Having problems with message search?
I established HIPAA-TCS Yahoo! group November 19, 2001. I invited 50 people to join who I believed were HIPAA TCS subject matter experts. Since then it has grown considerably. The members of HIPAA-TCS have been kind in answering my questions, providing comments, suggestions, and guidance. Much of the information in this email is a result of the information the group members shared with me. The opinions are mine and are a generalization of the initial steps to take to achieve HIPAA TCS compliance. They may not reflect your organization or be appropriate recommendations for your organization.
From a resource consultant perspective, I believe the following initial steps must be taken in order to determine the correct approach for HIPAA electronic Transactions and Code Sets (TCS) compliance.
Step 1 Determine if you are a CE, a Trading Partner, a Business Associate.
For more information, see the definitions of covered entity, health care provider, health plan and health care clearinghouse in 45 C.F.R.§160.103.
See also, the "Covered Entity Decision Tools" posted at
<http://www.cms.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp>.
These tools address the question of whether a person, business or agency is
a covered health care provider, health care clearinghouse or health plan.
If you have determined that you are a CE, then
Step 2 Determine which transactions you will need.
Step 3 Identify who your Trading Partners and Business Associates will be for these transactions
Step 4 Determine the HIPAA readiness and support of your Trading Partners and Business Associates
Step 5 Determine an approach.
Step 6 Test early, test often.
What are you? If this is not an easy question to answer, contact other organizations that do similar services, engage legal counsel, become familiar with the actual HIPAA rules, post your questions to HIPAA related listservs, get involved with associations specific to your niche in the healthcare industry.
What transactions will you need? Depending on how you presently handle business transactions, some HIPAA transactions will be your primary needs.
Others may be able to be addressed through present processes, and development of these may be able to wait until you have your primary transactions. For budgetary concerns, you may want to tackle HIPAA TCS compliance in a primary and secondary priority manner.
Who are your Trading Partners and Business Associate? Look at firms and individuals that you have received payment from, or have made payments to,
for the previous 2 or 3 years. Also review volunteers who are not considered workforce members. The WEDI/SNIP Business Associate Decision Tree may be found in the files section of ShareHIPAA.
How do you determine the readiness and support of your Trading Partners and Business Associates? You may want to consider sending out surveys, calling your account managers, communicating with other organizations that have the same Trading Partners and Business Associates. Ask the hard questions, and document when you requested information and when responses were received. If you are not getting a response, or you do not feel comfortable with the responses, consider realigning with those who are actively pursuing HIPAA compliance. I have attached the Top 10+ Questions to Ask about Transactions.
What approach should you use? That will depend on many variables. Here are some basic approaches I have seen being implemented.
Approach 1 Build a HIPAA TCS compliant system in-house. This can be further broken down into 2 primary strategies and 1 optional or temporary
strategy.
Strategy I Apply level I compliance for all data elements present in
existing applications and systems that reflect in edi transactions. Create a
data warehouse for those elements required but not currently present. Use a
data map, rules engine and integration engine to pull required data elements
from information systems and data warehouse. Apply compiled data to
translator. Transmit and receive compliant transactions.
This strategy is probably one of the more expensive means of achieving
compliance. Organizations that find this approach most advantageous may be
those organizations that:
1. Own the source code of their applications
2. Have developed their information systems in-house, or have custom built
systems
3. Have highly modified and customized vendor applications that would
require considerable expense to return to model.
4. Have determined that there is no or little support from their Trading
Partners or Business Associates in achieving HIPAA TCS Compliance.
5. Is a claims management application vendor or a payer or clearinghouse
that can spread the cost of compliance over many CEs.
Strategy II Do a gap analysis of present edi, and implement a secure
wrap-around to achieve Level 6 and Level 7 compliance, updating the wrapper as your
application vendors enhance their products and as changes are made to the
HIPAA rule.
This strategy is most suitable for those organizations that:
1. Do not own the source code of their information systems.
2. Use "best-of-breed", or have several vendor applications.
3. Have many facilities using different information systems, but billing
and claims management is handled centrally.
