HTH937: Sybase Healthcare and Industry Standards

1
HTH937 Sybase Healthcare and Industry Standards
Bill MorozTechnical Director, Healthcare bill.mor
oz_at_sybase.coml / 708 301 9580 August 5, 2003
2
Course Outline

• Overview of Healthcare Standards
• Government (HIPAA)
• Standards Development Organizations
• De Facto
• Vendor
• Sybase Solutions
• HIPAA Standards for Transaction Compliance
• HIPAA Standards for Privacy
• HIPAA Standards for Security
• Standards-Based Integration

3
Government Healthcare Standards

• Health Insurance Portability and Accountability
  Act of 1996 (HIPAA) under the control of HCFA
• National Library of Medicine that supports the
  Unified Medical Language System (UMLS), a system
  linking together various medical vocabularies
• Health Care Financing Association (HCFA) that
  controls Medicare and Medicaid

4
Standards Development Organizations (SDO)

• ANSI (American National Standards Institute)
• X12
• CPT
• ASTM (the American Society for Testing and
  Materials) that produces a standard for the CPR
• American Medical Association that produces CPT-4
  codes for reporting medical services and
  procedures.
• ANSI Health Informatics Standards Planning Panel
  (HISPP) - coordinate standards from other
  organizations
• HL7
• DICOM
• EDIFACT for healthcare data interchange
• Health Care Financing Association (HCFA)

5
International Standards

• Telematics
• CENT51
• IMIA became IHIA
• WHO
• ANSI-HISB
• Ministry of Health Canada
• IT/14 Standards Australia
• MEDIS-DC within Ministry of Trade (Japan)
• ISO IAeG (InterAgency EDI Group of ISO)

6
Sybase Participates in Healthcare Standards
Organizations
7
HIPAA What is it?

• Public Law 104-191August 21, 1996

To amend the Internal Revenue Code of 1986 to
improve portability and continuity of health
insurance coverage in the group and individual
markets, to combat waste, fraud, and abuse in
health insurance and health care delivery, to
promote the use of medical savings accounts, to
improve access to long-term care services and
coverage, to simplify the administration of
health insurance, and for other purposes.
Health Insurance Portability and
Accountability Act of 1996.
De Facto HIPAA Mascot
8
HIPAA Who is affected?

• Healthcare Providers
• Healthcare Clearinghouses
• Health Plans
• Commercial insurances
• Third-party administrators.
• Some large employers (self-insured)
• Government Agencies
• Public Health, Child Family Services ect.
• Healthcare consumers (patients)

9
HIPAA When does it happen?
August 1996
December 2001
February 2003
April 2003
October 2003
November 2003
April 2005
10
HIPAA EDI Transactions
834
Plan Sponsors, Employers
Payers
Providers
Enrollment
Eligibility Verification
Enrollment
270
820
271
834
Precertification and Adjudication
Pre-treatment Authorization and Referrals
278
837 ( 275/HL7)
Claim Acceptance
Service Billing/ Claim Submission
(277)
(275/HL7)
Adjudication
276
Claim Status Inquiries
Coordination of Benefits
277
275
Not shown NCPDP Retail Pharmacy
837
Accounts Receivable
Accounts Payable
835
11
HIPAA/Transactions

• The goal is to have all plans use identical
  transactions.
• In reality there are some variations, although
  greatly reduced by HIPAA
• E.g. Claim 88 same post HIPAA/ lt60 pre HIPAA
• Content Variations
• E.g. coding of procedures, taxonomy,837I vs. 837P
• Noncontent variations
• 997 errors, Transport (Internet vs. dial up), FTP
  vs. HTTP, authentication

12
HIPAA/Transactions

• Mandatory Compliance by Oct 16, 2003
• What does compliance mean?
• Business vs. Legal issues
• If one claim out of a whole batch of 5000 isnt
  HIPAA Compliant should you reject the entire
  batch?

