When your mom let you out of cleaning your room, your professor postponed that big exam, the office called to reschedule your colonoscopy and the CMS relaxed your looming compliance deadline, the feeling is the same.
Relief, followed by anxiety for what still must be done.
Healthcare leaders of various stripes have welcomed the news
that the CMS, in effect, pushed back by up to one year the May 23 deadline to comply with the national provider identifier requirements of the Health Insurance Portability and Accountability Act.
The reprieve, despite affected parties already having had nearly two years to get ready, came late in the afternoon Monday.
"CMS made the decision to announce this guidance on its enforcement approach after it became apparent that many covered entities would not be able to fully comply with the NPI standard by May 23, 2007," according to a CMS statement. "This guidance would protect covered entities from enforcement action if they continue to act in good faith to come into compliance, and they develop and implement contingency plans to enable them and their trading partners to continue to move toward compliance."
The long-delayed NPI has been a requirement under HIPAA, which passed in 1996, but the final rule adopting the NPI was not published until Jan. 23, 2004, and didn't become "effective" until May 23, 2005, when the clock finally started on what was supposed to have been a two-year ramp up to implementation.
Some parts of the program have gone well.
One industry expert, Craig Schlusberg, a director with First Consulting Group, warned in an interview
last June that the NPI program might be heading for trouble, citing a number of reasons, including that after a year of open enrollment, only about 400,000 individuals and organizations had signed up for NPIs out of the 2 million estimated to need them.
According to the latest CMS figures, the pace of enrollment has picked up substantially since then. From May 23, 2005, when the "enumeration" began through March 26 of this year, about 1,488,000 individuals and 436,000 organizations have been issued NPIs.
Most welcome extension
Several industry experts contacted for this story support what those numbers suggest—that most providers, payers and other organizations have signed up. Getting other aspects of the system to work, however, remains problematic.
"The state of Massachusetts and the Board of (Registration in) Medicine was really proactive and applied for NPIs on behalf of every physician in the state," said John Halamka, the physician chief information officer of the CareGroup Healthcare System, Boston, and Harvard Medical School. "You have to ensure all your claim systems can use the new number and the vendors can provide you with patches (computer system upgrades). The problem is some of the payers in our area are still testing. Payer organizations will want some additional time for testing and verification, so I think it's reasonable that they've extended the deadline."
Most payers and providers in New England got a jump-start on updating their systems, said Halamka, who also serves as chairman of the New England Healthcare EDI Network, or NEHEN, a regional exchange set up to coordinate the processing of healthcare claims data.
"A year ago, NEHEN put together a working group of payers and providers and had a statewide action plan to make sure every payer and provider was compliant," Halamka said. "That was good to get everyone on board. This (compliance extension) gives us a little bit of latitude to run in dual mode to make sure everything works."
CareGroup, meanwhile, is ready to roll, Halamka said. "We have our provider IDs for every physician and we've modified our system so we can run in dual mode, with the NPI and our old legacy system identifiers."
George Arges, senior director of the health data management group at the American Hospital Association, said most AHA member hospitals have signed up and received their NPIs.
"We have been surveying our hospitals for this information and a very high level of our members have an NPI. It's probably around 97%," Arges said. Nevertheless, "We welcome the extension."
"It's a question of whether they've been able to test," he said. "The other issue for our members is the fact that they need to work with the physicians and identify the physicians as part of this process. Making sure the physicians have their NPIs is a difficult task. For their staff (physicians), they probably have more leverage. The difficulty really is when you have physicians outside of your hospitals and they do referrals and don't have that information readily available. It is a time-consuming process to track down their NPIs."
Arges said the AHA made its views known to the CMS about the NPI deadline and pushed for the delay.
"We submitted written testimony and worked with a provider coalition to send a letter," he said, adding, "We met with CMS in early November last year to basically talk with them about NPI progress."
One serious problem on the government's end, he said, is its failure to come up with a policy on how it is going to share NPIs among healthcare industry trading partners, and then, providing access among those partners to its NPI database. The government has contracted with Fox Systems to be its NPI "enumerator."
Hospitals can cross-reference their own legacy identifiers with their own new NPIs, but unless they have access to the national master NPI database, they can't thoroughly check if their partners' numbers are correct and their systems are functioning properly. "That needs to be moved out to the public," Arges said.
George Roman, director of health policy for the American Medical Group Association, said of the extension, "On the face of it, I think it is a good thing. Our members are among the largest medical group practices and IPAs in the country. I think a lot of them are going to be prepared, but I do not think a lot of them are going to be shedding any tears that they've been given time to do testing."
"I think that two years seems like an inordinately long time, and it is a long time, but this is complex," Roman said. "Sometimes, when CMS implements things, they don't have a good handle on how complex things really are."
Robert Tennant, senior policy adviser for health informatics at the Medical Group Management Association, agreed, saying the data dissemination policy should have been out a year ago. By not making the policy and the database available to end users, CMS has helped gum up the works on its own rollout.
"That does a number of things," Tennant said of the as yet unreleased policy. "It tells people what they can and cannot do and how providers and health plans gain access to the NPIs. So, you now have this database filled with numbers, but they (providers) don't have access to these other provider IDs. In many cases, you need the referring physician's NPI to bill."
