From Registration to Accounts Receivable – The Whole Can of Worms 2007 UBO/UBU Conference 1 Briefing: The Impact of HIPAA on the Military Health System Date:20 March 2007 Time:

2007 UBO/UBU Conference From Registration to Accounts Receivable 2 Objectives Brief review of the history of the Health Insurance Portability & Accountability Act (HIPAA) Learn what’s really required by HIPAA & what’s not Learn about the new HIPAA requirements on the horizon Take advantage of HIPAA resources on the Internet

2007 UBO/UBU Conference From Registration to Accounts Receivable 3 How Did We Get Here? Move toward standard Electronic Data Interchange (EDI) Transactions and away from paper-based processes Healthcare industry pushing this effort in early 1990s Workgroup for EDI (WEDI) was taking the lead – Estimated $42 billion in net savings ( ) WEDI Report Recognize the need to protect electronic health data Role of “those privacy zealots"

2007 UBO/UBU Conference From Registration to Accounts Receivable 4 History of HIPAA Health Insurance Portability and Accountability Act (HIPAA) – P.L Also known as Kennedy-Kassebaum Bill (K2) or Kassebaum-Kennedy, depending on your party affiliation – House of Representatives passed it – Senate passed it unanimously Signed into law on August 21, 1996, by President Clinton

2007 UBO/UBU Conference From Registration to Accounts Receivable 5 HIPAA Components Insurance Portability Accountability (Fraud & Abuse) Administrative Simplification

2007 UBO/UBU Conference From Registration to Accounts Receivable 6 Intents of HIPAA Administrative Simplification Reduce Paperwork Improve Efficiency of Health Systems Protect Security and Confidentiality of Electronic Health Information

2007 UBO/UBU Conference From Registration to Accounts Receivable 7 HIPAA Rule Making Process Department of Health & Human Services (DHHS) publishes Notice of Proposed Rule Making (NPRM) 60-day comment period – Receive written public input Comments reviewed resulting in modifications to the Final Rule version Final Rule published in Federal Register Congress has 60 days to make changes Two years before Final Rule becomes effective – Normally

2007 UBO/UBU Conference From Registration to Accounts Receivable 8 HIPAA’s Original Timeline HIPAA signed into law on August 21, 1996 All Final Rules to be issued by February 21, 1998 – Eighteen months after signing into law Full compliance to be achieved by April 22, 2000 – We’ve been under HIPAA for nearly 7 years!!! What happened to the original timeline? – DHHS had three (3) Number One priorities Y2K Balanced Budget Act (BBA) of 1997 HIPAA

2007 UBO/UBU Conference From Registration to Accounts Receivable 9 Timetable for Adoption of Standards 04/14/2003 (2004<$5M) 12/28/200011/03/1999Privacy 04/20/2005 (2006<$5M) 02/20/200308/12/1998Security 07/30/2004 (2005<$5M) 05/31/200206/16/1998National Employer Identifier 05/23/2007 (2008<$5M) 01/23/200405/07/1998National Provider Identifier 10/16/ with extension 08/17/200005/07/1998Transactions & Codes Sets Compliance Required Final Rule Publication Notice of Proposed Rule Making (NPRM) Standard

2007 UBO/UBU Conference From Registration to Accounts Receivable 10 Who Must Use the Standards? Covered Entities (CEs) Include: – Health Plan – Health Care Clearinghouse – Health Care Provider (who transmits any health information in electronic form in connection with any covered transaction) MHS Direct Care System is considered to be a Health Care Provider Congress directed DHHS to use existing standards wherever possible rather than develop new ones

2007 UBO/UBU Conference From Registration to Accounts Receivable 11 Civil & Criminal Penalties Civil penalty of $100 per violation, up to $25,000 maximum per year per HIPAA standard Wrongful disclosure of Individually Identifiable Health Information (IIHI) – Fined not more than $50,000, imprisoned not more than 1 year, or both If offense committed under false pretenses – Fined not more than $100,000, imprisoned not more than 5 years, or both —Continued—

2007 UBO/UBU Conference From Registration to Accounts Receivable 12 Civil & Criminal Penalties If offense committed with intent to sell, transfer, or use information for commercial advantage, personal gain, or malicious harm – Fined not more than $250,000, imprisoned not more than 10 years, or both

2007 UBO/UBU Conference From Registration to Accounts Receivable 13 ANSI ASC X12N & IGs ANSI – American National Standards Institute ASC X12 – Accredited Standards Committee (ASC) chartered by ANSI to develop standards for inter- industry electronic business transactions (EDI) X12N – is the Subcommittee for Insurance who developed the HIPAA EDI standards IGs – Implementation Guides that provide detailed formats for implementing the HIPAA EDI standards Version 4010A of the HIPAA IGs is the standard National Council for Prescription Drug Programs (NCPDP) developed standards for retail pharmacy drug claims

