HIPAA – Developing an Understanding

Robert C. Bergin

Ohio Department of Job and Family Services

Title I – Health Care Access, Portability, and Renewability

Title I of HIPAA protects health insurance coverage for workers and their families
• Limits exclusion for pre-existing conditions
• Prohibits discrimination based upon health factors
• Provides special enrollment rights
• Defines creditable coverage and significant breaks

Title II – Preventing Health Care Fraud and Abuse; Administrative Simplification; and Medical Liability Reform

Title II is intended to combat waste, fraud, and abuse in health insurance and healthcare delivery
• Simplify the administration of health insurance
• Promote “Administrative Simplification”

Administrative Simplification

Goals of Administrative Simplification:
• Protect privacy of “Protected Health Information” – PHI
• Standardize electronic exchanges to improve efficiency
• Secure data processing systems
• Implement standard identifiers
  • Providers
  • Employers
  • Health Plans

HIPAA Rules

• Privacy Rule – 4/14/03
• Transaction and Code Set Rule – 10/16/03
• Security Rule – 4/21/05
• Standard Identifiers
  • National Employer Identifier Rule – 7/04
  • National Provider Identifier Rule – TBD
  • National Health Plan Identifier – TBD

Who Must Comply? Covered Entities

Health Plans – An individual or group plan that provides or pays the cost of medical care
• Medicare
• Medicaid
• Health insurance issuer
• HMO
• VA health care system
• Others

Health Plan General Exclusions

Any government-funded program, other than those specifically included, whose principal purpose is other than providing or paying the cost of health care but which does incidentally provide such services
• For example, programs such as the Special Supplemental Nutrition Program for Women, Infants and Children (WIC) are not considered to be health plans

Health Plan General Exclusions Continued

Any government-funded program whose principal activity is the making of grants to fund the direct provision of health care to individuals
• For example, the Maternal/Child Health Block Grant Title V program

Health Plan General Exclusions Continued

An agency that “determines eligibility for or enrollment in a health plan that is a government program providing public benefits, when that agency is not the agency that administers the program”, is not a covered entity.
• “For example, an agency that is not otherwise a Covered Entity, such as a local welfare agency, is not considered to be a Covered Entity because it determines eligibility or enrollment or collects enrollment information as authorized by law.”

Is a private benefit plan a health plan?

(Decision flowchart; only the questions and the two end states survive from the slide, in slide order)
• Is the plan an individual or group plan, or combination thereof, that provides, or pays for the cost of, medical care?
• Is the plan a group health plan?
• Does the plan have both of the following characteristics: (a) it has fewer than 50 participants, and (b) it is self-administered?
• Is the plan a health insurance issuer?
• Is the plan an HMO?
• Is the plan a multi-employer welfare benefit plan?
• Is the plan an issuer of long-term care policies?
• Does the plan provide only nursing home fixed-indemnity policies?
• Is the plan an issuer of a Medicare supplemental policy?
• Does the plan provide only excepted benefits?
End states: “STOP! The plan is a health plan” / “STOP! The plan is not a health plan”

Is a government-funded program a health plan?

(Decision flowchart; only the questions and the two end states survive from the slide, in slide order)
• Is the program one of the listed government health plans?
• Does the program provide, or pay the cost of, medical care?
• Is the program a high risk pool?
• Is the principal activity of the program providing health care directly?
• Is the principal activity of the program the making of grants to fund the direct provision of health care (e.g., through funding a health clinic)?
• Is the principal purpose of the program other than providing or paying the cost of health care (e.g., operating a prison system, running a scholarship or fellowship program)?
• Does the program provide only excepted benefits?
End states: “STOP! The program is a health plan” / “STOP! The program is not a health plan”

Covered Entities - Continued

Health Care Providers – A health care provider who transmits any health information in an electronic form in connection with a defined transaction covered by the law is a covered entity
• Physician
• Dentist
• Pharmacist
• Physical Therapist
• Others

Are You a Health Care Provider Under HIPAA?

(Decision flowchart; a YES at each step leads to the next question)
• Do you furnish, bill, or receive payment for health care services in the normal course of business? (1)
• Do you conduct covered transactions?
• Are any of the covered transactions transmitted in electronic form?
YES to all three: “STOP! You are a covered health care provider under HIPAA”
NO at any step: “STOP! You are not a covered health care provider under HIPAA”

Covered Entities - Continued

Health Care Clearinghouses – An entity that processes or facilitates the processing of information received from another entity in a nonstandard format or containing nonstandard data into standard data elements or a standard transaction
• Billing service
• Switch
• VAN

Are You a Health Care Clearinghouse?

