Monitor on Psychology
Volume 32, No. 7 July/August 2001
 
HIPAA rules begin to take shape

It's time for practitioners to begin familiarizing themselves with the upcoming federal rules for electronic transmission, privacy and security.

BY KATHRYN FOXHALL
Monitor staff

When the Health Insurance Portability and Accountability Act (HIPAA) passed in 1996, it called for the creation of national standards and requirements for the electronic transmission of health information. The purpose of the "administrative simplification" provisions of the law was to standardize claims processes and procedures, for example, by requiring insurers to use and accept the same form. In seeking to streamline the Byzantine world of health claims and other health-care reimbursement information, the goal was to simplify administrative matters for providers and patients.

The sponsors of the original legislation, Sens. Edward Kennedy (D-Mass.) and Nancy Kassebaum (R-Kan.), believed that for electronically driven streamlining to catch on, it was necessary to have sufficient privacy and security protections as part of the national standards. Yet the transition to greater reliance on electronic transmission in the health-care system is proving more complex than even those who first envisioned it had thought. The Department of Health and Human Services (HHS) is in the midst of a six-to-eight-year marathon of developing and publishing a series of extensive regulations on the various parts of HIPAA's administrative simplification. Of an expected five or six sets of rules, two major rules already have been published: the first was on electronic transactions and the latest provided for new federal standards for the privacy of individually identifiable patient information.

Oct. 16, 2002, is the date the first of the series of federal regulations is set to go into effect under HIPAA. This regulation mandates uniform standards for electronic health-care transactions. The second regulation, which will likely have more impact on psychologists, deals with privacy of information and recently took effect with compliance required in April 2003.

The "administrative simplification" provisions of HIPAA require that health-care payers--including managed-care companies, other insurers, Medicare, Medicaid and other government programs--use and accept the same specific form for all electronic claims, as well as uniform forms for transactions including enrollment and disenrollment in a plan, claim status advice and coordination of benefits among insurers.

The rule itself does not require psychologists and other providers to use electronic transactions. But if health professionals do, they will be required to use these standard forms and abide by all the other HIPAA rules, including those aimed at ensuring patient privacy and record security.

Many health-care experts observing the process say psychology practitioners will want to transmit electronically because the revamped system could offer significant advantages. For one, providers would no longer have to learn--or have staff learn--multiple submission processes for various insurers. And, probably of most interest, claims for reimbursement should move faster.

Practitioners who have not heard of, much less started working on, these HIPAA requirements should realize they are not alone. The Gartner Group, a computer consulting firm, found recently that three-quarters of health-care organizations had not assessed what HIPAA will require them to do.

There's no need to panic, but practitioners need to start now to familiarize themselves with the rules, and assess what they need to do to comply. The Practice Directorate is helping with the process.

"We're initiating a series of strategic efforts to raise awareness and educate practitioners about HIPAA compliance," said Russ Newman, PhD, JD, APA's executive director for practice.

In addition, the federal government is expected to provide guidance for psychologists and other health professionals in the next several months.

Impetus for change

The HIPAA system was born of a request in the early 1990s from the major players in health care who went to HHS and to Congress seeking to bring to health care some of the electronic efficiencies that have been so successful in the banking industry. The belief was, and remains, that electronic transactions will lower health-care system costs.

For example, armed with automatic teller machines and a host of other technologies, banks can instantaneously process thousands of transactions across the country because they have long had uniform standards for electronic transmissions. Compare that to health care, where submitting, receiving, approving and paying claims are an industry within an industry and can take weeks or months to be settled--an administrative jumble that eats up as much as a quarter of the health-care dollar.

HHS has been working since the law was passed in 1996 to set up the standards, but has been delayed by the complexity of both the system and of getting it through the regulatory approval process.

Thomas Sullivan, MD, vice president of the Massachusetts Medical Society, who has given presentations on HIPAA to the American Medical Association, says that although many people inside and outside of the health-care industry now understand that the development of the rules is more complex than previously thought, "most of the players know that it is the right thing to do."

