ADMINISTRATIVE SIMPLIFICATION

1
ADMINISTRATIVE SIMPLIFICATION

• Concept
• Covered Entities
• Transactions
• Privacy
• Security
• Implementation

2
Inevitable Transformation...

• Today health data is keyed into a computer,
  printed, mailed or transmitted, re-keyed into
  another computer
• The constant demand for more information in less
  time is pushing health care systems toward
  electronic data interchange, the
  computer-to-computer exchange of information in a
  standard format
• Institutions pursue electronic data interchange
  internally, but encounter barriers to sharing
  data externally, among institutions

3
Barriers to Transformation

• Lack of data standardsno single entity has the
  market power to move the health care industry
  toward a common electronic standard
• Legal ambiguityantiquated state licensing laws
  make computerized medical records technically
  illegal in 12 states and legally ambiguous in 16
  others
• Privacy concernshealth information is private
  today not because it is secure but because it is
  difficult to accessand making it more accessible
  makes it less secure

4
Standards Leverage Transformation

• Money as a standard replaced barter
• East and West coast railroads needed a standard
  gauge to meet at Promontory Point
• Appliances and motors were custom made before
  electrical current was standardized
• Electronic transaction standards have been the
  norm in banking for two decades
• Our centurys great innovationthe Internetis a
  web of connection standards

5
Congress Acts

• The Health Care Modernization and Security Act of
  1993 (or Data Bill)
• Sponsored by Sens. Kit Bond (R-MO) and Joseph
  Lieberman (D-CT) and Reps. Dave Hobson (R-OH) and
  Tom Sawyer (D-OH)
• Congress established a process to adopt standards
  for health information and required health plans
  to use the standards and transmit data
  electronically

6
Guiding Themes

• National Policy Frameworkthe barriers to
  modernizing health information systems are
  national in scope, and require national solutions
• Technology Neutralencourage continued innovation
  and intentionally avoid locking in a technology
  today that could be useless tomorrow
• Private/public partnershipbuild on the extensive
  use of electronic data interchange in the private
  sector by adopting standards already in use and
  generally accepted

7
Broad Support

• The Working Group for Healthcare Administrative
  Simplification
• American Association of Retired People,
  American College of Physicians, American Hospital
  Association, American Association of Medical
  Colleges, American Health Information Management
  Association, American National Standards
  Institute, American Academy of Pediatrics,
  Ameritech, Association for Electronic Healthcare
  Transactions, Bellcore, Blue Cross/Blue Shield
  Association, CCH Inc, Center for Health Care
  Information Management, CIS Technologies, COB
  Clearinghouse, Digital Equipment, Dun
  Bradstreet, Electronic Data Systems, ERIC,
  Federation of American Health Systems, First
  Health, Fleishman-Hillard Inc, Health Industry
  Manufacturers Association, Health Care Financial
  Management Association, Hewlett-Packard, Health
  Insurance Association of America, IBM,
  Information Industry Association, ITAA, JCAHO,
  MetPath, Mutual of Omaha, National Association of
  Medical Equipment Suppliers, National Association
  of Chain Drug Stores, National Electronic
  Information Corporation, Orkand Corporation, PCS
  Health Systems, Podesta Associates, Prudential,
  Public Health Foundation, Rossman Health Industry
  Consulting, SAIC, SmithKline Beecham, Society of
  Professional Benefits Administrators, Travelers,
  Davidson Colling Group, UNISYS

8
President Clintons Health Security Act

• Comprehensive health care reform dominated the
  national political agenda in 1992
• Increasing access vs. decreasing costs
• Administrative simplification contributes to both
• Local storage vs. central storage
• The Clinton Administrations emphasis on research
  triggered a debate about how and who could use
  sensitive patient data and overwhelmed the effort
  to harmonize data standards

9
Medicare Reform

• Balancing the federal budget dominated the
  national political agenda in 1994
• Medicare was estimated to be bankrupt in four
  years
• Administrative simplification was refocused on
  eliminating Medicare fraud and catching the
  Medicare secondary payer problem up front,
  rather than recovering dollars after-the-fact
• Rolled back the scope to financial (not clinical)
  data

