HIPAA FOR SELF-INSURED EMPLOYERS – WHAT YOU DON'T KNOW CAN HURT YOU
AICC 2003 Spring Meeting, San Antonio, TX
Scott R. Harrison, KPMG LLP
March 27, 2003
OVERVIEW
• Health Insurance Portability and Accountability Act (HIPAA)
• Signed into law August 21, 1996
• Principal objectives:
  • Improve portability and continuity of health coverage for employed Americans
    • Limits exclusions for preexisting conditions
    • Provides credit against maximum pre-existing condition exclusion periods for prior health coverage
  • Ensure that protected health information is not used to discriminate in employment decisions
  • Administrative simplification
    • Standardized transaction code sets
    • Encourage electronic processing of claims
  • Establish privacy and security guidelines for protected health information
    • Most significant requirements for employers and plans
HIPAA AT A GLANCE
HIPAA Administrative Simplification Requirements: Security, Privacy, Code Sets, Identifiers, Transactions (EDI)
Goals:
• Improve Efficiency
• Reduce Costs
• Improve Quality
• Protect Personal Health Information
ENTITIES AFFECTED BY HIPAA
• Health insurers (includes HMOs and others)
• Data transaction "clearinghouses"
• Third party administrators
• Self-Insured Employers
  • Self-insured ERISA health plans are "Covered Entities" and therefore subject to HIPAA

EMPLOYERS AND HIPAA
• The plan, not the employer, is subject to HIPAA's requirements
• The employer is not a Covered Entity, nor is it a "Business Associate"
  • Even if it is the plan sponsor!
• Business associate contract with plan is not required
BENEFITS TO EMPLOYERS & PLANS
• Reduced paperwork
• Improvements in eligibility processing
• Improvements in claims processing
• Reduced administrative time & effort
• Better data
• $ savings

REMEMBER!
• For self-insured employers, HIPAA is about how you manage your relationship with your employees
  • What you know about their health status
  • What you do with that information
HIPAA'S PRINCIPAL ELEMENTS
• PRIVACY
• SECURITY
• TRANSACTION CODE SETS
• This presentation focuses on Privacy and Security

DISTINGUISHING BETWEEN PRIVACY & SECURITY
• Security vs. Privacy
• Security is the process and mechanism to limit and provide access to data: preventing unauthorized access
• Privacy is what is afforded personal health information: the treatment given to protected information

HIPAA PRIVACY
• Objectives
  • Limits employer access to and use of Protected Health Information (PHI)
  • Limits what health-related information an employer is permitted to know about an employee
  • Prohibits using PHI to discriminate against an individual based on eight (8) protected health factors
  • Affects what an employer is able to do with health-related information
HIPAA PRIVACY
• First, what is PHI?

PHI INCLUDES
• Names
• All geographic subdivisions smaller than States
• All elements of Dates excluding year
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/License numbers
• Vehicle identifiers
• Device identifiers and serial numbers
• WEB universal resource locator (URL)
• Internet protocol address number (IP)
• Biometric identifier
• Any other unique identifying number, characteristic, or code
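The identifier list above is what a plan has to strip before claims data can be passed to the employer as non-identifying summary information. The script below is an added example (not part of the presentation or KPMG's material) that applies the list to a constructed, flat claims record: named identifier fields are dropped, date fields are reduced to the year, and free-text notes are scanned for identifier patterns that leak through prose. The field names, regular expressions and the sample record are assumptions for illustration; the regulation's de-identification rule also carries conditions this slide does not list (for example on ZIP codes and ages over 89), so the output is a first-pass check for the privacy official, not a compliance determination.

```python
"""First-pass de-identification against the PHI identifier list.

Added example, not code from the presentation. Assumes a flat record of
named fields; field names and patterns are illustrative assumptions.
"""
import re
from datetime import date

# Fields assumed to carry one of the identifier classes listed on the slide.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "zip",          # names; geography below state level
    "phone", "fax", "email",
    "ssn", "medical_record_number", "beneficiary_number", "account_number",
    "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric_id",
}

# Date fields: keep only the year ("all elements of dates excluding year").
DATE_FIELDS = {"date_of_birth", "date_of_service", "admission_date"}

# Patterns for identifiers that tend to leak through free-text notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}


def year_only(value):
    """Reduce a date (ISO string, date object, or already a year) to its year."""
    if isinstance(value, date):
        return value.year
    return int(str(value)[:4])


def deidentify(record):
    """Return (clean_record, report).

    clean_record drops direct identifier fields, reduces date fields to the
    year and redacts identifier patterns inside string values; report lists
    each change so the privacy official can review what was removed.
    """
    clean, report = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            report.append(f"dropped {field}")
            continue
        if field in DATE_FIELDS:
            reduced = year_only(value)
            if reduced != value:
                report.append(f"reduced {field} to year")
            clean[field] = reduced
            continue
        if isinstance(value, str):
            for kind, pattern in FREE_TEXT_PATTERNS.items():
                value, count = pattern.subn(f"[{kind} redacted]", value)
                if count:
                    report.append(f"redacted {count} {kind} in {field}")
        clean[field] = value
    return clean, report


def is_identifying(record):
    """True if the record still holds any field or pattern from the list."""
    _, report = deidentify(record)
    return bool(report)


# Constructed sample claims record (not real data).
SAMPLE_CLAIM = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "zip": "78205",
    "state": "TX",
    "date_of_birth": "1970-03-15",
    "date_of_service": date(2003, 2, 28),
    "diagnosis_code": "J45.20",
    "paid_amount": 412.50,
    "notes": "Patient asked to be reached at 210-555-0100 or jane@example.com",
}

if __name__ == "__main__":
    cleaned, changes = deidentify(SAMPLE_CLAIM)
    for line in changes:
        print(line)
    print(cleaned)
```

Running the block prints the change report and the cleaned record; `is_identifying` is the check to run before any extract leaves the plan, and a second pass over the cleaned record reports nothing.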
PROTECTED HEALTH FACTORS
• Health status
• Medical condition
• Claims experience
• Receipt of health care
• Medical history
• Genetic information
• Evidence of insurability
• Disability
HIPAA RESTRICTS DISCLOSURE OF PHI TO EMPLOYER
Disclosure of PHI to an Employer requires:
• Notice and disclosure to plan participants
• Certification
• Amendment to Summary Plan Document (SPD), and data shared only for the designated purpose
EMPLOYER CERTIFICATION
• Prohibits use or disclosure of PHI other than as permitted by the Summary Plan Document
• Ensure subcontractors and/or agents agree to same restrictions
• Precludes use of any PHI in employment-related decisions
• Report to Group Health Plan any impermissible uses or disclosures
• Makes available to plan participants an accounting of the plan's disclosures of PHI as provided in the Privacy rule

PHI – ERISA Health Plan may…
• …disclose PHI to Employer for defined administrative functions only
• …not disclose PHI to Employer for employment-related decisions
• …provide summary health information to plan sponsor for purpose of obtaining premium bids on health insurance
• …provide notice of privacy practices

SECURITY
• Basic Requirements:
  • Assigned Security Responsibility
  • Physical Access Controls
    • Facility security plan
    • Media control
    • Authorization procedures
    • Visitor escort policy
  • Workstation & Laptop Use
    • Physical access
    • Security software/hardware controls
    • Encryption
  • Security Awareness Training
  • Gap Analysis
HIPAA OVERVIEW: AS STANDARDS

| AS Standard | Applicable | Final Standard Expected | Compliance Deadline |
|---|---|---|---|
| Security and Electronic Standards | Yes | January - February 2001 (estimated) | Two Years after Final Standard |
| Health Care Transactions and Code Sets | Need to Evaluate | Effective Date: October 16, 2000 for Final Rules on Transactions and Code Sets | October 16, 2002/3 |
| National Provider Identifier | Need to Evaluate | Spring 2001 | Spring 2003 |
| National Employer Identifier | Need to Evaluate | Early Summer 2001 | Summer 2003 |
| Privacy | Yes | Effective Date: April 14, 2001 | April 2003 |
| Health Plan ID | Need to Evaluate | Spring 2001 | Spring 2003 |
| Attachments | Need to Evaluate | Spring/Summer 2001 | Spring/Summer 2003 |
HIPAA EMBRACES MULTIPLE BUSINESS REALMS:
• Information Systems Management
• Business Processes Management/Operations
• Assurance/Audit/Compliance
• Legal aspects and ramifications

HIPAA'S BUSINESS IMPACT AND CONSIDERATIONS
• Strategic Challenges
• People
• Processes
• Technology
• Relationships

HIPAA'S BUSINESS IMPACT AND CONSIDERATIONS
• Strategic Challenges:
  • How can your organization most effectively control costs associated with your HIPAA Project? How strong are project management skills?
  • What are the objectives of the organization's HIPAA Project? What do you want to get out of it? What can you get out of it? Are there opportunities for:
    • Identifiable and measurable return on investment
    • More reliable, trusted business processes
    • Opportunities to offer new or enhanced communication channels
  • Are HIPAA efforts aligned and integrated with overall business strategies and initiatives?
HIPAA'S BUSINESS IMPACT AND CONSIDERATIONS
• People:
  • Are employees aware of their responsibility and accountability for protecting personally identifiable health information? Are policies clearly communicated? Are education and awareness appropriate?
  • Have you identified individual(s) responsible for the organization's security and privacy?
  • What is the organization's culture? Is there a resistance to change?
  • Will more stringent security and privacy measures negatively impact employee performance?
HIPAA'S BUSINESS IMPACT AND CONSIDERATIONS
• Processes:
  • How are HIPAA transactions conducted today? Are there opportunities to realize efficiencies by leveraging standards and automating processes? Can we streamline processes, enhance data quality, improve access to information, and establish trust?
  • What new or changing processes will need to be in place to address privacy and security requirements?
  • Where and how does the organization obtain, maintain and monitor consents and authorizations?
  • What policies must be put in place to address HIPAA's requirements? What is the impact of rolling out these new policies?

HIPAA'S BUSINESS IMPACT AND CONSIDERATIONS
• Technology:
  • What are your organization's current technical capabilities? Will changes be necessary? Are there opportunities to put in place more flexible, scalable, enterprise solutions? Can current technologies be leveraged by using complementary technologies?
  • What is the role and ability of vendors to enable compliance?
  • Have you built HIPAA's requirements into current and future development efforts?

HIPAA'S BUSINESS IMPACT AND CONSIDERATIONS
• Relationships:
  • What systems, data and resources do business associates have access to? What data do we provide to or receive from them?
  • How will we hold business associates accountable to adequately protect personally identifiable health information (e.g., business associate agreements)?
  • Do opportunities exist for more cost-effective communication channels?
HIPAA: Getting There from Start to Finish
STRATEGIC AREAS FOR ASSESSMENT
• Assess how employee and dependent PHI is currently obtained, filed, stored and used.
• Determine which units/departments perform covered functions and qualify as Covered Entities.
• Determine what systems, both electronic and paper, are involved with the creation, maintenance and transfer of PHI; who has system access; current system security; and current system confidentiality policies and procedures.
• Review and revise Plan documents. Review all health/medical care insurance coverage, including stop-loss or reinsurance policies.
• Re-structure the human resources or benefits department to ensure that only certain specified individuals or groups of individuals with responsibility for plan administration have access to Plan participants and beneficiaries. Develop privacy policies, training programs and disciplinary mechanisms.
HIPAA: Getting There from Start to Finish
STRATEGIC AREAS FOR ASSESSMENT
• Review current procedures for maintaining employee records containing PHI and, if necessary, revise to ensure that such information cannot be used in employment-related decisions.
• Review all plan-related relationships to determine if business associate agreements are needed. Re-negotiate contracts where necessary.
• Review enrollment and dis-enrollment practices.
• Review all computer systems involved in Plan administration to ensure that the Plan can be compliant with HIPAA's electronic standards.

APPROACHING COMPLIANCE
• Know the law
• Appoint Knowledge Champions
• Know your parameters (budget, geography, personnel)
• Have an understanding of your current compliance status
• Know the long range goals of your organization beyond HIPAA

COMPLIANCE PROGRAM
• Essential Elements:
  • Designate a Privacy Official to manage HIPAA
  • Perform risk assessment and gap analysis
  • Institute and document policies and procedures to comply with Privacy rule
  • Train and document employees on all PHI policies and procedures
  • Have in place appropriate administrative, technical and physical safeguards to protect privacy of PHI
  • Apply and document sanctions against workers who violate privacy policies
KPMG's HIPAA LIFE CYCLE

PHASE I: HIPAA PROJECT PLANNING
• Determine approaches and scope
• Establish initial responsibilities
• Schedule initial project activities
• Develop initial project time lines and work plans
• Develop status reporting arrangements
Support across this phase: project planning and scoping experience

PHASE II: HIPAA APPLICABILITY & AWARENESS TRAINING
• Perform HIPAA Applicability Study
• Identify groups with key HIPAA compliance roles
• Identify & match initial training needs with audiences
• Examine training alternatives including e-training
• Conduct initial training
Support across this phase: training content & delivery, including e-training

PHASE III: HIPAA AWARENESS & GAP ANALYSIS
• Assess current state compliance
• Complete gap analysis & develop action plan
• Identify opportunities for cost savings, efficiencies or risk reduction
• Perform risk assessment and prioritization of safeguards
• E-Survey supplement & HIPAA Watch
Support across this phase: analysis experience, cost/benefit & risk calculation help

PHASE IV: HIPAA IMPLEMENTATION PLANNING
• Develop Privacy and Security frameworks
• Evaluate cost/benefit and risk reduction alternatives
• Consider process improvements
• Select compliance alternatives
• Develop EDI test plan
• Change management
• Opportunities for cost savings and/or margin enhancement
Support across this phase: process analysis, design of safeguards, evaluation of choices

PHASE V: HIPAA IMPLEMENTATION & COMPLIANCE MONITORING
• Implement Privacy and Security safeguards
• Test/implement EDI and code set standards
• Develop/implement compliance monitoring and metrics programs
• Conduct ongoing risk management program
• Continue with ongoing training and updates
Support across this phase: metrics, compliance measures, risk management

Project management, risk management and quality assurance run throughout the compliance life cycle.
QUESTIONS & DISCUSSION

KPMG CONTACTS
If you have any questions concerning this presentation please contact:
Scott R. Harrison
KPMG LLP
2001 M Street, NW
Washington, DC 20036
202-533-3092
srharrison@kpmg.com