ADMINISTRATIVE SIMPLIFICATION

• Concept• Covered Entities• Transactions• Privacy• Security• Implementation

Inevitable Transformation...

• Today health data is keyed into a computer, printed, mailed or transmitted, re-keyed into another computer…

• The constant demand for more information in less time is pushing health care systems toward electronic data interchange, the computer-to-computer exchange of information in a standard format

• Institutions pursue electronic data interchange internally, but encounter barriers to sharing data externally, among institutions

Barriers to Transformation

• Lack of data standards—no single entity has the market power to move the health care industry toward a common electronic standard

• Legal ambiguity—antiquated state licensing laws make computerized medical records technically illegal in 12 states and legally ambiguous in 16 others

• Privacy concerns—health information is “private” today not because it is secure but because it is difficult to access—and making it more accessible makes it less secure

Standards Leverage Transformation

• Money as a standard replaced barter• East and West coast railroads needed a

standard gauge to meet at Promontory Point

• Appliances and motors were custom made before electrical current was standardized

• Electronic transaction standards have been the norm in banking for two decades

• Our century’s great innovation—the Internet—is a web of connection standards

Congress Acts

• The Health Care Modernization and Security Act of 1993 (or “Data Bill”)

• Sponsored by Sens. Kit Bond (R-MO) and Joseph Lieberman (D-CT) and Reps. Dave Hobson (R-OH) and Tom Sawyer (D-OH)

• Congress established a process to adopt standards for health information and required health plans to use the standards and transmit data electronically

Guiding Themes

• National Policy Framework—the barriers to modernizing health information systems are national in scope, and require national solutions

• Technology Neutral—encourage continued innovation and intentionally avoid “locking in” a technology today that could be useless tomorrow

• Private/public partnership—build on the extensive use of electronic data interchange in the private sector by adopting standards “already in use and generally accepted”

Broad Support

The Working Group for Healthcare Administrative Simplification

American Association of Retired People, American College of Physicians, American Hospital Association, American Association of Medical Colleges, American Health Information Management Association, American National Standards Institute, American Academy of Pediatrics, Ameritech, Association for Electronic Healthcare Transactions, Bellcore, Blue Cross/Blue Shield Association, CCH Inc, Center for Health Care Information Management, CIS Technologies, COB Clearinghouse, Digital Equipment, Dun & Bradstreet, Electronic Data Systems, ERIC, Federation of American Health Systems, First Health, Fleishman-Hillard Inc, Health Industry Manufacturers Association, Health Care Financial Management Association, Hewlett-Packard, Health Insurance Association of America, IBM, Information Industry Association, ITAA, JCAHO, MetPath, Mutual of Omaha, National Association of Medical Equipment Suppliers, National Association of Chain Drug Stores, National Electronic Information Corporation, Orkand Corporation, PCS Health Systems, Podesta Associates, Prudential, Public Health Foundation, Rossman Health Industry Consulting, SAIC, SmithKline Beecham, Society of Professional Benefits Administrators, Travelers, Davidson Colling Group, UNISYS

President Clinton’s Health Security Act

• Comprehensive health care reform dominated the national political agenda in 1992

• “Increasing access” vs. “decreasing costs”• Administrative simplification contributes to both• “Local storage” vs. “central storage”• The Clinton Administration’s emphasis on

research triggered a debate about how and who could use sensitive patient data and overwhelmed the effort to harmonize data standards

Medicare Reform

• Balancing the federal budget dominated the national political agenda in 1994

• Medicare was estimated to be bankrupt in four years

• Administrative simplification was refocused on eliminating Medicare fraud and catching the Medicare “secondary payer” problem up front, rather than recovering dollars after-the-fact

• Rolled back the scope to financial (not clinical) data

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

• Administrative simplification reached its maturity along with incremental health insurance reform

• Bipartisan throughout two bitterly partisan debates• Broad-based, private-sector support• Enacted 421 to 2 in the House, 98 to 2 in the Senate,

and signed by President Clinton on August 21, 1996• The basic framework enacted by Congress passed to

the U.S. Department of Health and Human Services for rulemaking and implementation

HIPAA’s Three Purposes

• Health Insurance Portability—improve the portability and continuity of health insurance coverage for groups and individuals

• Accountability—combat waste, fraud, and abuse in health insurance and health care delivery

• Administrative Simplification—simplify health care billing by adopting standards that allow health plans to transmit data electronically

