
hip - prof

Ch 1
3 things about HIPAA
Insurance Portability
Administrative Simplification
Ch 1
Protected Health Information
Ch 1
2 other names for HIPAA
1) Public Law 104-191
2) Kennedy-Kasebaum bill
Ch 1
Why pass HIPAA? 5 reasons
1) Improve portability and continuity of health insurance coverage
2) Combat waste, fraud, and abuse in health insurance and health care delivery
3) Promote use of medical savings accounts
4) Improve access to long term care services and coverage
5) Simplify administration of health insurance
6) Protecting the privacy of patient records and any other patient identifiable information
Ch 1
5 HIPAA titles?
1) Health Care Insurance Access, Portability, and Renewability
2) Preventing healthcare fraud and abuse; Administrative simplification; Medical Liability Reform
3) Tax related health provisions
4) Application and Enforcement of Group Health Insurance Requirements
5) Revenue Offsets
Ch 1
4 new protections of Section 1 of HIPAA
1) increase ability to GET health coverage when starting a new job
2) reduces chance of losing existing health care coverage
3) help workers maintain continuous health coverage when changing jobs
4) help workers purchase health coverage on their own if they lose employer's coverage and have no other plan available
Ch 1
Why privacy in HIPAA?
Security and privacy promote higher quality care by giving consumers confidence that health information is protected from inappropriate uses and disclosures
Ch 1
4 ways that 1 in 6 people have shielded themselves with privacy?
1) Doctor hopping
2) Withholding information
3) Inaccurate information
4) Paying out of pocket
Ch 1
How much will addressing privacy and security issues in healthcare cost the industry?
between 17 and 22 billion in the first 5-10 years!
Ch 1
Provider and Payer vs Clearinghouse solution?
Congress intends providers and payers to become compliant together. Consumers have the most to gain by this.
Ch 1
Changing 1 component in tightly coupled, integrated systems?
Causes issues.
Ch 1
HIPAA's impact? (5 things)
1) Standardization of electronic, admin, and financial health transactions
2) Unique health identifiers for all members in the health transactions (employers, plans, insurance, individuals)
3) Security standards protecting confidentiality and integrity
4) Privacy
5) Standards for e-medical records
Ch 1
Covered Entities?
1) Health care plans
2) Health care clearing houses
3) Health care providers
Ch 1
Health plan? and a few examples
-Individual or group plan that provides or pays the cost of medical care.
1) HMO
2) Issuer of long term care policy
3) Indian Health Service
4) Employee welfare benefit plan
Ch 1
Health care clearinghouse?
-organizations that process health care transactions on behalf of providers and insurers.

1) Billing services
2) Community health management information systems
3) Medical reviewers
Ch 1
Health care provider?
A person who is trained and licensed to give health care.
1) doctor
2) hospital
3) clinic
4) pharmacy
Ch 1
3 attributes of an org DEFINITELY impacted?
1) Receives, submit, or pay health care claims
2) involved in plan enrollment or benefits
3) receives, distributes, or retains patient health care data
Ch 1
4 attributes of an org that MAY be impacted
1) receive or submit med information from/to a business partner
2) receive info from or to provider working in a HIPAA compliant environment
3) use detailed or summary medical info from other entities
4) generate reports from medically related information
Meaning of 5 titles
Title 1 - Insurance access and portability
Title 2 - Preventing Fraud, Administrative Simplification
Title 3 - Tax related health provisions
Title 4 - Application and Enforcement of Group Insurance Requirements
Title 5 - Revenue Offsets
Standards for Electronic -Administrative Simplification
Transactions, Code Sets, and Identifiers; defines standards for conducting EDI health transactions
Standards for Privacy - Administrative Simplification
Who is authorized to access health information and gives individuals the right to keep information about themselves from being disclosed
Standards for Security - Administrative Simplification
Admin, Physical, and Technical safeguards to secure PHI
3 covered entities
1) Health Plan
2) Health Care clearinghouse
3) Health Care provider
Compliance timeline
1) Transactions and Code sets
2) Privacy
3) Transactions testing
4) Employer identifier
5) Security
1) 10/16/2003 (large w/permission), 10/16/2002 (medium,small)
2) 4/14/2003
3) 4/16/2003
4) 7/20/2004
5) 4/21/2005
Civil Penalties
$100 - single violation of a provision (multiple penalties for violating multiple provisions)
$25k - making the same mistake more than once in the same calendar year...Secretary might reduce fine if not due to willful neglect
Criminal Penalties
1) Wrongful disclosure of individually identifiable health information
1) up to 50k, 1 year
Criminal Penalties
2) Wrongful disclosure of individually identifiable health information under false pretenses
2) up to 100k, up to 5 years
Criminal Penalties
3) Wrongful disclosure of individually identifiable health information under false pretenses with intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm
3) up to 250k, up to 10 years
Designated Standards Maintenance Organization
2) Dental Content Committee of ADA
3) HL7 (health level 7)
4) National Council for prescription drug programs (NCPDP)
5) National Uniform Billing Committee (NUBC)
6) National Uniform Claim Committee (NUCC)
Related Orgs...
