HIPAA Compliance: How to Get an Extension

The government will give you another year to comply with the transactions and code sets standards, but you have to ask for it.

David C. Kibbe, MD, MBA

Covered in FPM Quiz

Tool inside

I've got good news for you if you've been putting the Health Insurance Portability and Accountability Act (HIPAA) on the back burner. The deadline for complying with the HIPAA transactions and code sets standards has been extended another year. The Administrative Simplification Compliance Act (ASCA) ­ a bill signed into law in late December ­ extends the deadline to Oct. 16, 2003. The bill specifically does not change the deadline for complying with the HIPAA privacy rules. That remains April 14, 2003.

Unfortunately, along with this good news comes a catch: In order to qualify for the extension, "covered entities" (i.e., physicians, other providers, health plans and clearinghouses) must submit a summary of their compliance plan to the Centers for Medicare & Medicaid Services (CMS) by the original deadline of Oct. 16, 2002. Covered entities that do not submit a plan to CMS and are not fully compliant with the HIPAA transactions standards by the original deadline may be barred from participation in Medicare. In this article, I'll walk you through the steps of a compliance plan and simultaneously help you fill out a sample compliance form that will satisfy the federal requirement for gaining an extension. It's easy.

Step one: Decide whether you need the extension

The first step is to determine whether your practice will even need to obtain an extension. You will not need an extension if your practice will be compliant by the original deadline of Oct. 16, 2002, or your practice sends no patient-identifiable health-related information electronically to payers or clearinghouses ­ in other words, if your practice operates in a 100-percent paper billing and claims environment.

Most independent practices will find themselves hard pressed to be compliant with the transactions and code sets standards by the original deadline, if only because many of their "trading partners" (e.g., billing services, clearinghouses and health plans) won't be ready. To be compliant by October 2002, your practice should have already begun conducting an operational assessment. This would include performing a gap analysis (comparing the requirements for implementation with your practice's current state of readiness); working with payers to test translator software, which converts nonstandard formats into HIPAA-standard formats; and having discussions with your clearinghouses to ensure that transactions are being handled in a standard fashion. If you haven't started this type of assessment, proceed to the next step.

Step two: Begin filling out the form

Take a look at the "Electronic Health Care Transactions and Code Sets Standards Model Compliance Plan" form. You may use your own version of this form as long as it contains equivalent information. I suggest you use the form provided here as a "dry run" to help you understand the issues and formulate answers. Then you can either download a blank form from the CMS Web site and mail it in or complete it online (www.cms.hhs.gov/hipaa/hipaa2/ascaform.asp). Note that if you are a member of a group practice, an extension will be granted to all members of the group; it is not necessary to file separate forms for each physician. The act of submitting the form to CMS automatically grants you the one-year extension.

Section A asks for basic information about your practice. Question 5 asks for the name and title of the "authorized person," in other words, the individual responsible for certifying that the information on the form is accurate and correct. Most likely, it's a physician in your practice or the practice manager.

Section B asks for the reason(s) why you'll need more time to reach full compliance. Read the choices carefully and select all that apply to your situation. Section C asks how much you expect it will cost to implement the transactions and code sets standards in your practice. This is difficult to answer since no one really knows how much it will cost the average medical practice. Costs will depend on the size of the practice, the percentage of claims submitted electronically, the methods used to submit electronic claims and other HIPAA-standard transactions (e.g., directly versus through a clearinghouse or billing service) and the number of HIPAA-standard transactions the practice needs to implement. There are a total of eight HIPAA-standard transaction formats, but most practices will need to implement only a few. (For more information about the eight formats, see www.aafp.org/fpm/20011100/28what.html#box_a.)

One way to estimate implementation costs is to ask your software vendor the price of adding translation software to your current practice management software. (See Ask FPM, March 2002, page 53 for more information.) You may also need to query your billing service or clearinghouses to determine what additional fees they will charge to translate your claims and other transactions into HIPAA-standard formats. Finally, don't forget to add into the budget any expenses for HIPAA-related education and training, as well as any new hardware, software or networking costs that may be involved.