HIPAA Administrative Simplification

• Transactions—adopt financial and administrative data standards and require health plans to use those standards to exchange information electronically

• Privacy—adopt standards for individually-identifiable health information that address the rights of individuals, procedures to exercise those rights, and uses and disclosures of information that are authorized or required

• Security—adopt standards to protect the confidentiality of health information, prevent threats or hazards to the security or integrity of the information, and prevent unauthorized uses or disclosures

Opportunities to Decrease Costs…

• Enable the use of the Internet instead of expensive, private networks

• Develop less costly “off-the-shelf” management information systems solutions

• Reduce unnecessary paperwork—estimated to add at least ten cents on every health care dollar

• Increase the speed and accuracy of transactions with other entities (faster third party collections, etc)

• Expose fraud in ways that are impossible under the current, confusing, disjointed paperwork system

Opportunities to Increase Quality…

• Strengthen privacy and confidentiality associated with personal health information

• Aggregate and compare data (non-standard code sets make this difficult to do today)

• Provide the data consumers need to compare the value of insurance plans and health services

• Forge stronger cooperative relationships with providers (“We’re all in this together”)

• Upgrade existing but outdated technology

Business Transformation

• Administrative Simplification is a business challenge—not just a technical problem, like Y2K

• Existing technology is applied to improve business practices—something most industries do already

• People, paper, and postage are replaced with electronic communications to reduce costs and improve services

• Health care organizations will either choose to treat administrative simplification as a conformance nuisance or use it as their catalyst to e-business

Business Transformation

Functional Area Impacted

EDI Identifiers

Code Sets

Privacy

Security

Billing and Patient Accounting

X X X X X

Medical Records X X X XClaims and Encounters X X X X XEnrollment X X X XEligibility X X X X XMedical Management X X X X XCase Management X X X X XCustomer Service X X X XMarketing X X XSales and Underwriting X X X X XBenefit Design X X X X XReporting and Analytics X X X XPhysician Contracting X X X X XNursing X X XPhysicians and Clinicians x X X XSource: GartnerGroup December 2000

ADMINISTRATIVE SIMPLIFICATION

• Concept

• Covered Entities• Transactions• Privacy• Security• Implementation

Covered Entities

• Health Plans—an individual or group plan that provides or pays the cost of medical care

• Health Care Clearinghouses—an entity that processes or facilitates processing of information received from another entity

• Health Care Providers—any provider of medical or other health services, and any other person furnishing health care services or supplies

Examples of Health Plans

• ERISA defined group health plan

• Health insurance issuer

• HMO• Medicare• Medicaid• Medicare supplement• Long-term care policy• VA health care system

• Employee welfare benefit plan

• Health plan for active military

• CHAMPUS• Indian Health

Services• Federal Employees

Health Benefit Plan• Or any combination

Health Plan Exclusions

• Workers’ Compensation programs• Correctional Institutions• Disability insurance programs• Automobile insurance carriers• Property and casualty insurers• Nursing home fixed-indemnity policies

Health Care Clearinghouse

• A Public or private entity that• Receives a non-standard transaction from

another entity and processes or facilitates the processing of health information into a standard format or standard data content or

• Receives a standard transaction from another entity and processes or facilities the processing of health information into a non-standard format or non-standard data content

Health Care Provider

• Any person or organization who furnishes, bills, or is paid for health care in the normal course of business

• Health care is defined as care, services or supplies related to the health of an individual, including:– Preventive, diagnostic, therapeutic, rehabilitative,

maintenance, or palliative care– Counseling, service, assessment, or procedure

with respect to physical or mental condition or functional status

– Sale or dispensing of a drug, device, equipment or other item in accordance with a prescription

Hybrid Covered Entities

• Determine if “covered entity” functions are performed within a department or program (evaluate each area separately according to their respective functions)

• If the component that provides the services is itself not a separate entity, then the entity to which it belongs is a “hybrid entity”

• HIPAA rules apply to the component that performs the covered function and requires a “wall” between the covered functions and the rest of the entity

• For example, the Ohio Department of Health runs a hemophilia program as a provider and a Black Lung clinic program as a health plan

Business Associates

• A person or entity to whom a covered entity discloses protected health information to perform a function on behalf of or to provide services to a covered entity

