Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA Administrative Simplification and Nebraska SNIP (Strategic National Implementation Process)

Similar presentations

Presentation on theme: "HIPAA Administrative Simplification and Nebraska SNIP (Strategic National Implementation Process)"— Presentation transcript:

1 HIPAA Administrative Simplification and Nebraska SNIP (Strategic National Implementation Process)

2 HIPAA  Law & Intent  Who is affected  Standards  Current issues to track  Implementation Process (SNIP)  Additional resources

3 HIPAA Administrative Simplification Law  Health Insurance Portability and Accountability Act of 1996 – HIPAA  H.R. 3103 – Kasselbaum/Kennedy Bill  Title II – Subtitle F – Administrative Simplification  Signed into Law August 21, 1996  Public Law 104-191  Part C of Title XI of Social Security Act

4 Intent of HIPAA  Reduce the costs and administrative burdens of healthcare with standardized, electronic transmission of many administrative and financial transactions.  Protect the security and confidentiality of electronic health information.  Enable individual to control own health information.

5 Who is affected by HIPAA?  Providers  Health Plans  Employers acting as Self Insured Groups  Payers  Third Party Administrators  Clearinghouses  All trading partners of above

6 HIPAA Standards  Transactions & Code Sets  Privacy  Security  Identifiers

7 Transactions and Code Sets Standards  Final Rule Published in August 17, 2000 Federal Register  Compliance is required by October 16, 2002 (October 16, 2003 by small health plans)  NDC code retraction  On May 29, 2001, Tommy Thompson retracted the standard of using NDCs on institutional and professional claims.

8 Transaction standards  Data Element  Required vs. Conditional  Formats  Codes  Values  Transaction Sets  X12 Version 4010  Claim - 837  Payment/Remit - 835  Claim Status - 276/277  Eligibility 270/271  Referral - 278  Enrollment & benefits Maintenance - 834  Premium Payments - 820  Claims Attachments - 275*  First Report of Injury - 148*  NCPDP  * expected later...

9 Code sets Standards  Service & Diagnosis Codes  ICD-9-CM Volumes I, II & III  CPT-4  HCPCS  CDT  NDC  No Local Codes will be allowed

10 Information Between Health Plans  Coordination of Benefits  Claims Processing

11 Is a provider required to send claims electronically?  No, but if you do, they have to be HIPAA compliant.  You can use a clearinghouse to handle the translation of the data from your current form into HIPAA compliant.

12 Failure to Comply with Transactions Standards Penalty Jail Time Offense $100NoneSingle Violation of a provision Up to $25kNoneMultiple violations of an identical requirement or prohibition made during a calendar year

13 Privacy Standards  Final Rule Published in December 28, 2000 Federal Register  Compliance is required by April 14, 2003 (April 14, 2004 by small health plans)  OCR issued guidance on July 6, 2001  Additional guidelines are expected

14 Privacy Summary of Privacy regulation:  Consumer Control over Health Information  Use and Disclosure Boundaries  Ensure the Security of Protected Health Information  Establish Accountability for Use and Release  Balancing Public Responsibility with Privacy Protections  Preserving Existing, Strong State Confidentiality Laws

15 Definitions  Privacy is what happens to information after the appropriate person has it ( I only use the data for the agreed purpose)  Confidentiality is the control of the information at all times, providing ‘need to know’ access to only those appropriate  Security is the enforcement and protection afforded information under both conditions

16 Consumer Control over Health Information  Notice of Privacy Practice  Patient access to their health records and right to amend  Patient consent before information is released  Recourse if privacy protections are violated  Accounting for release of health information

17 Use and Disclosure Boundaries  Ensuring that health information is not used for non-health purposes  Providing the minimum amount of information necessary

18 Ensure the Security of Protected Health Information  Adopt written privacy procedures  Train employees on privacy  Designate a privacy officer

19 Establish Accountability for Protected Health Information Penalty Jail Time Offense Up to $50kUp to 1 yearWrongful disclosure of individually identifiable health information Up to $100kUp to 5 years Wrongful disclosure of individually identifiable health info committed under false pretenses Up to $250kUp to 10 years Wrongful disclosure of individually identifiable health information committed under false pretenses with intent to sell, transfer or use for commercial advantage, personal gain or malicious harm.

20 Balancing Public Responsibility with Privacy Protections  In limited circumstances, the final rule permits, but does not require, covered entities to continue existing disclosures of health information for specific public responsibilities without individual authorization.

