HIPAA: The View from 30,000 Feet

1
HIPAA The View from 30,000 Feet

2
HIPAA

• Health Insurance Portability and Accountability
  Act
• One small section of law required HHS to make
  RULES for administrative simplification and to
  protect patient privacy and security of
  electronic medical records
• Applies to COVERED ENTITIES

3
HIPAA COVERED ENTITIES

• A health care provider who transmits health
  information in electronic form in connection with
  certain financial and administrative
  transactions
• A health plan and
• A health care clearinghouse

4
On-Line Help to Determine Covered Entity Status

• http//fortress.wa.gov/dshs/maa/dshshipaa/de_matri
  x.htm Decision Matrix to Determine HIPAA
  Applicability

5
Hybrid Entities

• Entities whose primary function is not a covered
  function
• Entity must designate portions which carry on
  covered functions
• Be sure to designate all functions that support
  hybrid entity covered functions (legal, IT, etc.)
• This and other structural options to limit
  liability and ease administrative burdens are
  available

6
Business Associates

• BA person or entity who performs a function
  involving the use or disclosure of Protected
  Health Information (PHI) on behalf of a covered
  entity
• CE generally cannot disclose PHI to BA without
  satisfactory assurance that PHI will be
  safeguarded (written contract take action for
  breach)

• Contracts between CE and BA must require BA
• Only use PHI as specifically permitted in
  contract or under rule
• Use appropriate safeguards to ensure safety of
  PHI
• Report misuse of PHI to CE
• Make PHI and accounting of disclosures available
  to individuals
• Make books and records available to DHHS on
  request

7
HIPAA RULES 3 sets!

• EDI (Electronic Data Interface) requires
  standard electronic format for all submissions,
  effective October 2, 2002 (unless 1 year
  extension applied for)
• Privacy relates to how covered entities may use
  and must control patient PHI, effective April
  14, 2003
• Security relates to physical/electronic
  protection of PHI records (no final
  regs/effective date)

8
Common Administrative Requirements

• Chief Privacy Officer/Chief Security Officer
• Safeguards/firewalls
• Policies and procedures
• Training

9
EDI

• 45 CFR 162
• Free downloads of HIPAA implementation guides
  http//www.wpc-edi.com/hipaa/HIPAA_40.asp
• Info Technology for IT Professionals
  http//www.ready4hipaa.com/index.cfm
• (proceed through tabs at top)
• WEDI http//www.wedi.org/public/articles/index.c
  fm?Cat232

10
EDI Requirements

• Use HIPAA standards for designated transactions
  no later than appropriate compliance date
  through
• Internal system changes
• Clearinghouse
• Compliant business associate
• Use appropriate code sets in transactions
• Content-only exception for direct data entry

11
45 CFR Part 162

• Sub-part A General provisions
• Sub-part I General transaction provisions
• Sub-part J Code sets
• Sub-parts K-R Claims, eligibility, referral,
  claim status, enrollment disenrollment, payment
  remittance advice, premium payments and
  coordination of benefits

12
Sub-Part I General Requirements

• Updates process
• Requirements for covered entities and their
  business associates
• Trading partner agreements
• Exceptions process for testing proposed
  modifications

13
Business Associates/Trading Partners

• BAs required to comply with all applicable
  requirements of the rule
• Trading Partners may NOT
• Change a standard definition, data condition, or
  use of data element or segment
• Add data elements or segments to a maximum
  defined data set
• Use non-standard code or data elements
• Change the meaning or intent of the
  implementation specification

14
Sub-Part J Code Sets

• Medical Data Code Sets (by Secy HHS)
• ICD-9-CM for diagnosis
• ICD-9-CM for inpatient procedures
• NDC for drugs and biologics
• CDT for dental svcs
• HCPCS CPT4 for physician and similar svcs
• HCPCS for non-physician outpatient items

