1 / 65

HIPAA Administrative Simplification and Nebraska SNIP (Strategic National Implementation Process)

HIPAA Administrative Simplification and Nebraska SNIP (Strategic National Implementation Process). HIPAA. Law & Intent Who is affected Standards Current issues to track Implementation Process (SNIP) Additional resources. HIPAA Administrative Simplification Law.

jetta
Download Presentation

HIPAA Administrative Simplification and Nebraska SNIP (Strategic National Implementation Process)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. HIPAA Administrative Simplification andNebraska SNIP (Strategic National Implementation Process)

  2. HIPAA • Law & Intent • Who is affected • Standards • Current issues to track • Implementation Process (SNIP) • Additional resources

  3. HIPAA Administrative Simplification Law • Health Insurance Portability and Accountability Act of 1996 – HIPAA • H.R. 3103 – Kasselbaum/Kennedy Bill • Title II – Subtitle F – Administrative Simplification • Signed into Law August 21, 1996 • Public Law 104-191 • Part C of Title XI of Social Security Act

  4. Reduce the costs and administrative burdens of healthcare with standardized, electronic transmission of many administrative and financial transactions. Protect the security and confidentiality of electronic health information. Enable individual to control own health information. Intent of HIPAA

  5. Who is affected by HIPAA? • Providers • Health Plans • Employers acting as Self Insured Groups • Payers • Third Party Administrators • Clearinghouses • All trading partners of above

  6. HIPAA Standards • Transactions & Code Sets • Privacy • Security • Identifiers

  7. Transactions and Code Sets Standards • Final Rule Published in August 17, 2000 Federal Register • Compliance is required by October 16, 2002 (October 16, 2003 by small health plans) • NDC code retraction • On May 29, 2001, Tommy Thompson retracted the standard of using NDCs on institutional and professional claims.

  8. Data Element Required vs. Conditional Formats Codes Values Transaction Sets X12 Version 4010 Claim - 837 Payment/Remit - 835 Claim Status - 276/277 Eligibility 270/271 Referral - 278 Enrollment & benefits Maintenance - 834 Premium Payments - 820 Claims Attachments - 275* First Report of Injury - 148* NCPDP * expected later... Transaction standards

  9. Code sets Standards • Service & Diagnosis Codes • ICD-9-CM Volumes I, II & III • CPT-4 • HCPCS • CDT • NDC • No Local Codes will be allowed

  10. Information Between Health Plans • Coordination of Benefits • Claims Processing

  11. Is a provider required to send claims electronically? • No, but if you do, they have to be HIPAA compliant. • You can use a clearinghouse to handle the translation of the data from your current form into HIPAA compliant.

  12. Failure to Comply with Transactions Standards

  13. Privacy Standards • Final Rule Published in December 28, 2000 Federal Register • Compliance is required by April 14, 2003 (April 14, 2004 by small health plans) • OCR issued guidance on July 6, 2001 • Additional guidelines are expected

  14. Privacy Summary of Privacy regulation: • Consumer Control over Health Information • Use and Disclosure Boundaries • Ensure the Security of Protected Health Information • Establish Accountability for Use and Release • Balancing Public Responsibility with Privacy Protections • Preserving Existing, Strong State Confidentiality Laws

  15. Definitions • Privacy is what happens to information after the appropriate person has it (I only use the data for the agreed purpose) • Confidentiality is the control of the information at all times, providing ‘need to know’ access to only those appropriate • Security is the enforcement and protection afforded information under both conditions

  16. Consumer Control over Health Information • Notice of Privacy Practice • Patient access to their health records and right to amend • Patient consent before information is released • Recourse if privacy protections are violated • Accounting for release of health information

  17. Use and Disclosure Boundaries • Ensuring that health information is not used for non-health purposes • Providing the minimum amount of information necessary

  18. Ensure the Security of Protected Health Information • Adopt written privacy procedures • Train employees on privacy • Designate a privacy officer

  19. Establish Accountability for Protected Health Information

  20. Balancing Public Responsibility with Privacy Protections • In limited circumstances, the final rule permits, but does not require, covered entities to continue existing disclosures of health information for specific public responsibilities without individual authorization.

  21. Preserving Existing, Strong State Confidentiality Laws • National "floor" of privacy standards that protects all Americans, but in some states individuals enjoy additional protection. • Stronger state laws (like those covering mental health, HIV infection, and AIDS information) continue to apply.

