Briefing: The Impact of HIPAA on the Military Health System - PowerPoint PPT Presentation

Slides: 47
Provided by: lrit1

Transcript and Presenter's Notes


1
  • Briefing: The Impact of HIPAA on the Military
    Health System
  • Date: 20 March 2007
  • Time: 1610 - 1700

2
Objectives
  • Brief review of the history of the Health
    Insurance Portability & Accountability Act
    (HIPAA)
  • Learn what's really required by HIPAA & what's
    not
  • Learn about the new HIPAA requirements on the
    horizon
  • Take advantage of HIPAA resources on the Internet

3
How Did We Get Here?
  • Move toward standard Electronic Data
    Interchange (EDI) Transactions
    and away from paper-based processes
  • Healthcare industry pushing this effort in early
    1990s
  • Workgroup for EDI (WEDI) was taking the lead
  • Estimated $42 billion in net savings (1995-2000)
    - 1993 WEDI Report
  • Recognize the need to protect electronic health
    data
  • Role of those "privacy zealots"

4
History of HIPAA
  • Health Insurance Portability and Accountability
    Act (HIPAA) P.L. 104-191
  • Also known as Kennedy-Kassebaum Bill (K2) or
    Kassebaum-Kennedy, depending on your party
    affiliation
  • House of Representatives passed it 421-2
  • Senate passed it unanimously
  • Signed into law on August 21, 1996, by President
    Clinton

5
HIPAA Components
  • Insurance Portability
  • Accountability (Fraud & Abuse)
  • Administrative Simplification

6
Intents of HIPAA Administrative Simplification
  • Reduce Paperwork
  • Improve Efficiency of Health Systems
  • Protect Security and Confidentiality of
    Electronic Health Information

7
HIPAA Rule Making Process
  • Department of Health & Human Services (DHHS)
    publishes Notice of Proposed Rule Making (NPRM)
  • 60-day comment period
  • Receive written public input
  • Comments reviewed resulting in modifications to
    the Final Rule version
  • Final Rule published in Federal Register
  • Congress has 60 days to make changes
  • Two years before Final Rule becomes effective
  • Normally

8
HIPAA's Original Timeline
  • HIPAA signed into law on August 21, 1996
  • All Final Rules to be issued by February 21, 1998
  • Eighteen months after signing into law
  • Full compliance to be achieved by April 22, 2000
  • We've been under HIPAA for nearly 7 years!!!
  • What happened to the original timeline?
  • DHHS had three (3) Number One priorities
  • Y2K
  • Balanced Budget Act (BBA) of 1997
  • HIPAA

9
Timetable for Adoption of Standards

10
Who Must Use the Standards?
  • Covered Entities (CEs) Include
  • Health Plan
  • Health Care Clearinghouse
  • Health Care Provider (who transmits any health
    information in electronic form in connection with
    any covered transaction)
  • MHS Direct Care System is considered to be a
    Health Care Provider
  • Congress directed DHHS to use existing standards
    wherever possible rather than develop new ones

11
Civil & Criminal Penalties
  • Civil penalty of $100 per violation, up to
    $25,000 maximum per year per HIPAA standard
  • Wrongful disclosure of Individually Identifiable
    Health Information (IIHI)
  • Fined not more than $50,000, imprisoned not more
    than 1 year, or both
  • If offense committed under false pretenses
  • Fined not more than $100,000, imprisoned not more
    than 5 years, or both
  • Continued

12
Civil & Criminal Penalties
  • If offense committed with intent to sell,
    transfer, or use information for commercial
    advantage, personal gain, or malicious harm
  • Fined not more than $250,000, imprisoned not more
    than 10 years, or both

13
ANSI ASC X12N IGs
  • ANSI: American National Standards Institute
  • ASC X12: Accredited Standards Committee (ASC)
    chartered by ANSI to develop standards for
    inter-industry electronic business transactions
    (EDI)
  • X12N is the Subcommittee for Insurance that
    developed the HIPAA EDI standards
  • IGs: Implementation Guides that provide detailed
    formats for implementing the HIPAA EDI standards
  • Version 4010A of the HIPAA IGs is the standard
  • National Council for Prescription Drug Programs
    (NCPDP) developed standards for retail pharmacy
    drug claims

14
Covered Transactions
  • 837 Health Care Claim (3 types)
  • Institutional
  • Professional
  • Dental
  • Retail Pharmacy Drug Claim
  • National Council for Prescription Drug Programs
    (NCPDP) Telecommunication Standard Implementation
    Guide, Version 5.1, September 1999
  • NCPDP Batch Standard Batch Implementation Guide,
    Version 1.1, January 2000

