B Healthcare HIPAA Overview, February 2001. What is HIPAA? HIPAA is the Health Insurance Portability and Accountability Act of 1996 (PL 104-191)

Presentation transcript:

b Healthcare HIPAA Overview February 2001

2 What is HIPAA?
• HIPAA is the Health Insurance Portability and Accountability Act of 1996 (PL 104-191)
• Also referred to as the Kennedy-Kassebaum Act
• HIPAA was enacted by the federal government on August 21, 1996 with the intent to assure health insurance portability, reduce healthcare fraud and abuse, guarantee security and privacy of health information and enforce standards for health information.
Focus of this discussion

3 When people talk about HIPAA, what they are referring to is…
• Title II, Subtitle F
• Administrative Simplification:
  – Data Standardization
    • Code Sets
    • Transactions
    • Identifiers
  – Security
  – Privacy

4 Why Federal Regulations?
[Diagram: Electronic Connectivity. Labels: Insurance Carrier, Employer, Member, Bank, Credit Card Company, Consultant, Third Party Administrator, New Players, Government, Pharmaceutical Company, Medical Library, Specialist, Pharmacy, Hospital, Lab, Provider Office]
Healthcare is 1/7 of the GNP
1. Effective healthcare delivery requires enormous administrative effort
2. The healthcare industry has the most to gain from recent technological advances
3. However, the healthcare industry lags other industries in taking advantage of these technological advances
4. Some believe streamlining requires a mandate for massive and coordinated change

5 Why Federal Regulations? Public Opinion - Privacy
• 88% of consumers are concerned about their privacy*
• 20% of consumers believe that their health information has been used or disclosed inappropriately**
• 54% of consumers feel that electronic medical records are the greatest privacy threat**
Sources: *Louis Harris & Assoc., 1998; **California Healthcare Foundation, 1999

6 Who must comply with HIPAA?
• Healthcare organizations
  – Providers
  – Health plans
  – Clearing houses that handle covered patient information - all confidential patient or member information in any form: electronic, written or verbal.
• Other healthcare entities may be required to meet HIPAA standards based on the chain of trust agreement requirement.
  – Clinics
  – eHealth.coms
  – Employers (self insured)
  – Home Health
  – Hospice
  – Pharmacies
  – Physician Groups
  – Other Providers
• Higher Education – Unique Considerations
  – Student Health Center and Counseling Center = Exempt Provider
    • Regulations define student health records as a FERPA protected education record when health record is used for other than medical treatment purpose, including release to individual student who is subject of information
  – Employee Health Services = Provider
  – Research Hospitals = Provider
  – Research Involving Human Subjects

7 Penalties for non-compliance
• Data standardization penalties
  – $100 per person per violation
  – No more than $25,000 per person per year for violations of a single standard
• Misuse of member health information
  – Not more than $50,000 and/or 1 year in prison
  – Under false pretenses, not more than $100,000 and/or 5 years in prison
  – With intent to sell, harm, etc., not more than $250,000 and/or 10 years in prison
• OCR charged with enforcement. OIG authorized to conduct criminal investigations
• Industry Concern: HIPAA compliance may become accreditation criteria
    • Joint Commission of Accreditation for Healthcare Organizations
    • National Committee for Quality Assurance
• Industry Concern: HIPAA compliance may become a requirement for participation with Federal funded programs

8 HIPAA Administrative simplification impact
[Diagram labels: Technology Issues; Business Issues; Electronic Transaction Standards & Unique Identifiers; Security; Code Sets & Claims Attachments; Privacy Standards]

9 HIPAA timeline
[Timeline figure: Title II HIPAA, with tracks for Data Standards, Privacy and Security]
• January: Effective date of Title II, All Subtitles Except Subtitle F
• August: HIPAA Enacted
• Final Rule - August 15, months to comply
• October 15, 2002 Compliance
• Final Rule (estimate) - March 2001
• Final Rule - 12/28/ months to comply
• Mandatory Compliance
• February 26, 2003 Compliance

10 Final Data Standardization requirements
• Electronic transaction standard
  – X12N standards facilitate transactions by establishing a common, uniform business language for computers to communicate across town or around the world.
• Electronic transactions to be standardized
  – Health care claims or equivalent encounter information.
  – Enrollment and de-enrollment in a health plan.
  – Eligibility for a health plan.
  – Health care payment and remittance advice.
  – Health plan premium payments.
  – Health care claim status.
  – Referral certification and authorizations.
  – Coordination of benefits.
  – Standard Claims Attachments

11 Final Data Standardization requirements
• Standard code sets
  – ICD-9-CM, International Classification of Diseases, 9th Rev., Clinical Modification
  – CPT-4, Physician Current Procedural Terminology
  – Alpha-numeric HCPCS, HCFA Procedure Code System
  – CDT-2, Current Dental Terminology
  – NDC, National Drug Codes
• Unique identifiers - Proposed
  – Providers
  – Employers
• Unique identifiers - Delayed
  – Plans
  – Patients

12 Proposed Security requirements
• Administrative Security
  – Certification
  – Contingency plan
  – Information access control
  – Security configuration management
  – Security incident management
  – Security management process
  – Requires Security Officer
• Physical Data Security
  – End user security awareness
  – Physical access control
  – Media
  – Secure workstation use and availability
• Technical Security
  – Access control
  – Audit controls
  – Authorization control
  – Entity authentication
• Electronic Transmission
  – Communication/Network controls
• Electronic Signatures
  – Digital signatures

13 Highlights of the Final Privacy Regs
• Published December 28, 2000
• Compliance required by February 26, 2003
• Preamble addresses 53,000 comments
• The document uses the term “reasonable” 265 times

14 Highlights
• Regulations apply to covered entities (providers, clearing houses and health plans)
• Applies to all member health information: electronic, paper and oral communications
• Requires providers to obtain consent prior to treatment, payment and operations. May condition treatment or enrollment
• Allows full disclosures to providers for purposes of treatment.
• Retains provision for minimum necessary requirements for routine, recurring and other, non-routine disclosures
• Distinguishes between consent for treatment and authorization for other disclosures.
• Protects against unauthorized use of information for employment purposes
• Allows legally separate, but affiliated covered entities to designate themselves as a single covered entity
• Replaces ‘business partner’ with ‘business associate’ and reduces liability from ‘should have known’ to take action if aware
• Requires Privacy Officer and Security Officers

15 Highlights
• Permits certain marketing and fundraising activities
• Requires Notice of Information Practices
• Requires training
• Defines right to request restrictions on uses and disclosures
• Defines right to receive accounting of disclosures
• Defines right to access, inspect, copy and request amendments to records
• HIPAA intended as a floor, not a ceiling. Whichever rule is more stringent, state or federal, applies.
• Establishes whistleblower procedure - covered entities precluded from retaliating
• Gives HHS Office of Civil Rights (OCR) enforcement responsibility

16 AA HIPAA Assessment
• Conduct high-level HIPAA gap analysis of business units and core business information systems
• Identify gaps between current technology/practices with HIPAA’s
  – final data standardization and privacy requirements and
  – proposed security requirements
• Develop remediation recommendations and a high-level workplan
• Develop high-level cost estimates for remediation

17 Assessment Alternatives – Office of Information and Educational Technology
• University Hospital Consortium Contract (UCDMC)
  – SAIC
  – Cap Gemini/Ernst and Young
• External HIPAA Specialists
  – Arthur Andersen
  – Computer Associates
  – KPMG
  – PricewaterhouseCoopers
• Projected Initiation Date – Spring 2001