Part III – HIPAA Reference HIPAA – In General – Background – Why Employers Should Care ? ...


Part III – HIPAA Reference

HIPAA – In General
– Background
– Why Employers Should Care?

Overview of Requirements
– EDI Transaction Standards
– Security
– Privacy

HIPAA Compliance Implementation

Background – In General

Enacted in 1996, HIPAA was intended to incrementally address various issues within the health care industry.

Major elements include:
– Improved health coverage portability requirements
– Prohibitions on discrimination based on health status
– Increased fraud enforcement
– Simplifying the health care claim payment process to reduce administrative costs
  • Primarily by standardizing electronic data transactions, which raises security and privacy concerns

Background – Statutory Structure

HIPAA
– Title I: Guarantees health insurance portability and renewal
– Title II: Administrative simplification
– Title III: Tax provision for medical savings accounts
– Title IV: Enforcement of group health plan provisions
– Title V: Revenue offset provisions

Background – Why was HIPAA Needed?

Healthcare industry
– Need for ease of data transfer
– Move from paper to EDI (electronic data interchange)
– Economic reasons

The “patient” as the “consumer”
– Increasing privacy and confidentiality concerns

Legislative issues
– 50 different states, with different laws, lack of consistency, and no minimum floor

Why Employers Should Care? – In General

Although not a covered entity, any employer that provides group health benefits will be at least indirectly affected
– Employers with self-funded plans will be considered “hybrid” entities, and their health plan operations will be directly subject to the rules

Company access to employee health plan records for employment reasons (including administration of other benefit plans and laws) will be further limited

Federal preemption of state laws will be limited to establishing minimum floor protection

Certain customary practices may have to be changed

Why Employers Should Care? – Penalties

Civil Monetary Penalties
– $100 for each violation
– $25,000 maximum per year, per violation

Accreditation
– Accrediting organizations will require compliance in the future

Wrongful Disclosure (maximum per offense)
– Each offense: $50,000 per offense and 1 year imprisonment
– Under false pretenses: $100,000 per offense and 5 years imprisonment
– With intent to sell, transfer or use: $250,000 per offense and 10 years imprisonment

Federal Programs
– Exclusion from federal programs anticipated

Why Employers Should Care? – Compliance Deadlines

HIPAA’s administrative simplification incorporates three major distinct but overlapping components, each with different compliance deadlines:
– Electronic transaction standards
  • Generally 10/16/03
– Privacy
  • Generally 4/14/03
– Security
  • Generally 4/21/05

For more information:
http://aspe.hhs.gov/adminsimp.Index.htm
http://www.hhs.gov/ocr/hipaa
http://www.ibiweb.org/news/HIPAA

EDI Transaction Standards – In General

HIPAA requires standardization of these electronic health care transactions:
– Health claims or similar encounter information
– Enrollment & disenrollment in a health plan
– Eligibility for a health plan
– Health care payment & remittance advice
– Health plan premium payments
– Health claim status
– Referral certification & authorization
– Health claims attachments (to be issued in the future)
– First report of injury (to be issued in the future)

EDI Transaction Points of Contact (diagram; parties shown: Patient/Consumer, Sponsors, Payers, Providers)

Patient/Consumer and Sponsor
– Need HC Insurance (Form)
– Payroll Deduction

Sponsor and Payer
– Enrollment (834)
– Invoice (811)
– Premium Pmt (820)

Patient/Consumer and Provider
– Treatment

Provider and Payer
– Eligibility (270) / Response (271)
– Referral (278) / Response (278)
– Claim (837)
– Claim Inquiry (276) / Response (277)
– Need more info (277)
– Payment & EOB (835)

Payer and Patient/Consumer
– EOB (Paper) – non-HIPAA transaction

EDI Transaction Standards – Unique Identifiers

Eventually HIPAA will require use of unique identifying numbers for employers and for covered entities (i.e., health plans, providers, and clearinghouses)
– To date, only the employer identifier standards have been finalized (the employer’s federal tax identification number must be used)

The controversial use of a unique identifier for employees has been withdrawn

Security – In General

Intended to minimize the risk of intentional or accidental disclosure or misuse, or the loss or corruption, of patient-identifiable health information

Sets a floor of minimum administrative, physical, and computer security standards to protect medical data

Reflects commonly accepted security safeguards widely used across many industries

Security measures are to be tailored to the organization’s risk analyses, technical environment, and business needs

Security – Employer Implications

Typically, will require developing and/or modifying a number of IT/IS policies, procedures, and protocols with respect to individual health information that is generated, transmitted, or stored electronically
– With respect to both the covered entity and its business associates
– Thus, early involvement of IT/IS staff in an employer’s HIPAA compliance effort is critical

