HIPAA

Health Insurance Portability and Accountability Act

Yaseen Hayajneh RN, MPH, PhD




                               Dr. Yaseen Hayajneh
               HIPAA

• The Health Insurance Portability and Accountability Act of 1996.
• AKA Kassebaum-Kennedy Act, after the two senators who
  spearheaded the bill.
• Passed in 1996 to help people buy and keep health insurance,
  even when they have serious health conditions.
• Generally, HIPAA restricts the use of preexisting condition
  exclusions, creates special enrollment periods and prohibits
  discrimination based on health-status related conditions in
  enrollment and premiums.




               HIPAA

• The federal law which establishes standards for the privacy and
  security of health information, as well as standards for
  electronic data interchange (EDI) of health information.

• HIPAA has two main goals:
   – making health insurance more portable when persons change
     employers, and
   – making the health care system more accountable for costs --
     trying especially to reduce waste and fraud.




               HIPAA: Administrative Simplification

• HIPAA aims to improve accountability in part through what it
  calls administrative simplification -- a term that translates,
  roughly, as "promoting efficiency."
• Administrative Simplification is a subtitle of the Health
  Insurance Portability and Accountability Act of 1996.
• The principal means of promoting efficiency is better use of
  information technology.
• Broader use of computer systems increased concerns about
  misuse of patient's health information, hence the inclusion of
  privacy and security provisions as part of HIPAA along with EDI
  standards.




               Health Insurance Portability and Accountability Act

• Administrative Simplification (Accountability)
   – Transactions & Code Sets
   – National Identifier
   – Privacy
   – Security
• Insurance Reform (Portability)

                What is Privacy?

• The condition of being concealed or hidden
• Right of an individual to be left alone

• For purposes of the HIPAA Privacy Rule, privacy means an
  individual's interest in limiting who has access to personal
  health care information.




                HIPAA Privacy Rule

• Effective April 14, 2003.
• The Privacy Rule sets standards for how protected health
  information (PHI) "in any form or medium" should be controlled.
• HIPAA's other rules cover only electronic information.
• HIPAA sets a federal floor for PHI, but:
   – States may have more stringent privacy protections, and
   – The more stringent law (HIPAA or state) governs.

• Remember: "in any form or medium"




                 Protected Health Information (PHI)

• Privacy Rule protects health information identifying a person (or
  information that can be used to identify a person):
   – All individually identifiable health information that provider
     creates, uses or receives.
   – Includes information about:
       » Past, present or future physical or mental health of a person,
       » Provision of health care to that person, and
       » Payment for care received.
   – Includes information in written, electronic or oral form.




                     Protected Health Information (PHI)

• Name
• Social Security Number
• Medical record numbers
• Telephone numbers
• Fax numbers
• Full face photographs
• Geographic subdivisions smaller than state (street address, city,
  county, precinct, zip code, equivalent geo-codes except first 3
  digits of a zip code)
• All elements of dates (except year) directly related to an
  individual, including birth date, admission date, discharge date,
  date of death, and ages over 89
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate
  numbers
• Device identifiers and serial numbers
• Biometric identifiers (including finger or voice prints)
• URL (Web Universal Resource Locator)
• Email addresses
• Internet Protocol (IP) address numbers
• Any other unique identifying number, characteristic, or code

                Privacy Rule: What does it do?

• For the first time creates national standards to protect
  individuals' medical records and other personal health
  information.
• It gives patients more control over their health information.
• It sets boundaries on the use and release of health records.
• It establishes appropriate safeguards that health care providers
  and others must achieve to protect the privacy of health
  information.
• It holds violators accountable, with civil and criminal penalties
  that can be imposed if they violate patients' privacy rights.
• And it strikes a balance when public responsibility requires
  disclosure of some forms of data - for example, to protect public
  health.


                Privacy Rule Requirements

• For the average health care provider or health plan, the Privacy
  Rule requires activities, such as:
   – Providing information to patients about their privacy rights and
     how their information can be used.
   – Adopting clear privacy procedures for its practice, hospital, or
     plan.
   – Training employees so that they understand the privacy
     procedures.
   – Designating an individual to be responsible for seeing that the
     privacy procedures are adopted and followed.
   – Securing patient records containing individually identifiable health
     information so that they are not readily available to those who do
     not need them.



                Privacy Rule: Covered Entities

• Health plans,
• Health care clearinghouses
• Health care providers who conduct certain financial and
  administrative transactions electronically.
   – Covered entities are bound by the privacy standards even if they
     contract with others to perform some of their essential functions.




               Privacy Rule: Use vs. Disclosure

• Use: Sharing within the entity.
• Disclosure: Sharing outside the entity.
• Privacy rule allows use and disclosure without specific
  authorization for Treatment, Payment, and Operations
  (TPO).




