Statement
of the
Medical Group Management Association
to the
National Committee on Vital and Health Statistics
Subcommittee on Standards and Security

Presented by
Robert M. Tennant, MA
Government Affairs Manager

RE: IMPLEMENTATION OF THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT—THE PROVIDER PERSPECTIVE

July 13, 2000

Mr. Chairman and members of the Subcommittee, the Medical Group Management Association (MGMA) is pleased to submit our testimony to the National Committee on Vital and Health Statistics (NCVHS) Subcommittee on Standards and Security. My name is Robert Tennant and I am the Government Affairs Manager at MGMA where I lead the association’s HIPAA implementation efforts. I am on the board of directors of the Workgroup for Electronic Data Interchange (WEDI) and the National Uniform Claim Committee (NUCC). In addition, I am a member of the executive committee of the HIPAA Security Summit and co-chair the Summit’s implementation subcommittee and I am on the steering committee of the Strategic National Implementation Process, better known as SNIP, and co-chair their education workgroup.

MGMA is the nation’s oldest and largest medical group practice organization representing 7,100 physician group practices in which over 185,000 physicians practice medicine. MGMA’s membership reflects the full diversity of physician organizational structures today, including large, world renowned, tax-exempt integrated delivery systems, taxable multi-specialty clinics, small, single specialty practices, hospital-based clinics, academic practice plans, integrated delivery systems, management service organizations, and physician practice management companies.

We are pleased that the NCVHS has invited MGMA to testify on the one of the most important topics in medicine today, the Health Insurance Portability and Accountability Act of 1996, or HIPAA. HIPAA has the capability to streamline administrative procedures, assist researchers assemble and analyze information from multiple data sources, paving the way for improved clinical decision-making, and ensure the protection of personal health information. However, before the health care world can reap the many potential benefits stemming from this standardization process, the provider community must be educated and compliant. Clearly, the implementation of HIPAA will not be an easy task.

In my testimony today, I will be outlining some of the implementation issues, concerns, and expectations that medical group practices have concerning this promising new direction in health care. In trying to address the concerns of the Subcommittee, I will first outline some of the general obstacles to HIPAA implementation. Later, I will discuss roadblocks to implementation stemming from several of the specific HIPAA provisions including electronic transactions and code sets, the National Provider Identifier (NPI), and security and privacy of health information. In addition, I will focus on the resources MGMA will be offering practice managers as they prepare to put into practice these complex and comprehensive regulations as well as discuss the role the federal government can play in the HIPAA implementation process. Finally, I would like to offer MGMA’s recommendations regarding the implementation of the HIPAA standards.

General Impediments to HIPAA Implementation

We all are aware of the many potential benefits of health care standardization. In the group practice setting, full implementation of HIPAA will result in more efficient office administration, consistent reporting, improved coordination of benefits, a simplified referral system, improved security of health information, faster reimbursement, and, most importantly, improved patient care. Similarly, HIPAA standardization will encourage ehealth particularly in the areas of improved benchmarking capabilities, enhanced communication, accurate identification, and reduction in medical errors .

Before we can begin to move toward the benefits of HIPAA and ehealth, it is important to note some of the general impediments that currently exist in the provider community. Of the many challenges to the rapid and successful implementation of the HIPAA standards, we have highlighted the following general concerns:

• Interoperability issues—The use and transmission of health information in an electronic form has been a part of the health care industry for many years. Countless proprietary systems are currently being utilized within the industry, creating problems when these various systems attempt to interact or “talk” to each other. Full interoperability between systems will take many years and all efforts to assist those seeking to identify and resolve interoperability issues should be supported. An excellent example of such a project is the WEDI/AFEHCT Internet Encryption Interoperability Pilot under the leadership of Dr. Kepa Zubeldia.
• Security/confidentiality issues—Perhaps the most “public” of all the implementation concerns, maintaining the security and confidentiality of personal health information is a serious challenge for those implementing HIPAA. Many consumers are apprehensive about having their personal health information sent over the Internet, and many providers are equally concerned about their corresponding legal liability.
• Lack of a Unique Patient Identifier—There has been a great deal of concern about the implications for privacy and security of information that the proposed use of a unique patient identifier might produce. Opponents of the identifier argue that the system has the potential to evolve into a huge national medical database and could lead to inappropriate access to personal health records. On the other hand, supporters point out that HIPAA does not mandate any national database for individual medical information and the use of a unique identifier could significantly lower administrative costs.
  
