Complying With HIPAA – What Will It Take?
HIPAA Summit
October 16, 2000
Jim Klein
Manager, Enterprise Security & HIPAA Compliance
1-800-4BEACON
Page 2
Key Questions
◆ What are the major compliance issues?
◆ How will HIPAA change the way organizations operate?
◆ What needs to be done to comply?
◆ How can organizations capitalize on opportunities?
◆ How much will it cost?
Page 3
Benefits & How to Capitalize
◆ Simplified transaction requirements
◆ Single coding rule
◆ Increased EDI, lower FTEs
◆ DHHS; 29.9b net savings in 10 years
◆ Reduced liability
◆ Begin preparations and planning early
Page 4
Compliance Issues
Page 5
Key Compliance Issues
◆ Non-compliance liabilities
◆ Coordinating compliance with multiple trading and business partners
◆ Protecting patient confidentiality
◆ Enterprise-wide view of security/privacy practices
◆ Organizational compliance assurance
◆ Protecting public trust
Page 6
Key Issues – Transactions/Codes/NPI
◆ Content gaps
◆ Multiple formats & trading partners
◆ Elimination of local & redundant codes
◆ Replacing homegrown provider numbers
◆ Provider IDs with built-in intelligence
Page 7
Key Issues - Security
◆ Assessment
◆ Appropriate security levels
◆ Technology not the answer
◆ Audit trails – review & detection
Page 8
Key Issues - Privacy
◆ Patient rights
◆ Use/disclosure practices
◆ Accounting for disclosures
◆ Disclosure restrictions
◆ Incident reporting
Page 9
Key Challenges
◆ HIPAA – Profound & Sweeping
◆ Capitalizing on opportunities
◆ Organizational focus and commitment
◆ Identifying gaps and vulnerabilities
◆ Compliance plan
◆ Training
◆ Documentation
◆ Working with partners
Page 10
No Quick Fixes
Page 11
Providers - Not Just EDI or IT
Information Systems
Business Office
Trading/Business Partners
Enterprise-Wide Event
Billing, EDI
Medical records
Pharmacy
Registration
Transcription
Lab, Radiology
Clinical
Human Resources
Administrative
Office Work Flow
Policies & Procedures
Page 12
Payers - Not Just EDI or IT
Information Systems
Operations
Trading/Business Partners
Enterprise-Wide Event
EDI
Indemnity
Managed Care
Membership
Adjudication
Certification
Service Functions
Provider Networks
Brokers
Membership
Human Resources
Administrative
Office Work Flow
Policies & Procedures
Page 13
Health Care Landscape
Beneficiary
Provider
PMS/HIS System
Billing Agent
VAN
National Clearinghouse
Regional/Local Clearinghouse
Proprietary/Private Network
PAYERS
Private
Blue
HMO
MCO
Medicare
Medicaid
Numerous Data Flows
- Contractual obligations
- Trading partner readiness
- Risk assessment
- Contingency plans
- Coordination issues
AFEHCT January 1997 presentation to HCFA
Page 14
Operation Changes
Page 15
Enterprise-Wide Impacts
◆ Policies & procedures
◆ Minimum use, need-to-know
◆ Security measures
◆ Data collection
◆ Disclosures
◆ Training
◆ Audit trails
◆ Rules regarding marketing/sales divisions
Page 16
Provider Operation Changes
Page 17
Scheduling & Front Desk
◆ Appointment confirmations, auto dialers
◆ Sign-in
◆ Registration, physical set-up
◆ Information release forms
◆ Patient rights
◆ Certification/authorization
Page 18
Medical Records
◆ Release procedures
◆ Authenticating requests
◆ Controlling and accounting for records
◆ Communicating record changes
◆ Storage and destruction
Page 19
Clinical Functions
◆ Primary care, specialists, radiology, lab & pharmacy
◆ Automated lab results
◆ Transcriptions
◆ Physical set-up, terminals, films, records
◆ Cultural change
Page 20
Billing
◆ Transaction interchange
◆ Trading partners & business associates
◆ 3rd party collections
◆ Internal procedures
◆ Faxing
◆ Storage and destruction
Page 21
Payer Operation Changes
Page 22
Enrollment
◆ Standard transaction
◆ Member release form
◆ Written notification of policies & patient rights
  ✦ Inspection
  ✦ Copy
  ✦ Correction
Page 23
Membership Services
◆ Authenticating inquiries
◆ Information release procedures
◆ Processing record change requests
◆ Change denial and appeal procedures
◆ Processing disclosure history requests
Page 24
Provider Services
◆ Authenticating inquiries
◆ Disclosures
◆ Communicating member restrictions
◆ Faxes
Page 25
Administrative Transactions
◆ Transaction standards
◆ Personnel training/migration planning
◆ Trading partners & business associates
◆ Information exchange controls and responsibilities
Page 26
Provider & Payer Operation Changes
Page 27
Administration
◆ Audit trails
◆ Security
◆ Backup & recovery
◆ Retention & destruction
Page 28
Human Resources
◆ Background checks
◆ Training & orientation
◆ Employee agreement
◆ Infractions
◆ Terminations
Page 29
Facility Management
◆ Entry & access
◆ After hours
◆ Inner office access
Page 30
What Needs To Be Done?
Page 31
HIPAA Critical Path
1998 1999 2000 2001 2002 2003
Published Draft Standards… Adopted…
Staggered 2 Year Compliance Period…
Awareness/Education
Impact Assessment
Planning/Preparation
Implementation
Draft Standard Comments
DHHS
Industry
Time frames will vary based on each organization’s unique circumstance
Page 32
Key Steps
◆ Executive level visibility and accountability
◆ HIPAA budget
◆ Cross-organizational team
◆ Impact assessments
◆ Compliance options, pros & cons, costs
◆ Compliance implementation
◆ Coordinating with trading/business partners
Page 33
Planning Baseline
◆ Stable
  ✦ Transactions, code sets
  ✦ Employer identifier
◆ Minor Change
  ✦ Security (definitions)
  ✦ Separate e-signature reg
◆ Material Change
  ✦ Provider identifier (draft - 8 position AN, final - 10 digit N)
◆ Privacy
  ✦ Definitions, scope, patient control may be changed
◆ Unpublished
  ✦ Claim attachments
  ✦ First report of injury
  ✦ Payer identifier
◆ Controversy
  ✦ Individual identifier (SSN?, ASTM UHID)
Page 34
Education/Training
◆ Business/technology leaders
◆ Operational/business units
◆ Security/technology specialists
Get the right training to the right people -
Page 35
Assessment
◆ Enterprise-wide focus
◆ Current state
◆ Gap analysis, risks
◆ Strategic plan implications
◆ Compliance strategy, options, cost
Understanding HIPAA implications is the first step toward successful compliance -
Page 36
Assessment
◆ Business framework
◆ Operational interfaces
◆ Risks and potential failures
◆ Non-compliant systems and components
◆ Compliance capability and plans
◆ Contingencies
Evaluation of all trading partners is a key element in understanding compliance issues -
Page 37
Compliance Options
◆ Internal vs. 3rd party assessment
◆ Translators
◆ Clearinghouses
◆ Complete vs. partial remediation
  ✦ Cross-walks
  ✦ Long-term implications
◆ Impact on other initiatives
Page 38
Costs & Planning
Page 39
Building the Financial Model
◆ Cost factors & drivers
  ✦ Expertise & Personnel
  ✦ Capital outlay
  ✦ Manual (or paper) versus electronic
  ✦ ROI
◆ Opportunities for additional efficiencies
  ✦ Automated eligibility, pre-certification, etc.
  ✦ Technology (proximity sensors, single sign-on, etc.)
  ✦ Work flow efficiencies
Page 40
Common Business Drivers
Business
Partners
Operations
Systems
The HIPAA Challenge
◆ Compliance
◆ Product/service/business impacts
◆ Implementation options
◆ Strategic business plan alignment
◆ Resource/cost requirements
◆ Implementation complexities
◆ Risk management
◆ Legal implications

