HIPAA

 

     

Overview: What is HIPAA?
The History of HIPAA.
Administrative Simplification:  What is Title II?
Business Associates
Standards Privacy, Security and Other
Timeline
Benefits
Penalties
Project HC2:  HIPAA COMPLIANCE CHALLENGE
Resources

 

HIPAA OVERVIEW

 

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996. 

HIPAA attempts to streamline the processing of health care claims, to increase productivity, to cut administrative costs, and to reduce paperwork by submitting claims electronically. In addition, HIPAA provides protection through privacy and security of all entities involved under the Act.

Title I of the HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. 

HIPAA is the first ever standard for protecting the privacy of personal health records of individuals in the United States. It is a single, efficient electronic transaction environment to provide better service for providers, insurers, and patients. The expected savings for this project are $29.9 billion over a 10-year period. Not only does the plan address the security and privacy of health data, but these standards will also improve the efficiency and effectiveness of the nation’s health care system by encouraging the use of electronic data interchange (EDI) in health care.

HIPAA is a sweeping Federal law designed to protect the privacy and security of health information of consumers. Its goal is to improve the quality of health care by restoring trust in the health care system among consumers, health care professionals and the related organizations and individuals who are part of the U.S. health care industry.

HIPAA will improve the efficiency and effectiveness of health care delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems and individual organizations and individuals.

HIPAA requires compliance on many levels including privacy, security, transaction standards, information control and access, education and training. Health care providers (doctors, dentists, etc. and their employees), health care clearinghouses, health insurance plans and their employees are covered by the HIPAA regulations. These organizations are known as "covered entities".

Covered entities that qualify for the extension will have until Oct. 16, 2003, to meet the electronic transaction standards instead of the original Oct. 16, 2002, deadline. (Small health plans must still meet the Oct. 16, 2003, compliance date and are not eligible for an extension under the new law.) The legislative extension does not affect the compliance dates for the health information privacy rule, which remains April 14, 2003, for most covered entities (and April 14, 2004, for small health plans).

Medical Network I provides your practice with a cost effective compliance management system in order to reach full HIPAA compliance.

HIPAA Components:

Portability refers to the protection of workers who leave their jobs from losing their ability to be covered by health insurance.

Accountability refers to the protection of integrity, confidentiality, and availability of electronic health information.

Administrative Simplification Provision refers to the establishment of national standards for electronic health care transactions and national identifiers for providers, health plans, and employers.

The History of HIPAA

 

On August 21, 1996, the Health Insurance Portability and Accountability Act was signed into law. It is a piece of legislation aimed at reforming healthcare and recognizing the healthcare industry’s increased use of electronic technology. Congress directed the Department of Health and Human Services (HHS) to create a set of standards for transaction formats and code sets for exchange of information with respect to financial and administrative actions in order to comply. The advances in electronic technology and communication carried risks, which allowed for the enactment of a privacy statute to increase the protection of the privacy of personal health information.

In August 2000, HHS issued final electronic transaction standards to streamline the processing of health care claims, reduce the volume of paperwork and provide better service for providers, insurers and patients. The new standards establish standard data content, codes and formats for submitting electronic claims and other administrative health care transactions. By promoting the greater use of electronic transactions and the elimination of inefficient paper forms, these standards are expected to provide a net savings to the health care industry of $29.9 billion over 10 years. All health care providers will be able to use the electronic format to bill for their services, and all health plans will be required to accept these standard electronic claims, referral authorizations and other transactions.

 

HIPAA National Standards

PRIVACY STANDARDS

In December 2000, HHS issued a final rule to protect the confidentiality of medical records and other personal health information. The rule limits the use and release of individually identifiable health information; gives patients the right to access their medical records; restricts most disclosure of health information to the minimum needed for the intended purpose; and establishes safeguards and restrictions regarding disclosure of records for certain public responsibilities, such as public health, research and law enforcement. Improper uses or disclosures under the rule are subject to criminal and civil sanctions prescribed in HIPAA.

After considering public comment on the final rule, HHS Secretary Tommy G. Thompson allowed it to take effect as scheduled, with compliance for most covered entities required by April 14, 2003. (Small health plans have an additional year.) In March 2002, HHS proposed changes to the rule to eliminate unintended consequences that could interfere with access to or quality of health care. A summary of the proposed modifications is available at http://www.hhs.gov/news/press/2002pres/20020321.html.

More information on the privacy rule, including HHS guidance that clarifies the rule's provisions, is available at http://www.hhs.gov/ocr/hipaa.

SECURITY STANDARDS

In May 2002, HHS issued a final rule to standardize the identifying numbers assigned to employers in the health care industry by using the existing Employer Identification Number (EIN), which is assigned and maintained by the Internal Revenue Service. Businesses that pay wages to employees already have an EIN. Currently, health plans and providers may use different ID numbers for a single employer in their transactions, increasing the time and cost for routine activities such as health plan enrollments and health plan premium payments. Most covered entities must comply with the EIN standard by July 30, 2004. (Small health plans have an additional year to comply.)

