HIPAA Overview CH2: CH4: Boothill Death Registry Manager. Prior to HIPAA Horror Stories


Red Raven Productions PRESENTATION: HIPAA Privacy & Security, X12 Standards, ICD GEM

HIPAA - X12N - ICD

"It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change." - Charles Darwin

CH1: HIPAA Overview
CH2: X12N Standards Overview
CH3: ICD GEM Overview
CH4: Boothill Death Registry Manager
CH5: ICD GEM Manager
CH6: ICD GEM SuperBill

Prior to HIPAA: Horror Stories
Patient records made public.
UCLA researcher illegally read medical records.
reminders not BCC'd.
Women were fired.
Companies checked medical records before hiring or promoting.
People avoid using insurance.
BCBS of Tennessee reported 57 HDs stolen.
Technician viewed PHI.
Records blew out of truck.
Used computers purchased containing prescription records.
Pharmaceutical companies sold marketing lists.
Banker called in mortgages.
Hospitals gave PHI to newspapers.

HIPAA Overview: HIPAA Privacy & Security

Prior to HIPAA: Privacy Act of 1974

The Privacy Act of 1974 protected records that could be retrieved by personal identifiers such as a name, social security number, or other identifying number or symbol. An individual is entitled to access to his or her records and to request correction of these records if applicable. The Privacy Act prohibits disclosure of these records without written individual consent unless one of the twelve disclosure exceptions enumerated in the Act applies. These records are held in Privacy Act systems of records. A notice of any such system is published in the Federal Register. These notices identify the legal authority for collecting and storing the records, individuals about whom records will be collected, what kinds of information will be collected, and how the records will be used.

Before 1983: Payers w/different forms

Most of the BCBS organizations were separate entities in each state.

Example:
An individual from Illinois vacations in Florida and has to get health care.
The health care provider would complete payment forms and send them in to the BCBS of Florida.
The BCBS of Florida would decode the forms and enter the information into their mainframe computer, and pay the provider.
Then BCBS of Florida would send the payment information to the BCBS of Illinois for reimbursement / reconciliation.
The BCBS of Illinois would have to decipher what information was supplied on the form and data enter the information into their mainframe computer.
Sometimes the information was incomplete and/or in a format that was difficult to interpret by their standards.
This would cause the payers to play "form tag", going back and forth coordinating health care information.

Before 1983 Example (continued)
Then, after a great deal of effort, payment is made for the insured's treatment.
This process would take weeks, months and sometimes years.

In 1983: IPDR (Inter-Plan Data Reporting)
As an application Data Base Administrator, Data Base Designer and Application programmer for the BCBS Association in Chicago, I designed and developed the first Inter Plan Data Reporting VSAM file structure and COBOL programs. Thus I created this first common file format & data content standardization that allowed the "Blues" in all the states to communicate more efficiently with each other and get paid or reimbursed in a timely manner. This design structure was known as IPDR.

Beginnings of HIPAA
In the mid-1990s: Reform Health Care; Address Administrative Concerns.
During that time, the Health Care industry wanted administrative simplification in one format, one guide for all. And my work for the BCBSA helped.
In 1996: HIPAA enacted into law by Senators Edward Kennedy and Nancy Kassebaum. Portability; Administrative Simplification.

PORTABILITY
Workers can continue health care between different employers.
Group insurance cannot: Reject, Refuse to renew, of certain individuals or Charge higher premiums.
It simplified administration by creating a health care transaction standard.

Brief History of HIPAA

ACCOUNTABILITY
There are penalties for non-compliance, which I'll discuss in a later slide.
And there are also tax provisions.
The law contains a section known as Administrative Simplification and includes requirements for the following: Electronic transactions and code set standards; Privacy; Security; National Identifiers.

HIPAA Privacy & Security
Titles; Administrative Simplification; Privacy & Security Rules; Electronic Health Record Standards; Definitions; Acronyms; Compliance Timelines; Penalties for non-compliance; HIPAA Audits.

Titles

Title I: Healthcare Insurance Access, Portability, and Renewability
Prohibits discrimination in enrollments and in premiums charged to employees and their dependents based on health status related factors.

Health Status Related Factors
Health status related factors include: health status, medical conditions (including both physical and mental illness), claims experience, receipt of health care, medical history, genetic information, evidence of insurability, and disability.

Group Health Plans may Exclude Coverage
Group health plans may exclude coverage for a specific disease, limit or exclude benefits for certain types of treatments or drugs, or limit or exclude benefits based on determination of whether the benefits are experimental or medically necessary, if the benefit restriction is applied uniformly to all similarly situated individuals and is not directed at any individual participants or beneficiaries based on a health factor.

Group Health Plans may Apply Lifetime Limits
Group health plans may apply lifetime limits generally or with respect to benefits for a specific disease or treatment, provided the limits are applied uniformly to all similarly situated individuals and are not directed at any individual participants or beneficiaries based on a health factor.

Preexisting Condition Exclusion
Limits exclusions for pre-existing medical conditions.
6-month period pre-existing medical condition exclusion.