• Includes lawyers, accountants, consultants, and accrediting agencies

• Must have a contract obligating them to safeguard protected health information

Business Associate Contracts

• Must establish the permitted and required uses and disclosures of protected health information by the business associate and may not authorize further disclosure in violation of the regulations

• If the covered entity knows of a practice or pattern of activity that constitutes a material breach of the business associate’s obligations under the contract, the covered entity must take reasonable steps to ensure cure of the breach or terminate the contract or report the problem to the Secretary

Business Associate Obligations

• Must not use or disclose protected health information in violation of the law or contract

• Implement safeguards against improper use or disclosure

• Ensure that any agents or subcontractors agree to fulfill contractual and legal obligations

• Afford individual access to records; make available records for amendment by the individual; account to the individual for use or disclosure other than for payment, treatment, or operations

• At termination of the contract, return or destroy protected health information

ADMINISTRATIVE SIMPLIFICATION

• Concept• Covered Entities

• Transactions• Privacy• Security• Implementation

Transaction Standards Enable Electronic Data Interchange

• Health care electronic data interchange is commonly used and generally accepted—HHS estimates that at least 400 formats are used in the United States for health care claims processing

• However, the lack of a standard format makes it difficult for vendors to develop software, inhibits potential efficiencies, and increases costs for health care providers and health plans

• In order to perform electronic data interchange using a common interchange and data structure a widely adopted use of standards is required.

Adopting Transaction Standards

• HIPAA requires HHS to adopt standards for health care transactions that are:– Consistent with reducing the administrative

costs of providing and paying for health care– Already “in use and generally accepted”– Developed or modified by a private sector

standard development organization like the American National Standards Setting Institute

• All of the current code sets have been developed by a private sector standard development organization

Required Transaction Standards

American National Standards Institute (ANSI)Accredited Standards Committee (ASC)

Insurance Subcommittee (X12N) • Health care claim or encounter (837)• Health care claim payment and remittance (835)• Health care claim status inquiry/response (276,

277)• Health care eligibility inquiry/response (270/271)• Benefit enrollment and maintenance (834)• Referral certification and authorization (278)• Payment order and remittance (820)

Required Code Sets

• Diseases, injuries, impairments, and other health related problems

• Prevention, diagnosis, treatment, management• Drugs and biologicals• Dental Services• Physician services, physical and occupational

therapy services, radiological procedures, clinical laboratory tests, other medical diagnostic procedures, hearing and vision services, transportation services including ambulance

Local Codes

• HCFA Common Procedural Coding System (HCPCS) identifies health care procedures, equipment and supplies for billing purposes– Level I: AMA-owned physician CPT codes– Level II: CMS-maintained “other”– Level III: State Medicaid program local codes

• Today states rely heavily on local codes• Local codes are scheduled to be eliminated

(or rolled into level II) effective October 2002

Migrating Local Codes

• State programs forced to “crosswalk” local codes into a limited number of level II codes

• Particularly challenging for waiver programs• National work underway to identify current

or modified level III codes for addition to the level II code set

• From over 30,000 to approximately 2000 of which about 100-200 are waiver codes

Local Code Policy

• Standardization of local codes may impair the payer’s ability to customize policies

• Coding decisions shape coverage and reimbursement policies

• A payer cannot cover a service for which a code does not exist

• Congress did not intend to dictate health care policy or limit state policy discretion

Implementation Strategies

1. Organization-wide general education and awareness

2. Risk assessment and gap analysis3. Complete a cost/benefit analysis,

strategic plan, and select tools4. Update policies and procedures, and

install tools and applications5. Complete testing and audits and verify

third-party compliance

Transaction Compliance

• Final transaction rule in effect August 2000 (HHS guidance published May 2001)

• Most covered entities are required to comply by October 2002 (October 2003 for “small” health plans)

• Covered entities may comply directly or use a health care clearinghouse

• Penalties for non-compliance are $100 per incident up to $25,000 per standard per year

System Readiness

• Current timeframe to comply with transaction standards is unrealistic

• Great confusion among providers• Could lead to the election of paper

claims and overwhelm state payment systems—which today are 85 percent electronic

• Paper claims cost more, take longer, and intensify provider frustration

Staggered Release of Final Rules

• Staggered effective dates make it difficult to plan• The transaction and code set rule is final but most

individual code sets have not been determined• The compliance clock is ticking—but covered

entities don’t have the information they need to implement

• Covered entities will be required to move protected health information electronically beginning October 2002—six months ahead of new privacy standards and at least one year ahead of security standards

