HIPAA
The What, When, Where, How, and Why of HIPAA for Agencies in the
NC DHHS Family
Presented By NCDHHS: Sarah Brooks
HIPAA PMO Staff: Julie Burton, Susan Mitchell
NCDHHS - HIPAA PMO 2
TRAINING OBJECTIVES
• Provide High Level Overview of HIPAA Regulations
• Clarify Agencies Covered Under HIPAA
• Explain Approach Adopted by NC DHHS to Address HIPAA
• Identify Steps Agencies Can Begin Taking to Comply with HIPAA
• Identify HIPAA Resources
Addressing the Health Care Tower of Babel
The Health Insurance Portability and Accountability Act of 1996
(HIPAA)
Pieter Bruegel: Healthcare’s Tower of Babel
CURRENT INDUSTRY LIMITATIONS / CONCERNS
– Over 400 different proprietary claim forms and/or file formats dictated by payers
– Administrative overhead, including claims processing, accounts for > 20¢ of every health care dollar
– Average “Accounts Receivable” 60 days
– Increased computerization does not adequately address privacy and security concerns
FEDERAL RESPONSE
Healthcare Insurance Portability and Accountability Act (HIPAA)
– Public Law 104-191, August 21, 1996
– Amends Internal Revenue Service Code of 1986
WHAT DOES HIPAA ACCOMPLISH?
• Guarantees Health Coverage When Job Changes
• Reduces Fraud and Abuse (Medicare/Medicaid)
• Administrative Simplification
– Establishes national standards for:
• Electronic (EDI) transactions
• Security and privacy of health care information
• Identifiers such as provider, payer and employer
– Improved efficiency of processing health care information
– Ultimately should lower administrative overhead
• Currently estimated at $300 Billion per year nationwide
• Preempts State Laws Unless More Stringent
ADMINISTRATIVE SIMPLIFICATION REGULATIONS
• Title II, Subtitle F, Administrative Simplification (FINAL RULES PUBLISHED)
– Electronic Health Transactions Standards (45 CFR Parts 160 & 162)
• Federal Register, Vol. 65, p. 50312-50372 (published August 17, 2000)
– Privacy and Confidentiality Standards (45 CFR Parts 160 & 164)
• Federal Register, Vol. 65, p. 82462 - 82829 (published December 28, 2000)
ADMINISTRATIVE SIMPLIFICATION REGULATIONS
(continued)
(PROPOSED RULES - PUBLISHED)
– Security and Electronic Signature Standards (45 CFR Part 142)
• Federal Register, Vol. 63, p. 43242-43280 (published August 12, 1998)
– Health Insurance Reform: National Standard Employer Identifier (45 CFR Part 142)
• Federal Register, Vol. 63, p. 32784-32798 (published June 16, 1998)
– National Standard Health Care Provider Identifier (45 CFR Part 142)
• Federal Register, Vol. 63, p. 25320-25357 (published May 7, 1998)
ADMINISTRATIVE SIMPLIFICATION REGULATIONS
(continued)
(PROPOSED RULES - NOT PUBLISHED)
– National Health Plan Identifier (Payer ID): Scheduled draft publication Q2/2001
– Claims Attachments: Scheduled draft publication Q3/2001
– Enforcement: Scheduled draft publication Q4/2001
– First Report of Injury: Scheduled draft publication Q4/2001
– National Individual Identifier: Scheduled draft publication On Hold
REGULATION TIMEFRAMES
Final Standards:
– EDI Transaction and Code Sets: Published 8/17/2000; Final compliance 10/16/2002. Includes transaction sets: Claims and Remittance Advice; Enrollment; Eligibility, Inquiry and Response; Status Inquiry and Response; Request Review and Response; Payroll Deduction and Premium Payment
– Privacy: Published 12/28/2000; Final compliance 4/16/2003
Proposed Rules:
– National Provider Identifier: Draft published 5/07/1998; Scheduled final rule Q3/2001
– National Employer Identifier: Draft published 6/16/1998; Scheduled final rule Q3/2001
– Security: Draft published 8/12/1998; Scheduled final rule Q2/2001
Proposed Rules not yet published:
– National Health Plan Identifier: Scheduled draft publication Q2/2001
– Claims Attachments: Scheduled draft publication Q3/2001
– Enforcement: Scheduled draft publication Q4/2001
– First Report of Injury: Scheduled draft publication Q4/2001
– National Individual Identifier: Scheduled draft publication On Hold
WHO IS AFFECTED?
• Covered Entities
– Health Plan (provides or pays the cost of medical care - e.g., Medicaid, HMOs, BC/BS, Medicare, Champus)
– Health Care Clearinghouse (routes electronic data between payers & providers - e.g., billing services)
– Health Care Provider who transmits any health information in an electronic transaction (e.g., Hospitals, Physicians, Public Health Departments, Group Homes, Home Health)
WHO IS AFFECTED? (continued)
• Business Associates
– Definition: Person who performs a function or activity on behalf of a covered entity
– Excludes person who is part of the Covered Entity’s workforce (e.g., Employees, Physicians with Staff Privileges)
– Contractual Agreements with Covered Entity (e.g., Area MH/DD/SAS Contract Agencies, S/W Vendors)
– Complies with HIPAA
• Health Care Providers Who Transmit Paper Health Claims Must Use New Code Sets
WHY COMPLY WITH HIPAA?
• Avoid Denied and/or Delayed Reimbursements
– DHHS agencies process claims bringing in more than $550 million in receipts annually
– Annual Medicaid disbursements totaling more than $4.6 billion
• May Risk Accreditation (e.g., Joint Commission on Accreditation of Health Care Organizations)
• Public Relations and Business Risk Issues
• Benefit from Long Term Health Care Cost Reductions
• Imposes Severe Penalties for Non-compliance
IMPOSING COMPLIANCE
• General Civil Penalty for Failure to Comply
– $100/violation/person
– Not to exceed $25,000 in one calendar year
• Criminal Penalties (Privacy) - Person who knowingly and wrongfully discloses individually identifiable health information is subject to fines and imprisonment
– Simple Offense - Up to $50,000 &/or 1 year imprisonment
– If Committed under False Pretenses - Up to $100,000 &/or 5 years imprisonment
– If Committed with Intent to Sell, Transfer, or Use Individual Identifiable Health Information for Commercial Advantage, Personal Gain, or Malicious Harm - Up to $250,000 &/or 10 years imprisonment
QUESTIONS
REGULATIONS OVERVIEW
LEARNING THE ROPES: Healthcare eBusiness Standardization (EDI/TCI)
• Electronic Data Interchange Transaction Sets
• Standardized Code Sets
• Standardized Identifiers
EDI/TCI OBJECTIVES
• Definitions
– Trading Partner
– Transaction
– Standard Setting Organization (SSO)
• Transaction Sets
• Code Sets
• Unique Identifiers
TRADING PARTNER
In Electronic Data Interchange (EDI) this generally applies to two parties engaged in the exchange of business data through electronic means.
TRANSACTION
The exchange of data between two parties to carry out financial or administrative activities related to health care. It includes the following types of information exchanges:
(1) Health Care claims or equivalent encounter information.
(2) Health Care payment and remittance advice.
(3) Coordination of benefits.
(4) Health Care claim status.
(5) Enrollment and disenrollment in a health plan.
(6) Eligibility for a health plan.
(7) Health plan premium payments.
(8) Referral certification and authorization.
(9) First report of injury.
(10) Health claims attachments.
(11) Other transactions that the Secretary may prescribe by regulation.
STANDARD SETTING ORGANIZATION
An organization accredited by the American National Standards Institute (ANSI) that develops and maintains standards for information transactions or data elements, or any other standard that is necessary for, or will facilitate the implementation of HIPAA
• ASC X12
• NCPDP
• HL7
• UN/EDIFACT (Interactive Claim)
TRANSACTION SETS
HIPAA Mandated Transaction Sets
TRANSACTION SETS (ASC X12)
148 First Report of Injury
270/271 Health Care Eligibility Benefit Inquiry and Response
278 Health Care Services Review - Request for Review and Response
276/277 Health Care Claim Status Request and Response
820 Payroll Deducted and Other Group Premium Payment for Insurance Products
275 Additional Information to Support a Health Care Claim or Encounter
834 Benefit Enrollment and Maintenance
835 Health Care Claim Payment/Advice
837 Health Care Claim (Institutional, Professional, Dental)
National Council for Prescription Drug Programs (NCPDP V 5.1 & 1.0)
Healthcare Data Element Dictionary
X12 TRANSACTIONS FLOW
(Diagram: X12 transactions exchanged among Health Care Providers, Health Care Plans and Employers)
• Provider to Plan: 270 Eligibility Request, 278 Referral Request, 837 Claim, 275 Additional Information, 276 Claim Status Request
• Plan to Provider: 271 Eligibility Response, 278 Referral Response, 277 Claim Status Response, 835 Claim Payment Advice
• Employer to Plan: 834 Enrollment, 820 Premium Payment
• Business functions shown: Eligibility Verification, Precertification and Referrals, Service Billing / Claim Submission, Claim Reconciliation, Accounts Receivable, Claim Receipt and Routing, Adjudication, Claim Status, Member Services, Enrollment
HIPAA TRANSACTIONS BUSINESS PRACTICES EFFECTS
• Backend Reporting
• Coordination of Benefits
• Claim Status
• Electronic Remittance Advice
• Maximum Data Set
IMPLEMENTATION TIMELINE
The Compliance Date for the Transaction Sets and Code Sets is
October 16, 2002
PROPOSED IMPLEMENTATION TIMELINE - WEDI/SNIP
Transaction Groups:
– Groups 1 and 2: 837, 835, 270/271, 834
– Group 3: 276/277
– Group 4: 278
– Group 5: 820
Beta/Pilot Testing Period: Group 1 Jul 1, 2001; Group 2 Dec 1, 2001; Group 3 Feb 1, 2002; Group 4 Mar 1, 2002; Group 5 May 1, 2002
Payer Readiness Date: Group 1 Oct 1, 2001; Group 2 Mar 1, 2002; Group 3 May 1, 2002; Group 4 June 1, 2002; Group 5 Aug 1, 2002
Migration Completion: Oct 16, 2002 for all five groups
HIPAA IMPLEMENTATION GUIDES
X12 Transactions - Washington Publishing Inc.
www.wpc-edi.org
NCPDP Transactions – National Council of Prescription Drug Programs
www.ncpdp.org
HL7 Standards – Health Level 7
www.hl7.org
REQUESTING CHANGES TO TRANSACTION SET STANDARDS
Join the Appropriate Standards Development Organization
Contact an Industry Group with Representation on a Standards Development Group
Expect a 2 to 3 Year Lead Time for Request Implementation in HIPAA
BASIC HIPAA CODE SETS FUNCTIONS
• Diagnosis
• Medical Procedures
• Drugs
HIPAA MANDATED CODE SETS
• International Classification of Diseases, Ninth Edition, Clinical Modification (ICD-9-CM )
• Health Care Procedural Coding System (HCPCS)
• Current Procedural Terminology, Fourth Edition (CPT-4)
• Current Dental Terminology (CDT)
• National Drug Codes (NDC)
TWO TYPES OF HIPAA MANDATED CODE SETS
• Explicit Code Sets – Defined in the rules
– CDT, HCPCS, ICD-9-CM, NDC
• Implicit Code Sets – Referenced in the Transaction Implementation Guides, such as the codes that specify a patient’s relationship to an insured subscriber
ELIMINATION OF HOMEGROWN CODES
(NC Medicaid ‘Y’ Codes)
SAMPLE HEALTH CARE FUNCTIONS THAT USE CODE SETS
• Claim Processing
• Utilization Management
• Disease Management
• Enrollment
REQUESTING CHANGES TO CODE SET STANDARDS
• Join the Appropriate Standards Development Organization if Possible
• For HCPCS Contact HCFA
• Not Applicable for NDCs
• For CDT Codes Contact ADA
UNIQUE IDENTIFIERS
• National Identifier for Individuals
• National Health Care Identifier of Employers
• National Standard for Identifiers of Health Plans
• National Provider Identifier
NATIONAL INDIVIDUAL IDENTIFIER
• Currently on Hold
• Proposed Rule Is Not Expected to Be Published in the Near Future
• Pending Congressional Privacy Legislation
NATIONAL EMPLOYER IDENTIFIER
• Employer ID Will Be The Employer’s Tax ID
• The Internal Revenue Service (IRS) Will Maintain the Assignment and Reference Facilities
• Nine Digits
NATIONAL HEALTH PLAN IDENTIFIER
• Plan IDs Will Be Issued to Health Plans
• Plan ID Identifies Three Different Types of Entities: Payers, Group Health Plans, and Provider Networks
– Payers and Administrators
– ERISA Group Health Plan, Taft-Hartley Trust, METs, and Other Group Plans
– PPOs and Similar Organizations
• Proposed Rule Not Yet Published
NATIONAL PROVIDER IDENTIFIER
• Identifying An Individual
– An individual provider (such as a physician, dentist, nurse, or therapist) receives an NPI that never changes
– If the individual is a health care provider in two different capacities, it is expected that there will still be only a single NPI
NATIONAL PROVIDER IDENTIFIER (continued)
• Identifying An Organization
– Organizational health care providers, such as:
• Hospitals
• Clinics
• Laboratories
• Physician group practices
• Home health care agencies
• Pharmacies
• 10 Digits with Right Most Digit Being a Check Digit (Proposed)
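As an added example, not part of the presentation, the check-digit test a system can run on a 10-digit NPI before accepting it in a transaction. The slide states only that the rightmost digit is a check digit; the specific rule used here, the Luhn formula computed over the NPI with the constant prefix 80840, is the one CMS adopted in the final NPI rule and is stated here as a known fact rather than taken from the slide. The value 1234567893 is CMS's own illustration NPI; the other inputs are constructed.

```go
package main

import "fmt"

// luhnCheckDigit computes the check digit for a 9-digit NPI base. The final NPI
// rule applies the Luhn formula to the NPI as if it were prefixed with the
// constant card-issuer identifier "80840"; that prefix contributes a fixed 24 to
// the Luhn sum. ok is false unless base is exactly nine ASCII digits.
func luhnCheckDigit(base string) (digit int, ok bool) {
	if len(base) != 9 {
		return 0, false
	}
	sum := 24      // Luhn contribution of the constant prefix "80840"
	double := true // the rightmost base digit sits left of the check digit, so it is doubled
	for i := len(base) - 1; i >= 0; i-- {
		c := base[i]
		if c < '0' || c > '9' {
			return 0, false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9 // same as adding the two digits of the product
			}
		}
		sum += d
		double = !double
	}
	return (10 - sum%10) % 10, true
}

// ValidNPI reports whether npi is ten ASCII digits whose rightmost digit is the
// correct Luhn check digit for the first nine. Length and character checks come
// first so a malformed value is rejected rather than partially interpreted.
func ValidNPI(npi string) bool {
	if len(npi) != 10 || npi[9] < '0' || npi[9] > '9' {
		return false
	}
	want, ok := luhnCheckDigit(npi[:9])
	return ok && int(npi[9]-'0') == want
}

// AppendCheckDigit turns a 9-digit base into a full NPI, or returns "" and false
// if the base is malformed.
func AppendCheckDigit(base string) (string, bool) {
	d, ok := luhnCheckDigit(base)
	if !ok {
		return "", false
	}
	return base + string(rune('0'+d)), true
}

func main() {
	// 1234567893 is the worked example in CMS's NPI check-digit instructions;
	// the remaining values are constructed for this demonstration.
	for _, npi := range []string{"1234567893", "1234567890", "12345678A3", "123456789"} {
		fmt.Printf("%-11s valid=%v\n", npi, ValidNPI(npi))
	}
	if full, ok := AppendCheckDigit("999999999"); ok {
		fmt.Println("999999999 ->", full)
	}
}
```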
HIPAA TRANSACTIONS, CODE SETS AND UNIQUE IDS
• Code Sets are Used in the Transactions
• Unique IDs are Used in the Transactions with Proprietary Values until They are Defined
• Required Use of Standards
QUESTIONS
REGULATIONS OVERVIEW
PRIVACY
BASIC PRINCIPLES
• First Comprehensive Federal Law to Protect the Privacy of Individually Identifiable Health Information
– HIPAA Protections
• Importance
– To Patients
– To Healthcare Providers/Plans/Clearinghouses
• Protected Health Information (PHI)
– Past, Present, Future Health Information
– Electronic/Paper/Oral
– Best Practice
PROTECTED HEALTH INFORMATION (PHI)
• Individually Identifiable Information
– Name
– Address
– Social Security Number
– Names of Relatives
– Unique Identifiers
– Telephone/Fax/Other Numbers
– Geographic Designation Smaller than State
– Photograph
GENERAL PROVISIONS
• HIPAA Preempts State Laws
– Provides uniform “floor” for protection
– More stringent current state laws will stand
– More stringent future state laws allowed
• Allows Consumer Control
– Establish rights of patients regarding their confidential health information
• Recognizes Public Responsibility
– Balance of individual privacy and the public need to know
GENERAL PROVISIONS
• Healthcare Provider Responsibilities
– Protect health information
– Secure health information
– Provide complete information to other Healthcare Providers
– Provide “minimum necessary” information to other requesters
– Create De-identified information when feasible
• Remove
• Code
• Encrypt
• Eliminate/conceal
GENERAL PROVISIONS
• Healthcare Provider Responsibilities (continued)
– Establish an Internal Complaint Process that provides individuals with means to lodge complaints about the entity’s information practices, and maintain a record of any complaints
– Develop a system of sanctions for members of the workforce and business partners who violate the entity’s policies
– Enforcement and Compliance
NOTICE
• Notice of Information Practices
– Brochure
– Pamphlet
– Posted on Wall
• Notice must include anticipated uses and disclosures of protected health information without the patient’s written authorization
PATIENT’S RIGHTS
• Right to be informed through NOTICE
• Right to inspect and review record
• Right to receive copies
• Right to amend/correct copies
• Right to add supplemental information
• Right to restrict Use and Disclosure of information
• Right to Accounting of Disclosures
• Right to a personal representative
• Right to revoke authorization
• Right to appeal
ACCESS TO RECORD
• Healthcare Provider Provides Access
– 60 days after receiving request
– Extended 30 more days without reason
– Provide patient with a summary of records if agreed upon in advance
– Recover cost-based fee for providing patient with a copy, explanation or summary of records
DENIED ACCESS
• Healthcare Provider Denial of Access with Opportunity for Review when, in the Opinion of a Licensed Health Care Professional:
– Information would endanger life or safety of patient or others
– References to others are reasonably likely to cause substantial harm to that other person
– Request was made by the patient’s personal representative and access would likely cause substantial harm to that person or others.
DENIED ACCESS
• Healthcare Provider Denial of Access Without Opportunity for Review
– Psychotherapy Notes
– Information compiled for civil, criminal or administrative actions
– Inmate request that would jeopardize health or safety of inmate or others
– Research that includes treatment
– Information obtained from an anonymous source under a promise of confidentiality
USE AND DISCLOSURE OF PHI
• Use: Protected Health Information is “used” when shared, examined, applied or analyzed within the covered entity that maintains the information.
• Disclosure: Protected Health Information is “disclosed” when released, transferred, given access to or divulged outside the entity holding the information.
USES AND DISCLOSURES WITH INDIVIDUAL AUTHORIZATION
• A General Consent is required for use or disclosure of information for treatment, payment and health operations.
• A more specific Authorization is required for use or disclosure of information for purposes other than treatment, payment or health operations.
USES AND DISCLOSURES WITHOUT INDIVIDUAL AUTHORIZATION
• Disclosures For:
– Public health activities
– Health oversight activities
– Judicial and administrative proceedings
– Governmental health data systems
– Research, emergency circumstances, next of kin, and as required by other laws
– Coroners and Medical Examiners
– Law Enforcement
– Directory information
– Banking and payment processes
BUSINESS ASSOCIATES
• Application to Business Associates
– Establish contracts that ensure Business Associates exercise an appropriate level of care related to privacy and conform to HIPAA regulations
– Must treat PHI the same as the covered entity
– Covered entity must take action if it is learned that Business Associate is not protecting PHI.
ADDITIONAL PROVISIONS
• Application to Information About Deceased Persons
– Same as if person was alive
• Application to Covered Entities That Are Components of Organizations That Are Not Covered Entities
– Hybrid Entity (Covered functions are not the primary functions of the entity)
IMPLEMENTATION REQUIREMENTS
• Policies and Practices must be developed and documented
• Scalability
– Appropriate to the nature and scope of the business that enables protection of health information in accordance with the rules
IMPLEMENTATION REQUIREMENTS
• Designation of Privacy Officer
• Provide Privacy Initial & On-going Training to Workforce
• Develop internal policies and forms
• Implement Safeguards
– To protect health information from intentional or accidental misuse
• Audit and QA
IMPLEMENTATION TIMELINE
The Compliance Date for Privacy is April 14, 2003
REGULATIONS OVERVIEW
SECURITY
SECURITY OBJECTIVE
To Protect the Confidentiality, Integrity and Availability of Individual Health Information, While Permitting the Appropriate Access and Use of That Information by Healthcare Providers, Healthcare Plans and Healthcare Clearinghouses.
SCOPE OF SECURITY REGULATIONS
• Applies to Healthcare Providers, Plans and Clearinghouses
• Applies to Organizations of All Sizes (Physician Offices, Medical Centers, County Public Health Departments, HMOs, Medicaid, etc.)
• Applies to All Health Information Pertaining to an Individual That Is Electronically Created, Received, Transmitted or Maintained.
PRIVACY vs. SECURITY
PRIVACY is the right of an individual to keep his/her individual health information from being disclosed.
SECURITY is the mechanism in place to protect individual health information.
SECURITY STANDARD IMPACTS ELECTRONICALLY MAINTAINED AND TRANSMITTED DATA
• Data on Magnetic Tape or Disk
• Entry of Patient Information in Computers
• Transmission of Treatment Data to a Healthcare Plan
• Claims Printed From a Healthcare Clearinghouse
• Records Transcribed and Stored in a Word Processor
• Lab Results Sent by Modem to a Printer at an Office
• Etc.
SECURITY STANDARD
• Does Not Identify or Require Specific Technologies
• Allows Healthcare Industry to Implement Different Solutions Depending Upon Needs and Technologies in Place
• Mandates Safeguards for Physical Storage and Maintenance, Transmission and Access to Individual Health Information
GUARDING DATA INTEGRITY, CONFIDENTIALITY AND AVAILABILITY
1. Administrative Procedures
2. Physical Safeguards
3. Technical Security Services
4. Technical Security Mechanisms
5. Electronic Signature
ADMINISTRATIVE PROCEDURES (Policies and Procedures)
1. Certification of Data Systems to Evaluate Security
2. “Chain of Trust” Agreement
3. Contingency Plan in Case of Emergency
4. Formal Data Processing Protocols
5. Controlling Access to Data
6. Internal Audit Procedures
ADMINISTRATIVE PROCEDURES (Policies and Procedures) (continued)
7. Security Activities by Personnel
8. Overall Security of Hardware, Software, and Virus Checking
9. Protocols for Reporting and Responding to Breaches of Security
10. Risk Management and Sanctions
11. Security Procedures in Event of Personnel Terminations
12. Security Training Programs
PHYSICAL SAFEGUARDS (Buildings and Equipment)
1. Designate Security Responsibilities
2. Develop Controls on Access and Manipulations of Hardware Components (Disk, Keyboard, Monitor)
3. Develop Disaster/Intrusion Response and Recovery Plans
4. Implement Personnel Identification for Access
5. Maintain Maintenance Records
6. Enforce Security Clearances (Need-to Know Basis)
7. Develop Protocols Regarding Activities and Security at the Work Station Level
TECHNICAL SECURITY MEASURES
(Software Controls)
1. Regulate Access (Includes Emergency Access)
2. Audits and Controls
3. Data Authentication (Security of Stored Data)
4. Ensure User Authentication and Access Control (User ID, Automatic Log-off)
TECHNICAL SECURITY MECHANISMS
(Transmission of Data)
1. Storage and Transmission of Health Information Cannot Easily Be Accessed or Interpreted by Unauthorized Third Parties
2. Ensure Messages Sent and Received Are the Same
3. Access Control to Transmission (Dedicated Lines)
4. Encryption
ELECTRONIC SIGNATURE (On Hold)
1. Ensure Identity of the Signer
2. Ensure Unaltered Transmission and Receipt of the Data
3. Must Prevent a Signer from Successfully Denying the Signature
Proposed standard explicitly notes that a Digital Signature is the only technology that satisfies these requirements.
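An added example, not from the presentation, that checks the three requirements on the slide against an Ed25519 digital signature and contrasts it with a shared-secret MAC, which meets the "unaltered" requirement but not the "cannot deny" requirement because both parties can compute the tag. The message and key are constructed sample values, and Ed25519 stands in for whichever signature algorithm a deployment chooses (the slide names none).

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample standing in for a transmitted transaction; not real data.
var sampleMessage = []byte("835|PAYER=CONSTRUCTED|CLAIM=SAMPLE-0001|PAID=125.00")

// Party holds an Ed25519 key pair. The private key stays with the party; only
// the public key is shared with trading partners.
type Party struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewParty generates a fresh key pair (in practice keys come from a managed store).
func NewParty() (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Pub: pub, priv: priv}, nil
}

// Sign returns a detached signature over msg made with the party's private key.
func (p *Party) Sign(msg []byte) []byte { return ed25519.Sign(p.priv, msg) }

// Verify succeeds only if sig was made with the private key matching pub, over
// exactly these bytes: requirements 1 (identity) and 2 (unaltered) together.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// SignatureChecks records the outcome of each property check.
type SignatureChecks struct {
	OriginalVerifies bool // the untouched message verifies under the signer's key
	TamperDetected   bool // a one-byte change to the message invalidates the signature
	OtherKeyRejected bool // a signature made with another party's key is rejected
}

// CheckDigitalSignature signs a message as the provider and verifies it as the
// payer, who holds only the provider's public key. Because the payer cannot
// produce a signature that verifies under that key (OtherKeyRejected), the
// provider cannot later claim the payer fabricated it: requirement 3.
func CheckDigitalSignature() (SignatureChecks, error) {
	provider, err := NewParty()
	if err != nil {
		return SignatureChecks{}, err
	}
	payer, err := NewParty()
	if err != nil {
		return SignatureChecks{}, err
	}
	sig := provider.Sign(sampleMessage)

	// Change the last digit of the paid amount (125.00 -> 125.09).
	tampered := append([]byte(nil), sampleMessage...)
	tampered[len(tampered)-1] = '9'

	return SignatureChecks{
		OriginalVerifies: Verify(provider.Pub, sampleMessage, sig),
		TamperDetected:   !Verify(provider.Pub, tampered, sig),
		OtherKeyRejected: !Verify(provider.Pub, sampleMessage, payer.Sign(sampleMessage)),
	}, nil
}

// SharedKeyTagIsForgeable shows why a MAC over a shared secret (HMAC-SHA256
// here) meets the "unaltered" requirement but not "cannot deny": the recipient
// holds the same key, so it can mint a valid tag for any message it likes, and a
// tag therefore does not prove which of the two parties created it.
func SharedKeyTagIsForgeable(sharedKey []byte) bool {
	forged := []byte("835|PAYER=CONSTRUCTED|CLAIM=SAMPLE-0001|PAID=9999.00")
	mint := hmac.New(sha256.New, sharedKey)
	mint.Write(forged) // the "recipient" creating a tag the sender never made
	tag := mint.Sum(nil)
	check := hmac.New(sha256.New, sharedKey)
	check.Write(forged) // "verification" is only recomputation with the same key
	return hmac.Equal(tag, check.Sum(nil))
}

func main() {
	checks, err := CheckDigitalSignature()
	if err != nil {
		panic(err)
	}
	fmt.Printf("digital signature: %+v\n", checks)
	fmt.Println("shared-key tag forgeable by recipient:", SharedKeyTagIsForgeable([]byte("constructed-shared-key")))
}
```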
SECURITY OFFICER
• Serves As Internal Information Security Consultant in Agency
• Documents Security Policies and Procedures
• Provides Risk Assessments
• Functions As Internal Auditor
• Monitors Compliance With Standards
SECURITY BOUNDARIES
• Identifies “What”
• Does Not Identify “How”
• Scalability (allows agency to define and implement security appropriate to size and activities of the agency)
GETTING STARTED
• Baseline Assessment
– Current Security Environment
• Policies
• Procedures
• Technology
– Information Systems
• GAP Analysis
– Compare Current Environment With Security Requirements
– Determine “GAPS”
• Risk Assessment
– Analyze likely and unlikely scenarios in terms of probability of occurrence and impact on agency
SECURITY ASSESSMENT
• Not Just a Technology Issue
– 40% Information Technology
– 60% Business Issues
• Security and Privacy Go Hand-in-Hand
• Integrate Both Standards
ENFORCEMENT
• RESPONSIBILITY: U.S. DHHS Office for Civil Rights
– Assist with voluntary compliance efforts
– Respond to questions, interpretation, guidance
– Respond to states’ requests for exceptions
– Investigate complaints
– Conduct compliance surveys
– Seek criminal prosecution for non-compliance
COMPLIANCE DATE
Expected to Become Effective in Late 2001
QUESTIONS
NCDHHS
IMPACT IN DHHS
APPROACH FOR ADDRESSING HIPAA
HIPAA IMPACT ON DHHS
• Standardized Transactions
– Initial Assessment - 26 Systems Process Health Care Transactions
• Public Health - 10 Systems
• Mental Health/Developmental Disabilities/Substance Abuse - 7 Systems
• Vocational Rehabilitation - 3 Systems
• Services for Blind - 1 System
• Medical Assistance - 1 System
• Shared (Multiple DHHS Agencies) - 4 Systems
– Local Agencies (e.g., MH/DD/SAS Area Programs) Must Modify Their Information Systems
HIPAA IMPACT ON DHHS (continued)
• Privacy and Security Standards
– Secure and Protect Electronic and Paper Records
• DHHS Serves “at Risk” Population
– Establish Policies and Procedures
– Establish Documentation and Audit Processes
HIPAA IMPACT ON DHHS (continued)
• Agencies Directly Impacted by HIPAA
– Public Health (including 86 county/regional health departments, State Laboratory, Medical Examiner’s Office)
– Mental Health, Developmental Disabilities and Substance Abuse Services (4 psychiatric hospitals, 5 mental retardation centers, 2 alcohol and drug abuse treatment centers, 1 extended care facility, 2 schools for emotionally disturbed children, 39 area programs)
HIPAA IMPACT ON DHHS (continued)
• Agencies Directly Impacted by HIPAA
– Medical Assistance (Medicaid program)
– Early Intervention and Education (18 Developmental Evaluation Centers, 3 schools for Deaf and Hard of Hearing, 1 school for Blind)
– Vocational Rehabilitation (72 local offices)
– Social Services (100 county offices)
– Services for the Blind (serve >35,000 North Carolinians each year)
– Child Development
HIPAA IMPACT ON DHHS (continued)
• Agencies Indirectly Impacted by HIPAA
– Research, Demonstrations and Rural Health Development
– Division of Aging
– Facility Services
– Human Resources
– Internal Auditor
– Public Affairs (Communications)
– Citizen Services
DHHS REACTION
• Provide Centralized Management Response
– Establishment of HIPAA Program Management Office (PMO)
• Appoint HIPAA Coordinators
• Designate HIPAA Attorney - Marc Lodge
• Develop Communications Plan
DHHS REACTION (continued)
• Identify Funding Sources
– No Federal Funds Appropriated for HIPAA Implementation
– Submission of Expansion Budget Request
– Developed Cost Allocation Models to Maximize Federal Funding for Systems/Programs
– Currently Investigating
• Availability of grants
• Other opportunities for maximizing federal funds
• Sharing vendor costs with other states
• Collaborative efforts with vendors
DHHS REACTION (continued)
• Partner with Other Organizations/States to Share Information/Deliverables
– NC Health Care Information and Communications Alliance (NCHICA)
– Government Information Value Exchange for States (GIVES)
– Southern HIPAA Administrative Regional Process (SHARP)
PROGRAM MANAGEMENT OFFICE
(Organization chart)
• HIPAA Oversight Committee
• PMO Director: Karen Tomczak
• Business Operations Mgr.: Sarah Brooks
• Tactical Operations Mgr.: Ivey Palmer
• Team Lead: Cynthia Wagnor
• Business Analyst: Susan Mitchell
• Business Specialists: Julie Burton, Frances Taylor
• Technical Writers: Dwala Johnson, Joyce Young, Stephen Fraser
• Web Developer: Bruce Chao
• Teams: Security Team, EDI Team, Operations Support
PMO TASKS
• Research HIPAA Requirements
• Determine Impact of Requirements on DHHS
• Serve as HIPAA Resource Center
• Correlate DHHS HIPAA activities with HIPAA Coordinators
• Establish and Coordinate Focus Groups
– Business Operations
– Security
– EDI/TCI
PMO TASKS (continued)
• Disseminate HIPAA Information throughout DHHS
• Develop Enterprise Policies, Procedures, Tools, Processes, Forms, Implementation Guidelines, Contracts, Agreements
• Develop Best Practice Models
• Promote Business Process Reengineering
• Provide Technical, Operational and Management Support
• Provide Overall Project Monitoring and DHHS HIPAA Status Reporting
PMO TASKS (continued)
• Provide Levels of HIPAA Training
– Awareness
– Core
– Intermediate
– Expert
• Develop Job Classifications/Descriptions for Security and Privacy Officers
• Maintain PMO Web Site for Communications
http://dirm.state.nc.us/hipaa/
DHHS WEBSITE
USER LOGIN
PMO DELIVERABLES
• Presentations
• Tools to Assess HIPAA Impact
– Information Flow Assessment Database
– Questionnaires (e.g., Early View)
– Reviews of Statutes, Rules, Policies, Procedures
• NCHICA Privacy and Confidentiality Focus Group
• Attorney General’s Office - HIPAA Legal Resources
• Department/Division/Agency Review
– Gap Analyses
– Risk Assessments
PMO DELIVERABLES (continued)
• Tools for HIPAA Remediation
– Work Plans
– Checklists
– Processes
– Sample Policies, Procedures, Forms, Notices, Contracts, Chain of Trust Agreements
• Tools for HIPAA Testing and Training
– Testing Processes/Procedures
– Staff Training Courses
– Other Training Courses
PMO DELIVERABLES (continued)
• Tools for HIPAA Compliance
– Self-Certification Tools
– Quality Assurance Audits
– On-going Awareness Training
• Staff
• Others (Business Associates, Vendors)
– New Employee Orientations
– Business Continuity Plans
DELIVERABLE PROCESS
• PMO
– Develops Deliverables
• Business Operations Focus Group
– Reviews Deliverables with Their Divisions/Local Agency Staff
• Selected Pilot Agencies/Institutions
– Test Deliverables
– Recommend Modifications
• Enterprise Dissemination
– Distribute via web site, HIPAA Coordinators and Focus Group
PMO OUTREACH
• HIPAA Awareness Seminars
• Professional Groups/Organizations with HIPAA Interests
– NC Association of Local Health Directors
• Technology Committee
– NC Health Information Management Association
• Behavioral Health Section
– HEARTS User Group
• Local Agencies, Institutions, Groups
QUESTIONS
GETTING STARTED
• Designate HIPAA Coordinator
• Establish HIPAA Implementation Team
• Participate in HIPAA Training Opportunities
• Present HIPAA Awareness Program to Management and Staff
• Develop and Implement HIPAA Work Plan
– Work Plan Template on PMO Web Site
• Conduct Information Flow Assessment
PMO TOOL
• Information Flow Assessment
– Status of Current Information Flow
– Web Based Database
– Individual Division/Office Customization
– Comprehensive Evaluation of Information Flow
– Ease of Use
– Report Generation
– Due Diligence
– Pinpoint Areas of HIPAA Impact
WHY DO AN INFORMATION FLOW ASSESSMENT?
• Determine if a Covered Entity
• Identify:– Business Associates
– Types & methods of information handling
– Code Sets currently in use
– Systems/applications in use
– Systems/applications for remediation
– Flow and routing of information
– Short and long term storage of information
– Areas of privacy/security weaknesses
– Current contracts and Agreements
• Documentation for Due Diligence
PMO TOOL
• Information Flow Assessment
– What Information Flows Within and Without an Agency
– Types of Information (personal, financial, medical)
– Who Accesses Information
– How is Information Transmitted
– When is Information Shared
– Where is Information Stored (temporary and permanent)
– How is Information Disposed
INFORMATION FLOW ASSESSMENT (sample form)
A. Information Received, Sent and/or Created
Please specify the type of health information currently or planned to be received, sent and/or created in your area (select all that apply):
NON-MEDICAL
1. Administrative
– None (go to next question)
– Demographic Information
– Investigative Reports
– Non-identifying statistical data
– Incident Reports
– Birth Certificate/Death Certificate
– Applications (Admissions, Client, Employment, etc)
– Legal Papers
– Complaint Information
– Custody/Guardianship Papers
– Correspondence (Internal & External)
– Parent Questionnaires
– Meeting Minutes/Notes
– Logs (Shift, Insurance, Staff notes, etc.)
– Photographs
– Other Administration: _____________
2. Education
– None (go to next question)
– Individual Education Plan (IEP)
– Immunization Records
– Psychological Records
– School Questionnaires
– Behavior Rating Scales
– Child Symptom Inventory Checklist
– Other Education: _____________
3. Financial
– None (go to next question)
– Information for filing insurance claim
– Medicaid Eligibility
– Assets and Liabilities (Ability to Pay)
– Billing Information
– Medicaid Liability
– Banking Information
– Entitlement Information
– Direct Deposit Information
– Financial Questionnaires
– Funding Justifications with Details
– Reports/Data (UR, Financial, etc.)
– CAP or Respite determinations
– Financial Correspondence
– Other Financial: _____________
GETTING STARTED (continued)
• If Covered Entity, Identify Business Associates and Trading Partners
• Evaluate Systems/Applications for HIPAA Remediation
– Utilize Y2K Inventory Data
– Contact Software Vendors
– Review Implementation Guides
• Evaluate Current Security of Protected Health Information (PHI)
– Door Locks, Paper Storage/Disposal, Location of Fax/Copiers/Shredders, System Security
GETTING STARTED (continued)
• Analyze Data Collection Process
– Registration
– Coding
– Discharge
• Compile Current Information for Remediation to HIPAA Compliance
– Policies
– Procedures
– Forms
– Contracts
GETTING STARTED (continued)
• Submit Budget Based on Anticipated IT and Business Changes (Budget Questionnaire)
• Work Your HIPAA Work Plan
• Monitor DHHS HIPAA Web Site
• Utilize HIPAA PMO/HIPAA Coordinators as Resources for HIPAA Implementation
RESOURCES
• Attachments to Slide Presentation Materials
– HIPAA Related Web Sites
– HIPAA Glossary and Acronym References
– DHHS Division HIPAA Coordinators
– NCHICA HIPAA Committees
– NCHICA HIPAA Privacy Regulation Work Groups
– NCHICA Top 10 Planning Points for HIPAA Compliance
– HIPAA Regulations
SUMMARY
• HIPAA - A Health Care Paradigm
– Affects Payers, Providers, Employers, Medical Manufacturers, Pharmaceutical Companies, Employees, Clearinghouses, Patients.
– Requires Redesign of Business Processes, Staffing Plans, Workflow
– Requires Changes to Business Applications, Technology Architecture, Facilities
– Shifts Power in Provider/Consumer Relationship
– Presents Change Management Challenges
– Introduces New Legal Liabilities
– Provides Patients with Rights
– Conveys Severe Civil and Criminal Penalties
SUMMARY
• HIPAA Is Not Going Away
– Health Care Industry Wants Standardization
– Consumers Want Health Information to Be Protected
• HIPAA Is Not an Option
• HIPAA Is Doing Business in the New Millennium
• Implementation Cost Is Short-term
• Operational Benefit Is Long-term
QUESTIONS