HIPAA. Health Insurance Portability & Accountability Act Administrative Simplification FIVE THINGS YOU SHOULD KNOW ABOUT PAYMENTS AND HIPAA

Transcription

1 HIPAA Health Insurance Portability & Accountability Act Administrative Simplification FIVE THINGS YOU SHOULD KNOW ABOUT PAYMENTS AND HIPAA Steve Stone PNC Bank, N.A. October 14, 2009

2 Five Things You Should Know About Payments This presentation represents the personal views of the speaker and not necessarily those of NACHA or PNC Bank. It is not intended, and should not be taken, as legal advice. Please consult your own organization's legal and other professional advisers for guidance appropriate to your organization.

3 HIPAA Requirements HIPAA You Are Here Title I Portability Title II Administrative Simplification Titles III, IV, and V Transaction Standards Standard Code Sets Unique Health Identifiers Security Privacy Info Between Health Plans Data Element Required vs. Optional Format Codes Values Transaction Sets Service and Diagnosis Codes ICD-9-CM CPT-4 HCPCS CDT NDC NCPDP No local or J codes ANSI X12N Version mandated Eligibility - 270/271 Benefit Enrollment and Maintenance Referral Certification and Authorization Claims Claim Status - 276/277 Claim Payment and Remittance Advice Premium Payments Additional Information to Support Claims/Encounters First Report of Injury Final Rule on on Transactions and Code Sets Published August 17, 17, 2000, for for Implementation October 16, 16, Final Rule of of Privacy Published December 28, 28, 2000 for for Implementation April 14, 14, Provider Single NPI: 10 position numeric, one digit checksum (no location code) No embedded intelligence Employer 9 position numeric, one digit checksum Tax ID Number No embedded intelligence Health Plan 10+3 position numeric, one digit checksum Sub-ID may appear on health card & direct EDI No embedded intelligence 3 Administrative Safeguards Certification Internal Audit Training, P&P, etc. Technical Safeguards Access Control Authorization Data Authentication Entity Authentication Network Safeguards Basic Network Safeguards Integrity/Protection Physical Safeguards Secure Workstations Physical Access Controls Security Awareness Training Limitations Covers information transmitted or maintained in any form General Rules Protected Health Information data elements defined Business associates must also protect privacy of information Designated Privacy Officer Minimum necessary disclosure Notice of Information Practices Coordination of Benefits Claims Processing

4 HIPAA Requirements The transaction standards include the electronic premium payments between employer group and payer and health care payment advice between payer and provider. (ANSI X12N 4010A) All covered entities must migrate to version 5010 not later than January 1, /271 Inquiry/Response for Eligibility 275 Request for Additional Support for Claim 276/277 Inquiry/Response for Claims Status 277 Unsolicited Request for Additional Info 278 Authorizations and Referrals Inquiry/response for verification of an individual s eligibility, benefits and coverage. Request for additional information to support a health care claim and/ or encounter. This transaction has finalized the HL7 embedded portion of the standard but has not finalized the ANSI portion. Request/response for health claim status. Health care claim request for additional information needed to complete adjudication process. Receive and respond to requests for authorization or certification from providers. 820 Premium Payment/Order Remittance Advice Receive payroll deductions & other group premium payments from employers for insurance products. Additionally there is an 811 transaction (Consolidated Billing) that is complementary to the 820 transaction, but is not required as part of HIPAA. 834 Benefit and Enrollment Maintenance Receive enrollment information for insurance coverage benefits or policy from other sponsors of insurance coverage. 835 Health Care Payment/ Advice Payment of health care claims and transfer of admittance advice (EOB) to providers. 837 Health Care Claim Receive health care claims and encounters from providers. First Report of Injury This transaction set has not yet been finalized. 4

5 Five Things You Should Know About Payments 1. A financial institution handling PHI on behalf of a Covered Entity (Payer, Provider, or Clearinghouse) is generally a Business Associate. 5

6 What is Protected Health Information (PHI)? Protected Health Information. The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)." Individually identifiable health information is information, including demographic data, that relates to: the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number). 45 C.F.R

7 What is a payment? Payment means: (1) The activities undertaken by: i. A health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or ii. A covered health care provider or health plan to obtain or provide reimbursement for the provision of health care 45 CFR

