
HIPAA The What, When, Where, How, and Why of HIPAA for Agencies in the NC DHHS Family Presented By NCDHHS Sarah Brooks HIPAA PMO Staff: Julie Burton.


1 HIPAA The What, When, Where, How, and Why of HIPAA for Agencies in the NC DHHS Family Presented By NCDHHS Sarah Brooks HIPAA PMO Staff: Julie Burton Susan Mitchell

2 TRAINING OBJECTIVES Provide High Level Overview of HIPAA Regulations
Clarify Agencies Covered Under HIPAA Explain Approach Adopted by NC DHHS to Address HIPAA Identify Steps Agencies Can Begin Taking to Comply with HIPAA Identify HIPAA Resources NCDHHS - HIPAA PMO

3 Addressing the Health Care Tower of Babel
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Look up on Web

4 CURRENT INDUSTRY LIMITATIONS / CONCERNS
- Over 400 different proprietary claim forms and/or file formats dictated by payers
- Administrative overhead, including claims processing, accounts for > 20¢ of every health care dollar
- Average “Accounts Receivable” ≥ 60 days
- Increased computerization does not adequately address privacy and security concerns

Even with automation today: 1) Interfaces are inadequate. Example: In some cases, staff are required to look up Medicaid eligibility information on one system and then key this information into another system. 2) Lack of standards: partial automation of claims (still a mix of paper and automated forms).

5 Healthcare Insurance Portability and Accountability Act (HIPAA)
FEDERAL RESPONSE Healthcare Insurance Portability and Accountability Act (HIPAA) Public Law , August 21, 1996 Amends Internal Revenue Service Code of 1986 Federal Response was initiated due to lack of standards and concerns of Insurance Industry. Insurance and Healthcare industries pushed for legislation to standardize transactions. NCDHHS - HIPAA PMO

6 WHAT DOES HIPAA ACCOMPLISH?
Guarantees Health Coverage When Job Changes Reduces Fraud and Abuse (Medicare/Medicaid) Administrative Simplification Establishes national standards for: Electronic (EDI) transactions Security and privacy of health care information Identifiers such as provider, payer and employer Improved efficiency of processing health care information Ultimately should lower administrative overhead Currently estimated at $300 Billion per year nationwide Preempts State Laws Unless More Stringent NCDHHS - HIPAA PMO

7 ADMINISTRATIVE SIMPLIFICATION REGULATIONS
Title II, Subtitle F, Administrative Simplification (FINAL RULES PUBLISHED) Electronic Health Transactions Standards (45 CFR Parts 160 & 162) Federal Register, Vol. 65, p (published August 17, 2000) Privacy and Confidentiality Standards (45 CFR Parts 160 & 164) Federal Register, Vol. 65, p (published December 28, 2000) Regulations are coming out of DHHS in a staggered manner which may cause problems. For example, EDI rules will be effective before standardized identifiers which may cause additional programming changes. Privacy and security will take effect after EDI standards are in effect so data transmissions of PHI may not be adequately protected. NCDHHS - HIPAA PMO

8 ADMINISTRATIVE SIMPLIFICATION REGULATIONS (continued)
(PROPOSED RULES - PUBLISHED) Security and Electronic Signature Standards (45 CFR Part 142) Federal Register, Vol. 63, p (published August 12, 1998) Health Insurance Reform: National Standard Employer Identifier (45 CFR Part 142) Federal Register, Vol. 63, p (published June 16, 1998) National Standard Health Care Provider Identifier (45 CFR Part 142) Federal Register, Vol. 63, p (published May 7, 1998) Rules not yet finalized. NCDHHS - HIPAA PMO

9 ADMINISTRATIVE SIMPLIFICATION REGULATIONS (continued)
(PROPOSED RULES - NOT PUBLISHED) National Health Plan Identifier (Payer ID) Scheduled draft publication: Q2/2001 Claims Attachments Scheduled draft publication: Q3/2001 Enforcement Scheduled draft publication: Q4/2001 First Report of Injury Scheduled draft publication: Q4/2001 National Individual Identifier Scheduled draft publication: On Hold Information is needed to support an insurance claim. NCDHHS - HIPAA PMO

10 REGULATION TIMEFRAMES
Final Standards:
- EDI Transaction and Code Sets. Published: 8/17/2000. Final compliance: 10/16/2002. Includes transaction sets: Claims and Remittance Advice; Enrollment; Eligibility, Inquiry and Response; Status Inquiry and Response; Request Review and Response; Payroll Deduction and Premium Payment
- Privacy. Published: 12/28/2000. Final compliance: 4/16/2003

Proposed Rules:
- National Provider Identifier. Draft published: 5/07/ Scheduled final rule: Q3/2001
- National Employer Identifier. Draft published: 6/16/ Scheduled final rule: Q3/2001
- Security. Draft published: 8/12/ Scheduled final rule: Q2/2001

Proposed Rules not yet published:
- National Health Plan Identifier. Scheduled draft publication: Q2/2001
- Claims Attachments. Scheduled draft publication: Q3/2001
- Enforcement. Scheduled draft publication: Q4/2001
- First Report of Injury. Scheduled draft publication: Q4/2001
- National Individual Identifier. Scheduled draft publication: On Hold

Security - 98% same as draft rules.
Privacy - President Bush instructed DHHS Secretary Tommy Thompson to let the Privacy Regulations take effect April 16th, but more than likely DHHS will prepare revisions to the regs that will address some of the concerns of the healthcare industry. During the month of March, DHHS allowed comments to be submitted relative to the final regs and more than 24,000 comments were received.

11 WHO IS AFFECTED? Covered Entities
Health Plan (provides or pays the cost of medical care - e.g., Medicaid, HMOs, BC/BS, Medicare, Champus) Health Care Clearinghouse (routes electronic data between payers & providers - e.g., billing services ) Health Care Provider who transmits any health information in an electronic transaction (e.g., Hospitals, Physicians, Public Health Departments, Group Homes, Home Health) NCDHHS - HIPAA PMO

12 WHO IS AFFECTED? (continued)
Business Associates Definition: Person who performs a function or activity on behalf of a covered entity Excludes person who is part of the Covered Entity’s workforce (e.g., Employees, Physicians with Staff Privileges) Contractual Agreements with Covered Entity (e.g., Area MH/DD/SAS Contract Agencies, S/W Vendors) Complies with HIPAA Health Care Providers Who Transmit Paper Health Claims Must Use New Code Sets NCDHHS - HIPAA PMO

13 WHY COMPLY WITH HIPAA? Avoid Denied and/or Delayed Reimbursements
- DHHS agencies process claims bringing in more than $550 million in receipts annually
- Annual Medicaid disbursements totaling more than $4.6 billion
- May Risk Accreditation (e.g., Joint Commission on Accreditation of Health Care Organizations)
- Public Relations and Business Risk Issues
- Benefit from Long Term Health Care Cost Reductions
- Imposes Severe Penalties for Non-compliance

1) Denied and delayed reimbursements. Denied - If claims are not sent in standard format, then many claims will be denied. Delayed - If claims continue to be submitted in paper form, reimbursement will continue to be delayed.
2) Joint Commission - Joint Commission plans to adopt/incorporate HIPAA standards as part of their review process. Without HIPAA compliance, there could be a loss of accreditation, which in turn could potentially risk loss of certification for Medicare/Medicaid.
3) Providers throughout the state could refuse to work with DHHS because we could not enter into “chain of trust partner agreements” (e.g., group homes). If the Medicaid Information System (DMA) is not compliant this could impact all providers across the state (billing for Medicaid).
4) Give an example of HEARTS - RA’s posted manually now.