Titles
Title I: Healthcare Insurance Access, Portability, and Renewability
Title II: Preventing Healthcare Fraud and Abuse; Administrative Simplification; Medical Liability Reform
Title III: Tax-related Health Provisions
Title IV: Application and Enforcement of Group Health Insurance Requirements
Title V: Revenue Offsets

Title II: Has Three Rules
1) Transactions, Code Sets, and Identifiers: Standards for electronic transmission. Electronic Data Interchange (EDI): Standardized records for health care transactions.
2) The Privacy Rule: Standard for Privacy of Individually Identifiable Health Information (IIHI).
3) The Security Rule: Security Standard for electronic patient health records.

Administration Simplification
Standards for Electronic Transactions: Also referred to as Transactions, Code Sets, and Identifiers; defines standards for conducting EDI health transactions.
Standards for Privacy: Defines who is authorized to access health information and gives individuals the right to keep information about themselves from being disclosed.
Standards for Security: Defines Administrative, Physical, and Technical Safeguards to secure electronic PHI.

Need for HIPAA Administration Simplification
Designed for Administrative Simplification.
Provides Standard Uniformity.
Standard EAT Processes.
Standard Electronic Transactions and Code Sets.

The Privacy Rule regulations ensure basic privacy protections for patients by limiting the ways that health plans, pharmacies, hospitals and other covered entities can use patients' personal medical information. The regulations protect medical records and other Individually Identifiable Health Information (aka: IIHI), whether it is on paper, in computers or communicated orally.

Provide a Notice
Health Care Providers must provide a notice.
Patients will be asked to sign, initial or otherwise acknowledge that they received this notice.
Health plans generally must mail the notice to their enrollees and again if the notice changes significantly.
Patients also may ask covered entities to restrict the use or disclosure of their information beyond the practices included in the notice, but the covered entities would not have to agree to the changes.

A Notice must:
Be written in plain, simple language.
Include a header that reads: "This Notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review carefully."
Describe the covered entity's uses and disclosures of PHI.
Describe an individual's rights under the Privacy Rule. These include the right of the individual to: Request restrictions on certain uses and disclosures; Receive confidential communication of PHI; Inspect, copy, and amend PHI; Obtain an accounting of disclosures of PHI.

A Notice must:
Describe the covered entity's duties.
Describe how to register complaints concerning suspected privacy violations.
Specify a point of contact.
Specify an effective date.
State that the entity reserves the right to change its privacy practices.

Access To Medical Records
Patients generally should be able to see and obtain copies of their medical records and request corrections if they identify errors and mistakes. Health plans, doctors, hospitals, clinics, nursing homes and other covered entities generally should provide access to these records within 30 days and may charge patients for the cost of copying and sending the records.

Limits on Use of Personal Medical Information
The privacy rule sets limits on how health plans and covered providers may use IIHI. To promote the best quality care for patients, the rule does not restrict the ability of doctors, nurses and other providers to share information needed to treat their patients. PHI may NOT be used for purposes NOT related to health care, and covered entities may use or share only the minimum amount of protected information needed for a particular purpose. In addition, patients would have to sign a specific authorization before a covered entity could release their medical information to a life insurer, a bank, a marketing firm or another outside business for purposes not related to their health care.

Provide an Authorization
That allows use and disclosure of PHI for purposes other than treatment, payment, or health care operations (TPO).
An Authorization can allow PHI to be used and disclosed by the covered entity seeking the Authorization or by a third party.
Covered entities must obtain an individual's Authorization for uses or disclosures not covered by the Notice.

An Authorization must:
Be written in plain language.
Give a specific and meaningful description of the authorized information.
List the persons authorized to use or disclose PHI.
List the persons to whom the covered entity may make the requested use or disclosure.
Describe the purpose or purposes of the requested use or disclosure.
Give an expiration date or an expiration event for the use or disclosure of an individual's PHI.
State the individual's right to revoke the Authorization in writing, and state the exceptions to the right to revoke.
Detail the ability or inability to conduct treatment, collect payment, manage enrollment, or determine eligibility for benefits based on the Authorization.
State that information used or disclosed in accordance with the Authorization might be subject to re-disclosure by the recipient and might no longer be protected by this rule.
Have the individual's signature and the date.
NOTE: If an Authorization is signed by a personal representative of the individual, the Authorization must have a description of the representative's authority to act for the individual.

Prohibition on Marketing
The final privacy rule sets new restrictions and limits on the use of patient information for marketing purposes. Pharmacies, health plans and other covered entities must first obtain an individual's specific authorization before disclosing their patient information for marketing. At the same time, the rule permits doctors and other covered entities to communicate freely with patients about treatment options and other health-related information, including disease-management programs.

Stronger State Laws
The new federal privacy standards do not affect state laws that provide additional privacy protections for patients. The confidentiality protections are cumulative. The privacy rule will set a national "floor" of privacy standards that protect all Americans, and any state law providing additional protections would continue to apply. When a state law requires a certain disclosure, such as reporting an infectious disease outbreak to the public health authorities, the federal privacy regulations would not preempt the state law.

Confidential Communications
Patients can request that their doctors, health plans and other covered entities take reasonable steps to ensure that their communications with the patient are confidential. For example: A patient could ask a doctor to call his or her office rather than home, and the doctor's office should comply with that request if it can be reasonably accommodated.

