• E-mail
• Print
• PDF

Prepare now for upcoming HIPAA changes in 2006

Radiology Administrator's Compliance and Reimbursement Insider, March 1, 2006

If you thought your Health Insurance Portability and Accountability Act of 1996 (HIPAA) worries were over, think again, says Patricia Kroken, FACMPE, of Healthcare Resource Providers, LLC.

Several government initiatives on the horizon in 2006 should keep compliance officers and radiology managers searching for HIPAA enlightenment.

"Is it over yet? No. Not by a long shot," Kroken told the audience during the 2005 Radiology Society of North America (RSNA) annual conference in Chicago in December 2005.

Claims attachment standards, national provider identifiers (NPI), new security standards, vendor compliance concerns, and audit preparations represent a few of the HIPAA thoughts necessary for radiologists, Kroken said.

Compliance with such rules could make a big difference in your bottom line, said RACRI advisor Claudia A. Murray, of Provider Practice Analysis, LLC, in Baldwin, MD. Murray also spoke during the RSNA conference.

"Fraud control equals HIPAA," she said.

With nearly $6 billion recovered in healthcare fraud since the late '90s, Murray said HIPAA and associated healthcare regulations helped spur "an entire industry of compliance and regulatory study [comprised] of healthcare lawyers and consulting firms."

HIPAA issues should be a priority for radiology administrators and all healthcare providers, says RACRI advisor Michael F. Schaff, Esq., of Wilentz, Goldman & Spitzer in Woodbridge, NJ. "Consider these issues in your practice."

HIPAA history

In the early 1990s, healthcare industry leaders brainstormed ideas to reduce healthcare costs. They found the essential answer in electronic systems.

With personal information speeding along the information superhighway, public concern for privacy and security of personal health data grew. However, for such an electronic health system to work, the healthcare industry needed new privacy and reporting standards across the board. In response to these concerns, Congress passed HIPAA in 1996.

"So, how did we get HIPAA? We asked for it. We wanted to move to electronic records. We wanted to improve the system," Kroken said.

Writing privacy rules fell to the U.S. Department of Health and Human Services (HHS). Staff training, the appointment of a privacy officer, and the establishment of formal safeguards became priorities under the HIPAA Privacy Rule. HHS required compliance from all agencies, providers, plans, and clearinghouses by April 2004.

Once organizations put these pieces in place, many believed they'd completed their HIPAA puzzle.

But, as Kroken told the RSNA Chicago crowd, HIPAA is a process—it is not simply completed "so it can sit on a shelf somewhere."

New initiatives coupled with ongoing requirements means that "there's a lot for radiologists to be aware of," Kroken said.

Claims attachment standards

Formalizing electronic records processes for billing and basic patient information may seem like a no-brainer, but what happens when physicians attach labs, x-rays, or CT scans to documents and send them over the Internet?

The Federal Register published a proposal to standardize such electronic attachments last year. Comments on the proposal closed in November 2005.

The claims attachment rules work in tandem with the HIPAA Privacy Rule. They affect healthcare providers who electronically transmit information in connection with transactions normally covered by HIPAA.

The proposed standards include the use of certain transactions, messaging standards, and a new code set when electronically requesting additional information—and when providing information in response to the request.

"These HIPAA provisions make processing claims and other healthcare transactions much more efficient and in the long run [will help] save millions of dollars," HHS Secretary Mike Leavitt said in a September 2005 press release.

Embracing the NPI change

Today, healthcare providers find themselves with different identifier codes assigned by different health plans—and sometimes within the same health plan.

Throughout the healthcare industry providers based their identification numbers on location and type of practice. In the world of instantaneous access to information, such encrypted detail potentially reveals a wealth of knowledge to nefarious users.

In addition, incorrect provider identifiers often lead to inaccurate payments and improper billing practices, costing the healthcare industry millions of dollars.

As the sun sets on legacy identification numbers to classify physicians and practices, the dawn of NPIs rises.

Section 1173 of the HIPAA Administrative Simplification calls for "a standard unique health identifier for each individual, employer, health plan, and health care provider for use in the healthcare system."

NPIs ensure that each provider owns one unique identifier for transactions with all health plans. Each provider must apply for a NPI number by visiting https://nppes.cms.hhs.gov/NPPES/.

"This is one of those things where the government tells you it's going to be easy, relatively painless," said Kroken, "And this really is. Go do it."

If you have a new NPI, don't ditch your old legacy number yet. Providers and other organizations must update their legacy information systems, administrative processes, reference files, and forms to ensure continuity between old provider identifiers and the new NPIs.

Some systems will require major overhauls to accommodate the new standard. Health plans, clearinghouses, and software vendors may have to perform software conversions to meet the requirements.

Vendor compliance concerns

Radiology facilities must ensure their own compliance with HIPAA regulations as well as the HIPAA compliance of vendors with whom they contract. "This can be a very cumbersome process," says Schaff.

For example, if a radiology facility contracts with a billing agency, that facility must have a business associate (BA) agreement with the billing agency. The BA agreement must require the billing agency to protect the radiology facility's patient health information by abiding by specific restrictions on the use and disclosure of such information.

The agreement must also require that any subcontractor of the billing agency agree to the same restrictions on the use and disclosure of patient health information to which the billing agency has agreed.

Generally, the radiology facility is not required to monitor or oversee how their business associates and their subcontractors protect the privacy of patient health information. However, if the radiology facility discovers a violation of the BA agreement, it must take reasonable steps to cure the breach.

Depending upon the nature and scope of the breach, corrective action may require termination of the arrangement with the billing agency. Failure by the radiology facility to cure such breaches could subject it to severe penalties and litigation.

"You need to make sure all the parties are complying with their respective obligations to ensure that the patient health information is protected," Schaff says.

Security standards

Keeping health records—electronic or otherwise—secure remains a challenge for radiology professionals and industry leaders across the healthcare continuum.

Many administrators expressed concern about proposals for an electronic signature standard.

Several forms of electronic signatures exist today, ranging from biometric devices to digital signature, according to the Federal Register. However, to satisfy the legal and time-tested characteristics of a written signature, an electronic signature must