HIPAA: The Hidden Beast
June Kissinger, Director, Risk Management Support Services
March 12, 2003

Overview
Health Insurance Portability and Accountability Act
- Passed by Congress in 1996 to reform the insurance market and simplify health care administrative processes.

A Look at HIPAA: Past... Present... Future
HIPAA - Title I: Insurance Portability
- Effective in 1997
- Deals with accessibility and portability
- Allows non-federal governmental plans to opt out of certain provisions

HIPAA - Title II: Administrative Simplification
- Improve efficiency by standardizing electronic data interchange (EDI)
- Protect the confidentiality and security of identifiable health information (electronic and paper) by setting and enforcing standards
HIPAA - Key Terms
- Covered Entity
- Business Associate
- Protected Health Information (PHI)
- Small Health Plan

HIPAA - Key Terms: Covered Entity
- Health plan: employee welfare benefit plan, including insured and self-insured plans
- Health care provider: person or entity that furnishes, bills, or is paid for health care in the normal course of business
- Health care clearinghouse: public or private entity that processes health information from another entity from non-standard into standard format
- All covered entities must comply with HIPAA
What's a Health Plan: Included Plans
- Health
- Dental
- Health FSA
- Vision
- EAP

What's a Health Plan: Excluded Plans
- Automobile medical payment insurance
- Disability
- Liability insurance, including general liability insurance and auto liability insurance
- Life insurance
- Workers' compensation

What's a Health Plan: The Employer
- The employer in its entirety is not subject to HIPAA
- The employer may declare itself a hybrid entity, which defines and isolates the individuals dealing with the health plan
- "Firewalls" must be created between covered and non-covered functions
- Information cannot be used for employment purposes or for administering any other plan (e.g. disability or workers' compensation)
- Designated health plan personnel dealing with PHI are subject to HIPAA
HIPAA - Key Terms: Business Associate
- Performs certain functions on behalf of a covered entity, for example:
  - Third Party Administrator (TPA)
  - Benefits Consultant
  - Attorney
  - Utilization Review Vendor
  - Pharmacy Benefits Manager

HIPAA - Key Terms: Protected Health Information (PHI)
- Individually identifiable health information
- Relates to the past, present or future physical or mental health or condition of an individual
- Specifically identifies the individual, or there is a reasonable belief that the information can be used to identify the individual

HIPAA - Key Terms: Permitted Usage of PHI
- To the individual
- For treatment, payment, or health care operations
- Certain public policy exceptions
- Other uses require individual authorizations

HIPAA - Key Terms: Small Health Plan
- Plans with receipts under $5M
Electronic Data Interchange (EDI)
- Proposed May 1998
- Final Rule published August 2000
- Compliance deadline (with extension): October 14, 2003
- Rule amended February 2003

EDI: Transactions
- Health claims and equivalent encounter information
- Enrollment and disenrollment in a health plan
- Eligibility for a health plan
- Health care payment and remittance advice
- Health plan premium payments
- Health claim status
- Referral certification and authorization
- Coordination of benefits

EDI: Code Sets and Unique Identifiers
- Code Sets: standardization of medical codes
- Unique Identifiers:
  - Employer: EIN was adopted May 2002
  - Health Plan
  - Provider

EDI: Health Plans and Providers
- Health plans are mandated to have the capability to accept and send electronic transactions via the designated standard transactions, using the standard code sets and unique identifiers
- Providers: if they choose to use electronic transactions, they must use all the designated transactions, code sets and identifiers
PRIVACY
- Proposed November 1999
- Final Rule published August 2002
- Compliance deadline: April 14, 2003
- Small health plans: April 14, 2004

Privacy
- Creates national standards to protect individuals' medical records
- Gives patients more control over their health information
- Sets boundaries on the use and release of health records
- Establishes safeguards that health care providers and others must achieve to protect the privacy of health information
- Holds violators accountable with civil and criminal penalties

Privacy
- Allows patients to find out how their information may be used
- Generally limits release of information to the minimum reasonably needed for the purpose of the disclosure
- Gives patients the right to examine and obtain a copy of their own health records and to request corrections
- Empowers individuals to control certain uses and disclosures of their health information
Administrative Requirements
- Privacy Officer
- Notice of Privacy Practice
- Privacy compliance policies and procedures
- Privacy training for employees
- Problem reporting system
- Sanctions for covered entities and business partners

Privacy Officer
- Must be designated and named in the Notice of Privacy Practice given to your employees
- Responsible for development of policies and procedures for the entity

Notice of Privacy Practice
- Each employee must receive a copy of this notice
- Notice must contain:
  - Rights: the individual's rights
  - Duties: your legal duties regarding protected health information (PHI)

Policies and Procedures
- Each covered entity must have written privacy and security policies and procedures
- Must include details regarding the use of PHI
- Must reflect your effort to limit the disclosure of PHI to the minimum information necessary to accomplish the intended purpose
- Document each scenario of how your staff handles each type of PHI (claims, reports, etc.) from the point of entry until it reaches its final destination
- Document how PHI is kept secure

Training
- Covered entities must provide training to employees on the entity's policies and procedures
- Must be documented for each person, but a signed certificate is not required
- Must be documented in your privacy policies and procedures

Problem Reporting System
- Must have a way to track any problems or complaints regarding the use of PHI
- Must be documented in your privacy policies and procedures

Sanctions
- Privacy policies and procedures must contain sanctions for a covered entity and/or business partner in the event of unauthorized disclosure of PHI
SECURITY
- Proposed August 1999
- Final Rule published February 2003
- Compliance deadline: April 21, 2005
- Small health plans: April 21, 2006

Where to from here?

You need to...
- Determine your privacy compliance effective date: are you a small health plan, with receipts under $5M, or a large health plan?
- Contact your TPA or Administrator to find out their HIPAA plans
- Designate a Privacy Officer

You need to...
- Perform assessment and analysis:
  - Map the workflow and storage for PHI
  - Identify third party vendors (business associates) with access to PHI
  - Review security requirements
- Develop privacy and security policies and procedures which include a separation between employment records and your health plan
- Develop a Notice of Privacy Practice

You need to...
- Develop and sign Business Associate Agreements
- Develop a monitoring and reporting system
- Train all employees with access to PHI
- Distribute the Notice of Privacy Practice to all employees and amend the plan document
How to avoid some restrictions
- A TPA may disclose summary health information to a group health plan without invoking all aspects of the HIPAA privacy restrictions
  - Summarizes the claims history, expenses or types of claims
  - Does not contain names, addresses, dates (except year), social security numbers, etc.

What if you don't comply?

Civil Penalties
- Levied for failure to comply with requirements
- $100 fine for each violation
- Maximum of $25,000 per calendar year for each standard violation within an organization

Criminal Penalties
- Improper use of health identifiers, or improperly obtaining or disclosing PHI, is subject to both fines and imprisonment
- Enforcement has been assigned to the DHHS Office of Civil Rights
- Penalties are graduated, increasing if the offense is committed under false pretenses or to reap personal gain
Helpful Resources
- HHS Administrative Simplification Website
- HHS Privacy & Security Website (links to the rules)
- HHS Office of Civil Rights Website
- HHS Privacy Rule Guidance and FAQ
- Model Business Associate Agreement

HIPAA Humor
- What do you call someone who complains incessantly about HIPAA? A HIPAA condriac!!!
- What do you call someone who pretends they like HIPAA, but says terrible things about it in private? A HIPAA cryte!!!
- What is the effect of today's presentation? HIPAA nosis!!!

Questions????