HIPAA – Past, Present, and Future

HIPAA – Past, Present, and Future

Karl Richards

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) ushered in a new age of modernizing the United States healthcare system. The goal of HIPAA was to simplify healthcare administration to improve efficiency and cost effectiveness. Sound familiar?
Although HIPPA became law in 1996, the legislation did not have a significant impact until 2003 when CMS mandated the use of electronic data interchange (EDI) and established standards for healthcare information privacy and security. HIPAA called for the implementation of ASC X12 standard EDI transactions (Table 1) among healthcare providers, insurers, purchasers, and financial institutions. Consumers felt the impact of HIPAA as mandates took effect that drove significant improvements to the security and privacy of personal healthcare information. More recently, the same HIPAA act brought us a new National Provider Identifier (NPI) system, creating unique identifiers for physicians and healthcare organizations across the United States. With all the progress that the industry has made, outsiders might conclude that healthcare administration simplification is nearing completion, but in fact, the transformation has just begun.
Table 1 – Original HIPAA Electronic Transactions

Transaction Description ASC X12 Identifier
1. Health claims, encounter information, or coordination of benefits 837
2. Health care payment and explanation of benefit remittance advice 835
3. Enrollment and disenrollment in a health plan 834
4. Health care benefits and eligibility inquiry / response 270 / 271
5. Health plan premium payments 820
6. Health claim status inquiry / response 276 / 277
7. Referral certification and authorization. 278
8. EDI Functional Acknowledgement Transaction Set 997

Introducing HIPAA 5010
Presently the healthcare industry is feverishly working to prepare for the updated EDI standards mandated by the Department of Health and Human Services (DHS) final rules adopted in January 2009. These new rules call for the replacement of the current ASC X12 Version 4010/4010A (medical) and NCPDP Version 5.1 (pharmacy) standards with updated X12 Version 5010 and NCPDP Version D.0 standards, collectively called HIPAA 5010. Table 2 provides an overview of compliance milestones for the new mandates.
Table 2 – HIPAA 5010 Compliance Milestones

Milestone Description Compliance Date
Effective Date of the regulation March 17, 2009
Level I Compliance Demonstrably compliant transactions December 31, 2010
Level II Compliance Completed testing with trading partners and in production December 31, 2011
All covered entities fully compliant Dual use of new and legacy standards no longer permitted January 1, 2012

The big driver behind HIPAA 5010 is the need to accommodate the new international classification of diseases coding standards version 10 (ICD-10). On January 16, 2009, DHS released the HIPAA Administrative Simplification ICD-10 Final Rule (CMS-0013-F), which requires the healthcare community to adopt ICD-10 by October 1, 2013. ICD-10 is a complete topic on its own, but in summary, the current ICD-9 coding standards, first published in 1977, require significant modifications to meet the needs of our modern healthcare system. HIPAA 5010 is a required first step in ICD-10 adoption, updating the HIPAA EDI transactions to accommodate ICD-10.
A secondary, but important driver for HIPAA 5010 is the recognition that certain functionality in the HIPAA EDI transactions is lacking, which has reduced the effectiveness and full adoption of the transactions. Besides accommodating ICD-10, the new EDI standards will be more specific in requiring the data elements needed, collected, and transmitted with the goal of reducing ambiguities in the transactions. As a result, significant changes will be required to many of the existing HIPAA transactions and more changes are just around the corner.
Looking Ahead
HIPAA 5010 and ICD-10 will have a very significant impact on the industry, both in terms of implementation costs and downstream benefits. These latest changes though are by no means the end of changes in the way the healthcare industry conducts business. Efforts are underway, both voluntary and mandated, to continue to drive healthcare system efficiency.
The Council for Affordable Quality Healthcare (CAQH) launched its CORE initiative with the goal of enhancing interoperability among volunteering providers and payers by streamlining eligibility, benefits, and claim data transactions. The CORE initiative goes beyond HIPAA by advocating upgraded transaction standards, which could substantially increase their usefulness and adoption.
On the mandates front, as the federal government works toward a final version of healthcare reform legislation, it appears very likely that the new legislation will call for additions and modifications to healthcare EDI again. For example, section 1173A of the new house bill H.R. 3962 states that the secretary of Health and Human Services shall have two years to adopt and regularly update (EDI) standards that:

  • Are authoritative, permitting no additions or constraints (much stricter standards)
  • Are comprehensive and requiring minimal augmentation by paper (more standard EDI transactions)
  • Enable the real-time or near real-time determination of an individual’s financial responsibility at the point of service (current heath care EDI is typically not real-time)
  • Provide for the determination of eligibility for a specific service with a specific physician
  • Include utilization of a machine-readable health plan beneficiary identification card to enable near real-time adjudication of claims including timely status acknowledgment.

Presuming health care reform legislation is approved in 2009 or early 2010 and the standards language in H.R. 3962 remains intact, we can expect another substantial set of changes soon after HIPAA 5010 and ICD-10. On the bright side, we do have a relatively well-defined 3-5 year roadmap in front of us and the key as always is to be prepared.
Strategic View
Like most industries today, change in heath care is just a normal part of everyday business and the rate of change continues to accelerate. Health care executives must look strategically at their organizations and ensure they are making the necessary long-term investments in people, processes, and technology to respond to HIPAA, ICD-10, healthcare reform, and myriad other forces shaping our industry. One good way to start is review your strategic plan to see if it adequately addresses these key questions:

  • Do we have a clear roadmap to achieve HIPAA 5010 and ICD-10 compliance?
  • Do our current information systems and surrounding technology architecture provide the ability to respond quickly to market or regulatory demands? Keep in mind that ICD-11 is already in the works.
  • Do our plans look beyond just meeting compliance mandates, seeking to provide true business value and positive ROI?
  • Will our integration infrastructure support highly available near real-time electronic transactions, including card swipe technology?
  • Does our organization have the controls, processes and technology infrastructure to ensure the security and privacy of our healthcare data?
  • Will the investments we are making now, both prepare us for the immediate wave of changes and build a solid foundation for the future?

If your organization can answer yes to all these questions, chances are you are ahead of the pack and well positioned. Many organizations are at various stages along the path and still have much work ahead. A consulting engagement may be very useful to jump-start strategy development and implementation planning, but careful due diligence is essential. Many vendors see this as an important new business opportunity and expect to see significant variation in offerings and quality. The key is to plan early and make plans that provide your organization the agility required to thrive in this rapidly changing business environment.
More Information

Karl Richards is an Information Technology executive experienced in healthcare and healthcare financing. Karl has led the implementation of several HIPAA initiatives and participated on Governor Doyle`s eHealth Care Quality and Patient Safety Board. Karl can be reached at karl@karlrichards.info or on Linkedin.com at http://www.linkedin.com/in/karlrichards.
The opinions expressed herein or statements made in the above column are solely those of the author, and do not necessarily reflect the views of Wisconsin Technology Network, LLC. WTN accepts no legal liability or responsibility for any claims made or opinions expressed herein.