IOWA STATE ASSOCIATION OF COUNTIES Health Insurance Portability and Accountability Act of 1996 (HIPAA). Mary Knapp September 17 and 18, 2002. Changes Are Coming.
Changes Are Coming This presentation should not be construed as legal advice or as pertaining to specific factual situations. The information, while believed correct at the time it was compiled, is subject to change as not all HIPAA security regulations have been finalized and interpretations and guidances continue to modify our analysis.
WHY HIPAA? • Insurance Reform • Improve portability and continuity of health insurance for employees • Extend Fraud And Abuse Prevention Measures • Dedicate additional resources to fraud and abuse enforcement (not just Medicare and Medicaid)
WHY HIPAA? (continued) • Administrative Simplification • Standardize how information is exchanged (transaction) between providers, health plans and employers using one format and one set of diagnostic/billing codes • Go electronic • Keep it private and secure
Effective Compliance Dates to Remember • Privacy Standards - April 14, 2003. • EDI Standards - October 16, 2003 (with the submission of an extension request, which must be filed with the Secretary of the DHHS before October 16, 2002). • Proposed Security Standards - two years after final regulations are published.
Introducing … “HIPAA Standards for Privacy of Individually Identifiable Health Information”
Privacy Regulations • December 28, 2000 - Privacy of Individually Identifiable Health Information Final Rule • July 6, 2001 - Office for Civil Rights Technical Assistance • March 27, 2002 - Notice of Proposed Rulemaking (NPRM) • August 14, 2002 - Final Changes to the Final Rule
Who’s A Covered Entity Under HIPAA? • Health Plans • Health Care Clearinghouses • Health Care Providers • who transmit any health information in electronic form in connection with the following standard transactions . . .
Standard Transactions • Enrollment and Disenrollment in a Health Plan (834) • Health Care Premium Payments (820) • Health Care Eligibility Benefit Inquiry and Response (270/271) • Referral Certification and Authorization (278) • Health Care Claims or Equivalent Encounter Information (837) • Health Care Claim Status (276/277) • Health Care Payment and Remittance Advice (835) • Coordination of Benefits (837) • First Report of Injury (148) (Delayed) • Additional Claim Information (275) (Delayed)
“And now, let’s determine if we are a covered entity, affiliated single covered entity, hybrid covered entity or organized health care arrangement.”
Privacy Rule Intent • Give clients more control over their health information. • Set boundaries on the use and release of health records. • Establish appropriate safeguards to protect privacy of health information. • Hold violators accountable - civil and criminal penalties. • Strike a balance between privacy and public good.
Privacy Rule Requirements • Provide information to clients about their privacy rights and how their information can be used through a Notice of Privacy Practices. • Adopt clear privacy policies and procedures. • Train employees.
Privacy Rule Requirements(continued) • Designate privacy official and security officer to ensure that privacy and security procedures are adopted and followed. • Client records containing individually identifiable health information are secure to prevent access by those who do not need them.
“HIPAA Speak” • New foreign language created by legislation for the express purpose of making the learner feel as though they have landed in a parallel universe where basic common sense and plain language are unheard of.
Individually Identifiable Health Information (IIHI) Information, including demographic information, that: • Is created or received by a health care provider, a health plan, an employer or a health care clearinghouse; • Relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or payment for health care; and • Identifies the individual, or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
“Protected Health Information” (PHI) Individually Identifiable Health Information that is: • Transmitted by electronic media • Maintained in electronic media • Transmitted or maintained in any other form (including oral or written PHI)
“Record” Any item, collection, or grouping of information that includes PHI and is maintained, collected, used or disseminated by or for a covered entity.
Designated Record Set • Group of records maintained by or for a covered entity. • Medical records and billing records about individuals. • Used, in whole or in part, by or for the covered entity to make decisions about individuals. • Enrollment, payment, claims adjudication and case or medical management records maintained by or for a health plan.
Notice of Privacy Practices • Covered entities must . . . • Provide individuals with written notice of the uses and types of disclosures of PHI made by the covered entity • Also describe the individual’s rights and the covered entity’s obligations regarding PHI • Covered entities with direct treatment relationship must make a good faith effort to obtain an individual’s written acknowledgment of receipt of the provider’s notice of privacy practices.
Notice of Privacy Practices (continued) • Good faith effort - individual’s failure or refusal to sign or provide acknowledgment, despite covered entity’s good faith effort, would not preclude the provider’s ability to use or disclose PHI for treatment, payment or health care operations.
Notice of Privacy Practices Individual Rights
Right to Access own Protected Health Information (PHI) • Regardless of who created the information. • Form and format can be requested by the individual. • Fees must be agreed upon in advance. • Must be in a timely manner. • May require written request (included in Notice of Privacy Practices).
Right to Request Additional Protections • Right to request additional privacy protections • Covered entity may refuse • If covered entity agrees, they must always do it • Right to request to receive communications in alternate fashion • Accommodate reasonable request
Individual’s Right to Request Amendment • The covered entity may require individuals to make requests for amendment in writing and to provide a reason to support the requested amendment. • Covered entity must inform the individual in advance of requirements.
Right to Request Amendment • A client has the right to request amendment of PHI maintained in the designated record set. • The covered entity will have 60 days to respond to an individual’s request. • The final regulations specify certain required processes and standards for managing this process.
Right to an Accounting of Disclosures • Covered entity must account for disclosures made within six years prior to the request • Excludes disclosures that are: • Made pursuant to an authorization • Of a limited data set • Incidental • For Treatment, Payment or Operations (TPO) • Other (e.g., national security, law enforcement)
Right to an Accounting of Disclosures (continued) • An accounting to the individual of the disclosures of his/her PHI must include: • Date of each disclosure • Name and, if known, address of party that received the PHI • Brief description of the PHI disclosed • The purpose for which the PHI was disclosed, or a copy of an individual’s authorization, or a copy of the request for disclosure
HIPAA Consent • Consent for disclosure of PHI for treatment, payment, and health care operations (TPO) on the part of all covered entities is now optional.
Authorization • An authorization is a more customized document that gives the covered entities permission to use specified PHI for specified purposes, which are generally other than TPO, or to disclose PHI to a third party specified by the individual.
Authorization (continued) • Plain language describing the information in a specific and meaningful fashion • Name of person(s) authorized to make the requested use/disclosure and of the person(s) authorized to receive it • Expiration date, signature, date and copy • Statement of each purpose of the disclosure or use • Individual's right to revoke in writing
Limited Data Set • A covered entity may use and disclose a “limited data set” for research, public health, or health care operations. • A limited data set is PHI that has been stripped of 16 identifiers of individuals and their relatives, household members and employers. • A covered entity must obtain a “data use agreement” from the intended recipient of the limited data set before disclosing the data to the recipient.
Oral Communications • Covered entities must reasonably safeguard all PHI (including oral information) from any intentional or unintentional use or disclosure that is in violation of the rule.
Oral Communications(continued) • Certain incidental uses and disclosures are permissible as long as they are secondary disclosures that: • could not reasonably be prevented • are limited in nature • are the by-product of an otherwise permissible use or disclosure
“Minimum Necessary” Requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, PHI to the minimum necessary information needed to accomplish the intended purpose.
Government Access to Health Information The Privacy Rule allows disclosures that are required by law. For example, all states have laws that require providers to report cases of specific diseases to public health officials.
Business Associates • Business Associates are not members of the covered entity's workforce, which consists of: • Employees • Volunteers • Trainees • Others under direct control
Business Associates (continued) • Person or entity who provides certain functions, activities, or services on behalf of, or to, a covered entity that involve the use and/or disclosure of PHI. • Covered entities can operate under written contracts that exist before October 15, 2002 until those contracts are up for renewal or until April 14, 2004, whichever is sooner.
Introducing … “HIPAA Security and Electronic Signature Standards: Proposed Rule”
Areas Covered By Security Standard • Administrative Procedures • Physical Safeguards • Technical Security Services • Technical Security Mechanisms
Administrative Procedures Documented, Formal Practices & Procedures for: • Recovering lost information • How information flows through your department • Controlling access to information
Administrative Procedures (continued) Documented, Formal Practices & Procedures for: • Reporting security breaches • Maintaining security throughout personnel changes • Security awareness training
Physical Safeguards Protect physical computer systems, related buildings, and equipment: • Keeping floppy disks, CDs, backup tapes secure. • Controlling access to areas and departments. • Logging off workstation when finished. • Providing a secure location for workstations.
Technical Security Services • Processes to protect information and control individual access: • Providing for emergency access to secure information • Automatic logoff • Unique user ID and password
Technical Security Mechanisms Processes to guard against unauthorized access to data transmitted over a communications network: • Confidential information sent over the Internet must be encrypted. • Verify information that is sent arrives unmodified. • Determine who accessed what information and when.
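The two preceding slides list technical safeguards as requirements without showing what they look like in software. The following is an added example written for this page, not code from the presentation or from any HIPAA regulation: a small access-mediation layer for PHI records that enforces unique user IDs, automatic logoff after inactivity, a logged "break-glass" emergency access path, a minimum-necessary view per role, and an audit trail of who accessed what and when; plus an HMAC tag so the receiver of a transmitted record can verify it arrived unmodified. The roles, field sets, inactivity limit and sample record are constructed assumptions. Confidentiality in transit (the slide's encryption requirement) is not implemented here and is assumed to come from the transport, e.g. TLS.

```python
"""Added example of HIPAA technical safeguards: access mediation, audit trail,
automatic logoff, emergency access and integrity verification.  Illustrative
code only; all names, roles and records below are constructed for the example."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

INACTIVITY_LIMIT = 15 * 60  # seconds of inactivity before automatic logoff (assumed policy value)

# Constructed "minimum necessary" field sets: each role sees only what its job needs.
ROLE_FIELDS = {
    "billing": {"patient_id", "insurer", "claim_amount"},
    "clinician": {"patient_id", "diagnosis", "medications"},
}

# Constructed sample record store.
RECORDS = {
    "P-1001": {"patient_id": "P-1001", "insurer": "ExamplePlan", "claim_amount": 120.0,
               "diagnosis": "J45.909", "medications": ["albuterol"]},
}


@dataclass
class Session:
    user_id: str        # unique per person; shared or group accounts are not allowed
    role: str
    last_activity: float


@dataclass
class AuditLog:
    """Records who accessed which record, when, and with what outcome."""
    entries: list = field(default_factory=list)

    def record(self, ts, user_id, action, record_id, outcome, reason=""):
        self.entries.append({"ts": ts, "user": user_id, "action": action,
                             "record": record_id, "outcome": outcome, "reason": reason})


class PHIStore:
    def __init__(self, audit: AuditLog, now=time.time):
        self.audit = audit
        self.now = now  # injectable clock so the logoff rule can be tested

    def read(self, session: Session, record_id: str, emergency: bool = False) -> dict:
        now = self.now()
        # Automatic logoff: an idle session may not be used, and the attempt is logged.
        if now - session.last_activity > INACTIVITY_LIMIT:
            self.audit.record(now, session.user_id, "read", record_id, "denied", "session expired")
            raise PermissionError("automatic logoff: session expired")
        session.last_activity = now

        rec = RECORDS.get(record_id)
        if rec is None:
            self.audit.record(now, session.user_id, "read", record_id, "denied", "no such record")
            raise KeyError(record_id)

        # Emergency ("break-glass") access: the full record is released, but the
        # access is always written to the audit log for later review.
        if emergency:
            self.audit.record(now, session.user_id, "read", record_id, "allowed", "emergency access")
            return dict(rec)

        allowed = ROLE_FIELDS.get(session.role)
        if allowed is None:
            self.audit.record(now, session.user_id, "read", record_id, "denied", "unknown role")
            raise PermissionError(f"role {session.role!r} has no access")
        view = {k: v for k, v in rec.items() if k in allowed}
        self.audit.record(now, session.user_id, "read", record_id, "allowed",
                          "fields=" + ",".join(sorted(view)))
        return view


def seal(record: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag so the receiver can detect any modification in transit."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "tag": tag}


def unseal(message: dict, key: bytes) -> dict:
    """Verify the tag (constant-time compare) before trusting the record."""
    payload = message["payload"].encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["tag"]):
        raise ValueError("integrity check failed: record modified in transit")
    return json.loads(payload)


if __name__ == "__main__":
    log = AuditLog()
    store = PHIStore(log)
    s = Session("u.billing", "billing", last_activity=time.time())
    view = store.read(s, "P-1001")
    msg = seal(view, b"shared-key-assumed-distributed-out-of-band")
    print(unseal(msg, b"shared-key-assumed-distributed-out-of-band"))
    print(log.entries)
```

The HMAC key must be shared with the receiver out of band; the tag proves integrity and origin to anyone holding the key, but does nothing to hide the record, which is why encryption of the channel is a separate requirement on the same slide.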
Introducing … “HIPAA Electronic Data Interchange -- Transactions and Code Sets: Final Rule and Postponement”
Streamlining Payment • Create national standards for the storage and transmission of electronic health information • Over 400 different formats for e-submission of health care claims in the US today • EDI standards will require uniform codes for all payers • Uniformity = Cost Savings
The Origins of EDI “Now, while we’re dancing, let’s all be thinking how we can step up doll production, cut costs in the toy car division, and eliminate waste in all departments.”