14 IMPOSING COMPLIANCE General Civil Penalty for Failure to Comply
$100/violation/person Not to exceed $25,000 in one calendar year Criminal Penalties (Privacy) - Person who knowingly and wrongfully discloses individually identifiable health information is subject to fines and imprisonment Simple Offense - Up to $50,000 &/or 1 year imprisonment If Committed under False Pretenses - Up to $100,000 &/or 5 years imprisonment If Committed with Intent to Sell, Transfer, or Use Individual Identifiable Health Information for Commercial Advantage, Personal Gain, or Malicious Harm - Up to $250,000 &/or 10 years imprisonment Civil Penalties can apply to violation of any standard up to $25,000 in one calendar year. Criminal Penalties - Wrongful disclosure of health information - up to 10 years and/or $250,000 per occurrence. It should be mentioned that enforcement standards have not been provided to date. NCDHHS - HIPAA PMO

15 QUESTIONS ? ? ? ? ?

16 REGULATIONS OVERVIEW LEARNING THE ROPES
Healthcare eBusiness Standardization Electronic Data Interchange Transaction Sets Standardized Codes Sets Standardized Identifiers (EDI/TCI) NCDHHS - HIPAA PMO

17 EDI/TCI OBJECTIVES
- Definitions: Trading Partner, Transaction, Standard Setting Organization (SSO)
- Transaction Sets
- Code Sets
- Unique Identifiers

The Administrative Simplification (AS) provisions of HIPAA are divided into three main categories: Transaction Sets, Code Sets, and Identifiers. In the past, individual providers (physicians and others) that utilized electronic connections to Health Plans had to support a vast array of electronic formats. For example, about 400 different formats exist today for health care claims alone. Each Health Plan required the provider to adhere to the Health Plan’s specific electronic transactions. Hence, the Health Plans could not agree on an electronic standard without giving their competitors a market advantage, at least in the short run. HIPAA, which requires national standards to be followed for electronic transmission of health care transactions, levels the playing field. These national standards will make electronic data interchange a viable and preferable alternative to paper processing for providers and health plans alike. HIPAA does not require providers to submit transactions electronically. Paper documents are still allowed, although HIPAA does require that all transactions submitted electronically comply with the adopted national standards.

18 TRADING PARTNER In Electronic Data Interchange (EDI) this generally applies to two parties engaged in the exchange of business data through electronic means. NCDHHS - HIPAA PMO

19 TRANSACTION The exchange of data between two parties to carry out financial or administrative activities related to health care. It includes the following types of information exchanges: Health Care claims or equivalent encounter information. Health Care payment and remittance advice. Coordination of benefits. Health Care claim status. Enrollment and disenrollment in a health plan. Eligibility for a health plan. Health plan premium payments. Referral certification and authorization. First report of injury. Health claims attachments. Other transactions that the Secretary may prescribe by regulation. All the basic health care business functions are covered by the HIPAA transactions. As required by HIPAA, the Secretary of Health and Human Services adopted standards for the following administrative and financial health care transactions: Eligibility for a health plan Health claim status Referral certification and authorization Health plan premium payments Enrollment and dis-enrollment in a health plan Health care payment and remittance advice Health claims and equivalent encounter information Coordination of benefits. Standards for the first report of injury and claims attachments (also required by HIPAA) will be adopted at a later date. NCDHHS - HIPAA PMO

20 STANDARD SETTING ORGANIZATION
An organization accredited by the American National Standards Institute (ANSI) that develops and maintains standards for information transactions or data elements, or any other standard that is necessary for, or will facilitate the implementation of HIPAA ASC X12 NCPDP HL7 UN/EDIFACT (Interactive Claim) Standards Development Organizations (SDO’s) were selected by the government to select the standards for HIPAA. All of the SDO’s are accredited by the American National Standards Institute, or ANSI. Their job was to ensure that the procedures used to develop the standards met certain due process requirements and that the process was voluntary, open, and based on obtaining consensus. The groups chosen included the following: The Accredited Standards Committee X12. They are dedicated to developing national standards for electronic data interchange (EDI). The National Council for Prescription Drug Programs, which is responsible for pharmaceutical standards. Health Level 7 is the SDO for clinical and administrative data. The United Nations/Electronic Data Interchange For Administration, Commerce, and Transport, is the organization under the United Nations responsible for international standards development. NCDHHS - HIPAA PMO

21 TRANSACTION SETS HIPAA Mandated Transaction Sets NCDHHS - HIPAA PMO
We’ll start with the transaction sets. National standards for electronic health care transactions are intended to encourage electronic commerce in the health care industry and ultimately simplify the processes involved. This will result in savings from the reduction in administrative burdens on health care providers and health plans. Today, health care providers and health plans that conduct business electronically must use many different formats for electronic transactions. For example, about 400 different formats exist today for health care claims. With a national standard for electronic claims and other transactions, health care providers will be able to submit the same transaction to any health plan in the United States and the health plan must accept it. Health plans will be able to send standard electronic transactions such as remittance advices and referral authorizations to health care providers. These national standards will make electronic data interchange a viable and preferable alternative to paper processing for providers and health plans alike. NCDHHS - HIPAA PMO

22 TRANSACTION SETS (ASCx12)
- 148 First Report of Injury
- 270/271 Health Care Eligibility Benefit Inquiry and Response
- 275 Additional Information to Support a Health Care Claim or Encounter
- 276/277 Health Care Claim Status Request and Response
- 278 Health Care Services Review - Request for Review and Response
- 820 Payroll Deducted and Other Group Premium Payment for Insurance Products
- 834 Benefit Enrollment and Maintenance
- 835 Health Care Claim Payment/Advice
- 837 Health Care Claim (Institutional, Professional, Dental)
- National Council for Prescription Drug Program (NCPDP V 5.1 & 1.0)
- Healthcare Data Element Dictionary

There are eight transaction sets specifically mentioned in the HIPAA Notice of Proposed Rule Making (NPRM) for transaction sets and code sets. They cover the basic health care business functions. The final rule mandates the use of these transaction sets to conduct certain very specific health care transactions. However, business partners are free to agree to use the transactions for additional purposes.

The 148 First Report of Injury may be used to report information pertaining to an injury, illness, or incident to entities interested in the information for statistical, legal, claims, and risk management processing requirements.

The 270 and 271 are used to inquire about the eligibility associated with a benefit plan, employer, subscriber, or a dependent under the subscriber’s policy. They can also be used to communicate information about or changes to eligibility coverage from insurers and health plans to information receivers such as physicians, hospitals and third party administrators.

The 275 is the health claim attachment, and can be used to transmit health care service information such as subscriber, patient, demographic, diagnosis, or treatment data for the purpose of a request for review, certification, notification, or reporting the outcome of a health care services review.

The 276 and 277 are used for transmitting a health claims status request and response. They may be used by health care providers and recipients of health care products or services to request the status of a health care claim or encounter from a health plan.

The 278 is the referral certification and authorization. It may be used to send health care service referral information between health care providers, health care providers furnishing services, and health plans. It can also be used to obtain authorization for certain health care services from a health plan. Standards for the first report of injury and claims attachments (also required by HIPAA) will be adopted at a later date.

The 820 is used for health plan premium payments. It may be used by employers, employees, and associations to make and keep track of payments of health plan premiums to their health insurers.

