old policies?
* Continue the gap analysis by comparing your current transaction, privacy, and security practices with the requirements. Are your practices compliant with HIPAA? Do they need to be modified to be brought into compliance? Do you need to adopt new practices? Do you need to eliminate old practices? For example, for your electronic systems, can your data be translated into an 837 format for claims submission? And once the data is submitted to a payer, can it be translated or remitted back into an 835 format, uploaded, and posted into your account receivable system?
* Speak to your outside contacts to determine their HIPAA implementation and testing plans, the level of support they plan to provide, and associated costs. Include health plans, payers, vendors, business associates, etc. Do not rely exclusively on any one of these outside entities to make your entity HIPAA compliant. Remember, the Electronic Transaction Standards are only one portion of HIPAA. Even if the Electronic Transaction Standards were the only set of new regulations, the facility would still be responsible for gathering the right information at the right time and entering it in the right format for an electronic transaction to occur.
Getting from Where You Are to Where You Want to Be
Take a deep breath--you are on your way. Now that you have established where you want to be and where you are, consider the following:
* Prepare an action plan and time line for reaching HIPAA compliance. Prioritize based on your areas of greatest vulnerability. Make sure everyone is aware of the HIPAA Administrative Simplification Compliance Deadlines (see Table 2). Assign responsibilities and target dates. Constantly monitor progress toward compliance--be prepared for questions, obstacles, and possibly resistance. Obtain written progress reports at regularly scheduled times.
* Educate. Offer training sessions about the Privacy and Security Standards to all staff and the Electronic Transaction and Code Sets as applicable. CMS offers useful training resources. For example, they have recently released Part One of a 10-part information series on Electronic Transactions and Code Sets called "HIPAA 101," which is available online. Document your training sessions.
Once You Are There
Pat yourself and the team on the back. You've made it! But don't stop there: Make monitoring HIPAA compliance part of your ongoing Quality Assurance Program. Reaching compliance by the deadlines is not the end of the journey--it is just the beginning!
Conclusion
Perhaps in the future, thoughts of your journey toward HIPAA compliance will be as fleeting as thoughts of Y2K. By then, hopefully, our industry will have reached our destination and have a system capable of detecting waste, fraud, and abuse with greater efficiency, privacy, and security and lower operating costs.