Transcript HIPAA

HIPAA
The What, When, Where, How, and
Why of HIPAA for Agencies in the
NC DHHS Family
Presented By NCDHHS
HIPAA PMO Staff:
Sarah Brooks
Julie Burton
Susan Mitchell
TRAINING
OBJECTIVES
• Provide High Level Overview of HIPAA
Regulations
• Clarify Agencies Covered Under HIPAA
• Explain Approach Adopted by NC DHHS to
Address HIPAA
• Identify Steps Agencies Can Begin Taking to
Comply with HIPAA
• Identify HIPAA Resources
NCDHHS - HIPAA PMO
2
Addressing Healthcare’s Tower of Babel
The Health Insurance Portability
and Accountability Act of 1996
(HIPAA)
(Image: “The Tower of Babel”, Pieter Bruegel)
CURRENT INDUSTRY
LIMITATIONS / CONCERNS
– Over 400 different proprietary claim forms and/or
file formats dictated by payers
– Administrative overhead, including claims
processing, accounts for > 20¢ of every health care
dollar
– Average “Accounts Receivable” 60 days
– Increased computerization does not adequately
address privacy and security concerns
FEDERAL RESPONSE
Healthcare Insurance Portability and
Accountability Act (HIPAA)
– Public Law 104-191, August 21, 1996
– Amends Internal Revenue Service Code of 1986
WHAT DOES HIPAA ACCOMPLISH?
• Guarantees Health Coverage When Job Changes
• Reduces Fraud and Abuse (Medicare/Medicaid)
• Administrative Simplification
– Establishes national standards for:
• Electronic (EDI) transactions
• Security and privacy of health care information
• Identifiers such as provider, payer and employer
– Improved efficiency of processing health care information
– Ultimately should lower administrative overhead
• Currently estimated at $300 Billion per year nationwide
• Preempts State Laws Unless More Stringent
ADMINISTRATIVE
SIMPLIFICATION REGULATIONS
• Title II, Subtitle F, Administrative Simplification
(FINAL RULES PUBLISHED)
– Electronic Health Transactions Standards
(45 CFR Parts 160 & 162)
• Federal Register, Vol. 65, p. 50312-50372
(published August 17, 2000)
– Privacy and Confidentiality Standards
(45 CFR Parts 160 & 164)
• Federal Register, Vol. 65, p. 82462 - 82829
(published December 28, 2000)
ADMINISTRATIVE
SIMPLIFICATION REGULATIONS
(continued)
(PROPOSED RULES - PUBLISHED)
– Security and Electronic Signature Standards
(45 CFR Part 142)
• Federal Register, Vol. 63, p. 43242-43280
(published August 12, 1998)
– Health Insurance Reform: National Standard
Employer Identifier (45 CFR Part 142)
• Federal Register, Vol. 63, p. 32784-32798
(published June 16, 1998)
– National Standard Health Care Provider Identifier
(45 CFR Part 142)
• Federal Register, Vol. 63, p. 25320-25357
(published May 7, 1998)
ADMINISTRATIVE
SIMPLIFICATION REGULATIONS
(continued)
(PROPOSED RULES - NOT PUBLISHED)
– National Health Plan Identifier (Payer ID)
Scheduled draft publication: Q2/2001
– Claims Attachments
Scheduled draft publication: Q3/2001
– Enforcement
Scheduled draft publication: Q4/2001
– First Report of Injury
Scheduled draft publication: Q4/2001
– National Individual Identifier
Scheduled draft publication: On Hold
REGULATION TIMEFRAMES
• Final Standards:
– EDI Transaction and Code Sets: published 8/17/2000; final compliance 10/16/2002
Includes transaction sets: Claims and Remittance Advice; Enrollment; Eligibility,
Inquiry and Response; Status Inquiry and Response; Request Review and Response;
Payroll Deduction and Premium Payment
– Privacy: published 12/28/2000; final compliance 4/16/2003
• Proposed Rules:
– National Provider Identifier: draft published 5/07/1998; scheduled final rule Q3/2001
– National Employer Identifier: draft published 6/16/1998; scheduled final rule Q3/2001
– Security: draft published 8/12/1998; scheduled final rule Q2/2001
• Proposed Rules Not Yet Published:
– National Health Plan Identifier: scheduled draft publication Q2/2001
– Claims Attachments: scheduled draft publication Q3/2001
– Enforcement: scheduled draft publication Q4/2001
– First Report of Injury: scheduled draft publication Q4/2001
– National Individual Identifier: scheduled draft publication on hold
WHO IS AFFECTED?
