HIPAA: AN OVERVIEW September 2013



Similar documents
HIPAA Administrative Simplification and Privacy (AS&P) Frequently Asked Questions

ELECTRONIC HEALTH RECORDS

INTERMEDIATE ADMINISTRATIVE SIMPLIFICATION CENTERS FOR MEDICARE & MEDICAID SERVICES. Online Guide to: ADMINISTRATIVE SIMPLIFICATION

HIPAA Compliance. Saeed Rajput

Instructions for Completing the Initial System Assessment for Upcoming HIPAA Changes Due Date: (specify date)

Legislative & Regulatory Information

HIPAA Compliance Calendar

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information

Understanding the HIPAA standard transactions: The HIPAA Transactions and Code Set rule

HIPAA Glossary of Terms

HIPAA Frequently Asked Questions Free & Charitable Clinic HIPAA Toolbox May 2014

Meaningful Use, ICD-10 and HIPAA 5010 Overview, talking points and FAQs

Glossary of Terms. Account Number/Client Code. Adjudication ANSI. Assignment of Benefits

HIPAA Overview. Darren Skyles, Partner McGinnis Lochridge. Darren S. Skyles

HIPAA The Law Explained. Click here to view the HIPAA information.

RONALD V. MCGUCKIN AND ASSOCIATES Post Office Box 2126 Bristol, Pennsylvania (215) (215) (Fax) childproviderlaw.

HIPAA. Health Insurance Portability & Accountability Act Administrative Simplification FIVE THINGS YOU SHOULD KNOW ABOUT PAYMENTS AND HIPAA

Ross D. Seymour, MTPM

Health Insurance Portability and Accountability Act HIPAA. Glossary of Common Terms

HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services

HIPAA Transactions and Code Set Standards As of January Frequently Asked Questions

The HIPAA Standard Transaction Requirements: How do Health Plans Comply?

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

Imagine that your practice could submit

Compliance Alert. New requirement for health plans: HIPAA Health Plan Identifier (HPID) August 29, 2014

Health Plan Certification of Compliance with HIPAA Electronic Transaction Standards

Agenda. OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2. Linda Sanches, MPH Senior Advisor, Health Information Privacy 4/1/2014

The benefits of electronic claims submission improve practice efficiencies

Data Breach, Electronic Health Records and Healthcare Reform

New ACA Mandate: HIPAA Health Plan Certification Proposed Rules. Christy Tinnes Groom Law Group February 21, 2014

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

CLAIMS Section 5. Overview. Clean Claim. Prompt Payment. Timely Claims Submission. Claim Submission Format

Title 40. Labor and Employment. Part 1. Workers' Compensation Administration

General HIPAA Implementation FAQ

HIPAA Compliance for Small Healthcare Providers

New HIPAA regulations require action. Are you in compliance?

HIPAA Enforcement Training for State Attorneys General

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist.


Health Information Technology (IT) Simplified

Sunday March 30, 2014, 9am noon HCCA Conference, San Diego

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

FMH Benefit Services, Inc.

Business Associate Management Methodology

GENERAL OVERVIEW OF STANDARDS FOR PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION [45 CFR Part 160 and Subparts A and E of Part 164]

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

Understanding Health Insurance Portability Accountability Act AND HITECH. HIPAA s Privacy Rule

HIPAA Security Rule Compliance

Billing and Claim Billing and Claim Submission Boot Camp Submission Boot Camp Beverly Remm Beverly Remm

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

3 Learning Objectives (cont d.)

HealthStream Regulatory Script

What it Means for You and Your Organization

PCPCC National Briefing/Webinar

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements

Transitioning to EDI HIPAA 5010 and ICD-10

Objectives 5/5/2015. Quality Health Associates (QHA) of ND

Legislative & Regulatory Information

Joe Dylewski President, ATMP Solutions

ICD -10 TRANSITION AS IT RELATES TO VISION. Presented by: MARCH Vision Care, 2013

HIPAA Changes Mike Jennings & Jonathan Krasner BEI For MCMS 07/23/13

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES

Implications of HIPAA Requirements on Healthcare Payment Processing

HIPAA. HIPAA and Group Health Plans

DRAFT. HIPAA Impact Determination Questionnaire (Gap Analysis)

Tools to Prepare and Protect Your Practice for HIPAA and Meaningful Use Audits

This course has been awarded one (1.0) contact hour. This course expires on September 29, 2015.

