Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006



Reviewing the World of HIPAA

Stephanie Anderson, CPC

October 2006


Community Care Network of Virginia, Inc., October 2006

Discussion Points

• Overview of HIPAA Regulations
• Administrative Simplification
• EDI Components
    • Standard Transactions
    • Standard Code Sets
    • Unique Identifiers
• Privacy Rule Review
• Security Rule Overview


HIPAA: What’s in a Name?

Health Insurance Portability and Accountability Act

• Implemented in 1996
• Includes Titles I - V
    • Portability - Title I
    • Accountability - Title II
        • Administrative Simplification


HIPAA Administrative Simplification Provisions

HIPAA

• Title I: Insurance Portability
• Title II: Fraud & Abuse, Medical Liability Reform
    • Administrative Simplification
        • EDI
            • Transactions
            • Code Sets
            • Identifiers
        • Privacy
        • Security
• Title III: Tax Related Health Provision
• Title IV: Group Health Plan Requirements
• Title V: Revenue Off-sets


Who Oversees HIPAA Administrative Simplification?

Department of Health & Human Services

The Centers for Medicare and Medicaid Services (CMS) Oversees:

• Transactions & Code Sets

• Standard Unique Identifiers

• Security Rule

• NPI

The Office for Civil Rights (OCR) Oversees:

• Privacy Rule


Administrative Simplification Provisions Time Table

HIPAA Regulation | Proposed Rule Publication | Final Rule Publication | Compliance Date

EDI Electronic Transactions & Code Sets Standards | May 7, 1998 | August 17, 2000 | October 16, 2003 (if entity applied for extension)

National Standard Provider ID (NPI) | May 7, 1998 | January 23, 2004 | May 23, 2007 *

National Standard Health Plan ID | Under development

National Standard Employer ID (TIN) | June 16, 1998 | May 31, 2002 | July 30, 2004

Attachments | Under development

Privacy & Privacy Modifications | November 13, 1999 | December 28, 2000 & August 14, 2002 | April 14, 2003

Security Rule | August 12, 1998 | February 20, 2003 | April 21, 2005

* Small Health Plans have 1 year longer


Why are HIPAA Electronic Standard Transactions Important?

• Standardize claim submission
    • Fewer errors
• Standardize payment method
    • Faster processing
• Reduces paperwork (from ~400 forms to ~4)
• Reduces postage costs
• Real-time patient eligibility and benefits
• Overall: Less Administrative Burden


Current HIPAA Standard Transactions

• Claims Payment & Remittance Advice
• Claim Status Inquiry & Response
• Enrollment in Health Plan
• Referral Certification and Authorization Inquiry & Response
• Health Plan premium payments
• Coordination of Benefits


Unique Identifiers for HIPAA EDI

National Employer Identifier Standard

• Compliance Date = July 30, 2004
• IRS Employer Identification Number (EIN)
• 9-digit number (Tax ID #) for all employers
• Number to be used on all claims to identify the Center (54-*******)


Unique Identifiers for HIPAA EDI

National Provider Identifier (NPI)

Compliance Date = May 23, 2007 {Small Health Plans = May 23, 2008}

We will discuss details in Part 2….


Review of the Privacy Rule


On To The Privacy Rule……...

Purpose:

• Provides national standards to protect Protected Health Information (PHI)
• Gives patients increased control over their health information
• Sets limits on the use of and disclosure of health information
• Allows for a balance in disclosing PHI in some forms for public health reasons
• Establishes penalties for violations of a person’s privacy rights.


Areas Addressed in the Privacy Standards

• Notice of Privacy Practice (NPP)
• Use & disclosure of PHI
    • TPO
• Authorization for Release of PHI
• Minimum Necessary Information
• Incidental Uses & Disclosures
• Oral Communications
• Accounting of Disclosures
• Business Associates
• Personal Representatives & Minors
• Marketing & Health-Related Communications
• Research
• Government Access to PHI
• Violations & Penalties


Review of Patient’s Rights...

Receive a copy of Notice of Privacy Practices (NPP)/Signature of Receipt

Review & request copies of/amendments to their medical records

Need to be informed on how their PHI may be used/disclosed {stated in NPP}

Any release of PHI will be held to the minimum necessary to achieve the task

File grievance concerning privacy issues


What Should We Have in Place?

Policies & Procedures that address the requirements of the Standards

Forms that support P & P

• NPP acknowledgement of receipt
• Restrictions on uses & disclosures of PHI
• Patient request to review & copy medical record
• Denial for access to the request
• Amendment of the medical record
• Accounting of disclosures log
• Patient Authorization for disclosure other than TPO
• Patient Grievance Form


How’s Privacy Compliance Going ?

DHHS Reports the following:

As of November 30, 2005:

• 16,625 privacy rule complaints received by the Office for Civil Rights since the effective date (April 14, 2003)
• 69% of the cases have been resolved/closed
    • Covered entity corrected the problem
    • Complaint was not a true violation of Privacy Rule
• 263 violations referred by the OCR to the Department of Justice for potential prosecution--one case has been successfully prosecuted


How’s Privacy Compliance Going ?

DHHS Reports the following:

Top Five Complaints Against Providers

1. Impermissible use/disclosure of PHI
2. Lack of adequate safeguards in place
3. Refusal or failure to provide a patient access to records
4. Disclosure of more than minimally necessary information
5. Failure to obtain valid authorizations for disclosures that required them.


The Penalties…………..

$100/incident up to $25,000/person/year/standard violated

$50,000 and/or ONE year in prison for knowingly violating the Rule


The Penalties…………..

False Pretense: Up to $100,000; 5 years in prison

For Commercial Gain, Advantage, or Harm - $250,000; 10 years in prison


Suggestions for Compliance

• Ensure Policies & Procedures (P & P) cover standards in the Rule and are up-to-date with Center operations
• ANNUAL staff training on current Privacy P & P
• Continue to make the Center Notice of Privacy Practices (NPP) available to patients and obtain signatures of receipt for medical record.
• Ensure Privacy Officer is designated
• Ensure Business Associate Agreements (BAA), according to the Rule standards, are in place


Security Rule

Compliance Date = April 21, 2005

Purpose:

• Ensure the integrity, availability, & confidentiality of EPHI {Electronic PHI}
• Protect against reasonably anticipated threats of security & improper use or disclosure of EPHI
• Ensure compliance by Center staff


What Does the Security Rule Include?

• Electronic Protected Health Information {EPHI} ONLY
    • Privacy Rule covers all PHI in paper, oral, and electronic format.
• All stored data and transmitted data in systems
• All Covered Entities
• Standards to ensure that appropriate access to EPHI is addressed.


Security Rule Concepts

• Flexible & Scalable
    • Works for small to large providers & health plans
• Technology Neutral
    • Allows for future technology advances
• Comprehensive
    • Administrative Safeguards (policies & procedures)
    • Physical Safeguards (restricting access, providing back-up plans)
    • Technical Safeguards (authentication, integrity controls, access)


Required vs. Addressable Specifications

Required

• Implementation of specification is mandatory

Addressable

• Specification must be used if the risk analysis shows it is needed
• If a specification is not implemented, documentation must explain why & what else is being done in its place


Security Standards Flowchart

Security Standards

• Administrative Safeguards: 12 Required, 11 Addressable Specifications
• Physical Safeguards: 4 Required, 6 Addressable Specifications
• Technical Safeguards: 4 Required, 5 Addressable Specifications


Implementing Security

• Risk Analysis should assess security risks & vulnerabilities
• Consider Center size, capabilities, & costs of addressing the security areas
• Assign a Security Officer
    • May have a “group” working together; responsibility must be assigned to an individual.


Implementing Security

Develop P & P to address the security standards as appropriate and reasonable for Center operations.

TRAIN staff on the P & P and the overall purpose of implementation

Ensure proper language in BAAs to cover security standards.

Evaluate Security P & P at least annually to ensure they are being followed & to update as appropriate


Relationships between Privacy & Security

Privacy is the…

• Who
• What
• When

Security is the…

• How


Relationships between Privacy & Security

Privacy covers PHI on paper, orally, & electronic format

Security covers electronic PHI ONLY

Security enables Privacy by providing safeguards for proper access to data

Business Associate Agreements (Privacy) need to detail how the integrity, confidentiality, & availability of the data exchange will take place (Security).


Tying It All Together-----

Patient Registration

• Collecting PHI
• Handling PHI

Encounter

• Diagnosis - All digits needed
• E & M Service - Based on Key Elements
• Procedures (Modifiers as appropriate)
• Documentation to support ALL CODES used


Tying It All Together-----

Input data into Account

• Proper Log-in/Access to System
• Accuracy of Information

Submit Claim Electronically

• Transmission process

Request for Medical Record Information

• Minimum Necessary to complete the request


Tying It All Together-----

Electronic Payment/Denial

Input Data into Account

• Proper Access
• Accuracy

Maintaining Integrity of Data

• Changes to be monitored

ON A GOOD DAY---- The Process Works!


Patient is Happy!

Billing Staff is Happy

Providers are Happy

Center Management is Happy

Board Members are Happy

Everyone is HAPPY!!


Questions??


Thank You for Coming ! !

Stephanie Anderson, CPC

Community Care Network of Virginia, Inc.

6802 Paragon Place
Suite 630
Richmond, VA 23230
(T) (804) 237-7686 x [email protected]