HIPAA and Your Compliance Program - PowerPoint PPT Presentation

Sidley & Austin

1
HIPAA and Your Compliance Program
September 25, 2000
  • HCCA's 2000 Compliance Institute
  • New Orleans, Louisiana

2
Presentation Agenda
  • Introductions
  • Overview and Background
  • HIPAA Requirements and Provisions
  • Technology with Q&A
  • Privacy with Q&A
  • Security with Q&A
  • Integration into Compliance Program

3
Overview and Background of HIPAA
4
General Provisions
  • Group and Individual Insurance Reform
    • Limits on pre-existing exclusion provisions
    • Portability of coverage, guaranteed issue and
      renewal
  • Fraud and Abuse
    • Medicare integrity, data collection, beneficiary
      incentive programs
    • Increased penalties, sanctions, and exclusions
  • Tax-Related Health Provisions
    • MSAs, long-term care insurance, taxation of
      insurance benefits
  • Administrative Simplification (AS)
    • Improve efficiency and effectiveness of the
      healthcare system
    • Define standards for electronic transmission:
      standard identifiers, transaction and code sets
    • Protect the privacy and security of health
      information

5
Applicability
6
Penalties and Fines
  • Non-Compliance with Requirements
    • $100 per violation to a maximum of $25,000 per
      requirement per year
    • Since the proposed security rules contain more
      than 25 specific requirements, the maximum
      penalty can exceed $625,000 per year
  • Wrongful Disclosure of Health Information
    • Simple disclosure: fines up to $50,000 and/or
      one year in prison
    • Disclosure under false pretenses: fines up to
      $100,000 and/or five years in prison
    • Disclosure with intent to sell or use: fines up
      to $250,000 and/or 10 years in prison

7
Technology Requirements
8
Transactions, Code Sets and Identifiers
  • Transaction Standards: HIPAA transactions are
    the exchange of information between two parties
    carrying out financial and administrative
    activities, with data elements in a single format.
  • Three Categories of Technology Requirements
    • a) Transaction Sets
    • b) Code Sets
    • c) Identifiers

9
Transactions, Code Sets and Identifiers
  • Unique Identifiers
    • Intelligence-free (will not contain any encoded
      information)
    • Single unique identification of providers
    • Apply to all persons furnishing healthcare
      services and supplies
    • Reduce potential for fraud and abuse
    • Create considerable privacy/confidentiality
      concerns
  • Highlights
    • Standardized transaction formats and data
      elements for information that is transmitted and
      received electronically
    • Code set standards built on current coding
      systems
    • Major code sets characterize medical data (e.g.
      CPT, ICD-9)
    • Code sets included in standard transaction sets
    • Current national coding standards to be updated
      in 2002

10
Transactions, Code Sets and Identifiers
  • Standard transaction sets are defined for the
    following:
    • Health claims or equivalent encounter (X12N 837)
    • Enrollment and disenrollment in a health plan
      (X12 834)
    • Eligibility for health plan - inquiry/response
      (X12N 270-271)
    • Healthcare payment and remittance advice (X12N
      835)
    • Health plan premium payments (X12 820)
    • Health claim status - inquiry/response (X12N
      276-277)
    • Coordination of benefits (X12N 837)
    • Referral certification (X12N 278)
    • Referral authorization (X12N 278)
    • First report of injury (open)
    • Health claims attachments (open)

Standard Transaction Record
  • Identifiers: Providers; Employers; Health plans
    (open); Individuals (open)
  • Code Sets: ICD-9-CM (diagnosis and procedures);
    CPT-4 (physician procedures); HCPCS (ancillary
    services/procedures); CDT-2 (dental terminology);
    NDC (national drug codes)
11
Key Business Considerations
  • Integration of new transactions into legacy
    systems
  • Investment in new systems/channels
  • Revision of Q/A testing and user acceptance
    processes
  • Integration of technology requirements in
    contracts, accreditation
  • Budget impact
  • Return on investment
  • Leverage investment in Y2K

12
Privacy Requirements
13
Privacy Standards
14
Protected Health Information
Permitted Uses and Disclosures
  • Authorization not required for:
    • Uses or disclosures relating to treatment,
      payment or health care operations
    • Public health agency activities
    • Health oversight and regulatory agencies
    • Judicial proceedings and law enforcement
      investigations
    • Health care fraud
    • Research purposes (under rigorous criteria)
    • Disclosure of de-identified health information
  • Authorization required for:
    • Disclosures on request of individual, entity or
      third party
    • Marketing, fund-raising purposes
    • Disclosure to non-health related affiliates
      (e.g., life insurance)
    • Underwriting or risk rating
    • Employment determinations
    • Sale, rental or barter
    • Disclosure of psychotherapy notes or research
      information

15
Minimum Necessary Disclosure
  • Reasonable efforts not to use or disclose more
    than the minimum amount of information needed to
    accomplish an intended purpose
  • Entity designates staff to determine minimum
    necessary information
  • Determination made on individual basis within
    limits of technology
  • Pervasive throughout organization
  • Applies to both internal and external uses
  • Minimum necessary varies by function and
    department
  • Implications for information systems

16
Administrative Requirements
  • Designate privacy official
  • Conduct privacy training program
  • Verification procedures
  • Maintain policies and procedures for PHI
  • Notice of privacy practices

17
Business Partners
  • Contractors providing services to covered
    entities - that utilize or share IIHI
  • Business partner contracts must contain specific
    privacy provisions
  • Appropriate safeguards of records
  • Report any unauthorized disclosures to entity
  • Books and records available for inspection
  • Material breach by partner grounds for
    termination, constitutes violation by entity
  • Member/patient is third party beneficiary
  • Extension of liability

18
Rights of Individuals
  • With the exception of treatment, payment or
    health care operations, most uses and disclosures
    are permitted only with authorization
  • Individuals may revoke their authorization(s)
  • May request restriction of uses and disclosures
    by providers
  • Access to health information
  • Amendment and correction of health information
  • Accounting for disclosures of health information

19
The Intersection of Privacy and Security Standards
(Slide diagram, layout lost in extraction. It relates Protected Health Information to the security standard areas (Administrative Procedures, Physical Safeguards, Technical Security Services, Technical Security Mechanisms), to the privacy controls (Authentication, Minimum Necessary, Patient Authorization, Business Partner Agreement, IRB, Encryption, Anonymization), and to the use scenarios: Research and Clinical Trials; Research and Marketing; Marketing and Other Uses of Data Across Open Network; Patient Access, Correction, Accounting of Use; Treatment, Payment and Operations Over Open Network; Treatment, Payment and Operations Over Secure Network.)
20
Security Requirements
21
Security Standards
22
Security Challenges
  • Authentication of users/partners
  • User privacy
  • Web security
  • Confidentiality, Integrity, Availability
  • No Internet reliability guarantees
  • Failure to plan for growth
  • System vulnerabilities
  • Evolving technologies
(The diagram's central label: RISK)
23
Administrative Procedures
  • Certification
  • Chain of Trust Partner Agreement
  • Contingency Plan
  • Formal Mechanism for Processing Records
  • Information Access Control
  • Internal Audit
  • Personnel Security
  • Security Configuration Management
  • Security Incident Procedures
  • Security Management Process
  • Termination Procedures
  • Training

24
Physical Safeguards
  • Assigned Security Responsibility
  • Media Controls
  • Physical Access Controls
  • Policy/Guideline on Workstation Use
  • Secure Work Station Use
  • Security Awareness Training

25
Technical Security Services
  • Access Control
  • Audit Controls
  • Authorization Control
  • Data Authentication
  • Entity Authentication

26
Technical Security Mechanisms
  • Required If Using Open Networks:
    • Alarm
    • Audit trail
    • Entity authentication
    • Event reporting
    • Integrity controls
    • Message authentication
  • Plus, At Least One of the Following:
    • Access controls
    • Encryption

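The following is an added example, not part of the presentation, showing how three of the requirements above fit together in code: the minimum-necessary rule of slide 15 (each requester role receives only the fields its function needs), the accounting-for-disclosures right of slide 18 (every release is written to an audit trail), and the audit trail, integrity control and message authentication mechanisms of slide 26 (the released record carries an HMAC-SHA256 tag the recipient can verify). The patient record, the role-to-field policy, the role names and the key are all constructed for the illustration; they are not from the presentation or any HIPAA implementation specification.

```python
"""Minimum-necessary disclosure with an audit trail and message authentication.

Added example for slides 15, 18 and 26 of the presentation. The record,
role policy and key below are constructed for illustration.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample record; no real PHI.
PATIENT_RECORD = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "dob": "1970-01-01",
    "diagnosis_codes": ["250.00"],        # ICD-9-CM style value, constructed
    "procedure_codes": ["99213"],         # CPT-4 style value, constructed
    "psychotherapy_notes": "constructed note text",
    "billing_amount": 125.0,
    "insurance_member_id": "M-12345",
}

# Assumed role-to-field policy: each function gets only the fields it needs.
# Psychotherapy notes are deliberately in no role's set, since slide 14 lists
# them among disclosures that always require a separate authorization.
MINIMUM_NECESSARY = {
    "billing": {"patient_id", "procedure_codes", "billing_amount",
                "insurance_member_id"},
    "treatment": {"patient_id", "name", "dob", "diagnosis_codes",
                  "procedure_codes"},
    # Research receives a de-identified subset: no identifiers at all.
    "research": {"diagnosis_codes", "procedure_codes"},
}

# In-memory audit trail; a real system would use append-only storage.
AUDIT_LOG = []


class DisclosureError(Exception):
    """Raised when a requester role has no minimum-necessary policy."""


def disclose(record, role, purpose, key):
    """Release the minimum-necessary view of `record` for `role`.

    Returns the JSON body plus an HMAC-SHA256 tag over it, and appends an
    accounting entry to AUDIT_LOG so the disclosure can be reported later.
    """
    if role not in MINIMUM_NECESSARY:
        raise DisclosureError(f"no disclosure policy for role {role!r}")
    allowed = MINIMUM_NECESSARY[role]
    released = {k: v for k, v in record.items() if k in allowed}
    body = json.dumps(released, sort_keys=True)
    tag = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    AUDIT_LOG.append({
        "timestamp": datetime.now(timezone.utc).isoformat(),
        # Taken from the source record, because a de-identified release
        # (e.g. research) carries no patient identifier of its own.
        "patient_id": record["patient_id"],
        "role": role,
        "purpose": purpose,
        "fields": sorted(released),
    })
    return {"body": body, "mac": tag}


def verify(message, key):
    """Recipient-side check: True only if the body is unmodified."""
    expected = hmac.new(key, message["body"].encode("utf-8"),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, message["mac"])


def released_fields(message):
    """Field names present in a disclosed message body."""
    return sorted(json.loads(message["body"]))


def accounting_of_disclosures(patient_id):
    """Entries a patient is entitled to see under the accounting right."""
    return [e for e in AUDIT_LOG if e["patient_id"] == patient_id]


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    msg = disclose(PATIENT_RECORD, "billing", "claims payment", key)
    print("billing sees:", released_fields(msg))
    print("tag verifies:", verify(msg, key))
    msg["body"] = msg["body"].replace("125.0", "999.0")
    print("after tampering:", verify(msg, key))
    print("accounting:", accounting_of_disclosures("P-0001"))
```

Two design points the slides only name: the audit entry records who received which fields for what purpose, which is exactly what an accounting of disclosures has to report, and the HMAC gives integrity and origin checking but not confidentiality, so over an open network it would sit alongside the encryption or access controls that slide 26 requires in addition.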
27
HIPAA Compliance Framework
28
HIPAA Lifecycle
  • EVALUATE Critical business and system functions
  • FORMULATE Plans and solutions
  • APPLY Solutions to process, data, and systems
  • SUSTAIN Compliance through time

29
Pro forma HIPAA Project Structure
(Organization chart, layout lost in extraction. Boxes: Health Care Organization; HIPAA Steering Committee; Project Office; General Counsel; Privacy Work Group; Security Work Group; Technology Work Group; Departmental HIPAA Liaisons; Department 1, repeated six times as placeholder department boxes.)
30
Phase 1 Assessment and Analysis
  • Tasks
    • Understand the existing environment
      • Mission/vision
      • Organization
      • Strategic, Organizational and IT plans
    • Inventory existing systems and operations
    • Evaluate existing policies and procedures
    • Perform operational and technical reviews and
      assessments
    • Align HIPAA requirements against existing systems
    • Identify potential compliance gaps

(Lifecycle diagram, layout lost in extraction: Assessment and Analysis; Solution Design and Development; Solution Implementation; Operation and Maintenance.)
EVALUATE critical business and system functions
across the enterprise to determine the actions
required to achieve HIPAA compliance
31
Phase 2 Solution Design and Development
  • Tasks
    • Identify both technical and non-technical
      solutions
    • Evaluate effect on business partners
    • Assess alternative approaches
    • Integration with Compliance Program
    • Consider outsourcing
    • Identify risks and mitigation strategies
    • Create prioritized project plans
    • Identify resources required to complete plans

(Lifecycle diagram, layout lost in extraction: Assessment and Analysis; Solution Design and Development; Solution Implementation; Operation and Maintenance.)
FORMULATE plans and solutions to respond to
HIPAA and business requirements identified in the
Assessment and Analysis phase
32
Phase 3 Solution Implementation
  • Tasks
    • Implement communication strategy
    • Execute project plans
    • Perform testing and quality assurance
    • Provide end user training

33
Phase 4 Operation and Maintenance
  • Tasks
    • Keep documentation current as changes occur
      • New systems and technology
      • Organizational (i.e., mergers and acquisitions)
    • Periodically test system vulnerabilities
    • Institutionalize ongoing HIPAA compliance

34
Critical Success Factors
  • Enterprise-wide planning
  • Align HIPAA initiatives with corporate
    strategy(s) and integrate into operations
  • Secure management support and awareness
  • Leverage historic and on-going initiatives and
    accumulated knowledge (Y2K, E-Business, Business
    Transformation, etc.)
  • Build HIPAA into existing change initiatives (do
    it once)
  • Integrate with current Compliance Program
    activities
  • Establish clear governance structure to manage
    complexities and interdependencies among business
    units and the technology, security and privacy
    requirements of HIPAA
  • Ensure on-going communication channels for HIPAA
    specific initiatives
  • Raise corporate awareness of HIPAA and its
    potential impacts on the organization and its
    stakeholders
  • Incorporate HIPAA into existing compliance
    program