  22. Security Standards • Proposed Rule Published in August 12, 1998 Federal Register • Final Rule expected this year

  23. Security • The security standard is a set of requirements with implementation features that providers, plans, and clearinghouses must include in their operations to assure that electronic health information pertaining to an individual remains secure. • The standard does not reference or advocate specific technology. • The standard does not address the extent to which a particular entity should implement the specific features. • Individual security requirements and which technology to use is a business decision that each organization must make. HIPAA IS TECHNOLOGY NEUTRAL

  24. Security • Best Security is what we can do ourselves • 75% of security breaches happen inside.

  25. Security • Administrative Procedures • Physical Safeguards • Technical Data Security • Technical Security Mechanisms

  26. Administrative Procedures • Certification • Chain of Trust agreement • Contingency Plan • Formal Mechanism for Processing Records • Information Access Control • Internal Audit

  27. Administrative Procedures • Personnel Security • Security Configuration Management • Security Incident Procedures • Security Management Process • Termination Procedures • Training

  28. Physical Safeguards • Assigned Security Responsibility • Media Controls • Physical Access Controls • Policy/Guideline on Workstation Use • Secure Workstation Location • Security Awareness Training

  29. Technical Data Security • Access Control • Audit Controls • Authorization Controls • Data Authentication • Entity Authentication

  30. Technical Security Mechanisms • Integrity controls • Message authentication • Access controls or Encryption • Entity authentication • Event reporting

  31. Technical Security Mechanisms • In addition, if using a network for communications, the following implementation features would be in place: • Alarm • Audit trail • Entity authentication • Event reporting

  32. Electronic Signature • Digital Signature - • Optional, but if used: • Nonrepudiation • User Authentication • Message integrity

  33. Unique Health Identifiers • Provider • Will not replace TIN • Will eventually replace the UPIN • Employer - Will be TIN • Health Plan - may include Sub ID • Patient - still under discussion

  34. Status of Identifiers • National Provider Proposed Rule Published in May 7, 1998 Federal Register • National Employer Proposed Rule Published in June 16, 1998 Federal Register • Final Rules???

  35. Status of Identifiers • Movement on this portion of HIPAA has not occurred • Focus is on implementation of standards for data and on final privacy and security regulations

  36. Current Issues To Track • Federal legislation • H.R. 1975 and S. 836 are in the House and Senate to delay HIPAA’s administrative simplification provisions. • Some members of Congress are considering overturning the privacy rule • Case constitutionally challenging HIPAA • SC Medical Assoc, Physicians Care Network, LA State Medical Society vs. US Dept of Health and Human Services • AAPS vs. US Dept of Health and Human Services

  37. Current Issues To Track • Final rule on health data security • Due out this year – HHS must ensure the final security rule is compatible with the final privacy rule – published in late 2000 (and likely to undergo some changes) • Additional Guidance on Privacy Standards • Additional code changes as implementation progresses

  38. NOW WHAT??? Where do I go from here ???

  39. Compliance with HIPAA Administrative SimplificationNebraska SNIP (Strategic National Implementation Process)

  40. Why collaborate? • Implementing HIPAA requires coordination and collaboration among trading partners • There is no competitive advantage to be ‘HIPAA Ready’, if your trading partners aren’t ready • Collaboration and coordination will limit costly implementation efforts • Avoid the ‘re-inventing the wheel all over again’ syndrome

  41. Why collaborate? • Standards are dependant on consistent policies, practices and technology among business partners • Actions of a business partner may generate liabilities for one’s own organization • Sloppy planning and inefficient implementation will be costly to everyone

  42. Key Elements for Collaborative Environment • Trust • Commitment • Clear Vision

  43. Trust • Joint ownership • Joint accountability • No dominant player • Balanced interests • No hidden agendas • Neutral meeting ground

  44. Commitment • NE Health and Human Services System • Key providers • Leading health plans/payers • Trade associations & societies • Key vendors

  45. Clear Vision • Use HIPAA as an opportunity to redesign business process • Remember patient rights in process • Improve efficiency of healthcare through information technology

  46. Regional Approaches • Implementation will occur locally • Healthcare crosses local political and business boundaries • National coordination and guidance will be exceedingly helpful

  47. Nebraska SNIP Formation • Blue Cross and Blue Shield of Nebraska • Health Data Management • Mutual of Omaha • NE Assn of Hospitals and Health Systems • NE Health and Human Services System • NE Medical Association

  48. Nebraska SNIP …is a collaborative healthcare industry-wide process resulting in the implementation of standards and furthering the development and implementation of future standards.

  49. Nebraska SNIP • Promote general healthcare industry readiness to implement HIPAA standards. • Identify education and general awareness opportunities for the healthcare industry to utilize. • Recommend an implementation time frame for each component of HIPAA for each stakeholder and identify the best migration paths for trading partners.

  50. Nebraska SNIP • Establish opportunities for collaboration, compile industry input, and document the industry “best practices”. • Identify resolution or next steps where there are interpretation issues or ambiguities within HIPAA standards. • Serve as a resource for the healthcare industry when resolving issues arising from HIPAA implementation.

More Related