
“HIPAA 2003 & BEYOND”

“BUILDING HIPAA COMPLIANCE” Beyond April 14, 2003

Health Insurance Portability and Accountability Act of 1996

Presented For: CAHF Quarterly

Location: Sacramento, California – Date: May 20, 2003

Presented by Rhonda Anderson, RHIA

– Anderson Health Systems, Inc.

– Email: [email protected]

– Phone: 714-558-3881

– Fax: 714-558-1302

– Web Site: www.ahis.net

Q & A by: Juliana Glydon

Horizons West, Inc. Phone and email:

– 916.624.6230 / [email protected]

HIPAA TRANSACTION

Who is involved: Administrator, Business Office Manager, HIM/Record Director, Nursing Management, IT resource, Business Associates

COMPLIANCE DATES

Electronic Transactions Standards

Standardized Code Sets – 10/16/02 or 10/16/03 published

COMPLIANCE DATES

Privacy Standards – 4/14/03

Security Standards – Due February, 2005

Enforcement Proposed ‘date final??’

TRANSACTIONS AND CODE SET

DESIGNATED CODE SETS

ICD-9-CM

HCPCS - Health Care Financing Administration Common Procedural Coding System (eliminates level III codes)

CPT is required for Physician’s and ancillary services

HCPCS - health care supplies, etc.

J-Codes used for drugs – (from HCPCS Codes)

WHAT DO THESE MEAN TO YOU?

NDC - National Drug Codes – Commercial Pharmacies

Billing and other systems will need to be modified to include new standard IDs

UB-92 will be replaced with 837 - new claims form

Computer systems need to accommodate the required codes/changes

WHAT DO THESE MEAN TO YOU? -2

Compare current code sets to HIPAA standards

– Must use standard code sets and code “by the book”

– May require modifications or upgrades to computerized coding systems

– Accuracy of coding is an issue!!!

WHAT DO THESE MEAN TO YOU? -3

Follow the Fiscal Intermediary Guidelines…

Be aware of the AHA Coding Clinic & AHIMA Coding recommendations

Watch for CMS Electronic Transmittals for guidance (No more paper transmittals)

TCS TESTING…

Testing of the Standardized Transactions required

– Must begin testing by April 16, 2003

– May begin testing sooner

PRIVACY

“SIX NEW PRIVACY RIGHTS”

Notice of Organization’s “PHI” Privacy Practices

Request Restrictions on Disclosures to Others of their “PHI”

Request alternative means of communicating “PHI”

“SIX NEW Resident RIGHTS”-2

May (access) inspect and get a copy of “PHI”

May request Amendments to their “PHI”

Must be given an accounting of organization’s disclosures of their “PHI”

PRIVACY RULE: WHAT DOES IT DO?

HIPAA regulates the use or disclosure of Protected Health Information (PHI)

PRIVACY: KEY COMPONENTS

PHI

Notice of Privacy Practices

Acknowledgement

Uses & Disclosures

Authorization

Minimum Necessary

Patient Rights

PRIVACY: KEY COMPONENTS-2

Amendment of Records

Access To Records

Accounting of Disclosure

PRIVACY: KEY COMPONENTS-3

Business Associates

Marketing, Fundraising, and Research

Interaction with State privacy and confidentiality laws - Preemption

PRIVACY: KEY COMPONENTS-4

Administrative Requirements – Staff, Privacy Officer, Contact Department/Person, Security Officer, Training, Monitoring

Penalties

WHAT IS PHI?

Health and demographic information about an individual that is transmitted or maintained in any medium where the information:

Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

Copyright 2002 HIPAA COW

WHAT IS PHI?

Relates to the past, present, or future:

– Physical or mental health condition of an individual, or

– Provision of health care to an individual, or

– Payment for the provision of health care to an individual

PRIVACY NOTICES AND BEYOND

HIPAA DOES NOT END ON APRIL 14, 2003

THE ONLY THING YOU CAN COUNT ON IS CHANGE

COMMON HIPAA MANDATES?

Notice of Privacy Practices

Acknowledgement

Accounting of Disclosures

Minimum Necessary Standard

Access to Records

COMMON HIPAA MANDATES?-2

Amendment to Records

Disclosure under authorizations

Sanctions

Audit Trails

WHAT IS COMMON?

Requests for PHI

Uses of PHI

Disclosures of PHI

“Minimum Necessary” – and can it be consistent?

Over-dramatization – over correction.

REMEMBER RESIDENT CARE AND TREATMENT!!

REQUESTING PHI –

Do you ever request/or receive PHI from outside the organization

– Is the information for treatment

– Is the information for payment

– Is the information for operations

If not for TPO, why is the information used?

Have you mapped who?

ACCESSING PHI WITHIN

Do you know who has access to PHI within the organization and do you know who uses it.

“THE STUDY”

Have you carried out any of the “due diligence” to the use and disclosure of PHI coming into the facility, GOING OUT OF THE FACILITY???

HOW CAN YOU ASSURE THE MINIMUM NECESSARY use and disclosure?

THE TEAM

WHAT NEEDS TO BE DONE???

Assure you know who has, uses and discloses PHI

Do you know which WorkForce Members access PHI, Use/Disclose PHI

Have you got documents to show this information…

Carried out “due diligence”

POLICIES AND PROCEDURES

USE AND DISCLOSURE FOR

– Treatment

– Payment

– Health Care Operations

Commonly known as “TPO”

USE AND DISCLOSURE

GENERAL POLICY AND PROCEDURES – ADMINISTRATIVE, CLINICAL RECORDS, OTHER DEPARTMENTS

– Assure it meets your facility/agency requirement:

DESIGNATED RECORD SET

NEW CONCEPT DRIVES POLICY PROCEDURE

What is to be included?

– Medical Records

– Billing Records

– Payment Claims

– Case Management records

(maintained for or by a health plan)

NOTICE - PROCEDURE REQUIREMENTS

Post Notice at the site, on the web

Admission Policy and Procedure

USES & DISCLOSURES-1

PHI can be used/disclosed without consent, authorization, or opportunity to agree/object in the following instances as defined in 164.512

USES & DISCLOSURES-2

EXCEPTIONS include:

– Required by law

– Public Health activities

– Victims of abuse, neglect or domestic violence

– Health oversight activities

– Law enforcement purposes

USES & DISCLOSURES-3

EXCEPTIONS –cont.

– Judicial and administrative proceedings

– Decedents (coroners & medical examiners)

– Cadaveric organ, eye or tissue donation

– Research

USES & DISCLOSURES -4

EXCEPTIONS –cont.

– Avert serious threat to health and safety

– Specialized government functions

– Correctional institutions & other law enforcement custodial situations

– Worker’s compensation

USE/DISCLOSURE- MINIMUM NECESSARY

Requires reasonable efforts be made to limit disclosure of ‘PHI’ to minimum necessary to accomplish the intended purpose of the use, disclosure or request.

RULE - MAINTAIN RECORDS

The requirement to maintain records and titles of persons responsible for processing requests for access for 6 years

These are for those specific authorizations for request of protected health information

HIPAA – BUSINESS ASSOCIATES

Who is involved: Those persons/companies who are not a part of your work force AND DO NOT PROVIDE TREATMENT

BUSINESS ASSOCIATES

B.A. --- who works with you and not your employee

ADMINISTRATIVE REQUIREMENTS

ADMINISTRATIVE

Designation of a Privacy Official

Designation of Contact Person

Employee Training H.O. #3 Training Grid

Safeguards

Complaint procedures

Employee Sanctions

ADMINISTRATIVE -2

Documentation Requirements

Refraining from intimidating or retaliatory acts

Policies and Procedures

Mitigation of risks

Waiver of rights

Retention period

POLICY & PROCEDURES

See H.O. #1 Policy and Procedures

COMPLIANCE - PRIVACY

Refer to Attached. H.O. #2

E-ISSUES

FAX – NOT addressed in HIPAA

E-Mail – encryption required

Internet vs. Intranet Security

– Or - PRIVACY

Or both??

IMPLEMENTATION STRATEGIES

IMPLEMENTATION

Understand the impact and liability in YOUR setting

Scalable solutions and applications

Track regulations

Review/Revise project plan

Coordinate with professionals

Determine the gap between what is required and what you have

WHAT’S NEW – WHAT’S NOT

ENFORCEMENT

SECURITY IS NOT NEW, BUT FINALIZED

Security will focus on certain areas.

SECURITY

Applies to health information in manual or electronic form or information that had at one time been in electronic form.

Operationally difficult to separate security and privacy

SECURITY

Covered Entities must maintain reasonable & appropriate administrative, physical, & technical safeguards to:

Ensure the integrity & confidentiality of PHI

Protect against unauthorized access, use, or disclosures by employees or external parties

Protect the availability of PHI in emergency and disaster situations

Demonstrate compliance by officers and employees

KEY TO SECURITY

SECURITY: KEY COMPONENTS

Administrative Security Procedures

Physical Safeguards

Technical Security Services

Communications Security

Electronic Signature

ADMINISTRATIVE PROCEDURES

Contingency and Disaster Recovery Planning

Information Access Control

Internal Security Audit Procedures

ADMINISTRATIVE PROCEDURES

Personnel Security

– Transfers

– Termination procedures

– Management of authorization methods

– Personnel clearance procedures

– Training in security

PHYSICAL SAFEGUARDS

Assigned Security Responsibility

Media Controls

Physical Access Controls

Secure Workstation Location

TECHNICAL SECURITY SERVICES

Access Controls

Audit Controls

Authorization Controls

Data Authentication

Entity Authentication

BEGIN IMPLEMENTATION…