1
HIPAA
Health Insurance Portability and Accountability Act
Budgeting Effectively for Good Faith Compliance
2
Through HIPAA, Congress intended to:
Overcome “job lock” – the reluctance of moving from one company to another for fear of losing health insurance
Increase portability and access to health insurance
Simplify health care administration
3
The Result of HIPAA was:
Administrative Simplification = Uniformity of Electronic Transactions
Standardized Electronic Transactions Highlighted the Need for:
- Patient Privacy
- Records Security
4
IMPACT
Patient Privacy / Records Security
Significant Increases in Operating Costs
U.S. Dept. of Health & Human Services estimates the industry cost for privacy compliance alone at $3.8 billion. The American Hospital Association estimates the cost of compliance at $22.5 billion over five years.
5
PENALTIES FOR NONCOMPLIANCE
General Penalty for Failure to Comply
- Each violation: $100.
- Maximum penalty for violations per standard may not exceed $25,000.
Wrongful Disclosure of Individual Health Information
- Basic offense: $50,000, imprisonment of not more than one year, or both.
- False Pretenses: $100,000, imprisonment of not more than 5 years, or both.
- Intent to Sell: $250,000, imprisonment of not more than 10 years, or both.
6
Establishing a “Good Faith” Compliance Effort
- Written compliance program/policies
- Employee training
- Revise vendor contracts
- Audit security procedures and upgrade as necessary
7
Covered Entities
All health care providers and health plans are required to implement the standardized transactions and to comply with the new privacy and security rules.
Employer group health plans with more than 50 participants are included.
8
Elimination of Local Codes
Seven Required Standardized Transactions
Parties: Provider, Payer, Plan Sponsor
- Patient Info / Eligibility Request (270)
- Response to Eligibility (271)
- Enrollment Information (834)
- Authorizations & Referrals (Review Request 278)
- Authorizations & Referrals (Response 278)
- Claims/Encounter (Claim 837; Attachment 275 not yet mandated; Attachment Request 276 not yet mandated)
- Claim Status (Request 276)
- Claim Status (Response 277)
- Claim Payment (Remittance Advice 835)
- Premium Payment (820)
Plan sponsors do not have to transmit information electronically. However, if they submit standard transactions 834 or 820, payers and providers will be required to accept such transactions.
9
Protected Health Information (“PHI”)
A convoluted regulatory definition: All health information created and/or received by a provider, health plan, health care clearinghouse, employer, life insurer or school or university that relates to the physical or mental health or condition of an individual, the provision of health care to that person, or to the payment for that person’s health care, which is sufficiently specific to identify the person, that is transmitted or maintained by a covered entity in any form (orally, on paper or electronically).
10
Privacy
Prohibits the USE or DISCLOSURE of PHI unless PERMITTED or REQUIRED by HIPAA
11
Patient Consents
• New requirements for format and content mandated. Old consent forms for treatment, payment or health care operations will not comply.
• New, broad-form consent now needed for peer reviews, medical training, quality assurance, etc.
12
Restricted Use of Patient Information
Affects information used in patient directories. Affects consultations with and disclosures to family members. Numerous exceptions: child abuse, domestic violence, research, licensure and disciplinary actions.
Note: HIPAA pre-empts state law unless state law is more restrictive, e.g. HIPAA would allow disclosure of a patient’s religious affiliation, but that is prohibited in Tennessee.
13
Written Authorization Required in Addition to Consent
• Any use or disclosure of Psychotherapy Notes requires written authorization.
• Use of PHI in marketing or fundraising activities may require written authorization.
14
Umbrella Rule
• Superimposed over all of the new HIPAA regulations is the concept that in using, disclosing or requesting PHI, all covered entities must make reasonable efforts to limit it to the “Minimum Necessary”.
• Non-routine uses and disclosures will require case-by-case analysis
15
Vendor Contracts
Covered Entities will be non-compliant unless they execute written agreements with their vendors which cover specific provisions concerning HIPAA compliance.
- A general HIPAA compliance clause is not sufficient for contracts with Business Associates of Covered Entities.
- Vendor contracts must specifically address the limited use and disclosure of PHI as well as other listed vendor obligations.
- Indemnification provisions for failure to comply should be considered.
16
Notice of Privacy Practices
Among the new “Patients’ Rights” created by HIPAA. Must be written in “plain language” and carefully worded. Important to include the ability to change a provider’s privacy practices. Providers may be required to comply with specific patient instructions, even if given orally or to non-medical office personnel – e.g. sending patient information via e-mail or fax or to a specific address. Additional Patients’ Rights include access to PHI, medical records and an accounting of disclosures. The computer system must be capable of creating an audit trail of all PHI disclosures and of retaining those records for 6 years.
17
Administrative Requirements: A Potential Budgetary Nightmare
• Appoint a privacy officer and complaint officer
• Overhaul compliance manual to require HIPAA Compliance
• Employee training: privacy and security awareness
• Institute a formal complaint mechanism
• Audit technical and physical safeguards
• Institute sanctions for failure to comply
• Include mitigation procedures to reduce harmful impact of known violations
18
INCREASED SECURITY OF PHI
All Covered Entities must establish and maintain appropriate policies and procedures to safeguard the confidentiality of their patients’ health information. This includes:
• Administrative procedures
• Physical safeguards
• Technical security services and mechanisms
19
Review and Upgrade Administrative Procedures
Revise written policies and procedures for each area or department (e.g., for physical security, personal security, procedural security, etc.)
Require security training for all personnel
Require “Chain of Trust Partner Agreements” with those with whom you share PHI
20
Review and Upgrade Physical Safeguards
Restrict access to PHI
- building/physical plant
- work stations, files
- computers, computer screens and printers
21
Review and Upgrade Technical Security
Authentication – to verify that the person transacting business electronically is in fact who they claim to be
Encryption – to scramble data so it is unrecognizable to anyone without the key
Non-Repudiation – to prevent the person performing a data transmission from later denying that they sent the data
22
Comprehensive Compliance Services Provided by Miller & Martin LLP
Phase I Package Includes:
- Vendor contract review and amendment
- Revision of written policies and procedures to include HIPAA compliance
- Revised patient privacy notices, consents and authorization forms
- “Chain of Trust Partner Agreements”
- Employee training
Package services also provided separately, and additional services provided as needed.
23
Joint Services Provided by Miller & Martin LLP and G.A. Sullivan
- Privacy procedures audits
- Security procedures audits
- Review and upgrade of computer systems for HIPAA compliance
- IT personnel training and assistance
24
HIPAA Practice Group
With 14 firm member representatives of each regional office, Miller & Martin’s HIPAA practice group includes attorneys who specialize in healthcare, corporate law, labor and employment, litigation and government relations. We believe a cross-disciplinary approach will help you tackle the complexities of HIPAA in a more comprehensive and cost-effective manner. For more information concerning the individual members of Miller & Martin’s HIPAA practice group, click on the HIPAA icon at www.millermartin.com
25
HIPAA
For further information, please contact
CLAY PHILLIPS ([email protected]; 615-744-8446)
or
CHRISTIE GROT ([email protected]; 423-785-8307)
MILLER & MARTIN LLP