What it Means for You and Your Organization

Transcription

1 HIPAA What it Means for You and Your Organization Wednesday, October 17, 2001 Mark J. Rich Jennifer Hillery, JD, CPC Colin J. Zick, Esq. Feeley & Driscoll, P.C. Feeley & Driscoll, P.C. Foley, Hoag & Eliot LLP October 17, 2001 FEELEY & DRISCOLL, P.C. Certified Public Accountants Business Consultants

2 Background Health Insurance Portability and Accountability Act of 1996 One of the most important pieces of public health legislation since the Social Security Amendments of 1965, which established the Medicare insurance program Signed into law by President Clinton on August 21,

3 Legislative Intent Safeguarding health insurance coverage for workers and their families when they change or lose their jobs Reduction of healthcare program fraud and abuse Administrative simplification Safeguarding the privacy of personal medical information 2

4 Administrative Simplification Intended to improve the Medicare and Medicaid programs in particular and the efficiency and effectiveness of the healthcare industry in general by encouraging the development of a health information system through the establishment of standards and requirements to facilitate the electronic transmission of information 3

5 Why is Simplification Necessary? Growing use of EDI Proliferation of non-standard formats and data variations Streamline and reduce costs Industry consensus 4

6 Privacy of Health Information First comprehensive Federal protection for the privacy of health information» Gives patients more control over their health information» Sets boundaries on use and release of health records» Establishes appropriate safeguards that providers and others must achieve to protect the privacy of health information» Holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients privacy rights» Strikes a balance when public responsibility requires disclosure of some forms of data October 17, 2001 FEELEY & DRISCOLL, P.C. Certified Public Accountants Business Consultants Visit us at Call us at

7 Regulatory Components Standards for Electronic Transactions/Code Sets» Administrative and financial transactions (e.g. claims, remittance advices, enrollment/disenrollment, referral certifications, etc.)» Code set = any set of codes to encode data elements (e.g. tables of terms, medical concepts, diagnosis codes, procedure codes, etc.) National Standard Identifiers (i.e. ID # s)» Providers» Employers» Health Plans» Individuals (on hold due to privacy concerns) 6

8 Regulatory Components Security and Signature Requirements» Security standards safeguard individual health info, while permitting appropriate access and use» Standard for e-signatures in transmission of HIPAA standard transactions Privacy of Individually Identifiable Health Info» Gives patients new rights and protections against misuse or disclosure of health records Enforcement» Establish penalties for violations (set within statutory guidelines) 7

9 Implementation Schedule Est. Date Proposed Final Effective Compliance Regulation Rule Rule Date Required Standards for Electronic Transactions and Code Sets 7-May Aug Oct Oct-02 National Standard Health Care Provider Identifier 7-May-98 National Standard Employer Identifier 16-Jun-98 Security and Signature Requirements 12-Aug-98 Privacy of Individually Identifiable Health Information 3-Nov Dec Apr Apr-03 National Health Plan Identifier Claims Attachments (Transaction Standard) First Report of Injury (Transaction Standard) Enforcement 8

10 Focus on Compliance 62% of compliance officers say HIPAA privacy regulation compliance is the biggest issue facing their organization today 84% selected HIPAA privacy regulation compliance as their top goal over the next 3 years 9

11 HIPAA: THE PRACTICAL IMPACT OF THESE NEW RULES FOR YOU AND YOUR ORGANIZATION

12 Are you within HIPAA? Are you a covered entity? These include:» Health care providers» Health plans» Health care clearinghouses Is there individually identifiable health information ( IIHI )? Is there transmission of IIHI (in any form?) October 17,

13 HIPAA Milestones: August 21, HIPAA becomes law May 7, HHS proposes standards for health care transactions June 16, HHS proposes national standard employer identifier August 11, HHS proposes security standards for electronic health data August 17, HHS publishes final rule on standards for electronic health care transactions December 28, 2000 HHS publishes privacy rule

14 Key HIPAA Deadlines: October 16, 2002 Deadline for compliance with standards for electronic health care transactions April 14, 2003 Deadline for compliance with HIPAA privacy rules

15 Dealing with HIPAA s Standards Understand the regulations (as painful as that may be) Talk to others within your organization about them Establish an internal HIPAA work group Join external HIPAA work groups

16 HIPAA Issues for 2002: 1) What to do in the face of uncertainty about the state of the regulations and their enforcement? 2) Operational issues under HIPAA: a) Means of transmission of health information b) Consent and authorization for use and disclosure of health information c) Patients and their interaction with their health information 3) Technical Issues a) Patient information b) Systems and transmission requirements

17 What to do about uncertainty about the fate of HIPAA? 1. Watch the finish line, not the race or the runners: a) It s now readily apparent that most lawyers and consultants don t know what is going to happen any more than you do! b) Don t spend your limited resources too early. 2. Embrace uncertainty: a) There will still be changes in how the regulations are enforced. b) Focus on general themes that existed pre-hipaa and are continued under HIPAA: confidentiality, consent and authorization for use and disclosure. c) Prepare your board and staff to act quickly when changes in the rules or their application occur.

