HIPAA The What, When, Where, How, and Why of HIPAA for Agencies in the NC DHHS Family Presented By NCDHHS Sarah Brooks HIPAA PMO Staff: Julie Burton Susan Mitchell


HIPAA

The What, When, Where, How, and Why of HIPAA for Agencies in the NC DHHS Family

Presented By NCDHHS Sarah Brooks

HIPAA PMO Staff: Julie Burton, Susan Mitchell


NCDHHS - HIPAA PMO 2

TRAINING OBJECTIVES

• Provide High Level Overview of HIPAA Regulations

• Clarify Agencies Covered Under HIPAA

• Explain Approach Adopted by NC DHHS to Address HIPAA

• Identify Steps Agencies Can Begin Taking to Comply with HIPAA

• Identify HIPAA Resources


Addressing the Health Care Tower of Babel

The Health Insurance Portability and Accountability Act of 1996

(HIPAA)

Pieter Bruegel

Healthcare’s Tower of Babel


CURRENT INDUSTRY LIMITATIONS / CONCERNS

– Over 400 different proprietary claim forms and/or file formats dictated by payers

– Administrative overhead, including claims processing, accounts for > 20¢ of every health care dollar

– Average “Accounts Receivable” 60 days

– Increased computerization does not adequately address privacy and security concerns


FEDERAL RESPONSE

Health Insurance Portability and Accountability Act (HIPAA)

– Public Law 104-191, August 21, 1996

– Amends Internal Revenue Service Code of 1986


WHAT DOES HIPAA ACCOMPLISH?

• Guarantees Health Coverage When Job Changes

• Reduces Fraud and Abuse (Medicare/Medicaid)

• Administrative Simplification

– Establishes national standards for:

• Electronic (EDI) transactions

• Security and privacy of health care information

• Identifiers such as provider, payer and employer

– Improved efficiency of processing health care information

– Ultimately should lower administrative overhead

• Currently estimated at $300 Billion per year nationwide

• Preempts State Laws Unless More Stringent


ADMINISTRATIVE SIMPLIFICATION REGULATIONS

• Title II, Subtitle F, Administrative Simplification (FINAL RULES PUBLISHED)

– Electronic Health Transactions Standards (45 CFR Parts 160 & 162)

• Federal Register, Vol. 65, p. 50312-50372 (published August 17, 2000)

– Privacy and Confidentiality Standards (45 CFR Parts 160 & 164)

• Federal Register, Vol. 65, p. 82462 - 82829 (published December 28, 2000)


ADMINISTRATIVE SIMPLIFICATION REGULATIONS

(continued)

(PROPOSED RULES - PUBLISHED)

– Security and Electronic Signature Standards (45 CFR Part 142)

• Federal Register, Vol. 63, p. 43242-43280 (published August 12, 1998)

– Health Insurance Reform: National Standard Employer Identifier (45 CFR Part 142)

• Federal Register, Vol. 63, p. 32784-32798 (published June 16, 1998)

– National Standard Health Care Provider Identifier (45 CFR Part 142)

• Federal Register, Vol. 63, p. 25320-25357 (published May 7, 1998)


ADMINISTRATIVE SIMPLIFICATION REGULATIONS

(continued)

(PROPOSED RULES - NOT PUBLISHED)

– National Health Plan Identifier (Payer ID) (Scheduled draft publication: Q2/2001)

– Claims Attachments (Scheduled draft publication: Q3/2001)

– Enforcement (Scheduled draft publication: Q4/2001)

– First Report of Injury (Scheduled draft publication: Q4/2001)

– National Individual Identifier (Scheduled draft publication: On Hold)


REGULATION TIMEFRAMES

Final Standards:

EDI Transaction and Code Sets

– Published: 8/17/2000

– Final compliance: 10/16/2002

– Includes transaction sets: Claims and Remittance Advice; Enrollment; Eligibility, Inquiry and Response; Status Inquiry and Response; Request Review and Response; Payroll Deduction and Premium Payment

Privacy

– Published: 12/28/2000

– Final compliance: 4/16/2003

Proposed Rules:

– National Provider Identifier (Draft published: 5/07/1998; Scheduled final rule: Q3/2001)

– National Employer Identifier (Draft published: 6/16/1998; Scheduled final rule: Q3/2001)

– Security (Draft published: 8/12/1998; Scheduled final rule: Q2/2001)

Proposed Rules not yet published:

– National Health Plan Identifier (Scheduled draft publication: Q2/2001)

– Claims Attachments (Scheduled draft publication: Q3/2001)

– Enforcement (Scheduled draft publication: Q4/2001)

– First Report of Injury (Scheduled draft publication: Q4/2001)

– National Individual Identifier (Scheduled draft publication: On Hold)


WHO IS AFFECTED?

• Covered Entities

– Health Plan (provides or pays the cost of medical care - e.g., Medicaid, HMOs, BC/BS, Medicare, Champus)

– Health Care Clearinghouse (routes electronic data between payers & providers - e.g., billing services)

– Health Care Provider who transmits any health information in an electronic transaction (e.g., Hospitals, Physicians, Public Health Departments, Group Homes, Home Health)


WHO IS AFFECTED? (continued)

• Business Associates

– Definition: Person who performs a function or activity on behalf of a covered entity

– Excludes person who is part of the Covered Entity’s workforce (e.g., Employees, Physicians with Staff Privileges)

– Contractual Agreements with Covered Entity (e.g., Area MH/DD/SAS Contract Agencies, S/W Vendors)

– Complies with HIPAA

• Health Care Providers Who Transmit Paper Health Claims Must Use New Code Sets


WHY COMPLY WITH HIPAA?

• Avoid Denied and/or Delayed Reimbursements

– DHHS agencies process claims bringing in more than $550 million in receipts annually

– Annual Medicaid disbursements totaling more than $4.6 billion

• May Risk Accreditation (e.g., Joint Commission on Accreditation of Health Care Organizations)

• Public Relations and Business Risk Issues

• Benefit from Long Term Health Care Cost Reductions

• Imposes Severe Penalties for Non-compliance


IMPOSING COMPLIANCE

• General Civil Penalty for Failure to Comply

– $100/violation/person

– Not to exceed $25,000 in one calendar year

• Criminal Penalties (Privacy) - Person who knowingly and wrongfully discloses individually identifiable health information is subject to fines and imprisonment

– Simple Offense - Up to $50,000 &/or 1 year imprisonment

– If Committed under False Pretenses - Up to $100,000 &/or 5 years imprisonment

– If Committed with Intent to Sell, Transfer, or Use Individual Identifiable Health Information for Commercial Advantage, Personal Gain, or Malicious Harm - Up to $250,000 &/or 10 years imprisonment


QUESTIONS


REGULATIONS OVERVIEW

LEARNING THE ROPES

Healthcare eBusiness Standardization

Electronic Data Interchange Transaction Sets

Standardized Code Sets

Standardized Identifiers

(EDI/TCI)


EDI/TCI OBJECTIVES

• Definitions

– Trading Partner

– Transaction

– Standard Setting Organization (SSO)

• Transaction Sets

• Code Sets

• Unique Identifiers


TRADING PARTNER

In Electronic Data Interchange (EDI) this generally applies to two parties engaged in the exchange of business data through electronic means.


TRANSACTION

The exchange of data between two parties to carry out financial or administrative activities related to health care.

It includes the following types of information exchanges:

(1) Health Care claims or equivalent encounter information.

(2) Health Care payment and remittance advice.

(3) Coordination of benefits.

(4) Health Care claim status.

(5) Enrollment and disenrollment in a health plan.

(6) Eligibility for a health plan.

(7) Health plan premium payments.

(8) Referral certification and authorization.

(9) First report of injury.

(10) Health claims attachments.

(11) Other transactions that the Secretary may prescribe by regulation.


STANDARD SETTING ORGANIZATION

An organization accredited by the American National Standards Institute (ANSI) that develops and maintains standards for information transactions or data elements, or any other standard that is necessary for, or will facilitate the implementation of HIPAA

• ASC X12

• NCPDP

• HL7

• UN/EDIFACT (Interactive Claim)


TRANSACTION SETS

HIPAA Mandated Transaction Sets


TRANSACTION SETS (ASC X12)

148 First Report of Injury

270/271 Health Care Eligibility Benefit Inquiry and Response

278 Health Care Services Review - Request for Review and Response

276/277 Health Care Claim Status Request and Response

820 Payroll Deducted and Other Group Premium Payment for Insurance Products

275 Additional Information to Support a Health Care Claim or Encounter

834 Benefit Enrollment and Maintenance

835 Health Care Claim Payment/Advice

837 Health Care Claim (Institutional, Professional, Dental)

National Council for Prescription Drug Program (NCPDP V 5.1 & 1.0 )

Healthcare Data Element Dictionary


X12 TRANSACTIONS FLOW

[Diagram: flow of X12 transactions among Health Care Providers, Health Care Plans and Employers]

Transactions shown: 270 Eligibility Request; 271 Eligibility Response; 275 Additional Information; 276 Claim Status Request; 277 Claim Status Response; 278 Referral Request; 278 Referral Response; 820 Premium Payment; 834 Enrollment; 835 Claim Payment Advice; 837 Claim

Functions shown: Eligibility Verification; Precertification and Referrals; Service Billing / Claim Submission; Claim Reconciliation; Accounts Receivable; Claim Status; Adjudication; Claim Receipt and Routing; Member Services; Enrollment


HIPAA TRANSACTIONS BUSINESS PRACTICES EFFECTS

• Backend Reporting

• Coordination of Benefits

• Claim Status

• Electronic Remittance Advice

• Maximum Data Set


IMPLEMENTATION TIMELINE

The Compliance Date for the Transaction Sets and Code Sets is October 16, 2002


PROPOSED IMPLEMENTATION TIMELINE - WEDI/SNIP

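Transaction Groups:

Group 1 (837, 835): Beta/Pilot Testing Period Jul 1, 2001; Payer Readiness Date Oct 1, 2001; Migration Completion Oct 16, 2002

Group 2 (270/271, 834): Beta/Pilot Testing Period Dec 1, 2001; Payer Readiness Date Mar 1, 2002; Migration Completion Oct 16, 2002

Group 3 (276/277): Beta/Pilot Testing Period Feb 1, 2002; Payer Readiness Date May 1, 2002; Migration Completion Oct 16, 2002

Group 4 (278): Beta/Pilot Testing Period Mar 1, 2002; Payer Readiness Date June 1, 2002; Migration Completion Oct 16, 2002

Group 5 (820): Beta/Pilot Testing Period May 1, 2002; Payer Readiness Date Aug 1, 2002; Migration Completion Oct 16, 2002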


HIPAA IMPLEMENTATION GUIDES

X12 Transactions - Washington Publishing Inc.

www.wpc-edi.org

NCPDP Transactions – National Council of Prescription Drug Programs

www.ncpdp.org

HL7 Standards – Health Level 7

www.hl7.org


REQUESTING CHANGES TO TRANSACTION SET STANDARDS

Join the Appropriate Standards Development Organization

Contact an Industry Group with Representation on a Standards Development Group

Expect a 2 to 3 Year Lead Time for Request Implementation in HIPAA


BASIC HIPAA CODE SETS FUNCTIONS

• Diagnosis

• Medical Procedures

• Drugs


HIPAA MANDATED CODE SETS

• International Classification of Diseases, Ninth Edition, Clinical Modification (ICD-9-CM)

• Health Care Procedural Coding System (HCPCS)

• Current Procedural Terminology, Fourth Edition (CPT-4)

• Current Dental Terminology (CDT)

• National Drug Codes (NDC)


TWO TYPES OF HIPAA MANDATED CODE SETS

• Explicit Code Sets

– Defined in the rules

– CDT, HCPCS, ICD-9-CM, NDC

• Implicit Code Sets

– Referenced in the Transaction Implementation guides such as the codes that specify a patient’s relationship to an insured subscriber


ELIMINATION OF HOMEGROWN CODES

(NC Medicaid ‘Y’ Codes)

Homegrown Codes


SAMPLE HEALTH CARE FUNCTIONS THAT USE CODE SETS

• Claim Processing

• Utilization Management

• Disease Management

• Enrollment


REQUESTING CHANGES TO CODE SET STANDARDS

• Join the Appropriate Standards Development Organization if Possible

• For HCPCS Contact HCFA

• Not Applicable for NDCs

• For CDT Codes Contact ADA


UNIQUE IDENTIFIERS

• National Identifier for Individuals

• National Health Care Identifier of Employers

• National Standard for Identifiers of Health Plans

• National Provider Identifier


NATIONAL INDIVIDUAL IDENTIFIER

• Currently on Hold

• Proposed Rule Is Not Expected to Be Published in the Near Future

• Pending Congressional Privacy Legislation


NATIONAL EMPLOYER IDENTIFIER

• Employer ID Will Be The Employer’s Tax ID

• The Internal Revenue Service (IRS) Will Maintain the Assignment and Reference Facilities

• Nine Digits


NATIONAL HEALTH PLAN IDENTIFIER

• Plan IDs Will Be Issued to Health Plans

• Plan ID Identifies Three Different Types of Entities: Payers, Group Health Plans, and Provider Networks

– Payers and Administrators

– ERISA Group Health Plan, Taft-Hartley Trust, METs, and Other Group Plans

– PPOs and Similar Organizations

• Proposed Rule Not Yet Published


NATIONAL PROVIDER IDENTIFIER

• Identifying An Individual

– An individual provider (such as a physician, dentist, nurse, or therapist) receives an NPI that never changes

– If the individual is a health care provider in two different capacities, it is expected that there will still be only a single NPI


NATIONAL PROVIDER IDENTIFIER (continued)

• Identifying An Organization

– Organizational health care providers, such as:

• Hospitals

• Clinics

• Laboratories

• Physician group practices

• Home health care agencies

• Pharmacies

• 10 Digits with Right Most Digit Being a Check Digit (Proposed)


HIPAA TRANSACTIONS, CODE SETS AND UNIQUE IDS

• Code Sets are Used in the Transactions

• Unique IDs are Used in the Transactions with Proprietary Values until They are Defined

• Required Use of Standards


QUESTIONS


REGULATIONS OVERVIEW

PRIVACY


BASIC PRINCIPLES

• First Comprehensive Federal Law to Protect the Privacy of Individually Identifiable Health Information

– HIPAA Protections

• Importance

– To Patients

– To Healthcare Providers/Plans/Clearinghouses

• Protected Health Information (PHI)

– Past, Present, Future Health Information

– Electronic/Paper/Oral

– Best Practice


PROTECTED HEALTH INFORMATION (PHI)

• Individually Identifiable Information

– Name

– Address

– Social Security Number

– Names of Relatives

– Unique Identifiers

– Telephone/Fax/Other Numbers

– Geographic Designation Smaller than State

– Photograph


GENERAL PROVISIONS

• HIPAA Preempts State Laws

– Provides uniform “floor” for protection

– More stringent current state laws will stand

– More stringent future state laws allowed

• Allows Consumer Control

– Establish rights of patients regarding their confidential health information

• Recognizes Public Responsibility

– Balance of individual privacy and the public need to know


GENERAL PROVISIONS

• Healthcare Provider Responsibilities

– Protect health information

– Secure health information

– Provide complete information to other Healthcare Providers

– Provide “minimum necessary” information to other requesters

– Create De-identified information when feasible

– Remove

– Code

– Encrypt

– Eliminate/conceal


GENERAL PROVISIONS

• Healthcare Provider Responsibilities (continued)

– Establish an Internal Complaint Process that provides individuals with means to lodge complaints about the entity’s information practices, and maintain a record of any complaints

– Develop a system of sanctions for members of the workforce and business partners who violate the entity’s policies

– Enforcement and Compliance


NOTICE

• Notice of Information Practices

– Brochure

– Pamphlet

– Posted on Wall

• Notice must include anticipated uses and disclosures of protected health information without the patient’s written authorization


PATIENT’S RIGHTS

• Right to be informed through NOTICE

• Right to inspect and review record

• Right to receive copies

• Right to amend/correct copies

• Right to add supplemental information

• Right to restrict Use and Disclosure of information

• Right to Accounting of Disclosures

• Right to a personal representative

• Right to revoke authorization

• Right to appeal


ACCESS TO RECORD

• Healthcare Provider Provides Access

– 60 days after receiving request

– Extended 30 more days without reason

– Provide patient with a summary of records if agreed upon in advance

– Recover cost-based fee for providing patient with a copy, explanation or summary of records


DENIED ACCESS

• Healthcare Provider Denial of Access with Opportunity for Review when in the Opinion of a Licensed Health Care Professional that:

– Information would endanger life or safety of patient or others

– References to others is reasonably likely to cause substantial harm to that other person

– Request was made by the patient’s personal representative and access would likely cause substantial harm to that person or others.


DENIED ACCESS

• Healthcare Provider Denial of Access Without Opportunity for Review

– Psychotherapy Notes

– Information compiled for civil, criminal or administrative actions

– Inmate request that would jeopardize health or safety of inmate or others

– Research that includes treatment

– Information obtained from an anonymous source under a promise of confidentiality


USE AND DISCLOSURE OF PHI

• Use: Protected Health Information is “used” when shared, examined, applied or analyzed within the covered entity that maintains the information

• Disclosure: Protected Health Information is “disclosed” when released, transferred, given access to or divulged outside the entity holding the information.


USES AND DISCLOSURES WITH INDIVIDUAL AUTHORIZATION

• A General Consent is required for use or disclosure of information for treatment, payment and health operations.

• A more specific Authorization is required for use or disclosure of information for purposes other than treatment, payment or health operations.


USES AND DISCLOSURES WITHOUT INDIVIDUAL AUTHORIZATION

• Disclosures For:

– Public health activities

– Health oversight activities

– Judicial and administrative proceedings

– Governmental health data systems

– Research, emergency circumstances, next of kin, and as required by other laws

– Coroners and Medical Examiners

– Law Enforcement

– Directory information

– Banking and payment processes


BUSINESS ASSOCIATES

• Application to Business Associates

– Establish contracts that ensure Business Associates exercise an appropriate level of care related to privacy and conform to HIPAA regulations

– Must treat PHI the same as the covered entity

– Covered entity must take action if it is learned that Business Associate is not protecting PHI.


ADDITIONAL PROVISIONS

• Application to Information About Deceased Persons

– Same as if person was alive

• Application to Covered Entities That Are Components of Organizations That Are Not Covered Entities

– Hybrid Entity (Covered functions are not the primary functions of the entity)


IMPLEMENTATION REQUIREMENTS

• Policies and Practices must be developed and documented

• Scalability

– Appropriate to the nature and scope of the business that enables protection of health information in accordance with the rules


IMPLEMENTATION REQUIREMENTS

• Designation of Privacy Officer

• Provide Privacy Initial & On-going Training to Workforce

• Develop internal policies and forms

• Implement Safeguards

– To protect health information from intentional or accidental misuse

• Audit and QA


IMPLEMENTATION TIMELINE

The Compliance Date for Privacy is April 14, 2003


REGULATIONS OVERVIEW

SECURITY


SECURITY OBJECTIVE

To Protect the Confidentiality, Integrity and Availability of Individual Health Information, While Permitting the Appropriate Access and Use of That Information by Healthcare Providers, Healthcare Plans and Healthcare Clearinghouses.


SCOPE OF SECURITY REGULATIONS

• Applies to Healthcare Providers, Plans and Clearinghouses

• Applies to Organizations of All Sizes (Physician Offices, Medical Centers, County Public Health Departments, HMOs, Medicaid, etc.)

• Applies to All Health Information Pertaining to an Individual That Is Electronically Created, Received, Transmitted or Maintained.


PRIVACY vs. SECURITY

PRIVACY is the right of an individual to keep his/her individual health information from being disclosed.

SECURITY is the mechanism in place to protect individual health information.


SECURITY STANDARD IMPACTS ELECTRONICALLY MAINTAINED AND TRANSMITTED DATA

• Data on Magnetic Tape or Disk

• Entry of Patient Information in Computers

• Transmission of Treatment Data to a Healthcare Plan

• Claims Printed From a Healthcare Clearinghouse

• Records Transcribed and Stored in a Word Processor

• Lab Results Sent by Modem to a Printer at an Office

• Etc.


SECURITY STANDARD

• Does Not Identify or Require Specific Technologies

• Allows Healthcare Industry to Implement Different Solutions Depending Upon Needs and Technologies in Place

• Mandates Safeguards for Physical Storage and Maintenance, Transmission and Access to Individual Health Information


GUARDING DATA INTEGRITY, CONFIDENTIALITY AND AVAILABILITY

1. Administrative Procedures

2. Physical Safeguards

3. Technical Security Services

4. Technical Security Mechanisms

5. Electronic Signature


ADMINISTRATIVE PROCEDURES (Policies and Procedures)

1. Certification of Data Systems to Evaluate Security

2. “Chain of Trust” Agreement

3. Contingency Plan in Case of Emergency

4. Formal Data Processing Protocols

5. Controlling Access to Data

6. Internal Audit Procedures


ADMINISTRATIVE PROCEDURES (Policies and Procedures)

7. Security Activities by Personnel

8. Overall Security of Hardware, Software, and Virus Checking

9. Protocols for Reporting and Responding to Breaches of Security

10. Risk Management and Sanctions

11. Security Procedures in Event of Personnel Terminations

12. Security Training Programs


PHYSICAL SAFEGUARDS (Buildings and Equipment)

1. Designate Security Responsibilities

2. Develop Controls on Access and Manipulations of Hardware Components (Disk, Keyboard, Monitor)

3. Develop Disaster/Intrusion Response and Recovery Plans

4. Implement Personnel Identification for Access

5. Maintain Maintenance Records

6. Enforce Security Clearances (Need-to-Know Basis)

7. Develop Protocols Regarding Activities and Security at the Work Station Level


TECHNICAL SECURITY MEASURES

(Software Controls)

1. Regulate Access (Includes Emergency Access)

2. Audits and Controls

3. Data Authentication (Security of Stored Data)

4. Ensure User Authentication and Access Control (User ID, Automatic Log-off)


TECHNICAL SECURITY MECHANISMS

(Transmission of Data)

1. Storage and Transmission of Health Information Cannot Easily Be Accessed or Interpreted by Unauthorized Third Parties

2. Ensure Messages Sent and Received Are the Same

3. Access Control to Transmission (Dedicated Lines)

4. Encryption


ELECTRONIC SIGNATURE (On Hold)

1. Ensure Identity of the Signer

2. Ensure Unaltered Transmission and Receipt of the Data

3. Must Prevent a Signer from Successfully Denying the Signature

Proposed standard explicitly notes that a Digital Signature is the only technology that satisfies these requirements.


SECURITY OFFICER

• Serves As Internal Information Security Consultant in Agency

• Documents Security Policies and Procedures

• Provides Risk Assessments

• Functions As Internal Auditor

• Monitors Compliance With Standards


SECURITY BOUNDARIES

• Identifies “What”

• Does Not Identify “How”

• Scalability (allows agency to define and implement security appropriate to size and activities of the agency)


GETTING STARTED

• Baseline Assessment

– Current Security Environment

• Policies

• Procedures

• Technology

– Information Systems

• GAP Analysis

– Compare Current Environment With Security Requirements

– Determine “GAPS”

• Risk Assessment

– Analyze likely and unlikely scenarios in terms of probability of occurrence and impact on agency


SECURITY ASSESSMENT

• Not Just a Technology Issue

– 40% Information Technology

– 60% Business Issues

• Security and Privacy Go Hand-in-Hand

• Integrate Both Standards


ENFORCEMENT

• RESPONSIBILITY: U.S. DHHS Office for Civil Rights

– Assist with voluntary compliance efforts

– Respond to questions, interpretation, guidance

– Respond to states’ requests for exceptions

– Investigate complications

– Conduct compliance surveys

– Seek criminal prosecution for non-compliance efforts


COMPLIANCE DATE

Expected to Become Effective in Late 2001


QUESTIONS


NCDHHS

IMPACT IN DHHS

APPROACH FOR ADDRESSING HIPAA


HIPAA IMPACT ON DHHS

• Standardized Transactions

– Initial Assessment - 26 Systems Process Health Care Transactions

• Public Health - 10 Systems

• Mental Health/Dev Disabilities/Sub Abuse - 7 Systems

• Vocational Rehabilitation - 3 Systems

• Services for Blind - 1 System

• Medical Assistance - 1 System

• Shared (Multiple DHHS Agencies) - 4 Systems

– Local Agencies (e.g., MH/DD/SAS Area Programs) Must Modify Their Information Systems


HIPAA IMPACT ON DHHS (continued)

• Privacy and Security Standards

– Secure and Protect Electronic and Paper Records

• DHHS Serves “at Risk” Population

– Establish Policies and Procedures

– Establish Documentation and Audit Processes


HIPAA IMPACT ON DHHS (continued)

• Agencies Directly Impacted by HIPAA

– Public Health (including 86 county/regional health departments, State Laboratory, Medical Examiner’s Office)

– Mental Health, Developmental Disabilities and Substance Abuse Services (4 psychiatric hospitals, 5 mental retardation centers, 2 alcohol and drug abuse treatment centers, 1 extended care facility, 2 schools for emotionally disturbed children, 39 area programs)


HIPAA IMPACT ON DHHS (continued)

• Agencies Directly Impacted by HIPAA

– Medical Assistance (Medicaid program)

– Early Intervention and Education (18 Developmental Evaluation Centers, 3 schools for Deaf and Hard of Hearing, 1 school for Blind)

– Vocational Rehabilitation (72 local offices)

– Social Services (100 county offices)

– Services for the Blind (serve >35,000 North Carolinians each year)

– Child Development


HIPAA IMPACT ON DHHS (continued)

• Agencies Indirectly Impacted by HIPAA

– Research, Demonstrations and Rural Health Development

– Division of Aging

– Facility Services

– Human Resources

– Internal Auditor

– Public Affairs (Communications)

– Citizen Services


DHHS REACTION

• Provide Centralized Management Response

– Establishment of HIPAA Program Management Office (PMO)

• Appoint HIPAA Coordinators

• Designate HIPAA Attorney - Marc Lodge

• Develop Communications Plan


DHHS REACTION (continued)

• Identify Funding Sources

– No Federal Funds Appropriated for HIPAA Implementation

– Submission of Expansion Budget Request

– Developed Cost Allocation Models to Maximize Federal Funding for Systems/Programs

– Currently Investigating

• Availability of grants

• Other opportunities for maximizing federal funds

• Sharing vendor costs with other states

• Collaborative efforts with vendors


DHHS REACTION (continued)

• Partner with Other Organizations/States to Share Information/Deliverables

– NC Health Care Information and Communications Alliance (NCHICA)

– Government Information Value Exchange for States (GIVES)

– Southern HIPAA Administrative Regional Process (SHARP)


PROGRAM MANAGEMENT OFFICE

Dwala Johnson - Technical Writer

Susan Mitchell - Business Analyst

Julie Burton - Business Specialist

Frances Taylor - Business Specialist

Cynthia Wagnor - Team Lead

Joyce Young - Technical Writer

Bruce Chao - Web Developer

Ivey Palmer - Tactical Operations Mgr.

Security Team

EDI Team

Karen Tomczak - PMO Director

Operations Support

Sarah Brooks - Business Operations Mgr.

Stephen Fraser - Technical Writer

HIPAA Oversight Committee


PMO TASKS

• Research HIPAA Requirements

• Determine Impact of Requirements on DHHS

• Serve as HIPAA Resource Center

• Correlate DHHS HIPAA activities with HIPAA Coordinators

• Establish and Coordinate Focus Groups

– Business Operations

– Security

– EDI/TCI


PMO TASKS (continued)

• Disseminate HIPAA Information throughout DHHS

• Develop Enterprise Policies, Procedures, Tools, Processes, Forms, Implementation Guidelines, Contracts, Agreements

• Develop Best Practice Models

• Promote Business Process Reengineering

• Provide Technical, Operational and Management Support

• Provide Overall Project Monitoring and DHHS HIPAA Status Reporting


PMO TASKS (continued)

• Provide Levels of HIPAA Training

– Awareness

– Core

– Intermediate

– Expert

• Develop Job Classifications/Descriptions for Security and Privacy Officers

• Maintain PMO Web Site for Communications

http://dirm.state.nc.us/hipaa/


DHHS WEBSITE


USER LOGIN


PMO DELIVERABLES

• Presentations

• Tools to Assess HIPAA Impact

– Information Flow Assessment Database

– Questionnaires (e.g., Early View)

– Reviews of Statutes, Rules, Policies, Procedures

• NCHICA Privacy and Confidentiality Focus Group

• Attorney General’s Office - HIPAA Legal Resources

• Department/Division/Agency Review

– Gap Analyses

– Risk Assessments


PMO DELIVERABLES (continued)

• Tools for HIPAA Remediation

– Work Plans

– Checklists

– Processes

– Sample Policies, Procedures, Forms, Notices, Contracts, Chain of Trust Agreements

• Tools for HIPAA Testing and Training

– Testing Processes/Procedures

– Staff Training Courses

– Other Training Courses


PMO DELIVERABLES (continued)

• Tools for HIPAA Compliance

– Self-Certification Tools

– Quality Assurance Audits

– On-going Awareness Training

• Staff

• Others (Business Associates, Vendors)

– New Employee Orientations

– Business Continuity Plans


DELIVERABLE PROCESS

• PMO

– Develops Deliverables

• Business Operations Focus Group

– Reviews Deliverables with Their Divisions/Local Agency Staff

• Selected Pilot Agencies/Institutions

– Test Deliverables

– Recommend Modifications

• Enterprise Dissemination

– Distribute via web site, HIPAA Coordinators and Focus Group


PMO OUTREACH

• HIPAA Awareness Seminars

• Professional Groups/Organizations with HIPAA Interests

– NC Association of Local Health Directors

• Technology Committee

– NC Health Information Management Association

• Behavioral Health Section

– HEARTS User Group

• Local Agencies, Institutions, Groups


QUESTIONS


GETTING STARTED

• Designate HIPAA Coordinator

• Establish HIPAA Implementation Team

• Participate in HIPAA Training Opportunities

• Present HIPAA Awareness Program to Management and Staff

• Develop and Implement HIPAA Work Plan

– Work Plan Template on PMO Web Site

• Conduct Information Flow Assessment


PMO TOOL

• Information Flow Assessment

– Status of Current Information Flow

– Web Based Database

– Individual Division/Office Customization

– Comprehensive Evaluation of Information Flow

– Ease of Use

– Report Generation

– Due Diligence

– Pinpoint Areas of HIPAA Impact


WHY DO AN INFORMATION FLOW ASSESSMENT?

• Determine if a Covered Entity

• Identify:

– Business Associates

– Types & methods of information handling

– Code Sets currently in use

– Systems/applications in use

– Systems/applications for remediation

– Flow and routing of information

– Short and long term storage of information

– Areas of privacy/security weaknesses

– Current contracts and Agreements

• Documentation for Due Diligence


PMO TOOL

• Information Flow Assessment

– What Information Flows Within and Without an Agency

– Types of Information (personal, financial, medical)

– Who Accesses Information

– How is Information Transmitted

– When is Information Shared

– Where is Information Stored (temporary and permanent)

– How is Information Disposed


INFORMATION FLOW ASSESSMENT

A. Information Received, Sent and/or Created

Please specify the type of health information currently or planned to be received, sent and/or created in your area (select all that apply):

NON-MEDICAL

1. Administrative

None (go to next question)

Demographic Information | Investigative Reports

Non-identifying statistical data | Incident Reports

Birth Certificate/Death Certificate | Applications (Admissions, Client, Employment, etc)

Legal Papers | Complaint Information

Custody/Guardianship Papers | Correspondence (Internal & External)

Parent Questionnaires | Meeting Minutes/Notes

Logs (Shift, Insurance, Staff notes, etc.) | Photographs

Other Administration _______________

2. Education

None (go to next question)

Individual Education Plan (IEP) | Immunization Records

Psychological Records | School Questionnaires

Behavior Rating Scales | Child Symptom Inventory Checklist

Other Education _______________

3. Financial

None (go to next question)

Information for filing insurance claim | Medicaid Eligibility

Assets and Liabilities (Ability to Pay) | Billing Information

Medicaid Liability | Banking Information

Entitlement Information | Direct Deposit Information

Financial Questionnaires | Funding Justifications with Details

Reports/Data (UR, Financial, etc.) | CAP or Respite determinations

Financial Correspondence

Other Financial _______________


GETTING STARTED (continued)

• If Covered Entity, Identify Business Associates and Trading Partners

• Evaluate Systems/Applications for HIPAA Remediation

– Utilize Y2K Inventory Data

– Contact Software Vendors

– Review Implementation Guides

• Evaluate Current Security of Protected Health Information (PHI)

– Door Locks, Paper Storage/Disposal, Location of Fax/Copiers/Shredders, System Security


GETTING STARTED (continued)

• Analyze Data Collection Process

– Registration

– Coding

– Discharge

• Compile Current Information for Remediation to HIPAA Compliance

– Policies

– Procedures

– Forms

– Contracts


GETTING STARTED (continued)

• Submit Budget Based on Anticipated IT and Business Changes (Budget Questionnaire)

• Work Your HIPAA Work Plan

• Monitor DHHS HIPAA Web Site

• Utilize HIPAA PMO/HIPAA Coordinators as Resources for HIPAA Implementation


RESOURCES

• Attachments to Slide Presentation Materials

– HIPAA Related Web Sites

– HIPAA Glossary and Acronym References

– DHHS Division HIPAA Coordinators

– NCHICA HIPAA Committees

– NCHICA HIPAA Privacy Regulation Work Groups

– NCHICA Top 10 Planning Points for HIPAA Compliance

– HIPAA Regulations


SUMMARY

• HIPAA - A Health Care Paradigm

– Affects Payers, Providers, Employers, Medical Manufacturers, Pharmaceutical Companies, Employees, Clearinghouses, Patients.

– Requires Redesign of Business Processes, Staffing Plans, Workflow

– Requires Changes to Business Applications, Technology Architecture, Facilities

– Shifts Power in Provider/Consumer Relationship

– Presents Change Management Challenges

– Introduces New Legal Liabilities

– Provides Patients with Rights

– Conveys Severe Civil and Criminal Penalties


SUMMARY

• HIPAA Is Not Going Away

– Health Care Industry Wants Standardization

– Consumers Want Health Information to Be Protected

• HIPAA Is Not an Option

• HIPAA Is Doing Business in the ‘New Millennium’

• Implementation Cost Is Short-term

• Operational Benefit Is Long-term


QUESTIONS