Countdown Begins for Compliance With HIPAA Electronic Standards

Washington Watch

If you thought a lot of time and money was spent on Y2K readiness, you ain’t seen nothin’ yet. Complying with the new rules for electronic transaction standards under the Health Insurance Portability and Accountability Act (HIPAA) is expected to exceed Y2K in terms of dollars and work hours.

Some estimates peg the cost to health plans, physicians, hospitals, and other providers at $8 billion.

The clock is ticking: Providers and most health plans have until October 2002 (smaller health plans get an extra 12 months) to adopt — and adapt their information systems to — the new national standards. Those standards cover these administrative aspects and financial transactions in health care:

  • Health claims and encounter information
  • Health claim status
  • Health plan enrollment/disenrollment
  • Health plan eligibility
  • Health care payment and remittance advice
  • Certification and authorization of referrals
  • Coordination of benefits
  • Premium payments to health plans

Almost nobody is immune. All health plans and state Medicaid agencies must comply — in fact, health plans will have to accept the standard electronic claim form, without requiring changes or additions to it, if a provider wants to file one. For their part, providers that want to do business electronically with health plans will have to follow the standards, too — although nothing in the law says physicians will have to run out and invest in new computer systems. Providers and health plans can still use paper forms if they want.

Still a messy business

While the new standards won’t be cheap to implement, they’re expected to pay off in the long run — saving (over 10 years) $30 billion in administrative gyrations that still occur in an industry that clings to long-outdated manual and electronic procedures. Though the health care community agrees that standardization is a necessary step toward more cost-effective care, physicians still submit transactions in whatever form health plans require — in part because health plans had been unable to agree on a standard that didn’t give competitors some sort of market advantage. For health care claims alone, about 400 formats now exist. The new law reduces that number to one.

While implementation won’t be easy or cheap, it’s not as if health care hasn’t seen this coming. Under HIPAA, passed in 1996, HHS was required to adopt standards that would reduce the expense of administrative and financial transactions in health care. A preliminary rule was published in 1998, and HHS subsequently evaluated 17,000 comments before publishing the 68,000-word final rule, which took up 60 pages in the Federal Register.

Six standards-setting organizations were given an official role in controlling the content of claims and other HIPAA-mandated transactions: National Council for Prescription Drug Programs, National Uniform Billing Committee, National Uniform Claim Committee, Accredited Standards Committee X12 (ANSI), ADA’s Dental Content Committee, and Health Level Seven.

The regulation was expected out in June, but its complexity delayed its release. Sharon Cohen, senior vice president for federal affairs at the Health Insurance Association of America, thinks the delay demonstrates that “while [HIPAA regulation] may have seemed to be easy three years ago, it’s increasingly evident that a lot of this stuff is hugely complicated.” HIAA members are concerned over the potential costs of compliance, which are likely to include new hardware and software, staff training, establishing interfaces with providers, and determining what information will have to be provided to customers, consumers, and patients, and in what form — online, in advertising materials, and in contracts, Cohen says. “We’re concerned there may be a real overreach in what Congress had intended” in HIPAA.

Trouble ahead?

That could mean exposure to litigation, as well as compliance problems, Cohen explains. Privacy issues addressed in HIPAA are embedded in the new electronic standards, though HHS will subsequently issue specific rules about security and privacy. Privacy efforts, however, aren’t coordinated at federal and state levels, and “may be going off in too many directions,” she says. “Unfortunately, different pieces of the law are being amended, and we may be on a collision course [with the new standards].”

The Rx2000 Institute, a not-for-profit information clearinghouse, says large health plans and manufacturers will make out all right, but is concerned that smaller physician practices and clinics may not have the financial resources to make this investment. Its executive director, Joel Ackerman, has challenged government, foundations, and business to set up private-public partnerships to prevent health care’s so-called digital divide from becoming “a new form of rationing.”

Similarly, the Medical Group Management Association, which thinks implementation will cost far more than HHS predicts, has called on the federal government to make funds available to help group practices comply.

The clinical ramifications of the law, though, should compel any provider or health plan to strive for compliance. Theoretically, establishing a set of standard encounter data that providers and health plans can access and share (privacy issues notwithstanding) should improve coordination of care, make for better risk assessment, and streamline processes for accreditation or HEDIS. Until then, though, implementation will be a challenge — so it wouldn’t be much of a surprise to see the deadline extended. “In all fairness, these are very complex issues,” one veteran Washington observer comments. “It’s taking a long time to resolve these things because health care is not a simple thing.”

—Michael Levin-Epstein
and Michael D. Dalzell