1 HIPAA Administrative Simplification Standards Yesterday, Today, and Tomorrow Stanley Nachimson CMS Office of HIPAA Standards

2 Brief History HIPAA signed into law August 1996 –Major publicity around insurance portability Transactions and Code Sets Proposed Rule –Published May 1998 –Lots of comments, but who really paid attention to the standards?

3 Brief History Final rule published August 2000 –Described who must use the standards and when –Adopted specific standards for transactions, NCPDP and X12 –Adopted specific code sets –Required implementation by Oct 2002 Who was paying attention?

4 Brief History Industry finally reacts – says it needs more time. ASCA statute in December 2001 provides for an additional year – no more – to implement. New date: October 16, 2003. Law also requires covered entities to develop plans to meet the new date; April 16, 2003 is the testing deadline. Also requires billing to Medicare be done electronically, making those providers covered entities.

5 Brief History Modifications to standards issued February 2002 –Based on critical problems with the initial standards –NDC code no longer required, except for retail pharmacies

6 Where Are We Today? We are less than 6 months from Oct 16. Testing should have started, at least internally. Vendors should have provided software to their customers so testing could begin. Clearinghouses should have test plans and packages available for customers.

7 Where are we today? Health plans should be scheduling testing with providers –Most Medicare contractors are already doing this. Providers should be looking for plans to test with. External certification is a business decision each entity must make.

8 Reminders for Oct 16 HIPAA standard transaction and code sets must be used. All covered entities must participate. Providers still have the option for paper (except for Medicare). We want this to work – cash flow disruption is not an option for many providers

9 Key is Cooperation Plans, providers, clearinghouses, vendors must work together –Coordinate testing schedules –Coordinate information campaigns –Test early to discover problems –Work together to fix them –Look at solutions others have already found

10 Opportunities for Learning Take advantage of: –CMS web site –National conference calls –Regional conference calls –Askhipaa –Regional SNIP affiliates –SNIP web site (snip.wedi.org)

11 Enforcement of Administrative Simplification Standards CMS named to enforce HIPAA transactions and code sets OCR continues to enforce HIPAA privacy CMS creates Office of HIPAA Standards

12 Office of HIPAA Standards Outreach Regulations and Policy Enforcement

13 Enforcement Responsibilities Establish enforcement process Develop regulations

14 Enforcement Reality CMPs may not be more than: –$100 per violation –$25,000 per calendar year for violations of an identical requirement or prohibition. We need to determine what constitutes a violation.

15 Enforcement Authority Two provisions of HIPAA govern enforcement: –§ 1176: civil monetary penalties (CMPs) –§ 1177: criminal penalties. HHS has authority to assess CMPs; DOJ has authority for criminal penalties.

16 Enforcement Regulation HHS lead on developing enforcement regulation Simplifies and standardizes the enforcement process Provides a predictable process

17 Enforcement Regulation Notice of what constitutes a violation and how penalties will be determined Hapless vs. Willful Rulemaking process allows for public input

18 From Complaint To Compliant Complaint driven Voluntary compliance Technical assistance Corrective action plan Progressive Steps

19 Complaint Driven Complaints: –web submittal –download and mail. Notification in writing.

20 Voluntary Compliance Opportunity to demonstrate compliance Good faith efforts go a long way

21 Corrective Action Plan Opportunity to submit corrective action plan Demonstrate and document efforts to become compliant Exercise reasonable diligence, make efforts to correct problem

22 Progressive Steps Compliance FIRST. Corrective Action MIDDLE. Tied for LAST: –CMPs –Exclusion from Medicare. Access to care and patient safety.

23 Future Standards Security Attachments Identifiers

24 Regulation Dates Published February 20, 2003 Effective Date April 21, 2003 Compliance Date: –April 21, 2005 for all covered entities except small health plans –April 21, 2006 for small health plans (as HIPAA requires)

25 General Requirements ( (a)) Ensure –Confidentiality (only the right people see it) –Integrity (the information is what it is supposed to be – it hasn’t been changed) –Availability (the right people can see it when needed)

26 General Requirements Applies to Electronic Protected Health Information That a Covered Entity Creates, Receives, Maintains, or Transmits

27 General Requirements Protect against reasonably anticipated threats or hazards to the security or integrity of information Protect against reasonably anticipated uses and disclosures not permitted by privacy rules Ensure compliance by workforce

28 Regulation Themes Scalability/Flexibility –Covered entities can take into account: Size Complexity Capabilities Technical Infrastructure Cost of procedures to comply Potential security risks

29 Regulation Themes Technologically Neutral –What needs to be done, not how Comprehensive –Not just technical aspects, but behavioral as well

30 How Did We Accomplish This Standards Are Required but: –Implementation specifications which provide more detail can be either required or addressable.

31 Addressability If an implementation specification is addressable, a covered entity can: –Implement, if reasonable and appropriate –Implement an equivalent measure, if reasonable and appropriate –Not implement it Based on sound, documented reasoning from a risk analysis

32 What are the Standards? Three types: –Administrative –Physical –Technical

33 Administrative Standards
Security Management
–Risk analysis (R)
–Risk management (R)
Assigned Responsibility
Workforce Security
–Termination procedures (A)
–Clearance Procedures (A)

34 Administrative Standards
Information Access Management
–Isolating Clearinghouse (R)
–Access Authorization (A)
Security Awareness and Training
Security Incident Procedures
Contingency Plan
Evaluation
Business Associate Contracts

35 Physical Standards
Facility Access Controls (all specifications addressable)
–Contingency operations
–Facility Security Plan
–Access control
–Maintenance Records
Workstation Use (no implementation specifications)
Workstation Security
Device and Media Controls

36 Technical Standards
Access Control
–Unique User Id (R)
–Emergency Access (R)
–Automatic Logoff (A)
–Encryption and Decryption (A)
Audit Controls
Integrity
Person or Entity Authentication
Transmission Security

37 Chart in Regulation At end of the regulation, this chart lists each standard, its associated implementation specifications, and if they are required or addressable

38 Basic Changes from NPRM Aligned with Privacy (Definitions, requirements for business associates) Encryption now addressable No requirement for certification Standards simplified and redundancy eliminated.

39 Implementation Approach
–Do Risk Analysis – Document
–Based on Analysis, determine how to implement each standard and implementation specification – Document
–Develop Security Policies and Procedures – Document
–Train Workforce
–Implement Policies and Procedures
–Periodic Evaluation
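The addressability rule (slide 31) and the implementation approach (slide 39) together define a decision record that has to exist for every implementation specification: required specifications must be implemented; addressable ones may be implemented, met by an equivalent measure, or left unimplemented, but only on sound, documented reasoning from the risk analysis. The following checker enforces exactly those rules over such a register. It is an added example, not material from the presentation or from CMS; the spec identifiers, the register layout, the finding IDs and the sample entries are assumptions made for the illustration.

```python
"""Checker for a HIPAA Security Rule implementation-decision register.

Added example (not from the presentation). The R/A markings come from the
slides; the identifiers, register layout and finding IDs are assumed.
"""
from dataclasses import dataclass

# Implementation specifications named on the slides, with the
# R (required) / A (addressable) marking the slides give them.
SPECS = {
    "risk_analysis": "R",
    "risk_management": "R",
    "termination_procedures": "A",
    "clearance_procedures": "A",
    "isolating_clearinghouse": "R",
    "access_authorization": "A",
    "unique_user_id": "R",
    "emergency_access": "R",
    "automatic_logoff": "A",
    "encryption_decryption": "A",
}

# The three choices the slides allow for an addressable specification.
VALID_DECISIONS = {"implement", "equivalent", "not_implement"}


@dataclass
class Decision:
    spec: str
    decision: str          # one of VALID_DECISIONS
    rationale: str = ""    # the documented reasoning
    risk_ref: str = ""     # pointer into the risk analysis (finding ID; format assumed)


def validate(register):
    """Return a list of findings; an empty list means the register is consistent."""
    findings = []
    seen = set()
    for d in register:
        if d.spec not in SPECS:
            findings.append(f"{d.spec}: unknown specification")
            continue
        if d.spec in seen:
            findings.append(f"{d.spec}: duplicate entry")
            continue
        seen.add(d.spec)
        if d.decision not in VALID_DECISIONS:
            findings.append(f"{d.spec}: invalid decision {d.decision!r}")
            continue
        documented = bool(d.rationale.strip()) and bool(d.risk_ref.strip())
        if SPECS[d.spec] == "R":
            # Required: the only acceptable decision is to implement.
            if d.decision != "implement":
                findings.append(f"{d.spec}: required specification must be implemented")
        elif not documented:
            # Addressable: any of the three choices is allowed, but only on
            # sound, documented reasoning from the risk analysis.
            findings.append(
                f"{d.spec}: {d.decision!r} needs a rationale and a risk-analysis reference")
    # Every specification needs a recorded decision, whatever it is.
    for spec in SPECS:
        if spec not in seen:
            findings.append(f"{spec}: no decision recorded")
    return findings


# Constructed sample register; two entries are deliberately defective.
SAMPLE_REGISTER = [
    Decision("risk_analysis", "implement", "annual enterprise risk analysis", "RA-2003-01"),
    Decision("risk_management", "implement", "risk register owned by security officer", "RA-2003-01"),
    Decision("termination_procedures", "implement", "HR-driven deprovisioning checklist", "RA-2003-07"),
    Decision("clearance_procedures", "equivalent", "background check at hire covers clearance", "RA-2003-08"),
    Decision("isolating_clearinghouse", "implement", "clearinghouse function on its own segment", "RA-2003-02"),
    Decision("access_authorization", "implement", "role-based access in the practice system", "RA-2003-09"),
    Decision("unique_user_id", "implement", "named accounts only; shared logins removed", "RA-2003-03"),
    Decision("emergency_access", "not_implement"),            # required spec, wrongly skipped
    Decision("automatic_logoff", "not_implement"),            # addressable, but undocumented
    Decision("encryption_decryption", "not_implement",
             "ePHI never leaves the isolated LAN; compensating controls listed", "RA-2003-11"),
]

if __name__ == "__main__":
    for finding in validate(SAMPLE_REGISTER):
        print(finding)
```

Running the block reports the two defective entries (the skipped required specification and the undocumented addressable one) and nothing else; the documented decision not to implement encryption passes, which is the point of addressability: the decision is acceptable only because the reasoning is on record.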

40 Summary Scalable, flexible approach Standards that make good business sense Two years for implementation First step is risk analysis

41 Claims Attachments Will provide standards for sending claims attachments (medical records, lab reports, x-rays) electronically. All health plans will be required to support these. Expect proposed rule later this year.

42 Identifiers National Provider Identifier –Final rule later this year –Will have minimum two years to implement National Plan Identifier –Proposed rule later this year.

43 Questions?