BASIC HIPAA OVERVIEW
Health Insurance Portability and
Accountability Act
Presented by:
Julie Burton, Program Analyst
NC DHHS HIPAA Program Management Office
May 2003
Slide 1
NC DHHS HIPAA Office
INTRODUCTION
Objectives
– Provide an overview of HIPAA
– Provide an overview of the importance of privacy
– Present a usable privacy vocabulary
– Raise awareness of how health information may
be used and disclosed
– Introduction to DHHS Privacy Policies
– Understanding of Patients’ Rights
– Increased knowledge of privacy requirements
Slide 2
PURPOSE OF HIPAA
Health Insurance Portability and
Accountability Act of 1996
– Portability: Guarantees health coverage when
employees change jobs
– Accountability: Establishes National Standards
for protecting health data
Slide 3
ADMINISTRATIVE SIMPLIFICATION
Electronic Transactions and Code Sets
– Compliance first required 10-16-02
– Compliance extended to 10-16-03
Privacy
– Compliance 4-14-03
Security
– Compliance 4-21-05
Enforcement
– Interim Final Rule: Civil Money Penalties
• Comment Period ends 6-16-03
Slide 4
ELECTRONIC TRANSACTIONS &
CODE SETS RULE
Health Care Providers and Payers currently
use many different forms and formats for
billing and claims processing
– Confusing
– Inefficient
– Expensive
Standardized Transactions and Codes
– Consistency
– Accuracy
– Reduced paperwork
Slide 5
PRIVACY RULE
Applies to paper/oral/electronic records
Sets boundaries on the Use and Disclosure of
health information
Gives “patients” more control over their own
health information
Establishes safeguards for protecting the
privacy of health information
Holds providers and payers accountable for
violations of privacy requirements
Slide 6
SECURITY RULE
Applies to electronic records only
– Privacy Rule addresses security of paper records
Requirements for providers and payers to
assure that electronic health information
pertaining to individuals remains secure
Technology-neutral
Scalable
Addresses administrative, technical and
physical safeguards
Slide 7
PRIVACY vs. SECURITY
Privacy and Security go hand-in-hand
Privacy is the “what”
– Patients have the right to have their health
information protected from unauthorized
disclosures
Security is the “how”
– Agencies must determine the procedures they will
put into place to protect health information
Slide 8
ENFORCEMENT RULE
First installment: Civil Money Penalties
(Enforced by CMS)
Coming: Criminal Money Penalties (Enforced
by US Dept of Justice)
Establishes procedures for imposing penalties
for violation of Administrative Simplification
Regulations
Civil Money Penalties
– $100 per violation
– $25,000 cap per year/per violation
Slide 9
WHO HAS TO COMPLY WITH HIPAA?
Covered Entities
– Health Care Providers (who transmit any health
information in a standard electronic transaction)
– Health Care Plans (provides or pays for the cost
of medical care)
– Health Care Clearinghouses (routes electronic
data between providers and payers)
Slide 10
WHO IS IMPACTED BY HIPAA?
Professionals who provide services or
activities through a contractual agreement
with a health care provider/plan
Individuals/professionals who work directly for
a health care provider/plan
“Patients” who seek services from a health
care provider or health care plan
Slide 11
HOW IS DHHS IMPACTED?
