
HIPAA Compliance within DHH

12/8/2011. La Department of Health

Sophia

Presentation Transcript


    1. HIPAA Compliance within DHH: HIPAA Awareness Training for Louisiana Office of Public Health. Ruth Kennedy, Medicaid Deputy Director, Department of Health & Hospitals. June 21, 2002

    2. 12/9/2011 La Department of Health & Hospitals 2

    3. Dispelling Some HIPAA Myths
        - Myth #1 – “HIPAA will go away.”
        - Myth #2 – “They won’t enforce it; if they intended to, they would have funded it.”
        - Myth #3 – “It doesn’t include me.”
        - Myth #4 – “It’s just like Y2K.”
        - Myth #5 – “It’s just not that important to justify the expense.”
        - Myth #6 – “We still have time.”

    4. DHH’s HIPAA Related “Lessons Learned” To Date
        - HIPAA supersedes/pre-empts anything contrary to it
        - Standards are being set by the private sector. Neither DHHS, DHH, nor Medicaid has any special clout!
        - A business process issue rather than an MMIS or “system” issue
        - Far more complex/far greater impact than Y2K

        Case by case exceptions related to the standard formats and codes have been put to a very high test. It was initially difficult for states to understand that they are health plans and must comply to the same extent as everyone else.

    5. A Historical Look at the Conception of HIPAA
        - 1992—Clinton Health Plan. Focus: Increasing access and decreasing health care costs
        - 1994—Republican Congress. Focus: Medicare “crisis”; fighting health care fraud and abuse
        - 1996—Kennedy-Kassebaum Act, also known as the Health Insurance Portability and Accountability Act of 1996 (HIPAA)

        What is now referred to as HIPAA all started a decade ago, long before we got our first e-mail accounts. In fact, we were just beginning to use fax machines to transmit data.

        The Health Care World as it existed in 1992: New technology such as “smart cards” just being developed; increasing demand for more information in less time. Opportunities for using the new technology were inconsistent with reality. Internally, great systems could be developed but major barriers across institutions. No single entity had the market power to standardize. At the time, 12 states had laws making electronic billing illegal. Standardization was requested by the private sector—they were the driver.

        Legislation introduced in 1993 was a simple bill—establish standards and require use of these standards by all. It was originally about increasing access and decreasing costs. Administrative Simplification was seen as a means of achieving that as part of the Clinton Health Plan. The bill evolved into a bitter fight about whether all the data would be stored locally or centrally, because of the major focus at that time on RESEARCH. The original sponsors of the bill actually abandoned it. By 1995, the Republicans had taken control of Congress and balancing the federal budget was agenda item A. Administrative Simplification was seen as a major means of fighting fraud and abuse.

        Flash forward to 1996—Senators Kennedy and Kassebaum were crafting bi-partisan health care legislation which addressed insurance portability among other issues, and Administrative Simplification was incorporated into that legislation, known as the Health Insurance Portability & Privacy or HIPAA. HIPAA is somewhat of a misnomer because Administrative Simplification has nothing to do with portability. The key is that Administrative Simplification maintained private support through two bitter, partisan battles in Congress and the current version is fairly intact from the 1993 original framework. It is a bi-partisan effort which maintains the public-private partnership and creates a “national” system.

    6. 1996 HIPAA Legislation Passes; Administrative Simplification Tags Along

    7. Health Insurance Reform
        Title I of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects health insurance coverage for workers and their families when they change or lose their jobs.
        - Women’s Health Rights
        - Mental Health Parity
        - Hospital Stays for Mothers & Newborns

    8. Administrative Simplification
        “Intended to reduce the costs and administrative burdens of health care by making possible the standardized, electronic transmission of many administrative and financial transactions that are currently carried out manually on paper.”

    9. The Purpose of Administrative Simplification
        “To improve the efficiency and effectiveness of the health care system by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.”

    10. What are the Causes of the “Administrative Burden?”
        - Different billing forms for different “payers”
        - Different codes
        - Different claims attachments
        - NO STANDARDS!
        - Manual, electronic processing

    11. How Cost Reduction Will (Eventually) Be Achieved
        - Reduce overall health care costs by reducing administrative costs
        - Reduce human intervention
        - Reduce errors
        - Reduce processing time
        - Reduce Fraud
        - Make EDI viable and “preferred” to manual processing

    12. Administrative Simplification Reality
        - Save money by setting standards and requirements for electronic transmissions.
        - Public responsibility imposed additional purpose: protect security and privacy of individually identifiable health information.