Complaints
If you believe that a person or a covered entity violated your or someone else's health information privacy rights or committed another violation of the Privacy Rule, you may file a complaint with the Office for Civil Rights. OCR has authority to receive and investigate complaints against covered entities related to the Privacy Rule. Such complaints can be made directly to the covered provider or health plan or to HHS' OCR, which is charged with investigating complaints and enforcing the privacy regulation.

Complaints to the OCR must:
1) Be filed in writing, either on paper or electronically;
2) Name the entity that is the subject of the complaint and describe the acts or omissions believed to be in violation of the applicable requirements of the Privacy Rule;
3) Be filed within 180 days of when the act or omission complained of is known to have occurred. OCR may extend the 180-day period if "good cause" can be shown.

Information about filing complaints should be included in each covered entity's notice of privacy practices. Consumers can find out more information about filing a complaint at:

Health Plans and Providers
The privacy rule requires health plans, pharmacies, doctors and other covered entities to establish policies and procedures to protect the confidentiality of protected health information about their patients. These requirements are designed to be flexible and scalable, allowing different covered entities to implement them as appropriate for their businesses or practices. Covered entities must provide all the protections for patients cited above, such as providing a notice of their privacy practices and limiting the use and disclosure of information as required under the rule.

Health Plans and Providers: Written Privacy Procedures
The rule requires covered entities to have written privacy procedures, including a description of: staff that has access to protected information, how it will be used and when it may be disclosed.
Covered entities generally must take steps to ensure that any business associates who have access to protected information agree to the same limitations on the use and disclosure of that information.

Health Plans and Providers: Employee Training and Privacy Officer
Covered entities must train their employees in their privacy procedures and must designate an individual to be responsible for ensuring the procedures are followed.
If covered entities learn an employee failed to follow these procedures, they must take appropriate disciplinary action.

Health Plans and Providers: Public Responsibilities
In limited circumstances, the final rule permits, but does not require, covered entities to continue certain existing disclosures of health information for specific public responsibilities.
These permitted disclosures include: emergency circumstances; identification of the body of a deceased person, or the cause of death; public health needs; research that involves limited data or has been independently approved by an Institutional Review Board or privacy board; oversight of the health care system; judicial and administrative proceedings; limited law enforcement activities; and activities related to national defense and security.
The privacy rule generally establishes new safeguards and limits on these disclosures.
Where no other law requires disclosures in these situations, covered entities may continue to use their professional judgment to decide whether to make such disclosures based on their own policies and ethical principles.

Health Plans and Providers: Equivalent Requirements For Government
The provisions of the final rule generally apply equally to private sector and public sector covered entities.
For example: private hospitals and government-run hospitals covered by the rule have to comply with the full range of requirements.

The SECURITY RULE:
ePHI: electronic Protected Health Information.
8 pages and is highly technical.
Three types of safeguards: 1. Administrative 2. Physical 3. Technical.
Provider Compliance: April 20, 2005.

Electronic Health Record (EHR) Standards
ARRA: American Recovery and Reinvestment Act of 2009.
Meaningfully Use: Red Raven Productions, Presentation #2.

The Proposed Rule Would Specify: Initial criteria; Calculation; Payment Adjustments; Other Program Participation Requirements.
This proposed rule would implement the provisions of the American Recovery and Reinvestment Act of 2009 that provide incentive payments to Eligible Professionals and Eligible Hospitals participating in Medicare and Medicaid programs that adopt and meaningfully use certified EHR technology.

ONC-HIT: Office of the National Coordinator for Health Information Technology.
ONC also issued a notice of proposed rulemaking on the process for organizations to conduct the certification of Electronic Health Record (EHR) technology.

Covered Entities [diagram: Non Standard Bills; Health Care Clearinghouses; Standard Bills; Health Plans]

HEALTH CARE PROVIDER:
The term Health Care Provider includes a provider of services as defined in section 1861, a provider of medical or other health services as defined in section 1861, and any other persons furnishing health care services or supplies.
A Health Care Provider is a person who is trained and licensed to give health care. A Health Care Provider can also be a place licensed to give health care.
Which includes: Clinics; Dentists; Hospitals; Laboratories; Pharmacies; Physicians.

HEALTH CARE CLEARINGHOUSE:
The term 'Health Care Clearinghouse' means a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.
They are entities that process information received in a non-standard format into a standard one, and vice versa.

HEALTH PLANS:
They are individuals or group plans that provide, or pay the cost of, medical care.
The term 'Health Plan' means an individual or group plan that provides, or pays the cost of, medical care. Such term includes the following, and any combination of:
A group health plan as defined in the Public Health Service Act, but only if the plan: Has 50 or more participants as defined in the Employee Retirement Income Security Act of 1974, or Is administered by an entity other than the employer who established and maintains the plan.
A health insurance issuer.
A Health Maintenance Organization (aka: HMO).
Part A or part B of the Medicare program under title XVIII.
The Medicaid program under title XIX.
A Medicare supplemental policy.
A long-term care policy, including a nursing home fixed indemnity policy (unless the Secretary determines that such a policy does not provide sufficiently comprehensive coverage of a benefit so that the policy should be treated as a health plan).
An employee welfare benefit plan or any other arrangement which is established or maintained for the purpose of offering or providing health benefits to the employees of 2 or more employers.
The health care program for active military personnel under title 10, United States Code.
The veteran's health care program under chapter 17 of title 38, United States Code.
The Civilian Health And Medical Program of the Uniformed Services (CHAMPUS), as defined in section 1072(4) of title 10, United States Code.
The Indian Health Service Program under the Indian Health Care Improvement Act.
The Federal Employees Health Benefit Plan under chapter 89 of title 5, United States Code.

