
Briefing: The Impact of HIPAA on the Military Health System Date: 20 March 2007 Time: 1610 - 1700


Presentation Transcript


  1. Briefing: The Impact of HIPAA on the Military Health System Date: 20 March 2007 Time: 1610 - 1700

  2. Objectives • Brief review of the history of the Health Insurance Portability & Accountability Act (HIPAA) • Learn what’s really required by HIPAA & what’s not • Learn about the new HIPAA requirements on the horizon • Take advantage of HIPAA resources on the Internet

  3. How Did We Get Here? • Move toward standard Electronic Data Interchange (EDI) Transactions and away from paper-based processes • Healthcare industry pushing this effort in early 1990s • Workgroup for EDI (WEDI) was taking the lead • Estimated $42 billion in net savings (1995-2000) - 1993 WEDI Report • Recognize the need to protect electronic health data • Role of “those privacy zealots"

  4. History of HIPAA • Health Insurance Portability and Accountability Act (HIPAA) – P.L. 104-191 • Also known as Kennedy-Kassebaum Bill (K2) or Kassebaum-Kennedy, depending on your party affiliation • House of Representatives passed it 421-2 • Senate passed it unanimously • Signed into law on August 21, 1996, by President Clinton

  5. HIPAA Components • Insurance Portability • Accountability (Fraud & Abuse) • Administrative Simplification

  6. Intents of HIPAA Administrative Simplification • Reduce Paperwork • Improve Efficiency of Health Systems • Protect Security and Confidentiality of Electronic Health Information

  7. HIPAA Rule Making Process • Department of Health & Human Services (DHHS) publishes Notice of Proposed Rule Making (NPRM) • 60-day comment period • Receive written public input • Comments reviewed resulting in modifications to the Final Rule version • Final Rule published in Federal Register • Congress has 60 days to make changes • Two years before Final Rule becomes effective • Normally

  8. HIPAA’s Original Timeline • HIPAA signed into law on August 21, 1996 • All Final Rules to be issued by February 21, 1998 • Eighteen months after signing into law • Full compliance to be achieved by April 22, 2000 • We’ve been under HIPAA for nearly 7 years!!! • What happened to the original timeline? • DHHS had three (3) Number One priorities • Y2K • Balanced Budget Act (BBA) of 1997 • HIPAA

  9. Timetable for Adoption of Standards (columns: Standard; Notice of Proposed Rule Making (NPRM); Final Rule Publication; Compliance Required) • Transactions & Code Sets: NPRM 05/07/1998; Final Rule 08/17/2000; Compliance 10/16/2003 - with extension • National Provider Identifier: NPRM 05/07/1998; Final Rule 01/23/2004; Compliance 05/23/2007 (2008<$5M) • National Employer Identifier: NPRM 06/16/1998; Final Rule 05/31/2002; Compliance 07/30/2004 (2005<$5M) • Security: NPRM 08/12/1998; Final Rule 02/20/2003; Compliance 04/20/2005 (2006<$5M) • Privacy: NPRM 11/03/1999; Final Rule 12/28/2000; Compliance 04/14/2003 (2004<$5M)

  10. Who Must Use the Standards? • Covered Entities (CEs) Include: • Health Plan • Health Care Clearinghouse • Health Care Provider (who transmits any health information in electronic form in connection with any covered transaction) • MHS Direct Care System is considered to be a Health Care Provider • Congress directed DHHS to use existing standards wherever possible rather than develop new ones

  11. Civil & Criminal Penalties • Civil penalty of $100 per violation, up to $25,000 maximum per year per HIPAA standard • Wrongful disclosure of Individually Identifiable Health Information (IIHI) • Fined not more than $50,000, imprisoned not more than 1 year, or both • If offense committed under false pretenses • Fined not more than $100,000, imprisoned not more than 5 years, or both —Continued—

  12. Civil & Criminal Penalties • If offense committed with intent to sell, transfer, or use information for commercial advantage, personal gain, or malicious harm • Fined not more than $250,000, imprisoned not more than 10 years, or both

