1. Rosie Callender, RHIA An Overview of HIPAA Health Insurance Portability and Accountability Act – 1996 Rosie Callender, RHIA HIPAA Project Manager Morehouse School of Medicine Compliance Office

2. Rosie Callender, RHIA TOPICS COVERED : What is HIPAA? HIPAA Overview Title II – Administrative Simplification Provisions HIPAA Objectives Who Must Comply with HIPAA – “Covered Entities” Penalties For Non-compliance / Enforcement Agency What information is protected by HIPAA Permitted Uses and Disclosures HIPAA Privacy Rule – Key Elements

3. Rosie Callender, RHIA WHAT IS HIPAA H H ealth I I nsurance P P ortability A A ccountability A A ct of 1996

4. Rosie Callender, RHIA HIPAA OVERVIEW Health Insurance Portability and Accountability Act ( HIPAA) Administrative Simplification (Accountability ) Insurance Reform ( Portability ) Transactions, Code Sets, Compliance by10/16/03 National Provider Identifiers Published 1/23/04 Effective 5/23/05 Compliance by 5/23/07 Privacy Compliance Date: 4/14/2003 Security Final Regulations Published on 2/20/03 Compliance Date: 4/20/2005

5. Rosie Callender, RHIA TITLE II - ADMINSTRATIVE SIMPLIFICATION PROVISIONS

6. Rosie Callender, RHIA HIPAA Objectives Insurance portability and continuity- Protect insurability of individuals Accountability - to reduce the potential for waste, fraud & abuse Administrative Simplification – to apply uniform standards to electronic data transactions in a confidential and secure environment.

7. Rosie Callender, RHIA Expected Results of Administrative Simplification Reduce handling and processing time Eliminate the risk of lost paper documents Eliminate the inefficiencies of handling paper documents Improve overall data quality / fewer errors Decrease administrative costs Increase faith in the protection of patients’ personal health information Thus, improve quality of patient care!

8. Rosie Callender, RHIA What is HIPAA? HIPAA = Health Insurance Portability and Accountability Act A Federal Law Created in 1996 H = Health I = Insurance P = Portability and A = Accountability A = Act HIPAA Administrative Simplification Code Sets Security Unique Identifiers Privacy Electronic Transactions

9. Rosie Callender, RHIA Healthcare Fraud and Abuse on the Rise Healthcare costs out of control Patient Records Found on Street Hospital Security Breach TEMP DUMP MEDICAL RECORDS WHY HIPAA?

10. Rosie Callender, RHIA Who must comply with HIPAA - “ COVERED ENTITIES” Health care providers, that transmit or maintain patient identifiable information. Health plans that provide or pay the cost of medical care including Medicare and Medicaid Health care clearinghouses that process data elements or transactions Employees ( indirectly)

11. Rosie Callender, RHIA Covered Entity  Provides health care  Conducts one or more standard HIPAA transactions.  Transmits or receives standard transactions in electronic form. Or  Performed through a Business Associate.

12. Rosie Callender, RHIA HIPAA Privacy Rule – Key Elements Business Associates (BA) A person or entity that, on behalf of a Covered Entity, access and uses PHI to perform or assists in the performance of a function or activity for the CE. Does not include a member of the workforce or volunteers. Business Associate Agreement Must have a contract requiring BA to keep PHI safeguarded; Contract must have required elements described in the regulations; Must include other HIPAA-related risk/liability; Does not apply to disclosure of PHI to providers for treatment; If the CE becomes aware of a violation by the BA and fails to act, it can be penalized; Existing contracts will not have to be compliant until 4/14/2004.

13. Rosie Callender, RHIA HIPAA ELECTRONIC TRANSACTIONS An entity id regulated by the Privacy Rule as a Covered Entity if it does any of the following electronically. 1.Claims or equivalent encounter Information 2.Payment and Remittance Advice 3.Claim Status Inquiry and Response 4.Eligibility Inquiry and Response 5.Referral Certification and Authorization Inquiry and Response 6.Enrollment and Disenrollment in a Health Plan 7.Health Plan Premium Payments 8.Coordination of Benefits

14. Rosie Callender, RHIA STANDARD CODE SETS Combination of HCPCS & CPT-4 Physician Services and other Health Care Services HCPCS – Medical supplies, Orthotics & other equipment ICD-9-CM, Vols 1&2 Conditions and other health problems & manifestations Code on Dental Procedures and Nomenclature Dental services - CDT NDC – National Drug Codes - Drugs/Biologics NOTE: Local codes are replaced by standard codes.

