HIPAA Overview (Health Insurance Portability and Accountability Act 1996) May 2002 VACSB - HIPAA Committee.


Training Objectives
- Provide an overview of HIPAA regulations.
- Review Privacy Rule requirements.
- Review Security Rule requirements.
- Review Administrative requirements.
- Provide HIPAA Committee “draft” templates.
- Summarize most current proposed changes.
- Learn how to insert a Hippo into your next presentation.

What is HIPAA?
Fed. Regulation/law - Kennedy & Kassebaum
- Improve “portability and continuity” of health insurance coverage.
- Provide administrative simplification and consistency - Standard Code Sets and Transactions.
- Assure privacy and security of confidential protected health care information (PHI).
- Increase provider accountability - PHI.
- Increase consumer rights - PHI.

What is the purpose of HIPAA?
- Identify provider responsibilities around PHI.
- Reduce health care costs.
- Reduce health care fraud and abuse.
- Control use and disclosure of “protected health information” (PHI).
- Regulate how PHI is transferred and managed by technology, individuals, and agencies.

Covered Entities
Who Must Comply
Health care organizations that capture & maintain individually identifiable health care data. Three categories:
- Providers - conduct certain administrative and electronic transactions
- Health care Plans
- Clearinghouses

Covered Entities
- Plan, i.e., Medicaid, Blue Cross/Shield
- Provider, i.e., CSB
- Clearinghouse, i.e., Billing Company

Timelines for Compliance
- Transactions and Code Sets - October 2003 (With Extension)
- Privacy Regulations - April 2003
- Security Regulations - Final regs. pending (Spring 2004?)

HIPAA Regulations
- Electronic Transaction/Code Sets - Sets uniform standards (Administrative Simplification).
- Privacy Regulations - Identifies what health care information is protected.
- Security Regulations - Identifies how information is to be protected.
- Identifiers - Employer, Payer, National.

Health Care Operations
Includes “general administrative and business functions” necessary for a covered entity to remain a viable business (i.e., audits, quality improvement functions, assessments).

Health Information
Any information recorded in any form or medium which:
- Is created/received by a Covered Entity that creates, receives, uses, or transmits PHI,
- Relates to the past, present, or future physical/mental health condition of an individual, their participation in, or payment for such services, and
- Identifies the individual.

Protected Health Information (PHI)
All individually identifiable health data or information collected, maintained, or transferred by a Covered Entity.

Protected Health Information (PHI)
- Name
- Address
- Social Security #
- Birth Date
- Demographic info.
- Medical Record #
- address
- Account numbers
- License/Certificate #
- Vehicle identifiers
- Bio-metric identifiers
- Telephone numbers
- Place of employment
- Full face photograph
- Fax number
- Health Plan number

De-identified information
- Health information which is stripped of individual identifying elements.
- In this form, remaining data would not be sufficient to identify the consumer.

Privacy Notice *
- Written document - plain language.
- Posted & shared with consumers.
- Explains how PHI will be used/disclosed by provider.
- Identifies consumer rights.
- Lists provider duties to protect PHI.

Use vs. Disclosure
Use: Sharing, utilization, examination, & analysis of PHI maintained internally within the provider.
Disclosure: Release, transfer, access to, or sharing in any manner PHI outside the entity maintaining the information.

Minimum Necessary Rule
Rule applies to Uses/Disclosures
- Essential element of privacy protections.
- Covered Entities must make reasonable efforts to limit use, disclosure, and request for PHI to the “minimum necessary” to accomplish the intended purpose.

Minimum Necessary Rule
Asks - How much information is needed to achieve your purpose?
- Applies to all forms of communication.
- Use - Requires policies & procedures (P&P) classifying staff by role/position.
- Disclosure - Requires P&P addressing criteria to limit disclosure & reviewing of requests.
- With request - Must limit request to that which is necessary.

Access to PHI (Protected Health Info.)
- Opportunity to approach, inspect, review, and make use of data or information.
- Actions by a consumer or health care provider with appropriate authorization.

Consent and Authorization
Consent
- Document gives provider consent to carry out treatment, payment, or health care operations (TPO).
Authorization *
- AKA - “Release of Information.”
- Document used for purposes other than TPO.

Electronic Transaction & Code Set Standards
- National Electronic Standards - provide automated transfer of certain health care data between health care payers, plans, and providers.
- Replace nonstandard formats and code sets with standard electronic transactions and code sets.

Which Administrative & Financial Transactions?
- Health claim or encounter information.
- Eligibility for a health plan inquiry.
- Referral certification & authorization.
- Health care claim status.
- Health care payment and remittance advice.
- Health plan premium payments.
- Enrollment & dis-enrollment in a health plan.
- First report of injury.
- Health claim attachments.
And - Coordination of Benefits

Transaction/Code Sets Standards
Code Sets Examples:
- ICD-9
- CPT-4
- HCPCS
- DSM IV
Compliance Deadline with Extension: October 15, 2003

Benefits of Standardization of Electronic Transactions/Code Sets
- Standardized Formats – Will reduce number of formats used for health care administrative and financial transactions nation-wide.
- Billing becomes more efficient.
- Internal administrative savings related to staffing, response to complaint calls, and billing reconciliation.

