Health Insurance Portability and Accountability Act HIPAA - PowerPoint PPT Presentation

Slides: 29
Provided by: Sam54

Transcript and Presenter's Notes


1
Health Insurance Portability and Accountability
Act (HIPAA)
  • Overview of Privacy, Electronic, and Security
    Standards
  • Sarah A. Wattenberg, LCSW-C
  • Office of Quality Improvement and Financing
  • Center for Substance Abuse Treatment, SAMHSA

2
Health Insurance Portability and Accountability
Act (HIPAA)
  • Administrative Simplification Provisions
  • Covered Entities
  • Effective Dates
  • Standards
  • Electronic Transactions
  • Code Sets
  • Privacy of Individually Identifiable Health
    Information
  • Unique Identifiers
  • Security and Electronic Signatures

3
Administrative Simplification Provision
  • Goal
  • to improve electronic transmission of health care
    administrative efficiency and effectiveness of
    health care system (claims payment)
  • encourage information in standardized formats
    (EDI)
  • ensure privacy and security of patient
    identifying information
  • Method

4
Covered Entities
  • Those that fall under authority of HHS
  • Health Plans
  • Health Care Providers who engage in
  • electronic transactions covered by HIPAA
  • Health Care Clearinghouses

5
Non-Covered Entities
  • Employers
  • Government Agencies
  • Agencies that have as their principal activity
    the direct provision of grants that fund the
    direct provision of healthcare.
  • Government programs that incidentally provide
    health care (WIC, Food Stamps, workman's
    compensation)
  • Local welfare agencies that determine enrollment
    or eligibility for government health programs
    (Medicaid or SCHIP) AND are not the
    administering program

6
Business Associates
  • A person who receives PHI information from a
    covered entity to perform or assist the entity in
  • claims
  • data analysis
  • utilization review
  • benefit management
  • A person who provides to the entity
  • legal
  • actuarial
  • consulting
  • data aggregation
  • accreditation

7
Business Associates
  • Enforceable agreement that the Business Associate
    will safeguard the protected health information
    to the level required by the Rule
  • Agreement not required for disclosures to a
    health care provider for treatment
  • Covered entity is not responsible for monitoring
    BA
  • Responsible for knowledge of a violation and
    failure to act

8
Effective Dates
  • Electronic Transaction Standards effective
    October 16, 2002 for all covered entities except
  • October 16, 2003 for small health plans
  • October 16, 2003 for a covered entity (other than
    a small health plan) that submits a compliance
    plan to HHS by 10/16/02
  • Compliance Plan
  • Extent to which, reasons why, not in compliance
  • Budget, schedule, work plan, strategy
  • Use of contractor or other vendor to achieve
    compliance
  • Timeframe for testing, begin no later than
    4/16/03

9
Effective Dates
  • Privacy Standards: effective April 14, 2003
  • Small plans: April 14, 2004.
  • Security Transactions: comment period is closed,
    effective date TBD
  • Unique Identifiers: comment period is closed, TBD

10
Electronic Transaction
  • Addresses the need to standardize the format and
    content (data elements) of the electronic
    transmissions of health care information.
  • Organizations can exchange standard transactions
    or have clearinghouses translate the data
    elements into standardized transactions on their
    behalf.
  • A health plan may not add data elements or change
    the standardized format without first going
    through the private sector standards modification
    process.

