Presentation is loading. Please wait.

Presentation is loading. Please wait.

S I D L E Y & A U S T I N HIPAA and Your Compliance Program HCCA’s 2000 Compliance Institute New Orleans, Louisiana September 25, 2000.

Published byKelly Watkins Modified over 8 years ago

Similar presentations

Presentation on theme: "S I D L E Y & A U S T I N HIPAA and Your Compliance Program HCCA’s 2000 Compliance Institute New Orleans, Louisiana September 25, 2000."— Presentation transcript:

1 S I D L E Y & A U S T I N HIPAA and Your Compliance Program HCCA’s 2000 Compliance Institute New Orleans, Louisiana September 25, 2000

2 S I D L E Y & A U S T I N 2 Presentation Agenda Introductions Overview and Background HIPAA Requirements and Provisions °Technology with Q&A °Privacy with Q&A °Security with Q&A Integration into Compliance Program

3 S I D L E Y & A U S T I N Overview and Background of HIPAA

4 S I D L E Y & A U S T I N 4 General Provisions Group and Individual Insurance Reform Limits on pre-existing exclusion provisions Portability of coverage, guaranteed issue and renewal Fraud and Abuse Medicare integrity, data collection, beneficiary incentive programs Increased penalties, sanctions, and exclusions Tax-Related Health Provisions MSAs, long-term care insurance, taxation of insurance benefits Administrative Simplification (AS) Improve efficiency and effectiveness of the healthcare system Define standards for electronic transmission - standard identifiers, transaction and code sets Protect the privacy and security of health information

5 S I D L E Y & A U S T I N 5 Applicability

6 S I D L E Y & A U S T I N 6 Penalties and Fines Non-Compliance with Requirements $100 per violation to a maximum of $25,000 per requirement per year Considering the proposed security rules contain more than 25 specific requirements, the maximum penalty can exceed $625,000 per year Wrongful Disclosure of Health Information Simple disclosure – fines up to $50,000 and/or one year in prison Disclosure under false pretenses – fines up to $100,000 and/or five years in prison Disclosure with intent to sell or use – fines up to $250,000 and/or 10 years in prison

7 S I D L E Y & A U S T I N Technology Requirements

8 S I D L E Y & A U S T I N 8 Transactions, Code Sets and Identifiers Transaction Standards for HIPAA: “Transactions” are the exchange of information between two parties carrying out financial and administrative activities with data elements in a single format. Three Categories of Technology Requirements: a) Transaction Sets b) Code Sets c) Identifiers

9 S I D L E Y & A U S T I N 9 Transactions, Code Sets and Identifiers Highlights Standardized transaction formats and data elements for information that is transmitted and received electronically Code Sets Standards Built on Current Coding Systems Major code sets characterize medical data (e.g. CPT, ICD-9) Code sets included in standard transaction sets Current national coding standards to be updated in 2002 Unique Identifiers “Intelligence-free” (will not contain any encoded information) “Single unique identification of providers” Apply to all persons furnishing healthcare services and supplies Reduce potential for fraud and abuse Creates considerable privacy/ confidentiality concerns

10 S I D L E Y & A U S T I N 10 Standard transaction sets are defined for the following: Health claims or equivalent encounter (X12N 837) Enrollment and disenrollment in a health plan (X12 834) Eligibility for health plan - inquiry/response (X12N 270-271) Healthcare payment and remittance advice (X12N 835) Health plan premium payments (X12 820) Health claim status - inquiry/response (X12N 276-277) Coordination of benefits (X12N 837) Referral certification (X12N 278) Referral authorization (X12N 278) First report of injury (open) Health claims attachments (open) Standard Transaction Record Identifiers Providers Employers Health plans (open) Individuals (open) Code Sets ICD-9-CM (diagnosis and procedures) CPT-4 (physician procedures) HCPCS (ancillary services/procedures) CDT-2 (dental terminology) NDC (national drug codes) Transactions, Code Sets and Identifiers

11 S I D L E Y & A U S T I N 11 Key Business Considerations Integration of new transactions into legacy systems Investment in new systems/channels Revision of Q/A testing and user acceptance processes Integration of technology requirements in contracts, accreditation Budget impact Return on investment Leverage investment in Y2K

12 S I D L E Y & A U S T I N Privacy Requirements

13 S I D L E Y & A U S T I N 13 IIHI Uses and Disclosures Minimum Necessary Rights of Individual Business Partners Related Entities Internal process changes Privacy Official Training Complaint Handling Disclosure Accounting Privacy Standards