The 834 is enrollment and dis-enrollment in a health plan. It may be used to establish communication between the sponsor of a health benefit and a health plan.

The 835 is the health care payment and remittance advice. This transaction may be used by a health plan to make a payment to a financial institution for a health care provider, to send an explanation of benefits or a remittance advice directly to a health care provider, or to make payment and send an explanation of benefits remittance advice to a health care provider via a financial institution (sending both payments and data).

The 837 is used for health care claims or equivalent encounter information. This transaction may be used to submit health care claim billing information, encounter information, or both, from health care providers to health plans, either directly or via intermediary billers and claims clearinghouses.

The choice for the retail pharmacy transactions was the standard maintained by the NCPDP because it is already in widespread use. The NCPDP Telecommunications Standard Format Version 5.1 and equivalent NCPDP Batch Standard Version 1.0 have been adopted in this rule (health plans will be required to support one of these two NCPDP formats, either directly or through a clearinghouse). The NCPDP is named as the retail pharmacy standard for the following transactions: Claims, Eligibility, Coordination of Benefits. Payment and Remittance Advice will be on the 835 (NCPDP/SNIP are currently working on this).

23 X12 TRANSACTIONS FLOW
[Diagram: X12 transactions flow among Health Care Providers, Health Care Plans, and Employers. Transactions shown: 834 Enrollment, 820 Premium Payment, 270 Eligibility Request, 271 Eligibility Response, 278 Referral Request, 278 Referral Response, 837 Claim, 275 Additional Information, 276 Claim Status Request, 277 Claim Status Response, 835 Claim Payment Advice. Functions shown: Enrollment, Member Services, Eligibility Verification, Precertification and Referrals, Service Billing / Claim Submission, Claim Receipt and Routing, Claim Status, Claim Reconciliation, Adjudication, Accounts Receivable.]

This diagram shows the business flow of the HIPAA transaction sets. The flow follows a normal sequence of functions from enrolling a subscriber or member to paying for a claim. We will look at each portion of the flow separately.

24 HIPAA TRANSACTIONS BUSINESS PRACTICES EFFECTS
- Backend Reporting
- Coordination of Benefits
- Claim Status
- Electronic Remittance Advice
- Maximum Data Set

The use of the transactions will result in many changes to organizations within the health care industry. Back end reporting will require changes to include all the new data available from the transactions. Many providers and payers today do not handle coordination of benefits in an automated fashion. This will require business and systems changes to implement. Claims status is one transaction that providers are likely to use. Many organizations today do not have an automated claims status process. Others send an unsolicited claims status upon receipt of a claims file to verify they received the file. Now the claims status will be an interactive transaction that must be able to take in a specific request and build a proper response. Electronic remittance advice is another transaction that will require changes. Few organizations currently use an automated process that includes electronic funds transfer, or EFT. This process offers a potential cost savings and time savings to the health care industry. Payers may not require administrative information that is not included in the standard transaction sets. For example, there is no data element for “Place of Service.” Claims may not be rejected on the basis of a missing “Place of Service” code, even if that is the business practice today.

25 IMPLEMENTATION TIMELINE
The Compliance Date for the Transaction Sets and Code Sets is October 16, 2002 With the publication of the Final Rule for transaction sets and code sets, the legislative clock has started ticking. The mandatory compliance date is October 16, 2002. NCDHHS - HIPAA PMO

26 PROPOSED IMPLEMENTATION TIMELINE - WEDI/SNIP
NCDHHS - HIPAA PMO

27 HIPAA IMPLEMENTATION GUIDES
X12 Transactions - Washington Publishing Inc. NCPDP Transactions – National Council of Prescription Drug Programs HL7 Standards – Health Level 7 The HIPAA transaction sets are a subset of the larger X12 transactions which have been designed to work for all industries. In order to limit the amount of data required for health care transactions, and to make implementation more manageable, implementation guides were created. These guides contain the mandatory and situational elements that make up HIPAA compliant transactions. The X12 committee for insurance and health care is X12N. The X12N committee has worked for several years to complete the guidelines for the HIPAA transaction sets. The guides must be followed completely. No changes or additions to the data content are allowed during implementation. NCDHHS - HIPAA PMO

28 REQUESTING CHANGES TO TRANSACTION SET STANDARDS
Join the Appropriate Standards Development Organization Contact an Industry Group with Representation on a Standards Development Group Expect a 2 to 3 Year Lead Time for Request Implementation in HIPAA The required procedures to request changes to the transaction set standards are outlined in the Final Rule. It is helpful to become a member of any appropriate SDO’s that apply to your organization’s business, although it is not necessary to be a member in order to request a change. The appropriate industry group must be contacted and presented with a request for a change. The groups have stated timeframes in which they must respond to the request. The change process is not a speedy one. Requestors should expect that the change, even if approved, will not occur for 2 to 3 years later. NCDHHS - HIPAA PMO

29 BASIC HIPAA CODE SETS FUNCTIONS
Diagnosis Medical Procedures Drugs Code sets for medical data are required for data elements in the administrative and financial health care transaction standards adopted under HIPAA for diagnoses, procedures, and drugs. NCDHHS - HIPAA PMO

30 HIPAA MANDATED CODE SETS
International Classification of Diseases, Ninth Edition, Clinical Modification (ICD-9-CM ) Health Care Procedural Coding System (HCPCS) Current Procedural Terminology, Fourth Edition (CPT-4) Current Dental Terminology (CDT) National Drug Codes (NDC) These code sets are specifically mentioned in the NPRM and Final Rule for transaction and code sets. These codes are used mainly in the transactions related to claims and also in referral and authorization transactions. NCDHHS - HIPAA PMO

31 TWO TYPES OF HIPAA MANDATED CODE SETS
- Explicit Code Sets: Defined in the rules (CDT, HCPCS, ICD-9-CM, NDC)
- Implicit Code Sets: Referenced in the Transaction Implementation guides, such as the codes that specify a patient’s relationship to an insured subscriber

There are some other external codes, such as the Claim Adjustment Reason Codes, that were not explicitly mentioned in the rules.

32 ELIMINATION OF HOMEGROWN CODES (NC Medicaid ‘Y’ Codes)
All local codes will be eliminated. Users that need codes must apply to the appropriate organizations (e.g. HCFA for HCPCS codes, the AMA for CPT-4 codes) for national codes. NCDHHS - HIPAA PMO

33 SAMPLE HEALTH CARE FUNCTIONS THAT USE CODE SETS
Claim Processing Utilization Management Disease Management Enrollment Code sets are used in every HIPAA transaction. HIPAA transactions typically include much more data than is housed on most legacy or current systems. These systems will all have to be expanded to house these codes where necessary. Claims processing will need to store all codes on incoming claims in order to recreate the claim for COB forwarding. Utilization and disease management are two areas that rely heavily on codified information. NCDHHS - HIPAA PMO

34 REQUESTING CHANGES TO CODE SET STANDARDS
Join the Appropriate Standards Development Organization if Possible For HCPCS Contact HCFA Not Applicable for NDCs For CDT Codes Contact ADA All HIPAA Implementation Guides are free for downloading on the Washington Publishing Web site. NCPDP transaction Implementation guides are free to NCPDP members. The fee for NCPDP membership is $550 per year per person in an organization. Members of NCPDP are entitled to receive one complimentary copy of each standards manual. Members may also purchase additional copies at the cost of $250 for Standards documentation and $250 for Data Dictionaries. These are available in diskette format (MS Word 6.0 or greater) and through the Members Only Area of the NCPDP web site. HL7 standards are included as information in the 275 Claims attachments implementation guides. NCDHHS - HIPAA PMO

35 UNIQUE IDENTIFIERS National Identifier for Individuals
- National Health Care Identifier of Employers
- National Standard for Identifiers of Health Plans
- National Provider Identifier

The four identifiers explicitly mentioned in the legislation are the National Identifier for Individuals, the National Health Care Identifier of Employers, the National Standard for Identifiers of Health Plans, and the National Provider Identifier.

