Organizing for HIPAA
HIPAA Administrative Simplification and Nebraska SNIP (Strategic National Implementation Process)
HIPAA
Law & Intent
Who is affected
Standards
Current issues to track
Implementation Process (SNIP)
Additional resources
HIPAA Administrative Simplification Law
Health Insurance Portability and Accountability Act of 1996 – HIPAA
H.R. 3103 – Kassebaum/Kennedy Bill
Title II – Subtitle F – Administrative Simplification
Signed into Law August 21, 1996
Public Law 104-191
Part C of Title XI of the Social Security Act
Intent of HIPAA
Reduce the costs and administrative burdens of healthcare with standardized, electronic transmission of many administrative and financial transactions.
Protect the security and confidentiality of electronic health information.
Enable individuals to control their own health information.
Who is affected by HIPAA?
Providers
Health Plans
Employers acting as Self-Insured Groups
Payers
Third Party Administrators
Clearinghouses
All trading partners of the above
HIPAA Standards
Transactions & Code Sets
Privacy
Security
Identifiers
Transactions and Code Sets Standards
Final Rule published in the August 17, 2000 Federal Register
Compliance is required by October 16, 2002 (October 16, 2003 for small health plans)
NDC code retraction
On May 29, 2001, Tommy Thompson retracted the standard of using NDCs on institutional and professional claims.
Transaction standards
Data Element: Required vs. Conditional, Formats, Codes, Values
Transaction Sets
X12 Version 4010
Claim - 837
Payment/Remit - 835
Claim Status - 276/277
Eligibility - 270/271
Referral - 278
Enrollment & Benefits Maintenance - 834
Premium Payments - 820
Claims Attachments - 275*
First Report of Injury - 148*
NCPDP
* expected later...
Code Sets Standards
Service & Diagnosis Codes:
ICD-9-CM Volumes I, II & III
CPT-4
HCPCS
CDT
NDC
No local codes will be allowed
Information Between Health Plans
Coordination of Benefits
Claims Processing
Is a provider required to send claims electronically?
No, but if you do, they have to be HIPAA compliant.
You can use a clearinghouse to handle the translation of the data from your current form into a HIPAA-compliant format.
Failure to Comply with Transactions Standards
Penalty: $100. Jail time: none. Offense: single violation of a provision.
Penalty: up to $25k. Jail time: none. Offense: multiple violations of an identical requirement or prohibition made during a calendar year.
Privacy Standards
Final Rule published in the December 28, 2000 Federal Register
Compliance is required by April 14, 2003 (April 14, 2004 for small health plans)
OCR issued guidance on July 6, 2001
Additional guidelines are expected
Privacy
Summary of Privacy regulation:
Consumer Control over Health Information
Use and Disclosure Boundaries
Ensure the Security of Protected Health Information
Establish Accountability for Use and Release
Balancing Public Responsibility with Privacy Protections
Preserving Existing, Strong State Confidentiality Laws
Definitions
Privacy is what happens to information after the appropriate person has it (I only use the data for the agreed purpose).
Confidentiality is the control of the information at all times, providing 'need to know' access to only those appropriate.
Security is the enforcement and protection afforded information under both conditions.
Consumer Control over Health Information
Notice of Privacy Practice
Patient access to their health records and right to amend
Patient consent before information is released
Recourse if privacy protections are violated
Accounting for release of health information
Use and Disclosure Boundaries
Ensuring that health information is not used for non-health purposes
Providing the minimum amount of information necessary
Ensure the Security of Protected Health Information
Adopt written privacy procedures
Train employees on privacy
Designate a privacy officer
Establish Accountability for Protected Health Information
Penalty: up to $50k. Jail time: up to 1 year. Offense: wrongful disclosure of individually identifiable health information.
Penalty: up to $100k. Jail time: up to 5 years. Offense: wrongful disclosure of individually identifiable health information committed under false pretenses.
Penalty: up to $250k. Jail time: up to 10 years. Offense: wrongful disclosure of individually identifiable health information committed under false pretenses with intent to sell, transfer or use for commercial advantage, personal gain or malicious harm.
Balancing Public Responsibility with Privacy Protections
In limited circumstances, the final rule permits, but does not require, covered entities to continue existing disclosures of health information for specific public responsibilities without individual authorization.
Preserving Existing, Strong State Confidentiality Laws
National "floor" of privacy standards that protects all Americans, but in some states individuals enjoy additional protection.