In August 1998, HHS proposed rules for security standards to protect electronic health information systems from improper access or alteration. In preparing final rules for these standards, HHS is considering substantial comments from the public, as well as new laws related to these standards and the privacy regulations. HHS expects to issue final security standards shortly.

National provider identifier (NPI). In 1998, Donna Shalala of the Department of Health and Human Services (HHS) proposed, as part of these HIPAA provisions, a National Standard Provider Identifier (NPI), a National Standard Employer Identifier and security standards for electronic health data. These standards require hospitals, doctors, nursing homes, and other health care providers to obtain a unique identifier when filing electronic claims with public and private insurance programs. Providers would apply for an identifier once and keep it if they relocated or changed specialties.

Currently, health care providers are assigned different ID numbers by each different private health plan, hospital, nursing home, and public program such as Medicare and Medicaid. These multiple ID numbers result in slower payments, increased costs and a lack of coordination.

OTHER ADDITIONAL STANDARDS

Led by CMS, HHS is currently developing other administrative simplification standards. HHS has published proposed regulations for three other major standards - security standards and national identifiers for health care providers and for employers - and is now reviewing public comments and preparing final regulations. HHS also is working to develop other proposed standards, including a national health plan identifier, additional electronic transaction standards and minor modifications to the original transaction rule. In addition, HHS is developing regulations related to enforcement of the adopted standards. The status of key standards required under HIPAA follows:

National health plan identifier and other HIPAA regulations.   HHS is working to propose standards that would create a unique identifier for health plans, making it easier for health care providers to conduct transactions with different health plans. HHS is also working to develop additional transaction standards for attachments to electronic claims and for a doctor's first report of a workplace injury. In addition, HHS is developing a proposed rule on enforcement of the HIPAA requirements. As with other HIPAA regulations, HHS will first consider public comment on each proposed rule before issuing any final standards.

Personal identifier on hold. Although HIPAA included a requirement for a unique personal health care identifier, HHS and Congress have put the development of such a standard on hold indefinitely. In 1998, HHS delayed any work on this standard until after comprehensive privacy protections were in place. Since 1999, Congress has adopted budget language to ensure no such standard is adopted without Congress' approval. HHS has no plans to develop such an identifier.

 

HIPAA Timeline.

October 16, 2002: Date of compliance: Transaction and Code Sets
December 28, 2000: Privacy Final Rule published
August 17, 2000: Transaction and Code Sets Final Rule published
February 21, 2000: Deadline for DHHS Secretary to publish privacy standards for individually identifiable health information.
February 17, 2000: Extended deadline for comment period on Privacy Standards for Individually Identifiable Health Information.
January 3, 2000: 60 day comment period on Privacy Standards for Individually Identifiable Health Information ends.
November 3, 1999: Privacy Standards for Individually Identifiable Health Information is published in Federal Register
October 29, 1999: Clinton Administration Announces Proposed Rules -- Privacy Standards for Individually Identifiable Health Information.
August 21, 1999: Deadline for Congress to enact legislation governing the privacy of individually identifiable health information standards. Because Congress failed to meet the deadline, HIPAA requires the Secretary of Health and Human Services to promulgate such standards by regulation.
November 3, 1999: Privacy NPRM published
August 12, 1998: Security NPRM published.
June 16, 1998: National Employer Identifier NPRM published
May 7, 1998: National Provider Identifier NPRM published
Transactions and Code Sets NPRM published

 

 

Administrative Simplification:  What is Title II?

 

Administrative Simplification was added to develop standards for maintenance and transmission of health information that identifies individual patients.

1.      Requires the Department of Health and Human Services (HHS) to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers.

2.      Applies to all entities, such as health plans, health care providers, and health care clearinghouses, that transmit health information in electronic form.

        1.       Health Plans: Health care insurance companies or plans that provide or pay the cost of medical care.

        2.       Health Care Providers: Any entity providing medical or other health services and any person furnishing health care services.

        3.       Health Care Clearinghouses: A company that processes non-standard healthcare data elements into standard healthcare data elements. As taken from 45 CFR 160.103.

3.      Aims to reduce the administrative costs of providing and paying for health care by requiring that standards be adopted for electronic transactions, unique health identifiers, code sets, security and privacy of electronic health information, and electronic signatures.

These HIPAA provisions are intended to improve the efficiency in healthcare delivery through standardized, electronic transmission of many administrative and financial transactions as well as protection of confidential health information.

To qualify for the extension, the covered entity must submit a plan for achieving compliance by the new deadline.

