Responding to HIPAA Regulations: An Update on Electronic Transaction and Privacy Requirements

Transcription

1 Responding to HIPAA Regulations: An Update on Electronic Transaction and Privacy Requirements Ronald W. Manderscheid, Ph.D. and Marilyn J. Henderson, M.P.A. United States Center for Mental Health Services Sarah Wattenberg, M.S.W., and Mady Chalk, Ph.D. United States Center for Substance Abuse Treatment The Health Insurance Portability and Accountability Act (HIPAA) of 1996 has brought many changes to behavioral healthcare. The changes include the ability to move one s health insurance coverage when one moves from one job to the next and the right to continue health insurance coverage after employment has ended. HIPAA also has provided the framework for discussions of parity between mental health insurance and general health insurance benefits that continue to this day. Much less discussed until the present are the administrative simplification requirements that were built into the HIPAA legislation and are currently being codified by the U.S. Department of Health and Human Services (DHHS) in a series of regulations. The current status of these regulations is described briefly below. However, before discussing the administrative simplification provision of HIPAA, it is necessary to define which entities are covered and therefore must abide by the regulations. Covered Entities: The first determination that must be made is whether one is a covered entity. Under the HIPAA regulations, a covered entity is a health care provider that engages in particular types of electronic health commerce with respect to any of the nine covered electronic transactions described below. In simple terms, for example, if a provider engages in electronic benefit checks, or processing of electronic bills or payments, then it is a covered entity. (Other entities who engage in such transactions, for example, health insurance plans and clearinghouses that process such data, are also covered entities.) Once an entity is covered under one regulation, then all of the administrative simplification requirements of HIPAA apply. DHHS will not make the determination of who is or is not a covered entity. States and other entities need to make this decision based on an internal consideration of the regulations and their definitions and through legal consultation, if possible. The immediate impulse of most providers and insurers will be to try to avoid being defined as a covered entity. The wisdom of this impulse should be explored. There are two reasons for not deciding that one is excluded from coverage. The first is that coverage may be forced upon one organization by another. For example, many insurers require electronic submission of claims. In this case, providers will only be paid if they submit claims electronically in the required HIPAA format. At the point of electronic submission, the provider will become a covered entity. Secondly, electronic commerce in the health sector is clearly becoming more prevalent as time progresses. Hence, if providers and insurers are to avoid becoming archaic islands of paper in a sea of electronic commerce, then providers should consider whether remaining a non-covered 1

2 entity is a reasonable decision (insurers have no choice). Electronic Transactions Requirements: Beginning on October 16, 2003, covered providers and health insurance companies will be required to use precisely defined variables when engaging in electronic commerce around insurance enrollment, insurance benefit checks, submission of claims, processing of payments, and coordination of insurance benefits. The original implementation date for electronic transactions was October 16, However, this date was moved back to October 16, 2003 by recent congressional legislation because it was felt that most entities would not be ready in As part of the legislation that modified the implementation date, a new requirement was imposed: covered providers and insurers must submit an implementation plan to DHHS by October 16, The plan requires information about implementation, including the financial and staff resources each business intends to commit to HIPAA implementation. Guidance for the implementation plan is anticipated from the Centers for Medicare and Medicaid Services (CMS) on behalf of DHHS by the end of March Privacy Requirements: Entities that are covered by the electronic transaction requirements are automatically covered under the HIPAA Privacy Rule. Currently, the DHHS privacy regulations are due to be implemented on April 14, The privacy requirements specify how organizations will protect written, oral and electronic health records of individuals. Organizations need to do a gap analysis to identify flaws in their privacy procedures and create a work plan to overcome these deficits. Although the privacy regulations apply to records maintained on all health, mental health, and substance abuse clients, they do not apply to psychotherapy notes maintained by mental health and substance abuse providers. It is important to note that the regulations have a narrow definition of psychotherapy notes they are the notes that are kept outside the health record for the sole use of the practitioner who created them. For individuals treated in substance abuse programs, the provisions of the federal confidentiality laws which govern substance abuse records (42 CFR part 2) are generally considered to be more stringent than HIPAA. However, there are some areas in which HIPAA presents requirements that are not contained in the substance abuse regulations. Therefore, both regulations must be read together. These privacy regulations preempt any state laws with lesser or contradictory requirements. Both civil and criminal penalties and fines can be invoked by DHHS when they are violated by covered entities. Security Requirements: The security requirements are a companion piece to the privacy requirements in that one cannot effectively address the privacy requirements unless one considers electronic security issues as well. A draft of the security regulations was circulated for comment to the health care field early in However, DHHS has yet to issue final security regulations. In general, the draft security requirements identified both organizational and information technology areas that represent potential security vulnerabilities. Like the privacy requirements, they specify procedures for organizations to address deficiencies. Electronic Patient Record Requirements: 2

