P R O V II D E R H II P A A C H E C K L II S T Moving Toward Compliance The Administrative Simplification Requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) will have a major impact on health care providers who do business electronically, as well as many of their health care business partners. Many changes involve complex computer system modifications. Providers need to know how to make their practices compliant with HIPAA. The Administrative Simplification Requirements of HIPAA consist of four parts: 1) Electronic transactions and code sets; 2) Security; 3) Unique identifiers; and 4) Privacy. IMPORTANT: It is up to you as the health care provider to see to it that your transactions are being conducted in compliance with HIPAA, whether or not you contract a third party biller or clearinghouse to conduct any of these transactions for you. HIPAA does not require a health care provider to conduct all transactions listed under #1 electronically. Rather, if you are going to conduct any one of these business transactions electronically they will need to be done in the standard format outlined under HIPAA. 1. Determine if you are covered by HIPAA Do you, or a third party billing company or clearinghouse, conduct any one of the following business transactions electronically? Claims or equivalent encounter information Payment and remittance advice Claim status inquiry/response Eligibility inquiry/response Referral authorization inquiry/response YES NO YOU ARE MOST LIKELY COVERED BY HIPAA. CONTINUE WITH THE CHECKLIST. YOU ARE MOST LIKELY NOT COVERED BY HIPAA. YOU DO NOT NEED TO CONTINUE WITH THE CHECKLIST. 2. If YES, assign a HIPAA Point Person who will be responsible for HIPAA Your HIPAA Point Person can be your office manager or any other individual who will be responsible for HIPAA related activities. Make sure your HIPAA Point Person is given the authority, resources, and time to prepare your office staff for the impact of HIPAA on your practice. The checklist on the next page is designed to help your HIPAA person plan and prepare for HIPAA s electronic transactions and code sets requirements. HIPAA Readiness Checklist 1 March, 2003
Provider HIPAA Checklist Checklist for HIPAA Point Person Familiarize yourself with the key HIPAA deadlines April 16, 2003 TESTING: You (or your software vendors) need to start testing your software and computer systems internally no later than this date. By testing this means ensuring your software is capable of sending and receiving the transactions you do electronically in the standard HIPAA format. October 16, 2003 COMPLIANCE DEADLINE: This is the date you must be ready to conduct transactions electronically in the standard HIPAA format with your health plans / payers. Know how HIPAA affects your office Determine if your software is ready for HIPAA (each health care provider is responsible for making sure the software they use will be compliant with HIPAA according to the key deadlines above). Speak with your practice management software vendors (or billing agent or clearing house if you use one) to assess which items under #1 you conduct on paper and which you conduct electronically. Determine what you will need to do differently. For instance, under HIPAA additional data may be required and data fields you use now may no longer be required. Ask your vendor how and when they will be making HIPAA changes and document this in your files. Remind your vendors you must start testing your systems no later than April 16, 2003. Similarly, if you use a third party biller or clearinghouse, remind them of this testing deadline. Talk to the health plans and payers you bill Ask them what they are doing to get ready for HIPAA and what they expect you to do. Ask them if they will have a HIPAA companion guide that specifies their coding and transaction requirements that are not specifically determined by HIPAA (while HIPAA mandates standard transactions, some health plans may not require data elements for every field). For instance, ask your payers for billing instructions on how to code for services that were previously billed using local codes (under HIPAA local codes are eliminated). Ask them whether they will have Trading Partner Agreements that specify transmission methods, volumes, and timelines as well as coding and transaction requirements that are not specifically determined by HIPAA. These may also specify how HIPAA compliance testing and certification are to be done. Ask them about testing your software to make sure, for instance, that they will be able to receive a claim you submit with your updated software. If you use software or systems provided by the health plan / payer (such as on-line direct data entry) to conduct transactions, ask whether they intend on continuing to support these systems. For more information on HIPAA please visit our website at http://www.cms. hhs.gov/hipaa/hipaa2, send us an e-mail at askhipaa@cms.hhs.gov, or call us at 1-866-282-0659. HIPAA Readiness Checklist 2 March, 2003
