Copyright Fleisher & Associates
A HIPAA PRIMER FOR PUBLIC HEALTH PEOPLE
CPHA-N Conference 2003
January 30, 2003
Presented by: Steven M. Fleisher, J.D.
Fleisher & Associates
CMA HIPAA Consultant

The Plan
15 Minute HIPAA overview for public health people, especially providers
You will not become a HIPAA expert
Assume no prior HIPAA training
If you want more, come to the workshop

HIPAA
The Health Insurance Portability and Accountability Act of 1996
  – “Insurance Portability:” eliminating job lock
  – “Accountability” (Fraud and Abuse): even more draconian penalties
  – Administrative Simplification: the last minute HIPAA mandate
Deal: promote uniform electronic transactions in exchange for enhanced privacy and security

Who is Covered by HIPAA?
Health plans: organizations/entities that provide or pay the cost of medical care, including Medicare and Medicaid
Health care clearinghouses: organizations that process data elements or transactions
Health care providers:
  – any person or entity that furnishes, bills, or is paid for health care
  – uses electronic means to transmit any of the “covered transactions”

Who is Covered?
“Electronic Means:” includes the internet, extranet, leased lines, dial-up lines, private networks, and transmissions physically moved from one place to another using CD, disk, etc.
Covered Transactions:
  – Health claims and equivalent encounter information
  – Enrollment in and disenrollment from a health plan
  – Eligibility for a health plan
  – Healthcare payment and remittance advice
  – Health plan premium payments
  – Health claim status
  – Referral certification and authorization
  – Coordination of benefits

Provider Coverage
– Most, but not all, Providers will be covered
    Faxing (payers vs. clearinghouses)
    Transmitting PHI vs a covered transaction
– As health plans begin to require Providers to submit claims electronically, few will be able to escape the grasp of HIPAA.
– Medicare will require electronic claims by October 16, 2003 for most Providers ( if 10 FTEs)
    (No “small practice” exemption from HIPAA; just from Medicare)

Protected Information (“PHI”)
– HIPAA privacy rules will cover all “use or disclosure” of “Protected Health Information” (“PHI”) whether in paper, electronic or oral.
– PHI:
    – Relates to health of individual
    – Can be used to identify individual
    – Excludes educational records

The HIPAA Administrative Simplification Standards
1. Electronic Data Transactions
  – A. Transactions
  – B. Code sets
  – C. Identifiers (Plan, Provider and Employer)
      Providers: National Unique Healthcare Provider Identifier
      Plans: National Standard for Identifiers for Health Plans
      Employers: EIN
2. Privacy
3. Security

HIPAA Administrative Simplification Rules Effective Dates
1. Privacy standards: April 14,
2. Transaction Standards & Code Sets: October 16, 2003 (if plan filed by CE)
3. Unique identifiers (plan, provider, employer): (final plan & provider: 2/03; effective 4/05)
4. Security standards: (final 2/03; effective 5/05??)
5. Claims Attachment: proposed 2/03
6. Enforcement Standards: ?
7. Medicare Exclusion Rule: ?

Transaction Rule
Uniform standards apply to the following transactions as of October 16, 2003:
  – Health claims and equivalent encounter information.
  – Enrollment in and disenrollment from a health plan.
  – Eligibility for a health plan.
  – Healthcare payment and remittance advice.
  – Health plan premium payments.
  – Health claim status.
  – Referral certification and authorization.
  – Coordination of benefits.
Standards for claims attachments expected in Feb ‘03
Report of First Injury still under development

Transaction Rule: Potential Benefits for Providers
Elimination of claim form and coding variations (content and format)
  – No need to train staff on multiple payor requirements
  – No denials based on failure to comply with arcane, unique rules
  – No unanticipated changes in the rules (uniform, annual update)
Elimination of “telephone tag”
  – Electronic eligibility
  – Electronic referrals.
  – Electronic verification of receipt
Fewer “lost” Claims
Conclusion: improved bottom line

Privacy Rule: Doing the Right Thing
– Basic principles
    enhance patients’ control over their PHI
    enhance providers’ obligations to protect
– Duties are reasonable and scalable
– Regulation uses “reasonable” >250 times!

Patient’s Rights
Right to Notice of Privacy Practices
  – Detailed statement of uses, disclosures & rights
  – Direct providers must make good faith effort to get signed acknowledgment of receipt
  – Administrative hassle
Right to inspection and copies
  – Follow California law on times and charges
Right to amend/append
  – HIPAA similar to existing state law

Additional Rights
Right to request restrictions on use
  – Discretionary with provider
  – Asking for something different from Notice of Privacy Practices
  – E.g., no students in exam room; no malpractice quality audits
Right to request alternative channels of communication
  – Grant if reasonable; can require costs be paid
Right to complain to provider or HHS
  – Complaint driven enforcement!

Additional Privacy Concepts
Minimum Necessary
  – Disclose only what is needed to third parties
      Applies to payment and operations, not treatment
      Develop standard protocols for office
  – Disclose only what is needed to office staff
      Develop job descriptions in larger practices
Incidental Disclosures
  – If proper policies in place, disclosures incidental to permitted disclosures not a violation (e.g., overheard conversations, sign-in sheets)
  – Not reasonably preventable and limited in nature
  – Doesn’t apply to mistakes

Provider Responsibilities
Assess risks and take reasonable measures to protect privacy and security of PHI
Adopt and implement policies & procedures to implement patient rights, including notification
Educate and Train Providers and Staff
Appoint Privacy Official
Enter into Business Associate Agreements

The Better Way to Go: CMA’s CD HIPAA ToolKit
Complete provider-focused compliance
  – Policies, procedures & forms customized for California law by CMA attorneys
  – Other products are national and HIPAA generic
  – Training for physicians & staff
  – Implementation planning
  – Regular updates
  – Available at www.cmanet.org or call CMA
Low cost alternative to HIPAA consultants
  $325 for members; $495 for non-members
  One per practice

Contact Information
Steven M. Fleisher, JD
Fleisher & Associates
  – Chief HIPAA Consultant, California Medical Association
  – 35 Corwin Drive, Alamo, Ca
  –