HIPAA and the States Critical Issues & Compliance Strategies

HIPAA and the StatesHIPAA and the States

Critical Issues & Compliance StrategiesCritical Issues & Compliance Strategies

Presented byPresented by

Robert J. BurnsRobert J. BurnsNational Governors AssociationNational Governors AssociationCenter for Best PracticesCenter for Best Practices

Regional Technical Assistance MeetingsRegional Technical Assistance MeetingsSubstance Abuse and Mental Health Services AdministrationSubstance Abuse and Mental Health Services Administration

April 18, 2002April 18, 2002Phoenix, AZPhoenix, AZ

May 2, 2002May 2, 2002Atlanta, GAAtlanta, GA

May 16, 2002May 16, 2002Chicago, ILChicago, IL

June 20, 2002June 20, 2002Boston, MABoston, MA

© 2002 National Governors Association© 2002 National Governors Association

About NGAAbout NGA

Professional association of, by, and for the nation’s Governors

NonpartisanUnique relationship with Governors/StatesOrganization

– NGA Committee (“voice” in DC)– NGA Center for Best Practices

(technical assistance to states)


FY2002 Budget OverviewFY2002 Budget Overview

Revenue nearly 4 percent below expectations

By end of June, shortfall will reach $40 to $50 billion (4 to 5 percent of total state budgets)

Post-9/11 activities responsible for $5 to $7 billion in state costs


How States Are CopingHow States Are Coping

First tier cuts: hiring freezes, delaying new capital projects, delaying payments, salary freezes

Recent tier cuts: across-the-board slashes, halting road projects, eliminating new and some existing programs, some job cuts


Revenue EnhancementsRevenue Enhancements

Few states calling for tax increases– IN (cigarettes, gambling)– KS (fuel, sales, cigarettes)

Some tax cuts postponed (FL, MD)Other revenue sources tapped

– Rainy day funds (drained)– Some bonds (borrowing at record levels)– Lottery funds


Top Gubernatorial PrioritiesTop Gubernatorial Priorities

Bolstering Homeland Security

Fostering Economic Recovery

Maintaining Education Initiatives

Containing Health Care Costs


Top State Health PrioritiesTop State Health Priorities

Containing Pharmaceutical Costs

Medicaid Reform– Enhancing waiver authority– Overall reform

Emerging Issues– Workforce– Malpractice– HIPAA compliance


Why Just Now “Emerging?”Why Just Now “Emerging?” Legally Complex

– PHI definitions– Covered entities, business associates, trading partners– Minimum amount necessary, reasonable efforts– Preemption, exemptions

Technically Complex– Transactions, codes, identifiers, data format– Electronic data interchange

Poor Guidance– CMS underestimated Medicaid costs– No data on fiscal impact outside Medicaid– Program differences among states


Regulation StatusRegulation StatusProposed

Rule

Final

Rule

Compliance Deadline†

Privacy 11/99 8/02‡ 4/03

Security 8/98 — —

Transactions and Codes 5/98 10/00 10/02*

National Provider Identifier 5/98 — —

Health Plan Identifier — — —

Employer Identifier 6/98 7/02 7/04

Enforcement — — —† Small health plans have one additional year following this date to be compliant.‡ HHS proposed modifications to the privacy rule on March 27, 2002. The modifications were finalized on August 14, 2002. The compliance deadline will not change.* The compliance deadline may be extended by one year if a compliance plan is submitted to HHS before October 16, 2002. Small health plans are not eligible for the conditional extension.


The Ripple EffectThe Ripple Effect Community-based providers

(“safety net”) Public hospitals/clinics Mental health facilities Substance abuse treatment

centers State/local health departments Academic medical/research

centers Organ donation

Law enforcement and corrections (coroners, medical examiners)

School-based health programs (immunizations, dental)

SAPT-funded programs MCH programs (Title V) HIV/AIDS (“Ryan White”) TANF-funded programs State employee benefits Worker’s compensation Health policy offices


HIPAA Cost EstimatesHIPAA Cost Estimates

MedicaidMedicaid Non-MedicaidNon-Medicaid

CaliforniaCalifornia $100 million

PennsylvaniaPennsylvania $50-$200 million

IndianaIndiana $160 million


Critical IssuesCritical IssuesLiability

– Privacy and Security– Lawsuits– Civil, criminal penalties

Operational Disruption– Electronic Transactions & Codes (and Identifiers)– Enrollment, eligibility, billing, payment, etc.– Reporting, budgeting, research, etc.

Funding


Compliance StrategiesCompliance Strategies Oversight commission or committee

– Governor’s office– Budget Director, State CIO– Attorney General, General Counsel– Directors of affected (or likely affected) agencies

Designated HIPAA office– Medicaid agency– Privacy or IT office– Special project office (HIPAA-specific)– Leadership (and authority)

Specialty workgroups Multi-year business plan


North CarolinaNorth CarolinaHIPAA Statewide Assessment TeamHIPAA Statewide Assessment Team

Collaborative Leadership– Oversight committee

Centralized Management– Housed within DHHS

Decision Making Authority– Legislature– Governor– Budget director, IT office

Clear Mission – Assess statewide impact– Build awareness– Develop strategic plan,

compliance tools– Coordinate state activities

•Governor

•Other State Agencies•Office of State

•Budget & Management

•Department of Health &•Human Services (DHHS)

