HIPAA: Here Today, Where Tomorrow? (PowerPoint presentation transcript)

About This Presentation
Title:

HIPAA Here Today Where Tomorrow

Description:

HIPAA. Here Today. Where Tomorrow? Stanley Nachimson. Office of HIPAA Standards. CMS ... medical errors, and giving providers tools to improve the delivery of ...

Slides: 37
Provided by: CMS1103

Transcript and Presenter's Notes


1
HIPAA: Here Today, Where Tomorrow?
  • Stanley Nachimson
  • Office of HIPAA Standards
  • CMS

2
Imagine the future
  • Single set of information for all payers
  • Standard, easily understood coding rules
  • Standard responses from payers
  • Little, if any human intervention for billing,
    remittance, posting, eligibility inquiries,
    coordination of benefits
  • Secure data, well understood privacy protection

3
Imagine the Future
  • Patient medical records easily (and securely)
    available when needed by health care providers.
  • How can this happen?
  • We've taken the first steps: HIPAA

4
Brief History
  • Law 1996
  • Final Rules
  • Transactions 2000 (finally effective October
    2003)
  • Privacy 2000 (effective April 2003)
  • Employer ID 2002
  • Transactions Modifications 2003
  • Security - 2003

5
Transactions Status
  • Effective Oct 16, 2003 (after ASCA extension)
  • CMS Contingency Plan Guidance allows for
    transition period to keep funds flowing
  • However, entities should be compliant

6
Transactions Status
  • Enforcement in Place
  • Complaint based
  • Aim is to get to compliance
  • Will look at good faith efforts

7
Where is the Industry Today?
  • Lots of contingency plans, but
  • Many moving into compliance
  • Medicare compliance rate above 50% for claims
  • Why not compliant?
  • New data elements
  • Reliance on vendors
  • Not enough time for testing; implementation was
    started too late

8
What Will/Should be Happening?
  • Contingency plans will end
  • Entities must be compliant, or payments may stop
  • Need to embrace the other transactions: automated
    eligibility, remittance, claims status
  • Need to participate in standards revision process

9
Some Positive Impacts
  • Realization that standards impact business
    process
  • Industry getting together to implement
  • Different provider groups coming forward to
    participate in standards

10
Next Standard to Implement
  • Security!

11
Regulation Dates
  • Published February 20, 2003
  • Effective Date April 21, 2003
  • Compliance Date
  • April 21, 2005 for all covered entities except
    small health plans
  • April 21, 2006 for small health plans (as HIPAA
    requires)

12
General Requirements (§164.306(a))
  • Ensure
  • Confidentiality (only the right people see it)
  • Integrity (the information is what it is supposed
    to be; it hasn't been changed)
  • Availability (the right people can see it when
    needed)

13
General Requirements
  • Applies to Electronic Protected Health
    Information
  • That a Covered Entity Creates, Receives,
    Maintains, or Transmits

14
General Requirements
  • Protect against reasonably anticipated threats or
    hazards to the security or integrity of
    information
  • Protect against reasonably anticipated uses and
    disclosures not permitted by privacy rules
  • Ensure compliance by workforce

15
Regulation Themes
  • Scalability/Flexibility
  • Covered entities can take into account
  • Size
  • Complexity
  • Capabilities
  • Technical Infrastructure
  • Cost of procedures to comply
  • Potential security risks

16
Regulation Themes
  • Technologically Neutral
  • What needs to be done, not how
  • Comprehensive
  • Not just technical aspects, but behavioral as well

17
How Did We Accomplish This
  • Standards are required, but
  • Implementation specifications, which provide more
    detail, can be either required or addressable.

18
Addressability
  • If an implementation specification is
    addressable, a covered entity can
  • Implement, if reasonable and appropriate
  • Implement an equivalent measure, if reasonable
    and appropriate
  • Not implement it
  • Based on sound, documented reasoning from a risk
    analysis

19
What are the Standards?
  • Three types
  • Administrative
  • Physical
  • Technical

20
Administrative Standards
  • Security Management
  • Risk analysis (R)
  • Risk management (R)
  • Assigned Responsibility
  • Workforce Security
  • Termination procedures (A)
  • Clearance Procedures (A)

21
Administrative Standards
  • Information Access Management
  • Isolating health care clearinghouse functions (R)
  • Access Authorization (A)
  • Security Awareness and Training
  • Security Incident Procedures
  • Contingency Plan
  • Evaluation
  • Business Associate Contracts

22
Physical Standards
  • Facility Access Controls
  • All addressable specifications
  • Contingency operations
  • Facility Security Plan
  • Access control
  • Maintenance Records
  • Workstation Use (no implementation specifications)
  • Workstation Security
  • Device and Media Controls

23
Technical Standards
  • Access Control
  • Unique User Id (R)
  • Emergency Access (R)
  • Automatic Logoff (A)
  • Encryption and Decryption (A)
  • Audit Controls
  • Integrity
  • Person or Entity Authentication
  • Transmission Security
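
The technical standards above name controls, not mechanisms. What follows is an added example, not part of the deck and not CMS code, showing one way each control looks as running logic in a toy in-memory ePHI store: unique user IDs with PBKDF2-hashed passwords for person or entity authentication, a session table with an idle timeout for automatic logoff, a role check plus a separately logged break-glass path for emergency access, an HMAC-chained append-only audit log for audit controls, a plaintext hash for integrity, and an HMAC-SHA256 counter-mode keystream as a stand-in for encryption at rest. The 15-minute timeout, the "clinician" role, the keys generated at import time, and the user and patient names are all assumptions for the demonstration; a real deployment would keep keys in a KMS and use AES-GCM, and transmission security (TLS on the wire) is outside an in-process store.

```python
# Constructed example (not CMS code): a toy in-memory ePHI store showing the slide-23 technical
# safeguards as running logic. Keys, roles and the idle timeout are assumptions; use AES-GCM and a KMS for real.
import hashlib, hmac, json, os, time
from collections import namedtuple

SESSION_TIMEOUT = 15 * 60    # automatic logoff (A) after 15 min idle: assumed policy value
DATA_KEY = os.urandom(32)    # encryption at rest (A); generated at import only for the demo
AUDIT_KEY = os.urandom(32)   # MAC key for the tamper-evident audit chain
ROUNDS = 100_000             # PBKDF2 iterations (assumed)
User = namedtuple("User", "user_id role salt pw_hash")   # unique user identification (R): one id per person

def _xor_stream(nonce, data):
    """HMAC-SHA256 counter-mode keystream XORed over data: a stand-in stream cipher (symmetric)."""
    ks = b"".join(hmac.new(DATA_KEY, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def make_user(user_id, role, password):
    salt = os.urandom(16)
    return User(user_id, role, salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS))

def authenticate(user, password):
    """Person or entity authentication: salted PBKDF2 with a constant-time compare."""
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, ROUNDS)
    return hmac.compare_digest(user.pw_hash, cand)

class AuditLog:
    """Audit controls: each tag also covers the previous tag, so editing or deleting any entry breaks verify()."""
    def __init__(self):
        self.entries, self._prev = [], b"\x00" * 32   # entries: (entry dict, tag)

    @staticmethod
    def _tag(prev, entry):
        return hmac.new(AUDIT_KEY, prev + json.dumps(entry, sort_keys=True).encode(), hashlib.sha256).digest()

    def record(self, user_id, action, patient, outcome):
        entry = {"ts": time.time(), "user": user_id, "action": action, "patient": patient, "outcome": outcome}
        self._prev = self._tag(self._prev, entry)
        self.entries.append((entry, self._prev))

    def verify(self):
        prev = b"\x00" * 32
        for entry, tag in self.entries:
            if not hmac.compare_digest(tag, self._tag(prev, entry)):
                return False
            prev = tag
        return True

class EphiStore:
    def __init__(self, users):
        self.users = {u.user_id: u for u in users}
        self.records, self.sessions, self.audit = {}, {}, AuditLog()

    def login(self, user_id, password, now):
        user = self.users.get(user_id)
        ok = user is not None and authenticate(user, password)
        self.audit.record(user_id, "login", None, "ok" if ok else "denied")
        if not ok:
            return None
        token = os.urandom(16).hex()
        self.sessions[token] = [user_id, now]     # [user, time of last activity]
        return token

    def _session_user(self, token, now):
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if now - sess[1] > SESSION_TIMEOUT:        # automatic logoff (A)
            del self.sessions[token]
            self.audit.record(sess[0], "auto_logoff", None, "ok")
            return None
        sess[1] = now
        return self.users[sess[0]]

    def store(self, token, patient, plaintext, now):
        user = self._session_user(token, now)
        if user is None or user.role != "clinician":    # access authorization: assumed role model
            self.audit.record(user and user.user_id, "write", patient, "denied")
            return False
        nonce = os.urandom(16)   # fresh nonce per record; integrity (A): plaintext hash stored beside it
        self.records[patient] = (nonce + _xor_stream(nonce, plaintext), hashlib.sha256(plaintext).digest())
        self.audit.record(user.user_id, "write", patient, "ok")
        return True

    def read(self, token, patient, now, emergency=False):
        user = self._session_user(token, now)
        action = "emergency_read" if emergency else "read"
        # emergency access (R): any authenticated user may break glass; the distinct action name
        # lets reviewers pull every such event out of the audit trail
        if user is None or not (emergency or user.role == "clinician") or patient not in self.records:
            self.audit.record(user and user.user_id, action, patient, "denied")
            return None
        blob, digest = self.records[patient]
        pt = _xor_stream(blob[:16], blob[16:])
        if not hmac.compare_digest(hashlib.sha256(pt).digest(), digest):
            self.audit.record(user.user_id, action, patient, "integrity_failure")
            return None
        self.audit.record(user.user_id, action, patient, "ok")
        return pt
```

Two design points worth noting. The stand-in stream cipher provides confidentiality only, which is why a separate plaintext hash is stored and checked on every read; an AEAD such as AES-GCM would give both properties in one primitive. The audit log records denied and emergency actions under distinct names rather than silently dropping them, because the review question a covered entity has to answer is not only "who read this record" but "who was refused, and who broke glass."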

24
Chart in Regulation
  • At end of the regulation, this chart lists each
    standard, its associated implementation
    specifications, and if they are required or
    addressable

25
Basic Changes from NPRM
  • Aligned with Privacy (Definitions, requirements
    for business associates)
  • Encryption now addressable
  • No requirement for certification
  • Standards simplified and redundancy eliminated.

26
Implementation Approach
  • Do risk analysis (document it)
  • Based on the analysis, determine how to implement
    each standard and implementation specification
    (document the decisions)
  • Develop security policies and procedures
    (document them)
  • Train Workforce
  • Implement Policies and Procedures
  • Periodic Evaluation

27
Summary
  • Scalable, flexible approach
  • Standards that make good business sense
  • Two years for implementation
  • First step is risk analysis

28
CMS and Other Resources
  • CMS HIPAA Web Site www.cms.hhs.gov/hipaa/hipaa2
  • FAQs
  • Guidance Documents
  • AskHIPAA@cms.hhs.gov email box
  • Teleconferences

29
Other Resources
  • NIST
  • WEDI/SNIP

30
Future Steps in Standardization
  • HIPAA
  • National Provider Identifier (NPI)
  • Claims Attachments
  • Beyond HIPAA
  • Electronic Health Records

31
National Provider Identifier
  • Final Rule Expected January 23rd
  • Will adopt the standard for a single identifier
    for every provider
  • No need for different identifiers for different
    health plans
  • Facilitates COB, research, etc.
  • Simplifies provider software and means health
    plans need not maintain their own id system.

32
Claims Attachments
  • New transaction required by HIPAA
  • Not widely automated today
  • Will allow health plans to request and providers
    to send extra information needed to adjudicate
    a claim
  • Bridge between administrative (HIPAA, up to now)
    and clinical records
  • Expect NPRM later this year

33
Electronic Health Records
  • Momentum is building
  • For reducing costs, improving accuracy,
    eliminating medical errors, and giving providers
    tools to improve the delivery of health care

34
Electronic Health Records
  • DHHS is working with HL7 on concepts for an
    electronic health record
  • This, paired with administrative transactions,
    should pave the way for real paperless offices.

35
What Should You Be Doing?
  • Be compliant: follow the HIPAA rules
  • Keep aware of future HIPAA standards rules
  • Participate in industry organizations; make your
    voice heard

36
  • These standards and efforts will only work for
    you if you make your business needs known.
  • Keep your eye on the future.