TRANSCRIPT
The Health Insurance Portability and Accountability Act (HIPAA) and Strategies for Implementation in a Government Healthcare Organization

Agenda
Overview of HIPAA
• ETCS
• ASCA
• Identifiers
• Privacy
• Security
Implementation Strategies
• Challenges
• Impacts of HIPAA on VHA
• Implementation Organizational Structure
• Successes
Questions

Overview of HIPAA: VHA's Focus
HIPAA: Health Insurance Portability and Accountability Act of 1996
[Diagram: the five titles of HIPAA]
• Title I: Insurance Portability
• Title II: Fraud and Abuse; Medical Liability Reform; Administrative Simplification
  - Privacy
  - Security
  - EDI: Transactions, Code Sets, Identifiers
• Title III: Tax Related Health Provision
• Title IV: Group Health Plan Requirements
• Title V: Revenue Off-sets

Status of HIPAA in Rulemaking Process
Electronic Transactions and Code Sets Standards
• Transactions & Code Sets: Proposed released 5/1998; Final 8/2000
• ETCS Addenda: Proposed 5/2002; Final 2/2003
• Provider ID: Proposed released 5/1998; Final not yet published
• Employer ID: Proposed released 6/1998; Final 5/2002
• Payer ID: Proposed not yet released; Final not yet published
• Patient ID: Proposed not yet released; Final on hold
Security Standards
• Proposed released 8/1998; Final Rule 2/2003
Privacy Standards
• Proposed: No action by Congress; first regulation released 11/1999; proposed mods (Privacy of IIHI) 3/2002
• Final: First Final Rule 12/2000; Second Final Rule on Modifications released 8/2002

Who Complies With HIPAA?
Covered Entity
• Providers
• Plans
• Clearinghouses
Requirements
• Scope – All of Health Care
• Specific to Structure of entity
• Different for each covered entity
• Different for each area of HIPAA
• Includes Business Associates
Deadlines
• Different for each area of HIPAA
• Privacy – April 14, 2003
• Standard Transactions and Code Sets – October 15, 2003

HIPAA EDI Standards

HIPAA: The EDI Standards
Transaction standards:
• Enrollment/Dis-enrollment: ASC X12N 834
• Eligibility request and response: ASC X12N 270/271
• Claims: ASC X12N 837
  - Institutional
  - Professional
  - Dental
• Claims – Pharmacy: ASC NCPDP v 5.1
• Claim status: ASC X12N 276/277
• Referral and authorization: ASC X12N 278
• Payment and remittance advice: ASC X12N 835
• Premium payment: ASC X12N 820
Though a standard for Claims Attachments has not yet been announced, it is expected to be: ASC X12N 277+275 + HL7

HIPAA: The EDI Standards
Clinical Data Code Sets Standards:
• ICD-9 for diseases (CMS formerly HCFA)
• CPT-4 for services and procedures (AMA)
• HCPCS for medical equipment, injectable drugs, and transportation services (AMA)
• CDT-3 for dental services (ADA)
• NDC for prescription drugs (For retail only)
These apply only to the administrative and financial electronic transactions

ASCA: The 6-Months Extension
Congress has approved, through the Administrative Simplification Compliance Act, an extension to the HIPAA ETCS deadline for organizations that need additional time to comply with HIPAA.
• The organization must submit a request for the extension prior to October 15, 2002; VHA filed timely
• To file, the organization must have a plan in place to become compliant with HIPAA by October 2003
• Must begin testing by April 2003 . . . translates to a 6-mos extension
• The extension does not affect the deadline for other areas of the legislation (i.e., Privacy)
• ASCA prohibits payment of Medicare claims not submitted electronically

Key EDI Initiatives
• Payor ETCS for payor functions
  - Ability to receive all required transactions
• Provider ETCS for VA medical centers
  - e-Claims transactions
  - e-Payment transactions
  - e-Insurance Identification & Verification
  - e-Status Messaging
  - e-Medicare Remittance Advice
• Special Government Agency Issues
  - Other laws dictate how VA does business
  - Relationship with Department of Treasury

HIPAA Standard Identifiers

HIPAA: Standard Identifiers
Universal Identifier Standards:
• Health Care Providers (NPI - National Provider Identifier)
  - Originally proposed to be a 10-digit numeric identifier with a check digit, though some modifications already expected
• Employers (EIN - Employer Identification Number) – Final Rule designates the nine-digit IRS Taxpayer Identification Number
• Health Plans (HealthPlanID) - Identifier yet to be announced
• Individuals (UHID) - Currently on hold; hotly debated
Use of these identifiers technically applies only to the administrative and financial electronic transactions