Centers for Medicare and Medicaid Services
CMS responsible for implementing unrelated provisions of HIPAA; responsible for enforcing HIPAA Transactions Rule
Related orgs...
Workgroup for EDI (WEDI)
voluntary, private task force created to streamline health care admin by standardizing electronic communication across the country
Related orgs...
Health Level 7 (HL7)
ANSI accredited, defines standards for cross platform exchange of information within health care organization
Related orgs...
Washington Publishing Company (WPC)
Publishes X12N HIPAA Implementation Guides and X12N HIPAA Data Dictionary
Related Orgs...
National Council for Prescription Drug Programs
ANSI accredited, maintains standard formats for use by retail pharmacy industry.
National Committee on Vital Health Statistics (NCVHS)
advisory committee to Sec of HHS. NCVHS reviews sample plans to identify common problems that are complicating compliance activities.
4 Types of transactions?
1) patient scheduling
2) registration
3) clinical reporting
4) billing
ANSI for everything except for pharmacy transactions
ASC 270
Eligibility, Coverage, or Benefit Inquiry
ASC 271
Eligibility, Coverage, or Benefit Information
ASC 276
Health Care Claim Status Request
ASC 277
Health Care Claim Status Notification
ASC 278
Health Care Services Review: 1) Request for review
2) Response
ASC 820
Payment order remittance advice
ASC 834
Benefit enrollment and maintenance
ASC 835
Health Care Claim Payment/Advice
ASC 837
Health Care Claim Institutional
ASC 837
Health Care Claim: Dental
ASC 837
Health Care Claim: Professional
When do transaction standards apply?
Only when data is transmitted electronically
compliance by October 16, 2003
ICD-9-CM Volumes 1 and 2
International classification of diseases. Updated by DHHS.
ICD-9-CM, Volume 3
Used to describe/identify inpatient hospital services and surgical procedures. Updated by DHHS.
Current Procedural Terminology, used to identify physician services or procedures. Maintained by AMA
Code on dental procedures and nomenclature. Used to describe dental services or procedures. ADA
National Drug Code. Used to identify drugs. HHS and FDA
Healthcare common procedure coding system - used to describe services that are not physician, dentist, hospital, or radiological/vision/hearing services. Updated by CMS (Centers for Medicare and Medicaid Services (CMS))
(National Healthcare Identifiers)
National Provider Identifier
1) Individual Providers
2) Organization providers
Notes on NPI
1) Keep NPI for life
2) Org can get multiple NPI
3) Individual NPI will not be linked to Org NPI
(National Healthcare Identifier)
National Health Plan Identifier - a standard and uniform identifier that would apply to health plans and payers
(National Healthcare Identifier)
A standard for national employer and requirements concerning its use
National Health Identifier for individuals
ignored in implementation planning for HIPAA. HHS says it will NOT be the social security number.
