HIPAA Administrative Simplification and Nebraska SNIP (Strategic National Implementation Process)



HIPAA

Law & Intent

Who is affected

Standards

Current issues to track

Implementation Process (SNIP)

Additional resources


HIPAA Administrative Simplification Law

Health Insurance Portability and Accountability Act of 1996 – HIPAA

H.R. 3103 – Kassebaum/Kennedy Bill

Title II – Subtitle F – Administrative Simplification

Signed into Law August 21, 1996

Public Law 104-191

Part C of Title XI of Social Security Act


Intent of HIPAA

Reduce the costs and administrative burdens of healthcare with standardized, electronic transmission of many administrative and financial transactions.

Protect the security and confidentiality of electronic health information.

Enable individuals to control their own health information.


Who is affected by HIPAA?

Providers

Health Plans

Employers acting as Self Insured Groups

Payers

Third Party Administrators

Clearinghouses

All trading partners of above


HIPAA Standards

Transactions & Code Sets

Privacy

Security

Identifiers


Transactions and Code Sets Standards

Final Rule Published in August 17, 2000 Federal Register

Compliance is required by October 16, 2002 (October 16, 2003 by small health plans)

NDC code retraction

On May 29, 2001, Tommy Thompson retracted the standard of using NDCs on institutional and professional claims.


Transaction standards

Data Element

Required vs. Conditional

Formats

Codes

Values

Transaction Sets X12 Version 4010

Claim - 837

Payment/Remit - 835

Claim Status - 276/277

Eligibility - 270/271

Referral - 278

Enrollment & benefits Maintenance - 834

Premium Payments - 820

Claims Attachments - 275*

First Report of Injury - 148*

NCPDP

* expected later...


Code sets Standards

Service & Diagnosis Codes

ICD-9-CM Volumes I, II & III

CPT-4

HCPCS

CDT

NDC

No Local Codes will be allowed


Information Between Health Plans

Coordination of Benefits

Claims Processing


Is a provider required to send claims electronically?

No, but if you do, they have to be HIPAA compliant.

You can use a clearinghouse to handle the translation of the data from your current form into a HIPAA compliant form.


Failure to Comply with Transactions Standards

| Penalty | Jail Time | Offense |
|---|---|---|
| $100 | None | Single Violation of a provision |
| Up to $25k | None | Multiple violations of an identical requirement or prohibition made during a calendar year |


Privacy Standards

Final Rule Published in December 28, 2000 Federal Register

Compliance is required by April 14, 2003 (April 14, 2004 by small health plans)

OCR issued guidance on July 6, 2001

Additional guidelines are expected


Privacy

Summary of Privacy regulation:

Consumer Control over Health Information

Use and Disclosure Boundaries

Ensure the Security of Protected Health Information

Establish Accountability for Use and Release

Balancing Public Responsibility with Privacy Protections

Preserving Existing, Strong State Confidentiality Laws


Definitions

Privacy is what happens to information after the appropriate person has it (I only use the data for the agreed purpose)

Confidentiality is the control of the information at all times, providing ‘need to know’ access to only those appropriate

Security is the enforcement and protection afforded information under both conditions


Consumer Control over Health Information

Notice of Privacy Practice

Patient access to their health records and right to amend

Patient consent before information is released

Recourse if privacy protections are violated

Accounting for release of health information


Use and Disclosure Boundaries

Ensuring that health information is not used for non-health purposes

Providing the minimum amount of information necessary


Ensure the Security of Protected Health Information

Adopt written privacy procedures

Train employees on privacy

Designate a privacy officer


Establish Accountability for Protected Health Information

| Penalty | Jail Time | Offense |
|---|---|---|
| Up to $50k | Up to 1 year | Wrongful disclosure of individually identifiable health information |
| Up to $100k | Up to 5 years | Wrongful disclosure of individually identifiable health info committed under false pretenses |
| Up to $250k | Up to 10 years | Wrongful disclosure of individually identifiable health information committed under false pretenses with intent to sell, transfer or use for commercial advantage, personal gain or malicious harm. |


Balancing Public Responsibility with Privacy Protections

In limited circumstances, the final rule permits, but does not require, covered entities to continue existing disclosures of health information for specific public responsibilities without individual authorization.


Preserving Existing, Strong State Confidentiality Laws

National "floor" of privacy standards that protects all Americans, but in some states individuals enjoy additional protection.

Stronger state laws (like those covering mental health, HIV infection, and AIDS information) continue to apply.


