The Health Insurance Portability and Accountability Act of 1996 HIPAA PowerPoint PPT Presentation

1
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Public Law 104-191
2
The Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191)
HIPAA
Purpose: a Congressional attempt at incremental health care reform, covering portability and administrative simplification
  • The 1996 passage of HIPAA gave Congress 36 months to pass legislation, or
  • DHHS was to promulgate final regulations
  • Congress did not act by the deadlines, so

3
The Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191)
HIPAA
  • DHHS published proposed standards for individually identifiable health information on November 3, 1999 (Federal Register)
  • There was no common standard for the transfer of information between providers and payers (no electronic data interchange (EDI) standard)

4
Intent of HIPAA
  • Ensure confidentiality and integrity
  • Prevent unauthorized use or disclosure
  • Protect against threats or physical hazards
  • Save money through simplification

5
HIPAA Mandate
  • Adoption of new security standards to protect an individual's health information while permitting the appropriate access and use of the information by:
    • Providers
    • Clearinghouses
    • Health Plans

6
HIPAA Mandate (contd.)
  • Permit health information to be used and shared
  • Require written authorization for use and
    disclosure
  • Establish fair information practices
  • Ensure patient access

7
HIPAA Mandate (contd.)
  • Require Providers to establish administrative and
    physical safeguards
  • Allow de-identified information to be used in any way, as long as the identifiers are stripped
  • Require Payers to accept EDI standards
  • Mandate the use of unique identifiers

8
Impact
  • All health care organizations that maintain or
    transmit electronic health information
  • Time frame is short
  • Y2K has diverted attention
  • Significant criminal and civil penalties
  • No quick fix

9
What is Administrative Simplification?
  • The Administrative Simplification aspect of the law requires DHHS to develop standards and requirements for the maintenance and transmission of health information that identifies individual patients.

10
Why have standards?
  • Standards are designed to:
    • Improve efficiency and effectiveness by standardizing the interchange of electronic data for specific financial and administrative transactions
    • Protect the security and confidentiality of electronic health information

11
Standards
What is the main focus?
  • Standards for electronic data transmission
    • Transactions (EDI)
    • Code Sets
    • Unique National Identifiers
  • Standards for electronic data protection
    • Security
    • Privacy

12
Security Standards
  • Administrative
  • Physical
  • Technical
  • Network

13
Administrative
  • Policies and procedures
  • Certification
  • Chain of trust
  • Contingency plan (Emergency)
  • Formal records processing
  • Access policy
  • Internal auditing

14
Administrative (contd.)
  • Personnel security
  • Security configuration management
  • Incident reporting
  • Security management
  • Termination procedures
  • Training

15
Physical
  • Protection of computer systems and buildings
  • Assignment of security responsibilities
  • Media controls
  • Physical access
  • Workstation use
  • Secure workstation location
  • Security awareness training

16
Technical
  • Identification, authentication, and authorization
  • Automatic logoff
  • Data integrity
  • Protecting data in transit
  • Secure remote access

17
Technical (contd.)
  • System/network certification
  • Disaster recovery/business continuity
  • Virus protection
  • Minimum necessary access and de-identification of data

18
Network
  • Process to guard against unauthorized access to data in transit
  • Integrity controls
  • Message authentication
  • Access controls or encryption
  • Alarm system
  • Audit trail
  • Entity authentication
  • Event reporting

19
What is the time frame for implementation?
  • Small practice plans - 36 months
  • All others - 24 months

20
Covered Entities
  • Providers
  • Clearinghouses
  • Health Plans
  • Subsidiary Operations
  • Business Partners

21
What is our implementation strategy?
  • Executive commitment
  • Assign responsibility
  • Establish steering committee
  • Gap analysis and risk assessment
  • Develop a system-wide approach
  • Provide awareness and training

22
HIPAA Organization
23
What is our structure, who will be involved, and who will coordinate the Medical Center efforts?
Organizational Structure
  • Executive
  • Public Relations
  • Compliance
  • Medical Records
  • Risk Management
  • All Departments
  • Legal
  • Personnel
  • Purchasing
  • Information Systems

24
HIPAA Framework (diagram): Information Services, Audit, Policies, Training, Departments; Administrative Standards, Physical Standards, Technical Standards, Network Standards
25
Administrative Simplification - Benefits
  • Simplification
  • Reduction in time
  • Reduces administrative costs
  • Improved customer satisfaction
  • Investment in the future

26
HIPAA Compliance
Penalties
  • Monetary
    • Each violation: $100 - $25,000
  • Potential Waivers
    • Reasonable Cause - due diligence
    • Not Willful Neglect - corrected within 30 days
    • Excessive penalty relative to the failure

27
HIPAA Compliance
Penalties
  • Criminal Liability
    • Knowingly or willfully obtaining or disclosing individually identifiable health information
    • Fine not to exceed $50,000 and not more than one year imprisonment, or both
    • Under False Pretenses - fine not more than $100,000 and not more than five years imprisonment, or both

28
HIPAA Compliance
Penalties (contd.)
  • With intent to sell, transfer or use for commercial advantage, personal gain or malicious harm - fine not more than $250,000 and not more than ten years imprisonment, or both

29
Suggestions
  • Mike Walker, WFU Compliance Officer, 716-5252
  • John Hart, NCBH Internal Audit, 716-3002

30
Summary: Myths
  • Congress will repeal HIPAA
  • HIPAA is a Clinton Program
  • HIPAA will not be enforced for years
  • Vendors will take care of HIPAA
  • HIPAA is just an IT Project
  • Compliance is optional