HIPAA Compliance: How to Get an Extension
The government will give you another year to comply with the transactions and code sets standards, but you have to ask for it.
Fam Pract Manag. 2002 May;9(5):52-56.
I’ve got good news for you if you’ve been putting the Health Insurance Portability and Accountability Act (HIPAA) on the back burner. The deadline for complying with the HIPAA transactions and code sets standards has been extended another year. The Administrative Simplification Compliance Act (ASCA) – a bill signed into law in late December – extends the deadline to Oct. 16, 2003. The bill specifically does not change the deadline for complying with the HIPAA privacy rules. That remains April 14, 2003.
Unfortunately, along with this good news comes a catch: In order to qualify for the extension, “covered entities” (i.e., physicians, other providers, health plans and clearinghouses) must submit a summary of their compliance plan to the Centers for Medicare & Medicaid Services (CMS) by the original deadline of Oct. 16, 2002. Covered entities that do not submit a plan to CMS and are not fully compliant with the HIPAA transactions standards by the original deadline may be barred from participation in Medicare. In this article, I’ll walk you through the steps of a compliance plan and simultaneously help you fill out a sample compliance form that will satisfy the federal requirement for gaining an extension. It’s easy.
Step one: Decide whether you need the extension
The first step is to determine whether your practice will even need to obtain an extension. You will not need an extension if your practice will be compliant by the original deadline of Oct. 16, 2002, or your practice sends no patient-identifiable health-related information electronically to payers or clearinghouses – in other words, if your practice operates in a 100-percent paper billing and claims environment.
Most independent practices will find themselves hard pressed to be compliant with the transactions and code sets standards by the original deadline, if only because many of their “trading partners” (e.g., billing services, clearinghouses and health plans) won’t be ready. To be compliant by October 2002, your practice should have already begun conducting an operational assessment. This would include performing a gap analysis (comparing the requirements for implementation with your practice’s current state of readiness); working with payers to test translator software, which converts nonstandard formats into HIPAA-standard formats; and having discussions with your clearinghouses to ensure that transactions are being handled in a standard fashion. If you haven’t started this type of assessment, proceed to the next step.
Step two: Begin filling out the form
Take a look at the “Electronic Health Care Transactions and Code Sets Standards Model Compliance Plan” form, which can be downloaded below. You may use your own version of this form as long as it contains equivalent information. I suggest you use the form provided here as a “dry run” to help you understand the issues and formulate answers. Then you can either download a blank form from the CMS Web site and mail it in or complete it online (www.cms.hhs.gov/hipaa/hipaa2/ascaform.asp). Note that if you are a member of a group practice, an extension will be granted to all members of the group; it is not necessary to file separate forms for each physician. The act of submitting the form to CMS automatically grants you the one-year extension.
Section A asks for basic information about your practice. Question 5 asks for the name and title of the “authorized person,” in other words, the individual responsible for certifying that the information on the form is accurate and correct. Most likely, it’s a physician in your practice or the practice manager.
Section B asks for the reason(s) why you’ll need more time to reach full compliance. Read the choices carefully and select all that apply to your situation. Section C asks how much you expect it will cost to implement the transactions and code sets standards in your practice. This is difficult to answer since no one really knows how much it will cost the average medical practice. Costs will depend on the size of the practice, the percentage of claims submitted electronically, the methods used to submit electronic claims and other HIPAA-standard transactions (e.g., directly versus through a clearinghouse or billing service) and the number of HIPAA-standard transactions the practice needs to implement. There are a total of eight HIPAA-standard transaction formats, but most practices will need to implement only a few. (For more information about the eight formats, see www.aafp.org/fpm/20011100/28what.html.)
Health care providers and organizations that electronically transmit patient-identifiable health information will now have until Oct. 16, 2003, to comply with the HIPAA transactions and code sets standards.
In order to receive the one-year extension, a summary compliance plan must be submitted to the Centers for Medicare & Medicaid Services.
Failure to submit a plan to CMS or to be fully compliant with the HIPAA transactions standards by Oct. 16, 2002, may result in being barred from participation in Medicare.
One way to estimate implementation costs is to ask your software vendor the price of adding translation software to your current practice management software. (See Ask FPM, March 2002, page 53 for more information.) You may also need to query your billing service or clearinghouses to determine what additional fees they will charge to translate your claims and other transactions into HIPAA-standard formats. Finally, don’t forget to add into the budget any expenses for HIPAA-related education and training, as well as any new hardware, software or networking costs that may be involved.
