1 / 30

HIPAA Administrative Simplification: Overview Presentation

HIPAA Administrative Simplification: Overview Presentation . November 2001. Overview. What is HIPAA? Health Insurance Portability and Accountability Act of 1996 (HIPAA), also known as the Kennedy/Kassebaum Act

brent
Télécharger la présentation

HIPAA Administrative Simplification: Overview Presentation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. HIPAA Administrative Simplification: Overview Presentation November 2001

  2. Overview • What is HIPAA? • Health Insurance Portability and Accountability Act of 1996 (HIPAA), also known as the Kennedy/Kassebaum Act • Primary purpose was to improve health insurance accessibility for people changing employers or leaving the workforce • HIPAA also included “Administrative Simplification” provisions to encourage and protect the electronic transmission of health-related data

  3. Overview • What are the HIPAA Administrative Simplification Provisions? 1. National standards for electronic data transmission 2. Unique health identifiers for providers, employers, plans, and individuals 3. Security standards to protect electronically maintained health information 4. Privacy and confidentiality provisions for individually identifiable health care data

  4. Overview • What are the objectives of the Administrative Simplification Provisions? • Improve efficiency of national health system • Reduce administrative overhead costs • Reduce fraud and abuse • Protect patient rights, including the privacy of patient health data • Improve quality of care through access to consistent clinical data • Improve information available for decision-making • Establish security standards for Internet-based technology

  5. Overview • Why was legislation needed? • Technological advancements have impacted the electronic transmission of health data, including: • Rapid growth of health care Internet and intranet applications to transmit and share patient information, such as diagnoses, radiological images, lab tests, and prescriptions • Advancements in the computerization of patient medical records • Increasing use of electronic prior authorizations for provider services, as well as claims submission and payments • Use of e-mail as a communication tool between caregivers and their patients

  6. Overview • Why was legislation needed? (continued) • Lack of standardization for the collection, storage, and transmission of health data  increased administrative costs AND decreased utility of data • Increasing health care costs  demand for uniform health care data to evaluate alternative coverage and treatment approaches

  7. Overview • Why was legislation needed? (continued) Public concerns about privacy bring demands for greater security: • 20% of consumers believe their health information has been used or disclosed inappropriately. • 17% of Americans report that they have taken action to avoid the inappropriate use of their information, including providing inaccurate information to health care providers, changing physicians, or avoiding care altogether. • The Association of American Physicians and Surgeons reports that 78% of its members have withheld information from a patient’s record due to privacy concerns and 87% of its members have had a patient request that information be withheld.

  8. Overview • Why was legislation needed? (continued) “We have laws in this country to protect the personal information contained in bank, credit card, and other financial records. Our citizens must not wait any longer for protection of the most personal of all information—their health records. “This rule makes sure that private health information doesn't fall victim to the progress of the information and technology age, where an array of data is readily available in computer systems and too often is just a keystroke away from being accessed.” Statement by Tommy G. ThompsonSecretary, U.S. Department of Health and Human ServicesApproving the Patient Privacy Rule April 12, 2001

  9. Overview • Who must comply with HIPAA? 1. Health care providers or any other person or organization that furnishes, bills, or is paid for health care in its normal course of business 2. Health plans that provide or pay the cost of medical care, including Medicare and Medicaid 3. Health care clearinghouses that process data elements or transactions

  10. Provision 1: National Standards • Electronic Data Interchange standards have been adopted for: • Health claims/encounter information • Enrollment/disenrollment in a health plan • Eligibility for a health plan • Health care payment and remittance advice • Health plan premium payments • Health claim status • Referral certification and authorization • Coordination of benefits Standards for claims attachments and first report of injury are required but have not yet been adopted.

  11. Provision 1: National Standards • Electronic Data Interchange (continued) • American National Standards Institute (ANSI) ASC X12N standards have been adopted for most transactions. • For retail pharmacy, the National Council of Prescription Drug Programs (NCPDP) Telecommunications Standard Format Version 5.1 and equivalent NCPDP Batch Standard Version 1.0 both set the standards.