13
HIPAA - Privacy Standards

• Effective as of April 14, 2003.
• Provides regulations on the usage and disclosure
  of Protected Healthcare information (PHI).
• Individuals must be informed of institutions
  privacy policy in writing.
• Asserts that patients have control over all
  disclosures of treatment, payment and healthcare
  operations (TPO).
• The Minimum Necessary principle
• Right to examine amend a persons own
  information
• Provisions for disclosure of De-identified data

14
HIPAA/Privacy - Why?

• Tammy Wynettes medical records were sold to
  tabloid publications by a medical center
  employee. This was done in spite of the fact that
  she had entered the hospital under an assumed
  name to protect her privacy.
• An HIV positive patient used a local pharmacy to
  keep his condition private. When the pharmacy was
  purchased by CVS, he requested to not have his
  information transferred. CVS not only
  disregarded his/her request but distributed the
  information to many of its marketing partners.
• A list of cancer patients was obtained by a
  banker who was on the state health commission.
  He cross referenced the list against his customer
  list and promptly called in their loans.

15
What is Protected Healthcare Information (PHI)
16
HIPAA/Privacy Challenges

• Information must be kept 6 years
• Requests can be generated through various
  communications channels
• phone, fax, email, web sites and claims systems.
  
• PHI may (and mostly does) reside on many storage
  types
• medical records systems, claims systems,
  adjudications systems, filing cabinets, data
  warehouses.

17
HIPAA/Privacy
18
HIPAA/Privacy- Accounting of Disclosures

• Covered Entities must document and retain
• Date of request
• Name/Address of person who received PHI
• A brief description of PHI disclosed
• A statement about the purpose of the disclosure
• The written accounting is provided to the
  individual
• The titles of the persons or offices for
  receiving and processing the request for an
  accounting by individuals.

19
HIPAA/Privacy - Authorizations
20
HIPAA/Privacy - Authorizations

• Patient Authorizations Required
• Marketing,
• Research,
• Psychotherapy notes
• Activities other than treatment, payment and
  hospital operations (TPO)
• Manage Status (Signed, Revoked, Expired)
• Integration with Disclosure Management

21
HIPAA/Privacy - Restrictions
22
HIPAA/Security Rule - 164.306

• Published February 13, 2003
• Mandatory April 21 2005 (2006 for smaller plans)
• General rules
• Ensure the confidentiality, integrity, and
  availability of all electronic protected health
  information the covered entity creates, receives,
  maintains, or transmits.
• Protect against any reasonably anticipated
  threats or hazards to the security or integrity
  of such information.
• Protect against any reasonably anticipated uses
  or disclosures of such information that are not
  permitted or required under the privacy
  regulation
• Ensure compliance with this subpart by its
  workforce.

23
HIPAA/Security - Implementation Specifications

• Specifications are defined as either Required or
  Addressable (22 of 42 are addressable)
• Required
• Security Assessments
• Disaster Recovery Plan
• Addressable (e.g. Integrity controls and
  encryption)
• Reasonable and appropriate within your framework
• E.g. Small Physician Practice vs. Large Health
  Plan
• Integrity controls and encryption
• Depends on existing measures, cost, and risk
  mitigation
• Locked up room vs. data center with retinal eye
  scan
• Big Technical Issue Lack of Technical Standards
  or specificity.
• e.g, 164.312(e)(2)(ii) Encryption
  (Addressable). Implement a mechanism to encrypt
  electronic protected health information whenever
  deemed appropriate.

24
The Security Regulation At a Glance
(R)Required
(A)Addressable
25
(No Transcript)
26
(No Transcript)
27
HIPAA/Security Strategies for Database
Availability
Switchingand WarmStandbyReplication
ColdStandby
DisasterRecovery
Catastrophic
HighAvailabilityClusters
HighAvailability
Unplanned
Severity of Database Downtime
OfflineMaintenance
Planned
OnlineMaintenance
No Downtime
ContinuousAvailability
Latency of Database Recovery
28
HIPAA/Security Warm Standby
29
HIPAA/Security A Heterogeneous Environment
Replicate Sites
Primary Sites

• Adaptive Servers/IQ/ Anywhere/ Enterprise

Replication Agents
Replication Server

• DB2
• AS/400
• Oracle
• ODBC

• Informix
• MS SQL
• UDB

DirectCONNECT OmniCONNECT

• OS/390 DB2
• Adaptive Server Enterprise
• Adaptive Server Anywhere
• Replication Toolkit for MVS
• Oracle
• Informix
• Microsoft SQL Server
• IBM DB2 Universal Database

Mobile Users
SA
SQL Remote
Adaptive Server Anywhere
30
HIPAA/Security - Failover Replication Server and
OpenSwitch
31
Standards-Base Integration

• HIPAA Standards for Transaction Compliance
• HIPAA Standards for Privacy
• HIPAA Standards for Security
• Standards-Based Integration