1. HIPAA – HITECH – MU
Simplified
A Brief History
Current State
Future Directions
2. Why “Accountability” for Privacy?
Historic Medical Record (image: www.medbid.com)
Modern Medical Record (image: http://electronicmedicalrecords.page.tl/Home.htm)
3. The History of Privacy
Health Records Were Regulated in 1996
Other examples regulated prior to 1996:
Video Rentals
Phone Records
Driver’s License
Cable TV
School Records
Are You Kidding Me?
4. HIPAA
The PRIVACY RULE Addresses:
• The use of individuals’ protected health information (PHI)
• How the information can be disclosed (shared)
• Standards for individuals' rights to understand and control how their health information is used.
Under the SECURITY RULE Covered Entities Must:
• Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit
• Identify and protect against threats to the security or integrity of the information
• Protect against impermissible uses or disclosures
• Ensure compliance by their workforce
5. Security Rule: “Safeguards” for Compliance
Admin:
• Security Management
• Incident
• Contingency
Physical:
• Workstations
• Disposal
• Data Backup
Technical:
• Unique User ID
• Encryption
• Secure Transmission
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/security101.pdf
10. The American Recovery and Reinvestment Act (ARRA - 2009)
The Health Information Technology for Economic and Clinical Health Act (HITECH)
Meaningful Use (MU)
11. ARRA – Where is the Money Going?
http://www.recovery.gov/arra/Transparency/fundingoverview/Pages/fundingbreakdown.aspx
13. The American Recovery and Reinvestment Act (ARRA - 2009)
The Health Information Technology for Economic and Clinical Health Act (HITECH)
Meaningful Use (MU)
14. Meaningful Use
Using certified EHR technology to:
• Improve quality, safety, efficiency, and reduce health disparities
• Engage patients and families in their health care
• Improve care coordination
• Improve population and public health
AND
• All the while maintaining privacy and security
https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/downloads/MU_Stage1_ReqOverview.pdf
15. The American Recovery and Reinvestment Act (ARRA - 2009)
The Health Information Technology for Economic and Clinical Health Act (HITECH)
Meaningful Use (MU)
16. Core Objectives: Sampling of Stage One Measures
• E-Prescribing (eRx)
• Provide clinical summaries for patients for each office visit
• Drug-drug interaction checks
• Record demographics
• Maintain active medication list
• Record smoking status for patients 13 years or older
• Capability to exchange key clinical information among providers of care electronically
• Protect electronic health information
17. Incentive Payments
(for eligible professionals who demonstrate the meaningful use of an EHR)
• $18,000 in 2011 or 2012 in the first year (only $15,000 after 2012);
• $12,000 for the second year;
• $8,000 for the third year;
• $4,000 for the fourth year; and
• $2,000 for the fifth year
• After 2015, physicians who fail to meaningfully use EHRs will be subject to reductions in Medicare and Medicaid reimbursement
The Health Insurance Portability and Accountability Act of 1996
The “Portability” part:
Provides rights and protections for participants in group health plans.
Protects health insurance coverage for workers and their families when they change or lose their jobs. HIPAA includes protections such as:
limits on exclusions for preexisting conditions;
prohibiting discrimination against employees and dependents based on their health status;
etc.
http://www.dol.gov/dol/topic/health-plans/portability.htm
Before the invention of such technology, one could be reasonably certain that conversations in private (e.g., in a person's home or office) could not be heard by other people.
Most modern invasions of privacy involve new technology:
telephone wiretaps
microphones and electronic amplifiers for eavesdropping
photo and video cameras
computers for collecting/storing/finding information
Accountability requires the establishment of national standards for electronic health care transactions.
(It also requires national identifiers (NPI) for providers, health insurance plans, and employers.)
Privacy law for medical records was a bit slow…
Statutes governing these all came before those for medical records:
driver license records
cable TV records
school records
phone records
video rental records
Prior to HIPAA, no generally accepted set of security standards or requirements for protecting health information existed in the health care industry. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on the use of electronic information.
A person has rights:
A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being.
How does the organization ensure those rights?
The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI).
What are the requirements under HIPAA?
TECHNICAL: much like your home PC. What do you do to make sure your kids don’t go where they don’t belong?
PHYSICAL
ADMINISTRATIVE: Security Management Process. A covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce those risks.
Information Access Management. Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the "minimum necessary," the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient's role (role-based access).
Workforce Training and Management. A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate them.
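The Information Access Management and "unique user ID" points above are easiest to see as an enforcement check. The following is an added illustration, not code from the original slides or from HHS: a toy access point that hands each role only the e-PHI fields its job needs (minimum necessary), ties every attempt to a unique user ID, and logs the attempt whether or not it is allowed. The role names, field names, sample record and codes are all constructed for this example.

```python
"""Minimum-necessary, role-based access to e-PHI with an audit trail.

Added illustration, not code from the original slides or from HHS: a toy
enforcement point that models three Security Rule elements the notes
mention: unique user IDs, role-based authorization ("minimum necessary"),
and logging of every access attempt. Role names, field names and the
sample record below are all constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy: the e-PHI fields each role is permitted to see.
ROLE_FIELDS = {
    "physician": {"name", "dob", "diagnoses", "medications", "lab_results"},
    "billing": {"name", "dob", "insurance_id", "diagnoses"},  # ICD codes go on the claim
    "scheduler": {"name", "phone"},
}

# Constructed sample record (values and codes are illustrative only).
PATIENT_RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "dob": "1970-01-01",
    "phone": "555-0100",
    "insurance_id": "INS-12345",
    "diagnoses": ["E11.9"],
    "medications": ["metformin"],
    "lab_results": [{"loinc": "4548-4", "value": 7.1}],
}


class AccessDenied(Exception):
    """Raised when a user's role grants no access to the record at all."""


@dataclass(frozen=True)
class User:
    user_id: str  # unique user ID: every access is attributable to one person
    role: str


@dataclass
class AccessLog:
    """Append-only audit trail; in production this would be a protected log sink."""
    entries: list = field(default_factory=list)

    def record(self, user, patient_id, fields, allowed):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user_id": user.user_id,
            "role": user.role,
            "patient_id": patient_id,
            "fields": sorted(fields),
            "allowed": allowed,
        })


def access_record(user, record, log):
    """Return the minimum-necessary view of `record` for `user.role`.

    Every attempt is logged, allowed or not; a role with no entry in
    ROLE_FIELDS is denied outright instead of falling back to full access.
    """
    permitted = ROLE_FIELDS.get(user.role)
    if permitted is None:
        log.record(user, record["patient_id"], set(), allowed=False)
        raise AccessDenied(f"role {user.role!r} has no access to e-PHI")
    view = {"patient_id": record["patient_id"]}
    view.update({k: v for k, v in record.items() if k in permitted})
    log.record(user, record["patient_id"], permitted, allowed=True)
    return view


def denied_attempts(log):
    """Entries worth reviewing: every attempt the policy refused."""
    return [e for e in log.entries if not e["allowed"]]


if __name__ == "__main__":
    log = AccessLog()
    print(access_record(User("u-1001", "scheduler"), PATIENT_RECORD, log))
    try:
        access_record(User("u-2002", "vendor"), PATIENT_RECORD, log)
    except AccessDenied as exc:
        print("denied:", exc)
    print(denied_attempts(log))
```

The design choice worth noticing is the default: an unknown role gets nothing, not everything, and the refusal still lands in the log, so the sanctions and incident-response processes the notes describe have a record to work from.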
The International Classification of Diseases (ICD) assigns a number to describe thousands of possible diseases, as well as circumstances (traumatic, social and environmental) leading to bodily harm.
The Healthcare Common Procedure Coding System (HCPCS) is produced by the Centers for Medicare and Medicaid Services (CMS).
HCPCS Level I - the Current Procedural Terminology (CPT), a numeric coding system to identify medical services and procedures, produced by the AMA. In order to submit a CPT code, the physician must attach ICD codes along with the CPT claim. (There must be a reason for the visit - the ICD code).
Evaluation and Management (E/M) codes are a series of CPT codes that don't involve any type of procedure, but rather physician time, intensity of service and complexity of the evaluation.
HCPCS Level II - a standardized coding system to identify products, supplies, and services not included in the CPT codes, such as ambulance services and durable medical equipment, prosthetics, orthotics, and supplies (DMEPOS).
They are a language of communication with third party insurance payers.
The National Drug Code (NDC): the Drug Listing Act of 1972 requires a current list of all drugs for commercial distribution. Drug products are reported using a unique, three-segment number, the NDC; the NDC directory is updated daily.
So we get all our safeguards in place, we are protecting medical privacy…
We have all this data, we have a uniform language of coding, we have secured it…
Now what?
How do we use it?
How do we find it?
Intended to provide a stimulus to the US economy in the wake of the economic downturn.
How is this related to HIPAA?
ARRA includes:
federal tax relief
expansion of unemployment benefits
social welfare provisions
domestic spending in education, infrastructure, and health care
http://www.hitechanswers.net/about/about-arra/
Note that health care is a small portion of the dollars.
HIPAA security rules, PLUS expansion:
HIPAA: covered entities (health payors, providers, and clearinghouses)
Business associates:
HIPAA: business associates (entities who, on behalf of covered entities, perform tasks that necessitate access to PHI) are not directly regulated, but are bound to comply with HIPAA pursuant to agreements with covered entities.
HITECH, by contrast, provides for direct regulation of business associates and stipulates that HIPAA’s privacy and security rules apply to them.
http://journalofethics.ama-assn.org/2011/03/hlaw1-1103.html
Breaches:
HITECH dramatically increases the required response to breaches of PHI and the enforcement of those requirements, and raises the penalties for a violation.
Creating incentives for developing a meaningful use of electronic health records
Remember the term in HIPAA, “Uses and Disclosures”?
We still see here the word USE, but note it’s “meaningful” use.
Physicians are to demonstrate that they are meaningful users of certified EHR technology.
Examples from Stage I
Incentive roll-outs
Interrelationship between Law and Funding.
HITECH sprang from HIPAA.
The ARRA provides monetary payouts for MU.
We have implemented structured terminologies for coding and billing.
In contrast, there is no structure for clinical notes and lab results.
Clinically, it is not the wild west; healthcare personnel understand the terminology.
But for analytics (trying to analyze the data), computers do not understand varying terms or expressions, and there is no structured system.
EXAMPLES – NEXT SLIDE
Clinical and Laboratory examples of naming: multiple names for the same clinical event or laboratory test.
The Systematized Nomenclature of Medicine (SNOMED)
Logical Observation Identifier Name and Codes (LOINC)