This section addresses the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which was the result of efforts by the Clinton Administration and congressional healthcare reform proponents to reform healthcare in a way that would streamline industry inefficiencies, reduce paperwork, make it easier to detect and prosecute fraud and abuse, and enable workers of all professions to change jobs, even if they (or family members) had pre-existing medical conditions.


The Secretary of the Department of Health and Human Services adopted Version 5010 to replace the current version of the X12 standard that covered entities (health plans, health care clearinghouses, and certain health care providers) must use when conducting electronic transactions, including: claims (professional, institutional and dental), claims status requests and responses, payment to providers, eligibility requests and responses, referral requests and responses, enrollment and disenrollment in a health plan, Coordination of Benefits, and premium payments.

The Secretary also adopted Version D.0 to replace the current version of the NCPDP standard covered entities must use for pharmacy and supplier transactions, including: claims, eligibility requests and responses, referral certification and authorization, and Coordination of Benefits.


The current versions of the standards (the Accredited Standards Committee X12 Version 4010/4010A1 for health care transactions and the NCPDP Version 5.1 for pharmacy and supplier transactions) are widely recognized as lacking certain functionality that the health care industry needs. 


Implementation Timeline

For all covered entities:

Effective date of the regulation:              March 17, 2009
Level I* compliance to begin by:               December 31, 2010
Level II** compliance by:                      December 31, 2011
All covered entities fully compliant on:       January 1, 2012


* Level I compliance means "that a covered entity can demonstrably create and receive compliant transactions, resulting from the compliance of all design/build activities and internal testing." We expect covered entities to be testing throughout calendar year 2011, and to schedule testing as early as possible, to ensure sufficient time for corrective actions and re-testing.


** Level II compliance means "that a covered entity has completed end-to-end testing with each of its trading partners, and is able to operate in production mode with the new versions of the standards."

Medicaid agencies sometimes pay pharmacy claims for which another payer is liable for payment. A new standard for Medicaid subrogation for pharmacy claims, known as NCPDP Version 3.0, was adopted in the Modifications rule, along with Version 5010, D.0 and ICD-10. Medicaid agencies will use the subrogation standard to pursue reimbursement from other payers. The compliance date for the Medicaid subrogation standard is also January 1, 2012, except for small health plans, which will have until January 1, 2013 to come into compliance.


The requirement to adopt transaction standards originated from the 1996 Health Insurance Portability and Accountability Act (HIPAA). The Transactions and Code Sets final rule published on Aug. 17, 2000, adopted standards for the statutorily identified transactions, some of which were modified in a subsequent final rule published on Feb. 20, 2003. On January 16, 2009, HHS published a final rule that replaces the current Version 4010/4010A and NCPDP Version 5.1 with Version 5010 and Version D.0, respectively, and adopted NCPDP Version 3.0 as well.



What is HIPAA

White Paper by Bruce Fraser and Tom Stevens


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was the result of efforts by the Clinton Administration and congressional healthcare reform proponents to reform healthcare in a way that would streamline industry inefficiencies, reduce paperwork, make it easier to detect and prosecute fraud and abuse, and enable workers of all professions to change jobs, even if they (or family members) had pre-existing medical conditions.


The HIPAA legislation had four primary objectives:


  1. Assure health insurance portability by eliminating job-lock due to pre-existing medical conditions
  2. Reduce healthcare fraud and abuse
  3. Enforce standards for health information
  4. Guarantee security and privacy of health information

The HIPAA legislation is organized as follows:


Title I: Guarantees health insurance access, portability and renewal


    • Guarantees coverage and renewal
    • Eliminates some pre-existing condition exclusions
    • Prohibits discrimination based on health status

Title II: Preventing healthcare fraud and abuse


    • Fraud and abuse controls
    • Administrative Simplification (AS) provisions (Subtitle)
    • Medical Liability Reform

Title III: Medical Savings Accounts

    • Health Insurance tax deduction for self-employed


Title IV: Enforcement of group health plan provisions


Title V: Revenue offset provisions


However, when looking at HIPAA it is important to remember that the actual HIPAA rules and detailed requirements that the healthcare industry has to follow stem from the Administrative Simplification (AS) provisions of HIPAA, which fall under Title II (Fraud and Abuse) of the HIPAA act itself. These provisions are intended to reduce the costs and administrative burdens of healthcare by making possible the standardized, electronic transmission of administrative and financial transactions that are currently executed manually and on paper.


The Administrative Simplification (AS) provisions specifically state what rules and standards the healthcare industry must implement in order to be in compliance with HIPAA. The AS provisions also impose specific implementation deadlines, based upon the date when the Final Rule (for a specific issue) is published in the Federal Register, plus the mandatory 60-day review period during which the rule may be challenged and overturned or delayed on appeal. For example, the Final Rule for National Standards for Electronic Transactions (which includes EDI Transaction and National Code Set standards for claims processing) was the first HIPAA compliance rule to be published, on August 17, 2000, and therefore the compliance date for this rule becomes October 16, 2002 (2003 for small health plans).


This rule requires that healthcare organizations, insurers and payors that have been using any electronic means of storing patient data and performing claims submission (including faxes, we are told) comply with this new Final Rule for National Standards for Electronic Transactions.


Providers that use an electronic clearinghouse to process their transactions do not have to modify their systems at present to assure compliance; however, the provider has to make sure that the clearinghouse, as a business partner, is compliant with the new regulations. In all likelihood, providers will at least have to make some modifications to ensure ancillary and departmental systems are capturing HIPAA-required information and transmitting that data to their Admission, Discharge and Transfer (ADT) systems and billing systems, in order for the clearinghouse to be able to create and send a HIPAA-compliant transaction.


Additional provider, payor and insurance system modifications will also be required for the Privacy and Security rules mandated by the AS provisions, so having a clearinghouse does not preclude a provider, insurer or payor from having to make other computer system changes as part of their HIPAA compliance efforts.


At the risk of oversimplification, this rule requires providers, insurers, payors and, to a small extent, employers to submit enrollments, eligibility and claims processing via Electronic Data Interchange (EDI) transactions.


EDI is nothing new and has been commercially available since the 1980s. Many large companies have been using EDI for years to process orders, send invoices and issue or receive payments with their electronic trading partners.


EDI is essentially a set of very specific rules governing how information will be packaged in order to send orders, invoices, statements and payments electronically from one electronic trading partner to another.


The government has essentially adopted this standard as a good way of ensuring that everyone (providers, payors, insurers and employers) will use these well-established standards as a way of communicating and sending information to each other. Properly done, EDI transactions do not require human intervention and should process very quickly. Therefore, providers should be able to submit electronic eligibility or benefit inquiries and claims via EDI transactions to the payor, whose claims system should process the EDI transaction quickly, returning a claim payment/advice electronically and without delay.


Other HIPAA compliance rules currently defined and proposed under the AS provisions, but not expected to be finalized until 4Q 2000 or early 1Q 2001, include:


    • Standards for Privacy of Individually Identifiable Health Information
    • National Provider Identifier
    • Employer Identifier
    • Security and Electronic Signatures

The Standards for Privacy of Individually Identifiable Health Information are designed to help guarantee privacy and confidentiality of patient medical records. These new Standards for Privacy are quite extensive. Healthcare providers, insurers, payors and employers should review this rule and its requirements in great detail, with the intent to update and replace any current internal guidelines in order to ensure HIPAA compliance.


The National Provider Identifier, the Employer Identifier and an earlier proposal for a National Individual Identifier were designed to help speed enrollment, eligibility and claims processing by having a national set of identification numbers that the entire industry would use to identify a specific provider, insurer or patient. These same steps would also help identify fraud and abuse by eliminating situations where providers and individuals have multiple identifiers today, making it difficult to match and track claims to both providers and individuals, particularly where fraud is intended.


However, the National Individual Identifier ran afoul of protests from civil libertarians and individuals concerned about big brother having the ability to identify, track and gain information about anyone in the country via a single identification number. As a result, the National Individual Identifier seems to have been put on the sidelines until such time as a reasonable compromise could be worked out that would assure all sides that there would be no abuses of such a system.


Electronic Signatures will come into play at some point in the future, but when is difficult to predict at this time. Electronic Signatures may be required for persons submitting healthcare claims and claims attachments: the submitter uses a "private key" to create a digital "signature" over the claim and sends the "signed document". The recipient, typically a payor or insurer processing the claim and attachments, uses the matching "public key" to verify the signature and confirm that the document could only have been signed by the holder of that private key. This eliminates the possibility of persons submitting false or fraudulent claims later denying that they were the person that sent the claim.


However, for a uniform key-based signature system to work absolutely and without the possibility of error (which could lead to deniability) for the entire health industry in the United States, there must be a national organization that could be universally trusted to assign, distribute and manage keys on a national basis and without error. Such an organization has yet to be established. Therefore, this HIPAA rule seems somewhat more distant than the others in terms of implementation.
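As an added illustration of the sign-with-private-key, verify-with-public-key flow described above and of the role of the trusted key authority, the following Go program (not from the white paper or any HIPAA standard) signs a constructed claim segment and shows a payor rejecting both an altered claim and a claim from a provider whose key is not on file. The Ed25519 algorithm, the provider ID and the KeyRegistry (standing in for the national authority the paper says does not yet exist) are all assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// ClaimSigner holds a submitter's key pair; the private key never leaves the submitter.
type ClaimSigner struct {
	ProviderID string
	priv       ed25519.PrivateKey
	pub        ed25519.PublicKey
}

// NewClaimSigner generates a fresh Ed25519 key pair (assumed algorithm) for a provider.
func NewClaimSigner(providerID string) (*ClaimSigner, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ClaimSigner{ProviderID: providerID, priv: priv, pub: pub}, nil
}

// PublicKey is what the provider would publish to the key authority.
func (s *ClaimSigner) PublicKey() ed25519.PublicKey { return s.pub }

// SignClaim produces the detached "signature" sent along with the claim bytes.
func (s *ClaimSigner) SignClaim(claim []byte) []byte { return ed25519.Sign(s.priv, claim) }

// KeyRegistry is a hypothetical stand-in for a trusted national key authority:
// it binds a provider ID to the one public key the payor will accept for it.
type KeyRegistry map[string]ed25519.PublicKey

// VerifyClaim is the payor's check: the claimed sender must have a key on file,
// and the signature must match the claim bytes exactly as received.
func (r KeyRegistry) VerifyClaim(providerID string, claim, sig []byte) error {
	pub, ok := r[providerID]
	if !ok {
		return errors.New("no trusted public key on file for provider " + providerID)
	}
	if !ed25519.Verify(pub, claim, sig) {
		return errors.New("signature invalid: claim altered or not signed by this provider")
	}
	return nil
}

func main() {
	signer, _ := NewClaimSigner("PROV-0001") // constructed ID, not a real identifier
	registry := KeyRegistry{signer.ProviderID: signer.PublicKey()}
	claim := []byte("CLM*ABC123*150.00~") // constructed X12-style claim segment
	sig := signer.SignClaim(claim)
	fmt.Println("as sent:   ", registry.VerifyClaim("PROV-0001", claim, sig))
	fmt.Println("amount edited:", registry.VerifyClaim("PROV-0001", []byte("CLM*ABC123*1500.00~"), sig))
	fmt.Println("unknown key:  ", registry.VerifyClaim("PROV-9999", claim, sig))
}
```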


However, these rules fall short of requiring specific technology or specific vendor solutions to address such issues as security and protection of individually identifiable patient information through the use of biometric devices (palm print readers, retinal scanners, fingerprint readers, etc.) for workstation security, enterprise-wide network security, or the security of data transmission of claims information to insurers or payors for claims processing. By not defining specific technology or vendor solutions, the Department of Health and Human Services (DOHSS) has left enough wiggle room to say that the AS provisions are technology neutral, thereby passing the responsibility of evaluating and justifying appropriate technological solutions into the laps of each individual healthcare institution, based upon their unique business requirements.


Healthcare organizations under tremendous financial pressure and having enough difficulty fielding enough qualified nurses for a single shift will have trouble justifying the expense of retinal scanners on their workstations and servers or encrypting their entire hospital data network in order to ensure the protection of individually identifiable patient data. As a result, there will be a distinct lack of uniformity in HIPAA compliance and implementation at the institutional level, based upon what each organization can justify and/or afford.


Achieving HIPAA compliance, particularly for healthcare providers, will not be easy and will be costly to the provider and payer organizations. Providers, payors and insurers will have to educate and train their staffs to be in compliance with the new requirements and then perform ongoing compliance monitoring and apply appropriate sanctions when necessary. Providers, unlike insurers, also have to deal with millions of family members, loved ones and outside visitors from all walks of life in the course of performing daily business. These daily visitors, along with the security challenges supplied in ample quantity by Internet hackers, email viruses and the sheer physical size of some organizations, make the protection of individually identifiable patient information a major challenge in itself.

Like most federally mandated programs, there are no provisions for the recovery of HIPAA compliance implementation costs or the ongoing costs to train new staff and monitor HIPAA compliance after initial implementation. Sadly, it is the author's opinion that more institutions will close as a result of not being able to achieve HIPAA compliance, for a variety of reasons. Currently, some experts are estimating the costs of achieving initial HIPAA compliance (not counting ongoing compliance training and monitoring once implemented) at over $66 billion and climbing.


However, there is a long-term bright side to HIPAA compliance. Over time and once fully implemented, HIPAA should minimize the amount of paperwork and human intervention required to verify a patient's eligibility and minimize the amount of human effort required to perform claims processing, since the required eligibility and claims transactions should not require human intervention if submitted correctly and according to the transaction standards. Insurers or payors may only want to manually examine randomly selected claims or claims for a specific individual or business as part of fraud or abuse detection. Since claims should be processed far more quickly, claims payments to the providers should also speed up (at least in theory), hopefully easing some of the cash flow burden for provider organizations. Security improvements to prevent deliberate or accidental access to unique or individually identifiable patient data will address concerns over privacy of patient data. Moreover, the digital Electronic Signature (as proposed) will ensure that persons submitting fraudulent electronic insurance or Medicare/Medicaid claims will not be able to deny submitting them in court later on.


While it is easy to get tangled up in the emotion of the expenditures and work effort required to achieve HIPAA compliance, it is important to remember there are many positive features of HIPAA. The need for insurance portability is apparent. Protecting the patients' right to the privacy of healthcare information has always been, and should remain, a high priority. Reductions in fraud and abuse are certainly welcome, if not long overdue. Quicker processing of eligibility and claims not only reduces the cost of these items to the hospital and the insurer/payor but provides better service to the patient as well. Although there may be some pain associated with the successful implementation of compliance rules, the result will ultimately be the improvements that the Clinton administration and Congress agreed upon and intended.