Transaction set
group of logically related data units. Smallest meaningful set of data exchanged between trading partners
Functional group
adds relevance to 2 or more data segments. Introduced by a group start segment; concluded by group end segment
Organization that will assign unique health care identifiers and maintain the NPS/NPF
National Provider System (NPS)
A central electronic system that will identify and uniquely enumerate health care providers at the national level
National (NPF)
A national database of providers that will be distributed electronically
Privacy Standard
Policies and procedures in place to control who has access to PHI
Individual Rights (Privacy standard)
1) Access to info
2) Amendment to PHI
3) Additional Restriction Information (request it)
4) Alternative Communications
5) Accounting of Disclosures
Use (Privacy standard)
sharing, employing, applying individually identifiable health information by employees or other members of workforce
Disclosure (Privacy standard)
releasing, transmitting, providing access to any information outside the entity holding the information.
Individually Identifiable Health Information
Protected Health Information - patient identifiable information regardless of the media form it is in.
Patient Identifiable information. IDENTIFIERS in health information that can be used to identify an individual.
De-identified information. Personal identifiers removed from data set. Information not individually identifiable and can be disclosed w/o authorization
Business Associate
A person who, on behalf of a covered entity, assists in functions that use IIHI
employees, volunteers, trainees, and other people under direct control of a covered entity
Using PHI to provide, coordinate, or manage health care and related services
Refers to using PHI to obtain payment of health care services (can include operations that a health plan undertakes before paying for services)
Health care operations
using PHI to support the business activities for a practice. May include quality assessment, employee review, and training of medical students, licensing, marketing, and fund raising activities.
Notice of Privacy Practices
Describes use and disclosure of PHI for carrying out treatment, payment, or health care operations.
Authorization to use or disclose PHI must be obtained when a consent form does not apply.
Business Associate Contract (BAC)
Addresses core issue of protecting privacy of PHI when dealing with outside entities
Data Use Agreement
An agreement with a recipient of PHI data that limits their use of PHI
Privacy officer job description
Description of Privacy Officer's responsibilities
Termination Procedure
For employees who fail to comply with internal privacy policies and procedures
A Personnel Designations
Assign a Privacy Officer
B Complaints
Identify how to handle complaints
D Documentation
Create and maintain documentation related to Privacy Rule
E Training
Privacy and security requirements
PHI policies and procedures
F Safeguards
Administrative, technical, and physical
G Sanctions
Policy that describes the specific actions against employees who fail to comply with internal policies and procedures
H Mitigation
Policy that includes steps to remedy any harm caused by mistake and prevent that mistake from occurring again.
I No intimidating or retaliatory acts
An organization cannot intimidate, threaten, coerce, or take other retaliatory action against any patient for the exercise of any right under the Privacy Rule, including filing a complaint
J No waiver of rights
An organization cannot require as a condition of TPO or eligibility of benefits, that an individual waive his or her right to make complaints to Secretary of HHS
10 steps to HIPAA Privacy
1) Assign privacy responsibility
2) Identify and assess organization's PHI
3) Assess privacy policies
4) Analyze gaps in current policies
5) Adjust organization policies
6) Identify business associates
-Does entity provide services for organization
-Is entity exempted from business associate requirements
-is service a part of your treatment of person
-does all such service performed require access to PHI
7) Negotiate BACs
8) Develop Privacy Documents
9) Develop privacy training program
10) Document privacy policies
Security Standard
3 things
Confidentiality, Integrity, Availability
Common Security Threats
1) Virus or malicious code
2) Unauthorized remote access or login
3) Unauthorized local access or login
4) Unauthorized physical access to systems
5) Tampering of data while in transit
6) Theft of removable media
7) Intentional or inadvertent loss of electric
Administrative Safeguards (9 of them)
1) Security Management Process
2) Assigned Security Responsibility
3) Workforce Security
4) Information access management
5) Security awareness and training
6) Security incident procedures
7) Contingency plan
8) Evaluation
9) BAC and other arrangements
Physical Safeguards (4 of them)
1) Facility access control
2) Workstation use
3) Workstation Security
4) Device and media controls
Technical Safeguards
1) Access controls
2) Audit Controls
3) Integrity
4) Person or entity authentication
5) Transmission Security
7 Steps to HIPAA Security Solutions
1) Assign Security Responsibility
2) Risk Analysis and vulnerability assessment
3) Remediation
4) Security policies and procedures
5) Business Associate Contracts
6) Training, HIPAA awareness
7) Evaluate
means the corroboration that the person is the one they claim to be.
