HIPAA RULES Workshop Compaq
What is HIPAA • Health Insurance Portability and Accountability Act, enacted by Congress in 1996 • HIPAA contains an administrative simplification section, in which Congress mandated the Secretary of the DHHS to publish regulations to standardize health care EDI
Purpose of HIPAA • Improve efficiency and effectiveness of health care system by standardizing the electronic exchange of administrative and financial data • Protect security and privacy of transmitted information
HIPAA • Title I – Insurance portability • Title II - Fraud and Abuse/Medical Liability Reform • Administrative Simplification • Privacy • Security • EDI • Transactions • Code Sets • Identifiers • Title III – Tax Related Health Provision • Title IV – Group Health Plan Requirements • Title V – Revenue Off-sets
Federal Rule Making Process • Role of NUCC (National Uniform Claim Committee), NUBC (National Uniform Billing Committee), WEDI (Workgroup for Electronic Data Interchange), ADA (American Dental Association) • Role of NCVHS (National Council for Vital and Health Statistics) & HHS (Health and Human Services) Data Council • Draft NPRM (Notice of Proposed Rule Making) • HHS Internal Clearance process
Federal Rule Making Process • Publication in the Federal Register • Comment Period • Answering comments • Modifications to NPRM • Final Rule – Congressional review period
American National Standards Institute (ANSI) • X12 – Chosen transactions except pharmacy • NCPDP – Retail Pharmacy • HL7 – Used inside X12 transactions
X12 • X12N Subcommittee Develops Insurance Transactions • TG2 is Healthcare • Implementation Guides
Status of Final Rules & NPRMs • Transactions and code sets • October 16, 2002 Compliance • Identifiers • Provider & Employer pending final rule • National Health Plan Identifier pending NPRM • National Individual Identifier – On Hold • Security • Pending final rule • Privacy • April 26, 2003
Differences between NPRM & Final Rules • Exception for direct data entry • Eliminated exception for corporate boundaries • Definitions • Small Health Plan • Maintenance vs modifications • Business Associate
Data Standards Maintenance Organization (DSMO) • A Memorandum Of Understanding was presented to DHHS which addressed future maintenance of the data content within the HIPAA transactions. • The Final Rule then named the organizations listed below as the DATA STANDARDS MAINTENANCE ORGANIZATIONS • HHS - Health and Human Services • Accredited Standards Committee X12N • NUCC - National Uniform Claim Committee • NUBC - National Uniform Billing Committee • ADA - American Dental Association • HL7 - Health Level 7 • NCPDP
Modifications to Transactions “Once we publish the final rule in the Federal Register and it is effective, there will be no additional data element or record/segment content modifications in any of the transactions for at least one year.” * * Department of Health and Human Services - Most Frequently asked questions (http://aspe.hhs.gov/admnsimp/)
Data Content There are two aspects of data content standardization addressed in the HIPAA rules: • standardization of data elements, including their formats and definition, and • standardization of the code sets or values that can appear in selected data elements. • ICD Diagnosis Codes • CPT Procedure Codes • HCPCS Procedure Codes • CDT Procedure Codes • NDC Drug Codes • Others
COVERED ENTITIES - Health care providers who transmit health information electronically in connection with standard transactions - All Health Plans - All Health Care Clearinghouses
HIPAA Impact to Providers “All health care providers who elect to conduct these specific transactions electronically must conduct them according to the standards as well. Health care providers may also contract with a clearinghouse to conduct standard transactions for them.” * * Department of Health and Human Services - Most Frequently asked questions
HIPAA Impact to Health Plans “Health plans may not refuse to accept standard transactions submitted electronically (on their own or through clearinghouses). Further, health plans may not delay payment because the transactions are submitted electronically in compliance with the standards.” * * Department of Health and Human Services - Most Frequently asked questions (http://aspe.hhs.gov/admnsimp/)
Clearinghouse • May act on behalf of either the provider or the plan
Connectivity (diagram: Providers (P), Billing Service, Clearinghouse, VAN, Payer)
Vendors • Will need to develop standard transactions in order to stay competitive • Must use compliant standard code sets within the standard transactions • May need to ‘certify’ compliance and intent to stay current with regs
Who is not a covered entity • Employers • Vendors
Covered Transactions • Claims – Professional, Institutional and Dental • 837 4010x098 • 837 4010x096 • 837 4010x097 • Coordination of Benefits – in above • Remittance Advice – Including EFT • 835 4010x091 • Enrollment • 834 4010x095
Covered Transactions cont’d • Eligibility • 270/271 4010x092 • Claim Status • 276/277 4010x093 • Premium Payment • 820 4010x061 • Health Care Services Review • 278 4010x094
Transactions Covered Two transactions did not make it into law during the first round of HIPAA • Report of first injury • Claim attachment
Summary of HIPAA Transactions (ASC X12N TG3 GW2) (diagram: Sponsor, Payer, Provider) • Enrollment 834 • Premium Payment 820 • Eligibility Inquiry 270 • Eligibility Response 271 • Request for Review 278 • Review Response 278 • Claim/Encounter 837 • COB Claim • Remittance Advice 835 • Need more data • Attachments 275 • Status Inquiry 276 • Status Response 277
Provider-to-Payer-to-Provider COB Model (diagram: Provider, Payer A Primary, Payer B Secondary) • First 837 Claim • 835 RA from Payer A • Second 837 Claim • 835 RA from Payer B
Provider-to-Payer-to-Payer COB Model (diagram: Provider, Payer A Primary, Payer B Secondary) • First 837 Claim • 835 RA from Payer A • Second 837 Claim • 835 RA from Payer B • Includes all information on other insurers involved in this claim. • Claim has been reformatted to place Payer B information in “Destination Payer” position and Payer A information in COB loops.
