Title: HIPAA Where Should We Be
1. HIPAA Where Should We Be?
- May 7, 2004
- Walt Culbertson
- Chief Technology, Security and Privacy Officer, Webify
- Chair, Southern HIPAA Administrative Regional Process
- Co-Chair, Southern Insurance Commissioner Task Force
- Co-Chair, WEDI/SNIP Privacy and Security Workgroup
- WaltCulbertson_at_aol.com
2. Dr. HIPAA says... HIPAA is like an Iceberg
3. There is a lot beneath the surface
4. There is also much behind the scenes!
5. And of course... there is the other side
6. The Future of HealthCare Success
- Improved relationships and communications
- Transition from transaction processing to partnerships in healthcare delivery through value-added collaborations
- Improved models for effective care management and wellness programs
- Evolution towards a real-time enterprise and a more efficient operating model
7. First Step... Get rid of the Paper
- Possibility of errors
- More time intensive
- Administrative costs are higher (forms, envelopes, postage, FTE requirements)
- Paper requires additional processing from the payer/plan
- Increased follow-up time with payers
- Rejections from payer/plan result in delayed payment and resubmission
- Misfiled, in another patient's file, missing (may be in a stack waiting to be filed)
- Exposed individually identifiable information
- Access to files
8. HIPAA is a Catalyst for Necessary Change
- High Availability
- Drug Interactions
- Clinical Order Entry
- Efficiency
- Connectivity
- Quality Metrics
- Better Information
- EMR
- Availability
- Individual E-HDb
- E-Health
- EDI
- Privacy
- Security
9. Moving Away from Paper... ALL EDI
- Electronic transactions are less likely to have errors
- Takes less time to complete electronic forms
- Less payer processing time
- Status information more readily available
- More easily tracked and secured
- Possibility to upload adjudication information into management systems
- Computer costs vary based on type of operation
- Automate claims management, pre-registration, revenue cycle
- Data access controls: applied security practices
- Audit trails
10. Movement towards Real-Time
- Plan for HIPAA compliance to evolve in the next three years
- Focus first on surviving, then on becoming a Real-Time Enterprise (RTE)
- If you are not in a community, create one!
- Health plans go beyond minimal implementations
- It's good for the providers, and
- That is good for you!
11. HIPAA Jump Start
- HIPAA claims are a threat (if not done well or compliant)
- The other HIPAA transactions are opportunities
- HIPAA jump-starts the real-time enterprise
- Surviving and thriving are community affairs
12. DDE and Real-Time EDI Lead to More Internet Usage
[Diagram: Health Plan side (Legacy Core Application, Replica Core Application, Program Logic, Web Server, Application Server, Mapper) connected over the Internet via Secure HTTP (HTML for browser access, EDI for system-to-system) to the Care Delivery Organization side (Browser, CDO Scheduling or Registration System)]
Source: Gartner Teleconference, 12 August 2003
13. Working Together
14. HIPAA Compliance Deadlines
15. HIPAA Security... Step 1: Get HPP
16. Focus of Final Security Standards
- Ensure Confidentiality, Integrity and Availability of electronic Protected Health Information (ePHI)
- Data at rest and data in transit
- Protect against reasonably anticipated threats or hazards to the security or integrity of information
- Protect against reasonably anticipated uses and disclosures not permitted by privacy rules
- Ensure compliance by workforce
17. Security Road Map Step 2: Security Gap. How to Comply?
- Do a risk analysis
- Based on the analysis, determine necessary security policies and procedures as required by the regulation
- Implement required, and appropriate addressable, specifications
- Documentation, Documentation, Documentation and oh yeah, Documentation
- Possible Resource: NIST Risk Management Guide (800-30), www.nist.gov
- Internal Vulnerabilities: http://icat.nist.gov/icat.cfm
18. Security Road Map Step 3: Identify Business Associates
- Definitions and many administrative requirements aligned with the Privacy regulations
- Covers electronic protected health information (as defined in the privacy rule)
- Same requirements for business associate agreements (need to have them with covered entities who are business associates)
- No longer need Chain of Trust; security provisions must be added to the Business Associate Agreement
19. Security Road Map Step 4: Address Final Security Standards
- Have administrative, physical, and technical standards
- Now have required and addressable specifications
- Encryption now addressable
- No electronic signature standard
- Industry does not yet agree on a standard, although much progress has been made recently
20. Security Road Map Step 5: Addressable Security Standards
- If an implementation specification is addressable, a covered entity can:
  - Implement it, if reasonable and appropriate
  - Implement an equivalent measure, if reasonable and appropriate
  - Not implement it
- Based on sound, documented reasoning from a risk analysis
21. Security Road Map Step 6: Implement Administrative Standards
- Security Awareness and Training
  - Security Reminders (A)
  - Protection from Malicious Software (A)
  - Log-in Monitoring (A)
  - Password Management (A)
- Security Incident Procedures
  - Response and Reporting (R)
- Evaluation
- Business Associate Contracts (R)
  - Written Contract (or other arrangement) (R)
- Security Management
  - Risk Analysis (R)
  - Risk Management (R)
  - Sanction Policy (R)
  - Information System Activity Review (R)
- Assigned Responsibility
- Workforce Security
  - Authorization and/or Supervision (A)
  - Clearance Procedures (A)
  - Termination Procedures (A)
- Information Access Management
  - Isolate Clearinghouse Function (R)
  - Access Authorization (A)
  - Access Establishment/Modification (A)
- Contingency Plan
  - Data Backup Plan (R)
  - Disaster Recovery Plan (R)
  - Emergency Operations Plan (R)
  - Testing and Revision Procedure (A)
  - Applications and Data Criticality (A)
22. Security Road Map Step 7: Implement Physical Standards
- Facility Access Controls
  - Contingency Operations (A)
  - Facility Security Plan (A)
  - Access Control Validation Procedures (A)
  - Maintenance Records (A)
- Workstation Use (R)
- Workstation Security (R)
- Device and Media Controls
  - Disposal (R)
  - Media Re-use (R)
  - Accountability (A)
  - Data Backup Storage (A)
23. Security Road Map Step 8: Implement Technical Standards
- Access Control
  - Unique User ID (R)
  - Emergency Access (R)
  - Automatic Logoff (A)
  - Encryption and Decryption (A)
- Audit Controls (R)
- Integrity (R)
  - Mechanism to Authenticate ePHI (A)
- Person or Entity Authentication
- Transmission Security
  - Integrity Controls (A)
  - Encryption (A)
24. Security Road Map Step 9: Get a Real Disaster Recovery Program
- Covered Entities must identify potential threats to the organization and plan for continuing operations in such events
- Establish a plan for continuity of practice operations in the event of both external and internal events (disaster, break-in, break-down)
- HIPAA requires backups and protection of protected health information in electronic form
- Requirements for emergency mode access and operation
- TEST your plan, including technology and paper
25. Security Road Map Step 10: Documentation and Training
- All personnel must be aware of all security policies and procedures. YOU MUST HAVE:
- It is critical that each covered entity document their HIPAA Security assessment process and the resulting outcomes
- Must answer why and how decisions were made, especially regarding the requirements within the rule that are addressable in nature
- Documentation and training should be kept current and available to all employees as a part of the overall HR process
26. HIPAA: The race to compliance
27. Why Are Standards Important to You?
- Standard method for submitting claims
- Standard method for getting paid
- Use of transactions can greatly improve efficiency and reduce paperwork
- Real-time Eligibility/Benefits today, Claims tomorrow
- Penalties for non-compliance
- Non-compliance can result in a cash flow disruption or improper payment
28. Electronic Highway Round One
- HIPAA required HHS to adopt industry-developed standards for administrative and revenue EDI transactions applicable to providers
29. Provider RTE Round Two: Revenue Cycle Management
- Pre-care
  - Self-service registration and scheduling
  - Accurate patient demographic/coverage information
  - Eligibility and referral checking, not labor-limited
  - Pre-established health plan data requirements
- Concurrent with care
  - Simultaneous documentation through delivery systems
  - Point-of-service collections
- Post-care
  - Rapid closing of case
  - Non-labor-intensive claim follow-up (status, posting, secondary coverage)
  - Consumer access to statements/Web payments
30. Providers... Start your engines!
- Demand your HIPAA Rights
  - The right to send a standard transaction
  - The right to have the transaction serviced with reasonable telecommunications fees applied
  - The right to exchange the full lifecycle of HIPAA transactions
- Implement a pre-registration process
- Leverage the Eligibility and Benefits 270/271
- Implement the Authorization and Referral 278
- Pro-active use of the Claims Status 276/277
31. Providers... Rev your engines!
- Preventive care is good for you too!
- Always check E&B BEFORE the visit when possible
- Obtain approvals and authorizations
- Reduce bad encounters by eliminating validation on the date of service
- Significant results are possible
  - Much shorter check-in process
  - Push for co-pays, deductibles, other OOP no later than the date of service
  - Time for you and the patient to make choices
32. Providers GO GO GO: The Claims Attachment (275)
- The claims attachment standard will allow the electronic attachment of clinical data (medical opinions, diagnostic information from lab tests and radiology reports, EKG readings and similar)
- One day we may be able to add radiology images and scans
33. Clinical Outcomes Round Three: Real Impact of the Electronic Highway
- Leverage Internet and real-time connections used for administrative and revenue transactions for provider-to-provider interactions
- Focus on applied digital healthcare through the use of technology for more effective clinical outcomes
- Enabling technologies will be required
  - Voice-to-text is a critical element to clinical adoption
  - Interoperable security and authentication
  - High availability and on-demand architectures
34. Conclusion: HIPAA Threats and Opportunities
For claims, the goal is to survive a threat.
Other transactions are opportunities to thrive.
- Early adopters are demonstrating this
- Full realization is a complex process
  - Dropping back to paper
  - Increased claims failure
  - Increased reliance on 3rd-party clearinghouses
35. Follow the leader
36. Do not underestimate the Challenges of the NPI
- Providers may begin applying for NPIs on May 23, 2005
- Compliance Date May 23, 2007: providers and health plans must use only the NPI to identify providers in standard EDI transactions; no legacy provider identifiers will be allowed
- NPIs can also be used on paper transactions
- 10 positions (9 plus the check-digit)
- All numeric
- Only a number, no embedded intelligence
- Assigned by NPS
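The slide gives the NPI's shape (10 numeric positions, the last being a check digit, nothing else encoded). The check digit is the Luhn check digit computed over the nine-digit stem prefixed with the issuer identifier "80840"; that prefix and algorithm come from the NPI standard, not from this presentation. The validator below is an added example, not code from the author or the presentation; the sample NPI in the usage section is a constructed test value.

```python
# Added example: format and check-digit validation for a National Provider
# Identifier (NPI). Structure per the slide: 10 positions, all numeric,
# 9 digits plus a check digit, no embedded intelligence.
# The Luhn check with the "80840" issuer prefix is from the NPI standard.
from typing import Optional

NPI_PREFIX = "80840"  # card issuer identifier fixed by the NPI standard


def luhn_sum(digits: str) -> int:
    """Luhn sum of a digit string whose rightmost digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as adding the two digits of the product
        total += d
    return total


def npi_check_digit(first_nine: str) -> str:
    """Return the check digit that completes a 9-digit NPI stem."""
    if len(first_nine) != 9 or not first_nine.isdigit():
        raise ValueError("NPI stem must be exactly 9 numeric characters")
    # Placeholder 0 keeps the stem digits in their correct Luhn positions.
    partial = luhn_sum(NPI_PREFIX + first_nine + "0")
    return str((10 - partial % 10) % 10)


def validate_npi(npi: str) -> Optional[str]:
    """Return None if `npi` is well-formed, otherwise the reason it is not.

    Only format is checked: an NPI carries no embedded intelligence, so
    nothing about the provider can be derived from it. Existence and
    enrollment data must still be verified against NPS records.
    """
    if len(npi) != 10:
        return "must be 10 positions"
    if not npi.isdigit():
        return "must be all numeric"
    if luhn_sum(NPI_PREFIX + npi) % 10 != 0:
        return "check digit does not match"
    return None


if __name__ == "__main__":
    sample = "123456789"  # constructed stem used only for demonstration
    full = sample + npi_check_digit(sample)
    print(full, validate_npi(full))            # 1234567893 None
    print(validate_npi(sample + "0"))          # check digit does not match
```

A passing format check only rules out transcription errors; a health plan still has to validate the identifier and its enrollment data against NPS, as the later slides describe.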
37. NPI Impact on Providers
- No longer necessary to use different identifiers for different health plans, contracts, locations
- Each organization provider is responsible for determining the number of NPIs needed for their organization (cannot be dictated by health plans)
- May need to increase the information they are providing within the standard transaction (e.g. rendering location, taxonomy code) in order to be paid correctly
38. NPI Impact on Health Plans
- Legacy and health plan assigned provider identifiers will not be permitted in standard transactions. The NPI must be used as the provider's primary, and only, identifier
- No information about the provider exists in its NPI
- Will still need a provider enrollment process
  - Will need to collect enrollment data (memberships in groups, multiple practice locations)
  - Will need to validate enrollment data
  - May access NPS to verify and validate NPIs and related data
- Final Rule does not require the NPI to replace a provider's EDI sender ID
- Paper vs. electronic transactions
  - Covered vs. non-covered providers
  - Require NPI on both?
- How does implementation strategy align with other health plans and CMS?
- Transition planning
  - How best to transition providers in an orderly manner by May 23, 2007
- Contingency planning
39. How to Get Paid Under HIPAA?
USE IT!
40. Getting Paid Steps
- Ask vendor about their compliance
- Obtain Companion Guides
- Learn process and timing for testing
- Free EDI service?
- Determine gaps between new and old formats
- Decide how to support changes
  - Including HIPAA medical and non-medical code sets...
  - Remember: NO MORE Local Codes!
41. Thank You
- Questions
- WaltCulbertson_at_aol.com