Policy development has, by the design of enabling legislation, been state-specific in many areas.  This limits the applicability of national solutions, which must be based on a degree of policy uniformity across the states.  Actions of state legislatures, governors, or Medicaid directors have led to the implementation of new procedures, codes, and programs.  MMISs have been modified to incorporate these state-specific initiatives.

With standardized transactions and codes, states will have limited ability to implement policy not supported by the mandated coding structures.  Implementation of existing state-specific policy, then, must be limited to data that can be collected in state-specific fields in EDI standard formats, or state policy must change in order to use data elements, codes, and attachments that have been approved by HCFA.

Standards Updates

Updating the coding standards will be a challenge for HCFA and will create problems for most users.  Annual (or quarterly) updates to the various codes must be published well in advance of the effective dates.  Because the codes are national, and because they are effective on a fixed date, all organizations that use the codes will have to ensure that the updates are applied to their databases on a timely basis, with the mandated effective date.  For some organizations that have edits and audits with hard-coded procedures, it may be a significant challenge to identify and complete all of the necessary programming changes in a timely manner.  Untimely updates will create communication problems with providers and other payers.  Insofar as local codes are concerned, it appears that the biggest problems will be within the state Medicaid Agencies.  Statistics show that some Medicaid programs pay almost 20% of their claims using local codes.  Most programs with waivers pay for the specialized waiver services using local codes.  With no permitted local codes or substitutes for them, state Medicaid Agencies will have problems in recognizing specialized procedures and paying for them. 

Provider Enumeration and Enrollment

One of the most serious impacts of the HIPAA changes will be on provider enrollment activities.  Since a national provider identifier (NPI) will be issued by a HCFA contractor to virtually every provider, it is expected that re-enrollment of the entire provider population will be required.  Although the specifics of the NPI enumeration process are not yet known, it is likely that it will be a nationwide process.  Considerable effort will have to be dedicated to finding the matching Medicaid record for new NPI assignments, verifying that the provider is the same person on both files, then adding the NPI to the state’s database.

It is assumed that states will have access to the NPI nationwide file, therefore it may be possible to query this file for every enrolled state provider.  If such a query is possible, then the state Medicaid program might be able to systematically query the NPI master file and update the state-level records with the new numbers.  As most states now have several identification numbers (Medicare-assigned provider number, medical license number, state Medicaid ID number, Tax ID number, and Social Security Number) on their files, there should be no problem in locating a provider.

One of the more difficult tasks for state Medicaid programs will be processing claims during the transition period.  When a provider bills using the NPI, the state must be able to identify the provider as an enrolled provider.  Additionally, providers may bill with the “old” state Medicaid ID number if the new NPI assignment has not been made.  For Medicare Crossover claims, the Medicare provider number, the NPI, or perhaps even the Medicaid ID number, may be present.  The most likely approach will be the use of a cross-reference table that contains both identifiers.

Provider Relations

HCFA has indicated that they will offer a certain amount of provider training as related to HIPAA requirements.  A definitive plan for this training will need to be developed.

Provider Education

Most state Medicaid programs have billing manuals, instructions, handbooks, and regulations.  When HIPAA is implemented, most of this material will have to be modified to incorporate EDI standard formats and X-12 national codes.  All of these modifications will have to be included in the new provider billing and reconciliation manuals.  Also, if states operate eligibility verification systems, changes to that documentation will be required, along with fee schedules, instructions for pre-authorization, referrals, eligibility inquiries, and others.

For most Medicaid programs, new manuals, instructions and handbooks will require provider training and education efforts.  If all documentation has to be replaced, then almost all of the education programs will have to be revised and offered to providers.

Prior Authorization

Prior Authorization or pre-approval of certain procedures will require a significant amount of re-design for most Medicaid programs.  With the new transactions for requesting and authorizing certain procedures, the format for the process will be standardized throughout the country.  For MMIS systems that have been using non-standard data elements, redesign above and beyond use of the new record formats will be required.  Also, systems that require attachments, whether X-rays, dental molds, or other paper documents, will have to develop alternatives that comply with the new attachment standards, and yet-to-be-published regulations.  With new transaction formats mandated for implementation well in advance of the attachment regulations, the prior authorization subsystem will be challenged to adequately support the attachment requirements without significant modification. 

