HIPAA Administrative Simplification and Nebraska SNIP (Strategic National Implementation Process)
HIPAA
Law & Intent
Who is affected
Standards
Current issues to track
Implementation Process (SNIP)
Additional resources
HIPAA Administrative Simplification Law
Health Insurance Portability and Accountability Act of 1996 – HIPAA
H.R. 3103 – Kassebaum/Kennedy Bill
Title II – Subtitle F – Administrative Simplification
Signed into Law August 21, 1996
Public Law 104-191
Part C of Title XI of Social Security Act
Intent of HIPAA
Reduce the costs and administrative burdens of healthcare with standardized, electronic transmission of many administrative and financial transactions.
Protect the security and confidentiality of electronic health information.
Enable individuals to control their own health information.
Who is affected by HIPAA?
Providers
Health Plans
Employers acting as Self Insured Groups
Payers
Third Party Administrators
Clearinghouses
All trading partners of above
HIPAA Standards
Transactions & Code Sets
Privacy
Security
Identifiers
Transactions and Code Sets Standards
Final Rule Published in August 17, 2000 Federal Register
Compliance is required by October 16, 2002 (October 16, 2003 by small health plans)
NDC code retraction
On May 29, 2001, Tommy Thompson retracted the standard of using NDCs on institutional and professional claims.
Transaction standards
Data Element
Required vs. Conditional
Formats
Codes
Values
Transaction Sets
X12 Version 4010
Claim - 837
Payment/Remit - 835
Claim Status - 276/277
Eligibility - 270/271
Referral - 278
Enrollment & benefits Maintenance - 834
Premium Payments - 820
Claims Attachments - 275*
First Report of Injury - 148*
NCPDP
* expected later...
Code sets Standards
Service & Diagnosis Codes
ICD-9-CM Volumes I, II & III
CPT-4
HCPCS
CDT
NDC
No Local Codes will be allowed
Information Between Health Plans
Coordination of Benefits
Claims Processing
Is a provider required to send claims electronically?
No, but if you do, they have to be HIPAA compliant.
You can use a clearinghouse to handle the translation of the data from your current form into HIPAA-compliant form.
Failure to Comply with Transactions Standards
Penalty | Jail Time | Offense
$100 | None | Single violation of a provision
Up to $25k | None | Multiple violations of an identical requirement or prohibition made during a calendar year
Privacy Standards
Final Rule Published in December 28, 2000 Federal Register
Compliance is required by April 14, 2003 (April 14, 2004 by small health plans)
OCR issued guidance on July 6, 2001
Additional guidelines are expected
Privacy
Summary of Privacy regulation:
Consumer Control over Health Information
Use and Disclosure Boundaries
Ensure the Security of Protected Health Information
Establish Accountability for Use and Release
Balancing Public Responsibility with Privacy Protections
Preserving Existing, Strong State Confidentiality Laws
Definitions
Privacy is what happens to information after the appropriate person has it (I only use the data for the agreed purpose)
Confidentiality is the control of the information at all times, providing ‘need to know’ access to only those appropriate
Security is the enforcement and protection afforded information under both conditions
Consumer Control over Health Information
Notice of Privacy Practice
Patient access to their health records and right to amend
Patient consent before information is released
Recourse if privacy protections are violated
Accounting for release of health information
Use and Disclosure Boundaries
Ensuring that health information is not used for non-health purposes
Providing the minimum amount of information necessary
Ensure the Security of Protected Health Information
Adopt written privacy procedures
Train employees on privacy
Designate a privacy officer
Establish Accountability for Protected Health Information
Penalty | Jail Time | Offense
Up to $50k | Up to 1 year | Wrongful disclosure of individually identifiable health information
Up to $100k | Up to 5 years | Wrongful disclosure of individually identifiable health info committed under false pretenses
Up to $250k | Up to 10 years | Wrongful disclosure of individually identifiable health information committed under false pretenses with intent to sell, transfer or use for commercial advantage, personal gain or malicious harm.
Balancing Public Responsibility with Privacy Protections
In limited circumstances, the final rule permits, but does not require, covered entities to continue existing disclosures of health information for specific public responsibilities without individual authorization.
Preserving Existing, Strong State Confidentiality Laws
National "floor" of privacy standards that protects all Americans, but in some states individuals enjoy additional protection.
Stronger state laws (like those covering mental health, HIV infection, and AIDS information) continue to apply.