• Covered Entities
– Health Plan (provides or pays the cost of medical care
- e.g., Medicaid, HMOs, BC/BS, Medicare, Champus)
– Health Care Clearinghouse (routes electronic data
between payers & providers - e.g., billing services )
– Health Care Provider who transmits any health
information in an electronic transaction (e.g.,
Hospitals, Physicians, Public Health Departments, Group
Homes, Home Health)
WHO IS AFFECTED?
(continued)
• Business Associates
– Definition: Person who performs a function or activity
on behalf of a covered entity
– Excludes person who is part of the Covered Entity’s
workforce (e.g., Employees, Physicians with Staff
Privileges)
– Contractual Agreements with Covered Entity (e.g.,
Area MH/DD/SAS Contract Agencies, S/W Vendors)
– Complies with HIPAA
• Health Care Providers Who Transmit Paper
Health Claims Must Use New Code Sets
WHY COMPLY WITH HIPAA?
• Avoid Denied and/or Delayed Reimbursements
– DHHS agencies process claims bringing in more than
$550 million in receipts annually
– Annual Medicaid disbursements totaling more than
$4.6 billion
• May Risk Accreditation (e.g., Joint Commission on
Accreditation of Health Care Organizations)
• Public Relations and Business Risk Issues
• Benefit from Long Term Health Care Cost
Reductions
• Imposes Severe Penalties for Non-compliance
IMPOSING COMPLIANCE
• General Civil Penalty for Failure to Comply
– $100/violation/person
– Not to exceed $25,000 in one calendar year
• Criminal Penalties (Privacy) - Person who knowingly and
wrongfully discloses individually identifiable health information is
subject to fines and imprisonment
– Simple Offense - Up to $50,000 &/or 1 year imprisonment
– If Committed under False Pretenses - Up to $100,000 &/or 5
years imprisonment
– If Committed with Intent to Sell, Transfer, or Use Individual
Identifiable Health Information for Commercial Advantage,
Personal Gain, or Malicious Harm - Up to $250,000 &/or 10
years imprisonment
QUESTIONS
REGULATIONS OVERVIEW
LEARNING THE ROPES
Healthcare eBusiness Standardization
Electronic Data Interchange Transaction Sets
Standardized Codes Sets
Standardized Identifiers
(EDI/TCI)
EDI/TCI OBJECTIVES
• Definitions
– Trading Partner
– Transaction
– Standard Setting Organization (SSO)
• Transaction Sets
• Code Sets
• Unique Identifiers
TRADING PARTNER
In Electronic Data Interchange (EDI) this generally
applies to two parties engaged in the exchange of
business data through electronic means.
TRANSACTION
The exchange of data between two parties to carry out
financial or administrative activities related to health care. It
includes the following types of information exchanges:
(1) Health Care claims or equivalent encounter information.
(2) Health Care payment and remittance advice.
(3) Coordination of benefits.
(4) Health Care claim status.
(5) Enrollment and disenrollment in a health plan.
(6) Eligibility for a health plan.
(7) Health plan premium payments.
(8) Referral certification and authorization.
(9) First report of injury.
(10) Health claims attachments.
(11) Other transactions that the Secretary may prescribe by
regulation.
STANDARD SETTING
ORGANIZATION
An organization accredited by the American National
Standards Institute (ANSI) that develops and maintains
standards for information transactions or data elements,
or any other standard that is necessary for, or will
facilitate the implementation of HIPAA
• ASC X12
• NCPDP
• HL7
• UN/EDIFACT (Interactive Claim)
TRANSACTION SETS
HIPAA Mandated
Transaction Sets
TRANSACTION SETS
(ASC X12)
148 First Report of Injury
270/271 Health Care Eligibility Benefit Inquiry and Response
275 Additional Information to Support a Health Care Claim or
Encounter
276/277 Health Care Claim Status Request and Response
278 Health Care Services Review - Request for Review and
Response
820 Payroll Deducted and Other Group Premium Payment for
Insurance Products
834 Benefit Enrollment and Maintenance
835 Health Care Claim Payment/Advice
837 Health Care Claim (Institutional, Professional, Dental)
National Council for Prescription Drug Program (NCPDP V 5.1 & 1.0 )
Healthcare Data Element Dictionary
X12 TRANSACTIONS FLOW
(Flow diagram: X12 transactions exchanged among Employers, Health Care Plans and
Health Care Providers, with the plan-side and provider-side functions they serve)
