Frequently Asked Questions
21. Is HIPAA really a law, and why is it so important to my organization?
Yes, HIPAA is a Federal law. In that respect, HIPAA is set up in a similar manner to the Internal Revenue Act or the Occupational Health and Safety Act. There are Federal enforcement mandates, compliance requirements, criminal penalties, civil penalties and possibly adjudication which could result in exclusion from the continued handling of Protected Health Information. In addition to complying with Federal law, implementing HIPAA standards makes good business sense!
22. When must we implement HIPAA requirements?
The most critical deadline passed on October 16, 2003. Except for those who filed for and received an extension, or the few entities with later deadlines, October 16 was the critical date. Standards are required to be implemented within 2 years of the effective date of the final rule, which is generally 60 days after publication of the rule. HIPAA is now effective.
23. How does HIPAA compliance decrease cost?
Converting to electronic transaction standards and ensuring network security allows almost all complying entities to reap financial benefits. Industry providers will significantly benefit from real-time access to eligibility, enrollment, and claims status information, as well as improved cash flow. For example, one provider was able to reduce the number of nurses required to do hospital pre-certifications by two thirds using secure e-mail. Office administration is typically reduced by a similar amount.
24. Why is there so much focus on electronic compliance in the HIPAA law?
Electronic Data Interchange is the prevalent mode of interchange. As providers are consolidating, integrated delivery systems are building more expansive networks and exchanging information with many more organizations. These providers are struggling with security and exposing themselves to greater risks of breaches of confidentiality and compromised data integrity. For example, without secure transmission, auditable records and intrusion detection built into a network, an altered laboratory test result could lead to a major lawsuit.
25. Who must implement HIPAA requirements?
All health plans, clearinghouses, providers, and business associates who exchange data electronically must implement HIPAA requirements. These requirements do not pertain only to providers receiving federal funds.
26. What information would be useful to brief the organization's executives on the scope of HIPAA?
- Because HIPAA covers all healthcare organizations, implementation itself is substantially a non-competitive issue. Coordinating and co-implementing HIPAA-mandated changes among providers, payers, and IT solutions (especially in secure Internet-based platforms) will minimize the cost, confusion and disruption involved in the transition.
- HIPAA implementation is required by Federal law, Federal regulation, and related regulatory and accreditation bodies.
- Failure to implement HIPAA will result in significant monetary penalties. The consequences of knowingly disclosing individually identifiable patient information are criminal penalties.
- Implementing HIPAA will affect how healthcare entities organize and staff to achieve and monitor implementation with patient privacy/confidentiality needs. HIPAA implementation is a business issue rather than an information technology issue, although IT will play a major role in compliant systems.
- HIPAA will affect how independent providers deal with managing both electronic transactions (claims, referrals, remittance) and medical records.
- Large and medium-sized organizations will need executive sponsorship and dedicated resources to lead the HIPAA implementation effort. Implementation-related activities may compete with other major projects.
- HIPAA's requirements may cause significant changes in process, organization, and/or staffing in the area of claims management.
- HIPAA's requirements are meant to encourage healthcare organizations to move patient information handling activities from manual to electronic systems in order to improve security, lower costs, and lower the error rate. These resources need to be planned for.
- HIPAA mandates will require changes in the policies, processes and administration governing patient-specific health information. Similarly, it will require updates of all information systems that use or collect patient data, and will require the introduction of new features and functions.
- Implementing HIPAA will improve the security of healthcare information. Patient privacy and the security of all medical records will be more routinely assured. Information systems will have an improved general resistance to operational disruptions. It may be useful to consolidate off-network medical record information onto a secure network.
27. If Congress does not pass a privacy bill this year, how will that impact the requirements for security standards?
It will not impact the security standards required under HIPAA. Most deadlines have already passed. A national privacy law would define rights with respect to confidentiality and access to health information. The security standards in HIPAA address administrative procedures, physical safeguards, technical security services, and technical security mechanisms to guard data integrity, confidentiality, and availability.
28. How will implementation of HIPAA standards be monitored and enforced?
Initially, complaints filed with the Office for Civil Rights (OCR) will trigger an investigation similar to a tax audit by the Internal Revenue Service. Complaints may be filed by patients, employees, competitors, or any interested party. The OCR will use the competitive marketplace to enforce implementation. Organizations will also find that electronic transmission of claims using standard transactions will improve cash flow, increasing the business reason for implementation. Accrediting and licensing organizations will also be incorporating implementation of the standards into their processes.
Section 203 of HIPAA requires the Secretary of Health and Human Services to implement a program that will encourage people to report information about health care fraud.
29. We do not exchange data electronically with other enterprises, only within our enterprise. We batch claims and mail a disk to the clearinghouse. Do the standards apply to us?
Yes, the security standards apply to the exchange of all electronic health information within an enterprise as well as across enterprises. Transmissions over the Internet, an extranet, leased lines, dial-up lines, and private networks are included. All electronic media are included - even when the information is physically moved (e.g., through the postal service) from one location to another using magnetic tape, disk, or compact disc. Telephone voice response and "faxback" are about the only systems not included.
30. What are the mandated standard code sets? Where can I get more information about code sets?
ICD-9-CM: The official version is available on CD-ROM from the Government Printing Office (GPO) at 202-512-1800 or FAX: 202-512-2250. The CD-ROM contains the ICD-9-CM classification and coding guidelines. Versions of ICD-9-CM are also available from several private sector vendors.
CPT-4: The official version is available from the American Medical Association. Versions are also available from several private sector vendors.
HCPCS: Information about HCPCS is available from the CMS web site.
Code on Dental Procedures and Nomenclature: The official version is available from the American Dental Association at 800-947-4746.
NDC: Official versions of the files are available on-line. NDC codes are also published in the Physicians' Desk Reference under the individual drug product listings and "How supplied." The supplements are available quarterly on diskette from the National Technical Information Service at 703-487-6430.