Need to authenticate to a degree appropriate to risk/threat
Access Control
method of restricting access to resources. Allow only privileged entities access
prevent denial by one of the entities involved in a communication of having participated in all or part of the communication
periodic evaluation to verify compliance with HIPAA Security Rule. Account for changes introduced in infrastructure that impact security of electronic PHI
Business Associate Contracts - covered entity can permit business associate access to PHI only if covered entity obtains satisfactory assurances that business associate will appropriately safeguard info
Contingency Plan
Plan for responding to system emergency. Includes:
-Prepare Critical facilities that can be used to ensure continuity of operations
-Recovering from disaster
Prepare org for HIPAA compliance? 5 things
1) obtain executive buy-in
2) strategic and financial plan
3) establish program management position
4) involve IT partners on assessing current environment
5) training for key executives, IT professionals, and information management professionals
Preparing IT for HIPAA? 5 things
1) Assess readiness for transaction standards, code sets, security
2) Extend Y2K business continuity planning
3) conduct risk analysis
4) contact app systems, hw and sw vendors
5) assess business associates timelines for compliance
Prepare for transaction standards?
understand which transaction your org uses and what you will need to implement
What 11 transactions will be implemented as a part of HIPAA?
1) First report of injury (148)
2) Eligibility benefit request and response (270/271)
3) Provider information (274)
4) Health Claims Attachments (275)
5) Claim status request and response (276/277)
6) Referral certification (278)
7) Consolidated Service Invoice (811)
8) Plan Premium Payments (820)
9) Benefit Enrollment Maintenance (834)
10) Payment and Remittance Advice (834)
11) Health Care Claim - Dental/Professional/Institutional (837)
3 fundamental things
1) created or received by covered entity
2) relates to past, present, or future physical or mental health or condition. Relates to care provided to individual or payment for that care.
3) Identifies individual (or reasonable basis to believe the info can be used to id the person)
PHI at rest?
data is accessed, stored, processed, or maintained
Treatment, payment, or health care operations
organizations can use or disclose info to healthcare providers who are involved with your health care (for example to create and carry out a plan for treatment)
Organizations can use or disclose information to get payment or to pay for health care services you receive. For example, a doctor provides PHI to bill a health plan.
PHI (subset?)
subset of PHI identifiers that can be used to identify an individual
Use and disclosure
USE limits sharing of information within a covered entity.
DISCLOSURE restricts sharing of info outside of covered entity.
6 Uses
1) Sharing
2) Employing
3) Applying
4) Utilizing
5) Examining
6) Analyzing
4 Disclosures
1) Release
2) Transfer
3) Provision of access to
4) Divulging in any manner
Notice (required)
Covered entities must provide Notice that summarizes privacy practices.
Attributes of Notice
1) Plain language
2) include header
3) Describe use and PHI disclosure
4) describe rights under privacy rule
5) describe individual rights under privacy rule
6) describe covered entities duties
7) describe how to register complaints concerning suspected privacy violations
8) specify a point of contact
9) specify an effective date
10) state that the entity reserves the right to change its privacy practices
What are individual rights under privacy rule?
1) request restrictions
2) receive confidential communication of PHI
3) inspect copy and amend PHI
4) obtain accounting of PHI disclosures
Authorization (required)
allows use and disclosure of PHI for purposes other than treatment, payment, or health care operations
Authorization attributes (3 of them)
1) Authorization must be on specific terms
2) Authorization can allow PHI to be used and disclosed by covered entity
3) Covered entities must obtain an individual's Authorization for uses or disclosures not covered by Notice
10 Core elements of Authorization
1) Give specific description of authorized information
2) List persons authorized to use or disclose PHI
3) Disclosable persons
4) purpose of use or disclosure
5) expiration date or event for disclosure
6) right to revoke and exceptions thereof
7) ability or inability to perform based on Authorization
8) state that disclosed info may be re-disclosed by recipient and then not protected by rule
9) signature of individual
10) plain language
Policies and Procedures
must keep key audit documents and forms. HHS Office for Civil Rights will look for this.