• Employers to Health Care Plans (Member Services, Enrollment)
– 834 Enrollment
– 820 Premium Payment
• Health Care Providers and Health Care Plans
– Eligibility Verification: 270 Eligibility Request, 271 Eligibility Response
– Precertification and Referrals: 278 Referral Request, 278 Referral Response
– Service Billing / Claim Submission to Claim Receipt and Routing, Adjudication:
837 Claim, 275 Additional Information, 277 Claim Status Response
– Claim Status: 276 Claim Status Request, 277 Claim Status Response
– Claim Reconciliation / Accounts Receivable: 835 Claim Payment Advice
HIPAA TRANSACTIONS BUSINESS
PRACTICES EFFECTS
• Backend Reporting
• Coordination of Benefits
• Claim Status
• Electronic Remittance Advice
• Maximum Data Set
IMPLEMENTATION
TIMELINE
The Compliance Date for the
Transaction Sets and Code Sets is
October 16, 2002
PROPOSED IMPLEMENTATION
TIMELINE - WEDI/SNIP
Transaction Groups     | Beta/Pilot Testing Period | Payer Readiness Date | Migration Completion
Group 1: 837, 835      | Jul 1, 2001               | Oct 1, 2001          | Oct 16, 2002
Group 2: 270/271, 834  | Dec 1, 2001               | Mar 1, 2002          | Oct 16, 2002
Group 3: 276/277       | Feb 1, 2002               | May 1, 2002          | Oct 16, 2002
Group 4: 278           | Mar 1, 2002               | June 1, 2002         | Oct 16, 2002
Group 5: 820           | May 1, 2002               | Aug 1, 2002          | Oct 16, 2002
HIPAA IMPLEMENTATION
GUIDES
X12 Transactions - Washington Publishing Inc.
www.wpc-edi.org
NCPDP Transactions – National Council of Prescription
Drug Programs
www.ncpdp.org
HL7 Standards – Health Level 7
www.hl7.org
REQUESTING CHANGES TO
TRANSACTION SET STANDARDS
Join the Appropriate Standards Development Organization
Contact an Industry Group with Representation on a
Standards Development Group
Expect a 2 to 3 Year Lead Time for Request Implementation
in HIPAA
BASIC HIPAA CODE SETS
FUNCTIONS
• Diagnosis
• Medical Procedures
• Drugs
HIPAA MANDATED CODE SETS
• International Classification of Diseases, Ninth
Edition, Clinical Modification (ICD-9-CM )
• Health Care Procedural Coding System
(HCPCS)
• Current Procedural Terminology, Fourth
Edition (CPT-4)
• Current Dental Terminology (CDT)
• National Drug Codes (NDC)
TWO TYPES OF HIPAA
MANDATED CODE SETS
• Explicit Code Sets
– Defined in the rules
– CDT, HCPCS, ICD-9-CM, NDC
• Implicit Code Sets
– Referenced in the Transaction
Implementation guides such as the codes that
specify a patient’s relationship to an insured
subscriber
ELIMINATION OF
HOMEGROWN CODES
(NC Medicaid ‘Y’ Codes)
SAMPLE HEALTH CARE FUNCTIONS
THAT USE CODE SETS
• Claim Processing
• Utilization Management
• Disease Management
• Enrollment
REQUESTING CHANGES TO
CODE SET STANDARDS
• Join the Appropriate Standards
Development Organization if Possible
• For HCPCS Contact HCFA
• Not Applicable for NDCs
• For CDT Codes Contact ADA
UNIQUE IDENTIFIERS
• National Identifier for Individuals
• National Health Care Identifier of
Employers
• National Standard for Identifiers of Health
Plans
• National Provider Identifier
NATIONAL INDIVIDUAL
IDENTIFIER
• Currently on Hold
• Proposed Rule Is Not Expected to Be
Published in the Near Future
• Pending Congressional Privacy Legislation
NATIONAL EMPLOYER
IDENTIFIER
• Employer ID Will Be The Employer’s Tax ID
• The Internal Revenue Service (IRS) Will Maintain
the Assignment and Reference Facilities
• Nine Digits
NATIONAL HEALTH
PLAN IDENTIFIER
• Plan IDs Will Be Issued to Health Plans
– Plan ID Identifies Three Different Types of Entities:
Payers, Group Health Plans, and Provider Networks
• Payers and Administrators
• ERISA Group Health Plan, Taft-Hartley Trust,
METs, and Other Group Plans
• PPOs and Similar Organizations
• Proposed Rule Not Yet Published
NATIONAL PROVIDER
IDENTIFIER
• Identifying An Individual
– An individual provider (such as a physician, dentist,
nurse, or therapist) receives an NPI that never changes
– If the individual is a health care provider in two
different capacities, it is expected that there will still
be only a single NPI
NATIONAL PROVIDER
IDENTIFIER
(continued)
• Identifying An Organization
– Organizational health care providers, such as:
• Hospitals
• Clinics
• Laboratories
• Physician group practices
• Home health care agencies
• Pharmacies
