Reviewing the World of HIPAA
Stephanie Anderson, CPC
October 2006
Community Care Network of Virginia, Inc
Discussion Points
• Overview of HIPAA Regulations
• Administrative Simplification
• EDI Components
  • Standard Transactions
  • Standard Code Sets
  • Unique Identifiers
• Privacy Rule Review
• Security Rule Overview
HIPAA - What’s in a Name?
• Health Insurance Portability and Accountability Act
• Implemented in 1996
• Includes Titles I - V
• Portability - Title I
• Accountability - Title II
  • Administrative Simplification
HIPAA Administrative Simplification Provisions
HIPAA
• Title I: Insurance Portability
• Title II
  • Fraud & Abuse
  • Medical Liability Reform
  • Administrative Simplification
    • EDI: Transactions, Code Sets, Identifiers
    • Privacy
    • Security
• Title III: Tax Related Health Provision
• Title IV: Group Health Plan Requirements
• Title V: Revenue Off-sets
Who Oversees HIPAA Administrative Simplification?
Department of Health & Human Services
The Centers for Medicare and Medicaid Services (CMS) Oversees:
• Transactions & Code Sets
• Standard Unique Identifiers
• Security Rule
• NPI
The Office for Civil Rights (OCR) Oversees:
• Privacy Rule
Administrative Simplification Provisions Time Table
HIPAA Regulation: Proposed Rule Publication / Final Rule Publication / Compliance Date
• EDI Electronic Transactions & Code Sets Standards: May 7, 1998 / August 17, 2000 / October 16, 2003 (if entity applied for extension)
• National Standard Provider ID (NPI): May 7, 1998 / January 23, 2004 / May 23, 2007 *
• National Standard Health Plan ID: Under development
• National Standard Employer ID (TIN): June 16, 1998 / May 31, 2002 / July 30, 2004
• Attachments: Under development
• Privacy & Privacy Modifications: November 13, 1999 / December 28, 2000 & August 14, 2002 / April 14, 2003
• Security Rule: August 12, 1998 / February 20, 2003 / April 21, 2005
* Small Health Plans have 1 year longer
Why are HIPAA Electronic Standard Transactions Important?
• Standardize claim submission
• Fewer errors
• Standardize payment method
• Faster processing
• Reduces paperwork (from ~400 forms to ~4)
• Reduces postage costs
• Real-time patient eligibility and benefits
• Overall ~~ Less Administrative Burden
Current HIPAA Standard Transactions
• Claims Payment & Remittance Advice
• Claim Status Inquiry & Response
• Enrollment in Health Plan
• Referral Certification and Authorization Inquiry & Response
• Health Plan premium payments
• Coordination of Benefits
Unique Identifiers for HIPAA EDI
National Employer Identifier Standard
• Compliance Date = July 30, 2004
• IRS Employer Identification Number (EIN)
• 9-digit number (Tax ID #) for all employers
• Number to be used on all claims to identify the Center (54-*******)
Unique Identifiers for HIPAA EDI
National Provider Identifier (NPI)
Compliance Date = May 23, 2007 {Small Health Plans = May 23, 2008}
We will discuss details in Part 2….
Reviewing of the Privacy Rule
On To The Privacy Rule……...
Purpose:
• Provides national standards to protect Protected Health Information (PHI)
• Gives patients increased control over their health information
• Sets limits on the use of and disclosure of health information
• Allows for a balance in disclosing PHI in some forms for public health reasons
• Establishes penalties for violations of a person’s privacy rights.
Areas Addressed in the Privacy Standards
• Notice of Privacy Practice (NPP)
• Use & disclosure of PHI (TPO)
• Authorization for Release of PHI
• Minimum Necessary Information
• Incidental Uses Disclosures
• Oral Communications
• Accounting of Disclosures
• Business Associates
• Personal Representatives & Minors
• Marketing & Health-Related Communications
• Research
• Government Access to PHI
• Violations & Penalties
Review of Patient’s Rights...
Receive a copy of Notice of Privacy Practices (NPP)/Signature of Receipt
Review & request copies of/amendments to their medical records
Need to be informed on how their PHI may be used/disclosed {stated in NPP}
Any release of PHI will be held to the minimum necessary to achieve the task
File grievance concerning privacy issues
What Should We Have in Place ?
• Policies & Procedures that address the requirements of the Standards
• Forms that support P & P
  • NPP acknowledgement of receipt
  • Restrictions on uses & disclosures of PHI
  • Patient request to review & copy medical record
  • Denial for access to the request
  • Amendment of the medical record
  • Accounting of disclosures log
  • Patient Authorization for disclosure other than TPO
  • Patient Grievance Form
How’s Privacy Compliance Going ?