  12. Provision 1: National Standards • Code Sets Specific code sets have been adopted: • ICD-9-CM, Volumes 1&2 • ICD-9-CM, Volume 3 • Combination of HCPCS and CPT-4 • HCPCS (other substances, equipment, supplies, other items) • National Drug Codes • CDT-2 (dental services) NOTE: All local codes will be eliminated.

  13. Provision 1: National Standards • What do they mean for providers? • All electronic transactions must be converted to the standard format. • DHHS cost estimates for non-hospital providers range from $0 (providers with no electronically processed patient claims or encounters) to $10,000 to cover software/system upgrades. • Additional provider costs not calculated in these estimates could include: • Personnel training • Possible payment delays while billers and payers convert to the new standardized system

  14. Provision 1: National Standards • What do they mean for providers? (continued) • DHHS estimates savings per electronically processed claim at $1.49 for physicians and $0.83 for all others. Total savings for non-hospital providers are estimated to range from $0 to over $70,000 between 2002 and 2011. • Additional potential administrative savings not calculated in these estimates could include: • Elimination of multiple transaction formats • Common data sets which will facilitate data sharing among entities • Possible cash flow increase if providers’ ability to electronically bill and collect is substantially improved

  15. Provision 2: Unique Health Identifiers • HIPAA requires unique national health identifiers for employers, providers, health plans, and individuals: • Employer Identifier: expected to be the Employer Identification Number (issued by the Internal Revenue Service) • National Provider Identifier: developed by HCFA for use in the Medicare system • Health Plan Identifier: expected to be the HCFA Medicare PayerID assigned to all health plans nationwide • Individual Identifier: development is on hold

  16. Provision 2: Unique Health Identifiers • What do they mean for providers? • If the National Provider Identifier (NPI) is selected, Medicare, Medicaid, and other federal health plan providers would be assigned an NPI automatically. • Other providers would have to apply to a federally directed registry for an NPI. • Providers will need to modify their billing and other systems to include the new standard Ids.

  17. Provision 3: Security Standards • Security standards for all patient-specific information that is or has been electronically stored and/or transmitted can be grouped into four categories: 1. Administrative procedure safeguards—comprehensive security policies and procedures 2. Physical safeguards—data integrity, backup, access, workstation location and security training 3. Technical security mechanisms—security measures to guard against unauthorized access to data 4. Technical security services—measures to protect patient information and control individual access to such information

  18. Provision 3: Security Standards Security standards (continued): • The standards establish a minimum threshold for compliance in each of the four categories. • However, the security standards do not specify particular technology requirements—each organization must assess its own “risk” and develop security measures accordingly. • Organizations must certify their security programs (either through a self-certification or by a private accreditation entity or vendor). The certification process has not yet been specifically defined.

  19. Provision 3: Security Standards • What do they mean for providers? • Procedures and systems must be updated to ensure that health care data is protected. • Written security policies and procedures must be created and/or reviewed to ensure compliance. • Employees must receive training on those policies and procedures. • Access to data must be controlled through appropriate mechanisms (for example: passwords, automatic tracking of when patient data has been created, modified, or deleted). • Security procedures/systems must be certified (self-certification is acceptable) to meet the minimum standards.

  20. Provision 4: Privacy Regulations • Consent/Authorization Provisions • Individually identifiable health information may not be used or disclosed unless authorized by the patient or is specifically permitted under HIPAA. • Patient consent is required for the use or disclosure of information for three purposes: treatment, payment, and other health care operations. • The privacy rule refers to both patient consent and authorization. In general, patient consent relates to information used for treatment-related purposes whereas patient authorization refers to disclosure of information for non-treatment purposes (such as employers, underwriters, or researchers).

  21. Provision 4: Privacy Regulations • Other Key Provisions • Use of health information for non-treatment purposes must be limited to the “minimum necessary.” • A written agreement must be in place that provides for appropriate safeguarding of health information with all “business associates.” This standard does not apply when information is being shared for treatment purposes. • Development of policies and procedures: Each entity must designate a privacy officer, develop privacy policies and procedures, and provide staff training to ensure that health information is protected.

