Academic Medical Centers and Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Ken Klingenstein - Michael Pickett
Rob Carter - Duke OIT Director of Systems Administration, Interim Institutional IT Security Officer
David McKelvey - Duke Medical Center Information Systems Information Technology Security Organization
Agenda
- The legislation
- Regulations, consequences, and timeframes
- HHS and I2 Health/Security workshops
- Academic medical centers' plans for addressing HIPAA
- DUHS responses: awareness, education, identification, organization, technology
- Discussion
Purpose of HIPAA
- Reduce costs of administrative overhead estimated at $.26 of every healthcare dollar
- Improve efficiency and effectiveness of national health system
- EDI estimated to save providers $9 billion - 10 years
- Estimated national health care savings $30 billion - 10 years
- Reduce fraud and abuse ($.11 of every healthcare dollar)
- Protect privacy of health information
- Protect patient rights
- Better quality of patient care from improved clinical data access
- Better information availability for decision making
- Security for Internet based technology
What Does the Law Say
- Hospitals may use personal health information to provide care, teach, train, conduct research and ensure quality.
- Information may not be used for non-health purposes like hiring, firing, determining promotions, or underwriting life insurance.
- Any non-approved verbal, written, or electronic disclosure is a violation.
Some Background
- Who’s covered by the law/regs: healthcare providers, healthcare insurance plans, healthcare clearinghouses, those who receive covered information from these entities
- Key regulations defined now:
  – Standard Transactions and Coding Sets (8/00)
  – Standard Identifiers (actually 3 regulations)
  – Security
  – Privacy (12/00)
- When will other regulations be known?
  – By 01/01 – Security and provider/plan id (estimate)
  – By 12/01 – Standard identifiers for provider (These dates have a history of moving)
  – Others - National patient identifier
Penalties
- Civic fines - $100/incident - up to $25,000/person/year
- Federal Criminal Penalties
  – $50, year in prison for obtaining or disclosing
  – $100, years in prison for obtaining/disclosing under false pretenses
  – $250, years in prison for commercial/personal gain, malicious harm
HIPAA and the CAMPUS
- How does HIPAA affect the campus?
- Why should I care?
- Who’s making the money (remember Y2K)?
Additional Resources (downloadable presentations)
ent/IndustriesHealthcareResourcesHIPAAAware nessPresentaton