New Jersey Law Journal May 27, 2002
Copyright 2002 NLP IP Company - American Lawyer Media
May 27, 2002
HEADLINE: Deadline for HIPAA Compliance is Fast Approaching
BYLINE: By JonathanBick
The author is of counsel to Brach, Eichler, Rosenberg, Silver, Bernstein, Hammer & Gladstone of Roseland and is an adjunct professor of Internet law at Pace Law School and Rutgers Law School. He is also the author of 101 Things You Need To Know About Internet Law (Random House 2000).
The deadline for compliance with the Health Insurance Portability and Accountability Act of 1996 is Oct. 16, 2002, not April 2003, as some have been led to believe by Congress' extensive implementation debates. However, covered entities can delay compliance with the Transactions and Code Sets Rule until Oct. 16, 2003, if they properly file a compliance plan.
To qualify for the deadline extension, entities must submit a compliance plan to the secretary of the U.S. Department of Health and Human Services by Oct. 16, 2002. The plan must adequately detail an implementation budget, implementation schedule, implementation work plan and an implementation strategy. HIPAA is a federal law that sets forth certain requirements for keeping electronic patient data secure and private, and for communicating that data to hospitals and other health-care organizations. The HIPAA regulations cover a large variety of entities: payers, including health maintenance organizations and preferred provider organizations; providers, such as hospitals and physicians; and clearinghouses.
Although not directly covered, HIPAA-mandated regulations will coerce procedural changes for state agencies, laboratories, billing agencies, IT vendors, consultants, employers and universities. HIPAA requires the HHS to adopt national standards for conducting health-care transactions electronically to ensure consistency throughout the industry.
Some have described HIPAA as a moving target. To be specific, the HHS delivered the final regulations in August 2000, setting a deadline of Oct. 16, 2002, for compliance. Smaller payers -- those with less than $5 million per year in revenue -- have an extra year to comply. Subsequently, Congress has passed legislation that enables entities covered by HIPAA to delay compliance with the Transactions and Code Sets Rule until Oct. 16, 2003, provided they file a compliance plan.
Consequently, health-care companies know they have to do something but, without set rules, they are hesitating. Typically, a hospital administrator will ask "Why do something if you don't have to and if you don't know what the rules will be?" Nevertheless, the task of dealing with HIPAA compliance, is part of their core business and action must be taken.
Starting Oct. 16, 2002, federal regulators will be checking for compliance.
For the most current information about the status of HIPAA implementation,
If you are a covered entity and will not be compliant with the HIPAA Electronic Health Care Transactions and Code Sets standards by Oct. 16, 2002, you must file a compliance plan.
A covered entity is a health plan, a health-care clearinghouse or a health-care provider who transmits health information in electronic form in connection with one or more transactions for which the secretary of the HHS Administration has adopted standards at 45 C.F.R. Part 162. The term "health care provider" includes individual physicians, physician group practices, dentists, other health-care practitioners, hospitals, nursing facilities and others.
If you are a member of a group practice, the extension will be granted to all physicians/practitioners who are members of that practice. It is not necessary to file separate compliance plans for each physician in the practice if the practice files all claims on your behalf. However, if you submit claims for payment outside of the group's claims processing system, you need to file your own compliance plan.
Compliance plans must be submitted electronically no later than Oct. 15, 2002. Paper submissions should be postmarked no later than Oct. 15, 2002.
Preparing an implementation budget, an implementation schedule, an implementation work plan and an implementation strategy for achieving compliance will require a lot of technical evaluation, systems integration and management work. However, the actual implementation of HIPAA will be much more costly.
Failure to do either by Oct. 16, 2002, will be more costly still. Health-care organizations that fail to achieve compliance or properly file for an extension face stiff fines and loss of government payments, including Medicare and Medicaid.
As an aside, complying with HIPAA makes good business sense. The use of standard formats for health-care transactions will reduce costs primarily by giving health-care organizations access to digital information that can be used to improve operations and make better business decisions.
