©2002 First Consulting Group F I R S T C O N S U L T I N G G R O U P HIPAA Education An Introduction to HIPAA


©2002 First Consulting Group

F I R S T C O N S U L T I N G G R O U P

HIPAA Education

An Introduction to HIPAA

©2003 First Consulting Group

Presentation Agenda

• An Overview of HIPAA Administrative Simplification

• Setting the Stage

• HIPAA EDI Standards

• HIPAA Security & Privacy Standards

• Organizational Impacts and Approaches

• Final Remarks and Questions

• Resources


Presentation Objectives

At the end of this presentation, you should:

• Have a good general understanding of HIPAA

• Understand the specific EDI, security and privacy components and impacts of HIPAA

• Be able to determine your own organizational strategies and next steps for tackling HIPAA


An Overview of Administrative Simplification


HIPAA Overview

Health Insurance Portability and Accountability Act

• Signed into law during August of 1996

• Original intent:

• To support the portability of health insurance

• To support improved fraud and abuse protections

Administrative Simplification (Title II)

• Added under pressure by the industry

• Desires to reduce paperwork

• Desires for administrative efficiencies

• Desires to ensure the confidentiality of electronic information


HIPAA Overview

HIPAA titles:

• Title I – Health insurance access, portability and renewal

• Title II – Fraud and Abuse; Medical Liability Reform; Administrative Simplification

• Title III – Medical Savings Accounts; Tax deduction provisions

• Title IV – Group health plan provisions

• Title V – Revenue offset provisions

Administrative Simplification (Title II) comprises:

• Electronic Transaction Standards (EDI): Nine payer transactions. Clinical code sets. Identifiers.

• Security Standards: PHI protection.

• Privacy Standards: Permissible PHI uses.


Evolution of HIPAA

Components proceed through the process independently; lack of forward movement for one component does not impede the forward movement of other components

Rulemaking process for each component:

• Is there a need? Review existing regulations (prevent duplication)

• Obtain public input

• Draft proposed rule and publish it in the Federal Register

• Obtain public comment (60 days); must review ALL public comments

• Redraft proposed rule

• Post final rule in the Federal Register

• Enforce final rule 26 months after publication


Status of HIPAA

Status of each component (Proposed / Finalized / Compliance):

Electronic Transaction Standards (EDI)

• Transactions & Code Sets – Proposed: 05/1998; Finalized: 08/2000; Compliance: 10/16/2002, or 10/16/2003

• Provider ID – Proposed: 05/1998; Finalized: Expected 2003

• Employer ID – Proposed: 06/1998; Finalized: Expected 2003

• Health Plan ID – Proposed: Expected 2003; Finalized: Unknown

• Patient ID – Proposed: On hold; Finalized: On hold

Privacy Standards – Proposed: 11/1999; Finalized: 12/2000 (verified 04/2001); Compliance: 04/14/2003

Security Standards – Proposed: 08/1998; Finalized: 02/20/2003; Compliance: 04/20/2005


Applicability

HIPAA applies to the following entities

• Health Plans (including self-insured employers)

• Clearinghouses

• Healthcare Providers

HIPAA applies to the following circumstances

• EDI standards apply to PHI within specified transactions

• Security standards apply to all electronic PHI

• Privacy standards apply to all PHI (electronic, paper, oral)


Applicability

HIPAA does NOT apply to the following:

• Aggregated, non-patient-identifiable information

• Business associates, trading partners, or third parties

HIPAA requires covered entities to:

• Ensure all software vendors are prepared to deliver applications that support EDI and security requirements

• Hold business associates using PHI accountable

• Consider partnering with clearinghouses to effectively implement EDI transaction standards


Other Implications

Working with other organizations as well as trade and professional organizations will become paramount

• States and regional demonstration projects are underway (MA, MN, OR, WA and others)

• WEDI established the Strategic National Implementation Process (SNIP) to coordinate implementation of the transaction standards


Setting the Stage


Healthcare Preparedness

August 2002 HIMSS/Phoenix HIPAA Survey

• Completion of gap assessments is taking longer than projected; however, compliance efforts have moved into planning, implementation and training

