
HTH937: Sybase Healthcare and Industry Standards

HTH937: Sybase Healthcare and Industry Standards. Bill Moroz Technical Director, Healthcare bill.moroz@sybase.coml / 708 301 9580 August 5, 2003. Course Outline. Overview of Healthcare Standards Government (HIPAA) Standards Development Organizations De Facto Vendor Sybase Solutions





Presentation Transcript


  1. HTH937: Sybase Healthcare and Industry Standards. Bill Moroz, Technical Director, Healthcare. bill.moroz@sybase.coml / 708 301 9580. August 5, 2003

  2. Course Outline • Overview of Healthcare Standards • Government (HIPAA) • Standards Development Organizations • De Facto • Vendor • Sybase Solutions • HIPAA Standards for Transaction Compliance • HIPAA Standards for Privacy • HIPAA Standards for Security • Standards-Based Integration

  3. Government Healthcare Standards • Health Insurance Portability and Accountability Act of 1996 (HIPAA), administered by HCFA • National Library of Medicine, which supports the Unified Medical Language System (UMLS), a system linking together various medical vocabularies • Health Care Financing Administration (HCFA), which controls Medicare and Medicaid

  4. Standards Development Organizations (SDO) • ANSI (American National Standards Institute) • X12 • CPT • ASTM (the American Society for Testing and Materials), which produces a standard for the CPR (computer-based patient record) • American Medical Association, which produces CPT-4 codes for reporting medical services and procedures • ANSI Health Informatics Standards Planning Panel (HISPP), which coordinates standards from other organizations • HL7 • DICOM • EDIFACT for healthcare data interchange • Health Care Financing Administration (HCFA)

  5. International Standards • Telematics • CEN TC 251 • IMIA became IHIA • WHO • ANSI-HISB • Ministry of Health Canada • IT/14 – Standards Australia • MEDIS-DC within Ministry of Trade (Japan) • ISO IAeG (InterAgency EDI Group of ISO)

  6. Sybase Participates in Healthcare Standards Organizations

  7. Public Law 104-191August 21, 1996 HIPAA – What is it? “To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.” Health Insurance Portability and Accountability Act of 1996. De Facto HIPAA Mascot

  8. HIPAA – Who is affected? • Healthcare Providers • Healthcare Clearinghouses • Health Plans • Commercial insurers • Third-party administrators • Some large employers (self-insured) • Government Agencies • Public Health, Child & Family Services, etc. • Healthcare consumers (patients)

  9. HIPAA – When does it happen? (timeline)
  • August 1996: HIPAA Enacted
  • December 2001: Administrative Simplification Compliance Act Signed
  • February 2003: Final Security Rule; TCS Addendum
  • April 2003: Mandatory Compliance: Privacy
  • October 2003: Mandatory Compliance: EDI
  • November 2003: Enforcement Regulation
  • April 2005: Mandatory Compliance: Security

  10. HIPAA EDI Transactions (diagram: transaction flows among Plan Sponsors/Employers, Providers and Payers)
  • 834 Enrollment and 820 (premium payment): Plan Sponsors/Employers to Payers
  • 270/271 Eligibility Verification: Providers and Payers
  • 278 Pre-treatment Authorization and Referrals; Precertification and Adjudication
  • 837 (+ 275/HL7) Service Billing / Claim Submission; Claim Acceptance (277); Adjudication
  • 276/277 Claim Status Inquiries
  • Coordination of Benefits: 277, 275
  • 835 (claim payment / remittance advice): Payer Accounts Payable to Provider Accounts Receivable
  • Not shown: NCPDP Retail Pharmacy

  11. HIPAA/Transactions
  • The goal is to have all plans use identical transactions. In reality there are some variations, although greatly reduced by HIPAA (e.g. claims: 88% the same post-HIPAA vs. <60% pre-HIPAA)
  • Content variations: e.g. coding of procedures, taxonomy, 837I vs. 837P
  • Non-content variations: 997 errors, transport (Internet vs. dial-up), FTP vs. HTTP, authentication

  12. HIPAA/Transactions • Mandatory Compliance by Oct 16, 2003 • What does compliance mean? • Business vs. Legal issues If one claim out of a whole batch of 5000 isn’t “HIPAA Compliant” should you reject the entire batch?
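The batch question above turns on where in the X12 envelope an accept/reject decision is made. An interchange (ISA/IEA) holds functional groups (GS/GE), which hold transaction sets (ST/SE); a 997 functional acknowledgment reports at the transaction-set level, so a structurally bad claim can be rejected on its own while the rest of the batch is accepted. The following is an added example, not code from the presentation or from Sybase: it reads the delimiters from the fixed-width ISA segment, walks the ST/SE pairs, and checks segment counts, control numbers and the GE/IEA totals. The sample interchange, the submitter and receiver IDs and the two 837 transaction sets are all constructed for the demonstration; the second set deliberately carries a wrong SE segment count.

```python
"""Per-transaction-set structural acceptance of an X12 interchange (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample interchange (not from the presentation): one ISA/GS group
# holding two 837 transaction sets. The second SE states 9 segments but the set
# only has 4, the kind of structural error a 997 reports for that ST alone.
SAMPLE_X12 = (
    "ISA*00*          *00*          *ZZ*SUBMITTERID    *ZZ*RECEIVERID     "
    "*030805*1200*U*00401*000000905*0*P*:~"
    "GS*HC*SUBMITTERID*RECEIVERID*20030805*1200*1*X*004010X098A1~"
    "ST*837*0001~"
    "BHT*0019*00*0123*20030805*1200*CH~"
    "NM1*41*2*SAMPLE CLINIC*****46*SUBMITTERID~"
    "CLM*PATIENT1*125.00***11:B:1*Y*A*Y*Y~"
    "SE*5*0001~"
    "ST*837*0002~"
    "BHT*0019*00*0124*20030805*1200*CH~"
    "CLM*PATIENT2*80.00***11:B:1*Y*A*Y*Y~"
    "SE*9*0002~"
    "GE*2*1~"
    "IEA*1*000000905~"
)


@dataclass
class TransactionResult:
    control_number: str                 # ST02, must match SE02
    transaction_type: str               # ST01, e.g. 837
    errors: List[str] = field(default_factory=list)

    @property
    def accepted(self) -> bool:
        return not self.errors


def delimiters(raw: str) -> Tuple[str, str, str]:
    """Element, sub-element and segment delimiters are read from the 106-char ISA."""
    if not raw.startswith("ISA") or len(raw) < 106:
        raise ValueError("interchange must begin with a 106-character ISA segment")
    return raw[3], raw[104], raw[105]


def split_segments(raw: str) -> List[List[str]]:
    elem, _sub, term = delimiters(raw)
    return [seg.split(elem) for seg in raw.split(term) if seg.strip()]


def _elem(seg: List[str], n: int) -> str:
    return seg[n] if len(seg) > n else ""


def validate_interchange(raw: str) -> Tuple[List[TransactionResult], List[str]]:
    """One result per ST/SE transaction set plus envelope-level (GE/IEA) errors.

    Only envelope structure is checked here; 837 content rules are out of scope.
    """
    segments = split_segments(raw)
    results: List[TransactionResult] = []
    envelope_errors: List[str] = []
    current: Optional[TransactionResult] = None
    start_index = 0
    sets_in_group = 0
    groups = 0

    for i, seg in enumerate(segments):
        tag = seg[0]
        if tag == "GS":
            groups += 1
            sets_in_group = 0
        elif tag == "ST":
            if current is not None:          # previous ST never closed
                current.errors.append("ST without closing SE")
                results.append(current)
            current = TransactionResult(_elem(seg, 2), _elem(seg, 1))
            start_index = i
            sets_in_group += 1
        elif tag == "SE":
            if current is None:
                envelope_errors.append("SE without opening ST")
                continue
            actual = i - start_index + 1     # ST through SE inclusive
            if _elem(seg, 1) != str(actual):
                current.errors.append(f"segment count {_elem(seg, 1)} in SE, found {actual}")
            if _elem(seg, 2) != current.control_number:
                current.errors.append(f"SE control number {_elem(seg, 2)} != ST {current.control_number}")
            results.append(current)
            current = None
        elif tag == "GE" and _elem(seg, 1) != str(sets_in_group):
            envelope_errors.append(f"GE01 {_elem(seg, 1)} != {sets_in_group} transaction sets")
        elif tag == "IEA" and _elem(seg, 1) != str(groups):
            envelope_errors.append(f"IEA01 {_elem(seg, 1)} != {groups} functional groups")

    if current is not None:
        current.errors.append("ST without closing SE")
        results.append(current)
    return results, envelope_errors


if __name__ == "__main__":
    sets, env = validate_interchange(SAMPLE_X12)
    for r in sets:
        print(r.transaction_type, r.control_number, "accepted" if r.accepted else r.errors)
    print("envelope errors:", env)
```

Run as-is, the first 837 (control number 0001) is accepted and the second (0002) is rejected for its SE count, while the GE and IEA totals still reconcile; that is the granularity a receiver can work at instead of bouncing the whole file.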

  13. HIPAA - Privacy Standards • Effective as of April 14, 2003. • Provides regulations on the use and disclosure of Protected Health Information (PHI). • Individuals must be informed of the institution's privacy policy in writing. • Distinguishes uses and disclosures for treatment, payment and healthcare operations (TPO), which require no patient authorization, from all other uses and disclosures, which do. • The "Minimum Necessary" principle • Right to examine & amend a person's own information • Provisions for disclosure of "De-identified" data

  14. HIPAA/Privacy - Why? • Tammy Wynette's medical records were sold to tabloid publications by a medical center employee. This was done in spite of the fact that she had entered the hospital under an assumed name to protect her privacy. • An HIV positive patient used a local pharmacy to keep his condition private. When the pharmacy was purchased by CVS, he requested to not have his information transferred. CVS not only disregarded his request but distributed the information to many of its marketing partners. • A list of cancer patients was obtained by a banker who was on the state health commission. He cross referenced the list against his customer list and promptly called in their loans.

  15. What is Protected Healthcare Information (PHI)

  16. HIPAA/Privacy Challenges • Information must be kept 6 years • Requests can be generated through various communications channels • phone, fax, email, web sites and claims systems. • PHI may (and mostly does) reside on many storage types: • medical records systems, claims systems, adjudications systems, filing cabinets, data warehouses.

  17. HIPAA/Privacy

  18. HIPAA/Privacy - Accounting of Disclosures • Covered Entities must document and retain: • Date of disclosure • Name/Address of person who received PHI • A brief description of PHI disclosed • A statement about the purpose of the disclosure • The written accounting is provided to the individual • The titles of the persons or offices responsible for receiving and processing the request for an accounting by individuals.

  19. HIPAA/Privacy - Authorizations

  20. HIPAA/Privacy - Authorizations • Patient Authorizations Required for: • Marketing • Research • Psychotherapy notes • Activities other than treatment, payment and healthcare operations (TPO) • Manage Status (Signed, Revoked, Expired) • Integration with Disclosure Management

  21. HIPAA/Privacy - Restrictions

  22. HIPAA/Security Rule - § 164.306 • Published February 13, 2003 • Mandatory April 21, 2005 (2006 for smaller plans) • General rules • Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits. • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under [the privacy regulation] • Ensure compliance with this subpart by its workforce.

  23. HIPAA/Security - Implementation Specifications
  • Specifications are defined as either "Required" or "Addressable" (22 of 42 are "addressable")
  • Required: e.g. Security Assessments, Disaster Recovery Plan
  • Addressable (e.g. Integrity controls and encryption): reasonable and appropriate within your framework
    • E.g. Small Physician Practice vs. Large Health Plan
    • Depends on existing measures, cost, and risk mitigation
    • Locked-up room vs. data center with retinal eye scan
  • Big technical issue: lack of technical standards or specificity. E.g. § 164.312(e)(2)(ii): "Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate."
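The accounting-of-disclosures slide lists what must be recorded per disclosure and the privacy-challenges slide gives the six-year retention window; the security slide above leaves integrity controls "addressable" without saying what one looks like. The following is an added example, not code from the presentation or from Sybase, that ties the two together: a disclosure ledger whose entries carry the listed elements, chained with HMAC-SHA256 so that a later edit or deletion of any entry is detectable, with an accounting query for one individual limited to the six-year window. The identifiers, recipients, dates and the ledger key are constructed placeholders (a real deployment would draw the key from managed secret storage). It demonstrates an integrity control only; encryption of the stored records is a separate mechanism not shown here.

```python
"""Tamper-evident accounting-of-disclosures ledger (added example, not Sybase code)."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace
from datetime import date
from typing import List, Optional, Tuple

ACCOUNTING_WINDOW_YEARS = 6          # retention window stated on the slides
GENESIS = "0" * 64                   # previous-MAC value for the first entry


@dataclass(frozen=True)
class Disclosure:
    individual_id: str               # hypothetical internal patient identifier
    disclosed_on: str                # ISO date of the disclosure
    recipient_name: str              # name of the person/entity that received PHI
    recipient_address: str
    phi_description: str             # brief description of the PHI disclosed
    purpose: str                     # statement of the purpose of the disclosure


class DisclosureLedger:
    """Append-only log; each entry's MAC covers the entry and the previous MAC."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._chain: List[Tuple[Disclosure, str]] = []

    def _mac(self, entry: Disclosure, prev_mac: str) -> str:
        payload = prev_mac.encode() + json.dumps(asdict(entry), sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def record(self, entry: Disclosure) -> str:
        prev = self._chain[-1][1] if self._chain else GENESIS
        mac = self._mac(entry, prev)
        self._chain.append((entry, mac))
        return mac

    def verify(self) -> Optional[int]:
        """Index of the first entry whose MAC no longer verifies, or None if intact."""
        prev = GENESIS
        for idx, (entry, mac) in enumerate(self._chain):
            if not hmac.compare_digest(mac, self._mac(entry, prev)):
                return idx
            prev = mac
        return None

    def accounting(self, individual_id: str, as_of: str) -> List[Disclosure]:
        """Disclosures for one individual within the window ending on as_of (ISO date)."""
        cutoff = _years_before(date.fromisoformat(as_of), ACCOUNTING_WINDOW_YEARS)
        return [e for e, _ in self._chain
                if e.individual_id == individual_id
                and date.fromisoformat(e.disclosed_on) >= cutoff]

    def __len__(self) -> int:
        return len(self._chain)


def _years_before(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year - years)
    except ValueError:               # 29 February with no counterpart in the target year
        return d.replace(year=d.year - years, day=28)


def simulate_edit(ledger: DisclosureLedger, index: int, **changes) -> None:
    """Model an unauthorized in-place edit of a stored record (for demonstration)."""
    entry, mac = ledger._chain[index]
    ledger._chain[index] = (replace(entry, **changes), mac)


def build_sample_ledger() -> DisclosureLedger:
    # Constructed records and a placeholder key; none of this is real data.
    ledger = DisclosureLedger(key=b"demo-ledger-key-not-for-production")
    ledger.record(Disclosure("MRN-0001", "2001-01-15", "County Public Health",
                             "1 Civic Plaza", "lab result", "public health reporting"))
    ledger.record(Disclosure("MRN-0001", "2003-05-01", "Outside Researcher",
                             "10 University Ave", "discharge summary", "research under authorization"))
    ledger.record(Disclosure("MRN-0002", "2003-06-10", "Attorney of record",
                             "55 Court St", "billing record", "subpoena"))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain intact:", ledger.verify() is None)
    for d in ledger.accounting("MRN-0001", "2009-04-30"):
        print(d.disclosed_on, d.recipient_name, d.purpose)
    simulate_edit(ledger, 1, purpose="marketing")
    print("first bad link after edit:", ledger.verify())
```

Accounting for MRN-0001 as of 2009-04-30 returns only the 2003 disclosure, since the 2001 one falls outside the six-year window; after the simulated edit of entry 1, verify() points at that entry, and deleting an entry shifts the chain so the break is reported at the deletion point.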

  24. The Security Regulation At a Glance: Administrative Safeguards, § 164.308. (R) = Required, (A) = Addressable
  Standard: Security Management Process, 164.308(a)(1). Implementation specifications: Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R)
  Standard: Assigned Security Responsibility, 164.308(a)(2). (R)
  Standard: Workforce Security, 164.308(a)(3). Authorization and/or Supervision (A); Workforce Clearance Procedure (A); Termination Procedures (A)
  Standard: Information Access Management, 164.308(a)(4). Isolating Health Care Clearinghouse Function (R); Access Authorization (A); Access Establishment and Modification (A)
  Standard: Security Awareness and Training, 164.308(a)(5). Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A)
  Standard: Security Incident Procedures, 164.308(a)(6). Response and Reporting (R)
  Standard: Contingency Plan, 164.308(a)(7). Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedure (A); Applications and Data Criticality Analysis (A)
  Standard: Evaluation, 164.308(a)(8). (R)
  Standard: Business Associate Contracts and Other Arrangements, 164.308(b)(1). Written Contract or Other Arrangement (R)

  25. HIPAA/Security – Strategies for Database Availability (chart: Severity of Database Downtime vs. Latency of Database Recovery)
  • Downtime categories: Catastrophic (Disaster Recovery); Unplanned (High Availability); Planned (Offline Maintenance, Online Maintenance); No Downtime (Continuous Availability)
  • Strategies, from longest recovery latency to none: Cold Standby; Switching and Warm Standby Replication; High Availability Clusters; Online Maintenance; Continuous Availability

  26. HIPAA/Security Warm Standby

  27. HIPAA/Security – A Heterogeneous Environment (diagram: Replication Server between primary and replicate sites)
  • Primary sites: Adaptive Server Enterprise / IQ / Anywhere via Replication Agents; DB2, AS/400, Oracle, ODBC, Informix, MS SQL and UDB via DirectCONNECT / OmniCONNECT
  • Replicate sites: OS/390 DB2, Adaptive Server Enterprise, Adaptive Server Anywhere, Replication Toolkit for MVS, Oracle, Informix, Microsoft SQL Server, IBM DB2 Universal Database
  • Mobile users: Adaptive Server Anywhere with SQL Remote

  28. HIPAA/Security - Failover Replication Server and OpenSwitch

  29. Standards-Based Integration • HIPAA Standards for Transaction Compliance • HIPAA Standards for Privacy • HIPAA Standards for Security • Standards-Based Integration
