A Readiness Workshop for the Small Provider presentation

About This Presentation

Transcript and Presenter's Notes

Title: A Readiness Workshop for the Small Provider

1
Implementing the HIPAA Regulations
A Readiness Workshop for the Small Provider
May 2003
2
Topics to be Covered

Part I Overview
Part II Understanding HIPAAs Electronic
Transactions and Code Sets
Part III Implementation of Electronic
Transactions in a Small Provider Office
Part IV Phases of HIPAA Implementation
Part V Testing and Certification
Part VI Security
Part VII Review and Resources

3
I. Overview

Background on Administrative Simplification
Benefits of HIPAA
HIPAA Oversight
Who must comply
Electronic /non-electronic methods for moving
data
What Medicare requires
Status of HIPAA Rules
Enforcement

4
HIPAA as an Opportunity

The Challenge
Over 1.3 trillion is spent annually in
healthcare
Over 15 (up to 30) goes to administration
Lack of e-commerce
Lack of coordination of care
The Opportunity
Retool tired processes
Become fitter, leaner, and better ready to meet
the challenges

5
Todays Healthcare System
Fragmented, inefficient, redundant, non-standard
6
What Is a HIPAA Transaction?

A method of moving data in a standard way
electronically between healthcare entities
HIPAA transactions expand on existing standards
Standard transactions provide more consistency
and efficiency

7
EDI Standards Have Benefited Other Industries

Retail/Grocery Industries Use of UPC codes
Travel Industry Paper to e-Tickets
Banks ATM machines
Healthcare opportunity to
Streamline operations
Reduce costs and errors
Accelerate reimbursements
Pharmacy is the role model for healthcare

8
Benefits of HIPAA EDI

Less manual handling/processing of administrative
transactions
Fewer errors, faster processing
Reduction in postage and other paper-related
expenses
Simplifies EDI now industry uses 400 different
claim formats will reduce to about 4

9
The Big Pay-Off

10
HIPAA Administrative Simplification Provisions
HIPAA Health Insurance Portability and
Accountability Act of 1996
Title I
Title II
Title III
Title IV
Title V
Administrative Simplification
Insurance Portability
Fraud and AbuseMedical Liability Reform
Tax RelatedHealth Provision
Group Health Plan Requirements
RevenueOff-sets
Security
Privacy
EDI
Transactions
Code Sets
Identifiers
11
Head Bones Connected to the Foot Bone.
Designated Standards Maintenance Organizations
HIPAA 1996
The Rules
ASC X-12N
Public Comment
Privacy
SSA Amend-ment
Implement- ation Guides
Other External Standards Makers
The Law and the Rules
The Standards
12
Who Oversees HIPAA?
The U.S. Department of Health Human Service

The Centers for Medicare
and Medicaid Services
Oversees
Transactions and Code Sets
Standard Unique Identifiers
Security
Contact info
http//www.cms.hhs.gov/hipaa/
hipaa2/
AskHIPAA_at_cms.hhs.gov
1-866-282-0659

The Office for Civil Rights Oversees
Privacy
Contact info
http//www.hhs.gov/ocr/hipaa/
OCRPrivacy_at_hhs.gov
1-866-627-7748

13
What is EDI?

Electronic Data Interchange
Standardized electronic exchange of data between
computers
Way of arranging data so a computer can read it
No human intervention
Transact business quickly, cost effectively

14
Why EDI, Security, and Privacy Requirements?

EDI Improves efficiency, effectiveness of
electronic exchange of administrative/financial
data
Electronic Transactions and Code Sets Mandates
standard codes and transaction formats
Unique Identifiers - Providers will have one ID
number
Security Defines process and technology
standards for electronic protected health
information
Privacy Defines rights of individuals and
responsibilities of providers, health plans

15
HIPAA Standard Transactions

Claims
Payment and remittance advice
Claim status inquiry and response
Referral certification and authorization inquiry
and response
Enrollment and disenrollment in a health plan
Health Plan premium payments
Coordination of benefits
Claims attachments (under development)
First report of injury (under development)

16
Why Are They Important to You?

Standard method for submitting claims
Standard method for getting paid
Use of transactions can greatly improve
efficiency and reduce paperwork
Real-time Eligibility/Benefits
Penalties for non-compliance
Non-compliance can result in a cash flow
disruption or improper payment

17
HIPAA Standard Code Sets

Medical code sets include
ICD-9CM
CPT-4/HCPCS
The Code (Dental)
NDC
Non-medical
Gender, race
Claim adjustment reason codes
No local codes

18
What Unique Identifiers Does HIPAA Standardize?

Employer Identifier Standard (adopted)
IRS Employer Identification Number (EIN)
A 9-digit identifier assigned by the IRS to
employers
Provider Identifier (not yet adopted Final Rule
forthcoming)
Health Plan Identifier (not yet adopted
Proposed Rule forthcoming)

19
Who Is Covered by HIPAA Administrative
Simplification Provisions?

Most healthcare providers
Most health plans
All healthcare clearinghouses

20
When Is a Provider a Covered Entity under HIPAA?

You are a covered entity provider if you
Meet the definition of a healthcare provider
Conduct one of the named HIPAA administrative
transactions
Conduct any of these transactions electronically
with a health plan who is a covered entity under
HIPAA

21
What is Electronically?

Electronic modes (include but are not limited
to)
Tapes, disks, CD, or data lines
Using a clearinghouse or billing service
Using a web application to conduct transactions
Using Direct Data Entry (DDE) applications
Using Point of Service applications
Using software provided to you

22
What is not Electronically?

Non-electronic modes
Mailing a paper form
Faxing a paper from a dedicated fax machine
Calling to obtain information
Voice response units on phone

23
Am I Covered if I Am Only Doing Some Business
Electronically?

YES
If you are a provider
Conducting only a small number of one or more of
the HIPAA transactions
Electronically
With one or more health plans
You are still covered!