•General Assembly•(SB 1005)

•Office of Information Technology Services

•Statewide HIPAA Assessment

•Project Manager

•Other Agency Offices & Divisions•(Designated HIPAA Coordinators)

•

•


New YorkNew YorkCentral HIPAA Coordination ProjectCentral HIPAA Coordination Project

Collaborative Leadership– Steering Committee

Centralized Management– Led by IT office

Decision Making Authority– Governor– Budget director– Agency directors

Clear Mission – Assess statewide impact– Build awareness– Develop compliance tools– Provide technical support

Governor

Office for Technology Other State Agencies

HIPAA Executive Steering Committee

Designated Agency HIPAA Coordinator(s)

Central HIPAA Coordination Project Management Office

Technical Workgroup

Legal Workgrou

p

Human Resources Workgrou

p

Education Workgrou

p

Division of the Budget Office of the Comptroller


OhioOhioEngagement Management StructureEngagement Management Structure

Collaborative Leadership – Governor, Cabinet

Centralized Management– Deputy Directors Team

Decision Making Authority– Governor– Agency Directors

Clear Mission– Assess statewide impact– Build awareness– Develop strategic plan,

compliance tools– Coordinate state activities

Governor(Sponsor)

Executive Leadership Committee (ELC)

(Cabinet-Level)

Deputy Director Project Management Team (DP)Governor’s Office

Department of Administrative ServicesDepartment of Aging

Department of Alcohol and Drug Addiction ServicesDepartment of Health

Department of Job and Family ServicesDepartment of Mental Health

Department of Mental Retardation and Developmental DisabilitiesDepartment of Rehabilitation and Corrections

Attorney GeneralAuditor of State

Office of Management and BudgetBureau of Worker’s Compensation

Ohio Veterans Home

Business Partners Committee(A committee of policy and program experts

from the affected agencies)

PrivacyWorkgroup

SecurityWorkgroup

Code SetsWorkgroup

EducationWorkgroup

Contracts & Legal

Workgroup

Technology Partners Committee(A committee of information technology

experts from the affected agencies)


Public-Private PartnershipsPublic-Private Partnerships

Hawaii HIPAA Readiness CollaborativeNew Hampshire & Vermont Strategic

HIPAA Implementation Plan (NHVSHIP)North Carolina Healthcare Information and

Communications Alliance (NCHICA)Southern HIPAA Administrative Regional

Process (SHARP)Washington State HIPAA Partnership


Impact Assessment ToolsImpact Assessment Tools Covered Entity Screening Tools

– Covered Entity Screening Tool (OH)– HIPAA Impact Assessment (NY)

Organizational Impact Assessments– HIPAA Awareness Self-Assessment Checklist (WA)– HIPAA Facilities Checklist (CA)– A Guide to Privacy Readiness (MD)– HIPAA EarlyView Privacy (NC)– Business Information Flow Assessment (NC)– Electronic Data Interchange Assessment (NC)


Model Forms &Model Forms &Educational MaterialsEducational Materials

Business Associate Agreement (OH)

Patient Consent/Authorization Form (OH)

Monthly HIPAA Newsletter (NC)

HIPAA Awareness Brochure (OH)


KentuckyKentuckyCabinet-Level Awareness SurveyCabinet-Level Awareness Survey

Developed by Governor’s Office for Technology

Cabinet Awareness

Cabinet Impact

Costs, budget needs

1. Please select your cabinet/agency: (Click here to choose)

2. Will HIPAA impact the business processes, data, or IT systems in your Cabinet?

Yes No Don't Know

If Yes, please answer the following:

3. Which agencies in your Cabinet will be most affected?

Cabinet/Department is not aware of HIPAA requirements.

Cabinet/Department is aware of HIPAA. Some preliminary assessment has taken place.

Cabinet/Department is actively changing business processes and IT systems to meet HIPAA requirements.

4. Assess your agency's HIPAA compliance status:

Cabinet/Department has completed HIPAA compliance activities and actively monitors Federal regulation development.

5. What do you estimate the total cost and time required to achieve HIPAA compliance in your Cabinet?

$ months

6. Are these funds included in your current budget? No Yes ... How Much $

7. Are these funds expected to be requested in the FY2003-FY2005 biennial budget?

No Yes ... How Much $

8. Please identify your HIPAA coordinator or manager: Name

Address

Phone number

Click to Submit HIPAA


Building Support & AwarenessBuilding Support & Awareness

Difficult to estimate implementation costs Initially, costs will exceed savings“Systems remediation” signals that

administrative simplification is like Y2K—just another technical problem

“Business transformation” implies that a greater commitment of resources is needed


NGA Center ActivitiesNGA Center Activities(www.nga.org/center)(www.nga.org/center)

Issue Brief (HIPAA)Executive-level technical assistance

meeting (late summer)Internet broadcast (fall)State-specific technical assistance (via

Governor’s office)


NGA Center for Best PracticesNGA Center for Best Practices(www.nga.org/center)(www.nga.org/center)

Robert J. BurnsPolicy AnalystHealth Policy Studies Division

National Governors AssociationCenter for Best Practices

444 North Capitol Street, Suite 267Washington, DC 20001-1512

(202) 624-7729fax: (202) 624-5313email: [email protected]

Documents

HIPAA and the States Critical Issues & Compliance Strategies