
    • Concept
    • Covered Entities
    • Transactions
    • Privacy
    • Security
    • Implementation
  • 2. Inevitable Transformation...
    • Today health data is keyed into a computer, printed, mailed or transmitted, re-keyed into another computer…
    • The constant demand for more information in less time is pushing health care systems toward electronic data interchange, the computer-to-computer exchange of information in a standard format
    • Institutions pursue electronic data interchange internally, but encounter barriers to sharing data externally, among institutions
  • 3. Barriers to Transformation
    • Lack of data standards —no single entity has the market power to move the health care industry toward a common electronic standard
    • Legal ambiguity —antiquated state licensing laws make computerized medical records technically illegal in 12 states and legally ambiguous in 16 others
    • Privacy concerns —health information is “private” today not because it is secure but because it is difficult to access—and making it more accessible makes it less secure
  • 4. Standards Leverage Transformation
    • Money as a standard replaced barter
    • East and West coast railroads needed a standard gauge to meet at Promontory Point
    • Appliances and motors were custom made before electrical current was standardized
    • Electronic transaction standards have been the norm in banking for two decades
    • Our century’s great innovation—the Internet—is a web of connection standards
  • 5. Congress Acts
    • The Health Care Modernization and Security Act of 1993 (or “Data Bill”)
    • Sponsored by Sens. Kit Bond (R-MO) and Joseph Lieberman (D-CT) and Reps. Dave Hobson (R-OH) and Tom Sawyer (D-OH)
    • Congress established a process to adopt standards for health information and required health plans to use the standards and transmit data electronically
  • 6. Guiding Themes
    • National Policy Framework —the barriers to modernizing health information systems are national in scope, and require national solutions
    • Technology Neutral —encourage continued innovation and intentionally avoid “locking in” a technology today that could be useless tomorrow
    • Private/public partnership —build on the extensive use of electronic data interchange in the private sector by adopting standards “already in use and generally accepted”
  • 7. Broad Support
    • The Working Group for Healthcare Administrative Simplification
    • American Association of Retired People, American College of Physicians, American Hospital Association, American Association of Medical Colleges, American Health Information Management Association, American National Standards Institute, American Academy of Pediatrics, Ameritech, Association for Electronic Healthcare Transactions, Bellcore, Blue Cross/Blue Shield Association, CCH Inc, Center for Health Care Information Management, CIS Technologies, COB Clearinghouse, Digital Equipment, Dun & Bradstreet, Electronic Data Systems, ERIC, Federation of American Health Systems, First Health, Fleishman-Hillard Inc, Health Industry Manufacturers Association, Health Care Financial Management Association, Hewlett-Packard, Health Insurance Association of America, IBM, Information Industry Association, ITAA, JCAHO, MetPath, Mutual of Omaha, National Association of Medical Equipment Suppliers, National Association of Chain Drug Stores, National Electronic Information Corporation, Orkand Corporation, PCS Health Systems, Podesta Associates, Prudential, Public Health Foundation, Rossman Health Industry Consulting, SAIC, SmithKline Beecham, Society of Professional Benefits Administrators, Travelers, Davidson Colling Group, UNISYS
  • 8. President Clinton’s Health Security Act
    • Comprehensive health care reform dominated the national political agenda in 1992
    • “Increasing access” vs. “decreasing costs”
    • Administrative simplification contributes to both
    • “Local storage” vs. “central storage”
    • The Clinton Administration’s emphasis on research triggered a debate about how and who could use sensitive patient data and overwhelmed the effort to harmonize data standards
  • 9. Medicare Reform
    • Balancing the federal budget dominated the national political agenda in 1994
    • Medicare was estimated to be bankrupt in four years
    • Administrative simplification was refocused on eliminating Medicare fraud and catching the Medicare “secondary payer” problem up front, rather than recovering dollars after-the-fact
    • Rolled back the scope to financial (not clinical) data
  • 10. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    • Administrative simplification reached its maturity along with incremental health insurance reform
    • Bipartisan throughout two bitterly partisan debates
    • Broad-based, private-sector support
    • Enacted 421 to 2 in the House, 98 to 2 in the Senate, and signed by President Clinton on August 21, 1996
    • The basic framework enacted by Congress passed to the U.S. Department of Health and Human Services for rulemaking and implementation
  • 11. HIPAA’s Three Purposes
    • Health Insurance Portability —improve the portability and continuity of health insurance coverage for groups and individuals
    • Accountability —combat waste, fraud, and abuse in health insurance and health care delivery
    • Administrative Simplification —simplify health care billing by adopting standards that allow health plans to transmit data electronically
  • 12. HIPAA Administrative Simplification
    • Transactions —adopt financial and administrative data standards and require health plans to use those standards to exchange information electronically
