MidAtlantic Health Initiative

1
Mid-Atlantic Health Initiative
2
Mid-Atlantic Health Initiative (MAHI)

• HIPAA 101
• Washington, D.C.
• October 18, 2002
• Tom Sadauskas, FHFMA, CHE, CPA
• Northrop Grumman Information Technology

3
The New Rules of the Game

• The Health Insurance Portability and
  Accountability Act of 1996 (HIPAA)
• History of HIPAA and Administrative
  Simplification
• Covered Entities
• Standard Transactions
• Code Sets
• Identifiers
• Privacy
• Security
• Implementation
• Compliance
• HIPAA Web Sites

4
eHealth HIPAA

• What if.
• Payment occurred when treatment was delivered
• Test orders and results were available online for
  all tests
• Data errors were drastically reduced
• Patients could query practitioners and plans
  online
• All health information systems were interoperable

5
HIPAA Value Proposition

• Cost-effective interoperable infrastructure
• Standard
• Reliable and secure
• One-time core infrastructure
• Strategic investment
• Customer and partner confidence
• More accountable

6
History

• Health Insurance Portability and Accountability
  Act (HIPAA) - P.L. 104-191 signed into law by
  President Clinton on August 21, 1996
• Kennedy-Kassebaum Bill (K2) or Kassebaum-Kennedy
  depending upon your party affiliation
• House of Representatives passed it 421-2
• Senate passed it Unanimously
• Legislation had multiple goals including
• Improve portability and continuity of health
  insurance coverage in the group and individual
  markets
• Combat waste, fraud, and abuse in health
  insurance and health care delivery (HIPDB
  created),
• Simplify the administration of health insurance
• (Subtitle F - Administrative Simplification)

7
Administrative Simplification

• Subtitle F - Administrative Simplification
  provisions
• EDI transaction standards
• Standardized codes sets
• Standardized identifiers - employers, health
  plans, providers and individuals
• Privacy legislation or regulations
• Security standards
• Eventual standards for an electronic medical
  record
• Intention is to reduce the costs and
  administrative burdens of health care by making
  possible the standardized, electronic
  transmission of many administrative and financial
  transactions that are currently carried out
  manually on paper and the adoption of security
  and privacy standards appropriate for the
  protection of individually identifiable health
  care information.

8
Covered Entities

• A health plan an individual or group plan that
  provides, or pays the cost of, medical care (PHS
  Act). Health plan includes, when applied to
  government funded programs, the components of the
  government agency administering the program.
  Health plan includes the following, singly or in
  combination
• Group health plan
• Health Insurance Issuer
• HMO
• Part A or Part B Medicare
• Medicaid
• Issuer of a Medicare Supplemental Policy
• Issuer of a Long-Term Care Policy (excluding a
  nursing home fixed indemnity policy)

9
Covered Entities

• health plan (continued)
• Health care Programs for Active military
  Personnel
• Veterans Health Care Programs
• Civilian Health and Medical Program
• Indian Health Service
• Employee Welfare Benefit Plan
• Federal Employees Health Benefit Program
• State Child Health Plan
• Medicare Choice
• Another other individual or group plan, or
  combination of individual or group plans, that
  providers or pays for the cost of medical care
  (PHS Act)

10
Covered Entities

• (2) A health care clearinghouse a public or
  private entity that does either of the following
• Processes or facilitates the processing of
  information received from another entity in a
  nonstandard format or containing nonstandard data
  content into standard data elements or a standard
  transaction.
• Receives a standard transaction from another
  entity and processes or facilitates the
  processing of information into nonstandard format
  or nonstandard data content for a receiving
  entity.

11
Covered Entities

• (3) A health care provider who transmits any
  health information in electronic form in
  connection with a standard transaction referred
  to in Section 1173(a)(1).

