hip - prof
-
Ch 1
3 things about HIPAA -
Insurance Portability
Fraud
Administrative Simplification -
Ch 1
PHI - Protected Health Information
-
Ch 1
2 other names for HIPAA -
1) Public Law 104-191
2) Kennedy-Kassebaum bill -
Ch 1
Why pass HIPAA? 6 reasons -
1) Improve portability and continuity of health insurance coverage
2) Combat waste, fraud, and abuse in health insurance and health care delivery
3) Promote use of medical savings accounts
4) Improve access to long term care services and coverage
5) Simplify administration of health insurance
6) Protect the privacy of patient records and any other patient-identifiable information -
Ch 1
5 HIPAA titles? -
1) Health Care Insurance Access, Portability, and Renewability
2) Preventing healthcare fraud and abuse; Administrative simplification; Medical Liability Reform
3) Tax related health provisions
4) Application and Enforcement of Group Health Insurance Requirements
5) Revenue Offsets -
Ch 1
4 new protections of Section 1 of HIPAA -
1) increase ability to GET health coverage when starting a new job
2) reduces chance of losing existing health care coverage
3) help workers maintain continuous health coverage when changing jobs
4) help workers purchase health coverage on their own if they lose employer coverage and have no other plan available -
Ch 1
Why privacy in HIPAA? - Security and privacy promote higher quality care by giving consumers confidence that health information is protected from inappropriate uses and disclosures
-
Ch 1
4 ways that 1 in 6 people have shielded themselves with privacy? -
1) Doctor hopping
2) Withholding information
3) Inaccurate information
4) Paying out of pocket -
Ch 1
How much will addressing privacy and security issues in healthcare cost the industry? - between 17 and 22 billion in the first 5-10 years!
-
Ch 1
Provider and Payer vs Clearinghouse solution? - Congress intends providers and payers to become compliant together. Consumers have the most to gain by this.
-
Ch 1
Changing 1 component in tightly coupled, integrated systems? - Causes issues.
-
Ch 1
HIPAA's impact? (5 things) -
1) Standardization of electronic administrative and financial health transactions
2) Unique health identifiers for all members in the health transactions (employers, plans, insurance, individuals)
3) Security standards protecting confidentiality and integrity
4) Privacy
5) Standards for e-medical records -
Ch 1
Covered Entities? -
1) Health care plans
2) Health care clearing houses
3) Health care providers -
Ch 1
Health plan? and a few examples -
-Individual or group plan that provides or pays the cost of medical care.
1) HMO
2) Issuer of long term care policy
3) Indian Health Service
4) Employee welfare benefit plan -
Ch 1
Health care clearinghouse? -
-organizations that process health care transactions on behalf of providers and insurers.
1) Billing services
2) Community health management information systems
3) Medical reviewers -
Ch 1
Health care provider? -
A person who is trained and licensed to give health care.
1) doctor
2) hospital
3) clinic
4) pharmacy -
Ch 1
3 attributes of an org DEFINITELY impacted? -
1) Receives, submit, or pay health care claims
2) involved in plan enrollment or benefits
3) receives, distributes, or retains patient health care data -
Ch 1
4 attributes of an org that MAY be impacted -
1) receive or submit med information from/to a business partner
2) receive info from or to provider working in a HIPAA compliant environment
3) use detailed or summary medical info from other entities
4) generate reports from medically related information -
Overview
Meaning of 5 titles -
Title 1 - Insurance access and portability
Title 2 - Preventing Fraud, Administrative Simplification
Title 3 - Tax related health provisions
Title 4 - Application and Enforcement of Group Insurance Requirements
Title 5 - Revenue Offsets -
Overview
Standards for Electronic Transactions - Administrative Simplification - Transactions, Code Sets, and Identifiers; defines standards for conducting EDI health transactions
-
Overview
Standards for Privacy - Administrative Simplification - Who is authorized to access health information; gives individuals the right to control whether information about themselves is disclosed
-
Overview
Standards for Security - Administrative Simplification - Admin, Physical, and Technical safeguards to secure PHI
-
Overview
3 covered entities -
1) Health Plan
2) Health Care clearinghouse
3) Health Care provider -
Overview
Compliance timeline
1) Transactions and Code sets
2) Privacy
3) Transactions testing
4) Employer identifier
5) Security -
1) 10/16/2002; 10/16/2003 for small health plans and for covered entities that filed a compliance extension plan
2) 4/14/2003 (small health plans: 4/14/2004)
3) 4/16/2003 (entities that took the extension had to begin testing by this date)
4) 7/30/2004
5) 4/20/2005 (small health plans: 4/20/2006) -
Overview
Civil Penalties -
$100 - each violation of a provision (separate penalties for violating multiple provisions)
$25k - cap per calendar year for all violations of an identical provision. The Secretary may waive the penalty if the violation was not due to willful neglect and is corrected within 30 days -
Overview
Criminal Penalties
1) Wrongful disclosure of individually identifiable health information - 1) up to 50k, 1 year
-
Overview
Criminal Penalties
2)Wrongful disclosure of individually identifiable health information under false pretenses - 2) up to 100k, up to 5 years
-
Overview
Criminal Penalties
3)Wrongful disclosure of individually identifiable health information under false pretenses with intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm - 3) up to 250k, up to 10 years
-
Overview
DSMO - Designated Standards Maintenance Organization
-
Overview
6 DSMOs -
1) Accredited Standards Committee (ASC) X12, ANSI-accredited
2) Dental Content Committee of ADA
3) HL7 (health level 7)
4) National Council for prescription drug programs (NCPDP)
5) National Uniform Billing Committee (NUBC)
6) National Uniform Claim Committee (NUCC) -
Overview
Related Orgs...
Centers for Medicare and Medicaid Services - CMS is responsible for implementing the non-privacy Administrative Simplification provisions of HIPAA (Privacy is handled by the HHS Office for Civil Rights); responsible for enforcing the HIPAA Transactions Rule
-
Overview
Related orgs...
Workgroup for EDI (WEDI) - voluntary, private task force created to streamline health care admin by standardizing electronic communication across the country
-
Overview
Related orgs...
Health Level 7 (HL7) - ANSI accredited, defines standards for cross-platform exchange of information within health care organizations
-
Overview
Related orgs...
Washington Publishing Company (WPC) - Publishes the X12N HIPAA Implementation Guides and the X12N HIPAA Data Dictionary
-
Overview
Related Orgs...
National Council for Prescription Drug Programs - ANSI accredited, maintains standard formats for use by retail pharmacy industry.
-
Overview
National Committee on Vital Health Statistics (NCVHS) - advisory committee to Sec of HHS. NCVHS reviews sample plans to identify common problems that are complicating compliance activities.
-
Overview
4 Types of transactions? -
1) patient scheduling
2) registration
3) clinical reporting
4) billing -
Overview
ASC X12N vs NCPDP - ASC X12N standards for all transactions except retail pharmacy transactions, which use NCPDP
-
Overview
ASC X12N 270 - Eligibility, Coverage, or Benefit Inquiry
-
Overview
ASC X12N 271 - Eligibility, Coverage, or Benefit Information
-
Overview
ASC X12N 276 - Health Care Claim Status Request
-
Overview
ASC X12N 277 - Health Care Claim Status Notification
-
Overview
ASC X12N 278 -
Health Care Services Review: 1) Request for Review
2) Response -
Overview
ASC X12N 820 - Payment Order/Remittance Advice (used under HIPAA for health plan premium payments)
-
Overview
ASC X12N 834 - Benefit Enrollment and Maintenance
-
Overview
ASC X12N 835 - Health Care Claim Payment/Advice
-
Overview
ASC X12N 837
004010X096 - Health Care Claim: Institutional
-
Overview
ASC X12N 837
004010X097 - Health Care Claim: Dental
-
Overview
ASC X12N 837
004010X098 - Health Care Claim: Professional
-
Overview
When do transaction standards apply? - Only when data is transmitted electronically
-
Overview
Compliance - compliance by October 16, 2003
-
Overview
ICD-9-CM Volumes 1 and 2 - International classification of diseases. Updated by DHHS.
-
Overview
ICD-9-CM, Volume 3 - Used to describe/identify inpatient hospital services and surgical procedures. Updated by DHHS.
-
Overview
CPT-4 - Current Procedural Terminology, used to identify physician services or procedures. Maintained by AMA
-
Overview
CDT - Code on dental procedures and nomenclature. Used to describe dental services or procedures. ADA
-
Overview
NDC - National Drug Code. Used to identify drugs. HHS and FDA
-
Overview
HCPCS - Healthcare common procedure coding system - used to describe services that are not physician, dentist, hospital, or radiological/vision/hearing services. Updated by CMS (Centers for Medicare and Medicaid Services (CMS))
-
Overview
(National Healthcare Identifiers)
NPI -
National Provider Identifier
1) Individual Providers
2) Organization providers - Notes on NPI
-
1) Keep NPI for life
2) Org can get multiple NPI
3) Individual NPI will not be linked to Org NPI -
(National Healthcare Identifier)
NHPI - National Health Plan Identifier - a standard and uniform identifier that would apply to health plans and payers
-
(National Healthcare Identifier)
- NEI - National Employer Identifier: the standard identifier for employers (the IRS Employer Identification Number, EIN) and the requirements concerning its use
- National Health Identifier for individuals
- Not addressed in HIPAA implementation planning (adoption was put on hold). HHS has stated it will NOT be the Social Security Number.
- Transaction set
- Group of logically related data segments (ST through SE). The smallest meaningful set of data exchanged between trading partners
- Functional group
- Group of one or more related transaction sets. Introduced by a group start segment (GS) and concluded by a group end segment (GE)
- Enumerator
- Organization that will assign unique health care identifiers and maintain the NPS/NPF
- National Provider System (NPS)
- A central electronic system that will identify and uniquely enumerate health care providers at the national level
- National Provider File (NPF)
- A national database of providers that will be distributed electronically
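As an added worked example (not code from this deck, from the X12 standards, or from any vendor), the following Python walks an ASC X12 interchange and checks the envelope structure that the transaction set and functional group cards above describe: a transaction set runs from ST to SE, a functional group from GS to GE, and the interchange from ISA to IEA, and each trailer carries a count and a control number that must match its header. It also names the X12N transaction sets listed earlier in the deck. The transaction set IDs and implementation guide version strings are the standard's own; the sender and receiver IDs, control numbers, dates, and segment contents in the sample interchange are constructed for the example.

```python
"""Check the ISA/GS/ST ... SE/GE/IEA envelopes of an ASC X12 interchange (added example)."""
from dataclasses import dataclass, field

# Transaction set IDs and names as listed in this deck.
HIPAA_TRANSACTION_SETS = {
    "270": "Eligibility, Coverage, or Benefit Inquiry", "271": "Eligibility, Coverage, or Benefit Information",
    "276": "Health Care Claim Status Request", "277": "Health Care Claim Status Notification",
    "278": "Health Care Services Review", "820": "Payment Order/Remittance Advice",
    "834": "Benefit Enrollment and Maintenance", "835": "Health Care Claim Payment/Advice",
    "837": "Health Care Claim",
}

class X12Error(ValueError):
    """Envelope nesting, counts, or control numbers do not line up."""

def _require(cond: bool, msg: str) -> None:
    if not cond:
        raise X12Error(msg)

@dataclass
class TransactionSet:
    set_id: str          # ST01, e.g. "837"
    control_number: str  # ST02; SE02 must repeat it
    segment_count: int   # ST through SE inclusive; SE01 must state it

@dataclass
class FunctionalGroup:
    functional_id: str   # GS01, e.g. "HC" for health care claims
    control_number: str  # GS06; GE02 must repeat it
    version: str         # GS08 implementation guide version, e.g. "004010X096A1"
    transaction_sets: list = field(default_factory=list)

def split_segments(raw: str) -> list:
    """Split into segments, then elements. ISA is fixed width: element separator at offset 3, segment terminator at 105."""
    _require(raw.startswith("ISA") and len(raw) >= 106, "interchange must begin with a 106-byte ISA")
    elem_sep, seg_term = raw[3], raw[105]
    return [p.strip().split(elem_sep) for p in raw.split(seg_term) if p.strip()]

def parse_interchange(raw: str) -> list:
    """Return the functional groups, validating nesting, counts and control numbers."""
    segments = split_segments(raw)
    _require(len(segments[0]) == 17, "ISA must carry exactly 16 elements")
    isa_control = segments[0][13]  # ISA13; IEA02 must repeat it
    groups, group, tset, seg_count, closed = [], None, None, 0, False
    for seg in segments[1:]:
        tag = seg[0]
        _require(not closed, f"segment {tag} after IEA")
        if tset is not None:
            seg_count += 1  # every segment after ST counts, SE included
        if tag == "GS":
            _require(group is None, "GS inside an open functional group")
            group = FunctionalGroup(seg[1], seg[6], seg[8])
        elif tag == "ST":
            _require(group is not None and tset is None, "ST must sit directly inside a GS/GE group")
            tset, seg_count = TransactionSet(seg[1], seg[2], 0), 1
        elif tag == "SE":
            _require(tset is not None, "SE without an open ST")
            _require(int(seg[1]) == seg_count and seg[2] == tset.control_number,
                     f"SE count/control mismatch in set {tset.control_number}")
            tset.segment_count = seg_count
            group.transaction_sets.append(tset)
            tset = None
        elif tag == "GE":
            _require(group is not None and tset is None, "GE without GS, or with an open ST")
            _require(int(seg[1]) == len(group.transaction_sets) and seg[2] == group.control_number,
                     f"GE count/control mismatch in group {group.control_number}")
            groups.append(group)
            group = None
        elif tag == "IEA":
            _require(group is None, "IEA with an open functional group")
            _require(int(seg[1]) == len(groups) and seg[2] == isa_control, "IEA count/control mismatch")
            closed = True
        else:
            _require(tset is not None, f"data segment {tag} outside a transaction set")
    _require(closed, "missing IEA")
    return groups

def describe(groups: list) -> list:
    """Name each transaction set, e.g. '837 Health Care Claim (004010X096A1)'."""
    return [f"{t.set_id} {HIPAA_TRANSACTION_SETS.get(t.set_id, 'non-HIPAA transaction')} ({g.version})"
            for g in groups for t in g.transaction_sets]

def check_interchange(raw: str) -> tuple:
    """(ok, message) form of parse_interchange; malformed numbers or short segments also count as failures."""
    try:
        return True, "; ".join(describe(parse_interchange(raw)))
    except (ValueError, IndexError) as exc:  # X12Error is a ValueError
        return False, str(exc)

def _isa(control_number: str) -> str:
    # Constructed fixed-width ISA header; the sender and receiver IDs are made up.
    elems = ["00", " " * 10, "00", " " * 10, "ZZ", "SENDERID".ljust(15), "ZZ", "RECEIVERID".ljust(15),
             "030415", "1200", "U", "00401", control_number, "0", "P", ":"]
    return "ISA*" + "*".join(elems) + "~"

# Constructed sample: one 837 institutional claim and one 270 inquiry, each in its own functional group.
SAMPLE_INTERCHANGE = "\n".join([_isa("000000905"),
    "GS*HC*SENDERID*RECEIVERID*20030415*1200*905*X*004010X096A1~", "ST*837*0001~",
    "BHT*0019*00*0123*20030415*1200*CH~", "NM1*41*2*ACME CLINIC*****46*SENDERID~", "SE*4*0001~", "GE*1*905~",
    "GS*HS*SENDERID*RECEIVERID*20030415*1200*906*X*004010X092A1~", "ST*270*0002~",
    "BHT*0022*13*0124*20030415*1200~", "SE*3*0002~", "GE*1*906~", "IEA*2*000000905~"])
# The same bytes with SE01 altered, the inconsistency a truncated or hand-edited file leaves behind.
TAMPERED_INTERCHANGE = SAMPLE_INTERCHANGE.replace("SE*4*0001~", "SE*5*0001~")
```

Run `check_interchange(SAMPLE_INTERCHANGE)` to get the list of named transaction sets, and `check_interchange(TAMPERED_INTERCHANGE)` to see the SE count mismatch rejected. Note that the trailer counts and control numbers only catch accidental damage such as truncation or a dropped segment; they are not a defence against the "tampering with data in transit" threat listed later in this deck, which needs transmission security (encryption and integrity protection of the whole interchange).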
- Privacy Standard
- Policies and procedures in place to control who has access to PHI
- Individual Rights (Privacy standard)
-
1) Access to info
2) Amendment to PHI
3) Additional Restriction Information (request it)
4) Alternative Communications
5) Accounting of Disclosures
- Use (Privacy standard)
- sharing, employing, applying individually identifiable health information by employees or other members of workforce
- Disclosure (Privacy standard)
- releasing, tx, providing access to any information outside the entity holding the information.
- IIHI
- Individually Identifiable Health Information
- PHI
- Protected Health Information - patient-identifiable information regardless of the media form it is in.
- PII
- Patient Identifiable information. IDENTIFIERS in health information that can be used to identify an individual.
- DII
- De-identified information. Personal identifiers removed from data set. Information not individually identifiable and can be disclosed w/o authorization
- Business Associate
- A person or organization that, on behalf of a covered entity, performs or assists in functions involving the use of IIHI
- Workforce
- employees, volunteers, trainees, and other people under the direct control of a covered entity
- Treatment
- Using PHI to provide coordinate or manage health care and related services
- Payment
- Refers to using PHI to obtain payment of health care services (can include operations that a health plan undertakes before paying for services)
- Health care operations
- using PHI to support the business activities for a practice. May include quality assessment, employee review, and training of medical students, licensing, marketing, and fund raising activities.
-
Documents
Notice of Privacy Practices - Describes use and disclosure of PHI for carrying out treatment, payment, or health care operations.
-
Documents
Authorization - Authorization to use or disclose PHI must be obtained when a consent form does not apply.
-
Documents
Business Associate Contract (BAC) - Addresses core issue of protecting privacy of PHI when dealing with outside entities
-
Documents
Data Use Agreement - An agreement with a recipient of PHI data that limits their use of PHI
-
Documents
Privacy Officer job description - Description of the Privacy Officer's responsibilities
-
Documents
Termination Procedure - For employees who fail to comply with internal privacy policies and procedures
-
Admin
A Personnel Designations - Assign a Privacy Officer
-
Admin
B Complaints - Identify how to handle complaints
-
Admin
D Documentation - Create and maintain documentation related to Privacy Rule
-
Admin
E Training -
Privacy and security requirements
PHI policies and procedures -
Admin
F Safeguards - Administrative, technical, and physical
-
Admin
G Sanctions - Policy that describes the specific actions against employees who fail to comply with internal policies and procedures
-
Admin
H Mitigation - Policy that includes steps to remedy any harm caused by mistake and prevent that mistake from occurring again.
-
Admin
I No intimidating or retaliatory acts - An organization cannot intimidate, threaten, coerce, or take other retaliatory action against any patient for the exercise of any right under the Privacy Rule, including filing a complaint
-
Admin
J No waiver of rights - An organization cannot require as a condition of TPO or eligibility of benefits, that an individual waive his or her right to make complaints to Secretary of HHS
- 10 steps to HIPAA Privacy
-
1) Assign privacy responsibility
2) Identify and assess organizations PHI
3) Assess privacy policies
4) Analyze gaps in current policies
5) Adjust organization policies
6) Identify business associates
-Does entity provide services for organization
-Is entity exempted from business associate requirements
-is service a part of your treatment of person
-does all such service performed require access to PHI
7) Negotiate BACs
8) Develop Privacy Documents
9) Develop privacy training program
10) Document privacy policies -
Security Standard
3 things - Confidentiality, Integrity, Availability
- Common Security Threats
-
1) Virus or malicious code
2) Unauthorized remote access or login
3) Unauthorized local access or login
4) Unauthorized physical access to systems
5) Tampering with data while in transit
6) Theft of removable media
7) Intentional or inadvertent loss of electrical power
- Administrative Safeguards (9 of them)
-
1) Security Management Process
2) Assigned Security Responsibility
3) Workforce Security
4) Information access management
5) Security awareness and training
6) Security incident procedures
7) Contingency plan
8) Evaluation
9) BAC and other arrangements
- Physical Safeguards (4 of them)
-
1) Facility access control
2) Workstation use
3) Workstation Security
4) Device and media controls
- Technical Safeguards
-
1) Access controls
2) Audit Controls
3) Integrity
4) Person or entity authentication
5) Transmission Security
- 7 Steps to HIPAA Security Solutions
-
1) Assign Security Responsibility
2) Risk Analysis and vulnerability assessment
3) Remediation
4) Security policies and procedures
5) Business Associate Contracts
6) Training, HIPAA awareness
7) Evaluate
- Authentication
-
means the corroboration that a person is the one they claim to be.
Need to authenticate to a degree appropriate to the risk/threat
- Access Control
- method of restricting access to resources. Allow only privileged entities access
- Non-repudiation
- prevents denial by one of the entities involved in a communication of having participated in all or part of the communication
- Evaluation
- periodic evaluation to verify compliance with the HIPAA Security Rule. Account for changes introduced in the infrastructure that impact the security of electronic PHI
- BAC
- Business Associate Contracts - covered entity can permit business associate access to PHI only if covered entity obtains satisfactory assurances that business associate will appropriately safeguard info
- Contingency Plan
-
Plan for responding to system emergency. Includes:
-Backups
-Prepare Critical facilities that can be used to ensure continuity of operations
-Recovering from disaster
- Prepare org for HIPAA compliance? 5 things
-
1) obtain executive buy-in
2) strategic and financial plan
3) establish program management position
4) involve IT partners on assessing current environment
5) training for key executives, IT professionals, and information management professionals
- Preparing IT for HIPAA? 5 things
-
1) Assess readiness for transaction standards, code sets, security
2) Extend Y2K business continuity planning
3) conduct risk analysis
4) contact application system, hardware, and software vendors
5) assess business associates' timelines for compliance
- Prepare for transaction standards?
- understand which transaction your org uses and what you will need to implement
- What 11 transactions will be implemented as a part of HIPAA?
-
1) First report of injury (148)
2) Eligibility benefit request and response (270/271)
3) Provider information (274)
4) Health Claims Attachments (275)
5) Claim status request and response (276/277)
6) Referral certification (278)
7) Consolidated Service Invoice (811)
8) Plan Premium Payments (820)
9) Benefit Enrollment Maintenance (834)
10) Payment and Remittance Advice (835)
11) Health Care Claim - Dental/Professional/Institutional (837) -
IIHI
3 fundamental things -
1) created or received by covered entity
2) relates to past, present, or future physical or mental health or condition. Relates to care provided to individual or payment for that care.
3) Identifies the individual (or there is a reasonable basis to believe the info can be used to identify the person)
- PHI at rest?
- data that is accessed, stored, processed, or maintained
- TPO?
- Treatment, payment, or health care operations
- Treatment?
- organizations can use or disclose info to healthcare providers who are involved with your health care (for example to create and carry out a plan for treatment)
- Payment?
- Organizations can use or disclose information to get payment or to pay for health care services you receive. For example, a doctor provides PHI to bill a health plan.
- PII (subset of PHI)?
- the subset of identifiers within PHI that can be used to identify an individual
- Use and disclosure
-
USE limits sharing of information within a covered entity.
DISCLOSURE restricts sharing of info outside of the covered entity.
- 6 Uses
-
1) Sharing
2) Employing
3) Applying
4) Utilizing
5) Examining
6) Analyzing
- 4 Disclosures
-
1) Release
2) Transfer
3) Provision of access to
4) Divulging in any manner
- Notice (required)
- Covered entities must provide a Notice that summarizes their privacy practices.
- Attributes of Notice
-
1) Plain language
2) include header
3) Describe use and PHI disclosure
4) describe rights under privacy rule
5) describe individual rights under privacy rule
6) describe covered entities duties
7) describe how to register complaints concerning suspected privacy violations
8) specify a point of contact
9) specify an effective date
10) state that the entity reserves the right to change its privacy practices
- What are individual rights under the privacy rule?
-
1) request restrictions
2) receive confidential communication of PHI
3) inspect copy and amend PHI
4) obtain an accounting of PHI disclosures
- Authorization (required)
- allows use and disclosure of PHI for purposes other than treatment, payment, or health care operations
- Authorization attributes (3 of them)
-
1) Authorization must be on specific terms
2) Authorization can allow PHI to be used and disclosed by covered entity
3) Covered entities must obtain an individual's Authorization for uses or disclosures not covered by the Notice
- 10 Core elements of Authorization
-
1) Give specific description of authorized information
2) List persons authorized to use or disclose PHI
3) Persons to whom the PHI may be disclosed
4) purpose of the use or disclosure
5) expiration date or event for the authorization
6) right to revoke and exceptions thereof
7) ability or inability to perform based on Authorization
8) state that disclosed info may be re-disclosed by recipient and then not protected by rule
9) signature of individual
10) plain language
- Policies and Procedures
- must keep key audit documents and forms. The HHS Office for Civil Rights will look for these.
- 8 Examples of Privacy Policies
-
1) Use patient, client, or participant information
2) Use for research purposes and waivers
3) enforcement, sanctions, and penalties for violation of individual privacy
4) Patient (or client) rights
5) Minimum necessary
6) De-Identification and use of limited data sets
7) Administrative, Technical, and Physical safeguards
8) General Privacy Policy
- Tracking Flow of PHI/PII
-
1) Created?
2) Reviewed and Modified?
3) Transferred
4) Received from within or outside org
5) Other sources
6) To what sources disclosed
7) What info is maintained?
- DII or aggregate patient data?
-
1) Creating or reviewing aggregate data
2) Transferring data w/in org
3) Receive data w/in org
4) Receive aggregate data from outside
5) Disclose aggregate data outside of org
- HIPAA and requirement to send claims electronically?
- HIPAA does not require it, but a payer may require it
- Standard for Electronic Transactions
- Transactions and Code Sets, facilitates standardized information exchange
- Covered entities and Transactions?
- All covered entities must use standard when e-conducting any defined transactions covered under HIPAA
- Clearinghouse and nonstandard transactions?
- May accept for purpose of translating into standard transactions for sending customers. Also may convert standard into nonstandard
- When must a health plan be able to support e-standard for a transaction?
-
If it performs ANY business function for that transaction whether over phone, paper, or computer.
Can outsource this to a 3rd party though
- Scope of transaction standards?
- apply only when data is tx electronically between providers and plans as part of a standard transaction
- Data format and standards?
- Can be in any format as long as it can be translated into standard transaction when required
- Security standards and health information?
- will apply to ALL healthcare information
- Providers and elements of choice?
- Providers are the lone entity with an element of choice.
- HIPAA and claim forms?
- Providers will have one standard electronic claim transaction (the 837) in place of many payer-specific formats
- HIPAA and health plans and forcing providers to use transactions?
- HIPAA does not require it, but health plans may.
- Employers and covered entity status?
- Employers are not a covered entity. They may continue to use non-standard means of enrollment
- Compliance Date?
- Must comply w/in 24 months of Transaction Rule publication. Small plans may comply w/in 36 months of publication
- 2 part test to determine if the standard must be used?
-
1) Is transaction initiated by a covered entity or BA?
-if yes, then standard must be used
-if no, then standard need not be used
2) Has HHS adopted a standard for this type of transaction?
-if yes, standard must be used
-if no, standard need not be used
- TPA? (are they a covered entity?)
- Third Party Administrator (an insurer's outsourced administrator). Not a covered entity; however, it may be a BA of the covered entity
- Internet transactions and other e-transactions?
- Internet transactions are treated the same as other electronic transactions
- What if data is directly entered into system outside of health plan system, to be transmitted later?
- Then format and content must be standard
- data directly entered?
-
Standard content REQUIRED
Standard format OPTIONAL
- State Medicaid programs and HIPAA?
-
Yes, they'll need to comply within 2 years of publication.
No requirement that internally maintained info follow the standard. However, Medicaid will need to process standard transactions
- Penalty for failure to comply with the Transaction standard?
- $100 per violation, not to exceed $25,000 per calendar year for violations of an identical provision
- ICD-9-CM, Volumes 1 and 2
- Disease codes
- sponsor? 3 things
-
pays for coverage, benefit, or product
(Employer, Union, Insurance Agency, Association, Government Agency)
- UB-92
-
the de facto claim standard. Its electronic form may no longer be used under HIPAA; however, a clearinghouse can translate a standard transaction into a UB-92.
The paper version can still be used by providers
- 2 levels of scrutiny for e-transactions...
-
1) Compliance with the HIPAA standard
2) Specific processing by the system reading or writing the standard transaction
- Payer, Insurer
- Party that pays claims or administers insurance coverage, benefit, or product (HMO, Insurance Company, PPO)
- Destination Payer
- Payer who is specified in the subscriber/payer loop
- Secondary Payer
- payer who is not primary payer
- Subscriber
- person whose name is listed in the insurance policy
- Dependent
- Individual who is eligible for coverage because of his or her association with subscriber
- Insured or member
- a subscriber that has been enrolled for coverage in plan
- Patient
-
Patient loop used when patient is not the subscriber
Subscriber loop used when the Patient is the subscriber
- Provider
- Entity that originally submitted the claim/encounter
- 3 types of providers?
-
1) Billing
2) Performing
3) Referring
- Transmission Intermediary
- handles transactions between provider and payer