  13. ANSI ASC X12N & IGs • ANSI – American National Standards Institute • ASC X12 – Accredited Standards Committee (ASC) chartered by ANSI to develop standards for inter-industry electronic business transactions (EDI) • X12N – is the Subcommittee for Insurance who developed the HIPAA EDI standards • IGs – Implementation Guides that provide detailed formats for implementing the HIPAA EDI standards • Version 4010A of the HIPAA IGs is the standard • National Council for Prescription Drug Programs (NCPDP) developed standards for retail pharmacy drug claims

  14. Covered Transactions • 837 – Health Care Claim (3 types) • Institutional • Professional • Dental • Retail Pharmacy Drug Claim • National Council for Prescription Drug Programs (NCPDP) Telecommunication Standard Implementation Guide, Version 5.1, September 1999 • NCPDP Batch Standard Batch Implementation Guide, Version 1.1, January 2000

  15. Covered Transactions (con’t) • 270/271 – Health Care Eligibility Benefit Inquiry and Response • 276/277 – Health Care Claim Status Request and Response • 278 – Health Care Services Review • 820 – Payroll Deducted and Other Group Premium Payment for Insurance Products • 834 – Benefit Enrollment and Maintenance • 835 – Health Care Claim Payment/Advice • 837 – Coordination of Benefits

  16. Mandated Code Sets • ICD-9-CM – International Classification of Diseases – Clinical Modification for Diagnoses, 9th Edition (Volumes 1 and 2) • ICD-9-CM – International Classification of Diseases – Clinical Modification for Inpatient Procedures, 9th Edition (Volume 3) • CPT-4 – Current Procedural Terminology, 4th Edition • CDT-3 – Code on Dental Procedures and Nomenclature, 3rd Edition • HCPCS – Healthcare Common Procedure Coding System

  17. Impact of HIPAA EDI • Electronic claims just means faster rejections if data is incomplete or incorrect • Increasing emphasis on the need for quality data “the first time” • Personnel savings may need to be redeployed to other areas in order to improve data capture and quality • 837 is NOT JUST an electronic UB-92 or CMS 1500 • HIPAA transactions often require more data than is currently captured or stored • State Prompt Payment laws will still be needed • Electronic claims attachments (275) will be a big aid once they are available

  18. Privacy vs. Security • Privacy – What needs to be protected • Protected Health Information (PHI) • Security – Methods by which we will protect it • Need to determine the desired balance among: • Confidentiality of the data • Integrity of the data • Availability of the data • Final Rules for Privacy issued December 2000 and August 2002 • Security Final Rule issued February 2003

  19. Privacy Rule • December 2000 Privacy Rule required patients to give consent before their protected health information (PHI) could be used for treatment, payment, or health care operations (TPO) • August 2002 Privacy Rule dropped the consent requirement • Direct health care provider now just has to make a good faith effort to obtain an individual’s written acknowledgement of receipt of the provider’s Notice of Privacy Practices (NPP) • Copy of MHS NPP on TMA HIPAA Web Site

  20. Privacy Rule (con’t) • Authorization by the individual is still required before a Covered Entity can release PHI for non-TPO purposes • Life insurance company seeking medical information regarding a policy applicant • Access without written authorization allowed for national and public health needs

  21. Privacy Rule (con’t) • Individual’s right of access • Patient can see their medical record • Can request copies • Can request amendments to medical record • Provider does not have to make the amendment • Preemption – Final Rule cannot supersede more stringent state privacy laws • Establishes the Federal floor of safeguards • You need to know which state privacy laws still apply (i.e., those that are more stringent)

  22. What Is IIHI? • Individually identifiable health information (IIHI) is information that is a subset of health information, including demographic information collected from an individual, and: • Is created or received by a health care provider, health plan, employer, or health care clearinghouse • Relates to: • the past, present, or future physical or mental health condition of an individual; the provision of health care to an individual; or the past, present, or future payment for health care received by an individual; and that • Either identifies the individual or provides a “reasonable basis” to believe the information can identify the individual

  23. What Is PHI? • Protected Health Information (PHI) is IIHI that is: • Transmitted by electronic media • Maintained by electronic media • Transmitted or maintained in any other form or medium (includes written or oral communications) • PHI excludes IIHI in: • Education records covered by the Family Educational Rights and Privacy Act (FERPA) • Employment records held by a CE in its role as an employer

  24. Real World Privacy Issues • “Anonymous” medical records identified in Massachusetts • Governor’s record included • Survey finds one out of six patients engage in “privacy protected behaviors” • Foreign transcriber threatens California medical center to release medical records on the Internet • Disagreement over back pay

