1. -ANANT VYAS PRIVACY IN DATA MANAGEMENT: CS295D UNIVERSITY OF CALIFORNIA,IRVINE CS295d:Privacy in Data Management University of California, Irvine 1

2. Why HIPAA?  More than 25 cents of every health-care dollar is spent on administration  More than 450 billing forms  National changes requested by providers  Increasing public concern around privacy  Highly public breaches of privacy CS295d:Privacy in Data Management University of California, Irvine 2

3. Health Insurance Portability & Accountability Act (HIPPA)  In August 1996, President Clinton signed into law the Public Law 104-91, Health Insurance Portability and Accountability Act (HIPAA).  The Act included provisions for health insurance portability, fraud and abuse control, tax related provisions, group health plan requirements, revenue offset provisions, and administrative simplification requirements. CS295d:Privacy in Data Management University of California, Irvine 3

4. HIPAA’s Intent  Improve efficiency and effectiveness of health care system  The HIPAA Privacy Rule for the first time creates national standards to protect the privacy of individuals’ medical records and other personal health information.  Creates standards for the security of health information  Creates standards for electronic exchange of health information CS295d:Privacy in Data Management University of California, Irvine 4

5. What HIPAA Doesn't do  It doesn't: force your employer to offer or pay for health insurance coverage.  guarantee that all those in the workforce will get health coverage.  control how much an insurance company can charge for group coverage.  force group health plans to offer specific benefits.  allow you to keep the exact same health insurance plan that you had at your old job when you go to a new job.  eliminate the use of pre-existing condition exclusions.  replace your specific state as the primary regulator of health insurance. CS295d:Privacy in Data Management University of California, Irvine 5

6. HIPAA SPEAK  Individually Identifiable Health Information(IIHI)  Related to an individual; the provision of health care to an individual; or payment for health care  and that identifies the individual  or a reasonable basis to believe the information can be used to identify the individual  Health information + Identifiers (18 defined) = IIHI CS295d:Privacy in Data Management University of California, Irvine 6

7. HIPAA SPEAK(contd.) 18 Identifiers:  (1) Names; (2) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code (3) All elements of date (except year) for dates directly related to an individual, including birth date etc (4) Telephone numbers; (5) Fax numbers; (6) Electronic mail addresses; (7) Social security numbers; (8) Medical record numbers; (9) Health plan beneficiary numbers; unique identifying number, characteristic, or code.  (10) Account numbers; (11) Certificate/license numbers; (12) Vehicle identifiers and serial numbers, including license plate numbers; (13) Device identifiers and serial numbers; (14) Web Universal Resource Locators (URLs); (15) Internet Protocol (IP) address numbers; (16) Biometric identifiers, including finger and voice prints; (17) Full face photographic images and any comparable images; and (18) Any other CS295d:Privacy in Data Management University of California, Irvine 7

8. HIPAA SPEAK (contd.)  Use (of IIHI) Sharing within the entity. For example, when members of the covered entity’s workforce share IIHI.  Disclosure (of IIHI) Sharing outside the entity. For example, sharing IIHI with someone who is not a member of the covered entity’s workforce. CS295d:Privacy in Data Management University of California, Irvine 8

9. HIPAA SPEAK (contd.)  Protected Health Information (PHI)  Individually Identifiable Health Information maintained by CE  Electronic, paper, oral  Created or received by a health care provider, public health authority, employer, school or university CS295d:Privacy in Data Management University of California, Irvine 9

10. HIPAA SPEAK (contd.)  Covered Entity  Health care provider/Health Plan/Health care clearing house who transmits any health information in electronic form in connection with HIPAA regulations CS295d:Privacy in Data Management University of California, Irvine 10

11. HI vs. IIHI vs. PHI: Difference? HI IIHI PHI CS295d:Privacy in Data Management University of California, Irvine 11

12. HIPAA: Title I  Health Care Access, Portability, and Renewability  Protects health insurance coverage for workers and their families when they change or lose their jobs  It amended the Employee Retirement Income Security Act, the Public Health Service Act, and the Internal Revenue Code. CS295d:Privacy in Data Management University of California, Irvine 12

13. HIPAA : Title II  Standards for Electronic Transactions  Implementation of a national standard for electronic health care transactions  All transactions to be processed using the same electronic format  Unique Identifiers Standards  All health car providers, plans and clearinghouses to use NPI(national provider identifier) CS295d:Privacy in Data Management University of California, Irvine 13

14. HIPAA : Title II Rules  Administrative Simplification rules  5 rules:  Privacy Rule,  Transactions and Code Sets Rule,  Security Rule,  Unique Identifiers Rule,  Enforcement Rule. CS295d:Privacy in Data Management University of California, Irvine 14

15. HIPAA Privacy Rule  The Privacy Rule took effect on April 14, 2003  Establishes regulations for the use and disclosure of Protected Health Information (PHI) CS295d:Privacy in Data Management University of California, Irvine 15

16. What does the HIPAA Privacy Rule do?  It gives patients more control over their health information.  It sets boundaries on the use and release of health records.  It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information. CS295d:Privacy in Data Management University of California, Irvine 16

17.  It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.  And it strikes a balance when public responsibility supports disclosure of some forms of data – for example, to protect public health. CS295d:Privacy in Data Management University of California, Irvine 17

18. HIPAA Security Rule:  Issued on February 20, 2003. It took effect on April 21, 2003.  Deals specifically with Electronic Protected Health Information (EPHI) i.e. individually identifiable information that is in electronic form. CS295d:Privacy in Data Management University of California, Irvine 18

19. HIPAA Security Rule(contd.):  Confidentiality?  Integrity?  Availability? CS295d:Privacy in Data Management University of California, Irvine 19