Security Standards

Proposed Rule Published in August 12, 1998 Federal Register

Final Rule expected this year


Security

The security standard is a set of requirements with implementation features that providers, plans, and clearinghouses must include in their operations to assure that electronic health information pertaining to an individual remains secure.

The standard does not reference or advocate specific technology.

The standard does not address the extent to which a particular entity should implement the specific features.

Individual security requirements and the choice of technology are business decisions that each organization must make.

HIPAA IS TECHNOLOGY NEUTRAL


Security

Best Security is what we can do ourselves

75% of security breaches happen inside.


Security

Administrative Procedures

Physical Safeguards

Technical Data Security

Technical Security Mechanisms


Administrative Procedures

Certification

Chain of Trust agreement

Contingency Plan

Formal Mechanism for Processing Records

Information Access Control

Internal Audit


Administrative Procedures

Personnel Security

Security Configuration Management

Security Incident Procedures

Security Management Process

Termination Procedures

Training


Physical Safeguards

Assigned Security Responsibility

Media Controls

Physical Access Controls

Policy/Guideline on Workstation Use

Secure Workstation Location

Security Awareness Training


Technical Data Security

Access Control

Audit Controls

Authorization Controls

Data Authentication

Entity Authentication


Technical Security Mechanisms

Integrity controls

Message authentication

Access controls or Encryption

Entity authentication

Event reporting


Technical Security Mechanisms

In addition, if using a network for communications, the following implementation features would be in place:

Alarm

Audit trail

Entity authentication

Event reporting


Electronic Signature

Digital Signature - Optional, but if used:

Nonrepudiation

User Authentication

Message integrity


Unique Health Identifiers

Provider

Will not replace TIN

Will eventually replace the UPIN

Employer - Will be TIN

Health Plan - may include Sub ID

Patient - still under discussion


Status of Identifiers

National Provider Proposed Rule Published in May 7, 1998 Federal Register

National Employer Proposed Rule Published in June 16, 1998 Federal Register

Final Rules???


Status of Identifiers

Movement on this portion of HIPAA has not occurred

Focus is on implementation of standards for data and on final privacy and security regulations


Current Issues To Track

Federal legislation

H.R. 1975 and S. 836 are in the House and Senate to delay HIPAA’s administrative simplification provisions.

Some members of Congress are considering overturning the privacy rule

Case constitutionally challenging HIPAA

SC Medical Assoc, Physicians Care Network, LA State Medical Society vs. US Dept of Health and Human Services

AAPS vs. US Dept of Health and Human Services


Current Issues To Track

Final rule on health data security

Due out this year – HHS must ensure the final security rule is compatible with the final privacy rule – published in late 2000 (and likely to undergo some changes)

Additional Guidance on Privacy Standards

Additional code changes as implementation progresses


NOW WHAT???

Where do I go from here ???


Compliance with HIPAA Administrative Simplification

Nebraska SNIP (Strategic National Implementation Process)


Why collaborate?

Implementing HIPAA requires coordination and collaboration among trading partners

There is no competitive advantage to be ‘HIPAA Ready’, if your trading partners aren’t ready

Collaboration and coordination will limit costly implementation efforts

Avoid the ‘re-inventing the wheel all over again’ syndrome


Why collaborate?

Standards are dependent on consistent policies, practices and technology among business partners

Actions of a business partner may generate liabilities for one’s own organization

Sloppy planning and inefficient implementation will be costly to everyone


Key Elements for Collaborative Environment

Trust

Commitment

Clear Vision


Trust

Joint ownership

Joint accountability

No dominant player

Balanced interests

No hidden agendas

Neutral meeting ground


Commitment

NE Health and Human Services System

Key providers

Leading health plans/payers

Trade associations & societies

Key vendors


Clear Vision

Use HIPAA as an opportunity to redesign business process

Remember patient rights in process

Improve efficiency of healthcare through information technology


Regional Approaches

Implementation will occur locally

Healthcare crosses local political and business boundaries

National coordination and guidance will be exceedingly helpful


Nebraska SNIP Formation

Blue Cross and Blue Shield of Nebraska

Health Data Management

Mutual of Omaha

NE Assn of Hospitals and Health Systems

NE Health and Human Services System

NE Medical Association


Nebraska SNIP

…is a collaborative healthcare industry-wide process resulting in the implementation of standards and furthering the development and implementation of future standards.


Nebraska SNIP

Promote general healthcare industry readiness to implement HIPAA standards.

Identify education and general awareness opportunities for the healthcare industry to utilize.