           Research is not considered to be
           treatment, payment or operations




                Security Rule
• The Security Rule's requirements are divided into:
   – Administrative safeguards.
   – Physical safeguards.
   – Technical safeguards.
• Each category includes various standards and implementation
  specifications that provide instructions for putting in place the
  components of the three categories.




               Security Rule

• The HIPAA Security Rule applies to covered entities -- defined
  as (a) health plans, (b) health care clearinghouses, and (c)
  health care providers who transmit any protected health
  information (PHI) in "electronic form."

• The Security Rule does not include any standards for PHI in
  non-electronic forms. Such information is, however, covered by
  the HIPAA Privacy Rule, which extends to PHI in "any form or
  medium."




                  Security Rule: Administrative Safeguards

• "Administrative actions, and policies and procedures, to manage
  the selection, development, implementation, and maintenance
  of security measures to protect electronic PHI and to manage
  the conduct of the covered entity's workforce in relation to the
  protection of that information."
   – Examples
       »   Security management process
       »   Assigned security responsibility
       »   Workforce security
       »   Information access management
       »   Security awareness and training
       »   Security incident procedures
       »   Business associate contracts and other arrangements
       »   Documentation


                  Security Rule: Physical Safeguards
• Physical measures, policies and procedures to protect a
  covered entity's electronic information systems and related
  buildings and equipment, from natural and environmental
  hazards, and unauthorized intrusion.
   – Examples:
       »   Facility access controls
       »   Workstation use
       »   Workstation security
       »   Device and media controls




                  Security Rule: Technical Safeguards
• "The technology and the policy and procedures for its use that
  protect electronic protected health information [PHI] and control
  access to it."
   – Examples
       »   Access control
       »   Integrity
       »   Audit controls
       »   Person or entity authentication
       »   Transmission security




                  Identifier Rule
• HIPAA requires the Department of Health and Human Services
  (HHS) to develop standard, unique identifiers for every
   –   Health care provider;
   –   Employer;
   –   Health plan; and
   –   Patient




                   National Provider Identifier (NPI)
• Historically,
    – Health plans have independently assigned identifiers to health care
       providers.
    – These identifiers are not standardized within plans or across plans.
    – As a result, providers can have multiple billing numbers, significantly
       complicating the submission of claims, and coordination of benefits.
• A standard, unique provider identifier would assist in overcoming these
  difficulties.
    – The Final Rule adopting the HIPAA standard unique health identifier for
       health care providers was published in January 2004.
    – Health care providers can begin applying for NPIs on the effective date of
       the final rule, which is May 23, 2005.
    – All health care providers are eligible to be assigned NPIs;
    – Covered entities must obtain and use NPIs.
    – Covered entities must use NPIs by the compliance dates


                Standard Unique Employer Identifier
• This rule establishes a standard for a unique employer identifier
  and requirements concerning its use by health plans, health
  care clearinghouses, and health care providers.
• The health plans, health care clearinghouses, and health care
  providers must use the identifier, among other uses, in
  connection with certain electronic transactions.
• The use of this identifier will improve the Medicare and Medicaid
  programs, and other Federal health programs and private health
  programs, and the effectiveness and efficiency of the health care
  industry in general, by simplifying the administration of the system
  and enabling the efficient electronic transmission of certain
  health information.




                 Identifier Rule: Plan & Patient
• National Health Plan Identifier
    – A national health plan identifier would apply to "health plans,"
      defined by HIPAA as an individual or group plan that provides for
      or pays the cost of medical care. A proposed plan identifier has
      not yet been issued.
    – Under development; not yet available


• National Patient Identifier
    – The requirement that HHS issue a national identifier for individuals
      has been extremely controversial because of issues such as
      privacy and what model of identifier should be used.




                Transactions & Code Sets

• The TCS Rule mandates uniform electronic interchange formats for
  all covered entities.
• This rule adopts standards for eight electronic transactions and
  for code sets to be used in those transactions.
• The use of these standard transactions and code sets will
  improve the effectiveness and efficiency of the health care
  industry, by simplifying the administration of the system and
  enabling the efficient electronic transmission of certain health
  information.
• This standardization along with the Identifier rule is expected to
  produce the lion's share of the efficiency savings of
  "administrative simplification."




                 Transaction standards:
•   Claims
•   Payment and remittance
•   Eligibility for Health plan
•   Enrollment / disenrollment
•   Premium payments
•   Claim status
•   Coordination of benefits
•   Referral and authorization




                Clinical data code sets standards:
1. ICD-9 for diseases
2. CPT-4 for services and procedures
3. HCPCS for medical equipment, injectable drugs, and
   transportation services
4. CDT-2 for dental services
5. NDC for prescription drugs

•   These apply only to the administrative and financial electronic
    transactions




               HIPAA Views & Issues

• CEO: Cost, effective delivery of healthcare services.
• CFO: Initial Capital costs, Return on Investment
• Health Professionals: Improve patient care and information
  access.
• CIO: Compliance, Vendor solutions, Security & Privacy



