Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA: Where Are We and Where Are We Going?? A Survey of the Current HIPAA Landscape Gail Edson Halterman Lathrop & Gage L.C. HCCA Region VII Conference.

Similar presentations

Presentation on theme: "HIPAA: Where Are We and Where Are We Going?? A Survey of the Current HIPAA Landscape Gail Edson Halterman Lathrop & Gage L.C. HCCA Region VII Conference."— Presentation transcript:


2 HIPAA: Where Are We and Where Are We Going?? A Survey of the Current HIPAA Landscape Gail Edson Halterman Lathrop & Gage L.C. HCCA Region VII Conference August 1, 2003

3 ► We have had:  109 Days of Privacy ► We have:  74 Days Until Standard Transactions and Medicare’s Required Electronic Claims Submission (October 16, 2003)  624 Days to Get Secure (April 21, 2005)

4 PRIVACY: Where are We? ► April 14, 2003: The ENFORCEMENT Date  The Office of Civil Rights (OCR) is the ENFORCER  OCR has received several hundred complaints ► Some Complaints were not properly filed ► Continual re-emphasis that OCR is the kinder, gentler enforcement agency  No indication by OCR that Penalties have been imposed

5 PRIVACY: COMPLAINTS ► March 20, 2003 – HHS Issues Complaint Process in the Federal Register ► Complaints must:  Be filed in writing, either on paper or electronically (OCR Form recommended)  Name the entity that is the subject of the complaint and describe the acts or omissions in violation of the statute or regulations;  Be filed within 180 days when the complainant knew or should have known that the act or omission occurred;  Relate to violations that occurred AFTER April 14, 2003

6 PRIVACY: COMPLAINTS ► Complaints can be made by anyone – the regulations do not specify that it must be the subject of the information ► Complaints must be mailed, faxed or emailed to the OCR regional office in which the covered entity is located ► Region VII (IA, KS, MO or NE): OCR, 601 E 12 th Street, KC, MO 64106 (816) 426-7278, fax: (816) 426-3686 or

7 PRIVACY: Enforcement ► General Approach to enforcement:  HHS “intends to seek and promote voluntary compliance with the rules promulgated to carry out the HIPAA Provisions.”  OCR “will seek the cooperation of covered entities in obtaining compliance...[and] will seek to resolve matters by informal means before issuing findings of non-compliance.  CMS “Enforcement Activities will focus on obtaining voluntary compliance through technical assistance. The process will be primarily complaint driven and will consist of progressive steps that will provide opportunities to demonstrate compliance or submit a corrective action plan.”

8 Enforcement ► Violations:  Civil Penalties – ► up to $100 per violation, not to exceed $25,000 per year ► Defenses - no willfulness involvement; organization exercised reasonable diligence

9 Enforcement  Criminal Penalties ► applies in knowing violations of regulations ► Can be subject to fines of not more than $50,000 or jail time of not more than 1 year or both ► If the offense is committed under false pretenses, can be subject to fines of not more than $100,000 or imprisoned for not more than 5 years or both ► If the offense involves the intent to sell or transfer PHI for commercial gain or malicious harm, can be subject to fines of not more than $250,000 or jail time of 10 years or both.

10 PRIVACY: Enforcement ► Interim Rules related to civil money penalties (CMPs) issued April 17, 2003 ► Enforcement Regulations are applicable to investigations, imposition of penalties and hearings conducted as a result of proposed CMPs. ► Not a lot of new information ► Waiting for more!

11 PRIVACY: Enforcement ► Requires HHS to provide written notice to Covered Entity of proposed penalty ► Notice must contain:  A description of the findings of fact  Reasons why the penalty is being proposed  Instructions for response to the Notice, including the right to request a hearing

12 PRIVACY: Enforcement ► If a hearing is requested, it is heard before an administrative judge. ► The request for hearing must meet certain specifications ► Secretary of HHS has authority to settle disputes

13 PRIVACY: Enforcement ► What We Know  CMPs only for Knowing Violations  CMPs can be reduced or waived  6 year statute of limitations on violations for CMP purposes  Due process issues exist in current rule ► What We Don’t Know  Does a HIPAA violation have an impact on compliance with Medicare Conditions of Participation?  Details of how CMPs will be determined

