HIPAA Overview (February 2001)
What is HIPAA?
• HIPAA is the Health Insurance Portability and Accountability Act of 1996 (PL 104-191)
• Also referred to as the Kennedy-Kassebaum Act
• HIPAA was enacted by the federal government on August 21, 1996 with the intent to assure health insurance portability, reduce healthcare fraud and abuse, guarantee security and privacy of health information and enforce standards for health information.
(Slide callout: "Focus of this discussion")
When people talk about HIPAA, what they are referring to is Title II, Subtitle F: Administrative Simplification
• Data Standardization
  • Code Sets
  • Transactions
  • Identifiers
• Security
• Privacy
[Slide diagram: "Electronic Connectivity" among Insurance Carrier, Provider Office, Employer, Lab, Member, Hospital, Bank, Pharmacy, Credit Card Company, Specialist, Consultant, Medical Library, Third Party Administrator, Pharmaceutical Company, Government, and "New Players"]
Why Federal Regulations?
Healthcare is 1/7 of the GNP
1. Effective healthcare delivery requires enormous administrative effort
2. The healthcare industry has the most to gain from recent technological advances
3. However, the healthcare industry lags other industries in taking advantage of these technological advances
4. Some believe streamlining requires a mandate for massive and coordinated change
Why Federal Regulations? Public Opinion - Privacy
• 88% of consumers are concerned about their privacy*
• 20% of consumers believe that their health information has been used or disclosed inappropriately**
• 54% of consumers feel that electronic medical records are the greatest privacy threat**
Sources: *Louis Harris & Assoc., 1998; **California Healthcare Foundation, 1999
Who must comply with HIPAA?
• Healthcare organizations (providers, health plans, clearing houses) that handle covered patient information - all confidential patient or member information in any form: electronic, written or verbal.
• Other healthcare entities may be required to meet HIPAA standards based on the chain of trust agreement requirement.
• Examples: Clinics, eHealth.coms, Employers (self insured), Home Health, Hospice, Pharmacies, Physician Groups, Other Providers
• Higher Education – Unique Considerations
  • Student Health Center and Counseling Center = Exempt Provider
  • Regulations define student health records as a FERPA-protected education record when the health record is used for a purpose other than medical treatment, including release to the individual student who is the subject of the information
  • Employee Health Services = Provider
  • Research Hospitals = Provider
  • Research Involving Human Subjects
Penalties for non-compliance
• Data standardization penalties
  • $100 per person per violation
  • No more than $25,000 per person per year for violations of a single standard
• Misuse of member health information
  • Not more than $50,000 and/or 1 year in prison
  • Under false pretenses, not more than $100,000 and/or 5 years in prison
  • With intent to sell, harm, etc., not more than $250,000 and/or 10 years in prison
• OCR charged with enforcement. OIG authorized to conduct criminal investigations
• Industry Concern: HIPAA compliance may become accreditation criteria
  • Joint Commission on Accreditation of Healthcare Organizations
  • National Committee for Quality Assurance
• Industry Concern: HIPAA compliance may become a requirement for participation with federally funded programs
HIPAA Administrative Simplification impact
[Slide diagram: Electronic Transaction Standards & Unique Identifiers, Code Sets & Claims Attachments, Privacy Standards, and Security mapped against Technology Issues and Business Issues]
HIPAA timeline
• August 1996 - HIPAA Enacted
• January 1997 - Effective date of Title II, all Subtitles except Subtitle F
• Data Standards Final Rule - August 15, 2000; 26 months to comply; mandatory compliance October 15, 2002
• Privacy Final Rule - 12/28/2000; 26 months to comply; mandatory compliance February 26, 2003
• Security Final Rule (estimate) - March 2001; 26 months to comply
Final Data Standardization requirements
• Electronic transaction standard
  • X12N standards facilitate transactions by establishing a common, uniform business language for computers to communicate across town or around the world.
• Electronic transactions to be standardized
  • Health care claims or equivalent encounter information.
  • Enrollment and de-enrollment in a health plan.
  • Eligibility for a health plan.
  • Health care payment and remittance advice.
  • Health plan premium payments.
  • Health care claim status.
  • Referral certification and authorizations.
  • Coordination of benefits.
• Standard Claims Attachments
Final Data Standardization requirements
• Standard code sets
  • ICD-9-CM, International Classification of Diseases, 9th Rev., Clinical Modification
  • CPT-4, Physician Current Procedural Terminology
  • Alpha-numeric HCPCS, HCFA Procedure Code System
  • CDT-2, Current Dental Terminology
  • NDC, National Drug Codes
• Unique identifiers - Proposed
  • Providers
  • Employers
• Unique identifiers - Delayed
  • Plans
  • Patients
Proposed Security requirements
• Technical Security
  • Access control
  • Audit controls
  • Authorization control
  • Entity authentication
• Electronic Transmission
  • Communication/Network controls
• Electronic Signatures
  • Digital signatures
• Administrative Security
  • Certification
  • Contingency plan
  • Information access control
  • Security configuration management
  • Security incident management
  • Security management process (requires a Security Officer)
• Physical Data Security
  • End user security awareness
  • Physical access control
  • Media
  • Secure workstation use and availability
Highlights of the Final Privacy Regs
• Published December 28, 2000
• Compliance required by February 26, 2003
• Preamble addresses 53,000 comments
• The document uses the term "reasonable" 265 times
Highlights
• Regulations apply to covered entities (providers, clearing houses and health plans)
• Applies to all member health information: electronic, paper and oral communications
• Requires providers to obtain consent prior to treatment, payment and operations. May condition treatment or enrollment
• Allows full disclosures to providers for purposes of treatment. Retains provision for minimum necessary requirements for routine, recurring and other, non-routine disclosures
• Distinguishes between consent for treatment and authorization for other disclosures. Protects against unauthorized use of information for employment purposes
• Allows legally separate, but affiliated covered entities to designate themselves as a single covered entity
• Replaces "business partner" with "business associate" and reduces liability from "should have known" to taking action if aware
• Requires Privacy Officer and Security Officers
Highlights
• Permits certain marketing and fundraising activities
• Requires Notice of Information Practices
• Requires training
• Defines right to request restrictions on uses and disclosures
• Defines right to receive accounting of disclosures
• Defines right to access, inspect, copy and request amendments to records
• HIPAA intended as a floor, not a ceiling. Whichever rule is more stringent, state or federal, applies.
• Establishes whistleblower procedure - covered entities precluded from retaliating
• Gives HHS Office for Civil Rights (OCR) enforcement responsibility
AA HIPAA Assessment
• Conduct high-level HIPAA gap analysis of business units and core business information systems
• Identify gaps between current technology/practices and HIPAA's
  • final data standardization and privacy requirements and
  • proposed security requirements
• Develop remediation recommendations and a high-level workplan
• Develop high-level cost estimates for remediation
Assessment Alternatives – Office of Information and Educational Technology
• University Hospital Consortium Contract (UCDMC)
  • SAIC
  • Cap Gemini/Ernst and Young
• External HIPAA Specialists
  • Arthur Andersen
  • Computer Associates
  • KPMG
  • PricewaterhouseCoopers
• Projected Initiation Date – Spring 2001