• 10 Digits with Right Most Digit Being a
Check Digit (Proposed)
HIPAA TRANSACTIONS, CODE
SETS AND UNIQUE IDS
• Code Sets are Used in the Transactions
• Unique IDs are Used in the
Transactions with Proprietary Values
until They are Defined
• Required Use of Standards
QUESTIONS
REGULATIONS OVERVIEW
PRIVACY
BASIC PRINCIPLES
• First Comprehensive Federal Law to Protect
the Privacy of Individually Identifiable Health
Information
– HIPAA Protections
• Importance
– To Patients
– To Healthcare Providers/Plans/Clearinghouses
• Protected Health Information (PHI)
– Past, Present, Future Health Information
– Electronic/Paper/Oral
– Best Practice
PROTECTED HEALTH
INFORMATION (PHI)
• Individually Identifiable Information
– Name
– Address
– Social Security Number
– Names of Relatives
– Unique Identifiers
– Telephone/Fax/Other Numbers
– Geographic Designation Smaller than State
– Photograph
GENERAL PROVISIONS
• HIPAA Preempts State Laws
– Provides uniform “floor” for protection
– More stringent current state laws will stand
– More stringent future state laws allowed
• Allows Consumer Control
– Establish rights of patients regarding their
confidential health information
• Recognizes Public Responsibility
– Balance of individual privacy and the public need
to know
GENERAL PROVISIONS
• Healthcare Provider Responsibilities
– Protect health information
– Secure health information
– Provide complete information to other Healthcare
Providers
– Provide “minimum necessary” information to other
requesters
– Create De-identified information when feasible
– Remove
– Code
– Encrypt
– Eliminate/conceal
GENERAL PROVISIONS
• Healthcare Provider Responsibilities (continued)
– Establish an Internal Complaint Process that
provides individuals with means to lodge
complaints about the entity’s information practices,
and maintain a record of any complaints
– Develop a system of sanctions for members of the
workforce and business partners who violate the
entity’s policies
– Enforcement and Compliance
NOTICE
• Notice of Information Practices
– Brochure
– Pamphlet
– Posted on Wall
• Notice must include anticipated uses and
disclosures of protected health information
without the patient’s written authorization
PATIENT’S RIGHTS
• Right to be informed through NOTICE
• Right to inspect and review record
• Right to receive copies
• Right to amend/correct copies
• Right to add supplemental information
• Right to restrict Use and Disclosure of information
• Right to Accounting of Disclosures
• Right to a personal representative
• Right to revoke authorization
• Right to appeal
ACCESS TO RECORD
• Healthcare Provider Provides Access
– 60 days after receiving request
– Extended 30 more days without reason
– Provide patient with a summary of records if
agreed upon in advance
– Recover cost-based fee for providing patient
with a copy, explanation or summary of
records
DENIED ACCESS
• Healthcare Provider Denial of Access with
Opportunity for Review when in the Opinion
of a Licensed Health Care Professional that:
– Information would endanger life or safety of
patient or others
– References to others is reasonably likely to cause
substantial harm to that other person
– Request was made by the patient’s personal
representative and access would likely cause
substantial harm to that person or others.
DENIED ACCESS
• Healthcare Provider Denial of Access
Without Opportunity for Review
– Psychotherapy Notes
– Information compiled for civil, criminal or
administrative actions
– Inmate request that would jeopardize health or
safety of inmate or others
– Research that includes treatment
– Information obtained from an anonymous source
under a promise of confidentiality
USE AND DISCLOSURE OF PHI
• Use: Protected Health Information is
“used” when shared, examined, applied or
analyzed within the covered entity that
maintains the information
• Disclosure: Protected Health Information is
“disclosed” when released, transferred, given
access to or divulged outside the entity holding
the information.
USES AND DISCLOSURES WITH
INDIVIDUAL AUTHORIZATION
• A General Consent is required for use or
disclosure of information for treatment,
payment and health operations.
• A more specific Authorization is required
for use or disclosure of information for
purposes other than treatment, payment or
health operations.
