COMPONENTS OF HIPAA
Health Insurance Portability & Accountability Act of 1996
• Title I-Health Insurance Access & Portability
• Title II-Administrative Simplification
-EDI: Transactions, Code Sets, Identifiers
-Security
-Privacy
• Title III-Medical Savings Accounts & Tax Deduction Provisions
• Title IV-Group Health Plan Provisions
• Title V-Revenue Offset Provisions
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Title I
-Preexisting conditions
-Prohibits discrimination based on health status
• Title II-Administrative Simplification
-Transaction Standards (EDI)
-Code Set Standards
-National Unique Health Care Identifiers Standards
-Security and Privacy Standards
• Title III-Medical Savings Accounts & Tax Deductions Provisions
• Title IV-Group Health Plan Provisions
• Title V-Revenue Offset Provisions
What Forms Of Records Does HIPAA Apply To?
HIPAA applies to all forms of patient health information, including paper records, computerized records, e-mail transmissions, telephone transmissions and transactions, etc.
All modes of exchange of information and uses are addressed in the HIPAA regulations, including the Internet, intranet, and all other modes of information exchange.
Who Is Affected By HIPAA?
• All healthcare providers;
• Consulting physicians;
• Managed Care Organizations;
• Health Insurance companies;
• Life Insurance Companies;
• Self-insured Employers;
• Pharmacies;
• Pharmacy Benefits Managers;
• Clinical Laboratories;
• Accrediting Organizations;
• Medical Information Bureaus
Purpose of Administrative Simplification Regulation
The regulation has three major purposes:
• To protect and enhance the rights of consumers by providing them access to their patient health information and to protect against inappropriate use of that information;
• To improve the quality of health care by restoring trust in the health care system among consumers and health care professionals;
• To improve the efficiency and effectiveness of health care delivery by creating a national framework for health care privacy protection by local, state, and federal entities.
HIPAA Advantages
• Opportunity to capitalize on e-commerce business environment;
• Improve cost-effectiveness of operations;
• Improved patient care;
• Long-term return on investment
HIPAA Benefits
• Reduced accounts receivable;
• Improved quality of claims;
• Labor savings in enrollment verification, claims management, and medical records compliance and documentation;
• Reduction in coding/charting errors;
• Reduction in fraudulent claims;
• Improved security and confidentiality of Patient Health Information (PHI)
What Entities Must Comply With HIPAA?
• All healthcare clearinghouses, billing services, and other entities that process patient health information;
• All healthcare providers
-hospitals;
-physician practices
• All health plans
Transaction Standards Regulation
Transaction standards are designed to reduce the cost and improve efficiency in all aspects of the health care delivery system.
Standard Transaction code sets are mandated for all providers.
Electronic Transaction Standards
Transaction | Standard
Health Claim | ASC X12N 837
Health Claim & Remittance Advice | ASC X12N 835
Coordination of Benefits | ASC X12N 837
Health Claim Status | ASC X12N 276/277
Enrollment & Dis-enrollment in a plan | ASC X12N 834
Eligibility for a Health Plan | ASC X12N 820
Referral Certification & Authorization | ASC X12N 278
HIPAA Code Set Requirements
Code Set | Expected to be required of initial phase | Changes required for the 1st phase from current code sets | Future Expectations
ICD-9-CM Diagnosis | Yes | None | Migrate to ICD-10-CM
ICD-9-CM Procedure | Yes | None | Migrate to ICD-10 PCS
CPT-4 | Yes | None | Migrate to CPT-5
HCPCS Level II | Yes | Removal of “J” and “D” Codes | None
“J” Codes | No | Replaced by NDC Codes | N/A
“D” Codes | No | Incorporated into CDT codes | N/A
HCPCS Level III | No | Eliminated | N/A
CDT-2 Codes | Yes | None | CDT-3
NDC Codes | Yes | None | Unknown
LOINC Codes | No | N/A | Required in future phases
Non-medical Codes | Yes | Use X12 Standards | None
HIPAA Identifier Standards
• National Provider Identifier (NPI): 8-digit alphanumeric proposed
• Employer Identification Number (EIN): IRS code proposed
• National Health Plan Identifier (NPR expected end of 2000)
• Unique Identifier for individuals (TBA)
Security Standards
Security standards are designed to protect all patient health information and to provide access to appropriate personnel. Measures to be taken include:
• Administrative procedures
-Chain of trust agreements between business partners;
-Formal policies and procedures defining level of access to patient data;
-On-going internal audits of access;
-Formal security training for all employees and contractors.