Privacy Rule
- Applies to all protected health information (PHI).
- Does not prohibit the exchange of PHI for treatment, payment, or health care operations (TPO) within agency.
- Written Consent is required.

Privacy Rule Impacts
- HR - employee PHI
- Consents/Authorization
- Privacy Notifications
- Uses & Disclosures
- Health care operations
- Consumer access to & amendment of PHI
- Business Associate Agreements
- Provider responsibilities

Privacy Rule Highlights
Protects privacy of medical records and covers:
- Electronic records & printouts of records
- Written records
- Oral communications
Consumers give Consent for routine PHI release purposes (TPO).
Privacy Notice - documents consumer’s rights and the provider’s responsibilities.

Consumers' Rights under HIPAA
- Inspect/copy information (medical record).
- Request to amend information if inaccurate or incomplete.
- If request is denied - consumers may file a complaint with CSB or federal government.
- Consumers may request Disclosure History - disclosures other than those covered by TPO.

Business Associate Agreements
- Business Associates - Those entities that do things on our behalf with whom we share/give access to PHI.
- Business Associate Agreements - Establish permitted uses, disclosures, and safeguards for PHI.

Privacy Compliance Will
- Allow flow of PHI for treatment, payment, and related health care operations (TPO).
- Prohibit flow of PHI unless voluntarily authorized by the consumer.
- Allow consumers to know who is accessing their PHI outside of TPO use.
- Allow consumers to obtain access to their records & request amendment of records if inaccurate or incomplete.

Provider Responsibilities
- Provide formal complaint handling system.
- Allow use of de-identified data.
- Follow “minimum necessary” requirements.
- Establish Business Associate Agreements.
- Duty to mitigate damage if violations occur.
- Establish sanctions for HIPAA violations.

Privacy Penalties
- Civil Penalty: $100 - $25,000 maximum/year/person/same/violation.
- Criminal Penalty: $50,000 - $250,000 fines and 1-10 years in prison.
- Commercial Advantage/Personal Gain: $250,000 and 10 years in prison.

Consent Exceptions
Consents not required for:
- Indirect treatment relationships.
- Inmates.
- When required by law to treat (i.e., Court Ordered).
- In case of substantial communication barriers.
- In cases of emergencies.

Privacy Preemption
HIPAA will preempt state laws relating to PHI, except for those contrary to & more stringent than HIPAA.

Organizational Practices - Security
- Staff training.
- Role based access.
- Remote access site security issues.
- Electronic/wireless devices (i.e., laptops).
- Gap Assessment. *
- Authentication of users.

Organizational Practices - Security
- Policies/procedures for workstation use.
- Security of workstation locations.
- Security Incident Reporting.
- Termination procedures.
- Media controls.
- Audit trails.
- Encryption.

Security Rule
Deals with how PHI is secured:
- Access to PHI.
- Minimum Disclosure Rule.
- Encryption/digital signatures.
- Background checks.
- Physical (facility) security.
Final Security Rule – Pending.

HIPAA Identifier Standards
Pending HIPAA Regulation
- Employer ID
- Provider ID
- Payor ID
Final Identifier Rule: Pending in HHS

Required Administrative Procedures
- Designate Privacy & Security Officers.
- Complete gap analysis. *
- Develop a plan for HIPAA compliance.
- Identify Business Associates and establish agreements.
- Revise/develop P&P for HIPAA.
- Provide & document HIPAA training.
- Address access control issues.
- Have internal audit processes in place.

Required Administrative Procedures
- Develop formal Consumer Complaint Syst.
- File - Extension: Code Sets/Transactions.
- HIPAA Compliance Certification (IT)
- Develop Disaster/Contingency Plans.
- Identify security incident procedures.
- Meet personnel security requirements.
- Develop a security management system.
- Identify Sanctions for violations.
- Test your system.

Summary: Vocabulary
- Covered Entity
- PHI
- TPO
- Privacy Notice *
- Consent
- Authorization *
- Minimum Necessary
- Business Associate Agreement
- De-identification of PHI

Proposed Changes
- Strengthen Privacy Notice provisions.
- Eliminate Consent - Acknowledge receipt of Privacy Notice.
- Maintain “minimum necessary rule” while allowing treatment-related conversations.
- Assure appropriate parental access to their children’s records (state law will govern).
- Prohibits use of records for marketing.
- Assure privacy without impeding research.
- Provide model business associate provisions.

For more information or questions on HIPAA please contact: Demetrios Peratsakis Executive Director Western Tidewater CSB or

HIPAA Committee Deliverables
Drafts - Pending Attn. General’s Review
- Policy
- Fax Policy
- Privacy Notice
- Authorization Form
- Extension Template – Trans./Code Sets
- Internet Policy
- Gap Analysis Survey Tools (3)
- Glossary of HIPAA Terms

HIPAA Committee Deliverables
Future Documents to be Released
- Minimum Necessary Policy
- Compliance Process Policy
- Business Associate Agreement Template

Remember!!! Together we are making a difference... 8 May-02

As promised - How to insert a Hippo in your next PowerPoint Presentation:
In MS PowerPoint
- Go to “Insert”
- Choose “Picture/Clip Art”
- Type - “Hippopotamus.”
- Pick your hippo and choose “Insert.”