14 PRIVACY: Certification of Business Associates ► Joint Commission on Accreditation of Health Care Organizations (JCAHO) and the National Committee or Quality Assurance (NCQA) will be certifying business associates ► 8 Organizations have committed to seeking certification ► Any type of BA is eligible for certification ► Once certification application is submitted, a survey of practices is conducted to see compliance with JCAHO and NCQA standards

15 PRIVACY: Certification ► Standards for Certification of Business Associates issued and are intended to address:  Privacy protections the business associate uses for oral, written and electronic health information  Employee training in protecting PHI  Consumer access to health information held by the business associate  Contracting between covered entities and the business associate ► Standards were not available at the time of presentation material deadline

16 PRIVACY: IMPLEMENTATION QUESTIONS ► Biggest areas of questions/concerns thus far:  BUSINESS ASSOCIATES ► Are they or aren’t they? ► Remember “extension” deadline for all contracts is April 14, 2004  RESEARCH ► When can we use PHI for Reviews Preparatory to Research  RESPONDING TO SUBPOENAS  ACCOUNTING OF DISCLOSURES  LAW ENFORCEMENT COMMUNICATIONS

17 BUSINESS ASSOCIATES ► No need for Business Associate Agreement in TREATMENT situations ► COVERED ENTITY has the obligation to obtain the Business Associate Agreement ► TWO PART TEST:  Do they perform a service or function on behalf of a COVERED ENTITY?  Do they receive PHI in doing so?

18 REVIEWS PREPARATORY TO RESEARCH REVIEWS PREPARATORY TO RESEARCH ► A covered entity can use or disclose PHI to a researcher IF the researcher represents:  The use or disclosure is requested solely to review PHI as necessary to prepare a research protocol or for a similar purpose;  The PHI will not be removed from the covered entity in the course of the review (including notes of the researcher); and  The PHI requested is necessary for the researcher

19 RESPONDING TO SUBPOENAS ► Generally – No disclosure pursuant to a subpoena UNLESS:  Qualified Protective Order  Written assurances from party seeking the information: ► Of a good faith attempt to provide notice to the subject and no objection was made; or ► That a request for a Qualified Protective Order has been submitted to the Court. ► Workers Compensation  If state law allows party issued subpoenas – may disclose PHI pursuant to subpoena

20 ACCOUNTING FOR DISCLOSURES ► Right to an Accounting  patient may request accounting of uses and disclosures made within the last 6 years (beginning 4/14/03).  An Accounting must be given within 60 days of request.

21 Disclosures NOT included in Accounting ► Disclosures made for TPO ► Disclosures for which there has been an opportunity to object (as permitted) ► Disclosures made incidental to permissible disclosures ► Disclosures made pursuant to an authorization

22 Disclosures NOT included in Accounting ► Disclosures for national security or intelligence purposes ► Disclosures made to correctional institutions and law enforcement officials ► Disclosures made as part of a limited data set ► Disclosures that occurred prior to 4/14/03

23 So What Must Be Included in an Accounting?! ► Uses or Disclosures made by mistake (i.e. violations) ► Most of the PERMITTED uses and disclosures:  Except for disclosures made: ► For National Security or Intelligence Purposes ► To Law Enforcement ► To Correctional Facilities

24 So What Must Be Included in an Accounting?! ► PERMITTED DISCLOSURES = all other disclosures (not included in an exception above) listed in 45 CFR § 164.512

25 LAW ENFORCEMENT COMMUNICATIONS ► Can Provide PHI to Law Enforcement IF:  Required by Law to Do So (e.g. reporting gunshot wounds)  In compliance with court, grand jury or administrative agency- ordered warrant or subpoena or request  Limited info for identification and location purposes (suspect, fugitive, material witness or missing person)  Victim of a Crime and individual agrees or it is in the best interest of the individual  For purposes of alerting to the death of individual if death resulted from crime  Reporting a crime on the premises  Reporting crime in emergencies


27 Transactions and Code Sets A Quick Overview ► The Standards regulate the transmission of electronic data and require standard formatting for the transmissions. ► Accredited Standards Committee’s Insurance Subcommittee (ANSI X12N): define how electronic data is to be structured to accurately and consistently represent data contained in paper based documents.

