HIPAA -- A Primer for State Corrections CIOs


1 HIPAA -- A Primer for State Corrections CIOs
Scott McPherson Chief Information Officer, Florida Department of Corrections

2 What HIPAA is NOT….

4 OK, smart guy, I know what HIPAA isn't. What is HIPAA?

5 HIPAA is:
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Signed into law August 21, 1996
Administrative Simplification subtitle: Congress gave itself until 1999 to enact the privacy legislation
Failing that, it gave HHS the authority to promulgate rules
That happened August 26, 1999, when Congress failed to enact privacy rules

6 HIPAA standards apply to covered entities:
Health plans
Health care clearinghouses
Health care providers that conduct designated transactions electronically
AND to those who conduct business for them (business associates)

7 March, 2002 HIPAA’s reach is more encompassing than anyone in the states thought it would be when the U.S. Congress passed the law in 1996. HIPAA applies to every health care provider, health plan or clearinghouse — in short, nearly anyone who bills or pays for a health service. The only ones excused are those who do not transfer any information electronically. In effect, that means that HIPAA covers just about any public program or private company dealing with health records.

8 “There’s a tendency for those not really involved with HIPAA to look at it as a technology problem, as something like Y2K where you can just fix a database,” says W. Holt Anderson, executive director of the North Carolina Healthcare Information and Communications Alliance, known as NCHICA. “But technology is only 25 percent of the challenge. The rest is changing policies, cultures and business practices. HIPAA is a major shift in the way we do health care.”

9 Who is a Covered Entity?
"A health care provider who transmits any health information in electronic form in connection with a transaction." Providers get a choice, made by conducting electronic transactions (or getting a business associate to).
"A health care clearinghouse." Clearinghouses get no choice.
"A health plan." Explicitly including government plans such as Medicaid and Medicare, VA, DoD, CHAMPUS, IHS, etc. Exceptions for some plans that are not primarily "health" plans, e.g., workers' comp, property and casualty.

10 When Washington State did an analysis of which departments would fall under HIPAA, it found that, in addition to corrections and schools, the Department of Labor and Industries was involved. Although workers' compensation programs are specifically excluded from HIPAA, the department has other programs that aren't, such as a program on occupational safety and health and one that provides benefits to victims of crimes.

11 On the government side, HIPAA clearly affects public hospitals, insurance programs for state and local employees and Medicaid. Less obviously, HIPAA extends to many agencies that one wouldn't intuitively put in the health care column. Corrections departments, for instance, can fall under HIPAA, depending on who runs prison health services and how. Education systems are likely to be HIPAA-impacted since most schools deal with student health records, and should they so much as fax a student's vaccination record, that would be an electronic transfer of health information.

12 Covered Entities Required To:
Use HIPAA standards for designated transactions no later than the appropriate compliance date, via:
internal systems changes
a clearinghouse
a compliant business associate
Use appropriate code sets in transactions

13 3 Parts to Administrative Simplification
45 CFR Subtitle A, Subchapter C
PART 160 – General Administrative Requirements: scope, common definitions, enforcement
PART 162 – Administrative Requirements: transaction, code set [and identifier] standards
PART 164 – Security and Privacy: privacy [and security] rules

14 Business Associates – Outsourced Medical Services?
Transactions Rule: 45 C.F.R (c) requires a "business associate" of a covered entity to comply with all applicable requirements
Privacy Rule: (e) and (e) are the parallel provisions for the privacy requirements

15 HIPAA timeline
[Timeline graphic, source: Gartner Research, copyright 2001]
21 August 1996: HIPAA enacted
August 2000: Final Rule, EDI
December 2000: Final Rule, Privacy
December 2001: Congress delays EDI implementation one year
No later than 3Q02: anticipated Final Rule, Security
April 2003: mandatory compliance, Privacy
October 2003: mandatory compliance, EDI
No later than 4Q04: effective mandatory compliance (security) assessments
Elections, lobbying and legislation?

Strategic Planning Assumptions: Through 3Q03, 70 percent of healthcare payer organizations will not have achieved full compliance with the full set of final HIPAA standards for transactions, codes and identifiers (0.8 probability). Through 2003, healthcare payer organizations that have not achieved full compliance with the HIPAA transaction standards will not experience substantial economic consequences due to explicit government delays of the deadlines, slow enforcement or accepting fines as the cost of doing business (0.7 probability).

The Department of Health and Human Services (DHHS) has not yet published final rules on identifiers, claim attachments and report of first injury. As the healthcare industry fully analyzes the implementation guides and standards for the transactions that have been published, questions have arisen that must be answered prior to full implementation, and these answers have not yet been provided. The industry is just now understanding the remediation effort required to prepare for the standards. There is no guidance from the government with respect to the processes necessary for a full national implementation, and yet this requires a degree of coordination among independent entities that is unprecedented for government regulations. These issues together lead to the inescapable conclusion that the healthcare industry cannot meet the mandatory deadlines. There is precedent for an action by the government to delay the deadlines or delay enforcement.

DHHS officials have already hinted that early enforcement may be directed at healthcare organizations (HCOs) that have blatantly ignored the regulations, rather than at those that are diligently working to comply but have not fully completed the tasks. Even if such delays are not forthcoming, large HCOs may consider unilateral delays for programs that are not paid with federal funds, treating the maximum penalty of $25,000 per year, per standard as a cost of doing business. Ultimately, competitive pressures and the requirement for the cost savings will drive compliance, but HCOs have options to consider so that delays of up to a year will not have devastating consequences.

16 So why should I care about HIPAA?
After all, I’m not a health care provider like other agencies are…

17 HIPAA and State Law Compliance: the Problem of the Lack of Federal Preemption
Clark Stanton Davis Wright Tremaine LLP

18 Preemption Preemption is the name we give to the theory under which the law at one level (federal, or even state) eliminates or controls the power of government at other levels (state and/or local) to regulate or pass laws in a particular area of activity.

19 Why Do We Care?
Currently, each state has a complex array of laws that affect the privacy of medical information:
Medical record confidentiality laws
Public health reporting laws
Special topics: mental health; HIV; genetic information
Litigation-related laws: physician-patient privilege; notice for subpoenas
State constitutional privacy

20 Why Do We Care?
Each state law concerning medical confidentiality has been crafted to provide privacy protections considered important to the people of that state.
California HIV confidentiality law prevents disclosure of HIV test results and even the identity of persons tested for HIV.
California consumer notice law requires a person seeking to subpoena medical information to give notice to the subject of the records prior to serving the subpoena on a third party.

21 HIPAA Preemption
Express; conflict-based; "contrary"; "more stringent"; exceptions; quirks
More stringent state law is undercut by "back door" provisions that bring HIPAA back in
HIPAA 1178(a), 264(c)(2); Reg ff
Excepted are:
state laws that the Secretary determines are necessary to prevent fraud and abuse, ensure appropriate State regulation of insurance and health plans, for State reporting on health care delivery, and other purposes for improving the health care delivery system
state laws for public health reporting, surveillance, investigation or intervention
state laws that address controlled substances
HIPAA pre-empts only state laws that are designed to regulate the privacy of health information, not those that do so only incidentally

22 Privacy

23 When Can You Report?
National security exception
Avert serious threats to health or public safety
Law enforcement rules generally

24 National Security Exception
Section 512(k)(2): may disclose PHI "to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities"
Those activities as defined in law: what you expect as "intelligence"

25 Averting Serious Threats
Section 512(j) permits voluntary disclosure by a covered entity Must be “consistent with applicable law and standards of ethical conduct”

26 Averting Serious Threats
Option 1, can disclose where: “Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public”; and “Is to a person or persons reasonably able to prevent or lessen the threat”

27 Averting Serious Threats
Option 2, disclosure OK where: “Is necessary for law enforcement authorities to identify or apprehend an individual” “Because of a statement by an individual admitting participation in a violent crime that the covered entity reasonably believes may have caused serious physical harm to the victim” That is, confessions to violent crimes

28 General Law Enforcement
Sec. 512(f) generally requires “in response to law enforcement official’s request” Covered entity can’t volunteer the information, except where required by a reporting law or requested by law enforcement

29 General Law Enforcement
Court order, grand jury subpoena or administrative subpoena: full file
To locate or identify a suspect, fugitive, material witness, or missing person: name, SSN, limited other information

30 Greater Focus on Security
Less tolerance for hackers and other unauthorized use
Cyber-security and the need to protect critical infrastructures
Backup needed in case of cyber-attack, or attack on the payments system, electricity grid, telephone system, or other systems you need

31 Security and Privacy
Good data handling practices become more important: good security protects PHI against unauthorized use
Audit trails and accounting become more obviously desirable, and help with some HIPAA compliance
Part of a system upgrade for security will be a system upgrade for other requirements, such as HIPAA privacy

32 Employee Data
New exclusion from the definition of PHI for "employment records held by a covered entity in its role as employer."
Limiting language in the preamble, but the regulatory text is very broad: those records are entirely outside of the rule.

33 Hybrid entities
Current law: if "primarily" a covered entity, then all your operations are covered.
Proposal: the covered entity defines the components that are covered.
Example: if no standard transactions, could a hospital web site be outside the rule? Sell all data?

34 Thanks to: Professor Peter Swire, Ohio State University College of Law, Director, D.C. program; Consultant, Morrison & Foerster, with focus on medical privacy

35 EDI (Electronic Data Interchange)

36 Transaction and Code Sets Standards
Final regulation published in August 2000
Original compliance date: October 16, 2002
Many sectors of health care requested additional time to build, test, and successfully implement the standards

Administrative Simplification Compliance Act or ASCA (P.L )
Allows covered entities to request a one-year extension for transactions and code sets compliance
Does not affect other HIPAA standards, e.g., privacy

38 ASCA Provisions
Covered entities may receive a one-year extension (to 10/16/03) if they submit a compliance extension plan by 10/15/2002
NCVHS will study a sample of plans to identify compliance barriers and publish solutions

39 Compliance Extension Plan
Per ASCA, the plan must include a summary of:
schedule for HIPAA implementation
work plan and budget
implementation strategy
planned use of vendors
time frame for testing (begin no later than 4/03)

40 How to Submit a Plan
Electronically at www.cms.hhs.gov/hipaa (strongly suggested; you will receive a confirmation number)
Via paper: model form or other format

41 Who Should Submit a Plan
Covered entity that does not expect to be compliant by 10/16/02
Note: providers not conducting electronic transactions are not covered entities
Exception: small plans already have until 10/03 and cannot receive an extension

42 Medicaid
Developed a HIPAA compliance "road map" for States
CD-based tool: provides gap analysis and resources
Facilitating cooperative working relationships among States to identify issues

43 Conclusions
Extension provides an opportunity for higher quality, lower risk
Don't rush to submit a plan
Establish a reasonable plan and stick to it
Begin external testing as early as possible
Use resources/information available through CMS, industry groups, associations and other partners

44 Covered Entity To Do List
Submit compliance plan if extension desired
Work with IT staff and vendors
Contact your business associates and trading partners
Join WEDI/SNIP efforts
Support SDOs
Use the delay time to reach compliance

45 Security

46 Security Requirements
Covered entities shall maintain reasonable and appropriate administrative, technical, and physical safeguards:
to ensure integrity and confidentiality
to protect against reasonably anticipated threats or hazards to security or integrity, and against unauthorized uses or disclosures
taking into account technical capabilities, costs, training, the value of audit trails, and the needs of small and rural providers

47 Security Issues
Covers transmitted data plus data at rest.
Involves policies/procedures and contracts with business associates.
For most security technology to work, behavioral safeguards must also be established and enforced; this requires administration commitment and responsibility.
Electronic signatures: the final rule will depend on industry progress on reaching consensus on a standard.

48 Enforcement Philosophy
Pre-emption of state law wherever feasible (not politically possible for privacy).
Enforcement by investigating complaints: not a HIPAA police force; OCR, not OIG.
"The Secretary will, to the extent practicable, seek the cooperation of covered entities in obtaining compliance."
The philosophy is to improve the health care system by helping entities comply, not by punishing unintentional mistakes.

49 Excuses from civil penalties (from law)
NONCOMPLIANCE NOT DISCOVERED: the person did not know, and by exercising reasonable diligence would not have known.
FAILURES DUE TO REASONABLE CAUSE: the failure was due to reasonable cause and not to willful neglect, and the failure is corrected within 30 days (which may be extended as determined appropriate by the Secretary based on the nature and extent of the failure to comply); or the failure was because the person was unable to comply.
REDUCTION: if the failure is due to reasonable cause, any penalty may be waived …

50 Remediation, testing, implementation

51 'You Take the High Road; I'm Busy Fighting the Alligators'
Imperative: Incorporate tactical remediation activities into a plan that balances expedience against strategic benefits and composes a long-term strategy for the fundamental data model and process improvements necessary to be competitive.
The high road: finally, a corporate data model
HIPAA standards provide a rare opportunity to standardize data elements and codes
Consolidate duplicate systems
The adoption of Internet technologies
Straight-through processing and reduced latency
The low road: wrap, map and hack
Minimize the renovation of transaction systems
Eliminate impacts on downstream systems
Ostensibly required by HIPAA deadlines
Source: Gartner Research, copyright 2001

There are two approaches to HIPAA transaction compliance, tactical and strategic. Each provides a different ROI, with vastly different investments. The tactical approach focuses on the fastest and most cost-effective (in the short term) route to HIPAA transaction compliance. The solution includes a heavy reliance on translation and auditing tools, employing internal or outsourced clearinghouse mapping technologies. Few changes to the back-end processing environment or data model are planned. Although ROI results will be tangible, they are short-term only. As all healthcare organizations must comply with these standards, there is no specific competitive advantage in minimal compliance. This approach does nothing to address current processing inefficiencies and costs, which include process inefficiencies such as dumping electronic transactions to paper and then rekeying them, poor internal data models, and continuing translation or clearinghouse vendor costs. The strategic approach focuses on improved data models and business processes that will better position the health plan to reap the administrative benefits and position HIPAA investments as the catalyst to better healthcare outcomes and new business opportunities. This will enable quicker adjudication, customer response, better reporting, improved successes with Internet initiatives and better use of data from external sources. By 2005, healthcare organizations that rely solely on tactical HIPAA remediation will lose market share because of process inefficiency and inflexibility (0.8 probability).

52 Remediation Approaches
Definition: "Wrap and map" remediation approaches use mapping software to transform data in the new format to look like the old format before presenting it to the application, and to transform the output data from the old format to the new.
[Diagram, source: Gartner Research, copyright 2001: Replace (old system swapped for a new one); Renovate (old system modified); Wrap and Map (837 in, 835 out, with a mapper presenting NSF to the unchanged old system); Wrap, Map and Hack (mapper plus the minimum change to the old system)]
There are four alternatives for remediation of an individual system:
Replace the current system by acquiring a vendor solution that can process and produce the HIPAA transactions. When the time is available to select, acquire and implement a new system, this approach allows for substantial long-term efficiencies by replacing multiple separate applications that perform the same function with a single product that reduces the latency time for processing, upgrades the technology platform and provides a solid basis for future changes.
Renovate the current system with a Y2K-like inspection of source code, repairing or replacing modules that deal with data elements and codes that are changed by the HIPAA standards.
"Wrap and map" the old system by using software mapping tools or a clearinghouse to convert the HIPAA transactions to the old-style format, presenting the old-style format to the old system and translating the old-style output to the HIPAA response. Where feasible, this approach minimizes the short-term costs associated with HIPAA compliance.
"Wrap, map, and hack" the old system, using the wrap-and-map technique to minimize the renovation that is required in the old system. Where a simple wrap-and-map solution is not feasible, this approach represents the minimal short-term costs.
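The wrap-and-map adapter in code, as an added example that is neither Gartner's nor the presenter's: an inbound 837-style claim is parsed using the delimiters declared in its ISA header, rendered into the fixed-width record an untouched legacy system expects, and the legacy answer is mapped back into an 835-style CLP segment. The X12 interchange is constructed for the example; the legacy record layout and the stand-in legacy system are hypothetical (not the real NSF format). The point a security reviewer would want from the mapper is visible in to_legacy_record: a value that does not fit the old width is rejected, not silently truncated, because a clipped member or claim ID would be matched to the wrong record downstream.

```python
"""Toy "wrap and map" adapter around an unmodified legacy claims system."""
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample 837-style interchange. ISA is fixed-width: the element
# separator is the character at offset 3, the segment terminator at offset 105.
SAMPLE_837 = (
    "ISA*00*          *00*          *ZZ*SENDERID       *ZZ*RECEIVERID     "
    "*020315*1200*U*00401*000000001*0*P*:~"
    "GS*HC*SENDERID*RECEIVERID*20020315*1200*1*X*004010X098~"
    "ST*837*0001~"
    "BHT*0019*00*REF1*20020315*1200*CH~"
    "NM1*IL*1*DOE*JOHN****MI*A123456789~"
    "CLM*CLAIM001*125.50***11::1*Y*A*Y*Y~"
    "SE*5*0001~"
    "GE*1*1~"
    "IEA*1*000000001~"
)

# Hypothetical fixed-width legacy claim record (field, width); not real NSF.
LEGACY_CLAIM_LAYOUT = [
    ("rec_type", 2), ("member_id", 12), ("last_name", 20),
    ("first_name", 15), ("claim_id", 20), ("charge_cents", 10),
]


@dataclass(frozen=True)
class Claim:
    claim_id: str
    member_id: str
    last_name: str
    first_name: str
    total_charge: Decimal


def parse_x12(interchange):
    """Split an interchange into segments/elements using the delimiters the
    ISA header declares, rather than assuming '*' and '~'."""
    if not interchange.startswith("ISA") or len(interchange) < 106:
        raise ValueError("not an X12 interchange: fixed-width ISA header missing")
    elem_sep, seg_term = interchange[3], interchange[105]
    return [seg.split(elem_sep) for seg in interchange.split(seg_term) if seg.strip()]


def claim_from_837(segments):
    """Extract what the legacy system needs: subscriber NM1*IL (NM103 last name,
    NM104 first name, NM109 member ID) and CLM (CLM01 claim ID, CLM02 charge).
    Missing segments are an error, never defaulted."""
    subscriber = next((s for s in segments if s[0] == "NM1" and s[1:2] == ["IL"]), None)
    clm = next((s for s in segments if s[0] == "CLM"), None)
    if subscriber is None or len(subscriber) < 10 or clm is None or len(clm) < 3:
        raise ValueError("837 lacks a usable subscriber NM1*IL or CLM segment")
    return Claim(claim_id=clm[1], member_id=subscriber[9], last_name=subscriber[3],
                 first_name=subscriber[4], total_charge=Decimal(clm[2]))


def to_legacy_record(claim):
    """Wrap: render the claim in the old fixed-width layout. Over-long values are
    rejected rather than truncated, so an ID can never be silently clipped."""
    cents = claim.total_charge * 100
    if cents != cents.to_integral_value():
        raise ValueError(f"charge has sub-cent precision: {claim.total_charge}")
    values = {"rec_type": "CL", "member_id": claim.member_id,
              "last_name": claim.last_name, "first_name": claim.first_name,
              "claim_id": claim.claim_id, "charge_cents": str(int(cents)).rjust(10, "0")}
    out = []
    for field, width in LEGACY_CLAIM_LAYOUT:
        value = values[field]
        if len(value) > width or not value.isprintable():
            raise ValueError(f"{field} does not fit legacy width {width}: {value!r}")
        out.append(value.ljust(width))
    return "".join(out)


def to_835_clp(legacy_response, claim, elem_sep="*"):
    """Map: turn the hypothetical 'PA' (paid) legacy record into an 835 CLP segment:
    CLP01 claim ID, CLP02 status (1 = processed as primary), CLP03 charge, CLP04 paid."""
    if len(legacy_response) != 32 or legacy_response[:2] != "PA":
        raise ValueError(f"unexpected legacy response: {legacy_response!r}")
    claim_id = legacy_response[2:22].rstrip()
    paid = Decimal(int(legacy_response[22:32])) / 100
    if claim_id != claim.claim_id:
        raise ValueError("legacy response does not belong to the submitted claim")
    return elem_sep.join(["CLP", claim_id, "1", f"{claim.total_charge:.2f}", f"{paid:.2f}"])


def wrap_and_map(interchange, legacy_adjudicate):
    """New format in, old format to the legacy system, new format back out."""
    claim = claim_from_837(parse_x12(interchange))
    return to_835_clp(legacy_adjudicate(to_legacy_record(claim)), claim)


def fake_legacy_system(record):
    """Stand-in for the untouched legacy application: pays 80 percent of billed."""
    assert record[:2] == "CL" and len(record) == 79
    paid_cents = int(record[69:79]) * 80 // 100
    return "PA" + record[49:69] + str(paid_cents).rjust(10, "0")


if __name__ == "__main__":
    print(to_legacy_record(claim_from_837(parse_x12(SAMPLE_837))))
    print(wrap_and_map(SAMPLE_837, fake_legacy_system))  # CLP*CLAIM001*1*125.50*100.40
```

The mapper is the new trust boundary in a wrap-and-map design: the legacy system never sees the X12 and will not validate it, so every field-width, delimiter and identifier check has to live in the mapper, and a mismatch between what was sent and what came back (the claim ID check in to_835_clp) is treated as an error rather than passed through.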

53 A Framework Approach to HIPAA Readiness

54 Phase 1: Current Design - Functional Decomposition
"Framing Your Organization's Environment"
Sample functional areas and examples:
Processes: Membership and Enrollment; Claims Administration; Contract Management; Administration; Financial; Scheduling
Locations: Hospital; Outpatient Clinic; Off-site storage; Headquarters; Remote Sales office; Data Center
IT Environment: Wireless; WAN; LAN; Dial-up; Web servers; Workstations; Facilities; Databases
Applications: Laboratory; Radiology; Pharmacy; Order Entry; Nurse Management; Financial; Enrollment; Billing & A/R; Provider Management; Sales Management
Strategic Initiatives: Integrating the Healthcare Enterprise (IHE); Electronic Medical Records; Web-Enabling Clinical Applications; Electronic Data Interchange (EDI); Customer Relationship Management (CRM)

55 Phase 2: Requirements Interpretation – Develop Requirements Categories
"Logical Means of Grouping the Criteria to Measure Progress"
Policies and Standards: Policies include senior management's directives to create a computer security function, establish goals for the function, and assign responsibilities for the function. Standards include specific security rules for particular information systems and practices.
Procedures: Procedures include the activities and tasks that dictate how the policies or supporting standards will be implemented in the organization's environment.
Tools / Infrastructure: Tools or infrastructure include the elements that are necessary to support implementation of the requirements within the organization, such as process, organizational structure, network and system related controls, and logging and monitoring devices.
Operational: Operational includes all the activities and supporting processes associated with maintaining the solution or system and ensuring it is running as intended. Typically, an owner is assigned to manage the execution of the activities and supporting processes. Examples of activities and supporting processes include maintenance, configuration management, technical documentation, backups, software support and user support.

56 Phase 3: Gap Assessment – Determine Gaps
"Avoid the Road to Abilene by Getting Organizational Alignment"
Current State + HIPAA = Gap Analysis
Use the HIPAA Security Criteria (Phase 2) to assess the organization's current state
Determine the gaps between the current state and the requirements

57 Phase 4: Execution - Establish PMO
"HIPAA Readiness is NOT an IT Project"
PMO structure: HIPAA PMO Manager; Security HIPAA Project Manager; Privacy HIPAA Project Manager; TCI HIPAA Project Manager; other PMO staff
Establish priorities
Manage both organizational and internal HIPAA dependencies
Resolve project issues

58 Final HIPAA Rules To Come
Employer Identifier
Security
National Provider Identifier
Electronic Signature
Privacy modifications

59 This concludes the presentation.
Time for questions and comments.

