Building a HIPAA-Readiness Agenda
Bob DeMarco, Managing Principal, Healthcare Business Solutions, Compaq Global Services
April 3, 2002
Objectives • Learn about the Health Insurance Portability and Accountability Act (HIPAA) • Discuss HIPAA components • Electronic standards, code sets and identifiers • Procedures and policies regarding patient privacy • Security requirements • Discover HIPAA's effect on your environment • Budgets and organizational issues • Discuss how Compaq can help
Facts and fiction • Fiction • HIPAA laws will never be enforced • This is just like Y2K • The application vendors have already fixed this • A tool will repair any issues • An organization can be compliant • Facts • This is a business AND a technology issue • HIPAA is a complex business problem • But there are ways to justify the expense and reduce exposure • HIPAA is a 2-5 year process
You may have some questions . . . • What is HIPAA anyway? • HIPAA is huge: what do I do first? • How do I fund HIPAA readiness activities? • Does this really affect me? • The dates seem to be changing. What are they now? What is due and when? Will the dates change again? • How do I meet compliance dates? • And how do I spell it?
U.S. HIPAA goals • U.S. 2000: health care costs 13.9% of GDP • Reduce overall costs • Transactions over the Internet • Standardize • Ensure privacy of patient information [Diagram: Providers, Payers, States and Clearinghouses, linked to Standards, Security and Privacy]
Why HIPAA? • Improve efficiency and effectiveness of the health care system • Standardize the electronic exchange of administrative and financial data • Reduce US healthcare costs • 13.9% of GDP; highest in the world • Protect security and privacy of transmitted information • Goals: • Cut $73 billion out of healthcare costs in the U.S. (transactions) • Ensure patient privacy (privacy and security)
Whom does HIPAA affect? • Providers • Nursing homes • Skilled Nursing Facilities (SNFs) • Doctors and hospitals • Payers • Clearinghouses • Governments • Universities • Schools • Biotech (pharmaceuticals, life sciences) • Your local drug store • Red Cross • Any entity that deals with body parts/fluids • Any entity that touches patient information
It's not just an IT issue • Governing Body • Administration • Finance • Health Information Management • Patient Accounts • Physician Services • Admission • IT • Others
What are the milestones? • Compliance plans (ASCA extension request for transactions): 10/15/2002 • Privacy: 4/14/2003 (the Security Rule was still a proposed rule in April 2002 and had no compliance date yet) • Transactions and code sets: 10/16/2003 with an extension (10/16/2002 without one) [Diagram: Educational Requirements; Transactions, Code Sets, Identifiers; Policies and Procedures; Security; Compliance Planning; Gap Analysis]
And the likelihood of these dates changing? • Extremely slim • Transaction dates have already changed once, by the Administrative Simplification Compliance Act of December 2001, in the aftermath of the September 11th tragedy
Penalties • Per transaction (civil) • $100 per violation • Not to exceed $25,000 per calendar year for violations of the same requirement • Violations can add up quickly! • Security and privacy (criminal) • "Knowing disclosure" of individually identifiable health information • $50,000 to $250,000 in fines • 1-10 years in prison, rising with false pretenses, commercial advantage or malicious harm • Failure to establish a security/privacy program may be construed as wrongful or knowing disclosure!
What can you do now? • Put in place the right structures • HIPAA steering committee • HIPAA Privacy Officer, Privacy and Security Officer, etc. • HIPAA assessment, gap analysis and compliance plan • HIPAA educational teams, programs, etc. • A HIPAA management consultant/strategic partner • A HIPAA budget
What is in the plan? • Analysis of the extent of, and reasons for, HIPAA non-compliance • Budget, schedule, work plan and implementation strategy for compliance • Timeframe for transaction testing, which must begin no later than April 16, 2003 • Documentation of plans to use vendors to assist with compliance
Relationship between Privacy & Security • Security • The ability to control access and protect information from • Accidental or intentional disclosure to unauthorized persons • Alteration, destruction or loss • Privacy • Controlling who is authorized to access information • The right of individuals to keep information about themselves from being disclosed • Some redundancy: the Privacy Rule reiterates the requirement for security safeguards
Purpose of HIPAA Privacy Regulations • Protect and enhance the rights of consumers • Provide them access to their health information • Control the inappropriate use of that information • Improve the quality of healthcare in the US • Restore trust in the healthcare system among consumers, healthcare professionals and the multitude of organizations and individuals committed to the delivery of care • Improve the efficiency and effectiveness of healthcare delivery • Create a national framework for health privacy protection • Build on efforts by states, health systems and individual organizations and individuals
Application • Who • Health Plans • Health Care Providers • Health Care Clearinghouses • Anyone who electronically transmits health information in connection with a standard transaction named in HIPAA • What • Individually identifiable health information transmitted or maintained in any form or medium (electronic or non-electronic) that is held or transmitted by a covered entity
Permitted Uses and Disclosures • To an Individual • With Proper Consent • Without Consent If: • Indirect Relationship • Inmate • Valid Authorization • With Oral Consent for: • Facility Directories • To Next of Kin
Disclosures permitted without consent or authorization • Required by law • Public health activities • Victims of abuse • Health oversight activities • Judicial and administrative proceedings • Law enforcement purposes • About decedents • Organ donation purposes • Research (subject to listed provisions) • To avert a serious threat to health or safety • Specialized government functions • Workers' compensation
Required disclosures • When an individual requests access to their records (with exceptions) • When an individual requests an accounting of disclosures (with exceptions) • When requested by the Secretary to investigate compliance • Entities are required to limit other uses and disclosures to the "minimum necessary"
Some key administrative requirements • Must designate a Privacy Official • Must designate a contact person/office for complaints • Must document policies and procedures, job titles, etc., and train the workforce on them • Document retention requirements • Many others
Security standards • Comprehensive framework of security requirements • Scalable requirements to meet small to large business needs at reasonable cost • Technology-neutral implementation features
Security overview (categories from the 1998 proposed Security Rule)
• Administrative Procedures, for example:
  • Certification (internal or external)
  • Chain of Trust Agreement
  • Contingency Plan
  • Formal mechanism for processing records (documented)
  • Information access control and audits
  • Etc.
• Physical Safeguards
  • Assigned security responsibility
  • Formal, documented policies and education
• Technical Security Services
  • Access, audit and authorization control
  • Data and entity authentication
• Technical Security Mechanisms (data in transit)
  • Integrity controls
  • Message authentication
  • Access controls or encryption
  • Abnormality alarm
  • Audit trail
  • Entity authentication
  • Event reporting
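The slide names the transmission-side mechanisms without showing what they look like in code. The following is an added example, not part of the Compaq deck: a minimal transmission envelope, built on the Python standard library, that implements message authentication and integrity control with an HMAC, rejects replays, and writes an audit trail in which rejected messages are recorded as alarm events. The shared key, the envelope field names, the replay window and the audit record format are all assumptions made for this example; distribution of the shared key (entity authentication) is out of scope.

```python
"""Added example (not from the Compaq deck): message authentication, integrity
control, audit trail and abnormality alarm for a record sent between two
covered entities.  Key, field names and log format are assumptions."""
import hashlib
import hmac
import json
import time
from typing import Callable, Optional

# Assumption: sender and receiver already share this secret (never embed a
# real key in source; this value exists only so the example runs offline).
SHARED_KEY = b"example-shared-secret-do-not-use-in-production"
REPLAY_WINDOW_SECONDS = 300


def _mac(key: bytes, header: dict, payload: bytes) -> str:
    # The header (sender, receiver, id, timestamp) is bound into the tag, so
    # none of those fields can be changed without invalidating the MAC.
    canonical = json.dumps(header, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical + b"\n" + payload, hashlib.sha256).hexdigest()


def seal(key: bytes, sender: str, receiver: str, msg_id: str,
         payload: bytes, now: float) -> dict:
    """Sender side: wrap a payload with its header and HMAC-SHA256 tag."""
    header = {"sender": sender, "receiver": receiver, "id": msg_id, "ts": int(now)}
    return {"header": header, "payload": payload.hex(), "mac": _mac(key, header, payload)}


class Receiver:
    def __init__(self, key: bytes, name: str, clock: Callable[[], float] = time.time):
        self.key = key
        self.name = name
        self.clock = clock
        self.seen_ids = set()
        self.audit_trail = []  # append-only: who, what, when, outcome

    def _log(self, event: str, header: dict, detail: str) -> None:
        # "ALARM" records are the abnormality alarm / event reporting;
        # "ACCEPT" records complete the audit trail for delivered messages.
        self.audit_trail.append({"when": int(self.clock()), "event": event,
                                 "from": header.get("sender"),
                                 "id": header.get("id"), "detail": detail})

    def open(self, envelope: dict) -> Optional[bytes]:
        """Receiver side: verify tag, addressee, freshness and uniqueness."""
        header = envelope["header"]
        payload = bytes.fromhex(envelope["payload"])
        expected = _mac(self.key, header, payload)
        # Constant-time comparison so timing does not reveal matching bytes.
        if not hmac.compare_digest(expected, envelope["mac"]):
            self._log("ALARM", header, "MAC mismatch: header/payload altered or wrong key")
            return None
        if header["receiver"] != self.name:
            self._log("ALARM", header, "message addressed to another entity")
            return None
        if abs(self.clock() - header["ts"]) > REPLAY_WINDOW_SECONDS:
            self._log("ALARM", header, "timestamp outside replay window")
            return None
        if header["id"] in self.seen_ids:
            self._log("ALARM", header, "duplicate message id (replay)")
            return None
        self.seen_ids.add(header["id"])
        self._log("ACCEPT", header, f"{len(payload)} bytes delivered")
        return payload


def demo() -> dict:
    """Constructed scenario: one good message, the same envelope replayed,
    then a copy whose payload was altered in transit."""
    now = 1_017_748_800.0  # fixed clock so the run is reproducible (constructed)
    rx = Receiver(SHARED_KEY, "PAYER01", clock=lambda: now)
    good = b"ST*837*0001~...~SE*4*0001~"  # stand-in for a transaction (constructed)
    env = seal(SHARED_KEY, "CLINIC01", "PAYER01", "msg-0001", good, now)
    first = rx.open(env)
    replay = rx.open(env)
    tampered = dict(env, payload=b"ST*837*0001~...~SE*5*0001~".hex())
    altered = rx.open(tampered)
    return {"first": first, "replay": replay, "tampered": altered,
            "events": [r["event"] for r in rx.audit_trail]}


if __name__ == "__main__":
    print(json.dumps(demo(), default=str, indent=2))
```

The order of checks matters: the tag is verified before anything in the header is trusted, so a forged header cannot steer the receiver into a different branch, and every rejection leaves an audit record rather than failing silently.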
Covered Transactions (ASC X12N version 4010 implementation guides)
• Claims: Professional, Institutional and Dental
  • 837 (004010X098, Professional)
  • 837 (004010X096, Institutional)
  • 837 (004010X097, Dental)
• Coordination of Benefits: carried within the 837 above
• Remittance Advice, including EFT
  • 835 (004010X091)
• Enrollment
  • 834 (004010X095)
• Eligibility
  • 270/271 (004010X092)
• Claim Status
  • 276/277 (004010X093)
• Premium Payment
  • 820 (004010X061)
• Health Care Services Review
  • 278 (004010X094)
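A readiness assessment has to know which of these transaction sets an interface actually carries. The following is an added example, not part of the Compaq deck: a small X12 envelope reader that recovers the delimiters from the fixed-width ISA segment, maps the GS08 version identifier onto the covered transactions listed above, and checks the ISA/IEA, GS/GE and ST/SE control numbers and counts. The interchange embedded in it is constructed for this example and is not a complete, valid 837; the guide names are the standard ones for the 4010 guides, and matching on the first ten characters of GS08 (to tolerate addenda suffixes such as A1) is an assumption.

```python
"""Added example (not from the Compaq deck): identify HIPAA-covered
transaction sets in an X12 interchange and validate its envelope.  The
sample interchange is constructed and is not a valid claim."""
from typing import Dict, List, Tuple

# GS08 version/release/industry identifier -> (transaction set(s), guide name)
GUIDES: Dict[str, Tuple[str, str]] = {
    "004010X098": ("837", "Health Care Claim: Professional"),
    "004010X096": ("837", "Health Care Claim: Institutional"),
    "004010X097": ("837", "Health Care Claim: Dental"),
    "004010X091": ("835", "Health Care Claim Payment/Advice"),
    "004010X095": ("834", "Benefit Enrollment and Maintenance"),
    "004010X092": ("270/271", "Eligibility, Coverage or Benefit Inquiry/Response"),
    "004010X093": ("276/277", "Health Care Claim Status Request/Response"),
    "004010X061": ("820", "Payroll Deducted and Other Group Premium Payment"),
    "004010X094": ("278", "Health Care Services Review"),
}

# Constructed sample: ISA/GS/ST envelope around a two-segment 837 fragment.
SAMPLE = (
    "ISA*00*          *00*          *ZZ*CLINIC01       *ZZ*PAYER01        "
    "*020403*1200*U*00401*000000001*0*T*:~\n"
    "GS*HC*CLINIC01*PAYER01*20020403*1200*1*X*004010X098~\n"
    "ST*837*0001~\n"
    "BHT*0019*00*0123*20020403*1200*CH~\n"
    "NM1*41*2*EXAMPLE CLINIC*****46*CLINIC01~\n"
    "SE*4*0001~\n"
    "GE*1*1~\n"
    "IEA*1*000000001~\n"
)


def split_segments(data: str) -> List[List[str]]:
    """ISA is fixed width (106 chars): element separator at offset 3,
    segment terminator at offset 105.  Use the declared delimiters rather
    than assuming '*' and '~'."""
    if len(data) < 106 or not data.startswith("ISA"):
        raise ValueError("not an X12 interchange (ISA segment missing or short)")
    elem, term = data[3], data[105]
    segments = []
    for raw in data.split(term):
        raw = raw.strip("\r\n ")
        if raw:
            segments.append(raw.split(elem))
    return segments


def identify(data: str) -> dict:
    """Return interchange metadata, the groups/transactions found, and any
    envelope errors.  Only envelope fields are reported; the 837 body carries
    PHI and is deliberately not copied into the result."""
    segs = split_segments(data)
    result = {"interchange": None, "groups": [], "errors": []}
    isa, iea = segs[0], segs[-1]
    if iea[0] != "IEA" or isa[13] != iea[2]:
        result["errors"].append("ISA13/IEA02 control number mismatch")
    result["interchange"] = {"sender": isa[6].strip(), "receiver": isa[8].strip(),
                             "control": isa[13],
                             "usage": "test" if isa[15] == "T" else "production"}
    group = tx = None
    for seg in segs[1:-1]:
        tag = seg[0]
        if tag == "GS":
            group = {"functional_id": seg[1], "version": seg[8],
                     "control": seg[6], "transactions": []}
            result["groups"].append(group)
        elif tag == "GE":
            if group is None or seg[2] != group["control"] \
                    or int(seg[1]) != len(group["transactions"]):
                result["errors"].append("GE count/control does not match its GS")
            group = None
        elif tag == "ST":
            if group is None:
                result["errors"].append("ST outside of a GS/GE group")
                continue
            guide = GUIDES.get(group["version"][:10])  # assumption: ignore addenda suffix
            tx = {"set": seg[1], "control": seg[2], "covered": guide is not None,
                  "guide": guide[1] if guide else None, "segments": 1}
            if guide and seg[1] not in guide[0].split("/"):
                result["errors"].append(f"ST01 {seg[1]} does not belong to {group['version']}")
            group["transactions"].append(tx)
        elif tag == "SE":
            if tx is None:
                result["errors"].append("SE without a matching ST")
                continue
            tx["segments"] += 1  # SE01 counts ST and SE themselves
            if seg[2] != tx["control"] or int(seg[1]) != tx["segments"]:
                result["errors"].append(f"SE count/control mismatch in ST {tx['control']}")
            tx = None
        elif tx is not None:
            tx["segments"] += 1
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(identify(SAMPLE), indent=2))
```

A mismatched SE01 count or control number is the cheapest integrity check available at the envelope layer and catches truncated or spliced transmissions before any claim data is processed; it is not a substitute for the message authentication the security slides call for.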
Identifiers • Employers • Providers • Plans • Individuals – On Hold
Standardized Code Sets • Major code sets • Impact of Standardized Code Sets
Proposed impacts • Lower cost of software development and maintenance • Assure purchasers that software will work with all payers and plans • Lower cost of administrative transactions by eliminating time and expense of handling paper • Pave way for cost-effective, uniform, fair and confidential health information practices • Pave the way for standards which can do the same for electronic medical records systems • Pave the way for high quality health care
How Compaq can help • Health and human services team • Team members with 20+ years of practical health care and government experience • Clinical, management, financial, operational • Nationally recognized providers and governmental entities • Complex technology, business and financial health care management • HIPAA experience since 1998 • Partners • Nationally branded HIPAA experts • Health care expertise and technologies • Capabilities • Technology and program management • Customer, managed and consulting/SI services • Compaq Financial Services • CGS product • Hardware and platforms • CGS experience in health care
What we bring • A suite of business and technology services, provided by: • Experts in health care, pharmaceuticals and life sciences • Providing a “just enough” solution • Architected for technical agility • Reducing overall costs • Unsurpassed architectural and program management skills • Providing • The single source for health care solutions • Consulting and systems integration services • Hardware and software • Enabling regulatory and governmental compliance Plus • The right mix of health care systems and technology partners • A vendor who can quickly create and assemble a team A vendor who innovates . . .
Helping remove cost barriers – CFS • What do you get? • Flexible payment structures and fixed rates for the term of the lease • Variable end-of-lease options • Inclusion of "soft costs" in total cost of lease • Customer benefits • More technology and services • Conserve capital • Preserve established credit lines • Contacting CFS • See your sales representative