USES AND DISCLOSURES WITHOUT
INDIVIDUAL AUTHORIZATION
• Disclosures For:
– Public health activities
– Health oversight activities
– Judicial and administrative proceedings
– Governmental health data systems
– Research, emergency circumstances, next of kin,
and as required by other laws
– Coroners and Medical Examiners
– Law Enforcement
– Directory information
– Banking and payment processes
BUSINESS ASSOCIATES
• Application to Business Associates
– Establish contracts that ensure Business
Associates exercise an appropriate level of
care related to privacy and conform to
HIPAA regulations
– Must treat PHI the same as the covered
entity
– Covered entity must take action if it is
learned that Business Associate is not
protecting PHI.
ADDITIONAL PROVISIONS
• Application to Information About Deceased
Persons
– Same as if person was alive
• Application to Covered Entities That Are
Components of Organizations That Are Not
Covered Entities
– Hybrid Entity (Covered functions are not the
primary functions of the entity)
IMPLEMENTATION
REQUIREMENTS
• Policies and Practices must be developed
and documented
• Scalability
– Appropriate to the nature and scope of the
business that enables protection of health
information in accordance with the rules
IMPLEMENTATION
REQUIREMENTS
• Designation of Privacy Officer
• Provide Privacy Initial & On-going
Training to Workforce
• Develop internal policies and forms
• Implement Safeguards
– To protect health information from intentional
or accidental misuse
• Audit and QA
IMPLEMENTATION TIMELINE
The Compliance Date
for the Privacy is
April 14, 2003
REGULATIONS OVERVIEW
SECURITY
SECURITY OBJECTIVE
To Protect the Confidentiality, Integrity
and Availability of Individual
Health Information, While Permitting
the Appropriate Access and Use of
That Information by Healthcare
Providers, Healthcare Plans and
Healthcare Clearinghouses.
SCOPE OF SECURITY
REGULATIONS
• Applies to Healthcare Providers, Plans and
Clearinghouses
• Applies to All Size Organization (Physician
Offices, Medical Centers, County Public
Health Departments, HMOs, Medicaid, etc.)
• Applies to All Health Information Pertaining
to an Individual That Is Electronically
Created, Received, Transmitted or Maintained.
PRIVACY vs. SECURITY
PRIVACY is the right of an individual to
keep his/her individual health information
from being disclosed.
SECURITY is the mechanism in place to
protect individual health information.
SECURITY STANDARD IMPACTS
ELECTRONICALLY MAINTAINED
AND TRANSMITTED DATA
• Data on Magnetic Tape or Disk
• Entry of Patient Information in Computers
• Transmission of Treatment Data to a Healthcare
Plan
• Claims Printed From a Healthcare Clearinghouse
• Records Transcribed and Stored in a Word Processor
• Lab Results Sent by Modem to a Printer at an Office
• Etc.
SECURITY STANDARD
• Does Not Identify or Require Specific
Technologies
• Allows Healthcare Industry to Implement
Different Solutions Depending Upon Needs
and Technologies in Place
• Mandates Safeguards for Physical Storage
and Maintenance, Transmission and Access
to Individual Health Information
GUARDING DATA INTEGRITY,
CONFIDENTIALITY AND
AVAILABILITY
1. Administrative Procedures
2. Physical Safeguards
3. Technical Security Services
4. Technical Security Mechanisms
5. Electronic Signature
ADMINISTRATIVE PROCEDURES
(Policies and Procedures)
1. Certification of Data Systems to Evaluate
Security
2. “Chain of Trust” Agreement
3. Contingency Plan in Case of Emergency
4. Formal Data Processing Protocols
5. Controlling Access to Data
6. Internal Audit Procedures
ADMINISTRATIVE PROCEDURES
(Policies and Procedures)
7. Security Activities by Personnel
8. Overall Security of Hardware, Software,
and Virus Checking
9. Protocols for Reporting and Responding to
Breaches of Security
10. Risk Management and Sanctions
11. Security Procedures in Event of Personnel
Terminations
12. Security Training Programs
PHYSICAL SAFEGUARDS
(Buildings and Equipment)
1. Designate Security Responsibilities
2. Develop Controls on Access and Manipulations of
Hardware Components (Disk, Keyboard, Monitor)
3. Develop Disaster/Intrusion Response and Recovery
Plans
4. Implement Personnel Identification for Access
5. Maintain Maintenance Records
6. Enforce Security Clearances (Need-to Know Basis)
7. Develop Protocols Regarding Activities and
Security at the Work Station Level
TECHNICAL SECURITY
MEASURES
(Software Controls)
1. Regulate Access (Includes Emergency Access)
2. Audits and Controls
3. Data Authentication (Security of Stored Data)
4. Ensure User Authentication and Access Control
(User ID, Automatic Log-off)
TECHNICAL SECURITY
MECHANISMS
(Transmission of Data)
1. Storage and Transmission of Health Information
Cannot Easily Be Accessed or Interpreted by
Unauthorized Third Parties
2. Ensure Messages Sent and Received Are
the Same
3. Access Control to Transmission (Dedicated
Lines)
4. Encryption
ELECTRONIC SIGNATURE
(On Hold)
1. Ensure Identity of the Signer
2. Ensure Unaltered Transmission and
Receipt of the Data
3. Must Prevent a Signer from Successfully
Denying the Signature
Proposed standard explicitly notes that a Digital
Signature is the only technology that satisfies
these requirements.
