There is a dirty little secret in the healthcare information technology community: Billing software may not help a practice meet HIPAA requirements for transactions and code sets. In fact, vendors appear to be pushing HIPAA compliance costs onto providers by making them go through clearinghouses and other middlemen, said David Kibbe, MD, director of health IT for the American Academy of Family Physicians in Leawood, Kan.
“People looking after their own business interests here may be trying to save a buck” by not investing heavily in HIPAA upgrades, Kibbe said.
“I think that’s entirely accurate,” said Jim Brady, president and CEO of Richmond, Va.-based Payerpath, which hosts Web portals linking payers and providers. Brady said that as an alternative, billing software vendors are searching for claims processors to partner with in order to help their customers meet the HIPAA transaction guidelines.
HIPAA.org Can Help
Providers needing vendor help do have someplace to turn, however. HIPAA.org is a directory of practice management software companies that was launched in October by 14 medical specialty societies and provider-run HIPAA compliance workgroups.
Vendors use the site to report on the HIPAA readiness of their products. The voluntary listings are not evaluated, rated or endorsed by the Web site sponsors, but the vendors can indicate if their products have received certification from an independent HIPAA testing firm. Only 19 of the 57 companies listed at www.HIPAA.org/pmsdirectory as of Dec. 10 had products that did not require a clearinghouse for practices to send and receive both the X12 835 and X12 837 code sets - remittance advice and claims, respectively. Of the 57, only 36 supported these two transactions even with a clearinghouse.
Let the Buyer Beware
“From what I have seen, all of the developers for the most part have bowed out of the transaction side of HIPAA and they have concentrated more on the logging (privacy) and security pieces,” said Matt Petty, associate vice president of IT for Surgis, a vendor of billing and scheduling software for surgical centers in Nashville, Tenn.
One vendor listed in the directory gives a blunt assessment of the situation. The Web site of Charlottesville, Va.-based Health Data Services states: “Make no mistake; the responsibility for HIPAA compliance rests squarely on the shoulders of providers… The truth is the vendor has no legal responsibility to assure your practice is compliant and because HIPAA is so broad in scope, any software application - in and of itself - can’t provide a solution.”
“It’s entirely caveat emptor,” said Kibbe, a founder of HIPAA.org and the founder of Canopy Systems, Chapel Hill, N.C., a developer of case management software. “The key (HIPAA) bottleneck for the practice is the practice management billing system.”
According to Kibbe, there is no such thing as HIPAA-compliant software. Technology vendors are not covered entities under HIPAA and do not have a legal obligation to meet the Oct. 16, 2003, HIPAA transaction deadline.
But healthcare providers and payers do. Kibbe advises physician leaders to use HIPAA.org as a starting place. “As you put together your plans, look up your vendor,” Kibbe said. “If your vendor is not there, call your vendor,” he said. “If they don’t list in a month or so, I would get worried. I would start looking for another vendor.”
Donald Michaels, a Boston-based partner in the healthcare consulting practice of PricewaterhouseCoopers, advises even those practices using products touted as HIPAA-compliant to double-check. “A lot of vendors have claimed that their software is HIPAA-compliant, but a lot of times we are finding that these programs are being customized by the clients” to make them compliant, Michaels said.
Nonstandard Issue
The problem will be more pronounced for small physician practices than for large groups or hospitals that have their own IT departments. Payerpath’s Brady said small practices “are going to have a tremendous amount of cost to bear to get ready.”
Some vendors are providing tool kits to “map” or translate the nonstandard identifiers common in the claim forms of major payers into HIPAA code because the software may not be capturing all the information the HIPAA transaction rule requires. For example, the new rules call for electronic claims to be more specific than “self,” “spouse,” “child” or “other” in describing a patient’s relationship to the insured.
“Unless the provider captures all the data in that relationship, the vendor cannot make that up,” said Kepa Zubeldia, MD, president and CEO of Claredi, a Kaysville, Utah, company that certifies products for HIPAA transaction readiness.
“Providers need to understand what is required so they can capture the data,” Zubeldia said. “The vendor could provide the best software in the world, but if the provider does not capture the necessary data, the provider will not be compliant.”
Neil Versel is a reporter for Modern Physician.
© 2003 Modern Physician. Reprinted by permission.