HIPAA: Where Are We and Where Are We Going??


A Survey of the Current HIPAA Landscape
Gail Edson Halterman, Lathrop & Gage L.C.

HCCA Region VII Conference August 1, 2003


► We have had: 109 Days of Privacy
► We have:
  - 74 Days Until Standard Transactions and Medicare’s Required Electronic Claims Submission (October 16, 2003)
  - 624 Days to Get Secure (April 21, 2005)

PRIVACY: Where are We?

► April 14, 2003: The ENFORCEMENT Date
► The Office of Civil Rights (OCR) is the ENFORCER
► OCR has received several hundred complaints
  - Some complaints were not properly filed
► Continual re-emphasis that OCR is the kinder, gentler enforcement agency
► No indication by OCR that penalties have been imposed

PRIVACY: COMPLAINTS

► March 20, 2003 – HHS issues Complaint Process in the Federal Register
► Complaints must:
  - Be filed in writing, either on paper or electronically (OCR Form recommended);
  - Name the entity that is the subject of the complaint and describe the acts or omissions in violation of the statute or regulations;
  - Be filed within 180 days of when the complainant knew or should have known that the act or omission occurred;
  - Relate to violations that occurred AFTER April 14, 2003.

PRIVACY: COMPLAINTS

► Complaints can be made by anyone – the regulations do not specify that it must be the subject of the information
► Complaints must be mailed, faxed or emailed to the OCR regional office in which the covered entity is located
► Region VII (IA, KS, MO or NE): OCR, 601 E 12th Street, KC, MO 64106, (816) 426-7278, fax: (816) 426-3686, or [email protected]

PRIVACY: Enforcement

► General approach to enforcement:
  - HHS “intends to seek and promote voluntary compliance with the rules promulgated to carry out the HIPAA Provisions.”
  - OCR “will seek the cooperation of covered entities in obtaining compliance . . . [and] will seek to resolve matters by informal means before issuing findings of non-compliance.”
  - CMS “Enforcement Activities will focus on obtaining voluntary compliance through technical assistance. The process will be primarily complaint driven and will consist of progressive steps that will provide opportunities to demonstrate compliance or submit a corrective action plan.”

Enforcement

► Violations: Civil Penalties
  - Up to $100 per violation, not to exceed $25,000 per year
  - Defenses: no willfulness involved; organization exercised reasonable diligence

Enforcement

► Criminal Penalties
  - Apply to knowing violations of regulations
  - Can be subject to fines of not more than $50,000 or jail time of not more than 1 year, or both
  - If the offense is committed under false pretenses, can be subject to fines of not more than $100,000 or imprisonment for not more than 5 years, or both
  - If the offense involves the intent to sell or transfer PHI for commercial gain or malicious harm, can be subject to fines of not more than $250,000 or jail time of 10 years, or both

PRIVACY: Enforcement

► Interim Rules related to civil money penalties (CMPs) issued April 17, 2003
► Enforcement Regulations are applicable to investigations, imposition of penalties and hearings conducted as a result of proposed CMPs
► Not a lot of new information
► Waiting for more!

PRIVACY: Enforcement

► Requires HHS to provide written notice to the Covered Entity of the proposed penalty
► Notice must contain:
  - A description of the findings of fact
  - Reasons why the penalty is being proposed
  - Instructions for response to the Notice, including the right to request a hearing

PRIVACY: Enforcement

► If a hearing is requested, it is heard before an administrative judge
► The request for hearing must meet certain specifications
► Secretary of HHS has authority to settle disputes

PRIVACY: Enforcement

► What We Know
  - CMPs only for knowing violations
  - CMPs can be reduced or waived
  - 6 year statute of limitations on violations for CMP purposes
  - Due process issues exist in current rule
► What We Don’t Know
  - Does a HIPAA violation have an impact on compliance with Medicare Conditions of Participation?
  - Details of how CMPs will be determined

PRIVACY: Certification of Business Associates

► Joint Commission on Accreditation of Health Care Organizations (JCAHO) and the National Committee for Quality Assurance (NCQA) will be certifying business associates
► 8 organizations have committed to seeking certification
► Any type of BA is eligible for certification
► Once a certification application is submitted, a survey of practices is conducted to check compliance with JCAHO and NCQA standards

PRIVACY: Certification

► Standards for Certification of Business Associates issued and are intended to address:
  - Privacy protections the business associate uses for oral, written and electronic health information
  - Employee training in protecting PHI
  - Consumer access to health information held by the business associate
  - Contracting between covered entities and the business associate
► Standards were not available at the time of the presentation material deadline

PRIVACY: IMPLEMENTATION QUESTIONS

► Biggest areas of questions/concerns thus far:
  - BUSINESS ASSOCIATES
    ► Are they or aren’t they?
    ► Remember “extension” deadline for all contracts is April 14, 2004
  - RESEARCH
    ► When can we use PHI for Reviews Preparatory to Research?
  - RESPONDING TO SUBPOENAS
  - ACCOUNTING OF DISCLOSURES
  - LAW ENFORCEMENT COMMUNICATIONS

BUSINESS ASSOCIATES

► No need for a Business Associate Agreement in TREATMENT situations
► COVERED ENTITY has the obligation to obtain the Business Associate Agreement
► TWO PART TEST:
  - Do they perform a service or function on behalf of a COVERED ENTITY?
  - Do they receive PHI in doing so?

REVIEWS PREPARATORY TO RESEARCH

► A covered entity can use or disclose PHI to a researcher IF the researcher represents that:
  - The use or disclosure is requested solely to review PHI as necessary to prepare a research protocol or for a similar purpose;
  - The PHI will not be removed from the covered entity in the course of the review (including notes of the researcher); and
  - The PHI requested is necessary for the researcher

RESPONDING TO SUBPOENAS

► Generally – no disclosure pursuant to a subpoena UNLESS:
  - Qualified Protective Order
  - Written assurances from the party seeking the information:
    ► Of a good faith attempt to provide notice to the subject and no objection was made; or
    ► That a request for a Qualified Protective Order has been submitted to the Court.
► Workers Compensation
  - If state law allows party-issued subpoenas – may disclose PHI pursuant to subpoena

ACCOUNTING FOR DISCLOSURES

► Right to an Accounting
  - Patient may request an accounting of uses and disclosures made within the last 6 years (beginning 4/14/03).
  - An accounting must be given within 60 days of the request.

Disclosures NOT included in Accounting

► Disclosures made for TPO
► Disclosures for which there has been an opportunity to object (as permitted)
► Disclosures made incidental to permissible disclosures
► Disclosures made pursuant to an authorization

Disclosures NOT included in Accounting

► Disclosures for national security or intelligence purposes
► Disclosures made to correctional institutions and law enforcement officials
► Disclosures made as part of a limited data set
► Disclosures that occurred prior to 4/14/03

So What Must Be Included in an Accounting?!

► Uses or Disclosures made by mistake (i.e. violations)
► Most of the PERMITTED uses and disclosures:
  - Except for disclosures made:
    ► For National Security or Intelligence Purposes
    ► To Law Enforcement
    ► To Correctional Facilities

So What Must Be Included in an Accounting?!

► PERMITTED DISCLOSURES = all other disclosures (not included in an exception above) listed in 45 CFR § 164.512

LAW ENFORCEMENT COMMUNICATIONS

► Can provide PHI to Law Enforcement IF:
  - Required by law to do so (e.g. reporting gunshot wounds)
  - In compliance with a court, grand jury or administrative agency ordered warrant, subpoena or request
  - Limited info for identification and location purposes (suspect, fugitive, material witness or missing person)
  - Victim of a crime and the individual agrees, or it is in the best interest of the individual
  - For purposes of alerting to the death of an individual if the death resulted from a crime
  - Reporting a crime on the premises
  - Reporting a crime in emergencies

TRANSACTIONS & CODE SETS

Transactions and Code Sets A Quick Overview

► The Standards regulate the transmission of electronic data and require standard formatting for the transmissions.
► Accredited Standards Committee’s Insurance Subcommittee (ANSI X12N): defines how electronic data is to be structured to accurately and consistently represent data contained in paper-based documents.

Transactions and Code Sets

► Any time you are engaging in these 8 activities electronically (or someone is on your behalf) you must comply.
► 8 Standard Transactions:
  - health care claims or equivalent encounter information (including Medicaid claims) (837);
  - eligibility for a health plan (270/271);
  - referral certification or authorization (278);
  - health care claim status (276/277);

Transactions and Code Sets

► 8 Standard Transactions (con’t):
  - enrollment and disenrollment in a health plan (834);
  - health care payment and remittance advice (835);
  - health plan premium payments (820); and
  - coordination of benefits (837)

Code Sets Required

► Current Procedural Terminology (CPT-4)
  - For physician and other related services
► International Classification of Diseases, Clinical Modification (ICD-9-CM)
  - For diagnosis and inpatient hospital services
► HCFA Common Procedure Coding System (HCPCS)
  - For physician and other related services
► Code on Dental Procedures and Nomenclature (CDT-2)
  - For dental services
► NCPDP or NDC
  - For retail drug claims

Code Sets Indirectly Recognized

► UB-92
► HCFA 1500
► Non-medical codes (revenue codes, etc.)

Electronic Transactions

► After October 16, 2003, Medicare will no longer accept paper claims (some exceptions apply)
► Likely Medicaid and private payors will follow!

Implementation Guides

► What are they?
  - Format: how information should be arranged
  - Content: what information should be included
  - Code Sets: how information should be reported
  - Order or download from: http://www.wpc-edi.com/hipaa/HIPAA_40.asp
► Many, many pages (for example: the Implementation Guide for 837 Professional Claims is 768 pages)

TRANSACTIONS & CODE SETS

► 74 days until the “TRAIN WRECK”
► AHA and other associations have great concern about the ability to go about our business on and after October 16, 2003 and have urged Congress to consider another extension, or at least remedial efforts to address payment issues
► National Committee on Vital and Health Statistics recommends no delay but “flexible enforcement”
► Where are you in your readiness?

RESOURCES

► Resource: Strategic National Implementation Process (SNIP)
  - www.wedi.org/snip (National)
  - www.mosnip.com (Missouri)
  - www.hark.info (Kansas)
  - www.iowasnip.org (Iowa)
  - www.nesnip.org (Nebraska)

THE SECURITY RULE

SECURITY: The New Kid On the Block

► Enforcement Date: April 21, 2005
► Requires physical, administrative and technical safeguards be in place to protect ELECTRONIC PHI (EPHI)
► HOWEVER – the Privacy Rule requires that covered entities have physical, administrative and technical safeguards in place to protect PHI in any form or medium

SECURITY

► No answer from HHS as to whether standards for security will be required for privacy RIGHT NOW.

Intent of the Security Rule

► Ensure confidentiality, integrity and availability of all electronic PHI
► Protect against reasonably anticipated threats or hazards
► Protect against any reasonably anticipated use or disclosure not required or permitted by the Privacy Rule

Intent of Security Rule

► Use any security measure deemed appropriate by the entity to reasonably implement the Security standards – each entity MUST make documented security implementation decisions that take into account its:
  - Risk analysis
  - Structure, etc.
  - Cost
  - Technical capabilities

Security Regulations Overview

► Requires Standards and Implementation Specifications for:
  - Administrative Safeguards
  - Physical Safeguards
  - Technical Safeguards

Security Regulations Overview

► All standards are required (18)
► Some implementation specifications are required, some are merely “addressable” (i.e. suggested)
► “Addressable” should allow for flexibility
► There is no distinction between data at rest and data in transmission

Security Regulations Overview

► Paper-to-paper faxes, person-to-person telephone calls, video teleconferencing, or messages left on voicemail are not covered by the Security Regulations

Standards: Administrative Safeguards

► Standard: A covered entity must implement policies and procedures to prevent, detect, contain and correct security violations
► REQUIRED Implementation:
  - Risk Analysis
  - Risk Management
  - Sanctions Policy
  - Information System Activity Review (i.e. internal audit)

Standards: Administrative Safeguards

► Standard: Assign Security Responsibility
► REQUIRED Implementation: Identify the security official who is responsible for the security practices

Standards: Administrative Safeguards

► Standard: Workforce Security
  - Implement policies and procedures to ensure the workforce has appropriate access
► ADDRESSABLE Implementation:
  - Authorization and/or supervision
  - Workforce clearance
  - Termination procedures (when employees exit)

Standards: Administrative Safeguards

► Standard: Information Access Management
  - Implement policies and procedures for authorizing access consistent with the Privacy Rule
► REQUIRED Implementation:
  - Isolating health care clearinghouse functions
► ADDRESSABLE Implementation:
  - Access authorization
  - Access establishment and modification

Standards: Administrative Safeguards

► Standard: Security Awareness and Training
  - Implement a security awareness training program for all members of the workforce (including management)
► ADDRESSABLE Implementation:
  - Security Reminders
  - Protection from Malicious Software
  - Log-in Monitoring
  - Password Management

Standards: Administrative Safeguards

► Standard: Security Incident Procedures
  - Implement policies and procedures to address security incidents
► REQUIRED Implementation:
  - Response and Reporting (instructions for reporting and responding to security breaches, and documentation of security incidents and their outcomes)

Standards: Administrative Safeguards

► Standard: Contingency Plan
  - Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence that damages systems that contain PHI
► REQUIRED Implementation:
  - Data Backup Plan
  - Disaster Recovery Plan
  - Emergency Mode Operations Plan
► ADDRESSABLE Implementation:
  - Testing and Revision Procedures
  - Applications and Data Criticality Analysis

Standards: Administrative Safeguards

► Standard: Evaluation
  - Perform periodic technical and non-technical evaluation in response to environmental or operational changes
► No Implementation Specifications, but examples include:
  - Updating software
  - Evaluating performance of the system and making necessary adjustments

Standards: Administrative Safeguards

► Standard: Business Associate Contracts
  - No more “Chain of Trust”
  - Satisfactory assurances that the business associate will appropriately safeguard information
► REQUIRED Implementation:
  - Written Contract
    ► Ensure security is also covered in the privacy Business Associate Agreement

Standards: Physical Safeguards

► Standard: Facility Access Control
  - Implement policies and procedures to limit physical access to electronic information
► ADDRESSABLE Implementation:
  - Contingency Operations
  - Facility Security Plan
  - Access control and validation
  - Maintenance Records

Standards: Physical Safeguards

► Standard: Workstation Use
  - Implement policies and procedures that specify the functions, the physical attributes of the surroundings and the manner in which the functions are performed
► No Implementation Specifications, but examples include:
  - Moving screens away from common areas, etc.

Standards: Physical Safeguards

► Standard: Workstation Security
  - Safeguards for access
► No Implementation Specifications, but examples include:
  - Restricting access to authorized users
  - Using password protections, etc.

Standards: Physical Safeguards

► Standard: Device and Media Controls
  - Govern the receipt and removal of hardware and electronic media into and out of the facility, and movement within the facility
► REQUIRED Implementation:
  - Disposal (where do your hard drives go?)
  - Media re-use
► ADDRESSABLE Implementation:
  - Accountability
  - Data backup and storage

Standards: Technical Safeguards

► Standard: Access Control
  - Technical safeguards to limit access
► REQUIRED Implementation:
  - Unique User Identification
  - Emergency Access Procedures
► ADDRESSABLE Implementation:
  - Automatic Logoff
  - Encryption and Decryption

Standards: Technical Safeguards

► Standard: Audit Controls
  - Implement mechanisms that record and examine activity in information systems
► No Implementation Specifications, but examples include:
  - Using network intrusion detection
  - Performing system-wide evaluation

General Safeguards

► Standard: Draft Policies and Procedures
► Standard: Documentation
► REQUIRED Implementation:
  - Record retention of policies and procedures – at least 6 years
  - Availability
  - Updates

Standards: Technical Safeguards

► Standard: Integrity
  - Implement safeguards to protect electronic PHI from improper alteration or destruction
► ADDRESSABLE Implementation:
  - Mechanisms that corroborate that information has not been altered or destroyed

Standards: Technical Safeguards

► Standard: Person or Entity Authentication
► No Implementation Specifications, but examples include:
  - Verifying that persons or entities seeking access are the ones claimed

Standards: Technical Safeguards

► Standard: Transmission Security
  - Implement technical security measures to guard against unauthorized access to electronic PHI transmitted over an electronic communications network
► ADDRESSABLE Implementation:
  - Integrity Controls
  - Encryption

GET STARTED

► SECURITY RISK ANALYSIS
  - Identify potential threats to the organization
  - Evaluate the likelihood that the threat will occur
  - Estimate the harm from such an occurrence
  - Determine whether planned or existing controls exist to reduce or eliminate the risk
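The four risk-analysis steps above, carried through as an added example (not from the presentation): constructed EPHI threats are scored for likelihood and harm, existing or planned controls drawn from the safeguards on the earlier slides reduce those factors, and the result is a ranked register that documents each decision. The 1-5 scales, the threat list and the control effects are assumptions for illustration, not values from the rule.

```python
# Added example: a documented EPHI risk analysis following the four slide steps.
# Scales, threats and control effects are constructed assumptions, not HHS values.
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # likelihood points the control removes
    harm_reduction: int = 0         # harm points the control removes
    status: str = "existing"        # "existing" or "planned" (slide step 4)


@dataclass
class Threat:                       # slide step 1: an identified threat
    name: str
    likelihood: int                 # step 2: 1 (rare) .. 5 (expected)
    harm: int                       # step 3: 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)   # step 4


def residual_risk(t: Threat) -> dict:
    """Inherent risk = likelihood x harm; controls lower each factor, floor 1."""
    like = max(1, t.likelihood - sum(c.likelihood_reduction for c in t.controls))
    harm = max(1, t.harm - sum(c.harm_reduction for c in t.controls))
    return {
        "threat": t.name,
        "inherent": t.likelihood * t.harm,
        "residual": like * harm,
        "controls": [f"{c.name} ({c.status})" for c in t.controls],
        # Assumed policy: a planned control or a residual score of 10+ needs a
        # written implementation decision by the security official.
        "decision_needed": like * harm >= 10 or any(c.status == "planned" for c in t.controls),
    }


def risk_register(threats) -> list:
    """Rank threats by residual risk, highest first (stable for ties)."""
    return sorted((residual_risk(t) for t in threats), key=lambda r: -r["residual"])


# Constructed sample threats; controls mirror the safeguards on the slides above.
SAMPLE_THREATS = [
    Threat("Lost laptop holding EPHI", 4, 5,
           [Control("Full-disk encryption (addressable)", harm_reduction=4, status="planned")]),
    Threat("Malware on a billing workstation", 4, 4,
           [Control("Protection from malicious software", likelihood_reduction=2)]),
    Threat("Ex-employee retains system access", 3, 4,
           [Control("Termination procedures", likelihood_reduction=2)]),
    Threat("Flood destroys claims server", 1, 5,
           [Control("Data backup plan", harm_reduction=3),
            Control("Disaster recovery plan", harm_reduction=1)]),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_THREATS):
        print(row)
```

The register is the artefact the slide asks for: it shows which risks remain high after existing controls and flags the entries that still need a documented decision.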

Contact Information

Gail Edson Halterman
Lathrop & Gage L.C.
2345 Grand Boulevard, Suite 2400
Kansas City, Missouri 64108
[email protected]
816.460.5404
816.292.2001 (fax)