Slide 1 Page 1 NC DHHS HIPAA OFFICE Presented to the NC Association on Aging Conference April 29,...

Slide 1 Page 1 NC DHHS HIPAA OFFICE Presented to the NC Association on Aging Conference April 29, 2003 Sarah Brooks, MPA, RHIA, CPM Manager, NC DHHS HIPAA Office HIPAA Health Insurance Portability and Accountability Act


Slide 1

Page 1 NC DHHS HIPAA OFFICE

Presented to the NC Association on Aging Conference

April 29, 2003

Sarah Brooks, MPA, RHIA, CPM
Manager, NC DHHS HIPAA Office

HIPAA
Health Insurance Portability and Accountability Act

Slide 2 NC DHHS HIPAA OFFICE

AGENDA

What is HIPAA

Who Must Comply with HIPAA

Overview of Regulations

Resources

Slide 3

Page 3 NC DHHS HIPAA OFFICE

What is HIPAA?

Slide 4 NC DHHS HIPAA OFFICE

Purpose of HIPAA

Health Insurance Portability & Accountability Act of 1996 [Public Law 104-191]

Improve portability and continuity of health insurance coverage in the group and individual markets;

To combat waste, fraud, and abuse in health insurance and health care delivery;

To promote the use of medical savings accounts;

To improve access to long-term care services and coverage; and

To simplify the administration of health insurance
– HHS was charged with promulgating rules

Slide 5 NC DHHS HIPAA OFFICE

How the Law is Structured

HIPAA is divided into five titles - each addresses a unique aspect of health insurance reform.

Title II is also known as Administrative Simplification

If Congress did not adopt legislation to enact Administrative Simplification, HHS was charged with promulgating rules

HHS was limited to enacting rules based on statutory language

Slide 6 NC DHHS HIPAA OFFICE

ADMINISTRATIVE SIMPLIFICATION

Establishes National Standards for
– Electronic Transactions and Code Sets
– Identifiers (Providers, Payers, Employers, Individuals)
– Privacy
– Security & Electronic Signature
– Compliance

Provides Patients With Certain Rights

Cuts Administrative Costs

Preempts State Laws, Unless More Stringent

Potential Civil Monetary & Criminal Penalties

Potential Impacts on Business Continuity

Slide 7 NC DHHS HIPAA OFFICE

HIPAA vs. Y2K

Y2K impacted all information systems; HIPAA impacts health information systems that contain identifying patient data

Y2K did not require major business process changes; HIPAA will have major impacts on business practices in the healthcare industry

Once Y2K issues were resolved, consumers were not impacted; HIPAA will impact healthcare consumers

During Y2K, healthcare providers and payers relied on vendors, contractors or internal IS staff to resolve the Y2K issues; with HIPAA, the entire organization will be impacted by changes resulting from HIPAA implementation

Slide 8 NC DHHS HIPAA OFFICE

Wishful thinking about HIPAA

Congress will repeal HIPAA

There will be additional delays

There will be no HIPAA enforcement for many, many years

My vendor will take care of HIPAA

HIPAA is an IT project

Slide 9 NC DHHS HIPAA OFFICE

HIPAA Reality

Not a “one shot deal”

Not solely a technology or systems fix

Affects the culture of handling health information

Not an easy “return to normal operations”

Major impacts on policy and training

Affects business relationships

Slide 10

Page 10 NC DHHS HIPAA OFFICE

Who Must Comply With HIPAA?

Slide 11 NC DHHS HIPAA OFFICE

Terms You Should Know

To understand HIPAA, there are some important terms you must know

They are:
– Covered Entity
– Business Associate
– Hybrid Entity

Slide 12 NC DHHS HIPAA OFFICE

Who is Impacted? Covered Entities

Health Plan (provides or pays the cost of medical care - e.g., Medicaid, HMOs, BC/BS, Medicare, Champus)

Health Care Clearinghouse (routes electronic data between payers & providers - e.g., billing services)

Health Care Provider who transmits any health information in an electronic transaction (e.g., Hospitals, Physicians, Public Health Departments, Group Homes, Home Health, Pharmacies, Laboratories)

Slide 13 NC DHHS HIPAA OFFICE

Who is Impacted? Business Associates

Definition: Person who performs a function or activity on behalf of a covered entity, involving the use and/or disclosure of PHI.

Excludes person who is part of the Covered Entity’s workforce (e.g., Employees, Physicians with Staff Privileges)

Must protect PHI and help Covered Entity comply with its obligations under the Privacy Rule

DO NOT have to comply with HIPAA Privacy Rules

Must abide by Business Associate Agreement with covered entity

Slide 14 NC DHHS HIPAA OFFICE

Who is Impacted? Hybrid Entities

Defined as, “a single legal entity that is a covered entity and whose covered functions are not its primary functions.”