24
Is a provider who bills on paper a covered entity
if a health plan converts the paper claim to
electronic format?

No
Most, if not all, health plans transform the
paper claims they receive into electronic formats
for processing.

25
Do I have to implement HIPAA if I go back to
submitting claims on paper?

Providers who conduct any covered transactions
(not just claims) electronically must comply
with all HIPAA rules.
Cannot avoid HIPAA by hiring a billing service to
conduct these transactions electronically for
you.
Reverting back to paper could have negative
effects for most providers.

26
What Medicare Requires

The Administrative Simplification Compliance Act
(ASCA) prohibits HHS from paying Medicare claims
that are not submitted electronically after
October 16, 2003
Small providers are defined as providers of
services having fewer than 25 full time
equivalent employees or for physicians,
practitioners, facilities, or suppliers with
fewer than 10 employees

TIP The ASCA law can be accessed at
http//www.cms.hhs.gov/hipaa/hipaa2/regulations/a
sca/asca.pdf
27
What Medicare Requires (cont)

Most providers already submit to Medicare
electronically
Exception if you are a small provider or
considered one of the limited exceptions
HHS will publish proposed regulations to
implement this new authority. Stay tuned to your
Medicare Provider Bulletins for more information
At this time, there is no waiver for which to
apply if you think you are small

28
Issues for Medicare billers thinking of going
back to paper

Providers would experience delays in
getting paid, because by law Medicare cannot pay
paper claims until 28 days after receipt (as
opposed to 14 days for electronic claims).

29
HIPAA Enforcement Process

CMS is designated to enforce HIPAA administrative
simplification with the exception of privacy
OCR is designated to enforce Privacy
Enforcement activities will be complaint-driven
Notify provider about the complaint
Provider will have opportunity to demonstrate
compliance or submit a corrective action plan
Focus on obtaining voluntary compliance through
technical assistance
Penalties imposed as last resort

30
Filing a Complaint with CMS

Complaints concerning electronic transactions and
code sets should be directed to CMS
Complaints can be submitted online
athttp//www.cms.hhs.gov/hipaa/hipaa2/support/co
rrespondence/complaint/securitychoice.asp
Or, you can download form at http//www.cms.hhs.g
ov/hipaa/hipaa2/support/correspondence/complaint/c
omplaintform.pdf and mail it into
HIPAA Complaint
7500 Security Blvd
Mailstop C5-24-04
Baltimore, MD 21244

31
Filing a Privacy Complaint with OCR

Anyone can file a complaint by mail, fax, or
e-mail
Complaints should be directed to one of OCRs ten
regional offices depending upon where you are
located
More information can be found at their website
at
http//www.hhs.gov/ocr/howtofileprivacy.htm

32
Enforcement Interim Final Rule

Both CMS and OCR enforcement process will be
addressed in a single rule
The rule is the first installment. Next step, HHS
will publish a Notice of Proposed Rule Making
(NPRM)
NPRM will outline what constitutes a violation
and how to calculate a Civil Monetary Penalty
(CMP)

33
HIPAA Rules
Small Health Plans have an extra year to
comply Civil Monetary Penalties Interim
Final Rule first installment of Enforcement
Final Rule October 16, 2003 with ASCA
extension
34
Coming Attractions

More standards will be issued, such as
Claims Attachment
First Report of Injury
Others

35
Where should you be now?

? Assigned a HIPAA point person for your office
Determined if you are a covered entity
Completed an Action Plan
Communicated often with vendors, billing services
/ CHs, and payers concerning 10/16/03
Implemented privacy provisions
Testing Internally
Scheduled External Testing
Working toward completing your Gap Analysis
Staying abreast of upcoming deadlines and
requirements i.e. security

36
II. Understanding HIPAAs Electronic Transactions
and Code Sets

Understanding the Transactions Cycle
Adopted Electronic Transaction Standards
Changes to Your Current Business Processes
Adopted Code Sets Standards
Maintainers of Medical Code Sets
Non-medical Code Sets
General EDI Requirements
Trading Partners and Business Associates
Maintaining and Changing Standards

37
Why Are They Important to You?

Standard method for submitting claims
Standard method for getting paid
Use of transactions can greatly improve
efficiency and reduce paperwork
Real-time Eligibility/Benefits
Penalties for non-compliance
Non-compliance can result in a cash flow
disruption or improper payment

38
EDI - Transactions StandardsThe Healthcare EDI
Cycle

HIPAA required HHS adopt industry-developed
standards for EDI. These electronic transactions
are standardized

Transactions applicable to providers
39
EDI - Electronic Transactions Standards

HHS adopted
NCPDP - retail pharmacy drug transactions
ANSI X12N - all others

TIP The American National Standards Institutes
(ANSI) Accredited Standards Committee (ASC).
ASCs insurance committee, X 12N, is responsible
for development and maintenance of transaction
standards. And, the National Council for
Prescription Drug Programs (NCPDP) maintains a
number of standard formats for use by the retail
pharmacy industry.
40
EDI HIPAA Electronic Transactions Standards

