TRANSCRIPT
Slide 1
Page 1 NC DHHS HIPAA OFFICE
Presented to the NC Association on Aging Conference
April 29, 2003
Sarah Brooks, MPA, RHIA, CPM
Manager, NC DHHS HIPAA Office
HIPAA
Health Insurance Portability and Accountability Act
Slide 2 NC DHHS HIPAA OFFICE
AGENDA
What is HIPAA
Who Must Comply with HIPAA
Overview of Regulations
Resources
Slide 4 NC DHHS HIPAA OFFICE
Purpose of HIPAA
Health Insurance Portability & Accountability Act of 1996 [Public Law 104-191]
Improve portability and continuity of health insurance coverage in the group and individual markets;
To combat waste, fraud, and abuse in health insurance and health care delivery;
To promote the use of medical savings accounts;
To improve access to long-term care services and coverage; and
To simplify the administration of health insurance
– HHS was charged with promulgating rules
Slide 5 NC DHHS HIPAA OFFICE
How the Law is Structured
HIPAA is divided into five titles - each addresses a unique aspect of health insurance reform.
Title II is also known as Administrative Simplification
If Congress did not adopt legislation to enact Administrative Simplification, HHS was charged with promulgating rules
HHS was limited to enacting rules based on statutory language
Slide 6 NC DHHS HIPAA OFFICE
ADMINISTRATIVE SIMPLIFICATION
Establishes National Standards for
– Electronic Transactions and Code Sets
– Identifiers (Providers, Payers, Employers, Individuals)
– Privacy
– Security & Electronic Signature
– Compliance
Provides Patients With Certain Rights
Cuts Administrative Costs
Preempts State Laws, Unless More Stringent
Potential Civil Monetary & Criminal Penalties
Potential Impacts on Business Continuity
Slide 7 NC DHHS HIPAA OFFICE
HIPAA vs. Y2K
Y2K impacted all information systems; HIPAA impacts health information systems that contain identifying patient data
Y2K did not require major business process changes; HIPAA will have major impacts on business practices in the healthcare industry
Once Y2K issues were resolved, consumers were not impacted; HIPAA will impact healthcare consumers
During Y2K, healthcare providers and payers relied on vendors, contractors or internal IS staff to resolve the Y2K issues; with HIPAA, the entire organization will be impacted by changes resulting from HIPAA implementation
Slide 8 NC DHHS HIPAA OFFICE
Wishful thinking about HIPAA
Congress will repeal HIPAA
There will be additional delays
There will be no HIPAA enforcement for many, many years
My vendor will take care of HIPAA
HIPAA is an IT project
Slide 9 NC DHHS HIPAA OFFICE
HIPAA Reality
Not a “one shot deal”
Not solely a technology or systems fix
Affects the culture of handling health information
Not an easy “return to normal operations”
Major impacts on policy and training
Affects business relationships
Slide 11 NC DHHS HIPAA OFFICE
Terms You Should Know
To understand HIPAA, there are some important terms you must know
They are:
– Covered Entity
– Business Associate
– Hybrid Entity
Slide 12 NC DHHS HIPAA OFFICE
Who is Impacted?
Covered Entities
Health Plan (provides or pays the cost of medical care - e.g., Medicaid, HMOs, BC/BS, Medicare, Champus)
Health Care Clearinghouse (routes electronic data between payers & providers - e.g., billing services)
Health Care Provider who transmits any health information in an electronic transaction (e.g., Hospitals, Physicians, Public Health Departments, Group Homes, Home Health, Pharmacies, Laboratories)
Slide 13 NC DHHS HIPAA OFFICE
Who is Impacted?
Business Associates
Definition: Person who performs a function or activity on behalf of a covered entity, involving the use and/or disclosure of PHI.
Excludes person who is part of the Covered Entity’s workforce (e.g., Employees, Physicians with Staff Privileges)
Must protect PHI and help Covered Entity comply with its obligations under the Privacy Rule
DO NOT have to comply with HIPAA Privacy Rules
Must abide by Business Associate Agreement with covered entity
Slide 14 NC DHHS HIPAA OFFICE
Who is Impacted?
Hybrid Entities
Defined as, “a single legal entity that is a covered entity and whose covered functions are not its primary functions.”
