Joyce Ochs, MBA

Joyce Ochs, MBA

This past March, health care providers, health plans, and other organizations subject to HIPAA regulations were given some breathing space in their race to meet the Oct. 16, 2002, deadline for compliance with the HIPAA electronic transactions rule. The Centers for Medicare and Medicaid Services (CMS) — the agency within the Department of Health and Human Services (HHS) responsible for enforcing the transaction and code set standards that are part of HIPAA — allowed organizations to receive a one-year extension to Oct. 16, 2003 by filing a compliance plan.

The intent was to give providers and organizations more time to prepare for the transaction standards by making the extension process easy. Basically, covered entities received the extension automatically upon filing their compliance plan, which they could do via the CMS Web site. Health plans with less than $5 million in receipts and small institutional providers with less than $25 million in receipts were not subject to the extension, as their deadline for compliance has always been October 2003.

How many filed?

By late October, CMS had received around 550,000 extension applications.

This was considerably fewer than the 2 million plus providers and other health care entities that CMS had estimated were affected by HIPAA. According to CMS representatives, 2 million or more applications was too high a number to expect. Some organizations may have already been compliant and did not need an extension, while practices with fewer than 10 full-time employees that do not file any electronic transactions are exempt from the provisions.

Nevertheless, this was a disappointing response. Many attribute this to a lack of awareness by those subject to HIPAA provisions, even though CMS and many industry players have been sponsoring educational programs about HIPAA for some time.

Who filed? Who didn't?

"Among mid-sized and larger health plans, HIPAA compliance is high," notes Dawn Burris, vice president for HIPAA services at the TriZetto Group, a provider of software and consulting services to the health care industry. "The awareness level is lower among self-insured employers and health and welfare funds."

Karen Trudel, director of the HIPAA project staff at CMS, concurs. She says, "The larger, more aware health plans, the larger provider systems and those that deal with them are most likely to be in compliance." Those not in compliance are likely to be "small, unaffiliated, rural practitioners and some employers with ERISA plans."

Trudel calls the enforcement process "complaint driven." CMS is not going to search for groups or providers that are out of compliance. But a HIPAA-compliant organization may file a complaint against one that is noncompliant. If this happens, CMS will check to see if the noncompliant entity has filed an extension. It will then request that it become compliant. The goal of CMS and other interested parties, such as the American Academy of Family Physicians (AAFP), is to help providers and other organizations become compliant.

Where can you get help?

CMS has 10 regional offices working on HIPAA compliance. They are working with local groups to have at least one HIPAA meeting per state. In addition, every one to two months, CMS hosts a national audio HIPAA roundtable. Calls are free and are open to all. CMS also has prepared two video programs and outreach materials.

David Kibbe, MD, is director of health information technology for AAFP, the coauthor of the AMA Field Guide to HIPAA Implementation, and is writing a guide to security in medical offices. The AAFP provides HIPAA resources at «» under "practice management."

His goal is to develop a "knowledgeable consumer group."

What about software vendors?

Software vendors are not affected by HIPAA, although their customers are. Jeffrey Fusile, the partner at PriceWaterhouseCoopers who heads the HIPAA Advisory Services, claims that "vendors and clearinghouses have misled people to a fault. Vendors are telling their customers that their software will make them HIPAA compliant. Yet no vendor is telling providers that they also need to capture additional information."

In addition, there is a big difference between looking at HIPAA as a business issue and looking at it as a compliance issue, which is what vendors are doing. The insurance industry has done a lot of work, says Fusile, but has focused only on sending and accepting "technically correct, bare minimum transactions." For example, when a provider queries a health plan about a patient's status, the plan's response is likely to only confirm or deny coverage. It will not include any other information useful to the provider, such as copay or deductible amounts. These will require additional inquiries from the provider's office.

