HIPAA 101: Overview An Introduction to the HIPAA Regulations.


Slide 2: Presentation Agenda
At the end of this presentation, you should:
- Know what HIPAA is and where it came from
- Know why we should care about it
- Have a basic understanding of the HIPAA standards and their impact on the culture of the organization
- Know what your biggest challenges will be
- Know your role in HIPAA compliance

What is HIPAA?
- HIPAA is the Health Insurance Portability and Accountability Act
- It was originally intended to support:
  - The portability of health insurance
  - Improved fraud and abuse protections
- The Administrative Simplification provisions were added to lower administrative health care costs by conducting more business electronically

Slide 4: HIPAA
- Title I
  - Health insurance access, portability and renewal
- Title II
  - Fraud and Abuse
  - Medical Liability Reform
  - Administrative Simplification
    - Electronic Transaction Standards (EDI)
      - For 9 key payor transactions
      - Includes clinical code sets
      - Includes key identifiers
    - Security Standards
      - For protecting electronic health information
    - Privacy Standards
      - To spell out permissible uses of patient identifiable healthcare information
- Title III
  - Medical Savings Accounts
  - Tax deduction provisions
- Title IV
  - Group health plan provisions
- Title V
  - Revenue offset provisions

Background: Where Did HIPAA Come From?

Slide 6: Cost Concerns
- The U.S. spends about $400 billion each year on administrative services related to health care
- The Congress estimated that approximately $87 billion could be saved annually if administrative efficiencies could be improved by:
  - Requiring more health care transactions to be conducted electronically, which would reduce paperwork, and
  - By standardizing health care transactions

Slide 7: Privacy Concerns
- As more business is conducted electronically, it becomes more difficult to protect the privacy of the data
  - A Wall Street Journal/ABC poll on September 16, 1999 revealed that the greatest concern of Americans in this century is the loss of personal privacy.
  - The increasing availability of information on the Internet adds to people’s fears
  - The case of Arthur Ashe
  - The case of Robert Bork
  - The inappropriate use of DNA is a growing concern

Slide 8: Breaches of Patient Privacy
- These sample published accounts of privacy breaches are only a fraction of all cases.
  - A bank accesses records and calls in loans of cancer patients
  - A medical student sells “promising” cases to a malpractice lawyer
  - A hospital ED employee shares patient information with an ambulance chaser for financial gain

Why Should You Care About HIPAA?

Slide 10: Why should you care about HIPAA?
- First Reason: HIPAA is the law
- Second Reason: All indications are that HIPAA regulations will be incorporated into existing accreditation standards and annual audit procedures.
- Third Reason: Many of the HIPAA regulations make good common business sense.

Every employee will be impacted by HIPAA

Slide 11: How Does HIPAA Benefit Hospitals?
- It reduces paperwork
- The accuracy of documentation is improved
- It could reduce the turnaround time for getting claims paid

Slide 12: Banking Has Led the Way
- During the 1970s, the banking industry led the way in standardizing financial transactions.
- Standardization enables us to use our credit cards, make withdrawals and deposit money to our bank accounts all over the world.

HIPAA Standards for Electronic Transactions

Slide 14: HIPAA: The Electronic Transaction Standards
- Standards were developed for nine administrative and financial transactions (such as healthcare claims, claims payment, eligibility determination) to accomplish the following:
  - Require payers to accept those electronic transactions for health care services in a standardized format
  - Establish standard codes to be used for those electronic transactions
  - Develop universal identifiers for health care providers, employers and individuals

HIPAA Privacy and Security Standards

Slide 16: Privacy vs. Security
First: some definitions
- Privacy: rules governing use and disclosure of data
  - How can patient information be used
- Security: mechanisms for protecting access to systems and data
  - Preventing unauthorized individuals from gaining access

HIPAA Privacy Standards

Slide 18: Protected Health Information
- The privacy standards were developed to limit the ways in which information that can be used to identify an individual can be used or disclosed
- Protected health information is individually identifiable health information that is maintained or transmitted electronically, or in any other form or medium
- That means that information transmitted orally is protected, as well as information that is maintained or transmitted electronically or on paper

Slide 19: Approach to Privacy Rule
- In developing the final Privacy Rule, the Department of Health and Human Services:
  - Sought to create a balance between the patient’s right to information privacy and the public’s responsibility to provide health care services
  - Established accountability for breaches of privacy and delegated responsibility to the Department’s Office for Civil Rights for enforcement
  - Developed penalties for individuals who violate the Privacy Rule

Slide 20: The Bottom Line
- Civil monetary and criminal penalties:
  - Failure to comply with transaction standards: $100 per person, per transaction, up to an annual maximum of $25,000
  - If knowingly providing information: $50,000 and/or up to 1 year imprisonment
  - Under false pretenses: $100,000 and/or up to 5 years imprisonment
  - Intent to sell, transfer, or use health information for commercial advantage, personal gain, or malicious harm: $250,000 and/or up to 10 years imprisonment
- Every employee is at risk

Slide 21: Privacy Regulations Provide Consumer Control over Health Information
- The hospital is required to give patients a clear written explanation of how the hospital can use, keep, and disclose their health information. This is called a Notice of Privacy Practices, and the regulations identify specific information that it must contain.
- While patients cannot alter the existing content of their medical records, they do have the right to request that the hospital amend their records by adding information to those records.
- The hospital may refuse that request if, among other things, it determines that the information in dispute is accurate and complete.