    • Privacy —adopt standards for individually-identifiable health information that address the rights of individuals, procedures to exercise those rights, and uses and disclosures of information that are authorized or required
    • Security —adopt standards to protect the confidentiality of health information, prevent threats or hazards to the security or integrity of the information, and prevent unauthorized uses or disclosures
  • 13. Opportunities to Decrease Costs…
    • Enable the use of the Internet instead of expensive, private networks
    • Develop less costly “off-the-shelf” management information systems solutions
    • Reduce unnecessary paperwork—estimated to add at least ten cents on every health care dollar
    • Increase the speed and accuracy of transactions with other entities (faster third party collections, etc)
    • Expose fraud in ways that are impossible under the current, confusing, disjointed paperwork system
  • 14. Opportunities to Increase Quality…
    • Strengthen privacy and confidentiality associated with personal health information
    • Aggregate and compare data (non-standard code sets make this difficult to do today)
    • Provide the data consumers need to compare the value of insurance plans and health services
    • Forge stronger cooperative relationships with providers (“We’re all in this together”)
    • Upgrade existing but outdated technology
  • 15. Business Transformation
    • Administrative Simplification is a business challenge—not just a technical problem, like Y2K
    • Existing technology is applied to improve business practices—something most industries do already
    • People, paper, and postage are replaced with electronic communications to reduce costs and improve services
    • Health care organizations will either choose to treat administrative simplification as a conformance nuisance or use it as their catalyst to e-business
  • 16. Business Transformation
    • Table: functional areas impacted, by HIPAA requirement (EDI, Identifiers, Code Sets, Privacy, Security)
    • Functional areas: Billing and Patient Accounting; Medical Records; Claims and Encounters; Enrollment; Eligibility; Medical Management; Case Management; Customer Service; Marketing; Sales and Underwriting; Benefit Design; Reporting and Analytics; Physician Contracting; Nursing; Physicians and Clinicians
    • Source: GartnerGroup, December 2000
    • Concept
    • Covered Entities
    • Transactions
    • Privacy
    • Security
    • Implementation
  • 18. Covered Entities
    • Health Plans —an individual or group plan that provides or pays the cost of medical care
    • Health Care Clearinghouses —an entity that processes or facilitates processing of information received from another entity
    • Health Care Providers —any provider of medical or other health services, and any other person furnishing health care services or supplies
  • 19. Examples of Health Plans
    • ERISA defined group health plan
    • Health insurance issuer
    • HMO
    • Medicare
    • Medicaid
    • Medicare supplement
    • Long-term care policy
    • VA health care system
    • Employee welfare benefit plan
    • Health plan for active military
    • Indian Health Services
    • Federal Employees Health Benefit Plan
    • Or any combination
  • 20. Health Plan Exclusions
    • Workers’ Compensation programs
    • Correctional Institutions
    • Disability insurance programs
    • Automobile insurance carriers
    • Property and casualty insurers
    • Nursing home fixed-indemnity policies
  • 21. Health Care Clearinghouse
    • A public or private entity that
    • Receives a non-standard transaction from another entity and processes or facilitates the processing of health information into a standard format or standard data content or
    • Receives a standard transaction from another entity and processes or facilitates the processing of health information into a non-standard format or non-standard data content
  • 22. Health Care Provider
    • Any person or organization who furnishes, bills, or is paid for health care in the normal course of business
    • Health care is defined as care, services or supplies related to the health of an individual, including:
      • Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care
      • Counseling, service, assessment, or procedure with respect to physical or mental condition or functional status
      • Sale or dispensing of a drug, device, equipment or other item in accordance with a prescription
  • 23. Hybrid Covered Entities
    • Determine if “covered entity” functions are performed within a department or program (evaluate each area separately according to their respective functions)
    • If the component that provides the services is itself not a separate entity, then the entity to which it belongs is a “hybrid entity”
    • HIPAA rules apply to the component that performs the covered function and requires a “wall” between the covered functions and the rest of the entity
    • For example, the Ohio Department of Health runs a hemophilia program as a provider and a Black Lung clinic program as a health plan
  • 24. Business Associates
    • A person or entity to whom a covered entity discloses protected health information to perform a function on behalf of or to provide services to a covered entity
    • Includes lawyers, accountants, consultants, and accrediting agencies
    • Must have a contract obligating them to safeguard protected health information
  • 25. Business Associate Contracts
    • Must establish the permitted and required uses and disclosures of protected health information by the business associate and may not authorize further disclosure in violation of the regulations
