BASIC HIPAA OVERVIEW
Health Insurance Portability and
Accountability Act
Presented by:
Julie Burton, Program Analyst
NC DHHS HIPAA Program Management Office
May 2003
Slide 1
NC DHHS HIPAA Office
INTRODUCTION

Objectives
– Provide an overview of HIPAA
– Provide an overview of the importance of privacy
– Present a usable privacy vocabulary
– Raise awareness of how health information may
be used and disclosed
– Introduction to DHHS Privacy Policies
– Understanding of Patients’ Rights
– Increased knowledge of privacy requirements
Slide 2
PURPOSE OF HIPAA

Health Insurance Portability and
Accountability Act of 1996
– Portability: Guarantees health coverage when
employees change jobs
– Accountability: Establishes National Standards
for protecting health data
Slide 3
ADMINISTRATIVE SIMPLIFICATION

Electronic Transactions and Code Sets
– Compliance first required 10-16-02
– Compliance extended to 10-16-03

Privacy
– Compliance 4-14-03

Security
– Compliance 4-21-05

Enforcement
– Interim Final Rule: Civil Money Penalties
• Comment Period ends 6-16-03
Slide 4
ELECTRONIC TRANSACTIONS &
CODE SETS RULE

Health Care Providers and Payers currently
use many different forms and formats for
billing and claims processing
– Confusing
– Inefficient
– Expensive

Standardized Transactions and Codes
– Consistency
– Accuracy
– Reduced paperwork
Slide 5
PRIVACY RULE
• Applies to paper/oral/electronic records
• Sets boundaries on the Use and Disclosure of
health information
• Gives “patients” more control over their own
health information
• Establishes safeguards for protecting the
privacy of health information
• Holds providers and payers accountable for
violations of privacy requirements

Slide 6
SECURITY RULE

• Applies to electronic records only
– Privacy Rule addresses security of paper records
• Requirements for providers and payers to
assure that electronic health information
pertaining to individuals remains secure
• Technology-neutral
• Scalable
• Addresses administrative, technical and
physical safeguards

Slide 7
PRIVACY vs. SECURITY

Privacy and Security go hand-in-hand

Privacy is the “what”
– Patients have the right to have their health
information protected from unauthorized
disclosures

Security is the “how”
– Agencies must determine the procedures they will
put into place to protect health information
Slide 8
ENFORCEMENT RULE
• First installment: Civil Money Penalties
(Enforced by CMS)
• Coming: Criminal Money Penalties (Enforced
by US Dept of Justice)
• Establishes procedures for imposing penalties
for violation of Administrative Simplification
Regulations
• Civil Money Penalties
– $100 per violation
– $25,000 cap per year/per violation
Slide 9
WHO HAS TO COMPLY WITH HIPAA?

Covered Entities
– Health Care Providers (who transmit any health
information in a standard electronic transaction)
– Health Care Plans (provides or pays for the cost
of medical care)
– Health Care Clearinghouses (routes electronic
data between providers and payers)
Slide 10
WHO IS IMPACTED BY HIPAA?

Professionals who provide services or
activities through a contractual agreement
with a health care provider/plan

Individuals/professionals who work directly for
a health care provider/plan

“Patients” who seek services from a health
care provider or health care plan
Slide 11
HOW IS DHHS IMPACTED?

DHHS is a “Hybrid Entity” (a single legal entity
whose primary function is something other
than health care) that has under its control
health care providers and health care plans

DHHS Divisions and Offices that are either
health care providers or health care plans that
are affected by HIPAA are called “Covered
Health Care Components”
Slide 12
DHHS COVERED COMPONENTS

DMA
– Medicaid

DMH/DD/SAS
– State Psychiatric Hospitals,
Substance Abuse, Nursing (7)
– Mental Retardation
Centers (5)
– Adolescent Treatment (2)

DPH
– State Lab
– State Center for Health
Statistics
– Local Health Services
– Children’s Special Health
Services
– DEC’s (13)

Office of Education Services
– School for the Blind (1)
– Schools for the Deaf (2)

