Healthcare providers have survived to see the dawn of the 21st Century despite Y2K, false cost reports, laboratory unbundling, DRG 72-hour window, pneumonia upcoding, IL-372, kickbacks, Stark, qui tam lawsuits and the implementation of compliance programs. As providers begin to peer out of their bunkers, the next compliance crunch looms on the horizon. It is known as “Administrative Simplification.”
The Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) (“HIPAA”) included “Subtitle F-Administrative Simplification.” Congress sought to improve the efficiency and effectiveness of the federal healthcare system by encouraging the establishment of standards and requirements for the electronic transmission of certain health information. The statute called for the development of standards in the following areas:
- electronic transactions (e.g., health claims, payments and certifications);
- code sets for data elements supporting electronic transactions (e.g., description of encounter, diagnosis, complications, etc.);
- unique health identifiers for patients, providers and plans;
- security standards; and
- electronic signature.
All standards were supposed to be consistent with the objective of reducing the administrative cost of providing and paying for healthcare.
Congress also recognized that with the increased ease of transmitting and sharing individually identifiable health information, Americans had become more concerned about privacy and confidentiality issues. In Subtitle F of HIPAA, Congress mandated the development of concomitant privacy standards covering:
- personal rights regarding individually identifiable health information;
- procedures for the exercise of such rights; and
- authorized or required uses and disclosures of such information.
Overview of Regulations
The Department of Health and Human Services (“HHS”) has issued proposed regulations detailing most of the Administrative Simplification areas, which HHS will begin to finalize in March 2000. HIPAA specified that all affected persons must comply with the standards within 24 months after formal adoption (60 days after publication of the final regulations in the Federal Register), except that “small health plans” with fewer than 50 participants have 36 months to comply. Thus, all providers and large health plans must comply with the Administrative Simplification regulations commencing in May 2002, and all affected persons should begin preparations for compliance immediately.
Electronic Transactions and Code Sets
The regulations regarding electronic transactions and code sets seek to establish standards that facilitate electronic data interchange (“EDI”) in healthcare. Currently, there are about 400 different formats used for electronic healthcare claims in the United States. Standard EDI format would permit data interchange without the need to program for multiple formats. HIPAA charged HHS with the task of developing standards for the following transactions: health claims, health encounter information, health claims attachments, health plan enrollments and disenrollments, health plan eligibility, healthcare payment and remittance, health plan premium payments, first report of injury, health claim status and referral certification and authorization.
HHS looked to the American National Standards Institute (“ANSI”) as the source for standards in most of these areas. ANSI chartered the X12 Accredited Standards Committee (“ASC”) a number of years ago to design national electronic standards for a wide range of business applications. A separate ANSI X12N Subcommittee was in turn chartered to develop electronic standards specific to the insurance industry, including healthcare insurance. Volunteer members of the ASC X12N Subcommittee include healthcare providers, health plans, bankers and vendors involved in software development for healthcare applications. The proposed regulations pervasively use the “ANSI ASC X12N” shorthand as a reference to this Insurance Subcommittee of the X12 Accredited Standards Committee of the American National Standards Institute. The proposed regulations are accompanied by addenda which appear in the Federal Register, but will not appear in the Code of Federal Regulations, specifying the standard data elements for healthcare transactions covered by HIPAA.
Stupefying Reporting Requirements
Rather than promoting “Administrative Simplification,” the proposed regulations establish reporting requirements that are simply stupefying. The regulations describe roughly 500 separate data elements that support a single electronic healthcare claim. Embedded in these 500 data elements are dozens of code sets for both medical and nonmedical data requiring the provider to convert commonly understood words and terms into literally thousands of possible alpha-numeric codes.
The productivity gains promised by EDI are being limited to possible savings in postage stamps and paper, and are coming at a substantial cost as providers and their staff have to furnish more and more information to the government and other insurers to get paid for providing healthcare services. True administrative simplification would lessen these reporting burdens, enabling providers to improve healthcare quality by spending more time with their patients and on professional education.
Unique Health Identifiers
HIPAA required the adoption of a system for assigning a standard unique health identifier for each individual, employer, health plan and healthcare provider. For employers, the proposed regulations simply adopt the employer’s federal employer identification number as assigned by the Internal Revenue Service (e.g., 00-0000000). For individuals and health plans, proposed regulations remain unissued. HHS is expected to adopt the existing system for Social Security Numbers for individuals (e.g., 000-00-0000), possibly modified to add another digit or two to the current nine-digit numbers to accommodate future growth.
For healthcare providers, the regulations propose an entirely new system that would assign to each healthcare provider a unique eight-character alpha-numeric number that would accommodate approximately 20 billion unique identifiers. While the administrative details remain to be worked out, the estimated maximum direct cost of establishing such a system is $50 per provider. HHS projects that indirect conversion costs from adopting the new system will be more than offset by savings resulting in EDI efficiencies within a five-year time frame.
Security Standards
The proposed regulations require all health plans and each healthcare provider who electronically transmits or maintains health information to develop, implement and maintain appropriate security measures. The regulations specify twelve security requirements and provide some detailed procedures that must be implemented in each area. These security requirements are analogous to the seven basic elements of a healthcare compliance program: written standards (Requirements 2, 4, 5 and 11), designated officer (Requirement 7), education and training (Requirement 12), audits and other monitoring (Requirements 1, 6 and 8), internal reporting processes (Requirement 9), disciplinary mechanisms (Requirement 10) and investigation/remediation (Requirement 9).
HHS recognizes that the appropriate level of security will depend upon the size of the affected party and the systems that it employs. For example, a PC-based small physician office may rely on virus checking software furnished on new personal computers and internal auditing capabilities of its practice management software. It may satisfy workstation security requirements by locating equipment in areas that are generally populated by office staff and have some degree of physical separation from the public, without constructing a separate locked-off area.
The proposed regulations further require providers to use some form of encryption if transmitting or receiving health information over open networks, such as the Internet. Providers will have to procure and use commercial software to encrypt the data in order to provide the required protection over electronic health information transmitted or received over open networks. On the other hand, encryption is optional for health information transmitted over private wires and even dial-up connections tied directly to healthcare clearinghouses, rather than over the Internet. Those links are not encrypted by themselves; the exemption rests on the assumption that only the two parties to the connection can read the traffic.
Electronic Signature
On the subject of electronic signature, the proposed regulations adopt the digital signature as the only acceptable technology for electronic signing at this time. A digital signature authenticates the signer’s identity, and detects any alteration of the signed message, using a pair of mathematically related keys: a private key known only to the signer and a public key that anyone may hold. Here is how it works: To sign a message, Jill performs a computation involving both her private key and the message itself (in practice, a cryptographic hash of the message); the output is the digital signature, which is attached to the message before it is sent. To verify the signature, Jack performs a computation involving the message, the purported signature and Jill’s public key. If the results satisfy the expected mathematical relation, the signature is verified as genuine; if the message was altered in transit, or was signed with a key other than Jill’s, the check fails.
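The Jill-and-Jack exchange described above, carried through in working code. This is an added example and not part of the original article, nor any procedure specified by HHS or the proposed regulations: the choice of Go’s standard library (RSA with SHA-256 and PKCS#1 v1.5 padding), the constructed claim string, and the function names are all assumptions made for illustration. It also shows the two failure cases the passage implies: a message altered after signing, and a signature made with someone else’s private key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// A constructed, hypothetical claim payload standing in for an electronic
// claim transaction; it is sample input for this example, not a real X12 message.
const sampleClaim = "CLAIM|PROVIDER=EXAMPLE-PROVIDER|PATIENT=EXAMPLE|AMOUNT=125.00"

// generateSigningKey creates a signer's key pair. The private half stays with
// the signer; the public half is given to anyone who must verify signatures.
func generateSigningKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// signClaim is Jill's step: hash the message with SHA-256 and apply her private
// key to the digest (RSA PKCS#1 v1.5 signature). The signature travels with the message.
func signClaim(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyClaim is Jack's step: recompute the digest of the message he received
// and check it against the signature using Jill's public key. Any change to the
// message, or a signature made with another key, makes this return false.
func verifyClaim(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// SignatureOutcomes runs the exchange end to end and reports three checks:
// the genuine signature verifies, a tampered message does not, and a signature
// made with a different signer's key does not verify under Jill's public key.
func SignatureOutcomes() (genuine, tampered, wrongSigner bool, err error) {
	jill, err := generateSigningKey()
	if err != nil {
		return false, false, false, err
	}
	impostor, err := generateSigningKey()
	if err != nil {
		return false, false, false, err
	}

	msg := []byte(sampleClaim)
	sig, err := signClaim(jill, msg)
	if err != nil {
		return false, false, false, err
	}

	// Jack verifies the message exactly as Jill sent it.
	genuine = verifyClaim(&jill.PublicKey, msg, sig)

	// An intermediary changes the amount; Jill's signature no longer matches.
	altered := []byte("CLAIM|PROVIDER=EXAMPLE-PROVIDER|PATIENT=EXAMPLE|AMOUNT=925.00")
	tampered = verifyClaim(&jill.PublicKey, altered, sig)

	// Someone else signs the same message with their own private key and
	// presents it as Jill's; it fails against Jill's public key.
	forged, err := signClaim(impostor, msg)
	if err != nil {
		return false, false, false, err
	}
	wrongSigner = verifyClaim(&jill.PublicKey, msg, forged)

	if !genuine {
		err = errors.New("genuine signature failed to verify")
	}
	return genuine, tampered, wrongSigner, err
}

func main() {
	genuine, tampered, wrongSigner, err := SignatureOutcomes()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("genuine message verifies:      %v\n", genuine)
	fmt.Printf("tampered message verifies:     %v\n", tampered)
	fmt.Printf("impostor's signature verifies: %v\n", wrongSigner)
}
```

The signature is computed over a SHA-256 digest rather than the raw message, which is how deployed systems do it; the security of the scheme then rests on the signer keeping the private key secret and on Jack having obtained Jill’s genuine public key, which is the problem the commercial certificate services mentioned below exist to solve.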
Digital signature technology has recently become commercially available on the Internet for a nominal charge. While HIPAA does not require the use of electronic signatures, this capability is necessary for a completely paperless environment.
Privacy Standards
Administrative Simplification’s most burdensome provisions are contained in the proposed regulations on privacy. HHS issued 149 Federal Register pages of proposed regulations and explanation on November 3, 1999, and the comment period was extended until February 17, 2000 to give interested parties additional time to review this massive proposal. See Administrative Simplification Part 2: The Not-So-Private Privacy Regulations for a discussion on the multi-billion dollar compliance impact of the privacy regulations.