ADMINISTRATIVE SIMPLIFICATION

• Concept• Covered Entities• Transactions

• Privacy• Security• Implementation

Electronic Transactions Require Additional Privacy Protection

• “Privacy” defines what information to protect

• As the ease of exchanging individually-identifiable health information increases, there is a corresponding need to increase privacy protection

• The new federal privacy rule provides a national standard “floor” to address the fundamental privacy rights of individuals

No Change in Existing Federal Law

• Privacy Act• Substance Abuse laws and regulations• Fraud and abuse prevention

requirements• Medicare Act for dual eligibles• Medicaid beneficiary privacy protections

– Section 1902(a)(7) of the Social Security Act– Regulations at 42 CFR 431.300– 35 years of guidance and practice

State Privacy Law Preempted

• In general “contrary” State privacy laws are preempted by the new federal privacy rules

• State law prevails if the HHS Secretary determines it is necessary for public health or State regulatory reporting

• State law prevails if it is contrary to and more stringent than the HIPAA privacy rule

Examples of More Stringent State Laws

• Further limit the use or disclosure of protected health information

• Provide individuals with greater rights of access or more information about their rights

• Enhance protections afforded by an authorization

• Impose greater record keeping requirements• Otherwise enhance privacy protection

Protected Health Information

• Individually Identifiable Health Information that

• Relates to the past, present, or future– Physical or mental health or condition of an

individual;– Provision of health care to the individual;– Payment for the provision of health care to an

individual

• Regardless of form• Excluding certain student records

Consent and Authorization

• In general a covered entity may use or disclose protected health information only– With the consent of the individual for

treatment, payment, or health care operations

– With the authorization of the individual for all other uses or disclosures

– As permitted under the rule for certain public policy purposes

No Consent or Authorization Required

• Public health disclosures• FDA requirements• Work related injuries• Reports of abuse or neglect• Upon reasonable inference by a health

care provider that the individual would not object to the disclosure of protected health information to a relative or personal friend (may be preempted)

Privacy Rights of Individuals

• Receive notice of information practices• See and copy own records• Request corrections• Obtain accounting of disclosures• Request restrictions and confidential

communications• File complaints

Administrative Requirements

• Covered entities are required to have:– A designated privacy official and a privacy contact person– A defined complaint process– A process for responding to individual’s request for

additional restrictions (not required to agree to the request)

– A process for verifying the identity and legal authority of any person requesting personal health information

– Training on privacy policies and procedures for each person who has contact with personal health information

– Documentation that training requirements are satisfied– A process to sanction employees and business associates

who violate protected health information

Record Requirements

• Covered entities are required to have:– Copies of signed authorizations– Log of non-routine disclosures– Written statements of denial of requests for

information– Responses to requests for corrections– Notices of disagreement from individuals– Contracts with business associates– Signed employee compliance statements

Restrictions on Marketing

• Covered entities must obtain authorization before using or disclosing protected health information for marketing

• Health care providers must secure consent for use of disclosure of protected health information for operations (including marketing)

• There are specific limits on the use of protected health information for fundraising

Implementation Strategies

1. Assess the application of the new privacy rule to your organization

2. Assess the application of more stringent State privacy requirements

3. Assess your current privacy policies and practices to identify gaps

4. Seek legal assistance to resolve ambiguity5. Apply the new federal or more stringent

State privacy standards to your organization

Privacy Compliance

• Final privacy rule in effect April 2001 (HHS guidance published July 2001)

• Most covered entities are required to comply by April 2003 (February 2004 for “small” health plans)

• Criminal penalties of up to $250,000 and 10 years imprisonment for use of protected health information for commercial gain

ADMINISTRATIVE SIMPLIFICATION

• Concept• Covered Entities• Electronic Transactions• Privacy

• Security• Implementation

Additional Privacy Requires More Secure Systems

• “Security” defines how to protect information

• Security is an outcome, not a technology• Covered entities must be able to:

– Control access to data– Protect data from accidental or intentional

disclosure to unauthorized persons– Protect information from alteration,

destruction, or loss

Administrative Requirements

• Covered entities are required to have:– Documented security management process– Computer system/network accreditation– Contingency and disaster recover plans– Data processing policies and information

access controls– Internal audit function– Security incident reporting procedures– Adequate supervision and training for staff