14 S I D L E Y & A U S T I N 14 Permitted Uses and Disclosures Protected Health Information Authorization required for: Disclosures on request of individual, entity or third party Marketing, fund-raising purposes Disclosure to non-health related affiliates (e.g., life insurance) Underwriting or risk rating Employment determinations Sale, rental or barter Disclosure of psychotherapy notes or research information Authorization not required for: Uses or disclosures relating to treatment, payment or health care operations Public health agency activities Health oversight and regulatory agencies Judicial proceedings and law enforcement investigations Health care fraud Research purposes (under rigorous criteria) Disclosure of “de-identified” health information

15 S I D L E Y & A U S T I N 15 Minimum Necessary Disclosure Reasonable efforts not to use or disclose more than the minimum amount of information needed to accomplish an intended purpose Entity designates staff to determine minimum necessary information Determination made on individual basis within limits of technology Pervasive throughout organization °Applies to both internal and external uses °“Minimum necessary” varies by function and department °Implications for information systems

16 S I D L E Y & A U S T I N 16 Administrative Requirements Designate privacy official Conduct privacy training program Verification procedures Maintain policies and procedures for PHI Notice of privacy practices

17 S I D L E Y & A U S T I N 17 Business Partners Contractors providing services to covered entities - that utilize or share IIHI Business partner contracts must contain specific privacy provisions °Appropriate safeguards of records °Report any unauthorized disclosures to entity °Books and records available for inspection °Material breach by partner grounds for termination, constitutes violation by entity °Member/patient is third party beneficiary Extension of liability

18 S I D L E Y & A U S T I N 18 Rights of Individuals With the exception of treatment, payment or health care operations, most uses and disclosures are permitted only with authorization Individuals may revoke their authorization(s) May request restriction of uses and disclosures by providers Access to health information Amendment and correction of health information Accounting for disclosures of health information

19 S I D L E Y & A U S T I N 19 Protected Health Information Administrative Procedures Physical Safeguards Technical Security Services Technical Security Mechanisms Research and Marketing Research and Clinical Trials Marketing and Other Uses of Data Across Open Network Treatment, Payment and Operations Over Open Network Treatment, Payment and Operations Over Secure Network Patient Access, Correction, Accounting of Use Authentication Minimum Necessary Patient Authorization IRBEncryption Business Partner Agreement Anonymization The Intersection of Privacy and Security Standards

20 S I D L E Y & A U S T I N Security Requirements

21 S I D L E Y & A U S T I N 21 Security Standards

22 S I D L E Y & A U S T I N 22 Security Challenges Authentication of users/partners System vulnerabilities Web security Evolving technologies Failure to plan for growth No Internet reliability guarantees User privacy Confidentiality Integrity Availability

23 S I D L E Y & A U S T I N 23 Administrative Procedures Certification Chain of Trust Partner Agreement Contingency Plan Formal Mechanism for Processing Records Information Access Control Internal Audit Personnel Security Security Configuration Management Security Incident Procedures Security Management Process Termination Procedures Training

24 S I D L E Y & A U S T I N 24 Physical Safeguards Assigned Security Responsibility Media Controls Physical Access Controls Policy/Guideline on Workstation Use Secure Work Station Use Security Awareness Training

25 S I D L E Y & A U S T I N 25 Technical Security Services Access Control Audit Controls Authorization Control Data Authentication Entity Authentication

26 S I D L E Y & A U S T I N 26 Technical Security Mechanisms Required If Using Open Networks Alarm Audit trail Entity authentication Event reporting Integrity controls Message authentication Plus, At Least One of the Following: Access controls Encryption

27 S I D L E Y & A U S T I N HIPAA Compliance Framework

28 S I D L E Y & A U S T I N 28 Operation and Maintenance Assessment and Analysis Solution Implementation Solution Design and Development EVALUATE APPLY SUSTAIN FORMULATE EVALUATE Critical business and system functions FORMULATE Plans and solutions APPLY Solutions to process, data, and systems SUSTAIN Compliance through time HIPAA Lifecycle

29 S I D L E Y & A U S T I N 29 Health Care Organization HIPAA Steering Committee Project Office Privacy Work Group Departmental HIPAA Liaisons Security Work GroupTechnology Work Group Pro forma HIPAA Project Structure General Counsel Department 1

30 S I D L E Y & A U S T I N 30 Assessment and Analysis Solution Implementation Solution Design and Development Operation and Maintenance EVALUATE critical business and system functions across the enterprise to determine the actions required to achieve HIPAA compliance Phase 1: Assessment and Analysis Tasks Understand the existing environment Mission/vision Organization Strategic, Organizational and IT plans °Inventory existing systems and operations °Evaluate existing policies and procedures °Perform operational and technical reviews and assessments °Align HIPAA requirements against existing systems °Identify potential compliance gaps

