An Overview of HIPAA
Health Insurance Portability and Accountability Act – 1996
Rosie Callender, RHIA
HIPAA Project Manager, Morehouse School of Medicine Compliance Office
TOPICS COVERED:
What is HIPAA?
HIPAA Overview
Title II – Administrative Simplification Provisions
HIPAA Objectives
Who Must Comply with HIPAA – “Covered Entities”
Penalties for Non-compliance / Enforcement Agency
What Information Is Protected by HIPAA
Permitted Uses and Disclosures
HIPAA Privacy Rule – Key Elements
WHAT IS HIPAA?
Health Insurance Portability and Accountability Act of 1996
HIPAA OVERVIEW
The Health Insurance Portability and Accountability Act (HIPAA) branches into Insurance Reform (Portability) and Administrative Simplification (Accountability).
Administrative Simplification rules and dates:
Transactions and Code Sets – compliance by 10/16/03
National Provider Identifiers – published 1/23/04, effective 5/23/05, compliance by 5/23/07
Privacy – compliance date 4/14/2003
Security – final regulations published 2/20/03, compliance date 4/20/2005
TITLE II – ADMINISTRATIVE SIMPLIFICATION PROVISIONS
HIPAA Objectives
Insurance portability and continuity – protect the insurability of individuals
Accountability – reduce the potential for waste, fraud and abuse
Administrative Simplification – apply uniform standards to electronic data transactions in a confidential and secure environment
Expected Results of Administrative Simplification
Reduce handling and processing time
Eliminate the risk of lost paper documents
Eliminate the inefficiencies of handling paper documents
Improve overall data quality / fewer errors
Decrease administrative costs
Increase faith in the protection of patients’ personal health information
Thus, improve the quality of patient care!
What is HIPAA?
HIPAA = Health Insurance Portability and Accountability Act, a federal law created in 1996.
H = Health, I = Insurance, P = Portability and A = Accountability, A = Act
HIPAA Administrative Simplification comprises: Electronic Transactions, Code Sets, Unique Identifiers, Privacy, Security
WHY HIPAA?
Headlines of the day: “Healthcare Fraud and Abuse on the Rise”, “Healthcare Costs Out of Control”, “Patient Records Found on Street”, “Hospital Security Breach”, “Temp Dump Medical Records”
Who must comply with HIPAA – “COVERED ENTITIES”
Health care providers that transmit or maintain patient-identifiable information
Health plans that provide or pay the cost of medical care, including Medicare and Medicaid
Health care clearinghouses that process data elements or transactions
Employees (indirectly)
Covered Entity
Provides health care
Conducts one or more standard HIPAA transactions
Transmits or receives standard transactions in electronic form, or has them performed through a Business Associate
HIPAA Privacy Rule – Key Elements: Business Associates (BA)
A person or entity that, on behalf of a Covered Entity (CE), accesses and uses PHI to perform, or assist in the performance of, a function or activity for the CE. Does not include a member of the workforce or volunteers.
Business Associate Agreement:
Must have a contract requiring the BA to keep PHI safeguarded
Contract must have the required elements described in the regulations
Must include other HIPAA-related risk/liability
Does not apply to disclosure of PHI to providers for treatment
If the CE becomes aware of a violation by the BA and fails to act, it can be penalized
Existing contracts will not have to be compliant until 4/14/2004
HIPAA ELECTRONIC TRANSACTIONS
An entity is regulated by the Privacy Rule as a Covered Entity if it does any of the following electronically:
1. Claims or equivalent encounter information
2. Payment and remittance advice
3. Claim status inquiry and response
4. Eligibility inquiry and response
5. Referral certification and authorization inquiry and response
6. Enrollment and disenrollment in a health plan
7. Health plan premium payments
8. Coordination of benefits
STANDARD CODE SETS
Combination of HCPCS and CPT-4 – physician services and other health care services
HCPCS – medical supplies, orthotics and other equipment
ICD-9-CM, Vols. 1 and 2 – conditions and other health problems and manifestations
Code on Dental Procedures and Nomenclature (CDT) – dental services
NDC – National Drug Codes – drugs/biologics
NOTE: Local codes are replaced by standard codes.
PENALTIES FOR NON-COMPLIANCE (monetary penalty, term of imprisonment, offense)
Civil penalties:
$100, no imprisonment – single violation of a provision
Up to $25,000, no imprisonment – multiple violations of an identical requirement or prohibition made during the calendar year
Criminal penalties:
Up to $50,000, up to one year – wrongful disclosure of individually identifiable health information
Up to $100,000, up to five years – wrongful disclosure of individually identifiable health information committed under false pretenses
Up to $250,000, up to 10 years – wrongful disclosure of individually identifiable health information committed under false pretenses with intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm
Enforcement Agency
Department of Health and Human Services, Office of Civil Rights (OCR) will: investigate complaints; enforce compliance; impose civil monetary penalties
Department of Justice will: enforce criminal penalties
Center for Medicare and Medicaid (CMS) will oversee compliance with Transaction Code Sets and Identifiers
HIPAA PRIVACY RULE – Key Elements: WHAT IS COVERED?
Protected Health Information (PHI): individually identifiable health information transmitted or maintained in any form or medium.
Individually Identifiable Health Information is health information, including demographic information, that:
is created or received by a covered entity;
relates to the individual’s physical or mental health, or the provision of, or payment for, health care; and
identifies the individual.
HIPAA PRIVACY RULE – Key Elements: Individually Identifiable Health Information (identifiers)
Name
All geographic subdivisions smaller than state
Birth date
Telephone/fax numbers
Addresses
Social Security Number
Medical Record Number
Health Plan Number
Account Number
Certificate / license number
Vehicle identifier / serial number
Device identifier / serial number
Uniform Resource Locators (URLs)
IP addresses
Biometric identifiers
Photos
Other unique characteristics
Full face photograph
HIPAA PRIVACY RULE – Key Elements: WHAT IS NOT COVERED?
Not PHI:
Employment records
Family Educational Rights and Privacy Act (FERPA) records
De-identified records:
Removal of certain identifiers so that the individual who is the subject of the PHI will no longer be identified
A statistical expert has determined that the risk of identification is small
The facility may assign a code or other means to allow for re-identification
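As an added illustration (not part of the presentation, and not Morehouse’s own tooling), the following Python models the identifier-removal route to de-identification: it strips every identifier named on the preceding slide from a constructed patient record and assigns the facility’s re-identification code. The field names, the sample record and the treatment of the slide’s “addresses” item as an e-mail address are assumptions; the code is random rather than derived from patient data, and the mapping back to the record lives only in a facility-held crosswalk.

```python
import secrets

# Identifier fields named on the slide. "All geographic subdivisions smaller
# than state" is modelled as street, city and zip; "addresses" as email
# (assumption). State itself is not an identifier and is kept.
IDENTIFIER_FIELDS = {
    "name", "street", "city", "zip", "birth_date", "phone", "fax",
    "email", "ssn", "mrn", "health_plan_number", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric", "photo",
}

# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Example", "street": "1 Example St", "city": "Atlanta",
    "state": "GA", "zip": "30300", "birth_date": "1970-04-02",
    "phone": "404-555-0100", "email": "jane@example.invalid",
    "ssn": "000-00-0000", "mrn": "MRN-000001", "ip_address": "192.0.2.10",
    "diagnosis": "hypertension", "visit_year": 2003,
}


def deidentify(record, crosswalk):
    """Return a copy with every listed identifier removed and a
    re-identification code added. The code is random, so it reveals nothing
    about the patient; only the facility's crosswalk maps it back to the MRN."""
    code = secrets.token_hex(8)
    crosswalk[code] = record.get("mrn")
    kept = {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}
    kept["reid_code"] = code
    return kept


def is_deidentified(record):
    """True when no listed identifier field survives in the record."""
    return not (set(record) & IDENTIFIER_FIELDS)


def reidentify(record, crosswalk):
    """Facility-side reversal: look the code up in the held crosswalk."""
    return crosswalk.get(record.get("reid_code"))
```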
HIPAA PRIVACY RULE – Scope
Consumer control of information
Patient privacy rights defined
Boundaries of medical record usage
Access controls to information
Security measures for patient information
Assignment of a Privacy Officer
Business Associate contracts
IMPACT ON PROVIDERS
OPERATIONAL: new administrative and clinical procedures (example: billing, operations coding, claims processing); contracts and/or chain-of-trust agreements (example: providers, payers, clearinghouses, other healthcare service companies)
MANAGERIAL: leadership and support; new or revised policies and procedures; training of staff
TECHNOLOGICAL: interoperability (hardware, software, connectivity); vendor management; security infrastructure
Maintain a HIPAA-compliant Environment
Make obvious changes as soon as possible
Protect your patients’ privacy and rights
Don’t leave medical information where people can see it
Control access to your department
Don’t leave information on desktops
Use a screen saver
Identify patients properly before giving information
Lock your desktop when you leave it, even to run to the copier
Can others overhear PHI when you speak on the telephone?
Can passers-by easily read your computer screen?
HIPAA Privacy Rule – Key Elements: Notice of Privacy Practices
An individual has a right to adequate written notice of:
the uses and disclosures of PHI that may be made by the covered entity, and
the individual’s rights and the covered entity’s legal duties with respect to PHI
Must be given by direct treatment providers on first service delivery after the compliance date
Written acknowledgement of receipt of the notice
HIPAA Privacy Rule – Key Elements: Individual Rights
Access, copy, inspect
Request amendments/corrections
Restrict disclosures
Request confidential communications
Accounting of disclosures
Information on how to file a complaint
HIPAA Privacy Rule – Key Elements: Designated Record Set
A group of records maintained by or for a covered entity that may include:
medical records
billing records
enrollment, payment, claims adjudication, case or medical management record systems
Used by the covered entity to make decisions about individuals
HIPAA Privacy Rule – Key Elements: Uses and Disclosures of PHI
Required disclosures:
to individuals who request access and an accounting of disclosures
to HHS to investigate or determine compliance with the Privacy Rule
Permitted disclosures:
to individuals
for treatment, payment and health care operations
public policy purposes
family, friends and advocates (with the opportunity for the individual to agree or object)
incidental disclosures
limited data set
Authorized disclosures: for other uses or disclosures that are neither required nor permitted
Special rules for marketing and psychotherapy notes
Commonly Used Terminology
TPO – Treatment of patients, Payment for treatment, Health Care Operations
Commonly Used Terminology: Health Care Operations
Activities related to the Covered Entity’s functions:
Quality assessment and improvement activities
Reviewing the competence and qualifications of health care professionals
Conducting training programs in which students and trainees learn under supervision
Conducting medical reviews, legal services, and auditing functions
Business planning and development
Business management and general administrative activities
Customer service
Resolution of grievances
Creating de-identified information or a limited data set
HIPAA Privacy Rule – Key Elements: Minimum Necessary Standard
Must make reasonable efforts to limit the use or disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended use.
Exceptions: treatment, disclosure to the individual, disclosure to HHS/OCR, or required by law
Permits incidental uses or disclosures as long as reasonable safeguards are in place.
Role-based access: in the workplace, access to health information should be on a need-to-know basis.
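The following Python is an added example (not from the presentation or Morehouse) of the minimum necessary standard enforced as role-based, need-to-know access: each role gets an allow-list of fields, the treatment exception releases the whole record, and every release is logged so the individual’s right to an accounting of disclosures (see Individual Rights above) can be met. The roles, field names and sample record are constructed for illustration.

```python
from datetime import datetime, timezone

# Role-to-field allow-lists: a constructed policy, not the school's actual
# one. Treatment is an exception to minimum necessary on the slide, so the
# treating-provider role may see the entire record (None = everything).
ROLE_FIELDS = {
    "treating_provider": None,
    "billing": {"mrn", "health_plan_number", "account_number", "procedure_codes"},
    "scheduler": {"mrn", "name", "phone", "next_appointment"},
}

# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "mrn": "MRN-000001", "name": "Jane Example", "phone": "404-555-0100",
    "health_plan_number": "HP-000001", "account_number": "AC-000001",
    "diagnosis": "hypertension", "procedure_codes": ["99213"],
    "next_appointment": "2003-05-01",
}


def release(record, role, purpose, access_log):
    """Return only the fields the role needs and log the disclosure.
    A role with no allow-list (e.g. a researcher without authorization)
    gets nothing rather than a silently empty record."""
    if role not in ROLE_FIELDS:
        raise PermissionError(f"role {role!r} has no need-to-know access to PHI")
    allowed = ROLE_FIELDS[role]
    released = dict(record) if allowed is None else {
        k: v for k, v in record.items() if k in allowed}
    access_log.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "mrn": record["mrn"], "role": role, "purpose": purpose,
        "fields": sorted(released),
    })
    return released


def accounting_of_disclosures(mrn, access_log):
    """Log entries a patient would receive when exercising the accounting right."""
    return [entry for entry in access_log if entry["mrn"] == mrn]
```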
HIPAA Privacy Rule – Key Elements: Privacy Complaints
The CE must provide a process for individuals to make complaints concerning the CE’s policies and procedures and its compliance with the Privacy Rule.
Complaints can be filed with the CE or DHHS/OCR.
HIPAA Privacy Rule – Key Elements: Other Requirements
Privacy training
Safeguards
Mitigation process
Policies and procedures in place
Sanction process
HIPAA & RESEARCH
Access to PHI by researchers:
– With authorization obtained from the patient
– Without authorization: documented IRB approval of a waiver of authorization (submit justification); preparatory to research; research on PHI of decedents; limited data sets with a Data Use Agreement
– De-identified information (not covered by HIPAA)
HIPAA & RESEARCH – References
MSM HIPAA Website
Office of Civil Rights (OCR)
National Institutes of Health
American Health Information Management Association
OCR Frequently Asked Questions
Summary of HIPAA Privacy Rule
Specific Security in Privacy
Effective compliance with the Privacy regulations depends on the security of patients’ PHI.
Role-based access is required under the minimum necessary rule
Verification and authentication of individuals and authorities requesting PHI
Security required by the Privacy Rule applies to PHI in all forms
Definitions for Privacy & Security
Privacy is the right of an individual to keep information about him/her from being disclosed to others.
Confidentiality is the obligation of another party to respect privacy by:
– protecting the personal information they receive, and
– preventing it from being used or disclosed without the subject’s knowledge or permission.
Security is the means used to protect the integrity, availability and confidentiality of information: physical, technical and administrative safeguards.
Specific Security in Privacy
HIPAA Security standards address organizational and facility security, not just information systems.
Requirements in four areas address health care data integrity, confidentiality and availability:
1. Administrative procedures
2. Physical safeguards
3. Technical security services
4. Technical security mechanisms
The HIPAA Security standards protect all e-PHI (electronic protected health information).
HIPAA Security (cont’d)
What is information security? All protections in place to ensure that PHI is:
kept confidential (confidentiality)
not improperly altered or destroyed (integrity)
readily available to authorized users (availability)
These principles represent the heart of any information security program.
HIPAA Security (cont’d)
The HIPAA Security standards provide the mechanisms that support efforts to protect privacy. They cover information:
on hard drives
on removable/transportable digital memory media (magnetic tape/disk)
transported electronically via the internet or other means
YOUR RESPONSIBILITIES
1. Properly manage your password
2. Prevent the spread of viruses
3. Properly dispose of material with PHI (hard copy)
4. Contact DITS to clear disks and hard drives of all PHI before selling or giving a computer to another user
5. Protect systems from outside threats (hackers, malicious software)
6. Do not use unauthorized software or hardware
7. Follow the organization’s policies regarding the use of PDAs and laptops
8. Be familiar with the organization’s Information Security policies
9. Use common-sense security
HIPAA Web Sites
HHS Administrative Simplification Page
American Health Information Management Association
Office of Civil Rights – HIPAA
CMS Website
Workgroup for Electronic Data Interchange
OCR Guidelines to Final Regulations (12/04/2002)
MSM HIPAA Website
QUESTIONS?
Rosie Callender, RHIA
HIPAA Project Manager
Morehouse School of Medicine Compliance Office
22 Piedmont Road, Atlanta, GA
(404)