11
Electronic Transaction Standards
  • Health care claims or equivalent encounter
    information
  • Eligibility for a health plan
  • Referral certification and authorization
  • Health care claim status
  • Enrollment and disenrollment in a health plan
  • Health care payment and remittance advice
  • Coordination of benefits
  • Health plan premium payments

12
Code Sets
  • Addresses the need for national uniform codes for
    diagnosis, treatment, and drugs and others.
  • Local codes are being eliminated, resulting in
    less state-level detail.
  • Private data standards maintenance organizations
    (DSMOs) will maintain the codes and modify them
    according to standard operating procedures of
    those organizations.
  • APACPT-4
  • HCPCS

13
Code Sets
  • CSAT LEADERSHIP
  • Ongoing collaboration between CSAT and the SSAs
    and the mental health community (CMHS and
    NASMHPD)
  • March 2001: Sponsored forum for NASADAD to bring
    states together to review codes
  • April 2001: Funded and facilitated the effort to
    submit a code set to HCPCS
  • November 2001: Forum to review HCPCS feedback
  • February 2002: Facilitated re-submission to
    HCPCS
  • TBD 2002: Collaboration with larger stakeholder
    groups, including public/private partnerships

14
Privacy Rule
  • Privacy is the right of the individual to be left
    alone.
  • Confidentiality is the responsibility for
    limiting disclosure of private matters.
  • Security is the means to control access and
    protect information from accidental or
    intentional disclosure.

Guardent
15
Privacy Rule
Addresses the need to safeguard patients'
health care information by standardizing how and
under what circumstances organizations use
patient information.
16
Individually Identifiable Health Information
(IIHI)
  • Identifies the individual, or offers a reasonable
    basis for identification
  • Is created or received by a covered entity or an
    employer and
  • Relates to the past, present, or future
  • Physical or mental health or condition
  • Provision of health care or
  • Payment for health care

17
Protected Health Information
  • Individually Identifiable Health Information that
    is
  • Transmitted or maintained in any medium (PHI)
  • Held by a covered entity or business associate
  • De-identified information is not covered

18
General Principles of Privacy Rule
  • Use and disclose minimal amount necessary to
    satisfy purpose of request
  • Consents are required for use or disclosure of
    routine information
  • Authorizations are required for use or disclosure
    of non-routine information
  • Expansion of patient access to records and
    ability to modify records

19
Minimum Necessary
Privacy Officer to perform internal assessment
procedures
  • Determine minimum necessary
  • Assessment of job functions and job descriptions
    to allow for appropriate and differential access
    to categories of information
  • Develop policies and procedures to operationalize
    and implement this new work flow
  • Organization of information (networks, computer
    screens, hard files, data bases) to allow
    differential access according to categories of
    information needed.
  • Train staff.

20
Consent Authorization Research TBD
21
Patient Rights
  • Notice of privacy rights/information practices
  • Access to inspect and copy medical record
  • Request corrections
  • Accounting of disclosures
  • Restrictions on disclosures
  • File complaints

22
Violations
  • Civil Penalties: $100/violation up to
    $25,000/year/person/standard
  • Federal criminal penalties up to $250,000 and 10
    years in prison for intentional disclosure
  • $500/1st offense under 42 CFR Part II with $5,000
    for each subsequent offense
  • Direct right of action
  • State Law
  • Patient Bill of Rights

23
42 CFR, Part 2
  • 42 CFR Part 2 is NOT superseded by HIPAA.
  • 42 CFR Part II is more stringent than HIPAA on
    SOME things, but not on others.
  • Both Rules must be read together to ensure that
    the more stringent protections are implemented.

24
Unique Identifiers
  • Employers, providers, health plans and patients
    receive a single unique lifetime identifier.
  • Provider identifiers will be loaded into the CMS
    National Provider System.
  • Health plan and individual identifiers have not
    yet been proposed.

25
Security and Electronic Signatures
  • Assign a Security Officer
  • Address the physical and technical security
    required to guard the integrity, confidentiality
    and availability of confidential information that
    is electronically stored, maintained or
    transmitted (include paper).
  • Covered entities are responsible for doing a risk
    assessment and determining appropriate scope for
    their security plan to become compliant.

26
Security and Electronic Signatures
  • Standards are technologically neutral, allowing
    covered entities to transition to newer
    technologies when available.
  • The standard is scalable in relation to the size
    and complexity of the organization, making it
    achievable for individual or small providers.

28
The End