An Overview of HIPAA - PowerPoint PPT Presentation

Description: An Overview of HIPAA. Health Insurance Portability and Accountability Act 1996. Rosie Callender, RHIA, HIPAA Project Manager, Morehouse School of Medicine. Slides: 42. Provided by: ker945

Transcript and Presenter's Notes
1
An Overview of HIPAA
  • Health Insurance Portability and Accountability
    Act 1996

Rosie Callender, RHIA, HIPAA Project Manager
Morehouse School of Medicine Compliance Office
2
  • TOPICS COVERED
  • What is HIPAA?
  • HIPAA Overview
  • Title II Administrative Simplification
    Provisions
  • HIPAA Objectives
  • Who Must Comply with HIPAA - Covered Entities
  • Penalties For Non-compliance / Enforcement Agency
  • What information is protected by HIPAA
  • Permitted Uses and Disclosures
  • HIPAA Privacy Rule Key Elements

3
  • WHAT IS HIPAA
  • Health
  • Insurance
  • Portability
  • Accountability
  • Act of 1996

4
HIPAA OVERVIEW
Health Insurance Portability and Accountability
Act (HIPAA)
  • Administrative Simplification (Accountability)
    - Transactions, Code Sets: Compliance by 10/16/03
    - National Provider Identifiers: Published
      1/23/04, Effective 5/23/05, Compliance by
      5/23/07
    - Privacy: Compliance Date 4/14/2003
    - Security: Final Regulations Published on
      2/20/03, Compliance Date 4/20/2005
  • Insurance Reform (Portability)
5
TITLE II - ADMINISTRATIVE SIMPLIFICATION
PROVISIONS
6
HIPAA Objectives
  • Insurance portability and continuity - protect
    the insurability of individuals
  • Accountability - reduce the potential for waste,
    fraud and abuse
  • Administrative Simplification - apply uniform
    standards to electronic data transactions in a
    confidential and secure environment.

7
Expected Results of Administrative Simplification
  • Reduce handling and processing time
  • Eliminate the risk of lost paper documents
  • Eliminate the inefficiencies of handling paper
    documents
  • Improve overall data quality / fewer errors
  • Decrease administrative costs
  • Increase faith in the protection of patients'
    personal health information
  • Thus, improve quality of patient care!

8
What is HIPAA?
  • HIPAA: Health Insurance Portability and
    Accountability Act
  • A Federal Law created in 1996
  • H  Health
  • I  Insurance
  • P  Portability and
  • A  Accountability
  • A  Act

HIPAA Administrative Simplification: Electronic
Transactions, Privacy, Security, Code Sets, Unique
Identifiers
9
WHY HIPAA?
  • Healthcare Fraud and Abuse on the Rise
  • Patient Records Found on Street
  • Healthcare costs out of control
  • TEMP DUMP MEDICAL RECORDS
  • Hospital Security Breach
10
Who must comply with HIPAA - COVERED ENTITIES
  • Health care providers that transmit or maintain
    patient identifiable information.
  • Health plans that provide or pay the cost of
    medical care, including Medicare and Medicaid
  • Health care clearinghouses that process data
    elements or transactions
  • Employees (indirectly)

11
Covered Entity
  • Provides health care
  • Conducts one or more standard HIPAA
    transactions.
  • Transmits or receives standard transactions in
    electronic form, or
  • Performed through a Business Associate.

12
HIPAA Privacy Rule Key Elements
  • Business Associates (BA)
  • A person or entity that, on behalf of a Covered
    Entity, accesses and uses PHI to perform or assist
    in the performance of a function or activity for
    the CE.
  • Does not include a member of the workforce or
    volunteers.
  • Business Associate Agreement
  • Must have a contract requiring the BA to keep PHI
    safeguarded
  • Contract must have the required elements described
    in the regulations
  • Must include other HIPAA-related
    risk/liability
  • Does not apply to disclosure of PHI to
    providers for treatment
  • If the CE becomes aware of a violation by the
    BA and fails to act, it can be penalized
  • Existing contracts will not have to be compliant
    until 4/14/2004.

13
HIPAA ELECTRONIC TRANSACTIONS
  • An entity is regulated by the Privacy Rule as a
    Covered Entity if it does any of the following
    electronically:
  • Claims or equivalent encounter information
  • Payment and Remittance Advice
  • Claim Status Inquiry and Response
  • Eligibility Inquiry and Response
  • Referral Certification and Authorization Inquiry
    and Response
  • Enrollment and Disenrollment in a Health Plan
  • Health Plan Premium Payments
  • Coordination of Benefits

14
STANDARD CODE SETS
  • Combination of HCPCS / CPT-4: Physician services
    and other health care services
  • HCPCS: Medical supplies, orthotics and other
    equipment
  • ICD-9-CM, Vols 1 & 2: Conditions and other health
    problems, manifestations
  • Code on Dental Procedures and Nomenclature (CDT):
    Dental services
  • NDC National Drug Codes: Drugs/Biologics
  • NOTE: Local codes are replaced by standard codes.

15
PENALTIES For Non-compliance

                    Monetary Penalty   Term of Imprisonment   Offense
CIVIL PENALTIES     $100               N/A                    Single violation of a provision
CIVIL PENALTIES     Up to $25,000      N/A                    Multiple violations of an identical requirement or prohibition made during the calendar year
CRIMINAL PENALTIES  Up to $50,000      Up to one year         Wrongful disclosure of individually identifiable health information
CRIMINAL PENALTIES  Up to $100,000     Up to five years       Wrongful disclosure of individually identifiable health information committed under false pretenses
CRIMINAL PENALTIES  Up to $250,000     Up to 10 years         Wrongful disclosure of individually identifiable health information committed under false pretenses with intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm
16
Enforcement Agency
  • Department of Health and Human Services Office of
    Civil Rights (OCR) will
  • investigate complaints
  • enforce compliance
  • impose civil monetary penalties
  • Department of Justice will
  • enforce criminal penalties
  • Centers for Medicare and Medicaid Services (CMS)
    will
  • oversee compliance with Transactions, Code Sets
    and Identifiers

17
HIPAA PRIVACY RULE Key Elements
  • WHAT IS COVERED?
  • Protected Health Information (PHI)
  • Individually identifiable health information
    transmitted or maintained in any form or
    medium.
  • Individually Identifiable Health Information
  • Health information, including demographic
    information
  • Created or received by a covered entity
  • Relates to the individual's physical or mental
    health, or provision of, or payment for, health
    care.
  • Identifies the individual


18
HIPAA PRIVACY RULE Key Elements
Individually Identifiable Health Information -
identifiers:
  • Name
  • All geographic subdivisions smaller than state
  • Birth date
  • Telephone/Fax numbers
  • E-mail addresses
  • Social Security Number
  • Medical Record Number
  • Health Plan Number
  • Account Number
  • Certificate / license number
  • Vehicle identifier/serial number
  • Device identifier/serial number
  • Uniform Resource Locators (URLs)
  • IP addresses
  • Biometric identifiers
  • Photos
  • Other unique characteristics
  • Full face photograph
19
HIPAA PRIVACY RULE Key Elements
  • WHAT IS NOT COVERED?
  • Not PHI:
  • Employment records
  • Family Educational Rights and Privacy Act
    (FERPA) records
  • De-identified Records
  • Removal of certain identifiers so that the
    individual who is the subject of the PHI can no
    longer be identified.
  • A statistical expert has determined that the risk
    of identification is small
  • Facility may assign a code or other means to
    allow for re-identification
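The de-identification these two slides describe (strip the listed identifiers, generalize the birth date, keep a separately stored code for re-identification) is shown here as an added example; it is not material from the presentation, and the field names, the sample record and the re-identification scheme (a keyed hash of the medical record number) are constructed for illustration:

```python
"""Safe-Harbor-style de-identification of a patient record (added example).

Drops the identifier fields the slides list, scrubs identifier patterns
from free-text fields, reduces the birth date to a year, and keeps the
re-identification code in a separate mapping so the de-identified record
alone does not identify the patient. All field names are constructed.
"""
import hashlib
import hmac
import re
from datetime import date

# Fields whose whole value is a direct identifier (constructed field names,
# one per identifier category on the slide; "state" itself is kept).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "zip", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_no", "license_no", "vehicle_id",
    "device_serial", "url", "ip", "biometric", "photo",
}

# Identifier patterns that leak into free text such as clinical notes.
# Order matters: URLs before e-mail, SSN before the looser phone pattern.
FREE_TEXT_PATTERNS = [
    (re.compile(r"https?://\S+"), "[URL]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[DATE]"),
]


def scrub_text(text):
    """Replace every identifier pattern in free text with a label."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def generalize_birth_date(iso_date, today):
    """Keep only the birth year; ages over 89 collapse to '90+'."""
    born = date.fromisoformat(iso_date)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    return {"birth_year": "90+" if age > 89 else str(born.year)}


def reid_code(mrn, secret):
    """Re-identification code: keyed hash, so the code cannot be derived
    from the MRN without the facility's secret key (constructed scheme)."""
    return hmac.new(secret, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def deidentify(record, secret, today=None):
    """Return (de-identified record, {code: mrn}); the mapping is stored
    separately from the released data."""
    today = today or date.today()
    code = reid_code(record["mrn"], secret)
    out = {"reid_code": code}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                                  # drop outright
        if field == "birth_date":
            out.update(generalize_birth_date(value, today))
        elif isinstance(value, str):
            out[field] = scrub_text(value)            # clean free text
        else:
            out[field] = value
    return out, {code: record["mrn"]}


# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "mrn": "MRN-00042",
    "name": "Jane Q. Sample",
    "birth_date": "1951-03-12",
    "street": "22 Example Road",
    "city": "Atlanta",
    "state": "GA",
    "zip": "30303",
    "phone": "(404) 555-0100",
    "email": "jane.sample@example.com",
    "diagnosis_code": "250.00",
    "notes": "Pt called from 404-555-0100; SSN 123-45-6789 on file. Follow-up 4/14/2005.",
}

if __name__ == "__main__":
    released, key_map = deidentify(SAMPLE_RECORD, b"facility-secret", date(2005, 4, 20))
    print(released)
    print(key_map)
```

The released record keeps only state, year of birth, the diagnosis code and the scrubbed note; the code-to-MRN mapping is the "other means" the slide mentions and must be protected like PHI itself.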

20
HIPAA PRIVACY RULE Scope
  • Consumer control of information
  • Patient privacy rights defined
  • Boundaries of Medical Record Usage
  • Access controls to information
  • Security measures for patient information
  • Assignment of Privacy Officer
  • Business Associate contracts

21
IMPACT ON PROVIDERS
OPERATIONAL
  • New Administrative and Clinical Procedures
    (Example: Billing, Operations, Coding, Claims
    Processing)
  • Contracts and/or Chain of Trust Agreements
    (Example: providers, payers, clearinghouses,
    other healthcare service companies)

MANAGERIAL
  • Leadership Support
  • New or Revised Policies and Procedures
  • Training of Staff

TECHNOLOGICAL
  • Interoperability (hardware, software,
    connectivity)
  • Vendor Management
  • Security Infrastructure
22
Maintain a HIPAA-compliant Environment
  • Make obvious changes as soon as possible
  • Protect your patients' privacy and rights
  • Don't leave medical information where people can
    see it
  • Control access to your department
  • Don't leave information on desktops
  • Use a screen saver
  • Identify patients properly before giving
    information
  • Lock your desktop when you leave it, even to run
    to the copier
  • Can others overhear PHI when you speak on the
    telephone?
  • Can passers-by easily read your computer screen?

23
HIPAA Privacy Rule Key Elements
  • Notice of Privacy Practices
  • An individual has a right to adequate written
    notice of:
  • uses and disclosures of PHI that may be made by
    the covered entity, and
  • the individual's rights and the covered entity's
    legal duties with respect to PHI
  • Must be given by direct treatment providers on
    first service delivery after the compliance date
  • Written Acknowledgement of Receipt of Notice

24
HIPAA Privacy Rule Key Elements
  • Individual Rights
  • Access, copy, inspect
  • Request amendments/corrections
  • Restrict disclosures
  • Request confidential communications
  • Accounting of disclosures
  • Information on how to file a complaint


25
HIPAA Privacy Rule Key Elements
  • Designated Record Set
  • A group of records maintained by or for a covered
    entity that may include
  • Medical records
  • billing records
  • Enrollment, payment, claims adjudication
  • case or medical management records systems
  • Used for the covered entity to make decisions
    about individuals

26
HIPAA Privacy Rule Key Elements
  • Uses and disclosures of PHI
  • Required Disclosures
  • To individuals who request access, and
    accounting of disclosures.
  • To HHS to investigate or determine compliance
    with Privacy Rule.
  • Permitted Disclosures
  • To individuals
  • For treatment, payment and health care operations
  • Public policy purposes
  • Family, friends, advocates / opportunity for the
    individual to agree or object
  • Incidental disclosures
  • Limited Data Set
  • Authorized Disclosures
  • For other uses or disclosures not required nor
    permitted.
  • Special rules for marketing and psychotherapy
    notes

27
Commonly Used Terminology
TPO
  • Treatment of patients
  • Payment for treatment
  • Health Care Operations

28
Commonly Used Terminology
  • Health Care Operations
  • Activities related to the Covered Entity's
    functions
  • Quality assessment and improvement activities
  • Reviewing the competence and qualifications of
    health care professionals
  • Conducting training programs in which students
    and trainees learn under supervision
  • Conducting medical reviews, legal services, and
    auditing functions
  • Business planning and development
  • Business management and general administrative
    activities
  • Customer service
  • Resolution of grievances
  • Creating de-identified information or limited
    data set.

29
HIPAA Privacy Rule Key Elements
  • Minimum Necessary Standard
  • Must make reasonable efforts to limit the use or
    disclosure of, and request for, PHI to the
    minimum necessary to accomplish the intended use.
  • Exceptions:
  • Treatment,
  • Disclosure to the individual,
  • Disclosure to HHS/OCR, or
  • Required by law
  • Permits incidental uses or disclosures as long
    as reasonable safeguards are in place.
  • Role-based access: in the workplace, access to
    health information should be on a need-to-know
    basis.
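One way the minimum necessary standard and role-based access on this slide translate into an access decision, as an added example rather than anything from the presentation: the roles, purposes, field names and sample record are constructed, and the policy shape follows the slide (each role receives only the fields its job needs, the listed purposes are exempt from the limit, and every decision is logged so disclosures can later be accounted for).

```python
"""Minimum-necessary, role-based release of PHI fields (added example).

Roles, purposes, field names and the sample record are constructed.
"""

# Fields each workforce role needs to do its job (constructed catalogue).
ROLE_FIELDS = {
    "billing_clerk": {"name", "health_plan_id", "diagnosis_code", "charges"},
    "scheduler": {"name", "phone", "next_appointment"},
    "it_support": set(),   # maintains the system, never reads clinical content
}

# Purposes the slide lists as exceptions to the minimum-necessary limit.
EXEMPT_PURPOSES = {
    "treatment",
    "disclosure_to_individual",
    "disclosure_to_hhs_ocr",
    "required_by_law",
}


def minimum_necessary(record, role, purpose, requested=None, audit_log=None):
    """Return (released, denied) for one access and append an audit entry.

    released: the subset of `record` the requester may receive.
    denied:   requested field names that were withheld, sorted.
    """
    requested = set(record) if requested is None else set(requested)
    if purpose in EXEMPT_PURPOSES:
        allowed = set(record)                    # exception: no field limit
    else:
        allowed = ROLE_FIELDS.get(role, set())   # unknown role gets nothing
    allowed &= requested                         # never release more than asked
    released = {k: v for k, v in record.items() if k in allowed}
    denied = sorted(requested - allowed)
    if audit_log is not None:                    # supports accounting of disclosures
        audit_log.append({
            "role": role,
            "purpose": purpose,
            "released": sorted(released),
            "denied": denied,
        })
    return released, denied


# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "name": "J. Sample",
    "phone": "404-555-0100",
    "ssn": "123-45-6789",
    "health_plan_id": "HP-77",
    "diagnosis_code": "250.00",
    "charges": 120.0,
    "next_appointment": "2005-05-02",
}

if __name__ == "__main__":
    log = []
    released, denied = minimum_necessary(
        SAMPLE_RECORD, "billing_clerk", "payment", ["name", "ssn", "charges"], log)
    print(released, denied, log[-1], sep="\n")
```

A billing clerk asking for name, SSN and charges for payment receives name and charges and is denied the SSN; a clinician requesting the record for treatment is not limited; a role with no entitlement receives nothing, and each outcome lands in the log.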

30
HIPAA Privacy Rule Key Elements
  • Privacy Complaints
  • CE must provide a process for individuals to make
    complaints concerning the CE's policies and
    procedures and its compliance with the privacy
    rule.
  • Complaints can be filed with the CE or DHHS/OCR

31
HIPAA Privacy Rule Key Elements
  • Other Requirements
  • Privacy Training
  • Safeguards
  • Mitigation process
  • Policies and procedures in place
  • Sanction process

32
HIPAA RESEARCH
  • Access to PHI by researchers
  • With Authorization obtained from patient
  • Without Authorization
  • Documented IRB approval of a Waiver of
    Authorization
  • Submit justification Preparatory to research
  • Research on PHI of Decedents
  • Limited Data Sets with a Data Use Agreement
  • De-Identified Information ( not covered by HIPAA)

33
HIPAA RESEARCH
  • References
  • MSM HIPAA Website
    http://www.msm.edu/hipaa/index.htm
  • Office of Civil Rights (OCR)
    http://www.hhs.gov/ocr/hipaa
  • National Institutes of Health
    http://privacyruleandresearch.nih.gov
  • American Health Information Management
    Association http://www.ahima.org
  • OCR Frequently Asked Questions
    http://www.hhs.gov/ocr/hipaa/whatsnew.html
  • Summary of HIPAA Privacy Rule
    http://www.hhs.gov/ocr/privacysummary.pdf

34
Specific Security in Privacy
  • Effective compliance with the Privacy regulations
    is dependent on the security of patients' PHI.
  • Role-based access required under minimum
    necessary rule
  • Verification and authentication of individuals
    and authorities requesting PHI
  • Security required by Privacy Rule applies to PHI
    in all forms

35
Definitions for Privacy Security
  • Privacy is the right of an individual to keep
    information about him/her from being disclosed to
    others.
  • Confidentiality is the obligation of another
    party to respect privacy by
    - protecting personal information they receive, and
    - preventing it from being used or disclosed
      without the subject's knowledge or permission.
  • Security is the means used to protect integrity,
    availability and confidentiality of information.
  • Physical, technical and administrative safeguards

36
Specific Security in Privacy
  • HIPAA Security standards address organizational
    and facility security, not just Information
    Systems
  • Requirements in four areas address health care
    data integrity, confidentiality and availability:
  • 1. Administrative procedures
  • 2. Physical safeguards
  • 3. Technical security services
  • 4. Technical security mechanisms
  • The HIPAA Security standards protect all e-PHI
    (electronic protected health information)

37
HIPAA Security (contd)
What is Information Security? All protections in
place to ensure that PHI is kept:
  • confidential (confidentiality)
  • not improperly altered or destroyed (integrity)
  • readily available to authorized users
    (availability)
These principles represent the heart of any
information security program.
38
HIPAA Security (contd)
  • The HIPAA Security standards provide the
    mechanisms that support efforts to protect
    privacy.
  • It covers information
  • on hard drives
  • on removable/transportable digital memory
    medium (magnetic tape/disk)
  • transported electronically via the internet,
    e-mail or other means.

39
YOUR RESPONSIBILITIES
  • Properly manage your password
  • Prevent the spread of viruses
  • Properly dispose of material with PHI (hard
    copy)
  • Contact DITS to clear disks and hard drives of
    all PHI before selling or giving computer to
    another user
  • Protect the system from outside threats (hackers,
    malicious software)
  • Do not use unauthorized software or hardware
  • Follow the organization's policies regarding the
    use of PDAs and laptops.
  • Be familiar with the organization's Information
    Security policies.
  • Use common-sense security

40
HIPAA Web Sites
  • HHS Administrative Simplification Page
    http://aspe.os.dhhs.gov/admnsimp
  • American Health Information Management Association
    http://www.AHIMA.org
  • Office of Civil Rights - HIPAA
    http://www.hhs.gov/ocr/hipaa/privacy.html
  • CMS Website http://www.cms.hhs.gov/hipaa/hipaa2/
  • Workgroup for Electronic Data Interchange
    http://www.wedi.org
  • OCR Guidelines to Final Regulations (12/04/2002)
    http://www.hhs.gov/ocr/hipaa/guidelines/AllSectionsCombined.doc
  • MSM HIPAA Website http://www.msm.edu/hipaa/index.htm
41
QUESTIONS?
Rosie Callender, RHIA, HIPAA Project Manager
Morehouse School of Medicine Compliance Office
22 Piedmont Road, Atlanta, GA 30303
(404) 756-1345
rcallend@msm.edu