1. ITEC 6324 Health Insurance Portability and Accountability (HIPAA) Act of 1996 Instructor: Dr. E. Crowley Name: Victor Wong Date: 2 Sept. 2004

2. 2 HIPAA Health Insurance Portability and Accountability Act of 1996 Or Kennedy – Kassenbaum, 1996 Signed into law on August 21, 1996 Final Privacy rule published on December 28, 2000. With full compliance date of April 14, 2003.

3. 3 HIPAA - Background First federal policy to govern the privacy of health information in electronic form. Effort by the Clinton Administration & congressional healthcare reform proponents to reform healthcare. Legislation goals & objections: To streamline industry inefficiencies, reduce paperwork, make it easier to detect fraud & abuse and enable workers of all professions to change jobs, even if they (or family members) had pre-existing medical conditions.

4. 4 HIPAA - Background Major issue in HIPAA Information Security requirements – No standard process to determine HIPAA compliance. More complicated when institutions used different criteria and methodologies for evaluation.

5. 5 HIPAA – Scope Addresses  Issues like health care privacy, security, transactions & code sets, unique identifiers, electronic signatures, and plan portability.  Rights of the individual over information about them  Procedures for the execution of such rights  The uses and disclosures of information that should be authorized

6. 6 HIPAA – Scope Institutions must have in place:  Standard Safe Guards - must have appropriate administrative, technical and physical safeguards  Implementation of Standard Safe Guards - A covered entity must protect health care information from intentional or unintentional disclosure

7. 7 HIPAA – Final The final privacy rule was published on December 28, 2000. (http://www.hipaaplus.com/abouthippa.htm)http://www.hipaaplus.com/abouthippa.htm  Standards for Privacy of Individually Identifiable Health Information  National Provider Identifier  Employer Identifier  Security and Electronic Signatures

8. 8 HIPAA – Final (2) Standards for Privacy of Individually Identifiable Health Information ….. designed to help guarantee privacy and confidentiality of patient medical records. National Provider Identifier & Employer Identifier..... designed to help speed processing of enrollment, eligibility and claims processing by having a national set of identification numbers that the entire industry would use to identify a specific provider, insurer or patient. ….. help identify fraud and abuse.

9. 9 HIPAA – Final (3) Security and Electronic Signatures ….. for persons submitting healthcare claims and claims attachments through the use of a digitally encrypted key "signature", that requires a "private key" to create and send the "signed document".

10. 10 HIPAA – Enforcement ( http://www.cms.gov/hipaa/hipaa2/enforcement/paper_complaint_form.pdf ) http://www.cms.gov/hipaa/hipaa2/enforcement/paper_complaint_form.pdf The Department of Health and Human Services (DHHS), specifically the Office of HIPAA standards (OHS) is responsible for HIPAA transactions and code sets (TCS) enforcement. OHS’s purpose is for HIPAA enforcement but operates as a separate entity

11. 11 HIPAA – Enforcement Penalties for violations range from $100 for less serious offence (e.g. failure to comply) to $250,000 and/or imprisonment of <10 years for serious offence like intention to sell information

12. 12 HIPAA - Enforcement Who will enforce HIPAA? (http://www.hep-c-alert.org/links/hippa.html)http://www.hep-c-alert.org/links/hippa.html WHO WHAT (health care portability requirements) The Secretary of Labor On group health plans under ERISA (Employee Retirement Income Security Act) including self-insured arrangements The Secretary of the Treasury On group healths plan including self- insured arrangement States or Secretary of Health & Human Services For group & individual requirements imposed on health insurance issues, including sanctions available under state law.