Not uncommon for employers to engage a specialized IT/IS consultant to help assess compliance gaps and implement corrective steps

Privacy – In General

Rules apply to all individually patient-identifiable health information, whether in paper or electronic form

Key terms
– Protected Health Information (PHI)
– Covered Entity
– Business Associate

Privacy – Protected Health Information

PHI = individually identifiable health information + created or received by a covered entity
– Individually identifiable health information
  • Any information that relates to an individual’s past, present, or future physical or mental condition, or the provision or payment of health care, and
  • That specifically identifies the individual (or there is a reasonable belief that the individual can be identified), AND WHICH IS
– Created or received by a covered entity
  • Can be in any form (oral, written, or electronic)

Examples: claims data, and (depending on source) enrollment data and employee contribution information

Privacy – De-Identification Requirements

Covered entities are permitted to use PHI to create de-identified information for their own unlimited use, or for unlimited use by another entity, without authorization from individuals

De-identified information = health care information which does not identify the individual, or which the covered entity has no reasonable basis to believe can be used to identify the individual
– While use of such generic information may be useful for certain types of broad-based trend studies, it is probably not useful to achieve most other business objectives

Use of certain types of partially de-identified information (summary information or “limited data sets”) is allowed for specific limited purposes
– Enrollment/disenrollment data
– Aggregate claims history / expenses / types of claims data for coverage renewals and plan design changes

Privacy – Covered Entity

All health care providers

All health care payers (including managed care organizations, carriers, and self-funded employers)

All health care clearinghouses that process claims or route electronic claims

Certain health plans
– Health insurers (including HMO’s), and
– Group health plans with 50+ participants or administered by an entity other than the employer that established and maintains the plan

Privacy – Covered Entity (cont.)

Employers, as a whole, typically are not covered entities
– Thus, most employers are not directly subject to HIPAA privacy regulations
– However, certain components of an employer might constitute a covered entity (e.g., self-funded group health plan)

Hybrid employers will be subject to various requirements and obligations
– “Firewalls” must be created between covered and non-covered functions
– Plan cannot share PHI with the non-health plan component of the employer unless the plan sponsor certifies that the plan has been amended to limit use and disclosure of PHI and that safeguards are in place
– Exceptions for limited enrollment activities

Privacy – Business Associates

Business associate = any outside entity to which covered entities disclose PHI to perform necessary functions
– E.g., third-party administrators, case managers, attorneys, collection agencies, claims auditors, consultants
– Does not include plan sponsors, insurers, or disclosures from a covered entity to a health care provider for treatment of an individual

Covered entities must have agreements in place to contractually bind BAs to limit use of PHI to designated purposes and to comply with covered-entity-type confidentiality rules

Privacy – Business Associates (cont.)

Covered entities have potential civil and criminal liability exposure for breaches by BAs
– Thus, there is an obligation to monitor your BAs’ activities
– Under final regulations, however, action needs to be taken only if there is actual knowledge of a material violation

Compliance deadline
– Generally, all BA agreements must be in place by 4/14/03
– However, any BA agreements in place prior to 10/15/02 will be deemed sufficient until 4/14/04 (unless the agreement terminates or is modified in any way prior to that date)

Privacy – Basic Requirements

Patients have the right to understand and control how their health information is being used
– Providers and health plans must give individuals clear, written notice of how they use, keep, and disclose their health information
– Individuals have the right to access their medical records (to view, make copies, request amendments, and obtain an accounting of non-routine disclosures)
– Individual authorizations are required before information is released in most non-routine situations
– Covered entities are accountable for use and release of information, with recourse available if privacy is violated

Privacy – Basic Requirements (cont.)

Use of individual health information generally limited to health purposes
– PHI cannot be used for purposes other than treatment, payment, or health care operations without individual authorization
– Individual authorizations must be informed and voluntary
– Reasonable efforts must be undertaken to limit release of information to the “minimum necessary amount”
  • The minimum necessary amount requirement applies to use of protected health information for payment or health plan operations, but not for treatment purposes

Privacy – Basic Requirements (cont.)

Minimum privacy safeguard standards established for covered entities (with a similar requirement applicable to BAs by contract and to the plan sponsor by plan amendment)
– Adoption of written privacy procedures, with safeguards and sanctions specified
– Periodic distribution of privacy notice
– Training of employees on handling PHI
– Designation of a privacy officer (covered entities only)
– Establishment of a grievance / complaint procedure
– Recordkeeping with respect to PHI disclosures

HIPAA Implementation – Basic Phases

Phase I
– Awareness / Education
– Preliminary scope assessment
– Budgeting
– Task force team selection

Phase II
– Detailed current PHI flow and use analysis
– Detailed compliance gap analysis

Phase III
– Implementation of prioritized action item list