HIPAA Overview (Health Insurance Portability and Accountability Act 1996)
VACSB HIPAA Committee
Developed by CVCS
Training Objectives
• To provide an overview of HIPAA Regs
• To review 4 Sections of HIPAA Regulations
  • Privacy Rule requirements
  • Security Rule requirements
  • Administrative requirements
  • Transaction/Code Sets requirements
• To follow a CVCS “consumer” through our HIPAA compliant system
• To problem solve around HIPAA concerns and questions
What is HIPAA?
Health Insurance Portability & Accountability Act of 1996
• Public Law 104-191
• Sponsored by Kennedy & Kassebaum
Five Titles:
• Title 1: Insurability and Portability
• Title 2: Administrative Simplification
• Title 3: Tax Implications
• Title 4: Group Health
• Title 5: Revenue
What is the purpose of HIPAA?
• Reduce health care costs/fraud/abuse
• Control use/disclosure of “protected health information” (PHI)
• Identify provider responsibilities and accountability
• Increase consumer’s rights over PHI
• Regulate how PHI is transferred/managed by technology, individuals, and agencies
• Provide consistent standards
• Assure privacy and security of confidential protected healthcare information (PHI)
Covered Entities: Who Must Comply
Those healthcare organizations that capture & maintain individually identifiable healthcare data. Three categories:
• Providers - conduct certain administrative and electronic transactions
• Healthcare Plans
• Clearinghouses
Administrative Simplification: HIPAA Regulations and Deadlines
• Electronic Transaction/Code Sets - Sets uniform standards. Deadline: October 2003 with Extension
• Privacy Regulations - Identifies what health care information is protected. Deadline: April 14, 2003
• Security Regulations - Identifies how information is to be protected. Deadline: Pending
• Identifier Standards - Employer, Payer, National. Deadline: Employer ID finalized/Others Pending
HIPAA Definitions
The nuts and bolts!
Healthcare Operations
Includes “general administrative and business functions” necessary for a covered entity to remain a viable business (e.g., audits, quality improvement functions, assessments)
Health Information
Any information recorded in any form or medium which:
• Is created/received by a Covered Entity that creates, receives, uses, or transmits PHI;
• Relates to the past, present, or future physical/mental health condition of an individual, their participation in, or payment for such services; and
• Identifies the individual.
Individually Identifiable Health Information
• Identifies the individual, or
• There is a reasonable basis to believe that the information can be used to identify the individual
Protected Health Information (PHI)
All individually identifiable health care data or information collected, maintained, or transferred by a Covered Entity
Protected Health Information (PHI)
• Name
• Address
• Social Security #
• Birth Date
• Demographic info. (some)
• Email address
• Health Plan #
• License/Certificate #
• Vehicle identifiers
• Bio-metric identifiers
• Telephone numbers
• Place of employment
• Account numbers
Protected Health Information (PHI)
• Consumer full-face photograph and any comparable images
• Fax number
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) Address Numbers
De-identified Information
• Health information which is stripped of individual identifying elements
• Someone with sufficient statistical expertise, using accepted statistical standards, says the probability is very low that the information would identify a consumer
• In this form, remaining data would not be sufficient to identify the consumer
Privacy Notice
• Written document in plain language
• Posted & shared with consumers at intake
• Explains how their PHI will be used/disclosed by agency
• Identifies consumer’s rights
• Lists agency/provider duties to protect PHI and abide by the Privacy Notice
• Identifies how changes in notice will be communicated
Designated Record Set
• A group of records maintained by or for a covered entity/agency
• Includes any records used, in whole or in part, to make decisions about the consumer’s treatment (medical record, billing, etc.)
Privacy Preemption & More Stringent Rules
• HIPAA will preempt state laws relating to the privacy of PHI except for those that are more stringent (provide more privacy or consumer control over their PHI) than the federal HIPAA requirements
Use vs. Disclosure
• Use - Sharing, utilization, examination, & analysis of PHI maintained internally within the agency
• Disclosure - Release, transfer, access to, or sharing in any manner of PHI outside the agency maintaining the information
Minimum Necessary Rule
Rule applies to Uses/Disclosures
• Covered Entities must make reasonable efforts to limit use, disclosure, & requests for PHI to the “minimum necessary” in order to accomplish the intended purpose, except when an authorization is obtained
Minimum Necessary Rule
• Amount of information needed to achieve the purpose
• Applies to all forms of communication
• Use - Requires policies & procedures classifying staff by role/position and the PHI to which they may have access
• Disclosure - Requires policies & procedures addressing criteria to limit disclosure & reviewing of requests
• Must limit requests to that which is necessary
• Does not apply to consumer requests/authorizations, disclosures required by law, or disclosures to a healthcare provider for treatment purposes
Access to PHI (Protected Health Information)
• Opportunity to approach, inspect, review, and make use of data or information
• Actions by a consumer or healthcare provider with appropriate authorization
Acknowledgement & Authorization
• Acknowledgement - Document gives provider permission to carry out treatment, payment, or healthcare operations (TPO)
• Authorization (AKA “Release of Information”) - Document used for purposes other than TPO
Electronic Transaction & Code Set Standards
Electronic Transaction & Code Set Standards
• National Electronic Standards - relate to the automated transfer of certain healthcare data between healthcare payers, plans, and providers
• Replace nonstandard formats and code sets with standard electronic transactions and code sets
Administrative & Financial Transactions
• Health claim or encounter information
