Privacy and Security Redux

A sixty day comment period starts tommorrow on newly proposed regulations under HIPAA that would:

• expand individuals’ rights to access their information and restrict certain disclosures of protected health information to health plans, 
• extend the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, 
• establish new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and 
• prohibit the sale of protected health information without patient authorization. 

In addition, the proposed rule is designed to strengthen and expand Office of Civil Rights' ability to enforce HIPAA’s Privacy and Security provisions. These rules are mandated by HITECH.

“Giving more Americans the ability to access their health information wherever, whenever and in whatever form is a critical first step toward improving our health care system,” said ONC's David Blumenthal. “Empowering Americans with real-time and secure access to the information they need to live healthier lives is paramount.”

HHS also launched today a privacy website at http://www.hhs.gov/healthprivacy/index.html.

“HHS strongly believes that an individual’s personal information is to be kept private and confidential and used appropriately by the right people, for the right reasons,” said Joy Pritts, recently appointed Chief Privacy Officer. “Without such assurances, an individual may be hesitant to share relevant health information.”

HHS is also looking more closely at entities that are not covered by HIPAA rules to understand better how they handle personal health information and to determine whether additional privacy and security protections are needed for these entities.

PHRs will be covered under HIPAA, if they act on behalf of a covered entity.  The rule does not apply to PHR vendors that provide services on behalf of the patient instead of the covered entity (e.g., Google, Microsoft).

ICD-10 Regulations Are Final (again)

Upon taking office, White House Chief of Staff Rahm Emanuel called for a regulatory review that included ICD-10 and related transactions. That review is complete and the regulations stand as originally issued.

The March 5th notice from CMS states that "a determination has been made that the effective date will not be extended and the comment period will not be reopened for either of these rules. The first rule finalizes new code sets to be used for reporting diagnoses and procedures on health care transactions. This final rule replaces the ICD-9-CM code sets, developed nearly 30 years ago, with greatly expanded ICD-10 code sets. The second final rule adopts updated versions of the standards governing electronic transactions under the authority of HIPAA. The updated versions replace the current standards and will promote greater use of electronic transactions... The final rules provide compliance dates of Jan. 1, 2012 for the transaction standards and Oct. 1, 2013 for the ICD-10 code set."

For a more in-depth review of regulations, see ICD-10: No Time to Relax.

Best Links to HITECH

To understand the implications of the stimulus legislation on health IT in 3 clicks or less, here are the places to turn:

Health Care and the American Recovery and Reinvestment Act. New England Journal of Medicine. 2/17/2009.

Stimulus Bill dramatically modifies HIPAA rules. Wisconsin Technology Network. 2/18/2009

A Shared Vision and Roadmap for Health IT. By the chairs of the National eHealth Collaborative, HITSP and CCHIT. 2/10/2009.

ICD-10: No Time to Relax

Final rules were published on January 16 for ICD-10 codes and the related electronic transactions. The relaxed compliance dates offer no reason to relax.

ICD-10

The health care industry will switch to ICD-10 on October 1, 2013. Encounters and discharges occurring before October 1, 2013 will use ICD-9, and those occurring on or after that date will use ICD-10. The final rule suggests that compliance activities (gap analysis, design, development, internal testing) should begin in January 2011.

The fundamental driver for ICD-10 is financial - - the inability for ICD-9 to support the growing number of high-priced medical procedures. For more on this, see "More Painful than an Insect Bite? ICD-10 Cost-Benefit for Healthcare Providers".

ICD-10 will be used where ICD-9 is used today. More specifically, ICD-10-CM (Clinical Modification) will be used for diagnosis coding and ICD-10-PCS (Procedure Coding System) will be used for inpatient hospital procedure coding. CPT and HCPCS codes will continue to be used in an ambulatory setting.

According to HHS, ICD-10 will:

• "Support value-based purchasing and Medicare’s anti-fraud and abuse activities by accurately defining services and providing specific diagnosis and treatment information;
• Support comprehensive reporting of quality data;
• Ensure more accurate payments for new procedures, fewer rejected claims, improved disease management, and harmonization of disease monitoring and reporting worldwide; and
• Allow the United States to compare its data with international data to track the incidence and spread of disease and treatment outcomes..."