Business Associates, HITECH & the Omnibus HIPAA Final Rule

Santa Rosa Presents Webinar Series Electronic Health Records & Meaningful Use Incentives: Medicare & Medicaid

Signed into law on February 17, 2009, the Stimulus Package known

Finally! HHS Issues Proposed Rule Implementing Changes to the HIPAA Privacy, Security and Enforcement Rules under HITECH

HIPAA Privacy Keys to Success Updated January 2010

HEALTH INFORMATION TECHNOLOGY*

CROSSROADS HOSPICE HIPAA PRIVACY NOTICE

This information is current as of the training dates.

New HIPAA Certification Requirement & Other New Health Plan To Do Tasks under HIPAA Standard Transaction Rules

2/9/ HIPAA Privacy and Security Audit Readiness. Table of contents

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015

Healthcare Applications and HIPAA. BA590-IT Governance Final Term Project Prof. Mike Shaw

The HIPAA Audit Program

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN

Health Insurance Portability and Accountability Act (HIPAA)

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act

ELECTRONIC DATA INTERCHANGE (EDI) TRADING PARTNER INSTRUCTIONS

MEDICAL CLAIMS AND ENCOUNTER PROCESSING

HIPAA Compliance. Lakeshore Family Chiropractic. Page 1

Center for Medicaid, CHIP, and Survey & Certification SMDL # June 21, Re: Third Party Liability. Dear State Medicaid Director:

2012 HIPAA Privacy and Security Audits

ICD-10 Overview. The U.S. Department of Health and Human Services implementation deadline for compliance with ICD-10, Mandate is October 1, 2014.

REVISION, PROCEDURE CODING SYSTEM (ICD-10-PCS) VERSION 2.Ø

The Transition to Version 5010 and ICD-10

HIPAA RISKS & STRATEGIES. Health Insurance Portability and Accountability Act of 1996

Summary of the Proposed Rule for the Medicare and Medicaid Electronic Health Records (EHR) Incentive Program (Eligible Professionals only)

CMS AND ONC FINAL REGULATIONS DEFINE MEANINGFUL USE AND SET STANDARDS FOR ELECTRONIC HEALTH RECORD INCENTIVE PROGRAM

Meaningful Use Rules Proposed for Electronic Health Record Incentives Under HITECH Act By: Cherilyn G. Murer, JD, CRA

HIPAA Happenings in Hospital Systems. Donna J Brock, RHIT System HIM Audit & Privacy Coordinator

CoreSource, Inc. HIPAA Transaction Electronic Data Interchange (EDI) Implementation Guide. For Health Care Providers

Transcription:

HIPAA: AN OVERVIEW September 2013 Introduction The Health Insurance Portability and Accountability Act of 1996, known as HIPAA, was enacted on August 21, 1996. The overall goal was to simplify and streamline the burdens of healthcare. The original law had four key components: Insurance market reforms to limit exclusions for pre-existing conditions and to guarantee the renewal of group and individual insurance A Medical Savings Account demonstration project (which has since been replaced by other programs) Expanded enforcement of fraud and abuse Administrative Simplification provisions mandating electronic handling of health insurance transactions and information. It is the Administrative Simplification provisions that have the greatest impact on medical practices. The Administrative Simplification provisions of HIPAA established national standards for electronic health care transactions and national identifiers for providers and employers. It also addresses the security and privacy of health data. Developments in technology and the ability to gain easy access to personal health information have driven efforts to streamline diverse state regulations and insurance company requirements into a single regulation. The passage of HIPAA and later the Health Information Technology for Economic and Clinical Health (HITECH) Act occurred, in part, to improve the efficiency and effectiveness of the healthcare system by standardizing the transmission of certain administrative and financial transactions and by protecting the privacy and security of personal health information. However, in January 2013, the U.S. Department of Health and Human Services (DHHS) Office for Civil Rights (OCR) announced a final omnibus rule implementing revisions to HITECH Act and to strengthen the privacy and security protections for health information established HIPAA. This guide summarizes how medical practices are affected by the Administrative Simplification regulations for privacy, security, electronic transactions and code sets, and breach notification. This overview also attempts to address the changes that have occurred since the various rules took effect, including and especially the Omnibus Rule of January 2013. Administrative Simplification Although the Administrative Simplification provisions appear in the last section of HIPAA (Title II, Section F), they are the most widely known portion of the law. The Department of Health and Human Services (DHHS) is responsible for the development of the following administrative simplification regulations:

1. Standardization of electronic patient health, administrative and financial data, including claims, remittance advice, electronic funds transfer, and so on. 2. Unique health identifiers for individuals, employers, health plans and health care providers. 3. Security standards protecting the confidentiality and integrity of individually identifiable health information. The requirements outlined by the HIPAA law and supporting regulations produced by the DHHS require compliance from all healthcare organizations that maintain or transmit electronic health information. This includes physician offices, as well as hospitals, health plans, and healthcare clearinghouses. The Office of Civil Rights (OCR) is responsible for enforcement of the Privacy and Security Rules while CMS is responsible for the Transactions and Codes Sets and Identifier Rules. Noncompliance can be costly so it is important for practices to understand their responsibilities under HIPAA. Electronic Transactions and Code Sets Before the enactment of HIPAA, there was no common standard for the transfer of information between healthcare providers and payers. Consequently over 400 electronic data interchange (EDI) formats were used by various payers. The HIPAA electronic transactions regulations were an effort to reduce paper work and increase efficiency and accuracy through the use of standardized financial and administrative transactions and data elements for transactions. The electronic transactions regulation requires that whatever information is transmitted electronically, specifically health claims and encounter information, enrollment and disenrollment information, eligibility information, payment and remittance advice, health plan premium payments, claim status, eligibility, and referrals and authorizations, must use a standard format and code sets. Providers may still submit paper claims, but all electronic submissions must be compliant, even if submitted through a clearinghouse. HIPAA requires all payers to accept the following transaction standards for EDI: Claims/encounters, eligibility verification, enrollment, and related transactions: American National Standards Institute (ANSI) X12N version 5010. Physician services: Current Procedural Terminology (CPT-4) Diagnoses and inpatient hospital services: International Classification of Diseases, 9 th edition, Clinical Modification (ICD-9-CM). However, ICD10 CM (diagnosis) and PCS (inpatient hospital procedures) will replace ICD9 on October 1, 2014. Ancillary services/procedures: HCFA Common Procedural Coding System (HCPCS) Pharmacy transactions: National Council for Prescription Drug Programs (NCPDP) Dental services: Current Dental Terminology (CDT) HIPAA adopted standards for unique identifiers for employers, providers, and health plans which must also be used in all transactions, as required by the standard. 2

Privacy and Security Congress recognized the need for patient-record privacy and security standards when they enacted HIPAA. The information protected by this section of the law includes all medical records and other individually identifiable health information whether electronic, written, or oral. With few exceptions, an individual s health information may only be used for treatment, payment, or operations purposes. The final rules established standards for physicians to meet but allowed some flexibility in the design of policies and procedures in order to meet those standards. The original compliance date for the Privacy Rule was April 14, 2003, and for the Security Rule was April 21, 2005. Since that time, the Office of Civil Rights (OCR), which is in charge of enforcement, has issued clarifications and FAQs regarding how to implement various aspects of the privacy rules. The issuance of HITECH and now the Omnibus rule have resulted in further changes. The most notable changes to previous privacy and security rules resulting from the Omnibus rules effective September 23, 2013 are as follows: Business associates (BA) are now directly responsible for privacy and security of protected health information, especially when it comes to uses and disclosures. BA agreements must be revised accordingly by September 30, 2014, or when the agreement is otherwise renewed or modified prior to that time, whichever is first. The definition of marketing for which patient authorization is needed was expanded. While more information can now be used for fundraising, patients may opt out of fundraising activities. The omnibus rule changed the definition of what constitutes a breach of personal health information (PHI). Now, any disclosure of PHI that is a violation of the Privacy rule is considered a breach unless it can be demonstrated by a risk assessment that the breach meets certain criteria. Patients who pay out of pocket may request that PHI not be sent to their health plan. Upon request, practices that store PHI electronically must provide the patient with an electronic copy of the records within a specific time frame and for a reasonable cost. The Notice of Privacy Practices must be updated to include these changes by September 23, 2013. The PHI of deceased patients is protected for 50 years. If the patient wishes are unknown, then family members who were involved in the care and payment are authorized and others are not. Unique Identifiers HIPAA mandates the use of unique identifiers for providers, health plans, employers, and individuals receiving health care services (i.e. patients). The National Employer Identifier has been in use since July 30, 2004. The employer identifier is 3