3 HIPAA requires that DHHS engage in a dialogue with the health care community and develop recommendations regarding the content and implementation of electronic patient health care records. Some initial discussions have been held by DHHS committees, but a broader consultation has not yet occurred. Together, these four areas comprise the administrative simplification provisions of the HIPAA legislation. Elaboration of Electronic Transaction and Privacy Requirements This section describes in more detail the electronic transaction requirements and the privacy requirements, as well as specific actions that the Substance Abuse and Mental Health Services Administration (SAMHSA) and its Centers are taking to help the field address these requirements. Electronic Transactions: Currently, the Center for Mental Health Services (CMHS) is preparing guidance for the behavioral health field that contains specifications of all the variables required for each type of covered electronic transaction. It is expected that these guides will be available in the spring of 2002, both in paper and electronic form. The guides for the nine transactions represent a major component of the data standards for a new information system for behavioral health, Decision Support 2000+, currently under development by CMHS. Persons wishing to learn more about Decision Support can do so at The Center for Substance Abuse Treatment (CSAT) is a partner in developing this new information system. Understanding the nature and content of the nine electronic transactions included in the HIPAA administrative simplification requirement is an important first step in becoming compliant with these requirements. Most providers and insurers will need to ask themselves whether or not they have electronic data defined in the specific ways required by the guides in order to successfully complete the transactions. In most instances, the answer will be no. If that is the case, an entity will need to decide either to change its electronic data collection protocols and make them compliant with the guides, or to establish a contract with a clearinghouse that will translate the organization s non-compliant data into the required data format. Some organizations may choose to do both if data for some required transactions is compliant and data for other transactions is not. One possibility is to begin collecting HIPAA-compliant data formats using Internet-based software specifically designed for this purpose. A number of firms are currently developing software for the nine electronic transactions. If an entity decides to use such software, it should be certified as being fully compliant with DHHS requirements. Of special note, the nine covered electronic transactions will use the ICD-9-CM diagnostic system rather than DSM-IV. Software is currently available to translate from DSM-IV to ICD-9-CM. In addition, CMHS and CSAT are currently supporting work to develop a new system of procedure codes for mental health and substance abuse services. These new codes will supplement the current HCPCS and CPT-4 procedure codes required by HIPAA. 3

4 It is probably safe to assume that most providers in the behavioral health field will not be able to successfully make the transition to the nine electronic transactions without external assistance of some type. This external assistance can range from help in understanding which electronic transactions apply to that entity (and how to incorporate those transactions in the ongoing work flow of the entity), to help in selecting internet-based software or a clearinghouse to process the required electronic transactions. As always, the concept of caveat emptor applies. Clearly, many consultants will be offering HIPAA related services. Not all of these services will be of equal quality. Following erroneous advice and submitting incorrect data will not relieve covered entities from submitting the required electronic transactions in the appropriate format with the correct content. Privacy: Since privacy has been a concern to the mental health and substance abuse fields since their inception, many stringent privacy practices were in place prior to HIPAA. As a result, implementing the HIPAA privacy requirements should not be too difficult for these entities. The HIPAA electronic transaction requirements will be more burdensome and require more consideration, as information technology is not generally an expertise of those trained in the mental health and substance abuse professions. Overall, the HIPAA privacy requirements have to do with several major activities. The first is assuring that internal organizational processes protect confidential patient information irrespective of the form in which the information is stored hand written, type written, paper copy of a fax, oral, electronic, etc. Covered entities need to conduct internal reviews of their routine business practices to assess how well the organization protects this information and prevents inappropriate disclosures. A number of checklists are available to aid entities in these internal reviews (see for examples). Second, once problems are detected, the organization needs to modify its business practices as appropriate, reflect those changes in their policies and procedures, and train the staff in the new procedures. Third, entities will need to work with consumers to inform them of their rights, counsel them about providing written authorizations for release of information, and describe the grievance procedures they can use if they feel that their privacy has been violated. Like the checklist for organizational procedures, guides are also being developed to help entities work with their consumers. As part of being compliant with the HIPAA privacy requirements, it will be important to clearly define the boundaries of what business practices will be done internally by the organization and which practices will be contracted out to another entity. For instance, a clearinghouse that processes transaction data can perform certain functions for the covered entity if they are under a Business Associate agreement with the organization. This type of agreement has clear definitions and regulations under HIPAA, which explain under what circumstances entities and business associates can appropriately receive and send identifiable and confidential client information. Five Important Steps Below are five steps that you should take immediately to address the HIPAA administrative 4