12
Standard Transactions

• Health claims or equivalent encounter
  information.
• Health Care Claim (837)
• NCPDP v5.1 Telecommunications v1.1 Batch
• Enrollment and disenrollment in a health plan.
• Benefit Enrollment and Maintenance (834)
• Eligibility for a health plan.
• Health Care Eligibility / Benefit Inquiry (270)
• Health Care Eligibility / Benefit Information
  (271)

13
Standard Transactions

• Claim Payment
• Health Care Claim Payment/Advice (835)
• Health Premium Payment (820)
• Health claim status.
• Health Care Claim Status request (276)
• Health Care Claim Status Notification (277)
• Referral certification and authorization.
• Health Care Service Information (278)
• Health claim attachments
• Additional Health Claim Information (275)

14
Standard Transactions

• Other Standards for voluntary use (not mandated
  yet)
• Health Care Benefit Coordination of Benefits
  Verification (269)
• Unsolicited Eligibility Roster (271)
• Unsolicited Health Care Claim Status (277)
• Provider Information (274)
• Services review notification (278)
• Healthcare Data Reporting Services (837 R)

15
Standard Transactions

• On October 16, 2000 the Final Rule for Electronic
  Transactions became effective with a compliance
  date of October 16, 2002.
• This rule adopts standards for eight electronic
  transactions and for the code sets to be used in
  those transactions. It also contains requirement
  concerning the use of these standard by health
  plans, health care clearinghouses, and certain
  health care providers.

16
ASCA

• Administrative Simplification Compliance Act
  (ASCA) (P.L. 107-105) signed into law
  December 27, 2001
• Allowed Covered Entities to submit a plan to DHHS
  by NLT October 15, 2002 and request a one year
  extension until October 16, 2003 for
  meeting EDI rules
• Testing of EDI transactions must begin NLT April
  16, 2003
• April 2003 Privacy Rule deadline NOT extended
• Require all Medicare claims to be submitted
  electronically in standard format after October
  16, 2003
• Small provider waiver service providers lt25
  FTEs and physicians, practitioners, facilities or
  suppliers lt10 FTEs
• Small provider waiver NOT an exemption from HIPAA
  Privacy or Security Rules

17
Transactions NPRMs

• Transaction Addenda NPRM published May 2002
• Modifications to the HIPAA Standard
  Implementation Guides
• Clarifications on the final rule
• Typos Corrected
• NDC NPRM published May 2002
• The codifying of national drugs
• J-Codes are being proposed to be used in
  conjunction with the pharmacy NDC codes.
• Notice of Proposed Rule Making

18
Code Sets

• DHHS has the authority to specify what data
  coding schemes can be used in the health care
  transactions.
• Medical Code Sets Defined by the Transactions
  final rule (FR p. 50370)
• International Classification of Diseases, 9th
  Edition, Clinical Modification, Vol. 12
  (ICD-9-CM)
• International Classification of Diseases, 9th
  Edition, Clinical Modification, Vol. 3 (ICD-9-CM
  including the Official ICD-9-CM Guidelines for
  Coding and Reporting)
• National Drug Code (NDC)
• Code on Dental Procedures and Nomenclature (CDT-3)

19
Code Sets

• The combination of Health Care Procedure Coding
  System (HCPCS) and Current Procedural
  Terminology, 4th Edition (CPT-4), for physician
  services and other health care services.
• The Healthcare Common Procedure Coding System
  (HCPCS) for all other substances, equipment,
  supplies, or other items used in health care
  services.
• NO MORE LOCAL CODES - Eliminates Level 3 HCPCS

20
Identifiers

• National Employer ID
• This final rule was published May 31, 2002 with
  an effective date of July 1, 2002, has been the
  least controversial of the NPRMs released so far.
• Intended to uniquely identify
• Employers
• Benefit Sponsors
• And others who use electronic exchanges to enroll
  members in health plans and to pay benefit
  premiums.

21
Identifiers

• National Health Plan ID
• This NPRM not been released yet.
• Intended to uniquely identify
• Medicare part A contractors
• Medicare part B contractors
• Medicaid Programs
• HMOs
• Private Health Plans
• Commercial Health Plans
• Intentions are that there would be a national
  payer registry, a payer database, and
  documentation on its use.

22
Identifiers

• National Provider ID (NPI)
• The NPRM (published on May 7, 1998) proposed a
  data-less 8-position alphanumeric identifier,
  with at check digit in the eight position.
• Likely final NPI will be a ten digit, all numeric
  identifier
• Identifier itself not include any information
  about practice locations
• Data in this national database be limited to the
  minimum needed to support the enumeration
  activities, and not include any credentialing or
  sanctions data.
• Enumerating process be placed outside the Federal
  Government.

