HIPAA: Health Insurance Portability and Accountability Act. Presented to the NC Association on Aging Conference, April 29, 2003. Sarah Brooks, MPA, RHIA, CPM, Manager, NC DHHS HIPAA Office. Agenda: What is HIPAA; Who Must Comply with HIPAA; Overview of Regulations; Resources.
HIPAA
Health Insurance Portability and Accountability Act
Presented to the NC Association on Aging Conference
April 29, 2003
Sarah Brooks, MPA, RHIA, CPM
Manager, NC DHHS HIPAA Office
Page 1 NC DHHS HIPAA OFFICE
AGENDA
• What is HIPAA
• Who Must Comply with HIPAA
• Overview of Regulations
• Resources
What is HIPAA?
Purpose of HIPAA
Health Insurance Portability & Accountability Act of 1996 [Public Law 104-191]
• Improve portability and continuity of health insurance coverage in the group and individual markets;
• To combat waste, fraud, and abuse in health insurance and health care delivery;
• To promote the use of medical savings accounts;
• To improve access to long-term care services and coverage; and
• To simplify the administration of health insurance
• HHS was charged with promulgating rules
How the Law is Structured
• HIPAA is divided into five titles - each addresses a unique aspect of health insurance reform.
• Title II is also known as Administrative Simplification
• If Congress did not adopt legislation to enact Administrative Simplification, HHS was charged with promulgating rules
• HHS was limited to enacting rules based on statutory language
ADMINISTRATIVE SIMPLIFICATION
• Establishes National Standards for
• Electronic Transactions and Code Sets
• Identifiers (Providers, Payers, Employers, Individuals)
• Privacy
• Security & Electronic Signature
• Compliance
• Provides Patients With Certain Rights
• Cuts Administrative Costs
• Preempts State Laws, Unless More Stringent
• Potential Civil Monetary & Criminal Penalties
• Potential Impacts on Business Continuity
HIPAA vs. Y2K
• Y2K impacted all information systems; HIPAA impacts health information systems that contain identifying patient data
• Y2K did not require major business process changes; HIPAA will have major impacts on business practices in the healthcare industry
• Once Y2K issues were resolved, consumers were not impacted; HIPAA will impact healthcare consumers
• During Y2K, healthcare providers and payers relied on vendors, contractors or internal IS staff to resolve the Y2K issues; with HIPAA, the entire organization will be impacted by changes resulting from HIPAA implementation
Wishful thinking about HIPAA
• Congress will repeal HIPAA
• There will be additional delays
• There will be no HIPAA enforcement for many, many years
• My vendor will take care of HIPAA
• HIPAA is an IT project
HIPAA Reality
• Not a “one shot deal”
• Not solely a technology or systems fix
• Affects the culture of handling health information
• Not an easy “return to normal operations”
• Major impacts on policy and training
• Affects business relationships
Who Must Comply With HIPAA?
Terms You Should Know
• To understand HIPAA, there are some important terms you must know
• They are:
  • Covered Entity
  • Business Associate
  • Hybrid Entity
Who is Impacted? Covered Entities
• Health Plan (provides or pays the cost of medical care - e.g., Medicaid, HMOs, BC/BS, Medicare, Champus)
• Health Care Clearinghouse (routes electronic data between payers & providers - e.g., billing services)
• Health Care Provider who transmits any health information in an electronic transaction (e.g., Hospitals, Physicians, Public Health Departments, Group Homes, Home Health, Pharmacies, Laboratories)
Who is Impacted? Business Associates
• Definition: Person who performs a function or activity on behalf of a covered entity, involving the use and/or disclosure of PHI.
• Excludes person who is part of the Covered Entity’s workforce (e.g., Employees, Physicians with Staff Privileges)
• Must protect PHI and help Covered Entity comply with its obligations under the Privacy Rule
• DO NOT have to comply with HIPAA Privacy Rules
• Must abide by Business Associate Agreement with covered entity
Who is Impacted? Hybrid Entities
• Defined as, “a single legal entity that is a covered entity and whose covered functions are not its primary functions.”
