Virginia Department of Medical Assistance Services Presentation On HIPAA to the Virginia COTS PSA Workgroup

Frank G Guinan and Craig Goeller, November 7, 2000


Presentation Transcript


  1. Virginia Department of Medical Assistance Services Presentation On HIPAA to the Virginia COTS PSA Workgroup
  Frank G Guinan, Craig Goeller
  November 7, 2000

  2. Agenda
  • Brief Introduction to HIPAA
  • The Four Components of Administrative Simplification
  • Who does HIPAA Apply to?
  • Privacy Standards
  • Security Standards
  • Questions and Answers

  3. Brief Introduction to HIPAA
  Health Insurance Portability & Accountability Act of 1996 (HIPAA)
  • Public Law 104-191
  • Portability: transfer of health care coverage when employees change jobs
    • COBRA - Completed
  • Accountability: Fraud/Abuse & Administrative Simplification
    • Electronic Data Interchange (EDI) focus - Implementation In Process

  4. The Four Components of Administrative Simplification
  • Transactions and Code Sets
    • Examples: Claims, Enrollment, Coordination of Benefits (COB)
    • Signed by the Secretary of HHS
    • Posted to the Federal Register on 8/16/00
    • 60 Day Review, during which Congress could have modified the rule
    • 24 months to Comply: 10/17/2002
  Transactions standards apply to health care organizations using electronic transmissions in any media form (tapes, diskettes, real-time).

  5. Administrative Simplification (cont.)
  • Unique Health Identifiers
    • Examples: National Provider ID, National Employer ID, National Individual ID
  • Privacy
    • Focus on policies and procedures protecting individuals' rights, and audit trails of disclosures
    • Privacy Officer for each organization

  6. Administrative Simplification (cont.)
  • Security Standards
    • Security and privacy standards for administrative procedures
    • Technical security services against unauthorized access to data (including electronic signature usage)
    • Physical safeguards
  • Electronic Signature
    • Not required, but encouraged
    • Standards for electronic signature qualification and use are included in the recently published rules

  7. Transaction Sets
  ASC X12N Specifications for 9 transaction sets
  • Health Care Claim: Dental (837)
  • Health Care Claim: Professional (837)
  • Health Care Claim: Institutional (837)
  • Eligibility Inquiry and Response (270/271)
  • Health Care Services Review (278)
  • Claim Status Request and Response (276/277)
  • Benefit Enrollment and Maintenance (834)
  • Health Care Claim Payment/Advice (835)
  • Payroll Deducted and Other Group Premium Payment (820)

  8. Medical Code Sets
  HIPAA adopts the industry code sets already used by health care providers as its standards:
  • ICD-9-CM: Diseases, Injuries, Impairments, and Actions Taken by Hospitals for Inpatients
  • NDC: Drugs and Biologics
  • The Code on Dental Procedures and Nomenclature: Dental Services
  • HCPCS and CPT-4: Physician Services and Other Health Care Services
  • HCPCS: Other Substances, Equipment, Supplies

  9. Who does HIPAA Apply to?
  • Health Care Providers
    • All health care providers
  • Payers
    • Insurance Companies
    • HCFA (Medicare/Medicaid)
    • Collection Agencies
  • Prescription Drug Dispensing/Testing
    • Pharmaceuticals, Drug Stores, Labs
  • Clearinghouse/Donor organizations
    • CDC, Blood banks, Organ Donors

  10. Privacy Standards
  • Notice of Proposed Rule Making (NPRM) November 3, 1999
    • Comments received for 60 days
  • Information protected by the regulation
    • Information relating to an individual's health, health care treatment, or payment for health care
    • Protection continues as long as the information is in the hands of a covered entity
    • Covered entities are encouraged to de-identify health information by removing, encoding, or encrypting identifiers
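The last bullet above recommends de-identifying records by encoding or encrypting identifiers. The Go example below is added here and is not part of the presentation; it shows why an unkeyed hash of a low-entropy identifier is not an adequate encoding (anyone who knows the identifier format can recompute it for every possible value) and how a keyed pseudonym, HMAC-SHA256 under a secret key the covered entity holds apart from the de-identified data, withstands the same enumeration. The member number, the 6-digit identifier space, and the key are constructed for illustration; a real key would come from a key-management system.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed sample record: a member number with a deliberately small
// identifier space (6 digits) so the enumeration below finishes in well under
// a second. Real identifiers (SSNs, MRNs) are larger but still enumerable.
const sampleMemberID = "482915"

// plainHash is the "encoding" that does NOT de-identify: the attacker needs
// no secret to recompute it for every candidate identifier.
func plainHash(id string) string {
	sum := sha256.Sum256([]byte(id))
	return hex.EncodeToString(sum[:])
}

// keyedPseudonym replaces the identifier with HMAC-SHA256 under a secret key.
// The key never travels with the de-identified data set, so an attacker who
// obtains the data cannot run the dictionary attack in reidentify.
func keyedPseudonym(key []byte, id string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(id))
	return hex.EncodeToString(mac.Sum(nil))
}

// reidentify is the attacker's dictionary attack: it enumerates every 6-digit
// member number, applies the only function the attacker can compute (hashFn),
// and returns the identifier whose output matches target, or "" if none does.
func reidentify(target string, hashFn func(string) string) string {
	for n := 0; n < 1000000; n++ {
		candidate := fmt.Sprintf("%06d", n)
		if hashFn(candidate) == target {
			return candidate
		}
	}
	return ""
}

func main() {
	// Assumption: a placeholder key; in production it comes from a KMS/HSM
	// and is never stored alongside the pseudonymized records.
	key := []byte("assumed-secret-key-held-apart-from-the-data")

	hashed := plainHash(sampleMemberID)
	pseudonym := keyedPseudonym(key, sampleMemberID)

	// The plain hash falls to enumeration; the keyed pseudonym does not,
	// because the attacker lacks the key and can only try plainHash.
	fmt.Println("plain SHA-256 reversed to:", reidentify(hashed, plainHash))
	fmt.Println("keyed pseudonym reversed to:", reidentify(pseudonym, plainHash))
}
```

The keyed pseudonym is deterministic, so all records for one member still link together for research or payment reconciliation, which is the point of "encoding" rather than "removing". The flip side is that whoever holds the key can reverse every pseudonym at once, so key custody and separation from the data set are the controls that make this de-identification rather than relabeling.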

  11. Privacy Standards
  • Covered Entity
    • Health care providers who transmit data electronically
    • Health Plans; and
    • Health care clearinghouses
  • May disclose Protected Health Information (PHI) to contractors, business partners, consultants, claims clearinghouses, and billing firms

  12. Privacy Standards
  • Covered Entity must enter into a contract requiring that identifiable information be kept confidential
    • An exception is when a business partner is providing a referral or treatment consultation
  • Business partners are not permitted to use or disclose health information in ways that the covered entity cannot

  13. Privacy Standards
  • Individual Rights
    • Right to receive written notice of information practices from health plans and providers
    • Right to access their own health care information
    • Right to request an amendment or correction of protected health information that is inaccurate or incomplete
    • Right to receive an accounting of when information has been disclosed for purposes other than treatment, payment, and health care operations

  14. Privacy Standards
  • Obligations of health care plans and providers
    • Develop a Notice of Information Practices
      • Providers give it to each patient after the rule is enacted and post it at the place of business
      • Plans provide notice at enrollment and every 3 years
    • Allow individuals to access and copy information for a reasonable cost
    • Develop a mechanism for accounting for all disclosures
    • Accommodate requests for amendments or corrections
    • Designate a Privacy Officer responsible for privacy activities

  15. Privacy Standards
  • Obligations of health care plans and providers
    • Provide training to all staff who have access to PHI
    • Establish administrative, technical, and physical safeguards
    • Establish policies and procedures
    • Develop and apply sanctions ranging from re-training to reprimand to termination
    • Keep documentation demonstrating compliance with the regulation's requirements
    • Develop methods to disclose the minimum necessary amount of PHI
    • Develop and use contracts with business partners

  16. Privacy Standards
  • Disclosures without patient authorization
    • For purposes of effecting treatment, payment, and health care operations
    • Certain federal, state, and other oversight activities, public health, emergencies, judicial proceedings, banking and payment processes, and health research
    • Disclosure of PHI for research must be approved by an Institutional Review Board or Privacy Board

  17. Privacy Standards
  • Disclosures with patient authorization
    • Covered entities could use or disclose PHI with the individual's consent for lawful purposes
    • Authorizations must specify the information to be disclosed, who would receive it, and when it would expire. Individuals could revoke at any time.
    • Covered entities would be prohibited from conditioning treatment or payment upon an individual's agreeing to authorize disclosure of information for other purposes

  18. Privacy Standards
  • Guidelines and Costs
    • Minimum necessary use and disclosure
    • Scalability
    • Costs for covered entities over 5 years of compliance are estimated at $3.8 billion
    • Preemption: provides a "floor" of privacy protection. State laws that are "less protective" of privacy are preempted. States are free to enact "more stringent" statutes.

  19. Privacy Standards
  • Penalties and Enforcement
    • For each provision violated, the Secretary of HHS can impose civil penalties of up to $25,000 in any calendar year
    • Criminal penalties start at fines of up to $50,000 and are higher where information is sold or obtained with intent to cause "malicious harm"
    • The regulation does not include a "private right of action": patients cannot sue for privacy violations

  20. Security Standards
  • Background
    • Regulation is expected to be released in Fall 2000 by Federal DHHS
    • Must be implemented within 24 months after the effective date
    • Sets the minimum level or "floor" of security for individually identifiable health information maintained in or transmitted by health care organizations
    • Business Impact Analysis
    • Supersedes contrary state laws

  21. Security Standards
  • Five Major Security Categories To Guard Data Integrity, Confidentiality, & Availability
    1. Administrative Procedures
    2. Physical Safeguards
    3. Technical Security Services
    4. Technical Security Mechanisms
    5. Electronic Signature Requirements (Optional as of initial draft)

  22. Security Standards
  • Business Impact Analysis
    • Determine the magnitude of the regulatory impact on the organization and establish the scope of compliance
  • Organization Awareness and initial roles/responsibilities
    • Executive and senior management buy-in
    • Develop an initial awareness program for all affected staff
    • Establish the HIPAA security implementation team
  • Baseline Assessment
    • GAP Analysis: Current Environment versus Regulatory Requirements

  23. Security Standards
  • Administrative Procedures
    • Certification
    • Chain-of-Trust Partner Agreement
    • Contingency Plan
    • Formal Record Processing Mechanisms
    • Internal Audit
    • Information Access Controls
    • Personnel Security
    • Security Configuration Management
    • Termination Procedures
    • Security Incident Procedures
    • Training
    • Security Management Process

  24. Security Standards
  • Physical Safeguards
    • Assigned Security Responsibility
    • Electronic Media Controls
    • Physical Access Controls
    • Workstation Use
    • Workstation Location
    • Security Awareness Training

  25. Security Standards
  • Technical Security Services
    • Access Control
    • Audit Controls
    • Authorization Control (role- or user-based access)
    • Data Authentication
    • Entity Authentication
      • Unique user ID and one of the following:
        1. Token System
        2. Biometric System
        3. PIN
        4. Password
      • Automatic Log Off

  26. Security Standards
  • Technical Security Mechanisms (transmission over a communications network)
    • Integrity
    • Message Authentication
    • Encryption or Access Controls
  • Network communications require
    • Entity Authentication
    • Audit Trails
    • Alarm
    • Event Reporting

  27. Security Standards
  • If Electronic Signature is employed, Digital Signature Technology is required!
    1. User Authentication
    2. Message Integrity
    3. Non-repudiation (Non-alterability)
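Slides 26 and 27 distinguish message authentication, which protects the integrity of a transmission, from digital signatures, which add non-repudiation. The Go example below is added here and is not from the presentation; it puts the two mechanisms side by side using only the standard library: an HMAC-SHA256 tag under a key shared by sender and receiver, and an Ed25519 signature under a key only the sender holds. Both reject a tampered remittance, but the receiver, who holds the same shared key, can produce a valid HMAC for a message the sender never sent, which is exactly why a shared-key tag cannot serve as an electronic signature. The 835 remittance fragment and the shared key are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample: an 835 remittance advice fragment as it might cross the
// network from payer to provider. The segment content is illustrative only.
var remittance = []byte("ST*835*0001~BPR*I*1250.00*C*ACH~CLP*PT0042*1*1500.00*1250.00~")

// macTag is message authentication with a shared key: it proves integrity and
// that SOME holder of the key produced the tag, but not which one.
func macTag(sharedKey, msg []byte) []byte {
	mac := hmac.New(sha256.New, sharedKey)
	mac.Write(msg)
	return mac.Sum(nil)
}

// macVerify recomputes the tag and compares in constant time.
func macVerify(sharedKey, msg, tag []byte) bool {
	return hmac.Equal(tag, macTag(sharedKey, msg))
}

// newKeyPair gives the sender a private key nobody else holds; the public
// half is what receivers (and later auditors) use to verify.
func newKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// sign and verify: only the private-key holder can produce a signature that
// verifies, so a valid signature authenticates the signer, protects integrity,
// and can be shown to a third party as evidence (non-repudiation).
func sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

func verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// tamper overwrites the paid amount "1250.00" at byte offset 18 with "9999.99".
func tamper(msg []byte) []byte {
	out := append([]byte(nil), msg...)
	copy(out[len("ST*835*0001~BPR*I*"):], "9999.99")
	return out
}

// receiverCanForge models the non-repudiation gap: the receiver, holding the
// same shared key, tags an altered message the sender never sent, and that
// tag verifies exactly like a genuine one. No equivalent exists for sign.
func receiverCanForge(sharedKey []byte) bool {
	altered := tamper(remittance)
	forgedTag := macTag(sharedKey, altered)
	return macVerify(sharedKey, altered, forgedTag)
}

func main() {
	shared := []byte("assumed-shared-key") // assumption: provisioned out of band to both parties
	pub, priv := newKeyPair()

	tag := macTag(shared, remittance)
	sig := sign(priv, remittance)

	fmt.Println("HMAC genuine:", macVerify(shared, remittance, tag),
		" tampered:", macVerify(shared, tamper(remittance), tag))
	fmt.Println("signature genuine:", verify(pub, remittance, sig),
		" tampered:", verify(pub, tamper(remittance), sig))
	fmt.Println("receiver-forged HMAC verifies:", receiverCanForge(shared))
}
```

The transmission controls on slide 26 are satisfied by the HMAC path (integrity plus message authentication between two parties that trust each other with one key). Slide 27's requirement is the asymmetric path: when a dispute arises over what a payer sent, an HMAC proves nothing to an outsider because either party could have computed it, while the Ed25519 signature can only have come from the private-key holder.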

  28. Security Standards
  • Optional Digital Signature Features
    1. Multiple Signatures
    2. Independent Verifiability
    3. Interoperability
    4. Ability to add attributes
    5. Continuity of signature capability

  29. Q & A
  • Internet References:
    • http://aspe.hhs.gov/admnsimp/
    • http://www.himss.org/
    • http://hipaa.wpc-edi.com/HIPAA_40.asp
    • http://www.hipaadvisory.com/
