HIPAA Is Not Done: How HIPAA & New Healthcare Initiatives Intersect

by Randa Upham, Consulting Editor, Phoenix Health Systems

Updated March 2006

Now that the April 2005 HIPAA Security Rule compliance deadline has passed, many covered entities seem to believe they have conquered the final frontier. Comments like the following are often heard in provider, payer, and clearinghouse environments:

·  "Thank goodness we are through all that HIPAA stuff."

·  "Yes, we are all set with HIPAA - did everything."

·  "Our organization did that HIPAA training last year, we are compliant now!"

Indeed, covered entities have overcome enormous budgetary and operational challenges in the HIPAA implementation process. But the comments above share an underlying fallacy: HIPAA is not done! HIPAA is not an event or a target date, but rather, a process. The intent of HIPAA was that its requirements and underlying principles become an integral part of our healthcare culture - similar to other accepted values (or buzzwords) such as: confidentiality, patient safety, infection control, quality assurance, etc. There are at least two aspects of this "HIPAA process" to consider:

First, HIPAA compliance itself will continue to require ongoing implementation, updating, and monitoring. For example, HIPAA anticipated expansion of its applicability, particularly in the area of transactions and code sets (TCS), with the promise of a succession of new standards to further simplify healthcare business processes. In addition, as technology marches on, challenges related to information security will be a critical topic and will remain on the radar of the Security Rule. Further, we have yet to see the overall impact of privacy violations and threats on consumers - but thousands of formal complaints have been filed and there is no indication that filings will decrease. Just as significant are a number of over-arching factors: a political climate that is highly sensitive to security issues, and compliance with accrediting bodies, such as the Joint Commission on the Accreditation of Healthcare Organizations (JCAHO) and the National Committee for Quality Assurance (NCQA), that have begun to focus on HIPAA. All of these factors signify that healthcare organizations must continually reevaluate and refine their HIPAA practices.

Second, a variety of significant healthcare industry initiatives that are currently underway will require integration of HIPAA precepts in order to succeed. There may have been "final rules" established for HIPAA, but the delivery and business of healthcare is ever changing. How will current innovative movements function within our existing "HIPAAtized" healthcare environment? How will the current HIPAA culture be changed?

Electronic Medical Record

In June of 2004, the President's Information Technology Advisory Committee issued its report, "Revolutionizing Health Care through Technology" (http://www.itrd.gov/pitac/reports/20040721_hit_report.pdf), providing recommendations for creating an information infrastructure that it claims will revolutionize medical records systems. The report cites the Department of Health and Human Services (HHS) Secretary Tommy Thompson's remark that "...the most remarkable feature of this twenty-first century health system is that we hold it together with nineteenth-century paperwork." The advisory committee's core recommendations included a universal electronic health record for all Americans with standardized data, computer-assisted clinical decision support, and computerized provider order entry (CPOE). The report clearly acknowledged HIPAA and specified its importance within the overall process of actually achieving the recommended objectives. The journey to realization of a true electronic medical record must navigate the entire set of HIPAA regulations.

National Health Information Initiative

The National Committee on Vital and Health Statistics (NCVHS) has urged Congress and the White House to prioritize the development of a comprehensive National Health Information Infrastructure (NHII) for the public and private sectors. As part of their appeal to the government, the NCVHS also urged that HIPAA be amended to address standards issues related to the NHII, including: "the portability of health information across information systems, plans, and providers to ensure continuity of care; promote the adoption of clinical data standards; and promote consumer/patient control of personal health information" (http://aspe.hhs.gov/sp/nhii/Documents/NHIIReport2001/report11.htm). Although the government was asked to take a leadership role in this initiative, it is assumed that all stakeholders will play an active role in establishing an NHII. To begin to envision the extensiveness of what the next phase of HIPAA might be if the NHII comes to be reality, just consider some of the recommendations that have been made relative to this enormous initiative:

·  "The specific NHII-related roles and responsibilities of HHS agencies should be enhanced, with appropriately increased budgets, under the strategic oversight of the central NHII office."

·  "Congress should supplement HIPAA to address standards issues related to the NHII. A 'Health Information Portability and Continuity Act' should provide for the portability of health information across information systems, plans, and providers to ensure continuity of care; promote the adoption of clinical data standards; and promote consumer/patient control of personal health information."

·  "Federal health data agencies should collaborate with State and local government agencies and standards organizations to develop common data reporting formats and standardized methods of transmission of all pertinent health data."

These are just a few of the recommendations that NCVHS urges the government to address.

