Todd Frech
Ocius Medical Informatics
6650 Rivers Ave, Suite 137
North Charleston, SC 29406
843-576-1426
http://www.ocius.biz
Health Insurance Portability and Accountability Act
General Overview for Software Vendors
Background
• Originally proposed in 1996 as part of a comprehensive set of reforms targeting health insurance
• Administrative Simplification section created in response to the commercialization of health information and the potential for abuse with the increased use of electronic systems
• Prior to HIPAA, there were no federal regulations to govern the use of personal health information (PHI)
Some Significant Abuses
• Marketing
• Employment screening
• Inappropriate release of private information
Legislative Authority
• Department of Health and Human Services
  – Defines requirements
  – Educates and inspects (Office of Civil Rights)
  – Fines for minor offences
• Department of Justice
  – Criminal prosecution
What is HIPAA?
• Four components
  – Transaction Standards
  – Privacy Regulations
  – Security Regulations
  – National Provider ID
• Regulation of individually identifiable health information
What is HIPAA?
• Covers electronic systems
  – Billing
  – EMR
  – Scheduling
• Impacts
  – Health plans
  – Health care providers
  – Health care clearing houses
HIPAA’s Goals
• Reduce administrative burdens
• Protect the privacy of individually identifiable health information
• Ensure the security, integrity and availability of health information
Transaction Standards
• Creates standard transaction sets for communicating health information via electronic interfaces
• Creates a standard definition of data elements
• Impacts billing, enrollment, disenrollment and authorization transactions
• Final rule published in August 2000
• Requires implementation within 24 months
Privacy Standards
• Requires a covered entity to make a reasonable effort to obtain a patient’s permission to use their PHI for Treatment, Payment and Healthcare Operations (TPO)
• Requires a covered entity to obtain a patient’s permission for any non-TPO use of health information
• Defines the approved uses of health information
• Defines the process for gaining approval
• Gives patients the right to dispute information in their health records
• Defines the process for patient disputes
Security Standards
• Regulate integrity, confidentiality, unauthorized access, and availability
• Five components:
  – Administrative procedures
  – Physical safeguards
  – Technical security services
  – Technical security for networks
  – Electronic signature
Impact on Software Vendors
• Transaction Standards
  – Implementation by 10/2004
  – Standard data elements and transaction formats
• Privacy Standards
  – Implementation by 4/2003
  – Minimal impact on software vendors
• Security Standards
  – No implementation date (12 months from final rule date)
  – Largest impact on software vendors
Operational Issues
• Legal requirements
  – Business Associate Agreements
• Changes to policies and procedures
  – System access
  – Training
• Software enhancements
  – Audit
  – Security
Client Issues
• Interpretation and implementation of three standards in a short period of time
• Developing appropriate policies and procedures
• Training, training, training
Regulatory Issues
• Enforcement
  – Office of Civil Rights
  – Department of Justice
• Fines and penalties
  – Monetary fines for inappropriate disclosure of PHI
  – Potential jail time for willful misuse of PHI
Risks and Opportunities
• Timeline for implementation of security requirements
• Client focus during the implementation process
• Development of new policies and procedures
• Additional or upgraded network infrastructure
Got Questions?