DHHS is a “Hybrid Entity” (a single legal entity
whose primary function is something other
than health care) that has under its control
health care providers and health care plans
DHHS Divisions and Offices that are either
health care providers or health care plans that
are affected by HIPAA are called “Covered
Health Care Components”
Slide 12
DHHS COVERED COMPONENTS
DMA
– Medicaid
DMH/DD/SAS
– State Psychiatric Hospitals, Substance Abuse, Nursing (7)
– Mental Retardation Centers (5)
– Adolescent Treatment (2)
DPH
– State Lab
– State Center for Health Statistics
– Local Health Services
– Children’s Special Health Services
– DEC’s (13)
Office of Education Services
– School for the Blind (1)
– Schools for the Deaf (2)
Other divisions/offices
– Controller’s Office
– Information Resource Mgmt
– Office of Public Affairs
– Office of the Internal Auditor
– ORDRHD
Slide 13
IMPACT OF NOT COMPLYING
Possible litigation
Potential withholding of federal
Medicaid and Medicare funds
Federal Medicaid Share in NC
in @ $4.5 billion
In DHHS, more than $300
million in revenues at risk
Penalties
Civil monetary for violations of
each standard
Wrongful disclosure of health
information
Slide 14
PRIVACY RULE
Privacy Requirements affect:
– Medical records
– Billing records
– Other records/documents with health information
– Paper records
– Electronic records
– Oral communications
Slide 15
PRIVACY TERMINOLOGY
Individually Identifiable Health Information
(IIHI)
Protected Health Information (PHI)
Treatment, Payment and Health Care
Operations (TPO)
Use/Disclosure
Business Associate/BA Agreement
Minimum Necessary
Safeguards
Slide 16
PRIVACY TERMINOLOGY (Cont)
De-identification
Limited Data Set/Data Use Agreement
Consent/Authorization
Personal Representative
Notice of Privacy Practices
Patients’ Rights
Designated Record Sets
Privacy Officer/Privacy Official
Slide 17
INDIVIDUALLY IDENTIFIABLE
HEALTH INFORMATION (IIHI)
Any information about an individual that:
– Is created, received, or maintained by an agency
– Relates to past, present or future physical or
mental health or condition of an individual
– Relates to past, present or future treatment of an
individual
– Relates to past, present or future payment for
health care … AND
– IDENTIFIES THE INDIVIDUAL
– (Also called PHI in Privacy Rule)
Slide 18
TREATMENT, PAYMENT AND
HEALTH CARE OPERATIONS
Treatment
– Provision, coordination, management of health
care and related services
Payment
– Billing and claims management
– Eligibility & coverage determination
Health Care Operations
– Business management
– Accreditation/certification/licensing
Slide 19
USE & DISCLOSURE
Use
– Staff sharing health information within a covered
component
Disclosure
– Releasing health information to a person or an
agency outside a covered component
Slide 20
BUSINESS ASSOCIATE
Business Associates
– Person/agency who performs a function or activity for
or on behalf of a covered entity that involves the use
of IIHI
– Must enter into a Business Associate Agreement or
Memorandum of Understanding with a covered entity
– DHHS agencies have both Internal (within the
department) and External (outside the department)
Business Associates
Slide 21
WHO IS A BUSINESS ASSOCIATE?
Examples:
– Collection Agency
– Private Attorney
– Auditing Firm
– Record Copying Service
– Recycling Service
Slide 22
MISCONCEPTION
All “contractors” will become “business
associates”
NOT TRUE!
In fact…very few contractors will become
business associates
Slide 23
DHHS BUSINESS ASSOCIATES
Internal Business Associates
– Division Business Associates (same division)
– DHHS Business Associates (another division)
External Business Associates
– State Government Business Associates (another
department)
– Private vendor
Slide 24
INCIDENTAL ACCESS TO IIHI
Access to IIHI is not required but may be
incidental in the performance of a service
such as:
– Housekeeping Service
– Recycling Service
Does not require Business Associate
Agreement
Slide 25
BUSINESS ASSOCIATE AGREEMENT
A covered component may disclose IIHI to a
Business Associate only after the covered
component receives “satisfactory assurance”
that the Business Associate will properly
safeguard the information it receives, creates
or discloses
“Satisfactory Assurance” is obtained via a
Business Associate Agreement
Slide 26
BA AGREEMENT REQUIREMENTS
Not to use or disclose IIHI other than as
permitted in agreement
Must develop and implement appropriate
safeguards to protect IIHI
Must report any violations to covered
component
Must agree to provide client access when
requested by covered component
Slide 27
MINIMUM NECESSARY
When using or disclosing IIHI … make