10
Health Insurance Portability and Accountability
Act of 1996 (HIPAA)

• Administrative simplification reached its
  maturity along with incremental health insurance
  reform
• Bipartisan throughout two bitterly partisan
  debates
• Broad-based, private-sector support
• Enacted 421 to 2 in the House, 98 to 2 in the
  Senate, and signed by President Clinton on August
  21, 1996
• The basic framework enacted by Congress passed to
  the U.S. Department of Health and Human Services
  for rulemaking and implementation

11
HIPAAs Three Purposes

• Health Insurance Portabilityimprove the
  portability and continuity of health insurance
  coverage for groups and individuals
• Accountabilitycombat waste, fraud, and abuse in
  health insurance and health care delivery
• Administrative Simplificationsimplify health
  care billing by adopting standards that allow
  health plans to transmit data electronically

12
HIPAA Administrative Simplification

• Transactionsadopt financial and administrative
  data standards and require health plans to use
  those standards to exchange information
  electronically
• Privacyadopt standards for individually-identifia
  ble health information that address the rights of
  individuals, procedures to exercise those rights,
  and uses and disclosures of information that are
  authorized or required
• Securityadopt standards to protect the
  confidentiality of health information, prevent
  threats or hazards to the security or integrity
  of the information, and prevent unauthorized uses
  or disclosures

13
Opportunities to Decrease Costs

• Enable the use of the Internet instead of
  expensive, private networks
• Develop less costly off-the-shelf management
  information systems solutions
• Reduce unnecessary paperworkestimated to add at
  least ten cents on every health care dollar
• Increase the speed and accuracy of transactions
  with other entities (faster third party
  collections, etc)
• Expose fraud in ways that are impossible under
  the current, confusing, disjointed paperwork
  system

14
Opportunities to Increase Quality

• Strengthen privacy and confidentiality associated
  with personal health information
• Aggregate and compare data (non-standard code
  sets make this difficult to do today)
• Provide the data consumers need to compare the
  value of insurance plans and health services
• Forge stronger cooperative relationships with
  providers (Were all in this together)
• Upgrade existing but outdated technology

15
Business Transformation

• Administrative Simplification is a business
  challengenot just a technical problem, like Y2K
• Existing technology is applied to improve
  business practicessomething most industries do
  already
• People, paper, and postage are replaced with
  electronic communications to reduce costs and
  improve services
• Health care organizations will either choose to
  treat administrative simplification as a
  conformance nuisance or use it as their catalyst
  to e-business

16
Business Transformation
Functional Area Impacted EDI Identifiers Code Sets Privacy Security
Billing and Patient Accounting X X X X X
Medical Records X X X X
Claims and Encounters X X X X X
Enrollment X X X X
Eligibility X X X X X
Medical Management X X X X X
Case Management X X X X X
Customer Service X X X X
Marketing X X X
Sales and Underwriting X X X X X
Benefit Design X X X X X
Reporting and Analytics X X X X
Physician Contracting X X X X X
Nursing X X X
Physicians and Clinicians x X X X
Source GartnerGroup December 2000 Source GartnerGroup December 2000 Source GartnerGroup December 2000 Source GartnerGroup December 2000 Source GartnerGroup December 2000 Source GartnerGroup December 2000
17
ADMINISTRATIVE SIMPLIFICATION

• Concept
• Covered Entities
• Transactions
• Privacy
• Security
• Implementation

18
Covered Entities

• Health Plansan individual or group plan that
  provides or pays the cost of medical care
• Health Care Clearinghousesan entity that
  processes or facilitates processing of
  information received from another entity
• Health Care Providersany provider of medical or
  other health services, and any other person
  furnishing health care services or supplies

19
Examples of Health Plans

• ERISA defined group health plan
• Health insurance issuer
• HMO
• Medicare
• Medicaid
• Medicare supplement
• Long-term care policy
• VA health care system

