Developing the Regulations
The law itself required extensive
consultation with industry groups regarding what standards should be used, and
the government made an impressive effort to comply with both the letter and
spirit of those requirements. There were numerous public hearings and
briefings, and the government asked selected organizations to consult with
their members and make recommendations regarding many issues that arose during
the development of the rules.
The rulemaking delays were welcomed to the
extent that they allowed the industry to postpone related changes until after
Y2K work was completed. But, as the delays continued, they made it difficult for
everyone, including the Federal Government, to make realistic plans and budgets
for accommodating the HIPAA requirements. Those requirements were legislated
mandates, not voluntary initiatives; they appeared unlikely to be repealed or
abandoned, and nearly all of the initiatives were still moving forward. Thus,
the industry needed to make the best business plans that it could for use of
the proposed data formats. Those plans would have been formed around, but
not conditioned on, the HIPAA regulatory schedule.
The provisions of
HIPAA had come to dominate nearly all aspects of the health care data standards
development process. HIPAA was forcing all of the standards developers and many
industry sectors to rethink their plans, and, in many cases, to redefine their
roles.
Security and Privacy
The DHHS published a Security NPRM (Notice of
Proposed Rule Making) on August 12, 1998. The NPRM was essentially a
compilation of the typical recommendations of the many different industry
standards groups. The most typical complaint was that, while the goals
described were terrific, the NPRM was far too specific regarding how they
should be achieved.
The DHHS published a Privacy NPRM on November 3,
1999. The law itself anticipated additional Congressional action in this area
by August 21, 1999, but gave DHHS the authority to issue regulations if no
action was taken. Most sources in and out of government preferred that Congress
pass new legislation, rather than leave this up to the Administration. The
Privacy NPRM's provisions were quite wide-ranging, and estimates are that it
will cost the health care industry over 40 billion dollars to comply. Also,
many of the provisions are similar to those included in many recently enacted
state privacy laws.
Enforcement
Congress has
prescribed penalties for noncompliance with any provision of the HIPAA
mandates. This includes civil fines of up to $100 per occurrence, with a
maximum of $25,000 per calendar year for "... all violations of an identical
requirement or prohibition...". Thus, with nine transactions included in the
mandate, with four new national identifiers, and with a separate mandate on
security and privacy, these penalties can total as much as $350,000 per year
for up to 14 violations.
DHHS interpreted the transaction mandates as
worth up to four penalties each, with separate penalties for not using a
transaction, for not using the standard data elements within a transaction, for
not using the standard data values (or code sets) within the data elements, and
for not using the transaction as described in the associated Implementation
Guide. This interpretation gives you maximum annual penalties of up to
(4 x 9 + 4 + 1) = 41 violations, and 41 x $25,000 = $1,025,000, and counting.
It was also proposed that separate fines be imposed for each major component
of the security requirements that is violated. There are 25 such components.
Administrative & Medical Code Sets
HIPAA also gives the DHHS the authority to specify
what data coding schemes can be used in the health care transactions. People
usually think of this in terms of what medical coding schemes can be used, but
the authority is broader than that. There are national standard schemes for
types of providers, types of services, claim status, claim adjudication
results, and so on. These are commonly referred to as "administrative coding
schemes", to distinguish them from the more specific "medical schemes". These
all have to be used in place of proprietary coding schemes when using any of
the mandated transactions. Some of these schemes are already in widespread use,
while others require substantial changes in business practices.
And So It Began
HIPAA was eventually born and, at a minimum,
everyone in the health care industry and all related industries and vendors are
faced with a huge continuing education effort. If the provisions are to work,
every sector of the industry will have to repeatedly re-evaluate how it does
business, and make continuous efforts to maintain the standards as set forth in
HIPAA. It is an objective here at the CAL HIPAA to assist in the ongoing HIPAA
educational and information dissemination process as well as provide data
security and implementation solutions to all California health care
providers.