HIPAA Overview (Health Insurance Portability and
Download
Report
Transcript HIPAA Overview (Health Insurance Portability and
HIPAA Overview
(Health Insurance Portability and
Accountability Act 1996)
May 2002
VACSB - HIPAA Committee
Training Objectives
Provide an overview of HIPAA regulations.
Review Privacy Rule requirements.
Review Security Rule requirements.
Review Administrative requirements.
Provide HIPAA Committee “draft” templates.
Summarize most current proposed changes.
Learn how to insert a Hippo into your next
presentation.
What is HIPAA?
Fed. Regulation/law - Kennedy & Kassebaum
Improve “portability and continuity” of
health insurance coverage.
Provide administrative simplification and
consistency - Standard Code Sets and
Transactions.
Assure privacy and security of confidential
protected health care information (PHI).
Increase provider accountability - PHI.
Increase consumer rights - PHI.
What is the purpose of HIPAA ?
Identify provider responsibilities around PHI.
Reduce health care costs.
Reduce health care fraud and abuse.
Control use and disclosure of “protected
health information” (PHI).
Regulate how PHI is transferred and
managed by technology, individuals, and
agencies.
Covered Entities Who Must Comply
Health care organizations that capture &
maintain individually identifiable health
care data.
Three categories:
Providers - conduct certain administrative and
electronic transactions
Health care Plans
Clearinghouses
Covered Entities
Provider
i.e., CSB
Plan
i.e., Medicaid,
Blue Cross/
Shield
Clearinghouse
i.e., Billing
Company
Timelines for Compliance
Transactions and Code Sets October 2003 (With Extension)
Privacy Regulations April 2003
Security Regulations Final regs. pending (Spring
2004?)
HIPAA Regulations
Electronic Transaction/Code Sets - Sets
uniform standards (Administrative
Simplification.)
Privacy Regulations - Identifies what health
care information is protected.
Security Regulations - Identifies how
information is to be protected.
Identifiers - Employer, Payer, National.
Health Care Operations
Includes “general administrative and business
functions” necessary for a covered entity to
remain a viable business (i.e., audits, quality
improvement functions, assessments.)
Health Information
Any information recorded in any form or
medium which:
Is created/received by a Covered Entity that
creates, receives, uses, or transmits PHI,
Relates to the past, present, or future
physical/mental health condition of an
individual, their participation in, or payment
for such services, and
Identifies the individual.
Protected Health Information (PHI)
All individually identifiable health data
or information collected, maintained,
or transferred by a Covered Entity.
Protected Health Information (PHI)
Name
Address
Social Security #
Birth Date
Demographic info.
Medical Record #
Email address
Account numbers
License/Certificate #
Vehicle identifiers
Bio-metric identifiers
Telephone numbers
Place of employment
Full face photograph
Fax number
Health Plan number
De-identified information
Health information which
is stripped of individual
identifying elements.
In this form, remaining
data would not be
sufficient to identify the
consumer.
Privacy Notice *
Written document - plain
language.
Posted & shared with
consumers.
Explains how PHI will be
used/disclosed by provider.
Identifies consumer rights.
Lists provider duties to
protect PHI.
Use vs. Disclosure
Use
Sharing, utilization,
examination, &
analysis of PHI
maintained internally
within the provider.
Disclosure
Release, transfer,
access to, or sharing
in any manner PHI
outside the entity
maintaining the
information.
Minimum Necessary Rule
Rule applies to Uses/Disclosures
Essential element of privacy protections.
Covered Entities must make reasonable
efforts to limit use, disclosure, and request
for PHI to the “minimum necessary” to
accomplish the intended purpose.
Minimum Necessary Rule
Asks - How much information is needed to
achieve your purpose?
Applies to all forms of communication.
Use - Requires policies & procedures (P&P)
classifying staff by role/position.
Disclosure - Requires P&P addressing criteria
to limit disclosure & reviewing of requests.
With request - Must limit request to that which
is necessary.
Access to PHI (Protected Health
Info.)
Opportunity to approach, inspect, review,
and make use of data or information.
Actions by a consumer or health care
provider with appropriate
authorization.
Consent and Authorization
Consent
Document gives
provider consent
to carry out
treatment,
payment, or health
care operations
(TPO).
Authorization *
AKA - “Release of
Information.”
Document used for
purposes other than
TPO.
Electronic Transaction &
Code Set Standards
National Electronic Standards - provides
automated transfer of certain health care
data between health care payers, plans,
and providers.
Replaces nonstandard formats and code
sets - with standard electronic transactions
and codes sets.
Which Administrative & Financial
Transactions?
Health claim or encounter information.
Eligibility for a health plan inquiry.
Referral certification & authorization.
Health care claim status.
Health care payment and remittance advice.
Health plan premium payments.
Enrollment & dis-enrollment in a health plan.
First report of injury.
Health claim attachments.
And - Coordination of Benefits
Transaction/Code Sets Standards
Code Sets Examples:
ICD - 9
CPT - 4
HCPCS
DSM IV
Compliance
Deadline with
Extension: October
15, 2003
Benefits of Standardization of
Electronic Transactions/Code Sets
Standardized Formats – Will reduce number of
formats used for health care administrative and
financial transactions nation-wide.
Billing becomes more efficient.
Internal administrative savings related to
staffing, response to complaint calls, and
billing reconciliation.
Privacy Rule
Applies to all protected health
information (PHI).
