HIPAA Where Should We Be

1
HIPAA Where Should We Be?

• May 7, 2004
• Walt Culbertson
• Chief Technology, Security and Privacy Officer,
  Webify
• Chair - Southern HIPAA Administrative Regional
  Process
• Co-Chair - Southern Insurance Commissioner Task
  Force
• Co-Chair WEDI/SNIP Privacy and Security
  Workgroup
• WaltCulbertson_at_aol.com

2
Dr. HIPAA says..HIPAA is like an Iceberg
3
There is a lot beneath the surface
4
There is also much behind the scenes!
5
And of Course.. There is the other side
6
The Future of HealthCare Success

• Improved relationships and communications
• Transition from transaction processing to
  partnerships in the healthcare delivery through
  value added collaborations
• Improved models for effective care management and
  wellness programs
• Evolution towards real-time enterprise and a more
  efficient operating model

7
First Step.. Get rid of the Paper

• Possibility of errors
• More time intensive
• Administrative costs are higher (forms,
  envelopes, postage, FTE requirements)
• Paper requires additional processing from the
  payer/plan
• Increased follow-up time with payers
• Rejections from payer/plan result in delayed
  payment and resubmission
• Misfiled, in another patients file missing (may
  be in stack to be filed)
• Exposed individually identifiable information
• Access to files

8
HIPAA is a Catalyst for Necessary Change
High Availability
Drug Interactions
Clinical Order Entry
Efficiency
Connectivity
Quality Metrics
Better Information
EMR
Avail-ibility
Individual E-HDb
E-Health
EDI
Privacy
Security
9
Moving Away from Paper.. ALL EDI

• Electronic transactions are less likely to have
  errors
• Takes less time to complete electronic forms
• Less payer processing time
• Status information more readily available
• More easily tracked and secured
• Possibility to upload adjudication information
  into management systems
• Computer costs vary based on type of operation
• Automate claims management, Pre-registration,
  revenue cycle
• Data access controls applied security practices
• Audit trails

10
Movement towards Real-Time

• Plan for HIPAA compliance to evolve in thenext
  three years
• Focus first on surviving, then on becomingan
  Real-Time Enterprise (RTE)
• If you are not in a community, create one!
• Health plans go beyond minimal implementations
• its good for the providers, and
• that is good for you!

11
HIPAA Jump Start

• HIPAA claims are a threat (if not done well or
  compliant)
• The other HIPAA transactions are opportunities
• HIPAA jump-starts the real-time enterprise
• Surviving and thriving are community affairs

12
DDE and Real-Time EDILead to More Internet Usage
Health Plan
Care Delivery Organization
ReplicaCoreApplication
LegacyCoreApplication
Browser
HTMLInternetSecure HTTP
ProgramLogic
WebServer
CDOScheduling orRegistrationSystem
Mapper
WebServer
EDIInternetSecure HTTP
Application Server
Source Gartner Teleconference - 12 August 2003
13
Working Together
14
HIPAA Compliance Deadlines
15
HIPAA Security.. Step 1 Get HPP
16
Focus of Final Security Standards

• Ensure Confidentiality, Integrity and
  Availability of electronic Protected Health
  Information (ePHI)
• Data at rest and data in transit
• Protect against reasonably anticipated threats or
  hazards to the security or integrity of
  information
• Protect against reasonably anticipated uses and
  disclosures not permitted by privacy rules
• Ensure compliance by workforce

17
Security Road Map Step 2Security Gap How to
Comply?

• Do a risk analysis
• Based on the analysis, determine necessary
  security policies and procedures as required by
  the regulation
• Implement required, and appropriate addressable
  specifications
• Documentation, Documentation, Documentation and
  ohyeah Documentation
• Possible Resource NIST Risk Management Guide
  (800-30) www.nist.gov
• Internal Vulnerabilities http//icat.nist.gov/icat
  .cfm

18
Security Road Map Step 3 Identify Business
Associates

• Definitions and many administrative requirements
  aligned with the Privacy regulations
• Covers electronic protected health information
  (as is defined in privacy rule)
• Same requirements for business associate
  agreements (need to have them with covered
  entities who are business associates)
• No longer need Chain of trust, security
  provisions must be added to the Business
  Associate Agreement

