Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA -- A Primer for State Corrections CIOs

Similar presentations

Presentation on theme: "HIPAA -- A Primer for State Corrections CIOs"— Presentation transcript:

1 HIPAA -- A Primer for State Corrections CIOs
Scott McPherson Chief Information Officer, Florida Department of Corrections

2 What HIPAA is NOT….


4 OK, smart guy, I know what HIPAA isn’t. What is HIPAA ?

5 HIPAA is: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Signed into Law August 21, 1996 Administrative Simplification Subtitle Congress gave itself until 1999 to enact the legislation Failing that, they gave HHS the ability to promulgate rules That happened August 26, 1999, when Congress failed to enact privacy rules

6 HIPAA standards apply to covered entities:
Health plans Health care clearinghouses Health care providers that conduct designated transactions electronically AND to those who conduct business for them (Business Associates)

7 March, 2002 HIPAA’s reach is more encompassing than anyone in the states thought it would be when the U.S. Congress passed the law in 1996. HIPAA applies to every health care provider, health plan or clearinghouse — in short, nearly anyone who bills or pays for a health service. The only ones excused are those who do not transfer any information electronically. In effect, that means that HIPAA covers just about any public program or private company dealing with health records.

8 “There’s a tendency for those not really involved with HIPAA to look at it as a technology problem, as something like Y2K where you can just fix a database,” says W. Holt Anderson, executive director of the North Carolina Healthcare Information and Communications Alliance, known as NCHICA. “But technology is only 25 percent of the challenge. The rest is changing policies, cultures and business practices. HIPAA is a major shift in the way we do health care.”

9 Who is a Covered Entity? “A health care provider who transmits any health information in electronic form in connection with a transaction.” Providers get a choice; made by conducting electronic transactions (or getting a business associate to). “A health care clearinghouse.” clearinghouses get no choice. “A health plan.” Explicitly including government plans such as Medicaid & Medicare, VA, DoD, CHAMPUS, IHS, etc. Exceptions for some not primarily “health” plans. e.g., workers comp, property & casualty.

10 When Washington State did an analysis of which departments would fall under HIPAA, it found that, in addition to corrections and schools, the Department of Labor and Industries was involved. Although workers’ compensation programs are specifically excluded from HIPAA, the department has other programs that aren’t, such as a program on occupational safety and health and one that provides benefits to victims of crimes.           

11 On the government side, HIPAA clearly affects public hospitals, insurance programs for state and local employees and Medicaid. Less obviously, HIPAA extends to many agencies that one wouldn’t intuitively put in the health care column. Corrections departments, for instance, can fall under HIPAA, depending on who runs prison health services and how. Education systems are likely to be HIPAA-impacted since most schools deal with student health records, and should they so much as fax a student’s vaccination record, that would be an electronic transfer of health information.           

12 Covered Entities Required To:
Use HIPAA standards for designated transactions no later than appropriate compliance date via: internal systems changes clearinghouse compliant business associate Use appropriate code sets in transactions

13 3 Parts to Administrative Simplification
45 CFR Subtitle A, Subchapter C PART 160 – General Administrative Requirements Scope, common definitions, enforcement. PART 162 – Administrative Requirements Transaction, code set, [and identifier] standards. PART 164 – Security And Privacy Privacy [and security] rules.

14 Business Associates – Outsourced Medical Services?
Transactions Rule: 45 C.F.R (c): requires a “business associate” of a covered entity to comply with all applicable requirements Privacy Rule: (e) and (e): parallel provision for privacy requirements

15 HIPAA timeline Effective Mandatory Compliance (security) Assessments,
Strategic Planning Assumptions: Through 3Q03, 70 percent of healthcare payer organizations will not have achieved full compliance with the full set of final HIPAA standards for transactions, codes and identifiers (0.8 probability). Through 2003, healthcare payer organizations that have not achieved full compliance with the HIPAA transaction standards will not experience substantial economic consequences due to explicit government delays of the deadlines, slow enforcement or accepting fines as the cost of doing business (0.7 probability). Effective Mandatory Compliance (security) Assessments, No Later Than 4Q 04 Elections, Lobbying and Legislation? Mandatory Compliance: EDI Mandatory Compliance: Privacy October 2003 April 2003 Anticipated Final Rule: Security No Later Than 3Q02 Congress Delays EDI implementation one year (Dec. 2001) Final Rule: Privacy December 2000 Final Rule: EDI August 2000 Source: Gartner Research The Department of Health and Human Services (DHHS) has not yet published final rules on identifiers, claim attachments and report of first injury. As the healthcare industry fully analyzes the implementation guides and standards for the transactions that have been published, questions have arisen that must be answered prior to full implementation, and these answers have not yet been provided. The industry is just now understanding the remediation effort required to prepare for the standards. There is no guidance from the government with respect to the processes necessary for a full national implementation, and yet this requires a degree of coordination among independent entities that is unprecedented for government regulations. These issues together lead to the inescapable conclusion that the healthcare industry cannot meet the mandatory deadlines. There is precedent for an action by the government to delay the deadlines or delay enforcement. DHHS officials have already hinted that early enforcement may be directed at healthcare organizations (HCOs) that have blatantly ignored the regulations, rather than at those that are diligently working to comply but have not fully completed the tasks. Even if such delays are not forthcoming, large HCOs may consider unilateral delays for programs that are not paid with federal funds, regarding the maximum penalty of $25,000 per year, per standard as a cost of doing business. Ultimately, competitive pressures and the requirement for the cost savings will drive compliance, but HCOs have options to consider so that delays of up to a year will not have devastating consequences. 21 August 1996: HIPAA Enacted Copyright © 2001

16 So why should I care about HIPAA?
After all, I’m not a health care provider like other agencies are…

17 HIPAA and State Law Compliance: the Problem of the Lack of Federal Preemption
Clark Stanton Davis Wright Tremaine LLP

18 Preemption Preemption is the name we give to the theory under which the law at one level (federal, or even state) eliminates or controls the power of government at other levels (state and/or local) to regulate or pass laws in a particular area of activity.

19 Why Do We Care? Currently, each state has a complex array of laws that affect the privacy of medical information. Medical record confidentiality laws Public health reporting laws Special topics: mental health; HIV; genetic information Litigation related laws: physician-patient privilege; notice for subpoenas State constitutional privacy

20 Why Do We Care? Each state law concerning medical confidentiality has been crafted to provide privacy protections considered important to the people of that state. California HIV confidentiality law prevents disclosure of HIV test results and even the identity of persons tested for HIV California consumer notice law requires person seeking to subpoena medical information to give notice to subject of records prior to serving subpoena on third party

21 HIPAA Preemption Express Conflict based Exceptions Quirks Contrary
More stringent Exceptions Quirks More stringent state law undercut by “back door” provisions that bring HIPAA back in HIPAA 1178(a), 264(c)(2) Reg ff Excepted are-- state laws that the Secretary determines are necessary to prevent fraud and abuse, ensure appropriate State regulation of insurance and health plans, for State reporting on health care delivery, and other purposes for improving the health care delivery system state laws for public health reporting, surveillance, investigation or intervention state laws that address controlled substances HIPAA pre-empts only state laws that are designed to regulate the privacy of health information; not those that do so only incidentally

22 Privacy

23 When Can You Report? National security exception
Avert serious threats to health or public safety Law enforcement rules generally

24 National Security Exception
Section 512(k)(2) May disclose PHI “to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities” Those activities as defined in law -- what you expect as “intelligence”

25 Averting Serious Threats
Section 512(j) permits voluntary disclosure by a covered entity Must be “consistent with applicable law and standards of ethical conduct”

26 Averting Serious Threats
Option 1, can disclose where: “Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public”; and “Is to a person or persons reasonably able to prevent or lessen the threat”

27 Averting Serious Threats
Option 2, disclosure OK where: “Is necessary for law enforcement authorities to identify or apprehend an individual” “Because of a statement by an individual admitting participation in a violent crime that the covered entity reasonably believes may have caused serious physical harm to the victim” That is, confessions to violent crimes

28 General Law Enforcement
Sec. 512(f) generally requires “in response to law enforcement official’s request” Covered entity can’t volunteer the information, except where required by a reporting law or requested by law enforcement

29 General Law Enforcement
Court order, grand jury subpoena, administrative subpoena for full file To locate or identify a suspect, fugitive, material witness, or missing person: Name, SSN, limited other information

30 Greater Focus on Security
Less tolerance for hackers and other unauthorized use Cyber-security and the need to protect critical infrastructures Back-up needed in case of cyber-attack, attack on payments system, electricity grid, telephone system, or other systems you need

31 Security and Privacy Good data handling practices become more important -- good security protects PHI against unauthorized use Audit trails, accounting become more obviously desirable -- helps some HIPAA compliance Part of system upgrade for security will be system upgrade for other requirements, such as HIPAA privacy

32 Employee Data New exclusion from definition of PHI for
“Employment records held by a covered entity in its role as employer.” Limiting language in preamble. But the regulatory text is very broad -- those records are entirely outside of the rule.

33 Hybrid entities Current law: Proposal: Example:
If “primarily” a covered entity, then all your operations are covered. Proposal: Covered entity defines components that are covered Example: If no standard transactions, could a hospital web site be outside the rule? Sell all data?

34 Thanks to: Professor Peter Swire Ohio State University College of Law Director D.C. program Consultant, Morrison & Foerster, with focus on medical privacy Phone: (301) Web:

35 EDI (Electronic Data Interchange)

36 Transaction and Code Sets Standards
Final Regulation published in August, 2000 Original compliance date: October 16, 2002 Many sectors of health care requested additional time to build, test, and successfully implement the standards

37 Congress’ Response Administrative Simplification Compliance Act or ASCA (P.L ) Allows covered entities to request a one-year extension for transactions and code sets compliance Does not affect other HIPAA standards, e.g., privacy

38 ASCA Provisions Covered entities may receive a one-year extension (to 10/16/03) If they submit a compliance extension plan by 10/15/2002 NCVHS will study sample of plans to identify compliance barriers -- publish solutions

39 Compliance Extension Plan
Per ASCA, the plan must include a summary of: schedule for HIPAA implementation work plan and budget implementation strategy planned use of vendors time frame for testing (begin NLT 4/03)

40 How to Submit a Plan Electronically Via paper at
strongly suggested will receive confirmation number Via paper model form or other format

41 Who Should Submit a Plan
Covered entity that does not expect to be compliant by 10/16/02 Note: providers not conducting electronic transactions are not covered entities Exception: Small plans already have until 10/03 and cannot receive an extension

42 Medicaid Developed a HIPAA compliance “road map” for States
CD-based tool Provides gap analysis, resources Facilitating cooperative working relationships among States to identify issues

43 Conclusions Extension provides opportunity for higher quality, lower risk Don’t rush to submit a plan Establish a reasonable plan and stick to it Begin external testing as early as possible Use resources/information available through CMS, industry groups, associations and other partners

44 Covered Entity To Do List
Submit compliance plan if extension desired Work with IT staff and vendors Contact your business associates and trading partners Join WEDI/SNIP efforts Support SDOs Use the delay time to reach compliance

45 Security

46 Security Requirements
Covered Entities shall maintain reasonable and appropriate administrative, technical, and physical safeguards -- to ensure integrity and confidentiality to protect against reasonably anticipated threats or hazards to security or integrity unauthorized uses or disclosures taking into account technical capabilities costs, training, value of audit trails needs of small and rural providers

47 Security Issues Covers transmitted data plus data at rest.
Involves policies/procedures & contracts with business associates. For most security technology to work, behavioral safeguards must also be established and enforced. requires administration commitment and responsibility. Electronic signatures: Final rule will depend on industry progress on reaching consensus on a standard.

48 Enforcement Philosophy
Pre-emption of state law wherever feasible. not politically possible for privacy. Enforcement by investigating complaints. not HIPAA police force -- OCR not OIG. “The Secretary will, to the extent practicable, seek the cooperation of covered entities in obtaining compliance” The philosophy is to improve the health care system by helping entities comply, not by punishing unintentional mistakes.

49 Excuses from civil penalties (from law)
NONCOMPLIANCE NOT DISCOVERED the person did not know, and by exercising reasonable diligence would not have known. FAILURES DUE TO REASONABLE CAUSE. the failure was due to reasonable cause and not to willful neglect; and the failure is corrected within 30-days (which may be extended as determined appropriate by the Secretary based on the nature and extent of the failure to comply.) the failure was because the person was unable to comply REDUCTION If the failure is due to reasonable cause , any penalty may be waived …

50 Remediation, testing, implementation

51 ‘You Take the High Road; I’m Busy Fighting the Alligators’
Imperative: Incorporate tactical remediation activities into a plan that balances expedience against strategic benefits and composes a long-term strategy for the fundamental data model and process improvements necessary to be competitive. The high road: finally, a corporate data model HIPAA standards provide a rare opportunity to standardize data elements and codes Consolidate duplicate systems The adoption of Internet technologies Straight-through processing and reduced latency The low road: wrap, map and hack Minimize the renovation of transaction systems Eliminate impacts on downstream systems Ostensibly required by HIPAA deadlines Source: Gartner Research There are two approaches to HIPAA transaction compliance — tactical and strategic. Each provides a different ROI, with vastly different investments. The tactical approach focuses on the fastest and most cost-effective (in the short term) route to HIPAA transaction compliance. The solution includes a heavy reliance on translation and auditing tools, employing internal or outsourced clearinghouse mapping technologies. Few changes to the back-end processing environment or data model are planned. Although ROI results will be tangible, they are short-term only. As all healthcare organizations must comply with these standards, so there is no specific competitive advantage for minimal compliance. This approach does nothing to address current processing inefficiencies and costs, which include process inefficiencies such as dumping electronic transaction to paper and then rekeying them, poor internal data models, and continuing translation or clearinghouse vendor costs. The strategic approach focuses on improved data models and business processes that will better position the health plan to reap the administrative benefits and position HIPAA investments as the catalyst to better healthcare outcomes and new business opportunities. This will enable quicker adjudication, customer response, better reporting, improved successes with Internet initiatives and better use of data from external sources. By 2005, healthcare organizations that rely solely on tactical HIPAA remediation will lose market share because of process inefficiency and inflexibility (0.8 probability). Copyright © 2001

52 Remediation Approaches
Definition: “Wrap and map” remediation approaches use mapping software to transform data in the new format to look like the old format before presenting it to the application, and transform the output data from the old format to the new. Replace Renovate Old New Old Old Wrap and Map Wrap, Map and Hack 837 835 837 835 Mapper Mapper NSF Source: Gartner Research NSF NSF NSF There are four alternatives for remediation of an individual system: Replace the current system by acquiring a vendor solution that can process and produce the HIPAA solutions. When the time is available to select, acquire and implement a new system, this approach allows for substantial long-term efficiencies by replacing multiple separate applications that perform the same function with a single product that reduces the latency time for processing, upgrades the technology platform and provides a solid basis for future changes. Renovate the current system with a Y2K-like inspection of source code, repairing or replacing modules that deal with data elements and codes that are changed by the HIPAA standards. “Wrap and map” the old system by using software mapping tools or a clearinghouse to convert the HIPAA transactions to the old-style format, presenting the old-style format to the old system and translating the old-style output to the HIPAA response. Where feasible, this approach minimizes the short-term costs associated with HIPAA compliance. “Wrap, map, and hack” the old system, using the wrap-and-map technique to minimize the renovation that is required in the old system. Where a simple wrap-and-map solution is not feasible, this approach represents the minimal short-term costs. Old Old Copyright © 2001

53 A Framework Approach to HIPAA Readiness

54 Phase 1: Current Design - Functional Decomposition
“Framing Your Organization’s Environment” Sample Functional Areas Examples Processes Membership and Enrollment; Claims Administration; Contract Management; Administration; Financial; Scheduling Locations Hospital; Outpatient Clinic; Off-site storage; Headquarters; Remote Sales office; Data Center IT Environment Wireless; WAN; LAN; Dial-up; WebServers; Workstations; Facilities; Databases Applications Laboratory; Radiology; Pharmacy; Order Entry; Nurse Management; Financial; Enrollment; Billing & A/R; Provider Management; Sales Management Strategic Initiatives Integrating the Healthcare Enterprise (IHE); Electronic Medical Records; Web-Enabling Clinical Applications; Electronic Data Interchange (EDI); Customer Relationship Management (CRM)

55 Phase 2: Requirements Interpretation – Develop Reqt’s Categories
“Logical Means of Grouping the Criteria to Measure Progress” Category Description Policies and Standards Policies include senior management’s directives to create a computer security function, establish goals for the function, and assign responsibilities for the function. Standards include specific security rules for particular information systems and practices Procedures Procedures include the activities and tasks that dictate how the policies or supporting standards will be implemented in the organization’s environment Tools / Infrastructure Tools or infrastructure include the elements that are necessary to support implementation of the requirements within the organization such as process, organizational structure, network and system related controls, and logging and monitoring devices Operational Operational includes all the activities and supporting processes associated with maintaining the solution or system and ensuring it is running as intended. Typically, an owner is assigned to manage the execution of the activities and supporting processes. Examples of activities and supporting processes include maintenance, configuration management, technical documentation, backups, software support and user support

56 Phase 3: Gap Assessment – Determine Gaps
“ Avoid the Road to Abilene by Getting Organizational Alignment ” Current State + HIPAA Gap Analysis Use the HIPAA Security Criteria(Phase 2) to assess organization’s current state Determine gaps from the current state requirements

57 Phase 4: Execution - Establish PMO
“ HIPAA Readiness is NOT an IT Project ” HIPAA PMO Manager Security HIPAA Project Manager Privacy HIPAA Project Manager Other PMO Staff TCI HIPAA Project Manager Establish priorities Manage both organization and internal HIPAA dependencies Resolve project issues

58 Final HIPAA Rules To Come
Employer Identifier Security National Provider Identifier Electronic Signature Privacy modifications

59 This concludes the presentation.
Time for questions and comments.

Download ppt "HIPAA -- A Primer for State Corrections CIOs"

Similar presentations

Ads by Google