ICD Codes Get a Makeover
ICD-10 hit the medical community on Oct. 1, 2015, after a yearlong delay in implementation. This is the 10th revision of the International Classification of Diseases (ICD), a medical classification list from the World Health Organization (WHO). The list is extensive and contains codes for diseases, signs and symptoms, abnormal findings, complaints, social circumstances and external causes of injuries or diseases.
The use of ICD-10 is mandated by the federal government for all institutions that fall under HIPAA privacy guidelines, which were first implemented about a dozen years ago. But a lot of things have changed in medicine since then, most notably the rise of electronic health records (EHRs) to store patient information.
Transitioning to this updated code gives organizations a chance to evaluate their systems and procedures from a security point of view. Of course, HIPAA standards on what kinds of patient information must be protected will come into play, but these regulations can form a baseline for enhanced security. Acknowledging that security is not an afterthought but an integral and mandated part of a system that deals with patient information can only help the outcome of this evaluation effort.
Relatively simple ideas such as evaluating which members of the health care team truly need access to a patient’s ICD-10 information may seem obvious, but they can end up being structured and implemented in a haphazard manner. The overall process of controlling the data workflow around the new coding system must take into consideration the potential for the mishandling of patient information. Staff must be made aware of what is acceptable and what is not through training and security awareness programs.
Reviewing Current Systems
Computing systems that will be utilized in the coding changeover must also be reviewed for security. This review typically involves the suppliers of both software and hardware for a facility. Legacy systems that were once functional when paper records were king may need to be updated to live and thrive in an EHR world.
It is important to evaluate whether current software is up to the task of securely dealing with the greatly increased number of procedure codes in ICD-10. The process of converting from ICD-9 codes to ICD-10 codes is disruptive enough by itself, and having to fight software that cannot handle the new format will doom the effort. Integrating a patient’s EHR data into the billing process must be facilitated by the EHR software itself, or unnecessary friction will follow in the years to come.
How patient information is handled over a network must also be reviewed. Protected information that falls under HIPAA must be secured whether it is stored in-house or externally. Any communication between a facility and a payment clearinghouse, for example, should not be easily intercepted by third parties. Advanced encryption and other security measures can help achieve this, but it will likely require more effort on the part of CISOs and security teams.
ICD-10 implementations offer a great opportunity to step back a bit and look at how security can be strengthened in the medical area. The new codes complement the rise of EHR systems, and savvy professionals will find ways to make these two work together in a secure and seamless manner.
Principal, PBC Enterprises