• Most covered government agencies will be hybrid entities
• Need to identify those health care components within the Hybrid Entity that perform covered functions and other components that would normally be a Business Associate
Statewide Impact
• Covered Entities
  • State Health Plan (includes HealthChoice for Children)
  • UNC Health Care
• Business Associates
  • Department of Justice
  • Office of the State Auditor
  • Office of the Controller
• Hybrid Entities
  • Dept of Administration
  • Dept of Correction
  • Dept of Health and Human Services
  • Office of Information Technology Services*
  • East Carolina University
  • University of NC at Chapel Hill
  • University of NC at Greensboro
DHHS Impact
• Medicaid
• Public health
  • State Lab
  • State Center for Health Statistics
  • Local health services
  • Children’s special health services
  • Developmental education clinics (13)
• Education
  • School for the blind (1)
  • Schools for the deaf (2)
• Mental health, substance abuse
  • State psychiatric hospitals, substance abuse, nursing (7)
  • Mental retardation centers (5)
  • Adolescent treatment (2)
• Other divisions
  • Controller’s Office
  • Information Resource Mgmt
  • Public Affairs
  • Internal Auditor
  • Research, Demonstrations, and Rural Health Development
Division of Aging Impacts
• Not a Health Care Provider - AAA’s may be providers but not the Division of Aging
• Not a Health Plan - regulations exclude government funded programs whose primary purpose is not provision of health care
• ARMS Implications - since Aging is not a Health Plan or Health Care Provider, ARMS does not have any HIPAA impacts
Impact of Not Complying
• Possible litigation
• Potential withholding of federal Medicaid and Medicare funds
  • Federal Medicaid share in NC is @ 4.5 billion
  • In DHHS, more than $300 million in revenues at risk
• Penalties
  • Civil Monetary for violations of each standard
  • Wrongful disclosure of protected health information
Overview of Regulations
Final Regulation: TRANSACTIONS & CODE SETS
• Electronic Health Transactions Standards (45 CFR Parts 160 & 162)
• Compliance originally required 10/16/02
• With a plan filed, compliance extended to 10/16/03
• Revisions could be made on annual basis with 180 days to comply
What Do Standard Transactions Cover?
• The exchange of data between two parties to carry out financial or administrative activities related to health care. It includes the following types of information exchanges:
  • Health Care claims or equivalent encounter information.
  • Health Care payment and remittance advice.
  • Coordination of benefits.
  • Health Care claim status.
  • Enrollment and disenrollment in a health plan.
  • Eligibility for a health plan.
  • Health plan premium payments.
  • Referral certification and authorization.
  • First report of injury.
  • Health claims attachments.
  • Other transactions that the Secretary may prescribe by regulation.
What Do Code Set Regulations Cover?
• Establishes standard code sets used to identify diagnoses, procedures, etc. Standard Code Sets are:
  • International Classification of Diseases, Ninth Edition, Clinical Modification (ICD-9-CM)
  • Health Care Procedural Coding System (HCPCS)
  • Current Procedural Terminology, Fourth Edition (CPT-4)
  • Current Dental Terminology (CDT)
  • National Drug Codes (NDC)
Final Regulation: PRIVACY
• Privacy Standards (45 CFR Parts 160 & 164)
• Final Regulations published 12/28/00
• Modifications published 4/14/01
• Significant legal interpretation required
• Ongoing compliance monitoring
• Compliance 4/14/03
Scope of Privacy Regulations
• Includes all medical records and other health information maintained by a health care provider, clearinghouse or a health plan.
• Covers information in any format
  • Paper
  • Electronic
  • Oral
• Affects use and disclosure of all client health information
What Do The Privacy Regulations Cover?
• Establishes federal ‘floor’ for Privacy - Preempts state law unless state laws are more stringent
• Permits use or disclosure of Individually Identifying Health Information (IIHI) for treatment, payment, health care operations (without client consent)
• Limits the amount of information to be used or disclosed to what is minimally necessary
• Identifies use and disclosure for which an authorization is or is not required
• Establishes requirements for de-identification of health information or limited data sets
What Do The Privacy Regulations Cover?