4. Want to minimize change processes to system users.
5. Want to maintain a flexible HIPAA TCS solution to allow for expected
application vendor upgrades.
Strategy III Use DDE options provided by payers.
This strategy is probably the least expensive solution to implement. In
most cases there is no set up costs and training requirements are minimal.
Most of the DDE options require internet access where the submitter accesses
the payers claims system through a web interface. Proficient data entry
clerks average 1 minute per claim submission. A major draw back to this
strategy is that not all business transactions can be addressed by DDE. Not
all payers provide this option. Each payer will have their own DDE system.
In most cases DDE should be viewed as a "bridge" to HIPAA TCS compliance, or
a nice to have option to back up for claims submission or eligibility
certification.
This strategy is best suited for those CEs that:
1. Have payers that provide DDE options.
2. Have low volume of claims on an average daily basis.
3. Need a quick solution for submitting claims to provide breathing room to
find a complete HIPAA TCS solution.
4. Providers using other strategies may want to take a look at DDE for
exceptionally large claims that occur near the end of a payer's revenue
cycle.
Approach 2 Align with a service that can take your existing data, and
provide compliant transactions on your behalf and receive transaction
information in a format that is easily integrated back to your existing
information systems.
There are some clearinghouses that provide "drop-in" transaction management
software that may work independently of existing applications, or can be
integrated with existing applications to minimize changes to existing
business processes. Some clearinghouses offer like services on an ASP
model. Some clearinghouses provide DDE like services, however the
clearinghouse provides HIPAA TCS compliant transactions on behalf of the
provider to the various payers. Some vendors license these electronic
clearinghouse systems to a CE. Approach II may be most suitable for those
CEs that:
1. Have no, or little technology infrastructure
2. Are small stand-alone hospitals, medical clinics, or practices.
3. View HIPAA TCS as a black box but desire the benefits of rapid claims
processing.
4. Do not have the capability to make a large initial investment in
technology and would prefer to pay for compliance on a cost per transaction
basis.
I have seen blends of all of these, and CEs that use an approach and
strategy for one part of their enterprise may be using a different approach
and strategy for other parts. Each CE must apply considerable diligence in
ensuring that the approach they select will meet their business needs and
can be integrated into the culture of their organization.
Testing needs to be done as soon as possible and needs to be done often to ensure that your HIPAA TCS solution is viable. Some clearinghouses and
payers provide testing at a marginal cost or for free. Ask your Trading Partners if they are capable of providing an analysis of your test transactions for Level I through Level 6 compliance. If so, this may be an inexpensive and quick means of identifying your present transaction capabilities and changes that need to be made before addressing the business edits of your trading partners.
Developing a guesstimate of the cost of achieving HIPAA TCS compliance is dependent on a host of factors and issues:
CEs may want to look at the following:
Basic resources:
Do you have good project managers?
Do you have subject matter experts in privacy, security and edi?
Do you have financial resources for research, development, implementation, and testing?
Does your organization actively participate in local, state, regional, or national organizations that are actively addressing HIPAA TCS compliance?
Existing culture:
Do you have prudent contract management (do you hold contractors and vendors accountable for contract requirements, do you have a handle on the contract
specifications)?
Do you have commitment from Top Management?
Are you current on all pre-HIPAA compliance mandates?
Do you have cutting edge technology?
Do you have high turn-over or a stable workforce?
Are you multi-site, multi-entity, multi-function?
Does your workforce embrace change or does it tend to resist change?
Are your current policies and procedures formalized or implied?
Present processes:
Are you going through technology upgrades?
Are you stable, downsizing, or growing?
Is management or technology operations out-sourced?
CMS Provides a provider readiness checklist aimed at individual, or the smaller health care provider community. It may be found at: http://cms.hhs.gov/hipaa/hipaa2/readinesschklst.pdf
For those who may just be getting started I have attached a Layman's view of Level VI Compliance Testing and an illustration provided by Frank Hannaford, Solutions Manager, f3 Solutions Group, LLC, Omaha, NE. This picture is worth 1,000 words. It helps to show how electronic information is transmitted throughout the health care industry.