HIPAA Privacy Rule

HIPAA: The Privacy Rule
The Privacy Rule:
• Extends coverage to electronic, paper-based and orally communicated information
• Allows health information to be used and shared for treatment, payment and health care operations
• Supports disclosure under defined circumstances for certain national priority purposes such as research, public health, law enforcement and oversight
• Requires patient authorization for use and disclosure of health information for purposes other than treatment, payment or health care operations
• Gives consumers greater access to and control over their health information
• Requires organizations to establish and maintain safeguards for protecting the confidentiality and integrity of health information and protect against unauthorized access of this information

HIPAA: The Privacy Rule
The Bottom Line:
• Compliance will be required by April 14, 2003
• Civil monetary and criminal penalties apply:
  - If knowingly providing information: $50,000 and/or up to 1 year imprisonment
  - Under false pretenses: $100,000 and/or up to 5 years imprisonment
  - Intent to sell, transfer, or use health information for commercial advantage, personal gain, or malicious harm: $250,000 and/or up to 10 years imprisonment
• At the present time there is no indication of when enforcement will be effective and how enforcement will be conducted
  - A separate Enforcement Rule is being drafted
• Office of Civil Rights has been given responsibility for enforcement

HIPAA: The Privacy Rule
Rule areas: General Rules & Information; Uses and Disclosures; Requirements; Notice; Patient's Rights; Administration
§164.502 Uses and disclosures of protected health information: General Rules
§164.504 Uses and disclosures: Organizational Requirements
§164.506 Uses and disclosures to carry out treatment, payment or healthcare operations
§164.508 Uses and disclosures for which an authorization is required
§164.510 Uses and disclosures requiring an opportunity for the individual to agree or object
§164.512 Uses and disclosures for which an authorization or opportunity to agree or object is not required
§164.514 Uses and disclosures of protected health information: Other requirements
§164.520 Notice of privacy practices for protected health information
§164.522 Patient's Rights: Right to request privacy protection for protected health information
§164.524 Patient's Rights: Access of individuals to protected health information
§164.526 Patient's Rights: Amendment of protected health information
§164.528 Patient's Rights: Accounting of disclosures of protected health information
§164.530 Administrative Requirements

Key Privacy Initiatives
• Policy Review and Re-write
• Privacy Policy Training
• Notice of Privacy Practices
• Minimum Necessary
• Directory Opt-out
• Business Associates
• Security Safeguards
• Special Government Issues
  - Privacy Act, FOIA and other Government-specific laws governing privacy
  - Sharing relationship with other Government agencies (i.e., DoD)

HIPAA Security Rule

HIPAA: The Security Rule
Intent of HIPAA Security Rule:
• Maintain reasonable and appropriate operational, technical, and physical safeguards that:
  - Ensure confidentiality and integrity of information provided to authorized staff
  - Prevent unauthorized use or disclosure
  - Protect against external threats and physical hazards
• Standards are intended to protect against both external and internal threats
• Technical measures alone will be insufficient; security tools by themselves won't make an organization compliant
• A successful privacy/security program requires a solid "confidentiality culture"
• Good documentation is essential to compliance with the Security standards and development of a Security Program

Implementation Strategies

Challenges
• VHA is one covered entity with 162 hospitals and over 600 CBOCs
• Legislative mandate on program structures
• Classification in HIPAA inconsistent with major business models
• Complexities of a Governmental Agency

Strategies: Immediate Impacts
• Classification of Organization
• Privacy (by April 2003)
  - Development/documentation of policies & procedures
  - Broadening responsibilities of VHA Privacy Officers
  - Identifying/contracting with business associates
  - De-identifying patient information where necessary
  - Producing notice of privacy practices, authorization forms
  - Capturing, providing patients access to, the uses and disclosures of their health information for purposes other than treatment, payment or health care operations
  - Training workforce members who have access to IIHI
  - Altering information usage culture & security awareness of the organization
  - Processing & reviewing individual complaints
• Electronic Transactions and Code Sets (ETCS) (Testing by April 2002 and Implementation by October 2003)
  - Multiple IT initiatives to upgrade core systems for ETCS
  - Establish a new system -or- outsource HP2 payment activities
  - Multiple IT initiatives to upgrade HP1 systems for ETCS
  - Implementing code set updates in a more timely manner
• Resources

