HIPAA Overview February 2001


Presentation Transcript

  1. HIPAA Overview, February 2001

  2. What is HIPAA? • HIPAA is the Health Insurance Portability and Accountability Act of 1996 (PL 104-191) • Also referred to as the Kennedy-Kassebaum Act • HIPAA was enacted by the federal government on August 21, 1996 with the intent to assure health insurance portability, reduce healthcare fraud and abuse, guarantee the security and privacy of health information, and enforce standards for health information. (Callout: the security, privacy and standards provisions are the focus of this discussion.)

  3. When people talk about HIPAA, what they are referring to is… • Title II, Subtitle F • Administrative Simplification: • Data Standardization • Code Sets • Transactions • Identifiers • Security • Privacy

  4. Why Federal Regulations? [Diagram: electronic connectivity among healthcare players - Insurance Carrier, Provider Office, Employer, Lab, Member, Hospital, Pharmacy, Specialist, Third Party Administrator, Government - and new players - Bank, Credit Card Company, Consultant, Medical Library, Pharmaceutical Company] • Healthcare is 1/7 of the GNP • 1. Effective healthcare delivery requires enormous administrative effort • 2. The healthcare industry has the most to gain from recent technological advances • 3. However, the healthcare industry lags other industries in taking advantage of these technological advances • 4. Some believe streamlining requires a mandate for massive and coordinated change

  5. Why Federal Regulations? Public Opinion - Privacy • 88% of consumers are concerned about their privacy* • 20% of consumers believe that their health information has been used or disclosed inappropriately** • 54% of consumers feel that electronic medical records are the greatest privacy threat** Sources: *Louis Harris & Assoc., 1998 **California Healthcare Foundation, 1999

  6. Who must comply with HIPAA? • Healthcare organizations • Providers • Health plans • Clearinghouses that handle covered patient information - all confidential patient or member information in any form: electronic, written or verbal • Other healthcare entities may be required to meet HIPAA standards based on the chain of trust agreement requirement • Clinics • eHealth.coms • Employers (self-insured) • Home Health • Hospice • Pharmacies • Physician Groups • Other Providers • Higher Education – Unique Considerations • Student Health Center and Counseling Center = Exempt Provider • Regulations define student health records as FERPA-protected education records when the health record is used for a purpose other than medical treatment, including release to the individual student who is the subject of the information • Employee Health Services = Provider • Research Hospitals = Provider • Research Involving Human Subjects

  7. Penalties for non-compliance • Data standardization penalties • $100 per person per violation • No more than $25,000 per person per year for violations of a single standard • Misuse of member health information • Not more than $50,000 and/or 1 year in prison • Under false pretenses, not more than $100,000 and/or 5 years in prison • With intent to sell, harm, etc., not more than $250,000 and/or 10 years in prison • OCR charged with enforcement. OIG authorized to conduct criminal investigations • Industry concern: HIPAA compliance may become an accreditation criterion • Joint Commission on Accreditation of Healthcare Organizations • National Committee for Quality Assurance • Industry concern: HIPAA compliance may become a requirement for participation in federally funded programs

  8. HIPAA Administrative Simplification impact [Diagram: technology issues and business issues across four areas - Electronic Transaction Standards & Unique Identifiers, Code Sets & Claims Attachments, Privacy Standards, and Security]

  9. HIPAA timeline • August 1996 - HIPAA enacted • January 1997 - Effective date of Title II, all subtitles except Subtitle F • Data Standards Final Rule - August 15, 2000; 26 months to comply; mandatory compliance October 15, 2002 • Privacy Final Rule - December 28, 2000; 26 months to comply; mandatory compliance February 26, 2003 • Security Final Rule (estimate) - March 2001; 26 months to comply

  10. Final Data Standardization requirements • Electronic transaction standard • X12N standards facilitate transactions by establishing a common, uniform business language for computers to communicate across town or around the world. • Electronic transactions to be standardized • Health care claims or equivalent encounter information. • Enrollment and de-enrollment in a health plan. • Eligibility for a health plan. • Health care payment and remittance advice. • Health plan premium payments. • Health care claim status. • Referral certification and authorizations. • Coordination of benefits. • Standard Claims Attachments

  11. Final Data Standardization requirements • Standard code sets • ICD-9-CM, International Classification of Diseases, 9th Rev., Clinical Modification • CPT-4, Physicians' Current Procedural Terminology • Alphanumeric HCPCS, HCFA Common Procedure Coding System • CDT-2, Current Dental Terminology • NDC, National Drug Codes • Unique identifiers - Proposed • Providers • Employers • Unique identifiers - Delayed • Plans • Patients

  12. Proposed Security requirements • Technical Security • Access control • Audit controls • Authorization control • Entity authentication • Electronic Transmission • Communication/network controls • Electronic Signatures • Digital signatures • Administrative Security • Certification • Contingency plan • Information access control • Security configuration management • Security incident management • Security management process • Requires a Security Officer • Physical Data Security • End user security awareness • Physical access control • Media controls • Secure workstation use and availability

  13. Highlights of the Final Privacy Regs • Published December 28, 2000 • Compliance required by February 26, 2003 • Preamble addresses 53,000 comments • The document uses the term “reasonable” 265 times

  14. Highlights • Regulations apply to covered entities (providers, clearinghouses and health plans) • Applies to all member health information: electronic, paper and oral communications • Requires providers to obtain consent prior to treatment, payment and operations; treatment or enrollment may be conditioned on consent • Allows full disclosures to providers for purposes of treatment. Retains the minimum necessary requirement for routine, recurring and other non-routine disclosures • Distinguishes between consent for treatment and authorization for other disclosures. Protects against unauthorized use of information for employment purposes • Allows legally separate but affiliated covered entities to designate themselves as a single covered entity • Replaces ‘business partner’ with ‘business associate’ and reduces the liability standard from ‘should have known’ to taking action once aware of a violation • Requires a Privacy Officer and a Security Officer

  15. Highlights • Permits certain marketing and fundraising activities • Requires a Notice of Information Practices • Requires training • Defines the right to request restrictions on uses and disclosures • Defines the right to receive an accounting of disclosures • Defines the right to access, inspect, copy and request amendments to records • HIPAA is intended as a floor, not a ceiling: whichever rule is more stringent, state or federal, applies • Establishes a whistleblower procedure; covered entities are precluded from retaliating • Gives the HHS Office for Civil Rights (OCR) enforcement responsibility

  16. AA HIPAA Assessment • Conduct a high-level HIPAA gap analysis of business units and core business information systems • Identify gaps between current technology/practices and HIPAA’s • final data standardization and privacy requirements and • proposed security requirements • Develop remediation recommendations and a high-level workplan • Develop high-level cost estimates for remediation

  17. Assessment Alternatives – Office of Information and Educational Technology • University Hospital Consortium Contract (UCDMC) • SAIC • Cap Gemini/Ernst & Young • External HIPAA Specialists • Arthur Andersen • Computer Associates • KPMG • PricewaterhouseCoopers • Projected Initiation Date – Spring 2001
