hipaa & the states new federalism for a new century hipaa centers for disease control and...
TRANSCRIPT
HIPAA & the StatesHIPAA & the StatesNew Federalism for a New CenturyNew Federalism for a New Century
HIPAA & the StatesHIPAA & the StatesNew Federalism for a New CenturyNew Federalism for a New Century
HIPAAHIPAACenters for Disease Control and PreventionCenters for Disease Control and Prevention
Washington, DC Washington, DC • January 27, • January 27, 20032003
Presented byPresented by
Robert J. BurnsRobert J. BurnsNGA Center for Best PracticesNGA Center for Best Practices
© 2002 National Governors Association© 2002 National Governors Association 22
What is HIPAA?What is HIPAA?
Health Insurance Portability and Accountability Health Insurance Portability and Accountability Act of 1996 (HIPAA)Act of 1996 (HIPAA)
Established federal floor of consumer Established federal floor of consumer protections, marketplace standardsprotections, marketplace standards– Insurance market reformsInsurance market reforms– Privacy, securityPrivacy, security– Administrative simplificationAdministrative simplification
New FederalismNew Federalism
© 2002 National Governors Association© 2002 National Governors Association 33
Health Insurance Market ReformsHealth Insurance Market Reforms
Limits preexisting condition exclusionsLimits preexisting condition exclusions– Creditable coverage, significant breaksCreditable coverage, significant breaks
Prohibits insurer penalties because of poor Prohibits insurer penalties because of poor healthhealth
Extends certain coverage rightsExtends certain coverage rights– Maintain group coverage when changing jobsMaintain group coverage when changing jobs– Purchase coverage (termination, small employers)Purchase coverage (termination, small employers)– Renew coverage (individuals, small employers)Renew coverage (individuals, small employers)– Special enrollment (marriage, birth, adoption, etc.)Special enrollment (marriage, birth, adoption, etc.)
© 2002 National Governors Association© 2002 National Governors Association 44
Mental Health Parity Act (1996)Mental Health Parity Act (1996)– Same annual and lifetime dollar coverage mental Same annual and lifetime dollar coverage mental
health as for general healthhealth as for general health
Newborns’ and Mothers’ Health Protection Newborns’ and Mothers’ Health Protection Act (1996)Act (1996)– Coverage for breast reconstruction following cancer-Coverage for breast reconstruction following cancer-
related mastectomyrelated mastectomy
Women’s Health and Cancer Rights Act Women’s Health and Cancer Rights Act (1998)(1998)– Length of hospital stay in connection with child birth Length of hospital stay in connection with child birth
(“drive-by deliveries”)(“drive-by deliveries”)
Health Insurance Market ReformsHealth Insurance Market Reforms
© 2002 National Governors Association© 2002 National Governors Association 55
Privacy (and Security)Privacy (and Security)
Restricts use(-s) of “individually Restricts use(-s) of “individually identifiable” patient health informationidentifiable” patient health information– Conditions necessary (authorized uses, patient Conditions necessary (authorized uses, patient
consent)consent)– Information allowed (“minimum necessary”)Information allowed (“minimum necessary”)– Protocols, procedures (patient notification, business Protocols, procedures (patient notification, business
associate agreements)associate agreements)
Prevents unauthorized access to PHIPrevents unauthorized access to PHI– Administrative, technical, physical safeguardsAdministrative, technical, physical safeguards
© 2002 National Governors Association© 2002 National Governors Association 66
Administrative SimplificationAdministrative Simplification
To improve the efficiency and effectiveness of To improve the efficiency and effectiveness of the health care systemthe health care system
Standardizes the exchange of electronic health Standardizes the exchange of electronic health information (administrative, financial)information (administrative, financial)
– Health plan enrollment (or Health plan enrollment (or disenrollment)disenrollment)
– Health plan eligibility Health plan eligibility determinationsdeterminations
– Health plan premium Health plan premium paymentspayments
– Referral certification, Referral certification, authorizationauthorization
– Claim submissions Claim submissions (encounter info)(encounter info)
– Health plan benefit Health plan benefit coordinationcoordination
– Claim status inquiriesClaim status inquiries– Payment and remittance Payment and remittance
advicesadvices
© 2002 National Governors Association© 2002 National Governors Association 77
Who Must Comply?Who Must Comply?(“Covered Entities” and “Covered Functions”)(“Covered Entities” and “Covered Functions”)
Individual or group Individual or group health planshealth plans (or programs) (or programs) that provide health benefits directly, through that provide health benefits directly, through insurance, or otherwiseinsurance, or otherwise
Health care providersHealth care providers (or suppliers) of medical (or suppliers) of medical or other health services or supplies (or other health services or supplies (that also that also conduct certain health care transactions conduct certain health care transactions electronicallyelectronically))
Health information clearinghousesHealth information clearinghouses that that process or facilitate the processing of electronic process or facilitate the processing of electronic health information into a standard formathealth information into a standard format
© 2002 National Governors Association© 2002 National Governors Association 88
“ “Agencies can no longer act as if they are Agencies can no longer act as if they are separate organizations with independent separate organizations with independent missions.”missions.”
