Transcript of Red Raven Productions PRESENTATION (icd-gem.com/HIPAA-X12N-ICD/CH1-HIPAA-Overview_Handouts-x.pdf)
Red Raven Productions
PRESENTATION
HIPAA Privacy & Security – X12 Standards
ICD-GEM©™
Copyright 2010-2012 Red Raven Productions http://ICD-GEM.com
"It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change." – Charles Darwin
CH1: HIPAA Overview
• Brief History of HIPAA
• HIPAA Privacy & Security
CH2: X12N Standards Overview
CH3: ICD-GEM©™ Overview
CH4: Boothill – Death Registry Manager©™
CH5: ICD-GEM Manager©™
CH6: ICD-GEM SuperBill©™
HIPAA – X12N - ICD
CH1: HIPAA Overview – Brief History of HIPAA
Prior to HIPAA – Horror Stories
• Patient records made public
• UCLA researcher illegally read medical records
• E-mail reminders not BCC'd
• Women were fired
• Companies checked medical records before hiring or promoting
• People avoid using insurance
• BCBS of Tennessee reported 57 HDs stolen
• Technician viewed PHI
• Records blew out of truck
• Used computers purchased containing prescription records
• Pharmaceutical companies sold marketing lists
• Banker called in mortgages
• Hospitals gave PHI to newspapers
Before 1983
The Privacy Act of 1974 protected records that could be retrieved by personal identifiers such as a name, Social Security number, or other identifying number or symbol.
• An individual is entitled to access his or her records and to request correction of these records if applicable.
• The Privacy Act prohibits disclosure of these records without written individual consent unless one of the twelve disclosure exceptions enumerated in the Act applies.
• These records are held in Privacy Act systems of records.
• A notice of any such system is published in the Federal Register. These notices identify the:
  – legal authority for collecting and storing the records,
  – individuals about whom records will be collected,
  – kinds of information that will be collected,
  – and how the records will be used.
Payers with different forms
Before 1983 Example
Most of the BCBS organizations were separate entities in each state. An individual from Illinois vacations in Florida and has to get health care.
The health care provider would complete payment forms and send them in to the BCBS of Florida. The BCBS of Florida would decode the forms, enter the information into their mainframe computer, and pay the provider. Then BCBS of Florida would send the payment information to the BCBS of Illinois for reimbursement / reconciliation.
The BCBS of Illinois would have to decipher what information was supplied on the form and data-enter the information into their mainframe computer. Sometimes the information was incomplete and/or in a format that was difficult to interpret by their standards. This would cause the payers to play "form tag", going back and forth coordinating health care information.
Then, after a great deal of effort, payment is made for the insured's treatment. This process would take weeks, months and sometimes years.
In 1983 – IPDR (Inter-Plan Data Reporting)
1983: As an application Data Base Administrator, Data Base Designer and Application Programmer for the BCBS Association in Chicago, I designed and developed the first Inter-Plan Data Reporting VSAM file structure and COBOL programs.
This design structure was known as IPDR.
Thus I created this first common file format & data content standardization that allowed the "Blues" in all the states to communicate more efficiently with each other and get paid or reimbursed in a timely manner.
Administrative Simplification
During that time, the health care industry wanted administrative simplification in one format, one guide for all. And my work for the BCBSA helped.
Beginnings of HIPAA
• In the mid-1990s
  – Reform health care
  – Address administrative concerns
• In 1996
  – HIPAA enacted into law
  – By Senators Edward Kennedy and Nancy Kassebaum
  – Portability
  – Accountability

PORTABILITY
• Workers can continue health care between different employers.
• Group insurance cannot:
  – reject,
  – refuse to renew,
  – or charge higher premiums of certain individuals.
• It simplified administration by creating a health care transaction standard.
ACCOUNTABILITY
• There are penalties for non-compliance, which I'll discuss in a later slide.
• And there are also tax provisions.
• The law contains a section known as Administrative Simplification and includes requirements for the following:
  – Electronic transactions and code set standards
  – Privacy
  – Security
  – National identifiers
CH1: HIPAA Overview – HIPAA Privacy & Security
• Titles
• Administrative Simplification
• Privacy & Security Rules
• Electronic Health Record Standards
• Definitions
• Acronyms
• Compliance Timelines
• Penalties for non-Compliance
• HIPAA Audits
Titles
Title I: Healthcare Insurance Access, Portability, and Renewability
Prohibits discrimination in enrollments and in premiums charged to employees and their dependents based on health status related factors.
• Health Status Related Factors
• Group Health Plans may Exclude Coverage
• Group Health Plans may Apply Lifetime Limits
• Preexisting Condition Exclusion: limits exclusions for pre-existing medical conditions (6-month period pre-existing medical condition exclusion)

Health status related factors include:
• health status,
• medical conditions (including both physical and mental illness),
• claims experience,
• receipt of health care,
• medical history,
• genetic information,
• evidence of insurability, and
• disability.

Group health plans may exclude coverage for a specific disease, limit or exclude benefits for certain types of treatments or drugs, or limit or exclude benefits based on a determination of whether the benefits are experimental or medically necessary, if the benefit restriction is applied uniformly to all similarly situated individuals and is not directed at any individual participants or beneficiaries based on a health factor.

Group health plans may apply lifetime limits, generally or with respect to benefits for a specific disease or treatment, provided the limits are applied uniformly to all similarly situated individuals and are not directed at any individual participants or beneficiaries based on a health factor.
Titles
Title I: Healthcare Insurance Access, Portability, and Renewability
Title II: Preventing Healthcare Fraud and Abuse; Administrative Simplification; Medical Liability Reform
Title III: Tax-related Health Provisions
Title IV: Application and Enforcement of Group Health Insurance Requirements
Title V: Revenue Offsets
Title II has three rules:
1) Transactions, Code Sets, and Identifiers: standards for electronic transmission
   – Electronic Data Interchange (EDI): standardized records for health care transactions
2) The Privacy Rule: Standard for Privacy of Individually Identifiable Health Information (IIHI)
3) The Security Rule: security standard for electronic patient health records
Administrative Simplification
• Standards for Electronic Transactions: also referred to as Transactions, Code Sets, and Identifiers; defines standards for conducting EDI health transactions.
• Standards for Privacy: defines who is authorized to access health information and gives individuals the right to keep information about themselves from being disclosed.
• Standards for Security: defines Administrative, Physical, and Technical Safeguards to secure electronic PHI.

Need for HIPAA
• Designed for administrative simplification
• Provides standard uniformity
• Standard EAT processes
• Standard electronic transactions and code sets
The PRIVACY RULE: Patient Protections
• The Privacy Rule regulations ensure basic privacy protections for patients by limiting the ways that health plans, pharmacies, hospitals and other covered entities can use patients' personal medical information.
• The regulations protect medical records and other Individually Identifiable Health Information (aka IIHI), whether it is on paper, in computers or communicated orally.
Provide a Notice
• Health care providers must provide a notice.
• Patients will be asked to sign, initial or otherwise acknowledge that they received this notice.
• Health plans generally must mail the notice to their enrollees, and again if the notice changes significantly.
• Patients also may ask covered entities to restrict the use or disclosure of their information beyond the practices included in the notice, but the covered entities would not have to agree to the changes.
A Notice must:
• Be written in plain, simple language.
• Include a header that reads: "This Notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review carefully."
• Describe the covered entity's uses and disclosures of PHI.
• Describe an individual's rights under the Privacy Rule. These include the right of the individual to:
  – Request restrictions on certain uses and disclosures.
  – Receive confidential communication of PHI.
  – Inspect, copy, and amend PHI.
  – Obtain an accounting of disclosures of PHI.
• Describe the covered entity's duties.
• Describe how to register complaints concerning suspected privacy violations.
• Specify a point of contact.
• Specify an effective date.
• State that the entity reserves the right to change its privacy practices.
Access to Medical Records
• Patients generally should be able to see and obtain copies of their medical records and request corrections if they identify errors and mistakes.
• Health plans, doctors, hospitals, clinics, nursing homes and other covered entities generally should provide access to these records within 30 days and may charge patients for the cost of copying and sending the records.
Limits on Use of Personal Medical Information
• The Privacy Rule sets limits on how health plans and covered providers may use IIHI.
• To promote the best quality care for patients, the rule does not restrict the ability of doctors, nurses and other providers to share information needed to treat their patients.
• PHI may NOT be used for purposes NOT related to health care, and covered entities may use or share only the minimum amount of protected information needed for a particular purpose.
• In addition, patients would have to sign a specific authorization before a covered entity could release their medical information to a life insurer, a bank, a marketing firm or another outside business for purposes not related to their health care.
Provide an Authorization
• An Authorization allows use and disclosure of PHI for purposes other than treatment, payment, or health care operations (TPO).
• An Authorization can allow PHI to be used and disclosed by the covered entity seeking the Authorization or by a third party.
• Covered entities must obtain an individual's Authorization for uses or disclosures not covered by the Notice.
An Authorization must:
• Be written in plain language.
• Give a specific and meaningful description of the authorized information.
• List the persons authorized to use or disclose PHI.
• List the persons to whom the covered entity may make the requested use or disclosure.
• Describe the purpose or purposes of the requested use or disclosure.
• Give an expiration date or an expiration event for the use or disclosure of an individual's PHI.
• State the individual's right to revoke the Authorization in writing, and state the exceptions to the right to revoke.
• Detail the ability or inability to conduct treatment, collect payment, manage enrollment, or determine eligibility for benefits based on the Authorization.
• State that information used or disclosed in accordance with the Authorization might be subject to re-disclosure by the recipient and might no longer be protected by this rule.
• Have the individual's signature and the date.

NOTE: If an Authorization is signed by a personal representative of the individual, the Authorization must have a description of the representative's authority to act for the individual.
Prohibition on Marketing
• The final Privacy Rule sets new restrictions and limits on the use of patient information for marketing purposes.
• Pharmacies, health plans and other covered entities must first obtain an individual's specific authorization before disclosing their patient information for marketing.
• At the same time, the rule permits doctors and other covered entities to communicate freely with patients about treatment options and other health-related information, including disease-management programs.
Stronger State Laws
• The new federal privacy standards do not affect state laws that provide additional privacy protections for patients.
• The confidentiality protections are cumulative. The Privacy Rule will set a national "floor" of privacy standards that protect all Americans, and any state law providing additional protections would continue to apply.
• When a state law requires a certain disclosure, such as reporting an infectious disease outbreak to the public health authorities, the federal privacy regulations would not preempt the state law.
Confidential Communications
• Patients can request that their doctors, health plans and other covered entities take reasonable steps to ensure that their communications with the patient are confidential.
• For example: a patient could ask a doctor to call his or her office rather than home, and the doctor's office should comply with that request if it can be reasonably accommodated.
Complaints
• If you believe that a person or a covered entity violated your or someone else's health information privacy rights or committed another violation of the Privacy Rule, you may file a complaint with the Office for Civil Rights (OCR).
• OCR has authority to receive and investigate complaints against covered entities related to the Privacy Rule.
• Such complaints can be made directly to the covered provider or health plan or to HHS' OCR, which is charged with investigating complaints and enforcing the privacy regulation.
Complaints to the OCR must:
1) Be filed in writing, either on paper or electronically;
2) Name the entity that is the subject of the complaint and describe the acts or omissions believed to be in violation of the applicable requirements of the Privacy Rule;
3) Be filed within 180 days of when the act or omission complained of is known to have occurred.
OCR may extend the 180-day period if "good cause" can be shown.
• Information about filing complaints should be included in each covered entity's notice of privacy practices.
• Consumers can find out more information about filing a complaint at:
  – http://www.hhs.gov/ocr/hipaa/
  – 866-627-7748
  – 800-368-1019
The PRIVACY RULE: Health Plans and Providers
• The Privacy Rule requires health plans, pharmacies, doctors and other covered entities to establish policies and procedures to protect the confidentiality of protected health information about their patients.
• These requirements are designed to be flexible and scalable, allowing different covered entities to implement them as appropriate for their businesses or practices.
• Covered entities must provide all the protections for patients cited above, such as providing a notice of their privacy practices and limiting the use and disclosure of information as required under the rule.
Written Privacy Procedures
• The rule requires covered entities to have written privacy procedures, including a description of:
  – staff that has access to protected information,
  – how it will be used, and
  – when it may be disclosed.
• Covered entities generally must take steps to ensure that any business associates who have access to protected information agree to the same limitations on the use and disclosure of that information.
Employee Training and Privacy Officer
• Covered entities must train their employees in their privacy procedures and must designate an individual to be responsible for ensuring the procedures are followed.
• If covered entities learn an employee failed to follow these procedures, they must take appropriate disciplinary action.
Public Responsibilities
• In limited circumstances, the final rule permits, but does not require, covered entities to continue certain existing disclosures of health information for specific public responsibilities.
• These permitted disclosures include:
  – emergency circumstances;
  – identification of the body of a deceased person, or the cause of death;
  – public health needs;
  – research that involves limited data or has been independently approved by an Institutional Review Board or privacy board;
  – oversight of the health care system;
  – judicial and administrative proceedings;
  – limited law enforcement activities;
  – and activities related to national defense and security.
• The Privacy Rule generally establishes new safeguards and limits on these disclosures.
• Where no other law requires disclosures in these situations, covered entities may continue to use their professional judgment to decide whether to make such disclosures based on their own policies and ethical principles.
Equivalent Requirements for Government
• The provisions of the final rule generally apply equally to private sector and public sector covered entities.
• For example: private hospitals and government-run hospitals covered by the rule have to comply with the full range of requirements.
The SECURITY RULE:
• ePHI – electronic Protected Health Information
• 8 pages, and highly technical
• Three types of safeguards:
  1. Administrative
  2. Physical
  3. Technical
• Provider compliance – April 20, 2005
Electronic Health Record (EHR) Standards
• ARRA – American Recovery and Reinvestment Act of 2009
• Meaningful Use – Red Raven Productions, Presentation #2
This proposed rule would implement the provisions of the American Recovery and Reinvestment Act of 2009 that provide incentive payments to Eligible Professionals and Eligible Hospitals participating in Medicare and Medicaid programs that adopt and meaningfully use certified EHR technology.
The proposed rule would specify:
• Initial criteria
• Calculation
• Payment adjustments
• Other program participation requirements
ONC-HIT
• Office of the National Coordinator for Health Information Technology
• ONC also issued a notice of proposed rulemaking on the process for organizations to conduct the certification of Electronic Health Record (EHR) technology.
DEFINITIONS – Covered Entities
[Diagram: Health Care Clearinghouses, Health Plans; Non-Standard Bills → Standard Bills]
DEFINITIONS – HEALTH CARE PROVIDER:
• The term 'Health Care Provider' includes:
  – a provider of services as defined in section 1861,
  – a provider of medical or other health services as defined in section 1861,
  – and any other persons furnishing health care services or supplies.
• They are individuals or group plans that provide, or pay the cost of, medical care.
• A Health Care Provider is a person who is trained and licensed to give health care.
• A Health Care Provider can also be a place licensed to give health care, which includes:
  – Clinics
  – Dentists
  – Hospitals
  – Laboratories
  – Pharmacies
  – Physicians
DEFINITIONS – HEALTH CARE CLEARINGHOUSE:
• The term 'Health Care Clearinghouse' means a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.
• They are entities that process information received in a non-standard format into a standard one, and vice versa.
DEFINITIONS – HEALTH PLANS:
• The term 'Health Plan' means an individual or group plan that provides, or pays the cost of, medical care.
• Such term includes the following, and any combination of:
  – A group health plan as defined in the Public Health Service Act, but only if the plan:
    • has 50 or more participants as defined in the Employee Retirement Income Security Act of 1974, or
    • is administered by an entity other than the employer who established and maintains the plan.
  – A health insurance issuer.
  – A Health Maintenance Organization (aka HMO).
  – Part A or Part B of the Medicare program under title XVIII.
  – The Medicaid program under title XIX.
  – A Medicare supplemental policy.
DEFINITIONS – HEALTH PLANS (continued):
• A long-term care policy, including a nursing home fixed indemnity policy (unless the Secretary determines that such a policy does not provide sufficiently comprehensive coverage of a benefit so that the policy should be treated as a health plan).
• An employee welfare benefit plan or any other arrangement which is established or maintained for the purpose of offering or providing health benefits to the employees of 2 or more employers.
• The health care program for active military personnel under title 10, United States Code.
• The veterans' health care program under chapter 17 of title 38, United States Code.
• The Civilian Health And Medical Program of the Uniformed Services (CHAMPUS), as defined in section 1072(4) of title 10, United States Code.
• The Indian Health Service Program under the Indian Health Care Improvement Act.
• The Federal Employees Health Benefit Plan under chapter 89 of title 5, United States Code.
DEFINITIONS – Business Associate (BA)
• A Business Associate is a person who, on behalf of the covered entity, performs or assists in the performance of a function or activity involving the use or disclosure of IIHI.
• Does not include members of the covered entity's workforce.
• Business Associate Contracts (BAC) must specify the PHI to be disclosed and the uses that may be made of that information.
• BA examples: accounting, actuarial, administration, accreditation, auditing firms, consulting, data aggregation, financial or accounting, legal.
• Sample contract: http://www.hhs.gov/ocr/hipaa/ContractProv.html
DEFINITIONS – Covered Information
• The key information covered by the Privacy Rule is Protected Health Information (aka PHI).
• The Privacy Rule protects health information that identifies an individual and is maintained or exchanged electronically.
Scope of Coverage
• Medical records and other Individually Identifiable Health Information (aka IIHI) that is used or disclosed electronically, via paper, or orally by a covered entity.
• Thus, if you print any electronic information, that information (in paper form) retains its coverage.
Individually Identifiable Health Information (IIHI)
The term IIHI means any information, including demographic information collected from an individual, that:
• is created or received by a health care provider, health plan, employer, or health care clearinghouse,
• and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and
• identifies the individual,
• or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
Code Set
The term "Code Set" means any set of codes used for encoding data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes.
Health Information
The term "Health Information" means any information, whether oral or recorded in any form or medium, that:
• is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse;
• and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.
Protected Health Information (PHI)
Any patient-identifiable information is now Protected Health Information (PHI) regardless of the media form it is or was in. Data can be at rest or in transit. At rest can mean data that is accessed, stored, processed, or maintained.
Treatment/Payment/Operations (TPO)
• Treatment: Organizations can use or disclose information to health care providers who are involved in your health care. For example: information can be shared to create and carry out a plan for your treatment.
• Payment: Organizations can use or disclose information to get payment or to pay for the health care services you receive. For example: an organization can provide PHI to bill your health plan for health care you received.
• Health Care Operations: Organizations can use or disclose information in order to manage their programs and activities. For example: an organization can use PHI to review the quality of services you receive.
Patient Identifiable Information (PII)
PII is a subset of PHI that contains identifiers that could be used to identify an individual, such as:
• Name
• Social Security number
• Address
• Phone number
De-Identified Information (DII)
A data set that has personal identifiers removed from the information is not Individually Identifiable and can be disclosed without an Individual's Authorization.
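As an added illustration of the de-identification step described above (example code, not from the presentation or from Red Raven Productions), the following strips the four identifier fields the PII slide names (name, Social Security number, address, phone) from a constructed patient record, scrubs SSN and phone patterns that have leaked into free-text fields, and re-checks the result before it is treated as de-identified. The field names, regular expressions, placeholder tokens and the sample record are assumptions for this example; the Privacy Rule's safe-harbor identifier list is longer than the four shown on the slide.

```python
import re

# Identifier fields named on the PII slide (assumed field names for this example).
# The Privacy Rule's own safe-harbor list is longer; these four are the slide's.
DIRECT_IDENTIFIERS = {"name", "ssn", "address", "phone"}

# Patterns that catch identifiers typed into free-text fields (e.g. an SSN in a
# clinical note), which removing the named fields alone would miss.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")


def scrub_text(text: str) -> str:
    """Replace SSN and phone patterns in free text with fixed placeholder tokens."""
    text = SSN_RE.sub("[SSN REMOVED]", text)
    text = PHONE_RE.sub("[PHONE REMOVED]", text)
    return text


def de_identify(record: dict) -> dict:
    """Return a copy of the record with direct identifier fields dropped and
    free-text values scrubbed. Non-identifier fields are passed through."""
    cleaned = {}
    for field, value in record.items():
        if field.lower() in DIRECT_IDENTIFIERS:
            continue  # drop the whole field
        if isinstance(value, str):
            value = scrub_text(value)
        cleaned[field] = value
    return cleaned


def contains_identifiers(record: dict) -> bool:
    """Verification check: True if a direct identifier field is still present
    or an SSN/phone pattern survives in any string value."""
    for field, value in record.items():
        if field.lower() in DIRECT_IDENTIFIERS:
            return True
        if isinstance(value, str) and (SSN_RE.search(value) or PHONE_RE.search(value)):
            return True
    return False


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "address": "1 Sample St, Anytown",
    "phone": "555-123-4567",
    "diagnosis_code": "J18.9",
    "note": "Patient called from 555-123-4567 about follow-up; SSN 123-45-6789 on file.",
}

if __name__ == "__main__":
    cleaned = de_identify(SAMPLE_RECORD)
    print(cleaned)
    print("identifiers remain:", contains_identifiers(cleaned))
```

The second function is the part a reviewer would insist on: a data set is only "de-identified" once something has confirmed that no identifier survived, including inside free text, rather than because the identifier columns were deleted.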
Use and Disclosure
Use and Disclosure are two fundamental concepts of the HIPAA Privacy Rule.
• Use limits the sharing of information within a covered entity, and
• Disclosure restricts the sharing of information outside the covered entity.
USE: Refers to doing any of the following to IIHI by employees or other members of an organization's workforce:
• Analyzing
• Applying
• Employing
• Examining
• Sharing
• Utilizing
Basically, all information is used when it moves within an organization.
DISCLOSURE: is defined as doing any of the following by the entity holding the information so that the information is outside the entity:
• Release
• Transfer
• Provision of access to
• Divulging in any manner
Information is disclosed when it is transmitted between or among organizations.
Workforce
Workforce: Employees, volunteers, trainees, and other people under the direct control of a covered entity.
DEFINITIONS
• National Provider Identifier (NPI)
• National Health Plan Identifier (NHPI)
• National Employer Identifier for Health Care (NEI)
• DSMO: Designated Standards Maintenance Organizations
  1. ANSI Accredited Standards Committee (ASC) X12
  2. Dental Content Committee of the American Dental Association
  3. Health Level Seven (HL7)
  4. National Council for Prescription Drug Programs (NCPDP)
  5. National Uniform Billing Committee (NUBC)
  6. National Uniform Claim Committee (NUCC)
National Provider Identifier (NPI)
NPI will be assigned to:
• Individual providers
• Individual NPIs will not be linked to organizational NPIs.
• Individual providers keep their NPI for life.
• Organizational providers can get multiple NPIs.
Acronyms
ARRA American Recovery and Reinvestment Act of 2009
ASC Accredited Standards Committee
ADA American Dental Association
AMA American Medical Association
ANSI American National Standards Institute
CAH Critical Access Hospital
CAHPS Consumer Assessment of Healthcare Providers and Systems
CCN CMS Certification Numbers
CDC Center for Disease Control
CHIP Children's Health Insurance Program
CHIPRA CHIP Reauthorization Act of 2009
CMS Centers for Medicare & Medicaid Services
CY Calendar Year
EAT Electronic Administrative Transactions
EHR Electronic Health Record
EMR Electronic Medical Record
EP Eligible Professionals
EPO Exclusive Provider Organization
FACA Federal Advisory Committee Act
FDA Food and Drug Administration
FFP Federal Financial Participation
FFS Fee-For-Service
FQHC Federally Qualified Health Center
FTE Full-Time Equivalent
FY Fiscal Year
FFY Federal Fiscal Year
GEM General Equivalence Mapping
HCPCS Health-Care Common Procedure Coding System
ICD International Statistical Classification of Diseases and Related Health Problems
MMIS Medicaid Management Information Systems
MSA Medical Savings Account
NCQA National Committee for Quality Assurance
NCVHS National Committee on Vital and Health Statistics
NDC National Drug Code
NPI National Provider Identifier
ONC Office of the National Coordinator for Health Information Technology
PAHP Prepaid Ambulatory Health Plan
PAPD Planning Advanced Planning Document
PIHP Prepaid Inpatient Health Plan
PFFS Private Fee-For-Service
HEDIS Healthcare Effectiveness Data and Information Set
HHS Department of Health and Human Services
HIE Health Information Exchanges
HIT Health Information Technology
HIPAA Health Insurance Portability and Accountability Act of 1996
HITECH Health Information Technology for Economic and Clinical Health Act
HMO Health Maintenance Organization
HOS Health Outcomes Survey
HPSA Health Professional Shortage Area
HRSA Health Resource Services Administration
IAPD Implementation Advanced Planning Document
IPA Independent Practice Association
IHS Indian Health Services
IT Information Technology
MA Medicare Advantage
MAC Medicare Administrative Contractor
Compliance Timelines
Past Dates: Completed Deadlines
15-Oct-2001 Deadline to submit a compliance extension form for Electronic Health Care Transactions and Code Sets.
16-Oct-2002 Electronic Health Care Transactions and Code Sets - all covered entities except those who filed for an extension and are not a small health plan.
14-Apr-2003 Privacy - all covered entities except small health plans.
16-Apr-2003 Electronic Health Care Transactions and Code Sets - all covered entities must have started software and systems testing.
16-Oct-2003 Electronic Health Care Transactions and Code Sets - all covered entities who filed for an extension and small health plans.
16-Oct-2003 Medicare will only accept paper claims under limited circumstances.
14-Apr-2004 Privacy - small health plans.
30-Jul-2004 Employer Identifier Standard - all covered entities except small health plans.
20-Apr-2005 Security Standards - all covered entities except small health plans.
1-Aug-2005 Employer Identifier Standard - small health plans.
20-Apr-2006 Security Standards - small health plans.
23-May-2007 National Provider Identifier - all covered entities except small health plans.
23-May-2008 National Provider Identifier - small health plans.
Compliance Timelines
Centers for Medicare & Medicaid Services (CMS)
• ASC X12 4010A1 to ASC X12 5010
• NCPDP 5.1 to NCPDP D.0
Dual use of existing standards permitted from March 17, 2009, until January 1, 2012.
Description: Deadline
Final rule was published: 16-Jan-2009
Effective Date of the regulation: 17-Mar-2009
Level I Compliance: 31-Dec-2010
Level II Compliance: 31-Dec-2011
Fully compliant: 1-Jan-2012
Compliance Timelines
The CMS Medicare Fee-for-Service Schedule
Description: Deadline
Level I: 1-Apr-10 thru 31-Dec-10
Level II: 1-Jan-11 thru 31-Dec-11
Fully compliant: 1-Jan-12
CMS has prepared a comparison of the current X12 HIPAA EDI standards (Version 4010/4010A1) with Version 5010 and the NCPDP EDI standards Version 5.1 to D.0. The 4010A1 Implementation Guides and the 5010 Technical Report 3 (TR3) documents served as reference materials during the preparation of the comparison Excel spreadsheets.
Penalties• Civil • Criminal
CIVIL Penalties
Under "General Penalty for Failure to Comply with Requirements and Standards" of Public Law 104-191, the Health Insurance Portability and Accountability Act of 1996, Section 1176 says that the Secretary can impose fines for noncompliance as high as $100 per offense, with a maximum of $25,000 per year on any person who violates a provision of this part.
CIVIL Penalties: Offenses (Monetary / Prison Time)
Single violation of a provision: $100 / N/A
Multiple violations of an identical requirement made during a calendar year: $25,000 / N/A
Multiple penalties for violating multiple provisions.
The Secretary may reduce the fine if a violation is not due to willful neglect and is corrected within 30 days.
CRIMINAL Penalties
For the wrongful disclosure of Individually Identifiable Health Information (IIHI)
Under SEC. 1177. OFFENSE.--A person who knowingly and in violation of this part--
• uses or causes to be used a unique health identifier,
• obtains Individually Identifiable Health Information relating to an individual, OR
• discloses Individually Identifiable Health Information to another person,
shall be punished as provided in subsection (b).
CRIMINAL Penalties: Offenses (Monetary / Prison Time)
Wrongful disclosure of Individually Identifiable Health Information: $50,000 or less / 1 yr or less
Wrongful disclosure of IIHI committed under false pretenses: $100,000 or less / 5 yrs or less
Wrongful disclosure of IIHI committed under false pretenses with intent to sell, transfer, or use IIHI for commercial advantage, personal gain, or malicious harm: $250,000 or less / 10 yrs or less
HIPAA Audits: HHS might ask a Covered Entity about:
1. Anti-virus software.
2. Computer patch management.
3. Creating, documenting and reviewing exception reports or logs: e.g., provide a list of examples of security violation logging and monitoring.
4. Electronically transmitting ePHI.
5. Emergency access to electronic information systems.
6. Employee violations (sanctions).
7. Establishing and terminating users' access to systems housing electronic patient health information (ePHI).
8. Establishing security access controls: e.g., what types of security access controls are currently implemented or installed in hospitals' databases that house ePHI data?
HIPAA Audits: HHS might ask a Covered Entity about:
9. Firewalls, routers and switches.
10. Inactive computer sessions (periods of inactivity).
11. Internet usage.
12. Maintenance and repairs of hardware, walls, doors, and locks in sensitive areas.
13. Monitoring systems and the network, including a listing of all network perimeter devices, e.g., firewalls and routers.
14. Network remote access.
15. Password and server configurations.
16. Physical access to electronic information systems and the facility in which they are housed.
HIPAA Audits: HHS might ask a Covered Entity about:
17. A list of antivirus servers installed, including their versions.
18. Preventing, detecting, containing and correcting security violations (incident reports).
19. Entity-wide security program plans (e.g., System Security Plan).
20. Organizational charts that include names and titles for the management information system and information system security departments.
21. The antivirus software used for desktop and other devices, including their versions.
22. Recording and examining activity in information systems that contain or use ePHI.
23. Terminating an electronic session and encrypting and decrypting ePHI.
HIPAA Audits: HHS might ask a Covered Entity about:
24. Transmitting ePHI.
25. Wireless security (transmission and usage).
26. All information systems that house ePHI data, as well as network diagrams, including all hardware and software that are used to collect, store, process or transmit ePHI.
27. Regularly reviewing records of information system activity, such as audit logs, access reports and security incident tracking reports.
28. Remote access activity, e.g., network infrastructure, platform, access servers, authentication, and encryption software.
29. Risk assessments and analyses of relevant information systems that house or process ePHI data.
30. All new hires.
31. All terminated employees.
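Several of the audit questions above fit together in one routine activity: the review of ePHI access logs (item 27, and the recording of activity in item 22) checked against the terminated-employee and authorized-user lists the checklist also asks for. As an added example, not code from the presentation or from Red Raven Productions, the following runs such a review over a handful of constructed log lines. The log format, the roster, the finding codes and the volume threshold are all assumptions made for this example; a real review would read the covered entity's own audit log format and HR feed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed ePHI access-log lines; not captured from any real system.
# Assumed line format: <ISO timestamp> <user id> <action> <patient record id>
SAMPLE_LOG = """\
2012-01-03T08:15:02 jdoe VIEW P-1001
2012-01-03T08:16:40 jdoe VIEW P-1002
2012-01-03T09:02:11 asmith VIEW P-2001
2012-01-03T09:30:00 bjones EXPORT P-3001
2012-01-03T11:45:09 unknown9 VIEW P-1003
2012-01-03T12:10:33 asmith VIEW P-2002
2012-01-03T12:11:05 asmith VIEW P-2003
2012-01-03T12:11:40 asmith VIEW P-2004
2012-01-03T12:12:00 asmith VIEW P-2005
"""

# Constructed roster joining two lists the audit asks for: users authorized to
# access ePHI, and terminated employees (value is the termination date, or None).
ROSTER = {
    "jdoe": None,
    "asmith": None,
    "bjones": datetime(2011, 12, 31),
}

# Assumed review threshold: more distinct patient records than this in one
# log extract is handed to a human reviewer to explain.
DISTINCT_RECORD_THRESHOLD = 4


def parse_log(text: str) -> list:
    """Parse log lines into dicts. Lines that do not have exactly four
    fields are skipped rather than guessed at."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, action, record = parts
        entries.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "record": record,
        })
    return entries


def review_access(entries: list, roster: dict, threshold: int) -> list:
    """Return (finding_code, user, detail) tuples for three conditions:
    a user absent from the roster, a terminated user acting after the
    termination date, and a user touching more distinct records than
    the threshold allows."""
    findings = []
    records_by_user = defaultdict(set)
    for e in entries:
        user = e["user"]
        records_by_user[user].add(e["record"])
        if user not in roster:
            findings.append(("UNKNOWN_USER", user,
                             f"{e['ts'].isoformat()} {e['action']} {e['record']}"))
            continue
        terminated = roster[user]
        if terminated is not None and e["ts"] > terminated:
            findings.append(("TERMINATED_USER", user,
                             f"{e['action']} on {e['ts'].date()} after termination on {terminated.date()}"))
    for user, records in records_by_user.items():
        if len(records) > threshold:
            findings.append(("HIGH_VOLUME", user, f"{len(records)} distinct patient records"))
    return findings


if __name__ == "__main__":
    for code, user, detail in review_access(parse_log(SAMPLE_LOG), ROSTER, DISTINCT_RECORD_THRESHOLD):
        print(f"{code:16} {user:10} {detail}")
```

The point an auditor is probing with items 22 and 27 is not whether logs exist but whether someone reads them against the access lists; the terminated-user and unknown-user checks are only possible because the roster from items 30, 31 and 33 is joined to the log.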
HIPAA Audits: HHS might ask a Covered Entity about:
32. All Primary Domain Controllers (PDC) and servers (including Unix, Apple, Linux and Windows): e.g., identify whether these servers are used for processing, maintaining, updating, and sorting ePHI.
33. All users with access to ePHI data: e.g., identify each user's access rights and privileges.
34. Authentication approaches used to verify a person has been authorized for specific access privileges to information and information systems.
35. Authentication methods used to identify users authorized to access ePHI.
36. Database security requirements and settings.
37. Encryption mechanisms used for ePHI.
HIPAA Audits: HHS might ask a Covered Entity about:
38. Outsourced individuals and contractors with access to ePHI data, if applicable: e.g., include a copy of the contract for these individuals.
39. Software used to manage and control access to the Internet.
40. Systems administrators, backup operators and users.
41. Transmission methods used to transmit ePHI over an electronic communications network.
42. Users with remote access capabilities.
Thomas Edison
REFERENCES
• American Dental Association: www.ada.org
• American Medical Association: www.ama-assn.org
• ANSI Accredited Standards Committee (ASC) X12: www.X12.org
• Centers for Medicare and Medicaid Services (CMS): www.cms.hhs.gov
• Dept. of Health & Human Services (HHS): www.hhs.gov
• Health Level Seven (HL7): www.hl7.org
• National Committee on Vital and Health Statistics (NCVHS): www.ncvhs.hhs.gov
• National Council for Prescription Drug Programs (NCPDP): www.ncpdp.org
• National Uniform Billing Committee (NUBC): www.nubc.org
• National Uniform Claim Committee (NUCC): www.nucc.org
• Washington Publishing Company (WPC): www.wpc-edi.com
• Workgroup for Electronic Data Interchange (WEDI): www.wedi.org
CREDITS
Thomas Dwyer, CHPSP: Author, Director, Editor, Presenter
Sandra Remis, M.A.: Editor
Dr. Ariel Schrodt: Video Director
CANTV.org
Copyright 2010-2012 - Red Raven Productions
Tom Dwyer, January 1, 2012