Complying With HIPAA Complying With HIPAA ––What Will It Take?What Will It Take?

HIPAA SummitOctober 16, 2000

Jim KleinManager, Enterprise Security & HIPAA Compliance1-800-4BEACON

Page 2

Key QuestionsKey QuestionsKey QuestionsKey Questions

◆ What are the major compliance issues? ◆ How will HIPAA change the way

organizations operate?◆ What needs to be done to comply?◆ How can organizations capitalize on

opportunities?◆ How much will it cost?

Page 3

Benefits & How to Benefits & How to Benefits & How to Benefits & How to CapitalizeCapitalizeCapitalizeCapitalize

◆ Simplified transaction requirements ◆ Single coding rule◆ Increased EDI, lower FTEs ◆ DHHS; 29.9b net savings in 10 years◆ Reduced liability◆ Begin preparations and planning early

Page 4

Compliance Compliance Compliance Compliance IssuesIssuesIssuesIssues

Page 5

Key Compliance IssuesKey Compliance IssuesKey Compliance IssuesKey Compliance Issues

◆ Non-compliance liabilities◆ Coordinating compliance with multiple

trading and business partners◆ Protecting patient confidentiality◆ Enterprise-wide view of security/privacy

practices ◆ Organizational compliance assurance◆ Protecting public trust

Page 6

Key Issues Key Issues Key Issues Key Issues ––––TTTTransactions/Codes/NPIransactions/Codes/NPIransactions/Codes/NPIransactions/Codes/NPI

◆ Content gaps◆ Multiple formats & trading partners◆ Elimination of local & redundant codes◆ Replacing homegrown provider numbers◆ Provider IDs with built-in intelligence

Page 7

Key Issues Key Issues Key Issues Key Issues ---- SecuritySecuritySecuritySecurity

◆ Assessment◆ Appropriate security levels◆ Technology not the answer◆ Audit trails – review & detection

Page 8

Key Issues Key Issues Key Issues Key Issues ---- PrivacyPrivacyPrivacyPrivacy

◆ Patient rights◆ Use/disclosure practices◆ Accounting for disclosures◆ Disclosure restrictions◆ Incident reporting

Page 9

Key ChallengesKey ChallengesKey ChallengesKey Challenges

◆ HIPAA – Profound & Sweeping◆ Capitalizing on opportunities◆ Organizational focus and commitment◆ Identifying gaps and vulnerabilities◆ Compliance plan◆ Training◆ Documentation◆ Working with partners

Page 10

No QuickNo QuickNo QuickNo QuickFixesFixesFixesFixes

Page 11

Providers Providers Providers Providers ---- Not Just EDI Not Just EDI Not Just EDI Not Just EDI or Ior Ior Ior ITTTT

Information Systems

Business Office

Trading/Business Partners

Enterprise-Wide Event

Billing, EDIMedical records

PharmacyRegistration

TranscriptionLab, Radiology

Clinical

HumanResourcesAdministrative

Office Work Flow

Policies & Procedures

Page 12

Payers Payers Payers Payers ---- Not Just EDI or Not Just EDI or Not Just EDI or Not Just EDI or ITITITIT

Information Systems

Operations

Trading/Business Partners

Enterprise-Wide Event

EDIIndemnity

Managed CareMembershipAdjudicationCertification

Service FunctionsProvider Networks

Brokers

Membership

HumanResourcesAdministrative

Office Work Flow

Policies & Procedures

Page 13

Health Care LandscapeHealth Care LandscapeHealth Care LandscapeHealth Care Landscape

BeneficiaryBeneficiary ProviderProvider PMS/HISSystem

PMS/HISSystem

BillingAgentBillingAgent

VANVAN

NationalClearing-

house

NationalClearing-

house

Proprietary/Private

Network

Proprietary/Private

Network

Private

Blue

HMO

PPAAYYEERRSS MCO

Medicare

MedicaidRegional/

LocalClearinghouse

Regional/Local

Clearinghouse

NumerousData FlowsNumerousNumerousData FlowsData Flows

- Contractual obligations- Trading partner

readiness- Risk assessment- Contingency plans- Coordination issues

AFEHCT January 1997 presentation to HCFA

Page 14

OOOOperation peration peration peration ChangesChangesChangesChanges

Page 15

EnterpriseEnterpriseEnterpriseEnterprise----Wide ImpactsWide ImpactsWide ImpactsWide Impacts