Security Standards
Proposed Rule Published in August 12, 1998 Federal Register
Final Rule expected this year
Security
The security standard is a set of requirements with implementation features that providers, plans, and clearinghouses must include in their operations to assure that electronic health information pertaining to an individual remains secure.
The standard does not reference or advocate specific technology.
The standard does not address the extent to which a particular entity should implement the specific features.
Individual security requirements and which technology to use are business decisions that each organization must make.
HIPAA IS TECHNOLOGY NEUTRAL
Security
Best Security is what we can do ourselves
75% of security breaches happen inside.
Security
Administrative Procedures
Physical Safeguards
Technical Data Security
Technical Security Mechanisms
Administrative Procedures
Certification
Chain of Trust agreement
Contingency Plan
Formal Mechanism for Processing Records
Information Access Control
Internal Audit
Administrative Procedures
Personnel Security
Security Configuration Management
Security Incident Procedures
Security Management Process
Termination Procedures
Training
Physical Safeguards
Assigned Security Responsibility
Media Controls
Physical Access Controls
Policy/Guideline on Workstation Use
Secure Workstation Location
Security Awareness Training
Technical Data Security
Access Control
Audit Controls
Authorization Controls
Data Authentication
Entity Authentication
Technical Security Mechanisms
Integrity controls
Message authentication
Access controls or Encryption
Entity authentication
Event reporting
Technical Security Mechanisms
In addition, if using a network for communications, the following implementation features would be in place:
Alarm
Audit trail
Entity authentication
Event reporting
Electronic Signature
Digital Signature - Optional, but if used:
Nonrepudiation
User Authentication
Message integrity
Unique Health Identifiers
Provider - Will not replace TIN; will eventually replace the UPIN
Employer - Will be TIN
Health Plan - may include Sub ID
Patient - still under discussion
Status of Identifiers
National Provider Proposed Rule Published in May 7, 1998 Federal Register
National Employer Proposed Rule Published in June 16, 1998 Federal Register
Final Rules???
Status of Identifiers
Movement on this portion of HIPAA has not occurred
Focus is on implementation of standards for data and on final privacy and security regulations
Current Issues To Track
Federal legislation
H.R. 1975 and S. 836 are in the House and Senate to delay HIPAA’s administrative simplification provisions.
Some members of Congress are considering overturning the privacy rule
Case constitutionally challenging HIPAA
SC Medical Assoc, Physicians Care Network, LA State Medical Society vs. US Dept of Health and Human Services
AAPS vs. US Dept of Health and Human Services
Current Issues To Track
Final rule on health data security
Due out this year – HHS must ensure the final security rule is compatible with the final privacy rule – published in late 2000 (and likely to undergo some changes)
Additional Guidance on Privacy Standards
Additional code changes as implementation progresses
NOW WHAT???
Where do I go from here ???
Compliance with HIPAA Administrative Simplification
Nebraska SNIP (Strategic National Implementation Process)
Why collaborate?
Implementing HIPAA requires coordination and collaboration among trading partners
There is no competitive advantage to be ‘HIPAA Ready’, if your trading partners aren’t ready
Collaboration and coordination will limit costly implementation efforts
Avoid the ‘re-inventing the wheel all over again’ syndrome
Why collaborate?
Standards are dependent on consistent policies, practices and technology among business partners
Actions of a business partner may generate liabilities for one’s own organization
Sloppy planning and inefficient implementation will be costly to everyone
Key Elements for Collaborative Environment
Trust
Commitment
Clear Vision
Trust
Joint ownership
Joint accountability
No dominant player
Balanced interests
No hidden agendas
Neutral meeting ground
Commitment
NE Health and Human Services System
Key providers
Leading health plans/payers
Trade associations & societies
Key vendors
Clear Vision
Use HIPAA as an opportunity to redesign business process
Remember patient rights in process
Improve efficiency of healthcare through information technology
Regional Approaches
Implementation will occur locally
Healthcare crosses local political and business boundaries
National coordination and guidance will be exceedingly helpful
Nebraska SNIP Formation
Blue Cross and Blue Shield of Nebraska
Health Data Management
Mutual of Omaha
NE Assn of Hospitals and Health Systems
NE Health and Human Services System
NE Medical Association
Nebraska SNIP
…is a collaborative healthcare industry-wide process resulting in the implementation of standards and furthering the development and implementation of future standards.
Nebraska SNIP
Promote general healthcare industry readiness to implement HIPAA standards.
Identify education and general awareness opportunities for the healthcare industry to utilize.