Business Associate (BA)
Is a person who, on behalf of the covered entity, performs or assists in the performance of a function or activity involving the use or disclosure of IIHI.
Does not include members of the covered entity's workforce.
Business Associate Contracts (BAC) must specify the PHI to be disclosed and the uses that may be made of that information.
BA Examples: Accounting; Actuarial; Administration; Accreditation; Auditing Firms; Consulting; Data Aggregation; Financial Or Accounting; Legal.
Sample Contract

Covered Information

Scope of Coverage
The key information covered by the Privacy Rule is Protected Health Information (aka: PHI). The Privacy Rule protects health information that identifies an individual and is maintained or exchanged electronically. Medical records and other Individually Identifiable Health Information (aka: IIHI) that's used or disclosed electronically, via paper, or orally by a covered entity. Thus, if you print any electronic information, that information (in paper form) retains its coverage.

Individually Identifiable Health Information (IIHI)
The term IIHI means any information, including demographic information collected from an individual, that: Is created or received by a health care provider, health plan, employer, or health care clearinghouse, and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and identifies the individual, or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

Code Set
The term Code Set means any set of codes used for encoding data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes.

Health Information
The term Health Information means any information, whether oral or recorded in any form or medium, that: is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

Protected Health Information (PHI)
Any patient-identifiable information is now Protected Health Information (PHI) regardless of the media form it is or was in. Data can be at rest or in transit. At rest can mean data that is accessed, stored, processed, or maintained.

Treatment/Payment/Operations (TPO)
Treatment: Organizations can use or disclose information to health care providers who are involved in your health care. For example: information can be shared to create and carry out a plan for your treatment.
Payment: Organizations can use or disclose information to get payment or to pay for the health care services you receive. For example: an organization can provide PHI to bill your health plan for health care you received.
Health Care Operations: Organizations can use or disclose information in order to manage their programs and activities. For example: an organization can use PHI to review the quality of services you receive.

Patient Identifiable Information (PII)
PII is a subset of PHI that contains identifiers that could be used to identify an individual. Such as: Name; Social Security number; Address; Phone number.

De-Identified Information (DII)
A data set that has personal identifiers removed from the information is not Individually Identifiable and can be disclosed without an Individual's Authorization.

Use and Disclosure
Use and Disclosure are two fundamental concepts of the HIPAA Privacy Rule. Use limits the sharing of information within a covered entity, and Disclosure restricts the sharing of information outside the covered entity.

USE: Refers to doing any of the following to IIHI by employees or other members of an organization's workforce: Analyzing; Applying; Employing; Examining; Sharing; Utilizing.
Basically all information is used when it moves within an organization.

DISCLOSURE: is defined as doing any of the following by the entity holding the information so that the information is outside the entity: Release; Transfer; Provision of access to; Divulging in any manner.
Information is disclosed when it's transmitted between or among organizations.

Workforce
Workforce: Employees, volunteers, trainees, and other people under the direct control of a covered entity.

National Identifiers
National Provider Identifier (NPI)
National Health Plan Identifier (NHPI)
National Employer Identifier for Health Care (NEI)

National Provider Identifier (NPI)
NPI will be assigned to: Individual providers.
Individual NPI's will not be linked to organizational NPI's.
Individual providers keep their NPI for life.
Organizational providers can get multiple NPI's.

DSMO: Designated Standards Maintenance Organizations
1. ANSI Accredited Standards Committee (ASC) X12
2. Dental Content Committee of the American Dental Association
3. Health Level Seven (HL7)
4. National Council for Prescription Drug Programs (NCPDP)
5. National Uniform Billing Committee (NUBC)
6. National Uniform Claim Committee (NUCC)

Acronyms
ARRA: American Recovery and Reinvestment Act of 2009
ASC: Accredited Standards Committee
ADA: American Dental Association
AMA: American Medical Association
ANSI: American National Standards Institute
CAH: Critical Access Hospital
CAHPS: Consumer Assessment of Healthcare Providers and Systems
CCN: CMS Certification Numbers
CDC: Center for Disease Control
CHIP: Children's Health Insurance Program
CHIPRA: CHIP Reauthorization Act of 2009
CMS: Centers for Medicare & Medicaid Services
CY: Calendar Year
EAT: Electronic Administrative Transactions
EHR: Electronic Health Record
EMR: Electronic Medical Record
EP: Eligible Professionals
EPO: Exclusive Provider Organization
FACA: Federal Advisory Committee Act
FDA: Food and Drug Administration
FFP: Federal Financial Participation
FFS: Fee-For-Service
FQHC: Federally Qualified Health Center
FTE: Full-Time Equivalent
FY: Fiscal Year
FFY: Federal Fiscal Year
GEM: General Equivalence Mapping
HCPCS: Health-Care Common Procedure Coding System
ICD: International Statistical Classification of Diseases and Related Health Problems
MMIS: Medicaid Management Information Systems
MSA: Medical Savings Account
NCQA: National Committee for Quality Assurance
NCVHS: National Committee on Vital and Health Statistics
NDC: National Drug Code
NPI: National Provider Identifier
ONC: Office of the National Coordinator for Health Information Technology
PAHP: Prepaid Ambulatory Health Plan
PAPD: Planning Advanced Planning Document