◆ Policies & procedures◆ Minimum use, need-to-know◆ Security measures◆ Data collection◆ Disclosures◆ Training◆ Audit trails◆ Rules regarding marketing/sales divisions

Page 16

ProProProProvider vider vider vider Operation Operation Operation Operation ChanChanChanChangesgesgesges

Page 17

Scheduling & Front DeskScheduling & Front DeskScheduling & Front DeskScheduling & Front Desk

◆ Appointment confirmations, auto dialers◆ Sign-in◆ Registration, physical set-up◆ Information release forms◆ Patient rights◆ Certification/authorization

Page 18

Medical Medical Medical Medical RecordsRecordsRecordsRecords

◆ Release procedures◆ Authenticating requests◆ Controlling and accounting for records◆ Communicating record changes◆ Storage and destruction

Page 19

Clinical FunctionsClinical FunctionsClinical FunctionsClinical Functions

◆ Primary care, specialists, radiology, lab & pharmacy

◆ Automated lab results◆ Transcriptions◆ Physical set-up, terminals, films, records◆ Cultural change

Page 20

BillingBillingBillingBilling

◆ Transaction interchange◆ Trading partners & business associates◆ 3rd party collections◆ Internal procedures◆ Faxing◆ Storage and destruction

Page 21

Payer Payer Payer Payer Operation Operation Operation Operation ChangesChangesChangesChanges

Page 22

EnrollmentEnrollmentEnrollmentEnrollment

◆ Standard transaction◆ Member release form◆ Written notification of policies & patient

rights✦ Inspection✦ Copy✦ Correction

Page 23

Membership ServicesMembership ServicesMembership ServicesMembership Services

◆ Authenticating inquiries◆ Information release procedures◆ Processing record change requests◆ Change denial and appeal procedures◆ Processing disclosure history requests

Page 24

Provider ServicesProvider ServicesProvider ServicesProvider Services

◆ Authenticating inquiries◆ Disclosures◆ Communicating member restrictions◆ Faxes

Page 25

Administrative Administrative Administrative Administrative TransactionsTransactionsTransactionsTransactions

◆ Transaction standards◆ Personnel training/migration planning◆ Trading partners & business associates◆ Information exchange controls and

responsibilities

Page 26

Provider Provider Provider Provider & & & & Payer Payer Payer Payer

Operation Operation Operation Operation ChangesChangesChangesChanges

Page 27

AdministrationAdministrationAdministrationAdministration

◆ Audit trails◆ Security◆ Backup & recovery◆ Retention & destruction

Page 28

Human ResourcesHuman ResourcesHuman ResourcesHuman Resources

◆ Background checks◆ Training & orientation◆ Employee agreement◆ Infractions◆ Terminations

Page 29

Facility ManagementFacility ManagementFacility ManagementFacility Management

◆ Entry & access◆ After hours◆ Inner office access

Page 30

What Needs What Needs What Needs What Needs To Be To Be To Be To Be Done?Done?Done?Done?

Page 31

HIPAA HIPAA HIPAA HIPAA Critical PathCritical PathCritical PathCritical Path1998 1999 2000 2001

Published Draft Standards…Adopted…

Staggered 2 Year Compliance Period…

Awareness/EducationImpact Assessment

Planning/PreparationImplementation

Draft Standard Comments

DHHS

Industry

2002

Time frames will vary based on each organization’s unique circumstance

2003

Page 32

Key StepsKey StepsKey StepsKey Steps

◆ Executive level visibility and accountability

◆ HIPAA budget◆ Cross-organizational team◆ Impact assessments◆ Compliance options, pros & cons, costs◆ Compliance implementation◆ Coordinating with trading/business

partners

Page 33

Planning BaselinePlanning BaselinePlanning BaselinePlanning Baseline◆ Stable

✦ Transactions, code sets

✦ Employer identifier◆ Minor Change

✦ Security (definitions)✦ Separate e-signature

reg◆ Material Change

✦ Provider identifier (draft - 8 position AN, final - 10 digit N)

◆ Privacy✦ Definitions, scope,

patient control may be changed

◆ Unpublished✦ Claim attachments✦ First report of injury✦ Payer identifier

◆ Controversy✦ Individual identifier

(SSN?, ASTM UHID)

Page 34

Education/TrainingEducation/TrainingEducation/TrainingEducation/Training

◆ Business/technology leaders◆ Operational/business units◆ Security/technology specialists