◆ Market share/growth
◆ Consumer trends/expectations
◆ Cost management
◆ Service distinction
◆ Competition
Page 41
Planning Checklist
Business
Partners
Operations
Systems
Key Components
◆ EDI
◆ Adjudication, membership, utilization, provider network
◆ Billing, clinical, admissions, registration, medical records
◆ Audit, history
◆ Access, authentication

◆ Software Applications
◆ Data Structures
◆ Interfaces
◆ Networks
◆ Security
Page 42
Planning Checklist
Business
Partners
Operations
Systems
Key Components
◆ HIPAA relevance
◆ Compliance strategy
◆ Accountability

◆ Acquisitions, mergers
◆ E-business initiatives
◆ Technology strategies
◆ Funding
Page 43
Planning Checklist
Business
Partners
Operations
Systems
Key Components
◆ Corporate policy/procedure impacts
◆ As-is process flow impacts
◆ Changes in interacting with the public, members/patients, providers, payers, and business partners
◆ Audit and control changes
◆ Security program, responsibility, safeguards, procedures
◆ Compliance monitoring
◆ Awareness/responsibility training

◆ Affected business processes
◆ Administration and Human Resources
◆ Security program
Page 44
Planning Checklist
Business
Partners
Operations
Systems
Key Components
◆ Compliance liability & responsibility
◆ Performance expectations
◆ Commitments
◆ Risk assessment
◆ Options
◆ Contingency planning
◆ Implementation coordination

◆ Clearinghouses
◆ Practice management system vendors
◆ IT outsourcing
◆ Products/private labeling
◆ Internet partners
Page 45
General Discussion
Page 46
Resources
◆ DHHS - administrative simplification
  ✦ aspe.dhhs.gov/admnsimp/index.htm
◆ DHHS data council web site
  ✦ aspe.dhhs.gov/datacncl/
◆ NCVHS Web Site
  ✦ ncvhs.hhs.gov
Page 47
Resources
◆ HIPAA Comply web site
  ✦ www.HIPAAcomply.com
◆ WEDI web site
  ✦ www.wedi.org
◆ AFEHCT web site
  ✦ www.afehct.org
◆ EHNAC web site
  ✦ www.ehnac.org
Page 48
Thank You!
Jim Klein
Manager, Enterprise Security & HIPAA Compliance
Beacon Partners, Inc.
200 Cordwainer Drive, Suite 300
Norwell, MA 02061
PH: (410) 721-9144
Email: [email protected]
www.HIPAAcomply.com