14 PIHP PFFS HEDIS HHS HIE HIT Acronyms Prepaid Inpatient Health Plan Private Fee-For-Service Healthcare Effectiveness Data and Information Set Department of Health and Human Services Health Information Exchanges Health Information Technology Acronyms PFFS Private Fee-For-Service HEDIS Healthcare Effectiveness Data and Information Set HHS Department of Health and Human Services HIE Health Information Exchanges HIT Health Information Technology HIPPA Health Insurance Portability and Accountability Act of 1996 HIPPA Health Insurance Portability and Accountability Act of 1996 HITECH Health Information Technology for Economic and Clinical Health Act HMO Health Maintenance Organization HOS Health Outcomes Survey HPSA Health Professional Shortage Area HRSA Health Resource Services Administration IAPD Implementation Advanced Planning Document IPA Independent Practice Association IHS Indian Health Services IT Information Technology MA Medicare Advantage MAC Medicare Administrative Contractor HITECH HMO HOS HPSA HRSA IAPD IPA IHS IT MA MAC Health Information Technology for Economic and Clinical Health Act Health Maintenance Organization Health Outcomes Survey Health Professional Shortage Area Health Resource Services Administration Implementation Advanced Planning Document Independent Practice Association Indian Health Services Information Technology Medicare Advantage Medicare Administrative Contractor Compliance Timelines Past Dates Completed Deadlines Deadline to submit a compliance extension form for Electronic Health Care Transactions and 15-Oct-2001 Code Sets. Electronic Health Care Transactions and Code Sets - all covered entities except those who filed 16-Oct-2002 for an extension and are not a small health plan. 14-Apr-2003 Privacy - all covered entities except small health plans. Electronic Health Care Transactions and Code Sets - all covered entities must have started 16-Apr-2003 software and systems testing. 
Electronic Health Care Transactions and Code Sets - all covered entities who filed for an 16-Oct-2003 extension and small health plans. 16-Oct-2003 Medicare will only accept paper claims under limited circumstances. 14-Apr-2004 Privacy - small health plans. 30-Jul-2004 Employer Identifier Standard - all covered entities except small health plans. 20-Apr-2005 Security Standards - all covered entities except small health plans. 1-Aug-2005 Employer Identifier Standard - small health plans. Compliance Timelines Center for Medicare and Medicaid Services (CMS) ASC X A1 to ASC X NCPDP 5.1 to NCPDP D.0 Description Final rule was published Effective Date of the regulation Level I Compliance Level II Compliance Fully compliant Deadlines 16-Jan Mar Dec Dec Jan Apr May May-2008 Security Standards small health plans. National Provider Identifier - all covered entities except small health plans National Provider Identifier - small health plans Dual use of existing standards permitted. March 17, 2009, until January 1, Compliance Timelines The CMS Medicare Fee-for-Service Schedule Compliance Timelines The CMS Medicare Fee-for-Service Schedule Description Level I Level II Fully compliant Deadlines 1-Apr-10 Thru 31-Dec-10 1-Jan-11 Thru 31-Dec-11 1-Jan-12 Description Level I Level II Fully compliant Deadlines 1-Apr-10 Thru 31-Dec-10 1-Jan-11 Thru 31-Dec-11 1-Jan-12 CMS has prepared a comparison of the currentx12 HIPAA EDI standards (Version 4010/4010A1) with Version 5010 and the NCPDP EDI standards Version 5.1 to D.0. The 4010A1 Implementation Guides and the 5010 Technical Report 3 (TR3) documents served as reference materials during the preparation of the comparison Excel spreadsheets. 83 CMS has prepared a comparison of the currentx12 HIPAA EDI standards (Version 4010/4010A1) with Version 5010 and the NCPDP EDI standards Version 5.1 to D.0. 
The 4010A1 Implementation Guides and the 5010 Technical Report 3 (TR3) documents served as reference materials during the preparation of the comparison Excel spreadsheets. 84

Penalties: Civil and Criminal

CIVIL Penalties
Under "General Penalty for Failure to Comply with Requirements and Standards" of Public Law , the Health Insurance Portability and Accountability Act of 1996, Section 1176 says that the Secretary can impose fines for noncompliance as high as $100 per offense, with a maximum of $25,000 per year on any person who violates a provision of this part.

Monetary: $100. Prison time: N/A. Offenses: Single violation of a provision; multiple penalties for violating multiple provisions.
Monetary: $25,000. Prison time: N/A. Offenses: Multiple violations of an identical requirement made during a calendar year.

The Secretary may reduce the fine if a violation is not due to willful neglect and is corrected within 30 days.