Medicare Crossover Systems

Medicare Crossover systems are beneficial to the providers of service and to the state Medicaid Agencies.  The providers need only bill the Medicare carrier (or it’s intermediary) and both the Medicare payment and the Medicaid-paid coinsurance and deductibles are covered.  For the state Medicaid Agency, there is positive knowledge of the amounts approved and paid by Medicare.  HIPAA will make Medicare Crossover systems far easier to develop and maintain.  Examples of benefits through HIPAA are:

1.      The uniform provider number will eliminate the need for difficult to maintain crosswalks between the Medicare and Medicaid provider numbering systems.  With a provider number accepted by all payers, the need for crosswalks will disappear.

2.      With a uniform insurer/payer number, crossover systems will be able to forward claims to Medicare carriers if the claim is billed to the state and the state Medicaid Agency since the claims can be easily forwarded between payers.  In addition, if the beneficiary has a Medicare supplemental policy, the state Medicaid Agency can forward the Medicare adjudicated invoice directly to the supplemental insurer, simply by using the uniform payer ID number.

3.      The transaction sets will allow the state Medicaid Agency to have all required data on claims crossed over from the carrier or intermediary.  Eligibility verification between the Medicaid agency and the carrier or intermediary can be accomplished on-line through the use of the eligibility inquiry and response transactions, eliminating the need for batch file matches between the parties.  These transactions can be used to verify Medicare supplemental insurance as well.

4.      Because all payers will use the same remittance transactions and coding, providers may be able to use a single program to post the payments to their accounts receivable systems.  With common message codes, providers will have a far better understanding of problems with their invoices.  Direct deposit of provider payments will also be beneficial, since the cost of printing and mailing checks will be eliminated.

These benefits come at a significant cost in terms of redesign of the crossover process, retraining providers to use and understand this process, and cooperation with Medicare carriers and intermediaries.  Passing adjudicated Medicare claims to the state agencies, as well as state agencies passing claims for which Medicare is the primary payer, may require major modifications to existing crossover systems.

Third Party Processing

Third Party Liability systems (TPL) have been an emphasis of HCFA for some time. TPL systems work by using cost avoidance to deny claims that should be paid for by another insurer, and by using recovery to recoup Medicaid funds that another insurer should have paid.  Both these processes require that the state maintain a very large database to keep track of their enrollees third party insurance coverage.  Since this database is not static, the TPL staff is continually trying to maintain database integrity.  Updates come from the social services agency responsible for the enrollment of Medicaid enrollees, tracking down leads provided by the medical community, and by sharing files and data with other insurers such as Medicare and Worker's Compensation agencies. 

HIPAA mandates will require most TPL systems to be retrofitted from the ground up. Since there are payer and insurer IDs, identification of a particular insurer and forwarding claims to that insurer will be facilitated.

For TPL staff, verification of enrollment by an insurer will be simplified since there are unique transactions for this purpose.  Currently if a third party resource appears to be end-dated on the TPL database, it is difficult to determine if there is a true end-date or if the TPL file is simply out-of-date.  With the new transactions, queries can be sent to the insurer to ascertain if the coverage is still in effect. 

CONVERSION APPROACHES

The selected HIPAA conversion approach will be directly affected by the Gap Analysis, the priority of other initiatives in which the state Medicaid program is involved, and the degree to which the state decides to change its adjudication policy for HIPAA compliance. 

The MMIS system architecture may have a significant impact on the scope of the work and the approach that is selected.  One example is the extent to which master keys are used with intelligence imbedded in the field.  Since the HIPAA NPI is not intelligent, MMISs that rely on an intelligent provider key will have a higher degree of change required.  Also, provider and recipient Medicaid identifiers may or may not contain a check digit in the current MMIS.  In this case, conversion of the new national identifiers will be more complex, since the use of a check digit will be required.  Additionally, most large systems have processing designs to facilitate throughput, including partial processing by provider and then by recipient identifier, with subsequent merging of the results.