2007 UBO/UBU Conference From Registration to Accounts Receivable 14 Covered Transactions 837 – Health Care Claim (3 types) – Institutional – Professional – Dental Retail Pharmacy Drug Claim – National Council for Prescription Drug Programs (NCPDP) Telecommunication Standard Implementation Guide, Version 5.1, September 1999 – NCPDP Batch Standard Batch Implementation Guide, Version 1.1, January 2000

2007 UBO/UBU Conference From Registration to Accounts Receivable 15 Covered Transactions (con’t) 270/271 – Health Care Eligibility Benefit Inquiry and Response 276/277 – Health Care Claim Status Request and Response 278 – Health Care Services Review 820 – Payroll Deducted and Other Group Premium Payment for Insurance Products 834 – Benefit Enrollment and Maintenance 835 – Health Care Claim Payment/Advice 837 – Coordination of Benefits

2007 UBO/UBU Conference From Registration to Accounts Receivable 16 Mandated Code Sets ICD-9-CM – International Classification of Diseases – Clinical Modification for Diagnoses, 9 th Edition (Volumes 1 and 2) ICD-9-CM – International Classification of Diseases – Clinical Modification for Inpatient Procedures, 9 th Edition (Volume 3) CPT-4 – Current Procedural Terminology, 4 th Edition CDT-3 – Code on Dental Procedures and Nomenclature, 3 rd Edition HCPCS – Healthcare Common Procedure Coding System

2007 UBO/UBU Conference From Registration to Accounts Receivable 17 Impact of HIPAA EDI Electronic claims just means faster rejections if data is incomplete or incorrect Increasing emphasis on the need for quality data “the first time” Personnel savings may need to be redeployed to other areas in order to improve data capture and quality 837 is NOT JUST an electronic UB-92 or CMS 1500 HIPAA transactions often require more data that is currently captured or stored State Prompt Payment laws will still be needed Electronic claims attachments (275) will be a big aid once they are available

2007 UBO/UBU Conference From Registration to Accounts Receivable 18 Privacy vs. Security Privacy – What needs to be protected – Protected Health Information (PHI) Security – Methods by which we will protect it Need to determine the desired balance among: – Confidentiality of the data – Integrity of the data – Availability of the data Final Rules for Privacy issued December 2000 and August 2002 Security Final Rule issued February 2003

2007 UBO/UBU Conference From Registration to Accounts Receivable 19 Privacy Rule December 2000 Privacy Rule required patients to give consent before their protected health information (PHI) could be used for treatment, payment, or health care operations (TPO) August 2002 Privacy Rule dropped the consent requirement – Direct health care provider now just has to make a good faith effort to obtain an individual’s written acknowledgement of receipt of the provider’s Notice of Privacy Practices (NPP) – Copy of MHS NPP on TMA HIPAA Web Site

2007 UBO/UBU Conference From Registration to Accounts Receivable 20 Privacy Rule (con’t) Authorization by the individual is still required before a Covered Entity can release PHI for non-TPO purposes – Life insurance company seeking medical information regarding a policy applicant Access without written authorization allowed for national and public health needs

2007 UBO/UBU Conference From Registration to Accounts Receivable 21 Privacy Rule (con’t) Individual’s right of access – Patient can see their medical record – Can request copies – Can request amendments to medical record Provider does not have to make the amendment Preemption – Final Rule can not supersede more stringent state privacy laws – Establishes the Federal floor of safeguards – You need to know which state privacy laws still apply (i.e., those that are more stringent)

2007 UBO/UBU Conference From Registration to Accounts Receivable 22 What Is IIHI? Individually identifiable health information (IIHI) is information that is a subset of health information, including demographic information collected from an individual, and: – Is created or received by a health care provider, health plan, employer, or health care clearinghouse – Relates to: the past, present, or future physical or mental health condition of an individual; the provision of health care to an individual; or the past, present, or future payment for health care received by an individual; and that – Either identifies the individual or provides a “reasonable basis” to believe the information can identify the individual

2007 UBO/UBU Conference From Registration to Accounts Receivable 23 What Is PHI? Protected Health Information (PHI) is IIHI that is: – Transmitted by electronic media – Maintained by electronic media – Transmitted or maintained in any other form or medium (includes written or oral communications) PHI excludes IIHI in: – Education records covered by the Family Educational Rights and Privacy Act (FERPA) – Employment records held by a CE in its role as an employer