  Providers must identify their patients now and the most common identification systems remain either a proprietary number, or more commonly, the social security number, with its own inherent security issues. Tracking patients electronically across disparate internal organizational systems and as they move from one location to another will be a critical factor in the expansion of ehealth.
• Implementation period and tracking—While twenty-four months may appear to be ample, for many in the industry, this period of time may not be sufficient to bring their practice into compliance. It is likely that for medical practices currently engaged in ehealth, with existing vendor contracts and sufficient budgets, HIPAA compliance within the two-year time frame should not be a problem. However, medical practices that have limited resources or initiate updating and testing of their electronic claims system well into the implementation period may not complete the process in time to meet the deadline.
  
  The NCVHS has been mandated to track and report on HIPAA implementation in the industry. This will not be an easy task. Self-reporting and survey data are likely to be overly optimistic, even more so than much of the Y2K data received from the industry in the months prior to January 2000. This is due, in part, to the nature of HIPAA as a “legal” issue with the potential for civil and criminal penalties for non-compliance. It is critical, however, to monitor the implementation progress of the industry.
• Securing provider “buy-in” —Many providers, especially those in smaller office settings, have not yet merged onto the ehealth highway. HIPAA may be viewed by many of these organizations as strictly an electronic issue and thus not pertinent to them as they submit paper claims and maintain a paper-based patient record system. HIPAA may be seen by these individuals as a reason to avoid moving to an electronic billing and record system. There must be educational outreach to explain the benefits of HIPAA specifically and ehealth in general. Finally, it must be explained that HIPAA regulations (primarily security and privacy) apply to many aspects of their current system and that HIPAA compliance is not optional.
• Few reliable cost/benefit analyses of HIPAA—The tables included in several of the NPRMs are believed by most observers to grossly underestimate the costs and benefits of HIPAA. With accurate costs and benefits, practices could not only begin to budget for implementation, but if the statistics indicated the potential for substantial savings, this information could be an incentive to move to ehealth and/or implement the HIPAA regulations promptly. Of course, should the analyses indicate, as some suggest, that the costs to implement HIPAA far outweigh the potential savings, this could deter many from implementing the regulations in an expedited fashion.
• Problem with staggering the roll-out of the regulations—By most accounts, the cost to upgrade practice management systems and claims software will be substantial. These costs will increase significantly if necessary changes cannot be undertaken at the same time by a single vendor.

Roadblocks to Implementing the Electronic Transactions and Code Sets Standards

The standards for electronic transactions and code sets will usher in a new era in electronic health. However, implementation of this regulation will have many challenges. These will include:

• Providers are concerned that the implementation process for electronic transactions will move faster than the corresponding electronic and paper forms can be modified. For example, the Health Care Financing Administration (HCFA) is proposing that NDC codes become the national standard for all types of transactions requiring drug codes and that “J” codes be deleted from alphanumeric HCPCS. The switch to NDC codes for electronic transactions would naturally lead to their use for paper claims as well. The current HCFA 1500 paper claim form, however, does not accommodate the 11-digit NDC codes. The hope in the provider community is that “J” codes will not be eliminated until both the electronic and paper HCFA 1500 claim forms can accommodate them. We on the NUCC HCFA 1500 Subcommittee have been wrestling with various prototype forms capable of accommodating the new HIPAA standards, but as of yet, we have not developed an appropriate replacement.
• There is apprehension that fines for non-compliance will be levied prior to full implementation and testing of all electronic transaction standards. Many providers support deferring enforcement until there is wide experience using the proposed standards, and that all future regulatory requirements subject to monetary penalties be explicitly identified. What HIPAA does not want to do is deter those wishing to move their current administrative systems from paper to electronic. Furthermore, there is concern in the industry that some entities will resort to reverting back to paper in order to avoid complying with the regulation.
• Similarly, in the NPRM, HCFA discusses the potential of temporary waivers for the purpose of testing these new standards, but they have suggested that an expensive cost-benefit analysis must be undertaken by any entity proposing new standards. HCFA should forgo this requirement and promote all new techniques that lead to a better process of exchanging health care data.