  25. HIPAA Security Rule Background • Proposed Rule was issued August 12, 1998 covering Security and Electronic Signature Standards (39 pages) • Many security and privacy recommendations based on the National Research Council’s 1997 report entitled For The Record: Protecting Electronic Health Information • More than 2,300 comments submitted by individuals and organizations

  26. HIPAA Security Rule Background (con’t) • Security Final Rule issued February 20, 2003 (48 pages) • Provisions apply ONLY to electronic Protected Health Information (PHI) • Does not cover electronic signatures • DHHS will issue separate NPRM • Awaiting recommendation from National Committee on Vital & Health Statistics (NCVHS) • Date unknown • Security Final Rule does not reference or advocate specific technology

  27. HIPAA Security Rule Background (con’t) • Intentionally generic, scalable for both small and large organizations, technology neutral • Each affected entity must assess its own security needs and risks and devise, implement, and maintain appropriate security measures to address its business requirements • Measures must be documented and kept current • Challenge for the organization to assess their own security risks, weigh them, implement appropriate solutions

  28. HIPAA Security Standards – General Rules • General requirements – Covered entities (CEs) must do the following: • Ensure the confidentiality, integrity, and availability of all electronic PHI the CE creates, receives, maintains, or transmits • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information • Protect against any reasonably anticipated uses or disclosures of such information • Ensure compliance by its workforce

  29. Some Operational Challenges • Healthcare staff want to help others • We’re too trusting • Security system is only as good as its weakest link • 999 secure passwords out of 1000 users is NOT “good enough” • Hackers & Social Engineering • Attempt to exploit our desire to be helpful • Not enough to thwart them – need to report it to the right person so appropriate actions can be taken —Continued —

  30. Some Operational Challenges • Don’t be a soft target • Hackers are lazy • Viruses and worms • Need to be alert/wary • Capability to track access to Protected Health Information (PHI) • Insurance company example • Harvard Community Health Plan • Patients can review who accessed their PHI

  31. HIPAA Security Considerations • How do you dispose of your obsolete PCs? • Savannah River DOE example • Indianapolis hospital example • Do you allow providers to access your network from their home PCs? • Any penalties for violations? • Are they ever enforced? —Continued —

  32. HIPAA Security Considerations • Have you outsourced medical transcription? If so, how is PHI transmitted/stored & protected when off-site? • Do your passwords contain both alpha and numeric characters as well as special characters, with a minimum length of at least 8 characters? • How often are they updated? • No yellow Post-Its on the PC monitor or under the desktop keyboard

  33. Changes on the Horizon • National Provider Identifier (NPI) • New paper forms (UB-04, revised CMS 1500) • Implement use of NPI • New draft HIPAA EDI transaction set • 275 – Electronic Claims Attachment • Future use of ICD-10

  34. National Provider Identifier (NPI) • National Provider Identifier (NPI) • Health care providers began applying for NPIs beginning May 23, 2005 • Health care providers, health plans, and health care clearinghouses must begin using the NPI in standard transactions NLT May 23, 2007 • Small health plans have until NLT May 23, 2008 • Is a 10-position numeric identifier (last digit is a check figure) • Is an intelligence-free number • NPI Type 1 – for health care providers who are individual human beings • NPI Type 2 – for health care organizations

  35. Use of the NPI Type 1 in the MHS • HA Policy 05-002 issued 26 January 2005 regarding NPI Type 1 • Requires “all Health Care Providers who furnish billable health care services or who may initiate and/or receive referrals must obtain an NPI Type 1.” • Services are responsible for ensuring all privileged/credentialed providers (including Reserve Component) obtain and submit their NPI to the TMA designated data base/repository prior to 23 May 2007 • Services SGs have issued Memoranda of Instruction detailing Service-specific instructions • As of 27 February 2007, 19,711 NPI Type 1 identifiers have been entered into DMHRSi • Still need an estimated 8,711 more NPI Type 1 identifiers! • Only 64 days remaining until 23 May 2007 deadline

