

Getting A Handle on HIPAA

Jeanette C. Schreiber, J.D.
Wiggin & Dana, LLP

OVERVIEW OF HIPAA

  • Health Insurance Portability and Accountability Act of 1996, Public Law No. 104-191, 42 U.S.C. §§1320d-2 et seq.
  • "Administrative Simplification" provisions

BACKGROUND LEADING TO HIPAA

  • Evolving technology, moving from paper to electronic communication
  • Need for uniformity in coding and transmitting data
  • New uses for personal health information
    • analyze cost and quality
    • clinical uses
    • marketing
  • Heightened public concern for privacy, security

PURPOSE OF HIPAA

  • Standardized coding, billing, electronic transactions
  • Protect privacy and security of health information

ELEMENTS OF HIPAA STATUTE: INSTRUCTIONS TO HHS

  • Standards to enable electronic interchange
  • Standards for unique health identifiers (individual, employer, health plan, health care providers)
  • Standards for code sets
  • Security standards
  • Standards for electronic signatures
  • Standards for transfer of information among health plans
  • Privacy standards

HIPAA TIMETABLE

  • Final standards for electronic transactions and code sets
    • Effective 10/16/00
    • Final compliance by 10/16/02
  • Privacy regulations
    • Effective 04/14/01
    • Final compliance by 04/14/03
  • Security regulations
    • Proposed 08/12/98
    • Not yet final

WHO IS COVERED BY HIPAA?

Covered entities --

  • Health plans
  • Health care clearinghouses
  • Health care providers that transmit health information in electronic form in connection with a HIPAA standard transaction

Indirect coverage --

  • Business associates

WHERE WILL HIPAA AFFECT PHYSICIANS?

  • Private physician office - individual and group practice
  • Member of medical staff in hospital /health care facility/health system
  • Employee of health care facility or health plan
  • Medical director for nursing home or home health agency
  • Member of an IPA (independent practice association) or PHO (physician-hospital organization)

IMPACT OF HIPAA

  • More than Y2K
  • Requirements will be ongoing
  • Industry-wide culture change

ELECTRONIC TRANSACTIONS AND CODE SETS REGULATIONS

  • Adopts standards for eight electronic transactions and for the code sets to be used in those transactions
  • Electronic Standard Transactions:
    • Health care claim or equivalent encounter information
    • Health care payment and remittance advice
    • Health care claim status
    • Coordination of benefits
    • Eligibility for a health plan
    • Referral certification and authorization
    • Enrollment and disenrollment in a health plan
    • Health plan premium payments
  • Future Electronic Standard Transactions (to be addressed in future regulations):
    • First report of injury
    • Health care claims attachment
  • Five medical code set standards to be used initially under HIPAA:
    • International Classification of Diseases, 9th Revision, Clinical Modification (ICD-9-CM)
    • Current Procedural Terminology, 4th Edition (CPT-4)
    • Health Care Financing Administration Common Procedure Coding System (HCPCS)
    • Code on Dental Procedures and Nomenclature, 2nd Edition (CDT-2)
    • National Drug Codes (NDC)
  • For each transaction the rule specifies the format, data elements and data content
  • Uses industry consensus-based standards wherever possible:
    • ANSI - American National Standards Institute
    • ASC X12N Insurance Subcommittee
    • WEDI/SNIP www.wedi.org/snip
  • Covered entities must comply with the standards and their implementation guides
  • HIPAA Implementation Guides by the X12N Insurance Subcommittee available at http://www.wpc-edi.com/hipaa
  • Payers must accept claims presented in the standard format
  • Medicare testing capability by late 2001?

WHAT IMPLEMENTATION STEPS SHOULD PHYSICIANS TAKE?

