January 22, 2007
Chasing Compliance: HIPAA’s Electronic Data Interchange Requirements
By April D. Robertson, MPA, RHIA, CHP
For The Record
Vol. 19 No. 1 P. 16
More than three years after it went into effect, this component of HIPAA is still running circles around the healthcare industry.
The electronic data interchange (EDI) requirements defined under HIPAA have presented the healthcare industry with one of its greatest challenges. Although progress has been made since these requirements were scheduled to take effect in late 2003, compliance remains an issue.
A Brief History
The purpose of the HIPAA/EDI provision is to improve the healthcare system’s efficiency and effectiveness through standardization and simplification. Previously, different payers required that providers use thousands of different definitions, formats, and data values when processing payment claims. The electronic transactions and code sets rule, part of HIPAA’s administrative simplification section, was designed to provide a consistent, standard set of definitions that all payers and providers nationwide would use.
As a whole, HIPAA’s administrative simplification requirements were expected to act as the catalyst for many operational improvements within payer and provider organizations alike, including the following:
• faster, more efficient, and more accurate exchange of information, such as eligibility, prior authorization, and referral information; claims submission and status information; and electronic remittance advice;
• reduction in claim denials;
• quick and accurate “auto-posting” of payments;
• reduction in the overall cost of claims processing;
• enhanced security and privacy of healthcare information; and
• the ability to free valuable staff resources for other activities.1
Initially, many in the healthcare community anticipated that the new HIPAA requirements and their expected benefits would lead to growth in the adoption of EDI for claims-related and other electronic transactions. However, one year after the initial deadline, full compliance had not yet been achieved.
Thus, the Centers for Medicare & Medicaid Services (CMS) began an open-ended “contingency period.” Although penalties for noncompliance were not levied, all parties were expected to make a “good-faith effort” to become compliant, and CMS set the end of the contingency period for Medicare at July 1, 2005. After that point, most medical providers that filed electronically had to file their electronic claims using the HIPAA standards in order to be paid. This new deadline forced people into action.
Understanding and Playing by the Rules
The requirements of the electronic transactions and code sets rule appear deceptively simple. If a covered entity (ie, an entity that must comply with HIPAA’s requirements) conducts any of the electronic transactions designated in the rule in the process of transferring healthcare information, it must comply with the HIPAA standards for that transaction.
The electronic transactions covered by this rule are as follows:
• claim status;
• referral certification;
• health plan premium payments; and
• coordination of benefits.
HIPAA refers to code sets as medical codes or nonmedical codes.2 Typically maintained by professional societies and other organizations, medical code sets translate a series of letters and/or digits into the procedures, services, diagnoses, drugs, equipment, and other supplies that pertain to a patient encounter.
The medical code sets that have been approved under HIPAA are as follows:
• International Classification of Diseases, Ninth Revision, Clinical Modification (ICD-9-CM), Volumes 1 and 2: codes that describe conditions;
• ICD-9-CM, Volume 3: codes that describe procedures or other actions taken on hospital inpatients;
• National Drug Codes: codes that describe drugs and biologics from retail pharmacies;
• Current Dental Terminology, Code on Dental Procedures and Nomenclature, Version 3: codes that describe dental services;
• Healthcare Common Procedural Coding System (HCPCS) and Current Procedural Terminology, Fourth Edition: combined codes that describe physician and other healthcare services; and
• HCPCS: codes that describe all other substances, equipment, supplies, or other items used in delivering healthcare services.
Used to capture general administrative information, nonmedical code sets range from the very simple—state abbreviations, zip codes, telephone area codes—to the more comprehensive and complex, such as codes that describe provider areas of specialization, payment policies, claim status, and reasons why claims have been adjusted or denied.
Standard nonmedical code sets approved under HIPAA are the following:
• provider taxonomy codes, which identify the provider type and area of specialization for all healthcare providers (and which will be dropped when the provider identifier is adopted);
• claim adjustment reason codes, which explain why a claim was paid differently than it was billed;
• remittance advice remark codes, which describe claim adjustments in greater detail;
• claim status category codes, which indicate information such as whether a claim has been received, pended, paid, or denied; and
• claim status codes, which provide more detail about the reasons behind claim status.