In a bit of a stretch, HHS contends that "ICD-10 will also improve claims processing and payment, and, through the use of health care technology that utilizes ICD-10, assist health care practitioners in making treatment decisions by more precisely matching diagnoses and procedures to the appropriate code. For example:

• Pressure ulcers are a common condition in elderly Medicare beneficiaries with chronic illnesses. Under the current ICD-9-CM system, health care practitioners can identify the severity or location of a pressure ulcer but the coding system cannot link those elements if the patient has more than one ulcer. Under a single ICD-10 code, a patient’s medical history will identify the severity and location of each pressure ulcer;
• ICD-9 has only one code for angioplasty, the widely used procedure for widening a narrowed or obstructed blood vessel. ICD-10 provides 1,170 coded descriptions, with a granularity that pinpoints the location of the blockage and the device used for each patient;
• ICD-9 codes do not provide sufficient detail to distinguish whether a condition occurred on a patient’s left or right side. ICD-10 will improve care by providing that basic type of information; and
• ICD-9 includes separate codes for medication errors and other external causes of injury, which are reported separately from the actual condition. Under ICD-10, information about medication errors and external causes of injury will be embedded in the code for the condition. Therefore a single, more informative code will provide a ready source of information to help medical professionals prevent medical errors and improve quality of care."

PQRI and other quality measures will also be affected by these standards. CMS makes it clear in the final rule that there will be ICD-10 updates to the quality measures in regulations to follow.

CDC and CMS are good sources of information on ICD-10-CM and ICD-10-PCS guidelines and cross-mappings, even including a mapping from ICD-10 (international) to ICD-10 (U.S.).

Electronic Transactions

The HIPAA electronic transaction standards also get a refresh with a compliance date of January 1, 2012. The 5010 version supports the ICD-10 code sets and applies to claims, remittance, eligibility, referrals/authorization, and other transactions . In addition to ICD-10 support, 5010 changes "include structural, front matter, technical, and data content improvements... (and) addresses ... unmet business needs including ... providing on institutional claims an indicator for conditions that were 'present on admission.' " The target date for covered entities to complete internal testing is December 2010, so testing among trading partners can begin January 2011.

The NCPDP standard for electronic pharmacy-related transactions is upgraded to version D.0 to better support Medicare's Part D prescription drug benefit claims processing, including coordination of benefits. The compliance data is also January 1, 2012. In addition, Version D.0:

• "Provides more complete eligibility information for Medicare Part D and other insurance coverage;
• Better identifies patient responsibility, benefits stages, and coverage gaps on secondary claims; and
• Facilitates the billing of multiple ingredients in processing claims for compounded drugs."
  

A Medication subrogation standard is adopted with the same compliance date as the other transactions for all but small health plans (the subrogation process allows Medicaid to recover payments from a payer that has primary financial responsibility).

Costs and Benefits

CMS estimated costs and benefits as follows (click on the picture to expand):

News Analysis

Eight years after the original HIPAA rule was issued, use of electronic transactions remains stubbornly and abysmally low (see Healthcare's Indefensible Administrative Costs). This suggests a major industry challenge in updating the electronic transactions and preparing for cutover to ICD-10.

Systems changes will be required across the health system to accommodate the coordinated cutover of the electronic transactions. Then, on a single date for the industry, process and system changes will go into effect to support two code sets (ICD-9 for events before the date and ICD-10 after). Many systems will require iterative major upgrades to effectively support these requirements, each with full deployment to their customer base in fairly tight timeframes.

This suggests a level of execution and capability that has only happened once before. That event was Y2K - - which caused one CEO to ruefully recount how he gave his CIO an unlimited budget, yet the CIO managed to exceed it. And which will now cause healthcare technology companies to ponder how they avoid a repeat of the sales collapse that immediately followed.