Transcript Slide 1

HIPAA Transmission, Privacy and Nondiscrimination Rules 2007
Presented by
Elena Chan, UCSF Pharm.D. Candidate
Tiffany Jew, USC Pharm.D. Candidate
PRO PHARMA
PHARMACEUTICAL CONSULTANTS, INC.
March 14, 2007
HIPAA
Health Insurance Portability & Accountability Act of 1996
HIPAA
Title I: Health Insurance Portability
Title II: Administrative Simplification
  Unique Identifiers
  Security Standards
  Elec. Signatures
  Standard Transactions & Code Sets
  Privacy Regulations
Title III, IV, V: Other Provisions
HIPAA Compliance Issues
Portability
Nondiscrimination
Privacy
Electronic Transactions
Security

Privacy – “Protected Health Information”
Individually identifiable Health Information
Created by “Covered Entity” or Employer
Health and Demographic Information
Relates to past, present, future physical or mental health or condition of Individual or Payment
Regardless of format, if Entity ever engages in covered transactions
Who is Covered?
Covered entities
  Health Plans
  Health Care Providers
  Health Care Clearinghouses
HHS has no authority to regulate many key stakeholders who receive PHI from a Covered Entity
Business Associates must comply
Covered Entities Must
Provide information on Privacy Rights
Adopt Privacy Procedures
Appoint a Privacy Official
Establish Grievance Procedures
Amend plan to include specific provisions
Provide Privacy Training to Employees
Have safeguards to prevent disclosure
Rule’s Limited Scope
“…once PHI leaves a Covered Entity, the Department no longer has jurisdiction under the statute to apply protections to the information.”
Business Associates
Claims Processing / Administration
Data Analysis
Processing or Administration
Utilization Review
Quality Assurance
Billing
Benefit Management
Practice Management and Repricing
Legal
Actuarial
Accounting
Consulting
Data aggregation
Management services
Administrative services
Accreditation services
Financial services
Business Associate Contract
Will not disclose PHI
Appropriate safeguards
Disclosure of non-contract PHI
Assure that agents / subcontractors agree to same restrictions
Accounting of all disclosures
Contract termination if Breach of Confidentiality
Oversight of Business Associates
Training program
Reporting mechanism for violations
Corrective actions / Mitigate Damages
Contract termination
Policies & Procedures
Auditing annually
Government Fines:
-up to $100/violation/person
-up to $25K / year
Consents and Authorizations
Not required for treatment, payment, health care operations (TPO)
Otherwise consent or authorization must be obtained for purposes other than TPO:
  Marketing
  To release medical records to life insurer
Authorization Requirements
Must be very specific and written in plain language:
  Describe PHI – “all Health Information”
  Name or ID of person authorized to release
  Name or ID of person/class to whom PHI goes
  Expiration date or event
  Individual’s right to revoke
  PHI may be reused and is no longer protected
“Minimum Necessary”
Covered entities must have policies/procedures to limit disclosures to minimum necessary
Doesn’t apply to:
  PHI given to the individual or their personal representative
  PHI authorized by the individual
  Information for treatment purposes
Security Standards
Administrative Safeguards
Covered entities must adopt a written set of policies/procedures
Designate a privacy officer
ID employees who will have access to PHI
Ongoing training program
Contingency plan for emergencies or security breaches
Physical Safeguards
Controlled access to media
Limit to authorized people
Keep away from plain sight or high traffic areas
Dispose of PHI properly
Technical Safeguards
Controlled access
Encryption
Authentication
Employer ID number
National Provider ID
Unique Identifier (for individuals)
Electronic Transactions
National standards to simplify and improve efficiencies
Transaction Inclusions:
  Claims Submissions
  Enrollment / Disenrollment
  Coordination of Benefits
  Patient Eligibility Request / Response
  Claim Status Request / Response
Electronic Transactions Standards
ANSI ASC X12N, version 4010
  Providers
  Disease Management
  DME
NCPDP 5.1
  Product claims transactions
  DUR
Electronic Transactions – Coding Standards
ICD-9: Diagnoses & Inpatient Services
CPT-4: Professional Services
CDT-3: Dental Services
NDC: Drugs
HCPCS / J CODES: Injectables (Not Self-Administered) and Procedures
Providers: NPI
Privacy Rule – A Summary
Notify patients about their privacy rights
Adopt and implement privacy procedures for a practice, hospital, or plan
Train employees
Designate a Privacy Officer
Implement security standards for PHI
HIPAA INFORMATION
http://www.hhs.gov/ocr/hipaa/
http://www.hipaa.org/
Guide to Medical Privacy & HIPAA, Thompson Publishing Group
HIPAA Portability & Privacy, EBIA
The Institute for Community Pharmacy: 818-549-2285
Any Questions?