23
Identifiers

• Individual ID
• This NPRM not been released yet. This is the
  most controversial of the identifiers by far.
  Congress requires additional Congressional
  approval of any proposed individual
  identification plan. An anticipated Notice of
  Intent (NOI) on this initiative has been put on
  hold, additional hearings have been indefinitely
  postponed, and there is no currently available
  estimate of when or whether this initiative will
  get back on track. Therefore, this identifiers
  future is not certain. This is as far as most
  industry and political participants see for this
  identifier.

24
Privacy

• Final Rule became effective on April 14, 2001
  with a compliance date of April 14, 2003.
• Definitions
• Individually Identifiable Health Information
  (IIHI) any information including demographic
  information collected from an individual that
• Is created or received by a HIPAA Covered Entity
• Relates to the past, present, or future physical
  or mental health condition of an individual, the
  provision of health care to an individual or the
  past, present, or future payment for the
  provision of health care to an individual
• Identifies an individual
• There is a reasonable basis to believe that the
  information can be used to identify the
  individual.
• Patient Consent voluntary agreement to
  conditions of use, storage, and disclosure of
  information (Internal)

25
Privacy

• Definitions
• Patient Authorization voluntary agreement to
  conditions of use, storage and disclosure of
  information beyond that set forth in the notice
  (External) for a specified period of time.
• Chain of Trust A pattern of agreements that
  extend protection of health care data by
  requiring that each covered entity that shares
  health care data with another entity require that
  that entity, in turn, require that any other
  entities with which it shares the data satisfy
  the same requirements.
• Business Associate Not part of the covered
  entity's workforce but performs or assists in the
  performance of a function or activity involving
  the use or disclosure of IIHI, including claims
  processing or administration, data analysis,
  processing or billing, benefit management
  practice management, and repricing or any other
  function or activity regulated by this
  subchapter or provides legal, actuarial,
  accounting, consulting, data aggregation
  management, administrative, accreditation, or
  financial services.

26
Privacy

• Definitions
• Trading Partner While a Business Associate is
  an entity that performs certain business
  functions for a covered entity, a Trading Partner
  is an external entity, such as a customer, that
  does business with the covered entity. This
  relationship can be formalized via a Trading
  Partner Agreement. It is possible to be a
  Trading Partner of a covered entity for some
  purposes and a Business Associate of the same
  covered entity for other purposes.
• Disclosure to a Business Associate A covered
  entity may disclose protected health information
  to a business associate and may allow a business
  associate to create or receive protected health
  information on its behalf, if the covered entity
  obtains satisfactory assurance that the business
  associate will appropriately safeguard the
  information.

27
Privacy

• Definitions
• Info on Deceased Persons If under applicable
  law an executor, administrator, or other person
  has authority to act on behalf of a deceased
  individual or of the individuals estate, a
  covered entity must treat such person as a
  personal representative, with respect to
  protected health information relevant to such
  personal representation.
• Protected Health Information IIHI
• Transmitted or maintained with/by electronic
  media
• Excluded
• Educational records covered by FERPA (FR p.
  82805)
• Other records as described 20 U.S.C.
  1232g(a)(B)(iv).

28
Privacy

• Administrative Requirements
• Designation of a Privacy Official
• Training
• Safeguards
• Internal Complaint Process
• Sanctions for employees who do not comply
• Duty to mitigate
• Patient Rights
• Patients are entitled to adequate notice about
  how their IIHI will be routinely used, stored,
  and disclosed
• Written notice of information practices
• Access for inspections and copying
• Accounting of disclosures
• Amendment and correction
• The right to say no

29
Privacy

• Disclosure Conditions
• Minimum Necessary use and disclosure
• Not to use or disclose more than the minimum
  amount of information necessary to accomplish the
  intended purpose of the use or disclosure taking
  into consideration practical and technological
  limitations
• Does not apply to
• Requests from a patient
• Releases of information required by law to
  government entities
• Uses or disclosures requested for audit and
  related purposes
• Patient right to restrict uses and disclosures
• Application to business partners
• Application information about deceased persons
• Adherence to the notice of information practices