36 NATIONAL INDIVIDUAL IDENTIFIER
Currently on Hold Proposed Rule Is Not Expected to Be Published in the Near Future Pending Congressional Privacy Legislation This identifier has met with massive controversy in the health care industry. It is currently on hold pending release of the Privacy regulations. The proposed rule is expected to be published, but the date is uncertain. It is not known what size or format this identifier will be. NCDHHS - HIPAA PMO

37 NATIONAL EMPLOYER IDENTIFIER
Employer ID Will Be The Employer’s Tax ID The Internal Revenue Service (IRS) Will Maintain the Assignment and Reference Facilities Nine Digits The employer Identification Number (EIN) is the taxpayer identifying number for employers that is assigned by the Internal Revenue Service. The identifier has 9 digits with the first 2 digits separated by a hyphen. The Internal Revenue Service maintains the process for assigning EINs. An employer obtains an EIN by submitting the proper form to the IRS. Any business that pays wages to one or more employees is required to have an EIN. Most employers already have an EIN. HIPAA does not require employers to use the standard employer identifier or standard health care transactions. However, it is believed that many employers will want to take advantage of the standardization. NCDHHS - HIPAA PMO

38 NATIONAL HEALTH PLAN IDENTIFIER
Plan IDs Will Be Issued to Health Plans Plan ID Identifies Three Different Types of Entities: Payers, Group Health Plans, and Provider Networks Payers and Administrators ERISA Group Health Plan, Taft-Hartley Trust, METs, and Other Group Plans PPOs and Similar Organizations Proposed Rule Not Yet Published Plan IDs will be issued to health plans when the identifier is approved for use. The Plan ID will identify three different types of entities: Payers, Group Health Plans, and Provider Networks. The NPRM has not yet been published for this identifier. NCDHHS - HIPAA PMO

39 NATIONAL PROVIDER IDENTIFIER
Identifying An Individual
- An individual provider (such as a physician, dentist, nurse, or therapist) receives an NPI that never changes
- If the individual is a health care provider in two different capacities, it is expected that there will still be only a single NPI

The NPI will be issued at two levels, for an individual and for an organization or group. An individual health provider’s identifier would not change with moves or changes in specialty. This facilitates tracking of fraudulent health care providers over time and across geographic areas. This will assist in tracking docs with poor records. If they get refused a license in one state they cannot just move to another state and set up another practice. Since a health care provider would only receive one identifier, they would not be able to receive duplicate payments from a program by submitting claims under multiple identifiers.

40 NATIONAL PROVIDER IDENTIFIER (continued)
Identifying An Organization
- Organizational health care providers, such as: Hospitals, Clinics, Laboratories, Physician group practices, Home health care agencies, Pharmacies
- 10 Digits with Right Most Digit Being a Check Digit (Proposed)

An organization is an entity other than an individual that is licensed, certified, or otherwise authorized to provide medical services, care, equipment, or supplies in the normal course of business. In this case the license is granted to the organization rather than to an individual. Examples of organizations are hospitals, clinics, laboratories, physician group practices, home health care agencies, and pharmacies.

41 HIPAA TRANSACTIONS, CODE SETS AND UNIQUE IDS
Code Sets are Used in the Transactions Unique IDs are Used in the Transactions with Proprietary Values until They are Defined Required Use of Standards Both the code sets and the unique identifiers are used in the transaction sets. The unique identifiers have been paired with proprietary identifiers to be used until the standard identifiers are required. This will allow the transactions to be utilized in a compliant manner before the identifiers become law. NCDHHS - HIPAA PMO

42 QUESTIONS ? ? ? ? ?

43 REGULATIONS OVERVIEW PRIVACY NCDHHS - HIPAA PMO

44 BASIC PRINCIPLES
- First Comprehensive Federal Law to Protect the Privacy of Individually Identifiable Health Information
- HIPAA Protections Importance: To Patients; To Healthcare Providers/Plans/Clearinghouses
- Protected Health Information (PHI): Past, Present, Future Health Information; Electronic/Paper/Oral
- Best Practice

The Privacy Rule establishes National Standards to protect the privacy of individually identifiable health information, regardless of whether it is transmitted electronically, on paper or through oral communication.

You will be hearing the acronym PHI in connection with the HIPAA regulations. “Protected Health Information” relates to the past, present or future physical or mental health, the provision of health care to an individual or the past, present or future payment for the provision of health care to an individual. Such information must be individually identifiable.

Although there are a few exceptions when healthcare information is not covered in this rule, it appears, at this time, that the best way to comply with the rule is to consider all healthcare information as being covered. Just trying to identify exceptions will probably be more costly than being inclusive. (DHHS will be exploring this in greater depth before making a final determination.)

This Privacy Rule gives the individual the right to inspect and copy his own record, and the right to amend or supplement the individual’s own health information.

45 PROTECTED HEALTH INFORMATION (PHI)
Individually Identifiable Information Name Address Social Security Number Names of Relatives Unique Identifiers Telephone/Fax/Other Numbers Geographic Designation Smaller than State Photograph NCDHHS - HIPAA PMO

46 GENERAL PROVISIONS
HIPAA Preempts State Laws: Provides uniform “floor” for protection; More stringent current state laws will stand; More stringent future state laws allowed. Allows Consumer Control: Establish rights of patients regarding their confidential health information. Recognizes Public Responsibility: Balance of individual privacy and the public need to know.

47 GENERAL PROVISIONS Healthcare Provider Responsibilities
Protect health information Secure health information Provide complete information to other Healthcare Providers Provide “minimum necessary” information to other requesters Create De-identified information when feasible Remove Code Encrypt Eliminate/conceal NCDHHS - HIPAA PMO

48 GENERAL PROVISIONS Healthcare Provider Responsibilities (continued)
Establish an Internal Complaint Process that provides individuals with means to lodge complaints about the entity’s information practices, and maintain a record of any complaints Develop a system of sanctions for members of the workforce and business partners who violate the entity’s policies Enforcement and Compliance · Part of the required Administrative procedures is to - develop an internal complaint process that provides a process for individuals - develop a system of sanctions for staff and business associates who violate the covered entity’s policies - enter into mitigation as needed NCDHHS - HIPAA PMO

49 NOTICE Notice of Information Practices
Brochure Pamphlet Posted on Wall Notice must include anticipated uses and disclosures of protected health information without the patient’s written authorization
· The Privacy Regulation provides, in general, a more uniform minimum level of confidentiality protection for health information. The Rule sets a standard for “minimum necessary information” for disclosing or requesting protected health information, except in cases of a healthcare provider who is providing treatment; any or all of the health information is considered “necessary” for continued treatment. The Rule permits limited “use and disclosure” of protected health information without consent or authorization in a variety of circumstances where there is an overriding public interest, such as public health activities, reporting abuse or neglect, and medical research, to name a few. The Regulation establishes a new federal legal right for individuals to see and obtain a copy of their own protected health information. The Regulation does not apply to protected health information that has been “De-identified” by removing, coding, encrypting or otherwise eliminating or concealing all individually identifying information. De-Identified information may be used or disclosed freely, so long as no means of re-identifying is disclosed. Information is considered to be “De-Identified” if specific items are removed. A few of those items include: name; geographic designations smaller than a state; dates; telephone/fax numbers; other identifying numbers; addresses; unique identifiers; photographs.