8 What is a healthcare payment? EFT Optional (format not defined in HIPAA) Moves money from Payer to Provider Includes a reassociation reference number ERA Mandatory (format defined in HIPAA 835) Includes specific information about patients, medical procedures and amounts paid for services Includes a reassociation reference number 8

9 What is a healthcare payment? The transmission of both parts of the standards are payment activities under this rule, and permitted subject to certain restrictions. Because a financial institution does not require the remittance advice or premium data parts to conduct funds transfers, disclosure of those parts by a covered entity to it (absent a business associate arrangement to use the information to conduct other activities) would be a violation of this rule Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 9

10 What is a healthcare payment? The transmission of both parts of the standards are payment activities under this rule, and permitted subject to certain restrictions. Because a financial institution does not require the remittance advice or premium data parts to conduct funds transfers, disclosure of those parts by a covered entity to it (absent a business associate arrangement to use the information to conduct other activities) would be a violation of this rule Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 10

11 What is a healthcare payment? The transmission of both parts of the standards are payment activities under this rule, and permitted subject to certain restrictions. Because a financial institution does not require the remittance advice or premium data parts to conduct funds transfers, disclosure of those parts by a covered entity to it (absent a business associate arrangement to use the information to conduct other activities) would be a violation of this rule Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations 11

12 Business Associate is a person to whom protected health information is disclosed so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity. Includes any agent, contractor or other person working on behalf of the covered entity who receives protected health information from the covered entity. Does not include a person who is an employee of the covered entity. Source: Department of Health and Human Services 45 CFR Parts 160 Through 164: Standards for Privacy of Individually Identifiable Health Information; Final Rule: December 28,

13 Business Associate Agreement is used whenever PHI is processed by an entity other than the intended recipient or another Covered Entity. This contract defines the uses and controls over PHI as required by HIPAA. A BAA is required to make sure that those providing services to covered entities also protect the privacy and security of the PHI. 13

14 Five Things You Should Know About Payments 1. A financial institution handling PHI on behalf of a Covered Entity (Payer, Provider, or Clearinghouse) is generally a Business Associate. 2. If you translate electronic data from standard to nonstandard or vice versa, you are a Clearinghouse. 14

15 The Definition of a Clearinghouse (45 CFR ) Health care clearinghouse means a public or private entity including a billing service, repricing company, community health management information system or community health information system, and value-added networks and switches, that does either of the following: (1) Processes or facilitates the processing of information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction. (2) Receives a standard transaction from another entity and processes or facilitates the processing of information into nonstandard format or nonstandard data content for a receiving entity. Standard Nonstandard 15

16 Five Things You Should Know About Payments 1. A financial institution handling PHI on behalf of a Covered Entity (Payer, Provider, or Clearinghouse) is generally a Business Associate. 2. If you translate electronic data from standard to nonstandard or vice versa, you are a Clearinghouse. 3. The Section 1179 carve-out allows payments processing. 16

17 Section 1179 HIPAA amended the Social Security Act by adding to Title XI a new Part C, Administrative Simplification Section 1179 of Title XI, Part C states To the extent that an entity is engaged in activities of a financial institution (as defined in section 1101 of the Right to Financial Privacy Act of 1978), or is engaged in authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments, for a financial institution, this part, and any standard adopted under this part, shall not apply to the entity with respect to such activities Consumer-initiated payments via check or card are covered under the Section 1179 exemption. 17

18 Section 1179 HIPAA makes a distinction between payment processing and the exchange of protected healthcare information (PHI) The preamble notes that diagnostic and treatment information is never necessary to process a payment transaction, and HIPAA requires that covered entities limit the exchange of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. (45 CFR (b)) In other words, a CCD is likely included in the Section 1179 exemption while a CTX transaction probably is not. 18

19 Where does it say that? Federal Register / Vol. 65, No. 160 / Thursday, August 17, 2000 / Rules and Regulations When the transfer of funds is part of paying a health care premium or a health care claim, the ACH transaction may continue to be used as a valid part of an ASC X12N 835 or 820 transaction where the other part of the transaction is sent to the health plan or health care provider, directly or indirectly (through a clearinghouse or financial institution). Although these standard transactions allow transmission of one or both parts through a financial institution, they do not require both parts to be sent to the financial institution and the financial institution is not required by this regulation to accept or forward such transactions. Health plans may continue to use the ACH transaction alone to authorize the transfer of funds (electronic funds transfer) when such transfer is not part of paying a health care premium or a health care claim for an individual, because such a transaction would not be a transaction covered under this part. The Department of the Treasury has confirmed that this standard does not conflict with their requirements for disbursements. 19

