IOWA STATE ASSOCIATION OF COUNTIES Health Insurance Portability and Accountability Act of 1996 (HIPAA) - PowerPoint PPT Presentation

Slides: 60
Provided by: hipaaGmds
Learn more at: http://hipaa.gmdsolutions.com
Transcript and Presenter's Notes



1
IOWA STATE ASSOCIATION OF COUNTIES
Health Insurance Portability and Accountability Act of
1996 (HIPAA)
  • Mary Knapp, September 17 and 18, 2002

2
Changes Are Coming
  • This presentation should not be construed as
    legal advice or as pertaining to specific factual
    situations. The information, while believed
    correct at the time it was compiled, is subject
    to change as not all HIPAA security regulations
    have been finalized and interpretations and
    guidances continue to modify our analysis.

3
WHY HIPAA?
  • Insurance Reform
  • Improve portability and continuity of health
    insurance for employees
  • Extend Fraud And Abuse Prevention Measures
  • Dedicate additional resources to fraud and abuse
    enforcement (not just Medicare and Medicaid)

4
WHY HIPAA? (continued)
  • Administrative Simplification
  • Standardize how information is exchanged
    (transaction) between providers, health plans and
    employers using one format and one set of
    diagnostic/billing codes
  • Go electronic
  • Keep it private and secure

5
Effective Compliance Dates to Remember
  • Privacy Standards - April 14, 2003.
  • EDI Standards - October 16, 2003 (with the
    submission of an extension request which must be
    filed with the Secretary of the DHHS before
    October 16, 2002).
  • Proposed Security Standards - two years after
    final regulations are published.

6
Introducing
  • HIPAA Standards for Privacy of Individually
    Identifiable Health Information

7
Privacy Regulations
  • December 28, 2000
  • Privacy of Individually Identifiable Health
    Information Final Rule
  • July 6, 2001
  • Office for Civil Rights Technical Assistance
  • March 27, 2002
  • Notice of Proposed Rulemaking (NPRM)
  • August 14, 2002
  • Final Changes to the Final Rule

8
Everyone is affected
9
Who's A Covered Entity Under HIPAA?
  • Health Plans
  • Health Care Clearinghouses
  • Health Care Providers
  • who transmit any health information in electronic
    form in connection with the following standard
    transactions . . .

10
Standard Transactions
  • Enrollment and Disenrollment in a Health Plan
    (834)
  • Health Care Premium Payments (820)
  • Health Care Eligibility Benefit Inquiry and
    Response (270/271)
  • Referral Certification and Authorization (278)
  • Health Care Claims or Equivalent Encounter
    Information (837)
  • Health Care Claim Status (276/277)
  • Health Care and Remittance Payment Advice (835)
  • Coordination of Benefits (837)
  • First Report of Injury (145) (Delayed)
  • Additional Claim Information (275) (Delayed)

11
  • And now, let's determine if we are a covered
    entity, affiliated single covered entity, hybrid
    covered entity or organized health care
    arrangement.

12
Privacy Rule Intent
  • Give clients more control over their health
    information.
  • Set boundaries on the use and release of health
    records.
  • Establish appropriate safeguards to protect
    privacy of health information.
  • Hold violators accountable - civil and criminal
    penalties.
  • Strike a balance between privacy and public good.

13
Privacy Rule Requirements
  • Provide information to clients about their
    privacy rights and how their information can be
    used through a Notice of Privacy Practices.
  • Adopt clear privacy policies and procedures.
  • Train employees.

14
Privacy Rule Requirements (continued)
  • Designate privacy official and security officer
    to ensure that privacy and security procedures
    are adopted and followed.
  • Client records containing individually
    identifiable health information are secure to
    prevent access by those who do not need them.

15
HIPAA Speak
  • New foreign language created by legislation for
    the express purpose of making the learner feel as
    though they have landed in a parallel universe
    where basic common sense and plain language are
    unheard of.

16
Individually Identifiable Health Care Information
(IIHI)
  • Demographic information that is created or
    received by a health care provider, a health
    plan, employer or health care clearinghouse
  • Relates to the past, present or future physical
    or mental health or conditions of an individual
    or
  • The provision of health care to an individual
    and
  • Identifies the individual or with respect to
    which there is a reasonable basis to believe that
    the information can be used to identify the
    individual.

17
Protected Health Information (PHI)
  • Individually Identifiable Health Information that
    is
  • Transmitted by electronic media
  • Maintained in electronic media
  • Transmitted or maintained in any other form
    (including oral or written PHI)

18
Record
  • Any item, collection, or grouping of information
    that includes PHI and is maintained, collected,
    used or disseminated by or for a covered entity.

19
Designated Records Set
  • Group of records maintained by or for a covered
    entity.
  • Medical records and billing records about
    individuals.
  • Used, in whole or in part, by or for the covered
    entity to make decisions about individuals.
  • Enrollment, payment, claims adjudication and case
    or medical management records maintained by or
    for a health plan.

20
Notice of Privacy Practices
  • Covered entities must . . .
  • Provide individuals with written notice of the
    uses and types of disclosures of PHI made by the
    covered entity
  • Also describe the individual's rights and the
    covered entity's obligations regarding PHI
  • Covered entities with direct treatment
    relationship must make a good faith effort to
    obtain an individual's written acknowledgment of
    receipt of the provider's notice of privacy
    practices.

21
Notice of Privacy Practices (continued)
  • Good faith effort - an individual's failure or
    refusal to sign or provide acknowledgment,
    despite the covered entity's good faith effort, would
    not preclude the provider's ability to use or
    disclose PHI for treatment, payment or health
    care operations.

22
Notice of Privacy Practices Individual Rights
23
Right to Access own Protected Health Information
(PHI)
  • Regardless of who created the information.
  • Form and format can be requested by the
    individual.
  • Fees must be agreed upon in advance.
  • Must be in a timely manner.
  • May require written request (included in Notice
    of Privacy Practices).

24
Right to Request Additional Protections
  • Right to request additional privacy protections
  • Covered entity may refuse
  • If covered entity agrees, they must always do it
  • Right to request to receive communications in
    alternate fashion
  • Accommodate reasonable request

25
Individual's Right to Request Amendment
  • The covered entity may require individuals to
    make requests for amendment in writing and to
    provide a reason to support the requested
    amendment.
  • Covered entity must inform the individual in
    advance of requirements.

26
Right to Request Amendment
  • A client has the right to request amendment of
    PHI maintained in the designated record set.
  • The covered entity will have 60 days to respond
    to an individual's request.
  • The final regulations specify certain required
    processes and standards for managing this process.

27
Right to an Accounting of Disclosures
  • Covered entity must account for disclosures made
    within six years prior to the request
  • Excludes disclosures that are
  • Authorized
  • Limited data set
  • Incidental
  • Treatment, Payment or Operations (TPO)
  • Other (e.g., national security, law enforcement)

28
Right to an Accounting of Disclosures
(continued)
  • An accounting to the individual of the
    disclosures of his/her PHI must include
  • Date of each disclosure
  • Name and, if known, address of party that
    received the PHI
  • Brief description of the PHI disclosed
  • The purpose for which the PHI was disclosed, or a
    copy of an individual's authorization, or a copy
    of the request for disclosure

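The two accounting-of-disclosures slides above describe a filter (six-year look-back, the excluded categories) and a required output record. As an added illustration that is not part of the presentation, the Python below applies those rules to a constructed disclosure log; the category names, field names and sample entries are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Disclosure categories the slides list as excluded from an accounting.
EXCLUDED_PURPOSES = {"authorized", "limited_data_set", "incidental", "tpo",
                     "national_security", "law_enforcement"}

@dataclass
class Disclosure:
    disclosed_on: date
    recipient: str
    recipient_address: Optional[str]  # None when the address is not known
    description: str                  # brief description of the PHI disclosed
    purpose: str                      # category label, e.g. "tpo" (assumed names)
    purpose_detail: str               # stated purpose, or copy of authorization/request

def six_years_before(d: date) -> date:
    """Start of the six-year look-back window that ends at d."""
    try:
        return d.replace(year=d.year - 6)
    except ValueError:  # d is Feb 29 and the earlier year has no Feb 29
        return d.replace(year=d.year - 6, day=28)

def accounting_of_disclosures(log: List[Disclosure], request_date: date):
    """Entries owed to the individual: in-window and not an excluded category."""
    window_start = six_years_before(request_date)
    entries = []
    for d in sorted(log, key=lambda x: x.disclosed_on):
        if not (window_start <= d.disclosed_on <= request_date):
            continue
        if d.purpose in EXCLUDED_PURPOSES:
            continue
        entries.append({"date": d.disclosed_on.isoformat(),
                        "recipient": d.recipient,
                        "recipient_address": d.recipient_address or "unknown",
                        "phi_disclosed": d.description,
                        "purpose": d.purpose_detail})
    return entries

# Constructed sample log for one client (not real data).
SAMPLE_LOG = [
    Disclosure(date(2001, 3, 2), "County Health Plan", "PO Box 1, Des Moines, IA",
               "837 claim for office visit", "tpo", "Payment"),
    Disclosure(date(2001, 9, 20), "State Public Health Dept", None,
               "Reportable disease lab result", "required_by_law", "State reporting statute"),
    Disclosure(date(2002, 5, 1), "Research Registry", "Iowa City, IA",
               "Limited data set extract", "limited_data_set", "Data use agreement on file"),
    Disclosure(date(1996, 1, 15), "Former Employer", None,
               "Immunization record", "required_by_law", "Workplace statute"),
]

def demo(request_iso: str = "2002-09-17"):
    return accounting_of_disclosures(SAMPLE_LOG, date.fromisoformat(request_iso))

def demo_window(request_iso: str) -> str:
    return six_years_before(date.fromisoformat(request_iso)).isoformat()
```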
29
HIPAA Consent
  • Consent for disclosure of PHI for treatment,
    payment, and health care operations (TPO) on the
    part of all covered entities is now optional.

30
Authorization
  • An authorization is a more customized document
    that gives the covered entities permission to
    use specified PHI for specified purposes, which
    are generally other than TPO, or to disclose PHI
    to a third party specified by the individual.

31
Authorization (continued)
  • Plain language describing information in specific
    and meaningful fashion
  • Name of person(s) authorized to make the
    requested use/disclosure and to receive request
  • Expiration date, signature, date and copy
  • Statement of each purpose of the disclosure or
    use
  • Individual's right to revoke in writing

32
Limited Data Set
  • A covered entity may use and disclose a limited
    data set for research, public health, or health
    care operations.
  • A limited data set is PHI that has been stripped
    of 16 identifiers of individuals and their
    relatives, household members and employers.
  • A covered entity must obtain a data use
    agreement from the intended recipient of the
    limited data set before disclosing the data to
    the recipient.

33
Oral Communications
  • Covered entities must reasonably safeguard all
    PHI (including oral information) from any
    intentional or unintentional use or disclosure
    that is in violation of the rule.

34
Oral Communications (continued)
  • Certain incidental uses and disclosures are
    permissible as long as they are secondary
    disclosures that
  • could not reasonably be prevented
  • are limited in nature
  • are the by-product of an otherwise permissible
    use or disclosure

35
Minimum Necessary
  • Requires covered entities to take reasonable
    steps to limit the use or disclosure of, and
    requests for, PHI to the minimum necessary
    information needed to accomplish the intended
    purpose.

36
Government Access to Health Information
  • The Privacy Rule allows disclosures that are
    required by law. For example, all states have
    laws that require providers to report cases of
    specific diseases to public health officials.

37
Work With Vendors
38
Business Associates
  • Business Associates are not members of the
    covered entity's workforce, which consists of
  • Employees
  • Volunteers
  • Trainees
  • Others under direct control

39
Business Associates (continued)
  • Person or entity who provides certain functions,
    activities, or services on behalf of, or to a
    covered entity that involves the use and/or
    disclosure of PHI.
  • Covered entities can operate under their current
    written contracts until those contracts are up
    for renewal or until April 14, 2004, whichever is
    sooner if they exist before October 13, 2002.

40
Introducing
  • HIPAA Security and Electronic Signature
    Standards
  • Proposed Rule

41
The computer expert is here, Mr. Rumson.
42
Areas Covered By Security Standard
  • Administrative Procedures
  • Physical Safeguards
  • Technical Security Services
  • Technical Security Mechanisms

43
Administrative Procedures
Documented, formal practices and procedures for
  • Recovering lost information
  • How information flows through your department
  • Controlling access to information

44
Administrative Procedures (continued)
  • Documented, formal practices and procedures for
  • Reporting security breaches
  • Maintaining security throughout personnel changes
  • Security awareness training

45
Physical Safeguards

Protect physical computer systems, related
buildings, and equipment
  • Keeping floppy disks, CDs, backup tapes secure.
  • Controlling access to areas and departments.
  • Logging off workstation when finished.
  • Providing a secure location for workstations.

46
Technical Security Services
  • Processes to protect information and control
    individual access
  • Providing for emergency access to secure
    information
  • Automatic logoff
  • Unique user ID and password

47
Technical Security Mechanisms
  • Processes to guard against unauthorized access to
    data transmitted over a communications network
  • Confidential information sent over the Internet
    must be encrypted.
  • Verify information that is sent arrives
    unmodified.
  • Determine who accessed what information and when.

48
Introducing
  • HIPAA Electronic Data Interchange --
    Transactions and Code Sets
  • Final Rule and Postponement

49
Streamlining Payment
  • Create national standards for the storage and
    transmission of electronic health information
  • Over 400 different formats for e-submission of
    health care claims in the US today
  • EDI standards will require uniform codes for all
    payers
  • Uniformity means cost savings

50
The Origins of EDI
  • Now, while we're dancing, let's all be thinking
    how we can step up doll production, cut costs in
    the toy car division, and eliminate waste in all
    departments.

51
HIPAA National Electronic Transaction Standards
  • Enrollment and Disenrollment in a Health Plan
    (834)
  • Health Care Premium Payments (820)
  • Health Care Eligibility Benefit Inquiry and
    Response (270/271)
  • Referral Certification and Authorization (278)
  • Health Care Claims or Equivalent Encounter
    Information (837)
  • Health Care Claim Status (276/277)
  • Health Care and Remittance Payment Advice (835)
  • Coordination of Benefits (837)
  • First Report of Injury (145) (Delayed)
  • Additional Claim Information (275) (Delayed)

52
HIPAA Code Sets
  • International Classification of Diseases, 9th
    Edition, Clinical Modification (ICD-9-CM).
  • Current Procedural Terminology, 4th Edition
    (CPT-4).
  • Health Care Financing Administration Common
    Procedure Coding System (HCPCS).
  • Code on Dental Procedures and Nomenclature, 2nd
    Edition (CDT-2).

53
Next Steps: Starting Now and Ending Never
  • EDI Extension
  • Covered Entity Analysis
  • Risk Gap Analysis
  • Team Assignments

54
Next Steps (continued)
  • Privacy Official and Security Officer Appointment
  • PHI Policies and Procedures
  • Notice of Privacy Practices and Forms
  • Business Associates

55
Next Steps (continued)
  • HIPAA Training
  • Privacy Implementation
  • EDI Testing
  • Reached Milestone 1
  • April 14, 2003

56
HIPAA Penalties - Civil
  • Up to $100 per violation to a maximum of $25,000
    per year for all violations of an identical
    requirement
  • Civil penalties may not be imposed if
  • person did not know, and would not have known
    with exercise of reasonable diligence, that
    he/she violated the provision
  • the failure was due to reasonable cause, not the
    result of willful neglect, and is corrected
    within 30 days of the first date the person knew,
    or by exercising reasonable diligence would have
    known, that the failure to comply occurred
  • May be mitigated by existence of a HIPAA
    compliance program
  • May not be imposed for an act that may be
    punishable under HIPAA's criminal penalty
    provisions
  • HHS is authorized to seek injunctions against
    covered entities to stop use/disclosure of PHI
    until compliance is achieved

57
HIPAA Penalties - Criminal
  • Knowingly using, obtaining or disclosing
    individually identifiable health information
    raises available penalties from civil fines to
    criminal sanctions
  • Three levels of criminal penalties
  • Up to $25,000 and/or up to 2 years in prison for
    a simple violation: knowingly obtaining or
    disclosing individually identifiable health
    information in violation of HIPAA
  • Up to 5 years in prison and/or up to a $50,000
    fine for knowingly obtaining individually
    identifiable health information under false
    pretenses
  • Up to 10 years in prison and/or up to a $250,000
    fine for knowingly using or disclosing
    individually identifiable health information for
    commercial advantage, personal gain, or malicious
    harm

58
59
Question & Answer