Carol Ann Raymond - PowerPoint PPT Presentation

1 / 27

About This Presentation

Title:

Carol Ann Raymond

Description:

Allows employees to set up medical savings accounts exempted from taxation ... Administration Simplification ... Medical record numbers ... – PowerPoint PPT presentation

Number of Views:30

Avg rating:3.0/5.0

Slides: 28

Provided by: carolann4

Category:

more less

Transcript and Presenter's Notes

Title: Carol Ann Raymond

1
HIPAA OVERVIEW

Carol Ann Raymond
UGA Speech and Hearing Clinic
Department of Communication Sciences and
Special Education
Technology and Data Management Security Liaison
Meeting
February 10, 2006

2
HIPAA Overview

Description
Scope
Covered Entities
Administration Simplification
Electronic Data Interchange
National Provider Identification
Privacy
Security
Enforcement

3
HIPAA

Health Insurance Portability and Accountability
Act of 1996 (P.L. 104-191)
Reforms insurance market and simplifies health
care administrative processes
Developed and enforced by the U.S. Department of
Health and Human Services
Office of Civil Rights (OCR)
Centers for Medicare Medicaid Services (CMS)
Prevails in all covered regulations unless state
laws are more restrictive.

4
Purpose

Improve portability and continuity of health
insurance coverage in group and individual
markets
Combat waste, fraud and abuse in health insurance
and health care delivery
Promote use of medical savings accounts
Improve access to long-term care services and
coverage
Simplify administration of health insurance

5
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY
ACT

I. Healthcare Insurance Access, Portability, and
Renewability
II. Preventing Healthcare Fraud Abuse
III. Tax- Related Health Provisions
IV. Group Health Plan Requirements
V. Revenue Offsets

Administration Simplification

Privacy 4/14/03
Electronic Data Interchange
Security 4/20/05
Transactions 10/02
Code Sets 10/02
Identifiers
National Provider Identifier 5/23/07
6
HIPAA Titles Key Points
7
Covered Entities Administration Simplification

Healthcare providers, health plans, and
clearinghouses who transmit any health
information in electronic form
Insurance claims, eligibility, etc.
Business Associates
Services provided on behalf of the covered
entity, involving the use or disclosure of
protected health information (PHI)
E.g., consultants, accreditation agencies,
vendors, etc.
Must sign agreement to comply with HIPAA

8
UGA Designated Health Care Components

Center for Counseling - College of Education
Employee Benefits Division - Human Resources
Department
Psychology Clinic - Franklin College of Arts and
Sciences
McPhaul Marriage and Family Therapy Clinic
Medication Access Program - College of Pharmacy
School Psychology Clinic - College of Education
University Health Center
Office of Legal Affairs
Speech and Hearing Clinic - College of Education
Wellness Clinic - College of Pharmacy

9
Administration Simplification

To improve efficiency and effectiveness
To reduce costs of healthcare system
Electronic Data Interchange (EDI)
Transactions - Single standard format for
electronic submissions
Claims submissions, eligibility inquiry,
enrollments, health care payments, transmitted
patient data, etc.
Code sets (diagnostic and procedure codes, etc.)
Identifiers
National Provider Identifier
Employer Identifier
National Individual Identifier

10
National Provider Identification

All HIPAA covered healthcare providers must apply
for single provider identification number
Includes individuals and organizations
Number will not change regardless of job or
location changes
Paper or web-based application process
May be filed in bulk enumeration in Electronic
File Interchange (EFI) process by organization on
providers behalf
Required by May 23, 2007

11
HIPAA Privacy Security Rules

Privacy Rule
What information must be kept confidential
Defines use and disclosure of PHI
Defines how patient rights are to be protected
Includes all forms of Protected Health
Information (PHI)
Paper, electronic, and oral
Security Rule
How ePHI will be kept confidential (physical and
technical means).
Covers PHI that is in electronic form only (ePHI)
Must have Security to ensure Privacy

12
Privacy Rule General Requirements

Designate a Privacy Official
Develop Notice of Privacy Practices
Develop Acknowledgement Form
Develop Authorization Form
To use or disclose PHI for purposes other than
Treatment,
Payment, or
Health Care Operations

TPO
13
Privacy Rule Cont

Develop Business Associate Agreements
Develop Policies Procedures for Handling PHI
Develop Minimum Necessary Use Policies
Develop Security Safeguards
Develop a Training Program
Develop Complaint Process
Develop Sanctions for Infractions

