HIPAA – Amendment to Internal Revenue Code
Washington County Health System

Washington County Health System
HIPAA: Health Information Portability & Accountability Act
Amendment to Internal Revenue Code

Purpose of HIPAA Legislation
“To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.”
Preamble to Public Law 104-191 (“HIPAA”), Health Insurance Portability and Accountability Act of 1996

- Title I – Health Access, Portability, Renewability
- Title II – Health Care Fraud & Abuse (Subtitle F – Administrative Simplification)
- Title III – Tax Related Provisions
- Title IV – Application & Enforcement of Group Health Plan Requirements
- Title V – Revenue Offsets

Title I – Health Access, Portability, Renewability
- Preexisting conditions may be covered
- No discrimination based on health status
- Guaranteed renewal clauses
- Requires certificate of coverage
- Exercise reasonable diligence in determining eligibility

Title II – Fraud & Abuse
- Created Fraud & Abuse Control Program and Medicare Integrity Program
- Created incentives for beneficiaries to report suspected fraud & abuse
- Established penalties for program violations:
  - Fines and returns of overpayments
  - Criminal prosecution
  - Exclusion from federal healthcare programs

Title II – Fraud & Abuse
- Mandated national data collection effort on fraud & abuse
- Defined Civil Monetary Penalties (CMPs) for violations
- Revised criminal laws relating to healthcare fraud

Purpose of Subtitle F: Reasoning Behind HIPAA Administrative Simplifications
Congress sought to reduce the administrative costs and burden associated with health care by standardizing data and facilitating electronic transmission of many administrative and financial transactions. Because of the belief that the electronic movement of health information creates patient privacy and security concerns, Congress also directed the Secretary of HHS to develop standards to protect the privacy and security of individually identifiable health information.

Title III – Tax Related Provisions
- Established non-taxable Medical Savings Accounts to pay medical bills
- Increased income tax deduction for self-employed individuals who purchase their own health insurance
- Established income tax deduction for long-term care insurance premiums and defined policy requirements

Title III – Tax Related Provisions
- Made accelerated death benefits tax-exempt—for example, a terminally ill individual receives the proceeds of their life insurance policy prior to death to pay end-of-life expenses
- Made state-sponsored insurance programs for high-risk individuals exempt from income tax
- Established non-taxable Medical Savings Accounts to pay medical bills

Title III – Tax Related Provisions
- Allowed penalty-free withdrawals from IRAs to pay “financially devastating medical expenses”
- Provided organ and tissue donation information with income tax refund payments

Title IV – Application and Enforcement of Group Health Plan Requirements
- Requires that group health plans offer portability, access and renewability with similar stipulations as individual plans under Title I of HIPAA
- Imposes a penalty for failure to meet certain group health plan requirements
- Clarifies COBRA requirements for terminating employees with group health coverage

Title V – Revenue Offsets
- Loans against company-owned life insurance policies
- Tax treatment of individuals who lose U.S. citizenship
- How financial institutions allocate interest

Title II – Administrative Simplification is the Following:
- Electronic transactions and code sets: June 2000
- Unique identifiers
  - National providers: January 2001
  - National employers: January 2001
  - Health plan: January 2001
  - Individuals: On Hold
- Privacy: January 2001
- Security and E-Signatures: January 2001
- Claims attachments: January 2001
- Enforcement: No Drafts

Title II – Administrative Simplification
Electronic transactions & code sets
- Standardize software & data elements
- Standardize common diagnostic, therapeutic, and treatment codes

Title II – Overview of Transaction Exchange
[Diagram: transaction exchange among providers, health plans, and sponsors, covering eligibility verification, enrollment, authorization & referrals / pre-certification, claim / encounter and claim acceptance, claim status inquiry, adjudication, and remittance / payment (accounts payable). Transaction numbers shown: 270, 271, 275, 276, 277, 278, 811, 820, 834, 835, 837.]

Title II – Administrative Simplification
2. Unique Identifiers
- Provider – Replace UPIN number
- Employer – What to do with Federal Tax ID #?
- Health Plans – Create new numbering system
- Individual – Purpose of ID is to link medical information between providers

Title II – Administrative Simplification
3. Privacy
- May extend to paper document
- Must have patient’s permission to use their data for marketing or fund raising

Title II – Administrative Simplification
Security & Electronic Signature
- Security Tracks
- Administrative Procedures
- Physical Safeguards (facilities)
- Technical Security Services
- Technical Security Mechanisms
- Electronic Signatures

Security Requirements – Security Tracks
- Certification
- Chain of trust or business partner agreement
- Contingency plan (disaster recovery, testing, and verification)
- Formal mechanism for processing records
- Formal access control (procedures for granting access)

Security Requirements – Administrative Procedures
- Internal audits
- Personnel security
- Security management (risk analysis, mgmt, sanction policy)
- Incident reporting, termination procedures, training …

Security Requirements – Physical Safeguards
- Assigned security responsibility (accountability)
- Media controls
- Physical access controls (limited access)
- Policy/guidelines for workstation use
- Secure workstation location
- Security awareness training

Security Requirements – Technical Security Services
- Access control (emergency access, and one of context-, role-, or user-based access; encryption is optional)
- Audit controls
- Authorization controls (role- or user-based access)
- Data authentication (hashing algorithms, MAC)
- Entity authentication (auto logoff, unique user ID, and one of biometric, password, PIN, telephone callback, or token)

Security Requirements – Technical Security Mechanisms
- Private Networks
  - Dial-up, leased lines, extranets, intranets, VANs
  - Requires: integrity controls, message authentication, access controls, encryption
- Public Networks
  - Internet
  - Requires: all of the above
  - In addition: alarms, audit trails, entity authentication, event reporting, and encryption

Security Requirements – Electronic Signatures
- Requirements (features that must be implemented): message integrity, non-repudiation, user authentication
- Optional features: ability to add attributes, continuity of signatures, counter signatures, independent verifiability, interoperability, multiple signatures, transportability, non-repudiation, user authentication

Title II – Administrative Simplification
5. Claims attachments – No proposal yet
- Within the claims, some method of identifying any attachments

Title II – Administrative Simplification
6. Enforcement
- Fines $50,000 to $250,000
- Prison terms up to 10 years

Next Steps
- Issue Recognized September 1999
- Education process started
- Budgeted for several initiatives
- Contingency budgeted
- P.I. Team Formed May 2000
- Awaiting final regulations

Next Steps
- Awareness Training
- Security Assessment
- Evaluate Vulnerabilities
- Review Procedures & Update as Needed
- In Process
- Complete Requirements Assessment and Budget Resources December 2000