HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT

Part III – HIPAA Reference
• HIPAA – In General
  – Background
  – Why Employers Should Care?
• Overview of Requirements
  – EDI Transaction Standards
  – Security
  – Privacy
• HIPAA Compliance Implementation
Background
In General
• Enacted in 1996, HIPAA was designed to incrementally address various issues within the health care industry
• Major elements include:
  – Improved health coverage portability requirements
  – Prohibitions on discrimination based on health status
  – Increased fraud enforcement
  – Simplifying the health care claim payment process to reduce administrative costs
    • Primarily by standardizing electronic data transactions, which raises security and privacy concerns
Background
Statutory Structure
HIPAA is organized into five titles:
• Title I – Guarantees health insurance portability and renewal
• Title II – Administrative simplification
• Title III – Tax provisions for medical savings accounts
• Title IV – Enforcement of group health plan provisions
• Title V – Revenue offset provisions
Background
Why was HIPAA Needed?
• Healthcare industry
  – Need for ease of data transfer
  – Move from paper to EDI (electronic data interchange)
  – Economic reasons
• The “patient” as the “consumer”
  – Increasing privacy and confidentiality concerns
• Legislative issues
  – 50 different states with different laws, lacking consistency and with no minimum floor
Why Employers Should Care?
In General
• Although not a covered entity, any employer that provides group health benefits will be at least indirectly affected
  – Employers with self-funded plans will be considered “hybrid” entities and their health plan operations will be directly subject to the rules
• Company access to employee health plan records for employment reasons (including administration of other benefit plans and laws) will be further limited
• Federal preemption of state laws will be limited to establishing minimum floor protection
• Certain customary practices may have to be changed
Why Employers Should Care?
Penalties
• Federal programs: exclusion from federal programs anticipated
• Accreditation: accrediting organizations will require compliance in the future
• Criminal penalties (maximum per offense):
  – Wrongful disclosure: $50,000 per offense and 1 year imprisonment
  – Wrongful disclosure under false pretenses: $100,000 per offense and 5 years imprisonment
  – Wrongful disclosure with intent to sell, transfer or use: $250,000 per offense and 10 years imprisonment
• Civil monetary penalties: $100 for each violation, up to a maximum of $25,000 per year, per violation
Why Employers Should Care?
Compliance Deadlines
• HIPAA’s administrative simplification incorporates three major, distinct but overlapping components, each with a different compliance deadline:
  – Electronic transaction standards
    • Generally 10/16/03
  – Privacy
    • Generally 4/14/03
  – Security
    • Generally 4/21/05
• For more information:
  http://aspe.hhs.gov/adminsimp.Index.htm
  http://www.hhs.gov/ocr/hipaa
  http://www.ibiweb.org/news/HIPAA
EDI Transaction Standards
In General
• HIPAA requires standardization of these electronic health care transactions:
  – Health claims or similar encounter information
  – Enrollment & disenrollment in a health plan
  – Eligibility for a health plan
  – Health care payment & remittance advice
  – Health plan premium payments
  – Health claim status
  – Referral certification & authorization
  – Health claims attachments (to be issued in the future)
  – First report of injury (to be issued in the future)
EDI Transaction Points of Contact
(Flow diagram, flattened in extraction. The parties are the patient/consumer, sponsors, payers and providers; the numbers are the X12 transaction sets exchanged between them.)
• Patient/consumer and sponsor: need for health care insurance (form)
• Sponsor and payer: Enrollment (834); Invoice (811) – non-HIPAA transaction; Payroll deduction; Premium payment (820)
• Patient/consumer and provider: Treatment
• Provider and payer: Eligibility (270) and Response (271); Referral (278) and Response (278); Claim (837) and Need more info (277); Claim inquiry (276) and Response (277); Payment & EOB (835)
• Payer and patient/consumer: EOB (paper)
EDI Transaction Standards
Unique Identifiers
• Eventually HIPAA will require use of unique identifying numbers for employers and for covered entities (i.e., health plans, providers, and clearinghouses)
  – To date, only the employer identifier standard has been finalized (the employer’s federal tax identification number must be used)
• The controversial use of a unique identifier for individuals has been withdrawn
Security
In General
• Intended to minimize the risk of intentional or accidental disclosure or misuse, or the loss or corruption, of patient-identifiable health information
• Sets a floor of minimum administrative, physical, and technical (computer) security standards to protect medical data
• Reflects commonly accepted security safeguards widely used across many industries
• Security measures are to be tailored to the organization’s risk analysis, technical environment, and business needs
Security
Employer Implications
• Typically will require developing and/or modifying a number of IT/IS policies, procedures, and protocols with respect to individual health information that is generated, transmitted, or stored electronically
  – With respect to both the covered entity and its business associates
  – Thus, early involvement of IT/IS staff in an employer’s HIPAA compliance effort is critical
• It is not uncommon for employers to engage a specialized IT/IS consultant to help assess compliance gaps and implement corrective steps
Privacy
In General
• Rules apply to all individually identifiable health information, whether in paper, electronic, or oral form
• Key terms
  – Protected Health Information (PHI)
  – Covered Entity