Other divisions/offices
– Controller’s Office
– Information Resource Mgmt
– Office of Public Affairs
– Office of the Internal Auditor
– ORDRHD
Slide 13
IMPACT OF NOT COMPLYING
• Possible litigation
• Potential withholding of federal
Medicaid and Medicare funds
• Federal Medicaid Share in NC
is @ $4.5 billion
• In DHHS, more than $300
million in revenues at risk
• Penalties
– Civil monetary for violations of
each standard
– Wrongful disclosure of health
information
Slide 14
PRIVACY RULE

Privacy Requirements affect:
– Medical records
– Billing records
– Other records/documents with health information
– Paper records
– Electronic records
– Oral communications
Slide 15
PRIVACY TERMINOLOGY
• Individually Identifiable Health Information
(IIHI)
• Protected Health Information (PHI)
• Treatment, Payment and Health Care
Operations (TPO)
• Use/Disclosure
• Business Associate/BA Agreement
• Minimum Necessary
• Safeguards

Slide 16
PRIVACY TERMINOLOGY (Cont)
• De-identification
• Limited Data Set/Data Use Agreement
• Consent/Authorization
• Personal Representative
• Notice of Privacy Practices
• Patients’ Rights
• Designated Record Sets
• Privacy Officer/Privacy Official

Slide 17
INDIVIDUALLY IDENTIFIABLE
HEALTH INFORMATION (IIHI)

Any information about an individual that:
– Is created, received, or maintained by an agency
– Relates to past, present or future physical or
mental health or condition of an individual
– Relates to past, present or future treatment of an
individual
– Relates to past, present or future payment for
health care … AND
– IDENTIFIES THE INDIVIDUAL
– (Also called PHI in Privacy Rule)
Slide 18
TREATMENT, PAYMENT AND
HEALTH CARE OPERATIONS

Treatment
– Provision, coordination, management of health
care and related services

Payment
– Billing and claims management
– Eligibility & coverage determination

Health Care Operations
– Business management
– Accreditation/certification/licensing
Slide 19
USE & DISCLOSURE

Use
– Staff sharing health information within a covered
component

Disclosure
– Releasing health information to a person or an
agency outside a covered component
Slide 20
BUSINESS ASSOCIATE

Business Associates
– Person/agency who performs a function or activity for
or on behalf of a covered entity that involves the use
of IIHI
– Must enter into a Business Associate Agreement or
Memorandum of Understanding with a covered entity
– DHHS agencies have both Internal (within the
department) and External (outside the department)
Business Associates
Slide 21
WHO IS A BUSINESS ASSOCIATE?

Examples:
– Collection Agency
– Private Attorney
– Auditing Firm
– Record Copying Service
– Recycling Service
Slide 22
MISCONCEPTION

All “contractors” will become “business
associates”

NOT TRUE!

In fact…very few contractors will become
business associates
Slide 23
DHHS BUSINESS ASSOCIATES

Internal Business Associates
– Division Business Associates (same division)
– DHHS Business Associates (another division)

External Business Associates
– State Government Business Associates (another
department)
– Private vendor
Slide 24
INCIDENTAL ACCESS TO IIHI

Access to IIHI is not required but may be
incidental in the performance of a service
such as:
– Housekeeping Service
– Recycling Service

Does not require Business Associate
Agreement
Slide 25
BUSINESS ASSOCIATE AGREEMENT

A covered component may disclose IIHI to a
Business Associate only after the covered
component receives “satisfactory assurance”
that the Business Associate will properly
safeguard the information it receives, creates
or discloses

“Satisfactory Assurance” is obtained via a
Business Associate Agreement
Slide 26
BA AGREEMENT REQUIREMENTS
• Not to use or disclose IIHI other than as
permitted in agreement
• Must develop and implement appropriate
safeguards to protect IIHI
• Must report any violations to covered
component
• Must agree to provide client access when
requested by covered component

Slide 27
MINIMUM NECESSARY

When using or disclosing IIHI … make
reasonable efforts to limit the health
information to that which is needed to
accomplish the intended purpose

Nothing more

Does not apply to “treatment” or when
required by law
Slide 28
SAFEGUARDS

• Requirements for:
– Administrative Safeguards
(Policies/Procedures)
– Physical Safeguards (Locked Files/Computer
Screens)
– Technical Safeguards (Passwords/Encryption)
• Flexible
• Scalable

Slide 29
DE-IDENTIFICATION

Removing specific elements from IIHI that
could possibly identify the individual for whom
the health information was created (no longer
IIHI)

