In spite of the spectacular advancements in medical technology and breathtaking innovations in information technology, the health care industry has been unable to use automation to achieve the benefits that other industries have achieved. Grappling with cost containment for decades, health care has lagged behind other industries in automation. Throughout the 1990s, numerous industry work groups and reports focused on the ways to address these problems.

The United States Government Accounting Office (GAO) report “Automated Medical Records Holds Promise to Improve Patient Care,” published in January 1991, insisted that standards must be in place to record and share information inside and outside an organization. In July 1991, the Institute of Medicine (IOM), in its report “Computer-based Patient Record-an Essential Technology for Healthcare,” identified the lack of standards as one of the five barriers to a computer-based patient record (CPR) and recommended the development of uniform national standards.

In November 1991, the Secretary of the Department of Health and Human Services (DHHS) convened a forum of national health care leaders to identify ways to solve these problems. This forum organized four industry work groups. Its surveys and studies identified the lack of uniform health care informatics standards as one of the major barriers to achieving successful automation. In July 1992, the Workgroup on Electronic Data Interchange (WEDI) reported that $36 billion could be saved by using the existing electronic data interchange (EDI) standards and called for Congressional action.

In April 1993, the Work Group on Computerization of Patient Records identified the standards needed for the National Healthcare Information Infrastructure (NHII), which included data interchange, coding and vocabulary, content, security, and identifier standards.

In April 1993, the GAO issued another report, “Leadership Required to Expedite Standards Development.” It echoed the findings and recommendations of the Work Group on Computerization of Patient Records. In February 1994, the Computer-based Patient Record Institute (CPRI) presented a proposal to accelerate the development of health care information standards.

In essence, the industry called on Congress and the President to pass legislation to adopt uniform national data standards to improve the efficiency of the national health care system, reduce cost, and protect the privacy of patient information. As a result, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) of 1996, and President Bill Clinton signed it into law on August 21, 1996.

Part III of HIPAA, known as “Administrative Simplification,” addresses the various informatics standards.

Objectives of HIPAA

The primary objectives of the Administrative Simplification provisions are to use electronic data standards to improve the efficiency and effectiveness of the national health care system, reduce costs, and protect patient privacy. In order to meet these objectives, HIPAA directed the Secretary of the DHHS to issue regulations mandating national standards for electronic exchange of information, identifiers, code sets, security, and electronic signature. It charged the National Committee on Vital and Health Statistics (NCVHS) to recommend standards for medical record information and their electronic exchange. The Secretary was also directed to issue privacy regulations if Congress failed to pass privacy legislation within 36 months.

With regard to administrative and financial transactions, HIPAA followed WEDI’s recommendations and HHS adopted the ANSI X12 Standards as recommended by WEDI. HIPAA also mandates supporting standards that include standards for identifiers, code sets, security, electronic signature, and privacy protection. Listed below are the nine different categories of standards mandated by HIPAA:

1. EDI standards for administrative and financial transactions such as enrollment, eligibility, claims, attachment, and payment (sec. 1173(a)(2))

2. Unique health identifiers for providers, health plans, employers, and individuals (sec. 1173(b))

3. Code sets for medical concepts such as diagnoses, procedures, medications, etc. (sec. 1173(c))

4. Security standards for access control, encryption, and electronic signature (sec. 1173(d))

5. Electronic signature standards (sec. 1173(e))

6. EDI standards for coordination of benefits among health plans (sec. 1173(f))

7. Privacy regulations to protect the health information of individuals (sec. 264)

8. Standards recommendations and legislative proposals from NCVHS to the HHS Secretary on uniform patient medical record data and their exchange (sec. 263)

Penalty. HIPAA stipulates substantial civil and criminal penalties for noncompliance. The penalty for the violation of security/privacy regulations is up to 10-year imprisonment and $250,000 in fines. The penalty for the violation of standards for each of the transaction types can add up to $250,000 in fines.

Proposed and Final HIPAA Regulations. HHS issued its Notices of Proposed Rule Making (NPRM) during 1998-1999 for most of the HIPAA-mandated standards. The final rules for transaction standards and code sets were published on August 17, 2000, and the final rule for privacy was issued on December 28, 2000. The current HHS administration, in response to industry requests, has once again opened the rule for comments until March 31, 2001, and a revised final rule is expected after review of the comments received. A table in the online version of this article at lists the various HIPAA standards included in the HHS rules.

These standards address the exchange of administrative and financial information among employers, providers, and health plans for enrollment, eligibility, claims, payment, coordination of benefit, etc. Covered entities must modify their information systems to implement these standards, which in some cases may require the entry and processing of additional information not included in the current processing.

HIPAA standards are intended to simplify clinical billing and reimbursement and to significantly reduce administrative overhead, which is estimated at more than 25% of the total cost of health care. The industry estimates a saving of $9 billion per year in administrative overhead. The security and EDI standards are meant to guard against fraud, eliminate human error and unauthorized use, provide timely access to information, and improve the quality of care. The identifier, code set, and electronic medical record standards have the potential to finally make the electronic medical record a reality and to maximize the use of patient and business information. Together, the HIPAA standards are expected to move the health care industry into the electronic era. System developers will be required to develop software based on HIPAA standards, and providers will be able to buy from any vendor with the assurance that it will work with any payor system.

Impact. HIPAA impacts all functions, processes, and systems that store, handle or generate health information. It affects payors, providers, employers, medical device manufacturers, pharmaceutical companies, health care information systems (HIS) developers and vendors, consultants, business partners, government agencies, and regulatory bodies. HIPAA introduces new legal liabilities and requires the redesign of business processes, staffing plan, work flow, business applications, technology architecture, and facilities. The current information systems would require extensive changes and upgrades to implement HIPAA standards, including EDI transactions, attachments, identifiers, code sets, security, encryption, digital certificates, electronic signature, and privacy requirements. Provider organizations will be required to renegotiate their vendor contracts to satisfy the HIPAA regulations. The changes include the following:

1) Provider organizations must make sure that they comply with the final rules relating to the transaction standards (ASC X12N/NCPDP) and code sets (ICD-9-CM, CPT 4, CDT 3, NDC, and National HCPCS codes). They must adhere to their format and capture the information required by these standards. Those who use a clearinghouse or a vendor must still enable such formats in their backend systems.

2) Provider organizations must ensure that their electronic and manual systems comply with the unique health identifier standards such as NPI, PlanID, FEIN, and individual ID (to be adopted in the future).

3) HHS regulations spell out the specific tasks that must be carried out before selecting and implementing security standards, tools, and technologies. They include a baseline assessment of current operations, gap analysis, risk assessment, and cost/benefit analysis.

4) Based on the result of the above analyses, organizations must modify their existing policies and processes or establish new policies and processes.

5) Security standards, tools, services and technology must be chosen and implemented based on the risk of confidentiality breaches and the level of an organization’s vulnerability.

6) The greatest risk comes from the internal staff members who have access to protected information. DHHS regulations require top management commitment and responsibility toward staff training, formal audit control, corrective actions, sanctions, and termination procedures.

7) HIPAA restricts the use and disclosure of information to the “minimum necessary” (e.g., the specific document that is required vs. the entire chart) to accomplish the intended purpose. Organizations must develop appropriate minimum necessary criteria and related policies and processes to enforce this standard.

8) Although electronic signature is not mandated, those who choose to use it must use digital signature technology that assures message integrity, nonrepudiation, and user authentication.

9) Organizations must create the necessary policies and processes for patients to exercise their rights including the issue of notice of information practice, facilitation of access to their information, and procedures to request and obtain corrections/amendments, and to restrict disclosures.

10) The privacy protection must always stay with the information regardless of media or format. Therefore, organizations must use formal chain of trust provisions with their business associates and vendors that have access to patient information in order to ensure accountability and the protection of privacy. Such business associate agreements must in turn require them to have similar agreements with their business associates/subcontractors.

11) The legislative language specifically provides for establishing a federal “floor” of protections where states can enact more stringent health information privacy protections. Therefore, covered entities must comply with both federal and state privacy laws.

12) Covered entities must formally assign the HIPAA compliance responsibility to specific individuals within the organization including the appointment of Security Officers and Privacy Officials to govern how identifiable patient information is used and disclosed.

Other requirements include: creation of de-identified information; authorization for use and disclosure for purposes other than treatment, payment, or health care operation; audit trail and accounting for external disclosures; internal complaint procedures; duty to mitigate; policies and procedures for sanctions and terminations; access control; authentication; incident reporting; security management; internal audit; and training. The security criteria consist of three key elements, namely, confidentiality, integrity, and availability. HIPAA compliance is 80% administrative and 20% technical, per HHS.
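Item 8 above and the integrity element of the security criteria named in this paragraph both rest on the same mechanism. The following Go program is an added illustration, not part of the original article, of why a digital signature (as opposed to a plain checksum) gives the three properties the rule names: the unaltered record verifies (integrity), an altered copy fails to verify, and the record does not verify against any other party's public key, so only the holder of the matching private key could have produced it (user authentication, and the basis for nonrepudiation). The key pairs, the message contents, and the field names are constructed for the example; a real deployment would bind the public key to the signer with a digital certificate, which this program does not model.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedRecord pairs a serialized message with the signature over its SHA-256 digest.
type SignedRecord struct {
	Message   []byte
	Signature []byte
}

// GenerateSignerKey creates a fresh ECDSA P-256 key pair for one signer.
// (Hypothetical credential; in practice the public key is issued in a certificate.)
func GenerateSignerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign hashes the message and signs the digest with the signer's private key.
func Sign(priv *ecdsa.PrivateKey, message []byte) (SignedRecord, error) {
	digest := sha256.Sum256(message)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return SignedRecord{}, err
	}
	return SignedRecord{Message: message, Signature: sig}, nil
}

// Verify recomputes the digest and checks the signature against a public key.
// Any change to the message, or a key that does not match the signer, fails here.
func Verify(pub *ecdsa.PublicKey, rec SignedRecord) bool {
	digest := sha256.Sum256(rec.Message)
	return ecdsa.VerifyASN1(pub, digest[:], rec.Signature)
}

// Outcome records the three checks a reviewer cares about.
type Outcome struct {
	Genuine     bool // unaltered record checked with the signer's key
	Tampered    bool // message altered after signing
	WrongSigner bool // genuine record checked against another party's key
}

// Scenario signs a constructed claim-like record and exercises all three checks.
func Scenario() (Outcome, error) {
	signer, err := GenerateSignerKey()
	if err != nil {
		return Outcome{}, err
	}
	otherParty, err := GenerateSignerKey()
	if err != nil {
		return Outcome{}, err
	}

	// Constructed sample message; the fields are illustrative, not a real transaction format.
	msg := []byte("claim-id=CONSTRUCTED-0001;patient=EXAMPLE;amount=125.00")
	rec, err := Sign(signer, msg)
	if err != nil {
		return Outcome{}, err
	}

	// Simulate modification in transit: the amount is changed, the signature is kept.
	altered := rec
	altered.Message = []byte("claim-id=CONSTRUCTED-0001;patient=EXAMPLE;amount=1250.00")

	return Outcome{
		Genuine:     Verify(&signer.PublicKey, rec),
		Tampered:    Verify(&signer.PublicKey, altered),
		WrongSigner: Verify(&otherParty.PublicKey, rec),
	}, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrongSigner=%v\n", out.Genuine, out.Tampered, out.WrongSigner)
}
```

Only the first check should succeed. The second failing is what makes the signature an integrity control; the third failing is what ties the record to one signer, which a shared-secret checksum or HMAC cannot do, since every party holding the secret could have produced it.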


HIPAA’s objectives are aimed at increasing the efficiency of health care organizations to fulfill their business and operational needs. Therefore, a thorough understanding of the legislation, a careful review of the various provisions of the HHS’ regulations, and a detailed analysis of the requirements of the mandated standards are critical to successfully develop and implement a compliance plan. Although the DHHS has selected the standards for areas such as administrative and financial transactions, code sets, and identifiers, its regulations require the covered entities themselves to select the standards and technology for information security and privacy protection. Health care organizations must justify their decisions and selections with adequately documented analysis such as baseline assessment, gap analysis, and risk assessment.

HIPAA establishes an ongoing standards adoption process. It provides an effective framework through which the industry can adopt standards initially and, then, on an ongoing basis, improve them. HIPAA has defined the role of Standards Maintenance Organizations, NCVHS, and other industry organizations such as WEDI. It has established the process through which the industry can send its input to HHS for the purpose of adopting standards. The NCVHS hearings and the federal NPRMs are some of the examples. Yet, the most critical role that the industry can play in this process is its active participation in the very development of the needed standards. HHS is required to adopt the industry-developed standards. Participation in the standards development will ensure that the standards adopted by HHS fulfill the needs of health care.


Soloman I. Appavu is director of systems planning, Cook County Hospital and Cook County Bureau of Health Services, Chicago, and has served as a consultant to the US Department of Health and Human Services on the adoption of a unique health identifier.