HIPAA - AGRiP

HIPAA
The Hidden Beast
June Kissinger
Director, Risk Management Support Services
March 12, 2003
Overview

Health Insurance Portability and Accountability Act

Passed by Congress in 1996 to reform the insurance market and simplify health care administrative processes.
A Look at HIPAA
Past . . . Present . . . Future
HIPAA - Title I: Insurance Portability

• Effective in 1997
• Deals with accessibility and portability
• Allows non-federal governmental plans to opt out of certain provisions
HIPAA – Title II: Administrative Simplification

• Improve efficiency by standardizing electronic data interchange (EDI)
• Protect the confidentiality and security of identifiable health information (electronic and paper) by setting and enforcing standards
HIPAA – Key Terms

• Covered Entity
• Business Associate
• Protected Health Information (PHI)
• Small Health Plan
HIPAA – Key Terms: Covered Entity

• Health plan – employee welfare benefit plan, including insured and self-insured plans
• Health care provider – person or entity that furnishes, bills, or is paid for health care in the normal course of business
• Health care clearinghouse – public or private entity that processes health information from another entity from non-standard into standard format

All covered entities must comply with HIPAA.
What’s a Health Plan?

Included Plans
• Health
• Dental
• Health FSA
• Vision
• EAP
What’s a Health Plan?

Excluded Plans
• Automobile medical payment insurance
• Disability
• Liability insurance, including general liability insurance and auto liability insurance
• Life insurance
• Workers’ compensation
What’s a Health Plan?

• The employer in its entirety is not subject to HIPAA
• The employer may declare itself a hybrid entity, which defines and isolates the individuals dealing with the health plan
• “Firewalls” must be created between covered and non-covered functions
  - Information cannot be used for employment purposes or for administering any other plan (e.g. disability or workers’ compensation)
• Designated health plan personnel dealing with PHI are subject to HIPAA
HIPAA – Key Terms: Business Associate

• Performs certain functions on behalf of a covered entity, for example:
  - Third Party Administrator (TPA)
  - Benefits Consultant
  - Attorney
  - Utilization Review Vendor
  - Pharmacy Benefits Manager
HIPAA – Key Terms: Protected Health Information (PHI)

• Individually identifiable health information
• Relates to the past, present or future physical or mental health or condition of an individual
• Specifically identifies the individual, or there is a reasonable basis to believe the information can be used to identify the individual
HIPAA – Key Terms: Permitted Uses of PHI

• Disclosure to the individual
• For treatment, payment, or health care operations
• Certain public policy exceptions
• Other uses require the individual’s authorization
HIPAA – Key Terms: Small Health Plan

• Plans with receipts under $5M
Electronic Data Interchange (EDI)

• Proposed May 1998
• Final Rule published August 2000
• Compliance deadline (with extension) October 14, 2003
• Rule amended February 2003
EDI – Transactions

• Health claims and equivalent encounter information
• Enrollment and disenrollment in a health plan
• Eligibility for a health plan
• Health care payment and remittance advice
• Health plan premium payments
• Health claim status
• Referral certification and authorization
• Coordination of benefits
EDI – Code Sets and Identifiers

• Code sets – standardization of medical codes
• Unique identifiers
  - Employer – EIN was adopted May 2002
  - Health plan
  - Provider
EDI

Health plans
• Mandated to have the capability to accept and send electronic transactions via the designated standard transactions, using the standard code sets and unique identifiers

Providers
• If they choose to use electronic transactions, they must use all the designated transactions, code sets and identifiers
PRIVACY

• Proposed November 1999
• Final Rule published August 2002
• Compliance deadline April 14, 2003
• Small health plans: April 14, 2004
Privacy

• Creates national standards to protect individuals’ medical records
• Gives patients more control over their health information
• Sets boundaries on the use and release of health records
• Establishes safeguards that health care providers and others must achieve to protect the privacy of health information
• Holds violators accountable with civil and criminal penalties
Privacy