  – Business Associate
Privacy
Protected Health Information
• PHI = individually identifiable health information that is created or received by a covered entity
  – Individually identifiable health information is
    • Any information that relates to an individual’s past, present, or future physical or mental condition, or the provision or payment of health care, and
    • That specifically identifies the individual (or there is a reasonable belief that the individual can be identified)
  – Which is created or received by a covered entity
    • Can be in any form (oral, written, or electronic)
• Examples: claims data, and (depending on source) enrollment data and employee contribution information
Privacy
De-Identification Requirements
• Covered entities are permitted to use PHI to create de-identified information for their own unlimited use, or for unlimited use by another entity, without authorization from individuals
• De-identified information = health care information which does not identify the individual, or which the covered entity has no reasonable basis to believe can be used to identify the individual
  – While such generic information may be useful for certain types of broad-based trend studies, it is probably not useful for achieving most other business objectives
• Use of certain types of partially de-identified information (summary information or “limited data sets”) is allowed for specific limited purposes
  – Enrollment/disenrollment data
  – Aggregate claims history / expenses / types of claims data for coverage renewals and plan design changes
Privacy
Covered Entity
• All health care providers
• All health care payers (including managed care organizations, carriers, and self-funded employers)
• All health care clearinghouses that process claims or route electronic claims
• Certain health plans
  – Health insurers (including HMOs), and
  – Group health plans with 50+ participants, or administered by an entity other than the employer that established and maintains the plan
Privacy
Covered Entity (cont.)
• Employers, as a whole, typically are not covered entities
  – Thus, most employers are not directly subject to the HIPAA privacy regulations
  – However, certain components of an employer might constitute a covered entity (e.g., a self-funded group health plan)
• Hybrid employers will be subject to various requirements and obligations
  – “Firewalls” must be created between covered and non-covered functions
  – The plan cannot share PHI with the non-health-plan component of the employer unless the plan sponsor certifies that the plan has been amended to limit use and disclosure of PHI and that safeguards are in place
  – Exceptions exist for limited enrollment activities
Privacy
Business Associates
• Business associate = any outside entity to which a covered entity discloses PHI so that it can perform necessary functions
  – E.g., third-party administrators, case managers, attorneys, collection agencies, claims auditors, consultants
  – Does not include plan sponsors, insurers, or disclosures from a covered entity to a health care provider for treatment of an individual
• Covered entities must have agreements in place that contractually bind BAs to limit use of PHI to designated purposes and to comply with covered-entity-type confidentiality rules
Privacy
Business Associates (cont.)
• Covered entities have potential civil and criminal liability exposure for breaches by BAs
  – Thus, there is an obligation to monitor your BAs’ activities
  – Under the final regulations, however, action needs to be taken only if there is actual knowledge of a material violation
• Compliance deadline
  – Generally, all BA agreements must be in place by 4/14/03
  – However, any BA agreement in place prior to 10/15/02 will be deemed sufficient until 4/14/04 (unless the agreement terminates or is modified in any way prior to that date)
Privacy
Basic Requirements
• Patients have the right to understand and control how their health information is being used
  – Providers and health plans must give individuals clear, written notice of how they use, keep, and disclose their health information
  – Individuals have the right to access their medical records (to view, make copies, request amendments, and obtain an accounting of non-routine disclosures)
  – Individual authorizations are required before information is released in most non-routine situations
  – Covered entities are accountable for use and release of information, with recourse available if privacy is violated
Privacy
Basic Requirements (cont.)
• Use of individual health information is generally limited to health purposes
  – PHI cannot be used for purposes other than treatment, payment, or health care operations without individual authorization
  – Individual authorizations must be informed and voluntary
  – Reasonable efforts must be undertaken to limit release of information to the “minimum necessary” amount
    • The minimum necessary requirement applies to use of protected health information for payment or health plan operations, but not for treatment purposes
Privacy
Basic Requirements (cont.)
• Minimum privacy safeguard standards are established for covered entities (with similar requirements applicable to BAs by contract and to plan sponsors by plan amendment)
  – Adoption of written privacy procedures, with safeguards and sanctions specified
  – Periodic distribution of a privacy notice
  – Training of employees on handling PHI
  – Designation of a privacy officer (covered entities only)
  – Establishment of a grievance / complaint procedure
  – Recordkeeping with respect to PHI disclosures
HIPAA Implementation
Basic Phases
• Phase I
  – Awareness / Education
  – Preliminary scope assessment
  – Budgeting
  – Task force team selection
• Phase II
  – Detailed current PHI flow and use analysis
  – Detailed compliance gap analysis
• Phase III
  – Implementation of prioritized action item list