Providers, Plans Misinformed About Vendor Software Capability

This past March, health care providers, health plans, and other organizations subject to HIPAA regulations were given some breathing space in their race to meet the Oct. 16, 2002, deadline for compliance with the HIPAA electronic transactions rule. The Centers for Medicare and Medicaid Services (CMS) — the agency within the Department of Health and Human Services (HHS) responsible for enforcing the transaction and code set standards that are part of HIPAA — allowed organizations to receive a one-year extension to Oct. 16, 2003 by filing a compliance plan.

The intent was to give providers and organizations more time to prepare for the transaction standards by making the extension process easy. Basically, covered entities received the extension automatically upon filing their compliance plan, which they could do via the CMS Web site. Health plans with less than $5 million in receipts and small institutional providers with less than $25 million in receipts were not subject to the extension, as their deadline for compliance has always been October 2003.

How many filed?

By late October, CMS had received around 550,000 extension applications.

This was considerably fewer than the 2 million plus providers and other health care entities that CMS had estimated were affected by HIPAA. According to CMS representatives, 2 million or more applications was too high a number to expect. Some organizations may have already been compliant and did not need an extension, while practices with fewer than 10 full-time employees that do not file any electronic transactions are exempt from the provisions.

Nevertheless, this was a disappointing response. Many attribute this to a lack of awareness by those subject to HIPAA provisions, even though CMS and many industry players have been sponsoring educational programs about HIPAA for some time.

Who filed? Who didn’t?

“Among mid-sized and larger health plans, HIPAA compliance is high,” notes Dawn Burris, vice president for HIPAA services at the TriZetto Group, a provider of software and consulting services to the health care industry. “The awareness level is lower among self-insured employers and health and welfare funds.”

Karen Trudel, director of the HIPAA project staff at CMS, concurs. She says, “The larger, more aware health plans, the larger provider systems and those that deal with them are most likely to be in compliance.” Those not in compliance are likely to be “small, unaffiliated, rural practitioners and some employers with ERISA plans.”

Trudel calls the enforcement process “complaint driven.” CMS is not going to search for groups or providers that are out of compliance. But a HIPAA-compliant organization may file a complaint against one that is noncompliant. If this happens, CMS will check to see if the noncompliant entity has filed an extension. CMS will then request that the entity become compliant. The goal of CMS and other interested parties, such as the American Academy of Family Physicians (AAFP), is to help providers and other organizations become compliant.

Where can you get help?

CMS has 10 regional offices working on HIPAA compliance. They are working with local groups to have at least one HIPAA meeting per state. In addition, every one to two months, CMS hosts a national audio HIPAA roundtable. Calls are free and are open to all. CMS also has prepared two video programs and outreach materials.

David Kibbe, MD, is director of health information technology for AAFP and coauthor of the AMA Field Guide to HIPAA Implementation, and is writing a guide to security in medical offices. The AAFP provides HIPAA resources at «» under “practice management.”

His goal is to develop a “knowledgeable consumer group.”

What about software vendors?

Software vendors are not affected by HIPAA, although their customers are. Jeffrey Fusile, the partner at PriceWaterhouseCoopers who heads the HIPAA Advisory Services, claims that “vendors and clearinghouses have misled people to a fault. Vendors are telling their customers that their software will make them HIPAA compliant. Yet no vendor is telling providers that they also need to capture additional information.”

In addition, there is a big difference between looking at HIPAA as a business issue and looking at it as a compliance issue, which is what vendors are doing. The insurance industry has done a lot of work, says Fusile, but has focused only on sending and accepting “technically correct, bare minimum transactions.” For example, when a provider queries a health plan about a patient’s status, the plan’s response is likely to only confirm or deny coverage. It will not include any other information useful to the provider, such as copay or deductible amounts. These will require additional inquiries from the provider’s office.

The seemingly easy way to compliance is to use a clearinghouse that will translate existing electronic transmissions into HIPAA-compliant transmissions. However, this way is also expensive, as the clearinghouse fee per transaction will be between 35 cents and $1. Such fees will drive up the overhead of medical practices. If health care organizations and providers take the time to look at the costs and benefits, they may find that in the long run it is cheaper to buy and install new HIPAA-compliant software and bypass the clearinghouse altogether.

Software alone is not the whole answer. Dawn Burris of the TriZetto Group points out that HIPAA compliance is not just about information technology. HIPAA privacy regulations, which go into effect in April 2003, also affect how people handle information. Although TriZetto markets transaction software and a HIPAA electronic gateway, these are not enough to make its customers HIPAA-compliant. As Burris describes it, a HIPAA-compliant company must have privacy and security procedures that “wrap around” the transaction and conform to HIPAA regulations, including having an appointed HIPAA privacy officer.

Where do we stand?

Although no one will say it on the record, everyone concerned realizes that 100 percent industrywide compliance by the 2003 deadlines will not happen. The important thing is that all providers and organizations affected by HIPAA continue to work toward that goal. The pressure from trading partners will probably be a more effective incentive than any official sanction.

Information is readily available in print and on the Web. In addition to the AAFP Web site, PriceWaterhouseCoopers has much useful information at «». A Web search for HIPAA software vendors produced 29,900 citations in 30 seconds.

Ultimately, adoption of industry transaction standards will reduce processing costs as it has in other industries, and that should be a step in keeping health care affordable.