Roadblocks to Implementing the National Provider Identifier/National Provider System (NPI/NPS)

The NPI can be viewed as an important factor in enhancing physician to physician and physician to payer communication. MGMA has identified several important issues that may impact successful implementation of the NPI/NPS:

• Concern exists within the provider community that HCFA may attempt to offset their administrative costs of enumerating providers and developing the NPS by charging providers to obtain an NPI or to update their information in the NPS. MGMA recommended previously that HCFA institute no fees to enumerate providers or update their information in the NPS. We believe a HCFA-imposed fee would slow the dissemination of NPIs and deter those seeking to update their NPS information.
• Should the transition from the Unique Physician Identification Number (UPIN) to the NPI not proceed smoothly and quickly, there could be a substantial implementation setback. Many providers are worried with the potential of long delays in their receiving their new number, especially for those providers that are not currently enrolled in Medicare or Medicaid. This concern is a result of HCFA’s repeated claims regarding their lack of administrative funds to disseminate the NPI.
• HCFA’s recommendation in the NPRM that providers be enumerated through a combination of federal and state registries is thought by many in the industry to be a cumbersome and inefficient method of registering providers and would probably result in higher costs and a slower rate of provider enumeration.
• There is no consensus within the industry over whether each group practice should be assigned just one NPI or have several NPIs. While some maintain that one NPI per group practice would simplify the system for billing purposes, in general providers would like the option of having multiple NPIs to reflect different entities within the same organization. Should the final rule not allow multiple NPIs per organization, there could be implementation problems as larger group practices could potentially be forced to restructure their organizations to accommodate a single NPI.
• One of the concerns with the proposed NPS was that HCFA planned to capture more information (primarily demographic) regarding providers than was needed for legitimate business purposes. MGMA maintains that only the minimum amount of information should be collected, stored, and disseminated. It is highly unlikely that the provider community will support the registry and update their information in a timely manner, should this database be used for other purposes.

Roadblocks to Implementing the Security and Privacy Provisions

The standards for health data security and privacy will have the most onerous impact the on business operations of every medical practice in the nation. Implementation may be delayed for many organizations simply due to the large number of physical security and access control requirements that will necessitate extensive modifications to existing systems. In addition, there are several policy issues inherent in these regulations that may impact the ability of group practices to implement them quickly and successfully.

· Both the security and privacy proposed rules discuss relationships between business partners vis-à-vis ensuring the protection of health information. This business partner agreement, or “chain of trust,” maintains that a medical practice could be liable for any health information security breeches by parties with whom practices contract. It is impractical and unrealistic to expect a medical practice to monitor a business partners compliance with the contract's provisions and the requirements of the regulation. It is common for group practices to contract with a large number of third parties (often one hundred or more payers for larger groups). In addition, considering the number of laboratories and hospitals that a group practice might interact with, the task of overseeing the protection of health information in all of these entities can only be seen as daunting.

As currently crafted in the proposed rule, a covered entity would be liable if the covered entity "…knew or reasonably should have known of a material breach of the contract by a business partner…." Should the government ultimately decide to retain the liability provision, the language "reasonably should have known" could be a major impediment for implementation. This language is simply too ambiguous and would be too difficult for group practices to ensure. Under the proposed rule, providers are forced to rely on these third-parties to "self-assess" their own compliance levels. Providers will have enormous difficulty monitoring the security compliance of all third-party contractors without developing an independent certification system.

· The privacy proposed rule stated that a covered entity must make all reasonable efforts not to use or disclose more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure. While the intent behind "minimum necessary" is commendable, the "minimum necessary" determination is extremely vague and confusing, with HCFA providing little, if any specific guidance regarding how to make this determination.

Common sense would dictate that the entity requesting information for a particular purpose would be in a better position to know how much and what information is necessary to carry out the purpose. It is impossible to determine in advance what information may be necessary for another caregiver who may be seeing the patient for another reason. For example, an emergency department physician may request the entire medical record for a patient, even though it may be determined later that only a small portion of the record was needed. What may appear unnecessary to some may be essential for the physician's diagnosis of the patient's condition. This subjective standard could lead to the withholding of information critical to patient care. This confusion could slow implementation and may lead to court challenges—further delaying implementation.