19
Security Road Map Step 4Address Final Security
Standards

• Have administrative, physical, and technical
  standards
• Now have required and addressable specifications
• Encryption now addressable
• No electronic signature standard
• Industry does not yet agree on a standard,
  although much progress has been made recently

20
Security Road Map Step 5Addressable Security
Standards

• If an implementation specification is
  addressable, a covered entity can
• Implement, if reasonable and appropriate
• Implement an equivalent measure, if reasonable
  and appropriate
• Not implement it
• Based on sound, documented reasoning from a risk
  analysis

21
Security Road Map Step 6 Implement
Administrative Standards

• Security Awareness and Training
• Security Reminders (A)
• Protection from Malicious Software (A)
• Log-in Monitoring (A)
• Password Management (A)
• Security Incident Procedures
• Response and Reporting (R)
• Evaluation
• Business Associate Contracts (R)
• Written Contract (or other arrangement) (R)

• Security Management
• Risk analysis (R)
• Risk management (R)
• Sanction Policy (R)
• Information System Activity Review (R)
• Assigned Responsibility
• Workforce Security
• Authorization and/or Supervision (A)
• Clearance Procedures (A)
• Termination procedures (A)
• Information Access Management
• Isolate Clearinghouse Function (R)
• Access Authorization (A)
• Access Establishment/Modification (A)

• Contingency Plan
• Data Backup Plan (R)
• Disaster Recovery Plan (R)
• Emergency Operations Plan (R)
• Testing and Revision Procedure (A)
• Applications and Data Criticality (A)

22
Security Road Map Step 7Implement Physical
Standards

• Facility Access Controls
• Contingency Operations (A)
• Facility Security Plan (A)
• Access Control Validation Procedures (A)
• Maintenance Records (A)
• Workstation Use (R)
• Workstation Security (R)
• Device and Media Controls
• Disposal (R)
• Media Re-use (R)
• Accountability (A)
• Data Backup Storage (A)

23
Security Road Map Step 8Implement Technical
Standards

• Access Control
• Unique User Id (R)
• Emergency Access (R)
• Automatic Logoff (A)
• Encryption and Decryption (A)
• Audit Controls (R)
• Integrity (R)
• Mechanism to Authenticate ePHI (A)
• Person or Entity Authentication
• Transmission Security
• Integrity Controls (A)
• Encryption (A)

24
Security Road Map Step 9Get a real Disaster
Recovery Program

• Covered Entities must identify potential threats
  to the organization and plan for continuing
  operations in such events
• Establish a plan for continuity of practice
  operations in the event of both external and
  internal events (disaster, break-in, break-down)
• HIPAA requires backups and protection of
  protected health information in electronic form
• Requirements for emergency mode access and
  operation
• TEST your plan including technology and paper

25
Security Road Map Step 10Documentation and
Training

• All personnel must be aware of all security
  policies and procedures YOU MUST HAVE
• It is critical that each covered entity document
  their Security HIPAA assessment process and the
  resulting outcomes
• Must answer why and how decisions were made
  especially regarding the requirements within the
  rule that are addressable in nature
• Documentation and training should be kept current
  and available to all employees as a part of the
  overall HR process

26
HIPAA The race to compliance
27
Why Are Standards Important to You?

• Standard method for submitting claims
• Standard method for getting paid
• Use of transactions can greatly improve
  efficiency and reduce paperwork
• Real-time Eligibility/Benefits today Claims
  tomorrow
• Penalties for non-compliance
• Non-compliance can result in a cash flow
  disruption or improper payment

28
Electronic Highway Round One

• HIPAA required HHS adopt industry-developed
  standards for administrative and revenue EDI

Transactions applicable to providers
29
Provider RTE Round TwoRevenue Cycle Management

