
Health Insurance Portability and Accountability Act of 1996 (HIPAA)

What It Is and How It Affects Us

COMPONENTS OF HIPAA

Title I: Health Insurance Access & Portability

Title II: Administrative Simplification
-Transactions, Code Sets, Identifiers (EDI)
-Security
-Privacy

Title III: Medical Savings Accounts & Tax Deduction Provisions

Title IV: Group Health Plan Provisions

Title V: Revenue Offset Provisions

Health Insurance Portability & Accountability Act of 1996

HIPAA Compliance Dates

• Transaction Standards: October 16, 2002

• Privacy Standards: April 14, 2003

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

• Title I: Preexisting conditions; prohibits discrimination based on health status

• Title II: Administrative Simplification
-Transaction Standards (EDI)
-Code Set Standards
-National Unique Health Care Identifier Standards
-Security and Privacy Standards

• Title III: Medical Savings Accounts & Tax Deduction Provisions

• Title IV: Group Health Plan Provisions

• Title V: Revenue Offset Provisions

What Forms Of Records Does HIPAA Apply To?

HIPAA applies to all forms of patient health information, including paper records, computerized records, e-mail transmissions, telephone transmissions and transactions, etc.

All modes of exchange and use of information are addressed in the HIPAA regulations, including the Internet, intranets, and all other modes of information exchange.

Who Is Affected By HIPAA?

• All healthcare providers;
• Consulting physicians;
• Managed Care Organizations;
• Health insurance companies;
• Life insurance companies;
• Self-insured employers;
• Pharmacies;
• Pharmacy Benefits Managers;
• Clinical laboratories;
• Accrediting organizations;
• Medical Information Bureaus

Purpose of Administrative Simplification Regulation

The regulations have three major purposes:

• To protect and enhance the rights of consumers by providing them access to their patient health information and by protecting against inappropriate use of that information;

• To improve the quality of health care by restoring trust in the health care system among consumers and health care professionals;

• To improve the efficiency and effectiveness of health care delivery by creating a national framework for health care privacy protection by local, state, and federal entities.

HIPAA Advantages

• Opportunity to capitalize on the e-commerce business environment;
• Improved cost-effectiveness of operations;
• Improved patient care;
• Long-term return on investment

HIPAA Benefits

• Reduced accounts receivable;
• Improved quality of claims;
• Labor savings in enrollment verification, claims management, and medical records compliance and documentation;
• Reduction in coding/charting errors;
• Reduction in fraudulent claims;
• Improved security and confidentiality of Protected Health Information (PHI)

What Entities Must Comply With HIPAA?

• All healthcare clearinghouses, billing services, and other entities that process patient health information;

• All healthcare providers
-hospitals;
-physician practices

• All health plans

Transaction Standards Regulation

Transaction standards are designed to reduce cost and improve efficiency in all aspects of the health care delivery system. Standard transaction code sets are mandated for all providers.

Electronic Transaction Standards

Transaction                               | Standard
Health Claim                              | ASC X12N 837
Health Claim & Remittance Advice          | ASC X12N 835
Coordination of Benefits                  | ASC X12N 837
Health Claim Status                       | ASC X12N 276/277
Enrollment & Dis-enrollment in a Plan     | ASC X12N 834
Eligibility for a Health Plan             | ASC X12N 270/271
Health Plan Premium Payment               | ASC X12N 820
Referral Certification & Authorization    | ASC X12N 278

HIPAA Code Set Requirements

Code Set            | Expected to be required in initial phase | Changes required for the 1st phase from current code sets | Future expectations
ICD-9-CM Diagnosis  | Yes | None                           | Migrate to ICD-10-CM
ICD-9-CM Procedure  | Yes | None                           | Migrate to ICD-10-PCS
CPT-4               | Yes | None                           | Migrate to CPT-5
HCPCS Level II      | Yes | Removal of "J" and "D" codes   | None
"J" Codes           | No  | Replaced by NDC codes          | N/A
"D" Codes           | No  | Incorporated into CDT codes    | N/A
HCPCS Level III     | No  | Eliminated                     | N/A
CDT-2 Codes         | Yes | None                           | CDT-3
NDC Codes           | Yes | None                           | Unknown
LOINC Codes         | No  | N/A                            | Required in future phases
Non-medical Codes   | Yes | Use X12 standards              | None

HIPAA Identifier Standards

• National Provider Identifier (NPI): 8-digit alphanumeric proposed
• Employer Identification Number (EIN): IRS code proposed
• National Health Plan Identifier: NPR expected end of 2000
• Unique Identifier for Individuals: TBA

Security Standards

Security standards are designed to protect all patient health information and to provide access to appropriate personnel. Measures to be taken include:

• Administrative procedures
-Chain of trust agreements between business partners;
-Formal policies and procedures defining the level of access to patient data;
-On-going internal audits of access;
-Formal security training for all employees and contractors.

