HIPAA: The View from 30,000 Feet - PowerPoint PPT Presentation

Slides: 35
Provided by: SusanCol5
Transcript and Presenter's Notes

1
HIPAA The View from 30,000 Feet

2
HIPAA
  • Health Insurance Portability and Accountability
    Act
  • One small section of law required HHS to make
    RULES for administrative simplification and to
    protect patient privacy and security of
    electronic medical records
  • Applies to COVERED ENTITIES

3
HIPAA COVERED ENTITIES
  • A health care provider who transmits health
    information in electronic form in connection with
    certain financial and administrative
    transactions
  • A health plan and
  • A health care clearinghouse

4
On-Line Help to Determine Covered Entity Status
  • http://fortress.wa.gov/dshs/maa/dshshipaa/de_matrix.htm
    Decision Matrix to Determine HIPAA Applicability

5
Hybrid Entities
  • Entities whose primary function is not a covered
    function
  • Entity must designate portions which carry on
    covered functions
  • Be sure to designate all functions that support
    hybrid entity covered functions (legal, IT, etc.)
  • This and other structural options to limit
    liability and ease administrative burdens are
    available

6
Business Associates
  • BA = person or entity who performs a function
    involving the use or disclosure of Protected
    Health Information (PHI) on behalf of a covered
    entity
  • CE generally cannot disclose PHI to BA without
    satisfactory assurance that PHI will be
    safeguarded (written contract; take action for
    breach)
  • Contracts between CE and BA must require BA to:
      • Only use PHI as specifically permitted in
        contract or under rule
      • Use appropriate safeguards to ensure safety of
        PHI
      • Report misuse of PHI to CE
      • Make PHI and accounting of disclosures available
        to individuals
      • Make books and records available to DHHS on
        request

7
HIPAA RULES = 3 sets!
  • EDI (Electronic Data Interchange): requires
    standard electronic format for all submissions,
    effective October 2, 2002 (unless 1-year
    extension applied for)
  • Privacy: relates to how covered entities may use
    and must control patient PHI, effective April
    14, 2003
  • Security: relates to physical/electronic
    protection of PHI records (no final
    regs/effective date)

8
Common Administrative Requirements
  • Chief Privacy Officer/Chief Security Officer
  • Safeguards/firewalls
  • Policies and procedures
  • Training

9
EDI
  • 45 CFR 162
  • Free downloads of HIPAA implementation guides
    http://www.wpc-edi.com/hipaa/HIPAA_40.asp
  • Info Technology for IT Professionals
    http://www.ready4hipaa.com/index.cfm
    (proceed through tabs at top)
  • WEDI http://www.wedi.org/public/articles/index.cfm?Cat=232

10
EDI Requirements
  • Use HIPAA standards for designated transactions
    no later than appropriate compliance date
    through:
      • Internal system changes
      • Clearinghouse
      • Compliant business associate
  • Use appropriate code sets in transactions
  • Content-only exception for direct data entry

11
45 CFR Part 162
  • Sub-part A: General provisions
  • Sub-part I: General transaction provisions
  • Sub-part J: Code sets
  • Sub-parts K-R: Claims, eligibility, referral,
    claim status, enrollment/disenrollment, payment/
    remittance advice, premium payments and
    coordination of benefits

12
Sub-Part I General Requirements
  • Updates process
  • Requirements for covered entities and their
    business associates
  • Trading partner agreements
  • Exceptions process for testing proposed
    modifications

13
Business Associates/Trading Partners
  • BAs required to comply with all applicable
    requirements of the rule
  • Trading Partners may NOT:
      • Change a standard definition, data condition, or
        use of data element or segment
      • Add data elements or segments to a maximum
        defined data set
      • Use non-standard code or data elements
      • Change the meaning or intent of the
        implementation specification

14
Sub-Part J Code Sets
  • Medical Data Code Sets (by Sec'y HHS):
      • ICD-9-CM for diagnosis
      • ICD-9-CM for inpatient procedures
      • NDC for drugs and biologics
      • CDT for dental svcs
      • HCPCS/CPT-4 for physician and similar svcs
      • HCPCS for non-physician outpatient items
  • Non-medical Code Sets (implementation standards):
      • State abbreviations and ZIP codes
      • Telephone area codes
      • Race and ethnicity codes
      • Measurement systems
      • And many, many more

