Practicing medicine these days is like canoeing along the dangerous and uncharted waters of the Amazon River.
Physicians and healthcare businesses are being charged by a raging Hippopotamus named H.I.P.A.A. (The Health Insurance Portability and Accountability Act of 1996).
The Federal Government envisions smoother and less costly healthcare reporting, Medicare payment and patient privacy. Many healthcare businesses and physicians see more government intrusion into healthcare decisions.
"Won't there simply be more disruption to medical institutions?" some ask. "Aren't we already harassed with too many life or death human, civil, legal, technical and professional challenges?"
Boiling the waters, piranha-like, around America's harassed medical canoes are software and hardware companies, media consultants, digital service companies, accounting firms, etc. It appears that physicians, hospitals and clinics are going to have to dump scads of fresh medical revenue in order to placate HIPAA and its accompanying piranhas.
But how much revenue? And to what end? The currents of modern communication seem to change standards and methods at every turn and eddy. And communication currents appear staid compared with the whims and gales of politics and prevailing privacy issues.
Codified Transactions
Soon, according to HIPAA, all healthcare organizations will have to use standard code numbers that identify medical procedures being billed. Codes for all known office, clinical and hospital procedures (Transaction Codes) were finalized by the HIPAA committees in August of 2000.
HIPAA allows 24 months to comply. So all medical canoes of physician offices, insurers, health authorities, billing agencies, service organizations, universities, clinics, hospitals, etc. had until October, 2003 to drop the shad, change course and get in compliance.
Towing The Line
So how are all these organizations going to ensure that everyone is paddling together and using the same codes? Here's what federal authorities say medical canoes should do:
A. Build organizational awareness of HIPAA requirements.
B. Assess all current information security systems, policies and procedures for HIPAA compliance.
C. Develop an Action Plan with timetables for HIPAA implementation.
D. Develop technical and management implementation infrastructures.
E. Implement the Action Plan with
1. New HIPAA compliant policies and processes
2. "Chain of trust" agreements with service organizations
3. A redesigned technical information infrastructure
4. A new, HIPAA compliant information system
5. Conforming internal communications
6. Training and enforcement.
What about Privacy?
Our raging Hippo, HIPAA, wants everybody to wade in the murky waters of individual privacy. Paddling unimpeded in the sunlight threatens his sense of importance. Our medical canoes must put on a shroud of HIPAA standards and aliases. These are:
I. Electronic Health Transaction Standards
II. Unique Identifiers
III. Security and Electronic Signature Standards
IV. Privacy and Confidentiality Standards
Let's take a closer look at each.
I. Electronic Health Transaction Standards include health claims, health plan eligibility, enrollment and disenrollment, payments for care and health plan premiums, claim status, first injury reports, coordination of benefits and related transactions. The various electronic form formats of all these transactions will have to be standardized according to the American National Standards Institute (ANSI).
A standard coding system that describes each disease, injury or other health problem or symptom must be followed. If a medical canoe doesn't support electronic forms it must submit written forms with the correct coding to an electronic clearing house for further processing.
II. Unique Identifiers for providers, employers, health plans and patients will be required by HIPAA. No more multiple IDs among different groups. As Americans have one social security number and corporations have one federal identification number so shall all medical canoes and patients have one unique identifier.
III. Security of Health Information and Electronic Signatures will be standardized so that a "uniform level" of protection will be provided. Housed or electronically transmitted information that pertains to any individual will have to meet the HIPAA standard ensuring message integrity, user authentication and non-repudiation. No specific technology is required, however, further complicating the decision process and leaving the door open to a multitude of abuses and implementation problems.
IV. Privacy and Confidentiality rules weren't finalized until late April, 2001. These rules authorized who has the right to access personally identifiable health information, whether or not the information is in electronic form. HIPAA privacy standards:
1. limit the non-consensual use and release of private health information;
2. give patients new rights to access their medical records and to know who else has accessed them;
3. restrict most disclosure of health information to the minimum needed for the intended purpose;
4. establish new criminal and civil sanctions for improper use or disclosure;
5. establish new requirements for access to records by researchers and others.
Basic HIPAA Principles
The above five privacy standards support the four basic HIPAA principles of:
Consumer Control of medical information.
Boundaries that limit disclosure of medical treatment and payment
Accountability for violation of patient's rights with specific federal penalties.
Public Responsibility for protecting public health, conducting medical research, improving quality of care and fighting health care fraud or abuse.
Security of health information by organizations entrusted with that information.
Benefit and Danger of HIPAA Compliance
Under HIPAA, medical information will no doubt be processed faster and more securely. Whether it's at a lower cost will depend on technical and management expertise. Just as patients must trust physicians to be competent, physicians and medical administrators will have to find trustworthy individuals and companies to build, maintain and secure electronic infrastructures at reasonable costs.
And just as there is dispute about medical procedures and treatments, there is dispute about the most efficacious electronic technologies.
With the rapid development of biology and electronics, disputes and changes in both medical and technical arenas will only accelerate.
Never in history has monetary consideration played such a deciding role in the quality of health care. In attempting to level the playing field for all patients, HIPAA is opening the door to great abuse by making medical information inaccessible by law but more accessible to chosen administrative enforcers.
In the end, personal ethics and professional competence will be the deciding factor in all successful HIPAA implementation.
Medical Region Convergence seems to be a most cost-effective and secure solution to electronic implementation. With so much state and federal money being spent on health care issues, a secure electronic infrastructure provided by metropolitan regions to healthcare providers would solve many security problems while reducing overall medical costs substantially. Wide Area Networks (WANs) and the new academic Internet 2 would enable procedures and transmissions to be almost instantaneous and ubiquitous.
Current HIPAA Implementation Technologies
While there are no specific technologies required for HIPAA implementation, certain transmission protocols are necessary if documents are submitted electronically. TCP/IP enabled computers would suffice if encrypted HTTP, dial-up modem, VPN, or secure FTP is used.
There are several "best of breed" physician's practice management systems available that address the HIPAA required billing formats. If the system does not support electronic billing for HCFA, UB92, Worker's Comp or EDI direct, paper documents must be submitted to a clearinghouse in the standard HIPAA reporting formats with standard procedure codes.
Some practice management systems support custom reporting to state or federally funded subsidy agencies. Some also provide the ability to check on Medicare and Medicaid compliance.
Data storage is a critical component of electronic systems. HL7 data interchange techniques, direct interfaces to the Electronic Medical Records (EMR) software, and interfaces to wireless Personal Data Assistants (PDAs) through encrypted 802.11b or newer 802.11g protocols should be considered.
As electronic communications leave or enter the building they should pass firewalls in routers or switches on a Virtual Private Network (VPN). It is critical that data storage computers or mechanisms be redundant at a secure remote location manned by trusted technology administrators.
Personnel/patient training and follow-up is also key. A competent and technically savvy media marketing company will lower communication costs and bring better results through faster compliance and updating.
Offices not able to afford complete electronic HIPAA implementation should first make sure their current record assessment is complete. Then they should select a technical solutions and/or media marketing expert to develop Requests For Quotes (RFQs) for a segmented path to eventual electronic compliance.
© 2001-2006, Dev.Kinney/MediaGraphics