RBMA president says it’s time to make HIPAA critical

SCOTTSDALE, AZ — Just 18 months ago, year 2000 worries had the healthcare industry scrambling to check its Y2K compliance. In retrospect, those efforts may seem Lilliputian compared with the task of implementing Health Insurance Portability and Accountability Act (HIPAA) regulations by 2003.

"Sweeping changes to transaction, security, and privacy standards will be rolling out over the next two years, and the impact will be felt by every sector of the health industry," said Patricia Kroken in her closing remarks at the Radiology Business Management Association 2001 summit on Wednesday. As president of the RBMA, Kroken urged the 400-plus attendees to make HIPAA compliance a top priority.

"HIPAA is not going to go away. It was passed into law in October 1996 and its transaction standards must be implemented by December 2002. That’s just 18 months away," Kroken cautioned.

The risks of not planning and preparing for HIPAA are severe. In addition to legal actions such as business malpractice and patient-driven lawsuits resulting from noncompliance, HIPAA entails substantial civil and criminal penalties.

"HIPAA requirements are approximately 75% administrative and 25% technical," said Kroken. The administrative portion that falls on managers’ shoulders includes documented policies and procedures, training, and direction of staff as new workflow standards are introduced. The technical portion of compliance is made up of applications such as security mechanisms and electronic transaction technology.

With such a tight timeframe for implementation, budgeting and planning should begin sooner rather than later, Kroken said. She recommended that business managers look at what can be handled in house, and what will need to be outsourced. The sooner implementation begins, the lower the cash-flow impact of compliance, she said.

"If you wait [until] six months before the deadline to start it will be much more expensive," Kroken said.

The upcoming transaction standard is the most information-technology-intensive. It defines standards and formats for submission of healthcare claims, and related transactions such as eligibility and benefits coordination. It also contains unique health identifiers and code sets.

Because of these provisions, and an expectation that codes will have longer field lengths, all billing software needs to be certified by its vendor, in writing, that it’s HIPAA compliant before the December 2002 deadline. Business managers will need to have this documentation on site and available for inspection.

"I wouldn’t procrastinate on implementing transaction standards too long, because the other standards are coming behind it like a freight train," said Kroken.

"The privacy standard brings up an interesting question," she said. "How do you bring patients from a waiting room into the procedure area if, for privacy reasons, you can’t call out their name because other patients might hear it?"

Privacy and security standards are going to have the biggest impact on the work culture of radiology practices, Kroken predicted. Computer security may need to include biometric devices, such as thumbprint scanners, to access a system. If passwords are used, they will have to be changed regularly, and can no longer be simple, easy-to-remember words and phrases.

Computer systems may no longer be able to be used in an area where patients or passersby may see data on a monitor. Devices such as copiers, printers, and removable media drives will have to be in secure areas that can only be accessed by authorized personnel. Non-medical personnel, such as a cleaning service, may be required to sign medical privacy agreements.

All personnel who have access to medical records will have to log their usage. While this will encourage electronic business processes and paper reduction, it will cost practices that haven't yet implemented paperless procedures. There’s not a single radiology practice that’s completely paperless, Kroken said.

"Change management is going to be the biggest challenge to implementing HIPAA. Your facility will feel the least impact if you implement policies and procedures gradually and steadily. The cultural change of how we handle information is going to be immense," said Kroken.

A timeline for implementation is a valuable planning tool that every business manager should consider. Kroken said that beginning immediately, each facility should break down HIPAA compliance into four six-month segments covering:

• Assessment
• Preparation
• Testing
• Implementation