Part III – HIPAA Reference

1 Part III – HIPAA Reference
Agenda:
- HIPAA in general: background
- Why employers should care
- Overview of requirements
- EDI transaction standards
- Security
- Privacy
- HIPAA compliance implementation

2 Background – In General
- Enacted in 1996, HIPAA was designed to incrementally address various issues within the health care industry
- Major elements include:
  - Improved health coverage portability requirements
  - Prohibitions on discrimination based on health status
  - Increased fraud enforcement
  - Simplifying the health care claim payment process to reduce administrative costs, primarily by standardizing electronic data transactions, which in turn raises security and privacy concerns

Before we dive in completely, let's take a step back for a minute and try to put HIPAA into perspective: what worthy goals was Congress trying to achieve when it dreamed up this madness?

3 Background – Statutory Structure
- Title I: Guarantees health insurance portability and renewal
- Title II: Administrative simplification
- Title III: Tax provisions for medical savings accounts
- Title IV: Enforcement of group health plan provisions
- Title V: Revenue offset provisions

Note that Titles III through V are miscellaneous provisions, and that the primary substance of HIPAA is contained in Titles I and II. The Title I portability and renewal provisions became effective a few years ago. Thus, it is just the Title II administrative simplification provisions that have everyone worried now.

4 Background – Why Was HIPAA Needed?
- Health care industry
  - Need for ease of data transfer
  - Move from paper to EDI (electronic data interchange)
  - Economic reasons
- The "patient" as the "consumer"
  - Increasing privacy and confidentiality concerns
- Legislative issues
  - 50 different states with different laws; lack of consistency and no minimum floor

Market forces are resulting in more and more business being conducted electronically, especially in the financial services and health care industries. Most health care payers, however, have developed proprietary and incompatible electronic systems, and there was no single market leader large enough to force system standardization onto the industry. What's in it for the health care industry? Once the EDI transaction standards are fully implemented, it is estimated that the average accounts receivable for a provider will drop from days under the current system to about 10 days.

At the same time, with more and more data being collected, stored, and transmitted electronically, concerns about privacy increased dramatically. It is one thing to open paper files one at a time to look at something improperly, but a completely different story when thousands of records can be electronically transferred at the push of a button. Stories of violations of health care privacy are rampant, one of my favorites being the pharmaceutical company that got a download of files from a pharmacy and sent free samples of Prozac to every individual who was already on anti-depressant medication.

Finally, there is tremendous inconsistency among state privacy laws across the U.S., with the states on the West Coast tending to have the most severe restrictions.

5 Why Employers Should Care? – In General
- Although not a covered entity, any employer that provides group health benefits will be at least indirectly affected
- Employers with self-funded plans will be considered "hybrid" entities, and their health plan operations will be directly subject to the rules
- Company access to employee health plan records for employment reasons (including administration of other benefit plans and laws) will be further limited
- Federal preemption of state laws will be limited to establishing minimum floor protection
- Certain customary practices may have to be changed

The bottom line here is that employers should care, because it is not going to be "business as usual." Everybody (employers, employees, and vendors) is going to get frustrated as they try to hack their way through this new jungle. In particular, feathers are going to be ruffled when certain individuals within companies realize that they no longer have the right to "take a peek under the tent" at their health plan data whenever they want.

6 Why Employers Should Care? – Penalties
- Federal programs: exclusion from federal programs anticipated
- Accreditation: accrediting organizations will require compliance in the future
- Civil monetary penalties: $100 for each violation, up to a $25,000 maximum per year for violations of the same requirement
- Criminal penalties (maximum per offense):
  - Wrongful disclosure: $50,000 and 1 year imprisonment
  - Wrongful disclosure under false pretenses: $100,000 and 5 years imprisonment
  - Wrongful disclosure with intent to sell, transfer, or use the information: $250,000 and 10 years imprisonment

A couple of points to note about HIPAA penalties: (1) While some of these penalties look pretty severe, they are primarily directed toward (and will likely be enforced against) health care providers and clearinghouses, more so than employers. (2) These penalties will be assessed by the Office for Civil Rights of HHS. HIPAA does not create any private right of action by individuals against covered entities; however, such a private right of action may exist under an applicable state privacy law or another federal law. (3) Thus, in most situations, the primary enforcement mechanism with respect to employers will be the avoidance of bad publicity and of undermining employee morale if an employer does not take its HIPAA responsibilities seriously and screws up.

