HIPAA 101: Overview An Introduction to the HIPAA Regulations.

Date post: 18-Dec-2015
Page 1

HIPAA 101: Overview

An Introduction to the HIPAA Regulations

Page 2

Presentation Agenda

At the end of this presentation, you should:

– Know what HIPAA is and where it came from

– Know why we should care about it

– Have a basic understanding of the HIPAA standards and their impact on the culture of the organization

– Know what your biggest challenges will be

– Know your role in HIPAA compliance

Page 3

What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act

It was originally intended to support:

– The portability of health insurance

– Improved fraud and abuse protections

The Administrative Simplification provisions were added to lower administrative health care costs by conducting more business electronically

Page 4

HIPAA

Title I: Health insurance access, portability and renewal

Title II: Fraud and Abuse; Medical Liability Reform; Administrative Simplification

Title III: Medical Savings Accounts; Tax deduction provisions

Title IV: Group health plan provisions

Title V: Revenue offset provisions

Administrative Simplification (Title II) consists of:

– Electronic Transaction Standards (EDI): for 9 key payor transactions; includes clinical code sets; includes key identifiers

– Security Standards: for protecting electronic health information

– Privacy Standards: to spell out permissible uses of patient identifiable healthcare information

Page 5

Background: Where Did HIPAA Come From?

Page 6

Cost Concerns

The U.S. spends about $400 billion each year on administrative services related to health care

The Congress estimated that approximately $87 billion could be saved annually if administrative efficiencies could be improved by:

– Requiring more health care transactions to be conducted electronically, which would reduce paperwork, and

– Standardizing health care transactions

Page 7

Privacy Concerns

As more business is conducted electronically, it becomes more difficult to protect the privacy of the data

– A Wall Street Journal/ABC poll on September 16, 1999 revealed that the greatest concern of Americans in this century is the loss of personal privacy.

– The increasing availability of information on the Internet adds to people’s fears

– The case of Arthur Ashe

– The case of Robert Bork

– The inappropriate use of DNA is a growing concern

Page 8

Breaches of Patient Privacy

These sample published accounts of privacy breaches are only a fraction of all cases.

– A bank accesses records and calls in loans of cancer patients

– A medical student sells “promising” cases to a malpractice lawyer

– A hospital ED employee shares patient information with an ambulance chaser for financial gain

Page 9

Why Should You Care About HIPAA?

Page 10

Why should you care about HIPAA?

First Reason: HIPAA is the law

Second Reason: all indications are that HIPAA regulations will be incorporated into existing accreditation standards and annual audit procedures.

Third Reason: Many of the HIPAA regulations make good common business sense.

Every employee will be impacted by HIPAA

Page 11

How Does HIPAA Benefit Hospitals?

– It reduces paperwork

– The accuracy of documentation is improved

– It could reduce the turnaround time for getting claims paid

Page 12

Banking Has Led the Way

During the 1970s, the banking industry led the way in standardizing financial transactions.

Standardization enables us to use our credit cards, make withdrawals and deposit money to our bank accounts all over the world.

Page 13

HIPAA Standards for Electronic Transactions

Page 14

HIPAA: The Electronic Transaction Standards

Standards were developed for nine administrative and financial transactions (such as healthcare claims, claims payment, eligibility determination) to accomplish the following:

– Require payers to accept those electronic transactions for health care services in a standardized format

– Establish standard codes to be used for those electronic transactions

– Develop universal identifiers for health care providers, employers and individuals

Page 15

HIPAA Privacy and Security Standards

Page 16

Privacy vs. Security

First: some definitions -

Privacy: rules governing use and disclosure of data (how can patient information be used)

Security: mechanisms for protecting access to systems and data (preventing unauthorized individuals from gaining access)

Page 17

HIPAA Privacy Standards

Page 18

Protected Health Information

The privacy standards were developed to limit the ways in which information that can be used to identify an individual can be used or disclosed

Protected health information is individually identifiable health information that is maintained or transmitted electronically, or in any other form or medium

That means that information transmitted orally is protected, as well as information that is maintained or transmitted electronically or on paper

Page 19

Approach to Privacy Rule

In developing the final Privacy Rule, the Department of Health and Human Services:

– Sought to create a balance between the patient’s right to information privacy and the public’s responsibility to provide health care services

– Established accountability for breaches of privacy and delegated responsibility to the Department’s Office for Civil Rights for enforcement

– Developed penalties for individuals who violate the Privacy Rule

Page 20

The Bottom Line

Civil monetary and criminal penalties:

– Failure to comply with transaction standards: $100 per person, per transaction, up to an annual maximum of $25,000

– If knowingly providing information: $50,000 and/or up to 1 year imprisonment

– Under false pretenses: $100,000 and/or up to 5 years imprisonment

– Intent to sell, transfer, or use health information for commercial advantage, personal gain, or malicious harm: $250,000 and/or up to 10 years imprisonment

Every employee is at risk

Page 21

Privacy Regulations Provide Consumer Control over Health Information

The hospital is required to give patients a clear written explanation of how they can use, keep, and disclose their health information. This is called a Notice of Privacy Practices, and the regulations identify specific information that it must contain.

While patients cannot alter the existing content of their medical records, they do have the right to request that the hospital amend their records, by adding information to those records.

The hospital may refuse that request if, among other things, it determines that the information in dispute is accurate and complete.

Page 22

Boundaries on Medical Information Use

Protected health information can be used without patient consent only for purposes of treatment, payment and health care operations.

Disclosures for any other reason require a written authorization from the patient.

Patients will be able to revoke an authorization (but not retroactively)

Disclosures of information must be limited to the minimum necessary for the purpose of the disclosure.

Page 23

Other Allowable Disclosures

Covered entities may disclose some information without consent, for example:

– Oversight of the health care system, including quality assurance activities

– Public health

– Emergency circumstances

– For facility patient directories

– For activities related to national defense and security

Page 24

Administrative Requirements

Covered entities must:

– Designate a privacy official with responsibility to develop and implement privacy policies and procedures, and address patient complaints.

– Implement policies and procedures with respect to protected health information. Must also keep P&Ps and patient notices updated with changes in the law.

– Train all members of the workforce on those P&Ps before April 14, 2003

– Document and apply sanctions to members of its own workforce for privacy breaches.

– Mitigate any harmful effects.

– Establish written contracts with business associates who perform or assist in the performance of a function or activity on behalf of a covered entity involving the use or disclosure of protected health information

Page 25

DHHS Privacy Guidelines

HHS has issued two guidance documents on the patient privacy rule answering common questions and clarifying key areas of confusion. For example:

– Pharmacies need not obtain a patient’s consent before allowing a friend or relative to pick up a prescription

– Hospitals need not remove medical charts from patients’ bedsides, isolate x-ray light boards or be retrofitted with soundproof walls

– In general, common sense and practicality win out over a strict interpretation of the rule

Page 26

DHHS Privacy Guidelines

The Privacy Rule states that the regulations are scalable, and that covered entities should do what is reasonable to implement them, considering the size and resources available to the organization

Page 27

HIPAA Security Standard

Page 28

Security Standards

The standards require covered entities to “maintain reasonable and appropriate administrative, technical, and physical safeguards”

The HIPAA security standards are organized into four categories:

– Administrative procedures to ensure that threats or violations can be prevented, detected and resolved (security training, hiring practices, system audits)

– Physical safeguards to protect PHI from fire, disaster and unauthorized access (locks, keys, storage protection)

– Technical security services to control and monitor access (passwords, audit trails, automatic logoff)

– Network security to protect against unauthorized access to data transmitted over a network (encryption, detection systems)

Standards were also proposed for electronic signatures, but will now be released under a separate rule
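The technical safeguards the slide names (access control, audit trails, automatic logoff) and the Privacy Rule's minimum-necessary principle from the earlier slides are easier to see working together in a small model. The following Python is an added example written for this page; it is not code from the presentation, the hospital, or HHS. The three purposes, the field lists in MINIMUM_NECESSARY, the 15-minute idle threshold, the timestamps and the sample record are all assumptions constructed for the demonstration, not values taken from the HIPAA rule.

```python
"""Added illustration (not from the slide deck): a small model of three
technical safeguards named on the Security Standards slide -- access limited
to the minimum necessary for a stated purpose, an audit trail of every
attempt, and automatic logoff of idle sessions. Policy values are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample record for the example; no real patient data.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Sample Patient",
    "diagnosis": "example diagnosis",
    "medications": ["example-med"],
    "insurance_id": "INS-00000",
    "billing_codes": ["00000"],
}

# Assumed minimum-necessary policy: the fields each permitted purpose may see.
# Treatment, payment and operations are the purposes the deck says need no
# separate authorization; any other purpose is refused by this model.
MINIMUM_NECESSARY = {
    "treatment": {"patient_id", "name", "diagnosis", "medications"},
    "payment": {"patient_id", "name", "insurance_id", "billing_codes"},
    "operations": {"patient_id", "diagnosis", "billing_codes"},
}

IDLE_TIMEOUT = timedelta(minutes=15)  # assumed automatic-logoff threshold


class AccessDenied(Exception):
    """Raised when a request is refused; the refusal is still audited."""


@dataclass
class Session:
    user: str
    last_activity: datetime


@dataclass
class PHIStore:
    records: dict
    audit_log: list = field(default_factory=list)

    def access(self, session: Session, patient_id: str, purpose: str, now: datetime) -> dict:
        """Return only the fields the purpose needs, logging every attempt."""
        # Automatic logoff: an idle session is refused before any data is read.
        if now - session.last_activity > IDLE_TIMEOUT:
            self._audit(session.user, patient_id, purpose, now, "denied: idle session logged off")
            raise AccessDenied("session expired by automatic logoff")
        session.last_activity = now

        allowed = MINIMUM_NECESSARY.get(purpose)
        if allowed is None:
            self._audit(session.user, patient_id, purpose, now, "denied: purpose needs written authorization")
            raise AccessDenied(f"purpose {purpose!r} requires a patient authorization")

        record = self.records[patient_id]
        # Minimum necessary: strip every field the stated purpose does not need.
        disclosed = {k: v for k, v in record.items() if k in allowed}
        self._audit(session.user, patient_id, purpose, now, f"disclosed {sorted(disclosed)}")
        return disclosed

    def _audit(self, user, patient_id, purpose, when, outcome):
        # Audit trail entry: who, which record, stated purpose, when, and result.
        self.audit_log.append({"user": user, "patient_id": patient_id, "purpose": purpose,
                               "when": when.isoformat(), "outcome": outcome})


def run_demo() -> dict:
    """Exercise the three safeguards and return the outcomes for inspection."""
    store = PHIStore(records={"P-0001": SAMPLE_RECORD})
    t0 = datetime(2003, 4, 14, 9, 0)  # constructed timestamp
    nurse = Session("nurse01", t0)
    clerk = Session("clerk02", t0)

    treatment_view = store.access(nurse, "P-0001", "treatment", t0 + timedelta(minutes=5))
    outcomes = {"treatment_fields": sorted(treatment_view)}
    try:  # a purpose outside treatment/payment/operations is refused
        store.access(nurse, "P-0001", "marketing", t0 + timedelta(minutes=6))
        outcomes["marketing"] = "allowed"
    except AccessDenied as exc:
        outcomes["marketing"] = str(exc)
    try:  # the clerk's session has been idle for 30 minutes
        store.access(clerk, "P-0001", "payment", t0 + timedelta(minutes=30))
        outcomes["idle_clerk"] = "allowed"
    except AccessDenied as exc:
        outcomes["idle_clerk"] = str(exc)
    outcomes["audit_entries"] = len(store.audit_log)
    return outcomes


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Note that refusals are written to the audit trail as well as successful disclosures; a review of the log is only useful for spotting misuse if attempts that were blocked are recorded too.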

Page 29

HIPAA Implementation Update

What’s the Current Status of HIPAA?

Page 30

Deadline

Covered Entities must be in compliance by (deadline for compliance: 2002/2003):

• October 16, 2002 / 2003 - EDI transaction standards

• April 14, 2003 - Privacy standards

Other final rules are expected to be released throughout 2002

Page 31

The Biggest Challenges Will Be:

Developing policies and procedures for privacy

Documenting compliance with your P&Ps

Modifying the culture to comply with HIPAA

Page 32

Your Greatest Risk Exposure Will Be:

Disgruntled patients who feel that the privacy of their personal health information has been compromised

Page 33

Your Role in HIPAA Compliance

– Make every reasonable effort to protect the privacy of our patients’ health information

– Report any concern about suspected violations of patient privacy to the hospital Privacy Officer

Page 34

Questions

Page 35

Post-Test - Questions

The hospital may use the patient’s health information for whatever purposes that it deems necessary. True_____ False_____

Patients have the right to alter information contained in their medical records under HIPAA. True_____ False_____

All clinical staff may have access to any patient records under HIPAA. True_____ False_____

All employees within the hospital system will be impacted by HIPAA. True_____ False_____

Hospital employees can be individually penalized for violating the confidentiality of patient information. True_____ False_____

Page 36

Post-Test - Answers

The hospital may use the patient’s health information for the purposes that it deems necessary. True_____ False__X__ The hospital may use the patient’s health information for treatment, payment and hospital operations only, unless a separate, specific purpose authorization is signed.

Patients have the right to alter information contained in their medical records under HIPAA. True_____ False__X__ Patients have the right to request that their records be amended, by adding to them.

All clinical staff may have access to patient records under HIPAA. True_____ False__X__ Disclosures of information must be limited to the minimum necessary for the purpose of the disclosure.

All employees within the hospital system will be impacted by HIPAA. True__X__ False_____

Hospital employees can be individually penalized for violating the confidentiality of patient information. True__X__ False_____ See slide #24 for penalties