5 simplification requirements. The steps are presented in the order that we recommend you carry them out. Step 1: Determine whether you are a covered entity under the HIPAA administrative simplification provisions. Although the issue has been described above, only you can make the determination. Step 2: Once you have determined that you are a covered entity, develop an understanding of the content of the electronic transaction implementation plan you will be required to submit to DHHS on or before October 16, Knowing requirements of this plan will help you determine the specific actions to be taken in subsequent steps. Step 3: Evaluate your business operations to determine which of the nine electronic transactions apply specifically to you. For most providers, at a minimum, this will include insurance benefit checks, claims submissions, and checking on claim status. As part of this step, also determine whether your current data systems are capable of providing the information required for these transactions in the HIPAA compliant format. Step 4: If your data systems are not capable of providing the required information in the required format for those covered electronic transactions you will use, then you should consider contracting with a clearinghouse to process the data that you currently have into the appropriate format. The data standards being developed as part of Decision Support should help you in determining with the clearinghouse which specific data elements apply to you for each of the transaction types. Step 5: Undertake an organizational analysis of your entity s current privacy practices and establish an internal team to make organizational modifications as necessary. The internal assessment should include reading the HIPAA regulations side-by-side with the federal Confidentiality of Alcohol and Drug Abuse Patient Records Regulations, as well as state laws that relate to privacy of patient information and related activities, such as data collection, utilization review, parental access to patient records of minors, etc. In addition, organizations should educate consumers about new consumer rights and responsibilities under HIPAA. Other Resources SAMHSA, through two of its Centers, CMHS and CSAT, is providing extensive technical assistance around the HIPAA administrative simplification provisions. You can visit the SAMHSA website, to review some of the resources being made available. You are also encouraged to visit the websites outlined in Figure 1 for further assistance. Conclusion Needless to say, this article will only help you get started with HIPAA it will not solve all of your HIPAA implementation concerns. For additional guidance, contact your own national professional associations and related entities for help in addressing the electronic transactions 5

6 and privacy requirements of HIPAA. If you are a public provider, try calling your state agency to see if they are providing HIPAA implementation support. Once the expected security regulations are released, you will need to conduct a security analysis for your entity around your information technology systems. If it is any consolation, additional requirements relating to electronic patient records are probably three to five years in the future. Figure 1 HIPAA Web sites Sponsoring Organization Department of Health and Human Services / Administrative Simplification (DHHS) Health Care Financing Administration (HCFA) Workgroups for Electronic Data Interchange (WEDI) Joint Healthcare Information Technology Alliance (JHITA) Electronic Healthcare Network Accreditation Commission (EHNAC) National Uniform Claims Committee (NUCC) National Uniform Billing Committee (NUBC) ANSI ASC X12N Strategic National Implementation Process (click on SNIP ) Privacy & Security Network 6

7 Association of Electronic Health Care Transactions Phoenix Health Systems (discussion groups & news alert) Joint Commission on Accreditation of Healthcare Organizations Assistant Secretary for Planning & Evaluation (Cost Benefit Tables) Beacon Partners Work Group for the Computerization of Behavioral Health and Human Services Information *Special thanks are due to One (Winter 2002), and the quarterly publication of CMHS Systems, Dublin, OH, for compiling this list of resource websites. 7