15
Covered Transactions (cont)
  • 270/271 Health Care Eligibility Benefit Inquiry
    and Response
  • 276/277 Health Care Claim Status Request and
    Response
  • 278 Health Care Services Review
  • 820 Payroll Deducted and Other Group Premium
    Payment for Insurance Products
  • 834 Benefit Enrollment and Maintenance
  • 835 Health Care Claim Payment/Advice
  • 837 Coordination of Benefits

16
Mandated Code Sets
  • ICD-9-CM: International Classification of
    Diseases, Clinical Modification for Diagnoses,
    9th Edition (Volumes 1 and 2)
  • ICD-9-CM: International Classification of
    Diseases, Clinical Modification for Inpatient
    Procedures, 9th Edition (Volume 3)
  • CPT-4: Current Procedural Terminology, 4th
    Edition
  • CDT-3: Code on Dental Procedures and
    Nomenclature, 3rd Edition
  • HCPCS: Healthcare Common Procedure Coding System

17
Impact of HIPAA EDI
  • Electronic claims just means faster rejections if
    data is incomplete or incorrect
  • Increasing emphasis on the need for quality data
    the first time
  • Personnel savings may need to be redeployed to
    other areas in order to improve data capture and
    quality
  • 837 is NOT JUST an electronic UB-92 or CMS 1500
  • HIPAA transactions often require more data than
    is currently captured or stored
  • State Prompt Payment laws will still be needed
  • Electronic claims attachments (275) will be a big
    aid once they are available

18
Privacy vs. Security
  • Privacy: What needs to be protected
  • Protected Health Information (PHI)
  • Security: Methods by which we will protect it
  • Need to determine the desired balance among
  • Confidentiality of the data
  • Integrity of the data
  • Availability of the data
  • Final Rules for Privacy issued December 2000 and
    August 2002
  • Security Final Rule issued February 2003

19
Privacy Rule
  • December 2000 Privacy Rule required patients to
    give consent before their protected health
    information (PHI) could be used for treatment,
    payment, or health care operations (TPO)
  • August 2002 Privacy Rule dropped the consent
    requirement
  • Direct health care provider now just has to make
    a good faith effort to obtain an individual's
    written acknowledgement of receipt of the
    provider's Notice of Privacy Practices (NPP)
  • Copy of MHS NPP on TMA HIPAA Web Site

20
Privacy Rule (cont)
  • Authorization by the individual is still required
    before a
    Covered Entity can release PHI for non-TPO
    purposes
  • Life insurance company seeking medical
    information regarding a policy applicant
  • Access without written authorization allowed for
    national and public health needs

21
Privacy Rule (cont)
  • Individual's right of access
  • Patient can see their medical record
  • Can request copies
  • Can request amendments to medical record
  • Provider does not have to make the amendment
  • Preemption: Final Rule cannot supersede more
    stringent state privacy laws
  • Establishes the Federal floor of safeguards
  • You need to know which state privacy laws still
    apply (i.e., those that are more stringent)

22
What Is IIHI?
  • Individually identifiable health information
    (IIHI) is information that is a subset of health
    information, including demographic information
    collected from an individual, and
  • Is created or received by a health care provider,
    health plan, employer, or health care
    clearinghouse
  • Relates to
  • the past, present, or future physical or mental
    health condition of an individual; the provision
    of health care to an individual; or the past,
    present, or future payment for health care
    received by an individual; and that
  • Either identifies the individual or provides a
    reasonable basis to believe the information can
    identify the individual

23
What Is PHI?
  • Protected Health Information (PHI) is IIHI
    that is
  • Transmitted by electronic media
  • Maintained by electronic media
  • Transmitted or maintained in any other form or
    medium (includes written or oral communications)
  • PHI excludes IIHI in
  • Education records covered by the Family
    Educational Rights and Privacy Act (FERPA)
  • Employment records held by a CE in its role as an
    employer

24
Real World Privacy Issues
  • Anonymous medical records identified in
    Massachusetts
  • Governor's record included
  • Survey finds one out of six patients engage in
    privacy protected behaviors
  • Foreign transcriber threatens California medical
    center to release medical records on the Internet
  • Disagreement over back pay

25
HIPAA Security Rule Background
  • Proposed Rule was issued August 12, 1998
    covering Security and
    Electronic Signature
    Standards (39 pages)
  • Many security and privacy recommendations based
    on the National Research Council's 1997 report
    entitled For The Record: Protecting Electronic
    Health Information
  • More than 2,300 comments submitted by individuals
    and organizations

