If you thought your Health Insurance Portability and Accountability Act (HIPAA) of 1996 worries were over, think again. Several U.S. government initiatives this year should keep compliance officers and radiology managers searching for more HIPAA enlightenment.
"Is it over yet? No, not by a long shot," said Patricia Kroken, principal of Albuquerque, NM-based consulting firm Healthcare Resource, during a presentation at the 2005 RSNA conference in Chicago.
Claims attachment standards, national provider identifiers (NPI), new security standards, vendor compliance concerns, and audit preparations represent a few of the HIPAA issues that radiologists will need to address, Kroken said.
Compliance with such rules could make a big difference in your bottom line, concurred Claudia Murray of Provider Practice Analysis, a Baldwin, MD-based healthcare consulting firm specializing in Medicare rules, regulations, and compliance.
"Fraud control equals HIPAA," Murray said during her RSNA talk.
With nearly $6 billion recovered in healthcare fraud since the late '90s, Murray said HIPAA and associated healthcare regulations helped spur "an entire industry of compliance and regulatory study (comprised) of healthcare lawyers and consulting firms."
HIPAA issues should be a priority for radiology administrators and all healthcare providers, echoed Michael Schaff, an attorney with the law firm Wilentz, Goldman, and Spitzer in Woodbridge, NJ. "Consider these issues in your practice."
HIPAA history
In the early 1990s, healthcare industry leaders brainstormed ideas to reduce healthcare costs. They found the essential answer in electronic systems.
With personal information speeding along the Internet, public concern for privacy and security of personal health data grew. However, for such an electronic health system to work, the healthcare industry needed new privacy and reporting standards across the board. In response to these concerns, Congress passed HIPAA in 1996.
"So, how did we get HIPAA? We asked for it. We wanted to move to electronic records. We wanted to improve the system," Kroken said.
Writing privacy rules fell to the U.S. Department of Health and Human Services (HHS). Staff training, the appointment of a privacy officer, and the establishment of formal safeguards became priorities under the HIPAA Privacy Rule. HHS required compliance from all agencies, providers, plans, and clearinghouses by April 2004.
Once organizations put these pieces in place, many believed they'd completed their HIPAA puzzle.
But as Kroken pointed out, HIPAA is a process -- it is not simply completed "so it can sit on a shelf somewhere."
New initiatives coupled with ongoing requirements means that "there's a lot for radiologists to be aware of," Kroken said.
Claims attachment standards
Formalizing electronic records processes for billing and basic patient information may seem like a no-brainer, but what happens when physicians attach labs, x-rays, or CT scans to documents and send them over the Internet?
The Federal Register published a proposal to standardize such electronic attachments last year. Comments on the proposal closed in November 2005.
The claims attachment rules work in tandem with the HIPAA Privacy Rule. They affect healthcare providers who electronically transmit information in connection with transactions normally covered by HIPAA.
The proposed standards include the use of certain transactions, messaging standards, and a new code set when electronically requesting additional information -- and when providing information in response to the request.
"These HIPAA provisions make processing claims and other healthcare transactions much more efficient and in the long run (will help) save millions of dollars," HHS Secretary Mike Leavitt said in a September 2005 press release.
Embracing the NPI change
Today, healthcare providers find themselves with different identifier codes assigned by different health plans -- and sometimes within the same health plan.
Throughout the healthcare industry, providers based their identification numbers on location and type of practice. In the world of instantaneous access to information, such encrypted detail potentially reveals a wealth of knowledge to nefarious users.
In addition, incorrect provider identifiers often lead to inaccurate payments and improper billing practices, costing the healthcare industry millions of dollars. As the sun sets on legacy identification numbers to classify physicians and practices, the dawn of NPIs rises.
NPIs are defined in Section 1173 of the HIPAA Administrative Simplification document, which calls for "a standard unique health identifier for each individual, employer, health plan, and healthcare provider for use in the healthcare system."
NPIs ensure that each provider owns one unique identifier for transactions with all health plans. Each provider must apply for a NPI number by visiting its Web site.
"This is one of those things where the government tells you it's going to be easy, relatively painless," Kroken said. "And this really is. Go do it."
If you have a new NPI, don't ditch your old legacy number yet. Providers and other organizations must update their legacy information systems, administrative processes, reference files, and forms to ensure continuity between old provider identifiers and the new NPIs.
Some systems will require major overhauls to accommodate the new standard. Health plans, clearinghouses, and software vendors may have to perform software conversions to meet the requirements.
Vendor compliance concerns
Radiology facilities must ensure compliance with HIPAA regulations as well as the HIPAA compliance of vendors with whom it contracts. "This can be a very cumbersome process," Schaff said.
For example, if a radiology facility contracts with a billing agency, that facility must have a business associate (BA) agreement with the billing agency. The BA agreement must require the billing agency to protect the radiology facility's patient health information by abiding by specific restrictions on the use and disclosure of such information.
The agreement must also require that any subcontractors of the billing agency agree to the same restrictions on the use and disclosure of patient health information to which the billing agency has agreed.
Generally, the radiology facility is not required to monitor or oversee how its business associates and its subcontractors protect the privacy of patient health information. However, if the radiology facility discovers a violation of the BA agreement, it must take reasonable steps to cure the breach.
Depending on the nature and scope of the breach, corrective action may require termination of the arrangement with the billing agency. Failure by the radiology facility to correct such breaches could subject it to severe penalties and litigation.
"You need to make sure all the parties are complying with their respective obligations to ensure that the patient health information is protected," Schaff said.
Security standards
Keeping health records secure -- electronic or paper -- remains a challenge for radiology professionals and industry leaders across the healthcare continuum.
Many administrators have expressed concern about proposals for an electronic signature standard.
Several forms of electronic signatures exist today, ranging from biometric devices to digital signature, according to the Federal Register. However, to satisfy the legal and time-tested characteristics of a written signature, an electronic signature must do the following:
- Identify the signatory individual.
- Ensure the integrity of a document's content.
- Provide for nonrepudiation (i.e., strong and substantial evidence that will make it difficult for the signer to claim that the electronic representation is not valid).
Currently, only the digital signature meets those criteria.
HHS postponed final ruling on electronic signatures and additional details are pending. For more information regarding the pending security standards, visit the agency's Web site.
Audit preparations
Keeping up with HIPAA audits may seem like just another task, but Kroken says it's important to keep your HIPAA policies up-to-date and your staff trained about the HIPAA changes.
"Things creep around in an office. You want to make sure they are where they say they are," Kroken said.
By Melissa Varnavas
AuntMinnie.com contributing writer
April 6, 2006
This article originally appeared in the Radiology Administrator's Compliance & Reimbursement Insider, a monthly newsletter published by HC Pro that is designed specifically for radiology administrators. For a free trial subscription, please click here.
Related Reading
HIPAA enforcement Final Rule published, February 17, 2006
Hitting the ceiling over HIPAA-required walls, December 6, 2005
HIPAA compliance efforts wilt in summer survey, August 24, 2005
CMS sets final date for HIPAA TCS compliance, August 5, 2005
HIPAA compliance still a distant goal as deadline looms, April 1, 2005
Copyright © 2006 HC Pro