Step 1 Determine if you are a CE, a Trading Partner, a Business Associate.
For more information, see the definitions of covered entity, health care provider, health plan and health care clearinghouse in 45 C.F.R.§160.103.
See also, the "Covered Entity Decision Tools" posted at
<http://www.cms.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp>.
These tools address the question of whether a person, business or agency is
a covered health care provider, health care clearinghouse or health plan.
If you have determined that you are a CE, then
Step 2 Determine which transactions you will need.
Step 3 Identify who your Trading Partners and Business Associates will be for these transactions
Step 4 Determine the HIPAA readiness and support of your Trading Partners and Business Associates
Step 5 Determine an approach.
Step 6 Test early, test often.
What are you? If this is not an easy question to answer, contact other organizations that do similar services, engage legal counsel, become familiar with the actual HIPAA rules, post your questions to HIPAA related listservs, get involved with associations specific to your niche in the healthcare industry.
What transactions will you need? Depending on how you presently handle business transactions, some HIPAA transactions will be your primary needs.
Others may be able to be addressed through present processes, and development of these may be able to wait until you have your primary transactions. For budgetary concerns, you may want to tackle HIPAA TCS compliance in a primary and secondary priority manner.
Who are your Trading Partners and Business Associate? Look at firms and individuals that you have received payment from, or have made payments to,
for the previous 2 or 3 years. Also review volunteers who are not considered workforce members. The WEDI/SNIP Business Associate Decision Tree may be found in the files section of ShareHIPAA.
How do you determine the readiness and support of your Trading Partners and Business Associates? You may want to consider sending out surveys, calling your account managers, communicating with other organizations that have the same Trading Partners and Business Associates. Ask the hard questions, and document when you requested information and when responses were received. If you are not getting a response, or you do not feel comfortable with the responses, consider realigning with those who are actively pursuing HIPAA compliance. I have attached the Top 10+ Questions to Ask about Transactions.
What approach should you use? That will depend on many variables. Here are some basic approaches I have seen being implemented.
Approach 1 Build a HIPAA TCS compliant system in-house. This can be further broken down into 2 primary strategies and 1 optional or temporary
strategy.
Strategy I Apply level I compliance for all data elements present in
existing applications and systems that reflect in edi transactions. Create a
data warehouse for those elements required but not currently present. Use a
data map, rules engine and integration engine to pull required data elements
from information systems and data warehouse. Apply compiled data to
translator. Transmit and receive compliant transactions.
This strategy is probably one of the more expensive means of achieving
compliance. Organizations that find this approach most advantageous may be
those organizations that:
1. Own the source code of their applications
2. Have developed their information systems in-house, or have custom built
systems
3. Have highly modified and customized vendor applications that would
require considerable expense to return to model.
4. Have determined that there is no or little support from their Trading
Partners or Business Associates in achieving HIPAA TCS Compliance.
5. Is a claims management application vendor or a payer or clearinghouse
that can spread the cost of compliance over many CEs.
Strategy II Do a gap analysis of present edi, and implement a secure
wrap-around to achieve Level 6 and Level 7 compliance, updating the wrapper as your
application vendors enhance their products and as changes are made to the
HIPAA rule.
This strategy is most suitable for those organizations that:
1. Do not own the source code of their information systems.
2. Use "best-of-breed", or have several vendor applications.
3. Have many facilities using different information systems, but billing
and claims management is handled centrally.
4. Want to minimize change processes to system users.
5. Want to maintain a flexible HIPAA TCS solution to allow for expected
application vendor upgrades.
Strategy III Use DDE options provided by payers.
This strategy is probably the least expensive solution to implement. In
most cases there is no set up costs and training requirements are minimal.
Most of the DDE options require internet access where the submitter accesses
the payers claims system through a web interface. Proficient data entry
clerks average 1 minute per claim submission. A major draw back to this
strategy is that not all business transactions can be addressed by DDE. Not
all payers provide this option. Each payer will have their own DDE system.
