Health Insurance Portability and Accountability Act of 1996 (PL 104-191) (HIPAA) Southern Regional Conference On Mental Health Statistics November 8, 2000
Do I have to learn something from this?
• Well, not if you don’t want to.
• But if you DO pay attention, you COULD leave with an understanding of:
    • What HIPAA is
    • Its purpose and areas of coverage
    • Status of implementation
    • Some of the problems involved
    • How it might affect you and your agency
• Plus you’ll get a bunch of acronyms to toss around in meetings when you get back home.
So what is HIPAA? • Health Insurance Portability and Accountability Act of 1996 (PL 104-191) • FEDERAL legislation • It’s actually an amendment to the Internal Revenue Code of 1986 which should tell you all you want to know
What’s its purpose? • Assure portability and continuity of health care • Combat fraud and abuse • Promote medical savings accounts • Improve Long Term Care access & coverage • Simplify the administration of health insurance
Administrative Simplification Promote the electronic exchange of healthcare information by establishing standards for its: • transmission • storage and • handling
“We’re the Private Sector and we’re here to help you.” Unknown
HIPAA standards will regulate: • Format • Content • Privacy • Security ALL health plans, including Medicare and Medicaid, must comply within 2 years of standards adoption (there are exceptions for certain plans based on size).
A Few Acronyms The WEDI (Workgroup for Electronic Data Interchange) has created a SNIP (Strategic National Implementation Process) to address HIPAA issues on an industry-wide basis. The ANSI (American National Standards Institute) has chartered the ASC X12 (Accredited Standards Committee X12) and given it responsibility for cross-industry standards for electronic documents.
Where are we headed? • Electronic Data Interchange (EDI) • 1-1.5 million providers • 7,000+ hospitals • Thousands of health plans • Hundreds of other entities involved (third party vendors, clearinghouses, etc.) • With EVERYONE doing basic things the same way
Will it cost money? • Need to convert and upgrade systems • Need to train staff • Start up costs in manuals, materials, etc. • Testing • Troubleshooting
So, the answer is: “Yes Virginia, It WILL Cost Money.” But HHS, playing the role of Santa Claus, estimates about $30 billion in net savings over a 10 year period, not taking into account ancillary benefits such as new industry springing up to deal with HIPAA problems.
Administrative Simplification Standards address basic areas of: • Transactions • Code Sets • Identifiers • Security • Privacy
Proposed Transaction Standards • Claims & Encounters • Enrollment • Coordination of Benefits • Claim Status • Premium Payment • Eligibility • Referral certification and authorization • Payment Remittance Advice • Claim Attachment • First report of Injury
Proposed Transaction Formats I
• ASC X12N 837 X096: Institutional Claims (replaces UB 92, NF forms)
• ASC X12N 837 X097: Dental
• ASC X12N 837 X098: Professional Services (replaces HCFA 1500)
• ASC X12N 835 X091: Health Care Claim Payment Advice (no suspended claims)
Proposed Transaction Formats II
• ASC X12N 276/277: Claims status request and response
• ASC X12N 270/271 X092: Eligibility Inquiry and Response
• NCPDP v5.1 or batch v1.0: Retail pharmacy eligibility, PA, claims, etc.
• ASC X12N 278 X094: Used to request PA and to respond to request.
Proposed Transaction Formats III
• ASC X12N 820 X061: Premium payments to health plans for insurance
• ASC X12N 834 X095: Electronic benefit enrollment primarily for managed care
Code Sets • ICD-9-CM: Diseases, injuries, impairments, other health problems, causes of above. • ICD-9-CM, Vol. 3: Procedures for prevention, diagnosis, treatment, and management. • National Drug Codes (NDC): Drugs and biologics. • Code on Dental Procedures and Nomenclature: Dental. • HCPCS and CPT4: Physician and other health care services • HCPCS: Substances, equipment, and supplies used.
Proposed Identifiers • Provider • Employer • Health Plan • Individual
Provider ID • Physicians currently have a “UPIN” (Unique Physician Identifier Number). • Under HIPAA EVERY individual provider will need to have one. • Original proposal 8-position alpha numeric • Final expected to be 10 digit numeric • NO embedded intelligence • Due out January, 2001 (pending $ for national registry)
Employer ID
• Who gets one?
    • Person or organization for whom an individual performs or performed any service as the employee of that person or organization.
• What will it look like?
    • Still pending, but due out January 2001. Latest proposal is 9 digit IRS-issued EIN.
Health Plan ID
• All health plans will get one, but there is still discussion of “what is a health plan?”.
• What will it look like?
    • Unknown, but a 9 digit numeric identifier has been proposed. Due out February, 2001.
Security and Privacy • NOT the same thing under HIPAA. • PRIVACY refers to policy to determine what is disclosable, to whom, and under what circumstances. • SECURITY deals with tools and processes to be put in place to ensure privacy in the electronic world.