26
HIPAA Security Rule Background (cont)
  • Security Final Rule issued February 20, 2003 (48
    pages)
  • Provisions apply ONLY to electronic Protected
    Health Information (PHI)
  • Does not cover electronic signatures
  • DHHS will issue separate NPRM
  • Awaiting recommendation from National Committee
    on Vital Health Statistics (NCVHS)
  • Date unknown
  • Security Final Rule does not reference or
    advocate specific technology

27
HIPAA Security Rule Background (cont)
  • Intentionally generic, scalable for both small
    and large organizations, technology neutral
  • Each affected entity must assess its own security
    needs and risks and devise, implement, and
    maintain appropriate security measures to address
    its business requirements
  • Measures must be documented and kept current
  • Challenge for the organization to assess their
    own security risks, weigh them, implement
    appropriate solutions

28
HIPAA Security Standards General Rules
  • General requirements Covered entities (CEs)
    must do the following
  • Ensure the confidentiality, integrity, and
    availability of all electronic PHI the CE
    creates, receives, maintains, or transmits
  • Protect against any reasonably anticipated
    threats or hazards to the security or integrity
    of such information
  • Protect against any reasonably anticipated uses
    or disclosures of such information
  • Ensure compliance by its workforce

29
Some Operational Challenges
  • Healthcare staff want to help others
  • We're too trusting
  • Security system is only as good as its weakest
    link
  • 999 secure passwords out of 1000 users is
    NOT good enough
  • Hackers Social Engineering
  • Attempt to exploit our desire to be helpful
  • Not enough to thwart them; need to report it to
    the right person so appropriate actions can be
    taken
  • Continued

30
Some Operational Challenges
  • Don't be a soft target
  • Hackers are lazy
  • Viruses and worms
  • Need to be alert/wary
  • Capability to track access to Protected Health
    Information (PHI)
  • Insurance company example
  • Harvard Community Health Plan
  • Patients can review who accessed their PHI

31
HIPAA Security Considerations
  • How do you dispose of your obsolete PCs?
  • Savannah River DOE example
  • Indianapolis hospital example
  • Do you allow providers to access your network
    from their home PCs?
  • Any penalties for violations?
  • Are they ever enforced?
  • Continued

32
HIPAA Security Considerations
  • Have you outsourced medical transcription?
    If so, how is PHI
    transmitted/stored & protected when off-site?
  • Do your passwords contain both alpha and numeric
    characters as well as special characters/minimum
    length of at least 8 characters?
  • How often are they updated?
  • No yellow Post-Its on the PC monitor or under the
    desktop keyboard

33
Changes on the Horizon
  • National Provider Identifier (NPI)
  • New paper forms (UB-04, revised CMS 1500)
  • Implement use of NPI
  • New draft HIPAA EDI transaction set
  • 275 Electronic Claims Attachment
  • Future use of ICD-10

34
National Provider Identifier (NPI)
  • National Provider Identifier (NPI)
  • Health care providers began applying for NPIs
    beginning May 23, 2005
  • Health care providers, health plans, and health
    care clearinghouses must begin using the NPI in
    standard transactions NLT May 23, 2007
  • Small health plans have until NLT May 23, 2008
  • Is a 10-position numeric identifier (last digit
    is a check figure)
  • Is an intelligence-free number
  • NPI Type 1 for health care providers who are
    individual human beings
  • NPI Type 2 for health care organizations

35
Use of the NPI Type 1 in the MHS
  • HA Policy 05-002 issued 26 January 2005
    regarding NPI Type 1
  • Requires all Health Care Providers who furnish
    billable health care services or who may initiate
    and/or receive referrals to obtain an NPI Type
    1.
  • Services are responsible for ensuring all
    privileged/credentialed providers (including
    Reserve Component) obtain and submit their NPI to
    the TMA designated data base/repository prior to
    23 May 2007
  • Services' SGs have issued Memoranda of Instruction
    detailing Service-specific instructions
  • As of 27 February 2007, 19,711 NPI Type 1
    identifiers have been entered into DMHRSi
  • Still need an estimated 8,711 more NPI Type 1
    identifiers!
  • Only 64 days remaining until 23 May 2007 deadline