  22. Provision 4: Privacy Regulations • Patients’ Rights Provisions • Covered entities must provide a “notice of privacy practice” to each patient describing his/her rights regarding protected health information. • Patients have the right to inspect and receive a copy of their medical records and to request amendments to their records. Though providers have the right to deny inclusion of an amendment, the patient has the right to file a Statement of Disagreement, which becomes part of the record. The provider can file a rebuttal to the Statement, should s/he so choose. • Patients also have the right to receive an accounting of disclosures of protected information. Individuals may request restrictions on the use and disclosure of information that go beyond those provided in the rule, but providers are not required to comply with those requests.

  23. Provision 4: Privacy Regulations • What do they mean for providers? • Consent is required for disclosure of identifiable information for treatment, payment, or health care operations (for example: quality assessment and improvement activities, physician qualifications and competence evaluations, medical reviews, and audits). • Health care providers may refuse treatment if they do not receive an individual’s consent. • Consent is not required for sharing a patient’s medical records with another physician when referring the patient to that physician or when billing a patient referred for a specialty consultation.

  24. Provision 4: Privacy Regulations • What do they mean for providers? Privacy regulations will require authorization for disclosure of identifiable information in all cases when used for ancillary purposes such as: • Research, such as clinical or market • Employers or employer groups • Pre-enrollment underwriting Authorizations must be written in specific terms and must identify: • The information to be disclosed • Persons authorized to make the disclosure • Persons authorized to receive the information • “Expiration date” of authorization

  25. Provision 4: Privacy Regulations • What do they mean for providers? • If an individual refuses to give authorization, providers generally still must provide treatment. • “National priority” activities are exempt from obtaining either consents or authorizations from individual patients. These include, public health emergencies, law enforcement, and judicial and administrative proceedings.

  26. Preparing for HIPAA • First Steps Identify project lead and establish HIPAA steering committee: • Project lead should be someone from management with a broad operational background. • HIPAA steering committee will need key managers from most, if not all, departments/units, as well as legal counsel. Begin building awareness: • Conduct briefings for executive management/department heads and clinical practice leadership. • Schedule regular “HIPAA Update” sessions where project lead will provide current news (such as the adoption of final rules, key operational issues/challenges, etc.). Commit resources needed to begin implementation.

  27. Preparing for HIPAA • Next Steps: National Standards/Code Sets • Identify the transactions you currently send/receive electronically. • Identify the “trading partners” (organizations with whom your organization shares health information electronically, such as health plans and state medical programs) and vendors you use to prepare/submit such transactions. • Contact your trading partners and vendors to determine their HIPAA compliance status. • Compare existing data sets to those defined in the implementation guides for each transaction standard. • Compare current code sets to HIPAA standards. Remember that local codes are not permitted under HIPAA.

  28. Preparing for HIPAA • Next Steps: Security Standards • Gap Analysis. Compare current security program to the HIPAA standard to identify gaps and develop action plans. • Risk Analysis. Identify the likelihood and impact of adverse actions such as inappropriate disclosure, corruption, or loss of patient information. • Based on the gap analysis and risk analysis, determine what additional security measures are appropriate and develop a plan for implementation. • Proposed standards require a “risk assessment,” which includes a cost/benefit analysis of security measures.

  29. Preparing for HIPAA • Next Steps: Security Standards (continued) A critical element of the security standards is the development of comprehensive policies and procedures that govern access to electronic health care information. There are two broad categories of required policies and procedures: 1. Personnel – Use of patient information by individuals employed by your organization or third parties with authorized access (such as billing vendors) 2. Systems – System security and maintenance of patient data

  30. Preparing for HIPAA • Next Steps: Privacy Regulations • Appoint someone in your organization to review the existing policies and procedures against the new regulations to identify gaps. • Conduct preliminary staff training. Even if your existing policies will not meet all HIPAA requirements, it is good practice to review privacy procedures to protect against inadvertent disclosures of information. • Watch for Bush Administration implementation guidelines that may influence the regulations.

More Related