Means of de-identifying:
– Removing
– Coding
– Encrypting
Slide 30
IDENTIFYING ELEMENTS
• Name
• Geographic subdivisions smaller than a state
– Street Address
– City
– County
– Precinct
– Zip code
• All elements of dates (except year) related to
an individual
Slide 31
IDENTIFYING ELEMENTS (Cont)
• Telephone/Fax Numbers
• E-mail Address
• Social Security Number
• Medical Record Numbers
• Health Plan Beneficiary Numbers
• Account Numbers
• Certificate/License Numbers
• Vehicle Identifiers/License Plate Number

Slide 32
IDENTIFYING ELEMENTS (Cont)
• Device Identifiers and Numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) Address Numbers
• Biometric Identifiers (finger, eye, voice)
• Full Face Photograph
• Other Identifying Numbers, Codes

Slide 33
LIMITED DATA SET

Health information wherein all identifying
elements have been removed except for:
– State, county, city, town, precinct
– Parts of zip codes
– Dates exclusive of year (month/day)
– Gender
– Race
– Ethnicity
– Marital status
Slide 34
LIMITED DATA SET

Information wherein all identifying elements
have been removed except for specific
elements

Primarily used in:
– Research
– Public Health
– Health Care Operations
Slide 35
DATA USE AGREEMENT

Agreement between covered component and
requester of information that the information
(with limited identifying data) will be used or
disclosed only as stipulated in this agreement
(similar to Business Associate Agreement)

Minimum Necessary Rule applies

DUA does not apply if required by law
Slide 36
CONSENT & AUTHORIZATION

Consent from client to use IIHI for Treatment,
Payment and Health Care Operations (TPO)
– Permission from client to use IIHI within the
agency
– (HIPAA no longer requires…strongly suggested)
– Required in Mental Health Law

Authorization from client to disclose IIHI for
purposes other than TPO
Slide 37
PERSONAL REPRESENTATIVE

Person who is authorized by the court or by
state or federal law to act on behalf of a client
regarding the individual’s health information

Examples:
– Person with “health care power of attorney”
– Parent
– Guardian
– Person acting “in loco parentis”
Slide 38
PRIVACY RULE HIGHLIGHTS

Establishes a federal law that mandates
privacy protections for health information

Simplifies sharing of health information for
treatment purposes among health care
professionals

Limits information to be shared to that which is
minimally necessary (except for treatment)
Slide 39
PRIVACY RULE HIGHLIGHTS (Cont)

Establishes requirements for de-identification
of health information

Allows limited data sets for research, public
health and health care operations

Requires administrative, physical and
technical safeguards for protecting health
information
Slide 40
PRIVACY RULE HIGHLIGHTS (Cont)

Requires contracting professionals to
safeguard health information in the same way
as covered components

Requires agencies to classify workforce
members and to determine the level of access
to health information they should have

Requires agencies to develop privacy policies
and procedures
Slide 41
PRIVACY RULE HIGHLIGHTS (Cont)

Requires agencies to develop a notice of their
privacy practices and to make a good faith
effort to inform their clients of ways their
health information could be used or disclosed

Mandates privacy training for workforce

Establishes rights of patients regarding their
health information
Slide 42
PRIVACY RULE HIGHLIGHTS (Cont)

Requires agencies to identify a privacy official
and a contact person for complaints

Establishes requirements for using and
disclosing health information

Establishes rights of clients
Slide 43
NOTICE OF PRIVACY PRACTICES

Who
– Covered health care components

What
– Must develop a document that describes the ways
health information may be used and to whom it
could be disclosed, including examples of each

Why
– So that patients are more aware of who might
have access to their health information and for
what reasons
Slide 44
NOTICE OF PRIVACY PRACTICES

How
– Each covered component must determine its privacy
practices, develop a Notice and give each patient a
copy of the Notice
– Components must also post their Notice in the facility
and on their public web site, if available

When
– Providers: At their first treatment encounter after
4-14-03
– Plans: At enrollment
Slide 45
NOTICE OF PRIVACY PRACTICES

Contacts
– Notices must identify a person in the agency to
contact for more information or for complaints
– Notices must inform clients about contacting US
DHHS to report violations of privacy practices