H II P A A II N F O R M A T II O N S E R II E S 1. HIPAA 101 For Health Care Providers Offices HIPAA A Challenge and Opportunity for the Health Care Industry INFORMATION SERIES TOPICS 1. HIPAA 101 2. Are you a covered entity? 3 Key HIPAA dates and tips for getting ready 4. What electronic transactions and code sets are standardized under HIPAA? 5. Is your software vendor or billing service ready for HIPAA? 6. What to expect from your health plans 7. What you need to know about testing 8. Trading Partner Agreements 9. Final steps for compliance with Electronic Transactions and Code Sets 10. Enforcement The Challenge The health care industry has experienced dramatic change over the years. As new technologies are adopted and our system has become more complex, so has the administration of health care. Most payers of health care claims have developed their own standards for claims and many other health care transactions. The result is added administrative costs for providers, hundreds of different claims forms and procedures to deal with daily, and complicated computer programs. As a health care provider you know that a provider s office can be required to submit many different types of forms for payment. A process that can frustrate everyone involved - patients, insurers, employers and providers. Opportunities for change have seemed out of reach - until now. HIPAA promotes The Opportunity standardization and efficiency in the The law known as HIPAA stands for the Health health care industry. Insurance Portability and Accountability Act of 1996. Congress passed this landmark law to provide consumers with greater access to health care insurance, to protect the privacy of health care data, and to promote more standardization and efficiency in the health care industry. While HIPAA covers a number of important health care issues, this informational series focuses on the Administrative Simplification portion of the law specifically HIPAA s Electronic Transactions and Code Sets requirements. There are four parts to HIPAA s Administrative Simplification: Electronic transactions and code sets standards requirements Privacy requirements Security requirements National identifier requirements This is the first in a series of informational papers designed to help health care professionals with the realities of HIPAA. Collectively, the papers provide information, suggestions, tips, guidance, and checklists to assist health care providers in understanding what they need to focus on to become HIPAA compliant. Each paper provides a general overview of topics that will help guide you through the HIPAA requirements. From determining whether or not you are a covered entity - to outlining specific deadlines - to implementation - to ultimately the enforcement of the rule - this series aims to provide information and resources that will help ensure you are compliant with HIPAA s Electronic Transactions and Code Sets Standards requirements. Volume 1 Paper 1 1 May, 2003
HIPAA 101 For Providers Offices Standard Transactions Why HIPAA Administrative Simplification? 1. Claims or equivalent encounter information 2. Payment and remittance advice 3. Claim status inquiry and response 4. Eligibility inquiry and response 5. Referral certification and authorization inquiry and response 6. Enrollment and disenrollment in a health plan 7. Health plan premium payments 8. Coordination of benefits Pending approval: 9. Claims attachments 10. First report of injury Code Sets 1. Physician services/ other health services- both HCPCS and CPT-4 2. Medical supplies, orthotics, and DME- HCPCS 3. Diagnosis codes- ICD-9-CM,Vols 1&2 4. Inpatient hospital procedures ICD-9-CM,Vol 3 5. Dental services Code on dental procedures and nomenclature 6. Drugs/biologics NDC for retail pharmacy HIPAA calls for changes designed to streamline the administration of health care. It promotes uniformity by adopting transaction standards for several types of electronic health information transactions. No longer can every insurer have unique requirements for the processing of claims. Everyone covered by HIPAA will be required to TIP: With HIPAA local codes are replaced by standard national codes provide the same information -- standard formats for processing claims and payments; as well as for the maintenance and transmission of electronic health care information and data. In the short term, HIPAA will require effort, resources and commitment on the part of certain providers offices and other covered entities offices. In the long run, however, this law has major benefits. Right now, there are over 400 different ways to submit a claim. With HIPAA there will be one way to conduct electronic claims. With these standards in place, your office staff may spend less time on the phone getting information they need. As a result, the standardization of submitting claims and simplification of processes should make getting paid quicker and easier and less costly. The requirements mandated by HIPAA should also help providers take advantage of new technologies and ultimately improve their overall business practices. Electronic Transactions and Code Sets Requirements Transactions are activities involving the transfer of health care information for specific purposes. Under HIPAA Administration Simplification if a health care provider engages in one of the identified transactions, they must comply with the standard for that transaction. HIPAA requires every