Does not prohibit the exchange of
PHI for treatment, payment, or
health care operations (TPO)
within agency.
Written Consent is required.
Privacy Rule Impacts
HR - employee PHI
Consents/Authorization
Privacy Notifications
Uses & Disclosures
Health care operations
Consumer access to &
amendment of PHI
Business Associate Agreements
Provider responsibilities
Privacy Rule Highlights
Protects privacy of medical records and covers:
Electronic records & printouts of records
Written records
Oral communications
Consumers give Consent for routine PHI release
purposes (TPO).
Privacy Notice - documents consumer’s rights
and the provider’s responsibilities.
Consumers Rights under HIPAA
Inspect/copy information (medical record).
Request to amend information if inaccurate
or incomplete.
If request is denied - consumers may file a
complaint with CSB or federal government.
Consumers may request Disclosure History
- Disclosure other than those covered by TPO
Business Associate Agreements
Business Associates - Those entities that
do things on our behalf with whom we
share/give access to PHI.
Business Associate Agreements Establish permitted uses, disclosures,
and safeguards for PHI.
Privacy Compliance Will
Allow flow of PHI for treatment, payment,
and related health care operations (TPO).
Prohibit flow of PHI unless voluntarily
authorized by the consumer.
Allow consumers to know who is accessing
their PHI outside of TPO use.
Allow consumers to obtain access to their
records & request amendment of records if
inaccurate or incomplete.
Provider Responsibilities
Provide formal complaint handling system.
Allow use of de-identified data.
Follow “minimum necessary”
requirements.
Establish Business Associate Agreements.
Duty to mitigate damage if violations occur.
Establish sanctions for HIPAA violations.
Privacy Penalties
Civil Penalty:
$100 -$25,000
maximum/year/person/same/violation.
Criminal Penalty:
$50,000 - $250,000
Fines and 1-10 years in prison.
Commercial Advantage/Personal Gain:
$250,000 and 10 years in prison.
Consent Exceptions
Consents not required for:
Indirect treatment relationships.
Inmates.
When required by law to treat (i.e., Court
Ordered).
In case of substantial communication
barriers.
In cases of emergencies.
Privacy Preemption
HIPAA
Will preempt
state laws relating to
PHI
Except for those
contrary to &
more stringent
than HIPAA.
Organizational Practices - Security
Staff training.
Role based access.
Remote access site
security issues.
Electronic/wireless
devices (i.e., laptops).
Gap Assessment. *
Authentication of
users.
Organizational Practices - Security
Policies/procedures for workstation use.
Security of workstation locations.
Security Incident Reporting.
Termination procedures.
Media controls.
Audit trails.
Encryption.
Security Rule
Deals with how PHI is secured:
Access to PHI.
Minimum Disclosure Rule.
Encryption/digital signatures.
Background checks.
Physical (facility) security.
Final Security Rule – Pending.
HIPAA Identifier Standards
Pending HIPAA Regulation
Employer ID
Provider ID
Payor ID
Final Identifier Rule:
Pending in HHS
Required Administrative Procedures
Designate Privacy & Security Officers.
Complete gap analysis. *
Develop a plan for HIPAA compliance.
Identify Business Associates and
establish agreements.
Revise/develop P&P for HIPAA.
Provide & document HIPAA training.
Address access control issues.
Have internal audit processes in place.
Required Administrative Procedures
Develop formal Consumer Complaint Syst.
File - Extension: Code Sets/Transactions.
HIPAA Compliance Certification (IT)
Develop Disaster/Contingency Plans.
Identify security incident procedures.
Meet personnel security requirements.
Develop a security management system.
Identify Sanctions for violations.
Test your system.
Summary: Vocabulary
Covered Entity
PHI
TPO
Privacy Notice *
Consent
Authorization *
Minimum Necessary
Business Associate
Agreement
De-identification of PHI
Proposed Changes
Strengthen Privacy Notice provisions.
Eliminate Consent - Acknowledge receipt of
Privacy Notice.
Maintain “minimum necessary rule” while
allowing treatment-related conversations.
Assure appropriate parental access to their
children’s records. (state law will govern)
Prohibits use of records for marketing.
Assure privacy without impeding research.
Provide model business associate provisions.
Resources
http://aspe.hhs.gov/admnsimp/index
http://www.hhs.gov/ocr/hipaa
http://www.ahima.org/hot.topics
http://www.wedi.org/
http://www.samhsa.gov/hipaa
Resources
http://www.afehct.org
http://www.healthprivacy.org
http://www.hipaalert.com
http://himinfo.com/news/hipaa
http://www.hipaadvisory.com/regs/
For more information or questions on
HIPAA please contact:
Demetrios Peratsakis
Executive Director
Western Tidewater CSB
757-925-2406
or
[email protected]
HIPAA Committee Deliverables
Drafts - Pending Attn.General’s Review
Email Policy
Fax Policy
Privacy Notice
Authorization Form
Extension Template –Trans./Code Sets
Internet Policy
Gap Analysis Survey Tools (3)
Glossary of HIPAA Terms
HIPAA Committee Deliverables
Future Documents to be Released
Minimum Necessary Policy
Compliance Process Policy
Business Associate Agreement Template
Remember!!!
Together
we are
making a
difference...
8 May-02
As promised - How to insert a Hippo in
your next PowerPoint Presentation:
In MS PowerPoint
Go to “Insert”
Choose “Picture/Clip
Art”
Type - “Hippopotamus.”
Pick your hippo and
choose “Insert.”