HIPAA Overview (Health Insurance Portability and Accountability Act 1996)
May 2002
VACSB - HIPAA Committee
Training Objectives
- Provide an overview of HIPAA regulations.
- Review Privacy Rule requirements.
- Review Security Rule requirements.
- Review Administrative requirements.
- Provide HIPAA Committee “draft” templates.
- Summarize the most current proposed changes.
- Learn how to insert a Hippo into your next presentation.
What is HIPAA?
Federal regulation/law - Kennedy & Kassebaum
- Improve “portability and continuity” of health insurance coverage.
- Provide administrative simplification and consistency - standard code sets and transactions.
- Assure privacy and security of confidential protected health information (PHI).
- Increase provider accountability for PHI.
- Increase consumer rights over PHI.
What is the purpose of HIPAA?
- Identify provider responsibilities around PHI.
- Reduce health care costs.
- Reduce health care fraud and abuse.
- Control use and disclosure of “protected health information” (PHI).
- Regulate how PHI is transferred and managed by technology, individuals, and agencies.
Covered Entities - Who Must Comply
Health care organizations that capture and maintain individually identifiable health care data. Three categories:
- Providers - conduct certain administrative and electronic transactions (e.g., a CSB)
- Health care plans (e.g., Medicaid, Blue Cross/Blue Shield)
- Clearinghouses (e.g., a billing company)
Timelines for Compliance
- Transactions and Code Sets: October 2003 (with extension)
- Privacy Regulations: April 2003
- Security Regulations: final regs. pending (Spring 2004?)
HIPAA Regulations
- Electronic Transactions/Code Sets - set uniform standards (administrative simplification).
- Privacy Regulations - identify what health care information is protected.
- Security Regulations - identify how information is to be protected.
- Identifiers - employer, payer, national.
Health Care Operations
Includes “general administrative and business functions” necessary for a covered entity to remain a viable business (e.g., audits, quality improvement functions, assessments).
Health Information
Any information recorded in any form or medium which:
- Is created/received by a Covered Entity that creates, receives, uses, or transmits PHI,
- Relates to the past, present, or future physical/mental health condition of an individual, their participation in, or payment for such services, and
- Identifies the individual.
Protected Health Information (PHI)
All individually identifiable health data or information collected, maintained, or transferred by a Covered Entity. Identifying elements include:
- Name
- Address
- Social Security #
- Birth date
- Demographic info.
- Medical record #
- Email address
- Account numbers
- License/certificate #
- Vehicle identifiers
- Biometric identifiers
- Telephone numbers
- Place of employment
- Full face photograph
- Fax number
- Health plan number
De-identified Information
- Health information which is stripped of individual identifying elements.
- In this form, the remaining data would not be sufficient to identify the consumer.
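Added example (not from the deck): a de-identification pass that strips the identifying elements the PHI slides list and scrubs identifiers that leak into free text. The record layout, field names and sample values are constructed assumptions; the identifier categories are the deck's.

```python
"""De-identify a record by removing the individual identifying elements
listed on the PHI slides. Field names and sample data are constructed."""
import re

# Identifying elements from the PHI slides, as assumed record field names.
PHI_IDENTIFIER_FIELDS = frozenset({
    "name", "address", "ssn", "birth_date", "demographics",
    "medical_record_no", "email", "account_no", "license_no", "vehicle_id",
    "biometric_id", "phone", "employer", "photo", "fax", "health_plan_no",
})

# Identifiers that commonly leak into free text (notes) and their tokens.
_FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
]


def deidentify(record: dict) -> dict:
    """Return a copy with identifier fields dropped and free text scrubbed.
    Keys match case-insensitively so 'SSN' and 'ssn' are both removed."""
    out = {}
    for key, value in record.items():
        if key.lower() in PHI_IDENTIFIER_FIELDS:
            continue  # drop the identifying element entirely
        if isinstance(value, str):
            for pattern, token in _FREE_TEXT_PATTERNS:
                value = pattern.sub(token, value)
        out[key] = value
    return out


def contains_identifier(record: dict) -> bool:
    """Release check: True if any listed identifier field is still present."""
    return any(k.lower() in PHI_IDENTIFIER_FIELDS for k in record)


# Constructed sample record with fictional values.
SAMPLE = {
    "Name": "Jane Doe", "SSN": "123-45-6789", "birth_date": "1970-01-01",
    "diagnosis_code": "XXX.X",
    "notes": "Call 757-555-0100 or jane@example.org to follow up.",
}
```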
Privacy Notice *
- Written document in plain language.
- Posted and shared with consumers.
- Explains how PHI will be used/disclosed by the provider.
- Identifies consumer rights.
- Lists provider duties to protect PHI.
Use vs. Disclosure
Use - Sharing, utilization, examination, and analysis of PHI maintained internally within the provider.
Disclosure - Release, transfer, access to, or sharing in any manner of PHI outside the entity maintaining the information.
Minimum Necessary Rule
The rule applies to uses and disclosures:
- Essential element of privacy protections.
- Covered Entities must make reasonable efforts to limit use, disclosure, and requests for PHI to the “minimum necessary” to accomplish the intended purpose.
It asks: how much information is needed to achieve your purpose?
- Applies to all forms of communication.
- Use - requires policies and procedures (P&P) classifying staff by role/position.
- Disclosure - requires P&P addressing criteria to limit disclosure and reviewing of requests.
- With a request - must limit the request to that which is necessary.
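Added example (not from the deck): a minimum-necessary filter that classifies requesters by role and purpose, releases only the PHI elements that pairing needs, and reports what was withheld so the request can be reviewed. The roles, purposes and field names are constructed assumptions.

```python
"""Minimum-necessary release filter keyed on (role, purpose).
Roles, purposes and field names below are constructed for illustration."""
from dataclasses import dataclass

# Policy table: which PHI elements each role may use for each purpose.
# Treatment, payment and health care operations (TPO) are the routine purposes.
MINIMUM_NECESSARY = {
    ("clinician", "treatment"): {"name", "birth_date", "diagnosis", "medications"},
    ("billing", "payment"): {"name", "health_plan_no", "account_no", "service_codes"},
    ("qa_reviewer", "operations"): {"diagnosis", "service_codes"},
}


@dataclass(frozen=True)
class Request:
    role: str
    purpose: str
    fields: frozenset  # elements the requester asked for


def minimum_necessary(record: dict, req: Request) -> tuple[dict, set]:
    """Return (released subset, withheld fields).
    A role/purpose pair absent from the policy releases nothing, so an
    unclassified request fails closed instead of leaking the whole record."""
    allowed = MINIMUM_NECESSARY.get((req.role, req.purpose), set())
    granted = req.fields & allowed
    withheld = set(req.fields) - allowed
    released = {k: v for k, v in record.items() if k in granted}
    return released, withheld


# Constructed sample record with fictional values.
RECORD = {
    "name": "Jane Doe", "birth_date": "1970-01-01", "diagnosis": "DX-1",
    "medications": "MED-1", "health_plan_no": "HP-1", "account_no": "A-1",
    "service_codes": "S-1",
}
```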
Access to PHI (Protected Health Info.)
- Opportunity to approach, inspect, review, and make use of data or information.
- Actions by a consumer or health care provider with appropriate authorization.
Consent and Authorization
Consent - Document gives the provider consent to carry out treatment, payment, or health care operations (TPO).
Authorization * - AKA “Release of Information.” Document used for purposes other than TPO.
Electronic Transaction & Code Set Standards
- National electronic standards - provide automated transfer of certain health care data between health care payers, plans, and providers.
- Replace nonstandard formats and code sets with standard electronic transactions and code sets.
Which Administrative & Financial Transactions?
- Health claim or encounter information.
- Eligibility for a health plan inquiry.
- Referral certification and authorization.
- Health care claim status.
- Health care payment and remittance advice.
- Health plan premium payments.
- Enrollment and dis-enrollment in a health plan.
- First report of injury.
- Health claim attachments.
- And coordination of benefits.
Transaction/Code Set Standards
Code set examples:
- ICD-9
- CPT-4
- HCPCS
- DSM-IV
Compliance deadline with extension: October 15, 2003
Benefits of Standardization of Electronic Transactions/Code Sets
- Standardized formats - will reduce the number of formats used for health care administrative and financial transactions nation-wide.
- Billing becomes more efficient.
- Internal administrative savings related to staffing, response to complaint calls, and billing reconciliation.
Privacy Rule
- Applies to all protected health information (PHI).
- Does not prohibit the exchange of PHI for treatment, payment, or health care operations (TPO) within the agency.
- Written consent is required.
Privacy Rule Impacts
- HR - employee PHI
- Consents/authorization
- Privacy notifications
- Uses and disclosures
- Health care operations
- Consumer access to and amendment of PHI
- Business Associate Agreements
- Provider responsibilities
Privacy Rule Highlights
Protects the privacy of medical records and covers:
- Electronic records and printouts of records
- Written records
- Oral communications
Consumers give consent for routine PHI release purposes (TPO).
Privacy Notice - documents the consumer’s rights and the provider’s responsibilities.
Consumer Rights under HIPAA
- Inspect/copy information (medical record).
- Request to amend information if inaccurate or incomplete.
- If the request is denied, consumers may file a complaint with the CSB or the federal government.
- Consumers may request a disclosure history - disclosures other than those covered by TPO.
Business Associate Agreements
- Business Associates - those entities that do things on our behalf with whom we share/give access to PHI.
- Business Associate Agreements establish permitted uses, disclosures, and safeguards for PHI.
Privacy Compliance Will
- Allow the flow of PHI for treatment, payment, and related health care operations (TPO).
- Prohibit the flow of PHI unless voluntarily authorized by the consumer.
- Allow consumers to know who is accessing their PHI outside of TPO use.
- Allow consumers to obtain access to their records and request amendment of records if inaccurate or incomplete.
Provider Responsibilities
- Provide a formal complaint handling system.
- Allow use of de-identified data.
- Follow “minimum necessary” requirements.
- Establish Business Associate Agreements.
- Duty to mitigate damage if violations occur.
- Establish sanctions for HIPAA violations.
Privacy Penalties
Civil penalty: $100 - $25,000 maximum per year, per person, for the same violation.
Criminal penalty: $50,000 - $250,000 in fines and 1-10 years in prison.
Commercial advantage/personal gain: $250,000 and 10 years in prison.
Consent Exceptions
Consents are not required for:
- Indirect treatment relationships.
- Inmates.
- When required by law to treat (e.g., court ordered).
- In case of substantial communication barriers.
- In cases of emergencies.
Privacy Preemption
HIPAA will preempt state laws relating to PHI, except for those contrary to and more stringent than HIPAA.
Organizational Practices - Security
- Staff training.
- Role-based access.
- Remote access site security issues.
- Electronic/wireless devices (e.g., laptops).
- Gap assessment. *
- Authentication of users.
- Policies/procedures for workstation use.
- Security of workstation locations.
- Security incident reporting.
- Termination procedures.
- Media controls.
- Audit trails.
- Encryption.
Security Rule
Deals with how PHI is secured:
- Access to PHI.
- Minimum disclosure rule.
- Encryption/digital signatures.
- Background checks.
- Physical (facility) security.
Final Security Rule - pending.
HIPAA Identifier Standards
Pending HIPAA regulation:
- Employer ID
- Provider ID
- Payor ID
Final Identifier Rule: pending in HHS.
Required Administrative Procedures
- Designate Privacy and Security Officers.
- Complete gap analysis. *
- Develop a plan for HIPAA compliance.
- Identify Business Associates and establish agreements.
- Revise/develop P&P for HIPAA.
- Provide and document HIPAA training.
- Address access control issues.
- Have internal audit processes in place.
- Develop a formal consumer complaint system.
- File extension: code sets/transactions.
- HIPAA compliance certification (IT).
- Develop disaster/contingency plans.
- Identify security incident procedures.
- Meet personnel security requirements.
- Develop a security management system.
- Identify sanctions for violations.
- Test your system.
Summary: Vocabulary
- Covered Entity
- PHI
- TPO
- Privacy Notice *
- Consent
- Authorization *
- Minimum Necessary
- Business Associate Agreement
- De-identification of PHI
Proposed Changes
- Strengthen Privacy Notice provisions.
- Eliminate consent - acknowledge receipt of Privacy Notice.
- Maintain the “minimum necessary rule” while allowing treatment-related conversations.
- Assure appropriate parental access to their children’s records (state law will govern).
- Prohibit use of records for marketing.
- Assure privacy without impeding research.
- Provide model business associate provisions.
Resources
- http://aspe.hhs.gov/admnsimp/index
- http://www.hhs.gov/ocr/hipaa
- http://www.ahima.org/hot.topics
- http://www.wedi.org/
- http://www.samhsa.gov/hipaa
- http://www.afehct.org
- http://www.healthprivacy.org
- http://www.hipaalert.com
- http://himinfo.com/news/hipaa
- http://www.hipaadvisory.com/regs/
For more information or questions on HIPAA please contact:
Demetrios Peratsakis, Executive Director, Western Tidewater CSB
757-925-2406 or [email protected]
HIPAA Committee Deliverables
Drafts - pending Attorney General’s review:
- Email Policy
- Fax Policy
- Privacy Notice
- Authorization Form
- Extension Template - Trans./Code Sets
- Internet Policy
- Gap Analysis Survey Tools (3)
- Glossary of HIPAA Terms
Future documents to be released:
- Minimum Necessary Policy
- Compliance Process Policy
- Business Associate Agreement Template
Remember!!! Together we are making a difference...
8 May-02
As promised - how to insert a Hippo in your next PowerPoint presentation:
In MS PowerPoint, go to “Insert”, choose “Picture/Clip Art”, type “Hippopotamus”, pick your hippo and choose “Insert.”