HIPAA 5010 (aka HIPAA X12) is the new standard regulating electronic transmission of health care transactions, which is slated to start January 1, 2012. CMS (Center for Medicare and Medicaid Services) has granted a grace period of 90 days before enforcement of this new transmission standard in a CMS Statement dated Thursday, November 17, 2011. The official document can be viewed online: http://www.cms.gov/ICD10/Downloads/CMSStatement5010EnforcementDiscretion111711.pdf The transactions specified in the HIPAA 5010 standards are as follows:
270/271 Eligibility Benefit
276/277 Claim Statuses
820 Payroll deductions and group premium payments for insurance
834 Benefit Enrollments & Maintenance
835 Health Care Claims Payment Advice
837 Health Care Claims (Professional, Institution, and Dental)
The following entities required to upgrade are physicians, hospitals, payers, clearinghouses, pharmacies and dentists. Software vendors will need to upgrade their products to support the new 5010 compliant transmission standard. Practices must communicate with their vendors to determine what technology upgrades will take place, plus any additional costs incurred for these upgrades. The Center for Medicare & Medicaid Services provides an implementation guide and more details on 5010, which can be downloaded online at http://www.cms.gov/ElectronicBillingEDITrans/18_5010D0.asp which will assist practices in conducting a gap analysis and compares the old 4010 standard to the new 5010 standard.
The American Medical Association provides a wealth of resources available for free at www.ama-assn.org/go/5010. The AMA’s preparatory fact sheet on planning and tactical implementation of the HIPAA 5010 standard is as follows:
1. Impact Analysis – Conduct an internal impact analysis to determine how much of a change the switch to 5010 will have on your current business practices and systems.
2. Contact your Vendors, Payers, Billing Service and Clearinghouse – Contact vendors for specific details regarding system upgrades, and ask them about when they expect their upgrades to be completed, and when they’ll be able to accept 5010
transactions.
3. Installation of Vendor Upgrades – Schedule the system upgrades according to your vendor’s readiness, and ensure the installation of upgrades is complete.
4. Internal Testing and Staff Training – Once upgrades are completed, conduct internal testing of your systems to ensure you can generate and handle the 5010
transactions. Leave a margin of time for issue resolution and staff training on the
new system.
5. External Testing with Clearinghouse, Billing Service and Payers – Contact your vendors to conduct external testing with them to ensure you can send and receive transactions properly.
6. Make the Switch to 5010 – After completing external testing, you may switch to
using only 5010 transactions.
Any claims or bills your practice submits after Jan1, 2012 that are not in compliance with the new HIPAA 5010 format will get rejected, but this grace period of enforcement will allow your practice to resubmit the appropriate HIPAA 5010 compliant format without being subject to a penalty. Smaller payers and Medicaid carriers will probably especially welcome this grace period. Physician groups, as well as hospitals, may have to continue to file some claims in the 5010 compliant format plus the current 4010 format, unless clearinghouses can translate claims back to the 4010 format.
HIPAA Best Practices for Covered Entities:
- Have sound company policies in place and well documented. This includes (but is not limited to) data management, security (administrative, physical, & technical), hiring policies as well as outsourcing to third party policy and guideline. Doing this from the ground up will save your practice money in the future by building a solid foundation to run your practice as well as tying into HIPAA compliance.
- Have a sound electronic usage policy in place, and require all staff to read the policy and sign / date it and keep this in personnel files.
- Document and follow a sound password policy (computer logins, access to ePHI (Electronic Protected Health Information), etc.
- Have a remote device policy in place. Laptops, smart phones, USB drives and other remote devices should be required to be encrypted. Encryption techniques and mechanisms of sensitive information should be known to only a select few in the organization.
- Document a disaster recovery plan as well as business continuity plan.
- Have an IT disposal policy in place (what you do with obsolete equipment). If you outsource your information technology, make sure they follow HIPAA guidelines. This includes, but is not limited to, doing DOD 5220.22-M (Department of Defense) wipes on the hard drives before redeploying a workstation that previously contained ePHI or other sensitive information on it. This includes copiers and fax machines, which have hard drives in them. You would be surprised at how many copiers and fax machines wind up being returned to the leasing company (after the lease expires) with sensitive data on that hard drive. Most of these copiers and fax machines are resold on the market after they have reached their operating potential, and data on the hard drive is easily recovered by anyone with the know how.
No comments:
Post a Comment