Strategies: Future Impacts
• Resources
• Identifiers (multiple implementation dates)
  - Health Care Provider ID: NPRM Published May 1998; Awaiting Final Rule
  - Employer ID: NPRM Published June 1998; Final Rule Published May 2002
  - Health Plan ID: Controversial & Debated within the Industry; Awaiting NPRM
  - Individual ID: Controversial; Placed on hold by Congress
• Additional Transaction Sets, e.g. Claims Attachments
• Dynamic Nature of Evolving Electronic Business Solutions
• Ongoing Maintenance of Requirements
(Continued)

Strategies: Roles and Responsibilities
• Role of the PMO
• Role of the HIPAA Implementation Advisory Council (HIAC)
• Role of the Office Liaisons
• HIPAA Implementation Teams (HITs)

HIPAA Organizational Structure
[Organization chart; boxes shown:]
• Under Secretary for Health; Business Office
• VHA HIPAA-AS PMO: PMO Director, Assistant PMO Director, PMO Staff, Admin. Support, Mgmt. Support
• VHA HIPAA-AS Advisory Board (e.g., HRM, OI, IA, SD&D, etc.); HIAC
• VHA HIPAA-AS Component Liaisons: Security Standards, Privacy Standards, ETCS Standards, Standard Identifiers Standards; Business Associate Relations
• Office Liaisons: VA HRM, AAC, Compliance, HEC, HISS, Dental, Prosthetics, SD&D, Pharmacy, HAS, HAC, Revenue, EES, OGC, HSR&D, OI, VISN/Network, VA OA&MM, Cyber Security
• VISN HIT (22 boxes)
• VAMC HIT Teams X162

Role of the HIPAA-AS PMO:
The PMO will serve as:
• The major communications & information forum for HIPAA. Coordinate VHA's efforts with the Department.
• Clearinghouse for ideas, best practices, solutions to problems
• Champion for overall vision, providing program guidance
• Catalyst for ensuring that HIPAA compliance strategies are implemented within the identified time frames.
• Reporting entity that collects & aggregates monthly progress reports from Office Liaisons

Role of the VHA HIPAA Implementation Advisory Council (HIAC)
• The HIAC provides overall guidance to the PMO with subject matter expertise, rule interpretation, legal and general support.
• Representatives from all critical VHA and VA Departments fulfill these HIAC roles.
• Strategic individuals from the former OI HIPAA Workgroup were transitioned onto the HIAC to ensure consistency.
• HIAC members may assist with the development of projects, strategy, and implementation planning of the HIPAA requirements.

Role of the Office Liaisons
• The Office Liaison is responsible for managing/monitoring individual initiatives within their Program Office and ensuring that their Office complies.
• The PMO works with Office Liaisons to define tasks/offer guidance & support.
• Specific responsibilities of the Office Liaison are to:
  - Facilitate Office-wide efforts and promote overall HIPAA implementation;
  - Provide direction to their HIPAA Team Members;
  - Communicate overall status to PMO on a monthly basis;
  - Escalate issues to the PMO;
  - Facilitate tactical development to address new HIPAA requirements;
  - Communicate Best Practices, Issues and Resolutions to the PMO.

Role of the HITs
• The HIT is responsible for implementing within their Facility and ensuring that their Facility complies with HIPAA.
• The PMO and Program Offices will assist HITs in understanding requirements.
• Specific responsibilities of the HIT are to:
  - Interact with HIPAA PMO, the Privacy Office and other Program Offices to implement HIPAA solutions created by Program Offices.
  - Conduct local surveys/inventories & initiatives to prepare facility for HIPAA implementation
  - Assist Program Offices & HIPAA PMO in educating their facility on HIPAA requirements
  - Monitor and report their facility's implementation progress as required by the HIPAA PMO

Successes
• Compliance with Privacy Rule by April 2003
  - Notice released to Veterans
  - Training completed by workforce
  - P&P Re-write complete and implemented
  - Minimum Necessary assignments completed
  - Business Associate Agreements in place
  - Confidential communications and directory-opt out capabilities in place
  - Release of Information Software in place
  - Research forms, policies and procedures in place
  - Complaint tracking process in place
• Compliance with ETCS Rule by October 2003
  - Testing on a number of projects
  - On target for all major ETCS initiatives for payor and provider functions

Questions?