Step three: Do your compliance planning

The last section of the sample form gets a little complicated, but filling it out will give you a very good sense of the detailed activities that your organization will need to carry out as it prepares to implement the HIPAA standards. Section D of the form is based on recommendations made by the Workgroup on Electronic Data Interchange (WEDI) Task Force for phased implementation of the transactions and code sets standards. As such, it is biased toward the large health care organizations that compose much of the WEDI membership. Nonetheless, it can be very useful for smaller organizations or practices to think about implementation in these terms:

Phase one: HIPAA awareness. The first step of the phased implementation process is familiarizing yourself with the HIPAA regulations and making sure that appropriate staff members have also been educated. The sample form contains three questions (12-14) about your general understanding of the transactions and code sets standards. If you've read the series of FPM articles about HIPAA, you've certainly begun to build the awareness required. Only you can determine when you've completed this phase, but assigning start and end dates is a good way to ensure that you won't get behind schedule.

Phase two: Operational assessment. The second step toward implementation is determining what additional resources you'll need to order to comply with the standards. Questions 15-18 ask very simple questions about your progress in this area. An operational assessment generally begins with a "gap analysis." The first step of performing a gap analysis is to identify the requirements for implementation and compare them with your practice's current state of readiness. This will help you determine what you'll need to do and prioritize your efforts accordingly. Question 16 refers to "45 C.F.R. Parts 160, 162." These are the actual HIPAA transactions and code sets regulations as published in the Aug. 17, 2000, Federal Register (available online at aspe.hhs.gov/admnsimp/final/txfinal.pdf). You'll want to download this document and review the definitions and administrative requirements on pages 55 through 62 in order to understand how the HIPAA transactions and code sets standards will change the way you do business with health plans, clearinghouses and insurance companies. Note that Question 18 asks whether you plan to use a contractor or vendor to help you achieve compliance. Most medical practices will need ­ at the very least ­ the assistance of their software vendors and clearinghouses and will want to answer "yes" to that question.

Phase three: Development and testing. The final portion of phased implementation includes installing and testing the translation software. Testing is a "two-way street" that will require you and your "trading partners" to send and receive test transactions in HIPAA-standard formats. Your trading partners could be payers, health plans, clearinghouses and other entities that exchange business information with your practice electronically, now or in the future. Note that each one of your trading partners must be contacted and asked about how they plan to facilitate HIPAA-standard exchanges with your practice.

The purpose of the testing is to ensure that the information systems on each end can handle the exchange without losing data, and to assure the integrity of the information on its "round trip" between practice and payer. There will almost certainly be problems encountered during testing, and it will take some time to work out the bugs. A third party will be required to perform testing and certification and several companies have emerged to fulfill this need, including Claredi (www.claredi.com), whose founder and CEO is a physician, and Foresight (www.foresightcorp.com). Almost no one in the health care industry has completed phase three of the implementation planning process; however, the ASCA legislation specifically requires that testing of the transactions begin no later than April 16, 2003.