CRIMINAL Penalties
For the wrongful disclosure of Individually Identifiable Health Information (IIHI)
Under SEC OFFENSE.--A person who knowingly and in violation of this part--
uses or causes to be used a unique health identifier,
obtains Individually Identifiable Health Information relating to an individual, OR
discloses Individually Identifiable Health Information to another person,
shall be punished as provided in subsection (b).

Monetary: $50,000 or less. Prison time: 1 yr or less. Offense: Wrongful disclosure of Individually Identifiable Health Information.
Monetary: $100,000 or less. Prison time: 5 yrs or less. Offense: Wrongful disclosure of IIHI committed under false pretenses.
Monetary: $250,000 or less. Prison time: 10 yrs or less. Offense: Wrongful disclosure of IIHI committed under false pretenses with intent to sell, transfer, or use IIHI for commercial advantage, personal gain, or malicious harm.

HIPAA Audits: HHS might ask a Covered Entity about:

1 Anti-virus software.
2 Computer patch management.
3 Creating, documenting and reviewing exception reports or logs: e.g., Provide a list of examples of security violation logging and monitoring.
4 Electronically transmitting ePHI.
5 Emergency access to electronic information systems.
6 Employee violations (sanctions).
7 Establishing and terminating users' access to systems housing electronic patient health information (ePHI).
8 Establishing security access controls: e.g., What types of security access controls are currently implemented or installed in hospitals' databases that house ePHI data?
9 Firewalls, routers and switches.
10 Inactive computer sessions (periods of inactivity).
11 Internet usage.
12 Maintenance and repairs of hardware, walls, doors, and locks in sensitive areas.
13 Monitoring systems and the network, including a listing of all network perimeter devices, e.g., firewalls and routers.
14 Network remote access.
15 Password and server configurations.
16 Physical access to electronic information systems and the facility in which they are housed.
17 A list of antivirus servers, installed, including their versions.
18 Preventing, detecting, containing and correcting security violations (incident reports).
19 Entity-wide security program plans (e.g., System Security Plan).
20 Organizational charts that include names and titles for the management information system and information system security departments.
21 The antivirus software used for desktop and other devices, including their versions.
22 Recording and examining activity in information systems that contain or use ePHI.
23 Terminating an electronic session and encrypting and decrypting ePHI.
24 Transmitting ePHI.
25 Wireless security (transmission and usage).
26 All information systems that house ePHI data, as well as network diagrams, including all hardware and software that are used to collect, store, process or transmit ePHI.
27 Regularly reviewing records of information system activity, such as audit logs, access reports and security incident tracking reports.
28 Remote access activity, e.g., network infrastructure, platform, access servers, authentication, and encryption software.
29 Risk assessments and analyses of relevant information systems that house or process ePHI data.
30 All New hires.
31 All Terminated employees.
32 All Primary Domain Controllers (PDC) and servers (including Unix, Apple, Linux and Windows): e.g., Identify whether these servers are used for processing, maintaining, updating, and sorting ePHI.
33 All users with access to ePHI data: e.g., Identify each user's access rights and privileges.
34 Authentication approaches used to verify a person has been authorized for specific access privileges to information and information systems.
35 Authentication methods used to identify users authorized to access ePHI.
36 Database security requirements and settings.
37 Encryption mechanisms used for ePHI.
38 Outsourced individuals and contractors with access to ePHI data, if applicable: e.g., Include a copy of the contract for these individuals.
39 Software used to manage and control access to the Internet.
40 Systems administrators, backup operators and users.
41 Transmission methods used to transmit ePHI over an electronic communications network.
42 Users with remote access capabilities.

REFERENCES

American Dental Association
American Medical Association
ANSI Accredited Standards Committee (ASC) X12
Centers for Medicare and Medicaid Services (CMS)
Dept. of Health & Human Services (HHS)
Health Level Seven (HL7)
National Committee on Vital and Health Statistics (NCVHS)
National Council for Prescription Drug Programs (NCPDP)
National Uniform Billing Committee (NUBC)
National Uniform Claim Committee (NUCC)
Washington Publishing Company (WPC)
Workgroup for Electronic Data Interchange (WEDI)

Thomas Edison

CREDITS

Thomas Dwyer, CHPSP: Author, Director, Editor, Presenter
Sandra Remis, M.A.: Editor
Dr. Ariel Schrodt: Video Director
CANTV.org

Copyright Red Raven Productions, January 1, 2012, Tom Dwyer


More information

HIPAA Notice of Privacy Practices

HIPAA Notice of Privacy Practices HIPAA Notice of Privacy Practices THIS NOTICE DESCRIBES HOW YOUR MEDICAL INFORMATION MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. This HIPAA Notice

More information

HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT

HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT HIPAA OMNIBUS FINAL RULE HITECH GINA TERMINOLOGY OMNIBUS FINAL RULE Issued January 23, 2013 Effective March 26, 2013 Modified HIPAA privacy and security

More information

**CONTINUATION COVERAGE RIGHTS UNDER COBRA**

**CONTINUATION COVERAGE RIGHTS UNDER COBRA** **CONTINUATION COVERAGE RIGHTS UNDER COBRA** Federal law requires certain employers sponsoring group health plan coverage to offer their employees (and his or her enrolled family members) the opportunity

More information

HIPAA COMPLIANCE PLAN FOR OHIO EYE ASSOCIATES, INC.

