Part III - PowerPoint PPT Presentation

Provided by: Prefer1128
Slide 1: Part III HIPAA Reference
  • HIPAA In General
  • Background
  • Why Employers Should Care?
  • Overview of Requirements
  • EDI Transaction Standards
  • Security
  • Privacy
  • HIPAA Compliance Implementation

Slide 2: Background - In General
  • Enacted in 1996, HIPAA was to incrementally
    address various issues within the health care
    industry
  • Major elements include
    - Improved health coverage portability requirements
    - Prohibitions on discrimination based on health
      status
    - Increased fraud enforcement
    - Simplifying health care claim payment process to
      reduce administrative costs
      - Primarily by standardizing electronic data
        transactions, which raises security and privacy
        concerns

Slide 3: Background - Statutory Structure
HIPAA's five titles, as charted on the slide:
  • Title I: Guarantees health insurance portability and
    renewal
  • Title II: Administrative simplification
  • Title III: Tax provision for medical savings accounts
  • Title IV: Enforcement of group health plan provisions
  • Title V: Revenue offset provisions
Slide 4: Background - Why was HIPAA Needed?
  • Healthcare industry
    - Need for ease of data transfer
    - Move from paper to EDI (electronic data
      interchange)
    - Economic reasons
    - The patient as the consumer
    - Increasing privacy and confidentiality concerns
  • Legislative issues
    - 50 different states, with different laws, lack of
      consistency with no minimum floor

Slide 5: Why Employers Should Care? In General
  • Although not a covered entity, any employer that
    provides group health benefits will be at least
    indirectly affected
  • Employers with self-funded plans will be
    considered hybrid entities and their health
    plan operations will be directly subject to the
    rules
  • Company access to employee health plan records
    for employment reasons (including administration
    of other benefit plans and laws) will be further
    limited
  • Federal preemption of state laws will be limited
    to establishing minimum floor protection
  • Certain customary practices may have to be changed

Slide 6: Why Employers Should Care? Penalties
  • Civil Monetary Penalties
    - $100 for each violation
    - $25,000 maximum per year, per violation
Slide 7: Why Employers Should Care? Compliance Deadlines
  • HIPAA's administrative simplification
    incorporates three major distinct but overlapping
    components, each with different compliance
    deadlines
    - Electronic transaction standards: generally 10/16/03
    - Privacy: generally 4/14/03
    - Security: generally 4/21/05
  • For more information
    - http://aspe.hhs.gov/adminsimp.Index.htm
    - http://www.hhs.gov/ocr/hipaa
    - http://www.ibiweb.org/news/HIPAA

Slide 8: EDI Transaction Standards - In General
  • HIPAA requires standardization of these
    electronic health care transactions
    - Health claims or similar encounter information
    - Enrollment and disenrollment in a health plan
    - Eligibility for a health plan
    - Health care payment and remittance advice
    - Health plan premium payments
    - Health claim status
    - Referral certification and authorization
    - Health claims attachments (to be issued in the
      future)
    - First report of injury (to be issued in the
      future)

Slide 9: EDI Transaction Points of Contact
Diagram of transaction flows among Patient/Consumer,
Payers, and Sponsors, with X12 transaction set numbers:
  • Need HC Insurance (Form)
  • Enrollment (834)
  • Payroll Deduction (Non-HIPAA Transaction)
  • Invoice (811)
  • Premium Pmt (820)
  • Eligibility (270) / Response (271)
  • Referral (278) / Response (278)
  • Claim (837) / Need more info (277)
  • Claim Inquiry (276) / Response (277)
  • Payment/EOB (835)
  • EOB (Paper)
Slide 10: EDI Transaction Standards - Unique Identifiers
  • Eventually HIPAA will require use of unique
    identifying numbers for employers and for covered
    entities (i.e., health plans, providers, and
    clearinghouses)
  • To date, only the employer identifier standards
    have been finalized (the employer's federal tax
    identification number must be used)
  • The controversial use of a unique identifier for
    employees has been withdrawn

Slide 11: Security - In General
  • Intended to minimize risk of intentional or
    accidental disclosure or misuse, or the loss or
    corruption of patient-identifiable health
    information
  • Sets a floor of minimum administrative, physical,
    and computer security standards to protect
    medical data
  • Reflects commonly accepted security safeguards
    widely used across many industries
  • Security measures to be tailored to the
    organization's risk analyses, technical
    environment, and business needs

Slide 12: Security - Employer Implications
  • Typically, will require developing and/or
    modifying a number of IT/IS policies, procedures,
    and protocols with respect to individual health
    information that is generated, transmitted, or
    stored electronically
    - With respect to both the covered entity and its
      business associates
  • Thus, early involvement of IT/IS staff in an
    employer's HIPAA compliance effort is critical
  • Not uncommon for employers to engage a
    specialized IT/IS consultant to help assess
    compliance gaps and implement corrective steps

Slide 13: Privacy - In General
  • Rules apply to all individually
    patient-identifiable health information whether
    in paper or electronic form
  • Key terms
    - Protected Health Information (PHI)
    - Covered Entity
    - Business Associate