30
Privacy

• Disclosure Conditions
• Creation of de-identified information
• Covered entities may use and disclose
  de-identified information in any way provided the
  covered entity reasonably believes the
  information will not result in the use or
  disclosure of protected health information.
• Allowed information
• Age with dates limited to a year
• Age over 90 aggregated
• Aggregated three-digit ZIP codes to include at
  least 20K people
• Gender, race, ethnicity, marital status

31
Privacy

• Disclosure Conditions
• Creation of de-identified information
• Information Not Allowed

• Names
• All geographic locations
• All elements of Date (except year) for dates
  directly related to an individual.
• Electronic mail addresses
• Social Security Numbers
• Medical Record Numbers

• Health Plan Beneficiary Numbers
• Account Numbers
• Certificate or License Numbers
• Vehicle identifiers
• Device identifiers and serial number
• Web URLs

32
Privacy

• Disclosure Conditions
• Creation of de-identified information
• Information Not Allowed (contd)
• IP Addresses
• Biometric Identifiers
• Full face photographic images and any comparable
  images
• Any other unique identifying number,
  characteristic, or code

33
Privacy

• Authorization Requirements
• Authorization is required for purposes other than
  Treatment, Payment, or Health Care Operations
  (TPO).
• Authorization is NOT required

• Health oversight activities
• Public Health activities
• Judicial and Admin Procedures
• Law Enforcement
• Individual requested access to own info
• CE Data for enforcement of Security and Privacy
  policies that implement HIPAA

• Governmental health data systems
• Disclosure for directory information
• Disclosure for banking and payment processes
• Uses and disclosure for research, emergency
  circumstances, next-of-kin, and as required by
  other laws.

34
Privacy

• State Laws are preempted except
• State Laws relating to the privacy of
  individually identifiable health information that
  are more stringent than the federal requirements
  (HIPAA sets a minimum federal floor for privacy)
• State laws that the Secretary of DHHS determines
  are necessary for certain purposes such as fraud
  and abuse, insurance regulations, public health
  and safety, and controlled substances
• Certain reporting, surveillance, investigation,
  and intervention requirements and
• Health plan auditing, licensure, and oversight.

35
Security

• NPRM published Aug. 12, 1998.
• Security is the How To Protect and Privacy is
  the What to Protect.
• Applies to Covered Entities who
• electronically maintain or transmit any health
  information pertaining to an individual

36
Security

• What is to be secured?
• Personal Workstations
• Enhanced Access controls
• Enhanced Audit Trails
• Inside Secure Network Data at Rest
• Secure Networks
• Secure Sign-on
• Secure VPN
• Data in Motion with persistence
• CAs, PKI, Trustdata, Others (UPS, FedEX)
• DRM and the hope for PHI

37
Security

• Electronic Signatures (rumored to be removed from
  the final rule and an additional NPRM to be
  issued specifically for electronic signatures)
• Electronic Signature
• Digital Signature
• Certificate Policies
• Certification Authorities
• Electronic Medical Records

38
HIPAA Security Matrix

• Administrative Safeguards
• Certification
• Chain of trust
• Contingency planning
• Formal Record processing mechanisms
• Information access controls
• Internal Audit
• Personnel security
• Security configuration management
• Security incident process
• Security management process
• Termination procedures
• Training

• Physical safeguards
• Assigned security responsibility
• Media controls
• Physical access controls
• Policy/guideline on workstation use
• Secure workstation location
• Security awareness training
• Technical Security Services (Data at
  Rest)
• Access controls
• Audit controls
• Authorization controls
• Data authentication
• Entity authentication
• Technical Security Mechanisms/ Communications/netw
  ork controls (Data in Motion)
• Digital Signature (optional)

39
Timetable for Adoption of Standards
40
Implementation

• Strategic National Implementation Process
• Provide forum for discussion of HIPAA issues
• Recommend sequence EDI schedule
• Identify security / privacy tools
• Coordinate industry recommendations
• Education
• Awareness
• Best Practices discussions
• Support of State Regional efforts
• http//snip.wedi.org

41
Implementation

• Implementation Steps
• Designate management sponsor for EDI Team
• Become familiar with ANSI X12N Standards
• Download implementation guides
• Inventory data repositories
• Determine financial resources needed to become
  compliant
• Identify payers, providers, clearinghouse your
  organization deals with and determine how and
  when they will begin accepting/sending standard
  formats and code sets.
• Develop an implementation strategy start with
  most complex claims
• Discuss Migration plan to new standard testing,
  target dates, contingency plans.
• Derived from the AHAs Executive Checklist for
  Transactions, Identifiers, Code Sets
• Hospitals Health Networks, December 2000.