Identifiers • Employers • Providers • Plans • Individuals – On Hold
Standardized Code Sets • 5 Major Code Sets • Code Sets Specific to X12 • Internal • External • Impact of Standardized Code Sets
Effect of HIPAA Standards • Lower cost of software development and maintenance • Assure purchasers that software will work with all payers and plans • Lower cost of administrative transactions by eliminating time and expense of handling paper • Pave way for cost-effective, uniform, fair and confidential health information practices • Pave the way for standards which can do the same for electronic medical records systems • Pave the way for high quality health care
Internet Transactions • Internet transactions will be treated the same as other electronic transactions • Format exception for “Direct Data Entry” into a payer’s system • Standard transactions must be used inside a Corporate Entity
Final Rules Published • Compliance Dates Established • Compliance date for signed rules is 10/16/2002 • Small Payers 10/16/2003
Sequence and Schedule Proposal Pharmacy still under discussion
Penalties • Penalties are $100 per violation • Penalties may not exceed $25,000 for violations of one requirement per calendar year
Relationship between Privacy & Security • Security is defined as the ability to control access and protect information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction or loss • Privacy is defined as controlling who is authorized to access information (the right of individuals to keep information about themselves from being disclosed) • Some redundancy – Privacy reiterates the requirement for security safeguards
Status of Privacy Rule • Final Rule Published 12/28/01 • Original Effective Date 2/26/01 • Effective Date 4/14/01
Purpose of HIPAA Privacy Regulations • To protect and enhance the rights of consumers by providing them/us access to their/our health information and controlling the inappropriate use of that information. • To improve the quality of healthcare in the US by restoring trust in the healthcare system among consumers, healthcare professionals and the multitude of organizations and individuals committed to the delivery of care. • To improve the efficiency and effectiveness of healthcare delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems and individual organizations and individuals.
Who Does it Apply To? The Privacy Regulation applies to Health Plans, Health Care Providers, and Health Care Clearinghouses that electronically transmit health information in connection with a standard transaction named in HIPAA.
What Health Information is Covered? The regulation protects individually identifiable health information transmitted or maintained in any form or medium (electronic or non-electronic) that is held or transmitted by a covered entity.
Overview of Privacy Rule • Uses & Disclosures • Patient Rights • Administrative Requirements
Permitted Uses and Disclosures of Protected Health Information • To an Individual • With Proper Consent • Without Consent If: • Indirect Relationship • Inmate • Valid Authorization • With Oral Consent for: • Facility Directories • To Next of Kin
Permitted Uses and Disclosures of Protected Health Information Cont’d • Consent or Authorization is NOT required when: • Required by Law • Public Health Activities • Victims of Abuse • Health Oversight Activities • Judicial and Administrative Proceedings • Law Enforcement Purposes • About Decedents • Organ Donation Purposes • Research (with a list of provisions) • To Avert Serious Threat to Health or Safety • Specialized Government Functions • Worker’s Compensation
Required Disclosures of Protected Health Information • When an individual requests access to their records (with exceptions) • When an individual requests an accounting of disclosures (with exceptions) • When requested by the Secretary to investigate compliance.
Disclosing the Minimum Necessary to Accomplish a Specific Purpose When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.
Disclosure of De-identified Health Information • Names • Geographic Subdivisions • All Elements of Date, Except Year • Telephone • Fax • Email • Social Security Number • Medical Record Number • Health Plan Beneficiary Number • Account Numbers • Certificate/License Number • Vehicle Identifiers • Device Identifiers • URLs • IP Addresses • Biometric Identifiers • Full Face Photograph Images • Any other identifying number, characteristic or code
Disclosure to Business Associates A business associate is someone who performs or assists the covered entity to perform a function of the covered entity. A covered entity may disclose protected health information to its business associates without further authorization if it obtains satisfactory assurances, through a written contract, that the business associate will appropriately safeguard the information.
Disclosures Consistent with Notice of Privacy Practices The purpose of the notice is to inform the recipients about their rights and how protected health information collected about them may be used or disclosed.
Consent for Uses & Disclosure A covered health care provider must obtain the individual’s consent prior to using or disclosing protected health information for the purpose of carrying out treatment, payment or healthcare operations.
Authorization for Uses & Disclosure An authorization is required for use or disclosure of PHI other than for treatment, payment or healthcare operations. The authorization must contain a description specifically identifying the use and/or disclosure of the information.
Patient’s Rights • Right to Adequate Notice • Right to Request Restrictions • Right to Access Health Information • Right to Amend Protected Health Information • Right to Receive An Accounting of Disclosures
Notice of Privacy Practices Must Include: • Description of Uses & Disclosure Expected to be made without Individual Authorization • Statements that other disclosures would only be made with the patient’s authorization • Description of Patient Rights • Statement about the entity’s legal requirement to protect privacy