50 PATIENT’S RIGHTS Right to be informed through NOTICE
Right to inspect and review record Right to receive copies Right to amend/correct copies Right to add supplemental information Right to restrict Use and Disclosure of information Right to Accounting of Disclosures Right to a personal representative Right to revoke authorization Right to appeal

51 ACCESS TO RECORD Healthcare Provider Provides Access
60 days after receiving request Extended 30 more days without reason Provide patient with a summary of records if agreed upon in advance Recover cost-based fee for providing patient with a copy, explanation or summary of records

52 DENIED ACCESS Healthcare Provider Denial of Access with Opportunity for Review when, in the Opinion of a Licensed Health Care Professional: Information would endanger life or safety of patient or others Reference to others is reasonably likely to cause substantial harm to that other person Request was made by the patient’s personal representative and access would likely cause substantial harm to that person or others.
· Agencies will be required to look at their current practices to assess their own level of security of health information of their active as well as inactive clients. Although the Information Flow Assessment, developed by the PMO Office, addresses the security of protected health information, a more in-depth assessment may have to be undertaken by each agency to more clearly identify their own security efforts.
· Enforcement of the Privacy Regulations has been delegated to the DHHS Office of Civil Rights. There are both civil and criminal penalties for violation, including a fine up to $250,000 and imprisonment for knowingly disclosing or obtaining protected health information if done for commercial or personal gain or for malicious harm.
· The general approach that the regulation takes towards compliance and enforcement is, whenever possible, to work cooperatively to maintain individual privacy, while ensuring that information needed for the “good of the public” is available.

53 DENIED ACCESS Healthcare Provider Denial of Access Without Opportunity for Review Psychotherapy Notes Information compiled for civil, criminal or administrative actions Inmate request that would jeopardize health or safety of inmate or others Research that includes treatment Information obtained from an anonymous source under a promise of confidentiality

54 USE AND DISCLOSURE OF PHI
Use: Protected Health Information is “used” when shared, examined, applied or analyzed within the covered entity that maintains the information. Disclosure: Protected Health Information is “disclosed” when released, transferred, given access to or divulged outside the entity holding the information.

55 USES AND DISCLOSURES WITH INDIVIDUAL AUTHORIZATION
A General Consent is required for use or disclosure of information for treatment, payment and health operations. A more specific Authorization is required for use or disclosure of information for purposes other than treatment, payment or health operations. · Policies must include situations when use and disclosure may be made only WITH individual authorization. · Authorization forms must be developed using easy to understand language · It must be made clear that treatment is not conditioned on such authorization · Information must be included in the authorization form that specifically identifies the entity’s practices with regard to protected health information, revocation of authorizations and the consequences of expired, deficient or false authorizations. The PMO office will be developing sample policies, procedures and forms to assist DHHS agencies in their preparations for implementation of the privacy rules. NCDHHS - HIPAA PMO

56 USES AND DISCLOSURES WITHOUT INDIVIDUAL AUTHORIZATION
Disclosures For: Public health activities Health oversight activities Judicial and administrative proceedings Governmental health data systems Research, emergency circumstances, next of kin, and as required by other laws Coroners and Medical Examiners Law Enforcement Directory information Banking and payment processes · This slide presents a more comprehensive view of the activities for which protected health information may be disclosed. NCDHHS - HIPAA PMO

57 BUSINESS ASSOCIATES Application to Business Associates
Establish contracts that ensure Business Associates exercise an appropriate level of care related to privacy and conform to HIPAA regulations Must treat PHI the same as the covered entity Covered entity must take action if it is learned that Business Associate is not protecting PHI. Two very important entities you will become very familiar with are: covered entities and business associates Covered entities are considered: Health care providers, Health care plan, and Health care clearinghouses……..that electronically transmit health information in connection with standard transactions as defined by HIPAA. Business Associates are defined as an individual or organization that provides a service on behalf of a covered entity. A covered entity and its business associate are required to enter into a contract that requires the business associate to treat protected health information in the same manner as the covered entity. Protected health information of deceased persons is treated the same as if the individual was alive. Health Plans and Healthcare Providers are required to provide WRITTEN NOTICE of their privacy practices (including the individual’s rights). The notice must include anticipated uses and disclosures of their protected health information without the individual’s written authorization. A covered entity may be one entire organization….or it may be one component of a large organization. The activities of the organization will determine if the entire organization or only part of it is a covered entity. The part of the organization that meets the definition of a covered entity would be subject to these privacy rules. NCDHHS - HIPAA PMO

58 ADDITIONAL PROVISIONS
Application to Information About Deceased Persons Same as if person was alive Application to Covered Entities That Are Components of Organizations That Are Not Covered Entities Hybrid Entity (Covered functions are not the primary functions of the entity) · The Privacy Regulation establishes a uniform “floor” for protecting the privacy of protected health information. HIPAA provides that state laws that are more protective of individual privacy will stand. States are also free to pass stronger laws in the future. NCDHHS - HIPAA PMO

59 IMPLEMENTATION REQUIREMENTS
Policies and Practices must be developed and documented Scalability Appropriate to the nature and scope of the business that enables protection of health information in accordance with the rules · As stated earlier the Rule requires a Written Notice of Information Practices. Such notice could be a brochure or pamphlet and/or a notice posted on the wall. While such notice might be mentioned in a consent or authorization form, the notice itself cannot be a part of the consent or authorization itself. · In general, a covered entity must allow an individual to inspect or obtain a copy of the protected health information in the form or format requested by the individual. Such request must be honored within 30 days (with a 30 day extension without a reason). The covered entity may provide the individual a summary of the protected health information if the individual agreed to this arrangement in advance….and agreed to a “reasonable fee” for such service. · Under this rule, a covered entity is “required” to disclose protected health information only to the individual who is the subject of the information; and to HHS for enforcement of the privacy regulation…..and in those instances as mentioned before, such as public health issues. The required Notice must contain the uses and disclosures of information that the covered entity permits. · Individuals have the right to amend/correct or supplement their own PHI Covered entities have a total of 90 days to accept or reject such amendments or corrections. NCDHHS - HIPAA PMO

60 IMPLEMENTATION REQUIREMENTS
Designation of Privacy Officer Provide Privacy Initial & On-going Training to Workforce Develop internal policies and forms Implement Safeguards To protect health information from intentional or accidental misuse Audit and QA · The HIPAA privacy rule requires that the agency designate a Privacy Official who is responsible for the development and implementation of the HIPAA requirements. Such activities include: Training Identifying and implementing safeguards Auditing NCDHHS - HIPAA PMO

61 IMPLEMENTATION TIMELINE
The Compliance Date for the Privacy Rule is April 14, 2003

62 REGULATIONS OVERVIEW SECURITY NCDHHS - HIPAA PMO

63 SECURITY OBJECTIVE To Protect the Confidentiality, Integrity and Availability of Individual Health Information, While Permitting the Appropriate Access and Use of That Information by Healthcare Providers, Healthcare Plans and Healthcare Clearinghouses. Sound simple? Let’s delve deeper. NCDHHS - HIPAA PMO

