Local, State, Federal

by Elaine Sanchez

Health Care Providers Have 3 Months to Obtain NPI Number

The clock is winding down for health care providers who have yet to obtain and use their 10-digit numeric identifier when filing claims.

By May 23, providers enrolled in the Medicare program will be required to use their National Provider Identifier (NPI) instead of their previously used legacy number as the sole identifier employed in standard transactions. The deadline marks the end of a 12-month contingency period that CMS set up after concerns were raised on the feasibility of meeting the initial 2007 date.

A number of recent developments indicate increasing compliance by the medical community with the NPI, which was mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Last October, the CMS reported that 84% of the overall claims submitted came with NPI numbers, and a month earlier, the National Plan and Provider Enumeration System (NPPES) data system became functional. Just before the New Year, reports showed that about 2.4 million providers had obtained their numbers. Since January 1, NPIs have been required in Medicare electronic and paper institutional claims, and claims containing only old legacy identifiers will be rejected, though health providers can continue to use legacy numbers to identify secondary providers.

Helen Olkaba, an economic analyst with the American College of Radiology (ACR), explained that the NPI system was designed “to improve the effectiveness and efficiency of the Medicare program and the overall health care system by simplifying the administration of the health care system and enabling efficient electronic transmission of certain health information.”

However, despite its intentions, a number of issues—specifically dealing with privacy and cash flow—have been raised during the NPI’s implementation phase.

“Individual and organization health providers have been hesitant to share their NPI numbers with other providers due to privacy concerns,” Olkaba said, adding that the identifier is a requirement for reimbursement of services.

Additionally, those in the industry have pointed to the NPPES crosswalk database, which matches a health care provider’s old legacy number with its new NPI number, as a possible privacy liability. To quell these fears, CMS will not disclose Social Security information, the Internal Revenue Service individual tax identification numbers, or birth dates in the database, Olkaba said.

Another issue dealt with a possible cash flow setback resulting from the process taking longer than expected. Health care providers who missed the application deadline would not be reimbursed for their services. Also, providers not participating in the Medicare program, and therefore not required to obtain an NPI number, would run into a problem when they order tests or refer Medicare patients, Olkaba said. This was one of the reasons behind CMS’ extended deadline, she explained.

Olkaba said that in the future, the NPI will likely be used by more in the industry, such as private health plans, federal and state agencies, and nonparticipating providers.

In the meantime, the ACR will continue to educate its membership on the use of NPI and will relay concerns to CMS. The college has been following the NPI’s progress and continues to work closely with CMS, Olkaba said. Updates are posted on the college’s Web site, www.acr.org, as well as in its publications, such as the ACR Radiology Coding Source and the AMA/ACR Clinical Examples in Radiology Bulletin.

Applications can no longer be downloaded and must be requested via telephone at (800) 465-3203.

By March 1, claims submitted using CMS-1500 and FFS 837P forms must include an NPI number in the primary fields, and legacy identifiers can be used only to identify secondary providers.

Hospitals Receive HIPAA Wake-Up Call from Security Firm

They wear fake badges and slip into lab coats, walk into restricted areas, and successfully steal tons of protected health information (PHI) from unattended computer stations.

And so far, they haven’t been caught.

While hospitals needn’t worry about the thievery credited to Ken Stasiak and his team at SecureState, an assessment firm based in Cleveland, administrators are looking to find out how they managed to pilfer the data. In fact, that’s why they hire the company: to steal PHI.

Figure: SecureState performs detailed risk assessments and provides clients with a risk management road map.

“Since the inception of HIPAA in 1996, customers have been looking for advice and guidance on complying with the government act,” said Stasiak, president and CEO of SecureState. “Customers want to know that they’re complying with the law and are providing their patients with the best amount of privacy with their protections around their health care information.”

Stasiak said his group essentially aims to emulate a criminal’s frame of mind, taking note of camera locations, dress codes, and the busiest hours. After planning a mode of attack, they execute it in one shot. What they come away with are patient health records and other sensitive information, much of which is taken from fax machines and infiltrated computer systems. Vulnerabilities are found using a variety of proprietary and commercial tools that a common hacker would use.

“We haven’t seen any hospital come close to being HIPAA compliant,” Stasiak said. “The biggest violation we’ve seen is the technical safeguards that hospitals have been avoiding. Generally, it’s who has access to the information.”

For their health care clients, SecureState performs detailed risk assessments with regard to HIPAA. Interviews are conducted with key physicians, nurses, IT staff, senior management, legal counsel, and risk and facilities management, in order to determine who has access to PHI and how the information can be compromised. Once process-mapping is complete, SecureState can revamp the facility’s lax operations. “Once you know where the information is, it’s a lot easier to secure it and apply controls,” Stasiak said.

Additionally, all of SecureState’s customers receive tailored, high-level road maps that help them become HIPAA compliant. The firm recommends data backup, disaster recovery and emergency operation plans, as well as testing and revision procedures and application and data criticality analysis.

Ultimately, the company offers a three-tiered approach, what Stasiak refers to as the notion of a current state, a desired state, and a secure state. In the current state, Stasiak’s firm assesses an organization’s holes and weaknesses, while in the desired state, his team hands customers their road maps. Lastly, health care facilities will hopefully have reached a secure state, when Stasiak’s firm continues to monitor security and provide ongoing assessments.

Part of the problem with the HIPAA regulation is that companies are confused about how it actually applies to their organization. “Since the beginning, there have not been many examples of what the HHS’ Office of Inspector General is looking for when going in to do an audit,” Stasiak said, adding that facilities potentially face fines and lawsuits for not complying with HIPAA standards.

Because of the first HIPAA audit done in June 2007, SecureState has received a reinvigorated demand for HIPAA assessments from facilities looking to find internal holes and implement security, according to Stasiak. And his clients gush about the help they receive in achieving compliance.

“The nice thing about it is that this is the big wake-up call for our customers,” Stasiak said.