HIPAA and Your Compliance Program
description
Transcript of HIPAA and Your Compliance Program
S I D L E Y & A U S T I N
HIPAA and Your Compliance ProgramHCCA’s 2000 Compliance Institute
New Orleans, Louisiana
September 25, 2000
2
S I D L E Y & A U S T I N
Presentation Agenda
• Introductions
• Overview and Background
• HIPAA Requirements and Provisions° Technology with Q&A
° Privacy with Q&A
° Security with Q&A
• Integration into Compliance Program
S I D L E Y & A U S T I N
Overview and Background of HIPAA
4
S I D L E Y & A U S T I N
General Provisions
Group and Individual Insurance Reform• Limits on pre-existing exclusion
provisions• Portability of coverage,
guaranteed issue and renewal
Fraud and Abuse • Medicare integrity, data
collection, beneficiary incentive programs
• Increased penalties, sanctions, and exclusions
Tax-Related Health Provisions• MSAs, long-term care
insurance, taxation of insurance benefits
Administrative Simplification (AS)• Improve efficiency and
effectiveness of the healthcare system
• Define standards for electronic transmission - standard identifiers, transaction and code sets
• Protect the privacy and security of health information
5
S I D L E Y & A U S T I N
Applicability
Health Plans
Clearinghouses Providers
“…that transmitand receiveelectronicinformation.”
BusinessPartners
BusinessPartners
6
S I D L E Y & A U S T I N
Penalties and Fines
Non-Compliance with Requirements
• $100 per violation to a maximum of $25,000 per requirement per year
• Considering the proposed security rules contain more than 25 specific requirements, the maximum penalty can exceed $625,000 per year
Wrongful Disclosure of Health Information
• Simple disclosure – fines up to $50,000 and/or one year in prison
• Disclosure under false pretenses – fines up to $100,000 and/or five years in prison
• Disclosure with intent to sell or use – fines up to $250,000 and/or 10 years in prison
S I D L E Y & A U S T I N
Technology Requirements
8
S I D L E Y & A U S T I N
Transactions, Code Sets and Identifiers
Transaction Standards for HIPAA: “Transactions” are the exchange of information between two parties carrying out financial and administrative activities with data elements in a single format.
Three Categories of Technology Requirements:
a) Transaction Sets
b) Code Sets
c) Identifiers
9
S I D L E Y & A U S T I N
Transactions, Code Sets and Identifiers
Highlights
Standardized transaction formats and data elements for information that is transmitted and received electronically
Code Sets Standards Built on Current Coding Systems
• Major code sets characterize medical data (e.g. CPT, ICD-9)
• Code sets included in standard transaction sets
• Current national coding standards to be updated in 2002
Unique Identifiers
• “Intelligence-free” (will not contain any encoded information)
• “Single unique identification of providers”
• Apply to all persons furnishing healthcare services and supplies
• Reduce potential for fraud and abuse
• Creates considerable privacy/ confidentiality concerns
10
S I D L E Y & A U S T I N
Standard transaction sets are defined for the following:
• Health claims or equivalent encounter (X12N 837)• Enrollment and disenrollment in a health plan (X12 834)• Eligibility for health plan - inquiry/response (X12N 270-271)• Healthcare payment and remittance advice (X12N 835)• Health plan premium payments (X12 820)• Health claim status - inquiry/response (X12N 276-277)
• Coordination of benefits (X12N 837)• Referral certification (X12N 278)• Referral authorization (X12N 278)• First report of injury (open)• Health claims attachments (open)
Standard Transaction Record
Identifiers
ProvidersEmployersHealth plans (open)Individuals (open)
Code Sets
ICD-9-CM (diagnosis and procedures)CPT-4 (physician procedures)HCPCS (ancillary services/procedures)CDT-2 (dental terminology)NDC (national drug codes)
Transactions, Code Sets and Identifiers
11
S I D L E Y & A U S T I N
Key Business Considerations
• Integration of new transactions into legacy systems
• Investment in new systems/channels
• Revision of Q/A testing and user acceptance processes
• Integration of technology requirements in contracts, accreditation
• Budget impact
• Return on investment
• Leverage investment in Y2K
S I D L E Y & A U S T I N
Privacy Requirements
13
S I D L E Y & A U S T I N
• IIHI
• Uses and Disclosures