64 SCOPE OF SECURITY REGULATIONS
Applies to Healthcare Providers, Plans and Clearinghouses Applies to All Size Organization (Physician Offices, Medical Centers, County Public Health Departments, HMOs, Medicaid, etc.) Applies to All Health Information Pertaining to an Individual That Is Electronically Created, Received, Transmitted or Maintained. NCDHHS - HIPAA PMO

65 PRIVACY vs. SECURITY PRIVACY is the right of an individual to keep his/her individual health information from being disclosed. SECURITY is the mechanism in place to protect individual health information. 1) HOW are you going to protect PHI? 2) Who has the right of access to health information? NCDHHS - HIPAA PMO

66 SECURITY STANDARD IMPACTS ELECTRONICALLY MAINTAINED AND TRANSMITTED DATA
Data on Magnetic Tape or Disk Entry of Patient Information in Computers Transmission of Treatment Data to a Healthcare Plan Claims Printed From a Healthcare Clearinghouse Records Transcribed and Stored in a Word Processor Lab Results Sent by Modem to a Printer at an Office Etc. NCDHHS - HIPAA PMO

67 SECURITY STANDARD Does Not Identify or Require Specific Technologies
Allows Healthcare Industry to Implement Different Solutions Depending Upon Needs and Technologies in Place Mandates Safeguards for Physical Storage and Maintenance, Transmission and Access to Individual Health Information NCDHHS - HIPAA PMO

68 GUARDING DATA INTEGRITY, CONFIDENTIALITY AND AVAILABILITY
1. Administrative Procedures 2. Physical Safeguards 3. Technical Security Services 4. Technical Security Mechanisms 5. Electronic Signature NCDHHS - HIPAA PMO

69 ADMINISTRATIVE PROCEDURES (Policies and Procedures)
1. Certification of Data Systems to Evaluate Security 2. “Chain of Trust” Agreement 3. Contingency Plan in Case of Emergency 4. Formal Data Processing Protocols 5. Controlling Access to Data 6. Internal Audit Procedures NCDHHS - HIPAA PMO

70 ADMINISTRATIVE PROCEDURES (Policies and Procedures)
7. Security Activities by Personnel 8. Overall Security of Hardware, Software, and Virus Checking 9. Protocols for Reporting and Responding to Breaches of Security 10. Risk Management and Sanctions 11. Security Procedures in Event of Personnel Terminations 12. Security Training Programs NCDHHS - HIPAA PMO

71 PHYSICAL SAFEGUARDS (Buildings and Equipment)
1. Designate Security Responsibilities 2. Develop Controls on Access and Manipulations of Hardware Components (Disk, Keyboard, Monitor) 3. Develop Disaster/Intrusion Response and Recovery Plans 4. Implement Personnel Identification for Access 5. Maintain Maintenance Records 6. Enforce Security Clearances (Need-to Know Basis) 7. Develop Protocols Regarding Activities and Security at the Work Station Level NCDHHS - HIPAA PMO

72 TECHNICAL SECURITY MEASURES (Software Controls)
1. Regulate Access (Includes Emergency Access) 2. Audits and Controls 3. Data Authentication (Security of Stored Data) 4. Ensure User Authentication and Access Control (User ID, Automatic Log-off) NCDHHS - HIPAA PMO

73 TECHNICAL SECURITY MECHANISMS (Transmission of Data)
1. Storage and Transmission of Health Information Cannot Easily Be Accessed or Interpreted by Unauthorized Third Parties 2. Ensure Messages Sent and Received Are the Same 3. Access Control to Transmission (Dedicated Lines) 4. Encryption Encryption - look at Level I NCDHHS - HIPAA PMO

74 ELECTRONIC SIGNATURE (On Hold)
1. Ensure Identity of the Signer 2. Ensure Unaltered Transmission and Receipt of the Data 3. Must Prevent a Signer from Successfully Denying the Signature Proposed standard explicitly notes that a Digital Signature is the only technology that satisfies these requirements. There are security issues with electronic signatures and it is anticipated these regs will be pulled from security and come out at a later time. NCDHHS - HIPAA PMO

75 SECURITY OFFICER Serves As Internal Information Security Consultant in Agency Documents Security Policies and Procedures Provides Risk Assessments Functions As Internal Auditor Monitors Compliance With Standards NCDHHS - HIPAA PMO

76 SECURITY BOUNDARIES Identifies “What” Does Not Identify “How”
Scalability (allows agency to define and implement security appropriate to size and activities of the agency) NCDHHS - HIPAA PMO

77 GETTING STARTED
Baseline Assessment: Current Security Environment (Policies, Procedures, Technology, Information Systems). GAP Analysis: Compare Current Environment With Security Requirements; Determine “GAPS”. Risk Assessment: Analyze likely and unlikely scenarios in terms of probability of occurrence and impact on agency.

78 SECURITY ASSESSMENT Not Just a Technology Issue
40% Information Technology 60% Business Issues Security and Privacy Go Hand-in-Hand Integrate Both Standards NCDHHS - HIPAA PMO

79 ENFORCEMENT RESPONSIBILITY: U.S. DHHS Office for Civil Rights
Assist with voluntary compliance efforts Respond to questions, interpretation, guidance Respond to states’ requests for exceptions Investigate complications Conduct compliance surveys Seek criminal prosecution for non-compliance efforts If a healthcare provider does not comply with the Privacy Regulations, a complaint can be filed with the U.S. Department of Health and Human Services Office for Civil Rights.

80 COMPLIANCE DATE
Expected to Become Effective in Late 2001

81 QUESTIONS ? ? ? ? ?

82 NCDHHS IMPACT IN DHHS: APPROACH FOR ADDRESSING HIPAA

83 HIPAA IMPACT ON DHHS Standardized Transactions
Initial Assessment - 26 Systems Process Health Care Transactions Public Health - 10 Systems Mental Health/dev Disabilities/sub Abuse - 7 Systems Vocational Rehabilitation - 3 Systems Services for Blind - 1 System Medical Assistance - 1 System Shared (Multiple DHHS Agencies) - 4 Systems Local Agencies (E.G., MH/DD/SAS Area Programs) Must Modify Their Information Systems THIS INITIAL REVIEW FOUND OVER 100 DIFFERENT ELECTRONIC APPLICATIONS IN USE THROUGHOUT THE STATE 26 IDENTIFIED SYSTEMS PROCESS HEALTH CARE TRANSACTIONS NCDHHS - HIPAA PMO

84 HIPAA IMPACT ON DHHS (continued)
Privacy and Security Standards Secure and Protect Electronic and Paper Records DHHS Serves “at Risk” Population Establish Policies and Procedures Establish Documentation and Audit Processes DHHS IS BEING HEAVILY IMPACTED BY NEW REGULATIONS. OUR CLIENT POPULATION SERVES MANY WITH AIDS, MENTAL ILLNESS AND SUBSTANCE ABUSE ISSUES. DHHS IS ASSESSING CURRENT PRACTICES TO DETERMINE HOW PROTECTED HEALTH INFORMATION IS HANDLED AND TRANSMITTED FOR COMPLIANCE WITH EDI, PRIVACY AND SECURITY REGULATIONS. NCDHHS - HIPAA PMO

85 HIPAA IMPACT ON DHHS (continued)
Agencies Directly Impacted by HIPAA Public Health (including 86 county/regional health departments, State Laboratory, Medical Examiner’s Office) Mental Health, Developmental Disabilities and Substance Abuse Services (4 psychiatric hospitals, 5 mental retardation centers, 2 alcohol and drug abuse treatment centers, 1 extended care facility, 2 schools for emotionally disturbed children, 39 area programs) DHHS KNOWS THAT THESE AGENCIES WILL BE COVERED ENTITIES NCDHHS - HIPAA PMO