21 Preserving Existing, Strong State Confidentiality Laws  National "floor" of privacy standards that protects all Americans, but in some states individuals enjoy additional protection.  Stronger state laws (like those covering mental health, HIV infection, and AIDS information) continue to apply.

22 Security Standards  Proposed Rule Published in August 12, 1998 Federal Register  Final Rule expected this year

23 Security  The security standard is a set of requirements with implementation features that providers, plans, and clearinghouses must include in their operations to assure that electronic health information pertaining to an individual remains secure.  The standard does not reference or advocate specific technology.  The standard does not address the extent to which a particular entity should implement the specific features.  Individual security requirements and which technology to use is a business decision that each organization must make. HIPAA IS TECHNOLOGY NEUTRAL

24 Security  Best Security is what we can do ourselves  75% of security breaches happen inside.

25 Security  Administrative Procedures  Physical Safeguards  Technical Data Security  Technical Security Mechanisms

26 Administrative Procedures  Certification  Chain of Trust agreement  Contingency Plan  Formal Mechanism for Processing Records  Information Access Control  Internal Audit

27 Administrative Procedures  Personnel Security  Security Configuration Management  Security Incident Procedures  Security Management Process  Termination Procedures  Training

28 Physical Safeguards  Assigned Security Responsibility  Media Controls  Physical Access Controls  Policy/Guideline on Workstation Use  Secure Workstation Location  Security Awareness Training

29 Technical Data Security  Access Control  Audit Controls  Authorization Controls  Data Authentication  Entity Authentication

30 Technical Security Mechanisms  Integrity controls  Message authentication  Access controls or Encryption  Entity authentication  Event reporting

31 Technical Security Mechanisms  In addition, if using a network for communications, the following implementation features would be in place:  Alarm  Audit trail  Entity authentication  Event reporting

32 Electronic Signature  Digital Signature -  Optional, but if used: Nonrepudiation User Authentication Message integrity

33 Unique Health Identifiers  Provider  Will not replace TIN  Will eventually replace the UPIN  Employer - Will be TIN  Health Plan - may include Sub ID  Patient - still under discussion

34 Status of Identifiers  National Provider Proposed Rule Published in May 7, 1998 Federal Register  National Employer Proposed Rule Published in June 16, 1998 Federal Register  Final Rules???

35 Status of Identifiers  Movement on this portion of HIPAA has not occurred  Focus is on implementation of standards for data and on final privacy and security regulations

36 Current Issues To Track  Federal legislation  H.R. 1975 and S. 836 are in the House and Senate to delay HIPAA’s administrative simplification provisions.  Some members of Congress are considering overturning the privacy rule  Case constitutionally challenging HIPAA  SC Medical Assoc, Physicians Care Network, LA State Medical Society vs. US Dept of Health and Human Services  AAPS vs. US Dept of Health and Human Services

37 Current Issues To Track  Final rule on health data security  Due out this year – HHS must ensure the final security rule is compatible with the final privacy rule – published in late 2000 (and likely to undergo some changes)  Additional Guidance on Privacy Standards  Additional code changes as implementation progresses

38 NOW WHAT??? Where do I go from here ???

39 Compliance with HIPAA Administrative Simplification Nebraska SNIP (Strategic National Implementation Process)

40 Why collaborate?  Implementing HIPAA requires coordination and collaboration among trading partners  There is no competitive advantage to be ‘HIPAA Ready’, if your trading partners aren’t ready  Collaboration and coordination will limit costly implementation efforts  Avoid the ‘re-inventing the wheel all over again’ syndrome

41 Why collaborate?  Standards are dependant on consistent policies, practices and technology among business partners  Actions of a business partner may generate liabilities for one’s own organization  Sloppy planning and inefficient implementation will be costly to everyone

42 Key Elements for Collaborative Environment  Trust  Commitment  Clear Vision

43 Trust  Joint ownership  Joint accountability  No dominant player  Balanced interests  No hidden agendas  Neutral meeting ground

44 Commitment  NE Health and Human Services System  Key providers  Leading health plans/payers  Trade associations & societies  Key vendors

45 Clear Vision  Use HIPAA as an opportunity to redesign business process  Remember patient rights in process  Improve efficiency of healthcare through information technology

46 Regional Approaches  Implementation will occur locally  Healthcare crosses local political and business boundaries  National coordination and guidance will be exceedingly helpful

47 Nebraska SNIP Formation  Blue Cross and Blue Shield of Nebraska  Health Data Management  Mutual of Omaha  NE Assn of Hospitals and Health Systems  NE Health and Human Services System  NE Medical Association

48 Nebraska SNIP …is a collaborative healthcare industry-wide process resulting in the implementation of standards and furthering the development and implementation of future standards.