reasonable efforts to limit the health
information to that which is needed to
accomplish the intended purpose
Nothing more
Does not apply to “treatment” or when
required by law
Slide 28
SAFEGUARDS
Requirements for:
– Administrative Safeguards
(Policies/Procedures)
– Physical Safeguards (Locked Files/Computer
Screens)
– Technical Safeguards (Passwords/Encryption)
Flexible
Scalable
Slide 29
DE-IDENTIFICATION
Removing specific elements from IIHI that
could possibly identify the individual for whom
the health information was created (no longer
IIHI)
Means of de-identifying:
– Removing
– Coding
– Encrypting
Slide 30
IDENTIFYING ELEMENTS
Name
Geographic subdivisions smaller than a state
– Street Address
– City
– County
– Precinct
– Zip code
All elements of dates (except year) related to
an individual
Slide 31
IDENTIFYING ELEMENTS (Cont)
Telephone/Fax Numbers
E-mail Address
Social Security Number
Medical Record Numbers
Health Plan Beneficiary Numbers
Account Numbers
Certificate/License Numbers
Vehicle Identifiers/License Plate Number
Slide 32
IDENTIFYING ELEMENTS (Cont)
Device Identifiers and Numbers
Web Universal Resource Locators (URLs)
Internet Protocol (IP) Address Numbers
Biometric Identifiers (finger, eye, voice)
Full Face Photograph
Other Identifying Numbers, Codes
Slide 33
LIMITED DATA SET
Health information wherein all identifying
elements have been removed except for:
– State, county, city, town, precinct
– Parts of zip codes
– Dates exclusive of year (month/day)
– Gender
– Race
– Ethnicity
– Marital status
Slide 34
LIMITED DATA SET
Information wherein all identifying elements
have been removed except for specific
elements
Primarily used in:
– Research
– Public Health
– Health Care Operations
Slide 35
DATA USE AGREEMENT
Agreement between covered component and
requester of information that the information
(with limited identifying data) will be used or
disclosed only as stipulated in this agreement
(similar to Business Associate Agreement)
Minimum Necessary Rule applies
DUA does not apply if required by law
Slide 36
CONSENT & AUTHORIZATION
Consent from client to use IIHI for Treatment,
Payment and Health Care Operations (TPO)
– Permission from client to use IIHI within the
agency
– (HIPAA no longer requires…strongly suggested)
– Required in Mental Health Law
Authorization from client to disclose IIHI for
purposes other than TPO
Slide 37
PERSONAL REPRESENTATIVE
Person who is authorized by the court or by
state or federal law to act on behalf of a client
regarding the individual’s health information
Examples:
– Person with “health care power of attorney”
– Parent
– Guardian
– Person acting “in loco parentis”
Slide 38
PRIVACY RULE HIGHLIGHTS
Establishes a federal law that mandates
privacy protections for health information
Simplifies sharing of health information for
treatment purposes among health care
professionals
Limits information to be shared to that which is
minimally necessary (except for treatment)
Slide 39
PRIVACY RULE HIGHLIGHTS (Cont)
Establishes requirements for de-identification
of health information
Allows limited data sets for research, public
health and health care operations
Requires administrative, physical and
technical safeguards for protecting health
information
Slide 40
PRIVACY RULE HIGHLIGHTS (Cont)
Requires contracting professionals to
safeguard health information in the same way
as covered components
Requires agencies to classify workforce
members and to determine the level of access
to health information they should have
Requires agencies to develop privacy policies
and procedures
Slide 41
PRIVACY RULE HIGHLIGHTS (Cont)
Requires agencies to develop a notice of their
privacy practices and to make a good faith
effort to inform their clients of ways their
health information could be used or disclosed
Mandates privacy training for workforce
Establishes rights of patients regarding their
health information
Slide 42
PRIVACY RULE HIGHLIGHTS (Cont)
Requires agencies to identify a privacy official
and a contact person for complaints
Establishes requirements for using and
disclosing health information
Establishes rights of clients
Slide 43
NOTICE OF PRIVACY PRACTICES
Who
– Covered health care components
What
– Must develop a document that describes the ways
health information may be used and to whom it
could be disclosed, including examples of each
Why
– So that patients are more aware of who might
have access to their health information and for
what reasons
Slide 44
NOTICE OF PRIVACY PRACTICES
How
– Each covered component must determine its privacy
practices, develop a Notice and give each patient a
copy of the Notice