86 HIPAA IMPACT ON DHHS (continued)
Agencies Directly Impacted by HIPAA Medical Assistance (Medicaid program) Early Intervention and Education (18 Developmental Evaluation Centers, 3 schools for Deaf and Hard of Hearing, 1 school for Blind) Vocational Rehabilitation (72 local offices) Social Services (100 county offices) Services for the Blind (serve >35,000 North Carolinians each year) Child Development NCDHHS - HIPAA PMO

87 HIPAA IMPACT ON DHHS (continued)
Agencies Indirectly Impacted by HIPAA Research, Demonstrations and Rural Health Development Division of Aging Facility Services Human Resources Internal Auditor Public Affairs (Communications) Citizen Services
Then there are several DHHS agencies that, it is felt, will be indirectly impacted by the HIPAA regulations.
1) Research, Demonstrations and Rural Health Development - No services provided directly. Agency will be working with providers to ensure that providers address HIPAA compliance.
2) Facility Services - Has a contract with UNC Hospital to maintain Emergency Management System. Facility Services maintains patient information in relation to complaints about providers.
3) Human Resources - Impact in relation to new hire and employee termination procedures. In addition to policy/procedure changes, training personnel based on changes will be required. (Address indirect impact to DHHS, but this does not speak to statewide health plan issues.)
4) Internal Auditor - As information is made available on certification procedures, internal audit section will need to be involved concerning certification checkpoints and ongoing monitoring guidelines. In addition, this section will be involved in “security” process.
5) Public Affairs - Assist with “HIPAA Awareness” through communication planning.

88 DHHS REACTION Provide Centralized Management Response
Establishment of HIPAA Program Management Office (PMO) Appoint HIPAA Coordinators Designate HIPAA Attorney - Marc Lodge Develop Communications Plan 1)HAVE CENTRALIZED APPROACH WITH ESTABLISHMENT OF PMO STANDARDIZE AND ECONOMIES OF SCALE FOR DISSEMINATION OF INFORMATION, POLICIES, PROCEDURES, PROCESSES, SYSTEMS HIPAA COORDINATORS IDENTIFIED AT EACH DIVISION WITH APPOINTMENT OF LOCAL COORDINATORS NCDHHS - HIPAA PMO

89 DHHS REACTION (continued)
Identify Funding Sources No Federal Funds Appropriated for HIPAA Implementation Submission of Expansion Budget Request Developed Cost Allocation Models to Maximize Federal Funding for Systems/Programs Currently Investigating Availability of grants Other opportunities for maximizing federal funds Sharing vendor costs with other states Collaborative efforts with vendors DHHS/PMO BUSY WITH IDENTIFYING SOURCES OF FUNDING FOR IMPLEMENTATION PRESENTATIONS TO APPROPRIATION COMMITTEES, WORKING WITH IMPACTED DIVISIONS ON BUDGET REQUESTS AND SUBMITTALS DHHS USES GIVES, NCHICA, SMART TO COLLABORATE AND FORM JOINT EFFORTS NCDHHS - HIPAA PMO

90 DHHS REACTION (continued)
Partner with Other Organizations/States to Share Information/Deliverables NC Health Care Information and Communications Alliance (NCHICA) Government Information Value Exchange for States (GIVES) Southern HIPAA Administrative Regional Process (SHARP)
The North Carolina Healthcare Information and Communications Alliance, better known as NCHICA, is an organization whose goal is to promote the advancement and integration of information technology into the healthcare industry. NCHICA is composed of health care organizations, private industry, attorneys, state agencies and technology interests, to name a few. A new program is Government Information Value Exchange for States, also known as GIVES. GIVES provides a forum for states to communicate/address HIPAA issues and is an information clearinghouse of deliverables to be shared across the states. Currently eleven states are participating, and it is growing. The Southern HIPAA Administrative Regional Process, known as SHARP, is planning to form an alliance between GIVES and SHARP to promote HIPAA compliance. The PMO is currently working on a Communication Plan for DHHS that will provide the framework for all the HIPAA initiatives in the coming months.

91 PROGRAM MANAGEMENT OFFICE
HIPAA Oversight Committee; Karen Tomczak, PMO Director; Sarah Brooks, Business Operations Mgr.; Ivey Palmer, Tactical Operations Mgr.; Julie Burton, Business Specialist; Frances Taylor, Business Specialist; Susan Mitchell, Business Analyst; Dwala Johnson, Technical Writer; Cynthia Wagnor, Team Lead; Joyce Young, Technical Writer; Bruce Chao, Web Developer; Stephen Fraser, Technical Writer; EDI Team; Security Team; Operations Support.
The HIPAA Program Management Office is organized as shown on this slide. Karen Tomczak is heading up this effort. Sarah Brooks is the Business Operations Manager and Ivey Palmer is the Tactical Operations Manager. Each office has specific staff, but since this is a coordinated effort, staff routinely work together sharing information and ideas.

92 PMO TASKS Research HIPAA Requirements
Determine Impact of Requirements on DHHS Serve as HIPAA Resource Center Correlate DHHS HIPAA activities with HIPAA Coordinators Establish and Coordinate Focus Groups Business Operations Security EDI/TCI NCDHHS - HIPAA PMO

93 PMO TASKS (continued) Disseminate HIPAA Information throughout DHHS
Develop Enterprise Policies, Procedures, Tools, Processes, Forms, Implementation Guidelines, Contracts, Agreements Develop Best Practice Models Promote Business Process Reengineering Provide Technical, Operational and Management Support Provide Overall Project Monitoring and DHHS HIPAA Status Reporting NCDHHS - HIPAA PMO

94 PMO TASKS (continued)
Provide Levels of HIPAA Training Awareness Core Intermediate Expert Develop Job Classifications/Descriptions for Security and Privacy Officers Maintain PMO Web Site for Communications http://dirm.state.nc.us/hipaa/

95 DHHS WEBSITE
This is the homepage of the NC DHHS HIPAA website.

96 USER LOGIN
This slide is here just to acquaint you with the page for the User Login. General information is available to anyone who would like to visit the website. Specific information intended to assist in implementing the HIPAA Regulations may only be accessed with a password.

97 PMO DELIVERABLES Presentations Tools to Assess HIPAA Impact
Information Flow Assessment Database Questionnaires (e.g., Early View) Reviews of Statutes, Rules, Policies, Procedures NCHICA Privacy and Confidentiality Focus Group Attorney General’s Office - HIPAA Legal Resources Department/Division/Agency Review Gap Analyses Risk Assessments NCDHHS - HIPAA PMO

98 PMO DELIVERABLES (continued)
Tools for HIPAA Remediation Work Plans Checklists Processes Sample Policies, Procedures, Forms, Notices, Contracts, Chain of Trust Agreements Tools for HIPAA Testing and Training Testing Processes/Procedures Staff Training Courses Other Training Courses NCDHHS - HIPAA PMO

99 PMO DELIVERABLES (continued)
Tools for HIPAA Compliance Self-Certification Tools Quality Assurance Audits On-going Awareness Training Staff Others (Business Associates, Vendors) New Employee Orientations Business Continuity Plans NCDHHS - HIPAA PMO

100 DELIVERABLE PROCESS PMO Business Operations Focus Group
Develops Deliverables Business Operations Focus Group Reviews Deliverables with Their Divisions/Local Agency Staff Selected Pilot Agencies/Institutions Test Deliverables Recommend Modifications Enterprise Dissemination Distribute via web site, HIPAA Coordinators and Focus Group NCDHHS - HIPAA PMO

101 PMO OUTREACH HIPAA Awareness Seminars
Professional Groups/Organizations with HIPAA Interests NC Association of Local Health Directors Technology Committee NC Health Information Management Association Behavioral Health Section HEARTS User Group Local Agencies, Institutions, Groups NCDHHS - HIPAA PMO

102 QUESTIONS ? ? ? ? ? I WOULD LIKE TO REQUEST THAT WE DELAY ANSWERING QUESTIONS AT THIS TIME AND MOVE ON SO WE CAN FINISH IN OUR ALLOTTED TIME - WE ARE ALMOST DONE.

