Part III – HIPAA Reference HIPAA – In General – Background – Why Employers Should Care ? ...
Part III – HIPAA Reference
HIPAA – In General
– Background
– Why Employers Should Care?
Overview of Requirements
– EDI Transaction Standards
– Security
– Privacy
HIPAA Compliance Implementation
Background – In General
Enacted in 1996, HIPAA was intended to incrementally address various issues within the health care industry
Major elements include:
– Improved health coverage portability requirements
– Prohibitions on discrimination based on health status
– Increased fraud enforcement
– Simplifying the health care claim payment process to reduce administrative costs
• Primarily by standardizing electronic data transactions, which raises security and privacy concerns
Background – Statutory Structure
HIPAA
– Title I: Guarantees health insurance portability and renewal
– Title II: Administrative simplification
– Title III: Tax provision for medical savings accounts
– Title IV: Enforcement of group health plan provisions
– Title V: Revenue offset provisions
Background – Why was HIPAA Needed?
Healthcare industry
– Need for ease of data transfer
– Move from paper to EDI (electronic data interchange)
– Economic reasons
The “patient” as the “consumer”
– Increasing privacy and confidentiality concerns
Legislative issues
– 50 different states with different laws, a lack of consistency, and no minimum floor
Why Employers Should Care? – In General
Although not a covered entity, any employer that provides group health benefits will be at least indirectly affected
– Employers with self-funded plans will be considered “hybrid” entities and their health plan operations will be directly subject to the rules
Company access to employee health plan records for employment reasons (including administration of other benefit plans and laws) will be further limited
Federal preemption of state laws will be limited to establishing minimum floor protection
Certain customary practices may have to be changed
Why Employers Should Care? – Penalties
Civil Monetary Penalties
– $100 for each violation; $25,000 maximum per year, per violation
Wrongful Disclosure (maximum per offense)
– Each offense: $50,000 per offense and 1 year imprisonment
– False pretenses: $100,000 per offense and 5 years imprisonment
– Intent to sell, transfer or use: $250,000 per offense and 10 years imprisonment
Federal Programs
– Exclusion from federal programs anticipated
Accreditation
– Accrediting organizations will require compliance in the future
Why Employers Should Care? – Compliance Deadlines
HIPAA’s administrative simplification incorporates three major distinct but overlapping components, each with different compliance deadlines:
– Electronic transaction standards
• Generally 10/16/03
– Privacy
• Generally 4/14/03
– Security
• Generally 4/21/05
For more information:
http://aspe.hhs.gov/adminsimp.Index.htm
http://www.hhs.gov/ocr/hipaa
http://www.ibiweb.org/news/HIPAA
EDI Transaction Standards – In General
HIPAA requires standardization of these electronic health care transactions:
– Health claims or similar encounter information
– Enrollment & disenrollment in a health plan
– Eligibility for a health plan
– Health care payment & remittance advice
– Health plan premium payments
– Health claim status
– Referral certification & authorization
– Health claims attachments (to be issued in the future)
– First report of injury (to be issued in the future)
EDI Transaction Standards – Points of Contact
[Diagram: transaction flows among Patient/Consumer, Sponsors, Payers, and Providers]
Sponsor – Payer transactions:
– Enrollment (834)
– Invoice (811)
– Premium Payment (820)
Provider – Payer transactions:
– Eligibility (270) / Response (271)
– Referral (278) / Response (278)
– Claim (837)
– Claim Inquiry (276) / Response (277)
– Need more info (277)
– Payment & EOB (835)
Patient/Consumer interactions shown as non-HIPAA transactions:
– Need HC Insurance (Form)
– Payroll Deduction
– Treatment
– EOB (Paper)
EDI Transaction Standards – Unique Identifiers
Eventually HIPAA will require use of unique identifying numbers for employers and for covered entities (i.e., health plans, providers, and clearinghouses)
– To date, only the employer identifier standards have been finalized (the employer’s federal tax identification number must be used)
The controversial use of a unique identifier for employees has been withdrawn
Security – In General
Intended to minimize the risk of intentional or accidental disclosure or misuse, or the loss or corruption, of patient-identifiable health information
Sets a floor of minimum administrative, physical, and computer security standards to protect medical data
Reflects commonly accepted security safeguards widely used across many industries
Security measures are to be tailored to the organization’s risk analyses, technical environment, and business needs
Security – Employer Implications
Typically, will require developing and/or modifying a number of IT/IS policies, procedures, and protocols with respect to individual health information that is generated, transmitted, or stored electronically
– With respect to both the covered entity and its business associates
– Thus, early involvement of IT/IS staff in an employer’s HIPAA compliance effort is critical
Not uncommon for employers to engage a specialized IT/IS consultant to help assess compliance gaps and implement corrective steps
Privacy – In General
Rules apply to all individually patient-identifiable health information, whether in paper or electronic form