Cost reduction may also result form sharing of information among different parts of an organization.
Making sure that regulations are interpreted accurately and transactions are conducted properly will be a major challenge. Standardized HIPAA compliance programs are more cost-effective than customized programs.
Thus, the most practical way to proceed for most health-care organizations
is to wait and figure out which turnkey compliance programs they can
use. In order to buy some time, preparation of a compliance plan to
get the one-year extension makes business sense.
An implementation strategy simply describes in broad terms how a health-care provider will move from its existing system to a compliant system. A compliant system supports the 12 mandated HIPAA transaction sets that must be implemented by Oct. 16, 2002, for those who choose not to prepare and submit a compliance plan.
Typically the strategy section will state that a survey of all governmental agencies (including federal, state and local agencies) will be conducted to determine what payment programs are in place as well as what information sharing is in place. This section should also state that a similar survey will be conducted to determine what existing data analysis and information-sharing processing are in use to track health-care claims.
In addition, a strategy section normally goes on to state that surveys of payer organizations that are covered entities for HIPAA transactions will be conducted to determine the extent of the health-care transactions performed by payer organizations using paper. Analogously, a survey of the rest of the payers (who use electronic transactions) would be conducted to determine the nature of the proprietary document formats.
Simultaneously, surveys of provider organizations, including hospitals and physicians, would be conducted to determine the existing nature of requests and claim submissions.
It should be specified that charting and diagramming the survey responses
will occur, as well as standard formatting of transactions that achieve
and continually maintain compliance with the Electronic Data Interchange
health-care transaction standards mandated by HIPAA.
The implementation work plan section describes how a health-care organization will implement the strategy section. The customary content of the work plan section states how X12N EDI Implementation Guides adopted under HIPAA will be applied to specific transactions.
The work plan section must address each of the HIPAA Implementation Guides including 270: Health Care Eligibility/Benefit Inquiry; 271: Health Care Eligibility/Benefit Information Response; 276: Health Care Claim Status Request; 277: Health Care Claim Status Response; 278: Health Care Services Review-Request for Review; 278: Health Care Services Review-Response; 820: Payroll Deducted and Other Group Premium Payment for Insurance Products; 834: Benefit Enrollment and Maintenance; 835: Health Care Claim Payment/Advice; 837: Health Care Claim-Institutional; 837: Health Care Claim-Dental; and 837: Health Care Claim-Professional.
Administrative and financial systems in the health-care industry consist primarily of paper-based transactions. The work plan section should show how Electronic Data Interchange health-care transaction standards would be adopted. In particular, this section should describe in detail what work will be done.
Many implementation work plans have similar elements. For example, most work plan sections state "front end manual or automated mapping of the existing transactions to the EDI transactions as set forth in the Implementation Guides to build segment translation tables is contemplated."
Similarly, a majority of work plan sections go on to state "since the X12 family of standards make use of coded fields to further define their meaning, segment translation tables will be used convey name information. (So, for example, when a data segment contains the qualifying element 'BT,' the X12 standard signifies a bill-to name and the qualifying element 'ST' signifies a ship-to name)."
Implementation work plans usually deal with inbound information by stating "inbound HIPAA X12N EDI documents are translated for processing, prior to being incorporated them into e-commerce applications."
Because large numbers of health-care facilities now use the Health
Level Seven (HL7) standard to transmit millions of clinical health-care
communications every day, most work plan sections state that "implementing
Health Level Seven (HL7) standard functionality is a requirement for
complying with HIPAA, consequently, translation tables that support
all 2.x versions of HL7 and HL7 v 3.0 when it is approved for all HL7
data types, message types and segments, is contemplated."
Following the application of the X12N EDI Implementation Guides to the transaction in the implementation work plan section, the implementation schedule section is usually prepared. This section is generally divided into three parts: the platform and systems effort; the application programming undertaking; and documentation and testing endeavor.