based on the de facto standard, the Internal Revenue Service assigned Employer Identification Number (EIN), which has nine numeric positions. The National Provider Identifier (NPI) has been in effect since May 23, 2007. A unit of CMS, the National Plan and Provider Enumeration System (NPPES), issues the unique 10-digit numeric NPI for all health care providers, including physicians, group practices, hospitals, and other providers of healthcare services designated as covered entities under HIPAA. The NPI replaced all other identifiers. Physicians may apply online through NPPES: https://nppes.cms.hhs.gov/nppes/welcome.do. The national Health Plan Identifier (HPID) final rule was released August 24, 2012. This rule establishes a unique identifier for health plans and for other entities that are not providers, health plans, or individuals that need to be identified in standard transactions. Health plans, excluding small health plans, are required to obtain HPIDs by 2 years after the effective date, in 2014. Small health plans are required to obtain HPIDs 3 years after the effective date, in 2015. All covered entities are required to use HPIDs where they identify health plans that have HPIDs in standard transactions 4 years after the effective date, in 2016. The patient identifier is currently on hold and there is no speculation on when a new rule will be released regarding patient identifiers. HITECH Act and HIT Incentives The Health Information Technology for Economic and Clinical Health Act (HITECH Act) of the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111 5), was enacted on February 17, 2009. The HITECH Act included provisions to improve health care quality, safety, and efficiency through the promotion of health information technology (HIT) and the electronic exchange of health information. HITECH included new privacy and security requirements, the most well-known being the EHR incentive programs. For a good summary of these programs, go here: http://www.cms.gov/regulations-and- Guidance/Legislation/EHRIncentivePrograms/Downloads/Beginners_Guide.pdf. Affordable Care Act (ACA) The Administrative Simplification provisions of the Affordable Care Act of 2010 (ACA), build on HIPAA with several new, expanded, or revised provisions, including requirements for: Operating rules for each of the HIPAA transactions (including ICD-10) Enumeration of a unique, standard Health Plan Identifier (HPID) New standards for electronic funds transfer (EFT), electronic remittance advice (ERA), and electronic health care claims attachments. Claims attachment rules are not expected before 2014 or later. Health plans to certify compliance with the standards and operating rules. Penalties for health plans that fail to comply or to certify their compliance with applicable standards and operating rules. Eligibility Determination, Electronic Funds Transfer (EFT) and Electronic Remittance 4

Advice (ERA) On July 8, 2011, HHS published a regulation, an interim final rule that adopted operating rules for two electronic health care transactions to make it easier for physician practices and hospitals to determine whether a patient is eligible for coverage and the status of a health care claim submitted to a health insurer. The effective date for operating rules for eligibility for health plan and health claims status transactions was January 1, 2013. On January 10, 2012, HHS published another interim final rule adopting standards for health care claim payments made via EFT and for ERA. The compliance date for the EFT and ERA operating rule is January 1, 2014. Other Administrative Simplification Rules Still to Come Future administrative simplification rules will address the adoption of: A standard unique identifier for health plans; A standard for claims attachments; and Requirements that health plans certify compliance with all HIPAA standards and operating rules. 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information