HIPAA Overview (Health Insurance Portability and Accountability Act 1996) May 2002 VACSB - HIPAA Committee
Training Objectives
Provide an overview of HIPAA regulations.
Review Privacy Rule requirements.
Review Security Rule requirements.
Review Administrative requirements.
Provide HIPAA Committee “draft” templates.
Summarize most current proposed changes.
Learn how to insert a Hippo into your next presentation.
What is HIPAA?
Fed. Regulation/law - Kennedy & Kassebaum
Improve “portability and continuity” of health insurance coverage.
Provide administrative simplification and consistency - Standard Code Sets and Transactions.
Assure privacy and security of confidential protected health care information (PHI).
Increase provider accountability - PHI.
Increase consumer rights - PHI.
What is the purpose of HIPAA?
Identify provider responsibilities around PHI.
Reduce health care costs.
Reduce health care fraud and abuse.
Control use and disclosure of “protected health information” (PHI).
Regulate how PHI is transferred and managed by technology, individuals, and agencies.
Covered Entities Who Must Comply
Health care organizations that capture & maintain individually identifiable health care data. Three categories:
Providers - conduct certain administrative and electronic transactions
Health care Plans
Clearinghouses
Covered Entities
Plan - i.e., Medicaid, Blue Cross/Shield
Provider - i.e., CSB
Clearinghouse - i.e., Billing Company
Timelines for Compliance
Transactions and Code Sets - October 2003 (With Extension)
Privacy Regulations - April 2003
Security Regulations - Final regs. pending (Spring 2004?)
HIPAA Regulations
Electronic Transaction/Code Sets - Sets uniform standards (Administrative Simplification.)
Privacy Regulations - Identifies what health care information is protected.
Security Regulations - Identifies how information is to be protected.
Identifiers - Employer, Payer, National.
Health Care Operations
Includes “general administrative and business functions” necessary for a covered entity to remain a viable business (i.e., audits, quality improvement functions, assessments).
Health Information
Any information recorded in any form or medium which:
Is created/received by a Covered Entity that creates, receives, uses, or transmits PHI,
Relates to the past, present, or future physical/mental health condition of an individual, their participation in, or payment for such services, and
Identifies the individual.
Protected Health Information (PHI)
All individually identifiable health data or information collected, maintained, or transferred by a Covered Entity.
Protected Health Information (PHI)
Name
Address
Social Security #
Birth Date
Demographic info.
Medical Record #
Email address
Account numbers
License/Certificate #
Vehicle identifiers
Bio-metric identifiers
Telephone numbers
Place of employment
Full face photograph
Fax number
Health Plan number
De-identified information
Health information which is stripped of individual identifying elements.
In this form, remaining data would not be sufficient to identify the consumer.
Privacy Notice *
Written document - plain language.
Posted & shared with consumers.
Explains how PHI will be used/disclosed by provider.
Identifies consumer rights.
Lists provider duties to protect PHI.
Use vs. Disclosure
Use - Sharing, utilization, examination, & analysis of PHI maintained internally within the provider.
Disclosure - Release, transfer, access to, or sharing in any manner of PHI outside the entity maintaining the information.
Minimum Necessary Rule
Rule applies to Uses/Disclosures.
Essential element of privacy protections.
Covered Entities must make reasonable efforts to limit use, disclosure, and request for PHI to the “minimum necessary” to accomplish the intended purpose.
Minimum Necessary Rule
Asks - How much information is needed to achieve your purpose?
Applies to all forms of communication.
Use - Requires policies & procedures (P&P) classifying staff by role/position.
Disclosure - Requires P&P addressing criteria to limit disclosure & reviewing of requests.
With request - Must limit request to that which is necessary.
Access to PHI (Protected Health Info.)
Opportunity to approach, inspect, review, and make use of data or information.
Actions by a consumer or health care provider with appropriate authorization.
Consent and Authorization
Consent - Document gives provider consent to carry out treatment, payment, or health care operations (TPO).
Authorization * - AKA “Release of Information.” Document used for purposes other than TPO.
Electronic Transaction & Code Set Standards
National Electronic Standards - provides automated transfer of certain health care data between health care payers, plans, and providers.
Replaces nonstandard formats and code sets with standard electronic transactions and code sets.
Which Administrative & Financial Transactions?
Health claim or encounter information.
Eligibility for a health plan inquiry.
Referral certification & authorization.
Health care claim status.
Health care payment and remittance advice.
Health plan premium payments.
Enrollment & dis-enrollment in a health plan.
First report of injury.
Health claim attachments.
And - Coordination of Benefits
Transaction/Code Sets Standards
Code Sets Examples: ICD-9, CPT-4, HCPCS, DSM IV
Compliance Deadline with Extension: October 15, 2003
Benefits of Standardization of Electronic Transactions/Code Sets
Standardized Formats – Will reduce number of formats used for health care administrative and financial transactions nation-wide.
Billing becomes more efficient.
Internal administrative savings related to staffing, response to complaint calls, and billing reconciliation.
Privacy Rule
Applies to all protected health information (PHI).
Does not prohibit the exchange of PHI for treatment, payment, or health care operations (TPO) within agency.
Written Consent is required.