• Establishes client rights
  • Right to request access to their health information with limitations on denial of such request
  • Right to request amendment to health information
  • Right to receive an accounting of disclosures
  • Right to receive a Notice of Privacy Practices
• Requires appropriate administrative, technical and physical safeguards to protect health information
• Establishes a protocol for using protected health information for marketing and fundraising
• Requires designation of a privacy official and a contact person for complaints
What Do The Privacy Regulations Cover?
• Requires identification of workforce members needing access to health information, limiting access to the minimum necessary
• Requires training of all staff members
• Establishes content or documentation requirements for policies, procedures, notices, authorizations, amendments, accounting of disclosures, complaints and compliance
• Addresses penalties for unauthorized disclosures
Final Regulation: SECURITY
• Security Standards (45 CFR Parts 160, 162 & 164)
• Final Regulations published 2/20/03
• Compliance 4/21/05
• Written to conform to Privacy Regulations
Scope and Purpose of Security Regs
• Scope: Electronic Protected Health Information (in motion and at rest)
• Purpose:
  • Ensure integrity, confidentiality and availability of electronic protected health information
  • Protect against reasonably anticipated threats or hazards, and improper use or disclosure
What Do Security Regulations Cover?
• Standards to Guard Data Integrity, Confidentiality, and Availability
  • Administrative Safeguards (Policies/Procedures)
  • Physical Safeguards
  • Technical Safeguards
• Flexible, Scalable
• Technology Neutral
• Consistency with Privacy Regulations (Requires Business Associate Agreements)
Security vs. Privacy
• Privacy and Security go hand-in-hand
• Privacy - What
  • Defines who is authorized to access information (the right of individuals to keep information about themselves from being disclosed)
• Security - How
  • Ability to control access to and protect information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction, or loss
Final Regulation: National Employer Identifier
• National Standard Employer Identifier (45 CFR Part 160 and 162)
• Final Regulations published 5/31/02
• Compliance 7/30/04
• Utilizes Employer Tax ID
• Required in any standard transactions that transmit employer-related information
HIPAA Proposed Rules Published
• Electronic Signature Standards (45 CFR Part 142)
  • Draft published August 12, 1998 with Security rules draft
  • Not included in final Security rule - will be sent out as separate regulation
• National Standard Health Care Provider Identifier (45 CFR Part 142)
  • Draft published May 7, 1998
HIPAA Proposed Rules Not Published
• National Health Plan Identifier (Payer ID)
• Claims Attachments
• Enforcement
• First Report of Injury
• National Individual Identifier
• NOTE: Once published, 26 months to comply
HIPAA Resources
DHHS HIPAA Website
http://dirm.state.nc.us/hipaa/
NCHICA
• NC Healthcare Information and Communications Alliance, Inc.
• Membership is from public and private sectors
• HIPAA Workgroups in areas of Privacy and Confidentiality; Security; Training; Transactions/Code Sets
NCHICA Deliverables
• www.nchica.org
• Privacy and Security Training Modules
• HIPAA EarlyView™ Security
• HIPAA EarlyView™ Privacy
• Security Policy and Procedures Matrix
• Privacy Models (Notice of Privacy Practices, Authorization, Business Associate Agreement, Data Use Agreement)
• Minimum Necessary Decision Tree
• Review of NC Statutes
• Guidance for Identifying Designated Record Sets
• HIPAA Privacy Checklists
Resources
• US HHS / HIPAA aspe.hhs.gov/adminsimp
• Office of Civil Rights http://www.hhs.gov/ocr/hipaa/
• AHIMA www.ahima.org
• Institute of Govt http://www.medicalprivacy.unc.edu/
• HIPAA Privacy Joint Info Ctr http://www.bricker.com/hipaa/
• Mass Health Data Consortium http://www.mahealthdata.org/
• Administration on Aging http://www.aoa.dhhs.gov/
Questions?