Health Insurance Portability & Accountability Act (HIPAA)

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), was the result of efforts by the Clinton Administration and congressional healthcare reform proponents to reform healthcare. The goals and objectives of this legislation are to streamline industry inefficiencies, reduce paperwork, make it easier to detect and prosecute fraud and abuse and enable workers of all professions to change jobs, even if they (or family members) had pre-existing medical conditions.

The HIPAA legislation had four primary objectives:

  1. Assure health insurance portability by eliminating job-lock due to pre-existing medical conditions
  2. Reduce healthcare fraud and abuse
  3. Enforce standards for health information
  4. Guarantee security and privacy of health information

The HIPAA legislation is organized as follows:

Title I: Guarantees health insurance access, portability and renewal

  • Guarantees coverage and renewal
  • Eliminates some pre-existing condition exclusions
  • Prohibits discrimination based on health status

Title II: Preventing healthcare fraud and abuse

  • Fraud and abuse controls
  • Administrative Simplification (AS) provisions (Subtitle)
  • Medical Liability Reform

Title III: Tax-related Provisions

  • Medical Savings Accounts
  • Health Insurance tax deduction for self-employed

Title IV: Application & Enforcement of Group Health Plan Requirements

  • Enforcement of group health plan provisions

Title V: Revenue offset provisions

  • Revenue offset provisions

However, when looking at HIPAA it is important to remember that the actual HIPAA rules and detail requirements that the healthcare industry have to follow stem from the Administrative Simplification (AS) provisions of HIPAA, which fall under Title II (Fraud and Abuse) of the HIPAA act itself. These provisions are intended to reduce the costs and administrative burdens of healthcare by making possible the standardized, electronic transmission of administrative and financial transactions that are currently executed manually and on paper.

The Administrative Simplification (AS) provisions specifically state what rules and standards the healthcare industry must implement in order to comply with HIPAA. The AS provisions also require specific implementation deadlines, based upon the date when the Final Rule (for a specific issue) is published in the Federal Register, plus the mandatory 60 day review period during which time the rule may be challenged and overturned or delayed on appeal. For example, The Final Rule for National Standards for Electronic Transactions (which include EDI Transaction and National Code Set standards for claims processing) was the first HIPAA compliance rule to publish on August 17, 2000. Therefore, the compliance date for this rule becomes April 14, 2003.

This rule requires healthcare organizations, insurers and payers that have been using any electronic means of storing patient data and performing claims submission (including faxes we are told), must comply with this new Final Rule for National Standards for Electronic Transactions.

Providers that use an electronic clearinghouses to process their transactions do not have to modify their systems at present to assure compliance, however the provider has to make sure that the clearinghouse, as a business partner, is compliant with the new regulations. In all likelihood, providers will have to make some modifications to ensure ancillary and departmental systems are capturing HIPAA required information and transmitting that data. Transmissions to their Admission, Discharge and Transfer (ADT) systems and billing systems in order for the clearinghouse to be able to create and send a HIPAA compliant transaction.
Additional provider, payer and insurance system modifications will also be required for Privacy and Security rules as mandated by the AS provisions, so having a clearinghouse does not preclude a provider, insurer or payer from having to make other computer system changes as part of their HIPAA compliance efforts.

At the risk of oversimplification, this rule requires providers, insurers, payers and to a small extent, employers to submit enrollments, eligibility and claims processing via Electronic Data Interchange or EDI transactions.

EDI is nothing new and has been commercially available since the 1980s. Many large companies have been using EDI for years to process orders, send invoices and issue, or receive payments with their electronic trading partners.

EDI is essentially a set of very specific rules governing how information will be packaged in order to send orders, invoices, statements, and payments electronically from one electronic trading partner to another.

The government has essentially adopted this standard as a good way of ensuring that everyone (providers, payers, insurers and employers) will use these excellent standards as a way of communicating and sending information to each other. Properly done, EDI transactions do not require human intervention and should process very quickly.

Therefore, providers should be able to submit electronic eligibility or benefit inquires and claims via EDI transactions to the payer whose claims system should process the EDI transaction quickly, returning a claim payment/advice electronically and without delay.

Other HIPAA compliance rules currently defined and proposed under the (AS) provisions, but not expected to be finalized until 4Q, 2000 or early 1Q, 2001, include:

  • Standards for Privacy of Individually Identifiable Health Information
  • National Provider Identifier
  • Employer Identifier
  • Security and Electronic Signatures

The Standards for Privacy of Individually Identifiable Health Information are designed to help guarantee privacy and confidentiality of patient medical records. These new Standards for Privacy are quite extensive. Healthcare providers, insurers, payers, and employers should review this rule and it is requirements in great detail with the intent to update and replace any current internal guidelines in order to insure HIPAA compliance.

The National Provider Identifier, the Employer Identifier and an earlier proposal for a National Individual Identifier were designed to help speed processing of enrollment, eligibility and claims processing by having a national set of identification numbers that the entire industry would use to identify a specific provider, insurer or patient. These same steps would also help identify fraud and abuse by eliminating situations where providers and individuals have multiple identifiers today, making it difficult to match and track claims to both providers and individuals, particularly where fraud is intended.

However, the National Individual Identifier conflicted with protests from civil libertarians and individuals concerned about big brother having the ability to identify, track and gain information about anyone in the country via a single identification number. As a result, the National Individual Identifier seems to have been put on the sidelines until such time as a reasonable compromise could be worked out that would assure all sides that there would be no abuses of such a system.

Achieving HIPAA compliance, particularly for healthcare providers, will not be easy and will be costly to the provider and payer organizations. Providers, payers, and insurers will have to educate and train their staffs to comply with the new requirements and then perform ongoing compliance monitoring and application of appropriate sanctions when necessary. Providers, unlike insurers, also have to deal with millions of family members, loved ones, and outside visitors from all walks of life in the course of performing daily business. These daily visitors, along with security challenges supplied in ample quantity by the Internet hackers, email viruses and the shear physical size of some organizations makes the protection of individually identifiable patient information a major challenge in itself.

Over time and once fully implemented, HIPAA should minimize the amount of paperwork and human intervention required to verify a patient’s eligibility and minimize the amount of human effort required to perform claims processing. The required eligibility and claims transactions should not require human intervention if submitted correctly and according to the transaction standards. Insurers or payers may only want to manually examine randomly submitted claims or claims for a specific individual or business as part of fraud or abuse detection. Since claims should be processed far more quickly, claims payments to the providers should also speed up (at least in theory), hopefully easing some of the cash flow burden for provider organizations. Security improvements to prevent deliberate or accidental accessing of unique or individually identifiable patient data will address concerns over privacy of patient data. Moreover, digital Electronic Signature (as proposed) will ensure that persons submitting fraudulent electronic insurance or Medicare/Medicaid claims, will not be able to deny submitting them in court later on.
While it is easy to get tangled up in the emotion of having the expenditures and work effort required to achieve HIPAA compliance, it is important to remember there are many positive features of HIPAA. The need for insurance portability is apparent. Protecting the patients’ right to the privacy of healthcare information has always been, and should remain a high priority. Reductions in fraud and abuse are certainly welcome, if not long overdue.

Quicker processing of eligibility and claims not only reduces the cost of these items to the hospital and the insurer/payer but provides better service to the patient as well. Although there may be some pain associated with the successful implementation of compliance rules, the result will ultimately be the improvements that the Clinton administration and Congress agreed upon and intended.