An Overview of HIPAA
Presented by the Office of the General Counsel

Posted 15-Dec-2015 (uploaded by rey-jemmott)

HIPAA
• Health
• Insurance
• Portability and
• Accountability
• Act

HIPAA’s Goals
• Simplify the Administration of Electronic Health Information
• Protect an Individual’s Privacy Rights with regard to Health Information

When is HIPAA effective?
• First Deadline: October 2002
  – Possible Extension until Oct. 2003
  – AU must have Compliance plan
• Privacy Regulations: April 2003
  – AU target date for compliance

Who Must Comply?
“Each Covered Entity who maintains or transmits health information”
• Health Plans
• Health Care Clearinghouse
• Health Care Providers

Who is a Provider?
“Any person or entity that furnishes, bills, or is paid for health care in the normal course of business.”
– Health Care = any “care, services, or supplies related to the health of an individual”

Examples of Providers / Plans
• Student Health Center
• Psychology Clinics
• EAP
• Athletic Department
• Hearing / Eye Clinics
• Self-Insurance Health Plans

4 Key HIPAA Elements
• Electronic Transaction & Code Set Standards
• Security Standards
• Privacy Regulations
• National Identifiers

Electronic Transaction & Code Set Standards
• General Rule:
“If a covered entity (either itself or through an agent) conducts a Covered Transaction electronically, the transaction must be conducted using the HIPAA form.”

Electronic Transaction & Code Set Standards
Required Elements
1. Covered Entity
2. Electronically transmits
3. Covered Transaction

Covered Transactions
• Submission of Claims for payment
• Checking eligibility
• Enrollment & Disenrollment
• Referrals and pre-certification
• Claims attachments
• Payment & claims remittance
• Coordination of Benefits
• Checking claims’ status

Electronic Transaction & Code Set Standards
Requirements of ETS
• Standard Formats
• Standard Data Content
• Standard Codes

Electronic Transaction & Code Set Standards
Where to find the ETS standards:
• http://aspe.hhs.gov/admnsimp
• www.wpc-edi.com/HIPAA
• www.afehct.org

Security Standards
• Intended to protect against
  • Unauthorized access
  • Accidental / Intentional disclosure to unauthorized persons
  • Alteration, destruction, or loss

Security Standards
Who is Covered?
• Any covered entity
• That Stores information electronically
• Does not have to be a covered transaction

Security Standards
- Elements -
• Administrative Procedures
  – Protects health info
  – Manages personnel Conduct
• Physical Safeguards
  – Protects physical systems / buildings
• Technical Security
  – Controls access to health information

Administrative Procedures
• Security Analysis
• Information access privileges
• Password & Authentication policies
• Plans for disasters & security breaches
• Disciplinary process & penalties
• Employee & Vendor Training
• Security Officer

Physical Safeguards
• Document ways computer & physical records are protected
• Use of keys, locks, etc. to control access to computers
• Restriction of access to authorized persons
• Tracking of medical records
• Workstation location policy

Technical Security
• Single sign-on technology
• New user IDs, passwords
• Audit trails for health info

Security Standards
General Comments
• Still in proposed form
• Not technically specific
• Amount of security required is scalable based on dept. size and resources

Privacy Regulations
• General Rule:
“A covered entity may not use or disclose Protected Health Information (PHI) except as permitted by the privacy regulations.”

Privacy Regulations
• PHI – Protected Health Information
  – Individually Identifiable
  – Any form or medium
    • Electronic, Oral, or Written
  – Created or Received
  – Relates to past, present, future condition or payment of individual
  – Exception: FERPA records

Privacy Regulations
• General Requirement:
“Must make reasonable efforts to limit the use and disclosure of PHI to the minimum necessary to accomplish intended purpose.”

Privacy Regulations
Main Elements
• Rules for Use & Disclosure of PHI
• Patient’s Rights to Health Info
• Administrative Procedures
• Business Partner Requirement

Rules for Use & Disclosure
Consent vs. Authorization
Consent: If a general written consent is obtained, a provider may use/disclose PHI for “TPO”
Authorization: If use/disclosure is not for “TPO”, use/disclosure forbidden without a more specific authorization
“TPO” = Treatment/Payment/Health Care Operations

Rules for Use & Disclosure
“TPO” = Treatment / Payment / Health Care Operations
Treatment: Provision, coordination, management of healthcare
Payment: Actions to obtain payment
Operations: Internal day-to-day business. Ex: QA, Peer Review, Customer Service

Rules for Use & Disclosure
Consent
• Must be in plain language
• Must specify use of PHI
• Can make a prerequisite to treatment (Can refuse treatment)
• Exceptions: Emergency, Required by Law, Communication barriers,

Rules for Use & Disclosure
Authorization
• Cannot be a condition of treatment
• Must Inform about specific use and right to refuse, revoke, and inspect
• Psychotherapy Notes require Authorization
• Examples
  • Research
  • Marketing
  • Fundraising

Patient’s Rights
• Right to Notice of Privacy Practices
• Right of Access to PHI
• Right to Accounting of Disclosures for 6 years
• Right to request restriction of TPO use to family members
  – Not required to agree if TPO

Administrative Procedures
• Document policies, procedures, & systems to achieve compliance
• Complaint Mechanisms
• Employee Sanctions
• Documented training of employees
• Mitigation of harmful effects
• Designated Privacy officer

Business Associates
• General Rule:
  – A covered entity must have a business associate contract to ensure that its business associates also are in compliance with HIPAA’s protection of PHI.

Business Associates
• Business Associates…
  – Perform a function involving use / disclosure of PHI on behalf of the covered entity
  – Perform legal, accounting, consulting, data aggregation, administrative, management, or financial services involving PHI for the covered entity

Business Associates
• Examples:
  – Billing companies
  – Computer Vendors
  – Attorneys, Accountants, Auditors
  – Consultants
  – Document storage / destruction companies

Business Associates
• Business Associate Contracts:
  – Restrict use & disclosure of PHI
  – Require appropriate safeguards
  – Require similar requirements of subcontractors
  – Require B.A. to disclose breaches
  – Require B.A. to remedy breaches or risk termination of contract

Hybrid Entity
• Requirements
  – Single Legal Entity
  – Primary business is not healthcare
• Advantages
  – Only “Healthcare Components” must comply with HIPAA
• Disadvantage
  – Firewall between HC Components and Non-Components

Hybrid Entity
• Auburn must…
  – Identify Healthcare Components
  – Identify Business Associates of the HC Components
  – Erect the ‘firewalls’ between HC Components & Non-Components

Penalties for Non-Compliance
** Both Individuals & Entities can incur criminal and/or civil penalties
Civil Penalties: $100 - $25,000
Criminal Penalties: Max 10 yrs. Prison, Max $250,000 fine

HIPAA Timeline
• ETS Standards: October 16, 2002
  – Extended to Oct. 2003 w/ University extension
• Privacy Regs: April 14, 2003
• Security Regs: Date expected by August 2002

Next Steps toward Compliance
1. Fill out the AU HIPAA Survey
2. Review how PHI is stored, accessed, protected, & destroyed
3. Think about easy steps to better protect PHI
4. Designate 1+ person to review specific HIPAA policies

For more HIPAA info…
• www.hipaa.org
  – Links to complete final rules & proposed rules
• www.hipaadvisory.com
  – News, primers, and complete rules
• www.hrm.uab.edu/HIPAA
  – UAB’s training site

Additional Questions?
Contact the Provost’s Office