103 GETTING STARTED
Designate HIPAA Coordinator Establish HIPAA Implementation Team Participate in HIPAA Training Opportunities Present HIPAA Awareness Program to Management and Staff Develop and Implement HIPAA Work Plan (Work Plan Template on PMO Web Site) Conduct Information Flow Assessment
NOW THAT YOU ARE BRIEFLY INFORMED ON THE HIPAA REGS AND WE HAVE DETAILED HOW THE PMO PLANS TO ASSIST YOU, THIS LAST SECTION BRIEFLY OUTLINES SOME SUGGESTED STEPS FOR GETTING HIPAA ON ITS WAY TO COMPLIANCE. NOW TO DEVELOP YOUR HIPAA PLAN AND YOUR TIMELINE OR SCHEDULE DATES AT VARIOUS MILESTONES TO ENSURE YOU REACH COMPLIANCE IN A TIMELY MANNER

104 PMO TOOL Information Flow Assessment
Status of Current Information Flow Web Based Database Individual Division/Office Customization Comprehensive Evaluation of Information Flow Ease of Use Report Generation Due Diligence Pinpoint Areas of HIPAA Impact NCDHHS - HIPAA PMO

105 WHY DO AN INFORMATION FLOW ASSESSMENT?
- Determine if a Covered Entity
- Identify:
  - Business Associates
  - Types & methods of information handling
  - Code Sets currently in use
  - Systems/applications in use
  - Systems/applications for remediation
  - Flow and routing of information
  - Short and long term storage of information
  - Areas of privacy/security weaknesses
  - Current contracts and Agreements
- Documentation for Due Diligence

106 PMO TOOL Information Flow Assessment
- What Information Flows Within and Without an Agency
- Types of Information (personal, financial, medical)
- Who Accesses Information
- How is Information Transmitted
- When is Information Shared
- Where is Information Stored (temporary and permanent)
- How is Information Disposed

107 INFORMATION FLOW ASSESSMENT

108 GETTING STARTED (continued)
- If Covered Entity, Identify Business Associates and Trading Partners
- Evaluate Systems/Applications for HIPAA Remediation
  - Utilize Y2K Inventory Data
  - Contact Software Vendors
  - Review Implementation Guides
- Evaluate Current Security of Protected Health Information (PHI)
  - Door Locks, Paper Storage/Disposal, Location of Fax/Copiers/Shredders, System Security

KNOW THE HIPAA REGULATIONS AND WEBSITES. CONDUCT AN INFORMATION FLOW ASSESSMENT. MAKE SURE SENIOR MANAGEMENT UNDERSTANDS YOUR PLAN OF ACTION AND ENDORSES YOUR APPROACH.

109 GETTING STARTED (continued)
- Analyze Data Collection Process
  - Registration
  - Coding
  - Discharge
- Compile Current Information for Remediation to HIPAA Compliance
  - Policies
  - Procedures
  - Forms
  - Contracts

ENSURE YOU HAVE SUFFICIENT RESOURCES, BOTH FUNDING AND STAFF, TO ACCOMPLISH THE GOALS AND ARRIVE AT COMPLIANCE. EVALUATE YOUR SYSTEMS AND APPLICATION. ANALYZE YOUR DATA COLLECTION PROCESS. EVALUATE CURRENT SECURITY AND PRIVACY PRACTICES IN HANDLING PROTECTED HEALTH INFORMATION.

110 GETTING STARTED (continued)
- Submit Budget Based on Anticipated IT and Business Changes (Budget Questionnaire)
- Work Your HIPAA Work Plan
- Monitor DHHS HIPAA Web Site
- Utilize HIPAA PMO/HIPAA Coordinators as Resources for HIPAA Implementation

IDENTIFY WHAT BUSINESS OPERATIONS DOCUMENTATION NEEDS TO BE MODIFIED FOR HIPAA COMPLIANCE. WORK YOUR PLAN BY TAKING DAILY, INCREMENTAL STEPS TOWARD COMPLIANCE WITH HIPAA, WE WILL REACH OUR GOALS ON SCHEDULE.

111 RESOURCES Attachments to Slide Presentation Materials
- HIPAA Related Web Sites
- HIPAA Glossary and Acronym References
- DHHS Division HIPAA Coordinators
- NCHICA HIPAA Committees
- NCHICA HIPAA Privacy Regulation Work Groups
- NCHICA Top 10 Planning Points for HIPAA Compliance
- HIPAA Regulations

AS AN ATTACHMENT TO THIS SLIDE PRESENTATION, WE HAVE COMPILED SOME ADDITIONAL RESOURCES TO ASSIST IN REACHING YOUR GOALS. THESE RESOURCE LISTINGS WILL ALSO BE ADDED TO OUR WEBSITE AND UPDATED PERIODICALLY.

112 SUMMARY HIPAA - A Health Care Paradigm
- Affects Payers, Providers, Employers, Medical Manufacturers, Pharmaceutical Companies, Employees, Clearinghouses, Patients
- Requires Redesign of Business Processes, Staffing Plans, Workflow
- Requires Changes to Business Applications, Technology Architecture, Facilities
- Shifts Power in Provider/Consumer Relationship
- Presents Change Management Challenges
- Introduces New Legal Liabilities
- Provides Patients with Rights
- Conveys Severe Civil and Criminal Penalties

HIPAA IS HEALTHCARE’S PARADIGM. HIPAA IMPACTS ALL OF US EITHER DIRECTLY OR INDIRECTLY ON HOW WE CONDUCT OUR DAILY BUSINESS OPERATIONS. A FEW OF THESE ARE LISTED. HEALTHCARE STANDARDIZATION, PRIVACY AND SECURITY DEFINITELY IMPACT BUSINESS OPERATIONS AS WE BEGIN THIS 21ST CENTURY.

113 SUMMARY
- HIPAA Is Not Going Away
  - Health Care Industry Wants Standardization
  - Consumers Want Health Information to Be Protected
- HIPAA Is Not an Option
  - HIPAA Is Doing Business in the ‘New Millennium’
  - Implementation Cost Is Short-term
  - Operational Benefit Is Long-term

HIPAA IS HERE TO STAY... THE COMPLIANCE CLOCK IS TICKING... STANDARDIZATION OF TRANSACTION CODES AND FORMATS BY OCTOBER 16, 2002. PRIVACY COMPLIANCE BY APRIL 14, 2003, WITH SOME CHANGES BEING MADE WITHIN THE NEXT YEAR. SECURITY REGS FINALIZED LATER THIS YEAR AND ENFORCEMENT REGULATIONS COMING IN THE NEAR FUTURE.

114 QUESTIONS ? ? ? ? ?