HHS' Centers for Medicare & Medicaid Services (CMS) has issued a model compliance plan that covered entities may use to obtain an extension. The model plan is available at http://www.cms.gov/hipaa/hipaa2/ASCAForm.asp

 

In addition, the act includes provisions for improving and monitoring the security and confidentiality of any records containing health plan member and patient information.


  “Business Associates”

The Rule places restrictions on disclosures of protected health information from covered entities to business associates. Business associates include: pharmaceutical manufacturers, direct marketers, medical equipment suppliers, software and database vendors and suppliers. They perform certain functions or services on behalf of the covered entity involving the use of protected health information. Covered entities can also be business associates to other covered entities.

Since the regulations frequently refer to "electronic" communication, what media falls into that category? HIPAA applies to all communication that is stored or transmitted electronically, or that has been stored or transmitted electronically in the past. Media includes, but is not limited to, computer databases, tapes, disks, telecommunications, FAX, Internet, networks.

Benefits of HIPAA

Ultimately, the HIPAA law will create a dramatic improvement in the efficiency and effectiveness of our current health care system. 

·          Decreased administrative burden.  Less time and cost to complete many clinical billing and other financial work flow processes.

·          More efficient, cost effective processing. Standardizes the flow of electronic health information and facilitates improved relationships between health care partners.

·          Quicker flow of information between entities.  Results in better patient care and decreased reimbursement time.  Also provides a method to conduct streamlined, accurate B2B transaction processing.

·          Stricter Security Measures. To protect the physical accessibility of patient health information.

·          Greater Privacy protection.  To safeguard the disclosure of confidential patient health information.

·          Streamlined health care operations.  Administrative functions.

·          Improved cash flow.  Because of quicker return on claims & payment transactions

·          Tighter security measures to protect the accessibility of patient health information.

·          Reduce the legal risks, administrative penalties and negative attention due to wrongful disclosures of protected health information (PHI) or other violations of HIPAA regulations.

 

Penalties of HIPAA

There are civil and even criminal penalties which may be imposed for non-compliance with HIPAA. The civil penalty ranges from $100 per violation to as much as $25,000 per person, per year for EACH requirement or prohibition violated. Criminal penalties range from $50,000 and one year in prison for obtaining or disclosing protected health information up to $250,000 and 10 years in prison for doing the same with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.

 

 

 

Project HC2:  HIPAA COMPLIANCE CHALLENGE 

 

Medical Network One wants you to be HIPAA compliant.

Our HIPAA administrative department at Medical Network One would like to provide, share, and exchange important and critical information for all of your HIPAA compliance needs and concerns. 

 

Medical Network One suggests our three step HIPAA Compliant Challenge (HC2) to start you off in the right direction and lead you to accomplish compliance in an organized timely fashion.  

 

1. All covered entities must designate an individual to be responsible for HIPAA compliance - in essence, a privacy officer. The privacy officer must be trained and knowledgeable regarding HIPAA and the compliance of his/her company.
2. All employees of covered entities must be trained regarding HIPAA compliant privacy and protection of health information. This is what we refer to as awareness training.

Medical Network One provides the tools to:

 

1.     File for an Extension. Medical Network One will walk you through the HIPAA Extension. Apply for your Electronic Health Care Transactions and Code Sets Standards Model Compliance Plan Extension. Physician practices must electronically submit an application form by October 15, 2002. You will receive an additional year to comply, which sets the final date at October 15, 2003. CMS has published an electronic version of the form that can be submitted via the internet.

 

Note:  A physician practice that fails to timely submit an extension form to CMS and is not in compliance by October 16, 2002, can face potential exclusion from the Medicare program.

 

2.     Complete a Gap Analysis Onsite Survey.  Medical Network One’s HIPAA Initiative Manager will conduct a preliminary HIPAA compliance survey to evaluate your progress toward your implementation strategies for HIPAA compliance.  We will determine your future goals and provide useful tips and suggestions to ease your load during the compliance process.

 

3.     Implementation of policies, regulations, and documentation.  Medical Network One will guide you during this final step.  Appointing a privacy official, employee training, and the creation of forms, policies, and notices are the necessary steps your practice must put into place for HIPAA compliance.

Medical Network I will work hard to create a cost-effective HIPAA compliance project to achieve your full compliance, on time and within budget.

The HIPAA regulations are complex and overwhelming.  Compliance can be a confusing and frustrating task to deal with. Medical Network I will create a customized plan for all of your HIPAA compliance needs.

 

 

Resources

U.S. Department of Health and Human Services, Office for Civil Rights http://www.hhs.gov/ocr/hipaa/

U.S. Department of Health and Human Services, Administrative Simplification http://aspe.hhs.gov/admnsimp/Index.htm

General Information from HCFA about HIPAA http://www.hcfa.gov/hipaa/hipaahm.htm