A list of factors that should be evaluated when selecting the appropriate conversion approach suitable for a specific state: 

1.      Use of the National Provider ID

2.      Elimination of any embedded intelligence in keys affected by national standards

3.      Use of a National Employer ID

4.      Use of the National Health Plan/Payer ID

5.      Use of National Individual ID (when specified)

6.      Use of Provider Taxonomy

7.      Impact of enrollment/eligibility determination using only the 834 data

8.      Incorporating use of 270/271

9.      Incorporating/converting to use of ICD-10

10.  Incorporating a HIPAA-compliant version of NCPDP

11.  Eliminating state-specific HCPCS codes

12.  Use of Health Care Claim Adjustment Codes

13.  Use of Health Care Claim Status Codes

14.  Use of Health Care Claim Status Category Codes

15.  Problems with planning for maintaining all 837 data in case a claim must be forwarded to another payer

Depending on the level of changes that must be accomplished within a fixed amount of time, each state must then select the best option at an acceptable level of risk. Three options are outlined below.

Complete Conversion

This option requires the redesign and new development of the MMIS to become compliant with the HIPAA requirements.  The costs for such an undertaking are significant in both resources and time.  It is anticipated that costs could approach the transfer of or the development of a new MMIS.  Any state undertaking such a solution could look into implementing other improvements to their MMIS at the same time. 

One of the advantages of developing an MMIS that is internally HIPAA compliant includes the long-term benefits of lowered operational costs, and such initiatives as data warehousing.  Maintenance of codes and form changes will have to be developed by the fiscal agent under the direct control of the state.  Furthermore, this high level of new development would qualify a state for FFP at 90%.  However, implementing a substantially new MMIS entails a higher risk, including a significant increase in up-front costs, the time necessary to develop an RFP/Project Specification, the time required to conduct the procurement process, and the substantially increased workloads that must be assumed simultaneously with the continued maintenance of the existing MMIS. 

Additionally, a significant consideration in relation to total conversion is how to handle paper input.  Since the HCFA1500 and the UB92 will probably not change, the only information that can be required from paper billers is essentially the same information that they are now providing.  Of course, such things as the HIPAA-compliant procedure, modifier, place of service, revenue, and occurrence codes, along with the NPI (if the provider has been assigned one) can be required on those forms as well.

It is not certain at this time whether paper billers will be assigned NPIs, since the NPI is a function of electronic billing.  If they are not, then an additional crosswalk will be required in the system, and the provider database structure will have to take this into account.  Other fields possible in the 837 format may or may not be able to be accommodated on the paper form, and any requirements for fields that are unique in the 837 format will have to be handled on an exception basis for paper claims.  A thorough analysis of how to handle paper claims should be made prior to a commitment on the total conversion option.

This complete conversion option implies the development of a new MMIS in most cases.  HIPAA requirements applied in full internally to an MMIS will affect virtually every processing facet.  Master files will need to be redesigned, historical files will require conversion, and a method must be derived in order to handle the interfaces with other outside entities (EDI).  The entire project could be so resource and time intensive that phased implementation will be required.  Affected areas are:

¨      Provider Subsystem:

Ø      National Provider Identifier

Ø      Provider Taxonomy

Ø      Unintelligent provider number

Ø      Impacts from using EDI 274

 

¨                  Recipient Subsystem:

Ø      National Individual Identifier (when specified)

Ø      Impacts of Provider identifier changes

Ø      Impacts from using EDI 834 for enrollment/eligibility transactions

Ø      Impacts from using EDI 270/271

¨      Reference Subsystem:

Ø      Converting to ICD-10

Ø      Eliminating state-specific HCPCS codes

¨      Claims Subsystem:

Ø      Use of national standard identifiers

Ø      Incorporating new codes (e.g., ICD-10)

Ø      Impacts from eliminating state-specific coding

Ø      Impacts from service requests (EDI 278/277/275)

Ø      Claim/Encounter processing (EDI 837/835)

Ø      Status inquiry (EDI 276/277)

Ø      Premiums (EDI 820)

Ø      Prior Authorization

Other subsystems (MARS, SURS, EPSDT, TPL) must be modified and tested because of redesigned files and revised coding structured.
 