Slide 14: Privacy - Protected Health Information
  • PHI = individually identifiable health
    information created or received by a covered
    entity
  • Individually identifiable health information:
    - Any information that relates to an individual's
      past, present, or future physical or mental
      condition, or the provision or payment of health
      care, and
    - That specifically identifies the individual (or
      there is a reasonable belief that the individual
      can be identified), AND WHICH IS
    - Created or received by a covered entity
  • Can be in any form (oral, written, or electronic)
  • Examples: claims data, and (depending on source)
    enrollment data, and employee contribution
    information

Slide 15: Privacy - De-Identification Requirements
  • Covered entities are permitted to use PHI to
    create de-identified information for their own
    unlimited use or for unlimited use by another
    entity without authorization from individuals
  • De-identified information = health care
    information which does not identify the
    individual or that which the covered entity has
    no reasonable basis to believe can be used to
    identify the individual
  • While use of such generic information may be
    useful for certain types of broad-based trend
    studies, it is probably not useful to achieve
    most other business objectives
  • Use of certain types of partially de-identified
    information (summary information or limited data
    sets) allowed for specific limited purposes
    - Enrollment/disenrollment data
    - Aggregate claims history / expenses / types of
      claims data for coverage renewals and plan design
      changes

Slide 16: Privacy - Covered Entity
  • All health care providers
  • All health care payers (including managed care
    organizations, carriers, and self-funded
    employers)
  • All health care clearinghouses that process
    claims, or route electronic claims
  • Certain health plans
    - Health insurers (including HMOs), and
    - Group health plans with 50 or more participants or
      administered by an entity other than the employer
      that established and maintains the plan

Slide 17: Privacy - Covered Entity (cont.)
  • Employers, as a whole, typically are not covered
    entities
  • Thus, most employers are not directly subject to
    HIPAA privacy regulations
  • However, certain components of an employer might
    constitute a covered entity (e.g., self-funded
    group health plan)
  • Hybrid employers will be subject to various
    requirements and obligations
    - Firewalls must be created between covered and
      non-covered functions
    - Plan cannot share PHI with non-health plan
      component of employer unless plan sponsor
      certifies plan has been amended to limit use and
      disclosure of PHI and that safeguards are in
      place
      - Exceptions for limited enrollment activities

Slide 18: Privacy - Business Associates
  • Business associate = any outside entity to which
    covered entities disclose PHI to perform
    necessary functions
    - E.g., third-party administrators, case managers,
      attorneys, collection agencies, claims auditors,
      consultants
    - Does not include plan sponsors, insurers, or
      disclosures from a covered entity to a health
      care provider for treatment of an individual
  • Covered entities must have agreements in place to
    contractually bind BAs to limit use of PHI to
    designated purposes and to comply with covered
    entity-type confidentiality rules

Slide 19: Privacy - Business Associates (cont.)
  • Covered entities have potential civil and
    criminal liability exposure for breaches by BAs
  • Thus, there is an obligation to monitor your BAs'
    activities
    - Under final regulations, however, action needs to
      be taken only if there is actual knowledge of a
      material violation
  • Compliance deadline
    - Generally, all BA agreements must be in place by
      4/14/03
    - However, any BA agreements in place prior to
      10/15/02 will be deemed sufficient until 4/14/04
      (unless the agreement terminates or is modified
      in any way prior to that date)

Slide 20: Privacy - Basic Requirements
  • Patients have the right to understand and control
    how their health information is being used
  • Providers and health plans must give individuals
    clear, written notice of how they use, keep, and
    disclose their health information
  • Individuals have the right to access their medical
    records (to view, make copies, request
    amendments, and obtain an accounting of non-routine
    disclosures)
  • Individual authorizations required before
    information is released in most non-routine
    situations
  • Covered entities accountable for use and release
    of information, with recourse available if
    privacy is violated

Slide 21: Privacy - Basic Requirements (cont.)
  • Use of individual health information generally
    limited to health purposes
  • PHI cannot be used for purposes other than
    treatment, payment, or health care operations
    without individual authorization
  • Individual authorizations must be informed and
    voluntary
  • Reasonable efforts must be undertaken to limit
    release of information to minimum necessary
    amount
  • Minimum necessary amount requirement applies to
    use of protected health information for payment
    or health plan operations, but not for treatment
    purposes

Slide 22: Privacy - Basic Requirements (cont.)
  • Minimum privacy safeguard standards established
    for covered entities (with similar requirement
    applicable to BAs by contract and plan sponsor by
    plan amendment)
  • Adoption of written privacy procedures, with
    safeguards and sanctions specified
  • Periodic distribution of privacy notice
  • Training of employees on handling PHI
  • Designation of a privacy officer (covered
    entities only)
  • Establishment of a grievance / complaint
    procedure
  • Recordkeeping with respect to PHI disclosures

Slide 23: HIPAA Implementation - Basic Phases
  • Phase I
    - Awareness / Education
    - Preliminary scope assessment
    - Budgeting
    - Task force team selection
  • Phase II
    - Detailed current PHI flow and use analysis
    - Detailed compliance gap analysis
  • Phase III
    - Implementation of prioritized action item list