• Organizations appear to be absorbing the impact of key privacy rule modifications proposed in March (and subsequently finalized in August)

• Less than half of all payer and vendor respondents will be ready by the October 2002 transactions deadline; all reported that they will be ready by October 2003

• 85% of responding clearinghouses will be ready to transmit all HIPAA-required transactions before the April 2003 testing deadline; all will be ready by October 2003


Healthcare Preparedness

Electronic Transactions

• Organizations are now scrambling to “get smart” and get ready for EDI

• Many healthcare delivery organizations have relied on vendors and clearinghouses – and are expected to continue to rely on them for the compliance deadline – to transact their electronic business

• Savvy organizations have either taken transactions “in house” or have formed regional partnerships to implement and test transactions

Privacy & Security

• Most healthcare organizations have traditionally expounded on the importance of patient privacy; however, their policies, procedures, training, and funding have not historically been adequate

• Recent events affecting online privacy and disaster recovery have forced organizations to pay increased attention to privacy and security

• Savvy organizations are seeking technologies that can increase security while decreasing burdens on clinical staff (single sign-on, biometrics)


Costs of not Complying

Civil and criminal penalties will likely apply:

• Providing PHI knowingly: $50,000 and/or up to 1 year imprisonment

• Providing PHI under false pretenses: $100,000 and/or up to 5 years imprisonment

• Providing PHI for malicious intent or financial gain: $250,000 and/or up to 10 years imprisonment

No enforcement body has been indicated

JCAHO and NCQA are incorporating HIPAA compliance elements into their accreditation requirements

Courts are beginning to rule in favor of patients harmed by breaches of privacy


Potential Savings

$400 billion annually is spent on healthcare administrative costs [1]

• In 2002, standardizing electronic processing will result in savings of $3.1 billion - roughly split between payers and providers [2]

Paper claims cost $7 - $12 each in direct expenses [3]

Electronic claims cost $1.50 - $3.00 each [4]

A typical practice generating 30 – 40 referrals per day spends $28.50 per referral [5]

Automated referral process costs $.93 per referral [5]

Customer service inquiry costs typically range from $5 - $7 per inquiry [6]

Costs for electronic inquiry can be 5¢ - 25¢

Sources: [1] BancBoston Robertson Stephens; [2] HHS; [3] AMA; [4] American Medical Billing Association; [5] Health Data Management; [6] FCG client experience

Case Examples

• A Northeast BCBS plan realized 200% ROI by automating transactions. 97% of referral submission and eligibility and 70% of claims status checks are now done electronically

• A New England Medicaid HMO was able to reduce the time it takes to generate a referral by more than 50% by using an Extranet for automated web authorization

• A Texas-based clinic processing 400-500 claims/week reduced reimbursement lag time 50% by using the Internet to submit its claims


Privacy & Security Risks

Case Examples

• 1995 – Daughter of a hospital employee uses her mother’s password to look up medical records, then calls patients with falsely positive HIV results

• 1995 – Newton, MA hospital employee and convicted child rapist accesses records to make obscene phone calls

• 1996 – Tampa health department worker mails HIV list to press

• 2000 – Dutch hackers steal 5,000 patient record files from an academic medical center in Seattle

• 2001 – Drug maker inadvertently divulges e-mail addresses of 600 patients with depression, bulimia or obsessive-compulsive disorder

• 2001 – Detailed psychological records for more than 60 children accidentally posted on university website; removed 8 days later

Primary sources of data loss or destruction:

• Computer viruses

• Physical disaster

• Poor organizational practices

• Internal breaches

Associated risks to the organization:

• Loss or destruction of data

• Loss of productivity and revenue

• Inability to provide care and/or inappropriate care rendered

• Public embarrassment and legal risk


Transactions, Code Sets, and Identifiers


HIPAA: The EDI Standards

Transaction standards:

• Claims: ASC X12N 837 (pharmacy: NCPDP Batch Standard V1.1)

• Claim status: ASC X12N 276/277

• Enrollment/disenrollment: ASC X12N 834

• Eligibility: ASC X12N 270/271 (pharmacy: NCPDP Batch Standard V1.1)