Step three: Do your compliance planning
The last section of the sample form gets a little complicated, but filling it out will give you a very good sense of the detailed activities that your organization will need to carry out as it prepares to implement the HIPAA standards. Section D of the form is based on recommendations made by the Workgroup on Electronic Data Interchange (WEDI) Task Force for phased implementation of the transactions and code sets standards. As such, it is biased toward the large health care organizations that compose much of the WEDI membership. Nonetheless, it can be very useful for smaller organizations or practices to think about implementation in these terms:
Phase one: HIPAA awareness. The first step of the phased implementation process is familiarizing yourself with the HIPAA regulations and making sure that appropriate staff members have also been educated. The sample form contains three questions (12–14) about your general understanding of the transactions and code sets standards. If you’ve read the series of FPM articles about HIPAA, you’ve certainly begun to build the awareness required. Only you can determine when you’ve completed this phase, but assigning start and end dates is a good way to ensure that you won’t get behind schedule.
Phase two: Operational assessment. The second step toward implementation is determining what additional resources you’ll need in order to comply with the standards. Questions 15–18 ask very simple questions about your progress in this area. An operational assessment generally begins with a “gap analysis.” The first step of performing a gap analysis is to identify the requirements for implementation and compare them with your practice’s current state of readiness. This will help you determine what you’ll need to do and prioritize your efforts accordingly. Question 16 refers to “45 C.F.R. Parts 160, 162.” These are the actual HIPAA transactions and code sets regulations as published in the Aug. 17, 2000, Federal Register (available online at aspe.hhs.gov/admnsimp/final/txfinal.pdf). You’ll want to download this document and review the definitions and administrative requirements on pages 55 through 62 in order to understand how the HIPAA transactions and code sets standards will change the way you do business with health plans, clearinghouses and insurance companies. Note that Question 18 asks whether you plan to use a contractor or vendor to help you achieve compliance. Most medical practices will need – at the very least – the assistance of their software vendors and clearinghouses and will want to answer “yes” to that question.
Phase three: Development and testing. The final portion of phased implementation includes installing and testing the translation software. Testing is a “two-way street” that will require you and your “trading partners” to send and receive test transactions in HIPAA-standard formats. Your trading partners could be payers, health plans, clearinghouses and other entities that exchange business information with your practice electronically, now or in the future. Note that each one of your trading partners must be contacted and asked about how they plan to facilitate HIPAA-standard exchanges with your practice.
The purpose of the testing is to ensure that the information systems on each end can handle the exchange without losing data, and to assure the integrity of the information on its “round trip” between practice and payer. There will almost certainly be problems encountered during testing, and it will take some time to work out the bugs. A third party will be required to perform testing and certification, and several companies have emerged to fulfill this need, including Claredi (www.claredi.com), whose founder and CEO is a physician, and Foresight (www.foresightcorp.com). Almost no one in the health care industry has completed phase three of the implementation planning process; however, the ASCA legislation specifically requires that testing of the transactions begin no later than April 16, 2003.
Step four: Submit your form
Once you’ve completed the form required for the one-year extension, the final step is to send it to CMS. You can mail your completed form to:
Attention: Model Compliance Plans
Centers for Medicare & Medicaid Services
PO Box 8040
Baltimore, MD 21244-8040
Forms must be postmarked no later than Oct. 15, 2002. It’s a good idea to send the form registered mail because CMS will not provide confirmation that your form arrived. You will also be able to complete and submit the form electronically by going to www.cms.gov/hipaa/hipaa2/ascaform.asp. Forms submitted electronically must be sent by Oct. 15, 2002. Online users will receive confirmation of receipt.
What does CMS intend to do with the information they gather from the extension form? Right now they plan to review only a sample of the forms and share the information with the National Committee on Vital and Health Statistics (NCVHS) in order to identify barriers to compliance. Befittingly, CMS is assuring all parties that any information shared with NCVHS will have all identifying information removed.
Dr. Kibbe is a family physician and co-founder of Canopy Systems, Inc., an Internet clinical software application and services firm based in Chapel Hill, N.C. He is also the AAFP’s director of health information technology and a contributing editor to Family Practice Management. Dr. Kibbe served on the task force of the Strategic National Implementation Process Workgroup on Electronic Data Interchange (WEDI) that helped develop the sample HIPAA compliance form referenced in this article.
Conflicts of interest: none reported.
Send comments to firstname.lastname@example.org.
Copyright © 2002 by the American Academy of Family Physicians.