• Employee welfare benefit plan
• Health plan for active military
• CHAMPUS
• Indian Health Services
• Federal Employees Health Benefit Plan
• Or any combination

20
Health Plan Exclusions

• Workers Compensation programs
• Correctional Institutions
• Disability insurance programs
• Automobile insurance carriers
• Property and casualty insurers
• Nursing home fixed-indemnity policies

21
Health Care Clearinghouse

• A Public or private entity that
• Receives a non-standard transaction from another
  entity and processes or facilitates the
  processing of health information into a standard
  format or standard data content or
• Receives a standard transaction from another
  entity and processes or facilities the processing
  of health information into a non-standard format
  or non-standard data content

22
Health Care Provider

• Any person or organization who furnishes, bills,
  or is paid for health care in the normal course
  of business
• Health care is defined as care, services or
  supplies related to the health of an individual,
  including
• Preventive, diagnostic, therapeutic,
  rehabilitative, maintenance, or palliative care
• Counseling, service, assessment, or procedure
  with respect to physical or mental condition or
  functional status
• Sale or dispensing of a drug, device, equipment
  or other item in accordance with a prescription

23
Hybrid Covered Entities

• Determine if covered entity functions are
  performed within a department or program
  (evaluate each area separately according to their
  respective functions)
• If the component that provides the services is
  itself not a separate entity, then the entity to
  which it belongs is a hybrid entity
• HIPAA rules apply to the component that performs
  the covered function and requires a wall
  between the covered functions and the rest of the
  entity
• For example, the Ohio Department of Health runs a
  hemophilia program as a provider and a Black Lung
  clinic program as a health plan

24
Business Associates

• A person or entity to whom a covered entity
  discloses protected health information to perform
  a function on behalf of or to provide services to
  a covered entity
• Includes lawyers, accountants, consultants, and
  accrediting agencies
• Must have a contract obligating them to safeguard
  protected health information

25
Business Associate Contracts

• Must establish the permitted and required uses
  and disclosures of protected health information
  by the business associate and may not authorize
  further disclosure in violation of the
  regulations
• If the covered entity knows of a practice or
  pattern of activity that constitutes a material
  breach of the business associates obligations
  under the contract, the covered entity must take
  reasonable steps to ensure cure of the breach or
  terminate the contract or report the problem to
  the Secretary

26
Business Associate Obligations

• Must not use or disclose protected health
  information in violation of the law or contract
• Implement safeguards against improper use or
  disclosure
• Ensure that any agents or subcontractors agree to
  fulfill contractual and legal obligations
• Afford individual access to records make
  available records for amendment by the
  individual account to the individual for use or
  disclosure other than for payment, treatment, or
  operations
• At termination of the contract, return or destroy
  protected health information

27
ADMINISTRATIVE SIMPLIFICATION

• Concept
• Covered Entities
• Transactions
• Privacy
• Security
• Implementation

28
Transaction Standards Enable
Electronic Data Interchange

• Health care electronic data interchange is
  commonly used and generally acceptedHHS
  estimates that at least 400 formats are used in
  the United States for health care claims
  processing
• However, the lack of a standard format makes it
  difficult for vendors to develop software,
  inhibits potential efficiencies, and increases
  costs for health care providers and health plans
• In order to perform electronic data interchange
  using a common interchange and data structure a
  widely adopted use of standards is required.

29
Adopting Transaction Standards

• HIPAA requires HHS to adopt standards for health
  care transactions that are
• Consistent with reducing the administrative costs
  of providing and paying for health care
• Already in use and generally accepted
• Developed or modified by a private sector
  standard development organization like the
  American National Standards Setting Institute
• All of the current code sets have been developed
  by a private sector standard development
  organization

30
Required Transaction Standards

• American National Standards Institute (ANSI)
• Accredited Standards Committee (ASC)
• Insurance Subcommittee (X12N)
• Health care claim or encounter (837)
• Health care claim payment and remittance (835)
• Health care claim status inquiry/response (276,
  277)
• Health care eligibility inquiry/response
  (270/271)
• Benefit enrollment and maintenance (834)
• Referral certification and authorization (278)
• Payment order and remittance (820)