28 Transactions and Code Sets ► Any time you are engaging in these 8 activities electronically (or someone is on your behalf) you must comply. ► 8 Standard Transactions  health care claims or equivalent encounter information (including Medicaid claims) (837);  eligibility for a health plan (270/271);  referral certification or authorization (278);  health care claim status (276/277);

29 Transactions and Code Sets ► 8 Standard Transactions (con’t):  enrollment and disenrollment in a health plan (834);  health care payment and remittance advice (835);  health plan premium payments (820); and  coordination of benefits (837)

30 Code Sets Required ► Current Procedure Terminology (CPT-4)  For Physician and other related services ► International Classification of Diseases, Clinical Modification (ICD-9-CM)  For diagnosis and inpatient hospital services ► HCFA Common Procedure Coding Systems (HCPCS)  For physician and other related services ► Code on Dental Procedures and Nomenclature (CDT-2)  For dental services ► NCPDP OR NDC  For Retail Drug Claims

31 Code Sets Indirectly Recognized ► UB-92 ► HCFA 1500 ► Non-medical codes (revenue codes, etc.)

32 Electronic Transactions ► After October 16, 2003, Medicare will no longer accept paper claims (some exceptions apply) ► Likely Medicaid and Private Payors will follow!

33 Implementation Guides ► What are they?  Format: how information should be arranged  Content: what information should be included  Code Sets: how information should be reported  Order or Download from: ► ► Many, many pages (For example: Implementation Guide for 837 Professional Claims is 768 pages)

34 TRANSACTIONS & CODE SETS ► 74 days until the “TRAIN WRECK” ► AHA and other associations have great concern about the ability to go about our business on and after October 16, 2003 and have urged Congress to consider another extension, or at least remedial efforts to address payment issues ► National Committee on Vital and Health Statistics recommends no delay but “flexible enforcement” ► Where are you in your readiness?

35 RESOURCES ► Resource: Strategic National Implementation Process: SNIP  (National)  (Missouri)  (Kansas)  (Iowa)  (Nebraska)


37 SECURITY: The New Kid On the Block ► Enforcement Date: April 21, 2005 ► Requires physical, administrative and technical safeguards be in place to protect ELECTRONIC PHI (EPHI) ► HOWEVER – Privacy Rule requires that covered entities have physical, administrative and technical safeguards in place to protect PHI in any form or medium

38 SECURITY ► No answer from HHS as to whether standards for security will be required for privacy RIGHT NOW.

39 Intent of the Security Rule ► Ensure confidentiality, integrity and availability of all electronic PHI ► Protect against reasonably anticipated threats or hazards ► Protect against any reasonably anticipated use or disclosure not required or permitted by the Privacy Rule

40 Intent of Security Rule ► Use any security measure deemed appropriate by the entity to reasonably implement the Security standards – Each entity MUST make documented security implementation decisions that take into account its  Risk analysis  Structure, etc.  Cost  Technical capabilities

41 Security Regulations Overview ► Requires Standards and Implementation Specifications for:  Administrative Safeguards  Physical Safeguards  Technical Safeguards

42 Security Regulations Overview ► All standards are required (18) ► Some implementation specifications are required, some are merely “addressable” (i.e. suggested) ► “Addressable” should allow for flexibility ► There is no distinction between data at rest and data in transmission

43 Security Regulations Overview ► Paper-to-paper faxes, person-to-person telephone calls, video teleconferencing, or messages left on voicemail are not covered by the Security Regulations

44 Standards: Administrative Safeguards ► Standard: A covered entity must implement policies and procedures to prevent, detect, contain and correct security violations ► REQUIRED Implementation:  Risk Analysis  Risk Management  Sanctions Policy  Information System Activity Review (i.e. internal audit)

45 Standards: Administrative Safeguards ► Standard: Assign Security Responsibility ► REQUIRED Implementation: Identify the security official who is responsible for the security practices

46 Standards: Administrative Safeguards ► Standard: Workforce Security  Implement policies and procedures to ensure workforce has appropriate access ► ADDRESSABLE Implementation:  Authorization and/or supervision  Workforce clearance  Termination procedures (when employees exit)

47 Standards: Administrative Safeguards ► Standard: Information Access Management  Implement policies and procedures for authorizing access consistent with the Privacy Rule ► REQUIRED Implementation:  Isolating health care clearinghouse functions ► ADDRESSABLE Implementation:  Access authorization  Access establishment and modification