SECURITY OFFICER
• Serves As Internal Information Security
Consultant in Agency
• Documents Security Policies and Procedures
• Provides Risk Assessments
• Functions As Internal Auditor
• Monitors Compliance With Standards
SECURITY BOUNDARIES
• Identifies “What”
• Does Not Identify “How”
• Scalability (allows agency to define and
implement security appropriate to size and
activities of the agency)
GETTING STARTED
• Baseline Assessment
– Current Security Environment
• Policies
• Procedures
• Technology
– Information Systems
• GAP Analysis
– Compare Current Environment With Security Requirements
– Determine “GAPS”
• Risk Assessment
– Analyze likely and unlikely scenarios in terms of
probability of occurrence and impact on agency
SECURITY ASSESSMENT
• Not Just a Technology Issue
– 40% Information Technology
– 60% Business Issues
• Security and Privacy Go Hand-in-Hand
• Integrate Both Standards
ENFORCEMENT
• RESPONSIBILITY: U.S. DHHS Office for
Civil Rights
– Assist with voluntary compliance efforts
– Respond to questions, interpretation, guidance
– Respond to states’ requests for exceptions
– Investigate complaints
– Conduct compliance surveys
– Seek criminal prosecution for non-compliance
efforts
COMPLIANCE DATE
Expected to Become Effective
in Late 2001
QUESTIONS
NCDHHS
IMPACT IN DHHS
APPROACH FOR
ADDRESSING HIPAA
HIPAA IMPACT ON DHHS
• Standardized Transactions
– Initial Assessment - 26 Systems Process Health
Care Transactions
• Public Health - 10 Systems
• Mental Health/Developmental Disabilities/Substance Abuse - 7 Systems
• Vocational Rehabilitation - 3 Systems
• Services for Blind - 1 System
• Medical Assistance - 1 System
• Shared (Multiple DHHS Agencies) - 4 Systems
– Local Agencies (E.G., MH/DD/SAS Area
Programs) Must Modify Their Information
Systems
HIPAA IMPACT ON DHHS
(continued)
• Privacy and Security Standards
– Secure and Protect Electronic and Paper
Records
• DHHS Serves “at Risk” Population
– Establish Policies and Procedures
– Establish Documentation and Audit Processes
HIPAA IMPACT ON DHHS
(continued)
• Agencies Directly Impacted by HIPAA
– Public Health (including 86 county/regional
health departments, State Laboratory, Medical
Examiner’s Office)
– Mental Health, Developmental Disabilities
and Substance Abuse Services (4 psychiatric
hospitals, 5 mental retardation centers, 2 alcohol
and drug abuse treatment centers, 1 extended care
facility, 2 schools for emotionally disturbed
children, 39 area programs)
HIPAA IMPACT ON DHHS
(continued)
• Agencies Directly Impacted by HIPAA
– Medical Assistance (Medicaid program)
– Early Intervention and Education (18
Developmental Evaluation Centers, 3 schools for
Deaf and Hard of Hearing, 1 school for Blind)
– Vocational Rehabilitation (72 local offices)
– Social Services (100 county offices)
– Services for the Blind (serve >35,000 North
Carolinians each year)
– Child Development
HIPAA IMPACT ON DHHS
(continued)
• Agencies Indirectly Impacted by HIPAA
– Research, Demonstrations and Rural Health
Development
– Division of Aging
– Facility Services
– Human Resources
– Internal Auditor
– Public Affairs (Communications)
– Citizen Services
DHHS REACTION
• Provide Centralized Management
Response
– Establishment of HIPAA Program
Management Office (PMO)
• Appoint HIPAA Coordinators
• Designate HIPAA Attorney - Marc Lodge
• Develop Communications Plan
DHHS REACTION
(continued)
• Identify Funding Sources
– No Federal Funds Appropriated for HIPAA
Implementation
– Submission of Expansion Budget Request
– Developed Cost Allocation Models to Maximize
Federal Funding for Systems/Programs
– Currently Investigating
• Availability of grants
• Other opportunities for maximizing federal funds
• Sharing vendor costs with other states
• Collaborative efforts with vendors
DHHS REACTION
(continued)
• Partner with Other Organizations/States to
Share Information/Deliverables
– NC Health Care Information and Communications
Alliance (NCHICA)
– Government Information Value Exchange for
States (GIVES)
– Southern HIPAA Administrative Regional Process
(SHARP)
PROGRAM MANAGEMENT OFFICE
(Organization chart; names and roles as shown on the slide)
HIPAA Oversight Committee
Karen Tomczak - PMO Director
Sarah Brooks - Business Operations Mgr.
