Health Insurance Portability and Accountability Act
Dr. Yaseen Hayajneh, RN, MPH, PhD


HIPAA
– The Health Insurance Portability and Accountability Act of AKA Kassebaum-Kennedy Act, after the two senators who spearheaded the bill.
– Passed in 1996 to help people buy and keep health insurance, even when they have serious health conditions.
– Generally, HIPAA restricts the use of preexisting condition exclusions, creates special enrollment periods and prohibits discrimination based on health-status related conditions in enrollment and premiums.

HIPAA
The federal law which establishes standards for the privacy and security of health information, as well as standards for electronic data interchange (EDI) of health information.
HIPAA has two main goals:
– making health insurance more portable when persons change employers, and
– making the health care system more accountable for costs -- trying especially to reduce waste and fraud.

HIPAA: Administrative Simplification
– HIPAA aims to improve accountability in part through what it calls administrative simplification -- a term that translates, roughly, as "promoting efficiency."
– Administrative Simplification is a subtitle of the Health Insurance Portability and Accountability Act of
– The principal means of promoting efficiency is better use of information technology.
– Broader use of computer systems increased concerns about misuse of patients' health information, hence the inclusion of privacy and security provisions as part of HIPAA along with EDI standards.

Health Insurance Portability and Accountability Act
– Insurance Reform (Portability)
– Administrative Simplification (Accountability)
» Transactions & Code Sets
» Privacy
» Security
» National Identifier

What is Privacy?
– The condition of being concealed or hidden
– Right of an individual to be left alone
– For purposes of the HIPAA Privacy Rule, privacy means an individual's interest in limiting who has access to personal health care information.

HIPAA Privacy Rule
Effective April 14,
The Privacy Rule sets standards for how protected health information (PHI) "in any form or medium" should be controlled. HIPAA's other rules cover only electronic information.
HIPAA sets a federal floor for PHI, but:
– States may have more stringent privacy protections, and
– The more stringent law (HIPAA or state) governs.
Remember: "in any form or medium"

Protected Health Information (PHI)
Privacy Rule protects health information identifying a person (or information that can be used to identify a person):
– All individually identifiable health information that provider creates, uses or receives.
– Includes information about:
» Past, present or future physical or mental health of a person,
» Provision of health care to that person, and
» Payment for care received.
– Includes information in written, electronic or oral form.

Protected Health Information (PHI)
– Name
– Social Security Number
– Medical record numbers
– Telephone numbers
– Fax numbers
– Full face photographs
– Geographic subdivisions smaller than state (street address, city, county, precinct, zip code, equivalent geo-codes except first 3 digits of a zip code)
– All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, date of death, and ages over 89
– Health plan beneficiary numbers
– Account numbers
– Certificate/license numbers
– Vehicle identifiers and serial numbers, including license plate numbers
– Device identifiers and serial numbers
– Biometric identifiers (including finger or voice prints)
– URL (Web Universal Resource Locator) addresses
– Internet Protocol (IP) address numbers
– Any other unique identifying number, characteristic, or code
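
The identifier list above, applied as a de-identification pass over a single record. This is an added example, not part of the original presentation; the field names, the free-text patterns and the sample record are constructed for illustration.

```python
import re
from datetime import date

# Hypothetical field names, mapped to the slide's identifier categories.
DROP_FIELDS = {
    "name", "ssn", "medical_record_number", "phone", "fax", "photo", "url",
    "street_address", "city", "county", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "biometric", "ip_address",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Identifiers that commonly leak into free-text notes.
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"https?://\S+"), "[URL]"),
    (re.compile(r"\b\d{3}[ .-]\d{3}[ .-]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"), r"\1"),  # date -> year only
]

def scrub_text(text):
    # Mask identifier patterns that appear inside free text.
    for pattern, replacement in TEXT_PATTERNS:
        text = pattern.sub(replacement, text)
    return text

def deidentify(record, today):
    # Return a copy of record with listed identifiers removed or coarsened.
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue  # direct identifier: drop the field entirely
        if key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = value.year  # year only
        elif key == "zip":
            # Slide's rule: only the first 3 digits survive. The regulation also
            # conditions this on the population of the 3-digit area.
            out["zip3"] = str(value)[:3]
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    birth = record.get("birth_date")
    if birth is not None:
        had_birthday = (today.month, today.day) >= (birth.month, birth.day)
        age = today.year - birth.year - (0 if had_birthday else 1)
        if age > 89:
            out["age"] = "90+"           # ages over 89 collapse to one bucket
            out.pop("birth_year", None)  # the year alone would reveal the age
        else:
            out["age"] = age
    return out

# Constructed sample record; not real patient data.
SAMPLE = {
    "name": "Jane Example", "ssn": "000-12-3456", "zip": "49401",
    "birth_date": date(1930, 5, 2), "admission_date": date(2024, 3, 14),
    "diagnosis_code": "250.00",
    "notes": "Pt called from 555-123-4567 on 3/15/2024; login from 10.0.0.5.",
}
print(deidentify(SAMPLE, date(2024, 6, 1)))
```

Pattern matching over free text only catches the formats it knows; the slide's last category, "any other unique identifying number, characteristic, or code", still needs review of the fields that pass through unchanged.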

Privacy Rule: What does it do?
– For the first time creates national standards to protect individuals' medical records and other personal health information.
– It gives patients more control over their health information.
– It sets boundaries on the use and release of health records.
– It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
– It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients' privacy rights.
– And it strikes a balance when public responsibility requires disclosure of some forms of data - for example, to protect public health.

Privacy Rule Requirements
For the average health care provider or health plan, the Privacy Rule requires activities, such as:
– Providing information to patients about their privacy rights and how their information can be used.
– Adopting clear privacy procedures for its practice, hospital, or plan.
– Training employees so that they understand the privacy procedures.
– Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.
– Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them.

Privacy Rule: Covered Entities
– Health plans,
– Health care clearinghouses
– Health care providers who conduct certain financial and administrative transactions electronically.
Covered entities are bound by the privacy standards even if they contract with others to perform some of their essential functions.

Privacy Rule: Use vs. Disclosure
– Use: Sharing within the entity.
– Disclosure: Sharing outside the entity.
– Privacy rule allows use and disclosure without specific authorization for Treatment, Payment, and Operations (TPO).
– Research is not considered to be treatment, payment or operations.

Health Insurance Portability and Accountability Act
– Administrative Simplification (Accountability)
» Transactions & Code Sets
» Privacy
» Security
» National Identifier

Security Rule
The Security Rule's requirements are divided into:
– Administrative safeguards.
– Physical safeguards.
– Technical safeguards.
Each category includes various standards and implementation specifications that provide instructions for putting in place the components of the three categories.

Security Rule
The HIPAA Security Rule applies to covered entities -- defined as (a) health plans, (b) health care clearinghouses, and (c) health care providers who transmit any protected health information (PHI) in "electronic form." The Security Rule does not include any standards for PHI in non-electronic forms. Such information is, however, covered by the HIPAA Privacy Rule, which extends to PHI in "any form or medium."

Security Rule: Administrative Safeguards
"Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic PHI and to manage the conduct of the covered entity's workforce in relation to the protection of that information."
– Examples
» Security management process
» Assigned security responsibility
» Workforce security
» Information access management
» Security awareness and training
» Security incident procedures
» Business associate contracts and other arrangements
» Documentation

Security Rule: Physical Safeguards
Physical measures, policies and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.
– Examples:
» Facility access controls
» Workstation use
» Workstation security
» Device and media controls

Security Rule: Technical Safeguards
"the technology and the policy and procedures for its use that protect electronic protected health information [PHI] and control access to it."
– Examples
» Access control
» Integrity
» Audit controls
» Person or entity authentication
» Transmission security

Health Insurance Portability and Accountability Act
– Administrative Simplification (Accountability)
» Transactions & Code Sets
» Privacy
» Security
» National Identifier

Identifier Rule
HIPAA requires the Department of Health and Human Services (HHS) to develop standard, unique identifiers for every
– Health care provider;
– Employer;
– Health plan; and
– Patient

National Provider Identifier (NPI)
Historically,
– Health plans have independently assigned identifiers to health care providers.
– These identifiers are not standardized within plans or across plans.
– As a result, providers can have multiple billing numbers, significantly complicating the submission of claims, and coordination of benefits.
A standard, unique provider identifier would assist in overcoming these difficulties.
– The Final Rule adopting the HIPAA standard unique health identifier for health care providers was published on January
– Health care providers can begin applying for NPIs on the effective date of the final rule, which is May 23,
– All health care providers are eligible to be assigned NPIs;
– Covered entities must obtain and use NPIs.
– Covered entities must use NPIs by the compliance dates

Standard Unique Employer Identifier
– This rule establishes a standard for a unique employer identifier and requirements concerning its use by health plans, health care clearinghouses, and health care providers.
– The health plans, health care clearinghouses, and health care providers must use the identifier, among other uses, in connection with certain electronic transactions.
– The use of this identifier will improve the Medicare and Medicaid programs, and other Federal health programs and private health programs, and the effectiveness and efficiency of the health care industry in general, by simplifying the administration of the system and enabling the efficient electronic transmission of certain health information.

Identifier Rule: Plan & Patient
National Health Plan Identifier
– A national health plan identifier would apply to "health plans," defined by HIPAA as an individual or group plan that provides for or pays the cost of medical care. A proposed plan identifier has not yet been issued.
– Under development; not yet available
National Patient Identifier
– The requirement that HHS issue a national identifier for individuals has been extremely controversial because of issues such as privacy and what model of identifier should be used.

Health Insurance Portability and Accountability Act
– Administrative Simplification (Accountability)
» Transactions & Code Sets
» Privacy
» Security
» National Identifiers

Transactions & Code Sets
– The TCS Rule mandates uniform electronic interchange formats for all covered entities.
– This rule adopts standards for eight electronic transactions and for code sets to be used in those transactions.
– The use of these standard transactions and code sets will improve the effectiveness and efficiency of the health care industry, by simplifying the administration of the system and enabling the efficient electronic transmission of certain health information.
– This standardization along with the Identifier rule is expected to produce the lion's share of the efficiency savings of "administrative simplification."

Transaction standards:
– Claims
– Payment and remittance
– Eligibility for Health plan
– Enrollment / disenrollment
– Premium payments
– Claim status
– Coordination of benefits
– Referral and authorization

Clinical data code sets standards:
1. ICD-9 for diseases
2. CPT-4 for services and procedures
3. HCPCS for medical equipment, injectable drugs, and transportation services
4. CDT-2 for dental services
5. NDC for prescription drugs
These apply only to the administrative and financial electronic transactions

HIPAA Views & Issues
– CEO: Cost, effective delivery of healthcare services.
– CFO: Initial Capital costs, Return on Investment
– Health Professionals: Improve patient care and information access.
– CIO: Compliance, Vendor solutions, Security & Privacy