Security Standards – Cont.
• Physical safeguards to guard data integrity
-Formal appointment of a security “czar”;
-Policies and procedures for disposal of all computer media;
-Anti-virus and disaster recovery plan;
-Physical access controls to data sites;
-Formal protocols regarding activities and security at workstation level
• Technical Security
-Security techniques to verify users;
-Audit controls to track system activities;
-Provide data authentication to prove data is and has not been altered inappropriately;
-Ensure user authentication and access control (i.e. automatic log off);
• Encryption is required for information transmitted outside of the organization.
Privacy Standards
Privacy standards are designed to regulate the use of and patient health information. These standards define what information can be disclosed with and without patient consent or authorization.
• Consent is required for:
-treatment, payment, and healthcare operations, with the exception that psychotherapy notes or research unrelated to treatment cannot be disclosed.
• Release of patient health information for public health issues and law enforcement is permissible without consent
Privacy Standards-Cont.
• Written authorization is required for marketing uses, transfers to non-health related entities, employment determination, fundraising efforts;
• All consents and authorizations must be written in Plain English;
• Separate authorizations are needed for each encounter;
• Prohibitions on authorization conditioning related to treatment and/or payment;
• All consents and authorizations must have an expiration date.
Privacy and Patient Rights
• Patients have the right to view their medical records;
• Right to obtain copies of all medical related information;
• Right to have all errors corrected;
• Right to know who has access to their records;
• Right to review provider’s policies and procedures on patient privacy and security;
• Right to know when corrections are made;
• Right to revoke all consents and authorizations
Administrative Safeguards
• Formal privacy and security training for all employees, contract labor, etc.;
• Safeguards against accidental or intentional disclosures;
• Sanctions for violations;
• Policies and procedures addressing privacy and security regulations;
• Public notices posted concerning privacy and security of patient health information;
• All records must be maintained for a minimum of 6 years.
Penalties for Non-Compliance
• HIPAA sets forth penalties for failure to comply with requirements and for wrongful disclosure of individually identifiable health information;
• Failure to comply with transaction standards will carry fines up to $100 per person, per transaction, up to an annual maximum of $25,000;
• Penalties for knowing misuse of individually identifiable health information will be up to $250,000 and/or imprisonment of up to ten years.
What Do We Need To Do Now?
• Conduct an information system assessment
-Disaster Recovery Plan;
-Encryption Capabilities of affected systems;
-Evaluate Access Control of Systems and Data;
-Firewall Evaluation;
-Virus Protection Evaluation;
-Disposal of Computer Media
• Conduct a business service assessment
-Conduct a gap analysis of current UB 92 data and the new formats for claims submission, remittance advice, etc.;
-Evaluate all code sets for compliance with regulations;
-Work with _____ and IS personnel to facilitate readiness and ultimate compliance with regulations.
What Do We Need To Do Now? – Cont.
• Conduct health information assessment
-Review, evaluate, revise, and create policies and procedures on confidentiality, privacy, and disclosure of patient health information;
-Assist with development of new policies and procedures complying with HIPAA;
-Participate in the auditing of access, use, and disclosure of patient health information;
-Participate in the review and creation of consent and authorization forms complying with HIPAA regulations;
-Other
Proposed HIPAA Organizational Chart
[Organizational chart: Senior Management Leadership Team; Corporate Compliance & HIPAA Officer; HIPAA Dir./Mgr. (TBD); Multidiscipline Task Force*; Transaction Sub Group, Code Set Sub Group, Security Sub Group, Privacy Sub Group; four Project Teams (Facility)]
*Representation from business services, information systems, medical records, health information management, finance, clinical, compliance, and others as needed.