Ivey Palmer - Tactical Operations Mgr.
Julie Burton - Business Specialist
Frances Taylor - Business Specialist
Susan Mitchell - Business Analyst
Dwala Johnson - Technical Writer
Cynthia Wagnor - Team Lead
Joyce Young - Technical Writer
Bruce Chao - Web Developer
Stephen Fraser - Technical Writer
Teams: EDI Team, Security Team, Operations Support
PMO TASKS
• Research HIPAA Requirements
• Determine Impact of Requirements on
DHHS
• Serve as HIPAA Resource Center
• Correlate DHHS HIPAA activities with
HIPAA Coordinators
• Establish and Coordinate Focus Groups
– Business Operations
– Security
– EDI/TCI
PMO TASKS
(continued)
• Disseminate HIPAA Information
throughout DHHS
• Develop Enterprise Policies, Procedures,
Tools, Processes, Forms, Implementation
Guidelines, Contracts, Agreements
• Develop Best Practice Models
• Promote Business Process Reengineering
• Provide Technical, Operational and
Management Support
• Provide Overall Project Monitoring and
DHHS HIPAA Status Reporting
PMO TASKS
(continued)
• Provide Levels of HIPAA Training
– Awareness
– Core
– Intermediate
– Expert
• Develop Job Classifications/Descriptions for
Security and Privacy Officers
• Maintain PMO Web Site for
Communications
http://dirm.state.nc.us/hipaa/
DHHS WEBSITE
USER LOGIN
PMO DELIVERABLES
• Presentations
• Tools to Assess HIPAA Impact
– Information Flow Assessment Database
– Questionnaires (e.g., Early View)
– Reviews of Statutes, Rules, Policies, Procedures
• NCHICA Privacy and Confidentiality Focus Group
• Attorney General’s Office - HIPAA Legal Resources
• Department/Division/Agency Review
– Gap Analyses
– Risk Assessments
PMO DELIVERABLES
(continued)
• Tools for HIPAA Remediation
– Work Plans
– Checklists
– Processes
– Sample Policies, Procedures, Forms, Notices,
Contracts, Chain of Trust Agreements
• Tools for HIPAA Testing and Training
– Testing Processes/Procedures
– Staff Training Courses
– Other Training Courses
PMO DELIVERABLES
(continued)
• Tools for HIPAA Compliance
– Self-Certification Tools
– Quality Assurance Audits
– On-going Awareness Training
• Staff
• Others (Business Associates, Vendors)
– New Employee Orientations
– Business Continuity Plans
DELIVERABLE PROCESS
• PMO
– Develops Deliverables
• Business Operations Focus Group
– Reviews Deliverables with Their Divisions/Local
Agency Staff
• Selected Pilot Agencies/Institutions
– Test Deliverables
– Recommend Modifications
• Enterprise Dissemination
– Distribute via web site, HIPAA Coordinators and
Focus Group
PMO OUTREACH
• HIPAA Awareness Seminars
• Professional Groups/Organizations with
HIPAA Interests
– NC Association of Local Health Directors
• Technology Committee
– NC Health Information Management
Association
• Behavioral Health Section
– HEARTS User Group
• Local Agencies, Institutions, Groups
QUESTIONS
GETTING STARTED
• Designate HIPAA Coordinator
• Establish HIPAA Implementation Team
• Participate in HIPAA Training Opportunities
• Present HIPAA Awareness Program to
Management and Staff
• Develop and Implement HIPAA Work Plan
– Work Plan Template on PMO Web Site
• Conduct Information Flow Assessment
PMO TOOL
• Information Flow Assessment
– Status of Current Information Flow
– Web Based Database
– Individual Division/Office Customization
– Comprehensive Evaluation of Information Flow
– Ease of Use
– Report Generation
– Due Diligence
– Pinpoint Areas of HIPAA Impact
WHY DO AN INFORMATION FLOW
ASSESSMENT?
