Vol. 20 •Issue 16 • Page 20
Home Care
HIPAA: Are Home Care Providers Ready?
Privacy and security of protected financial data are vitally important to all of us. But in health care, the safeguarding of health information is paramount. To meet that goal, Congress passed Public Law 104-191, more commonly known as the Health Insurance Portability & Accountability Act (HIPAA) of 1996.
That legislation, which amended the Internal Revenue Service Code of 1986, requires all health care organizations, including home care providers, to implement and be compliant with various policies or face stiff fines and possible imprisonment.
During one of my lobbying trips to our nation’s capital in 2003 to mitigate the effects of federal employees health benefit plan cuts, I saw a large binder with the term HIPAA on the spine in the offices of former Rep. Bill Thomas (R-Calif.).
“What else do they have in store for us?” I wondered.
The answer: plenty. And most of it will come to fruition soon. In the face of all of the challenges we’re tasked to deal with as an industry, we now must be compliant with additional rules by specified deadlines—or else.
A bit of HIPAA history. The first Bush Administration convened a consortium of health care experts in the early 1990s to discuss how health care administrative costs could be reduced. The group concluded the best way would be to increase the use of electronic data interchanged across the industry.
I actually agreed with this because data simplification through relational databases is the single most important efficiency home care providers can implement.
Many of the recommendations made by the group were subsequently included in the Clinton Health Plan, which failed to pass initially; but they were eventually included in the House version of HIPAA under the sponsorship of Rep. David Hobson (R-Ohio). Ultimately the act was signed into law on Aug. 21, 1996.
Deadlines imposed by HIPAA are as follows: the Transactions Rule was published on Aug. 17, 2000, with a compliance date of Oct. 16, 2003.
The Privacy Rule became effective April 14, 2001, with a compliance date of April 14, 2003. The Standard Unique Employer Identifier rule was published on May 31, 2002, with a compliance date of July 30, 2004. The Security Rule was published April 21, 2003, with compliance required as of April 21, 2005. The final rule establishing the National Provider Identifier (NPI) was published Jan. 23, 2004, with a compliance date as of May 23 of this year.
Unfortunately, because of all the changes, providers must not only prepare for competitive bidding and restructuring of their businesses to improve efficiencies to deal with the cuts, but also ensure compliance with HIPAA too.
Despite the act’s intent to improve efficiency in health care delivery by standardizing electronic data interchange, protecting and securing confidential health data and reducing administrative costs, I believe implementation will have heavy side effects.
HIPAA requirements have actually increased administration costs for all health care providers. In a report published in the New England Journal of Medicine in 2003, authors from the Department of Medicine, Cambridge Hospital and Harvard Medical School noted health care administrative costs in the U.S. were much higher than in Canada.
For home care agencies, 35 percent of total expenditures were for administration ($11.6 billion totally or $42 per capita). These costs have slowly crept up since then.
Home care providers must also use the NPI in standard transactions.
The National Plan and Provider Enumeration System (NPPES) Data Dissemination Notice (CMS-6060-N) described the policy to be used for making NPI provider data available to the public by June 28 of last month. The essential problem now is providers who do not have an NPI will not be reimbursed for claims submitted to Medicare.
Providers must have reviewed their NPPES data and made any necessary updates or corrections to their NPI data and conducted testing prior to the deadline to ensure their information is accurate when disclosed by CMS and that the NPI works.
Many providers have already received and tested their NPI; however, many others have not. Providers who do not have a NPI or did not invest the time and efforts to test the data will face not being reimbursed for the services and equipment they provided after the compliance deadline.
Home care providers had 30 days from the compliance May 23 deadline to verify their information is accurate and matches their IRS-designated organization name.
CMS was slated to post the information on its Web site following the 30-day testing and review period and home care providers must make sure the information associated with their organization is accurate.
For the home care industry, changes are creating a tough bottom line: Providers must ensure they are fully compliant with all the mandates imposed by HIPAA or risk going out of business or facing penalties for non-compliance.
Vernon R. Pertelle is senior director/assistant vice president for Tri-City Healthcare District, Home Care, Occupational Health & Wellness and Rehabilitation Services, Center for Wound Care & Hyperbaric Medicine. He can be reached at [email protected].