HIPAA COMPLIANCE PLAN FOR OHIO EYE ASSOCIATES, INC. HIPAA COMPLIANCE PLAN FOR OHIO EYE ASSOCIATES, INC. Adopted August 2016 PREPARED BY STACEY A. BOROWICZ, ESQ. DINSMORE & SHOHL LLP 614-227-4212 STACEY.BOROWICZ@DINSMORE.COM 10600677V1 75602.1 i OHIO EYE

More information

SCHOOLS SELF-INSURANCE OF CONTRA COSTA COUNTY NOTICE OF PRIVACY PRACTICES

SCHOOLS SELF-INSURANCE OF CONTRA COSTA COUNTY NOTICE OF PRIVACY PRACTICES SCHOOLS SELF-INSURANCE OF CONTRA COSTA COUNTY NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

More information

Chapter 19 Section 2. Health Insurance Portability And Accountability Act (HIPAA) Standards For Electronic Transactions

Chapter 19 Section 2. Health Insurance Portability And Accountability Act (HIPAA) Standards For Electronic Transactions Health Insurance Portability and Accountability Act (HIPAA) of 1996 Chapter 19 Section 2 Health Insurance Portability And Accountability Act (HIPAA) Standards For Electronic Transactions Revision: 1.0

More information

Compliance Program. Health First Health Plans Medicare Parts C & D Training

Compliance Program. Health First Health Plans Medicare Parts C & D Training Compliance Program Health First Health Plans Medicare Parts C & D Training Compliance Training Objectives Meeting regulatory requirements Defining an effective compliance program Communicating the obligation

More information

CHAPTER 33 HIPAA PRIVACY REGULATIONS

CHAPTER 33 HIPAA PRIVACY REGULATIONS CHAPTER 33 HIPAA PRIVACY REGULATIONS I. INTRODUCTION The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress and signed into law by President Clinton in 1996. Most people

More information

INDEPENDENCE BLUE CROSS LONG TERM CARE PROGRAM NOTICE OF PRIVACY PRACTICES

INDEPENDENCE BLUE CROSS LONG TERM CARE PROGRAM NOTICE OF PRIVACY PRACTICES INDEPENDENCE BLUE CROSS LONG TERM CARE PROGRAM NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION

More information

HIPAA in the Digital Age. Anisa Kelley and Rachel Procopio Maryan Rawls Law Group Fairfax, Virginia

HIPAA in the Digital Age. Anisa Kelley and Rachel Procopio Maryan Rawls Law Group Fairfax, Virginia HIPAA in the Digital Age Anisa Kelley and Rachel Procopio Maryan Rawls Law Group Fairfax, Virginia Virginia MGMA reminds attendees that the program is not intended to provide legal advice and advises participants

More information

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. Notice of Privacy Practices KAISER PERMANENTE HAWAII REGION THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW

More information

All subscribers of the Long Beach Unified School District s Self-Insured Health Plan

All subscribers of the Long Beach Unified School District s Self-Insured Health Plan BUSINESS DEPARTMENT Financial Services Risk Management Branch 1515 Hughes Way, Long Beach, CA 90810 MEMORANDUM TO: All subscribers of the Long Beach Unified School District s Self-Insured Health Plan From:

More information

COVERED TRANSACTION means a Transaction for which the Secretary has adopted a standard under HIPAA.

COVERED TRANSACTION means a Transaction for which the Secretary has adopted a standard under HIPAA. UNIVERSITY OF MAINE SYSTEM HIPAA POLICY #1 DEFINITIONS Unless otherwise provided herein, capitalized terms shall have the same meaning as set forth in HIPAA, as amended, and its implementing regulations,

More information

NOTICE OF AVAILABILITY OF HIPAA PRIVACY NOTICE. If you have any questions on this Notice, please contact Human Resources.

NOTICE OF AVAILABILITY OF HIPAA PRIVACY NOTICE. If you have any questions on this Notice, please contact Human Resources. To: All MTE Employees From: Human Resources Re: Protected Health Information NOTICE OF AVAILABILITY OF HIPAA PRIVACY NOTICE Under the Health Insurance Portability and Accountability Act (HIPAA) health

More information

Effective Date: March 23, 2016

Effective Date: March 23, 2016 AIG COMPANIES Effective Date: March 23, 2016 HIPAA NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

More information

Fifth National HIPAA Summit West

Fifth National HIPAA Summit West Fifth National HIPAA Summit West Privacy and Security under the HITECH Act W. Reece Hirsch Paul T. Smith, Partner, Partner, Hooper, Lundy & Bookman 1 Developments The Health Information Technology for

More information

HIPAA Update. Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights

HIPAA Update. Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights HIPAA Update Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights New Mexico Health Information Management Association Conference April 11, 2014 Albuquerque, NM Recent Enforcement

More information

Notice of Privacy Practices

Notice of Privacy Practices Notice of Privacy Practices Kellin, PLLC 2110 Golden Gate Drive, Suite B Greensboro, NC 27405 336-429-5600 WHAT IS THIS ALL ABOUT? HIPAA (Health Insurance Portability and Accountability Act) was enacted

More information

American Bar Association. Technical Session Between the Department of Health and Human Services and the Joint Committee on Employee Benefits

American Bar Association. Technical Session Between the Department of Health and Human Services and the Joint Committee on Employee Benefits American Bar Association Technical Session Between the Department of Health and Human Services and the Joint Committee on Employee Benefits May 2, 2006 The following notes are based upon the personal comments

More information

It s as AWESOME as You Think It Is!