49 Nebraska SNIP  Promote general healthcare industry readiness to implement HIPAA standards.  Identify education and general awareness opportunities for the healthcare industry to utilize.  Recommend an implementation time frame for each component of HIPAA for each stakeholder and identify the best migration paths for trading partners.

50 Nebraska SNIP  Establish opportunities for collaboration, compile industry input, and document the industry “best practices”.  Identify resolution or next steps where there are interpretation issues or ambiguities within HIPAA standards.  Serve as a resource for the healthcare industry when resolving issues arising from HIPAA implementation.

51 Nebraska SNIP Approach  Facilitate planning among:  Providers  Health Plans  State Government  Vendors  Trade associations and professional societies playing a key role.

52 NE SNIP Steering Committee  Goal: Develop overall strategy for addressing HIPAA compliance in an orderly & effective manner  Defined Work Groups:  Transactions, Codes and Identifiers  Privacy  Security  Awareness, Education and Training

53 Transactions, Codes and Identifiers Work Group  Goal: Develop consensus on sequence and timing for implementation of transactions & codes  Activities  Issue and publicize Target Date Guidelines  Build critical mass of providers, health plans, clearinghouses, vendors and gov’t agencies for transaction testing

54 Privacy Work Group  Goal: Understand impact of final regulations  Activities:  Develop working knowledge of Privacy regulations and impact  Determine organization’s current level of HIPAA privacy compliance  Develop gap analysis, checklists, and guidelines for policies & procedures to implement Privacy Standards

55 Security Work Group  Goals: Understand HIPAA requirements for security of data and communications  Activities:  Investigate secure transaction & interoperability among trading partners  Develop self-assessment checklist / tool to determine organization’s current level of HIPAA security compliance - gap analysis

56 Awareness, Education & Training Work Group  Goals:  Develop programs to share HIPAA information.  Collaborate with professional groups and agencies to promote and deliver programs.  Activities:  Survey to determine awareness and readiness.  Leverage current planned activity in NE  Develop Nebraska SNIP communication and information sharing

57 Steering Committee Contacts Brenda Block Health Data Management Corp. 402-965-8158 Kevin Conway NE Assn of Hospitals & Health Systems 402-458-4910,

58 Transactions, Code Sets & Identifiers Contacts Don Butler Blue Cross and Blue Shield of Nebraska 402-398-3843,

59 Privacy Contacts Lori Umberger, RN, BSN Creighton Cardiac Center 402-280-4603, Kathleen Zeitz Methodist Health System 402-354-2174,

60 Security Contacts Susan Heider Regional West Medical Center 308-635-3711, Sue Huenniger Mutual of Omaha 402-351-8622,

61 Awareness, Education and Training Contacts Brenda L. Block Health Data Management Corp. 402-965-8158, Rick Hain BryanLGH Medical Center 402-481-8521, NESNIPAWARENESS NESNIPAWARENESS

62 Nebraska SNIP Activities  First Meeting March 15, 2001  HIPAA background  Other regional efforts  NE SNIP mission  NE SNIP organization  Next NE SNIP Meeting September 18, 2001, Kearney  Work Group and sub group meetings

63 Additional HIPAA Resources  Health Insurance Portability and Accountability Act of 1996 Public law 104-191, 104th Congress, August 21, 1996   Department of Health and Human Services Administrative Simplification   Centers For Medicare and Medicaid Services (HCFA)  HCFA fact sheet on HIPAA’s provisions   HIPAA Security Accreditation information 

64 HIPAA Resources cont...  Workgroup for Electronic Data Interchange   Washington Publishing Company ANSI, ASC and X12N HIPAA Implementation Guides   Data Interchange Standards Association (DISA)   Designated Standard Maintenance Organization (DSMO)   ANSI X12 Committee 

65 HIPAA Resources cont...  HIPAA Comply - security and privacy compliance   Welcome to HIPAA   HHS Office of Civil Rights   Nebraska SNIP 

Download ppt "HIPAA Administrative Simplification and Nebraska SNIP (Strategic National Implementation Process)"

Similar presentations

Ads by Google