The seemingly easy way to compliance is to use a clearinghouse that will translate existing electronic transmission into HIPAA-compliant transmissions. However, this way is also expensive, as the clearinghouse fee per transaction will be between 35 cents and $1. Such fees will drive up the overhead of medical practices. If health care organizations and providers take the time to look at the costs and benefits, they may find that in the long run it is cheaper to buy and install new HIPAA-compliant software and bypass the clearinghouse altogether.

Software alone is not the whole answer. Dawn Burris of the TriZetto group points out that HIPAA compliance is not just about information technology. HIPAA privacy regulations, which go into effect in April 2003, also affect how people handle information. Although TriZetto markets transaction software and a HIPAA electronic gateway, these are not enough to make its customers HIPAA-compliant. As Burris describes it, a HIPAA-compliant company must have privacy and security procedures that "wrap around" the transaction and conform to HIPAA regulations, including having an appointed HIPAA privacy officer.

Where do we stand?

Although no one will say it on the record, everyone concerned realizes that 100 percent industrywide compliance by the 2003 deadlines will not happen. The important thing is that all providers and organizations affected by HIPAA continue to work toward that goal. The pressure from trading partners will probably be a more effective incentive than any official sanction.

Information is readily available in print and on the Web. In addition to the AAFP Web site, PriceWaterhouseCoopers has much useful information at «». A Web search for HIPAA software vendors produced 29,900 citations in 30 seconds.

Ultimately, adoption of industry transaction standards will reduce processing costs as it has in other industries, and that should be a step in keeping health care affordable.

Managed Care’s Top Ten Articles of 2016

There’s a lot more going on in health care than mergers (Aetna-Humana, Anthem-Cigna) creating huge players. Hundreds of insurers operate in 50 different states. Self-insured employers, ACA public exchanges, Medicare Advantage, and Medicaid managed care plans crowd an increasingly complex market.

Major health care players are determined to make health information exchanges (HIEs) work. The push toward value-based payment alone almost guarantees that HIEs will be tweaked, poked, prodded, and overhauled until they deliver on their promise. The goal: straight talk from and among tech systems.

They bring a different mindset. They’re willing to work in teams and focus on the sort of evidence-based medicine that can guide health care’s transformation into a system based on value. One question: How well will this new generation of data-driven MDs deal with patients?

The surge of new MS treatments have been for the relapsing-remitting form of the disease. There’s hope for sufferers of a different form of MS. By homing in on CD20-positive B cells, ocrelizumab is able to knock them out and other aberrant B cells circulating in the bloodstream.

A flood of tests have insurers ramping up prior authorization and utilization review. Information overload is a problem. As doctors struggle to keep up, health plans need to get ahead of the development of the technology in order to successfully manage genetic testing appropriately.

Having the data is one thing. Knowing how to use it is another. Applying its computational power to the data, a company called RowdMap puts providers into high-, medium-, and low-value buckets compared with peers in their markets, using specific benchmarks to show why outliers differ from the norm.
Competition among manufacturers, industry consolidation, and capitalization on me-too drugs are cranking up generic and branded drug prices. This increase has compelled PBMs, health plan sponsors, and retail pharmacies to find novel ways to turn a profit, often at the expense of the consumer.
The development of recombinant DNA and other technologies has added a new dimension to care. These medications have revolutionized the treatment of rheumatoid arthritis and many of the other 80 or so autoimmune diseases. But they can be budget busters and have a tricky side effect profile.

Shelley Slade
Vogel, Slade & Goldstein

Hub programs have emerged as a profitable new line of business in the sales and distribution side of the pharmaceutical industry that has got more than its fair share of wheeling and dealing. But they spell trouble if they spark collusion, threaten patients, or waste federal dollars.

More companies are self-insuring—and it’s not just large employers that are striking out on their own. The percentage of employers who fully self-insure increased by 44% in 1999 to 63% in 2015. Self-insurance may give employers more control over benefit packages, and stop-loss protects them against uncapped liability.