So while there are clearly some potentially harsh penalties incorporated into HIPAA, employers should not necessarily be "scared" into compliance solely for that reason. Nobody is going to be 100% HIPAA compliant by April 14th. You just need to start developing, documenting, and implementing a compliance strategy that will get you where you need to be. At the same time, keep in mind that HHS has made it clear that the application of most of HIPAA is scalable, depending on the size, structure, and frequency of how an entity utilizes PHI, and that its interpretations and enforcement will be reasonable.

7 Why Employers Should Care? – Compliance Deadlines
HIPAA's administrative simplification incorporates three major distinct but overlapping components, each with a different compliance deadline:
- Electronic transaction standards: generally 10/16/03
- Privacy: generally 4/14/03
- Security: generally 4/21/05
For more information:

Note that small health plans (those with $5 million or less in annual receipts) have extended deadlines for compliance with the EDI standards and privacy requirements. What does $5 million in receipts mean? For fully insured plans, it is total premiums paid for health benefits. For self-insured plans, it is the total amount paid for health care claims (not counting stop-loss premiums). If the health plan files its own tax returns, slightly different standards apply. It appears that the $5 million threshold applies to each group health plan separately, but be careful if you use a wrap plan to consolidate your Form 5500 filings.

Due to the long lead times involved in becoming compliant, and the fact that health providers and insurers will ramp up for compliance by April 2003, small health plans need to start developing their compliance strategies now, even if they may have an extra year before they legally have to comply.

8 EDI Transaction Standards – In General
HIPAA requires standardization of these electronic health care transactions:
- Health claims or similar encounter information
- Enrollment and disenrollment in a health plan
- Eligibility for a health plan
- Health care payment and remittance advice
- Health plan premium payments
- Health claim status
- Referral certification and authorization
- Health claims attachments (standard to be issued in the future)
- First report of injury (standard to be issued in the future)

These are the 9 basic transactions for which electronic standards are being established. Implementation guides for the transaction standards that have been issued to date are available from the HHS web site.

9 EDI Transaction Points of Contact
Participants on the slide: Patient/Consumer, Plan Sponsors, Payers, and Providers (treatment). Transactions shown, with the X12 transaction set number where one applies:
- Patient → Sponsor: needs health coverage (paper form)
- Sponsor → Payer: Enrollment (834)
- Payer → Sponsor: Invoice (811); non-HIPAA transaction
- Sponsor → Patient: Payroll deduction; non-HIPAA transaction
- Sponsor → Payer: Premium payment (820)
- Provider → Payer: Eligibility inquiry (270); Payer → Provider: Response (271)
- Provider → Payer: Referral / authorization request (278); Payer → Provider: Response (278)
- Provider → Payer: Claim (837)
- Payer → Provider: Request for more information (277)
- Provider → Payer: Claim status inquiry (276); Payer → Provider: Response (277)
- Payer → Provider: Payment and remittance advice (835)
- Payer → Patient: Explanation of Benefits (paper)

Note that plan sponsors typically are directly involved with only two types of transactions (enrollment and premium payments). Thus, unless an employer handles the administration for its own self-funded plan, the direct impact of the EDI standards on employers should be minimal. Nevertheless, this slide is useful to illustrate the complexity involved in operating a group health plan and the different players and transactions involved.

We can visualize the process by following a patient through the health care system. First, a patient needs health insurance. They may fill out a form with their employer or other plan sponsor. The sponsor then "enrolls" the patient in a health plan using a HIPAA standard 834 transaction. The health plan will then send a paper or electronic invoice back to the plan sponsor; the sponsor may or may not bill the patient for this coverage. Note that the invoice is not unique to HIPAA and is not a HIPAA transaction. The plan sponsor can then pay the premium either by paper check or via a HIPAA standard 820, which contains the patient's personal information.

