The industry asked for HIPAA, but as the mandates snake through the committee labyrinths of Washington, the healthcare industry grows impatient--and apathetic.
HIPAA is unique in that it mandates the use of standards that the federal government has not created and does not plan to control. It is pervasive, extending far beyond Medicare and Medicaid to embrace all health plans, clearinghouses and providers that transmit information electronically. Eventually, its final rules will have the force of federal law.
No orphans, please
HIPAA also sets a precedent. Under the act, the government formally adopts de facto transaction standards such as X12N, ICD-9, CPT-4, CDT-2 and NDC. In doing so Washington receives the blessings of designated professional and industry groups, namely the NUBC (National Uniform Billing Committee), NUCC (National Uniform Claim Committee), WEDI (Workgroup on Electronic Data Interchange) and ADA (American Dental Association). And before the secretary decrees this national adoption program, the NCVHS (National Committee on Vital and Health Statistics), a public-sector advisory group, and the HHS Data Council comprised of senior-level DHHS officials must approve.
With security issues, HIPAA has attacked the problem entirely differently. HIPAA’s proposals set the bar by defining the technical and administrative parameters of a secure environment. This gives local organizations a freedom to choose the policies and protocols that best meet the needs of their individual institutions so long as the end result satisfies the proposed security guidelines. As a concept, it’s not all that different from other accreditation processes already in widespread use. Nonetheless, this mandate will require a concerted effort at the local level to evaluate current security measures and plan protection measures. It’s none too early to begin.
When originally proposed, HIPAA authors intended Congress to set the cornerstone with privacy legislation. Everything else depends upon it. And the deadlines for having privacy regulations in place are set: If Congress doesn’t get its act together and enact general privacy legislation by August 1999, the deed falls to the secretary. HIPAA law gives the secretary another six months to issue regulations--but only to protect information in electronic administrative transactions. Read: weaker rules if Congress defaults.
While deadlines to implement privacy rules are fixed, the standards adoption timeline has shifted. Simply put, the secretary didn’t meet the February 1998 deadline. While some elements of HIPAA remain tied up in the proposal process, Transactions and Code Set Standards, National Provider Identifier and the National Standard Employer Identifier are already out of the starting gate and in the home stretch. These standards may be done by the end of the year--at which time the clock starts ticking.
Adoption first, then decree for compliance. The good news is that deadlines for compliance are floating dates, so the longer it takes for the government adoption process, the more time you have to comply. Larger organizations take note: you’re first. With a two-year window, you should plan to be ready by the end of the year 2000. Small plans have an additional year to comply. To those dismayed at the prospect of lining up electronically, the bad news is that there will be no exceptions. The road map points to one big HIPPA family.
Charlene Marietti is senior technology writer at Healthcare Informatics.