Claim or encounter ANSI ASC X12N
-- Professional 837-P 4010 and 4010A1
-- Institutional 837-I 4010 and 4010A1
-- Dental 837-D 4010 and 4010A1
-- Retail Pharmacy NCPDP
Telecommunications
Standard 5.1 and Batch 1.1
Claim payment and remittance 835 4010 and
4010A1
Coordination of Benefits 837 4010 and 4010A1
Eligibility Request Response 270/271 4010 and
4010A1
Authoriz./Certific. Req,/Resp. 278 4010 and
4010A1
Claim Status Inquiry Response 276/277 4010
and 4010A1
Enrollment/Dis-enrollment 834 4010 and 4010A1
Premium Payment 820 4010 and 4010A1

TIP 004010 Version and A1 Includes the
addendum adopted in the HIPAA Modifications Rule
(discussed in Part III)
41
ISA00 00 ZZ003000 ZZWHY
INC 0205241718U004010000000010T GSHC000
3000WHY INC2003011416151X004010X098 ST837
0001 BHT001900000120030141645CH REF87004
010X098 MN1412MARY SMITH CLEARINGHOUSE46
0003000 PERICMARY SMITHTE9135551234FX612333
4567ED6125559876 NM!402MEDICARE PART
B46 WHY INC HL1201 MNI852EYEBALL
SURGERY ASSOCIATES24123456789 N3PO BOX
1234 NSALISBURYMO660453565US REF1C09876
PER1CBILLING PROVIDER CONTACT OFFICE
NURSETE9135551234FX 6123334567TE
6125559876 HL21220 SBRP18MEDICARE PART
BMB NM!IL1BENNINGCARRIEMI134-56-789
0A N3PO BOX 123 N4NEOMAMO67799US DMBD819
330324M MN1PR2MEDICARE PART
BPI00065 N31000 MAIN ST NST
LOUISMO66666US CLMMEDBGOOD-MIS11500111
YCYYBP REX432D1234567 NTEADDCLAIM
NOTE TEXT HIBK3999 NM1DN1FOLLARDBENJM.D
.24-111223333 PRVRFZZ101Y00000N RED1CB1127
7 NM!821TREPEDHOWARD2488899-1111 PRVPE
ZZ101Y00000N RED1C2327870 LX1 SV1HC992131
5000UN1111N DTP472DB81298399 REX4
32D1234567 SE360001 GE11 IEA1000000001
What Your Computer Sees During an 837
Transaction
42
(No Transcript)
43
HIPAA Transactions and Changes to Your Business

The structure of the Claim
Limits on the variability between Payers
Linking claim transactions to payment
transactions
Situational data elements
Defined agreements up front on the nature and
routing of transactions

44
EDI - Code Sets Standards

Today
Providers maintain multiple code sets (including
local codes) to meet different payer requirements
HIPAA
No local codes
Standard codes for all payers
Only standard code sets can be transmitted in the
mandated transactions
More efficient
They are an integral part of electronic
transactions used to describe both clinical and
administrative activities
HIPAA code sets are either medical / clinical or
non-medical
External and internal Code Sets (to the
Implementation Guides)

45
HIPAA Medical Codes

International Classification of Diseases Covenant
Provision, Clinical Modification (ICD-9-CM)
Current Procedural Terminology (CPT)
Alphanumeric Healthcare Common Procedure Coding
System (HCPCS) now termed Health Care Common
Procedure Coding System
Current Dental Terminology (CDT)
National Drug Codes (NDC)

46
HIPAA Non- medical Codes

Country Codes
Claim Adjustment Reason
Patient Status
Remittance Remark Codes
DRGs
Revenue Codes

Place of Service
Type of Bill
Postal codes
Claims Status
Admission Type
Languages

47
EDI Maintainers of Code Sets
NOTE Local codes go away under HIPAA
48
General EDI HIPAA Requirements

Covered entities MUST use the electronic
transaction standards code sets
Providers dont need to conduct all transactions
electronically
Individual agreements between trading partners
must conform
Covered entities can use business associates to
conduct transactions if they choose

49
Business Associates Trading Partners

Business Associates
An individual or organization that performs, or
assists in the performance of, a function or
activity on behalf of the covered entity,
involving the use or disclosure of PHI
Example A billing service who processes claims
for a provider is a business associate
Trading Partners
An organization with whom a covered entity
exchanges information electronically using a
named transaction standard
Example - A provider and a clearinghouse are
trading partners

50
Where are the Directions for Building a Standard
Transaction?

Implementation Guides
Recipe books that include ingredients and
directions for how to conduct the transactions
according to HIPAA standards
However, payers have some discretion on how to
conduct each transaction

51
Implementation Guide
52
Real Time vs. Batch Transactions

Batch Grouped together in large quantities and
processed en-masse. No continued connectivity
Real Time Requires an immediate response.
Submitter remains connected awaiting response
Payers may choose to reject an entire batch or
just a single claim not a HIPAA requirement.
Payers business decision.