Partial Conversion

An additional option is partial revision of the MMIS.  In this option, claims that are currently submitted electronically, such as the National Standards Format (NSF), would be required to change and be submitted through EDI, while claim types that are currently submitted on paper would continue to be submitted in paper format.  The advantage to this type of option is the ability to meet the constrained HIPAA implementation time frame. 

Other interface transactions that interact with outside systems would also have to be converted to the appropriate EDI transaction. Resident systems translators would then crosswalk new coding structures to the old codes that have not been converted with this approach. Codes that are converted on a one for one basis could also be converted at this time.  The risks associated with this process could be mitigated through the use of a translator, EDI transaction and simple code conversions, while developing the new, HIPAA-compliant system.  In any case, the mapping effort needs to be accomplished and the translator code could then be used for the totally HIPAA compliant MMIS that will be developed at a later time. 

This method will require the development of crosswalks for national identifiers that are not selected for full integration into the MMIS.  Detailed analysis is required to formulate implementation rules concerning the capture and maintenance of HIPAA-mandated EDI transactions that are not in the legacy system.

Use of the partial conversion methodology will use EDI translators for national/state code conversions and simple code conversion inside the MMIS.  It will provide states with sufficient time for required HIPAA compliance at a low level of risk. This method also facilitates phased integration of HIPAA-based changes into the MMIS.

Clearinghouse

It should be noted that in the event that a state wants to totally postpone internal system compliance for HIPAA a Clearinghouse approach should be used, since the need for HIPAA compliance with outside entities is still a necessity.  For instance, interface transactions that interact with outside systems must still be converted to the appropriate EDI transaction including standard codes. Systems translators would then crosswalk new coding structures to the old codes that have not been converted inside the MMIS. The risks associated with this approach are then mitigated through the use of these translators, while the internal system remains the same.  The mapping system effort and the translator code can then be used for the conversion to a totally HIPAA compliant MMIS at a later time. 

The benefits of this interim solution include the continued use of the existing MMIS through the use of translators and EDI transactions.  Since inside codes and formats do not change, no history conversion is necessary.  Impacts on the MMIS and the health community would therefore be minimized.  Considerable development efforts will still be necessary in the application of this limited conversion option; however, it will provide states with sufficient time to achieve HIPAA compliance at a low level of risk.  This method also facilitates phased integration of HIPAA-based changes into the MMIS.  

OPTIONS

The difference between using a Clearinghouse translator and a translator developed by the Fiscal Agent is in the entity that operates and maintains it. HCFA will have to ensure that the service provided by a Clearinghouse, or by a Fiscal Agent, is at an adequate level of compliance regardless of the providing entity. To ensure this, HCFA and the states must request specific development, implementation and operation services through detailed project specifications.  Again, detail planning and oversight and verification during development and implementation should be required to ensure an acceptable level of resulting service.

Each alternative option must be evaluated in terms of risk (strain) on the current MMIS's data structures, risks due to developing a new MMIS, risks due to the modifications to the MMIS, risks in meeting schedules, and risks of incorrect payments.  For project management to minimize risk, careful development planning, test planning, regression testing, interface testing, file conversion, implementation planning and operation verification must be planned and accomplished.

SECURITY AND PRIVACY CONSIDERATIONS

The implementation of HIPAA must address security, confidentiality, and privacy requirements.  The original law required Congress to pass privacy legislation by August of 1999.  Since legislation has not been passed, rules for security and confidentiality should be promulgated in early 2000.  The Notice of Public Rule Making regarding the Proposed Standards for Privacy of Individually Identifiable Health Information was published on November 3, 1999, and the comment period was extended to February 17, 2000. 