• Allows patients to find out how their information may be used
• Generally limits release of information to the minimum reasonably needed for the purpose of the disclosure
• Gives patients the right to examine and obtain a copy of their own health records and to request corrections
• Empowers individuals to control certain uses and disclosures of their health information
Administrative Requirements

• Privacy officer
• Notice of Privacy Practice
• Privacy compliance policies and procedures
• Privacy training for employees
• Problem reporting system
• Sanctions for covered entities and business partners
Privacy Officer

• Must be designated and named in the Notice of Privacy Practice given to your employees
• Responsible for development of policies and procedures for the entity
Notice of Privacy Practice

• Each employee must receive a copy of this notice
• The notice must contain:
  - Rights – the individual’s rights
  - Duties – your legal duties regarding protected health information (PHI)
Policies & Procedures

• Each covered entity must have written privacy and security policies and procedures
• Must include details regarding the use of PHI
• Must reflect your effort to limit the disclosure of PHI to the minimum information necessary to accomplish the intended purpose
• Document each scenario of how your staff handles each type of PHI (claims, reports, ...) from the point of entry until it reaches its final destination
• Document how PHI is kept secure
Training

• Covered entities must provide training to employees on the entity’s policies and procedures
• Must be documented for each person, but a signed certificate is not required
• Must be documented in your privacy policies and procedures
Problem Reporting System

• Must have a way to track any problems or complaints regarding the use of PHI
• Must be documented in your privacy policies and procedures
Sanctions

• Privacy policies and procedures must contain sanctions for a covered entity and/or business partner in the event of unauthorized disclosure of PHI
SECURITY

• Proposed August 1999
• Final Rule published February 2003
• Compliance deadline April 21, 2005
• Small health plans: April 21, 2006
Where to from here?
You need to...

• Determine your privacy compliance effective date: are you a small health plan, with receipts under $5M, or a large health plan?
• Contact your TPA or administrator to find out their HIPAA plans
• Designate a Privacy Officer
You need to...

• Perform assessment and analysis
  - Map the workflow and storage for PHI
  - Identify third party vendors (business associates) with access to PHI
  - Review security requirements
• Develop privacy and security policies and procedures which include a separation between employment records and your health plan
• Develop a Notice of Privacy Practice
You need to...

• Develop and sign Business Associate Agreements
• Develop a monitoring and reporting system
• Train all employees with access to PHI
• Distribute the Notice of Privacy Practice to all employees and amend the plan document
How to avoid some restrictions

• A TPA may disclose summary health information to a group health plan without invoking all aspects of the HIPAA privacy restrictions
  - Summarizes the claims history, expenses or types of claims
  - Does not contain names, addresses, dates (except year), social security numbers, etc.
What if you don’t comply?
Civil Penalties

• Levied for failure to comply with requirements
• $100 fine for each violation
• Maximum of $25,000 per calendar year for each standard violated within an organization
Criminal Penalties

• Improper use of health identifiers, or improperly obtaining or disclosing PHI, is subject to both fines and imprisonment
• Enforcement has been assigned to the DHHS Office of Civil Rights
• Penalties are graduated, increasing if the offense is committed under false pretenses or for personal gain
Helpful Resources

• http://aspe.os.dhhs.gov/admnsimp/ – HHS Administrative Simplification Website
• http://aspe.hhs.gov/admnsimp/bannerps.htm – HHS Privacy & Security Website, links to the rules
• http://www.hhs.gov/ocr/ – HHS Office of Civil Rights Website
• http://www.hhs.gov/ocr/hipaa/privacy.html – HHS Privacy Rule Guidance and FAQ
• http://www.hhs.gov/ocr/hipaa/contractprov.html – Model Business Associate Agreement
HIPAA Humor

• What do you call someone who complains incessantly about HIPAA?
  A HIPAA condriac!!!
• What do you call someone who pretends they like HIPAA, but says terrible things about it in private??
  A HIPAA cryte!!!
• What is the effect of today’s presentation?
  HIPAA nosis!!!
Questions????