It s as AWESOME as You Think It Is! It s as AWESOME as You Think It Is! Fine Print This presentation and any materials and/or comments are training and educational in nature only. They do not establish an attorney-client relationship, are

More information

COUNTY SOCIAL SERVICES POLICIES AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 HIPAA

COUNTY SOCIAL SERVICES POLICIES AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 HIPAA COUNTY SOCIAL SERVICES POLICIES AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 HIPAA 1 Recommended by ISP Committee of CSS on October 22 nd, 2014 Amended

More information

THE HIPAA PRIVACY RULE

THE HIPAA PRIVACY RULE Introduction THE HIPAA PRIVACY RULE The Standards for Privacy of Individually Identifiable Health Information ( Privacy Rule ) establishes, for the first time, a set of national standards for the protection

More information

HIPAA. What s New & What Do I Have To Do? Presented by Leslie Canham, CDA, RDA, CSP (Certified Speaking Professional)

HIPAA. What s New & What Do I Have To Do? Presented by Leslie Canham, CDA, RDA, CSP (Certified Speaking Professional) HIPAA Infection Control OSHA Dental Practice Act HIPAA What s New & What Do I Have To Do? Presented by Leslie Canham, CDA, RDA, CSP (Certified Speaking Professional) In the dental field since 1972, Leslie

More information

COMPLIANCE; It s Not an Option

COMPLIANCE; It s Not an Option COMPLIANCE; It s Not an Option AAPC April 17, 2013 Rose B. Moore, CPC, CPC-I, CPC-H, CPMA, CEMC, CMCO, CCP, CEC, PCS, CMC, CMOM, CMIS, CERT, CMA-ophth President/CEO Medical Consultant Concepts, LLC Copyright

More information

HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION THE APPLICABLE WELFARE BENEFITS PLANS OF MICHIGAN CATHOLIC CONFERENCE

HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION THE APPLICABLE WELFARE BENEFITS PLANS OF MICHIGAN CATHOLIC CONFERENCE HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION THE APPLICABLE WELFARE BENEFITS PLANS OF MICHIGAN CATHOLIC CONFERENCE Policy Preamble This privacy policy ( Policy ) is designed to

More information

Chesapeake Regional Information System for Our Patients, Inc. ( CRISP ) HIE Participation Agreement (HIE and Direct Service)

Chesapeake Regional Information System for Our Patients, Inc. ( CRISP ) HIE Participation Agreement (HIE and Direct Service) Chesapeake Regional Information System for Our Patients, Inc. ( CRISP ) HIE Participation Agreement (HIE and Direct Service) A. CRISP is a private Maryland non-stock membership corporation which is tax

More information

USE OF PROTECTED HEALTH INFORMATION ( PHI ) FOR MARKETING PURPOSES

USE OF PROTECTED HEALTH INFORMATION ( PHI ) FOR MARKETING PURPOSES USE OF PROTECTED HEALTH INFORMATION ( PHI ) FOR MARKETING PURPOSES PURPOSE The purpose of this policy is to establish guidelines for the release of Protected Health Information( PHI ) for marketing purposes

More information

What Regulatory Requirements are Responsible for the Transactions Standards?

What Regulatory Requirements are Responsible for the Transactions Standards? Versions 5010 Why the Change? 99% of Medicare Part A and 96% of Part B Claims are submitted electronically New Accreditations standards adopted with Electronic Medical Records must align with the submitted

More information

Occidental Petroleum Corporation

Occidental Petroleum Corporation Occidental Petroleum Corporation HIPAA Privacy Policies and Procedures September 2014 Occidental Petroleum Corporation HIPAA Privacy Policies and Procedures TABLE OF CONTENTS INTRODUCTION...1 HIPAA STATEMENT

More information

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES NOTICE OF PRIVACY PRACTICES Original Effective Date: April 14, 2003 Effective Date of Last Revision: August 30, 2013 I. THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED

More information

JEFFERSON HEALTH CARE LINK ACCESS AGREEMENT

JEFFERSON HEALTH CARE LINK ACCESS AGREEMENT JEFFERSON HEALTH CARE LINK ACCESS AGREEMENT This JEFFERSON HEALTH CARE LINK ACCESS AGREEMENT (the Agreement ) is entered into between THOMAS JEFFERSON UNIVERSITY, D/B/A JEFFERSON HEALTH, by and on behalf

More information

The Audits are coming!

The Audits are coming! HIPAA and Meaningful Use (MU) Governmental Program Audits The Audits are coming! The Audits are coming! 1 Audit Readiness Meaningful Use and HIPAA Both CMS and the Office for Civil Rights (OCR) have been

More information