Post on 14-Dec-2015
HIPAA OVERVIEW
Version 2: 12/16/02
HIPAA Collaborative of Wisconsin (HIPAA COW)
www.hipaacow.org
Copyright 2002 HIPAA COW
This Training Module is Copyright 2002 by the HIPAA Collaborative of Wisconsin (“HIPAA COW”). It may be freely redistributed in its entirety provided that this copyright notice is not removed. It may not be sold for profit or used in commercial documents without the written permission of the copyright holder. This Training Module is provided “as is” without any express or implied warranty. This Training Module is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney. HIPAA COW has not yet addressed all state pre-emption issues related to this Training Module. Therefore, this form may need to be modified in order to comply with Wisconsin law.
AGENDA
- History
- Purpose
- Compliance Dates
- Covered Entities
- Electronic Transactions & Code Sets
- Security
- Privacy
- Failure to Comply
- Implementation
HISTORY
HIPAA stands for “Health Insurance Portability & Accountability Act of 1996”
HIPAA was passed in 1996 as part of a broad congressional attempt at healthcare reform
What we’re now dealing with is Title II – Administrative Simplification
HIPAA: THE FIVE TITLES
- Title I: Health insurance access, portability and renewal
- Title II: Fraud and Abuse; Medical Liability Reform; Administrative Simplification
- Title III: Medical Savings Accounts; Tax deduction provisions
- Title IV: Group health plan provisions
- Title V: Revenue offset provisions

Administrative Simplification (Title II) consists of:
- Electronic Transaction Standards (EDI): for 9 key payor transactions; includes clinical code sets; includes key identifiers
- Security Standards: for protecting electronic health information
- Privacy Standards: to spell out permissible uses of patient identifiable healthcare information
PURPOSE – TITLE II ADMINISTRATIVE SIMPLIFICATION
- To increase the efficiency and effectiveness of the entire health care system through:
  - The electronic exchange of information
  - The standardization of that information
- To enhance the security and privacy of Protected Health Information (PHI) throughout the entire health system
THE NEED
1 in 6 patients will omit sensitive information when discussing medical history with their physician out of fear of misuse or mishandling.
(Source: DHHS, Privacy Rule preamble)
COMPLIANCE DATES
Electronic Transactions Standards:
- Standardized Code Sets: 10/16/02, or 10/16/03 if an extension was filed
- Unique Provider & Health Plan Identifiers: Final Rule not yet published
- Claims Attachments & 1st Report of Injury: Final Rule not yet published
Privacy Standards: April 14, 2003
Security Standards: Final Rule not yet published
HIPAA APPLIES TO:
Covered Entities:
- Health Plans (licensed insurers, ERISA plans, HMOs, Medicare, etc.)
- Providers (physicians, hospitals, home health, DME, pharmacy, chiropractic, dental, etc.) who conduct 1 or more of the HIPAA-defined transactions electronically
- Clearinghouses
Electronic Transactions and Code Sets
ELECTRONIC TRANSACTIONS
(Source: Phoenix Health Systems)

Provider <-> Payer transactions:
  270  Eligibility and Benefits Inquiry (provider to payer)
  271  Eligibility and Benefits Response (payer to provider)
  837  Claim Submission (provider) / Claim Receipt (payer)
  276  Claim Status Inquiry (provider to payer)
  277  Claim Status Response (payer to provider)
  835  Claim Payment / Advice (payer to provider)
  278  Preauthorization or Referral Request (provider) / Response (payer)

Employer <-> Payer transactions:
  834  Enrollment and Termination of Enrollment Data
  820  Premium Payment and Advice
ELECTRONIC TRANSACTIONS & CODE SETS
- Must use HIPAA standards for designated transactions
- Must use appropriate code sets in transactions:
  - Medical data code sets
  - Non-medical data code sets
Security (Proposed Rule)
SECURITY
Covered Entities must maintain reasonable & appropriate administrative, physical, & technical safeguards to:
- Ensure the integrity & confidentiality of PHI
- Protect against unauthorized access, use, or disclosure by employees or external parties
- Protect the availability of PHI in emergency and disaster situations
- Demonstrate compliance by officers and employees
COMPONENTS OF PROPOSED SECURITY STANDARDS
- Administrative Security Procedures
- Physical Safeguards
- Technical Security Services
- Communications Security
- Electronic Signature
ADMINISTRATIVE PROCEDURES
- Certification of Security
- Chain of Trust Agreements
- Contingency and Disaster Recovery Planning
- Information Access Control
- Internal Security Audit Procedures
- Personnel Security
- Transfers
- Termination procedures
- Management of authorization methods
- Personnel clearance procedures
- Training in security
PHYSICAL SAFEGUARDS
- Assigned Security Responsibility
- Media Controls
- Physical Access Controls
- Secure Workstation Location
TECHNICAL SECURITY SERVICES
- Access Controls
- Audit Controls
- Authorization Controls
- Data Authentication
- Entity Authentication
COMMUNICATIONS SECURITY
- Integrity Controls
- Message Authentication
- Access Controls or Encryption
- Alarm
- Audit trail
- Entity Authentication
- Event Reporting
Privacy
PRIVACY: KEY FEATURES
- PHI Uses & Disclosures
- Consent
- Authorization
- Notice of Privacy Practices
- Minimum Necessary
- Patient Rights
- Business Associates
- Marketing, Fundraising, and Research
- Interaction with State privacy and confidentiality laws
- Administrative Requirements
- Penalties
PRIVACY RULE: WHAT DOES IT DO?
HIPAA regulates the use or disclosure of Protected Health Information (PHI).
WHAT IS PHI?
Health and demographic information about an individual that is transmitted or maintained in any medium where the information:
- Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
- Relates to the past, present, or future:
  - Physical or mental health condition of an individual, or
  - Provision of health care to an individual, or
  - Payment for the provision of health care to an individual.
INDIVIDUAL IDENTIFIERS
1. Name
2. Geographic subdivisions smaller than a State: street address, city, county, precinct, zip code and their equivalent geocodes, except for the initial three digits of the zip code
3. Dates, except year: birth date, admission date, discharge date, date of death
4. Telephone numbers
5. Fax number
6. E-Mail Address
7. Social security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web universal resource locations (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code
LIMITED DATA SET
For research, public health or health care operations, a limited data set is PHI from which the following direct identifiers have been removed:
1. Names
2. Postal address, other than town, state, & zip
3. Telephone numbers
4. Fax numbers
5. E-mail addresses
6. Social Security Numbers
7. Medical Record numbers
8. Beneficiary numbers
9. Account numbers
10. Certificate/license numbers
11. Vehicle numbers
12. Device identifiers
13. URLs (web locators)
14. Internet IP addresses
15. Biometric identifiers
16. Full face photographs
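The two de-identification outputs described on the Individual Identifiers and Limited Data Set slides, as an added Python example that is not part of the HIPAA COW module: safe_harbor() applies the 18-category list with the slide's date and zip generalizations, limited_data_set() strips only the 16 direct identifiers and keeps dates and town/state/zip, and residual_identifiers() scans the output for identifier-shaped values that survive inside free text. The field names, the record layout and the patient record are constructed for the example. The actual rule at 45 CFR 164.514 adds conditions the slide does not list (three-digit zips covering fewer than 20,000 people become 000; ages over 89 are aggregated), and this code does not implement them.

```python
import re
from datetime import date

# The 16 direct identifiers a limited data set must strip ("Limited Data Set"
# slide), keyed by the constructed record's field names.
LDS_DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_no", "license_no", "vehicle_id", "device_id",
    "url", "ip", "biometric", "photo",
}

# Safe harbor ("Individual Identifiers" slide) also removes geography below
# the state (except the first three zip digits) and any other unique code,
# and cuts dates to the year. Not implemented (not on the slide): zip3 areas
# under 20,000 people become "000"; ages over 89 are aggregated.
SAFE_HARBOR_REMOVE = LDS_DIRECT_IDENTIFIERS | {
    "city", "county", "precinct", "other_unique_code",
}
DATE_FIELD = re.compile(r"(^date_of_|_date$)")  # field-naming convention assumed


def _year_only(value):
    """Safe-harbor date element: keep the year, drop month and day."""
    if isinstance(value, date):
        return str(value.year)
    return str(date.fromisoformat(str(value)).year)


def _zip3(value):
    """Safe-harbor zip: the initial three digits only (empty if fewer)."""
    digits = re.sub(r"\D", "", str(value))
    return digits[:3] if len(digits) >= 3 else ""


def limited_data_set(record):
    """Strip the 16 direct identifiers; dates and town/state/zip stay."""
    return {k: v for k, v in record.items() if k not in LDS_DIRECT_IDENTIFIERS}


def safe_harbor(record):
    """Remove or generalize every category on the 18-item identifier list."""
    out = {}
    for field, value in record.items():
        if field in SAFE_HARBOR_REMOVE:
            continue
        if field == "zip":
            out[field] = _zip3(value)
        elif DATE_FIELD.search(field):
            out[field] = _year_only(value)
        else:
            out[field] = value
    return out


# Identifier-shaped values can survive inside free text (category 18 covers
# "any other unique identifying number"), so check the output, not the schema.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def residual_identifiers(record):
    """List (field, pattern) pairs for identifier-shaped values still present."""
    return [(field, name)
            for field, value in record.items()
            for name, pat in LEAK_PATTERNS.items()
            if pat.search(str(value))]


# Constructed sample record: fictional patient, 555 phone, documentation IP.
SAMPLE_RECORD = {
    "name": "Jane Q. Public",
    "street_address": "123 Main St",
    "city": "Madison",
    "state": "WI",
    "zip": "53703-1234",
    "birth_date": "1961-07-04",
    "admission_date": "2002-11-15",
    "discharge_date": "2002-11-18",
    "phone": "608-555-0142",
    "email": "jane@example.com",
    "ssn": "123-45-6789",
    "mrn": "MRN-0098231",
    "device_id": "PM-SN-44812",
    "ip": "192.0.2.10",
    "diagnosis": "I10 essential hypertension",
    "note": "Stable; follow up in 2 weeks.",
}

if __name__ == "__main__":
    print("safe harbor:", safe_harbor(SAMPLE_RECORD))
    print("limited data set:", limited_data_set(SAMPLE_RECORD))
    leaky = dict(safe_harbor(SAMPLE_RECORD), note="Call 608-555-0142 about results")
    print("leaks in free text:", residual_identifiers(leaky))
```

The schema-level functions are deliberately allowlist-blind: they act on field names, so a phone number pasted into a clinical note passes straight through. That is why the last step in the block runs the pattern scan over the de-identified output rather than trusting the field list.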
PERMITTED USES & DISCLOSURES
Covered entities are permitted to use and disclose PHI for:
- Treatment
- Payment
- Health Care Operations
(These are referred to as “TPO”)
PERMITTED USES & DISCLOSURES
The final modifications permit covered entities to:
- Use or disclose PHI for their own TPO
- Disclose PHI to another entity for that entity's treatment, payment and health care operation activities, where:
  - Each entity has a current or prior relationship with the individual
  - The disclosure is for “health care operations”
  - The disclosure is for fraud and abuse detection
MANDATED USES & DISCLOSURES
HIPAA mandates the disclosure of PHI for certain purposes, such as:
- Health oversight activities
- Judicial and administrative proceedings
- Law enforcement purposes
- Organ donation
All other uses or disclosures, outside TPO and the purposes mandated or otherwise permitted by the rule, require an authorization.
HEALTH CARE OPERATIONS
Any of the following activities of a Covered Entity:
- Quality assessment and improvement and population-based activities
- Peer review and credentialing activities
- Underwriting, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance
- Medical review, legal services, and auditing
- Business planning and development
- Business management and general administrative activities
CONSENT
Consent is optional prior to disclosing PHI for treatment, payment or health care operations.
Covered entities must provide individuals with notice of their privacy practices.
Providers are required to keep the patient's acknowledgement of receipt of the notice on file.
CONSENT
Consent forms must:
- Be in plain language
- Inform the individual of how information may be used for TPO
- Refer to the notice of privacy practices
- Inform of the right to request restrictions
- Inform of the right to revoke consent
- Be signed and dated by the individual
Consent forms are valid until revoked.
(This slide is optional.)
AUTHORIZATION
Authorization must be obtained for ALL uses and disclosures other than TPO or those mandated under law.
Authorizations must include:
- A description of the information to be disclosed
- The name of the person or entities to whom the information will be disclosed
- An expiration date
- Information regarding the right to revoke
- Date and signature
PRIVACY NOTICE
Privacy Notices must:
- Be in plain language
- Contain a description and example of TPO
- Contain a description and example of other uses and disclosures not requiring Authorization
- Include statements about an individual's rights
- Include statements about the Covered Entity's duties
- Describe the complaint process
- Provide other specific requirements
MINIMUM NECESSARY
The privacy rule requires covered entities to use or disclose only the “minimum necessary” PHI to accomplish the intended purpose of the use, disclosure, or request.
MINIMUM NECESSARY
Internal Requirements:
- Identify workforce who need to access PHI
- For each class, category or person identified, limit access based on need-to-know
External Requirements:
- Limit access to what is needed to accomplish the purpose for which the request was made
- May “reasonably rely” that the requesting entity is asking for the “minimum necessary”
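An added Python example, not from the HIPAA COW module, of the internal minimum-necessary requirement above, implemented with the access controls and audit controls listed under Technical Security Services: a deny-by-default allowlist of PHI fields per workforce class, one audit event per access decision, and a check that flags requests for more than the role may see. The workforce classes, field names, purposes and patient record are constructed assumptions; a covered entity defines its own classes when it identifies who needs PHI.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed policy (assumption, not from the module): each workforce class
# maps to the PHI fields its job needs. Fields not listed are denied by
# default. None marks the rule's own exemption: minimum necessary does not
# apply to uses or disclosures for treatment.
MINIMUM_NECESSARY_POLICY = {
    "billing": {"name", "mrn", "account_no", "dates_of_service", "procedure_codes"},
    "scheduling": {"name", "phone", "next_appointment"},
    "quality_review": {"mrn", "diagnosis_codes", "procedure_codes", "dates_of_service"},
    "treating_provider": None,
}


@dataclass(frozen=True)
class AuditEvent:
    """One access decision for the audit trail. The trail itself holds PHI
    (the MRN) and needs the same protection as the record it describes."""
    when: str
    actor: str
    role: str
    purpose: str
    subject_mrn: str
    granted: tuple
    denied: tuple


AUDIT_TRAIL = []


def access_phi(record, actor, role, purpose, requested=None, trail=AUDIT_TRAIL):
    """Return the minimum-necessary view of `record` for `role`; log the decision.

    `requested` is the set of fields asked for (default: the whole record); the
    view is its intersection with the role's allowlist. An unknown role gets
    nothing but is still logged, so probing shows up in the audit trail.
    """
    wanted = set(requested) if requested is not None else set(record)
    allowed = MINIMUM_NECESSARY_POLICY.get(role, set())
    granted = wanted if allowed is None else wanted & allowed
    denied = wanted - granted
    view = {k: v for k, v in record.items() if k in granted}
    trail.append(AuditEvent(
        when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
        actor=actor, role=role, purpose=purpose,
        subject_mrn=record.get("mrn", "?"),
        granted=tuple(sorted(granted)), denied=tuple(sorted(denied)),
    ))
    return view


def over_requests(trail):
    """Internal audit check: accesses that asked for more than the role may see."""
    return [(e.actor, e.role, e.denied) for e in trail if e.denied]


# Constructed sample record (fictional patient, 555 phone).
SAMPLE_RECORD = {
    "name": "Jane Q. Public",
    "mrn": "MRN-0098231",
    "phone": "608-555-0142",
    "account_no": "ACCT-77120",
    "dates_of_service": ["2002-11-15"],
    "diagnosis_codes": ["I10"],
    "procedure_codes": ["99213"],
    "next_appointment": "2002-12-02",
    "clinical_notes": "Stable; follow up in 2 weeks.",
}

if __name__ == "__main__":
    print(access_phi(SAMPLE_RECORD, "bsmith", "billing", "prepare 837 claim"))
    print(access_phi(SAMPLE_RECORD, "jdoe", "scheduling", "reminder call",
                     requested={"name", "phone", "diagnosis_codes"}))
    print(access_phi(SAMPLE_RECORD, "guest", "vendor", "curiosity"))
    for actor, role, denied in over_requests(AUDIT_TRAIL):
        print(f"over-request by {actor} ({role}): denied {denied}")
```

The allowlist is the point: a denylist of "sensitive" fields fails open whenever a new field is added to the record, whereas an allowlist fails closed. Logging the denied fields, not only the granted ones, is what makes the internal security audit useful, since a workforce member who repeatedly requests diagnosis codes from a scheduling role is visible in the trail.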
BUSINESS ASSOCIATE
A person or entity that provides services on behalf of, or to, a Covered Entity, where the services involve the use or disclosure of PHI
NOT a member of your workforce
Transition Period: an additional year to enter into Business Associate Agreements.
MARKETING
HIPAA defines “marketing” as a communication about a product or service to encourage a recipient to purchase or use that product or service.
What is NOT marketing? A communication that:
- Concerns health-related products and services of the covered entity, and meets certain requirements
- Is made for treatment of the individual
- Is made for case management or care coordination, or to direct alternative treatments, therapies, providers or care
MARKETING
Authorization is not required to use or disclose PHI for marketing if the communication is:
- Face-to-face, made by the covered entity with the individual
- A promotional gift of nominal value
Any other marketing requires an individual's authorization.
FUNDRAISING
PHI use and disclosure for a covered entity's own fundraising purposes is permitted:
- Meets the definition of Health Care Operations
- Consent required (to be removed under NPRM)
- Authorization not required
PHI may also be disclosed to a business associate or institutionally-related foundation:
- Must be for the purpose of raising funds for the covered entity
- Limited to demographic information and dates of health care provided
- Fundraising material must offer an opt-out mechanism
RESEARCH
To use or disclose PHI for research purposes without authorization, the covered entity must obtain one of the following:
- Approval from the Institutional Review Board (IRB) or Privacy Board
- Data Use Agreement: agreement to use limited data sets
- Preparatory to Research: PHI used to prepare a research protocol
- Research on PHI of Decedents
RESEARCH AUTHORIZATION
Authorization requirements for the use and disclosure of PHI, for research purposes:
Unlike other authorizations, the research authorization does not have to include an expiration date.
Authorization may be combined with other research consent forms.
INDIVIDUAL RIGHTS
Individuals have the right to:
- Receive written notice of privacy practices
- Request restrictions on uses & disclosures
- Access, inspect & copy their PHI
- Request amendment or correction of their PHI
- Receive an accounting of disclosures of their PHI (except those related to treatment, payment, & operations)
ADMINISTRATIVE REQUIREMENTS
Designate a privacy officer with primary responsibility for ensuring compliance with the regulations
Establish training programs for all members of the workforce
Implement appropriate policies & procedures to prevent intentional and accidental disclosures of PHI
ADMINISTRATIVE REQUIREMENTS
Establish a system for receiving and responding to complaints regarding the Covered Entity’s privacy practices
Implement appropriate sanctions for violations of the privacy guidelines
Make reasonable efforts to limit information to minimum necessary to accomplish a person’s purpose/job
ENFORCEMENT
The Public. The public will be educated about their privacy rights and will not tolerate violations to their privacy! Expect Class Action lawsuits.
Office For Civil Rights (OCR). Designated the enforcement agency concerning privacy regulations. They will provide guidance and monitor compliance.
Department of Justice (DOJ). Involved in criminal privacy violations. Fines, penalties & imprisonment.
PENALTIES - FAILURE TO COMPLY
Civil:
- $100 per violation per person, up to a maximum of $25,000 per person per year per standard violated
Criminal:
- Up to $50,000, 1 year in prison, or both, for inappropriate use of PHI
- Up to $100,000, 5 years in prison, or both, for using PHI under false pretenses
- Up to $250,000, 10 years in prison, or both, for the intent to sell or use PHI for commercial advantage, personal gain, or malicious harm
HIPAA AT (INSERT YOUR ORGANIZATION’S NAME)
(INSERT YOUR ORGANIZATION’S HIPAA STRUCTURE)
HIPAA IMPLEMENTATION STEPS
- Provide Education & Awareness Training
- Establish an Implementation Team
- Develop Implementation Strategy
- Allocate Appropriate Resources
- Conduct Risk Assessment and Gap Analysis
- Establish Policies & Procedures
- Audit and Monitor
- Join HIPAA COW!
RESOURCE
WWW.HIPAACOW.ORG
REFERENCES
This presentation has been adapted from Cathy Boelke's presentation for Avanti.
Contributors: Karen Bauer; Joan Benson, MBA, MT(ASCP)SH; Catherine Boelke, MBA, CMPE; Tony Cooper, FHFMA, CFE; Terri Edgar, RN, BSN; Renee Hinkel, RN, MSN; William Jensen, MBA; Jennifer Laughlin, RHIA; Richard Reynolds, FHIMSS; Beth Zallar, MS, RHIA