Expansion of Required Transactions & Code Sets

ASC X12N 275

The HIPAA standard transaction for "electronic healthcare claims attachment" presents huge ramifications for the capture and protection of clinical documentation in accordance with the three major HIPAA rules. Seen as the next HIPAA "opportunity," the electronic claims attachment transaction offers a bridge between administrative and clinical records and is viewed as a major milestone toward a true electronic record. As the most complex of the transactions to date, it will require extensive collaboration between all covered entities and vendors. Significant format considerations and technical requirements are involved in the implementation of the 275 - not to mention adherence to the privacy and security standards for all components of protected health information (PHI). The 275 may create our greatest HIPAA challenge to date. In June of 2004, the Association for Electronic Health Care Transactions (AFEHCT) hosted an audio conference (co-sponsored by CMS, HL7, X12, HIMSS and WEDI) for a joint Claims Attachment Educational Effort. The sponsors voiced the opinion that vendors are the key to the implementation of the standards (http://www.afehct.org/pdfs/claimattachmay04.pdf). It is this type of cooperation among HIPAA stakeholders that will encourage realization of the HIPAA benefits.

Unique Patient Identifier

Although it has been mandated by HIPAA Administrative Simplification legislation since 1996, the national patient identifier was placed on hold by Congress because of the complexity of its implementation. In November of 2003, a committee of the Institute of Medicine urged legislators to revisit the issue. The committee maintained that the lack of universal patient IDs could hamper realization of administrative simplification and adversely affect patient safety (http://www.hipaadvisory.com/news/NewsArchives/dec03.htm#1202hdm). Indeed, the concept of a universal electronic health record for all Americans includes some manner of uniquely identifying individual patients. In spite of the fact that HHS has no current plans to pursue development of this HIPAA-mandated data element, the issue of a unique patient identifier will likely continue to elicit controversy.

ICD-10

From the very beginning of the development of the HIPAA TCS regulations, the recommended code set for use in the standard transactions was ICD-10. Although the requirement for using ICD-10 was delayed, NCVHS has urged HHS to quickly transition from ICD-9 to ICD-10. No definitive requirement has yet been agreed upon, but this transition is expected to occur and will need to be integrated into operational processes.

New Transactions

When the TCS final rule identified the required HIPAA standard transactions, it was only the beginning of Administrative Simplification. Although the industry has a distance to go in implementing the standard transactions currently required, it should be remembered that the intent behind TCS was to adopt many more standard transactions than the initial ones identified in the final rule in order to streamline business processes. For information on the standards development schedule, reference the website of the X12N/TG2 Healthcare task group (http://www.disa.org/x12org/).

Patient Safety

A primary and ubiquitous healthcare initiative is patient safety. Improvement of patient safety has been a major topic on organizational agendas for years. Many facets of patient safety involve the capture of patient data to both monitor and research key indicators related to patient care. Since much of this data includes PHI, its use will need to address HIPAA privacy and security compliance, along with issues related to standardized coding and reporting formats. It is realistic to expect that HIPAA-related assessment and implementation tasks will be necessary for years to come as we evolve more extensive and aggressive patient safety measures across the industry:

·  In an article for HealthLeaders Magazine, medical errors expert Richard Wachter, MD, called for the establishment of information technology that provides universal access to standardized patient information so that all practitioners providing care to a patient are on the same page (http://www.healthleaders.com/news/feature57663.html).

·  Stating that the "aggregation of data from many healthcare organizations about their medical/healthcare errors and the root causes of these errors is necessary in order to set priorities for error reduction activities," the JCAHO encouraged the creation of "an effective medical/healthcare error reporting system" (http://www.jcaho.org/accredited+organizations/patient+safety/medical+errors+disclosure/).

·  In its set of Informational Standards for Patient Safety, URAC, the American Accreditation HealthCare Commission, recommended using "patient safety features in automated tracking and decision support tools" to identify and analyze actual (or potential) medical errors (http://www.urac.org/documents/modelpatientsafetystandards060704drft_001.pdf).

·  Many healthcare leaders, including the Institute of Medicine (IOM) (http://www.iom.edu/report.asp?id=16663), NCQA (http://www.ncqa.org/sohc2003/sohc_2003_executivesummary.htm), and HIMSS (http://www.himss.org/content/files/IOMreportv411-20.pdf), offered recommendations for remedying our medical error crisis through technological means of capturing data related to medical errors.