Stronger state laws (like those covering mental health, HIV infection, and AIDS information) continue to apply.
Security Standards
Proposed Rule published in the August 12, 1998 Federal Register
Final Rule expected this year
Security
The security standard is a set of requirements with implementation features that providers, plans, and clearinghouses must include in their operations to assure that electronic health information pertaining to an individual remains secure.
The standard does not reference or advocate specific technology.
The standard does not address the extent to which a particular entity should implement the specific features.
Individual security requirements and which technology to use are business decisions that each organization must make.
HIPAA IS TECHNOLOGY NEUTRAL
Security
Best security is what we can do ourselves.
75% of security breaches happen inside.
Security
Administrative Procedures
Physical Safeguards
Technical Data Security
Technical Security Mechanisms
Administrative Procedures
Certification
Chain of Trust agreement
Contingency Plan
Formal Mechanism for Processing Records
Information Access Control
Internal Audit
Administrative Procedures
Personnel Security
Security Configuration Management
Security Incident Procedures
Security Management Process
Termination Procedures
Training
Physical Safeguards
Assigned Security Responsibility
Media Controls
Physical Access Controls
Policy/Guideline on Workstation Use
Secure Workstation Location
Security Awareness Training
Technical Data Security
Access Control
Audit Controls
Authorization Controls
Data Authentication
Entity Authentication
Technical Security Mechanisms
Integrity controls
Message authentication
Access controls or Encryption
Entity authentication
Event reporting
Technical Security Mechanisms
In addition, if using a network for communications, the following implementation features would be in place:
Alarm
Audit trail
Entity authentication
Event reporting
Electronic Signature
Digital Signature - Optional, but if used:
Nonrepudiation
User Authentication
Message integrity
Unique Health Identifiers
Provider - Will not replace TIN; will eventually replace the UPIN
Employer - Will be TIN
Health Plan - May include Sub ID
Patient - Still under discussion
Status of Identifiers
National Provider Proposed Rule published in the May 7, 1998 Federal Register
National Employer Proposed Rule published in the June 16, 1998 Federal Register
Final Rules???
Status of Identifiers
Movement on this portion of HIPAA has not occurred
Focus is on implementation of standards for data and on final privacy and security regulations
Current Issues To Track
Federal legislation
H.R. 1975 and S. 836 are in the House and Senate to delay HIPAA's administrative simplification provisions.
Some members of Congress are considering overturning the privacy rule
Cases constitutionally challenging HIPAA
SC Medical Assoc, Physicians Care Network, LA State Medical Society vs. US Dept of Health and Human Services
AAPS vs. US Dept of Health and Human Services
Current Issues To Track
Final rule on health data security due out this year – HHS must ensure the final security rule is compatible with the final privacy rule – published in late 2000 (and likely to undergo some changes)
Additional Guidance on Privacy Standards
Additional code changes as implementation progresses
NOW WHAT???
Where do I go from here???
Compliance with HIPAA Administrative Simplification
Nebraska SNIP (Strategic National Implementation Process)
Why collaborate?
Implementing HIPAA requires coordination and collaboration among trading partners
There is no competitive advantage to being 'HIPAA Ready' if your trading partners aren't ready
Collaboration and coordination will limit costly implementation efforts
Avoid the 're-inventing the wheel all over again' syndrome
Why collaborate?
Standards are dependent on consistent policies, practices and technology among business partners
Actions of a business partner may generate liabilities for one's own organization
Sloppy planning and inefficient implementation will be costly to everyone
Key Elements for a Collaborative Environment
Trust
Commitment
Clear Vision
Trust
Joint ownership
Joint accountability
No dominant player
Balanced interests
No hidden agendas
Neutral meeting ground
Commitment
NE Health and Human Services System
Key providers
Leading health plans/payers
Trade associations & societies
Key vendors
Clear Vision
Use HIPAA as an opportunity to redesign business processes
Remember patient rights in the process
Improve efficiency of healthcare through information technology
Regional Approaches
Implementation will occur locally
Healthcare crosses local political and business boundaries
National coordination and guidance will be exceedingly helpful
Nebraska SNIP Formation
Blue Cross and Blue Shield of Nebraska
Health Data Management
Mutual of Omaha
NE Assn of Hospitals and Health Systems
NE Health and Human Services System
NE Medical Association
Nebraska SNIP
…is a collaborative healthcare industry-wide process resulting in the implementation of standards and furthering the development and implementation of future standards.