Most covered government agencies will be hybrid entities

Need to identify those health care components within the Hybrid Entity that perform covered functions and other components that would normally be a Business Associate

Slide 15 NC DHHS HIPAA OFFICE

Statewide Impact

Covered Entities
– State Health Plan (includes HealthChoice for Children)
– UNC Health Care

Business Associates
– Department of Justice
– Office of the State Auditor
– Office of the Controller

Hybrid Entities
– Dept of Administration
– Dept of Correction
– Dept of Health and Human Services
– Office of Information Technology Services*
– East Carolina University
– University of NC at Chapel Hill
– University of NC at Greensboro

Slide 16 NC DHHS HIPAA OFFICE

DHHS Impact

Medicaid

Public health
– State Lab
– State Center for Health Statistics
– Local health services
– Children’s special health services
– Developmental education clinics (13)

Education
– School for the blind (1)
– Schools for the deaf (2)

Mental health, substance abuse
– State psychiatric hospitals, substance abuse, nursing (7)
– Mental retardation centers (5)
– Adolescent treatment (2)

Other divisions
– Controller’s Office
– Information Resource Mgmt
– Public Affairs
– Internal Auditor
– Research, Demonstrations, and Rural Health Development

Slide 17 NC DHHS HIPAA OFFICE

Division of Aging Impacts

Not a Health Care Provider - AAA’s may be providers but not the Division of Aging

Not a Health Plan - regulations exclude government funded programs whose primary purpose is not provision of health care

ARMS Implications - since Aging is not a Health Plan or Health Care Provider, ARMS does not have any HIPAA impacts

Slide 18 NC DHHS HIPAA OFFICE

Impact of Not Complying

Possible litigation

Potential withholding of federal Medicaid and Medicare funds

Federal Medicaid Share in NC in @ 4.5 billion

In DHHS, more than $300 million in revenues at risk

Penalties
– Civil Monetary for violations of each standard
– Wrongful disclosure of protected health information

Slide 19

Page 19 NC DHHS HIPAA OFFICE

Overview of Regulations

Slide 20 NC DHHS HIPAA OFFICE

Final Regulation: TRANSACTIONS & CODE SETS

Electronic Health Transactions Standards (45 CFR Parts 160 & 162)

Compliance originally required 10/16/02

With a plan filed, compliance extended to 10/16/03

Revisions could be made on annual basis with 180 days to comply

Slide 21 NC DHHS HIPAA OFFICE

What Do Standard Transactions Cover?

The exchange of data between two parties to carry out financial or administrative activities related to health care. It includes the following types of information exchanges:

(1) Health Care claims or equivalent encounter information.
(2) Health Care payment and remittance advice.
(3) Coordination of benefits.
(4) Health Care claim status.
(5) Enrollment and disenrollment in a health plan.
(6) Eligibility for a health plan.
(7) Health plan premium payments.
(8) Referral certification and authorization.
(9) First report of injury.
(10) Health claims attachments.
(11) Other transactions that the Secretary may prescribe by regulation.

Slide 22 NC DHHS HIPAA OFFICE

What Do Code Set Regulations Cover?

Establishes standard code sets used to identify diagnoses, procedures, etc.

Standard Code Sets are:
– International Classification of Diseases, Ninth Edition, Clinical Modification (ICD-9-CM)
– Health Care Procedural Coding System (HCPCS)
– Current Procedural Terminology, Fourth Edition (CPT-4)
– Current Dental Terminology (CDT)
– National Drug Codes (NDC)

Slide 23 NC DHHS HIPAA OFFICE

Final Regulation: PRIVACY

Privacy Standards (45 CFR Parts 160 & 164)

Final Regulations published 12/28/00

Modifications published 4/14/01

Significant legal interpretation required

Ongoing compliance monitoring

Compliance 4/14/03

Slide 24 NC DHHS HIPAA OFFICE

Scope of Privacy Regulations

Includes all medical records and other health information maintained by a health care provider, clearinghouse or a health plan.

Covers information in any format
– Paper
– Electronic
– Oral

Affects use and disclosure of all client health information

Slide 25 NC DHHS HIPAA OFFICE

What Do The Privacy Regulations Cover?

Establishes federal ‘floor’ for Privacy - Preempts state law unless state laws are more stringent

Permits use or disclosure of Individually Identifying Health Information (IIHI) for treatment, payment, health care operations (without client consent)

Limits the amount of information to be used or disclosed to what is minimally necessary

Identifies use and disclosure for which an authorization is or is not required

Establishes requirements for de-identification of health information or limited data sets

Slide 26 NC DHHS HIPAA OFFICE

What Do The Privacy Regulations Cover?