31
Required Code Sets

• Diseases, injuries, impairments, and other health
  related problems
• Prevention, diagnosis, treatment, management
• Drugs and biologicals
• Dental Services
• Physician services, physical and occupational
  therapy services, radiological procedures,
  clinical laboratory tests, other medical
  diagnostic procedures, hearing and vision
  services, transportation services including
  ambulance

32
Local Codes

• HCFA Common Procedural Coding System (HCPCS)
  identifies health care procedures, equipment and
  supplies for billing purposes
• Level I AMA-owned physician CPT codes
• Level II CMS-maintained other
• Level III State Medicaid program local codes
• Today states rely heavily on local codes
• Local codes are scheduled to be eliminated (or
  rolled into level II) effective October 2002

33
Migrating Local Codes

• State programs forced to crosswalk local codes
  into a limited number of level II codes
• Particularly challenging for waiver programs
• National work underway to identify current or
  modified level III codes for addition to the
  level II code set
• From over 30,000 to approximately 2000 of which
  about 100-200 are waiver codes

34
Local Code Policy

• Standardization of local codes may impair the
  payers ability to customize policies
• Coding decisions shape coverage and reimbursement
  policies
• A payer cannot cover a service for which a code
  does not exist
• Congress did not intend to dictate health care
  policy or limit state policy discretion

35
Implementation Strategies

1. Organization-wide general education and awareness
2. Risk assessment and gap analysis
3. Complete a cost/benefit analysis, strategic plan,
   and select tools
4. Update policies and procedures, and install tools
   and applications
5. Complete testing and audits and verify
   third-party compliance

36
Transaction Compliance

• Final transaction rule in effect August 2000 (HHS
  guidance published May 2001)
• Most covered entities are required to comply by
  October 2002 (October 2003 for small health
  plans)
• Covered entities may comply directly or use a
  health care clearinghouse
• Penalties for non-compliance are 100 per
  incident up to 25,000 per standard per year

37
System Readiness

• Current timeframe to comply with transaction
  standards is unrealistic
• Great confusion among providers
• Could lead to the election of paper claims and
  overwhelm state payment systemswhich today are
  85 percent electronic
• Paper claims cost more, take longer, and
  intensify provider frustration

38
Staggered Release of Final Rules

• Staggered effective dates make it difficult to
  plan
• The transaction and code set rule is final but
  most individual code sets have not been
  determined
• The compliance clock is tickingbut covered
  entities dont have the information they need to
  implement
• Covered entities will be required to move
  protected health information electronically
  beginning October 2002six months ahead of new
  privacy standards and at least one year ahead of
  security standards

39
ADMINISTRATIVE SIMPLIFICATION

• Concept
• Covered Entities
• Transactions
• Privacy
• Security
• Implementation

40
Electronic Transactions Require Additional
Privacy Protection

• Privacy defines what information to protect
• As the ease of exchanging individually-identifiabl
  e health information increases, there is a
  corresponding need to increase privacy protection
• The new federal privacy rule provides a national
  standard floor to address the fundamental
  privacy rights of individuals

41
No Change in Existing Federal Law

• Privacy Act
• Substance Abuse laws and regulations
• Fraud and abuse prevention requirements
• Medicare Act for dual eligibles
• Medicaid beneficiary privacy protections
• Section 1902(a)(7) of the Social Security Act
• Regulations at 42 CFR 431.300
• 35 years of guidance and practice

42
State Privacy Law Preempted

• In general contrary State privacy laws are
  preempted by the new federal privacy rules
• State law prevails if the HHS Secretary
  determines it is necessary for public health or
  State regulatory reporting
• State law prevails if it is contrary to and more
  stringent than the HIPAA privacy rule

43
Examples of More Stringent State Laws

• Further limit the use or disclosure of protected
  health information
• Provide individuals with greater rights of access
  or more information about their rights
• Enhance protections afforded by an authorization
• Impose greater record keeping requirements
• Otherwise enhance privacy protection