National Identifiers

• Unique national identifiers will be required for providers, employers, and health plans

• National identifiers will not include embedded information

• Delayed adoption of national identifiers is making it difficult for covered entities to plan system requirements

Implementation Strategies

1. Assign security responsibility to a specific individual or group

2. Develop and maintain physical access controls

3. Develop and maintain policies for workstation use and control

4. Develop policies for personnel authorization control, data authentication, and entity authentication

Security Compliance

• Final security rule is expected early in 2002 (it is expected to be similar to the proposed rule published in August 1998)

• Covered entities will be required to comply two years after the rule becomes final

• Penalties capped at $25,000 in a calendar year for each standard violated, unless patient data is disclosed, then penalties for privacy violations apply

ADMINISTRATIVE SIMPLIFICATION

• Concept• Covered Entities• Transactions• Privacy• Security

• Implementation

Organizational Objectives

• Assure compliance with HIPAA administrative simplification requirements

• Assure that technical systems and business processes are integrated across agencies

• Develop work products and tools to promote cost effective implementation

• Develop effective education and outreach programs

• Promote a consistent national legislative and policy agenda

Ohio’s Participating Agencies

• Governor’s Office• Auditor of State• Attorney General• Administrative

Services• Aging• Alcohol and Drug

Addiction Services• Budget and

Management• Health

• Mental Health• Job and Family

Services• Mental Retardation

and Developmental Disabilities

• Rehabilitation and Corrections

• Workers’ Compensation

• Veterans’ Services

Ohio’s Organizational Model (similar approaches in CA, MN, NC,

WA)Governor’s Office

Sponsor

Cabinet Director Executive Leadership

CommitteeDeputy Director Project

Management Team

Privacy Workgrou

p

Technical Partners

Committee

Business Partners Committee

                 

  

Security Workgrou

p

Contracts Workgrou

p

Education Workgrou

p

Code Set Workgrou

p

Organizational Leadership

• Governor’s Office—project sponsor and primary coordination among agencies

• Cabinet-Level Executive Leadership Committee—project champions and oversight; make final business decisions; coordinate national issues

• Deputy-Level Project Management Team—develop and maintain strategic plan; receive and review recommendations; assess resources for budget requirements

Organizational Assignments

• Business Partners Committee (policy and program experts)—define and validate functional requirements; formulate workgroups; resolve policy issues; formulate recommendations for the Executive Leadership Committee (ELC)

• Technology Partners Committee (information technology experts)—determine optimal technical platform; determine tool development, testing, and production; formulate workgroups; resolve information technology issues; formulate recommendations for the ELC

Organizational Workgroups

• Privacy—develop statewide, HIPAA-compliant, baseline privacy standards

• Security—develop statewide, HIPAA-compliant, baseline security standards, both technical and related to personnel

• Code Sets—provide a forum for agencies to identify and resolve interagency code issues and “work arounds”

• Education—identify stakeholders and their educational needs and develop training materials

• Contracts—identify and analyze existing contracts in light of HIPAA regulations and develop “template” agreements

Implementation Challenges

• Enterprise-wide Transformation• Engaging Business Associates• Converting Local Codes• System Readiness• Staggered Release of Rules• Funding

Funding

• Enhanced federal financial participation is available for systems remediation (90/10)

• “Systems remediation” sends a signal that administrative simplification is like Y2K—just another technical problem

• A greater commitment of resources is needed for “business transformation”

• Difficult to estimate implementation costs• Initially, costs will far exceed savings

Congressional UpdateH.R. 3323

• Allow covered entities to delay compliance for transactions and code sets until October 2003

• But only if the entity submits a plan to HHS that certifies progress toward compliance

• Any entity that does not meet original deadlines or submit a plan cannot participate in Medicare

• Privacy takes effect April 2003 as planned• After October 2003 Medicare will charge certain

providers a $1 fee for every paper claim

Implementation Resources

• U.S. Department of Health and Human Services HIPAA Home Pagehttp://aspe.os.dhhs.gov/admnsimp/

• HHS Office of Civil Rightshttp://www.os.dhhs.gov/ocr/hipaa/

• HHS Center for Medicare and Medicaid Serviceshttp://www.hcfa.gov/hipaa/hipaahm.htm

• HHS links to other resourceshttp://aspe.hhs.gov/admnsimp/aslinks.htm

• HIPAA Ohiohttp://www.state.oh.us/hipaa/index.htm