1. Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006

2. Community Care Network of Virginia, Inc 2 Discussion Points  Overview of HIPAA Regulations  Administrative Simplification  EDI Components  Standard Transactions  Standard Code Sets  Unique Identifiers  Privacy Rule Review  Security Rule Overview

3. October 2006Community Care Network of Virginia, Inc 3 HIPAA-What’s in a Name?  Health Insurance Portability and Accountability Act  Implemented in 1996  Includes Titles I - V  Portability -Title I  Accountability - Title II  Administrative Simplification

4. HIPAA Administrative Simplification Provisions

5. October 2006Community Care Network of Virginia, Inc 5 Who Oversees HIPAA Administrative Simplification? Department of Health & Human Services The Centers for Medicare and Medicaid Services (CMS) Oversees: Transactions & Code Sets Standard Unique Identifiers Security Rule NPI The Office for Civil Rights (OCR) Oversees: Privacy Rule

6. Administrative Simplification Provisions Time Table * Small Health Plans have 1 year longer

7. October 2006Community Care Network of Virginia, Inc 7 Why are HIPAA Electronic Standard Transactions Important?  Standardize claim submission Fewer errors  Standardize payment method Faster processing  Reduces paperwork ( from~400 forms to ~4)  Reduces postage costs  Real-time patient eligibility and benefits  Overall ~~ Less Administrative Burden

8. October 2006Community Care Network of Virginia, Inc 8 Current HIPAA Standard Transactions

9. October 2006Community Care Network of Virginia, Inc 9 Unique Identifiers for HIPAA EDI National Employer Identifier Standard  Compliance Date = July 30, 2004  IRS Employer Identification Number (EIN)  9-digit number (Tax ID #) for all employers  Number to be used on all claims to identify the Center (54-*******)

10. October 2006Community Care Network of Virginia, Inc 10 Unique Identifiers for HIPAA EDI National Provider Identifier (NPI)  Compliance Date = May 23, 2007 {Small Health Plans = May 23, 2008}  We will discuss details in Part 2….

11. Reviewing of the Privacy Rule

12. October 2006Community Care Network of Virginia, Inc 12 On To The Privacy Rule……...  Purpose:  Provides national standards to protect Protected Health Information (PHI)  Gives patients increased control over their health information  Sets limits on the use of and disclosure of health information  Allows for a balance in disclosing PHI in some forms for public health reasons  Establishes penalties for violations of a person’s privacy rights.

13. October 2006Community Care Network of Virginia, Inc 13 Areas Addressed in the Privacy Standards + Notice of Privacy Practice (NPP ) + Use & disclosure of PHI + T P O + Authorization for Release of PHI + Minimum Necessary Information + Incidental Uses Disclosures + Oral Communications + Accounting of Disclosures + Business Associates + Personal Representatives & Minors + Marketing & Health- Related Communications + Research + Government Access to PHI + Violations & Penalties

14. October 2006Community Care Network of Virginia, Inc 14 Review of Patient’s Rights...  Receive a copy of Notice of Privacy Practices (NPP)/Signature of Receipt  Review & request copies of/amendments to their medical records  Need to be informed on how their PHI may be used/disclosed {stated in NPP}  Any release of PHI will be held to the minimum necessary to achieve the task  File grievance concerning privacy issues

15. October 2006Community Care Network of Virginia, Inc 15 What Should We Have in Place ?  Policies & Procedures that address the requirements of the Standards  Forms that support P &P  NPP acknowledgement of receipt  Restrictions on uses & disclosures of PHI  Patient request to review & copy medical record  Denial for access to the request  Amendment of the medical record  Accounting of disclosures log  Patient Authorization for disclosure other than TPO  Patient Grievance Form

16. October 2006Community Care Network of Virginia, Inc 16 How’s Privacy Compliance Going ? DHHS Reports the following:  As of November 30, 2005-  16,625 privacy rule complaints received by the Office for Civil Rights since the effective date (April 14, 2003)  69% of the cases have been resolved/closed  Covered entity corrected the problem  Complaint was not a true violation of Privacy Rule  263 violations referred by the OCR to the Department of Justice for potential prosecution-- one case has been successfully prosecuted

17. October 2006Community Care Network of Virginia, Inc 17 How’s Privacy Compliance Going ? DHHS Reports the following:  Top Five Complaints Against Providers 1. Impermissible use/disclosure of PHI 2. Lack of adequate safeguards in place 3. Refusal or failure to provide a patient access to records 4. Disclosure of more than minimally necessary information 5. Failure to obtain valid authorizations for disclosures that required them.

