Briefing: The Impact of HIPAA on the Military Health System Date: 20 March 2007 Time: 1610 - 1700
Objectives
• Brief review of the history of the Health Insurance Portability & Accountability Act (HIPAA)
• Learn what’s really required by HIPAA & what’s not
• Learn about the new HIPAA requirements on the horizon
• Take advantage of HIPAA resources on the Internet
How Did We Get Here?
• Move toward standard Electronic Data Interchange (EDI) transactions and away from paper-based processes
  • Healthcare industry pushing this effort in early 1990s
  • Workgroup for EDI (WEDI) was taking the lead
  • Estimated $42 billion in net savings (1995-2000) – 1993 WEDI Report
• Recognize the need to protect electronic health data
  • Role of “those privacy zealots”
History of HIPAA
• Health Insurance Portability and Accountability Act (HIPAA) – P.L. 104-191
• Also known as Kennedy-Kassebaum Bill (K2) or Kassebaum-Kennedy, depending on your party affiliation
• House of Representatives passed it 421-2
• Senate passed it unanimously
• Signed into law on August 21, 1996, by President Clinton
HIPAA Components
• Insurance Portability
• Accountability (Fraud & Abuse)
• Administrative Simplification
Intents of HIPAA Administrative Simplification
• Reduce Paperwork
• Improve Efficiency of Health Systems
• Protect Security and Confidentiality of Electronic Health Information
HIPAA Rule Making Process
• Department of Health & Human Services (DHHS) publishes Notice of Proposed Rule Making (NPRM)
  • 60-day comment period
  • Receive written public input
• Comments reviewed, resulting in modifications to the Final Rule version
• Final Rule published in Federal Register
  • Congress has 60 days to make changes
• Two years before Final Rule becomes effective
  • Normally
HIPAA’s Original Timeline
• HIPAA signed into law on August 21, 1996
• All Final Rules to be issued by February 21, 1998
  • Eighteen months after signing into law
• Full compliance to be achieved by April 22, 2000
  • We’ve been under HIPAA for nearly 7 years!!!
• What happened to the original timeline?
  • DHHS had three (3) Number One priorities
    • Y2K
    • Balanced Budget Act (BBA) of 1997
    • HIPAA
Timetable for Adoption of Standards

Standard                       NPRM         Final Rule Publication   Compliance Required
Transactions & Code Sets       05/07/1998   08/17/2000               10/16/2003 (with extension)
National Provider Identifier   05/07/1998   01/23/2004               05/23/2007 (2008 if <$5M)
National Employer Identifier   06/16/1998   05/31/2002               07/30/2004 (2005 if <$5M)
Security                       08/12/1998   02/20/2003               04/20/2005 (2006 if <$5M)
Privacy                        11/03/1999   12/28/2000               04/14/2003 (2004 if <$5M)

NPRM = Notice of Proposed Rule Making. The later year in parentheses applies to small health plans (<$5M).
Who Must Use the Standards?
• Covered Entities (CEs) include:
  • Health Plan
  • Health Care Clearinghouse
  • Health Care Provider (who transmits any health information in electronic form in connection with any covered transaction)
• MHS Direct Care System is considered to be a Health Care Provider
• Congress directed DHHS to use existing standards wherever possible rather than develop new ones
Civil & Criminal Penalties
• Civil penalty of $100 per violation, up to $25,000 maximum per year per HIPAA standard
• Wrongful disclosure of Individually Identifiable Health Information (IIHI)
  • Fined not more than $50,000, imprisoned not more than 1 year, or both
• If offense committed under false pretenses
  • Fined not more than $100,000, imprisoned not more than 5 years, or both
• If offense committed with intent to sell, transfer, or use information for commercial advantage, personal gain, or malicious harm
  • Fined not more than $250,000, imprisoned not more than 10 years, or both
ANSI ASC X12N & IGs
• ANSI – American National Standards Institute
• ASC X12 – Accredited Standards Committee (ASC) chartered by ANSI to develop standards for inter-industry electronic business transactions (EDI)
• X12N – the Subcommittee for Insurance, which developed the HIPAA EDI standards
• IGs – Implementation Guides that provide detailed formats for implementing the HIPAA EDI standards
  • Version 4010A of the HIPAA IGs is the standard
• National Council for Prescription Drug Programs (NCPDP) developed standards for retail pharmacy drug claims
Covered Transactions
• 837 – Health Care Claim (3 types)
  • Institutional
  • Professional
  • Dental
• Retail Pharmacy Drug Claim
  • National Council for Prescription Drug Programs (NCPDP) Telecommunication Standard Implementation Guide, Version 5.1, September 1999
  • NCPDP Batch Standard Batch Implementation Guide, Version 1.1, January 2000
• 270/271 – Health Care Eligibility Benefit Inquiry and Response
• 276/277 – Health Care Claim Status Request and Response
• 278 – Health Care Services Review
• 820 – Payroll Deducted and Other Group Premium Payment for Insurance Products
• 834 – Benefit Enrollment and Maintenance
• 835 – Health Care Claim Payment/Advice
• 837 – Coordination of Benefits
Mandated Code Sets
• ICD-9-CM – International Classification of Diseases – Clinical Modification for Diagnoses, 9th Edition (Volumes 1 and 2)
• ICD-9-CM – International Classification of Diseases – Clinical Modification for Inpatient Procedures, 9th Edition (Volume 3)
• CPT-4 – Current Procedural Terminology, 4th Edition
• CDT-3 – Code on Dental Procedures and Nomenclature, 3rd Edition
• HCPCS – Healthcare Common Procedure Coding System
Impact of HIPAA EDI
• Electronic claims just mean faster rejections if data is incomplete or incorrect
• Increasing emphasis on the need for quality data “the first time”
• Personnel savings may need to be redeployed to other areas in order to improve data capture and quality
• 837 is NOT JUST an electronic UB-92 or CMS 1500
• HIPAA transactions often require more data than is currently captured or stored
• State Prompt Payment laws will still be needed
• Electronic claims attachments (275) will be a big aid once they are available
Privacy vs. Security
• Privacy – What needs to be protected
  • Protected Health Information (PHI)
• Security – Methods by which we will protect it
• Need to determine the desired balance among:
  • Confidentiality of the data
  • Integrity of the data
  • Availability of the data
• Final Rules for Privacy issued December 2000 and August 2002
• Security Final Rule issued February 2003
Privacy Rule
• December 2000 Privacy Rule required patients to give consent before their protected health information (PHI) could be used for treatment, payment, or health care operations (TPO)
• August 2002 Privacy Rule dropped the consent requirement
  • Direct health care provider now just has to make a good faith effort to obtain an individual’s written acknowledgement of receipt of the provider’s Notice of Privacy Practices (NPP)
  • Copy of MHS NPP on TMA HIPAA Web Site
• Authorization by the individual is still required before a Covered Entity can release PHI for non-TPO purposes
  • Example: life insurance company seeking medical information regarding a policy applicant
• Access without written authorization allowed for national and public health needs
• Individual’s right of access
  • Patient can see their medical record
  • Can request copies
  • Can request amendments to medical record
    • Provider does not have to make the amendment
• Preemption – Final Rule cannot supersede more stringent state privacy laws
  • Establishes the Federal floor of safeguards
  • You need to know which state privacy laws still apply (i.e., those that are more stringent)
What Is IIHI?
• Individually identifiable health information (IIHI) is information that is a subset of health information, including demographic information collected from an individual, and:
  • Is created or received by a health care provider, health plan, employer, or health care clearinghouse
  • Relates to the past, present, or future physical or mental health condition of an individual; the provision of health care to an individual; or the past, present, or future payment for health care received by an individual; and that
  • Either identifies the individual or provides a “reasonable basis” to believe the information can identify the individual
What Is PHI?
• Protected Health Information (PHI) is IIHI that is:
  • Transmitted by electronic media
  • Maintained by electronic media
  • Transmitted or maintained in any other form or medium (includes written or oral communications)
• PHI excludes IIHI in:
  • Education records covered by the Family Educational Rights and Privacy Act (FERPA)
  • Employment records held by a CE in its role as an employer
Real World Privacy Issues
• “Anonymous” medical records identified in Massachusetts
  • Governor’s record included
• Survey finds one out of six patients engage in “privacy protected behaviors”
• Foreign transcriber threatens California medical center to release medical records on the Internet
  • Disagreement over back pay
HIPAA Security Rule Background
• Proposed Rule was issued August 12, 1998 covering Security and Electronic Signature Standards (39 pages)
• Many security and privacy recommendations based on the National Research Council’s 1997 report entitled For The Record: Protecting Electronic Health Information
• More than 2,300 comments submitted by individuals and organizations
• Security Final Rule issued February 20, 2003 (48 pages)
  • Provisions apply ONLY to electronic Protected Health Information (PHI)
  • Does not cover electronic signatures
    • DHHS will issue separate NPRM
    • Awaiting recommendation from National Committee on Vital & Health Statistics (NCVHS)
    • Date unknown
• Security Final Rule does not reference or advocate specific technology
  • Intentionally generic, scalable for both small and large organizations, technology neutral
• Each affected entity must assess its own security needs and risks and devise, implement, and maintain appropriate security measures to address its business requirements
  • Measures must be documented and kept current
• Challenge for the organization to assess its own security risks, weigh them, and implement appropriate solutions
HIPAA Security Standards – General Rules
• General requirements – Covered entities (CEs) must do the following:
  • Ensure the confidentiality, integrity, and availability of all electronic PHI the CE creates, receives, maintains, or transmits
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
  • Protect against any reasonably anticipated uses or disclosures of such information
  • Ensure compliance by its workforce
Some Operational Challenges
• Healthcare staff want to help others
  • We’re too trusting
• Security system is only as good as its weakest link
  • 999 secure passwords out of 1000 users is NOT “good enough”
• Hackers & Social Engineering
  • Attempt to exploit our desire to be helpful
  • Not enough to thwart them – need to report it to the right person so appropriate actions can be taken
• Don’t be a soft target
  • Hackers are lazy
• Viruses and worms
  • Need to be alert/wary
• Capability to track access to Protected Health Information (PHI)
  • Insurance company example – Harvard Community Health Plan
  • Patients can review who accessed their PHI
HIPAA Security Considerations
• How do you dispose of your obsolete PCs?
  • Savannah River DOE example
  • Indianapolis hospital example
• Do you allow providers to access your network from their home PCs?
• Any penalties for violations?
  • Are they ever enforced?
• Have you outsourced medical transcription? If so, how is PHI transmitted/stored & protected when off-site?
• Do your passwords contain both alpha and numeric characters as well as special characters, with a minimum length of at least 8 characters?
  • How often are they updated?
  • No yellow Post-Its on the PC monitor or under the desktop keyboard
Changes on the Horizon
• National Provider Identifier (NPI)
• New paper forms (UB-04, revised CMS 1500)
  • Implement use of NPI
• New draft HIPAA EDI transaction set
  • 275 – Electronic Claims Attachment
• Future use of ICD-10
National Provider Identifier (NPI)
• Health care providers began applying for NPIs beginning May 23, 2005
• Health care providers, health plans, and health care clearinghouses must begin using the NPI in standard transactions NLT May 23, 2007
  • Small health plans have until NLT May 23, 2008
• Is a 10-position numeric identifier (last digit is a check figure)
• Is an intelligence-free number
• NPI Type 1 – for health care providers who are individual human beings
• NPI Type 2 – for health care organizations
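The slide notes only that the NPI's last digit is a check figure; the check digit is in fact a Luhn check digit computed over the constant prefix "80840" followed by the first nine digits, as specified in CMS's NPI check-digit guidance. The following is an added example, not part of the briefing, that validates NPIs the way a data-entry screen for a provider repository could before accepting a submission; the sample batch is constructed, and 1234567893 is the worked example from the CMS guidance.

```python
"""Validate National Provider Identifier (NPI) check digits (added example).

Assumed facts (CMS-specified, not on the slide): the NPI is 10 digits and its
last digit is a Luhn check digit computed over "80840" + the first 9 digits.
"""

NPI_PREFIX = "80840"  # card-issuer prefix CMS prepends before the Luhn sum


def luhn_check_digit(payload: str) -> int:
    """Return the Luhn check digit for a digit string that excludes the check digit."""
    total = 0
    # Walk from the rightmost payload digit; that digit is the first one doubled.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9  # equivalent to summing the two digits of the product
        total += d
    return (10 - total % 10) % 10


def npi_check_digit(first_nine: str) -> int:
    """Check digit for the first nine digits of an NPI."""
    if len(first_nine) != 9 or not first_nine.isdigit():
        raise ValueError("NPI body must be exactly 9 digits")
    return luhn_check_digit(NPI_PREFIX + first_nine)


def is_valid_npi(npi: str) -> bool:
    """True when npi is exactly 10 digits and its last digit matches the Luhn check digit."""
    npi = npi.strip()
    if len(npi) != 10 or not npi.isdigit():
        return False
    return npi_check_digit(npi[:9]) == int(npi[9])


def screen_submissions(npis):
    """Split a batch of submitted identifiers into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for npi in npis:
        (accepted if is_valid_npi(npi) else rejected).append(npi)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample batch: one valid NPI, one wrong check digit,
    # one too short, one containing a letter.
    sample = ["1234567893", "1234567890", "123456789", "12345678A3"]
    ok, bad = screen_submissions(sample)
    print("accepted:", ok)   # ['1234567893']
    print("rejected:", bad)  # ['1234567890', '123456789', '12345678A3']
```

A check digit only catches transcription errors such as a mistyped or transposed digit; it does not confirm that the number was actually assigned to the provider who submitted it.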
Use of the NPI Type 1 in the MHS
• HA Policy 05-002 issued 26 January 2005 regarding NPI Type 1
  • Requires “all Health Care Providers who furnish billable health care services or who may initiate and/or receive referrals must obtain an NPI Type 1.”
• Services are responsible for ensuring all privileged/credentialed providers (including Reserve Component) obtain and submit their NPI to the TMA designated data base/repository prior to 23 May 2007
  • Services SGs have issued Memoranda of Instruction detailing Service-specific instructions
• As of 27 February 2007, 19,711 NPI Type 1 identifiers have been entered into DMHRSi
  • Still need an estimated 8,711 more NPI Type 1 identifiers!
• Only 64 days remaining until 23 May 2007 deadline
Use of the NPI Type 2 in the MHS
• HA Policy 05-012 issued 1 August 2005 regarding NPI Type 2
  • Requires all organizational health care providers within the MHS to obtain an NPI Type 2. These include:
    • MTFs that bill third party insurers
    • Pharmacy dispensing sites
• The Services are responsible for ensuring all applicable organizational health care providers obtain NPI Type 2 identifiers prior to 23 May 2007
• As of 27 February 2007
  • 128 NPI Type 2 identifiers for MTFs have been entered into DMHRSi
  • 600 NPI Type 2 identifiers for Pharmacy Dispensing Sites have been entered into DMHRSi
• Only 64 days remaining until 23 May 2007 deadline
New Paper Bill Forms
• Use of new revised CMS 1500 Form required beginning 1 February 2007
• Use of new UB-04 Form required beginning 23 May 2007
• Both new forms require use of NPIs beginning 23 May 2007
• MHS System Change Requests (SCRs) have been submitted for making changes to TPOCS and the CHCS MSA module to support the new paper claim formats
  • CHCS software change package to support the UB-04 will be available for MTFs to load beginning in early May 2007
• MTFs need to start ordering the new UB-04 and CMS 1500 forms
275 – Electronic Claim Attachment
• Claims Attachment NPRM issued 23 September 2005
• Will simultaneously use both ANSI X12 and HL7 EDI standards
• Six different attachment types proposed
  • Clinical Reports
  • Laboratory Results
  • Medications
  • Rehabilitation Services
  • Ambulance Service
  • Emergency Department
ICD-10 Implementation
• ICD-10s likely coming in 2009 – 2010
  • AHIMA & AMIA support October 2009 date
• TMA monitoring status of ICD-10 implementation in U.S.
• Changes will be made in MHS automated information systems to support the new code set once it is mandated
Truisms Regarding HIPAA Compliance
• Changing the organizational privacy & security culture will be the BIGGEST challenge
• HIPAA compliance has no finish line
  • National Committee on Vital & Health Statistics (NCVHS) recommended in February 2002 more clinical messaging formats as potential HIPAA standards for an electronic medical record (EMR)
  • New transaction sets will continue to be added (e.g., 275 – Electronic Claims Attachment)
HIPAA Resources on the Internet
• TMA HIPAA Web site
  • http://www.tricare.mil/hipaa/
• HA Policy 05-002 – NPI Entity – Type 1
  • http://www.ha.osd.mil/policies/2005/default.cfm
• HA Policy 05-012 – NPI Entity – Type 2
  • http://www.ha.osd.mil/policies/2005/default.cfm
• National Uniform Billing Committee (NUBC)
  • http://www.nubc.org/new.html
• National Uniform Claim Committee (NUCC)
  • http://www.nucc.org
• CMS HIPAA Web site
  • http://www.cms.hhs.gov/hipaageninfo/01_overview.asp?
• For the Record: Protecting Electronic Health Information, The National Academies Press, 1997
  • http://www.nap.edu or 1-800-624-6242
  • View free on-line version of For the Record: http://books.nap.edu/books/0309056977/html/index.html
• DHHS Office of Civil Rights (OCR)
  • http://www.hhs.gov/ocr/hipaa
• Washington Publishing Company – HIPAA EDI Implementation Guides
  • http://www.wpc-edi.com/hipaa/HIPAA_40.asp
• Workgroup for Electronic Data Interchange (WEDI)
  • http://www.wedi.org
• National Council for Prescription Drug Programs (NCPDP)
  • http://www.ncpdp.org
• National Committee on Vital & Health Statistics (NCVHS)
  • http://www.ncvhs.hhs.gov
Summary
• History of HIPAA
  • It’s been a law since 1996!
• What’s really required by HIPAA & what’s not
  • Need to separate truth from fiction
• New HIPAA requirements on the horizon
  • NPIs, new paper forms (UB-04, revised CMS 1500)
  • Additional covered transactions (e.g., 275)
  • Future use of ICD-10
• Take advantage of HIPAA resources on the Internet
  • No need to “reinvent the wheel!”
Summary
• History of the Health Insurance Portability & Accountability Act (HIPAA)
• What’s really required by HIPAA & what’s not
• New HIPAA requirements on the horizon
• HIPAA resources on the Internet
Quiz
• How do you spell HIPAA and what do the letters stand for?
• Who/what needs to get an NPI Type 1?
• Who/what needs to get an NPI Type 2?
• What form is replacing the UB-92?
• What form is replacing the CMS 1500?