I think this goes back to who certifies the certifier and what certification really is. I suggest that what you did was produce a valid test file through a system that has never been certified. While it sounds like you have done some of the full system testing that would be required to certify your HIPAA compliance, as you have experienced yourself, you are not compliant. Yet, I notice on your Web site that it says you are. Down in the lower right had corner where there is the seal of approval from your third party certifier that says "HIPAA Compliant EDI". Is this not somewhat misleading to the industry? Not that that is any fault of yours of course.
I know of a company that in the last 13 months has spent 18K in order to certify. They have access to a testing and validation tool that is free to them and with which they are extremely pleased but they must certify in order to satisfy a market that believes certification is part of due diligence. Despite this cost, the entity, their clients and the public can't be certain that they are HIPAA or trading partner compliant. If this same waste is occurring throughout the industry, we are spending millions and millions on something that is not giving us what the industry seems to think it's paying for. Marcallee Jackson Long Beach, CA 562-438-6613 -----Original Message----- From: John Carter [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 19, 2002 12:25 AM To: WEDI SNIP Testing Subworkgroup List Subject: RE: NCQA Certifies Compliance SNIP Comes Up Short Let me first say that our company will continue to use "Third-Party Certification" because it is a very useful TOOL for us. The only better possible tool would be an OPEN SOURCE application that can be used for testing/certification of transactions by everyone for free. You are correct when you say certifying a transaction is easy (when all you do is tweak your output). In our case, we made a point to create a cross section of all types of encounters from every provider on our network. We have been using "Third-Party Certification" for over a year. We have "Certified" all of the approved transactions we create. We have also beta-tested and/or true-tested with several payers. In every case I can create a file that will pass certification but will not be acceptable by the payers system. Two examples are (1) Bugs in the certifiers system and (2) Different interpretation of the IG (e.g. include '001' revcode or not). In both of these cases the only problem was that the "Third-Party Certification" was either wrong or had a different interpretation of the guides. Neither of the covered entities were wrong. You a correct in saying that what we call "certification" today doesn't really mean the interoperability it was proposed to foster. And now my point... Third-Party Certification is a useful TOOL. The relatively young IG's have too many problems for any certification to guarantee interoperability. My concern is that Third-Party Certification is being over hyped and the white papers related to it serve the business of Third-Party Certification more than the serve the health care industry at large. Moving too quickly to require more and more certification is great if you are in the certification business. John Carter [EMAIL PROTECTED] -----Original Message----- From: Marcallee Jackson [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 19, 2002 12:50 AM To: WEDI SNIP Testing Subworkgroup List Cc: 'WEDI SNIP Transactions Workgroup List'; 'WEDI Business Issues Subworkgroup List' Subject: NCQA Certifies Compliance SNIP Comes Up Short I think that the NCQA program for certification shows how much work we have in store for us here at WEDI-SNIP. To date, our testing and certification white paper focuses on a process that "certifies" TCS compliance based on a single isolated event. I maybe wrong, but I don't think this is correct. The successful test of a single transaction set could very well be meaningless in the big picture. For example, clearinghouses have been certifying transactions for months now based on our recommendation to the industry that they do so. To not certify with Claredi today would be near suicide for a clearinghouse. But has their certification moved the industry further toward compliance? Is it much more than costly PR fluff? When a clearinghouse announces to its clients it has achieved certification, it does so in order to show compliance and put their client's minds at ease but should it? A clearinghouse that is able to exchange standard transactions is not necessarily anywhere near compliance and neither are many/most of its customers! For a clearinghouse, testing and certifying a standard transaction is easy. It's getting the standard transaction or non-standard equivalent for translation from their client that's the hard part. If a clearinghouse hasn't validated they're ability to translate non-standard to standard for a wide range of provider types, they should not be "certified" as HIPAA compliant. But how often are covered entities told they should ask their clearinghouse if they are "certified"? How often are they told what that certification will really mean to them? A similar situation exists with vendors. Sure the vendor can test and show that at one point he was able to submit a file that passed a set of edits but does that mean his users will achieve compliance? No. Even if the software is tested and