2007 UBO/UBU Conference From Registration to Accounts Receivable 24 Real World Privacy Issues “Anonymous” medical records identified in Massachusetts – Governor’s record included Survey finds one out of six patients engage in “privacy protected behaviors” Foreign transcriber threatens California medical center to release medical records on the Internet – Disagreement over back pay

2007 UBO/UBU Conference From Registration to Accounts Receivable 25 HIPAA Security Rule Background Proposed Rule was issued August 12, 1998 covering Security and Electronic Signature Standards (39 pages) Many security and privacy recommendations based on the National Research Council’s 1997 report entitled For The Record: Protecting Electronic Health Information More than 2,300 comments submitted by individuals and organizations

2007 UBO/UBU Conference From Registration to Accounts Receivable 26 HIPAA Security Rule Background (con’t) Security Final Rule issued February 20, 2003 (48 pages) – Provisions apply ONLY to electronic Protected Health Information (PHI) – Does not cover electronic signatures DHHS will issue separate NPRM Awaiting recommendation from National Committee on Vital & Health Statistics (NCVHS) – Date unknown Security Final Rule does not reference or advocate specific technology

2007 UBO/UBU Conference From Registration to Accounts Receivable 27 HIPAA Security Rule Background (con’t) Intentionally generic, scalable for both small and large organizations, technology neutral Each affected entity must assess its own security needs and risks and devise, implement, and maintain appropriate security measures to address its business requirements Measures must be documented and kept current Challenge for the organization to assess their own security risks, weigh them, implement appropriate solutions

2007 UBO/UBU Conference From Registration to Accounts Receivable 28 HIPAA Security Standards – General Rules General requirements – Covered entities (CEs) must do the following: – Ensure the confidentiality, integrity, and availability of all electronic PHI the CE creates, receives, maintains, or transmits – Protect against any reasonably anticipated threats or hazards to the security or integrity of such information – Protect against any reasonably anticipated uses or disclosures of such information – Ensure compliance by its workforce

2007 UBO/UBU Conference From Registration to Accounts Receivable 29 Some Operational Challenges Healthcare staff want to help others – We’re too trusting Security system is only as good as its weakest link – 999 secure passwords out of 1000 users is NOT “good enough” Hackers & Social Engineering – Attempt to exploit our desire to be helpful – Not enough to thwart them – need to report it to the right person so appropriate actions can be taken —Continued —

2007 UBO/UBU Conference From Registration to Accounts Receivable 30 Some Operational Challenges Don’t be a soft target – Hackers are lazy Viruses and worms – Need to be alert/wary Capability to track access to Protected Health Information (PHI) – Insurance company example – Harvard Community Health Plan Patients can review who accessed their PHI

2007 UBO/UBU Conference From Registration to Accounts Receivable 31 HIPAA Security Considerations How do you dispose of your obsolete PCs? – Savannah River DOE example – Indianapolis hospital example Do you allow providers to access your network from their home PCs? – Any penalties for violations? – Are they ever enforced? —Continued —

2007 UBO/UBU Conference From Registration to Accounts Receivable 32 HIPAA Security Considerations Have you outsourced medical transcription? If so, how is PHI transmitted/stored & protected when off- site? Do your passwords contain both alpha and numeric characters as well as special characters/minimum length of at least 8 characters – How often are they updated? – No yellow Post-Its on the PC monitor or under the desktop keyboard

2007 UBO/UBU Conference From Registration to Accounts Receivable 33 Changes on the Horizon National Provider Identifier (NPI) New paper forms (UB-04, revised CMS 1500) – Implement use of NPI New draft HIPAA EDI transaction set – 275 – Electronic Claims Attachment Future use of ICD-10

2007 UBO/UBU Conference From Registration to Accounts Receivable 34 National Provider Identifier (NPI) – Health care providers began applying for NPIs beginning May 23, 2005 – Health care providers, health plans, and health care clearinghouses must begin using the NPI in standard transactions NLT May 23, 2007 – Small health plans have until NLT May 23, 2008 – Is a 10-position numeric identifier (last digit is a check figure) – Is an intelligence-free number – NPI Type 1 – for health care providers who are individual human beings – NPI Type 2 – for health care organizations

2007 UBO/UBU Conference From Registration to Accounts Receivable 35 Use of the NPI Type 1 in the MHS HA Policy issued 26 January 2005 regarding NPI Type 1 – Requires “all Health Care Providers who furnish billable health care services or who may initiate and/or receive referrals must obtain an NPI Type 1.” – Services are responsible for ensuring all privileged/credentialed providers (including Reserve Component) obtain and submit their NPI to the TMA designated data base/repository prior to 23 May 2007 – Services SGs have issued Memoranda of Instruction detailing Service-specific instructions As of 27 February 2007, 19,711 NPI Type 1 identifiers have been entered into DMHRSi Still need an estimated 8,711 more NPI Type 1 identifiers! Only 64 days remaining until 23 May 2007 deadline

