HIPAA – Developing an Understanding


HIPAA – Developing an Understanding
Robert C. Bergin
Ohio Department of Job and Family Services

Title I – Health Care Access, Portability, and Renewability
Title I of HIPAA protects health insurance coverage for workers and their families
- Limits exclusion for pre-existing conditions
- Prohibits discrimination based upon health factors
- Provides special enrollment rights
- Defines creditable coverage and significant breaks

Title II – Preventing Health Care Fraud and Abuse; Administrative Simplification; and Medical Liability Reform
Title II is intended to:
- Combat waste, fraud, and abuse in health insurance and healthcare delivery
- Simplify the administration of health insurance
- Promote “Administrative Simplification”

Administrative Simplification
Goals of Administrative Simplification
- Protect privacy of “Protected Health Information” – PHI
- Standardize electronic exchanges to improve efficiency
- Secure data processing systems
- Implement standard identifiers
  - Providers
  - Employers
  - Health Plans

HIPAA Rules
- Privacy Rule – 4/14/03
- Transaction and Code Set Rule – 10/16/03
- Security Rule – 4/21/05
- Standard Identifiers
  - National Employer Identifier Rule – 7/04
  - National Provider Identifier Rule – TBD
  - National Health Plan Identifier – TBD

Who Must Comply?
Covered Entities
- Health Plans – An individual or group plan that provides or pays the cost of medical care
  - Medicare
  - Medicaid
  - Health insurance issuer
  - HMO
  - VA health care system
  - Others

Health Plan General Exclusions
- Any government-funded program, other than those specifically included, whose principal purpose is other than providing or paying the cost of health care but which does incidentally provide such services
  - For example, programs such as the Special Supplemental Nutrition Program for Women, Infants and Children (WIC) are not considered to be health plans

Health Plan General Exclusions Continued
- Any government-funded program whose principal activity is the making of grants to fund the direct provision of health care to individuals
  - For example, the Maternal/Child Health Block Grant Title V program

Health Plan General Exclusions Continued
- An agency that “determines eligibility for or enrollment in a health plan that is a government program providing public benefits, when that agency is not the agency that administers the program”, is not a covered entity.
  - “For example, an agency that is not otherwise a Covered Entity, such as a local welfare agency, is not considered to be a Covered Entity because it determines eligibility or enrollment or collects enrollment information as authorized by law.”

Is a private benefit plan a health plan?
[Flowchart: decision questions and outcomes]
- Is the plan an individual or group plan, or combination thereof, that provides, or pays for the cost of, medical care?
- Is the plan a group health plan?
- Does the plan have both of the following characteristics: (a) it has fewer than 50 participants, and (b) it is self-administered?
- Is the plan a health insurance issuer?
- Is the plan an issuer of a Medicare supplemental policy?
- Is the plan an HMO?
- Is the plan a multi-employer welfare benefit plan?
- Is the plan an issuer of long-term care policies?
- Does the plan provide only nursing home fixed-indemnity policies?
- Does the plan provide only excepted benefits?
Outcomes: “STOP! The plan is a health plan” or “STOP! The plan is not a health plan”

Is a government-funded program a health plan?
[Flowchart: decision questions and outcomes]
- Is the program one of the listed government health plans?
- Does the program provide, or pay the cost of, medical care?
- Is the program a high risk pool?
- Is the plan an HMO?
- Is the principal activity of the program providing health care directly?
- Is the principal purpose of the program other than providing or paying the cost of health care (e.g., operating a prison system, running a scholarship or fellowship program)?
- Does the program provide only excepted benefits?
- Is the principal activity of the program the making of grants to fund the direct provision of health care (e.g., through funding a health clinic)?
Outcomes: “STOP! The program is a health plan” or “STOP! The program is not a health plan”

Covered Entities - Continued
- Health Care Providers - A health care provider who transmits any health information in an electronic form in connection with a defined transaction covered by the law is a covered entity
  - Physician
  - Dentist
  - Pharmacist
  - Physical Therapist
  - Others

Are You a Health Care Provider Under HIPAA?
[Flowchart: decision questions and outcomes]
- Do you furnish, bill, or receive payment for health care services in the normal course of business?
- Do you conduct covered transactions?
- Are any of the covered transactions transmitted in electronic form?
Outcomes: “STOP! You are a covered health care provider under HIPAA” or “STOP! You are not a covered health care provider under HIPAA”

Covered Entities - Continued
- Health Care Clearinghouses - An entity that processes or facilitates the processing of information received from another entity in a nonstandard format or containing nonstandard data into standard data elements or a standard transaction
  - Billing service
  - Switch
  - VAN

Are You a Health Care Clearinghouse?
[Flowchart: decision questions and outcomes]
- Do you process, or facilitate the processing of, health information from a nonstandard format or content into standard format or content or from a standard format or content into nonstandard format or content?
- Do you perform this function for another legal entity?
Outcomes: “STOP! You are a health care clearinghouse” or “STOP! You are not a health care clearinghouse”