At some point, the patient will likely seek treatment from a health care provider. The provider will want to know whether the patient has insurance and what their deductibles are; the 270 and 271 carry the request and answer between the provider and the payer. If the provider needs a referral, it can send a 278 to the payer, who will either authorize or reject it and return it. Eventually the provider will file a claim for payment (837). This claim may include information for one patient, but it may also contain multiple claims for many patients.

Sometimes the payer will request additional information through a 277. If a long period of time has passed since the claim was filed, the provider may send a 276 claim status inquiry, and the payer must provide a 277 response. Eventually, the payer will send the payment and the "remittance advice" to the provider using an 835. The last step in this process is when the patient gets their paper copy of the Explanation of Benefits, normally in the mail.

10 EDI Transaction Standards – Unique Identifiers
- Eventually HIPAA will require the use of unique identifying numbers for employers and for covered entities (i.e., health plans, providers, and clearinghouses)
- To date, only the employer identifier standard has been finalized (the employer's federal tax identification number, the EIN, must be used)
- The controversial unique identifier for individuals (patients) has been withdrawn

11 Security – In General
- Intended to minimize the risk of intentional or accidental disclosure or misuse, or the loss or corruption, of patient-identifiable health information
- Sets a floor of minimum administrative, physical, and technical (computer) security standards to protect medical data
- Reflects commonly accepted security safeguards widely used across many industries
- Security measures are to be tailored to the organization's risk analysis, technical environment, and business needs

12 Security – Employer Implications
- Typically will require developing and/or modifying a number of IT/IS policies, procedures, and protocols with respect to individual health information that is generated, transmitted, or stored electronically
- Applies to both the covered entity and its business associates
- Thus, early involvement of IT/IS staff in an employer's HIPAA compliance effort is critical
- It is not uncommon for employers to engage a specialized IT/IS consultant to help assess compliance gaps and implement corrective steps

13 Privacy – In General
- Rules apply to all individually identifiable health information, whether in paper or electronic form
- Key terms:
  - Protected Health Information (PHI)
  - Covered Entity
  - Business Associate

Now, let's start to get "down and dirty" with HIPAA privacy. In order to understand the discussion, it is important that everyone understands certain key terms before we get a feel for the areas of permitted use of PHI.

14 Privacy – Protected Health Information
PHI = individually identifiable health information + created or received by a covered entity
- Individually identifiable health information: any information that relates to an individual's past, present, or future physical or mental condition, or the provision of or payment for health care, and that specifically identifies the individual (or provides a reasonable basis to believe that the individual can be identified)
- AND WHICH IS created or received by a covered entity
- Can be in any form (oral, written, or electronic)
- Examples: claims data and (depending on source) enrollment data and employee contribution information

The key aspects of the definition of PHI to remember are that the health information must be individually identifiable, and must be created or received by a covered entity. Note the "grayness" around whether enrollment data and employee contribution information are PHI. Technically, it depends on the source of the information. If it comes from the employer in its capacity as the employer, then it is not PHI; for example, during open enrollment for someone who has not been covered under the plan before. However, once the data goes into the plan, it becomes PHI, so subsequent open enrollments potentially could be tainted.

15 Privacy – De-Identification Requirements
- Covered entities are permitted to use PHI to create de-identified information for their own unlimited use, or for unlimited use by another entity, without authorization from individuals
- De-identified information = health care information that does not identify the individual, or that the covered entity has no reasonable basis to believe can be used to identify the individual
- While such generic information may be useful for certain types of broad-based trend studies, it is probably not useful for achieving most other business objectives
- Use of certain types of partially de-identified information (summary information or "limited data sets") is allowed for specific limited purposes:
  - Enrollment/disenrollment data
  - Aggregate claims history / expenses / types-of-claims data for coverage renewals and plan design changes