• Determine if a Covered Entity
• Identify:
– Business Associates
– Types & methods of information handling
– Code Sets currently in use
– Systems/applications in use
– Systems/applications for remediation
– Flow and routing of information
– Short and long term storage of information
– Areas of privacy/security weaknesses
– Current contracts and Agreements
• Documentation for Due Diligence
PMO TOOL
• Information Flow Assessment
– What Information Flows Within and Without an
Agency
– Types of Information (personal, financial,
medical)
– Who Accesses Information
– How is Information Transmitted
– When is Information Shared
– Where is Information Stored (temporary and
permanent)
– How is Information Disposed
INFORMATION FLOW ASSESSMENT
A. Information Received, Sent and/or Created
Please specify the type of health information currently or planned to be received, sent
and/or created in your area (select all that apply):
NON-MEDICAL
1. Administrative
[ ] None (go to next question)
[ ] Demographic Information
[ ] Non-identifying statistical data
[ ] Birth Certificate/Death Certificate
[ ] Investigative Reports
[ ] Incident Reports
[ ] Applications (Admissions, Client, Employment, etc)
[ ] Legal Papers
[ ] Custody/Guardianship Papers
[ ] Parent Questionnaires
[ ] Logs (Shift, Insurance, Staff notes, etc.)
[ ] Complaint Information
[ ] Correspondence (Internal & External)
[ ] Meeting Minutes/Notes
[ ] Photographs
[ ] Other Administration _____________________________________________________________
2. Education
[ ] None (go to next question)
[ ] Individual Education Plan (IEP)
[ ] Immunization Records
[ ] Psychological Records
[ ] School Questionnaires
[ ] Behavior Rating Scales
[ ] Child Symptom Inventory Checklist
[ ] Other Education ______________________________________________________________
3. Financial
[ ] None (go to next question)
[ ] Information for filing insurance claim
[ ] Medicaid Eligibility
[ ] Assets and Liabilities (Ability to Pay)
[ ] Billing Information
[ ] Medicaid Liability
[ ] Banking Information
[ ] Entitlement Information
[ ] Direct Deposit Information
[ ] Financial Questionnaires
[ ] Funding Justifications with Details
[ ] Reports/Data (UR, Financial, etc.)
[ ] CAP or Respite determinations
[ ] Financial Correspondence
[ ] Other Financial ______________________________________________________________
GETTING STARTED
(continued)
• If Covered Entity, Identify Business Associates
and Trading Partners
• Evaluate Systems/Applications for HIPAA
Remediation
– Utilize Y2K Inventory Data
– Contact Software Vendors
– Review Implementation Guides
• Evaluate Current Security of Protected Health
Information (PHI)
– Door Locks, Paper Storage/Disposal, Location of
Fax/Copiers/Shredders, System Security
GETTING STARTED
(continued)
• Analyze Data Collection Process
– Registration
– Coding
– Discharge
• Compile Current Information for
Remediation to HIPAA Compliance
– Policies
– Procedures
– Forms
– Contracts
GETTING STARTED
(continued)
• Submit Budget Based on Anticipated IT and
Business Changes (Budget Questionnaire)
• Work Your HIPAA Work Plan
• Monitor DHHS HIPAA Web Site
• Utilize HIPAA PMO/HIPAA Coordinators as
Resources for HIPAA Implementation
RESOURCES
• Attachments to Slide Presentation
Materials
– HIPAA Related Web Sites
– HIPAA Glossary and Acronym References
– DHHS Division HIPAA Coordinators
– NCHICA HIPAA Committees
– NCHICA HIPAA Privacy Regulation Work
Groups
– NCHICA Top 10 Planning Points for HIPAA
Compliance
– HIPAA Regulations
SUMMARY
• HIPAA - A Health Care Paradigm
– Affects Payers, Providers, Employers, Medical
Manufacturers, Pharmaceutical Companies, Employees,
Clearinghouses, Patients.
– Requires Redesign of Business Processes, Staffing Plans,
Workflow
– Requires Changes to Business Applications, Technology
Architecture, Facilities
– Shifts Power in Provider/Consumer Relationship
– Presents Change Management Challenges
– Introduces New Legal Liabilities
– Provides Patients with Rights
– Conveys Severe Civil and Criminal Penalties
SUMMARY
• HIPAA Is Not Going Away
– Health Care Industry Wants Standardization
– Consumers Want Health Information to Be
Protected
• HIPAA Is Not an Option
• HIPAA Is Doing Business in the ‘New
Millennium’
• Implementation Cost Is Short-term
• Operational Benefit Is Long-term
QUESTIONS