Slide 22: Boundaries on Medical Information Use
- Protected health information can be used without patient consent only for purposes of treatment, payment and health care operations.
- Disclosures for any other reason require a written authorization from the patient.
- Patients will be able to revoke an authorization (but not retroactively)
- Disclosures of information must be limited to the minimum necessary for the purpose of the disclosure.

Slide 23: Other Allowable Disclosures
- Covered entities may disclose some information without consent, for example:
  - Oversight of the health care system, including quality assurance activities
  - Public health
  - Emergency circumstances
  - For facility patient directories
  - For activities related to national defense and security

Slide 24: Administrative Requirements
- Covered entities must
  - Designate a privacy official with responsibility to develop and implement privacy policies and procedures, and address patient complaints.
  - Implement policies and procedures with respect to protected health information. Must also keep P&Ps and patient notices updated with changes in the law.
  - Train all members of the workforce on those P&Ps before April 14, 2003
  - Document and apply sanctions to members of its own workforce for privacy breaches.
  - Covered entities must mitigate any harmful effects.
  - Establish written contracts with business associates who perform or assist in the performance of a function or activity on behalf of a covered entity involving the use or disclosure of protected health information

Slide 25: DHHS Privacy Guidelines
- HHS has issued two guidance documents on the patient privacy rule answering common questions and clarifying key areas of confusion. For example:
  - Pharmacies need not obtain a patient’s consent before allowing a friend or relative to pick up a prescription
  - Hospitals need not remove medical charts from patients’ bedsides, isolate x-ray light boards or be retrofitted with soundproof walls
  - In general, common sense and practicality win out over a strict interpretation of the rule

Slide 26: DHHS Privacy Guidelines
- The Privacy Rule states that the regulations are scalable, and that covered entities should do what is reasonable to implement them, considering the size and resources available to the organization

HIPAA Security Standard

Slide 28: Security Standards
- Require covered entities to “maintain reasonable and appropriate administrative, technical, and physical safeguards”
- The HIPAA security standards are organized into four categories
  - Administrative procedures to ensure that threats or violations can be prevented, detected and resolved (security training, hiring practices, system audits)
  - Physical safeguards to protect PHI from fire, disaster and unauthorized access (locks, keys, storage protection)
  - Technical security services to control and monitor access (passwords, audit trails, automatic logoff)
  - Network security to protect against unauthorized access to data transmitted over a network (encryption, detection systems)
- Standards were also proposed for electronic signatures, but will now be released under a separate rule

HIPAA Implementation Update What’s the Current Status of HIPAA?

Slide 30: Deadline
- Covered Entities must be in compliance by:
  2002/2003 Deadline for compliance
  - October 16, 2002 / EDI transaction standards
  - April 14, Privacy standards
- Other final rules are expected to be released throughout 2002

The Biggest Challenges Will Be:
- Developing policies and procedures for privacy
- Documenting compliance with your P&Ps
- Modifying the culture to comply with HIPAA

Your Greatest Risk Exposure Will Be:
- Disgruntled patients who feel that the privacy of their personal health information has been compromised

Your Role in HIPAA Compliance
- Make every reasonable effort to protect the privacy of our patients’ health information
- Report any concern about suspected violations of patient privacy to the hospital Privacy Officer

Questions

Slide 35: Post-Test - Questions
- The hospital may use the patient’s health information for whatever purposes that it deems necessary.
  True_____ False_____
- Patients have the right to alter information contained in their medical records under HIPAA.
  True_____ False_____
- All clinical staff may have access to any patient records under HIPAA.
  True_____ False_____
- All employees within the hospital system will be impacted by HIPAA.
  True_____ False_____
- Hospital employees can be individually penalized for violating the confidentiality of patient information.
  True_____ False_____

Slide 36: Post-Test - Answers
- The hospital may use the patient’s health information for the purposes that it deems necessary.
  True_____ False__X__
  The hospital may use the patient’s health information for treatment, payment and hospital operations only, unless a separate, specific purpose authorization is signed.
- Patients have the right to alter information contained in their medical records under HIPAA.
  True_____ False_X_
  Patients have the right to request that their records be amended, by adding to them.
- All clinical staff may have access to patient records under HIPAA.
  True_____ False__X__
  Disclosures of information must be limited to the minimum necessary for the purpose of the disclosure.
- All employees within the hospital system will be impacted by HIPAA.
  True_X_ False_____
- Hospital employees can be individually penalized for violating the confidentiality of patient information.
  True__X__ False_____
  See slide #24 for penalties