So why has adoption of these standards been slow? The primary reason is that HIPAA changed, added, or eliminated data that providers were previously using in their standard transactions, causing a great deal of confusion and implementation difficulty. Payers had developed their own local codes to handle unique circumstances; for example, many health plans, including state Medicaid programs, had adopted local codes in response to specific variations in their programs or business rules. In addition, a number of new codes were added to HCPCS to accommodate items that had not had codes before.
Further slowing progress is the fact that code sets (or data elements) are classified as “required,” “situational,” or “optional.” Each payer defines its own unique process requirements, the specific data elements it requires, and when it requires them to be used, as well as specific process options.
HIPAA implementation guides—developed to assist providers and their vendors—define the specific activities related to each transaction, list the nonmedical standardized code sets, and provide directions for how data should be moved electronically. There are also hundreds of payer companion guides that detail how individual payers want their claims formatted.
Managing HIPAA-Compliant Transactions
Undoubtedly, there are good reasons for healthcare providers to perform HIPAA-compliant EDI. Consider the following example:
1. A provider initiates a transaction by electronically asking a payer whether a patient is eligible for a specific service on a certain day.
2. The payer responds immediately, allowing the provider to make a treatment decision on the spot.
3. A claim is then submitted electronically to the payer’s adjudication system.
4. The system acknowledges receipt of the claim and identifies any potential problems that would lead to the claim being rejected.
5. The payer adjudicates the accepted claim and electronically remits payments with an explanation of benefits.
6. All information is stored by the provider and can be used to submit electronic claims to a secondary payer.
This example clearly demonstrates how EDI can deliver more accurate and efficient transactions that can possibly impact patient care and speed up the processing and payment of claims. However, it also reveals that any technology used to facilitate EDI demands attention to detail, constant review and supervision, and complete accuracy to be successful. One small error could result in hours of troubleshooting—all of which results in lost time and revenue.
Keep in mind, too, that HIPAA specifies different formats for different functions, such as eligibility inquiries vs. remittance responses. Claims must be compliant in their content, which creates problems when a physician uses an old or rudimentary practice management system for patient records and billing information. Fixing these errors requires intensive technical work between the involved parties.
Healthcare providers can choose to manage EDI internally with their own resources or outsource transactions completely. Many considerations factor into the decision, including budget and level of staff expertise. Both approaches have advantages and disadvantages, which can vary depending on where a provider is on the adoption curve. Either option will generally mean that a provider can avoid use of the implementation guides for the HIPAA standards because EDI technology vendors and clearinghouses are required to incorporate the standards into their software.
Managing EDI in house can be cost-effective and give a provider greater control of the process. However, the HIPAA standards are complex and require programming and data mapping, so a provider’s internal team would need not only EDI expertise but also the ability to translate implementation guides that outline the HIPAA requirements. In addition, an installed EDI system can be costly and require a number of experts to implement and maintain. Without staff who possess extensive EDI knowledge, a provider risks expensive errors, such as investments in inappropriate hardware and software or an inability to provide a reliable solution.
Thus, outsourcing EDI may be an attractive option. Providers can send all claims to one location with one telephone call, as well as have the clearinghouses check claims for missing information, valid procedure and diagnosis codes, and payer-specific edits to improve claims acceptance. The clearinghouse will forward accepted claims directly to the payer along with a report to the provider on the status of submitted and rejected claims.
On the negative side, outsourcing may not always be cost-effective; traditionally, clearinghouses have notoriously charged high transaction fees. Quality may be a concern here as well, with complaints surfacing about lost transactions and long wait times. Many large clearinghouses struggle with HIPAA compliance themselves, making their added value questionable.
