COMPLIANCE
Dermatologists face major changes over next two years as accountability aspects of law take effect
Did you think your electronic nightmare and compliance issues were finished when there wasn't a Y2K meltdown Dec. 31, 1999? Well there's another acronym that all of us in healthcare will have to contend with in the next few years, and that is HIPAA, or the Healthcare Information and Portability and Accountability Act.
Clay Countryman - an attorney with Roedel, Parsons law firm in Baton Rouge, La., and author of 'The HIPAA Compliance Handbook' (Aspen Publishers) - provided insight into the compliance issue.
If you are not familiar with HIPAA, you are with the majority of your medical colleagues. HIPAA was signed into law in 1996 and consists of 1,500-plus pages of bureaucratic verbiage that is barely understood by only a handful of attorneys and healthcare experts. At the present time only the 'portability' aspect of the law (which protects the ability of people with current or pre-existing medical conditions to get health insurance) has been fully implemented. Now the 'accountability' aspects of the law are beginning to be addressed. Its many provisions include stringent codes for the uniform transfer of electronic data, including billing and other routine exchanges; and new patient rights regarding personal health information, including the right to access this information and to limit its disclosure only to those who need medical assess to the records. Also outlined are specific physical, procedural, and technological security protections all healthcare organizations must take to ensure the confidentiality of patients' medical information.
What are the HIPAA standards?
Under the Administrative Simplification provisions of HIPAA, the Department of Health and Human Services is required to issue several regulations containing 'Standards' that are intended to simplify and streamline business operations of the healthcare delivery system. These Standards will affect physician practices by: establishing requirements for the use and disclosure of patient health information to other entities; setting requirements for filing electronic claims for all providers and payers; and requiring the use of a single code identifier for providers, payers, and health plans. Physician practices should plan ahead for the compliance effective dates for all of these standards.
For example, the Standards for electronic transactions and code sets that are intended to standardize the electronic data exchange of healthrelated information is Oct. 17, 2002.
What do the HIPAA standards mean to you and your practice? You will need to make major changes in how healthcare organizations handle all facets of information management, including reimbursement, coding, security, and patient records. Every practice in the United States will have to comply with these regulations and failure to do so will result in costly fines and possibly prison sentences for flagrant violations. According to Countryman, HIPAA will require more than an upgrade of current information systems, and the work cannot be outsourced to software vendors and consultants.
Estimates for converting to HIPAA standards range from $300 to $5,000 for a solo practitioner to $75,000 to $250,000 for 50-physician, multispe- ciality or group practices
Beginning in the fall of 2002, or early 2003 for small plans and practices, you will need to implement transactions standards or the rules standardizing electronic data exchange of health-related information.
Transaction regulations
Currently, there are hundreds of different formats available for the electronic processing of health claims. The HIPAA transaction rules will require that everyone use the same format to transmit health-related information. Now you will need to be certain that your software vendors have implemented the required HIPAA changes so they can send and receive information using the standard formats. This requirement may be a motivator to make electronic data interchange preferable to (i.e., less expensive than) paper processing for providers and health plans alike.
Privacy and security regulations
Every practice in the country is going to feel the impact of HIPAA's privacy and security regulations. Instituted to provide greater protection of patient confidentiality, the regulations will require that you take a number of administrative measures to ensure that any patient-identifiable information, referred to by HIPAA as 'protected health information' (PHI), in your practice is secure. Below are just a few of the ways you can expect the HIPAA privacy and security regulations to affect medical practices in the next 24 to 36 months:
* Access control. HIPAA regulations will require that medical practices obtain explicit patient consent to use PHI for the purposes of healthcare delivery, payment, and routine practice operations.
It will be almost impossible to control access to PHI using paper-based systems and processes. Consider the haphazard treatment of paper documents in most offices. They are passed from one person to the next, photocopied, occasionally misplaced and often left out in public view. The intent of the HIPAA standard is to discourage this practice. I believe the unmistakable legacy of HIPAA will be to encourage computerization of all personal health information, regardless of who creates, stores, or transmits it. How else can providers meet HIPAA's exhaustive requirements to document all releases of information, produce audit trails, and be able to inform patients about who has accessed their medical information? The alternative to computerizing patients' medical information will be to maintain massive paper logs kept under lock and key.
Although there is hype associated with HIPAA, there are going to be some benefits. Perhaps the best that can come from the HIPAA regulations will be to encourage computerization of all personal health information.
* Elimination of insurance companies using different computer software for claims filing, and providing eligibility and claim status information much more quickly than the current method of telephone authorizations.
* Single standardized forms and processes for authorization and consents to use a patient's health information.
* Single code identifiers for individuals and entities in the health care delivery process.
* Potentially reduce the staff in the business office and staff needed for registration of patients.
* Reduce errors in processing referrals and provide faster coordination between referring physicians for their patients.
* Increase speed of account resolution and payment.
* Enable more automation of accounts receivables and hopefully reduce the ARs for most practices.
Not one of us enjoyed the anxiety of Y2K and implementing the HIPAA standards into our practices. We cannot pretend that it doesn't exist, and all of us will need to take action on this subject in the very near future. Perhaps we can approach it as half of a glass of milk which can be viewed as full or half empty. If we assume the attitude that it is half full, then we can approach HIPAA as having benefits for our practices and provide better care and more protection for our patients. So do like your mother says, 'Drink your milk. It's good for you!'
[Author Affiliation]
BY NEIL H. BAUM, M.D. STAFF COLUMNIST
[Author Affiliation]
Neil H Baum, M.D., is a urologist in private practice in New Orleans. He is the author of 'Marketing Your Clinical Practice-- Ethically Effectively, and Economically.'
