HIPAA - NC DHHS Office of Privacy and Security

Health Insurance Portability and Accountability Act (HIPAA)
Attorney General Office Staff Training
May 17, 2001
Presented By NCDHHS
HIPAA PMO Staff:
Sarah Brooks, MPA, RHIA
Business Operations Manager
TRAINING
OBJECTIVES
• Provide High Level Overview of HIPAA
Regulations
• Clarify DHHS Agencies Covered Under
HIPAA
• Explain Approach Adopted by NC DHHS to
Address HIPAA
• Identify HIPAA Resources
5/10/01
NCDHHS - HIPAA PMO
2
ADDRESSING HEALTHCARE’S TOWER OF BABEL
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
(Slide illustration: “The Tower of Babel”, Pieter Bruegel)
CURRENT INDUSTRY
LIMITATIONS / CONCERNS
– Over 400 different proprietary claim forms and/or
file formats dictated by payers
– Administrative overhead, including claims
processing, accounts for > 20¢ of every health care
dollar
– Average “Accounts Receivable” 60 days
– Increased computerization does not adequately
address privacy and security concerns
FEDERAL RESPONSE
Health Insurance Portability and Accountability Act (HIPAA)
– Public Law 104-191, August 21, 1996
– Amends the Internal Revenue Code of 1986
WHAT DOES HIPAA ACCOMPLISH?
• Guarantees Health Coverage When Job Changes
• Reduces Fraud and Abuse (Medicare/Medicaid)
• Administrative Simplification
– Establishes national standards for:
• Electronic (EDI) transactions
• Security and privacy of health care information
• Identifiers such as provider, payer and employer
– Improved efficiency of processing health care information
– Ultimately should lower administrative overhead
• Currently estimated at $300 Billion per year nationwide
• Preempts State Laws Unless More Stringent
ADMINISTRATIVE
SIMPLIFICATION REGULATIONS
• Title II, Subtitle F, Administrative Simplification
(FINAL RULES PUBLISHED)
– Electronic Health Transactions Standards
(45 CFR Parts 160 & 162)
• Federal Register, Vol. 65, p. 50312-50372
(published August 17, 2000)
– Privacy and Confidentiality Standards
(45 CFR Parts 160 & 164)
• Federal Register, Vol. 65, p. 82462 - 82829
(published December 28, 2000)
ADMINISTRATIVE
SIMPLIFICATION REGULATIONS
(continued)
(PROPOSED RULES - PUBLISHED)
– Security and Electronic Signature Standards
(45 CFR Part 142)
• Federal Register, Vol. 63, p. 43242-43280
(published August 12, 1998)
– Health Insurance Reform: National Standard
Employer Identifier (45 CFR Part 142)
• Federal Register, Vol. 63, p. 32784-32798
(published June 16, 1998)
– National Standard Health Care Provider Identifier
(45 CFR Part 142)
• Federal Register, Vol. 63, p. 25320-25357
(published May 7, 1998)
ADMINISTRATIVE
SIMPLIFICATION REGULATIONS
(continued)
(PROPOSED RULES - NOT PUBLISHED)
– National Health Plan Identifier (Payer ID)
Scheduled draft publication: Q2/2001
– Claims Attachments
Scheduled draft publication: Q3/2001
– Enforcement
Scheduled draft publication: Q4/2001
– First Report of Injury
Scheduled draft publication: Q4/2001
– National Individual Identifier
Scheduled draft publication: On Hold
REGULATION TIMEFRAMES
Final Standards:
– EDI Transaction and Code Sets: Published 8/17/2000; Final compliance 10/16/2002
  Includes transaction sets:
  • Claims and Remittance Advice
  • Enrollment
  • Eligibility, Inquiry and Response
  • Status Inquiry and Response
  • Request Review and Response
  • Payroll Deduction and Premium Payment
– Privacy: Published 12/28/2000; Final compliance 4/16/2003
Proposed Rules:
– National Provider Identifier: Draft published 5/07/1998; Scheduled final rule Q3/2001
– National Employer Identifier: Draft published 6/16/1998; Scheduled final rule Q3/2001
– Security: Draft published 8/12/1998; Scheduled final rule Q2/2001
Proposed Rules not yet published:
– National Health Plan Identifier: Scheduled draft publication Q2/2001
– Claims Attachments: Scheduled draft publication Q3/2001
– Enforcement: Scheduled draft publication Q4/2001
– First Report of Injury: Scheduled draft publication Q4/2001
– National Individual Identifier: Scheduled draft publication On Hold
WHO IS AFFECTED?
• Covered Entities
– Health Plan (provides or pays the cost of medical care
- e.g., Medicaid, HMOs, BC/BS, Medicare, Champus)
– Health Care Clearinghouse (routes electronic data
between payers & providers - e.g., billing services )
– Health Care Provider who transmits any health
information in an electronic transaction (e.g.,
Hospitals, Physicians, Public Health Departments, Group
Homes, Home Health)
WHO IS AFFECTED?
(continued)
• Business Associates
– Definition: Person who performs a function or activity
on behalf of a covered entity
– Excludes person who is part of the Covered Entity’s
workforce (e.g., Employees, Physicians with Staff
Privileges)
– Contractual Agreements with Covered Entity (e.g.,
Area MH/DD/SAS Contract Agencies, S/W Vendors)
– Complies with HIPAA
• Health Care Providers Who Transmit Paper
Health Claims Must Use New Code Sets
WHY COMPLY WITH HIPAA?
• Avoid Denied and/or Delayed Reimbursements
– DHHS agencies process claims bringing in more than
$550 million in receipts annually
– Annual Medicaid disbursements totaling more than
$4.6 billion
• May Risk Accreditation (e.g., Joint Commission on
Accreditation of Health Care Organizations)
• Public Relations and Business Risk Issues
• Benefit from Long Term Health Care Cost
Reductions
• Imposes Severe Penalties for Non-compliance
IMPOSING COMPLIANCE
• General Civil Penalty for Failure to Comply
– $100/violation/person
– Not to exceed $25,000 in one calendar year
• Criminal Penalties (Privacy) - Person who knowingly and
wrongfully discloses individually identifiable health information is
subject to fines and imprisonment
– Simple Offense - Up to $50,000 &/or 1 year imprisonment
– If Committed under False Pretenses - Up to $100,000 &/or 5
years imprisonment
– If Committed with Intent to Sell, Transfer, or Use Individual
Identifiable Health Information for Commercial Advantage,
Personal Gain, or Malicious Harm - Up to $250,000 &/or 10
years imprisonment
REGULATIONS
OVERVIEW
Healthcare eBusiness Standardization
Electronic Data Interchange Transaction Sets
Standardized Codes Sets
Standardized Identifiers
(EDI/TCI)
EDI/TCI OBJECTIVES
• Definitions
– Trading Partner
– Transaction
– Standard Setting Organization (SSO)
• Transaction Sets
• Code Sets
• Unique Identifiers
TRADING PARTNER
In Electronic Data Interchange (EDI) this generally
applies to two parties engaged in the exchange of
business data through electronic means.
TRANSACTION
The exchange of data between two parties to carry out
financial or administrative activities related to health care.
It includes the following types of information exchanges:
(1) Health Care claims or equivalent encounter information.
(2) Health Care payment and remittance advice.
(3) Coordination of benefits.
(4) Health Care claim status.
(5) Enrollment and disenrollment in a health plan.
(6) Eligibility for a health plan.
(7) Health plan premium payments.
(8) Referral certification and authorization.
(9) First report of injury.
(10) Health claims attachments.
(11) Other transactions that the Secretary may prescribe by regulation.
STANDARD SETTING
ORGANIZATION
An organization accredited by the American National
Standards Institute (ANSI) that develops and maintains
standards for information transactions or data elements,
or any other standard that is necessary for, or will
facilitate the implementation of HIPAA
• ASC X12
• NCPDP
• HL7
• UN/EDIFACT (Interactive Claim)
TRANSACTION SETS
HIPAA Mandated
Transaction Sets
X12 TRANSACTIONS FLOW
(Slide diagram: X12 transactions exchanged among Employers, Health Care Plans and Health Care Providers)
Employers to Health Care Plans (Enrollment, Member Services):
– 834 Enrollment
– 820 Premium Payment
Health Care Providers and Health Care Plans:
– 270 Eligibility Request / 271 Eligibility Response (Eligibility Verification)
– 278 Referral Request / 278 Referral Response (Precertification and Referrals)
– 837 Claim (Service Billing / Claim Submission; Claim Receipt and Routing; Adjudication)
– 275 Additional Information
– 276 Claim Status Request / 277 Claim Status Response (Claim Status; Claim Reconciliation)
– 835 Claim Payment Advice (Accounts Receivable)
IMPLEMENTATION
TIMELINE
The Compliance Date for the
Transaction Sets and Code Sets is
October 16, 2002
PROPOSED IMPLEMENTATION TIMELINE - WEDI/SNIP
Transaction Groups      | Beta/Pilot Testing Period | Payer Readiness Date | Migration Completion
Group 1: 837, 835       | Jul 1, 2001               | Oct 1, 2001          | Oct 16, 2002
Group 2: 270/271, 834   | Dec 1, 2001               | Mar 1, 2002          | Oct 16, 2002
Group 3: 276/277        | Feb 1, 2002               | May 1, 2002          | Oct 16, 2002
Group 4: 278            | Mar 1, 2002               | June 1, 2002         | Oct 16, 2002
Group 5: 820            | May 1, 2002               | Aug 1, 2002          | Oct 16, 2002
HIPAA IMPLEMENTATION
GUIDES
X12 Transactions - Washington Publishing Inc.
www.wpc-edi.org
NCPDP Transactions – National Council of Prescription
Drug Programs
www.ncpdp.org
HL7 Standards – Health Level 7
www.hl7.org
BASIC HIPAA CODE SETS
FUNCTIONS
• Diagnosis
• Medical Procedures
• Drugs
HIPAA MANDATED CODE SETS
• International Classification of Diseases, Ninth
Edition, Clinical Modification (ICD-9-CM )
• Health Care Procedural Coding System
(HCPCS)
• Current Procedural Terminology, Fourth
Edition (CPT-4)
• Current Dental Terminology (CDT)
• National Drug Codes (NDC)
ELIMINATION OF
HOMEGROWN CODES
(NC Medicaid ‘Y’ Codes)
UNIQUE IDENTIFIERS
• National Identifier for Individuals
• National Health Care Identifier of
Employers
• National Standard for Identifiers of Health
Plans
• National Provider Identifier
NATIONAL INDIVIDUAL
IDENTIFIER
• Currently on Hold
• Proposed Rule Is Not Expected to Be
Published in the Near Future
• Pending Congressional Privacy Legislation
NATIONAL EMPLOYER
IDENTIFIER
• Employer ID Will Be The Employer’s Tax ID
• The Internal Revenue Service (IRS) Will Maintain
the Assignment and Reference Facilities
• Nine Digits
NATIONAL HEALTH
PLAN IDENTIFIER
• Plan IDs Will Be Issued to Health Plans
– Plan ID Identifies Three Different Types of Entities: Payers, Group Health Plans, and Provider Networks
  • Payers and Administrators
  • ERISA Group Health Plan, Taft-Hartley Trust, METs, and Other Group Plans
  • PPOs and Similar Organizations
• Proposed Rule Not Yet Published
NATIONAL PROVIDER
IDENTIFIER
• Identifying An Individual
– An individual provider (such as a physician, dentist, nurse, or therapist) receives an NPI that never changes
– If the individual is a health care provider in two different capacities, it is expected that there will still be only a single NPI
NATIONAL PROVIDER
IDENTIFIER
(continued)
• Identifying An Organization
– Organizational health care providers, such as:
• Hospitals
• Clinics
• Laboratories
• Physician group practices
• Home health care agencies
• Pharmacies
• 10 Digits with Right Most Digit Being a Check Digit (Proposed)
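A check-digit validator for the proposed 10-digit NPI format, as an added Python example that is not part of the original presentation. The slide only says that the right-most digit is a check digit; this example assumes the Luhn mod-10 algorithm computed over the nine identifier digits prefixed with "80840", which is what the final NPI standard later adopted, and every sample number below is constructed rather than a real provider's.

```python
# Assumption (not stated on the slide): the final NPI standard computes a Luhn mod-10
# check digit over the nine identifier digits prefixed with the card-issuer prefix 80840.
NPI_PREFIX = "80840"


def _luhn_total(digits: str, double_rightmost: bool) -> int:
    """Luhn sum: every second digit counting from the right is doubled, and a doubled
    value of 10..18 is folded to 1..9 before adding. When computing a new check digit
    the rightmost payload digit is doubled; when validating a complete number the
    rightmost digit is the check digit itself and is not doubled."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if (position % 2 == 0) == double_rightmost:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_check_digit(payload: str) -> int:
    """Digit that makes payload + digit sum to a multiple of 10."""
    return (10 - _luhn_total(payload, double_rightmost=True) % 10) % 10


def luhn_valid(number: str) -> bool:
    return number.isdigit() and _luhn_total(number, double_rightmost=False) % 10 == 0


def npi_check_digit(nine_digits: str) -> int:
    if len(nine_digits) != 9 or not nine_digits.isdigit():
        raise ValueError("NPI body must be exactly nine digits")
    return luhn_check_digit(NPI_PREFIX + nine_digits)


def make_npi(nine_digits: str) -> str:
    """Append the check digit to a nine-digit body to form the ten-digit NPI."""
    return nine_digits + str(npi_check_digit(nine_digits))


def is_valid_npi(npi: str) -> bool:
    """Reject anything that is not ten digits or whose check digit does not match.
    A single wrong digit or a transposition of adjacent digits changes the Luhn sum,
    which is the whole point of carrying a check digit in a keyed-in identifier."""
    return len(npi) == 10 and npi.isdigit() and luhn_valid(NPI_PREFIX + npi)


if __name__ == "__main__":
    sample = make_npi("123456789")      # constructed sample body, not a real provider
    print(sample, is_valid_npi(sample))  # 1234567893 True
    print(is_valid_npi("1234567839"))    # adjacent digits transposed: False
```

A claims front end would run `is_valid_npi` on every provider identifier before accepting a transaction, so that a mistyped NPI is rejected at intake instead of surfacing later as a denied or misrouted claim.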
HIPAA TRANSACTIONS, CODE
SETS AND UNIQUE IDS
• Code Sets are Used in the Transactions
• Unique IDs are Used in the
Transactions with Proprietary Values
until They are Defined
• Required Use of Standards
REGULATIONS
OVERVIEW
PRIVACY
BASIC PRINCIPLES
• First Comprehensive Federal Law to Protect
the Privacy of Individually Identifiable Health
Information
– HIPAA Protections
• Importance
– To Patients
– To Healthcare Providers/Plans/Clearinghouses
• Protected Health Information (PHI)
– Past, Present, Future Health Information
– Electronic/Paper/Oral
– Best Practice
PROTECTED HEALTH
INFORMATION (PHI)
• Individually Identifiable Information
– Name
– Address
– Social Security Number
– Names of Relatives
– Unique Identifiers
– Telephone/Fax/Other Numbers
– Geographic Designation Smaller than State
– Photograph
GENERAL PROVISIONS
• HIPAA Preempts State Laws
– Provides uniform “floor” for protection
– More stringent current state laws will stand
– More stringent future state laws allowed
• Allows Consumer Control
– Establish rights of patients regarding their
confidential health information
• Recognizes Public Responsibility
– Balance of individual privacy and the public need
to know
GENERAL PROVISIONS
• Healthcare Provider Responsibilities
– Protect health information
– Secure health information
– Provide complete information to other Healthcare
Providers
– Provide “minimum necessary” information to other
requesters
– Create De-identified information when feasible
  – Remove
  – Code
  – Encrypt
  – Eliminate/conceal
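The de-identification techniques the slide lists (remove, code, eliminate/conceal) applied to a constructed patient record, as an added Python example that is not part of the original presentation. The field names, the sample record and the demo key are assumptions; "code" is implemented as a keyed HMAC pseudonym so one patient's records stay linkable without revealing who they are, and the "encrypt" option is left out because it needs a cryptography library beyond the standard one.

```python
import hashlib
import hmac

# Direct identifiers named on the PHI slide. The field names are assumptions for this example.
DIRECT_IDENTIFIERS = {
    "name", "address", "ssn", "relatives", "unique_ids",
    "telephone", "fax", "other_numbers", "photo",
}
# Geographic designations smaller than the state are concealed; the state itself is kept.
SUB_STATE_GEOGRAPHY = {"address", "city", "county", "zip"}

# Constructed sample record; none of these values belong to a real person.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "address": "12 Example Lane",
    "city": "Raleigh",
    "county": "Wake",
    "state": "NC",
    "zip": "27601",
    "ssn": "000-00-0000",
    "relatives": ["John Sample"],
    "telephone": "919-555-0100",
    "photo": "photo_0001.jpg",
    "unique_ids": {"medicaid": "MID-000000"},
    "age": 47,
    "diagnosis_icd9": "250.00",
}
DEMO_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: kept by the covered entity only


def pseudonymize(value: str, key: bytes) -> str:
    """'Code' technique: a keyed HMAC-SHA256 token. The same input under the same key
    always yields the same token, so a patient's records remain linkable, while without
    the key the token cannot be turned back into the original identifier."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def deidentify(record: dict, key: bytes) -> dict:
    """Apply remove / code / eliminate-conceal to one record and return a new dict.
    Clinical content (age, diagnosis) is retained; identifiers are dropped; the
    patient is referred to only by the coded token."""
    out = {"patient_code": pseudonymize(record["ssn"], key)}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in SUB_STATE_GEOGRAPHY:
            continue  # removed outright
        out[field] = value
    return out


def residual_identifiers(record: dict) -> set:
    """Release check: which of the listed identifiers are still present in a record?"""
    return (DIRECT_IDENTIFIERS | SUB_STATE_GEOGRAPHY) & set(record)


if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD, DEMO_KEY)
    print(cleaned)
    print("residual identifiers:", residual_identifiers(cleaned))  # set()
```

`residual_identifiers` is the check worth wiring into any export path: a record that still carries one of the slide's identifiers should never leave the entity as "de-identified", and the key used for the coded token must be held separately from the released data set.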
GENERAL PROVISIONS
• Healthcare Provider Responsibilities (continued)
– Establish an Internal Complaint Process that
provides individuals with means to lodge
complaints about the entity’s information practices,
and maintain a record of any complaints
– Develop a system of sanctions for members of the
workforce and business partners who violate the
entity’s policies
– Enforcement and Compliance
NOTICE
• Notice of Information Practices
– Brochure
– Pamphlet
– Posted on Wall
• Notice must include anticipated uses and
disclosures of protected health information
without the patient’s written authorization
PATIENT’S RIGHTS
• Right to be informed through NOTICE
• Right to inspect and review record
• Right to receive copies
• Right to amend/correct copies
• Right to add supplemental information
• Right to restrict Use and Disclosure of information
• Right to Accounting of Disclosures
• Right to a personal representative
• Right to revoke authorization
• Right to appeal
ACCESS TO RECORD
• Healthcare Provider Provides Access
– 60 days after receiving request
– Extended 30 more days without reason
– Provide patient with a summary of records if
agreed upon in advance
– Recover cost-based fee for providing patient
with a copy, explanation or summary of
records
DENIED ACCESS
• Healthcare Provider Denial of Access with Opportunity for Review when, in the Opinion of a Licensed Health Care Professional:
– Information would endanger life or safety of patient or others
– References to others are reasonably likely to cause substantial harm to that other person
– Request was made by the patient’s personal representative and access would likely cause substantial harm to that person or others.
DENIED ACCESS
• Healthcare Provider Denial of Access
Without Opportunity for Review
– Psychotherapy Notes
– Information compiled for civil, criminal or
administrative actions
– Inmate request that would jeopardize health or
safety of inmate or others
– Research that includes treatment
– Information obtained from an anonymous source
under a promise of confidentiality
USE AND DISCLOSURE OF PHI
• Use: Protected Health Information is
“used” when shared, examined, applied or
analyzed within the covered entity that
maintains the information
• Disclosure: Protected Health Information is “disclosed” when released, transferred, given access to or divulged outside the entity holding the information.
USES AND DISCLOSURES WITH
INDIVIDUAL AUTHORIZATION
• A General Consent is required for use or
disclosure of information for treatment,
payment and health operations.
• A more specific Authorization is required
for use or disclosure of information for
purposes other than treatment, payment or
health operations.
USES AND DISCLOSURES WITHOUT
INDIVIDUAL AUTHORIZATION
• Disclosures For:
– Public health activities
– Health oversight activities
– Judicial and administrative proceedings
– Governmental health data systems
– Research, emergency circumstances, next of kin, and as required by other laws
– Coroners and Medical Examiners
– Law Enforcement
– Directory information
– Banking and payment processes
BUSINESS ASSOCIATES
• Application to Business Associates
– Establish contracts that ensure Business
Associates exercise an appropriate level of
care related to privacy and conform to
HIPAA regulations
– Must treat PHI the same as the covered
entity
– Covered entity must take action if it is
learned that Business Associate is not
protecting PHI.
ADDITIONAL PROVISIONS
• Application to Information About Deceased
Persons
– Same as if person was alive
• Application to Covered Entities That Are
Components of Organizations That Are Not
Covered Entities
– Hybrid Entity (Covered functions are not the
primary functions of the entity)
IMPLEMENTATION
REQUIREMENTS
• Policies and Practices must be developed
and documented
• Scalability
– Appropriate to the nature and scope of the
business that enables protection of health
information in accordance with the rules
IMPLEMENTATION
REQUIREMENTS
• Designation of Privacy Officer
• Provide Privacy Initial & On-going
Training to Workforce
• Develop internal policies and forms
• Implement Safeguards
– To protect health information from intentional
or accidental misuse
• Audit and QA
IMPLEMENTATION TIMELINE
The Compliance Date
for the Privacy is
April 14, 2003
REGULATIONS
OVERVIEW
SECURITY
SECURITY OBJECTIVE
To Protect the Confidentiality, Integrity
and Availability of Individual
Health Information, While Permitting
the Appropriate Access and Use of
That Information by Healthcare
Providers, Healthcare Plans and
Healthcare Clearinghouses.
SCOPE OF SECURITY
REGULATIONS
• Applies to Healthcare Providers, Plans and
Clearinghouses
• Applies to All Size Organization (Physician
Offices, Medical Centers, County Public
Health Departments, HMOs, Medicaid, etc.)
• Applies to All Health Information Pertaining
to an Individual That Is Electronically
Created, Received, Transmitted or Maintained.
PRIVACY vs. SECURITY
PRIVACY is the right of an individual to
keep his/her individual health information
from being disclosed.
SECURITY is the mechanism in place to
protect individual health information.
SECURITY STANDARD IMPACTS
ELECTRONICALLY MAINTAINED
AND TRANSMITTED DATA
• Data on Magnetic Tape or Disk
• Entry of Patient Information in Computers
• Transmission of Treatment Data to a Healthcare
Plan
• Claims Printed From a Healthcare Clearinghouse
• Records Transcribed and Stored in a Word Processor
• Lab Results Sent by Modem to a Printer at an Office
• Etc.
SECURITY STANDARD
• Does Not Identify or Require Specific
Technologies
• Allows Healthcare Industry to Implement
Different Solutions Depending Upon Needs
and Technologies in Place
• Mandates Safeguards for Physical Storage
and Maintenance, Transmission and Access
to Individual Health Information
GUARDING DATA INTEGRITY,
CONFIDENTIALITY AND
AVAILABILITY
1. Administrative Procedures
2. Physical Safeguards
3. Technical Security Services
4. Technical Security Mechanisms
5. Electronic Signature
ADMINISTRATIVE PROCEDURES
(Policies and Procedures)
1. Certification of Data Systems to Evaluate
Security
2. “Chain of Trust” Agreement
3. Contingency Plan in Case of Emergency
4. Formal Data Processing Protocols
5. Controlling Access to Data
6. Internal Audit Procedures
ADMINISTRATIVE PROCEDURES
(Policies and Procedures)
7. Security Activities by Personnel
8. Overall Security of Hardware, Software,
and Virus Checking
9. Protocols for Reporting and Responding to
Breaches of Security
10. Risk Management and Sanctions
11. Security Procedures in Event of Personnel
Terminations
12. Security Training Programs
PHYSICAL SAFEGUARDS
(Buildings and Equipment)
1. Designate Security Responsibilities
2. Develop Controls on Access and Manipulations of
Hardware Components (Disk, Keyboard, Monitor)
3. Develop Disaster/Intrusion Response and Recovery
Plans
4. Implement Personnel Identification for Access
5. Maintain Maintenance Records
6. Enforce Security Clearances (Need-to Know Basis)
7. Develop Protocols Regarding Activities and
Security at the Work Station Level
TECHNICAL SECURITY
MEASURES
(Software Controls)
1. Regulate Access (Includes Emergency Access)
2. Audits and Controls
3. Data Authentication (Security of Stored Data)
4. Ensure User Authentication and Access Control
(User ID, Automatic Log-off)
TECHNICAL SECURITY
MECHANISMS
(Transmission of Data)
1. Storage and Transmission of Health Information
Cannot Easily Be Accessed or Interpreted by
Unauthorized Third Parties
2. Ensure Messages Sent and Received Are
the Same
3. Access Control to Transmission (Dedicated
Lines)
4. Encryption
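One way to meet item 2 above (messages sent and received are the same) for a transmitted claim segment, as an added Python example that is not part of the original presentation: the sender attaches a keyed HMAC-SHA256 tag and the receiver recomputes it, comparing in constant time. The segment text and the shared key are constructed. A shared-key MAC gives integrity and sender authentication only; because both trading partners hold the same key, it cannot stop a sender from denying a message, which is the non-repudiation requirement the electronic signature slide reserves for digital signatures.

```python
import hashlib
import hmac
import json

# Constructed sample: one CLM segment shaped like an X12 837 claim line, with invented
# values (claim id, charge amount, place-of-service code).
CLAIM_SEGMENT = "CLM*CLAIM0001*125.00***11:B:1*Y*A*Y*Y"
# Assumption: a key agreed between the two trading partners and never sent on the wire.
SHARED_KEY = b"constructed-trading-partner-key"


def protect(segment: str, key: bytes) -> dict:
    """Sender side: compute an HMAC-SHA256 tag over the exact bytes to be transmitted
    and send it alongside the body."""
    body = segment.encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": segment, "tag": tag}


def verify(message: dict, key: bytes) -> bool:
    """Receiver side: recompute the tag from the received body and compare it with the
    received tag in constant time, so the check itself leaks nothing about the tag."""
    expected = hmac.new(key, message["body"].encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, message["tag"])


def tamper(message: dict, old: str, new: str) -> dict:
    """Simulate an in-transit change (here the charge amount) that keeps the old tag;
    used to show that verify() rejects the altered message."""
    return {"body": message["body"].replace(old, new), "tag": message["tag"]}


if __name__ == "__main__":
    msg = protect(CLAIM_SEGMENT, SHARED_KEY)
    print(json.dumps(msg))
    print("intact:", verify(msg, SHARED_KEY))                                  # True
    print("amount altered:", verify(tamper(msg, "125.00", "1250.00"), SHARED_KEY))  # False
```

The tag only helps if the receiver treats a failed `verify` as a hard reject and logs it as a security event, since a mismatch means either corruption in transit or a message from someone who does not hold the key.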
ELECTRONIC SIGNATURE
(On Hold)
1. Ensure Identity of the Signer
2. Ensure Unaltered Transmission and
Receipt of the Data
3. Must Prevent a Signer from Successfully
Denying the Signature
Proposed standard explicitly notes that a Digital
Signature is the only technology that satisfies
these requirements.
SECURITY OFFICER
• Serves As Internal Information Security
Consultant in Agency
• Documents Security Policies and Procedures
• Provides Risk Assessments
• Functions As Internal Auditor
• Monitors Compliance With Standards
SECURITY BOUNDARIES
• Identifies “What”
• Does Not Identify “How”
• Scalability (allows agency to define and
implement security appropriate to size and
activities of the agency)
SECURITY ASSESSMENT
• Not Just a Technology Issue
– 40% Information Technology
– 60% Business Issues
• Security and Privacy Go Hand-in-Hand
• Integrate Both Standards
ENFORCEMENT
• RESPONSIBILITY: U.S. DHHS Office for
Civil Rights
– Assist with voluntary compliance efforts
– Respond to questions, interpretation, guidance
– Respond to states’ requests for exceptions
– Investigate complaints
– Conduct compliance surveys
– Seek criminal prosecution for non-compliance
COMPLIANCE DATE
Expected to Become Effective
in Late 2001
QUESTIONS
NCDHHS
IMPACT IN DHHS
APPROACH FOR
ADDRESSING HIPAA
HIPAA IMPACT ON DHHS
• Standardized Transactions
– Initial Assessment - 26 Systems Process Health
Care Transactions
• Public Health - 10 Systems
• Mental Health/Developmental Disabilities/Substance Abuse - 7 Systems
• Vocational Rehabilitation - 3 Systems
• Services for Blind - 1 System
• Medical Assistance - 1 System
• Shared (Multiple DHHS Agencies) - 4 Systems
– Local Agencies (e.g., MH/DD/SAS Area Programs) Must Modify Their Information Systems
HIPAA IMPACT ON DHHS
(continued)
• Privacy and Security Standards
– Secure and Protect Electronic and Paper
Records
• DHHS Serves “at Risk” Population
– Establish Policies and Procedures
– Establish Documentation and Audit Processes
HIPAA IMPACT ON DHHS
(continued)
• Agencies Directly Impacted by HIPAA
– Public Health (including 86 county/regional
health departments, State Laboratory, Medical
Examiner’s Office)
– Mental Health, Developmental Disabilities
and Substance Abuse Services (4 psychiatric
hospitals, 5 mental retardation centers, 2 alcohol
and drug abuse treatment centers, 1 extended care
facility, 2 schools for emotionally disturbed
children, 39 area programs)
HIPAA IMPACT ON DHHS
(continued)
• Agencies Directly Impacted by HIPAA
– Medical Assistance (Medicaid program)
– Early Intervention and Education (18
Developmental Evaluation Centers, 3 schools for
Deaf and Hard of Hearing, 1 school for Blind)
– Vocational Rehabilitation (72 local offices)
– Social Services (100 county offices)
– Services for the Blind (serve >35,000 North
Carolinians each year)
– Child Development
HIPAA IMPACT ON DHHS
(continued)
• Agencies Indirectly Impacted by HIPAA
– Research, Demonstrations and Rural Health
Development
– Division of Aging (may be covered entity)
– Facility Services (may be covered entity)
– Human Resources
– Internal Auditor
– Public Affairs (Communications)
– Citizen Services
DHHS REACTION
• Provide Centralized Management
Response
– Establishment of HIPAA Program
Management Office (PMO)
• Appoint HIPAA Coordinators
• Designate HIPAA Attorney
- Marc Lodge
• Develop Communications Plan
DHHS REACTION
(continued)
• Identify Funding Sources
– No Federal Funds Appropriated for HIPAA
Implementation
– Submission of Expansion Budget Request
– Developed Cost Allocation Models to Maximize
Federal Funding for Systems/Programs
– Currently Investigating
• Availability of grants
• Other opportunities for maximizing federal funds
• Sharing vendor costs with other states
• Collaborative efforts with vendors
DHHS REACTION
(continued)
• Partner with Other Organizations/States to
Share Information/Deliverables
– NC Health Care Information and Communications
Alliance (NCHICA)
– Government Information Value Exchange for
States (GIVES)
– Southern HIPAA Administrative Regional Process
(SHARP)
PMO TASKS
• Research HIPAA Requirements
• Determine Impact of Requirements on
DHHS
• Serve as HIPAA Resource Center
• Correlate DHHS HIPAA activities with
HIPAA Coordinators
• Establish and Coordinate Focus Groups
– Business Operations
– Security
– EDI/TCI
PMO TASKS
(continued)
• Disseminate HIPAA Information
throughout DHHS
• Develop Enterprise Policies, Procedures,
Tools, Processes, Forms, Implementation
Guidelines, Contracts, Agreements
• Develop Best Practice Models
• Promote Business Process Reengineering
• Provide Technical, Operational and
Management Support
• Provide Overall Project Monitoring and
DHHS HIPAA Status Reporting
PMO TASKS
(continued)
• Provide Levels of HIPAA Training
– Awareness
– Core
– Intermediate
– Expert
• Develop Job Classifications/Descriptions for
Security and Privacy Officers
• Provide HIGH Level Impact Assessment in
all State Agencies
• Maintain PMO Web Site for
Communications
http://dirm.state.nc.us/hipaa/
DHHS WEBSITE
USER LOGIN
PMO DELIVERABLES
• Presentations
• Tools to Assess HIPAA Impact
– Information Flow Assessment Database
– Questionnaires (e.g., Early View)
– Reviews of Statutes, Rules, Policies, Procedures
• NCHICA Privacy and Confidentiality Focus Group
• Attorney General’s Office - HIPAA Legal Resources
• Department/Division/Agency Review
– Gap Analyses
– Risk Assessments
PMO DELIVERABLES
(continued)
• Tools for HIPAA Remediation
– Work Plans
– Checklists
– Processes
– Sample Policies, Procedures, Forms, Notices, Contracts, Chain of Trust Agreements
• Tools for HIPAA Testing and Training
– Testing Processes/Procedures
– Staff Training Courses
– Other Training Courses
PMO DELIVERABLES
(continued)
• Tools for HIPAA Compliance
– Self-Certification Tools
– Quality Assurance Audits
– On-going Awareness Training
• Staff
• Others (Business Associates, Vendors)
– New Employee Orientations
– Business Continuity Plans
DELIVERABLE PROCESS
• PMO
– Develops Deliverables
• Business Operations Focus Group
– Reviews Deliverables with Their Divisions/Local
Agency Staff
• Selected Pilot Agencies/Institutions
– Test Deliverables
– Recommend Modifications
• Enterprise Dissemination
– Distribute via web site, HIPAA Coordinators and
Focus Group
PMO OUTREACH
• HIPAA Awareness Seminars
• Professional Groups/Organizations with
HIPAA Interests
– NC Association of Local Health Directors
• Technology Committee
– NC Health Information Management
Association
• Behavioral Health Section
– HEARTS User Group
• Local Agencies, Institutions, Groups
WHY DO AN INFORMATION FLOW ASSESSMENT?
• Determine if a Covered Entity
• Identify:
– Business Associates
– Types & methods of information handling
– Code Sets currently in use
– Systems/applications in use
– Systems/applications for remediation
– Flow and routing of information
– Short and long term storage of information
– Areas of privacy/security weaknesses
– Current contracts and Agreements
• Documentation for Due Diligence
PMO TOOL
• Information Flow Assessment
– What Information Flows Within and Without an
Agency
– Types of Information (personal, financial,
medical)
– Who Accesses Information
– How is Information Transmitted
– When is Information Shared
– Where is Information Stored (temporary and
permanent)
– How is Information Disposed
RESOURCES
• Attachments to Slide Presentation
Materials
– HIPAA Related Web Sites
– HIPAA Glossary and Acronym References
– DHHS HIPAA PMO Contacts
– NCHICA HIPAA Committees
– NCHICA HIPAA Privacy Regulation Work Groups
SUMMARY
• HIPAA - A Health Care Paradigm
– Affects Payers, Providers, Employers, Medical
Manufacturers, Pharmaceutical Companies, Employees,
Clearinghouses, Patients.
– Requires Redesign of Business Processes, Staffing Plans,
Workflow
– Requires Changes to Business Applications, Technology
Architecture, Facilities
– Shifts Power in Provider/Consumer Relationship
– Presents Change Management Challenges
– Introduces New Legal Liabilities
– Provides Patients with Rights
– Conveys Severe Civil and Criminal Penalties
SUMMARY
• HIPAA Is Not Going Away
– Health Care Industry Wants Standardization
– Consumers Want Health Information to Be Protected
• HIPAA Is Not an Option
• HIPAA Is Doing Business in the ‘New Millennium’
• Implementation Cost Is Short-term
• Operational Benefit Is Long-term
QUESTIONS