44
Protected Health Information

• Individually Identifiable Health Information that
• Relates to the past, present, or future
• Physical or mental health or condition of an
  individual
• Provision of health care to the individual
• Payment for the provision of health care to an
  individual
• Regardless of form
• Excluding certain student records

45
Consent and Authorization

• In general a covered entity may use or disclose
  protected health information only
• With the consent of the individual for treatment,
  payment, or health care operations
• With the authorization of the individual for all
  other uses or disclosures
• As permitted under the rule for certain public
  policy purposes

46
No Consent or Authorization Required

• Public health disclosures
• FDA requirements
• Work related injuries
• Reports of abuse or neglect
• Upon reasonable inference by a health care
  provider that the individual would not object to
  the disclosure of protected health information to
  a relative or personal friend (may be preempted)

47
Privacy Rights of Individuals

• Receive notice of information practices
• See and copy own records
• Request corrections
• Obtain accounting of disclosures
• Request restrictions and confidential
  communications
• File complaints

48
Administrative Requirements

• Covered entities are required to have
• A designated privacy official and a privacy
  contact person
• A defined complaint process
• A process for responding to individuals request
  for additional restrictions (not required to
  agree to the request)
• A process for verifying the identity and legal
  authority of any person requesting personal
  health information
• Training on privacy policies and procedures for
  each person who has contact with personal health
  information
• Documentation that training requirements are
  satisfied
• A process to sanction employees and business
  associates who violate protected health
  information

49
Record Requirements

• Covered entities are required to have
• Copies of signed authorizations
• Log of non-routine disclosures
• Written statements of denial of requests for
  information
• Responses to requests for corrections
• Notices of disagreement from individuals
• Contracts with business associates
• Signed employee compliance statements

50
Restrictions on Marketing

• Covered entities must obtain authorization before
  using or disclosing protected health information
  for marketing
• Health care providers must secure consent for use
  of disclosure of protected health information for
  operations (including marketing)
• There are specific limits on the use of protected
  health information for fundraising

51
Implementation Strategies

1. Assess the application of the new privacy rule to
   your organization
2. Assess the application of more stringent State
   privacy requirements
3. Assess your current privacy policies and
   practices to identify gaps
4. Seek legal assistance to resolve ambiguity
5. Apply the new federal or more stringent State
   privacy standards to your organization

52
Privacy Compliance

• Final privacy rule in effect April 2001 (HHS
  guidance published July 2001)
• Most covered entities are required to comply by
  April 2003 (February 2004 for small health
  plans)
• Criminal penalties of up to 250,000 and 10 years
  imprisonment for use of protected health
  information for commercial gain

53
ADMINISTRATIVE SIMPLIFICATION

• Concept
• Covered Entities
• Electronic Transactions
• Privacy
• Security
• Implementation

54
Additional Privacy Requires
More Secure Systems

• Security defines how to protect information
• Security is an outcome, not a technology
• Covered entities must be able to
• Control access to data
• Protect data from accidental or intentional
  disclosure to unauthorized persons
• Protect information from alteration, destruction,
  or loss

55
Administrative Requirements

• Covered entities are required to have
• Documented security management process
• Computer system/network accreditation
• Contingency and disaster recover plans
• Data processing policies and information access
  controls
• Internal audit function
• Security incident reporting procedures
• Adequate supervision and training for staff

56
National Identifiers

• Unique national identifiers will be required for
  providers, employers, and health plans
• National identifiers will not include embedded
  information
• Delayed adoption of national identifiers is
  making it difficult for covered entities to plan
  system requirements

57
Implementation Strategies

1. Assign security responsibility to a specific
   individual or group
2. Develop and maintain physical access controls
3. Develop and maintain policies for workstation use
   and control
4. Develop policies for personnel authorization
   control, data authentication, and entity
   authentication

58
Security Compliance

• Final security rule is expected early in 2002 (it
  is expected to be similar to the proposed rule
  published in August 1998)
• Covered entities will be required to comply two
  years after the rule becomes final
• Penalties capped at 25,000 in a calendar year
  for each standard violated, unless patient data
  is disclosed, then penalties for privacy
  violations apply

