HIPAA: The Next Phase

Ever since the Health Insurance Portability and Accountability Act (HIPAA) came to play a major role in the way physicians operate their practices, we've all been hearing stories about how practices have had to change -- or have chosen not to change -- in the name of compliance with the HIPAA privacy rules. It seems as though we are constantly reading about practices that have either gone overboard, or have misunderstood the regulations and have not made the necessary changes.

Did you hear the one about the practice that gave waiting patients numbers instead of calling out names for fear of breaking HIPAA privacy rules? Or the practice that decided not to comply with HIPAA at all because it figured potential fines would cost less than to make changes needed to comply with the regulations?

Inconsistency abounds, and in some cases, common sense seems to have left the premises altogether. In one physician office, we overheard the receptionist telling a patient that she would have to reschedule her appointment for that day because her referring physician had not sent some needed paperwork. The patient asked the receptionist whether her physician could fax over the documents. The receptionist replied that using the fax to transmit health information was not permitted by the new HIPAA regulations. The patient was sent home. Less than five minutes later, the same receptionist proceeded to ask another patient about his last colonoscopy -- in the middle of the waiting room, with other patients listening in.

(To set the record straight, faxes can be used to transmit protected health information as long as reasonable and appropriate measures have been taken to ensure confidentiality. But it is not appropriate to ask for a patient's medical history in front of other individuals if it can be avoided.)

While the deadline for compliance with the privacy rules came and went on April 14, 2003, it is important to keep in mind some of the lessons learned as the deadline for compliance with HIPAA's electronic transaction and code set standards closes in on October 16.

The Department of Health and Human Services (DHHS) enacted the electronic transaction and code set standards to streamline claims processing, reduce the volume of paperwork, and provide better service for physicians, insurers, and patients. The new regulations establish standard data content, codes, and formats for submitting electronic health claims, health plan eligibility, enrollment and disenrollment, payments of care and health plan premiums, claim status, first injury reports, coordination of benefits, and related transactions. Under these new requirements, physicians will (theoretically) experience faster, more reliable payment, and fewer rejections/denials of claims.

It is essential that you understand some common misconceptions about these standards so that your practice does not make some of the compliance mistakes we saw as the privacy rules came into effect.

Myth 1: Implementing the HIPAA electronic transaction and code set standards will be similar to the Y2K process.

Reality: People are comparing HIPAA to Y2K because they perceive it as the next big computer and administrative hassle. But when it comes to compliance preparation, the new HIPAA regulations will not be anything like Y2K. For one thing, it does not affect every computer in every industry. It is just about medical billing. However, if practices do not prepare for the new regulations, the repercussions could be serious. If you expect to get paid for services rendered, you'll need to comply.

What you can do: Begin testing your electronic transactions immediately if you have not already done so. Physician practices that continue to submit noncompliant claims after the October 16 deadline will likely have payments denied. Ask your software vendor whether your system is capable of handling all transactions (eligibility verification, coordination of benefits, etc.) needed at your practice, whether the system can process both old and new code sets, and whether they will provide support for testing the new system. You should also check with payers to make sure they will be able to accept your claims after the compliance deadline. While most payers are following the new federal guidelines, some may have individual tweaks. Have a contingency plan in place to ensure uninterrupted service and payment.

Myth 2: Physician practices do not have to worry about the new standards.

Reality: While software vendors and payers will have to do most of the work, physician practices are responsible for ensuring that they are HIPAA compliant. That means you may have to start putting new, and probably unfamiliar, types of patient data into your claim forms. Practices must also make sure that their computer systems are ready to process the new data elements.

What you can do: The first step is to make sure that charge tickets reflect the correct codes. CPT-4 codes should be used for procedures; ICD-9CM codes should be used for diagnoses; HCPCS codes should be used for all other substances, equipment, and supplies. Local codes -- such as the local codes used by your state's Medicaid program -- can no longer be used. You will need to assess your current use of these nonstandard codes. In some states, certain specialties such as OB/GYN and pediatrics may be largely impacted if they are treating a high volume of Medicaid patients. Physicians and any staff members who code medical services should be trained on the new coding requirements.

After charge tickets have been updated, develop a variety of scenarios, cases, and scripts to test the transaction format to determine if field lengths, placement, and other information is correct, and that all data elements are being captured and transmitted. It may also be useful to contact your local industry work group (groups of regional health plans that discuss issues related to the HIPAA requirements). These groups are often helpful in supplying instructional material to providers as well. One good source is www.wedi.org; there, you can find regional contacts for HIPAA implementation information.

Myth 3: HIPAA disallows the submission of paper-based claims using UB92 and CMS1500.

Reality: The new HIPAA standards do allow the submission of paper-based claims and the use of paper-based remittances. However, HIPAA does require that the electronic transaction and code set standards be followed whenever transactions are conducted electronically. But take note: Under the Administrative Simplification Compliance Act (ASCA) of 2001, physician practices with 10 or more full-time equivalent employees are required to submit Medicare claims electronically.

