IOWA STATE ASSOCIATION OF COUNTIES
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Mary Knapp, September 17 and 18, 2002
© HIPAA Pros 2002. All rights reserved.

Changes Are Coming
This presentation should not be construed as legal advice or as pertaining to specific factual situations. The information, while believed correct at the time it was compiled, is subject to change: not all HIPAA security regulations have been finalized, and interpretations and guidance continue to modify our analysis.
WHY HIPAA?
- Insurance reform: improve portability and continuity of health insurance for employees.
- Extend fraud and abuse prevention measures: dedicate additional resources to fraud and abuse enforcement (not just Medicare and Medicaid).

WHY HIPAA? (continued)
- Administrative simplification: standardize how information is exchanged (transactions) between providers, health plans and employers, using one format and one set of diagnostic/billing codes.
  - Go electronic.
  - Keep it private and secure.

Effective Compliance Dates to Remember
- Privacy Standards: April 14, 2003.
- EDI Standards: October 16, 2003 (for covered entities that file an extension request with the Secretary of DHHS before October 16, 2002).
- Proposed Security Standards: two years after the final regulations are published.
Introducing ... "HIPAA Standards for Privacy of Individually Identifiable Health Information"

Privacy Regulations
- December 28, 2000: Privacy of Individually Identifiable Health Information, Final Rule.
- July 6, 2001: Office for Civil Rights technical assistance (guidance).
- March 27, 2002: Notice of Proposed Rulemaking (NPRM).
- August 14, 2002: final changes (modifications) to the Final Rule.

Everyone is affected

Who's a Covered Entity Under HIPAA?
- Health plans
- Health care clearinghouses
- Health care providers who transmit any health information in electronic form in connection with the following standard transactions...
Standard Transactions
- Enrollment and Disenrollment in a Health Plan (834)
- Health Care Premium Payments (820)
- Health Care Eligibility Benefit Inquiry and Response (270/271)
- Referral Certification and Authorization (278)
- Health Care Claims or Equivalent Encounter Information (837)
- Health Care Claim Status (276/277)
- Health Care Payment and Remittance Advice (835)
- Coordination of Benefits (837)
- First Report of Injury (148) (delayed)
- Additional Claim Information (275) (delayed)
"And now, let's determine if we are a covered entity, affiliated single covered entity, hybrid covered entity or organized health care arrangement."

Privacy Rule Intent
- Give clients more control over their health information.
- Set boundaries on the use and release of health records.
- Establish appropriate safeguards to protect the privacy of health information.
- Hold violators accountable through civil and criminal penalties.
- Strike a balance between privacy and the public good.

Privacy Rule Requirements
- Provide information to clients about their privacy rights and how their information can be used, through a Notice of Privacy Practices.
- Adopt clear privacy policies and procedures.
- Train employees.

Privacy Rule Requirements (continued)
- Designate a privacy official and a security officer to ensure that privacy and security procedures are adopted and followed.
- Secure client records containing individually identifiable health information to prevent access by those who do not need them.

"HIPAA Speak"
A new foreign language created by legislation for the express purpose of making the learner feel as though they have landed in a parallel universe where basic common sense and plain language are unheard of.
Individually Identifiable Health Information (IIHI)
Health information, including demographic information, that:
- is created or received by a health care provider, health plan, employer or health care clearinghouse;
- relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for that care; and
- identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
"Protected Health Information" (PHI)
Individually identifiable health information that is:
- transmitted by electronic media;
- maintained in electronic media; or
- transmitted or maintained in any other form or medium (including oral or written PHI).

"Record"
Any item, collection, or grouping of information that includes PHI and is maintained, collected, used or disseminated by or for a covered entity.

Designated Record Set
A group of records maintained by or for a covered entity that is used, in whole or in part, by or for the covered entity to make decisions about individuals. It includes:
- medical records and billing records about individuals; and
- enrollment, payment, claims adjudication and case or medical management records maintained by or for a health plan.

Notice of Privacy Practices
- Covered entities must:
  - provide individuals with written notice of the uses and types of disclosures of PHI made by the covered entity; and
  - describe the individual's rights and the covered entity's obligations regarding PHI.
- Covered entities with a direct treatment relationship must make a good faith effort to obtain the individual's written acknowledgment of receipt of the provider's notice of privacy practices.

Notice of Privacy Practices (continued)
- Good faith effort: an individual's failure or refusal to sign or provide an acknowledgment, despite the covered entity's good faith effort, does not preclude the provider's ability to use or disclose PHI for treatment, payment or health care operations.

Notice of Privacy Practices: Individual Rights

Right to Access Own Protected Health Information (PHI)
- Regardless of who created the information.
- The individual may request a form and format.
- Fees must be agreed upon in advance.
- Access must be provided in a timely manner.
- The covered entity may require a written request (stated in the Notice of Privacy Practices).

Right to Request Additional Protections
- Right to request additional privacy protections (restrictions):
  - the covered entity may refuse;
  - if the covered entity agrees, it must always honor the restriction.
- Right to request to receive communications in an alternate fashion:
  - accommodate reasonable requests.

Individual's Right to Request Amendment
- The covered entity may require individuals to make requests for amendment in writing and to provide a reason to support the requested amendment.
- The covered entity must inform the individual in advance of these requirements.

Right to Request Amendment
- A client has the right to request amendment of PHI maintained in the designated record set.
- The covered entity has 60 days to respond to an individual's request.
- The final regulations specify required processes and standards for managing this process.

Right to an Accounting of Disclosures
- The covered entity must account for disclosures made within the six years prior to the request.
- Excludes disclosures that are:
  - authorized (made under the individual's authorization);
  - of a limited data set;
  - incidental;
  - for treatment, payment or health care operations (TPO);
  - other (e.g., national security, law enforcement).

Right to an Accounting of Disclosures (continued)
- An accounting to the individual of the disclosures of his/her PHI must include:
  - the date of each disclosure;
  - the name and, if known, the address of the party that received the PHI;
  - a brief description of the PHI disclosed; and
  - the purpose for which the PHI was disclosed, or a copy of the individual's authorization, or a copy of the request for disclosure.
HIPAA Consent
- Consent for the use or disclosure of PHI for treatment, payment, and health care operations (TPO) is now optional for all covered entities.

Authorization
- An authorization is a more customized document that gives the covered entity permission to use specified PHI for specified purposes, generally other than TPO, or to disclose PHI to a third party specified by the individual.

Authorization (continued)
- Plain language describing the information in a specific and meaningful fashion.
- Name of the person(s) authorized to make the requested use or disclosure, and of the person(s) to receive it.
- Expiration date, signature and date; the individual receives a copy.
- Statement of each purpose of the disclosure or use.
- Statement of the individual's right to revoke in writing.

Limited Data Set
- A covered entity may use and disclose a "limited data set" for research, public health, or health care operations.
- A limited data set is PHI that has been stripped of 16 direct identifiers of individuals and of their relatives, household members and employers.
- A covered entity must obtain a "data use agreement" from the intended recipient of the limited data set before disclosing the data to the recipient.

Oral Communications
- Covered entities must reasonably safeguard all PHI (including oral information) from any intentional or unintentional use or disclosure that is in violation of the rule.

Oral Communications (continued)
- Certain incidental uses and disclosures are permissible as long as they are secondary disclosures that:
  - could not reasonably be prevented;
  - are limited in nature; and
  - are the by-product of an otherwise permissible use or disclosure.

"Minimum Necessary"
Requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose.

Government Access to Health Information
The Privacy Rule allows disclosures that are required by law. For example, all states have laws that require providers to report cases of specific diseases to public health officials.

Work With Vendors

Business Associates
- Business associates are not members of the covered entity's workforce, which consists of:
  - employees;
  - volunteers;
  - trainees; and
  - others under the covered entity's direct control.
Business Associates (continued)
- A person or entity that performs certain functions, activities, or services on behalf of, or provides them to, a covered entity, where this involves the use and/or disclosure of PHI.
- Transition: written business associate contracts that exist before October 15, 2002 may continue to operate until they come up for renewal or until April 14, 2004, whichever is sooner.
Introducing ... "HIPAA Security and Electronic Signature Standards: Proposed Rule"

[Cartoon caption] "The computer expert is here, Mr. Rumson."

Areas Covered by the Security Standard
- Administrative procedures
- Physical safeguards
- Technical security services
- Technical security mechanisms

Administrative Procedures
Documented, formal practices and procedures for:
- recovering lost information;
- how information flows through your department;
- controlling access to information.

Administrative Procedures (continued)
Documented, formal practices and procedures for:
- reporting security breaches;
- maintaining security throughout personnel changes;
- security awareness training.

Physical Safeguards
Protect physical computer systems, related buildings, and equipment:
- keep floppy disks, CDs and backup tapes secure;
- control access to areas and departments;
- log off the workstation when finished;
- provide a secure location for workstations.

Technical Security Services
- Processes to protect information and control individual access:
  - providing for emergency access to secured information;
  - automatic logoff;
  - unique user ID and password.

Technical Security Mechanisms
Processes to guard against unauthorized access to data transmitted over a communications network:
- Confidential information sent over the Internet must be encrypted.
- Verify that information sent arrives unmodified (integrity).
- Determine who accessed what information and when (audit trail).
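The "who accessed what and when" and "arrives unmodified" requirements on this slide, together with the four fields an accounting must contain (see "Right to an Accounting of Disclosures" above), are easier to see in code. The following is an added example, not from the slides or from HIPAA Pros: a hypothetical Python disclosure log in which every entry carries an HMAC over the previous entry's tag, so editing an entry or deleting one from the middle is detected, and which answers an individual's accounting request for the six-year window while skipping the exempt disclosure types the accounting slide lists. The key, names, dates and purpose strings are constructed placeholders. The keyed hash chain covers integrity of the stored log only; the transport encryption the slide also requires is outside this example.

```python
"""Tamper-evident accounting-of-disclosures log (added example, hypothetical)."""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from datetime import date

# Disclosure types the accounting slide lists as exempt from the accounting.
EXEMPT_PURPOSES = {
    "treatment", "payment", "operations",   # TPO
    "authorized",                            # made under the individual's authorization
    "limited_data_set", "incidental",
    "national_security", "law_enforcement",  # the slide's "other"
}
# The four items the accounting slide says an accounting must contain.
ACCOUNTING_FIELDS = ("disclosed_on", "recipient", "recipient_address", "description", "purpose")


@dataclass(frozen=True)
class Disclosure:
    disclosed_on: date
    recipient: str
    recipient_address: str | None   # "if known"
    description: str                # brief description of the PHI disclosed
    purpose: str
    disclosed_by: str               # workforce member who released it (who / what / when)


class DisclosureLog:
    """Append-only log. Each entry's tag is an HMAC over the previous tag plus the
    entry, so altering, removing or reordering an entry breaks every later tag."""

    GENESIS = "0" * 64

    def __init__(self, key: bytes) -> None:
        self._key = key                 # placeholder key; keep a real one outside the log store
        self._entries: list[dict] = []
        self._tags: list[str] = []

    def _tag(self, prev: str, entry: dict) -> str:
        payload = prev.encode() + json.dumps(entry, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def record(self, d: Disclosure) -> str:
        entry = asdict(d)
        entry["disclosed_on"] = d.disclosed_on.isoformat()   # ISO dates compare as strings
        tag = self._tag(self._tags[-1] if self._tags else self.GENESIS, entry)
        self._entries.append(entry)
        self._tags.append(tag)
        return tag

    def verify(self) -> bool:
        """Recompute the chain from the genesis value; any mismatch means tampering."""
        prev = self.GENESIS
        for entry, tag in zip(self._entries, self._tags):
            if not hmac.compare_digest(self._tag(prev, entry), tag):
                return False
            prev = tag
        return len(self._entries) == len(self._tags)

    @staticmethod
    def _six_years_before(d: date) -> date:
        try:
            return d.replace(year=d.year - 6)
        except ValueError:              # request dated 29 February
            return d.replace(year=d.year - 6, day=28)

    def accounting(self, request_date: date) -> list[dict]:
        """Disclosures in the six years before the request, minus exempt ones,
        reduced to the fields the individual is entitled to receive."""
        if not self.verify():
            raise ValueError("disclosure log failed integrity check")
        start, end = self._six_years_before(request_date).isoformat(), request_date.isoformat()
        rows = [
            {k: e[k] for k in ACCOUNTING_FIELDS}
            for e in self._entries
            if start <= e["disclosed_on"] <= end and e["purpose"] not in EXEMPT_PURPOSES
        ]
        return sorted(rows, key=lambda r: r["disclosed_on"])


def build_sample_log() -> DisclosureLog:
    """Constructed sample data; key, names and addresses are placeholders."""
    log = DisclosureLog(key=b"example-key-not-for-production")
    for d in (
        Disclosure(date(1996, 5, 1), "Former Plan Administrator", None, "claim history", "research", "clerk01"),
        Disclosure(date(2002, 12, 15), "University Research Group", "123 Example St", "lab panel, 2002", "research", "clerk02"),
        Disclosure(date(2003, 3, 1), "County Public Health Department", None, "immunization record", "public_health", "nurse01"),
        Disclosure(date(2003, 4, 2), "Treating Physician", "456 Example Ave", "full chart", "treatment", "clerk01"),
    ):
        log.record(d)
    return log


def sample_accounting() -> list[dict]:
    """Accounting for a request dated 2003-06-01 against the sample log."""
    return build_sample_log().accounting(date(2003, 6, 1))


def tamper_detected() -> bool:
    """Edit one stored entry after the fact; verify() must now fail."""
    log = build_sample_log()
    log._entries[1]["description"] = "nothing to see here"
    return not log.verify()


if __name__ == "__main__":
    for row in sample_accounting():
        print(row)
    print("tampering detected:", tamper_detected())
```

Running it lists only the research disclosure of December 2002 and the public health disclosure of March 2003: the 1996 entry falls outside the six-year window and the treatment disclosure is exempt. The chain detects edits and mid-log deletions but not truncation of the newest entries together with their tags, so the latest tag should also be kept somewhere the log writer cannot alter. Internal fields such as `disclosed_by` stay in the log for the audit trail but are not returned to the individual.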
Introducing ... "HIPAA Electronic Data Interchange: Transactions and Code Sets, Final Rule and Postponement"

Streamlining Payment
- Create national standards for the storage and transmission of electronic health information.
  - There are over 400 different formats for electronic submission of health care claims in the US today.
- EDI standards will require uniform codes for all payers.
- Uniformity = cost savings.

The Origins of EDI
[Cartoon caption] "Now, while we're dancing, let's all be thinking how we can step up doll production, cut costs in the toy car division, and eliminate waste in all departments."
HIPAA National Electronic Transaction Standards
The same ten transactions listed under "Standard Transactions" above: enrollment/disenrollment (834), premium payments (820), eligibility inquiry and response (270/271), referral certification and authorization (278), claims or encounter information (837), claim status (276/277), payment and remittance advice (835), coordination of benefits (837), first report of injury (delayed) and additional claim information (275, delayed).

HIPAA Code Sets
- International Classification of Diseases, 9th Edition, Clinical Modification (ICD-9-CM).
- Current Procedural Terminology, 4th Edition (CPT-4).
- Health Care Financing Administration Common Procedure Coding System (HCPCS).
- Code on Dental Procedures and Nomenclature, 2nd Edition (CDT-2).
Next Steps: Starting Now and Ending Never
- EDI extension
- Covered entity analysis
- Risk/gap analysis
- Team assignments

Next Steps (continued)
- Privacy official and security officer appointment
- PHI policies and procedures
- Notice of Privacy Practices and forms
- Business associates

Next Steps (continued)
- HIPAA training
- Privacy implementation
- EDI testing
Milestone #1 reached: April 14, 2003

HIPAA Penalties: Civil
- Up to $100 per violation, to a maximum of $25,000 per year for all violations of an identical requirement.
- Civil penalties may not be imposed if:
  - the person did not know, and would not have known with the exercise of reasonable diligence, that he/she violated the provision; or
  - the failure was due to reasonable cause, not the result of willful neglect, and is corrected within 30 days of the first date the person knew, or by exercising reasonable diligence would have known, that the failure to comply occurred.
- May be mitigated by the existence of a HIPAA compliance program.
- May not be imposed for an act that is punishable under HIPAA's criminal penalty provisions.
- HHS is authorized to seek injunctions against covered entities to stop the use/disclosure of PHI until compliance is achieved.
HIPAA Penalties: Criminal
- Knowingly using, obtaining or disclosing individually identifiable health information raises the available penalties from civil fines to criminal sanctions.
- Three levels of criminal penalties (42 U.S.C. 1320d-6):
  - up to $50,000 and/or up to 1 year in prison for a simple violation, i.e. knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA;
  - up to $100,000 and/or up to 5 years in prison for obtaining the information under "false pretenses";
  - up to $250,000 and/or up to 10 years in prison for obtaining or disclosing the information with intent to sell, transfer or use it for commercial advantage, personal gain, or malicious harm.
Question & Answer