
Making HIPAA Happen in DHH

1/27/2012. La Department of Health

Jimmy

Presentation Transcript


    1. Making HIPAA Happen in DHH: HIPAA Awareness Overview For DHH Employees. Ruth Kennedy, Medicaid Deputy Director, Department of Health & Hospitals. August 13, 2002

    2. 1/27/2012 La Department of Health & Hospitals 2 I Just Want to be Left Alone!

    3. A Historical Look at the Conception of HIPAA. 1992—Clinton Health Plan. Focus: Increasing access and decreasing health care costs. 1994—Republican Congress. Focus: Medicare “crisis”; fighting health care fraud and abuse. 1996—Kennedy-Kassebaum Act, also known as the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

    What is now referred to as HIPAA all started a decade ago, long before we got our first e-mail accounts. In fact, we were just beginning to use fax machines to transmit data.

    The Health Care World as it existed in 1992: New technology such as “smart cards” was just being developed; there was increasing demand for more information in less time. Opportunities for using the new technology were inconsistent with reality. Internally, great systems could be developed, but there were major barriers across institutions. No single entity had the market power to standardize. At the time, 12 states had laws making electronic billing illegal. Standardization was requested by the private sector—they were the driver.

    Legislation introduced in 1993 was a simple bill—establish standards and require use of these standards by all. It was originally about increasing access and decreasing costs. Administrative Simplification was seen as a means of achieving that as part of the Clinton Health Plan. The bill evolved into a bitter fight about whether all the data would be stored locally or centrally, because of the major focus at that time on RESEARCH. The original sponsors of the bill actually abandoned it.

    By 1995, the Republicans had taken control of Congress and balancing the federal budget was agenda item A. Administrative Simplification was seen as a major means of fighting fraud and abuse.

    Flash forward to 1996—Senators Kennedy and Kassebaum were crafting bi-partisan health care legislation which addressed insurance portability among other issues, and Administrative Simplification was incorporated into that legislation, known as the Health Insurance Portability & Privacy or HIPAA. HIPAA is somewhat of a misnomer because Administrative Simplification has nothing to do with portability. The key is that Administrative Simplification maintained private support through two bitter, partisan battles in Congress, and the current version is fairly intact from the 1993 original framework. It is a bi-partisan effort which maintains the public-private partnership and creates a “national” system.

    4. 1996 HIPAA Legislation Passes; Administrative Simplification Tags Along!!

    5. HIPAA Health Insurance Reform. Title I of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects health insurance coverage for workers and their families when they change or lose their jobs. Women’s Health Rights; Mental Health Parity; Hospital Stays for Mothers & Newborns.

    6. Administrative Simplification: Title II of HIPAA. “Intended to reduce the costs and administrative burdens of health care by making possible the standardized, electronic transmission of many administrative and financial transactions that are currently carried out manually on paper.”

    7. Individual Components of DHH Administrative Simplification

    8. Original Purpose of HIPAA “Administrative Simplification”: “To improve the efficiency and effectiveness of the health care system-- by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.”

    9. How Cost Reduction Will (Eventually) Be Achieved: Reduce overall health care costs by reducing administrative costs; Reduce human intervention; Reduce errors; Reduce processing time; Reduce Fraud; Make EDI viable and “preferred” to manual processing.

    10. Exactly What Electronic Transactions Does HIPAA Apply To? Transactions: Health Claims (X12N 837); Enrollment/Dis-enrollment in Health Plan (X12 834); Eligibility for Health Plan Inquiry and Response (X12N 270-271); Health Care Payment/Remittance Advice (X12N 835); Health Plan Premium Payments (X12 820); Health Claim Status-Inquiry and Response (X12N 276-277); Coordination of Benefits (X12N 837); Referral Certification (X12N 278); Referral Authorization (X12N 278).

    11. Exactly What Code Sets Does HIPAA Apply To? Code Sets: ICD-9-CM (Diagnosis and Procedures); CPT-4 (Physician Procedures); HCPCS (Ancillary Services/Procedures); CDT-2 (Dental Terminology); NDC (National Drug Codes).

    12. HIPAA EDI Extension Law: Administrative Simplification Compliance Act, aka H.R. 3323. May file a compliance plan with HHS by 10/15/2002. Testing must be planned to start by 4/16/2003. For those who file plans, new compliance date for transactions 10/16/2003. No delay for privacy compliance 4/14/2003. All Medicare claims must be in standard electronic form by 10/16/2003; exception for very small providers.