Recommend an implementation time frame for each component of HIPAA for each stakeholder and identify the best migration paths for trading partners.
Nebraska SNIP
Establish opportunities for collaboration, compile industry input, and document the industry “best practices”.
Identify resolution or next steps where there are interpretation issues or ambiguities within HIPAA standards.
Serve as a resource for the healthcare industry when resolving issues arising from HIPAA implementation.
Nebraska SNIP Approach
Facilitate planning among:
Providers
Health Plans
State Government
Vendors
Trade associations and professional societies playing a key role.
NE SNIP Steering Committee
Goal: Develop overall strategy for addressing HIPAA compliance in an orderly & effective manner
Defined Work Groups:
Transactions, Codes and Identifiers
Privacy
Security
Awareness, Education and Training
Transactions, Codes and Identifiers Work Group
Goal: Develop consensus on sequence and timing for implementation of transactions & codes
Activities:
Issue and publicize Target Date Guidelines
Build critical mass of providers, health plans, clearinghouses, vendors and gov’t agencies for transaction testing
Privacy Work Group
Goal: Understand impact of final regulations
Activities:
Develop working knowledge of Privacy regulations and impact
Determine organization’s current level of HIPAA privacy compliance
Develop gap analysis, checklists, and guidelines for policies & procedures to implement Privacy Standards
Security Work Group
Goals: Understand HIPAA requirements for security of data and communications
Activities:
Investigate secure transaction & interoperability among trading partners
Develop self-assessment checklist / tool to determine organization’s current level of HIPAA security compliance - gap analysis
Awareness, Education & Training Work Group
Goals:
Develop programs to share HIPAA information.
Collaborate with professional groups and agencies to promote and deliver programs.
Activities:
Survey to determine awareness and readiness.
Leverage current planned activity in NE
Develop Nebraska SNIP communication and information sharing
Steering Committee Contacts
Brenda Block
Health Data Management Corp.
402-965-8158 [email protected]
Kevin Conway
NE Assn of Hospitals & Health Systems
402-458-4910, [email protected]
Transactions, Code Sets & Identifiers Contacts
Don Butler
Blue Cross and Blue Shield of Nebraska
402-398-3843, [email protected]
Privacy Contacts
Lori Umberger, RN, BSN
Creighton Cardiac Center
402-280-4603, [email protected]
Kathleen Zeitz
Methodist Health System
402-354-2174, [email protected]
Security Contacts
Susan Heider
Regional West Medical Center
308-635-3711, [email protected]
Sue Huenniger
Mutual of Omaha
402-351-8622, [email protected]
Awareness, Education and Training Contacts
Brenda L. Block
Health Data Management Corp.
402-965-8158, [email protected]
Rick Hain
BryanLGH Medical Center
402-481-8521, [email protected]
NESNIPAWARENESS @yahoogroups.com
NESNIPAWARENESS [email protected]
Nebraska SNIP Activities
First Meeting March 15, 2001
HIPAA background
Other regional efforts
NE SNIP mission
NE SNIP organization
Next NE SNIP Meeting
Next NE SNIP Meeting
September 18, 2001, Kearney
Work Group and sub group meetings
Additional HIPAA Resources
Health Insurance Portability and Accountability Act of 1996, Public law 104-191, 104th Congress, August 21, 1996: aspe.hhs.gov/admnsimp/pl104191.htm
Department of Health and Human Services, Administrative Simplification: aspe.hhs.gov/admnsimp/index.htm
Centers For Medicare and Medicaid Services (HCFA): www.hcfa.gov/hipaa/hipaahm.htm
HCFA fact sheet on HIPAA’s provisions: www.hcfa.gov/facts/f9702as.htm
HIPAA Security Accreditation information: www.ehnac.org/securityaccreditation/default.html
HIPAA Resources cont...
Workgroup for Electronic Data Interchange: www.wedi.org/
Washington Publishing Company, ANSI, ASC and X12N HIPAA Implementation Guides: www.wpc-edi.com/hipaa
Data Interchange Standards Association (DISA): www.disa.org/
Designated Standard Maintenance Organization (DSMO): www.hipaa-dsmo.org
ANSI X12 Committee: www.x12.org
HIPAA Resources cont...
HIPAA Comply - security and privacy compliance: www.hipaacomply.com
Welcome to HIPAA Directory.com: www.hipaadirectory.com
HHS Office of Civil Rights: www.hhs.gov/ocr/hipaa/
Nebraska SNIP: www.nesnip.org