Get the right training to the right people -

Page 35

AssessAssessAssessAssessmentmentmentment

◆ Enterprise-wide focus◆ Current state◆ Gap analysis, risks◆ Strategic plan implications◆ Compliance strategy, options, cost

Understanding HIPAA implications is the first step toward successful compliance -

Page 36

AssessmentAssessmentAssessmentAssessment

◆ Business framework◆ Operational interfaces◆ Risks and potential failures◆ Non-compliant systems and components◆ Compliance capability and plans◆ Contingencies

Evaluation of all trading partners is a key element in understanding compliance issues -

Page 37

Compliance OptionsCompliance OptionsCompliance OptionsCompliance Options

◆ Internal vs. 3rd party assessment◆ Translators◆ Clearinghouses◆ Complete vs. partial remediation

✦ Cross-walks✦ Long-term implications

◆ Impact on other initiatives

Page 38

Costs & Costs & Costs & Costs & PlanningPlanningPlanningPlanning

Page 39

Building the Financial Building the Financial Building the Financial Building the Financial ModelModelModelModel

◆ Cost factors & drivers✦ Expertise & Personnel✦ Capital outlay✦ Manual (or paper) versus electronic✦ ROI

◆ Opportunities for additional efficiencies✦ Automated eligibility, pre-certification, etc.✦ Technology (proximity sensors, single sign-on,

etc.)✦ Work flow efficiencies

Page 40

Common Business DriversCommon Business DriversCommon Business DriversCommon Business Drivers

Business

Partners

Operations

SystemsThe HIPAA Challenge

� Compliance� Product/service/business

impacts� Implementation options� Strategic business plan

alignment� Resource/cost requirements� Implementation complexities� Risk management� Legal implications

� Market share/growth� Consumer

trends/expectations� Cost management� Service distinction� Competition

Page 41

Planning ChecklistPlanning ChecklistPlanning ChecklistPlanning Checklist

Business

Partners

Operations

Systems Key Components� EDI� Adjudication,

membership, utilization, provider network

� Billing, clinical, admissions, registration, medical records

� Audit, history� Access, authentication

� Software Applications� Data Structures� Interfaces� Networks� Security

Page 42

Planning ChecklistPlanning ChecklistPlanning ChecklistPlanning Checklist

Business

Partners

Operations

Systems

Key Components� HIPAA relevance� Compliance

strategy� Accountability

� Acquisitions, mergers� E-business initiatives� Technology strategies� Funding

Page 43

Planning ChecklistPlanning ChecklistPlanning ChecklistPlanning Checklist

Business

Partners

Operations

SystemsKey Components

� Corporate policy/procedure impacts

� As-is process flow impacts� Changes in interacting with the

public, members/patients, providers, payers, and business partners

� Audit and control changes� Security program, responsibility,

safeguards, procedures� Compliance monitoring� Awareness/responsibility training

� Affected business processes

� Administration and Human Resources

� Security program

Page 44

PlanningPlanningPlanningPlanning ChecklistChecklistChecklistChecklist

Business

Partners

Operations

Systems Key Components� Compliance liability &

responsibility� Performance expectations� Commitments� Risk assessment� Options� Contingency planning� Implementation coordination

� Clearinghouses� Practice management

system vendors� IT outsourcing� Products/private labeling� Internet partners

Page 45

General General General General DiscussiDiscussiDiscussiDiscussionononon

Page 46

ResourcesResourcesResourcesResources

◆ DHHS - administrative simplification✦ aspe.dhhs.gov/admnsimp/index.htm

◆ DHHS data council web site✦ aspe.dhhs.gov/datacncl/

◆ NCVHS Web Site✦ ncvhs.hhs.gov

Page 47

ResourcesResourcesResourcesResources

◆ HIPAA Comply web site ✦ www.HIPAAcomply.com

◆ WEDI web site✦ www.wedi.org

◆ AFEHCT web site✦ www.afehct.org

◆ EHNAC web site✦ www.ehnac.org

Page 48

Thank You!Thank You!Thank You!Thank You!Jim KleinManager, Enterprise Security & HIPAA ComplianceBeacon Partners, Inc.200 Cordwainer Drive, Suite 300Norwell, MA 02061PH: (410) 721-9144Email: jklein@beaconpartners.comWeb: www.HIPAAcomply.com