Plans, Providers Should Use HIPAA Breathing Room Wisely

Michael Levin-Epstein

Washington Watch

HMOs may delay compliance with HIPAA electronic transactions and code reporting requirements for one year under legislation passed by Congress late last year. However, the new law doesn’t affect information privacy requirements slated to take effect in 2003. If health plans want to forge ahead with compliance, federal regulators aren’t going to object one single bit.

President Bush signed the Administrative Simplification Compliance Act (ASCA) into law Dec. 27.

The act requires that, by Oct. 16, 2002, health plans and hospitals must either be in compliance with the electronic transactions and code set standards under the Health Insurance Portability and Accountability Act, or submit a summary plan to the secretary of health and human services describing how they’ll come into full compliance with the standards by Oct. 16, 2003.

However, HHS does not have to approve the summary plan. Under the law, the secretary has discretion to impose a new penalty — exclusion from the Medicare program — on any entity that isn’t fully compliant or that doesn’t submit a compliance plan by this October’s deadline.

In the original legislation, the Medicare program exclusion was a mandatory penalty; hospitals and health plans argued that it should be left to the discretion of the secretary.

Bottom line on compliance

The law doesn’t affect what hospitals and health plans are being required to do — only the schedule for compliance. “The new law keeps us on track to realize the cost savings of the original administrative simplifications provisions enacted into law in 1996,” says Republican David Hobson of Ohio, sponsor of the legislation.

Hobson says the landmark HIPAA legislation includes a series of administrative simplification provisions to streamline the processing of medical information and financial transactions. By standardizing information for electronic transmission, “the law is expected to reduce paperwork, fraud and abuse, and help contain health care costs.”

Hobson explains the reason for the delay: “Some sectors of the health industry and state governments said they needed extra time to make the changes necessary to be compliant.

“Smaller health care providers and state governments now will have the additional time needed to upgrade their information technology for the new processing system, while those entities ready to realize the savings now can move forward.”

Bush’s action is “a good example of the federal government being able to help bring about real improvements in our health care system,” Hobson contends. “The government has put together a workable solution to bring savings, simplification, and uniformity to a fragmented marketplace.”

The bill also authorizes $44.2 million for HHS to adopt additional HIPAA standards and to provide technical assistance, education, and outreach to the health care industry.

A spokesman for the Centers for Medicare and Medicaid Services (CMS, formerly HCFA) says no decisions have been made yet as to how those assistance and education programs will operate.

Congress encourages covered entities that “reasonably can become compliant with the transactions standards” by the 2002 deadline to “continue their compliance efforts already underway.”

In addition, Congress encourages HHS to “not penalize a compliant entity that must send noncompliant transactions because their trading partners have filed for the extension” — explicitly identifying that as “good cause” for noncompliance with the transactions and code sets requirement under Section 1176(3) of HIPAA.

Technology gap

The new law doesn’t affect the April 14, 2003, deadline for complying with the medical privacy requirements. Instead, providers (including hospitals and health care clearinghouses) that transmit electronically any protected health information in connection with a transaction between April 14, 2003, and Oct. 16, 2003 must comply with the privacy standards — even if their electronic transactions are not conducted in HIPAA-standard formats during this period.

Margaret Trudel, director of the HIPAA project staff at CMS, says that the extension was prompted by the concerns of several provider and health plan groups that said they could do a better job of complying with the requirements if they received more time.

Congress responded to those concerns, Trudel says, adding that the change also may provide some benefits to the agency.

“We’re viewing this as extra testing time that can be very useful for our provider community,” she says. CMS is moving ahead with putting Medicare fee-for-service transactions into the electronic reporting system “pretty much on the same schedule,” she says.

The Health Insurance Association of America favored the extension. “We think the time frames that were set were unrealistic — probably impossible to meet for some people,” says Joe Luchok, a HIAA spokesman. “I think that the effect on health plans is that they have time to take a breath, and have time to implement procedures that will work — that they don’t have to rush.”

That doesn’t mean, Luchok adds, that all the concerns by health care plans about the program — and certainly not about the privacy regulations — have been resolved.

“It doesn’t mean that we will not have concerns as the process continues,” he comments.

Dan Boston, vice president of legislative affairs for the Federation of American Hospitals, believes most hospitals were ready to meet the requirements, and that the delay was largely to accommodate state Medicaid programs and the Blues.

However, some Medicaid managed care plans and some small hospitals also might not have had the technological capacity to get their electronic transactions into compliance in time, Boston says. “It could be that the delay will help some hospitals be even more prepared. The feedback we got was this was driven largely by different Blues plans.”

Overall, Boston says, “This merely gives providers the opportunity to apply for one-year extensions, should they want to apply.”

However, he notes, what he regards as “the major meat” of the HIPAA privacy regulations “has yet to go into effect, and has yet to be finalized.”

Like other representatives of hospitals and health plans, the federation remains concerned about the privacy provisions that take effect in 2003. “We have been pushing the administration to finalize privacy rules for the last couple of years,” says Boston.

He says that administration officials had indicated that those rules would probably be coming out at the end of last year, but now they’re looking at this month [January] or next. “It’s really in the administration’s court,” he says.

Some members of Congress also have indicated they don’t want the delay to be seen as a retreat from implementing the HIPAA provisions.

For example, Democratic Rep. Tom Udall of New Mexico, before the vote on HR 3323, voiced his concerns “over the fact that some plans, providers, and other types of companies affected by the HIPAA rules” have gone to great lengths to be compliant with the original deadline, and “now stand to face financial losses as a result of the delay.”