Red Raven Productions PRESENTATION – HIPAA Privacy & Security / X12 Standards / ICD-GEM (source: icd-gem.com/HIPAA-X12N-ICD/CH1-HIPAA-Overview_Handouts-x.pdf)


Red Raven Productions

PRESENTATION

HIPAA Privacy & Security
X12 Standards
ICD-GEM©™

Copyright 2010-2012 Red Raven Productions http://ICD-GEM.com

"It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change." - Charles Darwin

CH1: HIPAA Overview
• Brief History of HIPAA
• HIPAA Privacy & Security

CH2: X12N Standards Overview

CH3: ICD-GEM©™ Overview

CH4: Boothill – Death Registry Manager©™

CH5: ICD-GEM Manager©™

CH6: ICD-GEM SuperBill©™

HIPAA – X12N – ICD

CH1: HIPAA Overview – Brief History of HIPAA

• Prior to HIPAA
  – Horror Stories
    • Patient records made public…
    • UCLA researcher illegally read medical records…
    • eMail reminders not BCC'd
    • Women were fired…
    • Companies checked medical records before hiring or promoting
    • People avoid using insurance…
    • BCBS of Tennessee reported 57 HDs stolen…

• Prior to HIPAA
  – Horror Stories (continued)
    • Technician viewed PHI…
    • Records blew out of truck…
    • Used computers purchased containing prescription records
    • Pharmaceutical companies sold marketing lists
    • Banker called in mortgages
    • Hospitals gave PHI to newspapers

CH1: HIPAA Overview – Brief History of HIPAA

The Privacy Act of 1974 protected records that could be retrieved by personal identifiers such as a name, social security number, or other identifying number or symbol.

• An individual is entitled to access to his or her records and to request correction of these records if applicable.
• The Privacy Act prohibits disclosure of these records without written individual consent unless one of the twelve disclosure exceptions enumerated in the Act applies.
• These records are held in Privacy Act systems of records.
• A notice of any such system is published in the Federal Register. These notices identify the
  – legal authority for collecting and storing the records,
  – individuals about whom records will be collected,
  – what kinds of information will be collected,
  – and how the records will be used.

CH1: HIPAA Overview – Brief History of HIPAA

• Prior to HIPAA
  – Horror Stories
  – Before 1983
    • Privacy Act of 1974
    • Payers w/different forms
      – Example

Before 1983 Example

Most of the BCBS organizations were separate entities in each state. An individual from Illinois vacations in Florida and has to get health care.

Before 1983 Example (continued)

The health care provider would complete payment forms and send them in to the BCBS of Florida. The BCBS of Florida would decode the forms, enter the information into their mainframe computer, and pay the provider. Then BCBS of Florida would send the payment information to the BCBS of Illinois for reimbursement / reconciliation.

Before 1983 Example (continued)

The BCBS of Illinois would have to decipher what information was supplied on the form and data-enter the information into their mainframe computer. Sometimes the information was incomplete and/or in a format that was difficult to interpret by their standards. This would cause the payers to play "form tag", going back and forth coordinating health care information.

Before 1983 Example (continued)

Then, after a great deal of effort, payment is made for the insured's treatment. This process would take weeks, months and sometimes years.

CH1: HIPAA Overview – Brief History of HIPAA

• Prior to HIPAA
  – Horror Stories
  – Before 1983
    • Privacy Act of 1974
    • Payers w/different forms
      – Example
  – In 1983
    • IPDR (Inter-Plan Data Reporting)

1983: As an application Data Base Administrator, Data Base Designer and Application programmer for the BCBS Association in Chicago, I designed and developed the first Inter Plan Data Reporting VSAM file structure and COBOL programs.


This design structure was known as IPDR.


Thus I created this first common file format & data content standardization that allowed the "Blues" in all the states to communicate more efficiently with each other and get paid or reimbursed in a timely manner.

Administrative Simplification

During that time, the Health Care industry wanted administrative simplification in one format, one guide for all. And my work for the BCBSA helped.

CH1: HIPAA Overview – Brief History of HIPAA

• Beginnings of HIPAA
  – In the mid-1990's
    • Reform Health Care
    • Address Administrative Concerns
  – In 1996
    • HIPAA Enacted into Law
    • By Senators:
      – Edward Kennedy
      – Nancy Kassebaum
    • Portability

PORTABILITY
Workers can continue health care between different employers.
• Group insurance cannot:
  – Reject,
  – Refuse to renew,
  – or Charge higher premiums of certain individuals
• It simplified administration by creating a health care transaction standard.


ACCOUNTABILITY
• There are Penalties for non-compliance which I'll discuss in a later slide
• And there are also Tax provisions
• The law contains a section known as Administrative Simplification and includes requirements for the following:
  – Electronic transactions and code set standards
  – Privacy
  – Security
  – National Identifiers

CH1: HIPAA Overview – HIPAA Privacy & Security

• Titles
• Administrative Simplification
• Privacy & Security Rules
• Electronic Health Record Standards
• Definitions
• Acronyms
• Compliance Timelines
• Penalties for non-Compliance
• HIPAA Audits

Titles

Title I: Healthcare Insurance Access, Portability, and Renewability
Prohibits discrimination in enrollments and in premiums charged to employees and their dependents based on health status related factors.

• Health Status Related Factors
• Group Health Plans may Exclude Coverage
• Group Health Plans may Apply Lifetime Limits
• Preexisting Condition Exclusion
  – Limits exclusions for pre-existing medical conditions
  – 6-month period pre-existing medical condition exclusion

Health status related factors include:
• health status,
• medical conditions (including both physical and mental illness),
• claims experience,
• receipt of health care,
• medical history,
• genetic information,
• evidence of insurability, and
• disability.

Group health plans may exclude coverage for a specific disease, limit or exclude benefits for certain types of treatments or drugs, or limit or exclude benefits based on determination of whether the benefits are experimental or medically necessary, if the benefit restriction is applied uniformly to all similarly situated individuals and is not directed at any individual participants or beneficiaries based on a health factor.

Group health plans may apply lifetime limits, generally or with respect to benefits for a specific disease or treatment, provided the limits are applied uniformly to all similarly situated individuals and are not directed at any individual participants or beneficiaries based on a health factor.


Titles

Title I: Healthcare Insurance Access, Portability, and Renewability

Title II: Preventing Healthcare Fraud and Abuse; Administrative Simplification; Medical Liability Reform

Title III: Tax-related Health Provisions

Title IV: Application and Enforcement of Group Health Insurance Requirements

Title V: Revenue Offsets


Titles

Title II: Has Three Rules
1) Transactions, Code Sets, and Identifiers: Standards for electronic transmission
   – Electronic Data Interchange (EDI): Standardized records for health care transactions
2) The Privacy Rule: Standard for Privacy of Individually Identifiable Health Information (IIHI)
3) The Security Rule: Security Standard for electronic patient health records

Administration Simplification

• Standards for Electronic Transactions: Also referred to as Transactions, Code Sets, and Identifiers; defines standards for conducting EDI health transactions
• Standards for Privacy: Defines who is authorized to access health information and gives individuals the right to keep information about themselves from being disclosed
• Standards for Security: Defines Administrative, Physical, and Technical Safeguards to secure electronic PHI

Administration Simplification – Need for HIPAA

• Designed for Administrative Simplification
• Provides Standard Uniformity
• Standard EAT Processes
• Standard Electronic Transactions and Code Sets

The PRIVACY RULE: Patient Protections

• The Privacy Rule regulations ensure basic privacy protections for patients by limiting the ways that health plans, pharmacies, hospitals and other covered entities can use patients' personal medical information.
• The regulations protect medical records and other Individually Identifiable Health Information (aka: IIHI), whether it is on paper, in computers or communicated orally.

The PRIVACY RULE: Patient Protections

Provide a Notice
• Health Care Providers must provide a notice.
• Patients will be asked to sign, initial or otherwise acknowledge that they received this notice.
• Health plans generally must mail the notice to their enrollees, and again if the notice changes significantly.
• Patients also may ask covered entities to restrict the use or disclosure of their information beyond the practices included in the notice, but the covered entities would not have to agree to the changes.

The PRIVACY RULE: Patient Protections

A Notice must:
• Be written in plain, simple language.
• Include a header that reads: "This Notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review carefully."
• Describe the covered entity's uses and disclosures of PHI.

The PRIVACY RULE: Patient Protections

A Notice must:
• Describe an individual's rights under the Privacy Rule. These include the right of the individual to:
  – Request restrictions on certain uses and disclosures.
  – Receive confidential communication of PHI.
  – Inspect, copy, and amend PHI.
  – Obtain an accounting of disclosures of PHI.

The PRIVACY RULE: Patient Protections

A Notice must:
• Describe the covered entity's duties.
• Describe how to register complaints concerning suspected privacy violations.
• Specify a point of contact.
• Specify an effective date.
• State that the entity reserves the right to change its privacy practices.

The PRIVACY RULE: Patient Protections

Access To Medical Records
Patients generally should be able to see and obtain copies of their medical records and request corrections if they identify errors and mistakes.

Health plans, doctors, hospitals, clinics, nursing homes and other covered entities generally should provide access to these records within 30 days and may charge patients for the cost of copying and sending the records.

The PRIVACY RULE: Patient Protections

Limits on Use of Personal Medical Information
• The privacy rule sets limits on how health plans and covered providers may use IIHI.
• To promote the best quality care for patients, the rule does not restrict the ability of doctors, nurses and other providers to share information needed to treat their patients.
• PHI may NOT be used for purposes NOT related to health care, and covered entities may use or share only the minimum amount of protected information needed for a particular purpose.
• In addition, patients would have to sign a specific authorization before a covered entity could release their medical information to a life insurer, a bank, a marketing firm or another outside business for purposes not related to their health care.

The PRIVACY RULE: Patient Protections

Provide an Authorization
• That allows use and disclosure of PHI for purposes other than treatment, payment, or health care operations (TPO).
• An Authorization can allow PHI to be used and disclosed by the covered entity seeking the Authorization or by a third party.
• Covered entities must obtain an individual's Authorization for uses or disclosures not covered by the Notice.

The PRIVACY RULE: Patient Protections

An Authorization must:
• Be written in plain language.
• Give a specific and meaningful description of the authorized information.
• List the persons authorized to use or disclose PHI.
• List the persons to whom the covered entity may make the requested use or disclosure.
• Describe the purpose or purposes of the requested use or disclosure.
• Give an expiration date or an expiration event for the use or disclosure of an individual's PHI.

The PRIVACY RULE: Patient Protections

An Authorization must:
• State the individual's right to revoke the Authorization in writing, and state the exceptions to the right to revoke.
• Detail the ability or inability to conduct treatment, collect payment, manage enrollment, or determine eligibility for benefits based on the Authorization.
• State that information used or disclosed in accordance with the Authorization might be subject to re-disclosure by the recipient and might no longer be protected by this rule.
• Have the individual's signature and the date.

NOTE: If an Authorization is signed by a personal representative of the individual, the Authorization must have a description of the representative's authority to act for the individual.

The PRIVACY RULE: Patient Protections

Prohibition on Marketing
The final privacy rule sets new restrictions and limits on the use of patient information for marketing purposes.

Pharmacies, health plans and other covered entities must first obtain an individual's specific authorization before disclosing their patient information for marketing.

At the same time, the rule permits doctors and other covered entities to communicate freely with patients about treatment options and other health-related information, including disease-management programs.

The PRIVACY RULE: Patient Protections

Stronger State Laws
• The new federal privacy standards do not affect state laws that provide additional privacy protections for patients.
• The confidentiality protections are cumulative. The privacy rule will set a national "floor" of privacy standards that protect all Americans, and any state law providing additional protections would continue to apply.
• When a state law requires a certain disclosure, such as reporting an infectious disease outbreak to the public health authorities, the federal privacy regulations would not preempt the state law.

The PRIVACY RULE: Patient Protections

Confidential Communications
Patients can request that their doctors, health plans and other covered entities take reasonable steps to ensure that their communications with the patient are confidential.

For example: A patient could ask a doctor to call his or her office rather than home, and the doctor's office should comply with that request if it can be reasonably accommodated.

The PRIVACY RULE: Patient Protections

Complaints
If you believe that a person or a covered entity violated your or someone else's health information privacy rights or committed another violation of the Privacy Rule, you may file a complaint with the Office for Civil Rights.

OCR has authority to receive and investigate complaints against covered entities related to the Privacy Rule.

Such complaints can be made directly to the covered provider or health plan or to HHS' OCR, which is charged with investigating complaints and enforcing the privacy regulation.

The PRIVACY RULE: Patient Protections

Complaints
Complaints to the OCR must:
1) Be filed in writing, either on paper or electronically;
2) Name the entity that is the subject of the complaint and describe the acts or omissions believed to be in violation of the applicable requirements of the Privacy Rule;
3) Be filed within 180 days of when the act or omission complained of is known to have occurred.

OCR may extend the 180-day period if "good cause" can be shown.

The PRIVACY RULE: Patient Protections

Complaints
• Information about filing complaints should be included in each covered entity's notice of privacy practices.
• Consumers can find out more information about filing a complaint at:
  – http://www.hhs.gov/ocr/hipaa/
  – 866-627-7748
  – 800-368-1019

The PRIVACY RULE: Health Plans and Providers

The privacy rule requires health plans, pharmacies, doctors and other covered entities to establish policies and procedures to protect the confidentiality of protected health information about their patients.

These requirements are designed to be flexible and scalable, allowing different covered entities to implement them as appropriate for their businesses or practices.

Covered entities must provide all the protections for patients cited above, such as providing a notice of their privacy practices and limiting the use and disclosure of information as required under the rule.

The PRIVACY RULE: Health Plans and Providers

Written Privacy Procedures
The rule requires covered entities to have written privacy procedures, including a description of:
• staff that has access to protected information,
• how it will be used and
• when it may be disclosed.

Covered entities generally must take steps to ensure that any business associates who have access to protected information agree to the same limitations on the use and disclosure of that information.

The PRIVACY RULE: Health Plans and Providers

Employee Training and Privacy Officer
Covered entities must train their employees in their privacy procedures and must designate an individual to be responsible for ensuring the procedures are followed.

If covered entities learn an employee failed to follow these procedures, they must take appropriate disciplinary action.

The PRIVACY RULE: Health Plans and Providers

Public Responsibilities
In limited circumstances, the final rule permits, but does not require, covered entities to continue certain existing disclosures of health information for specific public responsibilities.

These permitted disclosures include:
• emergency circumstances;
• identification of the body of a deceased person, or the cause of death;
• public health needs;
• research that involves limited data or has been independently approved by an Institutional Review Board or privacy board;
• oversight of the health care system;
• judicial and administrative proceedings;
• limited law enforcement activities;
• and activities related to national defense and security.

The PRIVACY RULE: Health Plans and Providers

Public Responsibilities
The privacy rule generally establishes new safeguards and limits on these disclosures. Where no other law requires disclosures in these situations, covered entities may continue to use their professional judgment to decide whether to make such disclosures based on their own policies and ethical principles.

The PRIVACY RULE: Health Plans and Providers

Equivalent Requirements For Government
The provisions of the final rule generally apply equally to private sector and public sector covered entities.

For example: private hospitals and government-run hospitals covered by the rule have to comply with the full range of requirements.

The SECURITY RULE:

• ePHI: electronic Protected Health Information
• 8 pages and is highly technical
• Three types of safeguards:
  1. Administrative
  2. Physical
  3. Technical
• Provider Compliance: April 20, 2005

Electronic Health Record (EHR) Standards

ARRA: American Recovery and Reinvestment Act of 2009
• Meaningful Use: Red Raven Productions, Presentation #2

This proposed rule would implement the provisions of the American Recovery and Reinvestment Act of 2009 that provide incentive payments to Eligible Professionals and Eligible Hospitals participating in Medicare and Medicaid programs that adopt and meaningfully use certified EHR technology.

Electronic Health Record (EHR) Standards

The Proposed Rule Would Specify:
• Initial criteria
• Calculation
• Payment Adjustments
• Other Program Participation Requirements

Electronic Health Record (EHR) Standards

ONC-HIT
• Office of the National Coordinator for Health Information Technology
• ONC also issued a notice of proposed rulemaking on the process for organizations to conduct the certification of Electronic Health Record (EHR) technology.

DEFINITIONS: Covered Entities

[Diagram: covered entities, showing Health Care Clearinghouses and Health Plans, with flows labelled "Non Standard Bills" and "Standard Bills"]

DEFINITIONS: HEALTH CARE PROVIDER

• The term 'Health Care Provider' includes
  – a provider of services as defined in section 1861,
  – a provider of medical or other health services as defined in section 1861,
  – and any other persons furnishing health care services or supplies.
• They are individuals or group plans that provide, or pay the cost of, medical care.
• A Health Care Provider is a person who is trained and licensed to give health care.
• A Health Care Provider can also be a place licensed to give health care, which includes:
  – Clinics
  – Dentists
  – Hospitals
  – Laboratories
  – Pharmacies
  – Physicians

DEFINITIONS: HEALTH CARE CLEARINGHOUSE

• The term 'Health Care Clearinghouse' means a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.
• They are entities that process information received in a non-standard format into a standard one, and vice versa.

DEFINITIONS: HEALTH PLANS

• The term 'Health Plan' means an individual or group plan that provides, or pays the cost of, medical care.
• Such term includes the following, and any combination of:
  – A group health plan as defined in the Public Health Service Act, but only if the plan:
    • Has 50 or more participants as defined in the Employee Retirement Income Security Act of 1974, or
    • Is administered by an entity other than the employer who established and maintains the plan.
  – A health insurance issuer.
  – A Health Maintenance Organization (aka: HMO).
  – Part A or Part B of the Medicare program under title XVIII.
  – The Medicaid program under title XIX.
  – A Medicare supplemental policy.

DEFINITIONS: HEALTH PLANS (continued)

• A long-term care policy, including a nursing home fixed indemnity policy (unless the Secretary determines that such a policy does not provide sufficiently comprehensive coverage of a benefit so that the policy should be treated as a health plan).

• An employee welfare benefit plan or any other arrangement which is established or maintained for the purpose of offering or providing health benefits to the employees of 2 or more employers.

• The health care program for active military personnel under title 10, United States Code.

• The veteran’s health care program under chapter 17 of title 38, United States Code.

• The Civilian Health And Medical Program of the Uniformed Services (CHAMPUS), as defined in section 1072(4) of title 10, United States Code.

• The Indian Health Service Program under the Indian Health Care Improvement Act.

• The Federal Employees Health Benefit Plan under chapter 89 of title 5, United States Code.


DEFINITIONSBusiness Associate (BA)

Business Associate (BA)• Is a person who, on behalf of the

covered entity, performs or assists in the performance of a function or activity involving the use or disclosure of IIHI.

• Does not include members of the covered entity's workforce.


DEFINITIONS: Business Associate (BA) (continued)

• Business Associate Contracts (BAC) must specify the PHI to be disclosed and the uses that may be made of that information.

• BA Examples:
  – Accounting
  – Actuarial
  – Administration
  – Accreditation
  – Auditing Firms
  – Consulting
  – Data Aggregation
  – Financial Or Accounting
  – Legal

• Sample Contract: http://www.hhs.gov/ocr/hipaa/ContractProv.html


DEFINITIONS: Covered Information

The key information covered by the Privacy Rule is Protected Health Information (aka: PHI).

The Privacy Rule protects health information that identifies an individual and is maintained or exchanged electronically.


DEFINITIONS: Scope of Coverage

Medical records and other Individually Identifiable Health Information (aka: IIHI) that's used or disclosed electronically, via paper, or orally by a covered entity.

Thus, if you print any electronic information, that information (in paper form) retains its coverage.


DEFINITIONS: Individually Identifiable Health Information (IIHI)

The term IIHI means any information, including demographic information collected from an individual, that:

• Is created or received by a health care provider, health plan, employer, or health care clearinghouse,
• and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and
• identifies the individual,
• or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.


DEFINITIONS: Code Set

The term "Code Set" means any set of codes used for encoding data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes.


DEFINITIONS: Health Information

The term "Health Information" means any information, whether oral or recorded in any form or medium, that:

• is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse;
• and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.


DEFINITIONS: Protected Health Information (PHI)

Any patient-identifiable information is now Protected Health Information (PHI) regardless of the media form it is or was in. Data can be at rest or in transit. At rest can mean data that is accessed, stored, processed, or maintained.


DEFINITIONS: Treatment/Payment/Operations (TPO)

• Treatment: Organizations can use or disclose information to health care providers who are involved in your health care. For example: information can be shared to create and carry out a plan for your treatment.

• Payment: Organizations can use or disclose information to get payment or to pay for the health care services you receive. For example: an organization can provide PHI to bill your health plan for health care you received.

• Health Care Operations: Organizations can use or disclose information in order to manage their programs and activities. For example: an organization can use PHI to review the quality of services you receive.


DEFINITIONS: Patient Identifiable Information (PII)

PII is a subset of PHI that contains identifiers that could be used to identify an individual, such as:

• Name
• Social Security number
• Address
• Phone number


DEFINITIONS: De-Identified Information (DII)

A data set that has personal identifiers removed from the information is not Individually Identifiable and can be disclosed without an Individual's Authorization.


DEFINITIONS: Use and Disclosure

Use and Disclosure are two fundamental concepts of the HIPAA Privacy Rule.

• Use limits the sharing of information within a covered entity, and
• Disclosure restricts the sharing of information outside the covered entity.


DEFINITIONS: Use

USE: Refers to doing any of the following to IIHI by employees or other members of an organization's workforce:

• Analyzing
• Applying
• Employing
• Examining
• Sharing
• Utilizing

Basically, all information is used when it moves within an organization.


DEFINITIONS: Disclosure

DISCLOSURE: is defined as doing any of the following by the entity holding the information so that the information is outside the entity:

• Release
• Transfer
• Provision of access to
• Divulging in any manner

Information is disclosed when it's transmitted between or among organizations.


DEFINITIONS: Workforce

Workforce: Employees, volunteers, trainees, and other people under the direct control of a covered entity.


DEFINITIONS: National Identifiers and DSMOs

• National Provider Identifier (NPI)
• National Health Plan Identifier (NHPI)
• National Employer Identifier for Health Care (NEI)
• DSMO: Designated Standards Maintenance Organizations
  1. ANSI Accredited Standards Committee (ASC) X12
  2. Dental Content Committee of the American Dental Association
  3. Health Level Seven (HL7)
  4. National Council for Prescription Drug Programs (NCPDP)
  5. National Uniform Billing Committee (NUBC)
  6. National Uniform Claim Committee (NUCC)

National Provider Identifier (NPI)

NPI will be assigned to:
  – Individual providers
  – Individual NPIs will not be linked to organizational NPIs.
  – Individual providers keep their NPI for life.
  – Organizational providers can get multiple NPIs.


Acronyms

ARRA American Recovery and Reinvestment Act of 2009

ASC Accredited Standards Committee

ADA American Dental Association

AMA American Medical Association

ANSI American National Standards Institute

CAH Critical Access Hospital

CAHPS Consumer Assessment of Healthcare Providers and Systems

CCN CMS Certification Numbers

CDC Center for Disease Control

CHIP Children's Health Insurance Program

CHIPRA CHIP Reauthorization Act of 2009

CMS Centers for Medicare & Medicaid Services

CY Calendar Year

EAT Electronic Administrative Transactions

EHR Electronic Health Record

EMR Electronic Medical Record

EP Eligible Professionals

EPO Exclusive Provider Organization

FACA Federal Advisory Committee Act


FDA Food and Drug Administration

FFP Federal Financial Participation

FFS Fee-For-Service

FQHC Federally Qualified Health Center

FTE Full-Time Equivalent

FY Fiscal Year

FFY Federal Fiscal Year

GEM General Equivalence Mapping

HCPCS Health-Care Common Procedure Coding System

ICD International Statistical Classification of Diseases and Related Health Problems

MMIS Medicaid Management Information Systems

MSA Medical Savings Account

NCQA National Committee for Quality Assurance

NCVHS National Committee on Vital and Health Statistics

NDC National Drug Code

NPI National Provider Identifier

ONC Office of the National Coordinator for Health Information Technology

PAHP Prepaid Ambulatory Health Plan

PAPD Planning Advanced Planning Document


PIHP Prepaid Inpatient Health Plan

PFFS Private Fee-For-Service

HEDIS Healthcare Effectiveness Data and Information Set

HHS Department of Health and Human Services

HIE Health Information Exchanges

HIT Health Information Technology

HIPAA Health Insurance Portability and Accountability Act of 1996

HITECH Health Information Technology for Economic and Clinical Health Act

HMO Health Maintenance Organization

HOS Health Outcomes Survey

HPSA Health Professional Shortage Area

HRSA Health Resource Services Administration

IAPD Implementation Advanced Planning Document

IPA Independent Practice Association

IHS Indian Health Services

IT Information Technology

MA Medicare Advantage

MAC Medicare Administrative Contractor


Compliance Timelines: Past Dates / Completed Deadlines

15-Oct-2001  Deadline to submit a compliance extension form for Electronic Health Care Transactions and Code Sets.
16-Oct-2002  Electronic Health Care Transactions and Code Sets - all covered entities except those who filed for an extension and are not a small health plan.
14-Apr-2003  Privacy - all covered entities except small health plans.
16-Apr-2003  Electronic Health Care Transactions and Code Sets - all covered entities must have started software and systems testing.
16-Oct-2003  Electronic Health Care Transactions and Code Sets - all covered entities who filed for an extension and small health plans.
16-Oct-2003  Medicare will only accept paper claims under limited circumstances.
14-Apr-2004  Privacy - small health plans.
30-Jul-2004  Employer Identifier Standard - all covered entities except small health plans.
20-Apr-2005  Security Standards - all covered entities except small health plans.
1-Aug-2005   Employer Identifier Standard - small health plans.
20-Apr-2006  Security Standards - small health plans.
23-May-2007  National Provider Identifier - all covered entities except small health plans.
23-May-2008  National Provider Identifier - small health plans.


Compliance Timelines: Centers for Medicare and Medicaid Services (CMS)

• ASC X12 4010A1 to ASC X12 5010
• NCPDP 5.1 to NCPDP D.0

Dual use of existing standards permitted from March 17, 2009, until January 1, 2012.

Description                          Deadlines
Final rule was published             16-Jan-2009
Effective Date of the regulation     17-Mar-2009
Level I Compliance                   31-Dec-2010
Level II Compliance                  31-Dec-2011
Fully compliant                      1-Jan-2012


Compliance Timelines: The CMS Medicare Fee-for-Service Schedule

Description        Deadlines
Level I            1-Apr-10 thru 31-Dec-10
Level II           1-Jan-11 thru 31-Dec-11
Fully compliant    1-Jan-12

CMS has prepared a comparison of the current X12 HIPAA EDI standards (Version 4010/4010A1) with Version 5010 and the NCPDP EDI standards Version 5.1 to D.0.

The 4010A1 Implementation Guides and the 5010 Technical Report 3 (TR3) documents served as reference materials during the preparation of the comparison Excel spreadsheets.


Penalties: Civil

Under "General Penalty for Failure to Comply with Requirements and Standards" of Public Law 104-191, the Health Insurance Portability and Accountability Act of 1996, Section 1176 says that the Secretary can impose fines for noncompliance as high as $100 per offense, with a maximum of $25,000 per year on any person who violates a provision of this part.


Penalties: Civil (continued)

Offense                                                                        Monetary   Prison Time
Single violation of a provision                                                $100       N/A
Multiple violations of an identical requirement made during a calendar year    $25,000    N/A

Multiple penalties for violating multiple provisions.

The Secretary may reduce the fine if a violation is not due to willful neglect and is corrected within 30 days.


Penalties: Criminal

CRIMINAL Penalties for the wrongful disclosure of Individually Identifiable Health Information (IIHI)

Under SEC. 1177. OFFENSE.--A person who knowingly and in violation of this part--

• uses or causes to be used a unique health identifier,
• obtains Individually Identifiable Health Information relating to an individual, OR
• discloses Individually Identifiable Health Information to another person,

shall be punished as provided in subsection (b).


Penalties: Criminal (continued)

Offense                                                                                                                              Monetary           Prison Time
Wrongful disclosure of Individually Identifiable Health Information                                                                  $50,000 or less    1 yr or less
Wrongful disclosure of IIHI committed under false pretenses                                                                          $100,000 or less   5 yrs or less
Wrongful disclosure of IIHI committed under false pretenses with intent to sell, transfer, or use IIHI for commercial advantage, personal gain, or malicious harm   $250,000 or less   10 yrs or less


HIPAA Audits: HHS might ask a Covered Entity about:

1. Anti-virus software.
2. Computer patch management.
3. Creating, documenting and reviewing exception reports or logs: e.g., Provide a list of examples of security violation logging and monitoring.
4. Electronically transmitting ePHI.
5. Emergency access to electronic information systems.
6. Employee violations (sanctions).
7. Establishing and terminating users' access to systems housing electronic patient health information (ePHI).
8. Establishing security access controls: e.g., What types of security access controls are currently implemented or installed in hospitals' databases that house ePHI data?


HIPAA Audits: HHS might ask a Covered Entity about (continued):

9. Firewalls, routers and switches.
10. Inactive computer sessions (periods of inactivity).
11. Internet usage.
12. Maintenance and repairs of hardware, walls, doors, and locks in sensitive areas.
13. Monitoring systems and the network, including a listing of all network perimeter devices, e.g., firewalls and routers.
14. Network remote access.
15. Password and server configurations.
16. Physical access to electronic information systems and the facility in which they are housed.


HIPAA Audits: HHS might ask a Covered Entity about (continued):

17. A list of antivirus servers installed, including their versions.
18. Preventing, detecting, containing and correcting security violations (incident reports).
19. Entity-wide security program plans (e.g., System Security Plan).
20. Organizational charts that include names and titles for the management information system and information system security departments.
21. The antivirus software used for desktop and other devices, including their versions.
22. Recording and examining activity in information systems that contain or use ePHI.
23. Terminating an electronic session and encrypting and decrypting ePHI.


HIPAA Audits: HHS might ask a Covered Entity about (continued):

24. Transmitting ePHI.
25. Wireless security (transmission and usage).
26. All information systems that house ePHI data, as well as network diagrams, including all hardware and software that are used to collect, store, process or transmit ePHI.
27. Regularly reviewing records of information system activity, such as audit logs, access reports and security incident tracking reports.
28. Remote access activity, e.g., network infrastructure, platform, access servers, authentication, and encryption software.
29. Risk assessments and analyses of relevant information systems that house or process ePHI data.
30. All new hires.
31. All terminated employees.


HIPAA Audits: HHS might ask a Covered Entity about (continued):

32. All Primary Domain Controllers (PDC) and servers (including Unix, Apple, Linux and Windows): e.g., Identify whether these servers are used for processing, maintaining, updating, and sorting ePHI.
33. All users with access to ePHI data: e.g., Identify each user's access rights and privileges.
34. Authentication approaches used to verify a person has been authorized for specific access privileges to information and information systems.
35. Authentication methods used to identify users authorized to access ePHI.
36. Database security requirements and settings.
37. Encryption mechanisms used for ePHI.


HIPAA Audits: HHS might ask a Covered Entity about (continued):

38. Outsourced individuals and contractors with access to ePHI data, if applicable: e.g., Include a copy of the contract for these individuals.
39. Software used to manage and control access to the Internet.
40. Systems administrators, backup operators and users.
41. Transmission methods used to transmit ePHI over an electronic communications network.
42. Users with remote access capabilities.

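Several of the audit questions above (terminating users' access, reviewing audit logs and access reports, listing terminated employees, listing users with ePHI access) reduce to one check a covered entity can run itself: does every recorded ePHI access match an authorized, still-employed user? The script below is an added example, not from the handout; its log format, user names, dates and record sets are all constructed for the demonstration.

```python
"""Review an ePHI access log against authorization and HR records.

Added example, not from the handout. The log format, user names, dates
and record sets below are all constructed for this demonstration.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed: users formally authorized for ePHI access (audit item 33).
AUTHORIZED_EPHI_USERS = {"jdoe", "mlee", "rkhan"}

# Constructed: HR termination records, user -> last day (audit item 31).
TERMINATIONS = {"rkhan": date(2012, 1, 10)}

# Constructed: the date on which this review is being run.
REVIEW_DATE = date(2012, 1, 12)

# Constructed sample access log: "<ISO timestamp> <user> <action> <resource>".
SAMPLE_LOG = """\
2012-01-09T08:15:00 jdoe READ patient/1001
2012-01-09T09:02:00 rkhan READ patient/1002
2012-01-11T07:45:00 rkhan READ patient/1003
2012-01-11T10:30:00 tsmith EXPORT patient/1004
2012-01-12T11:00:00 mlee UPDATE patient/1005
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    user: str
    resource: str
    reason: str


def parse_line(line):
    """Split one log line into (timestamp, user, action, resource)."""
    ts, user, action, resource = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, action, resource


def review_access_log(log_text, authorized, terminations):
    """Flag ePHI accesses that the access records cannot justify.

    Two checks, in priority order:
      1. a user accessing ePHI after their HR termination date (the account
         should already have been disabled, audit item 7);
      2. a user who is not on the authorized ePHI user list at all.
    """
    findings = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        if not raw.strip():
            continue
        ts, user, _action, resource = parse_line(raw)
        last_day = terminations.get(user)
        if last_day is not None and ts.date() > last_day:
            findings.append(Finding(line_no, user, resource,
                                    f"access after termination on {last_day.isoformat()}"))
        elif user not in authorized:
            findings.append(Finding(line_no, user, resource,
                                    "user not on the authorized ePHI list"))
    return findings


def stale_authorizations(authorized, terminations, as_of):
    """Authorized users whose last day is already past as of `as_of`.

    These accounts should have been removed under audit item 7; listing
    them is the control-side evidence, independent of what the log shows.
    """
    return sorted(u for u in authorized
                  if u in terminations and terminations[u] < as_of)


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG, AUTHORIZED_EPHI_USERS, TERMINATIONS):
        print(f"line {f.line_no}: {f.user} -> {f.resource}: {f.reason}")
    print("stale authorizations:",
          stale_authorizations(AUTHORIZED_EPHI_USERS, TERMINATIONS, REVIEW_DATE))
```

On the constructed log the script reports one access by a terminated user and one by a user never authorized, and lists the terminated user's still-active authorization as the underlying control gap.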

Thomas Edison


REFERENCES

• American Dental Association: www.ada.org
• American Medical Association: www.ama-assn.org
• ANSI Accredited Standards Committee (ASC) X12: www.X12.org
• Centers for Medicare and Medicaid Services (CMS): www.cms.hhs.gov
• Dept. of Health & Human Services (HHS): www.hhs.gov
• Health Level Seven (HL7): www.hl7.org
• National Committee on Vital and Health Statistics (NCVHS): www.ncvhs.hhs.gov
• National Council for Prescription Drug Programs (NCPDP): www.ncpdp.org
• National Uniform Billing Committee (NUBC): www.nubc.org
• National Uniform Claim Committee (NUCC): www.nucc.org
• Washington Publishing Company (WPC): www.wpc-edi.com
• Workgroup for Electronic Data Interchange (WEDI): www.wedi.org


CREDITS

Thomas Dwyer, CHPSP
• Author, Director, Editor, Presenter

Sandra Remis, M.A.
• Editor

Dr. Ariel Schrodt
• Video Director

CANTV.org

Copyright 2010-2012 - Red Raven Productions

Tom Dwyer, January 1, 2012
