Part III – HIPAA Reference
• HIPAA – In General
• Background
• Why Employers Should Care?
• Overview of Requirements
  • EDI Transaction Standards
  • Security
  • Privacy
• HIPAA Compliance Implementation
Background – In General
• Enacted in 1996, HIPAA was to incrementally address various issues within the health care industry
• Major elements include:
  • Improved health coverage portability requirements
  • Prohibitions on discrimination based on health status
  • Increased fraud enforcement
  • Simplifying the health care claim payment process to reduce administrative costs
    • Primarily by standardizing electronic data transactions, which raises security and privacy concerns
Background – Statutory Structure
HIPAA consists of five titles:
• Title I – Guarantees health insurance portability and renewal
• Title II – Administrative simplification
• Title III – Tax provision for medical savings accounts
• Title IV – Enforcement of group health plan provisions
• Title V – Revenue offset provisions
Background – Why was HIPAA Needed?
• Healthcare industry
  • Need for ease of data transfer
  • Move from paper to EDI (electronic data interchange)
• Economic reasons
• The “patient” as the “consumer”
• Increasing privacy and confidentiality concerns
• Legislative issues
  • 50 different states, with different laws, lack of consistency, and no minimum floor
Why Employers Should Care? – In General
• Although not a covered entity, any employer that provides group health benefits will be at least indirectly affected
• Employers with self-funded plans will be considered “hybrid” entities and their health plan operations will be directly subject to the rules
• Company access to employee health plan records for employment reasons (including administration of other benefit plans and laws) will be further limited
• Federal preemption of state laws will be limited to establishing minimum floor protection
• Certain customary practices may have to be changed
Why Employers Should Care? – Penalties
• Civil Monetary Penalties
  • $100 for each violation
  • $25,000 maximum per year, per violation
• Wrongful Disclosure (maximum penalty for each offense)
  • Each offense: $50,000 per offense and 1 year imprisonment
  • False pretenses: $100,000 per offense and 5 years imprisonment
  • Intent to sell, transfer or use: $250,000 per offense and 10 years imprisonment
• Federal Programs
  • Exclusion from federal programs anticipated
• Accreditation
  • Accrediting organizations will require compliance in the future
Why Employers Should Care? – Compliance Deadlines
• HIPAA’s administrative simplification incorporates three major distinct but overlapping components, each with different compliance deadlines:
  • Electronic transaction standards – generally 10/16/03
  • Privacy – generally 4/14/03
  • Security – generally 4/21/05
• For more information:
  • http://aspe.hhs.gov/adminsimp.Index.htm
  • http://www.hhs.gov/ocr/hipaa
  • http://www.ibiweb.org/news/HIPAA
EDI Transaction Standards – In General
• HIPAA requires standardization of these electronic health care transactions:
  • Health claims or similar encounter information
  • Enrollment & disenrollment in a health plan
  • Eligibility for a health plan
  • Health care payment & remittance advice
  • Health plan premium payments
  • Health claim status
  • Referral certification & authorization
  • Health claims attachments (to be issued in the future)
  • First report of injury (to be issued in the future)
EDI Transaction Points of Contact
[Flow diagram showing the parties Patient/Consumer, Sponsors, Payers, and Providers (Treatment), and the transactions exchanged between them; some flows are marked as Non-HIPAA Transactions.]
• Need HC Insurance (Form)
• Enrollment (834)
• Payroll Deduction
• Invoice (811)
• Premium Pmt (820)
• Eligibility (270) / Response (271)
• Referral (278) / Response (278)
• Claim (837) / Need more info (277)
• Claim Inquiry (276) / Response (277)
• Payment & EOB (835)
• EOB (Paper)
EDI Transaction Standards – Unique Identifiers
• Eventually HIPAA will require use of unique identifying numbers for employers and for covered entities (i.e., health plans, providers, and clearinghouses)
• To date, only the employer identifier standards have been finalized (the employer’s federal tax identification number must be used)
• The controversial use of a unique identifier for employees has been withdrawn
Security – In General
• Intended to minimize the risk of intentional or accidental disclosure or misuse, or the loss or corruption, of patient-identifiable health information
• Sets a floor of minimum administrative, physical, and computer security standards to protect medical data
• Reflects commonly accepted security safeguards widely used across many industries
• Security measures are to be tailored to the organization’s risk analyses, technical environment, and business needs
Security – Employer Implications
• Typically, will require developing and/or modifying a number of IT/IS policies, procedures, and protocols with respect to individual health information that is generated, transmitted, or stored electronically
  • With respect to both the covered entity and its business associates
• Thus, early involvement of IT/IS staff in an employer’s HIPAA compliance effort is critical
• Not uncommon for employers to engage a specialized IT/IS consultant to help assess compliance gaps and implement corrective steps
Privacy – In General
• Rules apply to all individually patient-identifiable health information, whether in paper or electronic form
• Key terms
  • Protected Health Information (PHI)
  • Covered Entity
  • Business Associate
Privacy – Protected Health Information
• PHI = individually identifiable health information + created or received by a covered entity
