HIPAA-hooray!

by Talk Business & Politics ([email protected]) 80 views 

Dragged into the electronic age by a federal mandate, the health care industry has less than a year to comply with HIPAA regulations. Since the rules were published in their final form only last year, health care organizations are playing an expensive game of beat the clock.

Hype over HIPAA, the Health Insurance Portability and Accountability Act of 1996, has prompted companies to fast track for the mandate’s staggered deadlines. (See compliance schedule below.) Area companies such as Mercy Health System of Northwest Arkansas Inc. in Rogers and Washington Regional Medical System in Fayetteville have already started aggressive training initiatives.

Paul Cunningham, executive vice president of the Arkansas Hospital Association in Little Rock, said the real question remains whether HIPAA’s long-term cost savings will offset the initial layout facing health care providers, health plans and the industry’s bill clearinghouses.

The AHA, which has 103 member institutions statewide, estimates HIPAA will cost the state’s hospitals $100 million-$150 million, mostly in training and technology upgrades.

The new standards — which require industrywide standard codes in treatment, billing and information compilation — will require massive amounts of data entry and reformatting.

“If one of the long-term results is that we come up with a truly standard form for billing, then there certainly will be large cost savings for the industry,” Cunningham said. “That’s the big hope.”

HIPAA, born of the 1993 President Clinton health care reform proposals, is intended to streamline access to health insurance, reduce administrative costs and limit fraud and abuse.

But the new rules say patients must give consent for doctors or hospitals to release their medical information. And the health organization will have to keep records on who received the information.

“Basically every institutional system and every doctor’s office system is going to have to be upgraded in some way,” said Lynda Johnson, a partner with Friday Eldredge & Clark LLP of Fayetteville and Little Rock.

“But if you believe the government, that money will come back.”

Johnson, a 16-year veteran of health care litigation, is helping about three dozen clients integrate the new regulations.

Local Progress

Executives at Springdale’s Northwest Health System Inc., which operates the Northwest Medical Centers of Washington and Benton counties, weren’t ready to comment on their degree of HIPAA preparedness. A spokesman at St. Edward Mercy Medical Center in Fort Smith said it’s on schedule.

Randy Wyatt is executive director of the Arkansas Health Care Association, a member organization for the state’s long-term care facilities. He said the AHCA is getting ready by starting HIPAA classes for its member institutions.

“We already spend more time with patient assessment and paperwork than we spend on any other portion of long-term care,” Wyatt said. “If the HIPAA regs increase that paperwork, then that stress is going to put even more pressure on the nursing shortage.”

Carolyn Crook is the corporate compliance officer for Washington Regional. She said her organization has conducted a survey of all of its employees regarding security and other HIPAA compliance issues.

The entire staff will be pulled together on June 12 to hear what policies have resulted from that assessment.

“We already have a lot of practices in place that protect privacy but not a policy that says these are our practices,” Crook said. “Really the biggest problem with HIPAA implementation is education, and we’re rolling that out as we incorporate several changes for our move to a new facility in August.”

Washington Regional Hospital, which is moving in August across Fayetteville from College Avenue to a new 345,000-SF facility on Northhills Boulevard, also has a July 1 en masse training session scheduled to review its new systems and practices.

Both Washington Regional and Mercy have assembled HIPAA compliance teams composed of executives and employee representatives.

A spokesman for Mercy said the system has completed its assessment and “gap analysis” through weekly HIPAA team meetings.

Despite the added headaches, Mercy President and CEO Susan Barrett said she believes HIPAA can help health organizations continually improve service delivery.

“Privacy and security of patient information has been a part of hospital operations for a long time,” Barrett said. “We feel that HIPAA will help us better protect our patients’ information in light of increasing computerized data and electronic transmission capabilities.”

Outside Assistance

Johnson, the health care lawyer, has company in the out-sourced HIPAA business.

A handful of medical billing firms in Northwest Arkansas plan to help hospitals and physician networks expedite their compliance through technical support and services. Ross Medical Billing Solutions in Fayetteville, which opened March 18, is the area’s licensed agent for Island Automated Medical Systems Inc. of St. Petersburg, Fla.

James Ross, co-owner of the business with his wife, Shana, said Ross Medical offers everything from filing insurance claims for doctors, dentists and chiropractors to full-practice data management.

The company is still in the marketing phase, but Ross said he has been conducting needs assessments with potential client practices.

“We saw a need here and jumped on it,” Ross said. “We’re doing some free insurance codes analysis with our software to see how accurate claims are being filed. You would be amazed to see how many invalid or accidentally deleted claims we’re finding.

“We’re telling the practices, ‘Hey, you’re missing out on some money here.'”

Ross guarantees payment in seven to 21 days, thanks to a bill clearinghouse it outsources. He said doctors are figuring out they can process claims cheaper through third-party billing services than by paying a full-time employee to run claims down.

“When you figure overhead, benefits, training and turnover, doctors are probably spending $10-$12 per claim,” Ross said. “We can do it for $2-$5.”

Mark Friedman contributed to this report.

Compliance Countdown

HIPAA covers three types of entities, including health care providers, health plans and health care clearinghouses. Here’s the compliance timeline they face:

• Oct. 16, 2002 — Transactions and code regulations for billing via electronic format take effect. Covered entities must either be in compliance or file for a one-year extension. (Nearly all hospitals are expected to file for an extension).

• April 14, 2003 — Privacy regulations designed to protect patients medical histories take effect.

• August, 2004 — In August, the government will publish its HIPAA security regulations in their final form, and covered entities will have two years from the published date to comply.

Source: Friday Eldredge & Clark LLP of Fayetteville and Little Rock

HIPAA Penalty Box

The HIPAA law provides for significant financial penalties to health care firms for violations. They include:

General penalties for failure to comply:

• Each violation: $100.

• Maximum penalty for all violations of an identical requirement: May not exceed $25,000.

Wrongful disclosure of individually identifiable health information:

• Wrongful disclosure offense: $50,000, imprisonment of not more than one year, or both.

• Offense under false pretenses: $100,000, imprisonment of not more than 5 years, or both.

• Offense with intent to sell information: $250,000, imprisonment of not more than 10 years, or both.

Source: QuadraMed Corp., an health care information-technology company in San Rafael, Calif.