1. HIPAA Administrative Simplification Standards: Yesterday, Today, and Tomorrow
Stanley Nachimson
CMS Office of HIPAA Standards
2. Brief History
HIPAA signed into law August 1996
Major publicity around insurance portability
Transactions and Code Sets Proposed Rule
Published May 1998
Lots of comments, but who really paid attention to the standards?
3. Brief History
Final rule published August 2000
Described who must use the standards and when
Adopted specific standards for transactions, NCPDP and X12
Adopted specific code sets
Required implementation by Oct 2002
Who was paying attention?
4. Brief History
Industry finally reacts – says it needs more time
ASCA statute in December 2001 provides for an additional year – no more – to implement. New date October 16, 2003
Law also requires covered entities to develop plans to meet the new date
April 16 is a testing deadline
Also required billing to Medicare be done electronically, making providers covered entities.
5. Brief History
Modifications to standards issued February 2002
Based on critical problems with the initial standards
NDC code no longer required, except for retail pharmacies
6. Where Are We Today?
We are less than 6 months from Oct 16
Testing should have started, at least internally
Vendors should have provided software to their customers so testing could begin
Clearinghouses should have test plans and packages available for customers
7. Where Are We Today?
Health plans should be scheduling testing with providers
Most Medicare contractors are already doing this.
Providers should be looking for plans to test with.
External certification is a business decision each entity must make.
8. Reminders for Oct 16
HIPAA standard transactions and code sets must be used.
All covered entities must participate.
Providers still have the option for paper (except for Medicare).
We want this to work – cash flow disruption is not an option for many providers
9. Key Is Cooperation
Plans, providers, clearinghouses, and vendors must work together
Coordinate testing schedules
Coordinate information campaigns
Test early to discover problems
Work together to fix them
Look at solutions others have already found
10. Opportunities for Learning
Take advantage of:
CMS web site (www.cms.hhs.gov/hipaa/hipaa2)
National conference calls
Regional conference calls
Askhipaa emails
Regional SNIP affiliates
SNIP web site (snip.wedi.org)
11. Enforcement of Administrative Simplification Standards
CMS named to enforce HIPAA transactions and code sets
OCR continues to enforce HIPAA privacy
CMS creates Office of HIPAA Standards
12. Office of HIPAA Standards
Outreach
Regulations and Policy
Enforcement
13. Enforcement Responsibilities
Establish enforcement process
Develop regulations
14. Enforcement Reality
CMPs may not be more than:
- $100/violation
- $25,000/calendar year for violation of an identical requirement or prohibition
We need to determine what is a violation.
15. Enforcement Authority
Two provisions of HIPAA govern enforcement:
- § 1176: civil monetary penalties (CMPs)
- § 1177: criminal penalties
HHS has authority to assess CMPs
DOJ has authority for criminal penalties
16. Enforcement Regulation
HHS leads on developing the enforcement regulation
Simplifies and standardizes the enforcement process
Provides a predictable process
17. Enforcement Regulation
Notice of what constitutes a violation and how penalties will be determined
Hapless vs. Willful
Rulemaking process allows for public input
18. From Complaint To Compliant
Complaint driven
Voluntary compliance
Technical assistance
Corrective action plan
Progressive Steps
19. Complaint Driven
Complaints:
- web submittal
- download and mail
Notification in writing
20. Voluntary Compliance
Opportunity to demonstrate compliance
Good faith efforts go a long way
21. Corrective Action Plan
Opportunity to submit a corrective action plan
Demonstrate and document efforts to become compliant
Exercise reasonable diligence, make efforts to correct problem
22. Progressive Steps
Compliance FIRST
Corrective Action MIDDLE
Tied for LAST:
- CMPs
- Exclusion from Medicare
Access to care and patient safety
23. Future Standards
Security
Attachments
Identifiers
24. Regulation Dates
Published February 20, 2003
Effective Date April 21, 2003
Compliance Date:
April 21, 2005 for all covered entities except small health plans
April 21, 2006 for small health plans (as HIPAA requires)
25. General Requirements (164.306(a))
Ensure:
Confidentiality (only the right people see it)
Integrity (the information is what it is supposed to be – it hasn’t been changed)
Availability (the right people can see it when needed)
26. General Requirements
Applies to Electronic Protected Health Information
That a Covered Entity Creates, Receives, Maintains, or Transmits
27. General Requirements
Protect against reasonably anticipated threats or hazards to the security or integrity of information
Protect against reasonably anticipated uses and disclosures not permitted by privacy rules
Ensure compliance by workforce
28. Regulation Themes
Scalability/Flexibility
Covered entities can take into account:
Size
Complexity
Capabilities
Technical Infrastructure
Cost of procedures to comply
Potential security risks
29. Regulation Themes
Technologically Neutral
What needs to be done, not how
Comprehensive
Not just technical aspects, but behavioral as well
30. How Did We Accomplish This?
Standards are required, but:
Implementation specifications, which provide more detail, can be either required or addressable.
31. Addressability
If an implementation specification is addressable, a covered entity can:
Implement, if reasonable and appropriate
Implement an equivalent measure, if reasonable and appropriate
Not implement it
Based on sound, documented reasoning from a risk analysis
32. What Are the Standards?
Three types:
Administrative
Physical
Technical
33. Administrative Standards
Security Management
Risk analysis (R)
Risk management (R)
Assigned Responsibility
Workforce Security
Termination procedures (A)
Clearance Procedures (A)
34. Administrative Standards
Information Access Management
Isolating Clearinghouse (R)
Access Authorization (A)
Security Awareness and Training
Security Incident Procedures
Contingency Plan
Evaluation
Business Associate Contracts
35. Physical Standards
Facility Access Controls
All addressable specifications
Contingency operations
Facility Security Plan
Access control
Maintenance Records
Workstation Use (no implementation specifications)
Workstation Security
Device and Media Controls
36. Technical Standards
Access Control
Unique User Id (R)
Emergency Access (R)
Automatic Logoff (A)
Encryption and Decryption (A)
Audit Controls
Integrity
Person or Entity Authentication
Transmission Security
37. Chart in Regulation
At the end of the regulation, a chart lists each standard, its associated implementation specifications, and whether each specification is required or addressable.
38. Basic Changes from NPRM
Aligned with Privacy (definitions, requirements for business associates)
Encryption now addressable
No requirement for certification
Standards simplified and redundancy eliminated.
39. Implementation Approach
Do Risk Analysis – Document
Based on Analysis, determine how to implement each standard and implementation specification – Document
Develop Security Policies and Procedures – Document
Train Workforce
Implement Policies and Procedures
Periodic Evaluation
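The Addressability and Implementation Approach slides together describe a decision procedure: every implementation specification is either required or addressable, and for an addressable one the covered entity may implement it, implement an equivalent measure, or not implement it, in each case resting on documented reasoning from the risk analysis. The following is an added example, not code from the CMS presentation, of a small checker that applies those rules to a set of recorded decisions. The specification names and R/A flags are taken from the Administrative and Technical Standards slides; the decisions, the hypothetical provider, and the document reference "RA-2003-04" are constructed for illustration.

```python
# Added example (not from the CMS slides): a checker that applies the
# required/addressable rules from the Addressability and Implementation
# Approach slides to a covered entity's documented decisions. Specification
# names and R/A flags come from the slides; the decisions are constructed.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Kind(Enum):
    REQUIRED = "R"       # must be implemented as written
    ADDRESSABLE = "A"    # implement, implement an equivalent, or not implement


class Choice(Enum):
    IMPLEMENT = "implement"
    EQUIVALENT = "equivalent measure"
    NOT_IMPLEMENT = "not implement"


@dataclass(frozen=True)
class Spec:
    standard: str   # the standard the specification belongs to
    name: str       # the implementation specification
    kind: Kind


@dataclass
class Decision:
    spec: Spec
    choice: Choice
    risk_analysis_ref: Optional[str] = None  # where in the documented risk analysis this rests
    rationale: str = ""                      # documented reasoning for the choice
    equivalent_measure: str = ""             # description of the alternative, if any


def evaluate(decision: Decision) -> List[str]:
    """Return findings for one decision; an empty list means it is acceptable."""
    spec, choice = decision.spec, decision.choice
    findings: List[str] = []

    if spec.kind is Kind.REQUIRED:
        # A required specification offers no alternative and no opt-out.
        if choice is not Choice.IMPLEMENT:
            findings.append(f"{spec.name}: required specification is not implemented")
        return findings

    # Addressable: every option is open, but each must rest on the documented
    # risk analysis, and anything other than plain implementation needs reasoning.
    if not decision.risk_analysis_ref:
        findings.append(f"{spec.name}: decision is not tied to the risk analysis")
    if choice is not Choice.IMPLEMENT and not decision.rationale.strip():
        findings.append(f"{spec.name}: '{choice.value}' has no documented reasoning")
    if choice is Choice.EQUIVALENT and not decision.equivalent_measure.strip():
        findings.append(f"{spec.name}: equivalent measure is not described")
    return findings


def evaluate_all(decisions: List[Decision]) -> Dict[str, List[str]]:
    """Map each specification name to its findings."""
    return {d.spec.name: evaluate(d) for d in decisions}


def compliant(report: Dict[str, List[str]]) -> bool:
    """True only when no specification produced a finding."""
    return all(not findings for findings in report.values())


# Specifications named on the Administrative and Technical Standards slides.
RISK_ANALYSIS = Spec("Security Management", "Risk analysis", Kind.REQUIRED)
UNIQUE_USER_ID = Spec("Access Control", "Unique User Id", Kind.REQUIRED)
EMERGENCY_ACCESS = Spec("Access Control", "Emergency Access", Kind.REQUIRED)
AUTO_LOGOFF = Spec("Access Control", "Automatic Logoff", Kind.ADDRESSABLE)
ENCRYPTION = Spec("Access Control", "Encryption and Decryption", Kind.ADDRESSABLE)

# Constructed decisions for a hypothetical small provider; "RA-2003-04" is a
# placeholder document id, not a real identifier.
SAMPLE_DECISIONS = [
    Decision(RISK_ANALYSIS, Choice.IMPLEMENT),
    Decision(UNIQUE_USER_ID, Choice.IMPLEMENT),
    # Required, so opting out is a finding no matter how well it is documented.
    Decision(EMERGENCY_ACCESS, Choice.NOT_IMPLEMENT,
             risk_analysis_ref="RA-2003-04 s.5", rationale="low likelihood"),
    # Addressable, equivalent measure, fully documented: acceptable.
    Decision(AUTO_LOGOFF, Choice.EQUIVALENT,
             risk_analysis_ref="RA-2003-04 s.3.2",
             rationale="clinical workstations cannot tolerate forced logoff mid-procedure",
             equivalent_measure="screen lock after 5 minutes plus badge re-authentication"),
    # Addressable, not implemented, tied to the risk analysis but with no reasoning: finding.
    Decision(ENCRYPTION, Choice.NOT_IMPLEMENT, risk_analysis_ref="RA-2003-04 s.4"),
]

if __name__ == "__main__":
    report = evaluate_all(SAMPLE_DECISIONS)
    for name, findings in report.items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
    print("Overall compliant:", compliant(report))
```

The point of the check is that the regulation's flexibility is conditional: an addressable specification can be skipped, but only when the decision is traceable to the risk analysis and the reasoning is written down, which is why the checker treats a missing reference or an empty rationale as a finding rather than a formatting problem.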
40. Summary
Scalable, flexible approach
Standards that make good business sense
Two years for implementation
First step is risk analysis
41. Claims Attachments
Will provide standards for sending claims attachments (medical records, lab reports, x-rays) electronically
All health plans will be required to support these.
Expect proposed rule later this year.
42. Identifiers
National Provider Identifier
Final rule later this year
Will have minimum two years to implement
National Plan Identifier
Proposed rule later this year.
43. Questions?