(Decision flowchart; a YES at each step leads to the next question)
• Do you process, or facilitate the processing of, health information from a nonstandard format or content into standard format or content, or from a standard format or content into nonstandard format or content?
• Do you perform this function for another legal entity?
YES to both: “STOP! You are a health care clearinghouse”
NO at either step: “STOP! You are not a health care clearinghouse”

Hybrid Covered Entities

If “Covered Entity” functions are performed within a department or program, then the entity to which it belongs is a HIPAA hybrid entity

HIPAA rules apply to the component that performs the covered entity function

Hybrid Entity - Implications

The importance of being a hybrid entity is that HIPAA requires the entity to build walls between the covered functions and the rest of the entity, so that the non-covered portions do not have access to PHI

Business Associates

A Business Associate is a person or entity who, on behalf of a covered entity, performs a function or activity that involves the use or disclosure of Protected Health Information (PHI)

A covered entity may disclose PHI to its Business Associates if it obtains a written contract specifying that the Business Associate will appropriately safeguard the information

Privacy Rule - Background

Traditionally, health information has been “private” not because it is secure but because it has been difficult to access

As the ease of exchanging Protected Health Information (PHI) increases, there is a corresponding need to increase privacy protection

The privacy rule defines what information you must protect, as contrasted with the security rule, which defines how you must protect information

Privacy Rule - Definitions

“Protected Health Information” (PHI) is individually-identifiable health information that is transmitted or maintained in any form or medium

“Health Information” includes any information, oral or recorded, relating to the health of an individual, the health care provided, or payment for services rendered to the individual

Privacy Rule – Definitions Continued

“Privacy Notice” describes how an individual’s medical information may be used and disclosed, and the individual’s rights and the covered entity’s duties with respect to that medical information

“Patient Authorization” is required for the use of information not related to treatment, payment, or health care operations

Privacy Rule – Definitions Continued

“Public Health Authority” is an agency that is responsible for public health matters as part of its official mandate

Limited use and disclosure are permitted without consent or authorization when there is an overriding public interest

Generally, the rule does not apply to de-identified information as long as there is no mechanism for re-identification

Privacy Rule – Patient Rights

• Right to adequate notice of privacy practices
• Right to access health information
• Right to request amendment of health information
• Right to an accounting of disclosures
• Right to request restriction of uses and disclosures

Privacy Rule – Administrative Requirements

• A designated privacy official
• A privacy contact person
• A defined complaint process
• Individuals can request additional restrictions – entities must have a process for responding, but are not required to agree to the request
• Entity must verify the identity and legal authority of any person requesting PHI

Privacy Rule – Administrative Requirements Continued

Employer must provide training on privacy policies and procedures to each person who has contact with PHI

Covered entities are required to document that training requirements have been satisfied

Employees and Business Associates who violate policies and/or HIPAA regulations must be subject to defined sanctions

Standard Transactions

Transaction and Code Set Rule compliance October 16, 2003 (Public Law 107-105)
• Health Care Claim or Encounter (837)
• Health Care Claim Payment and Remittance (835)
• Health Care Claim Status Inquiry/Response (276, 277)
• Health Care Eligibility Inquiry/Response (270, 271)
• Enrollment and Disenrollment in a Health Plan (834)
• Referral Certification and Authorization (278)
• Health Plan Premium Payments (820)

Code Sets

HIPAA has mandated the use of national standard code sets

Elimination of Level III local codes and the limited expansion of Level II HCPCS codes

Nationally, Medicaid programs are being forced to “crosswalk” local codes into limited Level II HCPCS codes

HIPAA Security Regulations

Security regulations require:
• Covered Entity (CE) must ensure the confidentiality, integrity, and availability of electronic PHI that the CE creates, receives, maintains, or transmits
• CE must protect against any reasonably anticipated threats or hazards to the security or integrity of PHI under its control
• CE must protect against reasonably anticipated uses or disclosures that are not permitted or required by the privacy rule
• CE must ensure compliance by its workforce

Security – Physical Safeguards

• Facility access controls
• Policies governing the receipt and removal of hardware and electronic media that contain PHI into and out of the facility, as well as movement within the facility
• Policies on workstation area control and workstation use

Security – Administrative Safeguards

• Documented security management process
• Assigned security responsibility
• Workforce security policies
• Information access controls
• Emergency contingency plans
• Security awareness and training programs
• Security incident reporting procedures
• Periodic evaluations

Security – Technical Safeguards

• Technical access controls limiting access to authorized persons or software
• Audit controls to examine activity in information systems
• Policies and procedures to protect PHI from improper alteration or destruction
• Person or entity authentication procedures
• Technical transmission security measures to protect against unauthorized access

Preemption of State Law

Federal regulations preempt all “contrary” state laws, unless a state law is more stringent

State law is more stringent if it:
• Further limits the use or disclosure of PHI
• Provides individuals with greater rights of access, or more information about their rights
• Enhances protections afforded by an authorization
• Imposes greater record keeping requirements
• Otherwise enhances privacy protection

HIPAA Resources

Web Sites
• www.nhvship.org
• www.hhs.gov/ocr/hipaa
• www.wpc-edi.com/default40.asp
• www.aspe.hhs.gov/admnsimp/index.htm
• www.state.oh.us/hipaa

Questions?