HIPAA Health Insurance Portability and Accountability Act

1
HIPAAHealth Insurance Portability and
Accountability Act

• Background Summary
• Signed to Federal Public Law in August 1996
• Task assigned to the Department of Health and
  Human Services - to impose Universal Standards
  for Privacy and protection of all Electronic
  Health information linked to individuals
• Effects ALL Hospital and Health Care Systems,
  Health Plans, Physician organizations, and Health
  Care Intermediaries
• Compliance is REQUIRED!
• Timeline for planning is NOW!

Santa Clara Valley Health Hospital System
2
Administrative Simplification - Objectives

• To reduce the administrative burden associated
  with the transfer of health information between
  organizations
• To increase the efficiency and cost-effectiveness
  of the health care system
• Adopts national uniform standards for Electronic
  Financial transactions and Code Sets, Unique
  Identifiers, Security and use of Electronic
  Signatures, and Privacy and Health Information
  Disclosure

Santa Clara Valley Health Hospital System
3
Administrative Simplification - Compliance Dates

• Notice of Proposed Rule Making (NPRM) Released in
  Aug. 2000, with effective implementation date of
  10/16/2002
• Financial Transactions
• Code Sets
• Notice of Proposed Rule Making (NPRM) Pending
  Releases estimated by the end of the Calendar
  Year 2000, with effective implementation dates of
  January 2003
• Unique Health Identifiers
• Security and Electronic Signatures
• Privacy and Health Information Disclosure
• Non-Compliance can include Civil and/or Criminal
  penalties, to be imposed starting Oct. 2002, with
  Organizational penalties up to 25,000 per
  standard violated per calendar year, or
  Individuals up to 250,000 and imprisonment up to
  10 years

Santa Clara Valley Health Hospital System
4
Unique Health Identifiers - Proposed

• Individual Identifier - Targeted to improve
  quality of care, allow for rapid identification
  practice, reduction of cost, promotes protection
  from fraud and abuse, and promotes prompt payment
  response
• EIN or Employer Identification number - taxpayer
  identification number assigned by IRS
• NPI or National Provider Identifier - under
  development and to be maintained by HCFA
• Health Plan PlanID- formerly known as PAYERID, to
  be assigned to all health plans

Santa Clara Valley Health Hospital System
5
Security Standards - Proposed

• Administrative Procedures - documents formal
  practices to manage security measures, protect
  data, and manage conduct of personnel (policies
  and procedures)
• Physical Safeguards - provide physical protection
  of equipment and equipment control (secure
  workstation and equipment areas, and internal and
  offsite data storage)
• Technical Security Services - processes to
  protect, control and monitor information access
  (employee termination procedures, user
  identification and authentication)
• Technical Security Mechanisms - technology to
  prevent unauthorized access to data transmissions
  (network and integrity controls, message
  authentication, and data encryption)

Note Adjunct to JCAHO, Science Applications
International Corporation (SAIC), has done a
preliminary security review, which provides a
starting roadmap
Santa Clara Valley Health Hospital System
6
Privacy Proposed -Focus on Patient Rights

• To receive a written notice of information
  practices of the entity, and must be posted in
  patient care areas
• To request information obtained in their health
  record
• To request amendments to inaccuracies or
  incomplete health records
• To lodge complaints about the entitys
  information practices
• To request limited disclosure of their health
  record
• To review historical log of disclosures

Santa Clara Valley Health Hospital System
7
Overall Impact

• Redefines how to access, transmit, store, and
  disclose health information
• Affects information technology infrastructure and
  all system applications
• Implement new business and information system
  policies and procedures
• Opportunity to streamline business operations and
  processes, and incorporate strategic initiatives
• First steps in making health care an e-business
• Reduce costs in the long-term

Santa Clara Valley Health Hospital System
8
Financial Impact

• Estimated costs not fully clarified, but is
  expected to range from two to three times that of
  Y2K (limited to first three years of program)
• System application upgrades and data base
  conversions
• Potential use of electronic clearinghouses
• Integration of security technologies, such as
  encryption
• Historical access logs and audit controls
• Resources to create, monitor and maintain
  security access
• Develop new security and privacy policies and
  procedures
• Policy education to all employees and staff
  members
• Develop sanctions for violations
• Legal contract review and revisions
• New technologies and systems

Santa Clara Valley Health Hospital System
9
Phase 1 - Timeline Starts NOW!

• Create HIPAA Awareness Program
• Assign HIPAA Coordinator
• Create HIPAA Compliance Steering Committee
• Build Vendor and Business Partner Relationships
• Identify Impact Departments
• Review ANSI ASC X12 Technology
• Create HIPAA Compliance Work plan
• Develop Budget Estimates
• Incorporate Strategic Initiatives
• Perform Risk Analysis and Degree of Threat

Santa Clara Valley Health Hospital System
10
Phase 2 - Security Privacy Policy

• Assign Security Officer
• Formalize Security Organization
• Organizational Policy and Procedure Assessment
• Develop processes to address Patient Rights and
  individual health data disclosure policy
• Develop privacy training programs for Employees
• Develop sanctions for violations
• Review Contracts and develop standard provisions
• Research security technologies

Providers must give notice to each patient at
first service after effective date, and post copy
of notice
Santa Clara Valley Health Hospital System
11
Phase 3 - Implementation Preparation

• Develop an implementation schedule for adopting
  each standard
• Coordinate schedules with Business Partners
• Work with Vendors on support of multiple
  versions/releases of the standards
• Provide staff with instructional materials to aid
  implementation
• Develop an information system compliance program
  which includes security technologies

Santa Clara Valley Health Hospital System
12
Expected Outcome

• Expect savings to exceed costs by the fourth year
  of the program -estimate overall net savings of
  16.7 billion from 2001-2011
• Lower cost of software development and
  maintenance since software works with all payers
  and plans
• Improves the Medicare and Medi-Cal Programs, as
  well as overall effectiveness of the health care
  system
• Lower cost of administrative transactions by
  eliminating time and expense of handling paper
• Cost-effective, uniform, fair, and confidential
  health information practices
• Promotes accuracy, reliability and usefulness of
  the information shared

Santa Clara Valley Health Hospital System
13
HHC Considerations

• Potential Funding Requests and Budget
  Augmentation for FY 01/02 for FTEs and
  Professional Services Support
• Capital Costs for software/hardware FY 01/02
• HHS Steering Committee being formed
• County Counsel participation requested

Santa Clara Valley Health Hospital System