53
Web and Direct Data Entry Transactions

Trend to web-enable large payer systems for
transaction submission
All web and direct data entry systems must meet
the data content HIPAA transaction standard

54
Where Can I Find Implementation Guides?

ANSI standards can be downloaded for free at the
Washington Publishing Company website -
www.wpc-edi.com/hipaa
Retail Pharmacy Drug Claim standard
www.ncpdp.org

55
Companion Guides to Implementation Guides

Payers may provide a companion document
defining required situational data elements
Medicare (through its carriers and fiscal
intermediaries), Medicaid, and other payers are
producing companion documents
Available from their web sites

56
Who Maintains the Standards?

DSMOs

Advisory Groups
Rule Making Authority
WEDI
DHHS
NCVHS
ADA
DeCC of ADA

ANSI Standards Development Organization (SDO)
Data Content Committee (DCC)

57
Modifications to Transactions and Code Sets
Standards

August 17, 2000 Final Electronic Transactions and
Code Sets Rule
Requests to modify standards submitted by the
industry to DSMOs
The National Committee on Vital and Health
Statistics (NCVHS) holds public hearings on the
requested changes

58
Recent Modifications

Changes to technical formats of current EDI
transactions
Changes to non-medical codes
New required data elements are added
New situational elements added
New business rules are imbedded in the
transaction
Repealed adoption of NDC code standard for
non-retail pharmacy transactions

59
The Addenda

Some examples of changes include
Usage of certain data elements from required to
situational such as the ASC X12N 837 usage of
Provider Taxonomy Codes.
Changing the requirement to report HCPCS codes
for all outpatient services to requiring that
HCPCS codes be reported on outpatient services
when a HCPCS code is available for the service.

60
Should I Be Implementing ASC X12N 4010 or ASC
X12N 4010A1?

Both
The Addenda are modifications to the Transactions
final rule of August 2000
The newly adopted standards to be used by October
16, 2003 are the ASC X12N 4010 and the ASC X12N
4010A1 implementation guides.

61
Which code set do I use for drugs and biologics
if I am not a retail pharmacy or not conducting
retail pharmacy transactions?

The NDC standard is not required the non-retail
industry has NO standard
There are only only two codes sets which can be
used NDC and HCPCS

62
III. Implementation of Electronic Transactions in
a Small Provider Office

Points of Impact
Business Processes
System Changes
Policy Changes
Claim Submission / Payment, Eligibility,
Referrals, and Claim Status
Changes to Payer Systems
Medicare and Private Payers
Top Questions to Ask Clearinghouse / Vendor

63
Points of Impact

Review existing workflows per transaction
Can workflow be improved/automated?
Can information returned be better
utilized/automated?
Do you use non-standard codes in these processes?
Can you incorporate standard codes or do you need
to crosswalk?
Is there value in implementing HIPAA transactions
which you dont currently conduct electronically?
Is there value in implementing transactions not
currently required by HIPAA?
Incorporate Privacy/Security provisions into
processes

64
Business Processes

HIPAA Transactions Aid in Streamlining Business
Processes
270/271 (Eligibility Request and Response)
Rosters
Internal databases of eligibility information
276/277 (Claim Status Inquiry Response)
Unsolicited 277s for pended claims
278 (Authorization/Certification
Request/Response)
Time/money savings due to lack of human
intervention?
835 (Claim payment and remittance)
Post to accounts receivable systems, NCPDP claim
payments on 835s
837 (Coordination of Benefits)

65
System Changes

Will your vendor be HIPAA compliant by the
mandated deadlines?
Will the software be compliant with Addenda?
If not, can a clearinghouse/translator solve your
Transaction/Code Set issues?
Do you have a crosswalk from standard code sets
to ones used by your internal systems?
Do you plan on internalizing standard code sets?

66
Policy Changes

Have you made changes to your business processes
to streamline and reduce costs?
How can you take advantage of HIPAA? Example
Eligibility Verification
Check each time
Build internal database
Real time versus batch mode (daily appointment
schedule or as patients arrive?)

67
Policy Changes

External Changes
Most providers submit claims to more than one
payer
Payers may have individual companion guides
Syntax, format of transactions remain the same
Field values required for completion of
transaction may vary
Standard Identifiers

68
Policy Changes

Trading Partner Agreements
Define exactly how two entities who exchange
transactions will do business
Communication methods
Submitter/Receiver IDs
Delimiters
Frequency
Turnaround Expectations
What transactions will be exchanged?
What X12N version will be utilized?

69
Claim Submission

Electronic transactions must use HIPAA standards
Paper forms will continue to exist
UB92/HCFA1450 ? UB02 (by 2004)
CMS-1500 Form (formerly HCFA1500) to be continued
unchanged

70
Claim Payment

Paper claim payment (check) and paper remittance
advice will continue to be supported by some
plans
Electronic Remittance Advice must meet national
transaction standard (835)
Most payers web applications will allow
web-based access to remittance advice information

71
Eligibility, Referrals, Claim Status

Will continue to be supported by paper, fax,
phone by many payers
Well-suited for web-based applications
Most payers applications will support both
interactive and batch submission/response on
their web-based systems

72
Changes to Payer Systems

Major changes in all payers direct data entry
systems
Data content (data elements) must meet the data
content portion of the national electronic
standard
Systems will also need to be capable of receiving
data transfers (directly or through a
clearinghouse) from providers
If provider chooses to send data electronically,
payer must accept

73
Medicare

Major changes on current direct data entry system
Standardized Trading partner agreement coming up
Companion document establishing Medicare-required
situational data elements
Free/low cost HIPAA-compliant software available
from carriers and fiscal intermediaries for
providers to submit Medicare claims
electronically
Free PC-print software for electronic Medicare
remittance advice (835) transactions
http//www.cms.gov/providers/edi

74
Medicare (cont)

Medicare software allows providers to create a
HIPAA-compliant claim. Cannot be used for other
payers
For other HIPAA transactions, providers are
expected to obtain own software
Clearinghouses offer an alternative