18. October 2006Community Care Network of Virginia, Inc 18 The Penalties…………..  $100/incident  up to ---- $25,000/person/year/ standard violated  $50,000 and/or ONE year I prison for knowingly violating the Rule

19. October 2006Community Care Network of Virginia, Inc 19 The Penalties…………..  False Pretense:  Up to $100,000; 5 years in prison  For Commercial Gain, Advantage, or Harm -  $250,000; 10 years in prison

20. October 2006Community Care Network of Virginia, Inc 20 Suggestions for Compliance  Ensure Policies & Procedures (P & P) cover standards in the Rule and are up-to-date with Center operations  ANNUAL staff training on current Privacy P & P  Continue to make the Center Notice of Privacy Practices (NPP) available to patients and obtain signatures of receipt for medical record.  Ensure Privacy Officer is designated  Ensure Business Associate Agreements (BAA), according to the Rule standards, are in place

21. October 2006Community Care Network of Virginia, Inc 21 Security Rule  Compliance Date = April 21, 2005  Purpose:  Ensure the integrity, availability, & confidentiality of EPHI {Electronic PHI}  Protect against reasonably anticipated threats of security & improper use or disclosure of EPHI  Ensure compliance by Center staff

22. October 2006Community Care Network of Virginia, Inc 22 What Does the Security Rule Include?  Electronic Protected Health Information {EPHI} ONLY  Privacy Rule covers all PHI in paper, oral, and electronic format.  All stored data and transmitted data in systems  All Covered Entities  Standards to ensure that appropriate access to EPHI is addressed.

23. October 2006Community Care Network of Virginia, Inc 23 Security Rule Concepts  Flexible & Scalable  Works for small to large providers & health plans  Technology Neutral  Allows for future technology advances  Comprehensive  Administrative Safeguards (policies & procedures)  Physical Safeguards (restricting access, providing back-up plans)  Technical Safeguards (authentication, integrity controls, access)

24. October 2006Community Care Network of Virginia, Inc 24 Required vs. Addressable Specifications Required  Implementation of specification is mandatoryAddressable  Specification must be used if the risk analysis shows it is needed  If a specification is not implemented, documentation must explain why & what else is being done in its place

25. October 2006Community Care Network of Virginia, Inc 25 Security Standards Flowchart

26. October 2006Community Care Network of Virginia, Inc 26 Implementing Security  Risk Analysis should access security risks & vulnerabilities  Consider Center size, capabilities, & costs of addressing the security areas  Assign a Security Officer  May have a “group” working together ~ responsibility must be assigned to an individual.

27. October 2006Community Care Network of Virginia, Inc 27 Implementing Security  Develop P & P to address the security standards as appropriate and reasonable for Center operations.  TRAIN staff on the P & P and the overall purpose of implementation  Ensure proper language in BAAs to cover security standards.  Evaluate Security P &P at least annually to ensure they are being followed & to update as appropriate

28. October 2006Community Care Network of Virginia, Inc 28 Relationships between Privacy & Security  Privacy is the…  Who  What  When  Security is the…  How

29. October 2006Community Care Network of Virginia, Inc 29 Relationships between Privacy & Security  Privacy covers PHI on paper, orally, & electronic format  Security covers electronic PHI ONLY  Security enables Privacy by providing safeguards for proper access to data  Business Associate Agreements(Privacy) need to detail how the integrity, confidentiality, & availability of the data exchange will take place (Security).

30. October 2006Community Care Network of Virginia, Inc 30 Tying It All Together-----  Patient  Registration  Collecting PHI  Handling PHI  Encounter  Diagnosis - All digits needed  E & M Service - Based on Key Elements  Procedures (Modifiers as appropriate)  Documentation to support ALL CODES used

31. October 2006Community Care Network of Virginia, Inc 31 Tying It All Together-----  Input data into Account  Proper Log-in/Access to System  Accuracy of Information  Submit Claim Electronically  Transmission process  Request for Medical Record Information  Minimum Necessary to complete the request

32. October 2006Community Care Network of Virginia, Inc 32 Tying It All Together-----  Electronic Payment/Denial  Input Data into Account  Proper Access  Accuracy  Maintaining Integrity of Data  Changes to be monitored ON A GOOD DAY---- The Process Works!

33. Patient is Happy ! Billing Staff is Happy Providers are Happy Center Management is Happy Board Members are Happy Everyone is HAPPY !!

34. October 2006Community Care Network of Virginia, Inc 34 Questions??

35. October 2006Community Care Network of Virginia, Inc 35 Thank You for Coming ! ! Stephanie Anderson, CPC Community Care Network of Virginia, Inc. 6802 Paragon Place Suite 630 Richmond, VA 23230 (T) (804) 237-7686 x 102 sanders@ccnva.com