Recommend an implementation time frame for each component of HIPAA for each stakeholder and identify the best migration paths for trading partners.


Nebraska SNIP

Establish opportunities for collaboration, compile industry input, and document the industry “best practices”.

Identify resolution or next steps where there are interpretation issues or ambiguities within HIPAA standards.

Serve as a resource for the healthcare industry when resolving issues arising from HIPAA implementation.


Nebraska SNIP Approach

Facilitate planning among:

Providers

Health Plans

State Government

Vendors

Trade associations and professional societies playing a key role.


NE SNIP Steering Committee

Goal: Develop overall strategy for addressing HIPAA compliance in an orderly & effective manner

Defined Work Groups:

Transactions, Codes and Identifiers

Privacy

Security

Awareness, Education and Training


Transactions, Codes and Identifiers Work Group

Goal: Develop consensus on sequence and timing for implementation of transactions & codes

Activities

Issue and publicize Target Date Guidelines

Build critical mass of providers, health plans, clearinghouses, vendors and gov’t agencies for transaction testing


Privacy Work Group

Goal: Understand impact of final regulations

Activities:

Develop working knowledge of Privacy regulations and impact

Determine organization’s current level of HIPAA privacy compliance

Develop gap analysis, checklists, and guidelines for policies & procedures to implement Privacy Standards


Security Work Group

Goals: Understand HIPAA requirements for security of data and communications

Activities:

Investigate secure transaction & interoperability among trading partners

Develop self-assessment checklist / tool to determine organization’s current level of HIPAA security compliance - gap analysis


Awareness, Education & Training Work Group

Goals:

Develop programs to share HIPAA information.

Collaborate with professional groups and agencies to promote and deliver programs.

Activities:

Survey to determine awareness and readiness.

Leverage current planned activity in NE

Develop Nebraska SNIP communication and information sharing


Steering Committee Contacts

Brenda Block

Health Data Management Corp.

402-965-8158 [email protected]

Kevin Conway

NE Assn of Hospitals & Health Systems

402-458-4910, [email protected]



Transactions, Code Sets & Identifiers Contacts

Don Butler

Blue Cross and Blue Shield of Nebraska

402-398-3843, [email protected]



Privacy Contacts

Lori Umberger, RN, BSN

Creighton Cardiac Center

402-280-4603, [email protected]

Kathleen Zeitz

Methodist Health System

402-354-2174, [email protected]



Security Contacts

Susan Heider

Regional West Medical Center

308-635-3711, [email protected]

Sue Huenniger

Mutual of Omaha

402-351-8622, [email protected]



Awareness, Education and Training Contacts

Brenda L. Block

Health Data Management Corp.

402-965-8158, [email protected]

Rick Hain

BryanLGH Medical Center

402-481-8521, [email protected]

NESNIPAWARENESS@yahoogroups.com

NESNIPAWARENESS [email protected]


Nebraska SNIP Activities

First Meeting March 15, 2001

HIPAA background

Other regional efforts

NE SNIP mission

NE SNIP organization

Next NE SNIP Meeting

Next NE SNIP Meeting

September 18, 2001, Kearney

Work Group and sub group meetings


Additional HIPAA Resources

Health Insurance Portability and Accountability Act of 1996, Public law 104-191, 104th Congress, August 21, 1996: aspe.hhs.gov/admnsimp/pl104191.htm

Department of Health and Human Services Administrative Simplification: aspe.hhs.gov/admnsimp/index.htm

Centers For Medicare and Medicaid Services (HCFA): www.hcfa.gov/hipaa/hipaahm.htm

HCFA fact sheet on HIPAA’s provisions: www.hcfa.gov/facts/f9702as.htm

HIPAA Security Accreditation information: www.ehnac.org/securityaccreditation/default.html


HIPAA Resources cont...

Workgroup for Electronic Data Interchange: www.wedi.org/

Washington Publishing Company, ANSI, ASC and X12N HIPAA Implementation Guides: www.wpc-edi.com/hipaa

Data Interchange Standards Association (DISA): www.disa.org/

Designated Standard Maintenance Organization (DSMO): www.hipaa-dsmo.org

ANSI X12 Committee: www.x12.org


HIPAA Resources cont...

HIPAA Comply - security and privacy compliance: www.hipaacomply.com

Welcome to HIPAA Directory.com: www.hipaadirectory.com

HHS Office of Civil Rights: www.hhs.gov/ocr/hipaa/

Nebraska SNIP: www.nesnip.org