15. Rosie Callender, RHIA PENALTIES For Non-compliance Monetary Penalty Term of Imprisonment Offense CIVIL PENALTIES $100N/A Single violation of provision Up to $25,000N/A Multiple violations of identical requirement or prohibition made during the calendar year CRIMINAL PENALTIES Up to $50,000Up to one year Wrongful disclosure of individually identifiable health information Up to $100,000Up to five years Wrongful disclosure of individually identifiable health information committed under false pretenses Up to $250,000Up to 10 years Wrongful disclosure of individually identifiable health information committed under false pretenses with intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm

16. Rosie Callender, RHIA Enforcement Agency Department of Health and Human Services Office of Civil Rights (OCR) will: will investigate complaints enforce compliance impose civil monetary penalties Department of Justice will: enforce criminal penalties Center for Medicare and Medicaid (CMS) will oversee compliance with Transaction Code Sets and Identifiers

17. Rosie Callender, RHIA HIPAA PRIVACY RULE – Key Elements WHAT IS COVERED? Protected Health Information (PHI) individually identifiable health information transmitted or maintained in any form or medium. Individually Identifiable Health Information Health information, including demographic information Created or received by a covered entity Relates to the individual’s physical or mental health or provision of, or payment for health care. Identifies the individual

18. Rosie Callender, RHIA HIPAA PRIVACY RULE – Key Elements Individually Identifiable Health Information Name All geographic subdivisions smaller than state Birth date Telephone/Fax numbers E-mail addresses Social Security Number Medical Record Number Health Plan Number Account Number Certificate / license number Vehicle identifier/serial number Device identifier/serial number Uniform Resource Locators (URLs) IP addresses Biometric identifiers Photos Other unique characteristics Full face photograph

19. Rosie Callender, RHIA HIPAA PRIVACY RULE – Key Elements WHAT IS NOT COVERED? Not PHI Employment records Family Educational Rights and Privacy Act (FERPA) records De-identified Records: Removal of certain identifiers so that the individual who is subject of the PHI will not longer be identified. Statistical expert determined that risk of identification is small Facility may assign code of other means to allow for re- identification

20. Rosie Callender, RHIA HIPAA PRIVACY RULE – Scope Consumer control of information Patient privacy rights defined Boundaries of Medical Record Usage Access controls to information Security measures for patient information Assignment of Privacy Officer Business Associate contracts

21. Rosie Callender, RHIA IMPACT ON PROVIDERS OPERATIONAL New Administrative and Clinical Procedures ( EXAMPLE : Billing, Operations Coding, Claims Processing) Contracts and/or Chain of Trust Agreements (Example: providers, Payers, clearinghouses, other healthcare service companies) MANAGERIAL Leadership & Support New or Revised Policies and Procedures Training of Staff Leadership & Support New or Revised Policies and Procedures Training of Staff TECHNOLOGICAL Interoperability (hardware, Software, Connectivity) Vendor Management Security Infrastructure Interoperability (hardware, Software, Connectivity) Vendor Management Security Infrastructure

22. Rosie Callender, RHIA Maintain a HIPAA-compliant Environment Make obvious changes as soon as possible Protect your patients privacy and rights  Don’t leave medical information where people can see  Control access to your department  Don’t’ leave information on desktops  Use a screen saver  Identify patients properly before giving information  Lock your desktop when you leave it, even to run to the copier  Can others overhear PHI when you speak on the telephone?  Can passers-by easily read your computer screen?

23. Rosie Callender, RHIA HIPAA Privacy Rule – Key Elements Notice of Privacy Practices An individual has a right to adequate written notice of: uses and disclosures of PHI that may be made by the covered entity, and. individual’s rights and covered entity’s legal duties with respect to PHI Must be given by direct treatment providers on first service delivery after compliance date Written Acknowledgement of Receipt of Notice

24. Rosie Callender, RHIA HIPAA Privacy Rule – Key Elements Individual Rights Access, copy, inspect Request amendments/corrections Restrict disclosures Request confidential communications Accounting of disclosures Information on how to file a complaint

25. Rosie Callender, RHIA HIPAA Privacy Rule – Key Elements Designated Record Set A group of records maintained by or for a covered entity that may include:  Medical records  billing records  Enrollment, payment, claims adjudication  case or medical management records systems Used for the covered entity to make decisions about individuals

26. Rosie Callender, RHIA HIPAA Privacy Rule – Key Elements Uses and disclosure for PHI. Required Disclosures  To individuals who request access, and accounting of disclosures.  To HHS to investigate or determine compliance with Privacy Rule. Permitted Disclosures  To individuals  For treatment, payment and health care operations  Public policy purposes  Family, friends & advocates / opportunity for individual to agree/ object  Incidental disclosures  Limited Data Set Authorized Disclosures For other uses or disclosures not required nor permitted. Special rules for marketing and psychotherapy notes

27. Rosie Callender, RHIA Commonly Used Terminology TPO -Treatment of patients - Payment for treatment - Health Care Operations

28. Rosie Callender, RHIA Commonly Used Terminology Health Care Operations Activities related to the Covered Entity’s functions: Quality assessment and improvement activities Reviewing the competence and qualifications of health care professionals Conduct training programs in which students, trainees learn under supervision Conducting medical reviews, legal services, and auditing functions Business planning and development Business management and general administrative activities Customer service Resolution of grievances Creating de-identified information or limited data set.