In most cases DDE should be viewed as a "bridge" to HIPAA TCS compliance, or
a nice to have option to back up for claims submission or eligibility
certification.
This strategy is best suited for those CEs that:
1. Have payers that provide DDE options.
2. Have low volume of claims on an average daily basis.
3. Need a quick solution for submitting claims to provide breathing room to
find a complete HIPAA TCS solution.
4. Providers using other strategies may want to take a look at DDE for
exceptionally large claims that occur near the end of a payer's revenue
cycle.
Approach 2 Align with a service that can take your existing data, and
provide compliant transactions on your behalf and receive transaction
information in a format that is easily integrated back to your existing
information systems.
There are some clearinghouses that provide "drop-in" transaction management
software that may work independently of existing applications, or can be
integrated with existing applications to minimize changes to existing
business processes. Some clearinghouses offer like services on an ASP
model. Some clearinghouses provide DDE like services, however the
clearinghouse provides HIPAA TCS compliant transactions on behalf of the
provider to the various payers. Some vendors license these electronic
clearinghouse systems to a CE. Approach II may be most suitable for those
CEs that:
1. Have no, or little technology infrastructure
2. Are small stand-alone hospitals, medical clinics, or practices.
3. View HIPAA TCS as a black box but desire the benefits of rapid claims
processing.
4. Do not have the capability to make a large initial investment in
technology and would prefer to pay for compliance on a cost per transaction
basis.
I have seen blends of all of these, and CEs that use an approach and
strategy for one part of their enterprise may be using a different approach
and strategy for other parts. Each CE must apply considerable diligence in
ensuring that the approach they select will meet their business needs and
can be integrated into the culture of their organization.
Testing needs to be done as soon as possible and needs to be done often to ensure that your HIPAA TCS solution is viable. Some clearinghouses and
payers provide testing at a marginal cost or for free. Ask your Trading Partners if they are capable of providing an analysis of your test transactions for Level I through Level 6 compliance. If so, this may be an inexpensive and quick means of identifying your present transaction capabilities and changes that need to be made before addressing the business edits of your trading partners.
Developing a guesstimate of the cost of achieving HIPAA TCS compliance is dependent on a host of factors and issues:
CEs may want to look at the following:
Basic resources:
Do you have good project managers?
Do you have subject matter experts in privacy, security and edi?
Do you have financial resources for research, development, implementation, and testing?
Does your organization actively participate in local, state, regional, or national organizations that are actively addressing HIPAA TCS compliance?
Existing culture:
Do you have prudent contract management (do you hold contractors and vendors accountable for contract requirements, do you have a handle on the contract
specifications)?
Do you have commitment from Top Management?
Are you current on all pre-HIPAA compliance mandates?
Do you have cutting edge technology?
Do you have high turn-over or a stable workforce?
Are you multi-site, multi-entity, multi-function?
Does your workforce embrace change or does it tend to resist change?
Are your current policies and procedures formalized or implied?
Present processes:
Are you going through technology upgrades?
Are you stable, downsizing, or growing?
Is management or technology operations out-sourced?
CMS Provides a provider readiness checklist aimed at individual, or the smaller health care provider community. It may be found at: http://cms.hhs.gov/hipaa/hipaa2/readinesschklst.pdf
For those who may just be getting started I have attached a Layman's view of Level VI Compliance Testing and an illustration provided by Frank Hannaford, Solutions Manager, f3 Solutions Group, LLC, Omaha, NE. This picture is worth 1,000 words. It helps to show how electronic information is transmitted throughout the health care industry.
Barbara McGowin, CPC
Executive Recruiter
HIT Recruiting
(843) 824-8537
mcgowins@...
Connecting Healthcare Organizations with People,
Products and Services to Achieve HIPAA Compliance.
Executive Recruiter
HIT Recruiting
(843) 824-8537
mcgowins@...
Connecting Healthcare Organizations with People,
Products and Services to Achieve HIPAA Compliance.
Offline 
Send Email