20. HIPAA Security Rule(contd.):  “ To ensure reasonable and appropriate administrative, technical, and physical safeguards that insure the integrity, availability and confidentiality of health care information, and protect against reasonably foreseeable threats to the security or integrity of the information.” CS295d:Privacy in Data Management University of California, Irvine 20

21. Security Rule: 4 Categories  Administrative Procedures  Physical Safeguards  Technical data security services  Technical security mechanisms CS295d:Privacy in Data Management University of California, Irvine 21

22. Administrative Procedures: 12 Requirements 1.Certification 2.Chain of Trust Agreements 3.Contingency Plan 4.Mechanism for processing records 5.Information Access Control 6.Internal Audit 7.Personnel Security 8.Security Configuration Management 9.Security Incident Procedures 10.Security Management Process 11.Termination Procedures 12.Training CS295d:Privacy in Data Management University of California, Irvine 22

23. Physical Safeguards: 6 Requirements 1.Assigned Security Responsibility 2.Media Controls 3.Physical Access Controls 4.Policy on Workstation Use 5.Secure Workstation Location 6.Security Awareness Training CS295d:Privacy in Data Management University of California, Irvine 23

24. Technical Data Security Services: 4 Requirements 1.Access Control 2.Audit Controls 4.Data Authentication 5.Entity Authentication CS295d:Privacy in Data Management University of California, Irvine 24

25. Guiding principles The Security Rule is based on several important principles.  Scalability  Comprehensiveness  Technology neutral  Internal and external security threats  Risk analysis CS295d:Privacy in Data Management University of California, Irvine 25

26. Non Compliance  CEs that do not comply with the Security Rule requirements are subject to a number of penalties.  Civil penalties are $100 per violation, up to $25,000 per year for each requirement violated. Criminal penalties range from $50,000 in fines and one year in prison up to $250,000 in fines and 10 years in jail. CS295d:Privacy in Data Management University of California, Irvine 26

27. Transaction Rule  July 1, 2005  The transaction rule covers several key ED transactions  Although many companies were already developing standardized EDI’s, there still wasn’t an industry standard before the rule was put in place. CS295d:Privacy in Data Management University of California, Irvine 27

28. Transaction and Code Set Rule: “Speak the Same Language”  Health Care Claim or Encounter (837)  Health Care Claim Payment and Remittance (835)  Health Care Claim Status Inquiry/Response (276, 277)  Health Care Eligibility Inquiry/Response(270, 271)  Enrollment and Disenrollment in a Health Plan (834)  Referral Certification and Authorization (278)  Health Plan Premium Payments (820)  Health Care Claim Attachments (delayed)  First Report of Injury (delayed) CS295d:Privacy in Data Management University of California, Irvine 28

29. Compliance Deadlines:  Privacy: April 14, 2003  Security: Fall 2004  Transactions & Code Sets: October 16 2005  Identifiers : Fall 2004 CS295d:Privacy in Data Management University of California, Irvine 29

30. Some common reactions  HIPAA is an unfunded mandate.  It’s an IT issue (like Y2K)  It is someone else’s problem (State’s, Health’s, ITs)  Local agencies are waiting for direction from State, County, Fed…  Compliance issues CS295d:Privacy in Data Management University of California, Irvine 30

31. Compliance is Increasingly an Issue CS295d:Privacy in Data Management University of California, Irvine 31 The number of HIPAA Privacy Rule compliance and enforcement complaints have continually increased over the years1.

32. Complaints Are Consistently Related to Data Privacy  Three of the top five Privacy Rule Complaints are data privacy issues:  Impermissible uses and disclosures – e.g. providing PHI to external partners  Safeguards – e.g. PHI is not protected in computer systems  Access - e.g. PHI is accessible to those without a need to know CS295d:Privacy in Data Management University of California, Irvine 32

33. Examples of PHI Leaking Out  Example 1: Safeguards A flaw in a national health maintenance organization’s computer system sent explanation of benefits to a patient’s unauthorized family member. This flaw put the PHI of approximately 2000 families at risk in violation of the Privacy Rule.  Example 2: Impermissible Disclosures and Safeguard A municipal social service agency disclosed protected health information while processing Medicaid applications by sending consolidated data to computer vendors who were not business associates. This flaw was putting PHI in the hands of an uncovered entity who could have used it for a variety of harmful purposes  These examples ended with minimal public impact and were remedied with improved security procedures and controls.  But, what if this PHI had gotten into the wrong hands? CS295d:Privacy in Data Management University of California, Irvine 33

34. Worst Case Scenario: HIPAA Data Theft  The owner of a Florida claims handling system, Fernando Ferrer, Jr, was convicted of illegally buying PHI from a clinic employee and then submitting fraudulent claims to collect on the resulting payouts. The clinic employee downloaded the PHI of more than 1,100 patients and sold the information to Ferrer.  This theft resulted in the submission of more than $7 million in fraudulent Medicare claims with $2.5 million paid to providers and suppliers.  The risk for such a scenario increases substantially without the necessary controls in place to lock down and minimize the PHI in an enterprise CS295d:Privacy in Data Management University of California, Irvine 34

35. Conclusion?  HIPAA has had a large effect on the industry today  The type of health information being recorded is changing.  In the end a great act! CS295d:Privacy in Data Management University of California, Irvine 35

36. More Information:  Department of Health & Human Services – HIPAA: www.hhs.gov/ocr/hipaa  HIPAA.ORG  Overview HIPAA - General Information http://www.cms.hhs.gov/hipaaGenInfo/ CS295d:Privacy in Data Management University of California, Irvine 36