Key terms
– Protected Health Information (PHI)
– Covered Entity
– Business Associate
Privacy – Protected Health Information
PHI = individually identifiable health information + created or received by a covered entity
– Individually identifiable health information
• Any information that relates to an individual’s past, present, or future physical or mental condition, or the provision or payment of health care, and
• That specifically identifies the individual (or there is a reasonable belief that the individual can be identified), AND WHICH IS
– Created or received by a covered entity
• Can be in any form (oral, written, or electronic)
Examples: claims data, and (depending on source) enrollment data and employee contribution information
Privacy – De-Identification Requirements
Covered entities are permitted to use PHI to create de-identified information for their own unlimited use or for unlimited use by another entity without authorization from individuals
De-identified information = health care information which does not identify the individual, or which the covered entity has no reasonable basis to believe can be used to identify the individual
– While such generic information may be useful for certain types of broad-based trend studies, it is probably not useful for achieving most other business objectives
Use of certain types of partially de-identified information (summary information or “limited data sets”) is allowed for specific limited purposes
– Enrollment/disenrollment data
– Aggregate claims history / expenses / types of claims data for coverage renewals and plan design changes
Privacy – Covered Entity
All health care providers
All health care payers (including managed care organizations, carriers, and self-funded employers)
All health care clearinghouses that process claims or route electronic claims
Certain health plans
– Health insurers (including HMOs), and
– Group health plans with 50+ participants or administered by an entity other than the employer that established and maintains the plan
Privacy – Covered Entity (cont.)
Employers, as a whole, typically are not covered entities
– Thus, most employers are not directly subject to HIPAA privacy regulations
– However, certain components of an employer might constitute a covered entity (e.g., self-funded group health plan)
Hybrid employers will be subject to various requirements and obligations
– “Firewalls” must be created between covered and non-covered functions
– Plan cannot share PHI with the non-health plan component of the employer unless the plan sponsor certifies the plan has been amended to limit use and disclosure of PHI and that safeguards are in place
– Exceptions for limited enrollment activities
Privacy – Business Associates
Business associate = any outside entity to which covered entities disclose PHI to perform necessary functions
– E.g., third-party administrators, case managers, attorneys, collection agencies, claims auditors, consultants
– Does not include plan sponsors, insurers, or disclosures from a covered entity to a health care provider for treatment of an individual
Covered entities must have agreements in place to contractually bind BAs to limit use of PHI to designated purposes and to comply with covered-entity-type confidentiality rules
Privacy – Business Associates (cont.)
Covered entities have potential civil and criminal liability exposure for breaches by BAs
– Thus, there is an obligation to monitor your BAs’ activities
– Under final regulations, however, action needs to be taken only if there is actual knowledge of a material violation
Compliance deadline
– Generally, all BA agreements must be in place by 4/14/03
– However, any BA agreements in place prior to 10/15/02 will be deemed sufficient until 4/14/04 (unless the agreement terminates or is modified in any way prior to that date)
Privacy – Basic Requirements
Patients have the right to understand and control how their health information is being used
– Providers and health plans must give individuals clear, written notice of how they use, keep, and disclose their health information
– Individuals have the right to access their medical records (to view, make copies, request amendments, and obtain an accounting of non-routine disclosures)
– Individual authorizations required before information is released in most non-routine situations
– Covered entities accountable for use and release of information, with recourse available if privacy is violated
Privacy – Basic Requirements (cont.)
Use of individual health information generally limited to health purposes
– PHI cannot be used for purposes other than treatment, payment, or health care operations without individual authorization
– Individual authorizations must be informed and voluntary
– Reasonable efforts must be undertaken to limit release of information to the “minimum necessary amount”
• Minimum necessary amount requirement applies to use of protected health information for payment or health plan operations, but not for treatment purposes
Privacy – Basic Requirements (cont.)
Minimum privacy safeguard standards established for covered entities (with similar requirements applicable to BAs by contract and to plan sponsors by plan amendment)
– Adoption of written privacy procedures, with safeguards and sanctions specified
– Periodic distribution of privacy notice
– Training of employees on handling PHI
– Designation of a privacy officer (covered entities only)
– Establishment of a grievance / complaint procedure
– Recordkeeping with respect to PHI disclosures