75
Private Payers

Updating web sites to allow interactive
transactions
Developing companion documents to define
requirements for the situational data elements
Providing trading partner agreements

76
Implementation of HIPAA Transactions by Small
Providers
Implementing Transactions via a Clearinghouse
Physician or Provider
Health Plan B
Claim Data (any Format)
Claim Data (Any Format)
Claim Data ANSI 837 Req.
Claim Payment (any Format)
Claim Payment (Any Format)
Claim Payment ANSI 835 Req.
Contract b/w Hosp A Ch X
Contract b/w HP B Ch Y
Clearinghouse X
Clearinghouse Y
77
Implementation of HIPAA Transactions by Small
Providers
Direct Exchange Between Providers and Health Plans
Health Plan
Claim - ANSI 837 Req.
RTF - A
Claim Payment - ANSI 835 Req.
Claim Data (Any Format)
Claim - ANSI 837 Req.
Claim Payment (Any Format)
RTF - B
Claim Payment ANSI 835 Req.
Health Plans Clearinghouse
78
Top Questions to Ask Your Software Vendor

What software updates are needed for HIPAA
compliance?
What release (version, patch) of your product
supports the HIPAA claim (837) and remittance
(835) transactions?
Does my practice / facility have to be at a
particular release level to implement the HIPAA
release or is this a complete upgrade from our
current version?
What are your service level agreements for
continued support?
New versions of transactions
Newly mandated transactions
Does the software support strip and store
requirements?

79
Top Questions to Ask Your Software Vendor (cont)

How does your product support collecting the
required and situational claim data via the
screens used by our staff as they interact with
patients or is this done on-line at a later time?
Will you support the required code sets?
Will the software let the practice exchange these
transactions directly with payers, or do they
have to go through a specific clearinghouse?
How much will this upgrade or new version cost
our practice based upon the answers to the above
questions?
When will the software updates be available?
How much lead time is required to install and
test the software?
What is the minimum hardware requirement for
servers and workstations to run the HIPAA
compliant version?

80
Top Questions to Ask Your Software Vendor (cont)

What training, support and services are available
to help my office?
Are there training and or consulting services
available to help me test the HIPAA release?
What are your contingency plans if you cannot be
ready on time?
Who specifically can I contact for HIPAA
transactions questions?
Do you have crosswalks for my payers or your
affiliated clearinghouses?
Can we choose a clearinghouse with the new
version?
Do you have the companion guides for my payers
with whom I file directly?

81
Top Questions to Ask Your Software Vendor (cont)

Do you have a list of the HIPAA data elements
supported by the product?
Is this list transaction specific?
Does this list map to the current 1500 or
UB92/1450 so we can see what new data we must
develop?
Will your product or clearinghouse support HIPAA
specific business edits?

82
Top Questions to Ask Your Software Vendor (cont)

How is the production of the 837 supported by
your product?
Can I upgrade to the various standards
incrementally?

83
Top Questions to Ask Your Software Vendor (cont)

Does the product support automatic posting using
the 835-remittance transaction?
Do you belong to any of the HIPAA-related
workgroups? How do you remain current on the
latest HIPAA developments?
Has your testing process included all of the
seven types recommended by WEDI SNIP?
Has the software received third-party
certification that it can generate HIPAA
compliant transactions?
Will you send me a testing schedule that
includes
Internal testing
Testing with Medicare
Testing with commercial payers
Testing with a clearinghouse (if applicable)

84
Top Questions to Ask Your Clearinghouse

Will you be certified by a third-party vendor?
When will you be able to test HIPAA-compliant
transactions?
When will you be capable of conducting
HIPAA-compliant transactions?
When will you support the required code sets?
Will you be able to continue processing claims in
existing electronic formats while testing the new
formats?
What telecommunication methods can you use to
access the clearinghouse?
What are your contingency plans?
Who can I contact in your organization with HIPAA
questions?

85
Top Questions to Ask Your Clearinghouse (cont)

Do you have the companion guides for my payers ?
Do you support strip and store?
Do you have crosswalks for my payers?
Will you support HIPAA specific business edits?
Have you tested with my payers?
Have you used any third party certification
service?
Will you help us with any new EDI enrollment
requirements?

86
IV. Phases of HIPAA Implementation

EDI Gap Analysis
Transaction Sequencing
Trading Partner Agreements

87
EDI Gap Analysis

Purpose
Identify deficiencies or gaps in processes and
data
Compare data available electronically in your
systems with the data required for HIPAA

88
Core Transaction Gap Analysis Steps

Step 1 Assessment of Transactions
Step 2 Assessment of Data Format
Step 3 Assessment of Data Content
Step 4 Assessment of Data Sources
Step 5 Assessment of Data Systems
Step 6 Assessment of Trading Partners

89
Step 1

Assessment of Transactions
Conducted by provider
Which HIPAA transactions are you currently doing?
What are the transaction volumes?
Which transactions do you conduct on paper now?
Which could be conducted electronically?

90
Electronic Transaction Assessment Matrix (Step 1)
Claim Claim Elig Referral Claim
COB Subm Paym
Status
- Format - Content - Volume
Medicare Medicaid BCBS Payer X Payer Y
91
Steps 2 and 3

Step 2 - Assessment of Data Format
Conducted by provider
Which electronic formats are you using now to
send transactions?
To how many payers?
What formats? (ask your vendor)
Step 3 - Assessment of Data Content
Ask your vendor/CH to conduct
What data elements are you missing that are
required for the standard?
What sources of data can you use to fill gap?
What is your interpretation of situational data
elements?