• Payment/remittance advice: ASC X12N 835

• Health plan premium payment: ASC X12N 820

• Coordination of benefits: ASC X12N 837 (pharmacy: NCPDP Batch Standard V1.1)

• Referral and authorization: ASC X12N 278 (pharmacy: NCPDP Batch Standard V1.1)

A standard for Claims Attachments has not yet been officially released; it is expected to be ASC X12N 275 + HL7


HIPAA: The EDI Standards

Clinical data code sets standards:

• ICD-9 for diseases

• CPT-4 for services and procedures

• HCPCS for medical equipment, injectable drugs, and transportation services

• CDT-2 for dental services

• Prescription drugs and biologics – not officially designated; can be NDC or HCPCS

These standards apply only to the administrative and financial electronic transactions – though feeder systems may also be impacted by migration to these standards


HIPAA: The EDI Standards

Standards for unique national identifiers:

• Health Care Providers (NPI - National Provider Identifier): Originally proposed to be an 8-digit alphanumeric identifier; expected to be finalized as a 10-digit numeric.

• Employers (EIN - Employer Identification Number): The IRS Employer Identification Number (currently 9 digits: 00-0000000).

• Health Plans (HealthPlanID): Identifier yet to be announced. Likely to be a 9-digit number assigned to all health plans, including TPAs, IPAs, PPOs, etc.

• Individuals (UHID): Currently on hold.

Use of these identifiers technically applies only to the administrative and financial electronic transactions


HIPAA: The EDI Standards

HIPAA does not mandate the electronic exchange of health care data for provider-based organizations

• Provider-based organizations that choose to conduct these transactions electronically, either directly or through a clearinghouse, must comply.

• Transmissions within a corporate entity are not required to comply with the standards (except where the entity is acting as both a payer and a provider and those transactions are among the 9 that are covered).

Simply storing electronic patient identifiable information or externally transmitting that information for purposes other than one of the 9 covered transactions doesn’t alone dictate that an organization is covered under HIPAA

Providers and payers may submit non-standard transactions to a health care clearinghouse for the sole purpose of translating them into standard transactions for electronic submission.


HIPAA: The EDI Standards

Under HIPAA legislation, if a provider chooses to conduct a standard electronic transaction with a health plan:

• The health plan may not refuse to conduct such transactions as standard transactions.

• The plan may not delay such transactions or adversely affect the submitter or transaction (though some state laws now require prompt payment).

• The information transmitted and received in connection with the transaction must be in the form of standard data elements.

If a Health Plan is currently engaged in a business function today that is one of the HIPAA-specified transactions – even if the Plan is not currently conducting that transaction electronically – it must be able to support that function electronically using the standard.


Privacy and Security Introduction


Privacy and Security Intentions

In drafting the privacy and security rules, HHS has intended for organizations to maintain reasonable and appropriate operational, technical, and physical safeguards to prevent unauthorized use or disclosure:

• Protect against external threats and physical hazards

• Limit/eliminate improper internal uses

Key considerations:

• Reasonable and appropriate are not explicitly defined

• Standards are intended to protect against both external and internal threats

• Standards include both technical and operational measures

• Organizations must determine the risks and their associated response or approach in order to make the rules “real”


Privacy vs. Security

Privacy: Rules governing access and use of data – who gets access and who doesn’t

Security: Mechanisms for protecting electronic data – preventing unauthorized individuals from gaining access


Privacy


The Privacy Debate

Key issues:

• Privacy issues are receiving increased attention: the FTC has been focused on Internet privacy; the EU has accused the US of lax privacy protections; consumer reports of privacy breaches appear to be on the rise

• In healthcare, several camps of dissatisfied constituents exist: patient privacy advocates who want patient consent reinstated, and researchers who seek improvements to make research easier

• By and large, payers, hospitals and their lobbying organizations have supported the latest version of the final privacy rule

• Congress continues to debate Internet privacy in general; while action does not appear to be imminent, future legislation could affect HIPAA rules


Key Elements of Privacy Rule

The Privacy Rule:

• Covers electronic, paper-based and oral information

• Allows information to be used with few restrictions for treatment, payment and health care operations

• Supports routine disclosure with patient permission under defined circumstances for certain national priority purposes such as research, public health, law enforcement and oversight

• Requires patient authorization for the use and disclosure of health information for other purposes

• Gives patients greater access to and control over their health information

• Requires that organizations maintain safeguards for protecting patients’ health information and preventing unauthorized access (includes policies, procedures and training)


More Specifics on Privacy Rule

Covered entities are obligated to use only the “minimum necessary” information for payment and healthcare operations

A covered entity’s business associates are required to sign a contract ensuring that they, too, will protect patient information

• Organizations will likely get an additional year to convert business associate contracts already in place

Use of patient information for marketing purposes is specifically addressed

• Disease management, marketing of nominal products/services and other organization-sponsored initiatives that benefit the patient are permitted, though patients can opt out

• Selling or otherwise turning over patient information to external entities for their own marketing is not permitted

Use of patient information for fundraising is also specifically allowed under certain circumstances


Patient Impacts of the Privacy Rule

Provider organizations must give patients a notice of privacy practices outlining the general uses, disclosures and protections of patient information by the organization

• Organizations must make a “good faith effort” to obtain written acknowledgement from patients that they’ve received the notice

Patients can:

• Request restrictions to the use or disclosure of their health information – though the covered entity is not obligated to comply

• Amend – but not correct – their records

• Request an accounting of the disclosures of their health information to outside entities

• File a complaint if they believe their privacy rights have been violated


Security


Key Points

• Security is a business issue and a technical issue

• It is applicable to all electronic protected health information (PHI) regardless of format

• It is a FLOOR not a CEILING. Value-added or more stringent standards should be applied as appropriate

• Its standards are technology and vendor neutral as well as scalable and flexible

• It is the national security standard for data in transit and at rest

• It requires the healthcare community to adopt security processes, procedures and technological solutions that balance availability and costs with size and risks of the covered entity

• Its standards seek to safeguard and provide appropriate availability of PHI


Structure

Safeguards for electronic PHI fall within the following basic categories:

• Administrative Safeguards – Formal practices to manage workforce security and business processes

• Physical Safeguards – Formal practices for managing facilities housing information systems or electronically stored media

• Technical Safeguards – Formal practices for managing information systems and networks

• Organizational Requirements – Formal practices for establishing and managing contracts and relationships with electronic PHI

• Documentation Requirements – Formal practices for managing policies, procedures, and documentation


Key Specifics

Organizations must document their assurances of the safeguarding of all electronic PHI

Security is an extension of privacy with guidelines that enhance privacy measures

Coherent organizational security management practices are required

Assignment of a security official is required

Organizations must implement several written contingency plans

Organizations must educate the entire workforce

Implementation of encryption, decryption, or other technical solutions is required


Security

This section is helpful for HD clients.



Context

This is a starter list of operational impacts and should not be considered exhaustive

Specific impacts and corresponding responses will vary depending on an organization’s:

• Specific information systems

• Size, complexity and operations

• HIPAA compliance approach


Registration & Scheduling

Key impacts and considerations by area/function:

Eligibility Verification

• If accomplished electronically, must use HIPAA standard

• Good opportunity for administrative savings if function is integrated with HIS

Patient Registration

• Logical place for distributing patient privacy notice, getting patient acknowledgement and addressing any questions; could lengthen the registration process

• Most patients are not aware of or concerned with privacy issues – and staff will need training on how to best discuss the topic with them

• Must make “reasonable attempt” to get patient’s acknowledgement of receipt of the privacy notice

Patient Scheduling

• Patient schedules may contain personal health information

• May need to segregate or secure sensitive information


Care Delivery

Key impacts and considerations by area/function:

Direct Care

• All caregivers and their support staff are governed under the privacy rules

• All caregivers and their support staff must undergo training and adhere to the same privacy policies and procedures

• Access to varying levels of patient information will – and should – vary by role and their need to access information

• Patients are permitted to ask to restrict the use or sharing of their information

• Significant effort would be required to track who is authorized to hear/see patient information if the organization agrees to the restriction

