
An Overview of HIPAA


Presentation Transcript


  1. An Overview of HIPAA
  Health Insurance Portability and Accountability Act – 1996
  Rosie Callender, RHIA, HIPAA Project Manager, Morehouse School of Medicine Compliance Office

  2. TOPICS COVERED:
  • What is HIPAA?
  • HIPAA Overview
  • Title II – Administrative Simplification Provisions
  • HIPAA Objectives
  • Who Must Comply with HIPAA – “Covered Entities”
  • Penalties for Non-compliance / Enforcement Agency
  • What information is protected by HIPAA
  • Permitted Uses and Disclosures
  • HIPAA Privacy Rule – Key Elements

  3. WHAT IS HIPAA?
  Health Insurance Portability and Accountability Act of 1996

  4. HIPAA OVERVIEW
  Health Insurance Portability and Accountability Act (HIPAA)
  • Insurance Reform (Portability)
  • Administrative Simplification (Accountability):
    • Transactions and Code Sets – compliance by 10/16/03
    • National Provider Identifiers – published 1/23/04, effective 5/23/05, compliance by 5/23/07
    • Privacy – compliance date 4/14/2003
    • Security – final regulations published 2/20/03, compliance date 4/20/2005

  5. TITLE II – ADMINISTRATIVE SIMPLIFICATION PROVISIONS

  6. HIPAA Objectives
  • Insurance portability and continuity – protect the insurability of individuals
  • Accountability – to reduce the potential for waste, fraud & abuse
  • Administrative Simplification – to apply uniform standards to electronic data transactions in a confidential and secure environment.

  7. Expected Results of Administrative Simplification
  • Reduce handling and processing time
  • Eliminate the risk of lost paper documents
  • Eliminate the inefficiencies of handling paper documents
  • Improve overall data quality / fewer errors
  • Decrease administrative costs
  • Increase faith in the protection of patients’ personal health information
  • Thus, improve quality of patient care!

  8. What is HIPAA?
  HIPAA = Health Insurance Portability and Accountability Act, a federal law created in 1996
  H = Health, I = Insurance, P = Portability, and A = Accountability, A = Act
  HIPAA Administrative Simplification covers: Electronic Transactions, Code Sets, Unique Identifiers, Privacy, Security

  9. WHY HIPAA?
  • Healthcare Fraud and Abuse on the Rise
  • Patient Records Found on Street
  • Healthcare costs out of control
  • TEMP DUMP MEDICAL RECORDS
  • Hospital Security Breach

  10. Who must comply with HIPAA – “COVERED ENTITIES”
  • Health care providers that transmit or maintain patient-identifiable information
  • Health plans that provide or pay the cost of medical care, including Medicare and Medicaid
  • Health care clearinghouses that process data elements or transactions
  • Employees (indirectly)

  11. Covered Entity
  • Provides health care
  • Conducts one or more standard HIPAA transactions
  • Transmits or receives standard transactions in electronic form
  • Or performed through a Business Associate

  12. HIPAA Privacy Rule – Key Elements
  • Business Associates (BA)
    • A person or entity that, on behalf of a Covered Entity, accesses and uses PHI to perform or assist in the performance of a function or activity for the CE.
    • Does not include a member of the workforce or volunteers.
  • Business Associate Agreement
    • Must have a contract requiring the BA to keep PHI safeguarded;
    • Contract must have the required elements described in the regulations;
    • Must include other HIPAA-related risk/liability;
    • Does not apply to disclosure of PHI to providers for treatment;
    • If the CE becomes aware of a violation by the BA and fails to act, it can be penalized;
    • Existing contracts will not have to be compliant until 4/14/2004.

  13. HIPAA ELECTRONIC TRANSACTIONS
  An entity is regulated by the Privacy Rule as a Covered Entity if it does any of the following electronically:
  • Claims or equivalent encounter information
  • Payment and remittance advice
  • Claim status inquiry and response
  • Eligibility inquiry and response
  • Referral certification and authorization inquiry and response
  • Enrollment and disenrollment in a health plan
  • Health plan premium payments
  • Coordination of benefits

  14. STANDARD CODE SETS
  • Combination of HCPCS & CPT-4 – Physician services and other health care services
  • HCPCS – Medical supplies, orthotics & other equipment
  • ICD-9-CM, Vols 1 & 2 – Conditions and other health problems & manifestations
  • Code on Dental Procedures and Nomenclature (CDT) – Dental services
  • NDC – National Drug Codes – Drugs/biologics
  NOTE: Local codes are replaced by standard codes.

  15. PENALTIES for Non-compliance

  16. Enforcement Agency
  • Department of Health and Human Services Office of Civil Rights (OCR) will:
    • investigate complaints
    • enforce compliance
    • impose civil monetary penalties
  • Department of Justice will:
    • enforce criminal penalties
  • Center for Medicare and Medicaid (CMS) will:
    • oversee compliance with Transaction Code Sets and Identifiers

  17. HIPAA PRIVACY RULE – Key Elements
  WHAT IS COVERED?
  • Protected Health Information (PHI)
    • individually identifiable health information
    • transmitted or maintained in any form or medium
  • Individually Identifiable Health Information
    • Health information, including demographic information
    • Created or received by a covered entity
    • Relates to the individual’s physical or mental health, or provision of, or payment for, health care
    • Identifies the individual

  18. HIPAA PRIVACY RULE – Key Elements
  Individually Identifiable Health Information

  19. HIPAA PRIVACY RULE – Key Elements
  WHAT IS NOT COVERED?
  • Not PHI:
    • Employment records
    • Family Educational Rights and Privacy Act (FERPA) records
  • De-identified Records:
    • Removal of certain identifiers so that the individual who is the subject of the PHI will no longer be identified
    • A statistical expert determines that the risk of identification is small
    • The facility may assign a code or other means to allow for re-identification
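The de-identification step on slide 19 (strip identifiers, keep a facility-held code for re-identification) as an added example; this is illustrative code, not part of the deck or Morehouse's tooling. The identifier fields, the date/ZIP/age handling and the HMAC-based re-identification code are assumptions, since the deck does not enumerate the identifiers or the coding method.

```python
import hmac
import hashlib

# Constructed sample record for illustration only (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-000123",
    "dob": "1961-07-04",
    "zip": "30303",
    "phone": "(404) 555-0100",
    "admit_date": "2003-04-14",
    "diagnosis_code": "E11.9",
    "age": 41,
}

# Assumed subset of direct identifiers to remove; the Privacy Rule's own
# identifier list is longer than what this deck covers.
DIRECT_IDENTIFIERS = {"name", "mrn", "phone"}
DATE_FIELDS = {"dob", "admit_date"}  # dates reduced to year only (assumed)


def _reid_code(mrn, facility_key):
    # Keyed hash: only the holder of facility_key can recompute it.
    return hmac.new(facility_key, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def deidentify(record, facility_key, zip_digits=3):
    """Return (deidentified_record, reid_code).

    The re-identification code is derived from the MRN with a secret the
    facility keeps; recipients of the record cannot reverse it."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                                   # drop outright
        if field in DATE_FIELDS:
            out[field + "_year"] = str(value)[:4]      # year only
        elif field == "zip":
            out["zip_prefix"] = str(value)[:zip_digits]  # coarsened geography
        elif field == "age" and value >= 90:
            out["age"] = "90+"                         # aggregate high ages
        else:
            out[field] = value
    return out, _reid_code(record["mrn"], facility_key)


def reidentify(reid_code, candidate_mrns, facility_key):
    """Facility-side re-linking: the MRN whose code matches, else None."""
    for mrn in candidate_mrns:
        if hmac.compare_digest(_reid_code(mrn, facility_key), reid_code):
            return mrn
    return None
```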

  20. HIPAA PRIVACY RULE – Scope
  • Consumer control of information
  • Patient privacy rights defined
  • Boundaries of medical record usage
  • Access controls to information
  • Security measures for patient information
  • Assignment of a Privacy Officer
  • Business Associate contracts

  21. IMPACT ON PROVIDERS
  OPERATIONAL
  • New administrative and clinical procedures (example: billing, operations, coding, claims processing)
  • Contracts and/or Chain of Trust Agreements (example: providers, payers, clearinghouses, other healthcare service companies)
  MANAGERIAL
  • Leadership & support
  • New or revised policies and procedures
  • Training of staff
  TECHNOLOGICAL
  • Interoperability (hardware, software, connectivity)
  • Vendor management
  • Security infrastructure

  22. Maintain a HIPAA-compliant Environment
  • Make obvious changes as soon as possible
  • Protect your patients’ privacy and rights
  • Don’t leave medical information where people can see it
  • Control access to your department
  • Don’t leave information on desktops
  • Use a screen saver
  • Identify patients properly before giving information
  • Lock your desktop when you leave it, even to run to the copier
  • Can others overhear PHI when you speak on the telephone?
  • Can passers-by easily read your computer screen?

  23. HIPAA Privacy Rule – Key Elements
  • Notice of Privacy Practices
    • An individual has a right to adequate written notice of:
      • uses and disclosures of PHI that may be made by the covered entity, and
      • the individual’s rights and the covered entity’s legal duties with respect to PHI
    • Must be given by direct treatment providers on first service delivery after the compliance date
  • Written Acknowledgement of Receipt of Notice

  24. HIPAA Privacy Rule – Key Elements
  • Individual Rights
    • Access, copy, inspect
    • Request amendments/corrections
    • Restrict disclosures
    • Request confidential communications
    • Accounting of disclosures
    • Information on how to file a complaint

  25. HIPAA Privacy Rule – Key Elements
  • Designated Record Set
    • A group of records maintained by or for a covered entity that may include:
      • Medical records
      • Billing records
      • Enrollment, payment, claims adjudication
      • Case or medical management record systems
    • Used by the covered entity to make decisions about individuals

  26. HIPAA Privacy Rule – Key Elements
  • Uses and disclosure of PHI
  • Required Disclosures
    • To individuals who request access, and accounting of disclosures
    • To HHS to investigate or determine compliance with the Privacy Rule
  • Permitted Disclosures
    • To individuals
    • For treatment, payment and health care operations
    • Public policy purposes
    • Family, friends & advocates / opportunity for the individual to agree or object
    • Incidental disclosures
    • Limited Data Set
  • Authorized Disclosures
    • For other uses or disclosures neither required nor permitted
    • Special rules for marketing and psychotherapy notes

  27. Commonly Used Terminology
  TPO
  • Treatment of patients
  • Payment for treatment
  • Health Care Operations

  28. Commonly Used Terminology
  • Health Care Operations
    • Activities related to the Covered Entity’s functions:
      • Quality assessment and improvement activities
      • Reviewing the competence and qualifications of health care professionals
      • Conducting training programs in which students and trainees learn under supervision
      • Conducting medical reviews, legal services, and auditing functions
      • Business planning and development
      • Business management and general administrative activities
      • Customer service
      • Resolution of grievances
      • Creating de-identified information or a limited data set

  29. HIPAA Privacy Rule – Key Elements
  • Minimum Necessary Standard
    • Must make reasonable efforts to limit the use or disclosure of, and request for, PHI to the minimum necessary to accomplish the intended use.
    • Exceptions:
      • Treatment,
      • Disclosure to the individual,
      • Disclosure to HHS/OCR, or
      • Required by law
    • Permits incidental uses or disclosures as long as reasonable safeguards are in place.
    • Role-based access. In the workplace, access to health information should be on a need-to-know basis.
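The minimum necessary standard from slide 29, with its four exceptions and role-based (need-to-know) access, as an added example; this is illustrative code and not the deck's or Morehouse's own. The record, the role-to-field map and the purpose names are constructed assumptions; a real covered entity defines these in its policies.

```python
# Constructed sample record from a designated record set (not real data).
RECORD = {
    "name": "Jane Example",
    "insurance_id": "INS-7781",
    "diagnosis": "Type 2 diabetes",
    "medications": ["metformin"],
    "billing_balance": 125.00,
}

# Purposes the deck lists as exceptions to the minimum necessary standard.
MINIMUM_NECESSARY_EXEMPT = {
    "treatment",
    "disclosure_to_individual",
    "hhs_ocr",
    "required_by_law",
}

# Assumed role-to-field map expressing need-to-know for other purposes
# (payment, health care operations, ...). An organization sets its own.
ROLE_FIELDS = {
    "billing_clerk": {"name", "insurance_id", "billing_balance"},
    "scheduler": {"name"},
    "nurse": {"name", "diagnosis", "medications"},
}


def release(record, role, purpose, requested=None):
    """Return (released_fields, refused_fields) for a PHI request.

    Exempt purposes get whatever was requested; every other purpose is
    limited to the intersection of the request and the role's fields, so
    an over-broad request is cut down rather than refused outright."""
    requested = set(record) if requested is None else set(requested)
    if purpose in MINIMUM_NECESSARY_EXEMPT:
        allowed = requested
    else:
        allowed = requested & ROLE_FIELDS.get(role, set())
    released = {k: record[k] for k in record if k in allowed}
    refused = sorted(requested - allowed)   # candidates for an access log
    return released, refused
```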

  30. HIPAA Privacy Rule – Key Elements
  Privacy Complaints
  • The CE must provide a process for individuals to make complaints concerning the CE’s policies and procedures and its compliance with the Privacy Rule.
  • Complaints can be filed with the CE or DHHS/OCR.

  31. HIPAA Privacy Rule – Key Elements
  Other Requirements:
  • Privacy training
  • Safeguards
  • Mitigation process
  • Policies and procedures in place
  • Sanction process

  32. HIPAA & RESEARCH
  • Access to PHI by researchers:
    • With Authorization obtained from the patient;
    • Without Authorization:
      • Documented IRB approval of a Waiver of Authorization
      • Submitted justification preparatory to research;
      • Research on PHI of decedents;
      • Limited Data Sets with a Data Use Agreement;
      • De-identified information (not covered by HIPAA)

  33. HIPAA & RESEARCH
  References:
  • MSM HIPAA Website: http://www.msm.edu/hipaa/index.htm
  • Office of Civil Rights (OCR): http://www.hhs.gov/ocr/hipaa
  • National Institutes of Health: http://privacyruleandresearch.nih.gov
  • American Health Information Management Association: http://www.ahima.org
  • OCR Frequently Asked Questions: http://www.hhs.gov/ocr/hipaa/whatsnew.html
  • Summary of the HIPAA Privacy Rule: http://www.hhs.gov/ocr/privacysummary.pdf

  34. Specific Security in Privacy
  • Effective compliance with the Privacy regulations is dependent on the security of patients’ PHI.
  • Role-based access is required under the minimum necessary rule.
  • Verification and authentication of individuals and authorities requesting PHI.
  • Security required by the Privacy Rule applies to PHI in all forms.

  35. Definitions for Privacy & Security
  • Privacy is the right of an individual to keep information about him/her from being disclosed to others.
  • Confidentiality is the obligation of another party to respect privacy by:
    • protecting personal information they receive, and
    • preventing it from being used or disclosed without the subject’s knowledge or permission.
  • Security is the means used to protect the integrity, availability and confidentiality of information:
    • physical, technical and administrative safeguards.

  36. Specific Security in Privacy
  • HIPAA Security standards address organizational and facility security, not just Information Systems.
  • Requirements in four areas will address health care data integrity, confidentiality and availability:
    1. Administrative procedures
    2. Physical safeguards
    3. Technical security services
    4. Technical security mechanisms
  • The HIPAA Security standards protect all e-PHI (electronic protected health information).

  37. HIPAA Security (cont’d)
  What is Information Security? All protections in place to ensure that PHI is:
  • kept confidential (confidentiality)
  • not improperly altered or destroyed (integrity)
  • readily available to authorized users (availability)
  These principles represent the heart of any information security program.

  38. HIPAA Security (cont’d)
  • The HIPAA Security standards provide the mechanisms that support efforts to protect privacy.
  • It covers information:
    • on hard drives
    • on removable/transportable digital memory media (magnetic tape/disk)
    • transported electronically via the internet, e-mail or other means.

  39. YOUR RESPONSIBILITIES
  • Properly manage your password;
  • Prevent the spread of viruses;
  • Properly dispose of material with PHI (hard copy);
  • Contact DITS to clear disks and hard drives of all PHI before selling or giving a computer to another user;
  • Protect systems from outside threats (hackers, malicious software);
  • Do not use unauthorized software or hardware;
  • Follow the organization’s policies regarding the use of PDAs and laptops;
  • Be familiar with the organization’s Information Security policies;
  • Use common-sense security.

  40. HIPAA Web Sites
  • HHS Administrative Simplification Page: http://aspe.os.dhhs.gov/admnsimp
  • American Health Information Management Association: http://www.AHIMA.org
  • Office of Civil Rights – HIPAA: http://www.hhs.gov/ocr/hipaa/privacy.html
  • CMS Website: http://www.cms.hhs.gov/hipaa/hipaa2/
  • Workgroup for Electronic Data Interchange: http://www.wedi.org
  • OCR Guidelines to Final Regulations (12/04/2002): http://www.hhs.gov/ocr/hipaa/guidelines/AllSectionsCombined.doc
  • MSM HIPAA Website: http://www.msm.edu/hipaa/index.htm

  41. QUESTIONS?
  Rosie Callender, RHIA
  HIPAA Project Manager, Morehouse School of Medicine Compliance Office
  22 Piedmont Road, Atlanta, GA 30303
  (404) 756-1345
  rcallend@msm.edu