Establishes client rights
– Right to request access to their health information with limitations on denial of such request
– Right to request amendment to health information
– Right to receive an accounting of disclosures
– Right to receive a Notice of Privacy Practices

Requires appropriate administrative, technical and physical safeguards to protect health information

Establishes a protocol for using protected health information for marketing and fundraising

Requires designation of a privacy official and a contact person for complaints

Slide 27 NC DHHS HIPAA OFFICE

What Do The Privacy Regulations Cover?

Requires identification of workforce members needing access to health information, limiting access to the minimum necessary

Requires training of all staff members

Establishes content or documentation requirements for policies, procedures, notices, authorizations, amendments, accounting of disclosures, complaints and compliance

Addresses penalties for unauthorized disclosures

Slide 28 NC DHHS HIPAA OFFICE

Final Regulation: SECURITY

Security Standards (45 CFR Parts 160, 162 & 164)

Final Regulations published 2/20/03

Compliance 4/21/05

Written to conform to Privacy Regulations

Slide 29 NC DHHS HIPAA OFFICE

Scope and Purpose of Security Regs

Scope: Electronic Protected Health Information (in motion and at rest)

Purpose:
– Ensure integrity, confidentiality and availability of electronic protected health information
– Protect against reasonably anticipated threats or hazards, and improper use or disclosure

Slide 30 NC DHHS HIPAA OFFICE

What Do Security Regulations Cover?

Standards to Guard Data Integrity, Confidentiality, and Availability
– Administrative Safeguards (Policies/Procedures)
– Physical Safeguards
– Technical Safeguards

Flexible, Scalable

Technology Neutral

Consistency with Privacy Regulations (Requires Business Associate Agreements)

Slide 31 NC DHHS HIPAA OFFICE

Security vs. Privacy

Privacy and Security go hand-in-hand

Privacy - What
– Defines who is authorized to access information (the right of individuals to keep information about themselves from being disclosed)

Security - How
– Ability to control access to and protect information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction, or loss

Slide 32 NC DHHS HIPAA OFFICE

Final Regulation: National Employer Identifier

National Standard Employer Identifier (45 CFR Part 160 and 162)

Final Regulations published 5/31/02

Compliance 7/30/04

Utilizes Employer Tax ID

Required in any standard transactions that transmit employer-related information

Slide 33 NC DHHS HIPAA OFFICE

HIPAA Proposed Rules Published

Electronic Signature Standards (45 CFR Part 142)
– Draft published August 12, 1998 with Security rules draft
– Not included in final Security rule - will be sent out as separate regulation

National Standard Health Care Provider Identifier (45 CFR Part 142)
– Draft published May 7, 1998

Slide 34 NC DHHS HIPAA OFFICE

HIPAA Proposed Rules Not Published

National Health Plan Identifier (Payer ID)

Claims Attachments

Enforcement

First Report of Injury

National Individual Identifier

NOTE: Once published, 26 months to comply

Slide 35

Page 35 NC DHHS HIPAA OFFICE

HIPAA Resources

Slide 36 NC DHHS HIPAA OFFICE

DHHS HIPAA Website

http://dirm.state.nc.us/hipaa/

Slide 37 NC DHHS HIPAA OFFICE

NCHICA

NC Healthcare Information and Communications Alliance, Inc.

Membership is from public and private sectors

HIPAA Workgroups in areas of Privacy and Confidentiality; Security; Training; Transactions/Code Sets

Slide 38 NC DHHS HIPAA OFFICE

NCHICA Deliverables

www.nchica.org

– Privacy and Security Training Modules
– HIPAA EarlyView™ Security
– HIPAA EarlyView™ Privacy
– Security Policy and Procedures Matrix
– Privacy Models (Notice of Privacy Practices, Authorization, Business Associate Agreement, Data Use Agreement)
– Minimum Necessary Decision Tree
– Review of NC Statutes
– Guidance for Identifying Designated Record Sets
– HIPAA Privacy Checklists

Slide 39 NC DHHS HIPAA OFFICE

Resources

US HHS / HIPAA: aspe.hhs.gov/adminsimp

Office of Civil Rights: http://www.hhs.gov/ocr/hipaa/

AHIMA: www.ahima.org

Institute of Govt: http://www.medicalprivacy.unc.edu/

HIPAA Privacy Joint Info Ctr: http://www.bricker.com/hipaa/

Mass Health Data Consortium: http://www.mahealthdata.org/

Administration on Aging: http://www.aoa.dhhs.gov/

Slide 40 NC DHHS HIPAA OFFICE

Questions

???????