hipaa summit september 22, - ehcca.comjan 1, 2013 (overlap with 5010 and icd‐10) ifr published...

HIPAA Summit WestSeptember 22, 2011

Sept 22, 2011 Nachimson Advisors, LLC 1


New HIPAA Standards Oct 1,2011 Jan 1,2012 1-Jan-14Adoption Dates Health Plan ID EFT Attachements

New HIPAA Standards Health Plan ID (10/1/12) EFTImplementation

Meaningful Use Stage 1 Stage 2 Stage 3Incentive payments May be delayed to 1/1/2014

Accounting for Disclosures and Jan 1 if DRS acquired Jan 1 if DRS acquiredAccess Reports NPRM after 1/1/2009 before 1/1/2009

Privacy Final Rule for PublicationBusiness Associates

Health Plan Certification 31‐Dec‐13 31‐Dec‐15Dates Elig, Claims Status, EFT, RA Claims, Enrollment, Prem Pay,

ACOs

New versions of HIPAA standardsAn “upgrade” to make things better


Improvements to data, functionality, and consistency3 years to implementAnd a “rolling implementation period” to ease the transition


Major upgrade of the current ICD‐9 diagnoses and inpatient hospital code sets.5‐10 times as many codes, greater specificity, changes in structure and meaningImpact far beyond IT, impacts on virtually every business process and certainly on revenue for providers.Regulation gave industry almost 5 years to implement.How has the industry responded?


Several timelines indicated that this is a long term and difficult project.Much more difficult than any HIPAA efforts or Y2KShould have started almost immediatelySurvey indicate delays in starting which may have severely jeopardized ability to effectively meet the deadline.Scrambling to understand full impact of the change.CMS indicating no delay.Key area may be revenue impact – how to predict.Need for cooperation between plans and providers.


Part of the “stimulus package”Attempt to encourage the adoption of EHRs by providersSignificant HIPAA security and privacy changes.


Established Medicare/Medicaid EHR incentive program for hospital and “eligible professionals”(and disincentives in 2015)Needed to adopt a “certified EHR” and show “Meaningful Use” to receive incentivesSignificant dollar incentivesFinal rule published July 2010Stage 1 of meaningful use established and available in Oct 2010 for hospitals and Jan 2011 for physicians.Only need 90 days for first yearAttestation site available


Recommendation for one year delay of Stage 2ReasonsNeed for assessing Stage 1 implementationOverlap with ICD‐10

Look for NPRM from CMS.


Applies provisions of security regulation to business associatesSets requirements for breach notificationsApplies certain provisions of privacy rule to business associatesAllows patients to restrict reporting of PHI to health plans if the patient pays in full, even if for TPORequires the Secretary to provide guidance on “minimum necessary”Requires accounting of disclosures for TPO from EHRsApplies breach notification requirements to PHR vendorsRequires privacy violations due to “willful neglect” to be penalty liableSets tiered CMPs for privacy violationsAllows State Attorneys General to bring enforcement actions


OCR has recently issued large penalties to several hospitals and plans for security/privacy violations.Represents an aggressive stanceLook for more of these and potential proactive audits.


Breach notification requirements issuedNPRM on many of the changes regarding business associates and other provisions published July 2010; awaiting final ruleNPRM on accounting for disclosures published May 2011.Proposed rule required a report on all disclosures from automated record systems –who accessed the data.


Many HIT provisions included in this Act.Represents Congress instructing HHS to get moving on several provisions and to get more serious on enforcement.Provides for a more streamlined update process


Operating Rules“the necessary business rules and guidelines for the electronic exchange of information that are not defined by a standard or its implementation specifications as adopted’’

Operating rules have been championed by CORE, but the law did not require the adoption of CORE’s operating rules


The Act requires that standards and operating rules: “to the extent feasible and appropriate, enable determination of an individual’s eligibility and financial responsibility for specific services prior to or at the point of care;”

and “provide for timely acknowledgment, response, and status reporting that supports a transparent claims and denial management process (including adjudication and appeals)”

NCVHS beginning to look at acknowledgements


Operating rules to be developed by a non‐profit entity that meets several qualifications:Multi stakeholderConsensus basedGuiding principlesFocused on administrative simplificationAllows for public review

Can there several of these?