92
Step 4 5

Step 4 - Assessment of Data Sources
Ask your vendor/CH to conduct
Do you know what data systems feed the
transactions?
What are the sources of the new data needed to
fill any data gaps?
Step 5 Assessment of Data Systems
Ask your vendor/CH to conduct
Will hardware/software applications be ready to
comply with HIPAA requirements?
Is the vendor offering HIPAA-compliant system
modifications?

93
Step 6 Assessment of Trading Partners

Conducted by provider
Who are you doing what with, and how?
Survey your trading partners to understand their
HIPAA compliance plans
Discuss their interpretation of situational
elements
Review trading partner agreements with legal
counsel

94
Transaction Gap Analysis Outcomes

Prioritize transactions
Prioritize trading partners
Identify data format gaps
Steps for redefining data formats
Identify data content gaps
Existing/new sources for filling data gaps

95
Transaction Sequencing

Transaction sequencing is payer-driven
Each transaction needs a plan for development,
testing, and implementation
Multiple transactions require a well planned
schedule for planning and implementation
Multiple trading partners require significant
coordination

96
Trading Partner Agreements

An agreement related to the exchange of
information in electronic transactions
May specify the duties and responsibilities of
each party to the agreement in conducting a
standard transaction
Not required but strongly recommended

97
What should be included in a trading partner
agreement?

Expected response time
Testing requirements
Interpretation of HIPAA guides
Optional functions
Security requirements

98
V. Testing and Certification

When do you start?
Elements of Testing
Translators and Clearinghouses
Three Categories of Testing
7 Compliance Testing Steps Recommended by WEDI
Certification
Vendor Risk
Tracking Vendor Progress

99
Testing Guidelines

Work with your system vendor or billing service
to determine what needs to be tested
Test your systems internally before testing with
your payers
Know your payers testing schedules

100
When do you start?

Now!
Lots to do very little time
Failure will not make the problem go away
HIPAA transactions are here to stay
The health care industry is moving toward
electronic transactions
Test early, test often, test now!

101
Elements of Testing

Telecommunications
Security, authentication, access
Data format issues
Data content issues
Generic HIPAA requirements
Trading partner specific requirements
Business rules
HIPAA rule payer-specific requirements

102
Translators

Map your current transaction formats to and from
HIPAA-compliant transactions
Act as front and back end of your system
Usually reside in-house
Vendor supplies testing applications
Validate and verify syntax, format, internal code
sets
Implementation guide rules are incorporated into
vendor-supplied formats

103
Clearinghouses

Transform proprietary transaction formats into
HIPAA-compliant formats and vice versa
Perform both translation and routing functions
Help customer to develop mapping rules and
processes
Map to a clearinghouse common format, then
translate to HIPAA-mandated format
Charge a per transaction fee
If payer mandates use of a specific
clearinghouse, payer pays fees in excess of
telecommunications

104
Types of Testing

Internal Systems Testing
Test your information systems / billing software
compliance
Compliance/Certification Testing
Third party test of your computer systems
ability to create, send, or receive HIPAA
compliant transactions
Business-to-Business (B2B) Testing
Test with your individual payers
End-to-End Testing
Coordinated testing between provider/payer
Tests transaction from provider to payer and
response

105
SNIP 6 Levels of Compliance Testing
Integrity Syntax Test
106
Levels 7 and 8
Level 7
Level 8
End-to-End Testing
Integrity Syntax Test
Trading Partner Testing
Test Cycle Repeats
Level 7(optional) Trading partner testing
tests the communication of transactions between
specific partners (payers) Level 8 (optional)
Coordinated test from provider to payer and payer
to provider
TIP WEDI white paper on this topic which can be
found at http//www.wedi.org/snip/public/articles
/testing_whitepaper082602.pdf
107
Software Testing

Do you know what your vendor plans for testing?
Can your vendor help you with your office
testing?
Is your vendor following WEDI SNIP recommended
testing guidelines?
Is your vendor testing with your payers?
Are you involved in the testing?
Do you ask to see the results of the testing?

108
What is Third-Party Transaction Certification?
109
Certification Service Inbound Test
Provider System
Provider System
110
Certification Service Outbound Test
TRANSLATOR /
Transactions
Billing System
Back End of Billing System
Outgoing
Analysis Results
Certification
Service
Notice of
Analyze Transactions /
Certification
Report Results
Public
111
Track Vendor Progress

Hold regularly planned status meetings
Decide upon change management process prior to
start of testing
Ask to review the vendors test plans/cases
Build your own test plans/cases
Follow up on vendors weak/missed items
Verify vendors meeting deadlines/milestones
Stay informed of action items to get back on
track with plan

112
VI. Security

Purpose and scope
Major concepts
Required vs. Addressable specifications
Administrative, technical, and physical
safeguards
Relationship to Privacy Requirements
Small Provider Implementation

113
Purpose of the Security Rule

Ensure integrity, confidentiality, and
availability of EPHI
Protect against reasonably anticipated threats
and improper use or disclosure

TIP The Security Final Rule can be found at
http//a257.g.akamaitech.net/7/257/2422/14mar20010
800/edocket.access.gpo.gov/2003/pdf/03-3877.pdf
114
Scope of the Security Rule

All Electronic Protected Health Information
(EPHI) versus Privacy which covers paper, oral,
AND electronic PHI
Data in motion AND at rest Stored data and
transmitted data
All covered entities
Ensures ongoing appropriate access