Hybrid Covered Entities
- If “Covered Entity” functions are performed within a department or program, then the entity to which it belongs is a HIPAA hybrid entity
- HIPAA rules apply to the component that performs the covered entity function

Hybrid Entity - Implications
- The importance of being a hybrid entity is that HIPAA requires the entity to build walls between the covered functions and the rest of the entity, so that the non-covered portions do not have access to PHI

Business Associates
- A Business Associate is a person or entity who, on behalf of a covered entity, performs a function or activity that involves the use or disclosure of Protected Health Information (PHI)
- A covered entity may disclose PHI to its Business Associates if it obtains a written contract specifying that the Business Associate will appropriately safeguard the information

Privacy Rule - Background
- Traditionally, health information has been “private” not because it is secure but because it has been difficult to access
- As the ease of exchanging Protected Health Information (PHI) increases, there is a corresponding need to increase privacy protection
- The privacy rule defines what information you must protect, as contrasted with the security rule, which defines how you must protect information

Privacy Rule - Definitions
- “Protected Health Information” (PHI) is individually-identifiable health information that is transmitted or maintained in any form or medium
- “Health Information” includes any information, oral or recorded, relating to the health of an individual, the health care provided, or payment for services rendered to the individual

Privacy Rule – Definitions Continued
- “Privacy Notice” describes how an individual’s medical information may be used and disclosed, and the individual’s rights and the covered entity’s duties with respect to that medical information
- “Patient Authorization” is required for the use of information not related to treatment, payment, or health care operations

Privacy Rule – Definitions Continued
- “Public Health Authority” is an agency that is responsible for public health matters as part of its official mandate
- Limited use and disclosure are permitted without consent or authorization when there is an overriding public interest
- Generally, the rule does not apply to de-identified information as long as there is no mechanism for re-identification

Privacy Rule – Patient Rights
- Right to adequate notice of privacy practices
- Right to access health information
- Right to request amendment of health information
- Right to an accounting of disclosures
- Right to request restriction of uses and disclosures

Privacy Rule – Administrative Requirements
- A designated privacy official
- A privacy contact person
- A defined complaint process
- Individuals can request additional restrictions – entities must have a process for responding, but are not required to agree to the request
- Entity must verify the identity and legal authority of any person requesting PHI

Privacy Rule – Administrative Requirements Continued
- Employer must provide training on privacy policies and procedures to each person who has contact with PHI
- Covered entities are required to document that training requirements have been satisfied
- Employees and Business Associates who violate policies and/or HIPAA regulations must be subject to defined sanctions

Standard Transactions
Transaction and Code Set Rule compliance October 16, 2003 (Public Law 107-105)
- Health Care Claim or Encounter (837)
- Health Care Claim Payment and Remittance (835)
- Health Care Claim Status Inquiry/Response (276, 277)
- Health Care Eligibility Inquiry/Response (270, 271)
- Enrollment and Disenrollment in a Health Plan (834)
- Referral Certification and Authorization (278)
- Health Plan Premium Payments (820)

Code Sets
- HIPAA has mandated the use of national standard code sets
- Elimination of Level III local codes and the limited expansion of Level II HCPCS codes
- Nationally, Medicaid programs are being forced to “crosswalk” local codes into limited Level II HCPCS codes

HIPAA Security Regulations
Security regulations require:
- Covered Entity (CE) must ensure the confidentiality, integrity, and availability of electronic PHI that the CE creates, receives, maintains, or transmits
- CE must protect against any reasonably anticipated threats or hazards to the security or integrity of PHI under its control
- CE must protect against reasonably anticipated uses or disclosures that are not permitted or required by the privacy rule
- CE must ensure compliance by its workforce

Security – Physical Safeguards
- Facility access controls
- Policies governing the receipt and removal of hardware and electronic media that contains PHI into and out of the facility, as well as movement within the facility
- Policies on workstation area control and workstation use

Security – Administrative Safeguards
- Documented security management process
- Assigned security responsibility
- Workforce security policies
- Information access controls
- Emergency contingency plans
- Security awareness and training programs
- Security incident reporting procedures
- Periodic evaluations

Security – Technical Safeguards
- Technical access controls limiting access to authorized persons or software
- Audit controls to examine activity in information systems
- Policies and procedures to protect PHI from improper alteration or destruction
- Person or entity authentication procedures
- Technical transmission security measures to protect against unauthorized access

Preemption of State Law
- Federal regulations preempt all “contrary” state laws, unless a state law is more stringent
- State law is more stringent if it:
  - Further limits the use or disclosure of PHI
  - Provides individuals with greater rights of access, or more information about their rights
  - Enhances protections afforded by an authorization
  - Imposes greater record keeping requirements
  - Otherwise enhances privacy protection

HIPAA Resources
Web Sites
- www.nhvship.org
- www.hhs.gov/ocr/hipaa
- www.wpc-edi.com/default40.asp
- www.aspe.hhs.gov/admnsimp/index.htm
- www.state.oh.us/hipaa

Questions?