  36. Use of the NPI Type 2 in the MHS • HA Policy 05-012 issued 1 August 2005 regarding NPI Type 2 • Requires all organizational health care providers within the MHS to obtain an NPI Type 2. These include: • MTFs that bill third party insurers • Pharmacy dispensing sites • The Services are responsible for ensuring all applicable organizational health care providers obtain NPI Type 2 identifiers prior to 23 May 2007 • As of 27 February 2007 • 128 NPI Type 2 identifiers for MTFs have been entered into DMHRSi • 600 NPI Type 2 identifiers for Pharmacy Dispensing Sites have been entered into DMHRSi • Only 64 days remaining until 23 May 2007 deadline

  37. New Paper Bill Forms • Use of new revised CMS 1500 Form required beginning 1 February 2007 • Use of new UB-04 Form required beginning 23 May 2007 • Both new forms require use of NPIs beginning 23 May 2007 • MHS System Change Requests (SCRs) have been submitted for making changes to TPOCS and the CHCS MSA module to support the new paper claim formats • CHCS software change package to support the UB-04 will be available for MTFs to load beginning in early May 2007 • MTFs need to start ordering the new UB-04 and CMS 1500 forms

  38. 275 – Electronic Claim Attachment • Claims Attachment NPRM issued 23 September 2005 • Will simultaneously use both ANSI X12 and HL7 EDI standards • Six different attachment types proposed • Clinical Reports • Laboratory Results • Medications • Rehabilitation Services • Ambulance Service • Emergency Department

  39. ICD-10 Implementation • ICD-10s likely coming in 2009 – 2010 • AHIMA & AMIA support October 2009 date • TMA monitoring status of ICD-10 implementation in U.S. • Changes will be made in MHS automated information systems to support the new code set once it is mandated

  40. Truisms Regarding HIPAA Compliance • Changing the organizational privacy & security culture will be the BIGGEST challenge • HIPAA compliance has no finish line • National Committee on Vital & Health Statistics (NCVHS) recommended in February 2002 more clinical messaging formats as potential HIPAA standards for an electronic medical record (EMR) • New transaction sets will continue to be added (e.g., 275 – Electronic Claims Attachment)

  41. HIPAA Resources on the Internet • TMA HIPAA Web site • http://www.tricare.mil/hipaa/ • HA Policy 05-002 – NPI Entity – Type 1 • http://www.ha.osd.mil/policies/2005/default.cfm • HA Policy 05-012 – NPI Entity – Type 2 • http://www.ha.osd.mil/policies/2005/default.cfm • National Uniform Billing Committee (NUBC) • http://www.nubc.org/new.html • National Uniform Claim Committee (NUCC) • http://www.nucc.org —Continued —

  42. HIPAA Resources on the Internet • CMS HIPAA Web site • http://www.cms.hhs.gov/hipaageninfo/01_overview.asp? • For the Record: Protecting Electronic Health Information, The National Academies Press, 1997 • http://www.nap.edu or 1-800-624-6242 • View free on-line version of For the Record • http://books.nap.edu/books/0309056977/html/index.html • DHHS Office of Civil Rights (OCR) • http://www.hhs.gov/ocr/hipaa —Continued —

  43. HIPAA Resources on the Internet • Washington Publishing Company – HIPAA EDI Implementation Guides • http://www.wpc-edi.com/hipaa/HIPAA_40.asp • Workgroup for Electronic Data Interchange (WEDI) • http://www.wedi.org • National Council for Prescription Drug Programs (NCPDP) • http://www.ncpdp.org • National Committee on Vital & Health Statistics (NCVHS) • http://www.ncvhs.hhs.gov

  44. Summary • History of HIPAA • It’s been a law since 1996! • What’s really required by HIPAA & what’s not • Need to separate truth from fiction • New HIPAA requirements on the horizon • NPIs, new paper forms (UB-04, revised CMS 1500) • Additional covered transactions (e.g., 275) • Future use of ICD-10 • Take advantage of HIPAA resources on the Internet • No need to “reinvent the wheel!”

  45. Summary • History of the Health Insurance Portability & Accountability Act (HIPAA) • What’s really required by HIPAA & what’s not • New HIPAA requirements on the horizon • HIPAA resources on the Internet

  46. Quiz • How do you spell HIPAA and what do the letters stand for? • Who/what needs to get an NPI Type 1? • Who/what needs to get an NPI Type 2? • What form is replacing the UB-92? • What form is replacing the CMS 1500?
