THE GOVERNMENT'S MOVE TO REGULATE HEALTH care privacy issues through the Health Insurance Portability and Accountability Act has started the clock ticking toward the April 14, 2003, implementation deadline. And that gives home medical equipment providers a little more than a year and a half to devise an administrative structure to comply with the new regulations. But is anyone really working on that now — and should they be?

HomeCare talked with consultants and HME industry leaders and discovered that opinions vary widely as to how HIPAA should be approached.

Going With the Flow

Five months have elapsed since the Department of Health and Human Services announced the HIPAA privacy standards, and consultants say that by now, providers should have at least become familiar with what they are and what they will require. Providers also should have started planning an implementation strategy, they say.

“It's always easy to accomplish something the more time you have to plan it out,” says Cara Bachenheimer, an attorney at Epstein, Becker & Green in Washington, D.C. “Planning to plan, that's the stage people should be in right now. In other words, they should be planning their implementation plan. And starting to plan is really mapping out the flow of health care information.”

That is best done, Bachenheimer says, by making a diagram of how a patient's information progresses through a company. From order intake, she suggests literally drawing a picture that tracks precisely where the information goes, which staff members come into contact with it and how it is eventually recorded in the computer system. In addition to the internal flow, providers should track the external flow of patient information both into and out of the company.

Some providers are already working on that.

“We're trying to figure out who all the people are that we need to send notification out to regarding what our practices are going to be as far as the privacy portion of it goes,” says Missy Cross, assistant utilization manager at Sandusky, Ohio-based O.E. Meyer. “Anybody that is deemed to be a business partner, we have to submit some information to, letting them know what we could be or are doing with the information. So with all our contractors, insurance companies, patients, referral sources, physicians, we're just trying to pin down who exactly needs to be involved in that process and who needs to get the information.”

Who's In Charge?

The other matter that providers should have addressed by now is appointing someone within the company as a privacy officer, consultants say. That person would primarily be responsible for coordinating and overseeing the privacy plan.

“The privacy official should already have been designated, and if not, providers should designate that person as soon as possible,” says James Pyles, an attorney at Powers, Pyles, Sutter & Verville in Washington, D.C. “You're required under the regulations to have a privacy officer for two reasons: to develop and implement the privacy policies and procedures, but also to answer complaints and questions from the public.

“It's really in the interest of every company to have a privacy official,” he adds. “And certainly that individual should be collecting all of the company's privacy policies and procedures that they currently have and beginning a review process to see if they are generally in compliance with the HIPAA regulations.”

While some providers have named privacy officers, others have appointed an entire department to handle all matters related to HIPAA.

“We've at least identified the area that we believe is going to be the patient accounting center that will be responsible for the compliance,” says Mario LaCute, president of Andover, Ohio-based Seeley Medical. “Our patient accounting center is primarily our reimbursement billing and patient finances department, and since they're the ones that typically are responsible for the information as it relates to reimbursement, it's natural that they will maintain the data. So we'll need to make sure that we're clear on what the policies are there.”

He said his company would also name a compliance officer, and that person would likely be the same employee responsible for Food and Drug Administration and Occupational Safety and Health Administration issues.

Collecting Information

Despite consultants' recommendations that providers should now be in the initial planning stages for HIPAA, some have yet to do so. Rather, they are still in the information collection stage, gathering documents about HIPAA and trying to figure out what the regulations require.

“I'm in the process of trying to find as many Web sites as I can about HIPAA,” says Roger Miller, president of Broadview, Ill.-based Dependicare. “All of us basically want to get the information down into a workable document, and I'm going to spend most of my time trying to reference and cross-reference Web sites that get me a working knowledge and some working documents that I could use.

“I don't want a 300-page document,” he adds. “I don't have time to go through that. I need to try to find reference materials that speak to me in a language that I can understand. So I'm going to spend my time trying to do that, and basically it's going to be going from Web site to Web site, trying to take what information I get and what I can boil down into finite pieces.”

A Wait and See Attitude

One reason many providers have been reluctant to dive head first into planning for HIPAA is that they believe the rules will change.

They could be right. As he announced the implementation of HIPAA, Tommy Thompson, secretary of the Department of Health and Human Services, said HHS would “begin the process of issuing guidelines on how this rule should be implemented. The guidelines will allow us to clarify some of the confusion regarding the impact this rule might have on health care delivery and access.”