    • If the covered entity knows of a practice or pattern of activity that constitutes a material breach of the business associate’s obligations under the contract, the covered entity must take reasonable steps to ensure cure of the breach or terminate the contract or report the problem to the Secretary
  • 26. Business Associate Obligations
    • Must not use or disclose protected health information in violation of the law or contract
    • Implement safeguards against improper use or disclosure
    • Ensure that any agents or subcontractors agree to fulfill contractual and legal obligations
    • Afford individual access to records; make available records for amendment by the individual; account to the individual for use or disclosure other than for payment, treatment, or operations
    • At termination of the contract, return or destroy protected health information
    • Concept
    • Covered Entities
    • Transactions
    • Privacy
    • Security
    • Implementation
  • 28. Transaction Standards Enable Electronic Data Interchange
    • Health care electronic data interchange is commonly used and generally accepted—HHS estimates that at least 400 formats are used in the United States for health care claims processing
    • However, the lack of a standard format makes it difficult for vendors to develop software, inhibits potential efficiencies, and increases costs for health care providers and health plans
    • Performing electronic data interchange with a common interchange and data structure requires widely adopted standards
  • 29. Adopting Transaction Standards
    • HIPAA requires HHS to adopt standards for health care transactions that are:
      • Consistent with reducing the administrative costs of providing and paying for health care
      • Already “in use and generally accepted”
      • Developed or modified by a private sector standard development organization like the American National Standards Setting Institute
    • All of the current code sets have been developed by a private sector standard development organization
  • 30. Required Transaction Standards
    • American National Standards Institute (ANSI)
    • Accredited Standards Committee (ASC)
    • Insurance Subcommittee (X12N)
    • Health care claim or encounter (837)
    • Health care claim payment and remittance (835)
    • Health care claim status inquiry/response (276, 277)
    • Health care eligibility inquiry/response (270/271)
    • Benefit enrollment and maintenance (834)
    • Referral certification and authorization (278)
    • Payment order and remittance (820)
  • 31. Required Code Sets
    • Diseases, injuries, impairments, and other health related problems
    • Prevention, diagnosis, treatment, management
    • Drugs and biologicals
    • Dental Services
    • Physician services, physical and occupational therapy services, radiological procedures, clinical laboratory tests, other medical diagnostic procedures, hearing and vision services, transportation services including ambulance
  • 32. Local Codes
    • HCFA Common Procedural Coding System (HCPCS) identifies health care procedures, equipment and supplies for billing purposes
      • Level I: AMA-owned physician CPT codes
      • Level II: CMS-maintained “other”
      • Level III: State Medicaid program local codes
    • Today states rely heavily on local codes
    • Local codes are scheduled to be eliminated (or rolled into level II) effective October 2002
  • 33. Migrating Local Codes
    • State programs forced to “crosswalk” local codes into a limited number of level II codes
    • Particularly challenging for waiver programs
    • National work underway to identify current or modified level III codes for addition to the level II code set
    • From over 30,000 to approximately 2000, of which about 100-200 are waiver codes
  • 34. Local Code Policy
    • Standardization of local codes may impair the payer’s ability to customize policies
    • Coding decisions shape coverage and reimbursement policies
    • A payer cannot cover a service for which a code does not exist
    • Congress did not intend to dictate health care policy or limit state policy discretion
  • 35. Implementation Strategies
    • Organization-wide general education and awareness
    • Risk assessment and gap analysis
    • Complete a cost/benefit analysis, strategic plan, and select tools
    • Update policies and procedures, and install tools and applications
    • Complete testing and audits and verify third-party compliance
  • 36. Transaction Compliance
    • Final transaction rule in effect August 2000 (HHS guidance published May 2001)
    • Most covered entities are required to comply by October 2002 (October 2003 for “small” health plans)
    • Covered entities may comply directly or use a health care clearinghouse
    • Penalties for non-compliance are $100 per incident up to $25,000 per standard per year
  • 37. System Readiness
    • Current timeframe to comply with transaction standards is unrealistic
    • Great confusion among providers
    • Could lead to the election of paper claims and overwhelm state payment systems—which today are 85 percent electronic
    • Paper claims cost more, take longer, and intensify provider frustration
  • 38. Staggered Release of Final Rules
    • Staggered effective dates make it difficult to plan
    • The transaction and code set rule is final but most individual code sets have not been determined
    • The compliance clock is ticking—but covered entities don’t have the information they need to implement