2007 UBO/UBU Conference From Registration to Accounts Receivable 36 Use of the NPI Type 2 in the MHS HA Policy issued 1 August 2005 regarding NPI Type 2 – Requires all organizational health care providers within the MHS to obtain an NPI Type 2. These include: MTFs that bill third party insurers Pharmacy dispensing sites – The Services are responsible for ensuring all applicable organizational health care providers obtain NPI Type 2 identifiers prior to 23 May 2007 As of 27 February 2007 – 128 NPI Type 2 identifiers for MTFs have been entered into DMHRSi – 600 NPI Type 2 identifiers for Pharmacy Dispensing Sites have been entered into DMHRSi Only 64 days remaining until 23 May 2007 deadline

2007 UBO/UBU Conference From Registration to Accounts Receivable 37 New Paper Bill Forms Use of new revised CMS 1500 Form required beginning 1 February 2007 Use of new UB-04 Form required beginning 23 May 2007 Both new forms require use of NPIs beginning 23 May 2007 MHS System Change Requests (SCRs) have been submitted for making changes to TPOCS and the CHCS MSA module to support the new paper claim formats CHCS software change package to support the UB-04 will be available for MTFs to load beginning in early May 2007 MTFs need to start ordering the new UB-04 and CMS 1500 forms

2007 UBO/UBU Conference From Registration to Accounts Receivable – Electronic Claim Attachment Claims Attachment NPRM issued 23 September 2005 Will simultaneously use both ANSI X12 and HL7 EDI standards Six different attachment types proposed – Clinical Reports – Laboratory Results – Medications – Rehabilitation Services – Ambulance Service – Emergency Department

2007 UBO/UBU Conference From Registration to Accounts Receivable 39 ICD-10 Implementation ICD-10s likely coming in 2009 – 2010 – AHIMA & AMIA support October 2009 date TMA monitoring status of ICD-10 implementation in U.S. – Changes will be made in MHS automated information systems to support the new code set once it is mandated

2007 UBO/UBU Conference From Registration to Accounts Receivable 40 Truisms Regarding HIPAA Compliance Changing the organizational privacy & security culture will be the BIGGEST challenge HIPAA compliance has no finish line – National Committee on Vital & Health Statistics (NCVHS) recommended in February 2002 more clinical messaging formats as potential HIPAA standards for an electronic medial record (EMR) – New transaction sets will continue to be added (e.g., 275 – Electronic Claims Attachment)

2007 UBO/UBU Conference From Registration to Accounts Receivable 41 HIPAA Resources on the Internet TMA HIPAA Web site – HA Policy – NPI Entity – Type 1 – HA Policy – NPI Entity – Type 2 – National Uniform Billing Committee (NUBC) – National Uniform Claim Committee (NUCC) – —Continued —

2007 UBO/UBU Conference From Registration to Accounts Receivable 42 HIPAA Resources on the Internet CMS HIPAA Web site – For the Record: Protecting Electronic Health Information, The National Academies Press, 1997 – or View free on-line version of For the Record – DHHS Office of Civil Rights (OCR) – —Continued —

2007 UBO/UBU Conference From Registration to Accounts Receivable 43 HIPAA Resources on the Internet Washington Publishing Company – HIPAA EDI Implementation Guides – Workgroup for Electronic Data Interchange (WEDI) – National Council for Prescription Drug Programs (NCPDP) – National Committee on Vital & Health Statistics (NCVHS) –

2007 UBO/UBU Conference From Registration to Accounts Receivable 44 Summary History of HIPAA – It’s been a law since 1996! What’s really required by HIPAA & what’s not – Need to separate truth from fiction New HIPAA requirements on the horizon – NPIs, new paper forms (UB-04, revised CMS 1500) – Additional covered transactions (e.g., 275) – Future use of ICD-10 Take advantage of HIPAA resources on the Internet – No need to “reinvent the wheel!”

2007 UBO/UBU Conference From Registration to Accounts Receivable 45 Summary History of the Health Insurance Portability & Accountability Act (HIPAA) What’s really required by HIPAA & what’s not New HIPAA requirements on the horizon HIPAA resources on the Internet

2007 UBO/UBU Conference From Registration to Accounts Receivable 46 Quiz How do you spell HIPAA and what do the letters stand for? Who/what needs to get an NPI Type 1? Who/what needs to get an NPI Type 2? What form is replacing the UB-92? What form is replacing the CMS 1500?