Tennant, too, says "a very, very high percentage" of MGMA members have NPIs, "but that doesn't automatically mean they can submit their NPI to their payer or claims clearinghouse. They have to rely on their practice-management system to be upgraded to handle the NPI, and we've heard from some of our members their systems aren't ready."
Another advisory on the way?
Tennant said rumors are circulating that the CMS will soon issue a second advisory, with a different, possibly shorter extension for compliance with the NPI provisions for transactions with the Medicare program.
"I've heard that as well," said Arges of the AHA. "That doesn't surprise me that CMS might exert its size and get people to move faster. I think the thing for everyone is to keep a cool head."
Jeff Micklos, senior vice president of business operations and general counsel at the Federation of American Hospitals, said the delay "is a good thing in the short term. Clearly, CMS is reacting to information from the field that not every part of the industry is ready to go. One thing I thought was important, too, is CMS acknowledges that if one actor isn't ready, it puts others in jeopardy."
Like other provider association leaders, Micklos said FAH members have been planning for the deadline and are ready. The payers, he said, are the primary beneficiaries of the leeway given by the government because they have a wide variety of provider networks to handle.
According to Micklos, it would be wrong to assume there is a get-out-of-jail-free card for covered individuals and organizations, however. The CMS says it will be looking for stragglers. "There is a compliance mechanism and they say they will investigate," Micklos said. "They do have a legal responsibility to implement civil monetary penalties and they've set out guidance on how they are going to pursue that and I think the process is a reasonable one."
Talk of the government requiring that patient privacy controls be built into healthcare IT systems is part of the current buzz, but Deborah Peel, an Austin, Texas psychiatrist and founder of the Patient Privacy Rights Foundation, wouldn't say the delay in implementing the NPI was a good thing or a bad thing.
In an e-mail statement, Peel said many physicians, particularly those in solo practice or in small offices, and many psychiatrists and psychoanalysts are not "covered entities" as defined by HIPAA because they choose not to submit bills electronically. Many, she said, "do not want to become covered entities in order to avoid having to comply with HIPAA, as a protest against what they see as an unfunded mandate and/or as federal regulations that eliminate patient consent and violate medical ethics, stronger state laws, and the Hippocratic oath, which protect patient privacy."
Peel concedes that "an NPI number could be used to authenticate physicians when patients give a certain physician consent to access their personal health records.” But, Peel said, “other numbers/numbering schemes could be used as physician identifiers in electronic health networks."
Tom Leary, director of federal affairs at the Healthcare Information and Management Systems Society, said he reads the new CMS policy as only a reprieve.
"They don't have the cover of (a) legislative extension, so by law they have to keep moving forward from May 23," Leary said. "They are looking at their numbers (on NPI enumeration) and they're close, but they are hearing a lot of issues if they reach May 23 and the dollars don't flow. Nobody wants to see 'Dr. X' not being reimbursed on May 24. Who wants to be on the cover of Modern Healthcare
or the Washington Post
on May 24? They're avoiding a nightmare. I think this is a responsible decision by CMS."
All systems go?
Pam Matthews, director of business information systems at HIMSS, said that while the trade group for IT system users and developers hasn't done a definitive survey of its member vendors, she's not sure that IT vendors have let the side down in terms of not having their systems ready to handle the NPI by the May 23 deadline.
"I don't have concrete evidence to say all of the software systems are ready, but you hear anecdotally that everyone is saying our systems are ready," Matthews said. "If you speak with vendors, they'll say my system is 'compliant' or they have a plan on how they're going to handle the NPI, and if you talk to clearinghouses you'll hear the same thing. Where I'm hearing there are problems is with testing. That is where the rubber meets the road. What happens when that bill actually hits the clearinghouse or when it hits the payer? It's having the NPI and having it flow cleanly, that testing, is what we're hearing is the challenge that is still left, because it's not until you test will you know what really happens."
Matthews said if vendors had access to the NPI national database, it would facilitate testing, but, technically, they do not need the availability of that database to complete their job.
So how is it that, after all this time, we've come only this far and are not ready?
"Human behavior," Matthews said. "We've had some of our members testify at the National Committee on Vital and Health Statistics meeting (Jan. 24) and what came out loud and clear was human behavior. The industry has had two years to get ready for this, but human behavior is to wait until the last minute."
The NPI is only the second of four identification numbers called for in HIPAA. An employer ID was required in 2004. A health plan ID was put on hold last year and a patient ID was spiked by both former Vice President Al Gore and Congress in 1998.
At bottom, when all this enumerating is completed under the guise of HIPAA "administrative simplification," it may not be worth the trouble, according to Arges.
"I don't know what the cost would be," he said, "but if one looks at how much time has been spent thus far, it's more than having added an NPI, it's adding other numbers such as the provider taxonomy numbers and the full nine-digit ZIP code and it raises the questions, what did we gain by this?"
"These are recommendations that were really lifted from the WEDI (Workgroup for Electronic Data Interchange) 1993 and 1994 reports that were prepared under (HHS) Secretary (Louis) Sullivan that were the basis for the HIPAA legislation," Arges said. A lot of people are beginning to question whether those recommendations are still appropriate, he said.
"Time will tell whether it will do away with the other numbers," he said. Even "if everybody is up and running, I'm not sure you'll gain a whole lot."
What do you think? Write us with your comments at firstname.lastname@example.org. Please include your name, title and hometown.