Title: VIRGINIA DEPARTMENT OF MENTAL HEALTH, MENTAL RETARDATION AND SUBSTANCE ABUSE SERVICES
1VIRGINIA DEPARTMENT OF MENTAL HEALTH, MENTAL
RETARDATION AND SUBSTANCE ABUSE SERVICES
- Miranda Turner, Director of Risk and Liability
Affairs Dave Burhop, Agency CIO - September, 10, 2001
2What is HIPAA?
- Regulations
- Standards
- Administrative Simplification
- Increased Industry Focus On Privacy And Security
- Federal Mandate
3Why do we have HIPAA?
- Reduce Healthcare Costs
- Reduce Healthcare Fraud
- Technology
4Who Must Comply?
- Covered Entities
- Organizations That Capture Patient Identifiable
Electronic Data - Providers
- Healthcare Plans
- Clearing Houses
5HIPAA Regulations
- Transactions/Code Sets
- Privacy
- Security
- Identifiers
6Transaction/Code Set Standards
- Transactions
- Healthcare Claim Or Encounter (837)
- Healthcare Claim Status (276)
- Claim Payment And Remittance Advice (835)
- Eligibility For A Health Plan (270-271)
- Referral Certification And Authorization (277)
- Enrollment/Disenrollment In Health Plan (834)
- Premium Payments (820)
- First Report Of Injury (148)
7Transaction/Code Sets Standards
- Code Sets
- ICD 9
- CPT 4
- HCPCS
- Final Ruling On Transaction/Code Sets 8/15/2000
- Compliance Deadline 10/15/2002
8HIPAA Privacy Rule
- Applies To Protected Healthcare Information (PHI)
- Does Not Prohibit The Exchange Of PHI For
Treatment, Payment or Healthcare Operations (TPO) - Deals With What Needs To Be Protected
9HIPAA Privacy Rule (continued)
- Privacy Rule Impacts
- Business Associate Contracts
- Trading Partner Agreements
- Human Resources
- Consents/Notifications/Authorizations
- Uses And Disclosures
- Healthcare Operations
10HIPAA Privacy Rule (continued)
- Individual Access And Complaint Process
- Statutory/Regulatory Comparison And Analysis
- Final Ruling on 4/14/01
- Compliance Deadline 4/14/03
11HIPAA Security Rule
- Final Rule Pending HHS Approval
- Deals With How Privacy Can Be Ensured
- Draft Rule Impacts
- Access Controls
- Audit Trails
- Minimum Disclosure
- Encryption/Digital Signatures/PKI
12HIPAA Security Rule (continued)
- Background Checks
- Physical Security
- Security Incident Procedures
- START NOW!
13HIPAA Identifier Standards
- Final Rule Pending HHS Approval
- Draft Rule Impacts
- Employer ID
- Patient ID
- Provider ID
- Payor ID
- Final Rule Is Months, Perhaps Years, Away
14Who Created The Standards
- X12
- HHS
- WEDI
- SAMHSA
- Office For Civil Rights
15HIPAA Privacy Rule Sanctions
- Civil Penalties - 25,000 Per Incident
- Criminal Penalties
- 1 To 10 Years Prison Time
- 50,000 - 250,000 In Fines
- Significant Penalties For Non-Compliance
- Enforcement By Office For Civil Rights
16Definition of Treatment
- The provision, coordination, or management of
health care and related services by one or more
health care providers including - the coordination or management of health care by
a health care provider with a third party - consultation between health care providers
relating to a patient - the referral of a patient for health care from
one health care provider to another
17Definition of Payment
- The activities undertaken by
- A health plan to obtain premiums or to determine
or fulfill its responsibility for coverage and
provision of benefits under the health plan - A covered health care provider or health plan to
obtain or provide reimbursement for the provision
of health care
18Definition of Healthcare Operations
- Carrying out the following activities of the
covered entity to the extent that the activities
are related to covered functions and activities
of an organized health care arrangement in which
the covered entity participates - QA Activities
- Qualifications of health care professionals
19Definition of Healthcare Operations(continued)
- Underwriting and premium rating
- Medical review, legal services and auditing
functions - Business planning and development
- Business management and general administrative
activities (i.e., customer service)
20Definition of Consent
- That which is given, via a signed form, by a
patient/client allowing identifiable data to be
used for treatment, payment, or healthcare
operations within the covered entity or the
covered entitys business associate(s).
21Definition of Authorization
- That which is given, via a signed form, by a
patient/client for purposes other than treatment,
payment, or healthcare operations within the
covered entity or the covered entitys business
associate(s) e.g., research, marketing, etc.
22Definition of Uses
- Patient/client identifiable information that is
used within the covered entity or the covered
entitys business associate(s).
23Definition of Disclosure
- As permitted by the signed consent or
authorization, patient/client identifiable
information that is willfully given by the
covered entity or the covered entitys business
associate(s).
24Issues
- What is the HIPAA defined relationship between
DMHMRSAS and the CSB? - What is the difference between consent and
authorization? - How much will all this cost?
- What methods will best achieve compliance?
- How do state laws impact the regulations?
25Consent Exceptions
- The following are situations in which consents
are not required - Indirect treatment relationship
- Inmates
- Required by law to treat
- Substantial barriers to communicate
- Emergency treatment (must obtain a consent as
soon as reasonably practicable after treatment)
26Privacy Preemption
- HIPAA will preempt state laws relating to the
privacy of individually identifiable information
except for those that are contrary to and more
stringent than the federal HIPAA requirements.
27More Stringent Than
- Disclosure more limited use or disclosure
(except if to HHS or to the individual) - Info to the patient re use, disclosure, etc.
greater amount of information - Any other matter GREATER PRIVACY FOR THE
INDIVIDUAL
28Resources
- HIPAA Comply web site
- www.HIPAAcomply.com
- WEDI web site
- www.wedi.org
- EFECT web site
- www.efect.org
- EHNAC web site
- www.ehnac.org
29Resources
- DHHS Administrative Simplification
- aspe.dhhs.gov/admnsimp/index.htm
- DHHS Data Council Web Site
- aspe.dhhs.gov/datacncl/
- NCVHS Web Site
- ncvhs.hhs.gov