Some providers even believe the Bush administration could repeal the act and HIPAA will simply just go away. And others are gun-shy after pouring big bucks into becoming Year 2000 compliant.

“Our industry is a pretty volatile industry,” says Cross. “Changes, whether we like them or not, are always coming our way. We've just gone through Y2K. That took a big chunk of money out of a lot of companies, and people still have Y2K on their minds. They really put forth this effort to be Y2K-compliant and nothing happened. At the same time, a lot of other people waited on the Y2K thing before they did anything, and they survived it. So that's still fresh in people's minds, and they're thinking, ‘Maybe I don't need to rush into this right now. Maybe I can wait and see if any of these changes are made and see if it goes away.’”

Consultants, however, are quick to discourage such thinking. The current political climate favors patient privacy, they say, and HIPAA is not going away. Providers that have not done anything toward becoming HIPAA-compliant need to act now or risk landing in big trouble, they say.

“People should not have their heads stuck in the sand with this issue, thinking that it is somehow magically going to go away, because it's not,” says Bachenheimer. “It may eventually look a little bit different, but in some fairly similar shape and form, on or about that compliance date, it will happen.

“And there's a reason the government gave two years for everybody to comply with it because it will take a significant effort,” she adds. “The government never gives two years for an industry to comply with something. That's fairly unprecedented, and that should be a signal in and of itself. But it's certainly not time to panic. Providers still have time — but they shouldn't delay any further.”

Additional information about HIPAA can be found in HomeCare's March 2001 and May 2001 issues. Just log on to www.homecaremag.com and pull up the back issue archive.

Technically Speaking

SOFTWARE VENDORS are playing an important role in helping home medical equipment providers in their efforts toward becoming HIPAA-compliant. They're redesigning software to accommodate new rules regarding electronic claims and working on ways to deal with the problematic privacy regulations. Many are also offering free upgrades to purchasers of their systems.

The redesigns offer some challenges, according to manufacturers, not the least of which is finding a way to make the software useful for all HME providers.

“The thing that we struggle with is we have to be flexible enough for the small users as well as the larger users because with HIPAA being function driven, one of the aspects we're looking at is you only need to see the information pertaining to your job function,” says Dan Greyn, manager of billing management at Billings, Mont.-based Computers Unlimited. “So some of our customers' employees will do multiple tasks, while others have very specific jobs and they'll only do one task.

“It would be great if we could just say that a biller is only going to see this information and that's all they need to see,” he adds. “But maybe they're going to be a biller and also do front-end order entry. In which case, they would have to see diagnosis. So the software has got to be flexible enough for the small customer as well as the large customer.”

For Harrisburg, Pa.-based Computer Applications Unlimited, the challenge has been in the testing. “We're kind of in a holding pattern,” says Brian Williams, media management/marketing supervisor for CAU. CAU's software has already been approved for the new electronic claims transfer format. But while the company is prepared to test its updated software designed to meet the ANSI 4010 specifications, it hasn't been able to find a payer ready to do so.

While it waits for a ready payer, CAU is channeling some of its efforts into educating providers about HIPAA by offering seminars, says Williams.

“I believe that there are some [dealers] out there that still don't know what they need to do,” says Williams. “We're trying to play the education partner and steer them to what they need to know.”

In addition to the seminars, he says, CAU has links on its Web site to point providers to HIPAA information.

While upgrading software systems is a vital part of becoming HIPAA-compliant, software makers point out that it is not the only thing.

“HIPAA compliance means a lot more than just a product that you are using within your business,” says Rick Long, president of Nashville, Tenn.-based Team DME!. “The HIPAA regulations extend to the communications that you have with your vendors, with us as your software providers, such as signing confidentiality agreements between us if we are able to see your data … So it's not something you're going to be able to buy and say, ‘OK, I've done it.’ It's going to affect all areas of your company. Buying the software is only one piece to the puzzle, but it's not the complete solution.”

Although HIPAA is a formidable challenge for both manufacturers and providers, it will ultimately serve the industry well, Williams says.

“In the long run, it's going to be a whole lot easier for everyone. Everyone will be using a unified standard. Finally,” he says, “standard will mean standard.”
— R.P.