18 HIPAA s Impact on Providers: New standards for health care transactions, data and information privacy This means:» Review of billing systems» Review of billing procedures» Review of clinical procedures» Education of physicians and administrative staff» New forms and rules for patients

19 Implementing HIPAA Standards General Issues Identify key internal players and delegate responsibility Designate a privacy officer Plan internal educational programs Prepare patient communications

20 HIPAA Implementation Issues Under the Privacy Rules: 1) Envision the future and the big picture 2) Outline specific HIPAA implications: a) Initiate security analyses b) Redesign processes, policies and procedures c) Training implications d) Contracting issues e) New release and intake forms

21 Implementing HIPAA Standards Action Plan 1) Identify compliance leader, and key staff to include in Task Force, such as a) Security Officer b) Director of Information Systems c) Director of Medical Records d) Director of Patient Accounting e) Director of Patient Registration/Admitting f) System owners, analysts, key users

22 Implementing HIPAA Standards Action Plan (con t) 2) Assess compliance levels for: a) System security and functionality b) Third party transactions c) Privacy

23 Implementing HIPAA Standards Action Plan (con t) 3) Issues for health care administrators (e.g., human resources, finance): a) Physicals b) Drug tests c) Verification of benefits

24 A. Means of transmission issues: HIPAA provides an opportunity to review the uses of new or growing technologies and their impact on health information: 1) Facsimile 2) /Voice mail 3) Cellular telephones and pagers 4) Laptops/PDAs (e.g., Palm Pilots, Visors)

25 1) Facsimile issues: a) Why are you faxing it? b) Do you need consent/authorization? c) What are you faxing? i. Is it IIHI? ii. Is it PHI? d) To whom are you faxing it? e) Where will it be received?

26 2) /Voic issues: a) Risks of redisclosure are greater than with faxes is it the minimum necessary disclosure you can make? b) Accounting for disclosures how do you know it was received properly? c) How secure is your server? How and where is it backed-up?

27 3) Cellular phone/pager issues: a) How do you safeguard them? i. Control/limit use b) Specific concerns: i. Group pages ii. Public discussions

28 4) Laptop/PDA issues: a) Safeguarding becomes a bigger problem than with voice/pagers because of visual access b) Accounting for disclosures: i. Password-protect ii. Can you track every last hotsync and every bit of beaming? Must you?

29 B. Consent and authorization for use and disclosure: 1) How does HIPAA impact consent and authorization? 2) Practical impact: a) Changing release forms b) Intra-institution usage c) Vendors ( business associates )

30 C. Patient interaction with PHI 1) Dealing with the demands of the difficult patient: a) Requests to correct the record b) Individuals for whom review of health information could be harmful

31 Key Steps Organize by assigning responsibility for tracking development of regulations» Read Proposed Rules and Internet Security Policy» Develop informational resources Inform key personnel of HIPAA updates

32 Key Steps (con t) Educate staff Evaluate risk» Perform Gap Analysis of existing policies compared to proposed standards. Develop action plan Implement plan

33 Management Information Systems-Transactions Electronic Transmissions Only» Disk/CD Media/Magnetic Tape» Internet/Intranet/Extranet» Dial-up lines» Virtual Provider Networks Transactions Include» Submitting claims» Receiving remittance advices» Querying patient eligibility» Checking claims status» Requesting prior authorization for some DME items» Requesting payment for certain drugs

34 EDI Transaction Standards- Professional, Institutional, and Dental Claims ASC X12N 837 Remittance Advice ASC X12N 835 Coordination of Benefits ASC X12N 837 Healthcare Claims Status» ASC X12N 276 for the request» ASC X12N 277 for the response

35 Key Steps (con t) Enrollment/disenrollment ASC X12N 834 Eligibility» ASC X12N 270 for the inquiry» ASC X12N 271 for the response Referrals ASC X12N 278

36 Code Sets Appropriate Code Sets» ICD-9 (Vol 1, 2) For Diagnosis» CPT-4, ICD-9 (Vol 3), CDT (Dental) For Charges» HCPCS (Not Drugs),NDC (Drugs) For Charges Okay to use clearinghouse to convert nonstandard codes to standard codes Eliminated Codes» J Codes» Local Codes (HCPCS Level III)» Payor Specific Codes

37 Identifier Standards for HIPAA Provider Identifier» 8- or 10-position alpha numeric identifier with a check digit Employer Identifier» 9-digit identifier with the first two digits separated by a hyphen; initial plans to use the EIN (Tax ID) issued by the IRS. Patient Identifier National Health Plan ID

38 What to do: Obtain specifications Review systems for cross-walks; map nonstandard codes to standard codes Ensure systems accommodate code sets and identifiers Review forms/ systems to ensure there are fields to capture all necessary data Speak with vendors about their readiness Develop implementation plan Research preparedness of payors 37

39 Management Information Systems-Security Need to know basis Review current security levels of users. Determine if access is appropriate for responsibilities Create User Categories by position and assign appropriate security level to categories Map each employee to appropriate category Assess security of technology Implement written policies and procedures for the use, storage and transmission of health information FEELEY & DRISCOLL, P.C. Certified Public Accountants Business Consultants Visit us at Call us at

40 Privacy Applies to all activity, not just electronic transactions Review Policy & Procedure manual for monitoring patient information Adopt written privacy procedures that address:» Who» How» When PHI may be disclosed

41 Privacy (con t) Conduct Privacy Training for:» Employees» Contractors» Volunteers» Medical and Professional Staff» Business Associates Initiate agreements with business associates in accordance with HIPAA mandate» Permitted uses and disclosures» Safeguards» Report of security breach

42 Consent and Authorization Consent» Consent required for use and disclosure of PHI for treatment, payment, or health care operations» Refers patient to privacy notice» Perpetual consent until revoked in writing Authorization» Authorization required for use and disclosure of PHI for purposes other than treatment, payment, or health care operations [Example: employment determination]

43 Consent and Authorization (cont d) Authorization cont d» Describe information specifically and meaningfully» Identify class of people to whom the information will be disclosed» Expiration date / event» Clause for right of revocation» Purpose

44 Websites Department of Health and Human Services» Strategic National Implementation Process» Washington Publishing Company»

45 Things Change Take steps to make the process easier! HIPAA