Over the last few years, the trend has been toward providers submitting their own claims directly over the Internet and forgoing the use of a clearinghouse. To lure providers back, many clearinghouses have expanded their service offerings to include Web-based products.
As a third alternative, providers can opt for a hosted solution from an Application Service Provider (ASP), ideal for those who prefer not to control their EDI processes internally and yet do not want to fully relinquish the task to another company. Web-based solutions save time and money by providing one interface for managing claims for almost all government and commercial payers, from start to finish. Various tools and options allow providers to view claims inventory, aid decision support, view dashboard snapshots of claims inventory, manage workflow, and prioritize resources.
A hosted solution eliminates the large expense associated with purchasing hardware and software and decreases labor requirements to manage an internal system. This may be the ideal choice for many providers trying to find the solution that meets both their compliance and budget needs.
Although a hosted solution may be a fine choice for many, it won’t be for everyone. If a provider has already spent a lot of money on hardware, software licenses, or personnel, it may be an uphill battle to convince management to move to an ASP. Another issue is a perceived loss of control because data and applications reside with the ASP. Service-level agreements are therefore critical to holding the vendor accountable. The agreement should provide minimum standards for data and application security, accessibility, downtime, and responsiveness, as well as remedies when problems occur. Timing and notification processes for software upgrades should also be included so users aren’t surprised by new fields or functions. Making sure the agreement spells out everything in detail, including any special regulatory requirements, can help alleviate concerns about lack of control.
HIPAA Compliance Today
Although more options, technology, and implementation guides are available today than in the past, compliance with the HIPAA/EDI rules still remains a challenge for many. The “US Healthcare Industry HIPAA Compliance Survey Results” report indicates that compliance with the transactions and code sets rule—including actual conversion to HIPAA-standard transactions—has shown little, if any, improvement over the past year.3
According to the survey, although 84% of providers indicated they were fully compliant with the rule in January 2006, only 72% reported full compliance in July 2006. Additionally, only 42% (down from 46% in January 2006) of providers reported conducting all HIPAA-standard transactions and 65% indicated they were conducting approximately one half of the standard transactions.
Demonstrating the significance of industry collaboration in this effort, providers cited not having received compliant software from vendors and many payers’ lack of readiness (as well as perceived ambiguities in HIPAA transaction requirements) as impediments to progress.
The survey participants were also asked whether their organizations had realized any direct return on investments in adhering to the transactions and code sets rule. Approximately 4% of both providers and payers said they had achieved significant return on investment. Twenty-one percent of providers and 29% of payers indicated they had realized little or no return, while 47% of providers and 25% of payers had not measured the impact.
Finally, reported examples of initiatives underway include moving to totally electronic transactions, conversion to electronic medical records, educating employees, performing activities formerly handled by clearinghouses, reducing use of postage and paper, ensuring faster billing and collections, and creating better prebilling reports to reduce file rejections.
Even though progress has been slow and the benefits largely remain to be seen, the industry has clearly learned major lessons, made significant progress, and demonstrated its commitment to continue forward motion in this important area. A greater level of collaboration between providers, payers, software vendors, and clearinghouses is the key to successful EDI and the enormous benefits it promises to deliver.
— April D. Robertson, MPA, RHIA, CHP, is corporate compliance officer for ChartOne, Inc., a vendor of patient chart management technology and services based in Burlington, Mass. She is past-president of the California Health Information Association and an AHIMA board member.
1. Centers for Medicare & Medicaid Services. HIPAA Information Series, Volume 1, Paper 9. “Final Steps for Compliance.” May 2003. Available at: http://www.dhs.state.ri.us/dhs/hipaa/final_steps.pdf
2. Centers for Medicare & Medicaid Services. HIPAA Information Series, Volume 1, Paper 4. “Overview of Electronic Transactions and Code Sets.” May 2003.
3. HIMSS/Phoenix Health Systems. “HIPAAdvisory: US Healthcare Industry HIPAA Compliance Survey Results: Summer 2006.” Available at: http://www.hipaadvisory.com/action/surveynew