Diamond Medical Services - HIPAA Readiness Disclosure Statement

Diamond Medical Services and its affiliates have been diligently following the evolution of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA) since its inception in 1996. Our goal is to ensure our systems, supporting business processes, policies, and procedures can successfully meet the implementation standards and deadlines mandated by the United States Department of Health and Human Services (DHHS).

To achieve this goal, we have or are in the process of accomplishing the following:

Formation of an Executive HIPAA Steering Committee
Establishment of a HIPAA Program Management Office
Completion of an impact assessment on business processes and systems
Development and implementation of HIPAA Education and Awareness programs
Identification of specific remediation projects necessary to mitigate actual or potential exposures
Assessment of the impact the HIPAA requirements may have on our products and services
Evaluation of business processes and best practices to realize the benefits of Administrative Simplification

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was signed into Federal Law on August 21, 1996 to improve the efficiency of health care delivery. HIPAA mandates standards for Electronic Data Interchange (EDI) transactions and code sets. It establishes uniform health care identifiers for providers, health plans, and employers. Compliance with HIPAA requires the use of ANSI ASC X12N (Version 4010) transaction standards and implementation guides. It also addresses privacy and security.

The final rules for transactions and code sets were published in the Federal Register on August 17, 2000. The effective date of this rule is October 16, 2000, and covered entities will have 24 months after that date to comply with the regulation or be subject to financial penalties which will be defined under the pending Enforcement Regulation.

The final rule for Privacy Standards was published in the Federal Register on December 28, 2000. The compliance date is April 14, 2003.

HIPAA Applicability

Under the terms of HIPAA, the rules and regulations apply to health plans, health care clearinghouses, and health care providers who transmit any health information in any electronic form in connection with transactions covered under HIPAA, and who receive, maintain, or disclose individually identifiable health information in any form or medium. All covered entities must comply with the standards adopted by HIPAA by the applicable compliance dates. If a provider chooses to conduct a standard electronic transaction with a health plan, the health plan may not refuse to conduct, or delay such transactions. The modes of electronic transmission covered under HIPAA include the Internet, extranets, leased lines, dial-up lines, private networks, and those transmissions that are physically moved from one location to another using magnetic tape, disk, or compact disk media.

HIPAA Privacy and Security

Privacy
- Standards describe who should have access to patient information and circumstances for which patient consent or authorization is required
  - Health Plans are not required to obtain patient consent to use or disclose health information for treatment, payment and health care operations
  - Other purposes require patient authorization
  - Disclosure must be tracked
- Patients are granted the right to:
  - Obtain, inspect and correct or amend their health information
  - Know how their health information is disclosed or used for purposes other than treatment, payment or health care operations
  - Receive notice about an organization’s information handling and disclosure practices
Security (Final Rules Pending)
- Four categories of the proposed requirement to guard data integrity and availability:
  - Administrative procedures: documented and formal practices to manage the selection and execution of security measures
  - Physical safeguards: protection of physical computers and equipment, locks, keys and administrative measures to control access to computer systems
  - Technical security services: processes that are put in place to protect, control and monitor information access
  - Technical security mechanisms: processes that are put in place to prevent unauthorized access to data that is transmitted over a communications network

HIPAA Transaction Standards

The transactions that are required to use the HIPAA standards under this regulation are:

Transaction Name	ASC X12 Transaction	NCPDP Transaction
Health Claims and Equivalent Encounter Information	837	NCPDP 5.1/Batch 1.0
Enrollment and Disenrollment in a Health Plan	834
Eligibility Inquiry/Response for a Health Plan	270/271	NCPDP 5.1/Batch 1.0
Health Care Payment/Remittance Advice (EFT/ERA)	835	NCPDP 5.1/Batch 1.0
Health Plan Premium Payments	820
Health Claim Status	276/277
Referral Certification and Authorization	278
Coordination of Benefits	837	NCPDP 5.1/Batch 1.0
Electronic Attachments	275/HL7LOINC

HIPAA Code Sets

Under HIPAA, a “code set” is any set of codes used for encoding data elements, such as tables of terms, medical concepts, medical diagnosis codes, or medical procedure codes. Code sets for medical data are required for data elements in the administrative and financial health care transaction standards adopted under HIPAA for diagnoses, procedures, and drugs. The following code sets have been adopted as the standard medical data code sets:

The combination of Health Care Financing Administration Common Procedure Coding System (HCPCS), as updated and distributed by the DHHS and Current Procedural Terminology, Fourth Edition (CPT-4), as updated and distributed by the American Medical Association for physician services and other health related services.
International Classification of Diseases, 9th Edition, Clinical Modification (ICD-9-CM), Volumes 1 and 2 (including the Official ICD-9-CM Guidelines for Coding and Reporting), as updated and distributed by the DHHS.
International Classification of Diseases, 9th Edition, Clinical Modification (ICD-9-CM), Volume 3 Procedures (including the Official ICD-9-CM Guidelines for Coding and Reporting), as updated and distributed by the DHHS.
Drug and Biologic Codes - Currently under review by DHHS
Dental Procedures and Nomenclature, as updated and distributed by the American Dental Association, for dental services.

HIPAA Identifiers (Final Rules Pending)

Following are the proposed HIPAA identifiers:

National Provider Identifier (NPI) *: proposed to be a ten-position numeric identifier

Employer Identification Number (EIN): proposed to be the nine-digit IRS Tax Identification Number

Health Plan Identifier (PAYERID): not yet announced but likely to be a nine-digit number assigned to all health plans for the routing of electronic transactions.

Diamond Medical Services Industry Involvement

Diamond Medical Services has been involved in HIPAA since 1997 and has an early start on transaction development. Diamond Medical Services has also worked extensively with the following organizations:

WEDi (Workgroup for Electronic Data Interchange) *
EHNAC (Electronic Healthcare Network Accreditation Commission) *
HPAG (Blue Cross/Blue Shield Association HIPAA Policy Advisory Group)
CAHP (California Association of Health Plans)
CALINX (California Information Exchange)
ANSI (American National Standards Institute)
WEDi SNIP (WEDi’s Strategic National Implementation Process)
ICE (Industry Collaboration Effort) Co-Chair
NCPDP (National Council of Prescription Drug Programs)

How to Prepare for HIPAA

There is a wealth of information being published to keep the health care community informed of what is happening on the HIPAA front. The following government and health care organization Web sites are available for assistance with HIPAA implementation: