Presentation on theme: "HIPAA Administrative Simplification and Nebraska SNIP (Strategic National Implementation Process)"— Presentation transcript:
HIPAA Administrative Simplification and Nebraska SNIP (Strategic National Implementation Process)
HIPAA Law & Intent Who is affected Standards Current issues to track Implementation Process (SNIP) Additional resources
HIPAA Administrative Simplification Law Health Insurance Portability and Accountability Act of 1996 – HIPAA H.R. 3103 – Kasselbaum/Kennedy Bill Title II – Subtitle F – Administrative Simplification Signed into Law August 21, 1996 Public Law 104-191 Part C of Title XI of Social Security Act
Intent of HIPAA Reduce the costs and administrative burdens of healthcare with standardized, electronic transmission of many administrative and financial transactions. Protect the security and confidentiality of electronic health information. Enable individual to control own health information.
Who is affected by HIPAA? Providers Health Plans Employers acting as Self Insured Groups Payers Third Party Administrators Clearinghouses All trading partners of above
Transactions and Code Sets Standards Final Rule Published in August 17, 2000 Federal Register Compliance is required by October 16, 2002 (October 16, 2003 by small health plans) NDC code retraction On May 29, 2001, Tommy Thompson retracted the standard of using NDCs on institutional and professional claims.
Code sets Standards Service & Diagnosis Codes ICD-9-CM Volumes I, II & III CPT-4 HCPCS CDT NDC No Local Codes will be allowed
Information Between Health Plans Coordination of Benefits Claims Processing
Is a provider required to send claims electronically? No, but if you do, they have to be HIPAA compliant. You can use a clearinghouse to handle the translation of the data from your current form into HIPAA compliant.
Failure to Comply with Transactions Standards Penalty Jail Time Offense $100NoneSingle Violation of a provision Up to $25kNoneMultiple violations of an identical requirement or prohibition made during a calendar year
Privacy Standards Final Rule Published in December 28, 2000 Federal Register Compliance is required by April 14, 2003 (April 14, 2004 by small health plans) OCR issued guidance on July 6, 2001 Additional guidelines are expected
Privacy Summary of Privacy regulation: Consumer Control over Health Information Use and Disclosure Boundaries Ensure the Security of Protected Health Information Establish Accountability for Use and Release Balancing Public Responsibility with Privacy Protections Preserving Existing, Strong State Confidentiality Laws
Definitions Privacy is what happens to information after the appropriate person has it ( I only use the data for the agreed purpose) Confidentiality is the control of the information at all times, providing ‘need to know’ access to only those appropriate Security is the enforcement and protection afforded information under both conditions
Consumer Control over Health Information Notice of Privacy Practice Patient access to their health records and right to amend Patient consent before information is released Recourse if privacy protections are violated Accounting for release of health information
Use and Disclosure Boundaries Ensuring that health information is not used for non-health purposes Providing the minimum amount of information necessary
Ensure the Security of Protected Health Information Adopt written privacy procedures Train employees on privacy Designate a privacy officer
Establish Accountability for Protected Health Information Penalty Jail Time Offense Up to $50kUp to 1 yearWrongful disclosure of individually identifiable health information Up to $100kUp to 5 years Wrongful disclosure of individually identifiable health info committed under false pretenses Up to $250kUp to 10 years Wrongful disclosure of individually identifiable health information committed under false pretenses with intent to sell, transfer or use for commercial advantage, personal gain or malicious harm.
Balancing Public Responsibility with Privacy Protections In limited circumstances, the final rule permits, but does not require, covered entities to continue existing disclosures of health information for specific public responsibilities without individual authorization.
Preserving Existing, Strong State Confidentiality Laws National "floor" of privacy standards that protects all Americans, but in some states individuals enjoy additional protection. Stronger state laws (like those covering mental health, HIV infection, and AIDS information) continue to apply.
Security Standards Proposed Rule Published in August 12, 1998 Federal Register Final Rule expected this year
Security The security standard is a set of requirements with implementation features that providers, plans, and clearinghouses must include in their operations to assure that electronic health information pertaining to an individual remains secure. The standard does not reference or advocate specific technology. The standard does not address the extent to which a particular entity should implement the specific features. Individual security requirements and which technology to use is a business decision that each organization must make. HIPAA IS TECHNOLOGY NEUTRAL
Security Best Security is what we can do ourselves 75% of security breaches happen inside.
Technical Security Mechanisms In addition, if using a network for communications, the following implementation features would be in place: Alarm Audit trail Entity authentication Event reporting
Electronic Signature Digital Signature - Optional, but if used: Nonrepudiation User Authentication Message integrity
Unique Health Identifiers Provider Will not replace TIN Will eventually replace the UPIN Employer - Will be TIN Health Plan - may include Sub ID Patient - still under discussion
Status of Identifiers National Provider Proposed Rule Published in May 7, 1998 Federal Register National Employer Proposed Rule Published in June 16, 1998 Federal Register Final Rules???
Status of Identifiers Movement on this portion of HIPAA has not occurred Focus is on implementation of standards for data and on final privacy and security regulations
Current Issues To Track Federal legislation H.R. 1975 and S. 836 are in the House and Senate to delay HIPAA’s administrative simplification provisions. Some members of Congress are considering overturning the privacy rule Case constitutionally challenging HIPAA SC Medical Assoc, Physicians Care Network, LA State Medical Society vs. US Dept of Health and Human Services AAPS vs. US Dept of Health and Human Services
Current Issues To Track Final rule on health data security Due out this year – HHS must ensure the final security rule is compatible with the final privacy rule – published in late 2000 (and likely to undergo some changes) Additional Guidance on Privacy Standards Additional code changes as implementation progresses
Compliance with HIPAA Administrative Simplification Nebraska SNIP (Strategic National Implementation Process)
Why collaborate? Implementing HIPAA requires coordination and collaboration among trading partners There is no competitive advantage to be ‘HIPAA Ready’, if your trading partners aren’t ready Collaboration and coordination will limit costly implementation efforts Avoid the ‘re-inventing the wheel all over again’ syndrome
Why collaborate? Standards are dependant on consistent policies, practices and technology among business partners Actions of a business partner may generate liabilities for one’s own organization Sloppy planning and inefficient implementation will be costly to everyone
Key Elements for Collaborative Environment Trust Commitment Clear Vision
Trust Joint ownership Joint accountability No dominant player Balanced interests No hidden agendas Neutral meeting ground
Commitment NE Health and Human Services System Key providers Leading health plans/payers Trade associations & societies Key vendors
Clear Vision Use HIPAA as an opportunity to redesign business process Remember patient rights in process Improve efficiency of healthcare through information technology
Regional Approaches Implementation will occur locally Healthcare crosses local political and business boundaries National coordination and guidance will be exceedingly helpful
Nebraska SNIP Formation Blue Cross and Blue Shield of Nebraska Health Data Management Mutual of Omaha NE Assn of Hospitals and Health Systems NE Health and Human Services System NE Medical Association
Nebraska SNIP …is a collaborative healthcare industry-wide process resulting in the implementation of standards and furthering the development and implementation of future standards.
Nebraska SNIP Promote general healthcare industry readiness to implement HIPAA standards. Identify education and general awareness opportunities for the healthcare industry to utilize. Recommend an implementation time frame for each component of HIPAA for each stakeholder and identify the best migration paths for trading partners.
Nebraska SNIP Establish opportunities for collaboration, compile industry input, and document the industry “best practices”. Identify resolution or next steps where there are interpretation issues or ambiguities within HIPAA standards. Serve as a resource for the healthcare industry when resolving issues arising from HIPAA implementation.
Nebraska SNIP Approach Facilitate planning among: Providers Health Plans State Government Vendors Trade associations and professional societies playing a key role.
NE SNIP Steering Committee Goal: Develop overall strategy for addressing HIPAA compliance in an orderly & effective manner Defined Work Groups: Transactions, Codes and Identifiers Privacy Security Awareness, Education and Training
Transactions, Codes and Identifiers Work Group Goal: Develop consensus on sequence and timing for implementation of transactions & codes Activities Issue and publicize Target Date Guidelines Build critical mass of providers, health plans, clearinghouses, vendors and gov’t agencies for transaction testing
Privacy Work Group Goal: Understand impact of final regulations Activities: Develop working knowledge of Privacy regulations and impact Determine organization’s current level of HIPAA privacy compliance Develop gap analysis, checklists, and guidelines for policies & procedures to implement Privacy Standards
Security Work Group Goals: Understand HIPAA requirements for security of data and communications Activities: Investigate secure transaction & interoperability among trading partners Develop self-assessment checklist / tool to determine organization’s current level of HIPAA security compliance - gap analysis
Awareness, Education & Training Work Group Goals: Develop programs to share HIPAA information. Collaborate with professional groups and agencies to promote and deliver programs. Activities: Survey to determine awareness and readiness. Leverage current planned activity in NE Develop Nebraska SNIP communication and information sharing
Steering Committee Contacts Brenda Block Health Data Management Corp. 402-965-8158 firstname.lastname@example.org Kevin Conway NE Assn of Hospitals & Health Systems 402-458-4910, email@example.com NESNIPSTEERING@yahoogroups.com
Transactions, Code Sets & Identifiers Contacts Don Butler Blue Cross and Blue Shield of Nebraska 402-398-3843, firstname.lastname@example.org NESNIPTRANSACTIONS@yahoogroups.com NESNIPTRANSACTIONSemail@example.com
Privacy Contacts Lori Umberger, RN, BSN Creighton Cardiac Center 402-280-4603, firstname.lastname@example.org Kathleen Zeitz Methodist Health System 402-354-2174, email@example.com NESNIPPRIVACY@yahoogroups.com NESNIPPRIVACYfirstname.lastname@example.org
Security Contacts Susan Heider Regional West Medical Center 308-635-3711, email@example.com Sue Huenniger Mutual of Omaha 402-351-8622, firstname.lastname@example.org NESNIPSECURITY@yahoogroups.com NESNIPSECURITYemail@example.com
Awareness, Education and Training Contacts Brenda L. Block Health Data Management Corp. 402-965-8158, firstname.lastname@example.org Rick Hain BryanLGH Medical Center 402-481-8521, email@example.com NESNIPAWARENESS @yahoogroups.com NESNIPAWARENESS -firstname.lastname@example.org
Nebraska SNIP Activities First Meeting March 15, 2001 HIPAA background Other regional efforts NE SNIP mission NE SNIP organization Next NE SNIP Meeting September 18, 2001, Kearney Work Group and sub group meetings
Additional HIPAA Resources Health Insurance Portability and Accountability Act of 1996 Public law 104-191, 104th Congress, August 21, 1996 aspe.hhs.gov/admnsimp/pl104191.htm Department of Health and Human Services Administrative Simplification aspe.hhs.gov/admnsimp/index.htm Centers For Medicare and Medicaid Services (HCFA) www.hcfa.gov/hipaa/hipaahm.htm HCFA fact sheet on HIPAA’s provisions www.hcfa.gov/facts/f9702as.htm HIPAA Security Accreditation information www.ehnac.org/securityaccreditation/default.html
HIPAA Resources cont... Workgroup for Electronic Data Interchange www.wedi.org/ Washington Publishing Company ANSI, ASC and X12N HIPAA Implementation Guides www.wpc-edi.com/hipaa Data Interchange Standards Association (DISA) www.disa.org/ Designated Standard Maintenance Organization (DSMO) www.hipaa-dsmo.org ANSI X12 Committee www.x12.org
HIPAA Resources cont... HIPAA Comply - security and privacy compliance www.hipaacomply.com Welcome to HIPAA Directory.com www.hipaadirectory.com HHS Office of Civil Rights www.hhs.gov/ocr/hipaa/ Nebraska SNIP www.nesnip.org