HIPAA Developing an Understanding - PowerPoint PPT Presentation

Provided by: odhs

1
HIPAA Developing an Understanding
  • Robert C. Bergin
  • Ohio Department of Job and Family Services

2
Title I - Health Care Access, Portability, and
Renewability
  • Title I of HIPAA protects health insurance
    coverage for workers and their families
  • Limits exclusion for pre-existing conditions
  • Prohibits discrimination based upon health
    factors
  • Provides special enrollment rights
  • Defines creditable coverage and significant
    breaks

3
Title II - Preventing Health Care Fraud and
Abuse, Administrative Simplification, and Medical
Liability Reform
  • Title II is intended to combat waste, fraud, and
    abuse in health insurance and healthcare delivery
  • Simplify the administration of health insurance
  • Promote Administrative Simplification

4
Administrative Simplification
  • Goals of Administrative Simplification
      • Protect privacy of Protected Health Information
        (PHI)
      • Standardize electronic exchanges to improve
        efficiency
      • Secure data processing systems
      • Implement standard identifiers
          • Providers
          • Employers
          • Health Plans

5
HIPAA Rules
  • Privacy Rule - 4/14/03
  • Transaction and Code Set Rule - 10/16/03
  • Security Rule - 4/21/05
  • Standard Identifiers
      • National Employer Identifier Rule - 7/04
      • National Provider Identifier Rule - TBD
      • National Health Plan Identifier - TBD

6
Who Must Comply? Covered Entities
  • Health Plans - An individual or group plan that
    provides or pays the cost of medical care
      • Medicare
      • Medicaid
      • Health insurance issuer
      • HMO
      • VA health care system
      • Others

7
Health Plan General Exclusions
  • Any government-funded program, other than those
    specifically included, whose principal purpose is
    other than providing or paying the cost of health
    care but which do incidentally provide such
    services
  • For example, programs such as the Special
    Supplemental Nutrition Program for Women, Infants
    and Children (WIC) are not considered to be
    health plans

8
Health Plan General Exclusions - Continued
  • Any government-funded program whose principal
    activity is the making of grants to fund the
    direct provision of health care to individuals
  • For example, the Maternal/Child Health Block
    Grant Title V program

9
Health Plan General Exclusions - Continued
  • An agency that determines eligibility for or
    enrollment in a health plan that is a government
    program providing public benefits, when that
    agency is not the agency that administers the
    program, is not a covered entity.
  • For example, an agency that is not otherwise a
    Covered Entity, such as a local welfare agency,
    is not considered to be a Covered Entity because
    it determines eligibility or enrollment or
    collects enrollment information as authorized by
    law.

10
Is a private benefit plan a health plan?
[Flowchart: decision questions and outcomes]
  • Is the plan an individual or group plan, or
    combination thereof, that provides, or pays for
    the cost of, medical care?
  • Does the plan have both of the following
    characteristics: (a) it has fewer than
    50 participants, and (b) it is self-administered?
  • Is the plan a group health plan?
  • Is the plan a health insurance issuer?
  • Is the plan an issuer of a Medicare
    supplemental policy?
  • Does the plan provide only nursing home
    fixed-indemnity policies?
  • Is the plan an HMO?
  • Does the plan provide only excepted benefits?
  • Is the plan a multi-employer welfare benefit
    plan?
  • Is the plan an issuer of long-term care
    policies?
  • Outcome: STOP! The plan is a health plan
  • Outcome: STOP! The plan is not a health plan

11
Is a government-funded program a health plan?
[Flowchart: decision questions and outcomes]
  • Is the program one of the listed government
    health plans?
  • Does the program provide, or pay the cost of,
    medical care?
  • Is the program a high risk pool?
  • Is the plan an HMO?
  • Is the principal activity of the program
    providing health care directly?
  • Is the principal purpose of the program other
    than providing or paying the cost of health care
    (e.g., operating a prison system, running a
    scholarship or fellowship program)?
  • Does the program provide only excepted benefits?
  • Is the principal activity of the program the
    making of grants to fund the direct provision of
    health care (e.g., through funding a health
    clinic)?
  • Outcome: STOP! The program is a health plan
  • Outcome: STOP! The program is not a health plan

12
Covered Entities - Continued
  • Health Care Providers - A health care provider
    who transmits any health information in an
    electronic form in connection with a defined
    transaction covered by the law is a covered
    entity
      • Physician
      • Dentist
      • Pharmacist
      • Physical Therapist
      • Others

13
Are You a Health Care Provider Under HIPAA?
[Flowchart: decision questions and outcomes]
  • Do you furnish, bill, or receive payment for
    health care services in the normal course of
    business? (1)
  • Do you conduct covered transactions?
  • Are any of the covered transactions transmitted
    in electronic form?
  • Outcome: STOP! You are a covered health care provider
    under HIPAA
  • Outcome: STOP! You are not a covered health care provider
    under HIPAA

14
Covered Entities - Continued
  • Health Care Clearinghouses - An entity that
    processes or facilitates the processing of
    information received from another entity in a
    nonstandard format or containing nonstandard data
    into standard data elements or a standard
    transaction
      • Billing service
      • Switch
      • VAN

15
Are You a Health Care Clearinghouse?
[Flowchart: decision questions and outcomes]
  • Do you process, or facilitate the processing of,
    health information from a nonstandard format or
    content into standard format or content or from
    a standard format or content into nonstandard
    format or content?
  • Do you perform this function for another
    legal entity?
  • Outcome: STOP! You are a health care clearinghouse
  • Outcome: STOP! You are not a health care clearinghouse