59
ADMINISTRATIVE SIMPLIFICATION

• Concept
• Covered Entities
• Transactions
• Privacy
• Security
• Implementation

60
Organizational Objectives

• Assure compliance with HIPAA administrative
  simplification requirements
• Assure that technical systems and business
  processes are integrated across agencies
• Develop work products and tools to promote cost
  effective implementation
• Develop effective education and outreach programs
• Promote a consistent national legislative and
  policy agenda

61
Ohios Participating Agencies

• Governors Office
• Auditor of State
• Attorney General
• Administrative Services
• Aging
• Alcohol and Drug Addiction Services
• Budget and Management
• Health

• Mental Health
• Job and Family Services
• Mental Retardation and Developmental Disabilities
• Rehabilitation and Corrections
• Workers Compensation
• Veterans Services

62
Ohios Organizational Model (similar
approaches in CA, MN, NC, WA)
                                 
 
 
Governors Office Sponsor
Cabinet Director Executive Leadership Committee
Deputy Director Project Management Team
Technical Partners Committee
Business Partners Committee
Privacy Workgroup
Security Workgroup
Contracts Workgroup
Education Workgroup
Code Set Workgroup
63
Organizational Leadership

• Governors Officeproject sponsor and primary
  coordination among agencies
• Cabinet-Level Executive Leadership
  Committeeproject champions and oversight make
  final business decisions coordinate national
  issues
• Deputy-Level Project Management Teamdevelop and
  maintain strategic plan receive and review
  recommendations assess resources for budget
  requirements

64
Organizational Assignments

• Business Partners Committee (policy and program
  experts)define and validate functional
  requirements formulate workgroups resolve
  policy issues formulate recommendations for the
  Executive Leadership Committee (ELC)
• Technology Partners Committee (information
  technology experts)determine optimal technical
  platform determine tool development, testing,
  and production formulate workgroups resolve
  information technology issues formulate
  recommendations for the ELC

65
Organizational Workgroups

• Privacydevelop statewide, HIPAA-compliant,
  baseline privacy standards
• Securitydevelop statewide, HIPAA-compliant,
  baseline security standards, both technical and
  related to personnel
• Code Setsprovide a forum for agencies to
  identify and resolve interagency code issues and
  work arounds
• Educationidentify stakeholders and their
  educational needs and develop training materials
• Contractsidentify and analyze existing contracts
  in light of HIPAA regulations and develop
  template agreements

66
Implementation Challenges

• Enterprise-wide Transformation
• Engaging Business Associates
• Converting Local Codes
• System Readiness
• Staggered Release of Rules
• Funding

67
Funding

• Enhanced federal financial participation is
  available for systems remediation (90/10)
• Systems remediation sends a signal that
  administrative simplification is like Y2Kjust
  another technical problem
• A greater commitment of resources is needed for
  business transformation
• Difficult to estimate implementation costs
• Initially, costs will far exceed savings

68
Congressional Update

• H.R. 3323
• Allow covered entities to delay compliance for
  transactions and code sets until October 2003
• But only if the entity submits a plan to HHS that
  certifies progress toward compliance
• Any entity that does not meet original deadlines
  or submit a plan cannot participate in Medicare
• Privacy takes effect April 2003 as planned
• After October 2003 Medicare will charge certain
  providers a 1 fee for every paper claim

69
Implementation Resources

• U.S. Department of Health and Human Services
  HIPAA Home Page
• http//aspe.os.dhhs.gov/admnsimp/
• HHS Office of Civil Rights
• http//www.os.dhhs.gov/ocr/hipaa/
• HHS Center for Medicare and Medicaid Services
• http//www.hcfa.gov/hipaa/hipaahm.htm
• HHS links to other resources
• http//aspe.hhs.gov/admnsimp/aslinks.htm
• HIPAA Ohio
• http//www.state.oh.us/hipaa/index.htm