Transaction rules

Most of the implementation of the basic electronic transmission standards is going to be a matter for computer experts.

However, psychologists should be aware of the standards and those who plan to use electronic transactions should be talking with their software vendors about whether and when their systems will be HIPAA-compliant.

The transaction standards involve more than just the basic form. One reason the transaction rules have been delayed is that the coding and other systems for filling in the blanks on the forms are also spelled out by the regulations, say government officials.

For example, HHS adopted the widely used ICD-9-CM for diagnosis codes and CPT-4 for physicians' services and other health-related services. But in addition, systems are being set up to give a unique identifier number to each provider, each health plan and each employer to be used on all electronic transactions. The unique identifier for every patient has been put on hold, so far, due to privacy concerns.

Ensuring privacy

The rules for health-care privacy mandated under HIPAA were essential to implementing electronic transmission, but they could also present a sea change for health-care and psychology practitioners.

Delayed briefly by the Bush administration, the privacy rules are now moving forward in the form finalized by the Clinton administration last December, although HHS Secretary Tommy Thompson has said the department will offer guidelines and possible modifications.

Compliance will be required by April 14, 2003. The rules mandate that providers get patients' consent to share records for even routine purposes such as treatment, payment or health-care operations. Beyond that, patients must give separate authorization for release of psychotherapy notes--what practicing psychologists typically refer to as "process notes"--to parties beyond the treating provider, thereby affording heightened protection for these notes.

Further, when records are disclosed for nontreatment purposes, the law requires that only the minimum information necessary be disclosed. The law also gives patients the right to see and get copies of their records, and to get a history of any nonroutine disclosures of their records.

The administrative requirements of the privacy rule are "scalable." According to Doug Walter, JD, legislative counsel on the Practice Directorate's government relations staff, this means that a covered entity "reasonably" meets the requirements according to its size and type of activities related to records transactions. For example, an entity covered by this rule must train all members of its workforce on the policies and procedures to protect individually identifiable patient information. HHS has recognized that training must be flexible, leaving it to the covered entity to decide the nature and method of training to achieve this requirement.

As another example, a covered entity is required to designate a privacy officer responsible for developing policies and procedures. A reasonable analysis of the scalability principle would suggest that a psychologist may identify herself or himself as the privacy official in solo practice, whereas in a large insurance company, the privacy official may constitute a full-time staff position.

Security rules

The security rules are another change under HIPAA's administrative simplification that will affect psychologists. HHS regulations to implement those requirements, aimed at guarding against improper access to electronically stored information, were proposed in the Federal Register, Aug. 12, 1998. People close to the HIPAA process expect that the final standards will be published in the next few months.

The proposed rules require any health-care provider who transmits records in electronic form to have:

* Documented administrative procedures to guard data integrity, confidentiality and availability.

* Physical safeguards for protecting data, including protection from fire and other hazards and intrusions. This covers use of locks, keys and administrative control over access to computer systems and facilities.

* Technical security processes to restrict access to data to employees with a business need for it. This includes aspects such as passwords, personal identification and automatic logoff.

* Technical security mechanisms to guard data transmitted over a communications network so that it cannot easily be intercepted or accessed.

It's important to note that the security standards, like the privacy standards, also will be "scalable." That means that what will be required to create the same level of security will be easier for small practices than for large organizations. For purposes of its discussion, HHS describes "a small or rural provider" as one-to-four physicians [apparently the same for psychologists] with two-to-five additional employees. HHS states, "For example, in a small physician practice, a contingency plan for system emergencies might be only a few pages long and cover issues such as where backup disks should be stored, and the location of the backup personal computer."

Practitioners may want to read the "Small or rural provider example" printed as part of the discussion of the rule, in the Aug. 12, 1998 Federal Register, page 43255, www.access.gpo.gov.

© 2001 American Psychological Association