  • Identify covered transactions
  • Contact your software vendors
  • Assess need for software conversions or upgrades
  • Review data collection practices to ensure all required data elements are collected
  • Plan for synchronized testing
  • Review agreements with "trading partners"

PROPOSED SECURITY REGULATIONS

  • Proposed August 12, 1998
  • General security measures including administrative, technical and physical safeguards
  • "Scalable"
  • Technology neutral
  • Apply to all individually identifiable health information that is electronically maintained or transmitted
  • Each covered entity must assess potential risks and vulnerabilities to individual health data and develop, implement and maintain appropriate security measures

PROPOSED SECURITY REGULATIONS

Categories of Standards

  • Administrative procedures
  • Physical safeguards
  • Technical security services
  • Technical security mechanisms

PROPOSED SECURITY REGULATIONS

Administrative Procedures

  • Certification of system security
  • "Chain of Trust partner agreements"
  • Contingency plan
  • Formal, documented policies and procedures for processing records, access control, internal audits, personnel security, security system management, incidents, risk analysis and management, access termination, training

PROPOSED SECURITY REGULATIONS

Physical Safeguards

  • Use of locks, keys and administrative measures to control access to computers and facilities
  • Control of possession and access to hardware, software, data
  • Disaster recovery, emergency mode
  • Workstation use and security
  • Security awareness training for all employees, agents and contractors based on jobs

PROPOSED SECURITY REGULATIONS

Technical Security Services and Mechanisms

  • Requirements to protect and control access to data/information
  • Mechanism/process to guard against unauthorized access to data transmitted over a communications network

PROPOSED SECURITY REGULATIONS

  • What are the practical implications for physicians?

FINAL PRIVACY REGULATIONS

  • Issued December 28, 2000
  • Accepted by Bush Administration

PRIVACY REGULATIONS
Office for Civil Rights Guidance

  • HHS has delegated oversight and enforcement of the Privacy Rule to the Office for Civil Rights ("OCR")
  • Guidance issued by OCR on July 6, 2001
  • Clarifies a variety of issues raised in comments and in questions submitted to OCR
  • HHS has promised further guidance and modifications to the Privacy Rule to address "unintended" problems with the Rule

PRIVACY REGULATIONS

  • What is Protected Health Information?
    • Includes all individually identifiable health information transmitted or maintained by a covered entity, whether electronic, paper or oral.
  • What information will physicians need to protect?
    • Patients' medical records
    • Health reimbursement claims
    • Appointment reminders - phone messages and postcard mailings
    • Patient information - in-office and telephone discussions
    • Office registration information
    • Faxed patient information
  • Is HIPAA really any different from current practice?
    • Patient confidentiality has always been a basic component of the practice of medicine
    • HIPAA introduces new concepts and required practices
    • Will require some changes in office practices and staff education
    • Will require revisions of policies and procedures and new HIPAA-compliant forms, policies and procedures

PRIVACY REGULATIONS
Use and Disclosure

  • "Use" versus "Disclosure"
  • New policies and procedures concerning how patient health information is disclosed and used
  • "Minimum necessary" requirements

PRIVACY REGULATIONS
Consent and Authorization

  • "Consent" required for "treatment, payment or health care operations"
  • "Authorization" required for most other uses and disclosures (including release of psychotherapy notes)
  • Opportunity to "Agree" or "Object"

Some uses and disclosures permitted without consent or authorization. Examples include:

  • Public health and welfare
  • Health oversight
  • Required by law
  • Judicial and administrative proceedings
  • Law enforcement purposes

PRIVACY REGULATIONS

  • What are some practical implications for physicians?
    • Development and implementation of "consent" and "authorization" forms
    • Documentation of "opportunity to agree or object"
    • New office policies and procedures addressing use and disclosure

PRIVACY REGULATIONS
Business Associate Requirements

  • HIPAA obligations extend to contractors performing functions for providers using protected health information (such as billing, data processing, consulting)
  • Written contract specifications
  • Responsibilities concerning acts of business associates
  • What are the practical implications for physicians?
    • Identify business associates
    • Develop or amend contracts
    • Ongoing review of business associates' activities

PRIVACY REGULATIONS
Individual Rights

Right to:

  • Notice of information use and disclosure practices
  • Request restrictions on use and disclosure of PHI
  • Access to own PHI and to make copies
  • Obtain accounting of disclosures
  • Request amendments