provider who does business electronically to use the same health care transactions, code sets, and identifiers. HIPAA has identified ten standard transactions for Electronic Data Interchange (EDI) for the transmission of health care data. Claims and encounter information, payment and remittance advice, and claims status and inquiry are several of the standard transactions. Review all of the electronic transactions required by HIPAA (listed in the box to the left of this page) and determine what transactions are used by your office. Code sets are the codes used to identify specific diagnosis and clinical procedures on claims and encounter forms. The CPT-4 and ICD-9 codes that you are familiar with are examples of code sets for procedure and diagnosis coding. Other code sets adopted under the Administrative Simplification provisions of HIPAA include codes sets used for claims involving medical supplies, dental services, and drugs. Volume 1 Paper 1 2 May, 2003
HIPAA 101 For Providers Offices Information & Tools Available at the CMS Web Site http://www.cms.hhs.gov/hipaa/ hipaa2 Covered entity decision tool Provider readiness checklist CMS Outreach ListServe HIPAA roundtable audio conference dates HHS HIPAA links Instructional CDs & videos HIPAA FAQs & compliance dates Complaint form For HIPAA Privacy inquires http://www.hhs.gov /ocr/hipaa/ or call the Privacy hotline at : 1-866-627-7748 Other HIPAA Administrative Simplification Requirements Privacy Requirements: The privacy requirements govern disclosure of patient protected health information (PHI), while protecting patient rights. Security Requirements: The security regulation adopts administrative, technical, and physical safeguards required to prevent unauthorized access to protected health care information. The Department of Health & Human Services published final instructions on security requirements in the Federal Register on February 20, 2003. The deadlines for compliance are April 20, 2005, and April 20, 2006 for small health plans. National Identifier Requirements: HIPAA will require that health care providers, health plans, and employers have standard national numbers that identify them on standard transactions. The Employer Identification Number (EIN), issued by the Internal Revenue Service (IRS), was selected as the identifier for employers and was adopted effective July 30, 2002. The remaining identifiers, such as the national patient identifier, are expected to be determined in the coming year. Who is affected by HIPAA? The law applies directly to three groups referred to as covered entities. TIP: Ask your billing or software vendor if they are ready for HIPAA. Health Care Providers: Any provider of medical or other health services, or supplies, who transmits any health information in electronic form in connection with a transaction for which standard requirements have been adopted. Health Plans: Any individual or group plan that provides or pays the cost of health care. Health Care Clearinghouses: A public or private entity that transforms health care transactions from one format to another. HIPAA, however, indirectly affects many others in the health care field. For instance, software billing vendors and third party billing services that do not qualify as clearinghouses or some other covered entity, are not covered by HIPAA. They may however need to change their business operations if they are trading partners or business associates of a covered entity. Volume 1 Paper 1 3 May, 2003
HIPAA 101 For Providers Offices HIPAA Deadlines April 14, 2003 Was the Privacy Deadline First steps towards HIPAA electronic transactions and code sets compliance If you have not been preparing for HIPAA, it is time to get started. Find out if HIPAA applies to you. Visit the CMS web site and review the second paper in this series, Are you a covered entity? April 16, 2003 Testing You should have begun testing your software no later than April 16, 2003. October 16, 2003 Electronic Transactions & Code Sets Deadline NOTE: All Medicare claims must be submitted electronically by this deadline, with the exception of those from small providers and under certain limited circumstances. April 20, 2005 Security Deadline (April 20, 2006 for small health plans) Call your health plans, payers and clearinghouse and ask about their HIPAA testing and HIPAA implementation plans. If you are using a billing service, find out if they are prepared for HIPAA. Talk with your provider associations about HIPAA. Find out about regional HIPAA efforts from your regional Strategic National Implementation Process (SNIP) representatives. They are local groups with extensive knowledge of HIPAA. FOR MORE INFORMATION ABOUT HIPAA E-mail your questions to askhipaa@cms.hhs.gov or call our CMS HIPAA HOTLINE 1-866-282-0659 Log onto the CMS HIPAA web site: http:/www.cms.hhs.gov/hipaa/hipaa2 Sign up to learn about the latest CMS Administrative Simplification outreach materials and events: http://list.nih.gov/archives/hipaa-outreach-l.html Sign up for our HIPAA Regulations ListServe for free email notification: http://www.cms.hhs.gov/hipaa/hipaa2/regulations/lsnotify.asp Find out about your local SNIP at: http://www.wedi.org/snip Volume 1 Paper 1 4 May, 2003