20 Five Things You Should Know About Payments 1. A financial institution handling PHI on behalf of a Covered Entity (Payer, Provider, or Clearinghouse) is generally a Business Associate. 2. If you translate electronic data from standard to nonstandard or vice versa, you are a Clearinghouse. 3. The Section 1179 carve-out allows payments processing. 4. In its current form, the ACH network is not suitable for the conveyance of PHI. 20

21 Today s healthcare flow Clearinghouse Payor Provider Dollars PHI 21

22 Using the ACH for dollars and data Payor Provider ODFI ACH RDFI Dollars PHI 22

23 Can the ACH be used to move PHI? Yes I094101ALL ACH ITEMS BY ACCT EPNCBANK, PGH ABC HEALTH PLANS CTXPAYMENTS MERCY MEDICAL CENTER ISA*00* *00* *01*TEST 835==>CTX *01* *030128* *U*00200* *0*P*>~GS*HP*TEST 835 * * *1003*245*X*004010~ ST*835*245023~BPR*X*14958*C*ACH**01* *DA* * **01* *DA* * ~TRN*1* * ~REF*EV*BANK~DTM*097* * ~N1*PR*ABC HEALTH PLANS*FI* ~N3*123 EASY STREET~N4*TAMPA*FL* ~PER*CX**TE* ~N1*PE*MERCY MEDICAL CENTER*FI* ~N3*PO BO X 12345~N4*TOLEDO*OH*88888~LX*23~TS3*999999*NO* *3* ****99999~CLP* *1* *1118**HM* *21~NM1*QC*1*SMITH*WALTER**** MI* ~REF*G2*999999~AMT*1Z*-91.76~SVC*HC>RMBRD* *1118**1~DTM*472* ~CAS* PR*3*50~CAS*CO*42* ~CLP* *1* *6832**HM* *21~NM1*QC *1*SMITH*NATALIA****MI* ~REF*G2*999999~AMT*1Z* ~SVC*HC>RMNEW* *6832**17~DTM*472* ~CAS*CO*42* ~CLP* *1* *7008**H M* *21~NM1*QC*1*SMITH*ROBERT****MI* ~REF*G2*999999~AMT*1Z* ~SVC*HC>RMBRD* *7008**6~DTM*472* ~CAS*CO*42* ~SE*37* ~GE*1*245~IEA*1* ~ Yellow data = ACH information Aqua data = Table 1 information Green data = Table 2 information (PHI) 23

24 Can the ACH be used to move PHI? Yes, but There are no Business Associate Agreements (or equivalents) binding all ACH participants to HIPAA compliance Data generally not encrypted at rest RDFI could receive PHI without any advance warning There are often Third Party Processors involved Might be addressable through a Rules change, but would require support from HHS. A potential issue under HIPAA as a party other than the intended recipient might get access to PHI. RDFI would be denied the opportunity to implement appropriate compliance steps. A new, opt-in SEC needed? Complicates the BAA issue and security controls

25 Other ACH Issues Are there other drawbacks to using the ACH? Not every financial institution is equally capable of handling complex transactions like healthcare CTX s. Therefore, Providers may have more options for receiving remittance information from a clearinghouse than from a financial institution. The ACH system can handle only two of the eight approved transactions (820 s and 835 s) so alternate arrangements need to be made for the other transactions. Most financial institutions are not capable of validating 820 s/835 s for compliance with the HIPAA I.G. 25

26 Five Things You Should Know About Payments 1. A financial institution handling PHI on behalf of a Covered Entity (Payer, Provider, or Clearinghouse) is generally a Business Associate. 2. If you translate electronic data from standard to nonstandard or vice versa, you are a Clearinghouse. 3. The Section 1179 carve-out allows payments processing. 4. In its current form, the ACH is not a suitable network for the conveyance of PHI. 5. Multiple agencies might be involved in regulatory oversight for HIPAA Health and Human Services OCC/Federal Reserve State Attorneys General (under HITECH) 26