The Health Insurance Portability and Accountability Act — known as HIPAA — has been around for four years, but are healthcare providers really complying with all aspects?
In April 2003, everyone focused on HIPAA Privacy, in which:
- Staff and physicians were trained to recognize and handle PHI (protected health information).
- Practices focused on improving the medical record release and tracking process, educating patients about medical records and gaining greater control over their records. In 2003, very few practices in our area had electronic medical records (EMRs), so the focus hinged on management and control of paper documents.
- Anyone besides the healthcare provider who performs a duty or function on behalf of the provider, who is not a W-2 employee and who has exposure to your patients’ PHI is required to have a Business Associate Agreement.
- Notices of privacy practices were required to be given to patients.
Now that four years have passed, what else has happened and what has fallen by the wayside?
Medical Records
Many practices now keep patient data either in a digital image management system (DIMS) or EMR environment. The training that occurred in 2003 may not fit the new environment, so protocol needs to be reviewed and modified, if necessary. The new digital patient documents are just as easy as paper documents, if not easier, to misplace, release inappropriately or fail to track. New employees must be trained, along with other employees, to work with material changes to the documentation. All training must be documented.
Electronic Claims
In late 2003, the healthcare industry changed the way it handles claims. Physician offices that had billed insurers using paper claims began utilizing clearinghouses for claims processing or purchasing software that allowed direct access to the big three payers in Alabama (Blue Cross, Medicare and Medicaid). Four years later, we all take for granted that claims are transmitted electronically. Physicians are sending claims in consistent formats and are being paid more quickly. The average wait for payment after date of service has been greatly reduced. Despite the extra work to implement the electronic claims portion of HIPAA, it was worth it.
HIPAA Security
HIPAA Security, implemented in April 2005, shifted the focus from paper records to digital records. Physicians also began to face the fact that patients want electronic access to physician offices. They want refills via e-mail, and they want to ask questions or schedule appointments without calling the office. HIPAA Security addressed the way electronic communication could travel between the physician and the patient without the risk of interception by an outside party. There is still much work to do in this area, but groups are slowly seeing more electronic access across healthcare.
Security Standards
The individual HIPAA Security standards were developed with a required or an addressable status and with the requirement that policies and procedures be documented. Due to rapidly changing electronic formats in healthcare, your practice’s documents need to be updated to reflect current plans, protocols and practices related to your electronic files and transactions.
National Provider Identifier (NPI)
One of the final goals of HIPAA was to transition from a provider number for each insurance company to one provider number that follows a physician throughout a career. Think of your NPI as a “super UPIN” or a professional identification number.
- In May of 2007, physicians everywhere were encouraged to use it, know it and share it. The change to NPIs has not been smooth in practice, and groups continue to work through the period where insurers can use old legacy provider numbers along with the new NPI numbers.
- In May of 2008, all referring physician NPIs will need to be listed on claims. For example, if you are a specialist, each of your claims will show the NPI of the primary care physician who referred the patient. Which leads to the big question: Where do you find all of those NPI numbers?
NPI Registry
In early September, all NPI numbers will be available through the NPI Registry. The large database will allow other healthcare providers to find NPI numbers for use on claims, hospital visits, referrals, etc. Important note: If you listed confidential information when your initial NPI application was completed, that information will also be available to anyone searching the registry.
Privacy
What started out as Privacy has really come a long way toward creating a more consistent environment in healthcare. But take a few minutes to review your practice’s current policies and procedures to confirm that all HIPAA-required actions are being handled appropriately. Remember that part of the program is an annual review and monitoring, including a review to be conducted by the Privacy Officer and reported to the organization’s leadership. At minimum, the Privacy Officer should assess the following areas:
- Notice of Privacy Practices to ascertain any changes in the management of PHI.
- Complaint Identification and Tracking Log to record occurrences and trends. Based on the findings, appropriate operational changes can be recommended to the physician leadership.
- Training Sign-in Sheets for frequency and attendance of training programs. An annual training program should be conducted for all employees.
- Practice Operational Changes to determine if any new methods of PHI management are required. Targeted areas will include marketing, research, automation or computer enhancements, and additional locations.
- Business Associate Agreements must be renewed and monitored for compliance with the use and disclosure of PHI.
- Pending or Finalized Legislation/Regulations that impact the group and recommendations for implementing policies and procedures to adhere to the rules.
Be sure your practice is in compliance!
September 2007