Nebraska SNIP
Promote general healthcare industry readiness to implement HIPAA standards.
Identify education and general awareness opportunities for the healthcare industry to utilize.
Recommend an implementation time frame for each component of HIPAA for each stakeholder and identify the best migration paths for trading partners.
Nebraska SNIP
Establish opportunities for collaboration, compile industry input, and document the industry "best practices".
Identify resolution or next steps where there are interpretation issues or ambiguities within HIPAA standards.
Serve as a resource for the healthcare industry when resolving issues arising from HIPAA implementation.
Nebraska SNIP Approach
Facilitate planning among:
Providers
Health Plans
State Government
Vendors
Trade associations and professional societies playing a key role.
NE SNIP Steering Committee
Goal: Develop overall strategy for addressing HIPAA compliance in an orderly & effective manner
Defined Work Groups:
Transactions, Codes and Identifiers
Privacy
Security
Awareness, Education and Training
Transactions, Codes and Identifiers Work Group
Goal: Develop consensus on sequence and timing for implementation of transactions & codes
Activities:
Issue and publicize Target Date Guidelines
Build critical mass of providers, health plans, clearinghouses, vendors and gov't agencies for transaction testing
Privacy Work Group
Goal: Understand impact of final regulations
Activities:
Develop working knowledge of Privacy regulations and impact
Determine organization's current level of HIPAA privacy compliance
Develop gap analysis, checklists, and guidelines for policies & procedures to implement Privacy Standards
Security Work Group
Goal: Understand HIPAA requirements for security of data and communications
Activities:
Investigate secure transaction & interoperability among trading partners
Develop self-assessment checklist / tool to determine organization's current level of HIPAA security compliance - gap analysis
Awareness, Education & Training Work Group
Goals:
Develop programs to share HIPAA information.
Collaborate with professional groups and agencies to promote and deliver programs.
Activities:
Survey to determine awareness and readiness.
Leverage current planned activity in NE
Develop Nebraska SNIP communication and information sharing
Steering Committee Contacts
Brenda Block, Health Data Management Corp., 402-965-8158
Kevin Conway, NE Assn of Hospitals & Health Systems, 402-458-4910
Transactions, Code Sets & Identifiers Contacts
Don Butler, Blue Cross and Blue Shield of Nebraska, 402-398-3843
Privacy Contacts
Lori Umberger, RN, BSN, Creighton Cardiac Center, 402-280-4603
Kathleen Zeitz, Methodist Health System, 402-354-2174
Security Contacts
Susan Heider, Regional West Medical Center, 308-635-3711
Sue Huenniger, Mutual of Omaha, 402-351-8622
Awareness, Education and Training Contacts
Brenda L. Block, Health Data Management Corp., 402-965-8158
Rick Hain, BryanLGH Medical Center, 402-481-8521
Mailing list: NESNIPAWARENESS@yahoogroups.com
Nebraska SNIP Activities
First Meeting March 15, 2001: HIPAA background, other regional efforts, NE SNIP mission, NE SNIP organization, next NE SNIP meeting
Next NE SNIP Meeting
September 18, 2001, Kearney
Work Group and sub group meetings
Additional HIPAA Resources
Health Insurance Portability and Accountability Act of 1996
Public Law 104-191, 104th Congress, August 21, 1996
aspe.hhs.gov/admnsimp/pl104191.htm
Department of Health and Human Services
Administrative Simplification
aspe.hhs.gov/admnsimp/index.htm
Centers For Medicare and Medicaid Services (HCFA)
www.hcfa.gov/hipaa/hipaahm.htm
HCFA fact sheet on HIPAA’s provisions
www.hcfa.gov/facts/f9702as.htm
HIPAA Security Accreditation information
www.ehnac.org/securityaccreditation/default.html
HIPAA Resources cont...
Workgroup for Electronic Data Interchange
www.wedi.org/
Washington Publishing Company
ANSI, ASC and X12N HIPAA Implementation Guides
www.wpc-edi.com/hipaa
Data Interchange Standards Association (DISA)
www.disa.org/
Designated Standard Maintenance Organization (DSMO)
www.hipaa-dsmo.org
ANSI X12 Committee
www.x12.org
HIPAA Resources cont...
HIPAA Comply - security and privacy compliance
www.hipaacomply.com
Welcome to HIPAA Directory.com
www.hipaadirectory.com
HHS Office of Civil Rights
www.hhs.gov/ocr/hipaa/
Nebraska SNIP
www.nesnip.org