15
Sub-Parts K-R Two Part Transaction Standards
  • Defines each transaction in terms of:
      • Action or purpose
      • Party or parties
  • Adopts a particular implementation guide:
      • Generally, or
      • For each of several specific sectors (e.g.,
        retail pharmacy, institutional)
      • Batch, real-time or interactive

16
PRIVACY
  • 45 CFR 164.104: Comply no later than April 14,
    2003
  • COMPREHENSIVE regulation on how Protected Health
    Information must be treated within
    institution/may be released
  • Affects covered entity component
  • But, does NOT preempt more strict state law

17
PRIVACY Consents, Notices and Authorizations
  • Signed consent is optional
  • (Providers) Required written acknowledgement of
    receipt of Notice of Privacy Practices
  • Relates solely to Treatment, Payment and Health
    Operations (TPO) uses of PHI
  • Cannot be combined with an authorization
  • Must be obtained no later than first service
  • Must be retained for 6 years
  • Almost all non-TPO uses require authorizations
  • Standardized authorization must contain certain
    core elements and notification statements
  • Special requirements for psychotherapy notes,
    marketing and research authorizations
  • Disclosures OTHER THAN TPO or by authorization
    must be tracked, and accounted for to patient at
    patient's request

18
Authorizations
  • Core elements include:
      • Description of information to be used
      • Identification of person(s) authorized to make
        the use or disclosure
      • Identification of authorized recipient(s)
      • Description of purpose of use or disclosure
      • Expiration date or event
      • Signature and date
      • Personal representative's authority (if
        applicable)

19
Authorizations (contd)
  • Three Required Notification Statements (in
    addition to core elements):
      • 1) Individual has right to revoke authorization
        and either:
          • Exceptions to right and a description of how
            to revoke, or
          • Reference to the Notice of Privacy Practices
      • 2) Treatment, payment, enrollment, or eligibility
        for benefits may not be conditioned on obtaining
        the authorization if prohibited by the Privacy
        Rule. If conditioning is permitted, the
        consequences to the individual for refusing to
        sign the authorization.
      • 3) The potential for the information to be
        subject to redisclosure by the recipient and no
        longer be protected by the Privacy Rule.

20
Minimum Necessary Requirement
  • Privacy Rule requires Covered Entity to make
    reasonable efforts to limit the use or disclosure
    of, and requests for, PHI to the minimum
    necessary to accomplish the intended purpose.
  • Privacy Rule requires Covered Entity to develop
    and implement policies and procedures appropriate
    to the Covered Entity's business practice and
    workforce to reasonably minimize the amount of
    PHI used, disclosed and requested.
  • Exception for disclosures to or requests by a
    health care provider for treatment but NOT for
    uses or disclosures for payment or health care
    operations.

21
Minimum Necessary (contd)
  • Minimum necessary requirements do not apply,
    among other things, to disclosures made to the
    individual or pursuant to any authorizations,
    including:
      • Authorizations requested by a Covered Entity for
        its own use and disclosure
      • Authorizations requested by a Covered Entity for
        disclosure to others
      • Authorizations involving PHI created for research
        that includes treatment of an individual
  • For requests not made on a routine and recurring
    basis, rule requires CE to develop criteria
    designed to limit PHI to minimum necessary to
    accomplish the intended purpose; this creates
    consistency with routine and recurring requests
    and disclosures.
  • DHHS commits to issue further guidance to clarify
    issues, as well as additional technical
    assistance material to help CEs implement the
    provisions.