Rights
– Notices must inform patients of their rights
Slide 46
PATIENTS’ RIGHTS

• Right to confidential communications
• Right to adequate notice of use & disclosures
• Right to paper copy of Notice
• Right to request access, inspect and copy health
information
• Right to request amendment of health information
• Right to accounting of health information
disclosures
• Right to request privacy restrictions
• Right to contact person
Slide 47
DESIGNATED RECORD SETS

Records to which patients may have access

Identifying Designated Record Sets
– Each covered component must identify categories
of records that are used to make decisions about
patients

Examples
– Medical Records
– Billing Records
– Financial Records
Slide 48
PRIVACY OFFICER/OFFICIAL

Privacy Officer
– DHHS has designated a position in the DHHS
HIPAA Office to serve as interim DHHS Privacy
Officer

Privacy Officials
– Each agency that maintains IIHI is required to
designate a Privacy Official to oversee the
agency’s privacy practices; may also be agency’s
contact person for privacy issues
Slide 49
POLICIES & PROCEDURES

Privacy Policies
– DHHS is developing privacy policies for HIPAA
covered health care components, some of which
apply to non-covered agencies as well

Security & Privacy Manual
– Policies are published online at
http://dirm.state.nc.us/hipaa/hipaa2002/privacy/privacy.html#c5
Slide 50
POLICIES & PROCEDURES

Privacy Policies include:
– Privacy Protections (List of policies)
– Privacy Official (Requirement to identify Official)
– Workforce (Who is workforce/requirements)
– Safeguards (Privacy protections)
– Privacy Complaints (How to file a complaint)
– Business Associates (Who/What they need to do)
– Authorizations (Requirements and Form)
– De-identification (What/How/When)
Slide 51
POLICIES & PROCEDURES

Privacy Policies Continued:
– Minimum Necessary (What/When to use)
– Notice of Privacy Practices (What/How/When)
– Client Rights (What/How to implement)
– Personal Representative (What/Who/Duties)
– Designated Record Sets (What/When to use)
– Use and Disclosure (What/When/How)
– Legal Occurrences (Laws/Regulations/Rules)
– Accounting of Disclosures (What/How)
Slide 52
POLICIES & PROCEDURES

Privacy Policies Continued:
– Research (What/When/How)
– Marketing and Fundraising (What/Limitations)
Slide 53
PRIVACY IMPACTS TO DATA
SYSTEMS

Access Controls
– Identification of users
– Classification of users
– Minimum Necessary access
Slide 54
Y2K vs. HIPAA


Y2K
– Impacted all information
systems
– Did not require major business
process changes
– Did not directly impact
consumers
– Involved most vendors and IS
staff to resolve issues

HIPAA
– Impacts “health information
systems” that contain
identifying patient data
– Will have major impacts on
business practices in the
health care industry
– Will affect health care
consumers
– Affects the entire organization
by changes resulting from
implementation
Slide 55
WISHFUL THINKING ABOUT HIPAA
– Congress will repeal HIPAA
– There will be additional delays
– There will be no real enforcement for many, many
years
– Vendor(s) will take care of agency’s HIPAA issues
– HIPAA is an IT project
– Organization really does not have to do anything
new or different
– Patients won’t understand enough about HIPAA to
know what their rights are
Slide 56
HIPAA REALITY
– Not a “one shot deal”
– Not solely a technology or system fix
– Affects the way we use and disclose health
information
– Major impact on privacy policies and procedures
– Affects our relationship with other providers and
vendors
– Affects our relationship with our clients
– Requires us to look at our current protections for
health care information and adjust as needed
Slide 57
HIPAA WEB RESOURCES


DHHS HIPAA
– dirm.state.nc.us/hipaa/

UNC Institute of Government
– www.medicalprivacy.unc.edu/index.html

NCHICA (NC Healthcare Information and Communications Alliance, Inc)
– www.nchica.org/

AHIMA (American Health Information Mgmt Assoc)
– www.ahima.org/

US DHHS/HIPAA
– aspe.os.dhhs.gov/admnsimp/

HHS Office of Civil Rights
– www.hhs.gov/ocr/hipaa/

HIPAA GIVES (Government Information Value Exchange for States)
– www.hipaagives.org/
Slide 58
DHHS HIPAA WEBSITE

Slide 59
HIPAA
QUESTIONS
??????
Slide 60