·  The National Coordinating Council for Medication Error Reporting and Prevention (NCC MERP), which includes many of the industry leaders noted in this article, mounted a nationwide campaign for medication error reporting and prevention. Although not focused specifically on technology-based solutions, the Council recognizes that "for error reporting systems to be effective, they must be non-punitive, provide appropriate confidentiality and legal protections, and facilitate learning about errors and their solutions" (http://www.nccmerp.org/press/press2003-11-25.html).

E-Prescribing

Although e-prescribing is often identified within patient safety initiatives, it stands on its own as both a valuable clinical tool and a work-flow enhancement methodology. The industry has been moving towards e-prescribing and CPOE for years and, in spite of the many barriers to overcome, they will eventually be included in normal healthcare processes.

·  When asked what types of healthcare IT investment are most likely to improve health in America, David Brailer, MD, (appointed as the first National Health IT Coordinator by HHS) first identified "e-prescribing technologies" (http://www.healthcare-informatics.com/newsclips/newsclips06_3_04.htm).

·  On July 21, 2004, the Centers for Medicare & Medicaid Services (CMS) took a strong stand on the industry's need to give top priority to e-prescribing when it was identified by CMS as an important initiative to "improve the quality and reduce the costs of healthcare, and to provide more personalized services for beneficiaries" (http://www.cms.hhs.gov/media/press/release.asp?Counter=1117).

·  A common myth is the notion that doctors are opposed to provider order entry. Many physicians disagree, including Patricia Hale, MD, an internist who testified to NCVHS on behalf of the American College of Physicians that, "Physicians are not opposed to e-prescribing. We absolutely want these things" (http://www.ncvhs.hhs.gov/040527p1.htm).

·  In contrast, according to online eWEEK Enterprise News and Reviews, physicians are taking a time-will-tell approach to the new CafeRx consortium dedicated to accelerating electronic prescribing (http://www.eweek.com/article2/0,1759,1635866,00.asp). CafeRx was formed as a consortium of nine well-recognized entities, including high-tech and e-prescribing companies, to promote common standards and government support of e-prescribing.

Whether or not it takes until 2009 (the date when the Medicare Modernization Act of 2003 mandates that HHS have standards for electronic prescribing ready for voluntary nationwide adoption) for it to become mainstream, e-prescribing is on the way. We hardly need to mention that, because of the focus on patient information, e-prescribing implementations must adhere to HIPAA privacy and security regulations.

National Security Issues

Since 9/11, terrorism, biological warfare, emergency preparedness, and homeland security have climbed to the top of the country's "hot topics" list. These concerns are bringing healthcare-related issues - and new initiatives - to the forefront. How we integrate the HIPAA regulations (both current and new) presents overwhelming challenges for the healthcare industry.

The Centers for Disease Control (CDC) sponsored an initiative to establish a Health Alert Network whose mission is to "ensure that each community has rapid and timely access to emergent health information; a cadre of highly-trained professional personnel; and evidence-based practices and procedures for effective public health preparedness, response, and service on a 24/7 basis" (http://www.phppo.cdc.gov/han/Index.asp). This huge endeavor has some very interesting ramifications relative to HIPAA. The current regulations cite a number of specific circumstances when covered entities are required to submit/report PHI for "national security" purposes. It is assumed that the establishment of a Health Alert Network would fall under the HIPAA privacy standard for "uses and disclosures for specialized government functions" (164.512(k)), but covered entities will likely need to expand their policies and their practices in order to address the mandates for reporting information to the network.

It is noteworthy that the basic tenets of HIPAA, namely standardization and security of health information, are also essential criteria for homeland security. In order for homeland security processes to function smoothly, appropriate access to personal information is necessary and, in certain circumstances, will involve PHI covered by HIPAA. Covered entities must ensure that HIPAA practices already in place will be responsive to any homeland security initiatives. During times of crisis, it is essential that medical practitioners have access to health information in order to treat patients effectively and safely. It is also essential that the security of that same health information is maintained to protect it from access by terrorist forces.

Personal Health Record Technologies

According to the Informatics Review, personal health records (PHRs) include "any internet-accessible application that enables a patient (or care provider for a patient, e.g., the 'mom') to create, review, annotate, or maintain a record of any aspect(s) of their health condition, medications, medical problems, allergies, vaccination history, visit history, or communications with their healthcare providers" (http://www.informatics-review.com/records.html). There are numerous commercial ventures offering the consumer options for maintaining a personal health record on the internet. This current trend in healthcare opens the door both to innovative technologies in healthcare record-keeping and to potential risks for the confidentiality of patient information.