MidAtlantic Health Initiative - PowerPoint PPT Presentation

Transcript and Presenter's Notes



1
Mid-Atlantic Health Initiative
2
Mid-Atlantic Health Initiative (MAHI)
  • HIPAA 101
  • Washington, D.C.
  • October 18, 2002
  • Tom Sadauskas, FHFMA, CHE, CPA
  • Northrop Grumman Information Technology

3
The New Rules of the Game
  • The Health Insurance Portability and
    Accountability Act of 1996 (HIPAA)
  • History of HIPAA and Administrative
    Simplification
  • Covered Entities
  • Standard Transactions
  • Code Sets
  • Identifiers
  • Privacy
  • Security
  • Implementation
  • Compliance
  • HIPAA Web Sites

4
eHealth HIPAA
  • What if...
  • Payment occurred when treatment was delivered
  • Test orders and results were available online for
    all tests
  • Data errors were drastically reduced
  • Patients could query practitioners and plans
    online
  • All health information systems were interoperable

5
HIPAA Value Proposition
  • Cost-effective interoperable infrastructure
  • Standard
  • Reliable and secure
  • One-time core infrastructure
  • Strategic investment
  • Customer and partner confidence
  • More accountable

6
History
  • Health Insurance Portability and Accountability
    Act (HIPAA) - P.L. 104-191 signed into law by
    President Clinton on August 21, 1996
  • Kennedy-Kassebaum Bill (K2) or Kassebaum-Kennedy
    depending upon your party affiliation
  • House of Representatives passed it 421-2
  • Senate passed it unanimously
  • Legislation had multiple goals, including:
  • Improve portability and continuity of health
    insurance coverage in the group and individual
    markets
  • Combat waste, fraud, and abuse in health
    insurance and health care delivery (HIPDB
    created)
  • Simplify the administration of health insurance
  • (Subtitle F - Administrative Simplification)

7
Administrative Simplification
  • Subtitle F - Administrative Simplification
    provisions
  • EDI transaction standards
  • Standardized code sets
  • Standardized identifiers - employers, health
    plans, providers and individuals
  • Privacy legislation or regulations
  • Security standards
  • Eventual standards for an electronic medical
    record
  • Intention is to reduce the costs and
    administrative burdens of health care by making
    possible the standardized, electronic
    transmission of many administrative and financial
    transactions that are currently carried out
    manually on paper and the adoption of security
    and privacy standards appropriate for the
    protection of individually identifiable health
    care information.

8
Covered Entities
  • A health plan: an individual or group plan that
    provides, or pays the cost of, medical care (PHS
    Act). Health plan includes, when applied to
    government funded programs, the components of the
    government agency administering the program.
    Health plan includes the following, singly or in
    combination:
  • Group health plan
  • Health Insurance Issuer
  • HMO
  • Part A or Part B Medicare
  • Medicaid
  • Issuer of a Medicare Supplemental Policy
  • Issuer of a Long-Term Care Policy (excluding a
    nursing home fixed indemnity policy)

9
Covered Entities
  • Health plan (continued)
  • Health Care Programs for Active Military
    Personnel
  • Veterans Health Care Programs
  • Civilian Health and Medical Program
  • Indian Health Service
  • Employee Welfare Benefit Plan
  • Federal Employees Health Benefit Program
  • State Child Health Plan
  • Medicare+Choice
  • Any other individual or group plan, or
    combination of individual or group plans, that
    provides or pays for the cost of medical care
    (PHS Act)

10
Covered Entities
  • (2) A health care clearinghouse: a public or
    private entity that does either of the following:
  • Processes or facilitates the processing of
    information received from another entity in a
    nonstandard format or containing nonstandard data
    content into standard data elements or a standard
    transaction.
  • Receives a standard transaction from another
    entity and processes or facilitates the
    processing of information into nonstandard format
    or nonstandard data content for a receiving
    entity.

11
Covered Entities
  • (3) A health care provider who transmits any
    health information in electronic form in
    connection with a standard transaction referred
    to in Section 1173(a)(1).

12
Standard Transactions
  • Health claims or equivalent encounter
    information.
  • Health Care Claim (837)
  • NCPDP v5.1 Telecommunications & v1.1 Batch
  • Enrollment and disenrollment in a health plan.
  • Benefit Enrollment and Maintenance (834)
  • Eligibility for a health plan.
  • Health Care Eligibility / Benefit Inquiry (270)
  • Health Care Eligibility / Benefit Information
    (271)

13
Standard Transactions
  • Claim Payment
  • Health Care Claim Payment/Advice (835)
  • Health Premium Payment (820)
  • Health claim status.
  • Health Care Claim Status request (276)
  • Health Care Claim Status Notification (277)
  • Referral certification and authorization.
  • Health Care Service Information (278)
  • Health claim attachments
  • Additional Health Claim Information (275)

14
Standard Transactions
  • Other Standards for voluntary use (not mandated
    yet)
  • Health Care Benefit Coordination of Benefits
    Verification (269)
  • Unsolicited Eligibility Roster (271)
  • Unsolicited Health Care Claim Status (277)
  • Provider Information (274)
  • Services review notification (278)
  • Healthcare Data Reporting Services (837 R)

15
Standard Transactions
  • On October 16, 2000 the Final Rule for Electronic
    Transactions became effective with a compliance
    date of October 16, 2002.
  • This rule adopts standards for eight electronic
    transactions and for the code sets to be used in
    those transactions. It also contains requirements
    concerning the use of these standards by health
    plans, health care clearinghouses, and certain
    health care providers.

16
ASCA
  • Administrative Simplification Compliance Act
    (ASCA) (P.L. 107-105) signed into law
    December 27, 2001
  • Allowed Covered Entities to submit a plan to DHHS
    by NLT October 15, 2002 and request a one-year
    extension until October 16, 2003 for
    meeting EDI rules
  • Testing of EDI transactions must begin NLT April
    16, 2003
  • April 2003 Privacy Rule deadline NOT extended
  • Requires all Medicare claims to be submitted
    electronically in standard format after October
    16, 2003
  • Small provider waiver: service providers <25
    FTEs and physicians, practitioners, facilities or
    suppliers <10 FTEs
  • Small provider waiver is NOT an exemption from HIPAA
    Privacy or Security Rules

17
Transactions NPRMs
  • Transaction Addenda NPRM published May 2002
  • Modifications to the HIPAA Standard
    Implementation Guides
  • Clarifications on the final rule
  • Typos Corrected
  • NDC NPRM published May 2002
  • The codifying of national drugs
  • J-Codes are being proposed to be used in
    conjunction with the pharmacy NDC codes.
  • NPRM: Notice of Proposed Rule Making

18
Code Sets
  • DHHS has the authority to specify what data
    coding schemes can be used in the health care
    transactions.
  • Medical Code Sets Defined by the Transactions
    final rule (FR p. 50370)
  • International Classification of Diseases, 9th
    Edition, Clinical Modification, Vol. 1 & 2
    (ICD-9-CM)
  • International Classification of Diseases, 9th
    Edition, Clinical Modification, Vol. 3 (ICD-9-CM
    including the Official ICD-9-CM Guidelines for
    Coding and Reporting)
  • National Drug Code (NDC)
  • Code on Dental Procedures and Nomenclature (CDT-3)

19
Code Sets
  • The combination of Health Care Procedure Coding
    System (HCPCS) and Current Procedural
    Terminology, 4th Edition (CPT-4), for physician
    services and other health care services.
  • The Healthcare Common Procedure Coding System
    (HCPCS) for all other substances, equipment,
    supplies, or other items used in health care
    services.
  • NO MORE LOCAL CODES - Eliminates Level 3 HCPCS

20
Identifiers
  • National Employer ID
  • This final rule, published May 31, 2002 with
    an effective date of July 1, 2002, has been the
    least controversial of the NPRMs released so far.
  • Intended to uniquely identify:
  • Employers
  • Benefit Sponsors
  • And others who use electronic exchanges to enroll
    members in health plans and to pay benefit
    premiums.

21
Identifiers
  • National Health Plan ID
  • This NPRM has not been released yet.
  • Intended to uniquely identify:
  • Medicare part A contractors
  • Medicare part B contractors
  • Medicaid Programs
  • HMOs
  • Private Health Plans
  • Commercial Health Plans
  • Intentions are that there would be a national
    payer registry, a payer database, and
    documentation on its use.

22
Identifiers
  • National Provider ID (NPI)
  • The NPRM (published on May 7, 1998) proposed a
    data-less 8-position alphanumeric identifier,
    with a check digit in the eighth position.
  • Likely final NPI will be a ten-digit, all-numeric
    identifier
  • Identifier itself not include any information
    about practice locations
  • Data in this national database be limited to the
    minimum needed to support the enumeration
    activities, and not include any credentialing or
    sanctions data.
  • Enumerating process be placed outside the Federal
    Government.

23
Identifiers
  • Individual ID
  • This NPRM has not been released yet. This is the
    most controversial of the identifiers by far.
    Congress requires additional Congressional
    approval of any proposed individual
    identification plan. An anticipated Notice of
    Intent (NOI) on this initiative has been put on
    hold, additional hearings have been indefinitely
    postponed, and there is no currently available
    estimate of when or whether this initiative will
    get back on track. Therefore, this identifier's
    future is not certain. This is as far as most
    industry and political participants see for this
    identifier.

24
Privacy
  • Final Rule became effective on April 14, 2001
    with a compliance date of April 14, 2003.
  • Definitions
  • Individually Identifiable Health Information
    (IIHI): any information, including demographic
    information collected from an individual, that:
  • Is created or received by a HIPAA Covered Entity
  • Relates to the past, present, or future physical
    or mental health condition of an individual, the
    provision of health care to an individual or the
    past, present, or future payment for the
    provision of health care to an individual
  • Identifies an individual
  • There is a reasonable basis to believe that the
    information can be used to identify the
    individual.
  • Patient Consent: voluntary agreement to
    conditions of use, storage, and disclosure of
    information (Internal)

25
Privacy
  • Definitions
  • Patient Authorization: voluntary agreement to
    conditions of use, storage and disclosure of
    information beyond that set forth in the notice
    (External) for a specified period of time.
  • Chain of Trust: A pattern of agreements that
    extend protection of health care data by
    requiring that each covered entity that shares
    health care data with another entity require that
    that entity, in turn, require that any other
    entities with which it shares the data satisfy
    the same requirements.
  • Business Associate: Not part of the covered
    entity's workforce but performs or assists in the
    performance of a function or activity involving
    the use or disclosure of IIHI, including claims
    processing or administration, data analysis,
    processing or billing, benefit management,
    practice management, and repricing or any other
    function or activity regulated by this
    subchapter; or provides legal, actuarial,
    accounting, consulting, data aggregation,
    management, administrative, accreditation, or
    financial services.

26
Privacy
  • Definitions
  • Trading Partner: While a Business Associate is
    an entity that performs certain business
    functions for a covered entity, a Trading Partner
    is an external entity, such as a customer, that
    does business with the covered entity. This
    relationship can be formalized via a Trading
    Partner Agreement. It is possible to be a
    Trading Partner of a covered entity for some
    purposes and a Business Associate of the same
    covered entity for other purposes.
  • Disclosure to a Business Associate: A covered
    entity may disclose protected health information
    to a business associate and may allow a business
    associate to create or receive protected health
    information on its behalf, if the covered entity
    obtains satisfactory assurance that the business
    associate will appropriately safeguard the
    information.

27
Privacy
  • Definitions
  • Info on Deceased Persons: If under applicable
    law an executor, administrator, or other person
    has authority to act on behalf of a deceased
    individual or of the individual's estate, a
    covered entity must treat such person as a
    personal representative, with respect to
    protected health information relevant to such
    personal representation.
  • Protected Health Information: IIHI
  • Transmitted or maintained with/by electronic
    media
  • Excluded:
  • Educational records covered by FERPA (FR p.
    82805)
  • Other records as described in 20 U.S.C.
    1232g(a)(B)(iv).

28
Privacy
  • Administrative Requirements
  • Designation of a Privacy Official
  • Training
  • Safeguards
  • Internal Complaint Process
  • Sanctions for employees who do not comply
  • Duty to mitigate
  • Patient Rights
  • Patients are entitled to adequate notice about
    how their IIHI will be routinely used, stored,
    and disclosed
  • Written notice of information practices
  • Access for inspections and copying
  • Accounting of disclosures
  • Amendment and correction
  • The right to say no

29
Privacy
  • Disclosure Conditions
  • Minimum Necessary use and disclosure
  • Not to use or disclose more than the minimum
    amount of information necessary to accomplish the
    intended purpose of the use or disclosure taking
    into consideration practical and technological
    limitations
  • Does not apply to:
  • Requests from a patient
  • Releases of information required by law to
    government entities
  • Uses or disclosures requested for audit and
    related purposes
  • Patient right to restrict uses and disclosures
  • Application to business partners
  • Application to information about deceased persons
  • Adherence to the notice of information practices

30
Privacy
  • Disclosure Conditions
  • Creation of de-identified information
  • Covered entities may use and disclose
    de-identified information in any way provided the
    covered entity reasonably believes the
    information will not result in the use or
    disclosure of protected health information.
  • Allowed information
  • Age with dates limited to a year
  • Age over 90 aggregated
  • Aggregated three-digit ZIP codes to include at
    least 20K people
  • Gender, race, ethnicity, marital status

31
Privacy
  • Disclosure Conditions
  • Creation of de-identified information
  • Information Not Allowed
  • Names
  • All geographic locations
  • All elements of Date (except year) for dates
    directly related to an individual.
  • Electronic mail addresses
  • Social Security Numbers
  • Medical Record Numbers
  • Health Plan Beneficiary Numbers
  • Account Numbers
  • Certificate or License Numbers
  • Vehicle identifiers
  • Device identifiers and serial numbers
  • Web URLs

32
Privacy
  • Disclosure Conditions
  • Creation of de-identified information
  • Information Not Allowed (cont'd)
  • IP Addresses
  • Biometric Identifiers
  • Full face photographic images and any comparable
    images
  • Any other unique identifying number,
    characteristic, or code
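
The allowed and not-allowed lists on slides 30-32 map onto an allowlist transform: build the output only from permitted fields and generalize dates, ages and ZIP codes. The Python below is an added example, not part of the original presentation; the field names, sample records and ZIP population table are assumptions constructed for illustration, and ages of 90 and up are bucketed as the conservative reading of "Age over 90 aggregated".

```python
from datetime import date

# Assumed field names for this example; real schemas will differ.
PASS_THROUGH = ("gender", "race", "ethnicity", "marital_status")
DATE_FIELDS = ("admission_date", "discharge_date")
MIN_ZIP3_POPULATION = 20_000  # slide 30: ZIP3 area must include at least 20K people
AGE_BUCKET_FROM = 90          # ages from here up are reported as one bucket

# Constructed population table keyed by three-digit ZIP prefix.
ZIP3_POPULATION = {"200": 650_000, "036": 12_000}

# Constructed sample records (no real individuals).
SAMPLE_A = {
    "name": "Jane Doe", "ssn": "000-00-0000", "email": "jane@example.org",
    "medical_record_number": "MRN-0001", "ip_address": "192.0.2.10",
    "zip": "20001", "birth_date": date(1910, 3, 2),
    "admission_date": date(2002, 10, 18),
    "gender": "F", "marital_status": "widowed",
}
SAMPLE_B = {
    "name": "John Roe", "medical_record_number": "MRN-0002",
    "zip": "03601", "birth_date": date(1960, 12, 25),
    "discharge_date": date(2002, 9, 30), "gender": "M",
}


def age_on(birth, as_of):
    """Whole years elapsed between birth and as_of."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    return as_of.year - birth.year - (0 if had_birthday else 1)


def deidentify(record, as_of, zip3_population):
    """Build a new record from an allowlist; unhandled fields are dropped."""
    out = {f: record[f] for f in PASS_THROUGH if f in record}

    # Dates tied to the individual are reduced to the year only.
    for field in DATE_FIELDS:
        if record.get(field) is not None:
            out[field.replace("_date", "_year")] = record[field].year

    # Birth date is never copied; it becomes an age, bucketed at the top.
    birth = record.get("birth_date")
    if birth is not None:
        age = age_on(birth, as_of)
        out["age"] = "90+" if age >= AGE_BUCKET_FROM else age

    # Keep only the 3-digit ZIP prefix, and only for populous areas.
    zip3 = str(record.get("zip", ""))[:3]
    if len(zip3) == 3 and zip3_population.get(zip3, 0) >= MIN_ZIP3_POPULATION:
        out["zip3"] = zip3
    return out


def leaks(record, cleaned):
    """Raw values of non-pass-through fields that survive verbatim."""
    cleaned_values = {str(v) for v in cleaned.values()}
    return sorted(
        str(v) for k, v in record.items()
        if k not in PASS_THROUGH and str(v) in cleaned_values
    )


if __name__ == "__main__":
    as_of = date(2002, 10, 18)
    for rec in (SAMPLE_A, SAMPLE_B):
        cleaned = deidentify(rec, as_of, ZIP3_POPULATION)
        print(cleaned, "leaks:", leaks(rec, cleaned))
```

Because the output is built from an allowlist, a new identifier column added to the source data is dropped by default instead of passing through unnoticed.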

33
Privacy
  • Authorization Requirements
  • Authorization is required for purposes other than
    Treatment, Payment, or Health Care Operations
    (TPO).
  • Authorization is NOT required for:
  • Health oversight activities
  • Public Health activities
  • Judicial and Admin Procedures
  • Law Enforcement
  • Individual requested access to own info
  • CE Data for enforcement of Security and Privacy
    policies that implement HIPAA
  • Governmental health data systems
  • Disclosure for directory information
  • Disclosure for banking and payment processes
  • Uses and disclosure for research, emergency
    circumstances, next-of-kin, and as required by
    other laws.

34
Privacy
  • State Laws are preempted except:
  • State Laws relating to the privacy of
    individually identifiable health information that
    are more stringent than the federal requirements
    (HIPAA sets a minimum federal floor for privacy)
  • State laws that the Secretary of DHHS determines
    are necessary for certain purposes such as fraud
    and abuse, insurance regulations, public health
    and safety, and controlled substances
  • Certain reporting, surveillance, investigation,
    and intervention requirements; and
  • Health plan auditing, licensure, and oversight.

35
Security
  • NPRM published Aug. 12, 1998.
  • Security is the "How to Protect" and Privacy is
    the "What to Protect."
  • Applies to Covered Entities who:
  • electronically maintain or transmit any health
    information pertaining to an individual

36
Security
  • What is to be secured?
  • Personal Workstations
  • Enhanced Access controls
  • Enhanced Audit Trails
  • Inside Secure Network Data at Rest
  • Secure Networks
  • Secure Sign-on
  • Secure VPN
  • Data in Motion with persistence
  • CAs, PKI, Trustdata, Others (UPS, FedEx)
  • DRM and the hope for PHI

37
Security
  • Electronic Signatures (rumored to be removed from
    the final rule and an additional NPRM to be
    issued specifically for electronic signatures)
  • Electronic Signature
  • Digital Signature
  • Certificate Policies
  • Certification Authorities
  • Electronic Medical Records

38
HIPAA Security Matrix
  • Administrative Safeguards
  • Certification
  • Chain of trust
  • Contingency planning
  • Formal Record processing mechanisms
  • Information access controls
  • Internal Audit
  • Personnel security
  • Security configuration management
  • Security incident process
  • Security management process
  • Termination procedures
  • Training
  • Physical safeguards
  • Assigned security responsibility
  • Media controls
  • Physical access controls
  • Policy/guideline on workstation use
  • Secure workstation location
  • Security awareness training
  • Technical Security Services (Data at Rest)
  • Access controls
  • Audit controls
  • Authorization controls
  • Data authentication
  • Entity authentication
  • Technical Security Mechanisms / Communications/network
    controls (Data in Motion)
  • Digital Signature (optional)

39
Timetable for Adoption of Standards
40
Implementation
  • Strategic National Implementation Process
  • Provide forum for discussion of HIPAA issues
  • Recommend sequence EDI schedule
  • Identify security / privacy tools
  • Coordinate industry recommendations
  • Education
  • Awareness
  • Best Practices discussions
  • Support of State & Regional efforts
  • http://snip.wedi.org

41
Implementation
  • Implementation Steps
  • Designate management sponsor for EDI Team
  • Become familiar with ANSI X12N Standards
  • Download implementation guides
  • Inventory data repositories
  • Determine financial resources needed to become
    compliant
  • Identify payers, providers, and clearinghouses your
    organization deals with and determine how and
    when they will begin accepting/sending standard
    formats and code sets.
  • Develop an implementation strategy: start with
    most complex claims
  • Discuss migration plan to new standard: testing,
    target dates, contingency plans.
  • Derived from the AHA's Executive Checklist for
    Transactions, Identifiers, Code Sets
  • Hospitals & Health Networks, December 2000.

42
Implementation
  • Implementation Steps
  • Evaluate business unit modifications to
    procedures for compliance and effective
    implementation.
  • Inventory current business associate arrangements
    (particularly for methods to handle and dispose
    of received info.)
  • Review & adjust letters of agreement and
    contracts with business associates to reflect
    mandated criteria for info use.
  • Review business process and workflow modeling.
  • Continuously test and adjust as applications
    change internal & external interfaces.
  • Derived from the AHA's Executive Checklist for
    Transactions, Identifiers, Code Sets
  • Hospitals & Health Networks, December 2000.

43
Implementation
  • Issues
  • Getting There
  • Incomplete definitions/interpretations
  • Incomplete Identifiers
  • Code Set Inadequacies
  • Data source issues
  • Interim solutions have a way of becoming long term
  • Direct Entry vs. Legacy Integration
  • Internet Data Entry (Quick Solution) Payer
    Provided?
  • EDI content, format, identifiers and Secure
    transmissions?
  • Lack of Integration with provider systems

44
Implementation
  • Issues
  • Communication Technologies
  • Mixing communication links
  • Authentication & Verification
  • Role of Clearinghouse
  • Legacy Integration
  • Ideal Vendor provides compliant solution
    (native ability to send/receive EDI).
  • Internal transformational systems
  • Claim Scrubber Software
  • Interface engine (HIE, STC, SMS, etc.)
  • Indexing engine (HIE, STC, etc.)
  • E-commerce engine (Mercator, Sybase, etc.)
  • External transformational systems
  • Clearinghouses (Envoy, NDC, etc.)
  • ASP delivered solutions

45
Implementation
  • Issues
  • Cost of EDI
  • Training
  • Remediation (if necessary)
  • Environmental upgrades
  • Implementation
  • AHA estimate of $22 billion is for privacy &
    security. Has anyone really validated costs of
    all?
  • Transaction Fees (ongoing?)
  • Return on Investment
  • Who defines reasonable communications costs?
  • Budget realities for all healthcare entities

46
HIPAA Compliance
  • Compliance
  • The Secretary may conduct compliance reviews to
    determine whether covered entities are complying
    with the applicable requirements of this part 160
    and the applicable standards, requirements, and
    implementation specifications of subpart E of
    part 164 of the subchapter. (Privacy Rule FR p.
    82820)
  • Enforcement
  • The privacy regulation is to be enforced by the
    DHHS Office for Civil Rights, which will provide
    assistance to providers, plans, and health care
    clearinghouses in meeting the requirements of the
    regulations. (From the DHHS Privacy Fact Sheet)

47
HIPAA Compliance
  • Penalties
  • Prohibits health plans from refusing to process,
    or from delaying processing of, a transaction
    that is presented in standard format (Section
    1175).
  • Civil Monetary penalties for violation of the
    provisions, subject to several limitations.
    Penalties may not be more than $100.00 per person
    per violation and not more than $25,000 per
    person for violations of a single standard for a
    calendar year (Section 1176).
  • Criminal penalties for any person that knowingly
    uses a unique health identifier, or obtains or
    discloses IIHI. Subject to fines up to $250K and/or
    imprisonment up to 10 years (Section 1177).

48
HIPAA Web Sites
  • WEDI/SNIP
    http://snip.wedi.org
  • AFEHCT
    http://www.afehct.org
  • HL7
    http://www.hl7.org
  • Washington Publishing Company
    http://www.wpc-edi.com
  • NCPDP National Council for Prescription Drug
    Programs
    http://www.ncpdp.org
  • MAHI
    http://www.mahicentral.org

49
HIPAA Web Sites
  • Health Privacy Project
    http://www.healthprivacy.org
  • CMS (formerly HCFA)
    http://www.cms.gov
  • DHHS HIPAA Web Site
    http://aspe.os.dhhs.gov/adminsimp/
  • P.L. 104-191 (HIPAA)
    http://aspe.hhs.gov/admnsimp/pl104191.htmSubtitle
  • P.L. 105-107 (ASCA)
    http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ105.107.pdf

50
Questions?
  • Questions?