· The lack of uniformity may cause delayed implementation. Since HIPAA does not strictly apply to paper records, there will essentially be two different standards within the same medical organization. This could lead to confusion over how staff should handle information in various media.

MGMA HIPAA Resources

MGMA is moving forward with an array of educational programs and products to assist practice managers as they prepare for HIPAA implementation. All the latest news, educational programs, and MGMA products are available on the MGMA web site (mgma.com). National audio conferences will be offered, with the first, an introduction to HIPAA, scheduled for July 27. Additional programs will be broadcast as the HIPAA final rules are released. Other planned educational programs include an Internet-based set of HIPAA courses, and face-to-face presentations at MGMA sectional conferences and at our annual conference in Atlanta later this year. In addition, we will be offering a HIPAA Primer with a comprehensive checklist for medical practices.

Federal Government Implementation Assistance

MGMA would like to recognize the hard work and dedication of the many individuals at HHS and HCFA who have had the difficult task of developing and shepherding HIPAA through the regulatory process. We are very appreciative of the willingness of these individuals to engage the health care industry in constructive dialogue and solicit the views of providers prior to deciding implementation policy positions. The only way HIPAA will be fully and successfully realized is with the full cooperation and support of the very sectors of the industry that will be impacted by the law.

There are, however, concerns within the industry that the government has not done enough to prepare the health care community for this new approach to health care. Nor is there the sense that the federal government has committed sufficient resources to ensure that the transition to HIPAA is smooth and successful. In stark contrast to the resources and manpower allocated by the federal government to prepare the health care industry for Y2K, HIPAA has received scant attention. In many ways, Y2K and HIPAA share a common implementation approach with similar challenges and resource allocation requirements.

MGMA was pleased to participate in many of the Y2K initiatives undertaken by the federal government, and it is our belief that many of the same programs could be instituted to assist providers in readying their practices for HIPAA. For example, HCFA dedicated a large section of their web site to educate providers on the problem of Y2K, offered a toll-free “hotline” to answer questions, and mailed several letters to millions of providers explaining how Y2K could affect their practices and how best to prepare. Well attended Y2K “town hall” meetings were held, both face-to-face and via teleconference, and HCFA partnered with KPMG to produce several hundred thousand copies of the “Y2K Jumpstart Kit,” a valuable tool that included a comprehensive check-list to assist providers prepare for January 2000.

Despite these and many other outreach programs, it was clear that many in the provider community were not prepared for Y2K. Now the federal government wants these same providers to institute an even more complex and comprehensive set of business and technical modifications, but without that same level of assistance. We contend that most, if not all, of these federal Y2K educational initiatives could be employed for HIPAA.

Recommendations

1. Increase HCFA/HHS involvement in the HIPAA implementation process. The federal government should adopt a similar approach to HIPAA as they did with Y2K. MGMA recommends that HCFA institute a toll-free number for providers with questions on HIPAA regulations and/or implementation issues. In addition, provider outreach programs should include mailed HIPAA awareness bulletins, national conference calls, a speakers bureau for conferences, enhanced web site dedicated to HIPAA implementation, and “HIPAA Jumpstart Kits” to assist providers in complying with the regulations.
2. Release the rules for Electronic Claim Attachments and Electronic Medical Records as soon as possible. In the current environment, claim attachments in support of an electronic claim must be submitted on paper—thus increasing costs and delaying payment. The Health Level Seven standard for electronic claim attachments, already developed, would streamline this important transaction and should be published for public comment as soon as feasible.
   
