HIPAA & the States: New Federalism for a New Century. HIPAA, Centers for Disease Control and Prevention, Washington, DC, January 27, 2003. Presented by Robert J. Burns, NGA Center for Best Practices.


HIPAA & the States
New Federalism for a New Century

HIPAA
Centers for Disease Control and Prevention
Washington, DC • January 27, 2003

Presented by
Robert J. Burns
NGA Center for Best Practices


© 2002 National Governors Association

What is HIPAA?

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Established federal floor of consumer protections, marketplace standards
– Insurance market reforms
– Privacy, security
– Administrative simplification

New Federalism


Health Insurance Market Reforms

Limits preexisting condition exclusions
– Creditable coverage, significant breaks

Prohibits insurer penalties because of poor health

Extends certain coverage rights
– Maintain group coverage when changing jobs
– Purchase coverage (termination, small employers)
– Renew coverage (individuals, small employers)
– Special enrollment (marriage, birth, adoption, etc.)


Health Insurance Market Reforms

Mental Health Parity Act (1996)
– Same annual and lifetime dollar coverage mental health as for general health

Newborns’ and Mothers’ Health Protection Act (1996)
– Coverage for breast reconstruction following cancer-related mastectomy

Women’s Health and Cancer Rights Act (1998)
– Length of hospital stay in connection with child birth (“drive-by deliveries”)


Privacy (and Security)

Restricts use(-s) of “individually identifiable” patient health information
– Conditions necessary (authorized uses, patient consent)
– Information allowed (“minimum necessary”)
– Protocols, procedures (patient notification, business associate agreements)

Prevents unauthorized access to PHI
– Administrative, technical, physical safeguards


Administrative Simplification

To improve the efficiency and effectiveness of the health care system

Standardizes the exchange of electronic health information (administrative, financial)
– Health plan enrollment (or disenrollment)
– Health plan eligibility determinations
– Health plan premium payments
– Referral certification, authorization
– Claim submissions (encounter info)
– Health plan benefit coordination
– Claim status inquiries
– Payment and remittance advices


Who Must Comply?
(“Covered Entities” and “Covered Functions”)

Individual or group health plans (or programs) that provide health benefits directly, through insurance, or otherwise

Health care providers (or suppliers) of medical or other health services or supplies (that also conduct certain health care transactions electronically)

Health information clearinghouses that process or facilitate the processing of electronic health information into a standard format


“Agencies can no longer act as if they are separate organizations with independent missions.”

Governing Magazine
January 2003


Who Else Must Comply?

Hybrid entities whose business activities include both covered and non-covered functions

Business associates that perform certain functions or activities on behalf of a covered entity

Information trading partners that rely on protected health information for purposes not directly related to the business activities of covered entities


State Paradox

The broad mandates of most public programs go far beyond HIPAA’s narrow, private-sector orientation towards health plans, health care providers, and health information clearinghouses.

Unlike the private sector, states must balance the law’s requirements with their additional roles as purchasers, managers, and regulators of health care, as well as guardian of the public’s health and safety.


What Does this Mean for States?
(Labor-Intensive Review of State Government)

Identify covered entities
– Agencies, programs, covered functions

Evaluate information sharing practices (PHI)
– Transactions, technology

Determine legal requirements
– Preemption analysis of state, federal law

Revise business practices (statewide)
– Policies, procedures, materials
– Technology

Adapt information sharing relationships
– Business associates, trading partners


How States Are Responding
(Process)

Compliance planning
– Interagency planning committees
– Dedicated HIPAA project offices (CA, IA, OH, SC)
– Medicaid-led (NC)
– State CIO, privacy office (FL, KY, NY)

Pooled resources
– Compliance tools (impact assessments, business associate agreements)
– Some cost sharing (CA, TN)
– Public/private collaboratives


How States Are Responding
(Policy)

Implementing trading partner agreements

Consolidating technology (GA, UT)

Reassigning program functions
– Orthodontia, hearing aids (CO)

Instituting complaint management systems
– 800 referral number (NC)


Ongoing Compliance Barriers

Unfunded mandate
– Medicaid (recoup enhanced match)
– Non-Medicaid (no federal funding)

Poor guidance (no validation)
– Covered entity determinations
– Preemption decisions (state, federal)

Staggered implementation schedule
– Counterproductive (state resources)
– Wasteful (taxpayer dollars)

Complaint-driven enforcement
– Unknown vulnerability (penalties, lawsuits)
– Unknown application (among HHS regions)


Unfunded Mandate
(Non-Medicaid)

Community-based providers (“safety net”)
Public hospitals/clinics
Mental health facilities
Substance abuse treatment centers
State/local health departments
Academic medical/research centers
Organ donation programs
Foster care
Law enforcement and corrections (coroners, medical examiners)
TANF-funded programs
MCH programs (Title V)
School-based health programs (immunizations, dental)
HIV/AIDS (“Ryan White”)
State employee benefits
Worker’s compensation
State technology authorities
Health policy offices


Federal Guidance

Covered entity determinations
– No arbitration process
– No validation mechanism

Preemption decisions
– State law
– Other federal laws


Implementation Schedule

                               Proposed Rule   Final Rule   Compliance Deadline†
Privacy                        11/99           8/02‡        4/03
Security                       8/98            —            —
Transactions and Codes         5/98            10/00        10/02*
National Provider Identifier   5/98            —            —
Health Plan Identifier         —               —            —
Employer Identifier            6/98            7/02         7/04
Enforcement                    —               —            —

† Small health plans have one additional year following this date to be compliant.
‡ HHS proposed modifications to the privacy rule on March 27, 2002. The modifications were finalized on August 14, 2002. The compliance deadline will not change.
* The compliance deadline may be extended by one year if a compliance plan is submitted to HHS before October 16, 2002. Small health plans are not eligible for the conditional extension.


Complaint-Driven Enforcement

Expectations
– Who will complain?
– What will they complain about?

Vulnerability
– Lawsuits
– Federal penalties
– Negative publicity

Application
– Measure of due diligence
– Sanctions, technical assistance
– Consistent enforcement across HHS regions


Policy Implications for States

Worsening the budget situation
Impeding access to health care
Affecting the quality of care
Threatening provider solvency
Impairing state-level program administration (grant reporting)
Hindering the ability to make good policy decisions


Implications for CDC

Information sharing standards will vary
– Different legal interpretations (state-level)
– Grant reporting
– Surveillance data (disease reporting)

Prevention activities
– Immunizations
– Disease management

Assurances will be needed
– Business associate, trading partner agreements


What States Need

Guidance
– Validation of state decisions (OCR)
– Analysis of HIPAA, other federal laws
– Direction from federal funders (grants)
– Coordination among federal-level agencies

Time & money
– 2002 election
– State fiscal crisis
– Opportunity to upgrade health data systems


NGA Center for Best Practices
(http://www.nga.org/center)

Robert J. Burns
Policy Analyst
Health Policy Studies Division

National Governors Association
Center for Best Practices

Hall of States, Suite 267
444 North Capitol Street, NW
Washington, DC 20001-1512

(202) 624-7729
fax: (202) 624-5313
email: [email protected]@nga.org