Security
• Applies only to information stored or transmitted electronically.
• Divided into 4 main areas:
    • Administrative Procedures
    • Physical safeguards
    • Technical security services
    • Technical security mechanisms
• Standards due out January, 2001
Administrative Procedures • Chain of trust partner agreement • Contingency plan • Information access controls • Training • Termination procedures
Physical Safeguards • Must have an assigned security officer • Media controls • Physical access controls • Security awareness training
Technical Security SERVICES • Access control • Audit Controls • Authorization controls • Entity authentication
Technical Security MECHANISMS
• Does not require a SPECIFIC technology.
• Communications/network controls
    • Message authentication, alarms, audit trails, entity authentication, event reporting.
• Electronic Signature
    • Not currently required
    • Any one used must comply with HIPAA standard
    • Cryptographically-based digital standard.
Privacy Protect the privacy of individually identifiable health information maintained or transmitted in connection with certain administrative and financial transactions
HIPAA says that Congress will enact privacy legislation for healthcare by 8/99... but if they fail, it becomes HCFA’s job. • Congress failed and HCFA issued proposed regulatory text November 3, 1999
If you’re interested in privacy, you can go to this website: http://erm.aspe.hhs.gov/ora_web/plsql/erm_rule.rule?user_id=&rule_id=228
What’s covered under privacy? • Electronically transmitted or maintained information only at the current time • Includes when electronic information is printed or discussed orally • Covers the information ITSELF and is not restricted by the media on which it is kept so privacy applies to the original paper version also
Who is subject to rules? • Health plans, including Medicare and Medicaid • Health care providers • Clearinghouses
Basic Requirements • Designate a privacy official • Document policies and procedures • Train employees at least every 3 years • Develop and enforce sanctions for non-compliance • Establish a grievance process
Other Privacy Notes • Disclosure applies to individually identifiable health info. that SOMETIME DURING ITS LIFE has been electronic • Agencies must have policies to disclose a minimum amount necessary for whatever the task at hand is • Business partners must also comply. YOU are responsible for THEIR mistakes.
That’s HIPAA in a big nutshell. Now, how does it affect you?
No local codes for Medicaid • Currently one of the biggest concerns of Medicaid and SHOULD be big concern of MH Authorities • What are “local codes”? Codes that allow providers to bill and be paid for non-traditional services, many unique to a single state.
Why do we need them? • As an example, in RI we generate about $12 million for local code X0342 which is our PACT model program. If there is no Medicaid CODE for this program: • We can’t BILL or PAY for it. • Our XIX agency doesn’t know which state account to tap for the state share. • The MH agency can’t track spending, determine which client received which specific service, etc.
What’s happening in this area? • NASMD formed NMEH (National Medicaid EDI HIPAA Workgroup) • The group solicited local codes from all states. As of a month or so ago, they had gotten in a mere 27,000 • NY and CA are now working to crosswalk these and come up with maybe 1,000 common ones which HHS will be asked to add • Trust me when I tell you that MH specific ones are not likely way up on the list
State MH Program Directors, State DD Directors, and State Medicaid Directors met within the last week or so and have an agreement that Medicaid Directors will share MH and DD specific codes collected with the other groups. • This will allow more specific work in the field, but will NOT garner the thousands of OTHER codes in place for non-Medicaid services.
Anything else? • NASMHPD is actively trying to educate Commissioners on the subject. • NASMHPD is joining with other national groups to proactively work on the hill. • NGA wrote to Donna Shalala asking her to define the implementation period as beginning only after all relevant regulations have been finalized. Given the furor over client UID, this could take a while. • Individual states are all working on schemes to mitigate the effects.
Privacy and Security • Been to privacy/security training lately? • Leave any files with client/patient names on them on your desk or unlocked somewhere in your office overnight and have they EVER touched the electronic system? • Send patient names, SSN, etc. in email? As a file attachment? By fax? Meet security/privacy standards? • Scrutinize data that you DO send out to ensure that you give absolute MINIMUM necessary to accomplish the task? • Wanna talk to the HIPAA police?
In the words of an old philosopher: It ain’t over till it’s over.
If you’re a SMHA that relies on any Medicaid billing, your state Medicaid agency has been working on this “stuff” for a while. Get back and get in your two-cents or you WILL suffer the consequences. • If you’re a state paying FFS, the burden falls on you and it will fall quickly so get back and get working. • And even if you don’t PAY FFS, the privacy and security requirements will apply to you just the same if you use a computer. • If you’re in private practice, or work for a community agency, you need to at least stay up to date on what you’re going to be required to do.
Or you could be getting a visit from this guy
Questions? Ron Tremper RI Dept MHRH firstname.lastname@example.org