Indirect Care

• Secondary caregivers (pathologists, radiologists) are covered under the patient consent for the primary caregiver

• Treatment is covered rather broadly; a separate patient consent is not required


Support Services

Key impacts and considerations by area/function:

Laboratory, Radiology, Pharmacy

• Sensitive patient data reside on key ancillary systems

• Ancillary systems must have mechanisms to restrict access to patient information

• Laboratory and pharmacy data may reflect sensitive diseases (AIDS, mental health)

• Ancillary staff must directly receive requests for release-of-information

HIM/Medical Records

• HIM is typically the department most affected by release of information and patient privacy issues

• HIM staff are often thrust into expanded roles managing privacy across the organization

• One of the primary contact points for patients regarding privacy policies, release of information, accounting of disclosures and complaints is HIM

• Transcriptionists qualify as business associates

• Business associate contract and privacy protections must be in place


Financial Services

Key impacts and considerations by area/function:

Authorization & Referral

• If accomplished electronically, must use HIPAA standard

• Huge area of potential cost savings

• Most payers and vendors cannot accomplish electronic authorizations

• Must adhere to “minimum necessary use” requirements

• Staff typically don’t need full access to patient clinical information

Claims Submission

• If accomplished electronically, must use HIPAA standard

• Claims submission is the biggest volume HIPAA transaction at present

• Requires payer collaboration

• Must adhere to “minimum necessary use” requirements

• Payers must seek only minimum necessary information to pay claims

Billing

• Billing agencies qualify as business associates

• Business associate contract and privacy protections must be in place

• Clinical and ancillary functions need to use HIPAA-standard codes (e.g., ICD-9)


Information Systems

Key impacts and considerations by area/function:

EDI

• Information systems play a major role in EDI compliance efforts

• EDI systems strategy, approach and design need to be articulated

• Additional costs may be incurred, especially related to clearinghouses

Security

• Additional security technologies and approaches will be required

• Different security technologies (biometrics, tokens, passwords) might be appropriate for different systems or in different situations

• Some clinical systems have minimal user authentication, data segregation and audit tracking mechanisms

Staff

• IS staff play a significant role in security protections

• The skill set and reporting relationship/visibility for the security officer are important

• Appropriate internal IS controls must be in place


Other Healthcare Operations

Key impacts and considerations by area/function:

Patient Information Desk

• Need to confirm with patients how their status information can be shared

• Uses must be disclosed in patient privacy notice

• Special requirements for clergy, law enforcement officials

Clinical Research

• Must use IRB or similar structure

• Aggregated patient information or IRB waiver doesn’t require authorization

• Decentralized research databases and data downloads create significant impacts for patient authorization and audit tracking

Audit, Legal, Risk Management, Compliance & Quality Improvement

• Functions are covered under “healthcare operations” for privacy purposes

• Uses must be disclosed in patient privacy notice

• Uses must adhere to minimum necessary use requirement

• Audit, Risk Management and Compliance may be the most effective functions for overseeing compliance


Other Healthcare Operations

Key impacts and considerations by area/function:

Accreditation

• External accreditation organizations are covered as business associates

• Uses must be disclosed in patient privacy notice

• Uses must adhere to minimum necessary use requirement

• Must maintain business associate contract

Marketing & Fundraising

• Only internal marketing (e.g., for disease management purposes) is allowed

• Uses must be disclosed in patient privacy notice

• Organizational fundraising is permitted under certain circumstances

• Sale of patient identifiable information or marketing by external entities for their own purposes must be authorized by the patient


Organizational Approaches

Customize for client.

Customize for client.


