Slide 1: The Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Public Law 104-191
Slide 2: The Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), HIPAA
Purpose: a Congressional attempt at incremental health care reform: "portability and administrative simplification"
- The 1996 passage of HIPAA gave Congress 36 months to pass legislation, or...
- DHHS was to promulgate final regulations
- Congress did not act by the deadlines, so...
Slide 3: The Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), HIPAA
- DHHS published proposed standards for individually identifiable health information on November 3, 1999 (Federal Register)
- There was no common standard for the transfer of information between providers and payers (no electronic data interchange, "EDI", standard)
Slide 4: Intent of HIPAA
- Ensure confidentiality and integrity
- Prevent unauthorized use or disclosure
- Protect against threats or physical hazards
- Save money through "simplification"
Slide 5: HIPAA Mandate
Adoption of new security standards to protect an individual's health information while permitting appropriate access to and use of the information by:
- Providers
- Clearinghouses
- Health Plans
Slide 6: HIPAA Mandate (contd.)
- Permit health information to be used and shared
- Require written authorization for use and disclosure
- Establish fair information practices
- Ensure patient access
Slide 7: HIPAA Mandate (contd.)
- Require providers to establish administrative and physical safeguards
- Allow de-identified information to be used in any way, as long as identifying information is "stripped"
- Require payers to accept EDI standards
- Mandate the use of unique identifiers
Slide 8: Impact
- Applies to all health care organizations that maintain or transmit electronic health information
- The time frame is short
- Y2K has diverted attention
- Significant criminal and civil penalties
- No "quick fix"
Slide 9: What is Administrative Simplification?
The Administrative Simplification aspect of the law requires DHHS to develop standards and requirements for the maintenance and transmission of health information that identifies individual patients.
Slide 10: Why have standards?
Standards are designed to:
- Improve efficiency and effectiveness by standardizing the interchange of electronic data for specific financial and administrative transactions
- Protect the security and confidentiality of electronic health information
Slide 11: What is the main focus?
Standards
- Standards for electronic data transmission
  - Transactions (EDI)
  - Code Sets
  - Unique National Identifiers
- Standards for electronic data protection
  - Security
  - Privacy
Slide 12: Security Standards
- Administrative
- Physical
- Technical
- Network
Slide 13: Administrative
- Policies and procedures
- Certification
- Chain of trust
- Contingency plan (emergency)
- Formal records processing
- Access policy
- Internal auditing
Slide 14: Administrative (contd.)
- Personnel security
- Security configuration management
- Incident reporting
- Security management
- Termination procedures
- Training
Slide 15: Physical
- Protection of computer systems and buildings
- Assignment of security responsibilities
- Media controls
- Physical access
- Workstation use
- Secure workstation location
- Security awareness training
Slide 16: Technical
- Identification, authentication, and authorization
- Automatic logoff
- Data integrity
- Protecting data in transit
- Secure remote access
Slide 17: Technical (contd.)
- System/network certification
- Disaster recovery/business continuity
- Virus protection
- Minimum necessary access; de-identification of data
Slide 18: Network
- Process to guard against unauthorized access to data in transit
- Integrity controls
- Message authentication
- Access controls or encryption
- Alarm system
- Audit trail
- Entity authentication
- Event reporting
Slide 19: What is the time frame for implementation?
- Small practice plans: 36 months
- All others: 24 months
Slide 20: Covered Entities
- Providers
- Clearinghouses
- Health Plans
- Subsidiary Operations
- Business Partners
Slide 21: What is our implementation strategy?
- Executive commitment
- Assign responsibility
- Establish a steering committee
- Gap analysis and risk assessment
- Develop a system-wide approach
- Provide awareness and training
Slide 22: HIPAA Organization
Slide 23: Organizational Structure
What is our structure, who will be involved, and who will coordinate the Medical Center efforts?
- Executive
- Public Relations
- Compliance
- Medical Records
- Risk Management
- All Departments
- Legal
- Personnel
- Purchasing
- Information Systems
Slide 24: HIPAA Framework
[Diagram: the HIPAA Framework, relating the Administrative, Physical, Technical and Network Standards to Information Services, Audit, Policies, Training and Departments]
Slide 25: Administrative Simplification: Benefits
- Simplification
- Reduction in time
- Reduced administrative costs
- Improved customer satisfaction
- Investment in the future
Slide 26: HIPAA Compliance: Penalties
Monetary: each violation $100 - $25,000
Potential waivers:
- "Reasonable cause": due diligence
- "Not willful neglect": corrected within 30 days
- Penalty excessive relative to the failure
Slide 27: HIPAA Compliance: Penalties
Criminal liability: knowingly or willfully obtaining or disclosing individually identifiable health information.
- Fine not to exceed $50,000, imprisonment of not more than one year, or both
- Under false pretenses: fine of not more than $100,000, imprisonment of not more than five years, or both
Slide 28: HIPAA Compliance: Penalties (contd.)
- With intent to sell, transfer or use for commercial advantage, personal gain or malicious harm: fine of $250,000, imprisonment of not more than ten years, or both
Slide 29: Suggestions
- Mike Walker, WFU Compliance Officer: 716-5252
- John Hart, NCBH Internal Audit: 716-3002
Slide 30: Summary: Myths
- Congress will repeal HIPAA
- HIPAA is a Clinton program
- HIPAA will not be enforced for years
- Vendors will take care of HIPAA
- HIPAA is just an IT project
- Compliance is optional