    13. Impact of Individual HIPAA Components on DHH Enterprise

    14. HIPAA EDI Extension Law
        - Administrative Simplification Compliance Act, aka H.R. 3323.
        - May file a compliance plan with HHS by 10/16/2002
        - Testing must be planned to start by 4/16/2003
        - For those who file plans, new compliance date for transactions 10/16/2003.
        - No delay for privacy compliance 4/14/2003.
        - All Medicare claims must be in standard electronic form by 10/16/2003, exception for very small providers.

    15. HIPAA: The race to compliance is on!

    16. Scope: Who is a HIPAA “Covered Entity”?
        - “A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.” Providers get a choice; made by conducting electronic transactions (or getting a business associate to).
        - “A health plan.” Explicitly including government plans such as Medicaid & Medicare, VA, DoD, CHAMPUS, IHS, etc. All health plans are covered (or $ cannot be saved). Exceptions for some not primarily “health” plans, e.g., Workers Comp, property & casualty.
        - “A health clearinghouse”

    17. Use of Electronic Billing Transactions in Medicaid
        - Louisiana Medicaid began electronic billing in 1991
        - More than 85% of Louisiana Medicaid claims are submitted electronically

        Even before 1991, some very large Louisiana providers were using magnetic tape billing.

    18. Dealing with Ambiguity— the “Covered Entity” Question
        - DHH has certain programs and functions which may not legally be required to comply with EDI
        - Medicaid is a named health plan—health plans are required to comply with Standard Codes and Transactions
        - Programs offices have health care provider functions and also may have programs & functions that meet the HIPAA definition of a functional health plan (any program that pays for medical care or assists in joint administration of a plan)
        - Clearinghouses are the third classification of covered entities named in the law
        - Consideration must also be given to whether a program or function is a business associate of another “covered entity” and therefore required to comply with HIPAA principles

    19. DHH Compliance Strategy: We’re All in the Boat Together
        - Legal opinion is that DHH is the “covered entity”—Department wide compliance with privacy component is required
        - Voluntary compliance even for those programs and functions not mandated to comply is good business practice

    20. Possible DHH Approaches to HIPAA Implementation
        - Option A: It’s a federal mandate. Technically comply and nothing more.
        - Option B: Evaluate and update business practices. Update in a HIPAA compliant manner.

        We are working to meet the real needs of our stakeholders and the state—not just minimally comply.

    21. HIPAA Opportunities for DHH
        - Contain growth of health care administrative costs
        - Better ability to aggregate and compare data
        - Modernize outdated business practices
        - Faster, more consistent claims payment & processing

        Why promote Electronic Data Interchange? It was estimated by the Clinton Health Care initiative that 15 – 22% of health care costs are attributable to administration. Use of standards will facilitate the development of benchmarks and evaluation that is currently not possible when you’re not comparing “apples to apples.” We are using the opportunity to update business processes, update provider manuals, and implement improvements in Medicaid administration.

    22. Introducing Business Associates to the Equation
        - Only covered entities are subject to the rules.
        - This limit doesn’t make sense because healthcare uses outsourcing extensively and these other entities would not be required by law to safeguard our health information …
        - … so ‘business associate agreements’ were invented to obligate outsource agents, vendors, and contractors to safeguard the health information they need to do their jobs.

    23. “Covered Entities” for Purposes of HIPAA Applicability

    24. Definition of a “Business Associate”
        - A person who, on behalf of DHH, performs or assists in performance of healthcare activity involving the use or disclosure of individually identifiable health information
        - DHH employee is not a “Business Associate”
        - Health care provider who submits claims to DHH or Medicaid for payment is not a “Business Associate”

    25. DHH Must Monitor Contract Compliance
        - We would be found “out of compliance” with the privacy rule requirement if we knew of a “pattern of activity or practice” by a business associate that violated our contract, unless we were taking steps to end the violation
        - If business associate can’t “cure” the violation, we must:
            - Terminate the contract
            - If not feasible to terminate the contract, report the problem to the Secretary of DHHS