PRIVACY REGULATIONS
Administrative Requirements

  • Designate a privacy official
  • Training for all employees, volunteers, trainees
  • Implement complaint process
  • Develop and enforce internal sanctions for noncompliance
  • Required policies and procedures

PRIVACY REGULATIONS
Clinical Research

  • Distinguish research from health care operations
  • No restrictions if "de-identified" information is used
  • Specific authorization required for most clinical trials
  • Permitted without authorization if:
    • Waiver of authorization approved by an IRB or Privacy Board
    • Review preparatory to research
    • Research on protected health information of decedents
  • How will HIPAA affect physician participation in clinical research studies?

PRIVACY REGULATIONS
Marketing

  • Generally, disclosures for marketing require an authorization
  • Very limited exceptions allow some use of protected information for marketing of products/services of nominal value
  • For example, solicitations must:
    • identify the physician as the party making the communication;
    • prominently state if the physician will receive direct or indirect remuneration for making the communication; and
    • explain how to opt out of future communications

If marketing targets a patient based on the patient’s health condition, the provider must also:

  • make a determination that the marketed product/service may be beneficial to the health of the type of patient targeted; and
  • explain in the communication why the patient has been targeted and how the product/service relates to the patient’s health.

PRIVACY REGULATIONS
Marketing

  • How will physicians be affected?
    • Be cautious of any arrangement involving use of a patient's identity or health information for marketing

PRIVACY REGULATIONS
Health Care Systems and Other Affiliated Entities/OHCAs

  • Affiliated entities may designate themselves as a single covered entity.
  • Benefits include using a single shared notice of information practices and consents and consolidating certain other functions.
  • OHCAs (organized health care arrangements): separate covered entities in a clinically integrated setting (e.g. a hospital and its medical staff) may combine notices and consents.

PRIVACY REGULATIONS
Oversight and Enforcement

  • Role of the Office for Civil Rights
  • Civil
    • HHS vows assistance and cooperation through OCR
    • Office for Civil Rights investigation of complaints
  • Criminal
    • FBI? Office of Inspector General?
    • Department of Justice
  • Civil lawsuits?

PENALTIES FOR NONCOMPLIANCE

  • Civil penalties -- for violation of the standards
    • Fines up to $100 per violation, capped at $25,000 per calendar year for violations of an identical requirement
    • Avoided if the failure was due to reasonable cause and not willful neglect, and is corrected within 30 days
  • Criminal penalties -- for knowingly obtaining or disclosing individually identifiable health information in violation of the statute
    • Up to $50,000 in fines and 1 year imprisonment
    • If committed under false pretenses, up to $100,000 in fines and 5 years imprisonment
    • If for commercial advantage, personal gain or malicious harm, up to $250,000 in fines and 10 years imprisonment

IMPACT ON STATE LAW

  • Generally HIPAA supersedes contrary state law
  • HIPAA privacy requirements do not preempt "more stringent" state requirements
  • In many states more stringent mental health, HIV/AIDS and substance abuse protections will continue to apply.
  • Need for detailed analysis of state confidentiality law

GETTING READY: STEPS TOWARD IMPLEMENTATIONS

  • You now have 13 months to implement the HIPAA transaction and code set standards
  • You have 19 months to implement the privacy standards
  • Move forward with very basic security implementation in conjunction with privacy; not certain when final security rule will be issued
  • You should start now

Getting Ready for HIPAA

  • Designate someone to lead your HIPAA efforts
  • Gather HIPAA resources
  • Check in with your state and/or national associations for assistance
  • Gap Analysis (Inventory and Assessment of HIPAA Readiness)
    • Inventory existing systems, policies, procedures and processes
    • Inventory software capabilities and security measures
    • Inventory contractual arrangements in light of business associate and "chain of trust" agreement requirements
  • Develop work plan and timeline for implementation
  • Develop budget
  • Pool resources where appropriate

LINKS TO HIPAA RESOURCES