   Similarly, standards for electronic medical records should be published as soon as possible. There are literally thousands of proprietary EMR systems currently available on the market—each with their own standards and uses. While HIPAA should not mandate the EMR interfaces, it can standardize the information included in a patient record. A single industry standard should reduce vendor development costs, thus lowering purchase prices and increasing availability.
3. Move forward with the unique patient identifier. Since the release of the privacy regulation is expected shortly, HCFA should recommence their work on this important element of HIPAA. A Notice of Intent should be published as quickly as possible and public comment solicited.
4. Disseminate the national provider identifier as soon as possible and do not impose fees to populate or update the provider database. The NPI is a critical identifier that will quickly be adopted in the industry. However, significant confusion will result if providers must use both NPIs and UPINs while the new system is being implemented. Similarly, delay in provider acceptance and implementation will result if user fees are imposed.
5. Adopt a single federal registry to assign NPIs. MGMA contends that HCFA should adopt a single federal registry and automatically enumerate those providers who are already in Medicare and Medicaid databases. Coordinating state-level registries would impose logistical difficulties and could result in long delays in NPI assignment. In addition, in order to reduce the NPI/UPIN overlap, all non-Medicare or Medicaid providers should be enumerated as quickly as possible.
6. Ensure that flexibility and scalability are integral elements of the security regulations. MGMA fully supports the Security NPRM’s recognition that smaller and rural providers will be able to “scale” the regulation to best fit the size and scope of their practice. MGMA contends that the decision regarding how best to implement the security regulation should be left up to each individual practice..
7. State preemption should be the standard for all HIPAA provisions. There is concern within the provider community that individual states will have the option of imposing different standards—primarily in the area of confidentiality of medical information. This could be a major challenge to medical practices that conduct business in more than one state, and to all organizations that contract with third parties located in other states. Opting out of HIPAA should not be an option for any state.
8. Comprehensively assess industry implementation levels at the 12 and 18 month milestones. It will be important for government and industry to periodically assess the state of HIPAA readiness. Once armed with this knowledge, specific health care sectors that are lagging behind can be targeted for educational programs. In addition, should the industry as a whole fail to meet targeted implementation dates, the government may need to alter compliance deadlines.
9. Support industry efforts to facilitate implementation. While HIPAA is mandated by the government, the majority of implementation assistance is expected to come from industry sources. Industry efforts such as interoperability pilot projects, state-level implementation initiatives, and industry-wide HIPAA coalitions, should be encouraged and supported by the government.
   
   One group in particular, the Strategic National Implementation Process (SNIP), created by WEDI, has been established to meet the immediate need of assessing the industry-wide HIPAA administrative simplification implementation readiness and bringing about the national coordination necessary for successful compliance. One of the major goals of SNIP is to identify industry "best practices" for implementation of HIPAA standards and identify coordination issues leading to their resolution. In addition, SNIP will adopt a process that includes an outreach to current industry initiatives, an information gap analysis, and recommendations on additional initiatives to fill these gaps.
10. Federal support of the development of new standards. There is an understanding within the health care industry that the private sector must continue developing new transaction standards. It is vital that the federal government encourage the development of these new standards, test their applicability, and make these test results available to the industry. While the Memorandum of Understanding (MOU) process to adjudicate requests to add, delete, or modify standards has been signed by the six Standards Developing Organizations (SDOs), there is still neither a central portal to process these requests nor assistance forthcoming from the federal government to develop such a portal. MGMA encourages the federal government to actively participate with the SDOs in developing a user-friendly communications vehicle.
11. Encourage the adoption of HIPAA and ehealth through supporting prompt payment initiatives. One important incentive to move the provider community toward HIPAA and eheath is the adoption by private payers of the current Medicare 14 day window for paying a clean electronic claim. In addition, payers should be required to notify providers within 10 days if and why a claim has been determined to be “not clean.”
12. HIPAA as one step toward the overall goal of administrative simplification of the health care system. The health care industry currently spends in excess of 20 cents of every dollar on administration—more than double the costs incurred by health systems in other nations. While HIPAA is an important step, the government must continue to work with industry to further reduce Medicare and private administrative cost and complexity.

Conclusion

In conclusion, MGMA is highly supportive of the development and use of national standards for the health care industry. Standards for the collection and transmission of electronic health data will improve the quality of health care, while at the same time lower the cost of providing health care to our communities. While MGMA is confident that HIPAA will ease administrative burdens and facilitate improved data interchange within the health care community, roadblocks exist that must be addressed before full implementation can be achieved. We appreciate the Committee’s interest in this important topic and thank the Subcommittee for inviting us to present our views on this issue.