The state Medicaid Agencies and their MMIS must comply with the security, privacy, and confidentiality provisions.  Changes will be required, and individuals will have more discretion concerning the use of their health care information.  The states will have to adopt and implement the provisions concerning security, confidentiality and privacy as a minimum. States must also develop regulations that are more stringent than they are at the current time.

HIPAA Security Requirements

Because of the new HIPAA security requirements, every organization that creates, handles, processes, or stores any medical data will have to ensure that the data is secure.  In order to emphasize the requirements to employees, an ongoing security awareness program will have to be created.  This program should consist of a regularly published newsletter, supplemented with posters and other security reminders.  Initial security training must be conducted for all employees who will then have to acknowledge that they received the training and are aware of the pertinent security requirements. 

HIPAA security requirements mandate that every agency, provider, or contractor who has access to confidential information, appoint a security officer to coordinate and control the security issues within that organization.  In addition, the following steps need to be accomplished:

·        All internal security procedures will have to be rewritten to comply with the new requirements. 

·        Any software that enforces the new requirements will also require revision. 

·        Staff will have to be trained on the new requirements.  Also, employees will have to certify that they will comply with all security procedures.

·        Passwords will have to be changed not less than every 30 days.

·        Employee records must be updated with the level of security appropriate for that individual’s job needs. 

·        Physical security will have to be checked and access to sensitive areas limited to those who need access to perform their duties. 

·        External access to sensitive data will have to be limited and if the Internet is used, 128 bit encryption must be used. 

·        Data security agreements must be reached with all providers that have direct access to patient data.

The above requirements are a sample of the things that must be accomplished, and of the new security regulations that will place a significant additional burden on most state Medicaid Agencies.  Proposed security requirements will have varying cost impacts based on the degree of compliance already present in the current MMIS.  Requirements affect the current MMIS in the following areas: 

·        Integrity controls

·        Message authentication

·        Access controls and/or encryption

·        Open network safeguards, including alarms, audit trails, entity authentication, denied access where identity can not be established, event reporting, and use of electronic signatures

HIPAA Privacy Requirements

With new privacy regulations, state Medicaid Agencies will face additional challenges.  Although privacy has always been a priority within most state Medicaid Agencies, the new requirements will create additional problems.  Privacy will have to be actively supported by the internal security system to ensure that unauthorized access is not permitted in confidential areas.

Release of medical information from a beneficiary/recipient will rely on the establishment of HIPAA compliant processes.  If Internet data transmission is anticipated, encryption using a 128 bit algorithm will be required. 

As with security, privacy must be emphasized with employees and contractors.  Business partners will have to comply with all of the requirements of the agency, and the agency will be responsible to ensure that the business partner does so.  For most agencies, a thorough review or audit of existing privacy processes should be undertaken to highlight the additional steps that need to be taken to ensure compliance with the new regulations.

The new privacy regulations require significant MMIS and procedural modifications to ensure adequate levels of protection.  This will create challenges for every state Medicaid Agency.  Proposed privacy regulations will impact agency operations and rules more than MMIS technology.  For example:

·        Medicaid Systems already report by client, so satisfying requests for review of computer-based materials concerning an individual should be available in current MMISs.

·        Privacy safeguards should already have been implemented in all MMISs.

·        Identification of the "minimum disclosure" contents needs to be accomplished, but should involve national guidelines that allow more stringent state standards.

·        De-identification of nineteen potential identifiers is required, but appears substantially based on Freedom of Information and Privacy Act experience.  Many MMISs will already be at least partially compliant.

 CONCLUSION

The options outlined in this document range from total conversion to limited conversion.  In all options, the amount of work is considerable.  Taking into account recent MMIS modification/upgrade history, the sheer level of effort may require HCFA to consider only the limited conversion option.

Limited conversion within the HIPAA mandated time frame can then be followed by complete conversion, including the incorporation of all HIPAA requirements internal to the MMIS.  This phased approach seems best suited to meeting the HCFA time frame with an acceptable level of risk.

Any conversion option will require significant new design, programming, and regression testing activities.  The new nature of the HIPAA requirements indicates that the work involved should be covered at the 90% level by HCFA.  To meet HIPAA mandated time frames, planning must start now.