HIPAA

1
HIPAA
2
Health Insurance Portability and Accountability
Act
HIPAA
Multnomah County Health Department Communication
Presentation August 2001 Tracy Gay and Joy
Allen
3
Health Departments HIPAA Commencement
1st Step Communication plan

• Establish HIPAA awareness

• Create a general understanding of HIPAA goals and
  policies.  

• Create an understanding of timelines

• Create high level understanding for what needs to
  be done to accomplish mandated compliance  

4
What is HIPAA?
HIPAA is the acronym for the Health Insurance
Portability and Accountability Act, passed by
Congress in 1996.

• Goals of the HIPAA Act

• Improve portability and continuity of health
  insurance coverage in the group and individual
  markets,

• Protect health insurance coverage for workers who
  change or lose their jobs.

• Improve the efficiency and effectiveness of the
  healthcare system by standardizing the electronic
  transmission of patient healthcare and billing
  data,

• Protect the security and privacy of electronic
  patient healthcare information.

5
Two Sections of the HIPAA Act

TITLE I

• HEALTH CARE ACCESS,
• PORTABILITY, AND
• RENEWABILITY

TITLE II

• PREVENTING HEALTH CARE FRAUD AND ABUSE
• ADMINISTRATIVE SIMPLIFICATION
• MEDICAL LIABILITY REFORM

6
HIPAA Timelines

• Attain HIPAA published rules compliance by
  establishing internal policy and procedures prior
  to required HIPAA compliance dates.
•  

• Maintain Business Partner relationships for
  billing, grant reporting, outcome tracking, etc.
  by responding to current and ongoing required
  HIPAA compliance regulations as they are
  implemented and mandated by our Business
  Partners.

7
Proposed Rules

• Transaction and Code Sets October 2002
• Privacy April 2003
• Security
• Provider Identifier
• Employer Identifier
• Health Plan Identifier
• Claim Attachments
• Individual Identifier
• Enforcement-Preventing Fraud Abuse
• First Report of Injury

8
Transactions and Code Sets Implementation to be
completed by October 2002
 

• Modify systems to communicate with payers and
  other business partners using HIPAA mandated
  transactions and code sets.

9
Transactions and Code Sets - continued

• Examples of specific tasks
• Coding
• Modify the way FQHC, Targeted Case Management,
  and FPEP are billed to comply with standardized
  billing procedures.
• Changes to encounter forms.
• Review of new HCPCS and CPT codes
• Claims Payments
• Coding Policies related to claims processing
• Requirements to electronically receive and pay
  claims
• Electronic Billing and Remittance Format
• Verify format requirements and timelines with
  payers.
• Modify systems to meet required formats.
• Electronic Data Exchange with External Partners
• Contract issues for confidentiality
• Modify systems to meet required formats.

10
Privacy  Implementation to be completed by April
2003  
Develop strategy and policies to ensure patient
confidentiality is maintained following mandated
HIPAA privacy rules.

• Examples of specific tasks
• Medical Records/Clinic Management
• Consent to use health information to treat.
• Access to Patient information policies.
• Faxing policies and procedures.
• Patient education and awareness.
• Authorization of release of information forms.
• Human Resources
• Tracking HIPAA training.
• Training
• HIPAA training plan.

11
Privacy - continued  Implementation to be
completed by April 2003  

• Examples of specific tasks
• JCAHO
• Review of JCAHO requirements and modifications as
  necessary.
• Network and PC
• Policies for user accounts.
• Disaster plan for e-mail virus.
• Written Policies and Procedures for Access to
  Server Rooms.
• Contracts
• Modification of boilerplates and existing
  contracts for confidentiality and chain of trust.
• Access Database and Software Applications
• Policies for user accounts.
• Tracking who view data.
• Client identifiable data must be stored on PC or
  server in Network server room.

12
Security Final rule has not been published.
This rule proposes standards for the security of
individual health information and electronic
signature use by health plans, health care
clearinghouses, and health care providers.

• The proposed security standard addresses the
  following policies, practices, and procedures
  that were listed under Recommendation 1 in the
  proposed security guidelines

• Technical Practices and Procedures
• Individual authentication of users
• Access controls
• Audit trails
• Physical security and disaster recovery
• Protection of remote access points
• Protection of external electronic communications
• System assessment.

• Organizational Practices
• Information Security Officer
• Policy and Procedures

13
Provider Identifier Final rule has not been
published.

• The proposed rule for a standard provider
  identifier called for a new way of standardizing
  provider identifiers.
• This identifier should replace the various Id
  numbers that we currently use for pharmacy
  prescriptions as well as Medicaid and Medicare
  billing.
• Once the final rule is published, we will know
  what the provider identifier will look like (how
  many digits, etc.) and the process for assignment
  to providers.
• When the final rule is published, we need to be
  prepared to understand our responsibilities to
  apply for, receive, and use these new
  identifiers.

14
Employer Identifier Number (EIN) Final rule has
not been published.

• Health care providers submitting health claims to
  health plans electronically might use the EIN to
  identify the employers of the participants in
  health plans.
• Employers might use their EINs to identify
  themselves in electronic transactions making
  health plan premium payments to health plans on
  behalf of their employees.
• Employers and health care providers might use the
  EIN to identify the employer as the source or
  receiver of information about eligibility.
• Employers would use their EINs to identify
  themselves in electronic transactions to enroll
  or disenroll their employees in a health plan.

15
Health Plan Identifier Final rule has not been
published.

• This rule proposes a standard for a national
  health plan identifier and requirements
  concerning its use by health plans,
  clearinghouses, and providers.

• Examples of specific tasks
• Determine need for Health Plan Identifier for
  Multicare Dental and or Healthsource programs.
• Determine process and implementation as necessary

16
Claim Attachments No date has been set for when
final rules will be published.
Standards have not yet been published
17
Individual Identifier This provision was
withdrawn as of April 2001
This HIPAA requirement was one that would have
created the greatest simplification, but was the
most controversial and had the greatest potential
for abuse. It would have improved the
collaboration of sharing patient information
between health care providers. It would have
benefited outcomes research and improved patient
care.
18
Enforcement-Preventing Fraud Abuse No date has
been set for when final rules will be published.
Standards for Enforcement have not yet been
published, but other published rules carry
criminal and financial penalties (up to 10 years
and 250,000) to employers and employees. The
office of Civil Rights within the Department of
Health and Human Services has been tasked with
establishing a Fraud and Abuse unit that will
monitor the enforcement of HIPAA regulations.
19
First Report of Injury No date has been set for
when final rules will be published.
Standards have not yet been published
20

• Next steps

• Designate HIPAA Coordinator/Privacy
  Officer/Security Officer

• Create HIPAA High Level Oversight Team

• Create Individual Work Teams to work on specific
  HIPAA related procedures and policies and
  practices.

21
HIPAA
HIPAA
HIPAA