Organizational Approaches

Two important points:

• Recall that HIPAA originally began as an industry-led effort to increase levels of electronic processing and reduce associated administrative complexity

Our beliefs:

• Organizations that set out to merely achieve HIPAA compliance will have missed opportunities to streamline their business, eliminate complex processes, save money and achieve a competitive advantage

• Establishing a privacy-conscious organization requires a strong leadership commitment and a culture that reinforces doing the right thing


Key Steps to Achieving HIPAA Compliance

For starters, we recommend conducting the following key steps:

• Educate senior management on key issues and discuss overall strategy

• Assign responsibility and accountability

• Educate key staff on details of HIPAA requirements

• Conduct baseline readiness assessment

• Integrate requirements into organization’s overall plans, assign resources and plan budget

First up: compliance with HIPAA privacy requirements (required by April 14, 2003)


HIPAA Assessment: Goals and Objectives

There are a number of key objectives organizations should seek in undertaking a HIPAA assessment:

• Understand key organizational strategies and specific initiatives

• Identify the impact HIPAA will have on the organization’s:
  – Corporate strategies
  – Key projects
  – Information systems
  – Business processes
  – Trading partners/business associates

• Outline strategies to comply with HIPAA and provide recommendations for a governance and project structure to support ongoing HIPAA compliance

• Develop an approach, tactical plans and cost estimates to shape next steps

Note: use this slide only for Assessment engagements


HIPAA Assessment: Key Steps

These are the high-level steps we associate with a typical HIPAA assessment:

1. Project Initiation
• Project Kickoff

2. HIPAA Education and Strategy
• Conduct HIPAA Education
• Validate HIPAA Strategy

3. HIPAA Baseline Assessment
• Assess Current Environment
• Review Corporate Strategies and Initiatives
• Document Results

4. HIPAA Approach & Recommendations
• Review Findings
• Present Recommendations


HIPAA Assessment: Key Activities

Key Activities, by project phase:

Project Kick-off & Organization
• Develop workplan & communication plan
• Confirm approach and structure
• Identify workgroup participants
• Define framework for final deliverable
• Schedule workgroup sessions
• Conduct Kickoff

HIPAA Education & Strategy
• Modify interview and knowledge capture tools
• Schedule interviews
• Conduct information gathering
• Finalize workgroup structure
• Conduct Education Sessions
• Revise & finalize assessment tools

Undertake HIPAA Assessment
• Conduct workshop sessions
• Workgroups complete assessment
• Document assessment findings

HIPAA Approach and Plan
• Compile findings
• Review findings with team
• Formulate recommendations
• Develop Approach and Cost Model

Final Recommendations
• Develop final deliverable
• Present final recommendations
• Outline next steps

Final Remarks


Contact Information

1. Vice President, CSE, or DSE <Email> <Vmail>

2. Project Manager <Email> <Vmail>

3. Consultant <Email> <Vmail>

Questions and Discussion

Resources

AFEHCT (Association for Electronic Health Care Transactions) www.afehct.org

AHIMA (American Health Information Management Association) www.ahima.org/hipaa

ASTM (American Society for Testing and Materials) www.astm.org

CHIM (Center for Healthcare Information Management) www.chim.org

CPRI (Computer-based Patient Record Institute) www.cpri-host.org

DHHS (Department of Health and Human Services) aspe.hhs.gov/admnsimp/index

EHNAC (Electronic Healthcare Network Accreditation Commission) www.ehnac.org


Email Subscriptions www.hcfa.gov/medicare/edi/admnlist

“For the Record, Protecting Electronic Health Information” www.nap.edu

Greely Education (800) 650-6787

Health Privacy Forum www.healthprivacy.org

“Protecting the Security and Confidentiality of Healthcare Information” (V.12, No.1, Spring 1998) www.himss.org

JHITA (Joint Healthcare Information Technology Alliance) www.jhita.org

Medicare EDI www.hcfa.gov.medicare/edi/edi


National Uniform Billing Committee www.nubc.org

National Uniform Claims Committee www.nucc.org

Transaction Implementation Guides www.wpc-edi.com

WEDI (Workgroup for Electronic Data Interchange) www.wedi.org

Miscellaneous Link www.va.gov/meetings/hhs980720/noiwp1.htm

Miscellaneous Link www.naic.org/1news/testimonies/4-23grte.htm

Miscellaneous Link www.hcfa.gov/hipaa/hipaahm.htm

Miscellaneous Link www.wedi.org/htdocs/securitymatrix.htm

Miscellaneous Link www.jhita.org/hipaarule.htm

Miscellaneous Link www.mahealthdata.org