    • Covered entities will be required to move protected health information electronically beginning October 2002—six months ahead of new privacy standards and at least one year ahead of security standards
    • Concept
    • Covered Entities
    • Transactions
    • Privacy
    • Security
    • Implementation
  • 40. Electronic Transactions Require Additional Privacy Protection
    • “Privacy” defines what information to protect
    • As the ease of exchanging individually-identifiable health information increases, there is a corresponding need to increase privacy protection
    • The new federal privacy rule provides a national standard “floor” to address the fundamental privacy rights of individuals
  • 41. No Change in Existing Federal Law
    • Privacy Act
    • Substance Abuse laws and regulations
    • Fraud and abuse prevention requirements
    • Medicare Act for dual eligibles
    • Medicaid beneficiary privacy protections
      • Section 1902(a)(7) of the Social Security Act
      • Regulations at 42 CFR 431.300
      • 35 years of guidance and practice
  • 42. State Privacy Law Preempted
    • In general “contrary” State privacy laws are preempted by the new federal privacy rules
    • State law prevails if the HHS Secretary determines it is necessary for public health or State regulatory reporting
    • State law prevails if it is contrary to and more stringent than the HIPAA privacy rule
  • 43. Examples of More Stringent State Laws
    • Further limit the use or disclosure of protected health information
    • Provide individuals with greater rights of access or more information about their rights
    • Enhance protections afforded by an authorization
    • Impose greater record keeping requirements
    • Otherwise enhance privacy protection
  • 44. Protected Health Information
    • Individually Identifiable Health Information that
    • Relates to the past, present, or future
      • Physical or mental health or condition of an individual;
      • Provision of health care to the individual;
      • Payment for the provision of health care to an individual
    • Regardless of form
    • Excluding certain student records
  • 45. Consent and Authorization
    • In general a covered entity may use or disclose protected health information only
      • With the consent of the individual for treatment, payment, or health care operations
      • With the authorization of the individual for all other uses or disclosures
      • As permitted under the rule for certain public policy purposes
  • 46. No Consent or Authorization Required
    • Public health disclosures
    • FDA requirements
    • Work related injuries
    • Reports of abuse or neglect
    • Upon reasonable inference by a health care provider that the individual would not object to the disclosure of protected health information to a relative or personal friend (may be preempted)
  • 47. Privacy Rights of Individuals
    • Receive notice of information practices
    • See and copy own records
    • Request corrections
    • Obtain accounting of disclosures
    • Request restrictions and confidential communications
    • File complaints
  • 48. Administrative Requirements
    • Covered entities are required to have:
      • A designated privacy official and a privacy contact person
      • A defined complaint process
      • A process for responding to individual’s request for additional restrictions (not required to agree to the request)
      • A process for verifying the identity and legal authority of any person requesting personal health information
      • Training on privacy policies and procedures for each person who has contact with personal health information
      • Documentation that training requirements are satisfied
      • A process to sanction employees and business associates who violate protected health information
  • 49. Record Requirements
    • Covered entities are required to have:
      • Copies of signed authorizations
      • Log of non-routine disclosures
      • Written statements of denial of requests for information
      • Responses to requests for corrections
      • Notices of disagreement from individuals
      • Contracts with business associates
      • Signed employee compliance statements
  • 50. Restrictions on Marketing
    • Covered entities must obtain authorization before using or disclosing protected health information for marketing
    • Health care providers must secure consent for use or disclosure of protected health information for operations (including marketing)
    • There are specific limits on the use of protected health information for fundraising
  • 51. Implementation Strategies
    • Assess the application of the new privacy rule to your organization
    • Assess the application of more stringent State privacy requirements
    • Assess your current privacy policies and practices to identify gaps
    • Seek legal assistance to resolve ambiguity
    • Apply the new federal or more stringent State privacy standards to your organization
  • 52. Privacy Compliance
    • Final privacy rule in effect April 2001 (HHS guidance published July 2001)
    • Most covered entities are required to comply by April 2003 (February 2004 for “small” health plans)
    • Criminal penalties of up to $250,000 and 10 years imprisonment for use of protected health information for commercial gain
    • Concept
    • Covered Entities
    • Electronic Transactions
    • Privacy
    • Security
    • Implementation
  • 54. Additional Privacy Requires More Secure Systems
    • “Security” defines how to protect information
    • Security is an outcome, not a technology
    • Covered entities must be able to:
      • Control access to data