Governing MagazineGoverning MagazineJanuary 2003January 2003
© 2002 National Governors Association© 2002 National Governors Association 99
Who Else Must Comply?Who Else Must Comply?
Hybrid entitiesHybrid entities whose business activities whose business activities include both covered include both covered andand non-covered functions non-covered functions
Business associatesBusiness associates that perform certain that perform certain functions or activities functions or activities on behalf ofon behalf of a covered a covered entityentity
Information Information trading partnerstrading partners that rely on that rely on protected health information for purposes protected health information for purposes not not directly relateddirectly related to the business activities of to the business activities of covered entitiescovered entities
© 2002 National Governors Association© 2002 National Governors Association 1010
State ParadoxState Paradox
The broad mandates of most public programs go The broad mandates of most public programs go far beyond HIPAA’s narrow, private-sector far beyond HIPAA’s narrow, private-sector orientation towards health plans, health care orientation towards health plans, health care providers, and health information providers, and health information clearinghouses.clearinghouses.
Unlike the private sector, states must balance Unlike the private sector, states must balance the law’s requirements with their additional roles the law’s requirements with their additional roles as purchasers, managers, and regulators of as purchasers, managers, and regulators of health care, as well as guardian of the public’s health care, as well as guardian of the public’s health and safety.health and safety.
© 2002 National Governors Association© 2002 National Governors Association 1111
What Does this Mean for States?What Does this Mean for States?(Labor-Intensive Review of State Government)(Labor-Intensive Review of State Government)
Identify covered entitiesIdentify covered entities– Agencies, programs, covered functionsAgencies, programs, covered functions
Evaluate information sharing practices (PHI)Evaluate information sharing practices (PHI)– Transactions, technologyTransactions, technology
Determine legal requirementsDetermine legal requirements– Preemption analysis of state, federal lawPreemption analysis of state, federal law
Revise business practices (statewide)Revise business practices (statewide)– Policies, procedures, materialsPolicies, procedures, materials– TechnologyTechnology
Adapt information sharing relationshipsAdapt information sharing relationships– Business associates, trading partnersBusiness associates, trading partners
© 2002 National Governors Association© 2002 National Governors Association 1212
How States Are RespondingHow States Are Responding(Process)(Process)
Compliance planningCompliance planning– Interagency planning committeesInteragency planning committees– Dedicated HIPAA project offices (CA, IA, OH, SC)Dedicated HIPAA project offices (CA, IA, OH, SC)– Medicaid-led (NC)Medicaid-led (NC)– State CIO, privacy office (FL, KY, NY)State CIO, privacy office (FL, KY, NY)
Pooled resourcesPooled resources– Compliance tools (impact assessments, Compliance tools (impact assessments,
business associate agreements)business associate agreements)– Some cost sharing (CA, TN)Some cost sharing (CA, TN)– Public/private collaborativesPublic/private collaboratives
© 2002 National Governors Association© 2002 National Governors Association 1313
How States Are RespondingHow States Are Responding(Policy)(Policy)
Implementing trading partner agreementsImplementing trading partner agreements
Consolidating technology (GA, UT)Consolidating technology (GA, UT)
Reassigning program functionsReassigning program functions– Orthodontia, hearing aids (CO)Orthodontia, hearing aids (CO)
Instituting complaint management systemsInstituting complaint management systems– 800 referral number (NC)800 referral number (NC)
© 2002 National Governors Association© 2002 National Governors Association 1414
Ongoing Compliance BarriersOngoing Compliance Barriers
Unfunded mandateUnfunded mandate– Medicaid (recoup enhanced match)Medicaid (recoup enhanced match)– Non-Medicaid (no federal funding)Non-Medicaid (no federal funding)
Poor guidance (no validation)Poor guidance (no validation)– Covered entity determinationsCovered entity determinations– Preemption decisions (state, federal)Preemption decisions (state, federal)
Staggered implementation scheduleStaggered implementation schedule– Counterproductive (state resources)Counterproductive (state resources)– Wasteful (taxpayer dollars)Wasteful (taxpayer dollars)
Complaint-driven enforcementComplaint-driven enforcement– Unknown vulnerability (penalties, lawsuits)Unknown vulnerability (penalties, lawsuits)– Unknown application (among HHS regions)Unknown application (among HHS regions)
© 2002 National Governors Association© 2002 National Governors Association 1515
Community-based providers Community-based providers (“safety net”)(“safety net”)
Public hospitals/clinicsPublic hospitals/clinics
Mental health facilitiesMental health facilities
Substance abuse treatment Substance abuse treatment centerscenters
State/local health State/local health departmentsdepartments
Academic medical/research Academic medical/research centerscenters
Organ donation programsOrgan donation programs
Foster careFoster care
Law enforcement and corrections Law enforcement and corrections (coroners, medical examiners)(coroners, medical examiners)
TANF-funded programsTANF-funded programs
MCH programs (Title V)MCH programs (Title V)
School-based health programs School-based health programs (immunizations, dental)(immunizations, dental)
HIV/AIDS (“Ryan White”)HIV/AIDS (“Ryan White”)
State employee benefitsState employee benefits
Worker’s compensationWorker’s compensation
State technology authoritiesState technology authorities
Health policy officesHealth policy offices
Unfunded MandateUnfunded Mandate(Non-Medicaid)(Non-Medicaid)
© 2002 National Governors Association© 2002 National Governors Association 1616
Federal GuidanceFederal Guidance
Covered entity Covered entity determinationsdeterminations– No arbitration processNo arbitration process– No validation mechanismNo validation mechanism
Preemption decisionsPreemption decisions– State lawState law– Other federal lawsOther federal laws
© 2002 National Governors Association© 2002 National Governors Association 1717
Implementation ScheduleImplementation ScheduleProposedProposed
RuleRule
FinalFinal
RuleRule
Compliance Compliance DeadlineDeadline††
PrivacyPrivacy 11/9911/99 8/028/02‡‡ 4/034/03
SecuritySecurity 8/988/98 —— ——
Transactions and CodesTransactions and Codes 5/985/98 10/0010/00 10/0210/02**
National Provider IdentifierNational Provider Identifier 5/985/98 —— ——
Health Plan IdentifierHealth Plan Identifier —— —— ——
Employer IdentifierEmployer Identifier 6/986/98 7/027/02 7/047/04
EnforcementEnforcement —— —— ——†† Small health plans have one additional year following this date to be compliant.Small health plans have one additional year following this date to be compliant.‡‡ HHS proposed modifications to the privacy rule on March 27, 2002. The modifications were finalized on August 14, 2002. HHS proposed modifications to the privacy rule on March 27, 2002. The modifications were finalized on August 14, 2002. The compliance deadline will not change. The compliance deadline will not change.** The compliance deadline may be extended by one year if a compliance plan is submitted to HHS before October 16, The compliance deadline may be extended by one year if a compliance plan is submitted to HHS before October 16, 2002. Small health plans are not eligible for the conditional extension.2002. Small health plans are not eligible for the conditional extension.
© 2002 National Governors Association© 2002 National Governors Association 1818
Complaint-Driven EnforcementComplaint-Driven Enforcement
ExpectationsExpectations– Who will complain?Who will complain?– What will they complain about?What will they complain about?
VulnerabilityVulnerability– LawsuitsLawsuits– Federal penaltiesFederal penalties– Negative publicityNegative publicity
ApplicationApplication– Measure of due diligenceMeasure of due diligence– Sanctions, technical assistanceSanctions, technical assistance– Consistent enforcement across HHS regionsConsistent enforcement across HHS regions
© 2002 National Governors Association© 2002 National Governors Association 1919
Policy Implications for StatesPolicy Implications for States
Worsening the budget situationWorsening the budget situation
Impeding access to health careImpeding access to health care
Affecting the quality of careAffecting the quality of care
Threatening provider solvencyThreatening provider solvency
Impairing state-level program Impairing state-level program administration (grant reporting)administration (grant reporting)
Hindering the ability to make good policy Hindering the ability to make good policy decisionsdecisions
© 2002 National Governors Association© 2002 National Governors Association 2020
Implications for CDCImplications for CDC
Information sharing standards will varyInformation sharing standards will vary– Different legal interpretations (state-level)Different legal interpretations (state-level)– Grant reportingGrant reporting– Surveillance data (disease reporting)Surveillance data (disease reporting)
Prevention activities Prevention activities – ImmunizationsImmunizations– Disease managementDisease management
Assurances will be neededAssurances will be needed– Business associate, trading partner agreementsBusiness associate, trading partner agreements
© 2002 National Governors Association© 2002 National Governors Association 2121
What States NeedWhat States Need
GuidanceGuidance– Validation of state decisions (OCR)Validation of state decisions (OCR)– Analysis of HIPAA, other federal lawsAnalysis of HIPAA, other federal laws– Direction from federal funders (grants)Direction from federal funders (grants)– Coordination among federal-level agenciesCoordination among federal-level agencies
Time & moneyTime & money– 2002 election2002 election– State fiscal crisisState fiscal crisis– Opportunity to upgrade health data systemsOpportunity to upgrade health data systems
© 2002 National Governors Association© 2002 National Governors Association 2222
NGA Center for Best PracticesNGA Center for Best Practices((http://www.nga.org/centerhttp://www.nga.org/center))
Robert J. BurnsRobert J. BurnsPolicy AnalystPolicy AnalystHealth Policy Studies DivisionHealth Policy Studies Division
National Governors AssociationNational Governors AssociationCenter for Best PracticesCenter for Best Practices
Hall of States, Suite 267Hall of States, Suite 267444 North Capitol Street, NW444 North Capitol Street, NWWashington, DC 20001-1512Washington, DC 20001-1512
(202) 624-7729(202) 624-7729fax: (202) 624-5313fax: (202) 624-5313email: email: [email protected]@nga.org