• Minimum Necessary
• Rights of Individual
• Business Partners
• Related Entities
• Internal process changes
• Privacy Official
• Training
• Complaint Handling
• Disclosure Accounting
Privacy Standards
14
S I D L E Y & A U S T I N
Permitted Uses and Disclosures
Protected Health Information
Authorization required for:
• Disclosures on request of individual, entity or third party
• Marketing, fund-raising purposes
• Disclosure to non-health related affiliates (e.g., life insurance)
• Underwriting or risk rating
• Employment determinations
• Sale, rental or barter
• Disclosure of psychotherapy notes or research information
Authorization not required for:
• Uses or disclosures relating to treatment, payment or health care operations
• Public health agency activities
• Health oversight and regulatory agencies
• Judicial proceedings and law enforcement investigations
• Health care fraud
• Research purposes (under rigorous criteria)
• Disclosure of “de-identified” health information
15
S I D L E Y & A U S T I N
Minimum Necessary Disclosure
• Reasonable efforts not to use or disclose more than the minimumamount of information needed to accomplish an intended purpose
• Entity designates staff to determine minimum necessary information
• Determination made on individual basis within limits of technology
• Pervasive throughout organization° Applies to both internal and external uses° “Minimum necessary” varies by function and department° Implications for information systems
16
S I D L E Y & A U S T I N
Administrative Requirements
• Designate privacy official
• Conduct privacy training program
• Verification procedures
• Maintain policies and procedures for PHI
• Notice of privacy practices
17
S I D L E Y & A U S T I N
Business Partners
• Contractors providing services to covered entities - that utilize or share IIHI
• Business partner contracts must contain specific privacy provisions ° Appropriate safeguards of records° Report any unauthorized disclosures to entity° Books and records available for inspection° Material breach by partner grounds for termination, constitutes violation
by entity° Member/patient is third party beneficiary
• Extension of liability
18
S I D L E Y & A U S T I N
Rights of Individuals
• With the exception of treatment, payment or health care operations, most uses and disclosures are permitted only with authorization
• Individuals may revoke their authorization(s)
• May request restriction of uses and disclosures by providers
• Access to health information
• Amendment and correction of health information
• Accounting for disclosures of health information
19
S I D L E Y & A U S T I N
Protected Health InformationAdministrative
ProceduresPhysical
SafeguardsTechnical Security
ServicesTechnical Security
Mechanisms
Research
and Marketing
Research and
Clinical T
rials
Marketing and
Other U
ses of Data
Across O
pen Netw
ork
Treatm
ent, Paym
ent and O
perationsO
ver Open N
etwork
Treatm
ent, Paym
ent and O
perationsO
ver Secure N
etwork
Patient A
ccess, Correction,
Accounting of U
se
Authentication
Minimum Necessary
Patient Authorization
IRBEncryption
Business Partner Agreement
Anonymization
The Intersection of Privacy and Security Standards
S I D L E Y & A U S T I N
Security Requirements
21
S I D L E Y & A U S T I N
Security Standards
22
S I D L E Y & A U S T I N
Security Challenges
Authentication of users/partners
System vulnerabilities
Web security
Evolving technologies
Failure to plan for growth
No Internet reliability guarantees
User privacy
ConfidentialityIntegrity
Availability
23
S I D L E Y & A U S T I N
Administrative Procedures
• Certification
• Chain of Trust Partner Agreement
• Contingency Plan
• Formal Mechanism for Processing Records
• Information Access Control
• Internal Audit
• Personnel Security
• Security Configuration Management
• Security Incident Procedures
• Security Management Process
• Termination Procedures
• Training
24
S I D L E Y & A U S T I N
Physical Safeguards
• Assigned Security Responsibility
• Media Controls
• Physical Access Controls
• Policy/Guideline on Workstation Use
• Secure Work Station Use
• Security Awareness Training
25
S I D L E Y & A U S T I N
Technical Security Services
• Access Control
• Audit Controls
• Authorization Control
• Data Authentication
• Entity Authentication
26
S I D L E Y & A U S T I N
Technical Security Mechanisms