Most covered government agencies will be hybrid entities
Need to identify those health care components within the Hybrid Entity that perform covered functions and other components that would normally be a Business Associate
Slide 15 NC DHHS HIPAA OFFICE
Statewide Impact
Covered Entities
– State Health Plan (includes HealthChoice for Children)
– UNC Health Care
Business Associates
– Department of Justice
– Office of the State Auditor
– Office of the Controller
Hybrid Entities
– Dept of Administration
– Dept of Correction
– Dept of Health and Human Services
– Office of Information Technology Services*
– East Carolina University
– University of NC at Chapel Hill
– University of NC at Greensboro
Slide 16 NC DHHS HIPAA OFFICE
DHHS Impact
Medicaid
Public health
– State Lab
– State Center for Health Statistics
– Local health services
– Children’s special health services
– Developmental education clinics (13)
Education
– School for the blind (1)
– Schools for the deaf (2)
Mental health, substance abuse
– State psychiatric hospitals, substance abuse, nursing (7)
– Mental retardation centers (5)
– Adolescent treatment (2)
Other divisions
– Controller’s Office
– Information Resource Mgmt
– Public Affairs
– Internal Auditor
– Research, Demonstrations, and Rural Health Development
Slide 17 NC DHHS HIPAA OFFICE
Division of Aging Impacts
Not a Health Care Provider - AAA’s may be providers but not the Division of Aging
Not a Health Plan - regulations exclude government funded programs whose primary purpose is not provision of health care
ARMS Implications - since Aging is not a Health Plan or Health Care Provider, ARMS does not have any HIPAA impacts
Slide 18 NC DHHS HIPAA OFFICE
Impact of Not Complying
Possible litigation
Potential withholding of federal Medicaid and Medicare funds
Federal Medicaid Share in NC in @ 4.5 billion
In DHHS, more than $300 million in revenues at risk
Penalties
Civil Monetary for violations of each standard
Wrongful disclosure of protected health information
Slide 20 NC DHHS HIPAA OFFICE
Final Regulation
TRANSACTIONS & CODE SETS
Electronic Health Transactions Standards (45 CFR Parts 160 & 162)
Compliance originally required 10/16/02
With a plan filed, compliance extended to 10/16/03
Revisions could be made on annual basis with 180 days to comply
Slide 21 NC DHHS HIPAA OFFICE
What Do Standard Transactions Cover?
The exchange of data between two parties to carry out financial or administrative activities related to health care. It includes the following types of information exchanges:
(1) Health Care claims or equivalent encounter information.
(2) Health Care payment and remittance advice.
(3) Coordination of benefits.
(4) Health Care claim status.
(5) Enrollment and disenrollment in a health plan.
(6) Eligibility for a health plan.
(7) Health plan premium payments.
(8) Referral certification and authorization.
(9) First report of injury.
(10) Health claims attachments.
(11) Other transactions that the Secretary may prescribe by regulation.
Slide 22 NC DHHS HIPAA OFFICE
What Do Code Set Regulations Cover?
Establishes standard code sets used to identify diagnoses, procedures, etc.
Standard Code Sets are:
– International Classification of Diseases, Ninth Edition, Clinical Modification (ICD-9-CM)
– Health Care Procedural Coding System (HCPCS)
– Current Procedural Terminology, Fourth Edition (CPT-4)
– Current Dental Terminology (CDT)
– National Drug Codes (NDC)
Slide 23 NC DHHS HIPAA OFFICE
Final Regulation
PRIVACY
Privacy Standards (45 CFR Parts 160 & 164)
Final Regulations published 12/28/00
Modifications published 4/14/01
Significant legal interpretation required
Ongoing compliance monitoring
Compliance 4/14/03
Slide 24 NC DHHS HIPAA OFFICE
Scope of Privacy Regulations
Includes all medical records and other health information maintained by a health care provider, clearinghouse or a health plan.
Covers information in any format
– Paper
– Electronic
– Oral
Affects use and disclosure of all client health information
Slide 25 NC DHHS HIPAA OFFICE
What Do The Privacy Regulations Cover?
Establishes federal ‘floor’ for Privacy - Preempts state law unless state laws are more stringent
Permits use or disclosure of Individually Identifying Health Information (IIHI) for treatment, payment, health care operations (without client consent)
Limits the amount of information to be used or disclosed to what is minimally necessary
Identifies use and disclosure for which an authorization is or is not required
Establishes requirements for de-identification of health information or limited data sets
Slide 26 NC DHHS HIPAA OFFICE
What Do The Privacy Regulations Cover?
Establishes client rights
– Right to request access to their health information with limitations on denial of such request
– Right to request amendment to health information
– Right to receive an accounting of disclosures
– Right to receive a Notice of Privacy Practices
Requires appropriate administrative, technical and physical safeguards to protect health information
Establishes a protocol for using protected health information for marketing and fundraising
Requires designation of a privacy official and a contact person for complaints
Slide 27 NC DHHS HIPAA OFFICE
What Do The Privacy Regulations Cover?
Requires identification of workforce members needing access to health information limiting access to the minimum necessary
Requires training of all staff members
Establishes content or documentation requirements for policies, procedures, notices, authorizations, amendments, accounting of disclosures, complaints and compliance
Addresses penalties for unauthorized disclosures
Slide 28 NC DHHS HIPAA OFFICE
Final Regulation
SECURITY
Security Standards (45 CFR Parts 160, 162 & 164)
Final Regulations published 2/20/03
Compliance 4/21/05
Written to conform to Privacy Regulations
Slide 29 NC DHHS HIPAA OFFICE
Scope and Purpose of Security Regs
Scope: Electronic Protected Health Information (in motion and at rest)
Purpose:
– Ensure integrity, confidentiality and availability of electronic protected health information
– Protect against reasonably anticipated threats or hazards, and improper use or disclosure
Slide 30 NC DHHS HIPAA OFFICE
What Do Security Regulations Cover?
Standards to Guard Data Integrity, Confidentiality, and Availability
– Administrative Safeguards (Policies/Procedures)
– Physical Safeguards
– Technical Safeguards
Flexible, Scalable
Technology Neutral
Consistency with Privacy Regulations (Requires Business Associate Agreements)
Slide 31 NC DHHS HIPAA OFFICE
Security vs. Privacy
Privacy and Security go hand-in-hand
Privacy - What
– Defines who is authorized to access information (the right of individuals to keep information about themselves from being disclosed)
Security - How
– Ability to control access to and protect information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction, or loss
Slide 32 NC DHHS HIPAA OFFICE
Final Regulation
National Employer Identifier
National Standard Employer Identifier (45 CFR Part 160 and 162)
Final Regulations published 5/31/02
Compliance 7/30/04
Utilizes Employer Tax ID
Required in any standard transactions that transmit employer-related information
Slide 33 NC DHHS HIPAA OFFICE
HIPAA Proposed Rules Published
Electronic Signature Standards (45 CFR Part 142)
– Draft published August 12, 1998 with Security rules draft
– Not included in final Security rule - will be sent out as separate regulation
National Standard Health Care Provider Identifier (45 CFR Part 142)
– Draft published May 7, 1998
Slide 34 NC DHHS HIPAA OFFICE
HIPAA Proposed Rules Not Published
National Health Plan Identifier (Payer ID)
Claims Attachments
Enforcement
First Report of Injury
National Individual Identifier
NOTE: Once published, 26 months to comply
Slide 36 NC DHHS HIPAA OFFICE
DHHS HIPAA Website
http://dirm.state.nc.us/hipaa/
Slide 37 NC DHHS HIPAA OFFICE
NCHICA
NC Healthcare Information and Communications Alliance, Inc.
Membership is from public and private sectors
HIPAA Workgroups in areas of Privacy and Confidentiality; Security; Training; Transactions/Code Sets
Slide 38 NC DHHS HIPAA OFFICE
NCHICA Deliverables
www.nchica.org
– Privacy and Security Training Modules
– HIPAA EarlyView™ Security
– HIPAA EarlyView™ Privacy
– Security Policy and Procedures Matrix
– Privacy Models (Notice of Privacy Practices, Authorization, Business Associate Agreement, Data Use Agreement)
– Minimum Necessary Decision Tree
– Review of NC Statutes
– Guidance for Identifying Designated Record Sets
– HIPAA Privacy Checklists
Slide 39 NC DHHS HIPAA OFFICE
Resources
US HHS / HIPAA aspe.hhs.gov/adminsimp
Office of Civil Rights http://www.hhs.gov/ocr/hipaa/
AHIMA www.ahima.org
Institute of Govt http://www.medicalprivacy.unc.edu/
HIPAA Privacy Joint Info Ctr http://www.bricker.com/hipaa/
Mass Health Data Consortium http://www.mahealthdata.org/
Administration on Aging http://www.aoa.dhhs.gov/