48 Standards: Administrative Safeguards ► Standard: Security Awareness and Training  Implement security awareness training program for all members of the workforce (including management) ► ADDRESSABLE Implementation:  Security Reminders  Protection from Malicious Software  Log-in Monitoring  Password Management

49 Standards: Administrative Safeguards ► Standard: Security Incident Procedures  Implement policies and procedures to address security incidents ► REQUIRED Implementation:  Response and Reporting (instructions for reporting and responding to security breaches and documentation of security incidents and their outcomes)

50 Standards: Administrative Safeguards ► Standard: Contingency Plan  Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence that damages systems that contains PHI ► REQUIRED Implementation:  Data Backup Plan  Disaster Recovery, Emergency Mode Operations Plan ► ADDRESSABLE Implementation:  Testing and Revision Procedures  Applications and Data Criticality Analysis

51 Standards: Administrative Safeguards ► Standard: Evaluation  Perform periodic technical and non- technical evaluation in response to environmental or operational changes ► No Implementation Specifications, but examples include:  Updating software  Evaluating performance of system and make necessary adjustments

52 Standards: Administrative Safeguards ► Business Associate Contracts  No more “Chain of Trust”  Satisfactory Assurances that business associate will appropriately safeguard information ► REQUIRED Implementation:  Written Contract ► Ensure security is also covered in privacy Business Associate Agreement

53 Standards: Physical Safeguards ► Standard: Facility Access Control  Implement policies and procedures to limit physical access to electronic information ► ADDRESSABLE Implementation:  Contingency Operations  Facility Security Plan  Access control and validation  Maintenance Records

54 Standards: Physical Safeguards ► Standard: Workstation Use  Implement policies and procedures that specify functions, physical attributes of surroundings and manner in which functions performed ► No Implementation Specifications, but examples include:  Moving screens away from common areas, etc.

55 Standards: Physical Safeguards ► Standard: Workstation Security  Safeguards for access ► No Implementation Specifications, but examples include:  Restricting Access to authorized users  Using Password protections, etc.

56 Standards: Physical Safeguards ► Standard: Device and Media Controls  Govern the receipt and removal of hardware and electronic media into and out of facility, and movement within facility ► REQUIRED Implementation:  Disposal (where do your hard drives go?)  Media re-use ► ADDRESSABLE Implementation:  Accountability  Data backup and storage

57 Standards: Technical Safeguards ► Standard: Access Control  Technical safeguards to limit access ► REQUIRED Implementation:  Unique User Identification  Emergency Access Procedures ► ADDRESSABLE Implementation:  Automatic Logoff  Encryption and Decryption

58 Standards: Technical Safeguards ► Standard: Audit Controls  Implement mechanisms that record and examine activity in information systems ► No Implementation Specifications, but examples include  Using network intrusion detection  Performing system wide evaluation

59 General Safeguards ► Standard: Draft Policies and Procedures ► Standard: Documentation ► REQUIRED Implementation:  Record retention of policies and procedures – at least 6 years  Availability  Updates

60 Standards: Technical Safeguards ► Standard: Integrity  Implement safeguards to protect electronic PHI from improper alteration or destruction ► ADDRESSABLE Implementation:  Mechanisms that corroborate that information has not been altered or destroyed

61 Standards: Technical Safeguards ► Standard: Person or Entity Authentication No Implementation Specifications, but examples include: Verifying that persons or entities seeking access are the ones claimed

62 Standards: Technical Safeguards ► Standard: Transmission Security  Implement technical security measures to guard against unauthorized access transmitted over an electronic communications network ► ADDRESSABLE Implementation:  Integrity Controls  Encryption

63 GET STARTED ► SECURITY RISK ANALYSIS  Identify potential threats to the organization  Evaluate the likelihood that the threat will occur  Estimate the harm from such an occurrence  Determine whether planned or existing controls exist to reduce or eliminate the risk

64 Contact Information Gail Edson Halterman Lathrop & Gage L.C. 2345 Grand Boulevard, Suite 2400 Kansas City, Missouri 64108 816.460.5404 816.292.2001 (fax)

Download ppt "HIPAA: Where Are We and Where Are We Going?? A Survey of the Current HIPAA Landscape Gail Edson Halterman Lathrop & Gage L.C. HCCA Region VII Conference."

Similar presentations

Ads by Google