• Non-medical Code Sets (implementation standards)
• State abbreviations and ZIP codes
• Telephone area codes
• Race and ethnicity codes
• Measurement systems
• And many, many more

15
Sub-Parts K-R Two Part Transaction Standards

• Defines each transaction in terms of
• Action or purpose
• Party or parties
• Adopts a particular implementation guide
• Generally, or
• For each of several specific sectors (e.g.,
  retail pharmacy, institutional)
• Batch, real-time or interactive

16
PRIVACY

• 45 CFR 164.104 Comply no later than April 14,
  2003
• COMPREHENSIVE regulation on how Protected Health
  Information must be treated within
  institution/may be released
• Affects covered entity component
• But, does NOT preempt more strict state law

17
PRIVACY Consents, Notices and Authorizations

• Signed consent is optional
• (Providers)Required written acknowledgement of
  receipt of Notice of Privacy Practices
• Relates solely to Treatment, Payment and Health
  Operations (TPO) uses of PHI
• Cannot be combined with an authorization
• Must be obtained no later than first service
• Must be retained for 6 years

• Almost all non-TPO uses require authorizations
• Standardized authorization must contain certain
  core elements and notification statements
• Special requirements for psychotherapy notes,
  marketing and research authorizations
• Disclosures OTHER THAN TPO or by authorization
  must be tracked--and accounted for to patient at
  patients request

18
Authorizations

• Core elements include
• Description of information to be used
• Identification of person(s) authorized to make
  the use or disclosure
• Identification of authorized recipient(s)
• Description of purpose of use or disclosure
• Expiration date or event
• Signature and date
• Personal representatives authority (if
  applicable)

19
Authorizations (contd)

• Three Required Notification Statements (in
  addition to core elements)
• 1) Individual has right to revoke authorization
  and either
• Exceptions to right and a description of how to
  revoke or
• Reference to the Notice of Privacy Practices
• 2) Treatment, payment, enrollment, or eligibility
  for benefits may not be conditioned on obtaining
  the authorization if prohibited by the Privacy
  Rule. If conditioning is permitted, the
  consequences to the individual for refusing to
  sign the authorization.
• 3) The potential for the information to be
  subject to redisclosure by the recipient and no
  longer be protected by the Privacy Rule.

20
Minimum Necessary Requirement

• Privacy Rule requires Covered Entity to make
  reasonable efforts to limit the use or disclosure
  of, and requests for, PHI to the minimum
  necessary to accomplish the intended purpose.
• Privacy Rule requires Covered Entity to develop
  and implement policies and procedures appropriate
  to the Covered Entitys business practice and
  workforce to reasonably minimize the amount of
  PHI used, disclosed and requested.
• Exception for disclosures to or requests by a
  health care provider for treatment but NOT for
  uses or disclosures for payment or health care
  operations.

21
Minimum Necessary (contd)

• Minimum necessary requirements do not apply,
  among other things, to disclosures made to the
  individual or pursuant to any authorizations,
  including
• Authorizations requested by a Covered Entity for
  its own use and disclosure
• Authorizations requested by a Covered Entity for
  disclosure to others
• Authorizations involving PHI created for research
  that includes treatment of an individual

• For requests not made on a routine and recurring
  basis, rule requires CE to develop criteria
  designed to limit PHI to minimum necessary to
  accomplish the intended purpose creates
  consistency with routine and recurring requests
  and disclosures.
• DHHS commits to issue further guidance to clarify
  issues, as well as additional technical
  assistance material to help CEs implement the
  provisions.