ELECTRONIC HEALTH CARE TRANSACTIONS AND CODE SETS STANDARDS MODEL COMPLIANCE PLAN Section A: Covered Entity and Contact Information  A PDF version of this document is available. Download PDF now (2 pages/ 56 KB). More information on using PDF files. 1. Name of Covered Entity 2. Tax Identification Number 3. Medicare Identification Number(s) ___________________________ ________________________ ______________________________ ___________________________ ________________________ ______________________________ Type of Covered Entity (Check all that apply) Health Care Clearinghouse Health Plan Health Care Provider Dentist DME Supplier Home Health Agency Hospice Hospital Nursing Home Pharmacy Physician/Group Practice Other_____________ Authorized Person ______________________________________________________ Title ______________________________________________________ Street ______________________________________________________ City _____________________________________________ State ____________ Zip ________ Telephone Number ( ______ ) ______________________ Section B: Reason for Filing for This Extension Please check the box next to the reason(s) that you do not expect to be compliant with the HIPAA Electronic Health Care Transactions and Code Sets standards (45 C.F.R. Parts 160, 162) by October 16, 2002. Multiple boxes may be checked. Need more money Need more staff Need to buy hardware Need more information about the standards Waiting for vendor(s) to provide software Need more time to complete implementation Waiting for clearinghouse/billing service to update my system Need more time for testing Problems implementing code set changes Problems completing additional data requirements Need additional clarification on standards Other ______________________________________ Section C: Implementation Budget This question relates to the general financial impact of the HIPAA Electronic Health Care Transactions and Code Sets standards (45 C.F.R. Parts 160,162) on your organization. Select the range of your estimated cost of compliance with the HIPAA Electronic Health Care Transactions and Code Sets standards (45 C.F.R. Parts 160,162): Less than $10,000 $10,000 - $100,000 $100,000 - $500,000 $500,000 - $1 million Over $1 million Don't know Section D: Implementation Strategy This Implementation Strategy section encompasses HIPAA Awareness, Operational Assessment, and Development and Testing. For more details on completing each of these subsections, refer to the model compliance plan instructions at www.cms.hhs.gov/hipaa. Implementation Strategy Phase One ­ HIPAA Awareness These questions relate to your general understanding of the HIPAA Electronic Health Care Transactions and Code Sets standards (45 C.F.R. Parts 160, 162). 12. Please indicate whether you have completed this Awareness phase of the Implementation Strategy: Yes No If yes, skip to (14), and then to Phase Two ­ Operational Assessment. If no, please answer both (13) and (14). Have you determined a: 13. Projected/Actual Start Date: _______ / _______     MONTH   YEAR           14. Projected/Actual Completion Date: _______ / _______     MONTH   YEAR           Implementation Strategy Phase Two ­ Operational Assessment These questions relate to HIPAA operational issues and your progress in this area. Please indicate whether you have completed this Operational Assessment phase of the Implementation Strategy: Yes No If yes, proceed to (20) and then Phase Three ­ Development and Testing. If no, please answer all the following questions. Have you: Reviewed current processes against HIPAA Electronic Health Care Transactions and Code Sets standards (45 C.F.R. Parts 160, 162) requirements? Yes No Initiated But Not Completed 17. Identified internal implementation issues and developed a workplan? Yes No Initiated But Not Completed 18. Do you plan to or might you use a contractor/vendor to help achieve compliance? Yes No Undecided 19. Projected/Actual Start Date: _______ / _______     MONTH   YEAR 20. Projected/Actual Completion Date: _______ / _______     MONTH   YEAR Implementation Strategy Phase Three ­ Development and Testing These questions relate to HIPAA development and testing issues. ASCA legislation requires that testing begin no later than April 16, 2003. For more details, refer to the model compliance plan instructions at www.cms.hhs.gov/hipaa. Please indicate whether you have completed this Development and Testing phase of the Implementation Strategy. Yes No If yes, proceed to (26). If no, please answer all the following questions. Have you: Completed software development/installation? Yes No Initiated But Not Completed Completed staff training? Yes No Initiated But Not Completed 24. Projected/Actual Development Start Date: _______ / _______     MONTH   YEAR 25. Projected/Actual Initial Internal Software Testing Start Date: _______ / _______     MONTH   YEAR 26. Projected/Actual Testing Completion Date: _______ / _______     MONTH   YEAR

Step four: Submit your form

Once you've completed the form required for the one-year extension, the final step is to send it to CMS. You can mail your completed form to:

Attention: Model Compliance Plans
Centers for Medicare & Medicaid Services
PO Box 8040
Baltimore, MD 21244-8040

Forms must be postmarked no later than Oct. 15, 2002. It's a good idea to send the form registered mail because CMS will not provide confirmation that your form arrived. You will also be able to complete and submit the form electronically by going to www.cms.gov/hipaa/hipaa2/ascaform.asp. Forms submitted electronically must be sent by Oct. 15, 2002. Online users will receive confirmation of receipt.

What does CMS intend to do with the information they gather from the extension form? Right now they plan to review only a sample of the forms and share the information with the National Committee on Vital and Health Statistics (NCVHS) in order to identify barriers to compliance. Befittingly, CMS is assuring all parties that any information shared with NCVHS will have all identifying information removed.

Dr. Kibbe is a family physician and co-founder of Canopy Systems, Inc., an Internet clinical software application and services firm based in Chapel Hill, N.C. He is also the AAFP's director of health information technology and a contributing editor to Family Practice Management. Dr. Kibbe served on the task force of the Strategic National Implementation Process Workgroup on Electronic Data Interchange (WEDI) that helped develop the sample HIPAA compliance form referenced in this article. Conflicts of interest: none reported.

Send comments to fpmedit@aafp.org.