Transcript Health Insurance Portability and Accountability Act (HIPAA

b
Healthcare
HIPAA Overview
February 2001
What is HIPAA?



HIPAA is the Health Insurance Portability and Accountability Act of 1996 (PL 104-191)
Also referred to as the Kennedy-Kassebaum Act
HIPAA was enacted by the federal government on August 21, 1996 with the intent to
assure health insurance portability, reduce healthcare fraud and abuse, guarantee
security and privacy of health information and enforce standards for health information.
Focus of this
discussion
2
When people talk about HIPAA,
what they are referring to is…

Title II, Subtitle F

Administrative Simplification:
– Data Standardization
Code Sets
Transactions
Identifiers
– Security
– Privacy
3
Why Federal Regulations?
Healthcare is
1/7 of the GNP
1. Effective healthcare
delivery requires
enormous administrative
effort
Lab
Provider
Office
Insurance
Carrier
2. The healthcare industry has the most
to gain from recent technological
advances
Employer
Member
Hospital
Bank
Pharmacy
Electronic
Connectivity
Credit Card
Company
Specialist
Consultant
Medical
Library
3. However, the healthcare
Industry lags other
industries in taking
advantage of these
technological advances
Third Party
Pharmaceutical
New
Administrator
Company Government
Players
4. Some believe
streamlining requires a
mandate for massive and
coordinated change
4
Why Federal Regulations?
Public Opinion - Privacy

88% of consumers are concerned about their privacy*

20% of consumers believe that their health information has been used or
disclosed inappropriately**

54% of consumers feel that electronic medical records are the greatest
privacy threat**
Sources:
*Louis Harris & Assoc., 1998
**California Healthcare Foundation, 1999
5
Who must comply with HIPAA?

Healthcare organizations
– Providers
– Health plans
– Clearing houses that handle covered patient information - all confidential patient or member information in any
form: electronic, written or verbal.

Other healthcare entities may be required to meet HIPAA standards based on the chain of trust
agreement requirement.
–
–
–
–
–
–
–
–

Clinics
eHealth.coms
Employers (self insured)
Home Health
Hospice
Pharmacies
Physician Groups
Other Providers
Higher Education – Unique Considerations
– Student Health Center and Counseling Center = Exempt Provider

Regulations define student health records as a FERPA protected education record when health record is
used for other than medical treatment purpose, including release to individual Student who is subject of
information
– Employee Health Services = Provider
– Research Hospitals = Provider
– Research Involving Human Subjects
6
Penalties for non-compliance

Data standardization penalties
– $100 per person per violation
– No more than $25,000 per person per year for violations of a single standard

Misuse of member health information
– Not more than $50,000 and/or 1 year in prison
– Under false pretenses, not more than $100,000 and /or 5 years in prison
– With intent to sell, harm, etc, not more than $250,000 and /or 10 years in prisoneasdf

OCR charged with enforcement. OIG authorized to conduct criminal investigations

Industry Concern: HIPAA compliance may become accreditation criteria


Joint Commission of Accreditation for Healthcare Organizations

National Committee for Quality Assurance
Industry Concern: HIPAA compliance may become a requirement for participation with
Federal funded programs
7
HIPAA Administrative simplification impact
Technology
Issues
Electronic
Transaction
Standards &
Unique
Identifiers
Business
Issues
Code Sets &
Claims
Attachments
Security
8
Privacy
Standards
HIPAA timeline
Mandatory Compliance
Final Rule - 12/28/2000
26 months to comply
Final Rule (estimate) - March 2001
Final Rule - August 15, 2000
26 months to comply
Data
Standards
Security
January 1997 - Effective date of Title II
All Subtitles Except Subtitle F
August 1996 - HIPAA Enacted
26 months to comply
October 15, 2002 Compliance
Title II
HIPAA
Privacy
February 26, 2003
Compliance
Final Data Standardization requirements

Electronic transaction standard
–

X12N standards facilitate transactions by establishing a common, uniform business
language for computers to communicate across town or around the world.
Electronic transactions to be standardized
–
–
–
–
–
–
–
–
–
Health care claims or equivalent encounter information.
Enrollment and de-enrollment in a health plan.
Eligibility for a health plan.
Health care payment and remittance advice.
Health plan premium payments.
Health care claim status.
Referral certification and authorizations.
Coordination of benefits.
Standard Claims Attachments
10
Final Data Standardization requirements
 Standard code sets
– ICD-9-CM, International Classification of Diseases, 9th Rev., Clinical Modification
– CPT-4, Physician Current Procedural Terminology
– Alpha-numeric HCPCS, HCFA Procedure Code System
– CDT-2, Current Dental Terminology
– NDC, National Drug Codes
 Unique identifiers - Proposed
– Providers
– Employers
 Unique identifiers - Delayed
– Plans
– Patients
11
Proposed Security requirements

–
–
–
–
–
–
–

 Technical Security
Administrative Security
Certification
Contingency plan
Information access control
Security configuration management
Security incident management
Security management process
Requires Security Officer
– Access control
– Audit controls
– Authorization control
– Entity authentication
 Electronic Transmission
– Communication/Network
Physical Data Security
–
–
–
–
controls
End user security awareness
Physical access control
Media
Secure workstation use and availability
12
 Electronic Signatures
– Digital signatures
Highlights of the Final Privacy Regs
•
Published December 28, 2000
•
Compliance required by February 26, 2003
•
Preamble addresses 53,000 comments
•
The document uses the term “reasonable” 265 times
13
Highlights
•
Regulations apply to covered entities (providers, clearing houses and health plans)
•
Applies to all member health information: electronic, paper and oral communications
•
Requires providers to obtain consent prior to treatment, payment and operations. May
condition treatment or enrollment
•
Allows full disclosures to providers for purposes of treatment. Retains provision for
minimum necessary requirements for routine, recurring and other, non-routine disclosures
•
Distinguishes between consent for treatment and authorization for other disclosures.
Protects against unauthorized use of information for employment purposes
•
Allows legally separate, but affiliated covered entities to designate themselves as a single
covered entity
•
Replaces ‘business partner’ with ‘business associate’ and reduces liability from ‘should
have known’ to take action if aware
•
Requires Privacy Officer and Security Officers
14
Highlights
•
Permits certain marketing and fundraising activities
•
Requires Notice of Information Practices
•
Requires training
•
Defines right to request restrictions on uses and disclosures
•
Defines right to receive accounting of disclosures
•
Defines right to access, inspect, copy and request amendments to records
•
HIPAA intended as a floor, not a ceiling. Whichever rule is more stringent, state or
federal, applies.
•
Establishes whistleblower procedure - covered entities precluded from retaliating
•
Gives HHS Office of Civil Rights (OCR) enforcement responsibility
15
AA HIPAA Assessment

Conduct high-level HIPAA gap analysis of business units and core business
information systems

Identify gaps between current technology/practices with HIPAA’s
– final data standardization and privacy requirements and
– proposed security requirements

Develop remediation recommendations and a high-level workplan

Develop high-level cost estimates for remediation
16
Assessment Alternatives – Office of Information and Educational Technology


University Hospital Consortium Contract (UCDMC)
–
SAIC
–
Cap Gemini/Ernst and Young
External HIPAA Specialists
–
–
–
–

Arthur Anderson
Computer Associates
KPMG
PricewaterhouseCoopers
Projected Initiation Date – Spring 2001
17