    13. HIPAA– The Race to Compliance is On!

    14. Scope: Who is a HIPAA “Covered Entity”? “A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.” Providers get a choice; made by conducting electronic transactions (or getting a business associate to). “A health plan.” Explicitly including government plans such as Medicaid & Medicare, VA, DoD, CHAMPUS, IHS, etc. All health plans are covered (or $ cannot be saved). Exceptions for some not primarily “health” plans, e.g., Workers Comp, property & casualty. “A health clearinghouse.”

    15. Dealing with Ambiguity— the “Covered Entity” Question. DHH has certain programs and functions which may not legally be required to comply with EDI. Medicaid is a named health plan—health plans are required to comply with Standard Codes and Transactions. Program offices have health care provider functions, but most also have programs & functions that meet the HIPAA definition of a functional health plan (any program that pays for medical care or assists in joint administration of a plan). Clearinghouses are the third classification of covered entities named in the law. Consideration must also be given to whether a program or function is a business associate of another “covered entity” and therefore required to comply with HIPAA principles.

    16. DHH Compliance Strategy: We’re All in the Boat Together. Legal opinion is that DHH is the “covered entity”—Department wide compliance with privacy component is required. Voluntary compliance even for those programs and functions not legally mandated to comply is good business practice.

    17. DHH’s Strategy for HIPAA Privacy Compliance

    18. Working Together

    19. Possible DHH Approaches to HIPAA Implementation. Option A: It’s a federal mandate; Technically comply and nothing more. Option B: Evaluate and update business practices; Update in a HIPAA compliant manner. We are working to meet the real needs of our stakeholders and the state—not just minimally comply.

    20. HIPAA Opportunities for DHH: Contain growth of health care administrative costs; Better ability to aggregate and compare data; Modernize outdated business practices; Faster, more consistent claims payment & processing. Why promote Electronic Data Interchange? It was estimated by the Clinton Health Care initiative that 15 – 22% of health care costs are attributable to administration. Use of standards will facilitate the development of benchmarks and evaluation that is currently not possible when you’re not comparing “apples to apples.” We are using the opportunity to update business processes, update provider manuals, and implement improvements in Medicaid administration.

    21. HIPAA Challenges for DHH: Rapidly approaching deadlines for both Standard Transactions/Codes and Privacy; Medicaid local codes must be replaced; Cost issues—money and manpower; Trending may be lost. We are keenly aware that legislation is pending in both the U.S. Senate—S 836 sponsored by Senator Larry Craig (R-Idaho) and the House—H.R. 1975 sponsored by Representative John Shadegg (R-Arizona)—which would provide for a more lengthy implementation schedule for HIPAA Administrative Simplification regulations. Our workplan assumes there will be no delay. Local codes are a real issue.

    22. Possible HIPAA Headaches for Public Health. Real and perceived risk of penalties for wrongful disclosure could result in refusals to report. Public Health may need to provide assurances to their reporters and the public that data sharing for public health purposes is still appropriate. Public Health may need improved documentation, policies, and procedures, to demonstrate that data falls within the public health purposes exception.

    23. “Local Codes” I$$ue for Louisiana Medicaid. La Medicaid gap analy$i$ revealed more than 1500 local codes (“X” and “Z” codes). Impact$ Medicaid’s ability to cu$tomize coverage and reimbur$ement policy. Code$ will dictate policy, rather than vice ver$a. DHH cannot electronically proce$$ a claim for $ervice if a national $tandard code doe$ not exi$t. “X” codes and “Y” codes must be crosswalked or mapped to standard code. Medicaid provides services not included in other health plans, for example the various waiver services, and EPSDT. Could require amendments to our Medicaid State Plan.

    24. November 2003 Worst Imaginable Scenario. Great confusion among providers—internal as well as external. Providers elect to submit paper claims rather than bill electronically, overwhelming the Medicaid claims system. Paper claims: Cost more; Take longer; Intensify provider frustration. We clearly recognize and appreciate the value of electronic billing and are working diligently to keep this scenario from becoming a reality.

    25. Administrative Simplification Reality: Save money by setting standards and requirements for electronic transmissions. Public responsibility imposed additional purpose: protect security and privacy of individually identifiable health information.

    26. Philosophy for Future of Privacy: Privacy is the right to be unknown. Ability to remain unknown in big city environments. Real fear of discrimination based on misuse of information. Increasing risk to privacy as more information is collected. Information more sensitive - Genetics only the beginning.

    27.

    28. Deadline for HIPAA Privacy Compliance is 8 Months Away! Final Rule published in Federal Register 12/20/00. Bush administration delayed effective date. Official effective date was 4/14/01. Compliance date is 4/14/03 (4/14/04 for small health plans, which we are NOT). Major modifications in rule to be made “official” 8/14/02.