A typical implementation schedule to implement a HIPAA solution is about 90 days in length, including planning and deployment.
The schedule section is combined with cost data to create an implementation budget section. This budget usually includes sufficient detail to permit a reasonability audit.
Pricing for an implementation budget is a function of what must be done and who is scheduled to do it. Standardized solutions such as Microsoft's BizTalk Accelerator for HIPAA Solution cost about $4,000 per processor.
Needless to say, the number of processors is a function of the size of an organization and the expected service level. A hospital should plan on spending $20,000 for a Microsoft's BizTalk Accelerator for HIPAA enterprise license.
In addition, to implement the Microsoft's BizTalk Accelerator for HIPAA application, other Microsoft products, such as Windows 2000 Server Software, Microsoft Internet Explorer, Microsoft SQL Server 7.0 and more, are required.
Hardware costs associated with increased memory and more CPU speed
should be anticipated. In addition, the use of "Redundant Array
of Inexpensive Disks" disk configurations that rely on hardware
caching RAID controllers will typically be need to implement HIPAA-related
The Centers for Medicare & Medicaid Services is a federal agency within the HHS that runs the Medicare and Medicaid programs. It issued a model compliance plan that will allow health plans, health-care clearinghouses and health-care providers to receive the one-year extension to comply with the new rule governing electronic health-care transactions.
Its model compliance form requires the following information:
Section A: Covered Entity and Contact Information
1. Name of Covered Entity.
2. Tax Identification Number.
3. Medicare Identification Number.
4. Type of Covered Entity.
5. Authorized Person.
9. Telephone Number.
Section B: Reason for Filing for This Extension
10. Please describe the reason(s) that you do not expect to be compliant with the HIPAA Electronic Health Care Transactions and Code Sets standards (45 C.F.R. Parts 160, 162) by Oct. 16, 2002.
Section C: Implementation Budget
11. Estimated cost of compliance with the HIPAA Electronic Health Care Transaction and Code Sets standards (45 C.F.R.,Parts 160,162).
This question relates to the general financial impact of the HIPAA Electronic Health Care Transactions and Code Sets standards (45 C.F.R. Parts 160,162) on your organization.
Section D: Work Plan/Implementation Strategy/Testing Schedule
This section encompasses HIPAA awareness, operational assessment, development and testing, all of which are collectively referred to as the Transactions and Code Sets Implementation Process.
Phase One -- HIPAA Awareness
These questions relate to your general understanding of the HIPAA Electronic Health Care Transactions and Code Sets standards (45 C.F.R. Parts 160,162).
12. Please indicate whether you have completed this Awareness phase of the Implementation Process.
13. Projected/Actual Start Date.
14. Projected/Actual Completion Date.
Phase Two -- Operational Assessment
These questions relate to HIPAA operational issues and your progress in this area.
15. Please indicate whether you have completed this Operational Assessment phase of the Implementation Process.
16. Reviewed current processes against HIPAA Electronic Health Care Transactions and Code Sets(45 C.F.R. Parts 160,162) requirements.
17. Identified internal implementation issues and developed work plan.
18. Decided whether to use the services of a vendor or other contractor?
19. Projected/Actual Start Date.
20. Projected/Actual Completion Date.
Phase Three -- Development and Testing
These questions relate to development and testing issues under HIPAA's Administrative Simplification Compliance Act, which requires that testing begin no later than April 16, 2003.
21. Please indicate whether you have completed this Development and Testing phase of the implementation process.
22. Completed software development/installation?
23. Completed staff training?
24. Projected/Actual Development Start Date.
25. Projected/Actual Initial Internal Software Testing Start Date.
26. Projected/Actual Testing Completion Date.
The model compliance plan and instructions are expected to be published in the Federal Register. Electronic submission capability is also expected.
Nonelectronic submissions that provide equivalent information must be mailed to ATTENTION: Model Compliance Plans, Centers for Medicare & Medicaid Services, P.O. Box 8040, Baltimore, MD 21244-8040.