42
Implementation

• Implementation Steps
• Evaluate business unit modifications to
  procedures for compliance and effective
  implementation.
• Inventory current business associate arrangements
  (particularly for methods to handle and dispose
  of received info.)
• Review adjust letters of agreement and
  contracts with business associates to reflect
  mandated criteria for info use.
• Review business process and workflow modeling.
• Continuously test and adjust as applications
  change internal external interfaces.
• Derived from the AHAs Executive Checklist for
  Transactions, Identifiers, Code Sets
• Hospitals Health Networks, December 2000.

43
Implementation

• Issues
• Getting There
• Incomplete definitions/interpretations
• Incomplete Identifiers
• Code Set Inadequacies
• Data source issues
• Interim solutions have a way of become long term
• Direct Entry vs. Legacy Integration
• Internet Data Entry (Quick Solution) Payer
  Provided?
• EDI content, format, identifiers and Secure
  transmissions?
• Lack of Integration with provider systems

44
Implementation

• Issues
• Communication Technologies
• Mixing communication links
• Authentication Verification
• Role of Clearinghouse
• Legacy Integration
• Ideal Vendor provides compliant solution
  (native ability to send/receive EDI).
• Internal transformational systems
• Claim Scrubber Software
• Interface engine (HIE, STC, SMS, etc.)
• Indexing engine (HIE, STC, etc.)
• E-commerce engine (Mercator, Sybase, etc.)
• External transformational systems
• Clearinghouses (Envoy, NDC, etc.)
• ASP delivered solutions

45
Implementation

• Issues
• Cost of EDI
• Training
• Remediation (if necessary)
• Environmental upgrades
• Implementation
• AHA estimates of 22 billion is for privacy
  securityHas anyone really validated costs of
  all?
• Transaction Fees (ongoing?)
• Return on Investment
• Who defines reasonable communications costs?
• Budget realities for all healthcare entities

46
HIPAA Compliance

• Compliance
• The Secretary may conduct compliance reviews to
  determine whether covered entities are complying
  with the applicable requirements of this part 160
  and the applicable standards, requirements, and
  implementation specifications of subpart E of
  part 164 of the subchapter. (Privacy Rule FR p.
  82820)
• Enforcement
• The privacy regulation is to be enforced by the
  DHHS Office for Civil Rights, which will provide
  assistance to providers, plans, and health care
  clearinghouses in meeting the requirements of the
  regulations. (From the DHHS Privacy Fact Sheet)

47
HIPAA Compliance

• Penalties
• Prohibits health plans from refusing to process,
  or from delaying processing of, a transaction
  that is presented in standard format (Section
  1175).
• Civil Monetary penalties for violation of the
  provisions, subject to several limitations.
  Penalties may not be more than 100.00 per person
  per violation and not more than 25,000 per
  person for violations of a single standard for a
  calendar year (Section 1176).
• Criminal penalties for any person that knowingly
  uses a unique health identifier, or obtains or
  discloses IIHI. Subject to fines up to 250K and
  or imprisonment up to 10 years. (Section 1177).

48
HIPAA Web Sites

• WEDi/SNIP
  http//snip.wedi.org
• AFEHCT
  http//www.afehct.org
• HL7
  
  http//www.hl7.org
• Washington Publishing Company
  http//www.wpc-edi.com
• NCPDP National Council for Prescription Drug
  Programs
  http//www.ncpdp.org
• MAHI
  http//www.mahicentral.org
  

49
HIPAA Web Sites

• Health Privacy Project
  http//www.healthprivacy.org
• CMS (formerly HCFA)
  http//www.cms.gov
• DHHS HIPAA Web Site
  http//aspe.os.dhhs.gov/adminsimp/
• P.L. 104-191 (HIPAA) http//aspe.hhs.gov/admnsimp
  /pl104191.htmSubtitle
• P.L. 105-107 (ASCA) http//frwebgate.access.gpo.go
  v/cgi-bin/ getdoc.cgi?dbname107_cong_public_laws
  docidfpubl105.107.pdf

50
Questions?

• Questions?