22
Unintended/Incidental Uses and Disclosures

• CE must take reasonable steps to limit incidental
  use/disclosure
• Incidental use or disclosure is
• A secondary use or disclosure that cannot be
  reasonably prevented
• Limited in nature
• Occurs as a by-product of an otherwise permitted
  use or disclosure

• NOT permissible disclosure as incidental
• Use or disclosure that occurs as a result of
  failure to implement the minimum necessary
  standard
• Permitting employee unlimited access to records
  when not necessary to do their job
• Erroneous uses or disclosures from mistake or
  neglect
• Posting patient PHI on website
• Sending PHI to the wrong person by email

23
SECURITY

• 63 FR 43245
• Final regulations expected by years end
• Most IT driven regulation
• Final regs may include hybrid entity concept (not
  currently included)
• IT professional doubts as to whether non-unified
  standard is technically feasible

24
SECURITY GOALS

• Confidentiality
• Integrity
• Availability
• Goals are flexible, scalable, technology neutral
• Devise, implement and maintain appropriate
  security for business requirements
• Based on good business practice

25
Security Standards Big Picture

• Procedures and systems must be updated to ensure
  that health care data are protected
• Written security policies and procedures must be
  created or reviewed to ensure compliance
• Employees must be trained on PPs
• Access to data must be controlled through
  appropriate mechanisms (e.g., passwords,
  automatic tracking when patient data has been
  created, modified or deleted)
• Security procedures must be certified
  (self-certification is OK) to meet the minimum
  standards

26
Security Compliance Areas

• Training and awareness
• Policy and Procedure review/creation
• System review
• Documentation review
• Contract review
• Infrastructure and Connectivity review
• Access controls
• Authentication
• Media controls

27
Security Compliance Areas (contd)

• Workstation
• Emergency mode access
• Audit trails
• Automatic removal of accounts
• Event reporting
• Incident reporting
• Sanctions

28
Security Measures

• In general, can be grouped as
• Administrative
• Physical
• Technical (data in transit and data at rest)

29
Security Standards (proposed rule)

• Administrative Requirements (12)
• Physical Requirements (6)
• Technical Requirements data at rest (5)
• Technical Requirements data in transit (1)
• Electronic signature
• Implementation Features (70)

30
Standard Areas of Business Security BS 7799/ISO
17799

• Security policy
• Security organization
• Asset classification and control
• Personnel security
• Physical and environmental security
• Communications and operations management
• Access control
• Systems development and maintenance
• Business continuity management
• Compliance

31
HIPAA Security The Final Rule

• What to expect
• Streamlining same core values-more specificity
  as to mandatory (must do)/discretionary (should
  do)
• Fewer standards
• Paper (?) as well as electronic media
• Business Associate contracts/Chain of Trust
• Synchronize with Privacy rules

32
The Final Rule (contd)

• Dont expect Electronic Signature
• Comments to proposed rule indicated lack of
  consensus industry continues to work on
  monitoring by NCVHS
• NCVHS necessary before regulation developed
• Proposed rule specified digital signature
  (authentication, message integrity,
  non-repudiation requirements)
• Probably developed by NIST, not DHHS
• PKI-HealthKey Bridge effort

33
DONT PANIC (Its too late for that!)

• Many on-line resources exist
• Workgroup for Electronic Data Interchange (WEDI)
  site http//www.wedi.org/
• Link to all states websites http//fortress.wa.
  gov/dshs/maa/dshshipaa/links.htm
• AAMC http//www.aamc.org/members/gir/gasp/start.
  htm
• North Carolina Healthcare Information and
  Communications Alliance, Inc. (NCHICA)
  http//www.nchica.org/HIPAAResources/Samples/Porta
  l.asp
• Loyola University HIPAA site http//www.luhs.org
  /feature/hipaa/index.htm
• University of Alabama/Birmingham HIPAA site
  http//www.hrm.uab.edu/HIPAA/home.html
• HIPAA information related to banks/banking (which
  may be business associates of covered entities)
  http//www.hipaabanking.org/
• Compilation of HIPAA links http//pweb.netcom.co
  m/ottx4/HIPAA.htm
• Miscellaneous topics on HIPAA
  http//www.hipaadvisory.com/
• HCFA 1998 Internet security policy
  http//world.std.com/goldberg/TLhcfainet.pdf

34
HIPAA The View from 30,000 Feet

• QUESTIONS?