Title: HIPAA and the States Critical Issues
1 HIPAA and the States: Critical Issues Compliance Strategies
- Presented by
- Robert J. Burns
- National Governors Association
- Center for Best Practices
Regional Technical Assistance Meetings
Substance Abuse and Mental Health Services Administration
April 18, 2002 Phoenix, AZ
May 2, 2002 Atlanta, GA
May 16, 2002 Chicago, IL
June 20, 2002 Boston, MA
2 About NGA
- Professional association of, by, and for the nation's Governors
- Nonpartisan
- Unique relationship with Governors/States
- Organization
- NGA Committee (voice in DC)
- NGA Center for Best Practices (technical assistance to states)
3 FY2002 Budget Overview
- Revenue nearly 4 percent below expectations
- By end of June, shortfall will reach 40 to 50 billion (4 to 5 percent of total state budgets)
- Post-9/11 activities responsible for 5 to 7 billion in state costs
4 How States Are Coping
- First tier cuts: hiring freezes, delaying new capital projects, delaying payments, salary freezes
- Recent tier cuts: across-the-board slashes, halting road projects, eliminating new and some existing programs, some job cuts
5 Revenue Enhancements
- Few states calling for tax increases
- IN (cigarettes, gambling)
- KS (fuel, sales, cigarettes)
- Some tax cuts postponed (FL, MD)
- Other revenue sources tapped
- Rainy day funds (drained)
- Some bonds (borrowing at record levels)
- Lottery funds
6 Top Gubernatorial Priorities
- Bolstering Homeland Security
- Fostering Economic Recovery
- Maintaining Education Initiatives
- Containing Health Care Costs
7 Top State Health Priorities
- Containing Pharmaceutical Costs
- Medicaid Reform
- Enhancing waiver authority
- Overall reform
- Emerging Issues
- Workforce
- Malpractice
- HIPAA compliance
8 Why Just Now Emerging?
- Legally Complex
- PHI definitions
- Covered entities, business associates, trading partners
- Minimum amount necessary, reasonable efforts
- Preemption, exemptions
- Technically Complex
- Transactions, codes, identifiers, data format
- Electronic data interchange
- Poor Guidance
- CMS underestimated Medicaid costs
- No data on fiscal impact outside Medicaid
- Program differences among states
9 Regulation Status

| Rule | Proposed Rule | Final Rule | Compliance Deadline |
|---|---|---|---|
| Privacy | 11/99 | 8/02 | 4/03 |
| Security | 8/98 | | |
| Transactions and Codes | 5/98 | 10/00 | 10/02 |
| National Provider Identifier | 5/98 | | |
| Health Plan Identifier | | | |
| Employer Identifier | 6/98 | 7/02 | 7/04 |
| Enforcement | | | |

Notes:
- Small health plans have one additional year following this date to be compliant.
- HHS proposed modifications to the privacy rule on March 27, 2002. The modifications were finalized on August 14, 2002. The compliance deadline will not change.
- The compliance deadline may be extended by one year if a compliance plan is submitted to HHS before October 16, 2002. Small health plans are not eligible for the conditional extension.
10 The Ripple Effect
- Community-based providers (safety net)
- Public hospitals/clinics
- Mental health facilities
- Substance abuse treatment centers
- State/local health departments
- Academic medical/research centers
- Organ donation
- Law enforcement and corrections (coroners, medical examiners)
- School-based health programs (immunizations, dental)
- SAPT-funded programs
- MCH programs (Title V)
- HIV/AIDS (Ryan White)
- TANF-funded programs
- State employee benefits
- Workers' compensation
- Health policy offices
11 HIPAA Cost Estimates
Medicaid Non-Medicaid
California 100 million
Pennsylvania 50-200 million 50-200 million
Indiana 160 million
12 Critical Issues
- Liability
- Privacy and Security
- Lawsuits
- Civil, criminal penalties
- Operational Disruption
- Electronic Transactions Codes (and Identifiers)
- Enrollment, eligibility, billing, payment, etc.
- Reporting, budgeting, research, etc.
- Funding
13 Compliance Strategies
- Oversight commission or committee
- Governor's office
- Budget Director, State CIO
- Attorney General, General Counsel
- Directors of affected (or likely affected) agencies
- Designated HIPAA office
- Medicaid agency
- Privacy or IT office
- Special project office (HIPAA-specific)
- Leadership (and authority)
- Specialty workgroups
- Multi-year business plan
14 North Carolina: HIPAA Statewide Assessment Team
- Collaborative Leadership
- Oversight committee
- Centralized Management
- Housed within DHHS
- Decision Making Authority
- Legislature
- Governor
- Budget director, IT office
- Clear Mission
- Assess statewide impact
- Build awareness
- Develop strategic plan, compliance tools
- Coordinate state activities
15 New York: Central HIPAA Coordination Project
- Collaborative Leadership
- Steering Committee
- Centralized Management
- Led by IT office
- Decision Making Authority
- Governor
- Budget director
- Agency directors
- Clear Mission
- Assess statewide impact
- Build awareness
- Develop compliance tools
- Provide technical support
16 Ohio: Engagement Management Structure
- Collaborative Leadership
- Governor, Cabinet
- Centralized Management
- Deputy Directors Team
- Decision Making Authority
- Governor
- Agency Directors
- Clear Mission
- Assess statewide impact
- Build awareness
- Develop strategic plan, compliance tools
- Coordinate state activities
17 Public-Private Partnerships
- Hawaii HIPAA Readiness Collaborative
- New Hampshire Vermont Strategic HIPAA Implementation Plan (NHVSHIP)
- North Carolina Healthcare Information and Communications Alliance (NCHICA)
- Southern HIPAA Administrative Regional Process (SHARP)
- Washington State HIPAA Partnership
18 Impact Assessment Tools
- Covered Entity Screening Tools
- Covered Entity Screening Tool (OH)
- HIPAA Impact Assessment (NY)
- Organizational Impact Assessments
- HIPAA Awareness Self-Assessment Checklist (WA)
- HIPAA Facilities Checklist (CA)
- A Guide to Privacy Readiness (MD)
- HIPAA EarlyView Privacy (NC)
- Business Information Flow Assessment (NC)
- Electronic Data Interchange Assessment (NC)
19 Model Forms Educational Materials
- Business Associate Agreement (OH)
- Patient Consent/Authorization Form (OH)
- Monthly HIPAA Newsletter (NC)
- HIPAA Awareness Brochure (OH)
20 Kentucky: Cabinet-Level Awareness Survey
- Developed by Governor's Office for Technology
- Cabinet Awareness
- Cabinet Impact
- Costs, budget needs
21 Building Support Awareness
- Difficult to estimate implementation costs
- Initially, costs will exceed savings
- Systems remediation signals that administrative simplification is like Y2K, just another technical problem
- Business transformation implies that a greater commitment of resources is needed
22 NGA Center Activities (www.nga.org/center)
- Issue Brief (HIPAA)
- Executive-level technical assistance meeting (late summer)
- Internet broadcast (fall)
- State-specific technical assistance (via Governor's office)
23 NGA Center for Best Practices (www.nga.org/center)
- Robert J. Burns
- Policy Analyst
- Health Policy Studies Division
- National Governors Association
- Center for Best Practices
- 444 North Capitol Street, Suite 267
- Washington, DC 20001-1512
- (202) 624-7729
- fax (202) 624-5313
- email rburns_at_nga.org