8 Examples of Privacy Policies
1) Use patient, client, or participant information
2) Use for research purposes and waivers
3) enforcement, sanctions, and penalties for violation of individual privacy
4) Patient (or client) rights
5) Minimum necessary
6) De-Identification and use of limited data sets
7) Administrative, Technical, and Physical safeguards
8) General Privacy Policy
Tracking Flow of PHI/PII
1) Created?
2) Reviewed and Modified?
3) Transferred
4) Received from within or outside org
5) Other sources
6) To what sources disclosed
7) What info is maintained?
DII or aggregate patient data?
1) Creating or reviewing aggregate data
2) Transferring data w/in org
3) Receive data w/in org
4) Receive aggregate data from outside
5) Disclose aggregate data outside of org
HIPAA and requirement to send claims electronically?
HIPAA does not require it, but a payer may require it
Standard for Electronic Transactions
Transactions and Code Sets, facilitates standardized information exchange
Covered entities and Transactions?
All covered entities must use standard when e-conducting any defined transactions covered under HIPAA
Clearinghouse and nonstandard transactions?
May accept for purpose of translating into standard transactions for sending customers. Also may convert standard into nonstandard
When must a health plan be able to support e-standard for a transaction?
If it performs ANY business function for that transaction whether over phone, paper, or computer.
Can outsource this to a 3rd party though
Scope of transaction standards?
apply only when data is transmitted electronically between providers and plans as part of a standard transaction
Data format and standards?
Can be in any format as long as it can be translated into standard transaction when required
Security standards and health information?
will apply to ALL healthcare information
Providers and elements of choice?
Providers are the lone entity with an element of choice.
HIPAA and claim forms?
Provider will have 1 electronic claim form that handles everything
HIPAA and health plans and forcing providers to use transactions?
HIPAA does not require it, but health plans may.
Employers and covered entity status?
Employers are not a covered entity. They may continue to use non-standard means of enrollment
Compliance Date?
Must comply w/in 24 months of Transaction Rule publication. Small plans may comply w/in 36 months of publication
2 part test to determine if the standard must be used?
1) Is transaction initiated by a covered entity or BA?
-if yes, then standard must be used
-if no, then standard need not be used
2) Has HHS adopted a standard for this type of transaction?
-if yes, standard must be used
-if no, standard need not be used
TPA? (are they a covered entity?)
Third Party Administrator (as in an insurer who is outsourced) (not a covered entity! however may be a BA of the covered entity)
Internet transactions and other e-transactions?
Internet transactions are treated the same as other electronic transactions
What if data is directly entered into system outside of health plan system, to be transmitted later?
Then format and content must be standard
data directly entered?
Standard content REQUIRED
Standard format OPTIONAL
State medicaid programs and HIPAA?
yes they'll need to comply w/in 2 years of publication.
No requirement for internal info maintained in accordance w/standard. However, Medicaid will need to process standards transactions
Penalty for failure to comply w/Transaction standard?
$100 per incident, not to exceed $25,000
ICD-9-CM, Volumes 1 and 2
Disease codes
sponsor? 3 things
pays for coverage, benefit, or product
(Employer, Union, Insurance Agency, Association, Government Agency)
the de facto claim standard...will be outlawed under HIPAA...however, a clearinghouse can translate a standard transaction into a UB-92
Paper version can still be used by providers
2 levels of scrutiny for e-transactions...
1) Compliance w/HIPAA standard
2) Specific processing by the system reading or writing the standard transaction
Payer, Insurer
Party that claims or administers insurance coverage, benefit, or product (HMO, Insurance Company, PPO)
Destination Payer
Payer who is specified in the subscriber/payer loop
Secondary Payer
payer who is not primary payer
person whose name is listed in the insurance policy
Individual who is eligible for coverage because of his or her association with subscriber
Insured or member
a subscriber that has been enrolled for coverage in plan
Patient loop used when patient is not the subscriber
Subscriber loop used when Patient is the subscriber
Entity that originally submitted the claim/encounter
3 types of providers?
1) Billing
2) Performing
3) Referring
Transmission Intermediary
handles transactions between provider and payer