Virginia Department of Medical Assistance Services Presentation On HIPAA to the Virginia COTS PSA Workgroup Frank G Guinan Craig Goeller November 7, 2000.

Presentation transcript:


Agenda
– Brief Introduction to HIPAA
– The Four Components of Administrative Simplification
– Who does HIPAA Apply to?
– Privacy Standards
– Security Standards
– Questions and Answers

Brief Introduction to HIPAA
Health Insurance Portability & Accountability Act of 1996 (HIPAA)
– Public law
– Portability: transfer of healthcare when employees change jobs (COBRA) - Completed
– Accountability: Fraud/Abuse & Administrative Simplification; Electronic Data Interchange (EDI) focus - Implementation In Process

The Four Components of Administrative Simplification
Transactions and Code Sets
– Examples: Claims, Enrollment, Coordination of Benefits (COB)
– Signed by the Secretary of HHS
– Posted to the Federal Register on 8/16/00
– 60 Day Review, during which Congress could have modified the rule
– 24 months to Comply: 10/17/2002
– Transactions apply to health care organizations using Electronic Transmissions - Any media form (tapes, diskettes, real-time)

Administrative Simplification (cont.)
Unique Health Identifiers
– Examples: National Provider ID, National Employer ID, National Individual ID
Privacy
– Focus on Policies and Procedures protecting Individuals' rights, and audit trails of disclosures
– Privacy Officer for Each Organization

Administrative Simplification (cont.)
Security Standards
– Security and privacy standards for administrative procedures
– Technical security services against unauthorized access to data (electronic signature usage)
– Physical safeguards
Electronic Signature
– Not required, but encouraged
– Standards for electronic signature qualification and use are included in the recently published rules

Transaction Sets
ASC X12N Specifications for 9 transaction sets
– Health Care Claim Dental (837)
– Health Care Claim Professional (837)
– Health Care Claim Institutional (837)
– Eligibility Inquiry and Response (270/271)
– Health Care Services Review (278)
– Claim Status Request and Response (276/277)
– Benefit Enrollment and Maintenance (834)
– Health Care Claim Payment Advice (835)
– Payroll Deducted and Other Group Premiums (820)

Medical Code Sets
HIPAA Uses Industry Code Sets for Standards
Health Care Providers
– ICD-9-CM: Diseases, Injuries, Impairments, and Actions Taken by Hospitals for Inpatients
– NDC: Drugs and Biologics
– The Code on Dental Procedures and Nomenclature: Dental Services
– HCPCS and CPT-4: Physician Services and Other Health Care Services
– CPT-4: Other Substances, Equipment, Supplies

Who does HIPAA Apply to?
Health Care Providers
– All health care providers
Payers
– Insurance Companies
– HCFA (Medicare/Medicaid)
– Collection Agencies
Prescription Drug Dispensing/Testing
– Pharmaceuticals, Drug Stores, Labs
Clearinghouse/Donor organizations
– CDC, Blood banks, Organ Donors

Privacy Standards
Notice of Proposed Rule Making (NPRM) November 3, 1999
Comments received for 60 Days
Information Protected by the regulation
– Information relating to an individual’s health, health care treatment, or payment for health care.
– Protection continues as long as the information is in the hands of a covered entity
– Covered entities are encouraged to de-identify health information by removing, encoding, or encrypting identifiers.

Privacy Standards
Covered Entity
– Health care providers who transmit data electronically
– Health Plans; and
– Healthcare clearinghouses
May disclose Protected Health Information (PHI) to contractors, business partners, consultants, claims clearinghouses, and billing firms

Privacy Standards
– Covered Entity must enter into a contract requiring that identifiable information be kept confidential
– An exception is when a business partner is providing a referral or treatment consultation
– Business partners are not permitted to use or disclose health information in ways that the covered entity cannot

Privacy Standards
Individual Rights
– Right to receive written notice of information practices from health plans and providers
– Right to access their own health care information
– Right to request an amendment or correction of protected health information that is inaccurate or incomplete
– Right to receive an accounting of when information has been disclosed for purposes other than treatment, payment and health care operations

Privacy Standards
Obligations of health care plans and providers
– Develop a Notice of Information Practices
  o Providers give it to each patient after the rule is enacted and post it at the place of business
  o Plans provide notice at enrollment and every 3 years
– Allow individuals to access and copy information for a reasonable cost
– Develop a mechanism for accounting for all disclosures
– Accommodate requests for amendments or corrections
– Designate a Privacy Officer responsible for privacy activities

Privacy Standards
Obligations of health care plans and providers
– Provide Training to all staff who have access to PHI
– Establish administrative, technical, and physical safeguards
– Establish Policies and Procedures
– Develop and apply sanctions, from re-training to reprimand to termination
– Have documentation of the regulation requirements available
– Develop methods to disclose the minimum amount of PHI
– Develop and use contracts with business partners

Privacy Standards
Disclosures without patient authorization
– Purposes of effecting treatment, payment, and health care operations
– Certain federal, state, and other oversight activities, public health, emergencies, judicial proceedings, banking and payment processes, and health research
– Disclosure of PHI for research must be approved by an Institutional Review Board or Privacy Board

Privacy Standards
Disclosures with patient authorization:
– Covered entities could use or disclose PHI with the individual’s consent for lawful purposes
– Authorizations must specify the information to be disclosed, who would receive it, and when it would expire. Individuals could revoke at any time.
– Covered entities would be prohibited from conditioning treatment or payment upon an individual’s agreeing to authorize disclosure of information for other purposes

Privacy Standards
Guidelines and Costs
– Minimum necessary use and disclosure
– Scalability
– Costs for covered entities over 5 years of compliance are estimated at $3.8 billion
Preemption: Provides a “floor” of privacy protection. State laws that are “less protective” of privacy are preempted. States are free to enact “more stringent” statutes.

Privacy Standards
Penalties and Enforcement
– For each provision violated the Secretary of HHS can penalize up to $25,000 in any calendar year
– Criminal penalties are fines up to $50,000, or more if “malicious harm” occurs, for selling information
– Regulation does not include a “private right of action”: patients cannot sue for privacy violations

Security Standards
Background
– Regulation is expected to be released in Fall 2000 by Federal DHHS
– Must be implemented within 24 months after the effective date
– Sets the minimum level or “Floor” of security for individually identifiable health information maintained in or transmitted by health care organizations
– Business Impact Analysis
– Supersedes contrary state laws

Security Standards
Five Major Security Categories To Guard Data Integrity, Confidentiality, & Availability
1. Administrative Procedures
2. Physical Safeguards
3. Technical Security Services
4. Technical Security Mechanisms
5. Electronic Signature Requirements (Optional as of initial draft)

Security Standards
Business Impact Analysis
– Determine the magnitude of the regulatory impact on the organization and establish the scope of compliance
– Organization Awareness and initial roles/responsibilities
– Executive and senior management buy-in
– Develop an initial awareness program for all affected staff
– Establish the HIPAA security implementation team
– Baseline Assessment
– GAP Analysis: Current Environment versus Regulatory Requirements

Security Standards
Administrative Procedures
– Certification
– Chain-of-Trust Partner Agreement
– Contingency Plan
– Formal Record Processing Mechanisms
– Internal Audit
– Information Access Controls
– Personnel Security
– Security Configuration Management
– Termination Procedures
– Security Incident Procedures
– Training
– Security Management Process

Security Standards
Physical Safeguards
– Assigned Security Responsibility
– Electronic Media Controls
– Physical Access Controls
– Workstation Use
– Workstation Location
– Security Awareness Training

Security Standards
Technical Security Services
– Access Control
– Audit Controls
– Authorization Control (Role or User-based access)
– Data Authentication
– Entity Authentication
  o Unique UID and one of the following:
    1. Token System
    2. Biometric System
    3. PIN
    4. Password
  o Automatic Log Off

Security Standards
Technical Security Mechanisms (Transmission over a Communications Network)
– Integrity
– Message Authentication
– Encryption or Access Controls
– Network Communications require:
  o Entity Authentication
  o Audit Trails
  o Alarm
  o Event Reporting

Security Standards
If Electronic Signature employed, Digital Signature Technology is required!
1. User Authentication
2. Message Integrity
3. Non-repudiation (Non-alterability)

Security Standards
Optional Digital Signature Features
1. Multiple Signatures
2. Independent Verifiability
3. Interoperability
4. Ability to add attributes
5. Continuity of signature capability
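As an added example that is not part of the original presentation, the following Go program shows how digital signature technology delivers the three required properties on the previous slide (user authentication, message integrity, non-repudiation), the optional multiple-signature and independent-verifiability features on this slide, and the integrity and message-authentication requirements listed under Technical Security Mechanisms. It uses Ed25519 from the Go standard library; the signer names, in-memory key handling and the claim record are constructed for illustration and are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer is one participant (e.g. a treating provider) holding an Ed25519 key pair.
type Signer struct {
	ID   string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner(id string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Signer{ID: id, Pub: pub, priv: priv}, err
}

// Sign binds the private key to the exact record bytes: any later change breaks
// verification (integrity) and only the key holder could have produced it
// (user authentication and non-repudiation).
func (s *Signer) Sign(record []byte) []byte { return ed25519.Sign(s.priv, record) }

// Verify needs only the public key and the record (independent verifiability).
func Verify(pub ed25519.PublicKey, record, sig []byte) bool {
	return ed25519.Verify(pub, record, sig)
}

// VerifyAll requires every listed party to have signed the same record
// (multiple signatures, e.g. treating provider plus billing office).
func VerifyAll(pubs []ed25519.PublicKey, record []byte, sigs [][]byte) bool {
	ok := len(pubs) == len(sigs)
	for i := 0; ok && i < len(pubs); i++ {
		ok = Verify(pubs[i], record, sigs[i])
	}
	return ok
}

func main() {
	prov, _ := NewSigner("provider-1")
	rec := []byte("constructed claim: member=000 amount=100.00") // sample input
	sig := prov.Sign(rec)
	fmt.Println("valid:", Verify(prov.Pub, rec, sig))
	rec[0] ^= 1 // flip one bit: the signature over the original bytes no longer verifies
	fmt.Println("after tampering:", Verify(prov.Pub, rec, sig))
}
```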

Q & A
Internet References: