HIPAA Overview (Health Insurance Portability and Accountability Act 1996) May 2002 VACSB - HIPAA Committee

Upload: edwin-tucker

Post on 12-Jan-2016


Page 1: HIPAA Overview (Health Insurance Portability and Accountability Act 1996) May 2002 VACSB - HIPAA Committee

HIPAA Overview (Health Insurance Portability and Accountability Act 1996)

May 2002

VACSB - HIPAA Committee

Page 2:

Training Objectives

- Provide an overview of HIPAA regulations.
- Review Privacy Rule requirements.
- Review Security Rule requirements.
- Review Administrative requirements.
- Provide HIPAA Committee “draft” templates.
- Summarize most current proposed changes.
- Learn how to insert a Hippo into your next presentation.

Page 3:

What is HIPAA?

- Fed. Regulation/law - Kennedy & Kassebaum
- Improve “portability and continuity” of health insurance coverage.
- Provide administrative simplification and consistency - Standard Code Sets and Transactions.
- Assure privacy and security of confidential protected health care information (PHI).
- Increase provider accountability - PHI.
- Increase consumer rights - PHI.

Page 4:

What is the purpose of HIPAA?

- Identify provider responsibilities around PHI.
- Reduce health care costs.
- Reduce health care fraud and abuse.
- Control use and disclosure of “protected health information” (PHI).
- Regulate how PHI is transferred and managed by technology, individuals, and agencies.

Page 5:

Covered Entities Who Must Comply

Health care organizations that capture & maintain individually identifiable health care data. Three categories:

- Providers - conduct certain administrative and electronic transactions
- Health care Plans
- Clearinghouses

Page 6:

Covered Entities

- Plan: i.e., Medicaid, Blue Cross/Shield
- Provider: i.e., CSB
- Clearinghouse: i.e., Billing Company

Page 7:

Timelines for Compliance

- Transactions and Code Sets - October 2003 (With Extension)
- Privacy Regulations - April 2003
- Security Regulations - Final regs. pending (Spring 2004?)

Page 8:

HIPAA Regulations

Electronic Transaction/Code Sets - Sets uniform standards (Administrative Simplification.)

Privacy Regulations - Identifies what health care information is protected.

Security Regulations - Identifies how information is to be protected.

Identifiers - Employer, Payer, National.

Page 9:

Health Care Operations

Includes “general administrative and business functions” necessary for a covered entity to remain a viable business (i.e., audits, quality improvement functions, assessments).

Page 10:

Health Information

Any information recorded in any form or medium which:

- Is created/received by a Covered Entity that creates, receives, uses, or transmits PHI,
- Relates to the past, present, or future physical/mental health condition of an individual, their participation in, or payment for such services, and
- Identifies the individual.

Page 11:

Protected Health Information (PHI)

All individually identifiable health data or information collected, maintained, or transferred by a Covered Entity.

Page 12:

Protected Health Information (PHI)

- Name
- Address
- Social Security #
- Birth Date
- Demographic info.
- Medical Record #
- Email address
- Account numbers
- License/Certificate #
- Vehicle identifiers
- Bio-metric identifiers
- Telephone numbers
- Place of employment
- Full face photograph
- Fax number
- Health Plan number

Page 13:

De-identified information

Health information which is stripped of individual identifying elements.

In this form, remaining data would not be sufficient to identify the consumer.

Page 14:

Privacy Notice *

- Written document - plain language.
- Posted & shared with consumers.
- Explains how PHI will be used/disclosed by provider.
- Identifies consumer rights.
- Lists provider duties to protect PHI.

Page 15:

Use vs. Disclosure

Use - Sharing, utilization, examination, & analysis of PHI maintained internally within the provider.

Disclosure - Release, transfer, access to, or sharing in any manner of PHI outside the entity maintaining the information.

Page 16:

Minimum Necessary Rule

- Rule applies to Uses/Disclosures
- Essential element of privacy protections.
- Covered Entities must make reasonable efforts to limit use, disclosure, and request for PHI to the “minimum necessary” to accomplish the intended purpose.

Page 17:

Minimum Necessary Rule

- Asks - How much information is needed to achieve your purpose?
- Applies to all forms of communication.
- Use - Requires policies & procedures (P&P) classifying staff by role/position.
- Disclosure - Requires P&P addressing criteria to limit disclosure & reviewing of requests.
- With request - Must limit request to that which is necessary.

Page 18:

Access to PHI (Protected Health Info.)

Opportunity to approach, inspect, review, and make use of data or information.

Actions by a consumer or health care provider with appropriate authorization.

Page 19:

Consent and Authorization

Consent - Document gives provider consent to carry out treatment, payment, or health care operations (TPO).

Authorization * - AKA “Release of Information.” Document used for purposes other than TPO.

Page 20:

Electronic Transaction & Code Set Standards

National Electronic Standards - provides automated transfer of certain health care data between health care payers, plans, and providers.

Replaces nonstandard formats and code sets with standard electronic transactions and code sets.

Page 21:

Which Administrative & Financial Transactions?

- Health claim or encounter information.
- Eligibility for a health plan inquiry.
- Referral certification & authorization.
- Health care claim status.
- Health care payment and remittance advice.
- Health plan premium payments.
- Enrollment & dis-enrollment in a health plan.
- First report of injury.
- Health claim attachments.
- And - Coordination of Benefits

Page 22:

Transaction/Code Sets Standards

Code Sets Examples:

- ICD - 9
- CPT - 4
- HCPCS
- DSM IV

Compliance Deadline with Extension: October 15, 2003

Page 23:

Benefits of Standardization of Electronic Transactions/Code Sets

- Standardized Formats – Will reduce number of formats used for health care administrative and financial transactions nation-wide.
- Billing becomes more efficient.
- Internal administrative savings related to staffing, response to complaint calls, and billing reconciliation.

Page 24:

Privacy Rule

- Applies to all protected health information (PHI).
- Does not prohibit the exchange of PHI for treatment, payment, or health care operations (TPO) within agency.
- Written Consent is required.

Page 25:

Privacy Rule Impacts

- HR - employee PHI
- Consents/Authorization
- Privacy Notifications
- Uses & Disclosures
- Health care operations
- Consumer access to & amendment of PHI
- Business Associate Agreements
- Provider responsibilities

Page 26:

Privacy Rule Highlights

Protects privacy of medical records and covers:

- Electronic records & printouts of records
- Written records
- Oral communications

Consumers give Consent for routine PHI release purposes (TPO).

Privacy Notice - documents consumer’s rights and the provider’s responsibilities.

Page 27:

Consumers Rights under HIPAA

Inspect/copy information (medical record).

Request to amend information if inaccurate or incomplete.

If request is denied - consumers may file a complaint with CSB or federal government.

Consumers may request Disclosure History

- Disclosure other than those covered by TPO

Page 28:

Business Associate Agreements

- Business Associates - Those entities that do things on our behalf with whom we share/give access to PHI.
- Business Associate Agreements - Establish permitted uses, disclosures, and safeguards for PHI.

Page 29:

Privacy Compliance Will

- Allow flow of PHI for treatment, payment, and related health care operations (TPO).
- Prohibit flow of PHI unless voluntarily authorized by the consumer.
- Allow consumers to know who is accessing their PHI outside of TPO use.
- Allow consumers to obtain access to their records & request amendment of records if inaccurate or incomplete.

Page 30:

Provider Responsibilities

- Provide formal complaint handling system.
- Allow use of de-identified data.
- Follow “minimum necessary” requirements.
- Establish Business Associate Agreements.
- Duty to mitigate damage if violations occur.
- Establish sanctions for HIPAA violations.

Page 31:

Privacy Penalties

- Civil Penalty: $100 - $25,000 maximum/year/person/same/violation.
- Criminal Penalty: $50,000 - $250,000 Fines and 1-10 years in prison.
- Commercial Advantage/Personal Gain: $250,000 and 10 years in prison.

Page 32:

Consent Exceptions

Consents not required for:

- Indirect treatment relationships.
- Inmates.
- When required by law to treat (i.e., Court Ordered).
- In case of substantial communication barriers.
- In cases of emergencies.

Page 33:

Privacy Preemption

HIPAA will preempt state laws relating to PHI, except for those contrary to & more stringent than HIPAA.

Page 34:

Organizational Practices - Security

- Staff training.
- Role based access.
- Remote access site security issues.
- Electronic/wireless devices (i.e., laptops).
- Gap Assessment. *
- Authentication of users.

Page 35:

Organizational Practices - Security

- Policies/procedures for workstation use.
- Security of workstation locations.
- Security Incident Reporting.
- Termination procedures.
- Media controls.
- Audit trails.
- Encryption.

Page 36:

Security Rule

Deals with how PHI is secured:

- Access to PHI.
- Minimum Disclosure Rule.
- Encryption/digital signatures.
- Background checks.
- Physical (facility) security.

Final Security Rule – Pending.

Page 37:

HIPAA Identifier Standards

Pending HIPAA Regulation

- Employer ID
- Provider ID
- Payor ID

Final Identifier Rule: Pending in HHS

Page 38:

Required Administrative Procedures

- Designate Privacy & Security Officers.
- Complete gap analysis. *
- Develop a plan for HIPAA compliance.
- Identify Business Associates and establish agreements.
- Revise/develop P&P for HIPAA.
- Provide & document HIPAA training.
- Address access control issues.
- Have internal audit processes in place.

Page 39:

Required Administrative Procedures

- Develop formal Consumer Complaint Syst.
- File - Extension: Code Sets/Transactions.
- HIPAA Compliance Certification (IT)
- Develop Disaster/Contingency Plans.
- Identify security incident procedures.
- Meet personnel security requirements.
- Develop a security management system.
- Identify Sanctions for violations.
- Test your system.

Page 40:

Summary: Vocabulary

- Covered Entity
- PHI
- TPO
- Privacy Notice *
- Consent
- Authorization *
- Minimum Necessary
- Business Associate Agreement
- De-identification of PHI

Page 41:

Proposed Changes

- Strengthen Privacy Notice provisions.
- Eliminate Consent - Acknowledge receipt of Privacy Notice.
- Maintain “minimum necessary rule” while allowing treatment-related conversations.
- Assure appropriate parental access to their children’s records. (state law will govern)
- Prohibits use of records for marketing.
- Assure privacy without impeding research.
- Provide model business associate provisions.

Page 42:

Resources

- http://aspe.hhs.gov/admnsimp/index
- http://www.hhs.gov/ocr/hipaa
- http://www.ahima.org/hot.topics
- http://www.wedi.org/
- http://www.samhsa.gov/hipaa

Page 43:

Resources

- http://www.afehct.org
- http://www.healthprivacy.org
- http://www.hipaalert.com
- http://himinfo.com/news/hipaa
- http://www.hipaadvisory.com/regs/

Page 44:

For more information or questions on HIPAA please contact:

Demetrios Peratsakis
Executive Director
Western Tidewater CSB
757-925-2406
or
[email protected]

Page 45:

HIPAA Committee Deliverables

Drafts - Pending Attn. General’s Review

- Email Policy
- Fax Policy
- Privacy Notice
- Authorization Form
- Extension Template – Trans./Code Sets
- Internet Policy
- Gap Analysis Survey Tools (3)
- Glossary of HIPAA Terms

Page 46:

HIPAA Committee Deliverables

Future Documents to be Released

- Minimum Necessary Policy
- Compliance Process Policy
- Business Associate Agreement Template

Page 47:

Remember!!!

Together we are making a difference...

8 May-02

Page 48:

As promised - How to insert a Hippo in your next PowerPoint Presentation:

In MS PowerPoint

Go to “Insert”

Choose “Picture/Clip Art”

Type - “Hippopotamus.”

Pick your hippo and choose “Insert.”