• Individually identifiable health information:
  • Any information that relates to an individual’s past, present, or future physical or mental condition, or the provision or payment of health care, and
  • That specifically identifies the individual (or there is a reasonable belief that the individual can be identified),
  • and which is created or received by a covered entity
• Can be in any form (oral, written, or electronic)
• Examples: claims data, and (depending on source) enrollment data and employee contribution information
Privacy – De-Identification Requirements
• Covered entities are permitted to use PHI to create de-identified information for their own unlimited use, or for unlimited use by another entity, without authorization from individuals
• De-identified information = health care information which does not identify the individual, or which the covered entity has no reasonable basis to believe can be used to identify the individual
• While use of such generic information may be useful for certain types of broad-based trend studies, it is probably not useful for achieving most other business objectives
• Use of certain types of partially de-identified information (summary information or “limited data sets”) is allowed for specific limited purposes:
  • Enrollment/disenrollment data
  • Aggregate claims history / expenses / types of claims data for coverage renewals and plan design changes
Privacy – Covered Entity
• All health care providers
• All health care payers (including managed care organizations, carriers, and self-funded employers)
• All health care clearinghouses that process claims or route electronic claims
• Certain health plans
  • Health insurers (including HMOs), and
  • Group health plans with 50+ participants or administered by an entity other than the employer that established and maintains the plan
Privacy – Covered Entity (cont.)
• Employers, as a whole, typically are not covered entities
  • Thus, most employers are not directly subject to HIPAA privacy regulations
• However, certain components of an employer might constitute a covered entity (e.g., a self-funded group health plan)
• Hybrid employers will be subject to various requirements and obligations
  • “Firewalls” must be created between covered and non-covered functions
  • The plan cannot share PHI with the non-health-plan component of the employer unless the plan sponsor certifies that the plan has been amended to limit use and disclosure of PHI and that safeguards are in place
  • Exceptions for limited enrollment activities
Privacy – Business Associates
• Business associate = any outside entity to which a covered entity discloses PHI to perform necessary functions
  • E.g., third-party administrators, case managers, attorneys, collection agencies, claims auditors, consultants
  • Does not include plan sponsors, insurers, or disclosures from a covered entity to a health care provider for treatment of an individual
• Covered entities must have agreements in place to contractually bind BAs to limit use of PHI to designated purposes and to comply with covered-entity-type confidentiality rules
Privacy – Business Associates (cont.)
• Covered entities have potential civil and criminal liability exposure for breaches by BAs
  • Thus, there is an obligation to monitor your BAs’ activities
  • Under the final regulations, however, action needs to be taken only if there is actual knowledge of a material violation
• Compliance deadline
  • Generally, all BA agreements must be in place by 4/14/03
  • However, any BA agreements in place prior to 10/15/02 will be deemed sufficient until 4/14/04 (unless the agreement terminates or is modified in any way prior to that date)
Privacy – Basic Requirements
• Patients have the right to understand and control how their health information is being used
• Providers and health plans must give individuals clear, written notice of how they use, keep, and disclose their health information
• Individuals have the right to access their medical records (to view, make copies, request amendments, and obtain an accounting of non-routine disclosures)
• Individual authorizations are required before information is released in most non-routine situations
• Covered entities are accountable for use and release of information, with recourse available if privacy is violated
Privacy – Basic Requirements (cont.)
• Use of individual health information is generally limited to health purposes
  • PHI cannot be used for purposes other than treatment, payment, or health care operations without individual authorization
  • Individual authorizations must be informed and voluntary
• Reasonable efforts must be undertaken to limit release of information to the “minimum necessary amount”
  • The minimum necessary amount requirement applies to use of protected health information for payment or health plan operations, but not for treatment purposes
Privacy – Basic Requirements (cont.)
• Minimum privacy safeguard standards established for covered entities (with similar requirements applicable to BAs by contract and to the plan sponsor by plan amendment):
  • Adoption of written privacy procedures, with safeguards and sanctions specified
  • Periodic distribution of a privacy notice
  • Training of employees on handling PHI
  • Designation of a privacy officer (covered entities only)
  • Establishment of a grievance / complaint procedure
  • Recordkeeping with respect to PHI disclosures
HIPAA Implementation – Basic Phases
• Phase I
  • Awareness / Education
  • Preliminary scope assessment
  • Budgeting
  • Task force team selection
• Phase II
  • Detailed current PHI flow and use analysis
  • Detailed compliance gap analysis
• Phase III
  • Implementation of prioritized action item list