The Health Insurance Portability and Accountability Act (HIPAA) was “top of mind” only a few years ago, and since then, there have been rapid changes and updates in technology. HIPAA has evolved as well, and many operational questions initially subject to speculation have been answered or are in the process of interpretation and enforcement.

Since 2003 (when the first of the HIPAA implementation deadlines began to impact how the business of radiology was conducted), numerous physicians and radiology managers have also entered the field so it is worth quickly reviewing some of the key points of HIPAA compliance and its history.

HIPAA actually occurred in response to demands by the health care industry to simplify the chaotic processes involved in claims submission, since there was no standardization among insurance companies and, as a result, hundreds of variations in formats were used for filing electronic claims. Congress agreed with the concept of standardization, but along the way concerns grew regarding the confidentiality of patient information so regulations regarding Protected Health Information (PHI) were developed as well.

Because HIPAA applied to a broad scope of “covered entities,” from the small physician’s office to the largest health care systems and insurance companies, the regulations were often vague and communicated the expected end results but not necessarily the means for achieving them. And due to the complexity of the entire Administrative Simplification Act, the various elements of HIPAA were rolled out in phases with a 2-year implementation window once each Final Rule was announced. It was anything but simple, and delays occurred from time to time. And unlike Medicare fraud and abuse-based compliance programs, HIPAA was mandatory.

Elements and deadlines were (and are) as follows; in each case, small health plans were given an additional year to come into compliance:

Transactions and Code Sets Standards (TCS): October 16, 2003. TCS established how various transactions such as submission, verification of claims status, and remittance would be structured. They also defined the language of the transactions by mandating standard “code sets,” such as procedure codes (CPT-4/HCPCS) and diagnosis codes (ICD-9). Since the code sets were already in use for radiology, this aspect of the regulations represented the least disruptive change, but vendors, clearinghouses, and payors all struggled to meet the deadlines, especially since Medicare announced it would accept only electronic transactions as of a specific date (unless very restrictive circumstances occurred).

Privacy Rule: April 14, 2004. The Privacy Rule covered the permissible uses of PHI in any form, whether electronic or paper, and defined the patient’s rights in terms of how PHI was created, secured, shared between entities, stored, and destroyed. The Privacy Rule impacted nearly every aspect of radiology operations.

Employer Identifier Standard: July 30, 2004. This standard added to the standard language of the health care industry by establishing a common identifier for covered entities.

Security Standards: April 20, 2005. The Security Standards involved electronic versions of PHI and set expectations for how electronic data would be protected.

National Provider Identifier (NPI): May 23, 2007. The NPI replaced the Medicare Unique Physician Identification Number (UPIN) with a new methodology and assigned NPIs to other entities as well.


The vast scope of the regulations also made them challenging to enforce, and early concerns about the “HIPAA police” were allayed by the announcement that HIPAA enforcement would primarily be complaint-driven. The Centers for Medicare and Medicaid Services (CMS) is charged with enforcement of the Transactions and Code Sets Standards as well as the Security Standards, which are governed by the Office of E-Health Standards and Services within CMS. The Privacy Rule is under the purview of the Office for Civil Rights (OCR).

On July 17, 2008, the Department of Health and Human Services (HHS) announced the first enforcement actions of this scope under HIPAA. Providence Health & Services agreed to a settlement with a fine of $100,000 and implementation of a detailed Corrective Action Plan in response to security breaches that occurred in 2005 and 2006. While the press release stated more than 6,700 Privacy and Security cases had been resolved by the OCR and CMS, this was the first Resolution Agreement required from a covered entity.

The announcement stated “on several occasions between September 2005 and March 2006, backup tapes, optical disks, and laptops, all containing unencrypted electronic protected health information, were removed from the Providence premises and were left unattended. The media and laptops were subsequently lost or stolen, compromising the protected health information of over 386,000 patients.” Providence had reported the thefts according to state notification laws, and the investigation centered on the failure of the system to implement policies and procedures to safeguard the PHI.

As radiology has continued to evolve technologically, there are definite operational implications in terms of how images and related information are transmitted, viewed, and stored. The Providence Corrective Action Plan required implementation of policies and procedures regarding “physical and technical safeguards” (encryption of information) and off-site transport and storage of electronic media containing PHI, including the training of its workforce regarding the safeguards.

We are seeing a rapid adoption of new technology, including the use of laptop computers to retrieve images for interpretation via the Internet and the use of wireless technology. Companies are also announcing access to medical records and communications via iPhone.

What does this mean? Too often the ability to move information with new technology and connectivity is outpacing the ability to do so securely. A January 21, 2008, article posted on addresses the vulnerability of laptops and mobile media such as cell phones, PDAs, and USB flash drives, citing a 2006 Ponemon Institute study reporting an 81% increase in companies reporting stolen laptops between 2005 and 2006, including equipment stolen in the office. The article also notes La Guardia airport has accumulated more than 70,000 unclaimed laptops in its lost and found, and Accenture stated, “10 to 15 percent of all handheld computers, PDAs, mobile phones, and pagers are eventually lost by their owners.”

On August 15, HHS announced the proposed regulation that would replace the ICD-9 codes with ICD-10 effective October 1, 2011. In addition, the Transaction Standard would be updated to X-12, Version 5010 so ICD-10 can be used for claims submission, remittance advice, claims status determinations, eligibility verification, referral authorization, and other types of electronic transactions. Compliance with the 5010 Transaction Standard would be required by April 1, 2010, or 2 years after adoption of the Final Rule.

To say the impact on radiology will be significant is an understatement. Radiology coding is already complex, and the industry has worked hard to train and certify its coders, with Radiology Certified Coders in great demand. ICD-10 is not an update to the current system; rather it totally changes how coding is done, migrating from the current system of approximately 17,000 diagnosis codes to more than 155,000 new codes and a different system of classification.

The American Health Information Management Association (AHIMA) has been a long-time advocate of the change to ICD-10 and has published several articles and books about preparing for the restructuring—and it is a total restructuring. For example, an article from the AHIMA archives entitled “Planning and Implementing ICD-10, Using a Team Approach” provides examples of the changes.

ICD-9: minimum of 3 digits, maximum of 5 digits, decimal point after the third digit; numeric except for supplementary V and E codes; structure of injury designated by wound type; no laterality (left versus right)

Example: 438.11 late effects of cerebrovascular disease, speech and language deficits, aphasia

ICD-10: minimum of 3 digits, maximum of 7 digits, and a decimal point after the third digit (includes a one-digit “extender” for certain codes); alphanumeric with all codes using alphabetic lead character (V and E codes eliminated and incorporated into main code set); structure of injury designated by body part; laterality

Example: I69.320 speech and language deficits following cerebral infarction, aphasia following cerebral infarction
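The structural differences listed above are easy to check mechanically, which matters during a transition when both code sets may appear in the same billing workflow. The following is an added example, not code from the article or from AHIMA; it encodes only the lexical shapes the comparison describes. The exact shapes of the ICD-9 supplementary V and E codes (V plus two digits, E plus three digits before the decimal) and the allowed alphanumeric positions after the ICD-10-CM lead letter are assumptions made for the example, and the sample claim codes are constructed.

```python
import re
from typing import Iterable, NamedTuple

# Lexical shapes from the article's comparison.
# ICD-9: 3 to 5 digits, decimal after the third digit, numeric except the
# supplementary V and E codes. The V/E shapes are an assumption for this example.
ICD9_RE = re.compile(r"^(?:\d{3}|V\d{2}|E\d{3})(?:\.\d{1,2})?$")
# ICD-10-CM: alphabetic lead character, 3 to 7 characters in total, decimal
# after the third character, optional seventh-character "extender".
# Allowing letters or digits in every position after the lead is an assumption.
ICD10_RE = re.compile(r"^[A-Z][0-9A-Z]{2}(?:\.[0-9A-Z]{1,4})?$")


class CodeParts(NamedTuple):
    category: str     # characters before the decimal (e.g. "I69")
    subcategory: str  # up to three characters after the decimal
    extender: str     # seventh character of an ICD-10-CM code, or ""


def code_sets(code: str) -> frozenset:
    """Return the code sets whose lexical structure `code` satisfies.

    A string can satisfy both (the ICD-10-CM V and E ranges overlap the
    ICD-9 supplementary codes), which is why structure alone cannot tell
    a claim which code set was used; the transaction has to say so.
    """
    code = code.strip().upper()
    matched = set()
    if ICD9_RE.match(code):
        matched.add("ICD-9")
    if ICD10_RE.match(code):
        matched.add("ICD-10-CM")
    return frozenset(matched)


def split_icd10(code: str) -> CodeParts:
    """Break a structurally valid ICD-10-CM code into its positional parts."""
    code = code.strip().upper()
    if not ICD10_RE.match(code):
        raise ValueError(f"not a structurally valid ICD-10-CM code: {code!r}")
    category, _, rest = code.partition(".")
    extender = rest[3] if len(rest) == 4 else ""
    return CodeParts(category, rest[:3], extender)


def transition_report(codes: Iterable[str]) -> dict:
    """Bucket a claim's diagnosis codes by which code set they could belong to."""
    report = {"ICD-9 only": 0, "ICD-10-CM only": 0, "ambiguous": 0, "invalid": 0}
    for code in codes:
        matched = code_sets(code)
        if matched == {"ICD-9"}:
            report["ICD-9 only"] += 1
        elif matched == {"ICD-10-CM"}:
            report["ICD-10-CM only"] += 1
        elif len(matched) == 2:
            report["ambiguous"] += 1
        else:
            report["invalid"] += 1
    return report


# Constructed sample: the article's two examples plus a V code, an
# ICD-10-CM code with a seventh-character extender, and a malformed code.
SAMPLE_CLAIM_CODES = ["438.11", "I69.320", "V01.1", "S52.521A", "4381.1"]

if __name__ == "__main__":
    for code in SAMPLE_CLAIM_CODES:
        print(f"{code:10} -> {sorted(code_sets(code)) or ['invalid']}")
    print(split_icd10("S52.521A"))
    print(transition_report(SAMPLE_CLAIM_CODES))
```

The ambiguous bucket is the practical point: a V-prefixed code is well-formed in both systems, so a billing or audit process that infers the code set from the string alone will misclassify some claims during the changeover. The code set has to be carried explicitly with the transaction rather than guessed from the code.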

All relevant articles reference the intense learning curve required and warn of loss of productivity, vendor/insurance company processing issues, and the need to plan for a reduction in revenue during the transition. Both coders and billing staff must be educated and their skills updated as the more detailed and specific codes replace the current lexicon. Another article states:

“There will also be a resistance to change. For some, it will be a matter of finding the time and patience to learn a new system before they can realize the advantages. For others, however, the change may be too great. In fact, some predict the challenge of updating skills will be enough to drive some coders out of the profession rather than adapt to the new system. Of course, the need to update skills isn’t limited to coders. The medical staff must also be educated in the new system so it includes the proper level of specificity in its documentation.”1

The article goes on to note that implementation can take more than 2 years, beginning with an evaluation of coders’ baseline knowledge of anatomy, physiology, medication, and medical terminology. Once that broad knowledge base has been upgraded, the focus can shift to documentation training. The organization should then plan for a significant drop in productivity once ICD-10 is implemented.

Both Canada and Australia have migrated to ICD-10 and provide a road map for implementation and anticipated problems. In addition, there are numerous books available on the topic of preparing for ICD-10. There is one universal recommendation, however—start early!


HIPAA has represented a shock to the health care system in terms of migrating to the electronic world. New technology will continue to test the initial concepts of HIPAA in terms of securing patient information and massive change still lies ahead. Whether or not the Final Rule for ICD-10 is modified further, that change appears to have moved from the discussion/prediction stage and into the implementation phase. HIPAA will continue to be in our vocabulary and on our minds.

Patricia (Pat) Kroken, FACMPE, CRA, is a radiology-specific business consultant to radiology practices, billing companies, software vendors, and hospitals for Healthcare Resource Providers, Albuquerque, NM. She is a Fellow in the American College of Medical Practice Executives and a Certified Radiology Administrator. For more information, contact .


  1. Nagel S. The migration to ICD-10-CM: preparing for the inevitable. June 14, 2004.