What you can do: Contact your payers and ask if they will continue to support nonstandard transactions, such as paper claims, and whether they will require providers to submit some or all transactions electronically in the future.

Myth 4: Paper claims do not have enough data to be made HIPAA-compliant.

Reality: This depends on your practice's needs. Simple data claims probably have all the data required for HIPAA. Complex claims will most likely need to be electronically transmitted in compliance with HIPAA's electronic transaction and code set standards.

What you can do: HIPAA does not mandate changes to paper claims, although changes are inevitable. To get paid for paper claims, the code sets must still be in compliance with the new HIPAA regulations. Likewise, DHHS has decided to require the same information on paper claims as on electronic transactions, whenever fields are available. Therefore, practices may have additional fields to complete on paper claims.

It is important to note that filing electronic claims is much more efficient than filing paper claims. With electronic claims, you will receive confirmation of receipt of the claim in a timely fashion, and you will be promptly notified if a claim has not been completed properly for processing and payment. Electronic claims are also more cost effective: paper transactions cost anywhere from $5 to $15 each compared to $0.85 to $1.25 for electronic transactions, according to DHHS. Furthermore, if a clean electronic claim is submitted to Medicare, it will be paid within 14 days, compared to 26 days for a paper-based claim.

Myth 5: Practices must use a healthcare clearinghouse to comply with the HIPAA electronic transaction and code set standards.

Reality: Physician practices can become HIPAA compliant on their own, but the process may require a lot of time and preparation.

What you can do: Practices should have already conducted a gap analysis to determine whether they can comply with HIPAA without contracting with a clearinghouse. In other words, identify where you are now in terms of compliance and what you have left to do. That is your gap. Then decide what resources you need to become compliant and assign responsibility to an individual or a team for testing the transactions systems and ensuring compliance by October 16. The processes that you put in place to test your transaction capabilities should be documented.

Given the late date, if you have not begun this process already, you can use a clearinghouse to start and consider bringing the process back in-house once your own compliance effort is complete.

Myth 6: Clearinghouse fees will drop due to the higher volume of transactions that will come through them.

Reality: If a healthcare clearinghouse is taking a practice's nonstandard format data and transferring it into standard format data in the outgoing direction, and then transferring standard format data into nonstandard format data in the incoming direction, you could be charged more than double your current fees.

What you can do: Call your clearinghouse and ask whether incoming and outgoing transactions are charged separately, and what the prices are for each transaction. Determine whether the quoted price and your expected volume are within your budget. If the price surpasses your allotted budget, it is wise to shop around for competitive prices on clearinghouse contracts and budget more appropriately in the future.

Myth 7: By contracting with a clearinghouse, your practice will be HIPAA compliant.

Reality: There is more to the electronic transaction and code set requirements than transaction formats. Clearinghouses and other vendors who say you will ensure compliance with HIPAA simply by contracting with them show a lack of understanding of the regulations. Regardless of whether physician practices contract with a clearinghouse, they will need to take steps to ensure their own compliance with HIPAA.

What you can do: In order for your clearinghouse to convert the nonstandard data into the standard HIPAA-compliant format, all of the needed data fields must be present. Therefore, practices must ensure that new data elements are collected and submitted, which may involve purchasing new billing software to manage the additional data fields. Practices must also train staff on the new medical and non-medical codes. In addition, practices may consider requesting a copy of a trading partner agreement which outlines the contract between payers and clearinghouses with respect to technical requirements, liability, and other issues related to HIPAA, as well as a companion guide, which is an instructional document of matrices provided by many payers to practices or clearinghouses advising them about data field arrangements.
Some organizations may have these available online (for an example, see https://provider.blueshieldca.com/edi_docs/Section1CompanionGuide.pdf). Trading partner agreements and companion guides are specific to electronic data interchange transactions and billing; by contrast, business associate agreements are related to the privacy and security regulations of HIPAA.

The bottom line

The biggest repercussion of not complying with the HIPAA electronic transaction and code set standards is that your practice will not get paid quickly or, perhaps, accurately. It is best to be prepared so your practice can avoid the costly administrative burdens of resubmitting claims. It is also beneficial to have a contingency plan -- including having cash on hand should problems arise and payments for services get denied or processed later than expected. Some organizations are asking their major payers for a prospective payment system based on historic payments for an interim basis until the kinks of implementation of the electronic transaction and code set standards are worked out.

If you keep these myths in mind and follow the suggested steps toward compliance, your practice can avoid becoming an example of what not to do.

Mikele Bunce and Richard Sinaiko can be reached at editor@physicianspractice.com.

This article originally appeared in the October 2003 issue of Physicians Practice.