DHHS Reports the following:
As of November 30, 2005 -
• 16,625 privacy rule complaints received by the Office for Civil Rights since the effective date (April 14, 2003)
• 69% of the cases have been resolved/closed
  • Covered entity corrected the problem
  • Complaint was not a true violation of Privacy Rule
• 263 violations referred by the OCR to the Department of Justice for potential prosecution; one case has been successfully prosecuted
How’s Privacy Compliance Going ?
DHHS Reports the following:
Top Five Complaints Against Providers
1. Impermissible use/disclosure of PHI
2. Lack of adequate safeguards in place
3. Refusal or failure to provide a patient access to records
4. Disclosure of more than minimally necessary information
5. Failure to obtain valid authorizations for disclosures that required them.
The Penalties…………..
• $100/incident up to $25,000/person/year/standard violated
• $50,000 and/or ONE year in prison for knowingly violating the Rule
The Penalties…………..
• False Pretense: Up to $100,000; 5 years in prison
• For Commercial Gain, Advantage, or Harm - $250,000; 10 years in prison
Suggestions for Compliance
• Ensure Policies & Procedures (P & P) cover standards in the Rule and are up-to-date with Center operations
• ANNUAL staff training on current Privacy P & P
• Continue to make the Center Notice of Privacy Practices (NPP) available to patients and obtain signatures of receipt for medical record.
• Ensure Privacy Officer is designated
• Ensure Business Associate Agreements (BAA), according to the Rule standards, are in place
Security Rule
Compliance Date = April 21, 2005
Purpose:
• Ensure the integrity, availability, & confidentiality of EPHI {Electronic PHI}
• Protect against reasonably anticipated threats of security & improper use or disclosure of EPHI
• Ensure compliance by Center staff
What Does the Security Rule Include?
• Electronic Protected Health Information {EPHI} ONLY
  • Privacy Rule covers all PHI in paper, oral, and electronic format.
• All stored data and transmitted data in systems
• All Covered Entities
• Standards to ensure that appropriate access to EPHI is addressed.
Security Rule Concepts
• Flexible & Scalable
  • Works for small to large providers & health plans
• Technology Neutral
  • Allows for future technology advances
• Comprehensive
  • Administrative Safeguards (policies & procedures)
  • Physical Safeguards (restricting access, providing back-up plans)
  • Technical Safeguards (authentication, integrity controls, access)
Required vs. Addressable Specifications
Required
• Implementation of specification is mandatory
Addressable
• Specification must be used if the risk analysis shows it is needed
• If a specification is not implemented, documentation must explain why & what else is being done in its place
Security Standards Flowchart
Security Standards
• Administrative Safeguards: 12 Required, 11 Addressable Specifications
• Physical Safeguards: 4 Required, 6 Addressable Specifications
• Technical Safeguards: 4 Required, 5 Addressable Specifications
Implementing Security
• Risk Analysis should assess security risks & vulnerabilities
• Consider Center size, capabilities, & costs of addressing the security areas
• Assign a Security Officer
  • May have a “group” working together ~ responsibility must be assigned to an individual.
Implementing Security
Develop P & P to address the security standards as appropriate and reasonable for Center operations.
TRAIN staff on the P & P and the overall purpose of implementation
Ensure proper language in BAAs to cover security standards.
Evaluate Security P & P at least annually to ensure they are being followed & to update as appropriate
Relationships between Privacy & Security
Privacy is the… Who, What, When
Security is the… How
Relationships between Privacy & Security
• Privacy covers PHI on paper, orally, & electronic format
• Security covers electronic PHI ONLY
• Security enables Privacy by providing safeguards for proper access to data
• Business Associate Agreements (Privacy) need to detail how the integrity, confidentiality, & availability of the data exchange will take place (Security).
Tying It All Together-----
• Patient Registration
  • Collecting PHI
  • Handling PHI
• Encounter
  • Diagnosis - All digits needed
  • E & M Service - Based on Key Elements
  • Procedures (Modifiers as appropriate)
  • Documentation to support ALL CODES used
Tying It All Together-----
• Input data into Account
  • Proper Log-in/Access to System
  • Accuracy of Information
• Submit Claim Electronically
  • Transmission process
• Request for Medical Record Information
  • Minimum Necessary to complete the request
Tying It All Together-----
• Electronic Payment/Denial
• Input Data into Account
  • Proper Access
  • Accuracy
• Maintaining Integrity of Data
  • Changes to be monitored
ON A GOOD DAY---- The Process Works!
• Patient is Happy!
• Billing Staff is Happy
• Providers are Happy
• Center Management is Happy
• Board Members are Happy
Everyone is HAPPY !!
Questions??
Thank You for Coming ! !
Stephanie Anderson, CPC
Community Care Network of Virginia, Inc.
6802 Paragon Place, Suite 630
Richmond, VA 23230
(T) (804) 237-7686 x [email protected]