• Pre-care
• Self-service registration and scheduling
• Accurate patient demographic/coverage information
• Eligibility and referral checking, not
  labor-limited
• Pre-established health plan data requirements
• Concurrent with care
• Simultaneous documentation through delivery
  systems
• Point-of-service collections
• Post-care
• Rapid closing of case
• Non-labor-intensive claim follow-up (status,
  posting, secondary coverage)
• Consumer access to statements/Web payments

30
Providers.. Start your engines!

• Demand your HIPAA Rights
• The right to send a standard transaction
• The right to have the transaction serviced with
  reasonable telecommunications fees applied
• The right to exchange the full lifecycle of HIPAA
  transactions
• Implement a pre-registration process
• Leverage the Eligibility and Benefits 270/271
• Implement the Authorization and Referral 278
• Pro-active use of the Claims Status 276-277

31
Providers.. Rev your engines!

• Preventive care is good for you too!
• Always check EB BEFORE the visit when possible
• Obtain approvals and authorizations
• Reduce bad encounters by eliminating validation
  on the date of service
• Significant results are possible
• Much shorter check-in process
• Push for co-pays, deductibles, other OOP no later
  than the date of service
• Time for you and the patient to make choices

32
Providers GO GO GO The Claims Attachment (275)

• The claims attachment standard will allow the
  electronic attachment of clinical data (medical
  opinions, diagnostic information from lab tests
  and radiology reports, EKG readings and similar)
• One day we may be able to add radiology images
  and scans

33
Clinical Outcomes Round Three Real Impact of
Electronic Highway

• Leverage Internet and Real-Time connections used
  for administrative and revenue transactions for
  provider to provider interactions
• Focus on applied digital healthcare through the
  use of technology for more effective clinical
  outcomes
• Enabling technologies will be required
• Voice-to-text is a critical element to clinical
  adoption
• Interoperable security and authentication
• High availability and on-demand architectures

34
Conclusion HIPAA Threats and Opportunities
For claims, the goal is to survive a threat
Other transactions are opportunities to thrive

• Early adopters are demonstrating this
• Full realization is acomplex process

• Dropping back to paper
• Increase claims failure
• Increase reliance on 3rd party clearinghouses

35
Follow the leader
36
Do not underestimate the Challenges of the NPI

• Providers may begin applying for NPIs on May 23,
  2005
• Compliance Date May 23, 2007 providers and
  health plans must use only the NPI to identify
  providers in standard EDI transactions no
  legacy provider identifiers will be allowed
• NPIs can also be used on paper transactions
• 10 positions (9 plus the check-digit)
• All numeric
• Only a number no embedded intelligence
• Assigned by NPS

37
NPI Impact on Providers

• No longer necessary to use different identifiers
  for different health plans, contracts, locations
• Each organization provider is responsible for
  determining the number of NPIs needed for their
  organization
• (cannot be dictated by health plans)
• May need to increase the information they are
  providing within the standard transaction e.g.
  rendering location, taxonomy code in order to be
  paid correctly

38
NPI Impact on Health Plans

• Legacy and health plan assigned provider
  identifiers will not be permitted in standard
  transactions. NPI must be used as the providers
  primary - and only identifier
• No information about the provider exists in its
  NPI
• Will still need provider enrollment process
• Will need to collect enrollment data (memberships
  in groups, multiple practice locations)
• Will need to validate enrollment data
• May access NPS to verify and validate NPIs and
  related data
• Final Rule does not require NPI to replace a
  providers EDI sender s
• Paper vs. electronic transactions
• Covered vs. Non-covered providers
• Require NPI on both?
• How does implementation strategy align with other
  health plans and CMS?
• Transition planning
• How best to transition providers in an orderly
  manner by May 23, 2007
• Contingency planning

39
How to Get Paid Under HIPAA?

USE IT!
40
Getting Paid Steps

• Ask Vendor about their compliance
• Obtain Companion Guides
• Learn Process, timing for Testing
• Free EDI service?
• Determine gaps new - old formats
• Decide how to support changes
• including HIPAA medical, non-medical code sets..
• Remember NO MORE Local Codes!

• TEST.. TEST TEST

41
Thank You

• Questions
• WaltCulbertson_at_aol.com