The HIPAA Implementation Newsletter Issue #31 - April 5, 2002
| Transactions Extension | Transaction Test | Employers | Security | Consulting |
Posted: Apr 23 2002 Hal Amens
Transactions: Filing for Extension
On March 28, 2002, the US Department of Health & Human Services released the model form to request an extension for complying with the HIPAA Transaction & Code Set rules. There are four sections to the form:
Section A: Contact Information. Section B: Reason for Filing for This Extension, requires selecting one or more options from a list. Section C: Implementation Budget, again offers a list including “Don’t Know.” Section D: Implementation Strategy, covers three phases:
* Awareness: To complete this phase you should
- obtain information regarding HIPAA Electronic Transactions and Code Sets Standards;
- discuss this information with your vendors; and
- conduct preliminary staff education.
* Operations Assessment: To complete this phase you should
- inventory the HIPAA gaps in your organization;
- identify internal implementation issues and develop a workplan to address them; and
- consider and decide whether or not to use a vendor or other contractor to assist you.
* Development and Testing: To complete this phase you should
- finalize development of applicable software and install it;
- complete staff training on how to use the software; and
- start and finish all software and systems testing.
Should you file?
Davis Wright Tremaine LLP notes, “Among other things, a covered entity cannot be in TCS compliance unless all its HIPAA business associate-trading partners are also in compliance. Because the TCS standards are going to change, and because most of the industry will seek the extension, chances are good that many business associates will not in fact meet the TCS standards in Oct. 2002. That would be trouble for any covered entity that did not seek the extension and that has trading partner relationships with non-TCS compliant business associates.
“Moreover … there is no regulatory or business disadvantage to seeking an extension. It costs nothing. The form is streamlined and extremely easy to complete. And grant of the extension is automatic upon filing.”
Filing for an extension for transactions does not affect the compliance dates for privacy or related security. CMS will shortly provide means to file plans electronically, and plans do not need to be filed until October 16, 2002.
More at: www.cms.gov
The form in PDF: www.cms.gov
More at: www.dwt.com
Transactions and Third Party Testing
There are a large number of entities that have to participate in HIPAA-related transaction testing: 695,000 providers, 3,000 payers, 50,000 self-administered payers and 2,550,000 other employer health plans (see the following article). Gartner estimates 2.2 transactions per relationship. The numbers, and the time required for testing, are staggering. The issue is even worse because it takes two entities to test, which creates a scheduling nightmare. If you wait until the April 2003 deadline to start testing (the deadline specified by H.R. 3323) you may not be able to complete your testing in time to be compliant. If you are a large organization there may not be enough time, and if you are a small organization you may find that the large organizations are using all of the available resources.
An early start gives you more time to make any needed corrections, provides some flexibility in scheduling tests, and makes better use of limited IT resources. But you need someone to test with, and you probably do not want to test with trading partners until you are reasonably certain you have addressed all the basic issues. Kepa Zubeldia of Claredi suggests you start testing with a neutral third-party testing facility that is ready now and will be understanding about any problems you encounter. SNIP recommends the following six levels of testing, all of which can be conducted with a third party:
– X12 syntax integrity
– Implementation Guide requirements, e.g., loops, valid segments, elements, codes
– Balancing of amounts, e.g., claim, remittance, COB, etc.
– Code sets, e.g., X12, ICD-9, CPT4, HCPCS, Reason Codes, others
– Situational requirements, e.g., inter-segment dependencies
– Specialty or Line of Business, e.g., oxygen, spinal manipulation, ambulance, etc.
When you are certain your transactions are compliant, you can test with trading partners to cover telecom, special contract requirements, etc. Testing with trading partners should then go well, or at least the number of problems will be limited and easier to fix.
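As an added illustration of the first SNIP level, X12 syntax integrity, here is a small checker for the interchange envelope. It is example code written for this issue, not SNIP's, Claredi's or any translator vendor's. It assumes ASCII X12 with the separators declared in the fixed-width ISA header, and works on a constructed sample interchange built inline (the `isa_header` helper exists only to build that sample; the ST*837 set inside it carries just a few segments and is not a real claim). The checker verifies the separator declarations, the 106-character ISA, and that SE, GE and IEA counts and control numbers agree with the ST, GS and ISA segments they close.

```python
"""Level-1 X12 syntax-integrity checks on an interchange envelope.

Added example for this newsletter; not code from SNIP, Claredi or any
certified translator. Assumes ASCII X12 with the separators declared in
the fixed-width ISA header. The sample interchange is constructed.
"""


def isa_header(sender, receiver, ctrl="000000001"):
    """Build a fixed-width ISA header (106 chars including the '~' terminator).
    Exists only to construct the sample below; real data comes from partners."""
    return (
        "ISA*00*" + " " * 10 + "*00*" + " " * 10
        + "*ZZ*" + sender.ljust(15) + "*ZZ*" + receiver.ljust(15)
        + "*020405*0801*U*00401*" + ctrl + "*0*P*:~"
    )


# Constructed sample: one functional group holding one tiny transaction set.
# Not a real claim; only the envelope is meaningful here.
SAMPLE_OK = isa_header("SENDERID", "RECEIVERID") + (
    "GS*HC*SENDERID*RECEIVERID*20020405*0801*1*X*004010X096A1~"
    "ST*837*0001~"
    "BHT*0019*00*0123*20020405*0801*CH~"
    "NM1*41*2*EXAMPLE CLINIC*****46*SENDERID~"
    "SE*4*0001~"  # 4 = ST, BHT, NM1, SE
    "GE*1*1~"
    "IEA*1*000000001~"
)
# Same interchange with a wrong SE01 segment count.
SAMPLE_BAD_COUNT = SAMPLE_OK.replace("SE*4*0001~", "SE*5*0001~")


def _elem(seg, n):
    """Element n of a split segment, or '' when the segment is too short."""
    return seg[n] if n < len(seg) else ""


def check_envelope(raw):
    """Return a list of syntax findings for one interchange; [] means clean."""
    findings = []
    if not raw.startswith("ISA") or len(raw) < 106:
        return ["ISA header missing or shorter than the fixed 106 characters"]
    # ISA is fixed width, so the separators sit at known offsets.
    elem_sep, comp_sep, seg_term = raw[3], raw[104], raw[105]
    if len({elem_sep, comp_sep, seg_term}) != 3:
        findings.append("element, component and segment separators must differ")
    chunks = [c.strip() for c in raw.split(seg_term)]  # tolerate '~\n' line ends
    if len(chunks[0]) != 105:
        findings.append("ISA segment is not 105 characters before its terminator")
    segs = [c.split(elem_sep) for c in chunks if c]
    isa_ctrl = _elem(segs[0], 13)

    groups = 0  # GS segments seen, for IEA01
    gs_ctrl = st_ctrl = None
    st_in_group = seg_in_txn = 0
    for idx, seg in enumerate(segs, start=1):
        tag = seg[0]
        if st_ctrl is not None:
            seg_in_txn += 1  # every segment after ST, SE included
        if tag == "GS":
            groups += 1
            gs_ctrl, st_in_group = _elem(seg, 6), 0
        elif tag == "ST":
            st_ctrl, seg_in_txn = _elem(seg, 2), 1  # ST counts itself
            st_in_group += 1
        elif tag == "SE":
            if _elem(seg, 1) != str(seg_in_txn):
                findings.append(f"segment {idx}: SE01 says {_elem(seg, 1)} segments, counted {seg_in_txn}")
            if _elem(seg, 2) != st_ctrl:
                findings.append(f"segment {idx}: SE02 {_elem(seg, 2)} does not match ST02 {st_ctrl}")
            st_ctrl = None
        elif tag == "GE":
            if _elem(seg, 1) != str(st_in_group):
                findings.append(f"segment {idx}: GE01 says {_elem(seg, 1)} transaction sets, counted {st_in_group}")
            if _elem(seg, 2) != gs_ctrl:
                findings.append(f"segment {idx}: GE02 {_elem(seg, 2)} does not match GS06 {gs_ctrl}")
            gs_ctrl = None
        elif tag == "IEA":
            if _elem(seg, 1) != str(groups):
                findings.append(f"segment {idx}: IEA01 says {_elem(seg, 1)} groups, counted {groups}")
            if _elem(seg, 2) != isa_ctrl:
                findings.append(f"segment {idx}: IEA02 {_elem(seg, 2)} does not match ISA13 {isa_ctrl}")
    if segs[-1][0] != "IEA":
        findings.append("interchange does not end with IEA")
    if st_ctrl is not None or gs_ctrl is not None:
        findings.append("ST or GS envelope left open")
    return findings


if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_OK), ("bad SE count", SAMPLE_BAD_COUNT)):
        print(name, check_envelope(sample) or "OK")
```

Run stand-alone it reports nothing for the clean sample and one finding for the copy whose SE01 count was altered. Levels 2 through 6 (implementation-guide loops, balancing, code sets, situational rules, specialty) need the implementation guides and code tables and are not attempted here; a file that fails this level should not be sent to a third-party tester at all.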
“And, if you think your vendor or clearinghouse will take care of [testing] for you, you need to wake up. Vendors and clearinghouses cannot make up data when it is not there. Even if the vendor or clearinghouse has a totally compliant system, it is up to the users of that system to make sure they are using it in a compliant way.
“The providers and payers need to make sure they have the data for each one of their business scenarios. The vendors will help, but you need to do your part. An example in the security area: the system provides HIPAA-compliant individual accounts with individual passwords, but everybody in the office shares a handful of accounts with common passwords. In the EDI area: the system allows the capture of the TaxID of the referring physician along with the UPIN. But the office does not capture the TaxID, only the UPIN of the referring physician. All of a sudden that compliant system is producing non-compliant transactions because the implementation guide requires the TaxID (or SSN) of the referring physician to be sent along with the UPIN. A vendor or clearinghouse cannot fix these issues for you.” Kepa Zubeldia, Claredi, in [hipaalive] TCS: Testing and Certification
More on transaction testing at:
lpf.com
More on third party testing at:
www.ehcca.com
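Zubeldia's security example, individual accounts issued but a handful shared across the office, is detectable from logon records. The following is an added example, not code from Claredi or from this newsletter's publisher. It assumes a simple logon log format, one record per event with an ISO 8601 timestamp, an account name and the workstation it came from; an account that logs on from two different workstations within a short window is flagged as probably shared. The log lines are constructed for the example.

```python
"""Flag accounts shared between workstations, from logon records.

Added example for this newsletter; not code from Claredi or from Lyon,
Popanz & Forester. Assumed log format: one line per event,
'<ISO timestamp> LOGON|LOGOFF user=<account> host=<workstation>'.
The sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample logons for one morning (not real data).
SAMPLE_LOG = """\
2002-04-05T08:01:12 LOGON user=frontdesk host=WS-01
2002-04-05T08:02:40 LOGON user=frontdesk host=WS-03
2002-04-05T08:03:05 LOGON user=frontdesk host=WS-07
2002-04-05T08:05:00 LOGON user=jsmith host=WS-02
2002-04-05T08:06:00 LOGOFF user=jsmith host=WS-02
2002-04-05T12:30:00 LOGON user=jsmith host=WS-09
2002-04-05T09:00:00 LOGON user=billing host=WS-04
2002-04-05T09:00:30 LOGON user=billing host=WS-04
2002-04-05T09:20:00 LOGON user=billing host=WS-05
"""

WINDOW_SECONDS = 30 * 60  # two hosts within half an hour looks like sharing


def parse_logons(text):
    """Yield (timestamp, account, host) for LOGON records; skip anything else."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "LOGON":
            continue
        fields = dict(p.split("=", 1) for p in parts[2:])
        yield datetime.fromisoformat(parts[0]), fields["user"], fields["host"]


def find_shared_accounts(text, window_seconds=WINDOW_SECONDS):
    """Return {account: sorted hosts} for accounts that logged on from more than
    one workstation within window_seconds. Repeats from the same host are not
    counted, and a user who moves desks hours later is not flagged."""
    by_user = defaultdict(list)
    for ts, user, host in parse_logons(text):
        by_user[user].append((ts, host))
    shared = {}
    for user, events in by_user.items():
        events.sort()  # logs are not always in time order
        hosts = set()
        for i, (ts_i, host_i) in enumerate(events):
            for ts_j, host_j in events[i + 1:]:
                if (ts_j - ts_i).total_seconds() > window_seconds:
                    break  # sorted, so later events are farther away
                if host_j != host_i:
                    hosts.update((host_i, host_j))
        if hosts:
            shared[user] = sorted(hosts)
    return shared


if __name__ == "__main__":
    for account, hosts in find_shared_accounts(SAMPLE_LOG).items():
        print(f"{account}: used from {', '.join(hosts)}")
```

On the sample, the front-desk account is reported from three workstations within two minutes and the billing account from two, while jsmith, who logged on from a second desk four hours later, is not. The window is the tuning knob: widen it and legitimate desk moves start to appear, so pair the report with a list of known shared kiosks before acting on it.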
HIPAA Privacy Impact on Employers
“Employers may not know that any employer that provides healthcare coverage to its employees, either through a fully insured or self-insured health plan, will be affected by the Privacy Rule and will be required to change its operations to comply with the Rule. … the scope of necessary changes to operations could be quite burdensome for many. “Subject to certain exceptions, below are the major steps that an employer will need to take in order to comply with the Privacy Rule with respect to use and disclosure of PHI between the group health plan and the plan sponsor:
1. Create privacy policies and procedures that ensure that all PHI relating to employees is adequately protected to comply with the Privacy Rule,
2. Amend group health plan documents to specify how the use of PHI will be restricted to the purposes permitted by the Privacy Rule,
3. Establish policies and procedures to ensure that consent is obtained from an employee prior to using PHI for purposes such as enrollment in a group health plan,
4. Establish "firewalls" between personnel (and workspace) associated with handling PHI for purposes of administering the group health plan and the rest of the employer's personnel and operations.
5. Implement a compliance program for employees which includes appointing a privacy officer, training employees likely to come into contact with PHI, and creating a process to sanction employees who violate the employer's privacy policies and procedures.
“In connection with implementing a compliance program (see point 5), group health plans are exempt from these requirements if they provide health benefits solely through an insurance contract with a health insurance issuer or an HMO and they do not create or receive PHI except for summary health information, or information regarding the status of an individual's enrollment, or disenrollment from the HMO or health insurance issuer.
“Lastly, employers must be aware of the potential penalties for noncompliance with the requirements discussed above. The Secretary of HHS may investigate any complaints filed regarding group health plans that have allegedly violated the Privacy Rule. A finding of noncompliance can impose large burdens on the employer, with civil penalties ranging from $100 per violation to $25,000 per person per violation in a single calendar year. Criminal penalties range from $50,000 and/or one year imprisonment for a knowing violation up to $250,000 and/or ten years imprisonment for a violation with intent to sell, transfer, or use PHI for commercial gain.”
More at: www.healthleaders.com
Security: Firewall Configuration
“According to analysts, the biggest challenges surrounding corporate firewalls involve proper configuration. ‘Corporate firewalls work as well as they ever did. It's never been a cure-all. There are plenty of threats and problems that a firewall's not going to help you with -- that doesn't mean they're doing any less.’
“The Yankee Group's Kovar said that while firewalls should account for 30 percent to 50 percent of an overall security solution, the defense mechanisms they provide are somewhat limited. ‘What firewalls are not able to do is go to the next level and look for malicious activity. They don't check to see what types of things are going on.’ Russell echoed other experts who stressed that computer and network security are multifaceted and should adhere to a ‘minimum set of standards,’ including a firewall, an intrusion detection system (IDS) and, in most cases, antivirus mail filtering and antivirus protection on individual machines.
“Analysts also agreed that the biggest challenges for firewall users are proper configuration, up-to-date patching and interoperability with other applications.”
More at: ecommercetimes.com
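Most of the configuration problems the analysts describe are visible in the ruleset itself, before any traffic is sent. The following added example (not from the article, this newsletter or any firewall vendor) audits an ordered, first-match ruleset written in an assumed vendor-neutral text form, ACTION PROTO SRC DST DPORT with any as a wildcard, and reports three classic faults: an accept-everything rule, a rule that can never match because an earlier rule already covers all of its traffic (the dangerous case being a deny placed after a broader permit), and a ruleset with no final explicit drop. Both rulesets are constructed.

```python
"""Audit an ordered, first-match firewall ruleset for common mistakes.

Added example for this newsletter; not code from the article or any
firewall vendor. Assumed rule format, one rule per line:
    ACTION PROTO SRC DST DPORT      (e.g. 'accept tcp any 10.0.1.5/32 443')
with 'any' as a wildcard and the first matching rule deciding. Both
rulesets below are constructed.
"""
import ipaddress

WEAK_RULESET = """\
# broad permit first, so the later telnet block never fires
accept tcp any 10.0.0.0/8 any
accept tcp 192.168.1.0/24 10.0.1.5/32 443
drop   tcp any 10.0.1.5/32 23
accept any any any any
"""

HARDENED_RULESET = """\
accept tcp 192.168.1.0/24 10.0.1.5/32 443
accept tcp 192.168.1.0/24 10.0.1.6/32 25
drop   any any any any
"""


def parse_rules(text):
    """Parse rules into dicts; None stands for 'any' in src, dst and dport."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, proto, src, dst, dport = line.split()
        rules.append({
            "action": action, "proto": proto,
            "src": None if src == "any" else ipaddress.ip_network(src),
            "dst": None if dst == "any" else ipaddress.ip_network(dst),
            "dport": None if dport == "any" else int(dport),
            "text": line,
        })
    return rules


def covers(net, other):
    """True if net (None = any) contains every address that other does."""
    if net is None:
        return True
    if other is None or net.version != other.version:
        return False
    return other.subnet_of(net)


def shadows(earlier, later):
    """True if every packet `later` could match is already matched by `earlier`,
    so `later` is dead. Its action is irrelevant: a deny after a wider permit
    is the dangerous case."""
    return (
        earlier["proto"] in ("any", later["proto"])
        and covers(earlier["src"], later["src"])
        and covers(earlier["dst"], later["dst"])
        and earlier["dport"] in (None, later["dport"])
    )


def is_catch_all(rule):
    """Rule with wildcards in every field (matches any packet)."""
    return (rule["proto"] == "any" and rule["src"] is None
            and rule["dst"] is None and rule["dport"] is None)


def audit(text):
    """Return a list of findings; [] means none of the three checks fired."""
    rules = parse_rules(text)
    findings = []
    for i, rule in enumerate(rules, start=1):
        if rule["action"] == "accept" and is_catch_all(rule):
            findings.append(f"rule {i}: accepts everything: {rule['text']}")
        for j, earlier in enumerate(rules[:i - 1], start=1):
            if shadows(earlier, rule):
                findings.append(f"rule {i}: never matched, shadowed by rule {j}: {rule['text']}")
                break
    if not (rules and rules[-1]["action"] == "drop" and is_catch_all(rules[-1])):
        findings.append("ruleset does not end with an explicit drop-all rule")
    return findings


if __name__ == "__main__":
    for name, ruleset in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(name, audit(ruleset) or "no findings")
```

The weak ruleset yields four findings: the specific HTTPS permit and the telnet drop are both dead because the first rule already accepts all TCP into 10.0.0.0/8, the last rule accepts everything, and there is no closing drop. The hardened version, with narrow permits followed by drop-all, yields none. The shadow test is a per-field superset check, which is exact for single-rule shadowing; a rule hidden only by the union of several earlier rules is not caught and needs a full reachability analysis.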
Consulting Services Demand
A survey of consultants by TechRepublic ranked government as the industry with the greatest demand for consulting services in 2002 (36%), followed by healthcare at 30%. The remaining 34% was split among financial institutions at 20%, manufacturing at 10% and utilities at 4%.
Gartner has predicted that the healthcare industry will increase its spending on IT external services from $11.6 billion in 2000 to $21.6 billion in 2005. "HIPAA will place greater pressure on the management of administrative tasks and as the trend toward national health chains continues, there will be a greater payer market consolidation. Patient rights legislation will place renewed focus on customer care in the payer segment and on quality of care in the provider segment."
More at: www.techrepublic.com (free registration required).
Update
We have added links to the model form for requesting an extension for compliance with the transaction and code set rules at http://lpf.com/hipaa/text.html#model-compliance-text, and a new category, Research Material, at lpf.com; the first item is The United States Healthcare Directory.
HIPAA Conferences
The Fourth National HIPAA Summit, April 24-26, 2002, Washington, D.C. The nation's leading federal and state regulators and HIPAA experts will convene to discuss the status of major healthcare privacy and security regulatory initiatives, including HIPAA and Gramm-Leach-Bliley, at the Summit's National Town Meeting on Regulating Healthcare Privacy and Security on Thursday, April 25. Speakers include Ruben King-Shaw of CMS; Adair, Azar, Eden, Fyffe and Trudel from DHHS; Fielding of NAIC on GLB; Beales of FTC; Corrigan of the Institute of Medicine; Wetzel of the Leapfrog Group; MHDC, NAHDO, NCHICA and SHARP from the states; and representatives of AFEHCT, AHA, AMA, BCBSA, HIAA, HLC, Johns Hopkins and Oracle.
www.hipaasummit.com
Emerging Technologies and Healthcare Innovations Congress (ETHIC 2002), June 19-21, 2002, Washington, D.C. Includes a HIPAA compliance track.
www.ethic2002.com
___________
The HIPAA Implementation Newsletter is published periodically by Lyon, Popanz & Forester. Copyright 2001, All Rights Reserved. Issues are posted on the Web at lpf.com concurrent with email distribution. Past issues are also available there. Edited by Hal Amens hal@lpf.com
Information in the HIPAA Implementation newsletter is based on our experience as management consultants and sources we consider reliable. There are no further warranties about accuracy or applicability. It contains neither legal nor financial advice. For that, consult appropriate professionals.
Lyon, Popanz & Forester http://lpf.com is a management consulting firm that designs and manages projects that solve management problems. Planning, program management offices and project management for HIPAA are areas of special interest.