36
Use of the NPI Type 2 in the MHS
  • HA Policy 05-012 issued 1 August 2005
    regarding NPI Type 2
  • Requires all organizational health care providers
    within the MHS to obtain an NPI Type 2. These
    include
  • MTFs that bill third party insurers
  • Pharmacy dispensing sites
  • The Services are responsible for ensuring all
    applicable organizational health care providers
    obtain NPI Type 2 identifiers prior to 23 May
    2007
  • As of 27 February 2007
  • 128 NPI Type 2 identifiers for MTFs have been
    entered into DMHRSi
  • 600 NPI Type 2 identifiers for Pharmacy
    Dispensing Sites have been entered into DMHRSi
  • Only 64 days remaining until 23 May 2007 deadline

37
New Paper Bill Forms
  • Use of new revised CMS 1500 Form required
    beginning 1 February 2007
  • Use of new UB-04 Form required beginning 23 May
    2007
  • Both new forms require use of NPIs beginning 23
    May 2007
  • MHS System Change Requests (SCRs) have been
    submitted for making changes to TPOCS and the
    CHCS MSA module to support the new paper claim
    formats
  • CHCS software change package to support the
    UB-04 will be available for MTFs to load
    beginning in early May 2007
  • MTFs need to start ordering the new UB-04 and
    CMS 1500 forms

38
275 Electronic Claim Attachment
  • Claims Attachment NPRM issued 23 September 2005
  • Will simultaneously use both ANSI X12 and HL7 EDI
    standards
  • Six different attachment types proposed
  • Clinical Reports
  • Laboratory Results
  • Medications
  • Rehabilitation Services
  • Ambulance Service
  • Emergency Department

39
ICD-10 Implementation
  • ICD-10's likely coming in 2009-2010
  • AHIMA & AMIA support October 2009 date
  • TMA monitoring status of ICD-10 implementation in
    U.S.
  • Changes will be made in MHS automated information
    systems to support the new code set once it is
    mandated

40
Truisms Regarding HIPAA Compliance
  • Changing the organizational privacy &
    security culture will
    be the BIGGEST challenge
  • HIPAA compliance has no finish line
  • National Committee on Vital Health Statistics
    (NCVHS) recommended in February 2002 more
    clinical messaging formats as potential HIPAA
    standards for an electronic medical record (EMR)
  • New transaction sets will continue to be added
    (e.g., 275 Electronic Claims Attachment)

41
HIPAA Resources on the Internet
  • TMA HIPAA Web site
  • http://www.tricare.mil/hipaa/
  • HA Policy 05-002 NPI Entity Type 1
  • http://www.ha.osd.mil/policies/2005/default.cfm
  • HA Policy 05-012 NPI Entity Type 2
  • http://www.ha.osd.mil/policies/2005/default.cfm
  • National Uniform Billing Committee (NUBC)
  • http://www.nubc.org/new.html
  • National Uniform Claim Committee (NUCC)
  • http://www.nucc.org
  • Continued

42
HIPAA Resources on the Internet
  • CMS HIPAA Web site
  • http://www.cms.hhs.gov/hipaageninfo/01_overview.asp?
  • For the Record: Protecting Electronic Health
    Information, The National Academies Press, 1997
  • http://www.nap.edu or 1-800-624-6242
  • View free on-line version of For the Record
  • http://books.nap.edu/books/0309056977/html/index.html
  • DHHS Office of Civil Rights (OCR)
  • http://www.hhs.gov/ocr/hipaa
  • Continued

43
HIPAA Resources on the Internet
  • Washington Publishing Company
  • HIPAA EDI Implementation Guides
  • http://www.wpc-edi.com/hipaa/HIPAA_40.asp
  • Workgroup for Electronic Data Interchange (WEDI)
  • http://www.wedi.org
  • National Council for Prescription Drug Programs
    (NCPDP)
  • http://www.ncpdp.org
  • National Committee on Vital Health Statistics
    (NCVHS)
  • http://www.ncvhs.hhs.gov

44
Summary
  • History of HIPAA
  • It's been a law since 1996!
  • What's really required by HIPAA & what's not
  • Need to separate truth from fiction
  • New HIPAA requirements on the horizon
  • NPIs, new paper forms (UB-04, revised CMS 1500)
  • Additional covered transactions (e.g., 275)
  • Future use of ICD-10
  • Take advantage of HIPAA resources on the Internet
  • No need to reinvent the wheel!

45
Summary
  • History of the Health Insurance Portability &
    Accountability Act (HIPAA)
  • What's really required by HIPAA & what's not
  • New HIPAA requirements on the horizon
  • HIPAA resources on the Internet

46
Quiz
  • How do you spell HIPAA and what do the letters
    stand for?
  • Who/what needs to get an NPI Type 1?
  • Who/what needs to get an NPI Type 2?
  • What form is replacing the UB-92?
  • What form is replacing the CMS 1500?