NCVHS responsibilities:A) advise the Secretary as to whether a nonprofit entity meets the requirements under paragraph (2); (B) review the operating rules developed and recommended by such nonprofit entity; (C) determine whether such operating rules represent a consensusview of the health care stakeholders and are consistent with and do not conflict with other existing standards; (D) evaluate whether such operating rules are consistent with electronic standards adopted for health information technology; and (E) submit to the Secretary a recommendation as to whether the Secretary should adopt such operating rules.


Secretary can then adopt rules based on NCVHS recommendation (and after ensuring that providers were consulted) via an Interim Final Rule

IFR means that rules are considered final upon effective date, but can be commented on and revised.

Timelines for Operating Rule AdoptionClaims status and eligibility – adopted by July 2011, effective by Jan 1, 2013 (overlap with 5010 and ICD‐10)▪

IFR published July 8th. Most CORE rules, but not acknowledgements.Remittance advice and EFT ‐ adopted by July 2012 and effective by January 1, 2014 ▪

CORE/NACHA are the operating rule entity recommended by NCVHS▪

Operating rule development going on now.

Other transactions ‐ adopted not later than July 1, 2014, and effective not later than January 1, 2016.


Secretary can use IFR for adoption of any standard or operating rule recommended by NCVHSAllows for a 60 day comment period, but no requirement to revise rule.No more NPRM and comment period required.Implication – need for earlier awareness and participation.


Review committee (which may be NCVHS) to be established by Jan 1, 2014Beginning April 1, 2014, and no less than every two years, committee will hold hearings to review the standards and operating rules and recommend changes.Recommended changes must be adopted via IFR within 90 days of the committee reportIndustry has 27 months to implement (close of 60 day comment period + 25 months.


This means standards updates approximately every two years.We need a process in place to manage these updates and assure timely implementationPlanningAssessmentRemediationTestingCommunication


Standards and Operating Rules for Unique Health Plan Identifier, EFT, and AttachmentsHPI – effective by 1/1/2012EFT – adopted 1/1/2012 and effective 1/1/2014Attachments – adopted 1/1/2014 and effective 1/1/2016


Health plans must file certification statements that they are in compliance with standards and operating rules:By 12/31/2013 for EFT, eligibility, claims status, and payment and remittance adviceBy 12/31/2015 for claims, enrollment and disenrollment, premium payments, claims attachments, and referral certification/authorization


Must include supporting documentation which includesProof of full complianceCompletion of end‐to‐end testing with providers

Also must ensure that any entities that provide services pursuant to a contract with health plan shall comply with any applicable certification and compliance requirements (and provide the Secretary with adequate documentation of such compliance).


The Secretary may designate independent, outside entities to certify that a health plan has complied with these the compliance requirements.For any revised standards or new standards, health plans must file certification statements by the effective date of the new requirements.The Secretary is to do audits of health plans to ensure their compliance.


$1 per covered life for each day the plan is not in compliance with the certification and documentation requirements.Maximum penalty, per year, is $20 per covered lifePenalties double if inaccurate or incomplete information has been provided in the compliance documentation.


Additional requirements during the 5010/ICD‐10 implementationSeveral new committees/organizations that must be monitoredIFR’s require that organizations stay aware of new versions being developed by SDOsRegularly scheduled updates will require management and regular process to follow.


ACOsWill require significant exchange of clinical dataParticipants will need to be meaningful users

Expansion of MedicaidSignificant additions to the rolls

Insurance ExchangesMovement in and out of different insurance plans and Medicaid.


Health Information Exchanges (Local level)Meant to facilitate the exchange of clinical data among providers.Some successful, but many still struggling to establish a viable sustainability model without grants and government supportSome are eyeing administrative transactions, either via partnership or on their ownRecent report on successful HIEs (from EHI)


NWHIN (formerly NHIN)No longer a formal systema set of standards, services and policies that enable secure health information exchange over the Internet. (from ONC)Direct Project (secure email) is a first attempt▪

Opportunity for clearinghouses to move into

exchanging clinical data?


Quality based paymentsPhysician (PQRI)HospitalsOthers


Stanley NachimsonPrincipal, Nachimson Advisors, [email protected]‐935‐7084www.nachimsonadvisors.com

Sept 22, 2011 Nachimson

Advisors, LLC 32

mailto:[email protected]

hipaa summit september 22, - ehcca.comjan 1, 2013 (overlap with 5010 and icd‐10) ifr published...

Documents