By Bruce D. Armon, Esq. & Shardul Mehta
Most physician practices are computerized in some fashion. The level of computerization may range from simple billing functions and patient scheduling to electronic medical records and entire practice management activities.
By now, most of the health care industry has heard of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA does not require practices to purchase computer systems. However, the installation of a HIPAA-compliant software system may actually help a practice reduce its administrative costs. Two of the principal areas of a physician’s practice affected by HIPAA are the practice’s billing software and practice management software.
HIPAA includes six sets of rules related to the format of electronic transactions; protection of patient’s privacy; ensuring the security of patients’ health information; and defining universal identifiers for individuals, health care providers and employers.
The timeline for compliance for two components of HIPAA is rapidly approaching. These are the Transactions and Code Set Standard (Transaction Standards) and the Privacy Standards, which have already been finalized and are set to take effect in October 2002 and April 2003, respectively.
President Bush recently extended the deadline for compliance with the Transaction Standards to October 2003. However, this is not a blanket extension of the deadline. Congress recognized that this extension had the potential to result in an indefinite delay in the implementation of the Transaction Standards. Therefore, HIPAA-covered entities (this includes physicians and their practices) must get approval for an extension from the Secretary of HHS. The covered entity must explain how it plans to use the extra year to achieve compliance. HHS is required to provide a model compliance form for covered entities seeking an extension by March 31, 2002, though a covered entity is not required to use this model form when making its request for an extension. If no extension is sought, all covered entities that can reasonably meet the original October 2002 deadline are expected to continue their efforts to do so.
Regardless of whether a physician practice seeks an extension, it must begin internally evaluating its own practice and its relationships with its various vendors now to ensure a smooth HIPAA-compliant transition.
According to the 2000 edition of Guide to Medical Practice Software published by Harcourt, there are more than 1,500 active practice management software vendors. The medical practice software industry has revenues exceeding $4 billion per year.
Hence, how does a physician practice evaluate its current software system for HIPAA compliance? If the practice is in the market for a new software system, how should it evaluate various vendors in terms of HIPAA compliance?
Make sure the vendor understands the requirements of the Transaction Standards. The Transaction Standards has specified ANSI ASC X12 as the standard for electronic transactions, including billing, payment, eligibility verification and preauthorization. This means, for example, that a physician must make sure the electronic claims sent to payers are in ANSI ASC X12 format. According to HHS, there are approximately 400 different formats currently in place for electronic health transactions.
Therefore, whether a practice is evaluating its current computer vendor or shopping for a new one, it should make sure that the vendor is not only aware of the Transaction Standards, but is able to speak intelligently about how their systems are, or will be, compliant with the Transaction Standards. Here are two examples of the potential impact of the Transaction Standards on a physician’s computer system.
Dr. A uses a computer system that prepares claim information in an electronic file to be submitted to a clearinghouse. Once the system prepares the electronic file, Dr. A dials into the bulletin board service (BBS) provided by the clearinghouse and uploads the electronic file. Some time later, Dr. A dials back into the BBS and downloads an electronic remittance file. Dr. A’s software reads this file and automatically posts payment information.
In this example, Dr. A will get maximum value for his or her computer software if both the electronic claim file prepared by the computer system and the electronic remittance file provided by the clearinghouse are in standard ANSI format. This is possible only if both Dr. A’s system and the clearinghouse accept and submit standard transactions.
Dr. B uses a computer system that prepares claim information in an electronic file to be submitted directly to a payer (e.g., Medicare). Dr. B dials into the payer’s BBS and uploads the electronic file. Some time later, Dr. B dials back into the payer’s BBS and downloads an electronic remittance file. Dr. B’s software reads this file and automatically posts payment information.
In this example, both Dr. B’s system and the payer must support standard transactions, since Dr. B and the payer are transacting directly with each other.
A physician will get maximum value if his or her billing or practice management system is able to prepare, send, receive and process ANSI standard electronic transactions.
Note that HIPAA does not apply to the format in which data is stored. Computer systems are free to use any data format of their choosing in order to store data. HIPAA only applies to the format in which data is transmitted.
Check if the vendor is able to assist the practice in complying with the Privacy Rule. The Privacy Rule imposes numerous requirements upon physicians and their practices. For instance, prior to disclosing a patient’s protected health information (PHI) for the purposes of treatment, payment or health care operations (TPO), a physician practice must obtain the patient’s consent. In addition, a physician practice must obtain a patient’s authorization to use or disclose PHI for purposes other than TPO. An authorization is more detailed and specific, and has a definite expiration date.
A practice management system can ease the administrative headaches a physician practice may encounter in complying with the Privacy Rule with a few simple mouse clicks. For example, the practice management system could provide the following functions:
• Tracking the date that the patient’s consent was obtained.
• Maintaining electronic copies of the signed consent and authorization forms.
• Tracking patient requests for restrictions on use and disclosure of PHI, whether the physician agreed to the request, and if so, retaining a copy of the modified consent.
• Tracking whether and when the consent was revoked by the patient.
• Tracking when patient authorizations were obtained, what they were obtained for, and their expiration dates.
The Privacy Standards provide that a patient may request an accounting of all disclosures made by a covered entity (which includes a physician) within the preceding six years. The accounting of the disclosure must include, among other items, the date, name and address (if available) of the person or entity that received the information, and a description of the PHI disclosed.
Practice management software designed in compliance with the Privacy Standards could make all of this information available to the physician’s office by viewing the main “window” or connected “windows” related to that particular patient, rather than having to undertake a manual review of the hard copy of the file.
Note that a software vendor is not required to provide all of these services. However, it is in the best interest of a physician practice to partner with a vendor who is willing to work with the practice in achieving HIPAA compliance.
Be aware that, if a practice contracts with an entity considered a “business associate” as described by the Privacy Standards, the practice should make sure that the agreement between them includes certain protections as defined in the Privacy Standards. This includes a requirement that the business associate use appropriate safeguards to prevent use of disclosure of PHI other than as provided in the agreement.
During the course of the upcoming months physicians will be bombarded with requests and reminders to ensure their practices are HIPAA-compliant. Because so many physician practices now rely on sophisticated computer systems to assist them with their day-to-day office activities, physicians need to start reviewing their current practice management and billing systems. Doing so can save them time, money and administrative headaches in the long run.
If a physician finds that his or her current vendor is unable or unwilling to help it meet the HIPAA standards, then now is time to begin shopping for a new vendor whose products and services can help the physician’s practice achieve HIPAA compliance before the HIPAA compliance date.
Bruce D. Armon, Esq., is a member of the Health Law Practice of Saul Ewing LLP in its Philadelphia office. Shardul Mehta is Product Manager at InfoQuest Systems, Inc., a full service provider of health care information management systems.