Overview of HIPAA

                                                      - ANANT VYAS
                               PRIVACY IN DATA MANAGEMENT: CS295D
                                   UNIVERSITY OF CALIFORNIA, IRVINE


CS295d:Privacy in Data Management University of California, Irvine   1
Why HIPAA?

• More than 25 cents of every health-care dollar is spent on administration
• More than 450 billing forms
• National changes requested by providers
• Increasing public concern around privacy
• Highly public breaches of privacy

Health Insurance Portability & Accountability Act (HIPAA)

• In August 1996, President Clinton signed into law Public Law 104-191, the Health Insurance Portability and Accountability Act (HIPAA).
• The Act included provisions for health insurance portability, fraud and abuse control, tax-related provisions, group health plan requirements, revenue offset provisions, and administrative simplification requirements.

HIPAA's Intent

• Improve the efficiency and effectiveness of the health care system
• The HIPAA Privacy Rule for the first time creates national standards to protect the privacy of individuals' medical records and other personal health information
• Creates standards for the security of health information
• Creates standards for the electronic exchange of health information

What HIPAA Doesn't Do

It doesn't:
• force your employer to offer or pay for health insurance coverage;
• guarantee that everyone in the workforce will get health coverage;
• control how much an insurance company can charge for group coverage;
• force group health plans to offer specific benefits;
• allow you to keep the exact same health insurance plan you had at your old job when you move to a new job;
• eliminate the use of pre-existing condition exclusions;
• replace your state as the primary regulator of health insurance.

HIPAA SPEAK

• Individually Identifiable Health Information (IIHI)
  - Information that relates to an individual's health or condition, the provision of health care to the individual, or payment for that care,
  - and that identifies the individual,
  - or for which there is a reasonable basis to believe it can be used to identify the individual
  - Health information + identifiers (18 defined) = IIHI

HIPAA SPEAK (contd.)

The 18 identifiers:

(1) Names
(2) All geographic subdivisions smaller than a state, including street address, city, county, precinct and ZIP code
(3) All elements of dates (except year) for dates directly related to an individual, including birth date, admission and discharge dates, and date of death
(4) Telephone numbers
(5) Fax numbers
(6) Electronic mail addresses
(7) Social security numbers
(8) Medical record numbers
(9) Health plan beneficiary numbers
(10) Account numbers
(11) Certificate/license numbers
(12) Vehicle identifiers and serial numbers, including license plate numbers
(13) Device identifiers and serial numbers
(14) Web Universal Resource Locators (URLs)
(15) Internet Protocol (IP) address numbers
(16) Biometric identifiers, including finger and voice prints
(17) Full face photographic images and any comparable images
(18) Any other unique identifying number, characteristic, or code

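The Safe Harbor method of de-identification is the practical counterpart of this list: remove or generalize every one of the 18 identifier classes, and what remains is no longer IIHI. The Python below is an added example written for this page, not code from the course or from the slides. It applies the list to a constructed patient record whose free-text note hides several identifiers; the field names, the sample data, the regular expressions and the RESTRICTED_ZIP3 set are all assumptions of the example. It also uses two details of the rule that the slide abbreviates: only the year of a date is kept and ages over 89 are collapsed into a single "90+" value, and the first three digits of a ZIP code may be retained unless the area they cover has 20,000 or fewer people, in which case they become 000.

```python
import re

# Constructed sample record (not real data); "note" holds free text in which
# identifiers typically hide.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "dob": "1984-07-19",
    "admit_date": "2006-03-02",
    "age": 93,
    "zip": "92697",
    "city": "Irvine",
    "mrn": "MRN-0048213",
    "diagnosis": "Type 2 diabetes mellitus",
    "note": ("Pt called from 949-555-0142, email jane.sample@example.org; "
             "portal login from 10.20.30.40, see http://example.org/chart/48213. "
             "SSN on file 123-45-6789."),
}

# Safe Harbor keeps the first three ZIP digits only where that 3-digit area
# holds more than 20,000 people. HHS publishes the list of areas at or below
# that from Census data; this set is a constructed placeholder for it.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Structured fields mapped onto the identifier classes (assumed field names).
DROP_FIELDS = {"name", "mrn", "ssn", "phone", "fax", "email", "account",  # (1), (4)-(10)
               "street", "city", "county", "precinct"}                   # (2), except ZIP
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}       # (3)

# Free-text patterns, applied in this order so an SSN is never mistaken
# for part of a phone number.
FREE_TEXT_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("URL", re.compile(r"\bhttps?://\S+", re.IGNORECASE)),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("DATE", re.compile(r"\b\d{4}-\d{2}-\d{2}\b")),
]


def generalize_zip(zip_code):
    """Identifier (2): keep the 3-digit prefix, or 000 for small areas."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_date(iso_date):
    """Identifier (3): keep the year only (input is YYYY-MM-DD)."""
    return iso_date[:4]


def generalize_age(age):
    """Identifier (3): ages over 89 are aggregated into a single 90+ bucket."""
    return "90+" if age > 89 else age


def redact_free_text(text):
    """Replace identifiers (4)-(7), (14), (15) and dates in free text with
    labelled placeholders; return the cleaned text and the labels found."""
    found = []
    for label, pattern in FREE_TEXT_PATTERNS:
        text, count = pattern.subn("[%s]" % label, text)
        found.extend([label] * count)
    return text, found


def safe_harbor_deidentify(record):
    """Return (de-identified record, list of actions taken)."""
    clean, actions = {}, []
    for key, value in record.items():
        if key in DROP_FIELDS:
            actions.append("dropped %s" % key)
        elif key in DATE_FIELDS:
            clean[key + "_year"] = generalize_date(value)
            actions.append("generalized %s to year" % key)
        elif key == "zip":
            clean["zip3"] = generalize_zip(value)
            actions.append("generalized zip to 3 digits")
        elif key == "age":
            clean["age"] = generalize_age(value)
            actions.append("generalized age")
        elif isinstance(value, str):
            clean[key], labels = redact_free_text(value)
            actions.extend("redacted %s in %s" % (label, key) for label in labels)
        else:
            clean[key] = value
    return clean, actions


if __name__ == "__main__":
    cleaned, log = safe_harbor_deidentify(SAMPLE_RECORD)
    for line in log:
        print(line)
    print(cleaned)
```

The regular expressions are deliberately broad: for Safe Harbor a false positive costs a little clinical detail, while a false negative leaves IIHI in a dataset that is being released as de-identified. Note also that removing the 18 classes is necessary but the rule additionally requires that the covered entity has no actual knowledge that the remaining data could identify the individual.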
HIPAA SPEAK (contd.)

• Use (of IIHI)
  Sharing within the entity. For example, when members of the covered entity's workforce share IIHI.

• Disclosure (of IIHI)
  Sharing outside the entity. For example, sharing IIHI with someone who is not a member of the covered entity's workforce.

HIPAA SPEAK (contd.)

• Protected Health Information (PHI)
  - Individually identifiable health information maintained or transmitted by a covered entity
  - In any form: electronic, paper or oral
  - Created or received by a health care provider, public health authority, employer, school or university

HIPAA SPEAK (contd.)

• Covered Entity (CE)
  - A health plan, a health care clearinghouse, or a health care provider that transmits any health information in electronic form in connection with a transaction for which HHS has adopted a HIPAA standard

HI vs. IIHI vs. PHI: Difference?

Health information (HI) is any information about an individual's health or condition, the care provided, or payment for that care. It becomes IIHI when it identifies the individual, directly or through any of the 18 identifiers. IIHI becomes PHI when a covered entity creates, receives, maintains or transmits it, in any form. The Privacy Rule regulates PHI (and the Security Rule its electronic subset), not health information in general.

HIPAA: Title I

• Health Care Access, Portability, and Renewability
• Protects health insurance coverage for workers and their families when they change or lose their jobs
• It amended the Employee Retirement Income Security Act, the Public Health Service Act, and the Internal Revenue Code.

HIPAA: Title II

• Standards for Electronic Transactions
  - Implementation of national standards for electronic health care transactions
  - All covered transactions to be processed using the same electronic formats
• Unique Identifier Standards
  - Health care providers must use the National Provider Identifier (NPI) in standard transactions; employers are identified by their EIN

HIPAA: Title II Rules

• Administrative Simplification rules
• 5 rules:
  - Privacy Rule
  - Transactions and Code Sets Rule
  - Security Rule
  - Unique Identifiers Rule
  - Enforcement Rule

HIPAA Privacy Rule

• Compliance date: April 14, 2003
• Establishes regulations for the use and disclosure of Protected Health Information (PHI)

What does the HIPAA Privacy Rule do?

• It gives patients more control over their health information.
• It sets boundaries on the use and release of health records.
• It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
• It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients' privacy rights.
• And it strikes a balance when public responsibility supports disclosure of some forms of data, for example to protect public health.

HIPAA Security Rule:

• Issued on February 20, 2003. It took effect on April 21, 2003, with compliance required by April 20, 2005 (April 20, 2006 for small health plans).
• Deals specifically with electronic protected health information (ePHI), i.e. PHI that a covered entity creates, receives, maintains or transmits in electronic form. Unlike the Privacy Rule, it does not cover paper or oral PHI.

HIPAA Security Rule (contd.):

• Confidentiality: ePHI is not made available or disclosed to unauthorized persons or processes
• Integrity: ePHI is not altered or destroyed in an unauthorized manner
• Availability: ePHI is accessible and usable on demand by an authorized person

The Rule requires covered entities to ensure all three for every piece of ePHI they create, receive, maintain or transmit.

HIPAA Security Rule (contd.):

"To ensure reasonable and appropriate administrative, technical, and physical safeguards that ensure the integrity, availability and confidentiality of health care information, and protect against reasonably foreseeable threats to the security or integrity of the information."

Security Rule: 4 Categories

• Administrative procedures
• Physical safeguards
• Technical data security services
• Technical security mechanisms

(These four categories, and the requirement counts on the next slides, follow the 1998 proposed Security Rule. The final rule of February 2003 consolidated them into administrative, physical and technical safeguards, each with required and addressable implementation specifications.)

Administrative Procedures: 12 Requirements

1. Certification
2. Chain of Trust Agreements
3. Contingency Plan
4. Mechanism for Processing Records
5. Information Access Control
6. Internal Audit
7. Personnel Security
8. Security Configuration Management
9. Security Incident Procedures
10. Security Management Process
11. Termination Procedures
12. Training

Physical Safeguards: 6 Requirements

1. Assigned Security Responsibility
2. Media Controls
3. Physical Access Controls
4. Policy on Workstation Use
5. Secure Workstation Location
6. Security Awareness Training

Technical Data Security Services: 4 Requirements

1. Access Control
2. Audit Controls
3. Data Authentication
4. Entity Authentication

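These four services map directly onto the building blocks of any ePHI access path: who is asking (entity authentication), what they may do with which patient's data (access control), whether the stored data has been altered (data authentication), and a tamper-evident record of every attempt (audit controls). The Python below is an added example written for this page, not code from the course or from any named product. It wires the four services into one small gateway: signed session tokens, a role table combined with a care-team roster for need-to-know decisions, HMAC-sealed records, and a hash-chained audit log. The keys, the roster, the role table and the record store are constructed; a production system would hold the keys in a KMS or HSM and persist the audit chain outside the application.

```python
import hashlib
import hmac
import json

# Constructed keys for this example; a real deployment keeps them in a KMS or HSM.
RECORD_MAC_KEY = b"constructed-record-integrity-key"
TOKEN_KEY = b"constructed-session-token-key"

# Constructed roster of treatment relationships (the need-to-know basis) and
# the actions each role may ever perform.
CARE_TEAM = {"pt-1001": {"dr.lee"}, "pt-1002": {"dr.ng"}}
ROLE_ACTIONS = {"physician": {"read", "write"}, "billing": {"read_billing"}}

AUDIT_LOG = []  # append-only, hash-chained


def _canon(obj):
    """Canonical JSON so that equal records give equal bytes for the MAC."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


# Data authentication: a record is stored with an HMAC over its bytes and is
# only released after the tag verifies, so silent modification is caught.
def seal_record(record):
    body = _canon(record).decode()
    return {"body": body, "tag": _mac(RECORD_MAC_KEY, body.encode())}


def open_record(sealed):
    if not hmac.compare_digest(_mac(RECORD_MAC_KEY, sealed["body"].encode()), sealed["tag"]):
        raise ValueError("record integrity check failed")
    return json.loads(sealed["body"])


# Entity authentication: a signed bearer token binds user, role and expiry.
def issue_token(user, role, expires_at):
    payload = "%s|%s|%d" % (user, role, expires_at)
    return payload + "|" + _mac(TOKEN_KEY, payload.encode())


def verify_token(token, now):
    parts = token.split("|")
    if len(parts) != 4:
        raise PermissionError("malformed token")
    user, role, expires_at, tag = parts
    payload = "|".join((user, role, expires_at))
    if not hmac.compare_digest(_mac(TOKEN_KEY, payload.encode()), tag):
        raise PermissionError("bad token signature")
    if now >= int(expires_at):
        raise PermissionError("token expired")
    return user, role


# Access control: the role decides which actions exist at all; the care-team
# roster enforces need-to-know for clinical reads and writes.
def authorize(user, role, action, patient_id):
    if action not in ROLE_ACTIONS.get(role, set()):
        return False
    if action in ("read", "write"):
        return user in CARE_TEAM.get(patient_id, set())
    return True


# Audit controls: every attempt, allowed or not, is appended with the hash of
# the previous entry, so a deleted or edited entry breaks the chain.
def audit(event):
    entry = dict(event, prev=AUDIT_LOG[-1]["hash"] if AUDIT_LOG else "0" * 64)
    entry["hash"] = hashlib.sha256(_canon(entry)).hexdigest()
    AUDIT_LOG.append(entry)


def verify_audit_chain():
    prev = "0" * 64
    for entry in AUDIT_LOG:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body["prev"] != prev or hashlib.sha256(_canon(body)).hexdigest() != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def access_phi(store, token, patient_id, action, now):
    """The gateway: authenticate, authorize, verify integrity, audit, release."""
    try:
        user, role = verify_token(token, now)
    except PermissionError as exc:
        audit({"t": now, "user": None, "patient": patient_id, "action": action, "result": str(exc)})
        raise
    allowed = authorize(user, role, action, patient_id)
    audit({"t": now, "user": user, "patient": patient_id, "action": action,
           "result": "allowed" if allowed else "denied"})
    if not allowed:
        raise PermissionError("%s (%s) may not %s %s" % (user, role, action, patient_id))
    record = open_record(store[patient_id])
    if action == "read_billing":  # minimum necessary: billing never sees clinical notes
        return {k: record[k] for k in ("patient", "insurance_id")}
    return record


# Constructed record store, sealed at rest.
STORE = {"pt-1001": seal_record({"patient": "pt-1001", "insurance_id": "INS-77",
                                 "note": "HbA1c 7.9%"})}

if __name__ == "__main__":
    token = issue_token("dr.lee", "physician", expires_at=2000)
    print(access_phi(STORE, token, "pt-1001", "read", now=1000))
    print("audit chain intact:", verify_audit_chain())
```

Two design points are worth noting. Denied and failed attempts are audited as well as successful ones, because the Privacy Rule complaints that follow concern access by people without a need to know, and those are exactly the attempts an investigator needs to see. And the billing role receives a projection of the record rather than the whole record, which is the "minimum necessary" principle applied at the point of release rather than left to the caller.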
Guiding Principles

The Security Rule is based on several important principles:
• Scalability
• Comprehensiveness
• Technology neutrality
• Internal and external security threats
• Risk analysis

Non-Compliance

• CEs that do not comply with the Security Rule requirements are subject to a number of penalties.
• As enacted in 1996, civil penalties are $100 per violation, up to $25,000 per year for each requirement violated. Criminal penalties range from $50,000 in fines and one year in prison up to $250,000 in fines and 10 years in jail. (The HITECH Act of 2009 later raised the civil penalty tiers substantially.)

Transaction Rule

• July 1, 2005
• The transaction rule covers several key EDI transactions
• Although many companies were already developing standardized EDI formats, there was still no industry standard before the rule was put in place.

Transaction and Code Set Rule: "Speak the Same Language"

Standard transactions (ASC X12N transaction set numbers in parentheses):
• Health Care Claim or Encounter (837)
• Health Care Claim Payment and Remittance (835)
• Health Care Claim Status Inquiry/Response (276, 277)
• Health Care Eligibility Inquiry/Response (270, 271)
• Enrollment and Disenrollment in a Health Plan (834)
• Referral Certification and Authorization (278)
• Health Plan Premium Payments (820)
• Health Care Claim Attachments (delayed)
• First Report of Injury (delayed)

Compliance Deadlines:

• Privacy: April 14, 2003 (April 14, 2004 for small health plans)
• Security: April 20, 2005 (April 20, 2006 for small health plans)
• Transactions & Code Sets: October 16, 2003, one year after the original October 16, 2002 date for entities that filed a compliance plan
• Identifiers: Employer Identifier (EIN) July 30, 2004; National Provider Identifier May 23, 2007

Some Common Reactions

• HIPAA is an unfunded mandate.
• It's an IT issue (like Y2K).
• It is someone else's problem (the State's, Health's, IT's).
• Local agencies are waiting for direction from State, County, Fed...
• Compliance issues

Compliance Is Increasingly an Issue

The number of HIPAA Privacy Rule compliance and enforcement complaints has continually increased over the years.

Complaints Are Consistently Related to Data Privacy

• Three of the top five Privacy Rule complaints are data privacy issues:
  - Impermissible uses and disclosures, e.g. providing PHI to external partners
  - Safeguards, e.g. PHI is not protected in computer systems
  - Access, e.g. PHI is accessible to those without a need to know

Examples of PHI Leaking Out

• Example 1: Safeguards
  A flaw in a national health maintenance organization's computer system sent explanations of benefits to a patient's unauthorized family member. This flaw put the PHI of approximately 2,000 families at risk, in violation of the Privacy Rule.

• Example 2: Impermissible Disclosures and Safeguards
  A municipal social service agency disclosed protected health information while processing Medicaid applications by sending consolidated data to computer vendors who were not business associates. This put PHI in the hands of an uncovered entity that could have used it for a variety of harmful purposes.

• These examples ended with minimal public impact and were remedied with improved security procedures and controls.
• But what if this PHI had gotten into the wrong hands?

Worst Case Scenario: HIPAA Data Theft

• The owner of a Florida claims handling system, Fernando Ferrer, Jr., was convicted of illegally buying PHI from a clinic employee and then submitting fraudulent claims to collect on the resulting payouts. The clinic employee downloaded the PHI of more than 1,100 patients and sold the information to Ferrer.
• This theft resulted in the submission of more than $7 million in fraudulent Medicare claims, with $2.5 million paid to providers and suppliers.
• The risk of such a scenario increases substantially without the necessary controls in place to lock down and minimize the PHI in an enterprise.
Conclusion?

• HIPAA has had a large effect on the industry today.
• The type of health information being recorded is changing.
• In the end, a great act!

More Information:

• Department of Health & Human Services, HIPAA: www.hhs.gov/ocr/hipaa
• HIPAA.ORG
• Overview HIPAA - General Information: http://www.cms.hhs.gov/hipaaGenInfo/

								