Required If Using Open Networks• Alarm• Audit trail• Entity authentication• Event reporting• Integrity controls• Message authentication
Plus, At Least One of the Following:• Access controls• Encryption
S I D L E Y & A U S T I N
HIPAA Compliance Framework
28
S I D L E Y & A U S T I N
Operation andMaintenance
Operation andMaintenance
Assessmentand Analysis
Assessmentand Analysis
SolutionImplementation
SolutionImplementation
Solution Designand Development
Solution Designand Development
EVALUATEEVALUATE
APPLYAPPLY
SUSTAINSUSTAIN FORMULATEFORMULATE
• EVALUATE Critical business and system functions
• FORMULATE Plans and solutions
• APPLY Solutions to process, data, and systems
• SUSTAIN Compliance through time
HIPAA Lifecycle
29
S I D L E Y & A U S T I N
Health Care OrganizationHIPAA Steering Committee
Project Office
Privacy Work Group
Departmental HIPAA Liaisons
Security Work Group Technology Work Group
Pro forma HIPAA Project Structure
General Counsel
Department 1 Department 1 Department 1Department 1Department 1 Department 1
30
S I D L E Y & A U S T I N
Assessmentand Analysis
Assessmentand Analysis
SolutionImplementation
SolutionImplementation
Solution Designand Development
Solution Designand DevelopmentOperation and
Maintenance
Operation andMaintenance
EVALUATE critical businessand system functions across the enterprise to determine the actions required to achieve HIPAA compliance
Phase 1: Assessment and Analysis
TasksUnderstand the existing environment
• Mission/vision
• Organization
• Strategic, Organizational and IT plans° Inventory existing systems and operations
° Evaluate existing policies and procedures
° Perform operational and technical reviews and assessments
° Align HIPAA requirements against existing systems
° Identify potential compliance gaps
31
S I D L E Y & A U S T I N
Assessmentand Analysis
Assessmentand Analysis
SolutionImplementation
SolutionImplementation
Solution Designand DevelopmentOperation and
Maintenance
Operation andMaintenance
FORMULATE plans and solutions to respond to HIPAA and business requirements identified in the Assessment and Analysis phase
Phase 2: Solution Design and Development
Tasks
• Identify both technical and non-technical solutions
• Evaluate effect on business partners
• Assess alternative approaches° Integration with Compliance Program
° Consider outsourcing
• Identify risks and mitigation strategies
• Create prioritized project plans
• Identify resources required to complete plans
32
S I D L E Y & A U S T I N
Assessmentand Analysis
Assessmentand Analysis
SolutionImplementation
Solution Designand Development
Solution Designand DevelopmentOperation and
Maintenance
Operation andMaintenance
APPLY solutions developed to those business and system functions necessary to ensure compliance with HIPAA regulations
Phase 3: Solution Implementation
Tasks
• Implement communication strategy
• Execute project plans
• Perform testing and quality assurance
• Provide end user training
33
S I D L E Y & A U S T I N
Assessmentand Analysis
Assessmentand Analysis
SolutionImplementation
SolutionImplementation
Solution Designand Development
Solution Designand Development
Operation andMaintenance
SUSTAIN a compliant environment through ongoing initiatives
Phase 4: Operation and Maintenance
Tasks
• Keep documentation current as changes occur° New systems and technology
° Organizational (i.e., mergers and acquisitions)
• Periodically test system vulnerabilities
• Institutionalize ongoing HIPAA compliance
34
S I D L E Y & A U S T I N
• Enterprise-wide planning
• Align HIPAA initiatives with corporate strategy(s) and integrate into operations
• Secure management support and awareness
• Leverage historic and on-going initiatives and accumulated knowledge (Y2K, E-Business, Business Transformation, etc..)
• Build HIPAA into existing change initiatives (do it once)
• Integrate with current Compliance Program activities
Critical Success FactorsCritical Success Factors
• Establish clear governance structure to manage complexities and interdependencies among business units and the technology, security and privacy requirements of HIPAA
• Ensure on-going communication channels for HIPAA specific initiatives
• Raise corporate awareness of HIPAA and its potential impacts on the origination and its stakeholders
• Incorporate HIPAA into existing compliance program