16 Privacy – Covered Entity
- All health care providers
- All health care payers (including managed care organizations, carriers, and self-funded employers)
- All health care clearinghouses that process claims or route electronic claims
- Certain health plans:
  - Health insurers (including HMOs), and
  - Group health plans with 50+ participants, or administered by an entity other than the employer that established and maintains the plan

17 Privacy – Covered Entity (cont.)
- Employers, as a whole, typically are not covered entities
- Thus, most employers are not directly subject to the HIPAA privacy regulations
- However, certain components of an employer might constitute a covered entity (e.g., a self-funded group health plan)
- Hybrid employers will be subject to various requirements and obligations:
  - "Firewalls" must be created between covered and non-covered functions
  - The plan cannot share PHI with the non-health-plan component of the employer unless the plan sponsor certifies that the plan has been amended to limit use and disclosure of PHI and that safeguards are in place
  - Exceptions for limited enrollment activities

18 Privacy – Business Associates
- Business associate = any outside entity to which a covered entity discloses PHI to perform necessary functions
  - E.g., third-party administrators, case managers, attorneys, collection agencies, claims auditors, consultants
  - Does not include plan sponsors, insurers, or disclosures from a covered entity to a health care provider for treatment of an individual
- Covered entities must have agreements in place to contractually bind BAs to limit use of PHI to designated purposes and to comply with covered-entity-type confidentiality rules

Dealing with business associates may be one of the most time-consuming aspects of HIPAA compliance if the employer maintains numerous group health plans served by a wide array of third-party vendors.

19 Privacy – Business Associates (cont.)
- Covered entities have potential civil and criminal liability exposure for breaches by BAs
  - Thus, there is an obligation to monitor your BAs' activities
  - Under the final regulations, however, action needs to be taken only if there is actual knowledge of a material violation
- Compliance deadline:
  - Generally, all BA agreements must be in place by 4/14/03
  - However, any BA agreement in place prior to 10/15/02 will be deemed sufficient until 4/14/04 (unless the agreement terminates or is modified in any way prior to that date)

20 Privacy – Basic Requirements
- Patients have the right to understand and control how their health information is being used
- Providers and health plans must give individuals clear, written notice of how they use, keep, and disclose their health information
- Individuals have the right to access their medical records (to view, make copies, request amendments, and obtain an accounting of non-routine disclosures)
- Individual authorizations are required before information is released in most non-routine situations
- Covered entities are accountable for the use and release of information, with recourse available if privacy is violated

Now, let's pull together the key terms and concepts and go over the basic requirements of the HIPAA privacy rules. As we go through these requirements, note the recurring themes that keep coming back. Note also the IT burden imposed on both the plan and its business associates with respect to viewing, copying, requesting changes to, and tracking disclosures of PHI.

21 Privacy – Basic Requirements (cont.)
- Use of individual health information is generally limited to health purposes
  - PHI cannot be used for purposes other than treatment, payment, or health care operations without individual authorization
  - Individual authorizations must be informed and voluntary
- Reasonable efforts must be undertaken to limit release of information to the "minimum necessary" amount
  - The minimum necessary requirement applies to use of PHI for payment or health plan operations, but not for treatment purposes

Note that the "minimum necessary" requirement is rather vaguely set forth in the regulations. Thus, it appears to be a good-faith, best-judgment standard.

22 Privacy – Basic Requirements (cont.)
Minimum privacy safeguard standards are established for covered entities (with similar requirements applicable to BAs by contract and to the plan sponsor by plan amendment):
- Adoption of written privacy procedures, with safeguards and sanctions specified
- Periodic distribution of a privacy notice
- Training of employees on handling PHI
- Designation of a privacy officer (covered entities only)
- Establishment of a grievance / complaint procedure
- Recordkeeping with respect to PHI disclosures

23 HIPAA Implementation – Basic Phases
- Phase I
  - Awareness / education
  - Preliminary scope assessment
  - Budgeting
  - Task force team selection
- Phase II
  - Detailed analysis of current PHI flow and use
  - Detailed compliance gap analysis
- Phase III
  - Implementation of the prioritized action item list