    29. What is Current Louisiana Law Relative to Health Information Privacy? Patients are entitled to a copy of medical records upon written request and payment of a fee. Hospital Records and Retention Act [La Rev. Stat. Ann. § 40:2144]. HMO’s may not disclose health information without patient’s expressed consent. [La Rev. Stat. Ann. § 40:2144]

    30. HIPAA Privacy Regulations Create a Healthy Respect for Lawyers!!! Regulations are contained in hundreds of pages of “fine print.” HIPAA regulations are subject to multiple interpretations. State privacy/confidentiality laws will still be applicable if they are more restrictive than the HIPAA Privacy regulations. DHH Legal has an integral role in the Department’s HIPAA Privacy compliance efforts. Exercise caution in what you say or distribute to persons outside the Department; if in doubt, get a legal opinion!

    31. Each HIPAA Privacy Regulation Requires DHH Response(s)

    32. We Must Have a Comprehensive Privacy Policy for DHH. Estimate prepared for state of Oregon is that policy will be ~ 150 pages. Generic for DHH, but customizable to meet needs of individual program offices and facilities/locations.

    33. HIPAA Allowed Uses & Disclosures of Health Information: Treatment, payment, and health care operations; Requires that opportunity be provided to either agree or object; Specific public purposes; Other uses, if authorized by the individual.

    34. We Must Develop New Privacy Forms & Revise Existing Forms: Notice of our Privacy Policy; Acknowledgement of Receipt of Privacy Policy; Authorization to Disclose Personal Health Information (PHI); Form Letters to Respond to Requests to: View PHI, Amend PHI, Restrict Access to PHI.

    35. Accountability of Disclosures. Upon request from a patient/client, covered entities must provide for disclosures within the previous six years: Dates of disclosures; Recipients of disclosures; Description of PHI information disclosed; Purpose of disclosure.

    36. Privacy Training for All DHH Employees. Training on DHH’s new (HIPAA compliant) privacy policies for every member of the workforce will be necessary prior to 4/14/03—yes, this will include you. Training will be “scalable” and length of training will be determined by role/access to PHI. Training on DHH’s Privacy policies will be required for all new employees. Refresher training in Privacy policy will need to be established for the DHH workforce. Training must be documented.

    37. HIPAA Privacy is Primarily About Organizational Change. Privacy behavior must be habit. Confidentiality has been an important part of the social contract with healthcare providers for over 2000 years. Dispersion of information and responsibility to hundreds of people without such historical ‘values’ increases risk. Privacy (and security) rules seem onerous because they require us to change and document what we do. Eventually (soon), confidentiality will become ingrained habit, not onerous.

    38. Introducing Business Associates to the Equation. Only covered entities are subject to the rules. This limit doesn’t make sense because healthcare uses outsourcing extensively and these other entities would not be required by law to safeguard our health information … so ‘business associate agreements’ were invented to obligate outsource agents, vendors, and contractors to safeguard the health information they need to do their jobs.

    39. Definition of a “Business Associate”: A person who, on behalf of DHH, performs or assists in performance of healthcare activity involving the use or disclosure of individually identifiable health information. DHH employee is not a “Business Associate.” Health care provider who submits claims to Medicaid or DHH Program Office for payment is not a “Business Associate.”

    40. “Covered Entities” for Purposes of HIPAA Applicability

    41. DHH Must Monitor Contract Compliance. We would be found “out of compliance” with the privacy rule requirement if we knew of a “pattern of activity or practice” by a business associate that violated our contract, unless we were taking steps to end the violation. If business associate can’t “cure” the violation, we must: Terminate the contract; If not feasible to terminate the contract, report the problem to the Secretary of DHHS.

    42. What DHH Doesn’t Have to Do for “Business Associates”: Require them to appoint a privacy official; Actively monitor how they safeguard PHI; Oversee their other privacy processes or procedures; Train their staff in the whys and wherefores of the privacy rule.

    43. HIPAA Enforcement ? Watching and Listening

    44. Some Last Words of Wisdom on Privacy: “Common sense and reasonable behavior can take you a long way.” We intend to be able to demonstrate we have shown due diligence. We have arranged for an independent validation and verification assessment in early 2002.

    45. Be Reasonable!

    46. What About Security??? Rules for privacy are out but not for security. States know what to protect but not how to protect it. Generally held view is that the final security rule will be essentially unchanged from the proposed rule issued in August 1998, except for updating to conform with the final privacy rule.

    47. Helpful HIPAA Websites: www.hipaagives.org, www.wedi.org, www.sharpworkgroup.com, www.cms.gov, www.hipaadvisory.com

    48. Don’t get left behind …