115
Overall Final Security Rule Standards Concepts

Flexible, Scalable
Permits standards to be interpreted and
implemented appropriately from the smallest
provider to the largest health plan
Technology Neutral
Can utilize future technology advances in this
fast-changing field
Comprehensive
Administrative safeguards (policies and
procedures)
Physical safeguards (restricting access,
providing backups)
Technical safeguards (authentication, integrity
controls, access)

116
Security Rule Concepts

Flexible, Scalable works for small to large
providers and health plans
Technology Neutral allows for new technology
Comprehensive
Administrative Safeguards
Physical Safeguards
Technical Safeguards

117
Required vs. Addressable

Required specifications are mandatory
Addressable specifications must be used if risk
analysis shows they are needed
If entity does not meet an addressable standard,
must document why and what else is being done in
its place

118
Whats in the Security Rule ..
Title I
Administrative Safeguards
Physical Safeguards
Technical Safeguards
119
Administrative Safeguards

Security Management
Risk Analysis
Risk Management
Sanction Policy
Information System Activity

120
Administrative Safeguards (cont)

Assigned Security Responsibility
Workforce Security
Information Access Management

121
Administrative Safeguards (cont)

Security Awareness Training
Incident Reporting
Contingency Planning
Technical Evaluation
Business Associate Contracts

122
Physical Safeguards

Facility Access Controls
Limit physical access
Safeguard facility and equipment
Access control and validation
Maintenance Records

123
Physical Safeguards (cont)

Workstation Use
Workstation Security
Device and Media Controls
Disposal
Media Re-use
Accountability
Data Backup and storage

124
Technical Safeguards

Access Control
Unique User ID
Emergency Access
Encryption and Decryption
Audit Control

125
Technical Safeguards

Integrity Controls
Person or Entity Authentication
Transmission Security
Integrity Controls
Encryption

126
Relationship of Privacy and Security

Both rules are closely linked
Privacy is the Who, What, and When and
Security is the How
Definitions and many administrative requirements
now aligned with the Privacy regulations
Privacy covers PHI on paper and in electronic
form, while Security covers only electronic PHI
Security enables Privacy by requiring safeguards
so that only those authorized to access data are
able to do so.
Covered entities are required to detail in
business associate agreements or other contracts
how they and their business partners will protect
the integrity, confidentiality, and availability
of the data exchanges. Contracts such as these
must be entered into with business associates

127
Implementation by Small Providers

May implement the security standards using any
security measures that allow them to reasonably
and appropriately implement the standards.
Consider size, capabilities, and costs
Assess security risks and vulnerabilities
Determine additional measures necessary, taking
into account your capabilities and the cost of
those measures.
CMS will be publishing security outreach
materials in the future stay tuned to our
website

128
Implementation Strategies

Take an organizational approach
Share ideas/experiences with others
Join regional work groups

129
VII. Review / Resources

EDI Deadlines and Rules
CMS Information Series on Electronic Transactions
and Code Sets
Checklist for Getting Ready
Security Deadlines and Rule
HIPAA Listserves
CMS Contacts
Privacy Deadlines and Rule
Contacts

130
EDI

HIPAA DEADLINES
April 16, 2003 Begin testing HIPAA compliant
software
October 16, 2003 Implement electronic
transactions and code sets
July 30, 2004 Implement Employer Identifier
August 1, 2005 - Small Health Plans implement
Employer Identifier
RULES
Standards for Electronic Transactions and Code
Sets Final Rule
http//aspe.hhs.gov/admnsimp/final/txfin00.htm
(Preamble to Rule)
http//aspe.hhs.gov/admnsimp/final/txfin01.htm
(Rule itself)
Modifications to Electronic Transactions and Code
Sets Final Rule
http//www.cms.hhs.gov/regulations/hipaa/cms0003-
5/0003ofr2-10.pdf

131
CMS HIPAA Information Series on Electronic
Transactions and Code Sets

HIPAA 101
Are you a covered entity?
Key HIPAA dates and tips for getting ready
What electronic transactions and code sets are
standardized under HIPAA?
Is your software vendor or billing service
ready for HIPAA?
What to expect from your health plans
What you need to know about testing
Trading Partner Agreements
Final steps for compliance with Electronic
Transactions and Code Sets
Enforcement

TIP Series can be found on our website at
http//www.cms.hhs.gov/hipaa/hipaa2/education/info
serie/. Series also available in Spanish. Not
all papers may be available but coming soon.
132
Check List - Transactions
?

Learn about the HIPAA transactions and what they
do.
Gather reference material.
Prioritize implementation of transactions based
on risk and benefit analysis for your practice.
Identify required data elements not used by your
vendor system.

?
?
?
133
Check List - Transactions
?

Identify situational data elements not currently
collected.
Establish how you will collect situational
elements.
Confirm that you can collect unique identifiers.
Identify and train staff on all new rules related
to the transaction that may impact operations.

?
?
?
134
Check List - Code Sets
?

Define which of the HIPAA codes sets you use.
Identify current service codes that are not HIPAA
approved codes.
Determine the new codes needed to replace
non-compliant codes.
Calculate the dollar impact of the switch to
HIPAA-compliant codes

?
?
?
135
Check List - Code Sets
?

Identify other code changes, e.g., place of
service, relationship, claim adjustment codes,
claims status, medical management codes
Educate employees about all coding changes and
how they will be applied
Identify which of the provider taxonomy codes
apply to your providers

?
?
136
Check List - Code Sets
?