31 S I D L E Y & A U S T I N 31 Assessment and Analysis Solution Implementation Solution Design and Development Operation and Maintenance FORMULATE plans and solutions to respond to HIPAA and business requirements identified in the Assessment and Analysis phase Phase 2: Solution Design and Development Tasks Identify both technical and non- technical solutions Evaluate effect on business partners Assess alternative approaches °Integration with Compliance Program °Consider outsourcing Identify risks and mitigation strategies Create prioritized project plans Identify resources required to complete plans

32 S I D L E Y & A U S T I N 32 Assessment and Analysis Solution Implementation Solution Design and Development Operation and Maintenance APPLY solutions developed to those business and system functions necessary to ensure compliance with HIPAA regulations Phase 3: Solution Implementation Tasks Implement communication strategy Execute project plans Perform testing and quality assurance Provide end user training

33 S I D L E Y & A U S T I N 33 Assessment and Analysis Solution Implementation Solution Design and Development Operation and Maintenance SUSTAIN a compliant environment through ongoing initiatives Phase 4: Operation and Maintenance Tasks Keep documentation current as changes occur °New systems and technology °Organizational (i.e., mergers and acquisitions) Periodically test system vulnerabilities Institutionalize ongoing HIPAA compliance

34 S I D L E Y & A U S T I N 34 Enterprise-wide planning Align HIPAA initiatives with corporate strategy(s) and integrate into operations Secure management support and awareness Leverage historic and on-going initiatives and accumulated knowledge (Y2K, E-Business, Business Transformation, etc..) Build HIPAA into existing change initiatives (do it once) Integrate with current Compliance Program activities Critical Success Factors Establish clear governance structure to manage complexities and interdependencies among business units and the technology, security and privacy requirements of HIPAA Ensure on-going communication channels for HIPAA specific initiatives Raise corporate awareness of HIPAA and its potential impacts on the origination and its stakeholders Incorporate HIPAA into existing compliance program

Download ppt "S I D L E Y & A U S T I N HIPAA and Your Compliance Program HCCA’s 2000 Compliance Institute New Orleans, Louisiana September 25, 2000."

Similar presentations

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.
H = P = A = HIPAA DEFINED HIPAA … A Federal Law Created in 1996 Health

H = P = A = HIPAA DEFINED HIPAA … A Federal Law Created in 1996 Health
Todd Frech Ocius Medical Informatics 6650 Rivers Ave, Suite 137 North Charleston, SC 29406 843-576-1426 Health Insurance Portability.

Todd Frech Ocius Medical Informatics 6650 Rivers Ave, Suite 137 North Charleston, SC Health Insurance Portability.
Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.

Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.
1 Health Insurance Portability and Accountability Act of 1996 IS&C Expo October 16 & 17, 2002 John Wagner Governor’s Office of Technology.

1 Health Insurance Portability and Accountability Act of 1996 IS&C Expo October 16 & 17, 2002 John Wagner Governor’s Office of Technology.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) 252-9321; Victoria Nemerson.

HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) ; Victoria Nemerson.
HIPAA Health Insurance Portability and Accountability Act.

HIPAA Health Insurance Portability and Accountability Act.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
Bringing HIPAA to Hospital Systems HIPAA impact on hospital systems viaMD solution for HIPAA compliance W e b e n a b l i n g Pa t i e n t A d m i t t.

Bringing HIPAA to Hospital Systems HIPAA impact on hospital systems viaMD solution for HIPAA compliance W e b e n a b l i n g Pa t i e n t A d m i t t.
HIPAA Administrative Simplification Final Rule for Transactions Code Sets Stanley Nachimson

HIPAA Administrative Simplification Final Rule for Transactions Code Sets Stanley Nachimson
Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna 412-396-4419.

Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna
Presented by the Office of the General Counsel An Overview of HIPAA.

Presented by the Office of the General Counsel An Overview of HIPAA.
B Healthcare HIPAA Overview February 2001. 2 What is HIPAA?  HIPAA is the Health Insurance Portability and Accountability Act of 1996 (PL 104-191) 

B Healthcare HIPAA Overview February What is HIPAA?  HIPAA is the Health Insurance Portability and Accountability Act of 1996 (PL ) 
ITEC 6324 Health Insurance Portability and Accountability (HIPAA) Act of 1996 Instructor: Dr. E. Crowley Name: Victor Wong Date: 2 Sept. 2004.

ITEC 6324 Health Insurance Portability and Accountability (HIPAA) Act of 1996 Instructor: Dr. E. Crowley Name: Victor Wong Date: 2 Sept
Virginia Department of Medical Assistance Services Presentation On HIPAA to the Virginia COTS PSA Workgroup Frank G Guinan Craig Goeller November 7, 2000.

Virginia Department of Medical Assistance Services Presentation On HIPAA to the Virginia COTS PSA Workgroup Frank G Guinan Craig Goeller November 7, 2000.
Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.

Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.

Similar presentations

Ads by Google