HIPAA 101: Overview
An Introduction to the HIPAA Regulations
Presentation Agenda
At the end of this presentation, you should:
– Know what HIPAA is and where it came from
– Know why we should care about it
– Have a basic understanding of the HIPAA standards and their impact on the culture of the organization
– Know what your biggest challenges will be
– Know your role in HIPAA compliance
What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act
It was originally intended to support:
– The portability of health insurance
– Improved fraud and abuse protections
The Administrative Simplification provisions were added to lower administrative health care costs by conducting more business electronically
HIPAA
Title I – Health insurance access, portability and renewal
Title II – Fraud and Abuse; Medical Liability Reform; Administrative Simplification
Title III – Medical Savings Accounts; Tax deduction provisions
Title IV – Group health plan provisions
Title V – Revenue offset provisions

The Administrative Simplification provisions of Title II comprise three sets of standards:
– Electronic Transaction Standards (EDI): for 9 key payor transactions; includes clinical code sets; includes key identifiers
– Security Standards: for protecting electronic health information
– Privacy Standards: to spell out permissible uses of patient identifiable healthcare information
Background: Where Did HIPAA Come From?
Cost Concerns
The U.S. spends about $400 billion each year on administrative services related to health care
The Congress estimated that approximately $87 billion could be saved annually if administrative efficiencies could be improved by:
– Requiring more health care transactions to be conducted electronically, which would reduce paperwork, and
– Standardizing health care transactions
Privacy Concerns
As more business is conducted electronically, it becomes more difficult to protect the privacy of the data
– A Wall Street Journal/ABC poll published September 16, 1999 found that the greatest concern of Americans for the century ahead is the loss of personal privacy.
– The increasing availability of information on the Internet adds to people's fears
– The case of Arthur Ashe
– The case of Robert Bork
– The inappropriate use of DNA is a growing concern
Breaches of Patient Privacy
These sample published accounts of privacy breaches are only a fraction of all cases.
– A bank accesses records and calls in loans of cancer patients
– A medical student sells “promising” cases to a malpractice lawyer
– A hospital ED employee shares patient information with an ambulance chaser for financial gain
Why Should You Care About HIPAA?
Why should you care about HIPAA?
First Reason: HIPAA is the law
Second Reason: all indications are that HIPAA regulations will be incorporated into existing accreditation standards and annual audit procedures.
Third Reason: Many of the HIPAA regulations make good common business sense.
Every employee will be impacted by HIPAA
How Does HIPAA Benefit Hospitals?
– It reduces paperwork
– The accuracy of documentation is improved
– It could reduce the turnaround time for getting claims paid
Banking Has Led the Way
During the 1970s, the banking industry led the way in standardizing financial transactions.
Standardization enables us to use our credit cards, make withdrawals and deposit money to our bank accounts all over the world.
HIPAA Standards for Electronic Transactions
HIPAA: The Electronic Transaction Standards
Standards were developed for nine administrative and financial transactions (such as healthcare claims, claims payment, eligibility determination) to accomplish the following:
– Require payers to accept those electronic transactions for health care services in a standardized format
– Establish standard codes to be used for those electronic transactions
– Develop universal identifiers for health care providers, employers and individuals (the individual identifier was subsequently blocked by Congress and has never been issued)
HIPAA Privacy and Security Standards
Privacy vs. Security
First: some definitions -
– Privacy: rules governing use and disclosure of data (how can patient information be used?)
– Security: mechanisms for protecting access to systems and data (preventing unauthorized individuals from gaining access)
HIPAA Privacy Standards
Protected Health Information
The privacy standards were developed to limit the ways in which individually identifiable health information can be used or disclosed
Protected health information is individually identifiable health information that is maintained or transmitted electronically, or in any other form or medium
That means that information transmitted orally is protected, as well as information that is maintained or transmitted electronically or on paper
Approach to Privacy Rule
In developing the final Privacy Rule, the Department of Health and Human Services:
– Sought to create a balance between the patient's right to information privacy and the public interest in providing health care services
– Established accountability for breaches of privacy and delegated responsibility for enforcement to the Department's Office for Civil Rights
– Developed penalties for individuals who violate the Privacy Rule
The Bottom Line
Civil monetary and criminal penalties under the statute:
– Civil: failure to comply with any Administrative Simplification standard: $100 per violation, up to an annual maximum of $25,000 for violations of an identical requirement
– Criminal: knowingly obtaining or disclosing individually identifiable health information: $50,000 and/or up to 1 year imprisonment
– Under false pretenses: $100,000 and/or up to 5 years imprisonment
– With intent to sell, transfer, or use health information for commercial advantage, personal gain, or malicious harm: $250,000 and/or up to 10 years imprisonment
These are the figures in the statute as of this presentation; the HITECH Act of 2009 later raised the civil penalty tiers substantially.
Every employee is at risk
Privacy Regulations Provide Consumer Control over Health Information
The hospital is required to give patients a clear written explanation of how it may use, keep, and disclose their health information, and of their rights with respect to it. This is called a Notice of Privacy Practices, and the regulations identify specific information that it must contain.
While patients cannot alter the existing content of their medical records, they do have the right to request that the hospital amend their records, by adding information to those records.
The hospital may refuse that request if, among other things, it determines that the information in dispute is accurate and complete.
Boundaries on Medical Information Use
Protected health information can be used or disclosed without patient authorization for purposes of treatment, payment and health care operations.
Disclosures for any other reason require a written authorization from the patient.
Patients will be able to revoke an authorization in writing (but not retroactively)
Uses, disclosures and requests for information must be limited to the minimum necessary for the purpose; disclosures to, and requests by, a health care provider for treatment are exempt from this minimum necessary standard.
Other Allowable Disclosures
Covered entities may disclose some information without consent, for example:
– Oversight of the health care system, including quality assurance activities
– Public health
– Emergency circumstances
– For facility patient directories
– For activities related to national defense and security
Administrative Requirements
Covered entities must
– Designate a privacy official with responsibility to develop and implement privacy policies and procedures, and address patient complaints.
– Implement policies and procedures with respect to protected health information. Must also keep P&Ps and patient notices updated with changes in the law.
– Train all members of the workforce on those P&Ps before April 14, 2003
– Document and apply sanctions to members of its own workforce for privacy breaches.
– Mitigate any harmful effects of a breach.
– Establish written contracts with business associates who perform or assist in the performance of a function or activity on behalf of a covered entity involving the use or disclosure of protected health information
DHHS Privacy Guidelines
HHS has issued two guidance documents on the patient privacy rule answering common questions and clarifying key areas of confusion. For example:
– Pharmacies need not obtain a patient's consent before allowing a friend or relative to pick up a prescription
– Hospitals need not remove medical charts from patients' bedsides, isolate x-ray light boards or be retrofitted with soundproof walls
– In general, common sense and practicality win out over a strict interpretation of the rule
DHHS Privacy Guidelines
The Privacy Rule states that the regulations are scalable, and that covered entities should do what is reasonable to implement them, considering the size and resources available to the organization
HIPAA Security Standard
Security Standards
Require covered entities to "maintain reasonable and appropriate administrative, technical, and physical safeguards"
The HIPAA security standards, as proposed, are organized into four categories:
– Administrative procedures to ensure that threats or violations can be prevented, detected and resolved (security training, hiring practices, system audits)
– Physical safeguards to protect PHI from fire, disaster and unauthorized access (locks, keys, storage protection)
– Technical security services to control and monitor access (passwords, audit trails, automatic logoff)
– Network security to protect data transmitted over a network from unauthorized access (encryption, detection systems)
Standards were also proposed for electronic signatures, but will now be released under a separate rule
Note: the final Security Rule, published in February 2003, folded network protection into the technical safeguards, leaving three categories: administrative, physical and technical.
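The slide names the technical safeguards only as a list of mechanisms. The following is an added example, not code from the original presentation, showing how three of those mechanisms fit together in a small PHI access gateway: access limited to the minimum necessary fields for a user's role, an audit trail entry for every access attempt whether allowed or refused, and automatic logoff of a session that has been idle too long. The role names, field sets, sample chart and 15-minute timeout are all constructed for illustration.

```python
"""Added example (not from the original presentation): a toy PHI access gateway
showing the technical safeguards the slide names -- access control limited to
the minimum necessary fields for a role, an audit trail of every access attempt,
and automatic logoff after a period of inactivity.
All roles, field sets, chart contents and timeouts are constructed for illustration."""
import time
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when an access attempt is refused; the attempt is still audited."""


# Constructed: the PHI fields each role needs to do its job (minimum necessary).
ROLE_FIELDS = {
    "physician": {"name", "diagnosis", "medications", "insurance_id"},
    "billing": {"name", "insurance_id"},  # no clinical detail for payment work
    "volunteer": set(),                   # facility directory only, no chart access
}

# Constructed sample chart; not real patient data.
CHARTS = {
    "MRN-0001": {
        "name": "Jane Doe",
        "diagnosis": "hypertension",
        "medications": ["lisinopril"],
        "insurance_id": "INS-555",
    },
}

AUTO_LOGOFF_SECONDS = 15 * 60  # constructed idle timeout for automatic logoff


@dataclass
class Session:
    user: str
    role: str
    last_activity: float  # epoch seconds of the last authorised action

    def expired(self, now: float) -> bool:
        """Automatic logoff: a session idle longer than the timeout is dead."""
        return now - self.last_activity > AUTO_LOGOFF_SECONDS


@dataclass
class PhiGateway:
    audit_log: list = field(default_factory=list)

    def _audit(self, now, session, mrn, purpose, outcome):
        # Every attempt, allowed or denied, becomes an audit-trail entry.
        self.audit_log.append({
            "ts": now, "user": session.user, "role": session.role,
            "mrn": mrn, "purpose": purpose, "outcome": outcome,
        })

    def read_chart(self, session, mrn, purpose, now=None):
        """Return only the fields the caller's role may see, or raise AccessDenied."""
        now = time.time() if now is None else now
        if session.expired(now):
            self._audit(now, session, mrn, purpose, "DENIED: idle session, auto-logoff")
            raise AccessDenied("session expired; log in again")
        allowed = ROLE_FIELDS.get(session.role, set())
        if not allowed:
            self._audit(now, session, mrn, purpose, "DENIED: role has no chart access")
            raise AccessDenied(f"role {session.role!r} may not read charts")
        chart = CHARTS.get(mrn)
        if chart is None:
            self._audit(now, session, mrn, purpose, "DENIED: no such record")
            raise AccessDenied(f"unknown record {mrn}")
        session.last_activity = now  # successful activity resets the logoff timer
        view = {k: v for k, v in chart.items() if k in allowed}
        self._audit(now, session, mrn, purpose, "OK: fields=" + ",".join(sorted(view)))
        return view

    def denied_attempts(self, user):
        """Audit-trail review: every refused attempt by a given user."""
        return [e for e in self.audit_log
                if e["user"] == user and e["outcome"].startswith("DENIED")]


if __name__ == "__main__":
    gw = PhiGateway()
    doc = Session("dr.smith", "physician", last_activity=1000.0)
    print(gw.read_chart(doc, "MRN-0001", "treatment", now=1100.0))
    clerk = Session("clerk.jones", "billing", last_activity=1000.0)
    print(gw.read_chart(clerk, "MRN-0001", "payment", now=1100.0))
    for entry in gw.audit_log:
        print(entry)
```

The point of the design is that the denial paths are logged before the exception is raised: the audit trail, not the happy path, is what an investigator needs when a disgruntled patient alleges that someone looked at their record.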
HIPAA Implementation Update
What’s the Current Status of HIPAA?
Deadline
Covered Entities must be in compliance by:
• October 16, 2002 - EDI transaction standards (October 16, 2003 for covered entities that filed a compliance plan under the ASCA one-year extension)
• April 14, 2003 - Privacy standards (April 14, 2004 for small health plans)
Other final rules are expected to be released throughout 2002
The Biggest Challenges Will Be:
Developing policies and procedures for privacy
Documenting compliance with your P&Ps
Modifying the culture to comply with HIPAA
Your Greatest Risk Exposure Will Be:
Disgruntled patients who feel that the privacy of their personal health information has been compromised
Your Role in HIPAA Compliance
– Make every reasonable effort to protect the privacy of our patients' health information
– Report any concern about suspected violations of patient privacy to the hospital Privacy Officer
Questions
Post-Test - Questions
The hospital may use the patient’s health information for whatever purposes that it deems necessary. True_____ False_____
Patients have the right to alter information contained in their medical records under HIPAA. True_____ False_____
All clinical staff may have access to any patient records under HIPAA. True_____ False_____
All employees within the hospital system will be impacted by HIPAA.True_____ False_____
Hospital employees can be individually penalized for violating the confidentiality of patient information. True_____ False_____
Post-Test - Answers
The hospital may use the patient's health information for whatever purposes it deems necessary. True_____ False__X__ The hospital may use the patient's health information for treatment, payment and health care operations only, unless a separate, specific-purpose authorization is signed or one of the other allowable disclosures applies.
Patients have the right to alter information contained in their medical records under HIPAA. True_____ False__X__ Patients have the right to request that their records be amended, by adding to them.
All clinical staff may have access to any patient records under HIPAA. True_____ False__X__ Uses and disclosures of information must be limited to the minimum necessary for the purpose; staff see the records they need for their role.
All employees within the hospital system will be impacted by HIPAA. True__X__ False_____
Hospital employees can be individually penalized for violating the confidentiality of patient information. True__X__ False_____ See "The Bottom Line" slide for penalties