With the October 1 deadline looming for physicians and hospitals to transition from the current ICD-9 medical coding system to the ICD-10 coding system, many patient care organizations still are not fully prepared to make the change. The transition is a complex one, industry experts warn, not one that involves a simple switch of information systems, but rather a very involved set of processes involving education, training, testing, and other elements. One industry expert who has very strong views on all this is Rita Bowen, RHIA, who has been involved in the health information management (HIM) profession for over 30 years. Bowen, who was president in 2010 of the American Health Information Management Association (AHIMA), spent decades as an HIM professional. This summer, she is co-presenting with Adam Greene at a series of AHIMA HITECH Privacy Symposia, in a variety of cities nationwide. Some of what the symposia are covering has to do with the so-called “Omnibus Rule” that was issued in January by the Department of Health & Human Services (HHS), and that affects compliance with the patient protection elements in HIPAA (the Health Insurance Portability and Accountability Act of 1996). Bowen’s current position is senior vice president of health information and privacy officer for the Alpharetta, Ga.-based Healthport, where she focuses on patient information disclosure management. She spoke recently with HCI Editor-in-Chief Mark Hagland about the ICD-10 transition. Below are excerpts from that interview.
What are you telling the AHIMA members who attend your presentations this summer?
We've been giving them an overview of the HITECH [Health Information Technology for Economic and Clinical Health] Act, and Adam spends a good deal of time on the compliance enforcement; he used to be at OCR [the Office of Civil Rights of the federal Department of Health and Human Services]; now he’s a private consultant. I go into the access issues—patients have the right to receive their information in an electronic form [under stage 2 of the meaningful use program]. I go into that, and the fees, and the time limitations; it used to be 60 days with a 30-day extension; now 60 days is the upper limit.
We talk a lot about the requests for restrictions [on the sharing of patient information with outside entities, including health plans]. And that’s probably going to be one of the stickiest wickets of all, so we spend a lot of time on telling people how to test systems. For example, the rule doesn’t say you have to sequester particular information, only that you have to flag it in a way so that it won’t flow to the health plan. So if you have it set up so that it flags the information, and the information goes to radiology, then you have to be able to flag that for them as well. Let’s say I want to have a cardiac catheterization, and you don’t want the health plan to know, the hospital has to be able to accommodate that.
So we spend a good bit of time talking about that. There were about 90 attendees in St. Louis [in June], and only one had actually tested their system [for transition readiness]. So the testing has actually been very limited. In one case, one of our attendees was with a medical group, and they thought they had created the flag in their system, but when the information flowed to the radiologist, it flowed over to the health plan anyway. That was just a test. But that was the only person there who had actually done a test, and I thought it was telling that either the AHIMA members there didn’t know that testing was being done, or that the testing hadn’t even been done in their organizations.
We also spend time talking about childhood immunizations. And if there’s a state law that you have to have your child immunized before they start school, you as the parent have to call and give consent to release that information. And documentation has to be maintained that you got verbal consent; it doesn’t have to be in the EHR [electronic health record]; it could be in e-mail.
Remind us of the dates involved again in what is known as the “Omnibus Rule” under HIPAA?
It was published on January 17, and went into effect on March 26, and the compliance date is September 24.
So after September 24, you can be fined?
Yes, that’s correct.
What are the areas of most inadequate preparedness right now in this area?
The ability to restrict information if someone wanted to pay cash; the rule doesn’t say it has to be an entire encounter.
A situation where a patient would pay cash in order to keep a transaction private?
Yes, they may want everything else going to their health plan, except for one item.
Like HIV testing or pregnancy testing, for example?
Yes. So that would be top of my list. The second on my list would be the need for analysis of a breach. If you can prove, for example, that there’s minimal harm, using four factors, you wouldn’t have to report a breach to a patient. The four: you have to prove that minimal information has been breached; you have to specify what’s in that information (you have to go through the 19 items considered protected health information); and was it acquired and viewed, or just acquired? For example, if you mailed something to the wrong address and it was sent back to you unopened, then there was no harm; but if it was opened, that raises it to a different level of risk. And the other component… You have to look at all of those. Risk of harm takes you over the threshold.
What kinds of collaboration will be needed between HIT and HIM people?