HIPAA Administrative Simplification Standards: Yesterday, Today, and Tomorrow. Stanley Nachimson, CMS Office of HIPAA Standards (presentation transcript)

1
HIPAA Administrative Simplification Standards
Yesterday, Today, and Tomorrow
Stanley Nachimson, CMS Office of HIPAA Standards
2
Brief History
  • HIPAA signed into law August 1996
  • Major publicity around insurance portability
  • Transactions and Code Sets Proposed Rule
  • Published May 1998
  • Lots of comments, but who really paid attention
    to the standards?

3
Brief History
  • Final rule published August 2000
  • Described who must use the standards and when
  • Adopted specific standards for transactions
    (NCPDP and X12)
  • Adopted specific code sets
  • Required implementation by Oct 2002
  • Who was paying attention?

4
Brief History
  • Industry finally reacts, says it needs more time
  • ASCA statute in December 2001 provides for one
    additional year (no more) to implement; new
    date October 16, 2003
  • Law also requires covered entities to develop
    plans to meet the new date
  • April 16, 2003 is the testing deadline
  • Also required that billing to Medicare be done
    electronically, making providers covered entities

5
Brief History
  • Modifications to standards issued February 2002
  • Based on critical problems with the initial
    standards
  • NDC code no longer required, except for retail
    pharmacies

6
Where Are We Today?
  • We are less than 6 months from Oct 16
  • Testing should have started, at least internally
  • Vendors should have provided software to their
    customers so testing could begin
  • Clearinghouses should have test plans and
    packages available for customers

7
Where are we today?
  • Health plans should be scheduling testing with
    providers
  • Most Medicare contractors are already doing this.
  • Providers should be looking for plans to test
    with.
  • External certification is a business decision
    each entity must make.

8
Reminders for Oct 16
  • HIPAA standard transaction and code sets must be
    used.
  • All covered entities must participate.
  • Providers still have the option for paper (except
    for Medicare).
  • We want this to work; cash flow disruption is
    not an option for many providers

9
Key is Cooperation
  • Plans, providers, clearinghouses, vendors must
    work together
  • Coordinate testing schedules
  • Coordinate information campaigns
  • Test early to discover problems
  • Work together to fix them
  • Look at solutions others have already found

10
Opportunities for Learning
  • Take advantage
  • CMS web site (www.cms.hhs.gov/hipaa/hipaa2)
  • National conference calls
  • Regional conference calls
  • AskHIPAA emails
  • Regional SNIP affiliates
  • SNIP web site (snip.wedi.org)

11
Enforcement of Administrative Simplification
Standards
  • CMS named to enforce HIPAA transactions and code
    sets
  • OCR continues to enforce HIPAA privacy
  • CMS creates Office of HIPAA Standards

12
Office of HIPAA Standards
  • Outreach
  • Regulations and Policy
  • Enforcement

13
Enforcement Responsibilities
  • Establish enforcement process
  • Develop regulations

14
Enforcement Reality
  • CMPs may not be more than:
    - $100 per violation
    - $25,000 per calendar year for violations of an
      identical requirement or prohibition
  • We need to determine what is a violation.

15
Enforcement Authority
  • Two provisions of HIPAA govern enforcement:
    - Section 1176: civil monetary penalties (CMPs)
    - Section 1177: criminal penalties
  • HHS has authority to assess CMPs
  • DOJ has authority for criminal penalties

16
Enforcement Regulation
  • HHS lead on developing enforcement regulation
  • Simplifies and standardizes the enforcement
    process
  • Provides a predictable process

17
Enforcement Regulation
  • Notice of what constitutes a violation and how
    penalties will be determined
  • Hapless vs. Willful
  • Rulemaking process allows for public input

18
From Complaint To Compliant
  • Complaint driven
  • Voluntary compliance
  • Technical assistance
  • Corrective action plan
  • Progressive Steps

19
Complaint Driven
  • Complaints
    - web submittal
    - download and mail
  • Notification in writing

20
Voluntary Compliance
  • Opportunity to demonstrate compliance
  • Good faith efforts go a long way

21
Corrective Action Plan
  • Opportunity to submit corrective action plan
  • Demonstrate and document efforts to become
    compliant
  • Exercise reasonable diligence, make efforts to
    correct problem

22
Progressive Steps
  • Compliance: FIRST
  • Corrective action: MIDDLE
  • Tied for LAST:
    - CMPs
    - Exclusion from Medicare
  • Access to care and patient safety

23
Future Standards
  • Security
  • Attachments
  • Identifiers

24
Regulation Dates
  • Published February 20, 2003
  • Effective Date April 21, 2003
  • Compliance Date
  • April 21, 2005 for all covered entities except
    small health plans
  • April 21, 2006 for small health plans (as HIPAA
    requires)

25
General Requirements (§164.306(a))
  • Ensure:
  • Confidentiality (only the right people see it)
  • Integrity (the information is what it is supposed
    to be; it has not been changed)
  • Availability (the right people can see it when
    needed)

26
General Requirements
  • Applies to Electronic Protected Health
    Information
  • That a Covered Entity Creates, Receives,
    Maintains, or Transmits

27
General Requirements
  • Protect against reasonably anticipated threats or
    hazards to the security or integrity of
    information
  • Protect against reasonably anticipated uses and
    disclosures not permitted by privacy rules
  • Ensure compliance by workforce

28
Regulation Themes
  • Scalability/Flexibility
  • Covered entities can take into account
  • Size
  • Complexity
  • Capabilities
  • Technical Infrastructure
  • Cost of procedures to comply
  • Potential security risks

29
Regulation Themes
  • Technologically Neutral
  • What needs to be done, not how
  • Comprehensive
  • Not just technical aspects, but behavioral as well

30
How Did We Accomplish This
  • Standards are required, but
  • Implementation specifications, which provide more
    detail, can be either required or addressable.

31
Addressability
  • If an implementation specification is
    addressable, a covered entity can
  • Implement, if reasonable and appropriate
  • Implement an equivalent measure, if reasonable
    and appropriate
  • Not implement it
  • Based on sound, documented reasoning from a risk
    analysis

32
What are the Standards?
  • Three types
  • Administrative
  • Physical
  • Technical

33
Administrative Standards
  • Security Management
  • Risk analysis (R)
  • Risk management (R)
  • Assigned Responsibility
  • Workforce Security
  • Termination procedures (A)
  • Clearance Procedures (A)

34
Administrative Standards
  • Information Access Management
  • Isolating Clearinghouse (R)
  • Access Authorization (A)
  • Security Awareness and Training
  • Security Incident Procedures
  • Contingency Plan
  • Evaluation
  • Business Associate Contracts

35
Physical Standards
  • Facility Access Controls
  • All implementation specifications addressable
  • Contingency operations
  • Facility Security Plan
  • Access control
  • Maintenance Records
  • Workstation Use (no implementation specifications)
  • Workstation Security
  • Device and Media Controls

36
Technical Standards
  • Access Control
  • Unique User Id (R)
  • Emergency Access (R)
  • Automatic Logoff (A)
  • Encryption and Decryption (A)
  • Audit Controls
  • Integrity
  • Person or Entity Authentication
  • Transmission Security
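
As an added illustration, not part of the presentation: a small Python model of how four of the technical safeguards listed above fit together in an application that handles electronic PHI. Unique User Identification is enforced by refusing logins for identities not in the user directory; Automatic Logoff terminates a session idle longer than a timeout; Emergency Access ("break-glass") lets a user override the normal role check but is always written to the audit trail; and Audit Controls plus a basic Integrity check are provided by a hash-chained log whose verification fails if any past entry is altered. The user names, roles, record types and the 15-minute timeout are assumptions chosen for the example; the Security Rule itself does not prescribe them.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first audit entry


class AuditLog:
    """Append-only audit trail. Each entry commits to the hash of the previous
    entry, so altering or deleting a past entry breaks the chain and is
    detected by verify() (Audit Controls, Integrity)."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, ts, user_id, action, detail):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"ts": ts, "user": user_id, "action": action, "detail": detail, "prev": prev}
        self.entries.append({**body, "hash": self._digest(body)})

    def verify(self):
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


# Assumed role model for the example; record types are constructed labels.
ROLE_PERMISSIONS = {
    "clinician": {"clinical", "demographics"},
    "billing": {"demographics", "claims"},
}


class AccessControl:
    """Unique user IDs, role check, emergency access and automatic logoff."""

    IDLE_TIMEOUT = 15 * 60  # seconds; an assumed value, the Rule sets none

    def __init__(self, users, audit):
        self.users = users      # user_id -> role; individual identities only
        self.audit = audit
        self.last_seen = {}     # user_id -> timestamp of last activity

    def login(self, ts, user_id):
        if user_id not in self.users:   # no anonymous or shared accounts
            self.audit.record(ts, user_id, "LOGIN_DENIED", "unknown user id")
            return False
        self.last_seen[user_id] = ts
        self.audit.record(ts, user_id, "LOGIN", "")
        return True

    def access(self, ts, user_id, record_type, emergency=False):
        """Return 'granted', 'denied', 'auto_logoff' or 'not_logged_in'."""
        if user_id not in self.last_seen:
            return "not_logged_in"
        if ts - self.last_seen[user_id] > self.IDLE_TIMEOUT:
            del self.last_seen[user_id]  # Automatic Logoff of the idle session
            self.audit.record(ts, user_id, "AUTO_LOGOFF", "idle session terminated")
            return "auto_logoff"
        self.last_seen[user_id] = ts
        if record_type in ROLE_PERMISSIONS.get(self.users[user_id], ()):
            self.audit.record(ts, user_id, "ACCESS", record_type)
            return "granted"
        if emergency:
            # Emergency Access: break-glass bypasses the role check, never the log
            self.audit.record(ts, user_id, "BREAK_GLASS", record_type)
            return "granted"
        self.audit.record(ts, user_id, "ACCESS_DENIED", record_type)
        return "denied"


def demo():
    """Exercise the safeguards with constructed users and timestamps (seconds)."""
    audit = AuditLog()
    ac = AccessControl({"jdoe": "clinician", "asmith": "billing"}, audit)
    out = {}
    out["unknown_login"] = ac.login(0, "admin")           # shared id rejected
    ac.login(0, "jdoe")
    ac.login(0, "asmith")
    out["clinician_read"] = ac.access(100, "jdoe", "clinical")
    out["billing_clinical"] = ac.access(200, "asmith", "clinical")
    out["break_glass"] = ac.access(300, "asmith", "clinical", emergency=True)
    out["idle_read"] = ac.access(100 + ac.IDLE_TIMEOUT + 1, "jdoe", "clinical")
    out["after_logoff"] = ac.access(1100, "jdoe", "clinical")
    out["break_glass_logged"] = any(e["action"] == "BREAK_GLASS" for e in audit.entries)
    out["chain_ok"] = audit.verify()
    audit.entries[-1]["action"] = "ACCESS"  # simulate relabelling a logged event
    out["chain_after_tamper"] = audit.verify()
    return out


if __name__ == "__main__":
    print(demo())
```

The break-glass path is the point a reviewer should dwell on: the Rule lists Emergency Access as a required specification, and the only thing that keeps it from becoming a standing bypass is that every use lands in an audit trail that cannot be quietly edited afterwards, which is why the log's integrity check is part of the same example.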

37
Chart in Regulation
  • At end of the regulation, this chart lists each
    standard, its associated implementation
    specifications, and if they are required or
    addressable

38
Basic Changes from NPRM
  • Aligned with Privacy (Definitions, requirements
    for business associates)
  • Encryption now addressable
  • No requirement for certification
  • Standards simplified and redundancy eliminated.

39
Implementation Approach
  • Do Risk Analysis (document it)
  • Based on Analysis, determine how to implement
    each standard and implementation specification
    (document it)
  • Develop Security Policies and Procedures
    (document them)
  • Train Workforce
  • Implement Policies and Procedures
  • Periodic Evaluation

40
Summary
  • Scalable, flexible approach
  • Standards that make good business sense
  • Two years for implementation
  • First step is risk analysis

41
Claims Attachments
  • Will provide standards for sending claims
    attachments (medical records, lab reports, x-rays)
    electronically
  • All health plans will be required to support
    these.
  • Expect proposed rule later this year.

42
Identifiers
  • National Provider Identifier
  • Final rule later this year
  • Will have minimum two years to implement
  • National Plan Identifier
  • Proposed rule later this year.

43
Questions?