How the payer will use the provider taxonomy
codes for adjudication purposes
Do the provider taxonomy codes in the payer
system list your provider correctly

?
137
Check List - Trading Partners
?

Identify key trading partners
Evaluate the flow of your data to/from your
trading partners
Learn the capabilities of your trading partners
Identify trading partner agreements and companion
documents
Determine if the trading partner agreements and
companion documents violate HIPAA requirements

?
?
?
?
138
Check List - Trading Partners
?

Identify any additional contractual changes in
the trading partner agreements that may have
nothing to do with HIPAA but may impact you
business contract with a payer
Define a process to maintain trading partner
specific requirements related to the method of
transmission or other specific rules around the
transaction
Assess which trading partners require business
associate agreements

?
?
139
Check List - Trading Partners
?

Identify how your trading partners will confirm
that transactions have successfully reached their
proper destinations
Determine how your trading partner will assure
the privacy and security of the transactions you
send them
Determine the level of testing that has occurred
between all of the trading partners that are
involved in your transaction

?
?
140
Check List - Trading Partners
?

Identify a process to verify that both contract
and HIPAA compliance rules are followed
consistently
Determine which codes your payers are
cross-walking in their systems and request copies
of the cross-walks

?
141
Check List - Billing/Practice Management Vendors
?

Determine which of the transactions your system
can send and/or receive
Identify which of your trading partners your
vendor has engaged to test transactions
Define the types of tests your vendor has used
Confirm that your system supports the collection
of all new required and situational elements

?
?
?
142
Check List - Billing/PM Vendors
?

Confirm that your system has controls to prevent
the entry of non-compliant values
Has your system look-up fields for codes and
other values been updated to current HIPAA
required code standards
Determine the maintenance and update schedule for
all codes sets
Identify the type of security your system uses to
transmit and receive transactions

?
?
?
143
Check List - Billing/PM Vendors
?

Identify how your system will match outgoing and
incoming transactions for posting and
reconciliation
Assure that your system is placing the claim and
line item identifiers in the right place
Assure that your system is receiving the claim
and line item identifiers in your 835 or
remittance advice
Confirm that all the lines that were sent return
with the 835 or remittance advice

?
?
?
144
Check List - Other
?

Determine if your payer will send money directly
to your bank
Identify how you will reconcile the remittance
advice or 835 with the electronic funds transfer
Identify how you will address issues related to
failure of HIPAA compliance
Identify any charges that may be associated with
clearing house functions and your responsibility
for those charges

?
?
?
145
Check List - Other
?

Determine how your partners plan to convert old
data to new HIPAA codes and data element
definitions for utilization and other reporting
purposes
If you receive capitation, identify how codes
changes will affect the capitated service or fund
pool definitions
Prepare for a cash flow interruption that could
be substantial for 3 months or more

?
?
146
Security
UPCOMING SECURITY COMPLIANCE DEADLINES April 21,
2005 Compliance deadline for meeting security
standards. April 21, 2006 Small health plans
have an additional year to comply with security
standards RULES Security Final Rule -
http//a257.g.akamaitech.net/7/257/2422/14mar20010
800/edocket. access.gpo.gov/2003/pdf/03-3877.pdf
147
Stay Tuned..

Sign up for two list serves.
They are free!
They are sponsored by the government
They automatically send you e-mails with the
latest on HIPAA
Regulations list serve Notifies you when new
HIPAA rules are published
http//www.cms.hhs.gov/hipaa/hipaa2/regulations/ls
notify.asp
Outreach list serve - Communicates announcements
on events, tools, and resources on HIPAA
http//list.nih.gov/archives/hipaa-outreach-l.html

148
CMS Contacts

HIPAA Hotline (non-privacy questions)
866-282-0659
E-mail
Askhipaa_at_cms.hhs.gov
Website
www.cms.hhs.gov/hipaa/hipaa2

149
Privacy
UPCOMING PRIVACY COMPLIANCE DEADLINES April 14,
2003 is the Privacy deadline. Small Health Plans
(less than 5M in annual receipts) have an
additional year, until April 14, 2004 to comply
with Privacy Requirements April 14, 2004
Compliance deadline for small health plans
RULES Privacy Final Rule - http//www.hhs.gov/o
cr/hipaa/finalreg.html
150
Privacy

HHS Office for Civil Rights (OCR) oversees
HIPAAs Privacy Requirements
Contact info
OCRPrivacy_at_hhs.gov
1-866-627-7748
Resources
http//www.hhs.gov/ocr/hipaa
Privacy Final Rule / Privacy Modifications Rule
Model Business Associate Agreement
http//www.hhs.gov/ocr/hipaa/contractprov.html
Guidance Explaining Significant Aspects of the
Privacy Rule at
http//www.hhs.gov/ocr/hipaa/privacy.html
Frequently Asked Questions
http//www.hhs.gov/ocr/hipaa/whatsnew.html

151
Bottom Line

HIPAA is the law
If you havent started preparing, start now
There are deadlines for compliance
There are civil and criminal penalties for
non-compliance
Affects all partners and requires cooperation
HIPAA is not simply an IT issue it has
implications for your entire practice
Could have major impact on operations
Has impact on future business strategies
CMS has lots of free resources available to help
you prepare!

Write a Comment

User Comments (0)

About PowerShow.com

A Readiness Workshop for the Small Provider PowerPoint PPT Presentation