• Eligibility for a health plan inquiry
• Referral certification & authorization
• Healthcare claim status
• Healthcare payment and remittance advice
• Health plan premium payments
• Enrollment & dis-enrollment in a health plan
• First notice of claim
• Health claim attachments
• Coordination of Benefits
Transaction/Code Sets Standards
Code Sets Examples:
• ICD-9-CM
• CPT-4
• HCPCS
• DSM-IV-TR
Compliance Deadline with Extension: October 15, 2003
Benefits of Standardization of Electronic Transactions/Code Sets
• Standardized Formats - Will reduce the number of formats used for healthcare administrative and financial transactions nationwide
• Billing becomes more efficient
• Internal administrative savings related to staffing, response to complaint calls, and billing reconciliation
HIPAA’s Privacy Rule
Privacy Rule
• Applies to all protected healthcare information (PHI)
• Does not prohibit the exchange of PHI for treatment, payment, or health care operations (TPO) within the agency
• Written Acknowledgement required
Privacy Rule Impacts
• Acknowledgement/Authorization
• Privacy Notifications
• Uses & Disclosures of PHI
• Healthcare Operations
• Consumer Rights
• Consumer Access/Amendment of PHI
• Business Associate Agreements
• Provider Responsibilities
Privacy Rule Highlights
Protects privacy of medical records and covers:
• Electronic records & printouts of records
• Written records
• Oral communications
Consumer acknowledgement that PHI may be used for routine purposes (TPO)
Privacy Notice - Documents consumer’s rights and the agency’s responsibilities to protect and manage PHI
Consumers’ Rights under HIPAA
Consumers may:
• Inspect/copy their medical record information
• Request to amend information if they believe it to be inaccurate or incomplete
• Request must be in writing
• Agency must respond within 15 days (VA law)
• If request is denied, consumer may appeal this decision to the CSB or federal government
Consumers’ Rights under HIPAA
Consumers may:
• Request a Disclosure History
• Request confidential communications through alternative addresses/phone numbers
• Have access to a designated individual or the Office of Civil Rights at Health & Human Services to report violations of their rights
• Request restriction on use/disclosure of their PHI
Business Associate Agreements
• Business Associate - An entity that does things on our behalf and with whom we share/give access to PHI
• Business Associate Agreement - Establishes permitted uses, disclosures, and safeguards for PHI
Examples: CSB Attorney, CARF, social services, auditors…
Privacy Regulations
• Allow flow of PHI for treatment, payment, & related health care operations (TPO)
• Prohibit flow of PHI unless voluntarily authorized by the consumer
• Allow consumer to know who is accessing their PHI outside of TPO use
• Allow consumers to obtain access to their records & request amendment of records if the consumer feels they are inaccurate or incomplete
Provider Responsibilities
• Provide formal complaint handling system
  • Office of Consumer Services
• Allow use of de-identified data
• Follow “minimum necessary” requirements
• Establish Business Associate Agreements
• Duty to mitigate damage if violations occur
• Establish sanctions for HIPAA violations
  • CVCS Standards of Conduct & CVCS HIPAA Sanction Policy
Privacy Penalties
• Wrongful Disclosure Offense: $50,000 fine, imprisonment of not more than one year, or both.
• Offense Under False Pretenses: $100,000 fine, imprisonment of not more than 5 years, or both.
• Offense with Intent to Sell Information: $250,000 fine, imprisonment of not more than 10 years, or both.
Uses/Disclosures not requiring Authorization
• To the consumer or legally authorized representative of the consumer
• To health oversight agencies
• To the Department of Health & Human Services for investigation and enforcement purposes
• By court order (as outlined in CFR 42 - strictest)
Uses/Disclosures not requiring Authorization
• To U.S. Public Health Authorities - to prevent or control disease, injury, or disability
• In following disclosure procedures for deceased consumers as outlined in VA law
• To consumers exposed to communicable disease or at risk of contracting or spreading disease - under law & public health intervention/investigation
Uses/Disclosures not requiring Authorization
• For reports of suspected child abuse or neglect to the appropriate authority
• For reports about an adult victim of abuse, neglect, or domestic violence under the State’s mandatory reporting laws
  • Inform the individual of the report
  • Seek the individual’s agreement when possible
  • Can report without the individual’s agreement
Uses/Disclosures not requiring Authorization
Healthcare Oversight Activities Authorized by Law:
• Audits
• Investigations (as permitted by CFR 42)
• Inspections (e.g., Health Inspection of facilities)
• Civil/criminal/administrative proceeding/action by a properly executed court order (CFR 42)
• Other appropriate oversight actions:
  • Government regulatory programs
  • Government benefit programs - for eligibility
Privacy Preemption
HIPAA will preempt other federal or state laws relating to PHI (except for those more stringent than HIPAA)
Security Regulations
Security Rule
Deals with how PHI is secured:
• Access to PHI
• Minimum Disclosure Rule
• Encryption/digital signatures
• Background checks
• Physical (facility) security
Organizational Practices - Security
• Policies/procedures for workstation use
• Security of workstation locations
• Security Incident Reporting
• Termination procedures
• Media controls
• Audit trails
• Encryption
Organizational Practices - Security
• Role based access
• Remote site access
• Electronic/wireless devices (laptops and PDAs)
• Authentication of users through passwords
  • pASs379worD
HIPAA Identifier Standards
HIPAA Identifier Standards
HIPAA Regulation:
• Employer ID = Tax ID #
Other Final Identifiers Pending:
• Provider ID
• Payor ID
Mr. Hipp goes to CVCS
Scenario Under HIPAA Law: Putting It All Together
Admission/Intake
Mr. Hipp arrives at CVCS and is given a copy of our Privacy Notice, which is also posted in the lobby. Mr. Hipp completes the admission paperwork, including the Acknowledgement of receipt of the Privacy Notice.