14
Protected Health Information (PHI)

Information which relates to the physical/mental
health or condition of an individual that
Identifies the individual or with respect to
which there is reasonable basis to believe the
information can be used to identify the
individual
Includes
Electronic or paper records, oral information
Exception
Education records covered by the Family
Educational Rights and Privacy Act (FERPA)
Employment records held in role as employer

15
PHI Identifiers

Social Security number
Health plan beneficiary numbers and other
identifying information
Account numbers
Certificate of license numbers
Vehicle identifiers and serial numbers to include
license plate numbers
Device identifiers and serial numbers
Web Universal Resource Locators (URLs)
Internet Protocol (IP) address numbers
Full face photographic images and other
comparable images

Name
Medical record numbers
Geographic subdivision smaller than a state
including street address, city, county, precinct,
zip code
Any and all dates (except the year), including
birth date, encounter date, and date of death
Telephone numbers
Fax numbers
Electronic mail addresses
Any other unique identifying number,
characteristic or codes

To De-Identify Remove All Identifiers
16
Privacy Rule Individual Patient Rights

Individuals have a right to
Receive a Notice of Privacy Practices
Receive PHI by alternative means or at
alternative locations to protect confidentiality
Review and obtain a copy of their protected
health information
Request amendments of protected health
information
Request that uses and disclosures of health
information be restricted and
Request an accounting of certain disclosures of
PHI for purposes other than TPO.

17
Security Rule

Covers all electronic PHI (ePHI), whether it is
being stored or transmitted
Requires implementation of appropriate
administrative, technical, and physical
safeguards for ePHI
Is technology neutral - what to do, not how
Is scalable and flexible - takes into account
Size, complexity and capabilities of the entity
Technical infrastructure, hardware, and software
security capabilities
Costs of security measures
Probability and criticality of potential risks

18
Security Standards General Rules

(1) Must ensure the confidentiality, integrity,
and availability of ePHI
Confidentiality Data or information is not made
available or disclosed to unauthorized persons
Integrity Data or information is not altered or
destroyed in an unauthorized manner
Availability Data or information is accessible
and usable upon demand by an authorized person
160.306(a)

19
Security Standards General Rules

(2) Must protect against any reasonably
anticipated threats or hazards to the security or
integrity of ePHI
(3) Must protect against any reasonably
anticipated uses or disclosures that are not
permitted by privacy rules
(4) Must ensure compliance with workforce

20
Security Standards (18)

Specifications (42)
Required
Specification must be implemented as stated
Addressable (not optional)
Assess whether each specification is reasonable
and appropriate for its environment to protect
ePHI.
If reasonable and appropriate - Implement as
stated
If not reasonable and appropriate,
Document rationale and implement an equivalent
alternative measure, if reasonable and
appropriate

21
Safeguard Categories

Administrative Safeguards
Administrative actions, policies, and procedures
to protect ePHI and to manage the conduct of the
workforce
Access controls, risk analysis, risk management,
training, incident reporting, business associates
contracts, etc.
Physical Safeguards
Physical measures, policies and procedures to
protect electronic information systems and
related buildings and equipment from natural and
environmental hazards and unauthorized intrusion
Locks and keys, disposal methods, data backup and
storage requirements, etc.
Technical Safeguards
The technology and policies that protect ePHI and
control access to it
Authentication of users, audit logs, data
integrity checks, and transmission
security/encryption, etc.

22
Safeguards - Departmental Procedures

Administrative Safeguards
Risk Analysis (R)
Identify threats, vulnerabilities, security
controls, etc.
Risk Management (R)
Identify, control, minimize, or eliminate
security risks
Physical Safeguard
Workstation Security (R)
Restrict access to authorized users
Identify all workstations that access ePHI
Departmental Procedures Example
SF 10 COE Security Access Log
SF 11 Electronic Device Inventory/Audit

23
Enforcement

Civil Penalties
Up to 100/per person, per violation, up to
25,000 per year
Criminal Penalties
Knowing misuse of PHI up to 50,000 and/or up to
one year imprisonment
Under false pretences up to 100,000 and/or
up to five years imprisonment
Personal gain/malicious harm up to 250,000
and/or up to 10 years imprisonment
Primarily complaint - driven

24
HIPAA Complaints Office of Civil Rights

Over 10,000 privacy complaints filed
Most complaints involve
Impermissible use or disclosures of PHI
Absence of adequate safeguards to protect PHI
Failure to provide patents with access to records
Disclosing more information than is minimally
necessary
Making disclosures without a valid authorization
when an authorization is required
Source http//www.calhipaa.com

25
References Resources