HIPAA Where Should We Be - PowerPoint PPT Presentation

About This Presentation
Title:

HIPAA Where Should We Be

Description:

WaltCulbertson_at_aol.com. www.SharpWorkGroup.com. Dr. HIPAA says.. HIPAA is ... Covers electronic protected health information (as is defined in privacy rule) ... – PowerPoint PPT presentation

Slides: 42
Provided by: tru27

Transcript and Presenter's Notes

1
HIPAA Where Should We Be?
  • May 7, 2004
  • Walt Culbertson
  • Chief Technology, Security and Privacy Officer,
    Webify
  • Chair - Southern HIPAA Administrative Regional
    Process
  • Co-Chair - Southern Insurance Commissioner Task
    Force
  • Co-Chair WEDI/SNIP Privacy and Security
    Workgroup
  • WaltCulbertson_at_aol.com

2
Dr. HIPAA says.. HIPAA is like an Iceberg
3
There is a lot beneath the surface
4
There is also much behind the scenes!
5
And of Course.. There is the other side
6
The Future of HealthCare Success
  • Improved relationships and communications
  • Transition from transaction processing to
    partnerships in the healthcare delivery through
    value added collaborations
  • Improved models for effective care management and
    wellness programs
  • Evolution towards real-time enterprise and a more
    efficient operating model

7
First Step.. Get rid of the Paper
  • Possibility of errors
  • More time intensive
  • Administrative costs are higher (forms,
    envelopes, postage, FTE requirements)
  • Paper requires additional processing from the
    payer/plan
  • Increased follow-up time with payers
  • Rejections from payer/plan result in delayed
    payment and resubmission
  • Misfiled, in another patient's file, or missing
    (may be in the stack to be filed)
  • Exposed individually identifiable information
  • Access to files

8
HIPAA is a Catalyst for Necessary Change
[Diagram labels: High Availability; Drug Interactions; Clinical Order Entry; Efficiency; Connectivity; Quality Metrics; Better Information; EMR; Availability; Individual E-HDb; E-Health; EDI; Privacy; Security]
9
Moving Away from Paper.. ALL EDI
  • Electronic transactions are less likely to have
    errors
  • Takes less time to complete electronic forms
  • Less payer processing time
  • Status information more readily available
  • More easily tracked and secured
  • Possibility to upload adjudication information
    into management systems
  • Computer costs vary based on type of operation
  • Automate claims management, Pre-registration,
    revenue cycle
  • Data access controls and applied security practices
  • Audit trails

10
Movement towards Real-Time
  • Plan for HIPAA compliance to evolve in the next
    three years
  • Focus first on surviving, then on becoming a
    Real-Time Enterprise (RTE)
  • If you are not in a community, create one!
  • Health plans go beyond minimal implementations
  • it's good for the providers, and
  • that is good for you!

11
HIPAA Jump Start
  • HIPAA claims are a threat (if not done well or
    compliant)
  • The other HIPAA transactions are opportunities
  • HIPAA jump-starts the real-time enterprise
  • Surviving and thriving are community affairs

12
DDE and Real-Time EDI Lead to More Internet Usage
[Architecture diagram labels: Health Plan; Care Delivery Organization; Replica Core Application; Legacy Core Application; Browser; HTML / Internet / Secure HTTP; Program Logic; Web Server; CDO Scheduling or Registration System; Mapper; Web Server; EDI / Internet / Secure HTTP; Application Server]
Source: Gartner Teleconference, 12 August 2003
13
Working Together
14
HIPAA Compliance Deadlines
15
HIPAA Security.. Step 1 Get HPP
16
Focus of Final Security Standards
  • Ensure Confidentiality, Integrity and
    Availability of electronic Protected Health
    Information (ePHI)
  • Data at rest and data in transit
  • Protect against reasonably anticipated threats or
    hazards to the security or integrity of
    information
  • Protect against reasonably anticipated uses and
    disclosures not permitted by privacy rules
  • Ensure compliance by workforce

17
Security Road Map Step 2: Security Gap, How to
Comply?
  • Do a risk analysis
  • Based on the analysis, determine necessary
    security policies and procedures as required by
    the regulation
  • Implement required, and appropriate addressable
    specifications
  • Documentation, Documentation, Documentation and,
    oh yeah, Documentation
  • Possible Resource: NIST Risk Management Guide
    (SP 800-30), www.nist.gov
  • Internal Vulnerabilities: http://icat.nist.gov/icat.cfm

18
Security Road Map Step 3: Identify Business
Associates
  • Definitions and many administrative requirements
    aligned with the Privacy regulations
  • Covers electronic protected health information
    (as is defined in privacy rule)
  • Same requirements for business associate
    agreements (need to have them with covered
    entities who are business associates)
  • No longer need Chain of trust, security
    provisions must be added to the Business
    Associate Agreement

19
Security Road Map Step 4: Address Final Security
Standards
  • Have administrative, physical, and technical
    standards
  • Now have required and addressable specifications
  • Encryption now addressable
  • No electronic signature standard
  • Industry does not yet agree on a standard,
    although much progress has been made recently

20
Security Road Map Step 5: Addressable Security
Standards
  • If an implementation specification is
    addressable, a covered entity can
      • Implement it, if reasonable and appropriate
      • Implement an equivalent measure, if reasonable
        and appropriate
      • Not implement it
  • Based on sound, documented reasoning from a risk
    analysis

21
Security Road Map Step 6: Implement
Administrative Standards
  • Security Awareness and Training
      • Security Reminders (A)
      • Protection from Malicious Software (A)
      • Log-in Monitoring (A)
      • Password Management (A)
  • Security Incident Procedures
      • Response and Reporting (R)
  • Evaluation
  • Business Associate Contracts (R)
      • Written Contract (or other arrangement) (R)
  • Security Management
      • Risk analysis (R)
      • Risk management (R)
      • Sanction Policy (R)
      • Information System Activity Review (R)
  • Assigned Responsibility
  • Workforce Security
      • Authorization and/or Supervision (A)
      • Clearance Procedures (A)
      • Termination procedures (A)
  • Information Access Management
      • Isolate Clearinghouse Function (R)
      • Access Authorization (A)
      • Access Establishment/Modification (A)
  • Contingency Plan
      • Data Backup Plan (R)
      • Disaster Recovery Plan (R)
      • Emergency Operations Plan (R)
      • Testing and Revision Procedure (A)
      • Applications and Data Criticality (A)
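
The "Log-in Monitoring" and "Information System Activity Review" items above are the ones most often implemented as a recurring review of authentication records. The following is an added example (not from the presentation, and not any product's log format) of what such a review looks like in code: it parses a constructed authentication log, flags bursts of failed log-ins per user, lists successful log-ins outside an assumed business-hours window, and escalates any burst that ended in a successful log-in. The line format, user names, addresses and thresholds are all assumptions chosen for illustration.

```python
"""Log-in monitoring and information system activity review over a
constructed authentication log. Added example; the log line format, user
names, addresses and thresholds are assumptions for illustration, not a
format from the presentation or from any particular product."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: ISO timestamp, then key=value fields).
SAMPLE_LOG = """\
2004-05-07T08:01:10 user=jdoe ip=10.0.0.5 result=SUCCESS
2004-05-07T08:02:30 user=asmith ip=10.0.0.9 result=FAIL
2004-05-07T08:02:41 user=asmith ip=10.0.0.9 result=FAIL
2004-05-07T08:02:55 user=asmith ip=10.0.0.9 result=FAIL
2004-05-07T08:03:02 user=asmith ip=10.0.0.9 result=FAIL
2004-05-07T08:03:20 user=asmith ip=10.0.0.9 result=FAIL
2004-05-07T08:03:40 user=asmith ip=10.0.0.9 result=SUCCESS
2004-05-07T12:00:00 user=bwong ip=10.0.0.12 result=FAIL
2004-05-07T12:30:00 user=bwong ip=10.0.0.12 result=SUCCESS
2004-05-07T23:15:00 user=jdoe ip=203.0.113.7 result=SUCCESS
"""

def parse_log(text):
    """Turn each non-empty line into a dict with a parsed 'ts' datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts_str)
        events.append(rec)
    return events

def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Log-in monitoring: users with at least `threshold` failures inside any
    sliding `window`. Returns {user: highest failure count seen in a window}."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["user"]].append(e["ts"])
    alerts = {}
    for user, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[user] = max(alerts.get(user, 0), count)
    return alerts

def after_hours_logins(events, start_hour=7, end_hour=19):
    """Activity review: successful log-ins outside the business-hours window
    (the hours are an assumed policy value), as (user, ip, timestamp)."""
    return [(e["user"], e["ip"], e["ts"].isoformat())
            for e in events
            if e["result"] == "SUCCESS"
            and not (start_hour <= e["ts"].hour < end_hour)]

def success_after_burst(events, bursts):
    """Users from a failure burst whose latest attempt then succeeded:
    the pattern a reviewer wants escalated rather than filed."""
    flagged = []
    for user in bursts:
        mine = sorted((e["ts"], e["result"]) for e in events if e["user"] == user)
        if mine and mine[-1][1] == "SUCCESS":
            flagged.append(user)
    return sorted(flagged)

def review(text):
    """Run the whole review over one log text and return the findings."""
    events = parse_log(text)
    bursts = failed_login_bursts(events)
    return {
        "failure_bursts": bursts,
        "after_hours": after_hours_logins(events),
        "success_after_burst": success_after_burst(events, bursts),
    }

if __name__ == "__main__":
    for name, finding in review(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

The sliding window matters: a fixed five-minute bucket would miss a burst that straddles the bucket boundary, whereas the window above counts every failure within five minutes of any other. The thresholds and hours are parameters so the same review can be tuned to whatever the covered entity's documented risk analysis calls for.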

22
Security Road Map Step 7: Implement Physical
Standards
  • Facility Access Controls
      • Contingency Operations (A)
      • Facility Security Plan (A)
      • Access Control Validation Procedures (A)
      • Maintenance Records (A)
  • Workstation Use (R)
  • Workstation Security (R)
  • Device and Media Controls
      • Disposal (R)
      • Media Re-use (R)
      • Accountability (A)
      • Data Backup Storage (A)

23
Security Road Map Step 8: Implement Technical
Standards
  • Access Control
      • Unique User Id (R)
      • Emergency Access (R)
      • Automatic Logoff (A)
      • Encryption and Decryption (A)
  • Audit Controls (R)
  • Integrity (R)
      • Mechanism to Authenticate ePHI (A)
  • Person or Entity Authentication
  • Transmission Security
      • Integrity Controls (A)
      • Encryption (A)

24
Security Road Map Step 9: Get a real Disaster
Recovery Program
  • Covered Entities must identify potential threats
    to the organization and plan for continuing
    operations in such events
  • Establish a plan for continuity of practice
    operations in the event of both external and
    internal events (disaster, break-in, break-down)
  • HIPAA requires backups and protection of
    protected health information in electronic form
  • Requirements for emergency mode access and
    operation
  • TEST your plan including technology and paper

25
Security Road Map Step 10: Documentation and
Training
  • All personnel must be aware of all security
    policies and procedures, which YOU MUST HAVE
  • It is critical that each covered entity document
    their HIPAA security assessment process and the
    resulting outcomes
  • Must answer why and how decisions were made,
    especially regarding the requirements within the
    rule that are addressable in nature
  • Documentation and training should be kept current
    and available to all employees as a part of the
    overall HR process

26
HIPAA The race to compliance
27
Why Are Standards Important to You?
  • Standard method for submitting claims
  • Standard method for getting paid
  • Use of transactions can greatly improve
    efficiency and reduce paperwork
  • Real-time Eligibility/Benefits today Claims
    tomorrow
  • Penalties for non-compliance
  • Non-compliance can result in a cash flow
    disruption or improper payment

28
Electronic Highway Round One
  • HIPAA required HHS to adopt industry-developed
    standards for administrative and revenue EDI

Transactions applicable to providers
29
Provider RTE Round Two: Revenue Cycle Management
  • Pre-care
      • Self-service registration and scheduling
      • Accurate patient demographic/coverage information
      • Eligibility and referral checking, not
        labor-limited
      • Pre-established health plan data requirements
  • Concurrent with care
      • Simultaneous documentation through delivery
        systems
      • Point-of-service collections
  • Post-care
      • Rapid closing of case
      • Non-labor-intensive claim follow-up (status,
        posting, secondary coverage)
      • Consumer access to statements/Web payments

30
Providers.. Start your engines!
  • Demand your HIPAA Rights
      • The right to send a standard transaction
      • The right to have the transaction serviced with
        reasonable telecommunications fees applied
      • The right to exchange the full lifecycle of HIPAA
        transactions
  • Implement a pre-registration process
  • Leverage the Eligibility and Benefits 270/271
  • Implement the Authorization and Referral 278
  • Pro-active use of the Claims Status 276-277

31
Providers.. Rev your engines!
  • Preventive care is good for you too!
      • Always check EB BEFORE the visit when possible
      • Obtain approvals and authorizations
      • Reduce bad encounters by eliminating validation
        on the date of service
  • Significant results are possible
      • Much shorter check-in process
      • Push for co-pays, deductibles, other OOP no later
        than the date of service
      • Time for you and the patient to make choices

32
Providers GO GO GO The Claims Attachment (275)
  • The claims attachment standard will allow the
    electronic attachment of clinical data (medical
    opinions, diagnostic information from lab tests
    and radiology reports, EKG readings and similar)
  • One day we may be able to add radiology images
    and scans

33
Clinical Outcomes Round Three: Real Impact of the
Electronic Highway
  • Leverage Internet and Real-Time connections used
    for administrative and revenue transactions for
    provider to provider interactions
  • Focus on applied digital healthcare through the
    use of technology for more effective clinical
    outcomes
  • Enabling technologies will be required
  • Voice-to-text is a critical element to clinical
    adoption
  • Interoperable security and authentication
  • High availability and on-demand architectures

34
Conclusion: HIPAA Threats and Opportunities
For claims, the goal is to survive a threat
Other transactions are opportunities to thrive
  • Early adopters are demonstrating this
  • Full realization is a complex process
  • Dropping back to paper
  • Increase claims failure
  • Increase reliance on 3rd party clearinghouses

35
Follow the leader
36
Do not underestimate the Challenges of the NPI
  • Providers may begin applying for NPIs on May 23,
    2005
  • Compliance Date May 23, 2007: providers and
    health plans must use only the NPI to identify
    providers in standard EDI transactions; no
    legacy provider identifiers will be allowed
  • NPIs can also be used on paper transactions
  • 10 positions (9 plus the check-digit)
  • All numeric
  • Only a number; no embedded intelligence
  • Assigned by NPS
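
The NPI format described above (10 positions, all numeric, the last being a check digit) lends itself to a cheap local format check before any enrollment data is accepted or looked up against the enumerator. The following is an added example, not from the presentation: it implements the check-digit rule CMS published for the NPI, namely the Luhn formula applied to the 9 identifier digits with the constant card-issuer prefix 80840 prepended, and runs it over a constructed batch of enrollment records. The record layout and all sample NPIs are constructed for illustration; a value that passes is merely well-formed, not proven to be assigned to anyone.

```python
"""NPI check-digit validation for a batch of constructed enrollment records.
Added example, not from the presentation. The check-digit rule is the CMS
one: Luhn formula over the 9 identifier digits with the constant prefix
80840 prepended. Record layout and sample NPIs are constructed."""

NPI_PREFIX = "80840"  # constant card-issuer prefix used by the CMS Luhn calculation

def luhn_total_mod10(digits):
    """Luhn sum of a digit string (rightmost digit not doubled), modulo 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as adding the two digits of the product
        total += d
    return total % 10

def npi_check_digit(nine_digits):
    """Return the check digit for a 9-digit NPI identifier part."""
    if len(nine_digits) != 9 or not nine_digits.isdigit():
        raise ValueError("identifier part must be exactly 9 digits")
    partial = luhn_total_mod10(NPI_PREFIX + nine_digits + "0")
    return str((10 - partial) % 10)

def is_valid_npi(npi):
    """Format check only: 10 positions, all numeric, check digit consistent.
    A passing value is well-formed, not proven to be assigned to anyone."""
    return (len(npi) == 10 and npi.isdigit()
            and luhn_total_mod10(NPI_PREFIX + npi) == 0)

# Constructed enrollment records (provider name, NPI as submitted).
SAMPLE_RECORDS = [
    ("Example Clinic A", "1234567893"),   # well-formed: 123456789 takes check digit 3
    ("Example Clinic B", "1234567839"),   # adjacent digits transposed
    ("Example Clinic C", "123456789"),    # one position short
    ("Example Clinic D", "12345678A3"),   # non-numeric character
    ("Example Clinic E", "1234567894"),   # single-digit typo in the check digit
]

def triage_records(records):
    """Split records into those passing the format check and those to bounce
    back before any lookup against the enumerator's data."""
    accepted, rejected = [], []
    for name, npi in records:
        (accepted if is_valid_npi(npi) else rejected).append((name, npi))
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = triage_records(SAMPLE_RECORDS)
    print("accepted:", ok)
    print("rejected:", bad)
```

Because the NPI carries no embedded intelligence, this is all a local check can establish: that the value is ten digits whose check digit is consistent. Whether it actually belongs to the enrolling provider is a separate verification against NPS data, as the slides on health plan impact note.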

37
NPI Impact on Providers
  • No longer necessary to use different identifiers
    for different health plans, contracts, locations
  • Each organization provider is responsible for
    determining the number of NPIs needed for their
    organization (cannot be dictated by health plans)
  • May need to increase the information they are
    providing within the standard transaction e.g.
    rendering location, taxonomy code in order to be
    paid correctly

38
NPI Impact on Health Plans
  • Legacy and health plan assigned provider
    identifiers will not be permitted in standard
    transactions. The NPI must be used as the provider's
    primary, and only, identifier
  • No information about the provider exists in its
    NPI
  • Will still need provider enrollment process
  • Will need to collect enrollment data (memberships
    in groups, multiple practice locations)
  • Will need to validate enrollment data
  • May access NPS to verify and validate NPIs and
    related data
  • Final Rule does not require NPI to replace a
    providers EDI sender s
  • Paper vs. electronic transactions
  • Covered vs. Non-covered providers
  • Require NPI on both?
  • How does implementation strategy align with other
    health plans and CMS?
  • Transition planning
      • How best to transition providers in an orderly
        manner by May 23, 2007
  • Contingency planning

39
How to Get Paid Under HIPAA?

USE IT!
40
Getting Paid Steps
  • Ask Vendor about their compliance
  • Obtain Companion Guides
  • Learn Process, timing for Testing
  • Free EDI service?
  • Determine gaps new - old formats
  • Decide how to support changes, including HIPAA
    medical and non-medical code sets..
  • Remember NO MORE Local Codes!
  • TEST.. TEST TEST

41
Thank You
  • Questions
  • WaltCulbertson_at_aol.com