– Components must also post their Notice in the facility
and on their public web site, if available
When
– Providers: At their first treatment encounter after
4-14-03
– Plans: At enrollment
Slide 45
NOTICE OF PRIVACY PRACTICES
Contacts
– Notices must identify a person in the agency to
contact for more information or for complaints
– Notices must inform clients about contacting US
DHHS to report violations of privacy practices
Rights
– Notices must inform patients of their rights
Slide 46
PATIENTS’ RIGHTS
Right to confidential communications
Right to adequate notice of use & disclosures
Right to paper copy of Notice
Right to request access, inspect and copy health
information
Right to request amendment of health information
Right to accounting of health information
disclosures
Right to request privacy restrictions
Right to contact person
Slide 47
DESIGNATED RECORD SETS
Records to which patients may have access
Identifying Designated Record Sets
– Each covered component must identify categories
of records that are used to make decisions about
patients
Examples
– Medical Records
– Billing Records
– Financial Records
Slide 48
PRIVACY OFFICER/OFFICIAL
Privacy Officer
– DHHS has designated a position in the DHHS
HIPAA Office to serve as interim DHHS Privacy
Officer
Privacy Officials
– Each agency that maintains IIHI is required to
designate a Privacy Official to oversee the
agency’s privacy practices; may also be agency’s
contact person for privacy issues
Slide 49
POLICIES & PROCEDURES
Privacy Policies
– DHHS is developing privacy policies for HIPAA
covered health care components, some of which
apply to non-covered agencies as well
Security & Privacy Manual
– Policies are published online at
http://dirm.state.nc.us/hipaa/hipaa2002/privacy/privacy.html#c5
Slide 50
POLICIES & PROCEDURES
Privacy Policies include:
– Privacy Protections (List of policies)
– Privacy Official (Requirement to identify Official)
– Workforce (Who is workforce/requirements)
– Safeguards (Privacy protections)
– Privacy Complaints (How to file a complaint)
– Business Associates (Who/What they need to do)
– Authorizations (Requirements and Form)
– De-identification (What/How/When)
Slide 51
POLICIES & PROCEDURES
Privacy Policies Continued:
– Minimum Necessary (What/When to use)
– Notice of Privacy Practices (What/How/When)
– Client Rights (What/How to implement)
– Personal Representative (What/Who/Duties)
– Designated Record Sets (What/When to use)
– Use and Disclosure (What/When/How)
– Legal Occurrences (Laws/Regulations/Rules)
– Accounting of Disclosures (What/How)
Slide 52
POLICIES & PROCEDURES
Privacy Policies Continued:
– Research (What/When/How)
– Marketing and Fundraising (What/Limitations)
Slide 53
PRIVACY IMPACTS TO DATA
SYSTEMS
Access Controls
– Identification of users
– Classification of users
– Minimum Necessary access
Slide 54
Y2K vs. HIPAA
Y2K
– Impacted all information
systems
– Did not require major business
process changes
– Did not directly impact
consumers
– Involved most vendors and IS
staff to resolve issues
HIPAA
– Impacts “health information
systems” that contain
identifying patient data
– Will have major impacts on
business practices in the
health care industry
– Will affect health care
consumers
– Affects the entire organization
by changes resulting from
implementation
Slide 55
WISHFUL THINKING ABOUT HIPAA
– Congress will repeal HIPAA
– There will be additional delays
– There will be no real enforcement for many, many
years
– Vendor(s) will take care of agency’s HIPAA issues
– HIPAA is an IT project
– Organization really does not have to do anything
new or different
– Patients won’t understand enough about HIPAA to
know what their rights are
Slide 56
HIPAA REALITY
– Not a “one shot deal”
– Not solely a technology or system fix
– Affects the way we use and disclose health
information
– Major impact on privacy policies and procedures
– Affects our relationship with other providers and
vendors
– Affects our relationship with our clients
– Requires us to look at our current protections for
health care information and adjust as needed
Slide 57
HIPAA WEB RESOURCES
DHHS HIPAA
– dirm.state.nc.us/hipaa/
UNC Institute of Government
– www.medicalprivacy.unc.edu/index.html
NCHICA (NC Healthcare Information and Communications Alliance, Inc)
– www.nchica.org/
AHIMA (American Health Information Mgmt Assoc)
– www.ahima.org/
US DHHS/HIPAA
– aspe.os.dhhs.gov/admnsimp/
HHS Office of Civil Rights
– www.hhs.gov/ocr/hipaa/
HIPAA GIVES (Government Information Value Exchange for States)
– www.hipaagives.org/
Slide 58
DHHS HIPAA WEBSITE
Slide 59
HIPAA
QUESTIONS
??????
Slide 60