proven to have the capability of handling standards, without the required data elements for a claim, a compliant 837 is not possible. System remediation is only a part of the compliance effort. Operational remediation is also a must. In addition, few systems being certified are capable of rejecting transactions or transaction sets that are not fully compliant. If the system cannot differentiate between a non-compliant inbound transaction and reject it, and it accepts and processes non-compliant transactions, is it a HIPAA compliant system? So it's clear our paper doesn't suggest real certified compliance for these entities or their clients and we haven't even begun to look at the compliance of the certifier. Who are these people to be certifying in the first place? What are their qualifications? What methodologies do they follow and who decided that theirs was the one that was right? If a provider tested and certified with one entity and later was found to be non-compliant, does that mean that all the entities certifying with that certifier now have questionable certification? When you look at the level of detail that goes into the NCQA certification process and really think through what is needed for TCS compliance, not just in terms of HIPAA compliance but in terms of compliance with other business requirements too (requirements that would ensure interoperability for example), it is easy to see that we come up very short and have perhaps, unintentionally mislead the industry into believing that they got something from TCS certification that they did not, certification of HIPAA compliance. I think we need to stop and ask ourselves, does SNIP really have the time, resources and expertise to develop a proper HIPAA Transactions and Code Sets Compliance Certification Program? Can we do it in the timeframe in which it needs to be done? Or is our goal really something less than certification? Is it really validation? Webster's defines certification as 1. to attest as certain 2. to guarantee; endorse - but the one entity who has published its process of certification offers no guarantee and no warranty. Validate is defined as to make valid; substantiate. Substantiate is defined as to establish by proof or competent evidence. It seems pretty clear that our recommended process for testing can only result in validation of testing compliance not certification of HIPAA TCS and Code Set compliance. I am new to the testing list. Maybe this whole issue was put to bed a long time ago. If it has, I apologize to the group but ask that we run through it one more time for the benefit of the newcomers. Why are we stuck on "certification"? What's wrong with "validation"? Seems to me one of our vendors has already described for our list an excellent process for validation but the issue seems to be they call their process certification. A rose by another name doesn't stink. Does validation bring less value to the industry? No, because validation brings the savings we have been talking about, shorter testing. Does certification bring greater value to the industry, quite likely it does but I would submit that certification, as it is actually defined and as a methodology, has not been our real focus here to-date. I know there are people who have a great many years of experience in testing and certification looking at our process now and finding it lacking. I think these folks may have a pretty good case. I have seen a white paper derailed when one of our groups could not form consensus and a well articulated and perhaps valid argument was presented by a group similar to the one that is forming against our interpretation of certification. Can we afford to have our paper on testing derailed because of one word? Especially when it seems we have to bend the meaning of that word in order to make it fit? I encourage the group to ask themselves, are we listening? Are we open to contrary opinions and interpretations on this issue? How are we addressing them? Are we using some formal method to do so? I think we need to be careful to cross our t's and dot our i's because when an industry who thinks they paid for certification ends up only with validation, we could be the ones to blame. Marcallee Jackson Long Beach, CA 562-438-6613 P.S. Because this issue is so critical and for the benefit of other members, I have copied the Transaction and Business Issues lists. If you receive duplicate messages, please excuse the inconvenience. -----Original Message----- From: Miriam Paramore [mailto:[EMAIL PROTECTED]] Sent: Wednesday, December 18, 2002 3:48 PM To: WEDI SNIP Testing Subworkgroup List Subject: FW: Public Comment: NCQA Releases Draft Standards for Privacy Certification Program For Business Associates In a recent post during the discussion of certification, I mentioned this program that NCQA is doing. Notice they use the word "certification". Even though this is for Privacy, it shows that groups like WEDI are trying to set the bar. Best Regards, Miriam J. Paramore President & CEO PCI: e-commerce for healthcare 9001 Shelbyville Road iTRC Building Louisville, KY 40222 502-429-8555 www.hipaasurvival.com --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-testing as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-testing as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-testing as: [email protected] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
