The Health Insurance Portability and Accountability Act (HIPAA) is bringing significant changes to the way organizations transact billing functions, assure consumers' rights to their health information, and assure the confidentiality, integrity, and availability of health information. HIPAA's Administrative Simplification provisions provide requirements for financial and administrative transactions, code sets, and identifiers; privacy; and security.

INFORMATION VOID

Many radiologists may have heard about HIPAA's new privacy and security requirements, but information about the transaction requirements seems to be less prevalentand potentially more time-sensitive to address. The transaction requirements must be met at the latest by October 16, 2003 (if a request for extension is filed by October 15, 2002; use www.cms.gov/hipaa/hipaa2/ASCAForm.asp). This applies to all providers who transmit any of the transactions electronically, directly to a payor, or even indirectly via paper to a clearinghouse that converts them to electronic form for transmission to a payor. It will also apply for all Medicare claims submissions after October 16, 2003, unless the provider has obtained a waiver from the Centers for Medicare & Medicaid Services because it has fewer than 10 full-time equivalents.

"Transactions" refer to claims, inquiries made to determine an individual's eligibility or to obtain precertification for certain procedures, claims status inquiries, and remittance advice. Claims transactions are currently performed by using the HCFA 1500 claim either on paper or via some electronic transmission. The other transactionsif performed at allare done via a web site lookup, telephone call, fax, or postal mail to/from a health plan. Under HIPAA's transaction requirements, providers will be required to useat a minimumthe content requirements of the new claim standard (called the ASC X12N 837) when they transmit claims electronically either directly to a payor or through a clearinghouse. The content requirements of the 837 claim include both very specific and, generally, several more data elements than the current HCFA 1500. The 837 claim also requires the use of ICD-9-CM, CPT-4, and HCPCS Level II code setsand eliminates HCPCS Level III (or local) codes. Eventually, the transactions will also include adoption of new standard identifiers for providers (replacing the UPIN), health plans, and sponsors (eg, employers, commercial insurers, Medicaid, Medicare).

There are significant benefits to using the new formats to transmit the data content to the payors directly. Full utilization of the transactions can improve productivity because office staff will no longer have to hang on the telephone or repeatedly call back for eligibility or precertification information. Cash flow can be improved because co-payments can be collected up front and claims can be processed faster. Collection fees and bad debt may be reduced because financial counseling can be initiated sooner, claims will be processed on a more timely basis, and, because only one set of data goes to all payors, there should be fewer denials for missing information or late filings due to rework. Clearinghouse fees may even be eliminated when transactions are transmitted directly to health plans.

As with any other positive impact on cash, an investment must be made to achieve the maximum benefits. Radiologists should understand that, although their information systems vendors may supply an upgrade to their systems to support capture of the additional data elements and use of the code sets in order to send the new claims data to a clearinghouse, they will not necessarily supply the capability to format the data into the new claim and other transaction formats so you may transmit directly to the payor; norwithout additional feeswill they analyze your current data collection processes, revise your work flow and operations to adequately collect the new data, or supply the additional hardware and/or software necessary to transmit the formats directly to a payor. In addition, transmission of the new transactions will require not only internal testing, but end-to-end testing with the recipient. Radiology offices would be well advised to study the new data requirements and plan for changes to ensure complete and accurate capture of the data.

PRIVACY

Regulations relating to the privacy of health information must be addressed by April 14, 2003. While there are 58 privacy standards within the regulations, they can be summarized in three major categories:

Uses and disclosures of protected health information. The standards relate to the need to be cautious about how a patient's personal information is discussed, with whom it is shared, and when it is released. There are special provisions for when information can be made available for marketing, fund-raising, research, law enforcement, public health, and many other uses and disclosures.

n Individual privacy rights. Standards that ensure patients' rights to their information codify many current practices and potentially add new dimensions to current procedures. Under HIPAA, patients have the right to be informed of how their information is used and disclosed, access their personal health information, request amendment of their information, restrict access to their information, and have confidential communications.

Administrative procedures. Standards require a designated individual to serve as the information privacy official; opportunity for the public to file complaints concerning their information privacy; sanctions for misuse of protected health information; contracts with business associates to protect data when disclosed to them; and opportunity for affiliated entities to achieve economies of scale in responding to the privacy requirements.

Many providers are in the process of appointing a privacy official and reviewing/modifying their policies and procedures to address the specific requirements of the privacy standards. Some of the concerns include posting procedure schedules in public areas, discussing procedure preparation with patients in front of others, performing rounds in areas where others can overhear protected health information, or leaving films, reports, and records in areas where members of the public can see them or misappropriate them. There are also concerns about vendors who may have access to information by virtue of maintaining or upgrading a radiology information system (RIS) or PACS, or by assisting in training or evaluating use of radiology equipment. These individuals should be properly identified and have contractual obligations to protect the private health information to which they have access.

Caution must be applied, however, to approach the privacy regulations with a reasonable balance between privacy measures and patient care. Some have carried interpretation of HIPAA requirements so far as to suggest that providers cannot share information with other providers for treatment or that information cannot be faxed to another provider. HIPAA is intended to ensure that all providers afford equal privacy protection and give consumers rights with respect to their information.

SECURITY

The final security rule for HIPAA has not yet been published, but the privacy rule requires "administrative, physical, and technical safeguards," which are essentially security. Enhanced security is also a good business practice as more and more information is automated and exchanged electronically.

Security is intended to address not only confidentiality of private information, but to protect the integrity of that information and to ensure its availability. Hence, there are administrative security requirements to ensure that only those properly authorized can gain access to information systems, that information systems are physically safeguarded, and that data are regularly backed up and are transmitted over open networks only when encrypted.

Most hospitals and large ambulatory facilities have data centers with information technology (IT) staff to address many of the requirements. However, radiologists will be expected to ensure they use a unique user ID, have strong passwords for systems they access, report any security incidentssuch as viruses or misdirected emailsand use their workstations appropriately. Radiology groups can no longer have one person sign on to a workstation in the morning and permit all others to use the system throughout the day under that ID. IT staff will be installing stronger firewalls, conducting audits, and using email/Internet filters to protect data and ensure availability of information. If the radiology department has its own information server, there may be added measures to take in order to back up the server, plan for disaster recovery, and protect alteration. Many radiology departments outsource transcription services, or have telecommuters working from home. Enhanced security will be needed to ensure that their environments are not subject to breaches and that their transmissions are safeguarded.

ADMINISTRATIVE SIMPLIFICATION

On first blush, HIPAA may appear to be adding cost to the system rather than simplifying administration. Implementing greater privacy and security protections is a costbut there are serendipitous effects. Consumer confidence and satisfaction that their rights are being addressed have been observed. Use of remote connectivity has been enhanced through heightened security measures. Providers are more able to use electronic means to communicate with colleagues and patients if a secure web portal is available for such communication. Even more specific benefits have been achieved through consolidation of information systems services. Over the course of the next year, radiologists can expect to see changes around them and should contribute to the development and implementation of these changes to ensure they achieve their intended purposes without interfering with patient care.

Margret Amatayakul is president of an information management and systems consulting firm located in the Chicago area. She can be contacted via e-mail: MargretCPR@aol.com.