      • Protect data from accidental or intentional disclosure to unauthorized persons
      • Protect information from alteration, destruction, or loss
  • 55. Administrative Requirements
    • Covered entities are required to have:
      • Documented security management process
      • Computer system/network accreditation
      • Contingency and disaster recovery plans
      • Data processing policies and information access controls
      • Internal audit function
      • Security incident reporting procedures
      • Adequate supervision and training for staff
  • 56. National Identifiers
    • Unique national identifiers will be required for providers, employers, and health plans
    • National identifiers will not include embedded information
    • Delayed adoption of national identifiers is making it difficult for covered entities to plan system requirements
  • 57. Implementation Strategies
    • Assign security responsibility to a specific individual or group
    • Develop and maintain physical access controls
    • Develop and maintain policies for workstation use and control
    • Develop policies for personnel authorization control, data authentication, and entity authentication
  • 58. Security Compliance
    • Final security rule is expected early in 2002 (it is expected to be similar to the proposed rule published in August 1998)
    • Covered entities will be required to comply two years after the rule becomes final
    • Penalties capped at $25,000 in a calendar year for each standard violated, unless patient data is disclosed, then penalties for privacy violations apply
    • Concept
    • Covered Entities
    • Transactions
    • Privacy
    • Security
    • Implementation
  • 60. Organizational Objectives
    • Assure compliance with HIPAA administrative simplification requirements
    • Assure that technical systems and business processes are integrated across agencies
    • Develop work products and tools to promote cost effective implementation
    • Develop effective education and outreach programs
    • Promote a consistent national legislative and policy agenda
  • 61. Ohio’s Participating Agencies
    • Governor’s Office
    • Auditor of State
    • Attorney General
    • Administrative Services
    • Aging
    • Alcohol and Drug Addiction Services
    • Budget and Management
    • Health
    • Mental Health
    • Job and Family Services
    • Mental Retardation and Developmental Disabilities
    • Rehabilitation and Corrections
    • Workers’ Compensation
    • Veterans’ Services
  • 62. Ohio’s Organizational Model (similar approaches in CA, MN, NC, WA)
    • Governor’s Office: Sponsor
    • Cabinet Director: Executive Leadership Committee
    • Deputy Director: Project Management Team
    • Business Partners Committee
    • Technical Partners Committee
    • Workgroups: Privacy, Security, Contracts, Education, Code Set
  • 63. Organizational Leadership
    • Governor’s Office —project sponsor and primary coordination among agencies
    • Cabinet-Level Executive Leadership Committee —project champions and oversight; make final business decisions; coordinate national issues
    • Deputy-Level Project Management Team —develop and maintain strategic plan; receive and review recommendations; assess resources for budget requirements
  • 64. Organizational Assignments
    • Business Partners Committee (policy and program experts)—define and validate functional requirements; formulate workgroups; resolve policy issues; formulate recommendations for the Executive Leadership Committee (ELC)
    • Technology Partners Committee (information technology experts)—determine optimal technical platform; determine tool development, testing, and production; formulate workgroups; resolve information technology issues; formulate recommendations for the ELC
  • 65. Organizational Workgroups
    • Privacy —develop statewide, HIPAA-compliant, baseline privacy standards
    • Security —develop statewide, HIPAA-compliant, baseline security standards, both technical and related to personnel
    • Code Sets —provide a forum for agencies to identify and resolve interagency code issues and “work arounds”
    • Education —identify stakeholders and their educational needs and develop training materials
    • Contracts —identify and analyze existing contracts in light of HIPAA regulations and develop “template” agreements
  • 66. Implementation Challenges
    • Enterprise-wide Transformation
    • Engaging Business Associates
    • Converting Local Codes
    • System Readiness
    • Staggered Release of Rules
    • Funding
  • 67. Funding
    • Enhanced federal financial participation is available for systems remediation (90/10)
    • “Systems remediation” sends a signal that administrative simplification is like Y2K—just another technical problem
    • A greater commitment of resources is needed for “business transformation”
    • Difficult to estimate implementation costs
    • Initially, costs will far exceed savings
  • 68. Congressional Update
    • H.R. 3323
    • Allow covered entities to delay compliance for transactions and code sets until October 2003
    • But only if the entity submits a plan to HHS that certifies progress toward compliance
    • Any entity that does not meet original deadlines or submit a plan cannot participate in Medicare
    • Privacy takes effect April 2003 as planned
    • After October 2003 Medicare will charge certain providers a $1 fee for every paper claim
  • 69. Implementation Resources
    • U.S. Department of Health and Human Services HIPAA Home Page
    • HHS Office of Civil Rights
    • HHS Center for Medicare and Medicaid Services
    • HHS links to other resources
    • HIPAA Ohio