Security Standards – Cont.

• Physical safeguards to guard data integrity
-Formal appointment of a security "czar";
-Policies and procedures for disposal of all computer media;
-Anti-virus and disaster recovery plans;
-Physical access controls to data sites;
-Formal protocols regarding activities and security at the workstation level.

• Technical security
-Security techniques to verify users;
-Audit controls to track system activities;
-Data authentication to prove that data has not been altered inappropriately;
-User authentication and access control (e.g., automatic log-off).

• Encryption is required for information transmitted outside of the organization.

Privacy Standards

Privacy standards are designed to regulate the use and disclosure of patient health information. These standards define what information can be disclosed with and without patient consent or authorization.

• Consent is required for treatment, payment, and healthcare operations; psychotherapy notes and research unrelated to treatment are excepted and cannot be disclosed under that consent alone.

• Release of patient health information for public health issues and law enforcement is permissible without consent.

Privacy Standards-Cont.

• Written authorization is required for marketing uses, transfers to non-health related entities, employment determinations, and fundraising efforts;
• All consents and authorizations must be written in plain English;
• Separate authorizations are needed for each encounter;
• Prohibitions on conditioning authorization on treatment and/or payment;
• All consents and authorizations must have an expiration date.

Privacy and Patient Rights

• Patients have the right to view their medical records;
• Right to obtain copies of all medical related information;
• Right to have all errors corrected;
• Right to know who has access to their records;
• Right to review the provider's policies and procedures on patient privacy and security;
• Right to know when corrections are made;
• Right to revoke all consents and authorizations.

Administrative Safeguards

• Formal privacy and security training for all employees, contract labor, etc.;
• Safeguards against accidental or intentional disclosures;
• Sanctions for violations;
• Policies and procedures addressing privacy and security regulations;
• Public notices posted concerning privacy and security of patient health information;
• All records must be maintained for a minimum of 6 years.

Penalties for Non-Compliance

• HIPAA sets forth penalties for failure to comply with requirements and for wrongful disclosure of individually identifiable health information;

• Failure to comply with transaction standards will carry fines of up to $100 per person, per transaction, up to an annual maximum of $25,000;

• Penalties for knowing misuse of individually identifiable health information will be up to $250,000 and/or imprisonment of up to ten years.

What Do We Need To Do Now?

• Conduct an information system assessment
-Disaster recovery plan;
-Encryption capabilities of affected systems;
-Evaluate access control of systems and data;
-Firewall evaluation;
-Virus protection evaluation;
-Disposal of computer media.

• Conduct a business service assessment
-Conduct a gap analysis of current UB-92 data against the new formats for claims submission, remittance advice, etc.;
-Evaluate all code sets for compliance with regulations;
-Work with _____ and IS personnel to facilitate readiness and ultimate compliance with regulations.

What Do We Need To Do Now? (cont.)

• Conduct a health information assessment
-Review, evaluate, revise, and create policies and procedures on confidentiality, privacy, and disclosure of patient health information;
-Assist with development of new policies and procedures complying with HIPAA;
-Participate in the auditing of access, use, and disclosure of patient health information;
-Participate in the review and creation of consent and authorization forms complying with HIPAA regulations;
-Other.

Proposed HIPAA Organizational Chart

Senior Management Leadership Team
  Corporate Compliance & HIPAA Officer
    HIPAA Dir./Mgr. (TBD)
      Multidiscipline Task Force *
        Transaction Sub Group: Project Team (Facility)
        Code Set Sub Group: Project Team (Facility)
        Security Sub Group: Project Team (Facility)
        Privacy Sub Group: Project Team (Facility)

* Representation from business services, information systems, medical records, health information management, finance, clinical, compliance, and others as needed.