16
Hybrid Covered Entities
  • If Covered Entity functions are performed
    within a department or program, then the entity
    to which it belongs is a HIPAA hybrid entity
  • HIPAA rules apply to the component that performs
    the covered entity function

17
Hybrid Entity - Implications
  • The importance of being a hybrid entity is that
    HIPAA requires the entity to build walls between
    the covered functions and the rest of the entity,
    so that the non-covered portions do not have
    access to PHI

18
Business Associates
  • Business Associate is a person or entity who on
    behalf of a covered entity performs a function or
    activity that involves the use or disclosure of
    Protected Health Information (PHI)
  • A covered entity may disclose PHI to its Business
    Associates if it obtains a written contract
    specifying that the Business Associate will
    appropriately safeguard the information

19
Privacy Rule - Background
  • Traditionally, health information has been
    private not because it is secure but because it
    has been difficult to access
  • As the ease of exchanging Protected Health
    Information (PHI) increases, there is a
    corresponding need to increase privacy protection
  • The privacy rule defines what information you
    must protect, as contrasted with the security
    rule which defines how you must protect
    information

20
Privacy Rule - Definitions
  • Protected Health Information (PHI) is
    individually-identifiable health information that
    is transmitted or maintained in any form or
    medium
  • Health Information includes any information,
    oral or recorded, relating to the health of an
    individual, the health care provided, or payment
    for services rendered to the individual

21
Privacy Rule - Definitions Continued
  • Privacy Notice describes how an individual's
    medical information may be used and disclosed,
    and of the individual's rights and the covered
    entity's duties with respect to that medical
    information
  • Patient Authorization is required for the use of
    information not related to treatment, payment, or
    health care operations

22
Privacy Rule - Definitions Continued
  • Public Health Authority is an agency that is
    responsible for public health matters as part of
    its official mandate
  • Limited use and disclosure are permitted without
    consent or authorization when there is an
    overriding public interest
  • Generally, the rule does not apply to
    de-identified information as long as there is no
    mechanism for re-identification

23
Privacy Rule - Patient Rights
  • Right to adequate notice of privacy practices
  • Right to access health information
  • Right to request amendment of health information
  • Right to an accounting of disclosures
  • Right to request restriction of uses and
    disclosures

24
Privacy Rule - Administrative Requirements
  • A designated privacy official
  • A privacy contact person
  • A defined complaint process
  • Individuals can request additional restrictions;
    entities must have a process for responding, but
    are not required to agree to the request
  • Entity must verify the identity and legal
    authority of any person requesting PHI

25
Privacy Rule - Administrative Requirements
Continued
  • Employer must provide training on privacy
    policies and procedures to each person who has
    contact with PHI
  • Covered entities are required to document that
    training requirements have been satisfied
  • Employees and Business Associates who violate
    policies and/or HIPAA regulations must be subject
    to defined sanctions

26
Standard Transactions
  • Transaction and Code Set Rule compliance October
    16, 2003 (Public Law 107-105)
  • Health Care Claim or Encounter (837)
  • Health Care Claim Payment and Remittance (835)
  • Health Care Claim Status Inquiry/Response (276,
    277)
  • Health Care Eligibility Inquiry/Response (270,
    271)
  • Enrollment and Disenrollment in a Health Plan
    (834)
  • Referral Certification and Authorization (278)
  • Health Plan Premium Payments (820)

27
Code Sets
  • HIPAA has mandated the use of national standard
    code sets
  • Elimination of Level III local codes and the
    limited expansion of Level II HCPCS codes
  • Nationally, Medicaid programs are being forced to
    crosswalk local codes into limited Level II
    HCPCS codes

28
HIPAA Security Regulations
  • Security regulations require:
      • Covered Entity (CE) must ensure the
        confidentiality, integrity, and availability of
        electronic PHI that the CE creates, receives,
        maintains, or transmits
      • CE must protect against any reasonably
        anticipated threats or hazards to the security or
        integrity of PHI under its control
      • CE must protect against reasonably anticipated
        uses or disclosures that are not permitted or
        required by the privacy rule
      • CE must ensure compliance by its workforce

29
Security - Physical Safeguards
  • Facility access controls
  • Policies governing the receipt and removal of
    hardware and electronic media that contains PHI
    into and out of the facility, as well as movement
    within the facility
  • Policies on workstation area control and
    workstation use

30
Security - Administrative Safeguards
  • Documented security management process
  • Assigned security responsibility
  • Workforce security policies
  • Information access controls
  • Emergency contingency plans
  • Security awareness and training programs
  • Security incident reporting procedures
  • Periodic evaluations

31
Security - Technical Safeguards
  • Technical access controls limiting access to
    authorized persons or software
  • Audit controls to examine activity in information
    systems
  • Policies and procedures to protect PHI from
    improper alteration or destruction
  • Person or entity authentication procedures
  • Technical transmission security measures to
    protect against unauthorized access

32
Preemption of State Law
  • Federal regulations preempt all contrary state
    laws, unless a state law is more stringent
  • State law is more stringent if it:
      • Further limits the use or disclosure of PHI
      • Provides individuals with greater rights of
        access, or more information about their rights
      • Enhances protections afforded by an authorization
      • Imposes greater record keeping requirements
      • Otherwise enhances privacy protection

33
HIPAA Resources
  • Web Sites
      • www.nhvship.org
      • www.hhs.gov/ocr/hipaa
      • www.wpc-edi.com/default40.asp
      • www.aspe.hhs.gov/admnsimp/index.htm
      • www.state.oh.us/hipaa

34
Questions?