29. Rosie Callender, RHIA HIPAA Privacy Rule – Key Elements Minimum Necessary Standard Must make reasonable efforts to limit the use or disclosure of, and request for, PHI to minimum necessary to accomplish intended use. Exceptions: Treatment, Disclosure to the individual, Disclosure to HHS/OCR or Required by law Permits incidental uses or disclosures as long as reasonable safeguards are in place. Role-based access. In the work place access to health information should be on a need to know basis.

30. Rosie Callender, RHIA HIPAA Privacy Rule – Key Elements Privacy Complaints CE must provide a process for individuals to make complaints concerning CE’s policies and procedures and its compliance with the privacy rule. Complaints can be filed with the CE or DHHS/OCR

31. Rosie Callender, RHIA HIPAA Privacy Rule – Key Elements Other Requirements: Privacy Training Safeguards Mitigation process Policies and procedures in place Sanction process

32. Rosie Callender, RHIA HIPAA & RESEARCH Access to PHI by researchers : –With Authorization obtained from patient; –Without Authorization: Documented IRB approval of a Waiver of Authorization Submit justification Preparatory to research; Research on PHI of Decedents; Limited Data Sets with a Data Use Agreement; –De-Identified Information ( not covered by HIPAA )

33. Rosie Callender, RHIA HIPAA & RESEARCH References: MSM HIPAA Website: http://www.msm.edu/hipaa/index.htmhttp://www.msm.edu/hipaa/index.htm Office of Civil Rights (OCR) http://www.hhs.gov/ocr/hipaahttp://www.hhs.gov/ocr/hipaa National Institutes of Health: http://privacyruleandresearch.nih.govhttp://privacyruleandresearch.nih.gov American Health Information Management Association – http://www.ahima.org. http://www.ahima.org OCR Frequently Asked Questions – http://www.hhs.gov/ocr/hipaa/whatsnew.html http://www.hhs.gov/ocr/hipaa/whatsnew.html Summary of HIPAA Privacy Rule – http://www.hhs.gov/ocr/privacysummary.pdf http://www.hhs.gov/ocr/privacysummary.pdf

34. Rosie Callender, RHIA Specific Security in Privacy Effective compliance with the Privacy regulations is dependent on security of patient’s PHI. Role-based access required under minimum necessary rule Verification and authentication of individuals and authorities requesting PHI Security required by Privacy Rule applies to PHI in all forms

35. Rosie Callender, RHIA Definitions for Privacy & Security Privacy is the right of an individual to keep information about him/her from being disclosed to others. Confidentiality is the obligation of another party to respect privacy by: -Protecting personal information they receive and -Preventing it from being used or disclosed without the subject’s knowledge or permission. Security is the means used to protect integrity, availability and confidentiality of information. Physical, technical and administrative safeguards

36. Rosie Callender, RHIA Specific Security in Privacy HIPAA Security standards address organizational and facility security, not just Information Systems Requirements in four areas will address health care data integrity, confidentiality and availability: 1.Administrative procedures 2.Physical safeguards 3. Technical security services 4. Technical security mechanisms The HIPAA Security standards protects all e-PHI (electronic protected health information)

37. Rosie Callender, RHIA HIPAA Security ( cont’d ) What is Information Security ? All protections in place to ensure that PHI is: kept confidential (confidentiality) not improperly altered or destroyed (integrity) readily available to authorized users (availability) These principles represent the heart of any information security program.

38. Rosie Callender, RHIA HIPAA Security ( cont’d ) The HIPAA Security standards provides the mechanisms that support efforts to protect privacy. It covers information : on hard drives on removable/transportable digital memory medium (magnetic tape/disk) transported electronically via the internet, e-mail or other means.

39. Rosie Callender, RHIA YOUR RESPONSIBILITIES 1.Properly manage your password; 2.Prevent the spread of viruses; 3.Properly dispose of material with PHI (hard copy); 4.Contact DITS to clear disks and hard drives of all PHI; before selling or giving computer to another user; 5.Protect system from outside threats ( hackers, malicious software); 6.Do not use unauthorized software or hardware; 7.Follow the organizations policies regarding the use of PDAs and Laptops. 8.Be familiar with the organizations Information Security policies. 9.Use common sense-security

40. Rosie Callender, RHIA HIPAA Web Sites HHS Administrative Simplification Page http://aspe.os.dhhs.gov/admnsimp American Health Information Management Association http://www.AHIMA.org Office of Civil rights - HIPAA http://www.hhs.gov/ocr/hipaa/http://www.hhs.gov/ocr/hipaa/privacy.html CMS Website http://www.cms.hhs.gov/hipaa/hipaa2/ Workgroup for Electronic Data Interchange http://www.wedi.org OCR Guidelines to Final Regulations (12/04/2002 http://www.hhs.gov/ocr/hipaa/guidelines/AllSectionsCombined.doc MSM HIPAA Website http://www.msm.edu/hipaa/index.htm

41. Rosie Callender, RHIA QUESTIONS? Rosie Callender, RHIA HIPAA Project Manager Morehouse School of Medicine Compliance Office 22 Piedmont Road Atlanta, GA 30303 (404) 756-1345 rcallend@msm.edu