    26. What DHH Doesn’t Have to Do for “Business Associates”
        - Require them to appoint a privacy official
        - Actively monitor how they safeguard PHI
        - Oversee their other privacy processes or procedures
        - Train their staff in the whys and wherefores of the privacy rule

    27. HIPAA Challenges for DHH
        - Rapidly approaching deadline for Standard Transactions & Codes
        - Medicaid local codes must be replaced
        - Cost issues
        - Trending may be lost

        We are keenly aware that legislation is pending in both the U.S. Senate—S 836 sponsored by Senator Larry Craig (R-Idaho) and the House—H.R. 1975 sponsored by Representative John Shadegg (R-Arizona)—which would provide for a more lengthy implementation schedule for HIPAA Administrative Simplification regulations. Our workplan assumes there will be no delay. Local codes are a real issue.

    28. HIPAA & Public Health Data Collection/Reporting Issues
        - Format and definitions of reported information could change data being collected
        - Real and perceived risk of penalties for wrongful disclosure could result in refusals to report
        - Absence of clear and specific legal authority for public health data reporting could jeopardize surveillance programs

    29. Potential Indirect Effects of HIPAA on Public Health
        - Public Health may need to provide assurances to their reporters and the public that data sharing for public health purposes is still appropriate
        - Public Health may need improved documentation, policies, and procedures, to demonstrate that data falls within the public health purposes exception

    30. “Local Codes” Issue for Medicaid (and OPH)
        - La Medicaid gap analysis revealed more than 1200 local codes (“X” and “Z” codes)
        - Impacts Medicaid’s ability to customize coverage and reimbursement policy
        - Codes will dictate policy, rather than vice versa—(e.g., family planning)
        - DHH cannot electronically process a claim for service if standard code does not exist
        - Over $11M in local code Medicaid billings by OPH

        “X” codes and “Y” codes must be crosswalked or mapped to standard code. Medicaid provides services not included in other health plans, for example the various waiver services, and EPSDT. Could require amendments to our Medicaid State Plan.

    31. November 2003 Worst Imaginable Scenario
        - Great confusion among providers—internal as well as external
        - Providers elect to submit paper claims rather than bill electronically, overwhelming the Medicaid claims system
        - Paper claims:
            - Cost more
            - Take longer
            - Intensify provider frustration

        We clearly recognize and appreciate the value of electronic billing and are working diligently to keep this scenario from becoming a reality.

    32. Philosophy for Future of Privacy
        - Privacy is the right to be unknown.
        - Ability to remain unknown in big city environments.
        - Real fear of discrimination based on misuse of information.
        - Increasing risk to privacy as more information is collected.
        - Information more sensitive - Genetics only the beginning.

    33. HIPAA Privacy is Primarily About Organizational Change
        - Privacy behavior must be habit.
        - Confidentiality has been an important part of the social contract with healthcare providers for over 2000 years.
        - Dispersion of information and responsibility to hundreds of people without such historical ‘values’ increases risk.
        - Privacy (and security) rules seem onerous because they require us to change and document what we do.
        - Eventually (soon), confidentiality will become ingrained habit, not onerous.

    34. HIPAA Privacy Compliance-- DHH’s Partial “To Do” List
        - Design new forms (Privacy Policy Disclosure Notice; Consent Form; Authorization Form)
        - Designate Privacy official(s)
        - Revise our written Privacy policy
        - Determine “minimum necessary”
        - Arrange for initial and ongoing privacy training for our employees
        - Modify systems to track all PHI disclosures for six years as required by the regulation.
        - Modify contracts with “business associates”

    35. HIPAA Enforcement ? Watching and Listening

    36. Some Last Words of Wisdom on Privacy
        “Common sense and reasonable behavior can take you a long way”

        We intend to be able to demonstrate we have shown due diligence. We have arranged for an independent validation and verification assessment in early 2002.

    37. BE REASONABLE!

    38. Working Together

    39. DHH HIPAA Compliance Project Team

    40. DHH HIPAA Implementation Primary Contacts

    41. Helpful HIPAA Websites
        - www.hipaagives.org
        - www.wedi.org
        - www.sharpworkgroup.com
        - www.cms.gov
        - www.hipaadvisory.com

    42. Don’t get left behind …