Privacy Rule Impacts
HR - employee PHI
Consents/Authorization
Privacy Notifications
Uses & Disclosures
Health care operations
Consumer access to & amendment of PHI
Business Associate Agreements
Provider responsibilities
Privacy Rule Highlights
Protects privacy of medical records and covers:
Electronic records & printouts of records
Written records
Oral communications
Consumers give Consent for routine PHI release purposes (TPO).
Privacy Notice - documents consumer’s rights and the provider’s responsibilities.
Consumers Rights under HIPAA
Inspect/copy information (medical record).
Request to amend information if inaccurate or incomplete.
If request is denied - consumers may file a complaint with CSB or federal government.
Consumers may request Disclosure History - disclosures other than those covered by TPO.
Business Associate Agreements
Business Associates - Those entities that do things on our behalf with whom we share/give access to PHI.
Business Associate Agreements - Establish permitted uses, disclosures, and safeguards for PHI.
Privacy Compliance Will
Allow flow of PHI for treatment, payment, and related health care operations (TPO).
Prohibit flow of PHI unless voluntarily authorized by the consumer.
Allow consumers to know who is accessing their PHI outside of TPO use.
Allow consumers to obtain access to their records & request amendment of records if inaccurate or incomplete.
Provider Responsibilities
Provide formal complaint handling system.
Allow use of de-identified data.
Follow “minimum necessary” requirements.
Establish Business Associate Agreements.
Duty to mitigate damage if violations occur.
Establish sanctions for HIPAA violations.
Privacy Penalties
Civil Penalty: $100 - $25,000 maximum/year/person/same violation.
Criminal Penalty: $50,000 - $250,000 fines and 1-10 years in prison.
Commercial Advantage/Personal Gain: $250,000 and 10 years in prison.
Consent Exceptions
Consents not required for:
Indirect treatment relationships.
Inmates.
When required by law to treat (i.e., Court Ordered).
In case of substantial communication barriers.
In cases of emergencies.
Privacy Preemption
HIPAA will preempt state laws relating to PHI, except for those contrary to & more stringent than HIPAA.
Organizational Practices - Security
Staff training.
Role based access.
Remote access site security issues.
Electronic/wireless devices (i.e., laptops).
Gap Assessment. *
Authentication of users.
Organizational Practices - Security
Policies/procedures for workstation use.
Security of workstation locations.
Security Incident Reporting.
Termination procedures.
Media controls.
Audit trails.
Encryption.
Security Rule
Deals with how PHI is secured:
Access to PHI.
Minimum Disclosure Rule.
Encryption/digital signatures.
Background checks.
Physical (facility) security.
Final Security Rule – Pending.
HIPAA Identifier Standards
Pending HIPAA Regulation
Employer ID
Provider ID
Payor ID
Final Identifier Rule: Pending in HHS
Required Administrative Procedures
Designate Privacy & Security Officers.
Complete gap analysis. *
Develop a plan for HIPAA compliance.
Identify Business Associates and establish agreements.
Revise/develop P&P for HIPAA.
Provide & document HIPAA training.
Address access control issues.
Have internal audit processes in place.
Required Administrative Procedures
Develop formal Consumer Complaint Syst.
File - Extension: Code Sets/Transactions.
HIPAA Compliance Certification (IT)
Develop Disaster/Contingency Plans.
Identify security incident procedures.
Meet personnel security requirements.
Develop a security management system.
Identify Sanctions for violations.
Test your system.
Summary: Vocabulary
Covered Entity
PHI
TPO
Privacy Notice *
Consent
Authorization *
Minimum Necessary
Business Associate Agreement
De-identification of PHI
Proposed Changes
Strengthen Privacy Notice provisions.
Eliminate Consent - Acknowledge receipt of Privacy Notice.
Maintain “minimum necessary rule” while allowing treatment-related conversations.
Assure appropriate parental access to their children’s records. (state law will govern)
Prohibits use of records for marketing.
Assure privacy without impeding research.
Provide model business associate provisions.
Resources
http://aspe.hhs.gov/admnsimp/index
http://www.hhs.gov/ocr/hipaa
http://www.ahima.org/hot.topics
http://www.wedi.org/
http://www.samhsa.gov/hipaa
http://www.afehct.org
http://www.healthprivacy.org
http://www.hipaalert.com
http://himinfo.com/news/hipaa
http://www.hipaadvisory.com/regs/
For more information or questions on HIPAA please contact:
Demetrios Peratsakis
Executive Director, Western Tidewater CSB
757-925-2406 or
HIPAA Committee Deliverables
Drafts - Pending Attn. General’s Review
Email Policy
Fax Policy
Privacy Notice
Authorization Form
Extension Template – Trans./Code Sets
Internet Policy
Gap Analysis Survey Tools (3)
Glossary of HIPAA Terms
HIPAA Committee Deliverables
Future Documents to be Released
Minimum Necessary Policy
Compliance Process Policy
Business Associate Agreement Template
Remember!!!
Together we are making a difference...
8 May-02
As promised - How to insert a Hippo in your next PowerPoint Presentation:
In MS PowerPoint
Go to “Insert”
Choose “Picture/Clip Art”
Type - “Hippopotamus.”
Pick your hippo and choose “Insert.”