Transcript Strategic HIPAA Implementation Plan: An Introduction to HIPAA
An Introduction to HIPAA
Kathy A. Bizarro Executive Vice President New Hampshire Hospital Association
What is NHVSHIP?
NHVSHIP is a volunteer organization of hospitals, physicians, other health care providers, health plans, state health departments, and vendors. Members are working together to improve the understanding of and compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Membership is open to any organization that expresses a desire to work in a collaborative, non commercial environment.
(Check us out on the web: www.nhvship.org)
HIPAA Introduction
What is HIPAA?
HIPAA = The Health Insurance Portability and Accountability Act, a federal law created in 1996
H = Health
I = Insurance
P = Portability
A = Accountability
A = Act
It is considered the MOST significant healthcare legislation since Medicare in 1965!
HIPAA OVERVIEW
Health Insurance Portability and Accountability Act (HIPAA)
Administrative Simplification [Accountability]:
• Transactions, Code Sets, & Identifiers: Compliance Date 10/16/2002 or 10/16/2003
• Privacy: Compliance Date 4/14/2003
• Security: Compliance Date 2005
Insurance Reform [Portability]
HIPAA Introduction
Who’s Affected?
Directly covered under HIPAA: Providers, Health Plans, and Clearinghouses (Hospitals, Billing Agencies, Pharmacies, Laboratories, etc.)
Indirect Applicability: All organizations that exchange data with those directly covered under HIPAA, through Chain of Trust Agreements and/or contracts
Pre-HIPAA FACTS
• No standards existed to guide organizations in how to store, process, communicate, or secure data
• Management and clinical information software differed from organization to organization, even if it was purchased from the same vendor
• The lack of a standard data format proved to be a barrier, too costly and complex for most organizations to overcome
• Over 450 different electronic claim formats existed
• The lack of transaction uniformity among existing standards made it difficult for communication to occur
WHAT IF WE DO NOT COMPLY?
Non-Compliance: $100 for each violation, up to a maximum of $25,000 per year per specific provision
Unauthorized Disclosure or Misuse of Patient Information: penalties up to $250,000 and prison time up to 10 years
Transactions, Code Sets, Identifiers
TRANSACTION = The exchange of information between two parties to carry out financial or administrative activities related to health care
CODE SET = Any set of codes used to encode data elements, such as tables of terms, medical concepts, or medical diagnostic or procedure codes. A code set includes the codes and the descriptors of the codes
IDENTIFIER = Standard, unique health identifiers (numbers/digits/alphanumeric) for each health care provider, employer, health plan, and individual (patient)
PRIVACY vs. SECURITY
What’s the Difference?
PRIVACY refers to WHAT is protected: health information about an individual, and the determination of WHO is permitted to use, disclose, or access the information.
SECURITY refers to HOW private information is safeguarded: ensuring privacy by controlling access to information and protecting it from inappropriate disclosure and from accidental or intentional destruction or loss.
PRIVACY
OVERVIEW:
Due to the constraints imposed by the scope of HIPAA, the privacy regulation applies only to:
“Covered” Entities: Health Care Providers that transmit health information electronically, Health Plans, and Clearinghouses
“Protected” Health Information (PHI): transmitted or maintained in any form or medium (includes paper and oral)
PRIVACY COMPLIANCE DATE = April 14, 2003
HIPAA Privacy Definitions… just a few…
• “Protected Health Information”
• “Authorization”
• “Treatment, Payment, Healthcare Operations”
• “Patient Notice”
• “Uses & Disclosures”
• “Minimum Necessary”
• “Business Associate Agreements”
Protected Health Information
Individual (Patient) identifiable health information relating to the past, present or future health conditions of the individual.
This covers all information, whether maintained electronically, in paper form or communicated orally.
PHI cannot be released unless authorized by the patient or for treatment, payment, or healthcare operations.
Authorization
A covered entity may not use or disclose protected health information without a valid written authorization from the individual, except where the privacy rule otherwise permits it (for example, for treatment, payment, or healthcare operations).
An authorization must be specific and cannot be combined with other documents.
Treatment, Payment & Operations
Treatment - the provision, coordination or management of health care and related services by one or more health care providers, including consultation or referral
Payment - collection of premiums, reimbursement, coverage determinations, risk adjusting, billing, claims management, medical necessity determinations, utilization review, and pre-authorization of services
Health Care Operations - specified activities by or for a health plan or health care provider that are related to its “covered functions,” including quality assessment and improvement; peer review, training and credentialing of providers; business planning; and business management
Patient Notice
Description of uses and disclosures of protected health information made by the covered entity.
Every patient will receive a copy of the Patient Notice and will be asked to sign an “Acknowledgement”.
Uses & Disclosures
Use – Employment, application, utilization, examination or analysis of information WITHIN a covered entity that holds the information.
Disclosure – Release, transfer, provision of access to, or divulging in any other manner of information OUTSIDE the covered entity holding the information.
Minimum Necessary
A covered entity must make reasonable efforts to limit uses, disclosures, and requests for protected health information to the minimum necessary to accomplish the intended purpose (except uses and disclosures for treatment purposes).
For internal uses of protected health information, workforce members must be classified on a “need-to-know” basis with appropriate controls over access to PHI for each class.
For routine and recurring disclosures, standard protocols may be used to determine the minimum necessary amount of PHI required.
For non-routine disclosures, a covered entity must develop and apply criteria for determining the minimum necessary amount required.
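The three rules above (need-to-know classes for internal use, standard protocols for routine disclosures, explicit criteria for non-routine ones) map directly onto an access-control layer. The following is an added illustration and is not part of the NHVSHIP presentation or of any HIPAA text: the workforce classes, field names, protocol name and patient record are all constructed for the example, and a real covered entity would derive them from its own policies.

```python
"""Added example: the "minimum necessary" standard expressed as field-level access control.

Not from the NHVSHIP presentation. Workforce classes, field names, the routine
protocol and the sample record are constructed for illustration only.
"""

# Constructed sample PHI record for a fictitious patient.
RECORD = {
    "patient_id": "P-0001",
    "name": "A. Sample",
    "dob": "1970-01-01",
    "diagnosis_codes": ["E11.9"],
    "procedure_codes": ["99213"],
    "charges": 180.00,
    "insurance_member_id": "XYZ123",
    "clinical_notes": "Follow-up visit; stable.",
}

# Need-to-know classes (assumed): each class of workforce member may use only
# the data elements its function requires.
NEED_TO_KNOW = {
    "billing": {"patient_id", "name", "diagnosis_codes", "procedure_codes",
                "charges", "insurance_member_id"},
    "scheduling": {"patient_id", "name", "dob"},
    "clinician": set(RECORD),  # full record: treatment uses are exempt
}

# Classes whose treatment-purpose uses are exempt from minimum necessary (assumed).
TREATMENT_CLASSES = {"clinician"}

# Routine, recurring disclosures follow a standard protocol: a fixed field list
# decided once, not per request. The protocol name is constructed.
ROUTINE_PROTOCOLS = {
    "claim_to_payer": {"patient_id", "name", "dob", "diagnosis_codes",
                       "procedure_codes", "charges", "insurance_member_id"},
}


class DisclosureError(Exception):
    """Raised when a use or disclosure cannot be justified under minimum necessary."""


def _restrict(record, allowed_fields):
    """Return a copy of the record reduced to the allowed data elements."""
    return {k: v for k, v in record.items() if k in allowed_fields}


def internal_use(record, workforce_class, purpose):
    """Internal use: limit to the class's need-to-know set, except for treatment.

    The treatment exemption is only honoured for classes that actually treat,
    so a non-clinical class cannot widen its access by claiming "treatment".
    """
    if workforce_class not in NEED_TO_KNOW:
        raise DisclosureError(f"unknown workforce class {workforce_class!r}")
    if purpose == "treatment":
        if workforce_class not in TREATMENT_CLASSES:
            raise DisclosureError("treatment exemption claimed by a non-clinical class")
        return dict(record)
    return _restrict(record, NEED_TO_KNOW[workforce_class])


def disclose(record, protocol=None, criteria=None):
    """Disclosure outside the entity.

    Routine disclosures name a standard protocol; non-routine disclosures must
    supply the documented minimum-necessary criteria (here: the reviewed field
    list) for that specific request. A request with neither is refused.
    """
    if protocol is not None:
        if protocol not in ROUTINE_PROTOCOLS:
            raise DisclosureError(f"unknown routine protocol {protocol!r}")
        return _restrict(record, ROUTINE_PROTOCOLS[protocol])
    if criteria:
        return _restrict(record, set(criteria))
    raise DisclosureError("non-routine disclosure requires documented minimum-necessary criteria")


if __name__ == "__main__":
    print(sorted(internal_use(RECORD, "billing", "payment")))
    print(sorted(disclose(RECORD, protocol="claim_to_payer")))
    print(disclose(RECORD, criteria=["patient_id", "charges"]))
```

The point of the example is that "minimum necessary" is enforced by reducing what the data layer returns, not by trusting the requester to look only at what they need; the refusals (an unknown class, a treatment exemption claimed by a billing clerk, a non-routine request with no documented criteria) are the cases a reviewer would check for.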
SECURITY
OVERVIEW:
Purpose: To protect both the system and the information it contains from unauthorized access & misuse
Encompasses: All safeguards in a covered entity’s structure, including:
• Information systems (hardware/software)
• Personnel policies
• Information practice policies
• Disaster Preparedness
SECURITY FINAL RULE JUST PUBLISHED: in effect April 2005
SECURITY
Administrative Procedures: To ensure security plans, policies, procedures, training, and contractual agreements exist
Physical Safeguards: To provide assigned security responsibility and controls over all media and devices
Technical Security Services: To provide specific authentication, authorization, access, & audit controls to prevent improper access to electronically stored information
Technical Security Mechanisms: To establish communications/network controls to avoid the risk of interception and/or alteration during electronic transmission of information
FINAL NOTE on PRIVACY & SECURITY
The privacy and security rules are flexible and scalable to account for the nature of each organization’s culture, size, and resources.
Each organization will determine its own privacy policies and security practices within the context of the HIPAA requirements and its own capabilities and needs.
DISCLAIMER
This article is Copyright© 2001 by NHVSHIP. It may be freely redistributed in its entirety provided that this copyright notice is not removed. It may not be sold for profit or used in commercial documents without the written permission of the copyright holder. This article is provided “as is” without any express or implied warranty. While all information in this article is believed to be correct at the time of writing, this article is for educational purposes only and does not purport to provide legal advice. If you require legal advice, you should consult with an attorney.