22
Unintended/Incidental Uses and Disclosures
  • CE must take reasonable steps to limit incidental
    use/disclosure
  • Incidental use or disclosure is:
      • A secondary use or disclosure that cannot be
        reasonably prevented
      • Limited in nature
      • Occurs as a by-product of an otherwise permitted
        use or disclosure
  • NOT permissible disclosure as incidental:
      • Use or disclosure that occurs as a result of
        failure to implement the minimum necessary
        standard
      • Permitting employee unlimited access to records
        when not necessary to do their job
      • Erroneous uses or disclosures from mistake or
        neglect
      • Posting patient PHI on website
      • Sending PHI to the wrong person by email

23
SECURITY
  • 63 FR 43245
  • Final regulations expected by year's end
  • Most IT-driven regulation
  • Final regs may include hybrid entity concept (not
    currently included)
  • IT professional doubts as to whether non-unified
    standard is technically feasible

24
SECURITY GOALS
  • Confidentiality
  • Integrity
  • Availability
  • Goals are flexible, scalable, technology neutral
  • Devise, implement and maintain appropriate
    security for business requirements
  • Based on good business practice

25
Security Standards Big Picture
  • Procedures and systems must be updated to ensure
    that health care data are protected
  • Written security policies and procedures must be
    created or reviewed to ensure compliance
  • Employees must be trained on P&Ps
  • Access to data must be controlled through
    appropriate mechanisms (e.g., passwords,
    automatic tracking when patient data has been
    created, modified or deleted)
  • Security procedures must be certified
    (self-certification is OK) to meet the minimum
    standards

26
Security Compliance Areas
  • Training and awareness
  • Policy and Procedure review/creation
  • System review
  • Documentation review
  • Contract review
  • Infrastructure and Connectivity review
  • Access controls
  • Authentication
  • Media controls

27
Security Compliance Areas (contd)
  • Workstation
  • Emergency mode access
  • Audit trails
  • Automatic removal of accounts
  • Event reporting
  • Incident reporting
  • Sanctions

28
Security Measures
  • In general, can be grouped as:
      • Administrative
      • Physical
      • Technical (data in transit and data at rest)

29
Security Standards (proposed rule)
  • Administrative Requirements (12)
  • Physical Requirements (6)
  • Technical Requirements data at rest (5)
  • Technical Requirements data in transit (1)
  • Electronic signature
  • Implementation Features (70)

30
Standard Areas of Business Security: BS 7799/ISO 17799
  • Security policy
  • Security organization
  • Asset classification and control
  • Personnel security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • Systems development and maintenance
  • Business continuity management
  • Compliance

31
HIPAA Security The Final Rule
  • What to expect:
  • Streamlining: same core values, more specificity
    as to mandatory (must do)/discretionary (should
    do)
  • Fewer standards
  • Paper (?) as well as electronic media
  • Business Associate contracts/Chain of Trust
  • Synchronize with Privacy rules

32
The Final Rule (contd)
  • Don't expect Electronic Signature
  • Comments to proposed rule indicated lack of
    consensus; industry continues to work on it;
    monitoring by NCVHS
  • NCVHS necessary before regulation developed
  • Proposed rule specified digital signature
    (authentication, message integrity,
    non-repudiation requirements)
  • Probably developed by NIST, not DHHS
  • PKI-HealthKey Bridge effort

33
DON'T PANIC (It's too late for that!)
  • Many on-line resources exist:
      • Workgroup for Electronic Data Interchange (WEDI)
        site http://www.wedi.org/
      • Link to all states' websites
        http://fortress.wa.gov/dshs/maa/dshshipaa/links.htm
      • AAMC http://www.aamc.org/members/gir/gasp/start.htm
      • North Carolina Healthcare Information and
        Communications Alliance, Inc. (NCHICA)
        http://www.nchica.org/HIPAAResources/Samples/Portal.asp
      • Loyola University HIPAA site
        http://www.luhs.org/feature/hipaa/index.htm
      • University of Alabama/Birmingham HIPAA site
        http://www.hrm.uab.edu/HIPAA/home.html
      • HIPAA information related to banks/banking (which
        may be business associates of covered entities)
        http://www.hipaabanking.org/
      • Compilation of HIPAA links
        http://pweb.netcom.com/ottx4/HIPAA.htm
      • Miscellaneous topics on HIPAA
        http://www.hipaadvisory.com/
      • HCFA 1998 Internet security policy
        http://world.std.com/goldberg/TLhcfainet.pdf

34
HIPAA The View from 30,000 Feet
  • QUESTIONS?