Todd Frech Ocius Medical Informatics 6650 Rivers Ave, Suite 137 North Charleston, SC Health Insurance Portability and Accountability Act General Overview for Software Vendors

Background Originally proposed in 1996 as part of a comprehensive set of reforms targeting health insurance Administrative Simplification section created in response to the commercialization of health information and the potential for abuse with the increased use of electronic systems Prior to HIPAA, there were no federal regulations to govern the use of personal health information (PHI)

Some Significant Abuses Marketing Employment Screening Inappropriate release of private information

Legislative Authority Department of Health and Human Services –Defines requirements –Educates and inspects (Office of Civil Rights) –Fines for minor offences Department of Justice –Criminal prosecution

What is HIPAA? Four Components –Transaction Standards –Privacy Regulations –Security Regulations –National Provider ID Regulation of individually identifiable health information

What is HIPAA? Covers electronic systems –Billing –EMR –Scheduling Impacts –Health plans –Health care providers –Health care clearing houses

HIPAAs Goals Reduce administrative burdens Protect the privacy of individually identifiable health information Ensure the security, integrity and availability of health information

Transaction Standards Creates standard transaction sets for communicating health information via electronic interfaces Creates a standard definition of data elements Impacts billing, enrollment, disenrollment and authorization transactions Final rule published in August 2000 Requires implementation within 24 months

Privacy Standards Requires a covered entity to make a reasonable effort to obtain a patients permission to use their PHI for Treatment, Payment and Healthcare Operations (TPO) Requires a covered entity to obtain a patients permission for any non-TPO use of health information Defines the approved uses of health information Defines the process for gaining approval Gives patients the right to dispute information in their health records Defines the process for patient disputes

Security Standards Regulate integrity, confidentiality, unauthorized access, and availability Five components: –Administrative procedures –Physical safeguards –Technical security services –Technical security for networks –Electronic signature

Impact on Software Vendors Transaction Standards –Implementation by 10/2004 –Standard data elements and transaction formats Privacy Standards –Implementation by 4/2003 –Minimal impact on software vendors Security Standards –No implementation date (12 months from final rule date) –Largest impact on software vendors

Operational Issues Legal requirements –Business Associate Agreements Changes to policies and procedures –System Access –Training Software enhancements –Audit –Security

Client Issues Interpretation and implementation of three standards in a short period of time Developing appropriate polices and procedures Training, training, training

Regulatory Issues Enforcement –Office of Civil Rights –Department of Justice Fines and Penalties –Monetary fines for inappropriate disclosure of PHI –Potential jail time for willful misuse of PHI

Risk and Opportunities Timeline for implementation of security requirements Client focus during the implementation process Development of new policies and procedures Additional or upgraded network infrastructure

Got Questions?