Health Insurance Portability and Accountability Act of 1996
Presented For: CAHF Quarterly
Location: Sacramento, California – Date: May 20, 2003
Presented by Rhonda Anderson, RHIA – Anderson Health Systems, Inc.
– email: office@ahis.net – Phone: 714-558-3881 – Fax: 714-558-1302 – Web Site: www.ahis.net
HIPAA TRANSACTION
Who is involved: Administrator, Business Office Manager, HIM/Record Director, Nursing Management, IT resource, Business Associates
COMPLIANCE DATES
Electronic Transactions Standards
Standardized Code Sets – 10/16/02 or 10/16/03 published
COMPLIANCE DATES
Privacy Standards – 4/14/03
Security Standards – Due February, 2005
Enforcement Proposed ‘date final??’
DESIGNATED CODE SETS
ICD-9-CM
HCPCS - Health Care Financing Administration Common Procedural Coding System (eliminates level III codes)
CPT is required for Physician’s and ancillary services
HCPCS - health care supplies, etc.
J-Codes used for drugs – (from HCPCS Codes)
WHAT DO THESE MEAN TO YOU?
NDC - National Drug Codes – Commercial Pharmacies
Billing and other systems will need to be modified to include new standard IDs
UB-92 will be replaced with 837 - new claims form
Computer systems need to accommodate the required codes/changes
WHAT DO THESE MEAN TO YOU? -2
Compare current code sets to HIPAA standards
–Must use standard code sets and code “by the book”
–May require modifications or upgrades to computerized coding systems
–Accuracy of coding is an issue!!!
WHAT DO THESE MEAN TO YOU? -3
Follow the Fiscal Intermediary Guidelines…
Be aware of the AHA Coding Clinic & AHIMA Coding recommendations
Watch for CMS Electronic Transmittals for guidance (No more paper transmittals)
TCS TESTING…
Testing of the Standardized Transactions required
– Must begin testing by April 16, 2003
– May begin testing sooner
“SIX NEW PRIVACY RIGHTS”
Notice of Organization’s “PHI” Privacy Practices
Request Restrictions on Disclosures to Others of their “PHI”
Request alternative means of communicating “PHI”
“SIX NEW Resident RIGHTS”-2
May (access) inspect and get a copy of “PHI”
May request Amendments to their “PHI”
Must be given an accounting of organization’s disclosures of their “PHI”
PRIVACY RULE: WHAT DOES IT DO?
HIPAA regulates the use or disclosure of Protected Health Information (PHI)
PRIVACY: KEY COMPONENTS
PHI
Notice of Privacy Practices
Acknowledgement
Uses & Disclosures
Authorization
Minimum Necessary
Patient Rights
PRIVACY: KEY COMPONENTS-3
Business Associates
Marketing, Fundraising, and Research
Interaction with State privacy and confidentiality laws - Preemption
PRIVACY: KEY COMPONENTS-4
Administrative Requirements – Staff, Privacy Officer, Contact Department/Person. Security Officer, Training, Monitoring
Penalties
WHAT IS PHI?
Health and demographic information about an individual that is transmitted or maintained in any medium where the information:
Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
Copyright 2002 HIPAA COW
WHAT IS PHI?
Relates to the past, present, or future
Physical or mental health condition of an individual, or
Provision of health care to an individual, or
Payment for the provision of health care to an individual
PRIVACY NOTICES AND BEYOND
HIPAA DOES NOT END ON APRIL 14, 2003
THE ONLY THING YOU CAN COUNT ON IS CHANGE
COMMON HIPAA MANDATES?
Notice of Privacy Practices
Acknowledgement
Accounting of Disclosures
Minimum Necessary Standard
Access to Records
COMMON HIPAA MANDATES?-2
Amendment to Records
Disclosure under authorizations
Sanctions
Audit Trails
WHAT IS COMMON?
Requests for PHI
Uses of PHI
Disclosures of PHI
“Minimum Necessary” – and can it be consistent? Over – dramatization – over correction.
REMEMBER RESIDENT CARE AND TREATMENT!!
REQUESTING PHI –
Do you ever request/or receive PHI from outside the organization
– Is the information for treatment
– Is the information for payment
– Is the information for operations
If not for TPO, why is the information used?
Have you mapped who?
ACCESSING PHI WITHIN
Do you know who has access to PHI within the organization and do you know who uses it.
“THE STUDY”
Have you carried out any of the “due diligence” to the use and disclosure of PHI coming into the facility GOING OUT OF THE FACILITY???
HOW CAN YOU ASSURE THE MINIMUM NECESSARY use and disclosure?
THE TEAM
WHAT NEEDS TO BE DONE???
Assure you know who has, uses and discloses PHI
Do you know which WorkForce Members access PHI, Use/Disclose PHI
Have you got documents to show this information…
Carried out “due diligence”
POLICIES AND PROCEDURES
USE AND DISCLOSURE FOR
Treatment
Payment
Health Care Operations
Commonly known as “TPO”
USE AND DISCLOSURE
GENERAL POLICY AND PROCEDURES – ADMINISTRATIVE, CLINICAL RECORDS, OTHER DEPARTMENTS
– Assure it meets your facility/agency requirement:
DESIGNATED RECORD SET
NEW CONCEPT DRIVES POLICY PROCEDURE
What is to be included?
Medical Records
Billing Records
Payment Claims
Case Management records (maintained for or by a health plan)
USES & DISCLOSURES-1
PHI can be used/disclosed without consent, authorization, or opportunity to agree/object in the following instances as defined in 164.512
USES & DISCLOSURES-2
EXCEPTIONS include:
– Required by law
– Public Health activities
– Victims of abuse, neglect or domestic violence
– Health oversight activities
– Law enforcement purposes
USES & DISCLOSURES-3
EXCEPTIONS –cont.
– Judicial and administrative proceedings
– Decedents (coroners & medical examiners)
– Cadaveric organ, eye or tissue donation
– Research
USES & DISCLOSURES -4
EXCEPTIONS –cont.
– Avert serious threat to health and safety
– Specialized government functions
– Correctional institutions & other law enforcement custodial situations
– Worker’s compensation
USE/DISCLOSURE - MINIMUM NECESSARY
Requires reasonable efforts be made to limit disclosure of ‘PHI’ to minimum necessary to accomplish the intended purpose of the use, disclosure or request.
RULE - MAINTAIN RECORDS
The requirement to maintain records and titles of persons responsible for processing requests for access for 6 years
These are for those specific authorizations for request of protected health information
HIPAA – BUSINESS ASSOCIATES
Who is involved: Those persons/companies who are not a part of your work force AND DO NOT PROVIDE TREATMENT
ADMINISTRATIVE
Designation of a Privacy Official
Designation of Contact Person
Employee Training H.O. #3 Training Grid
Safeguards
Complaint procedures
Employee Sanctions
ADMINISTRATIVE -2
Documentation Requirements
Refraining from intimidating or retaliatory acts
Policies and Procedures
Mitigation of risks
Waiver of rights
Retention period
E-ISSUES
FAX – NOT addressed in HIPAA
E-Mail – encryption required
Internet vs. Intranet Security
– Or - PRIVACY
Or both??
IMPLEMENTATION
Understand the impact and liability in YOUR setting
Scalable solutions and applications
Track regulations
Review/Revise project plan
Coordinate with professionals
Determine the gap between what is required and what you have
SECURITY
Applies to health information in manual or electronic form or information that had at one time been in electronic form.
Operationally difficult to separate security and privacy
SECURITY
Covered Entities must maintain reasonable & appropriate administrative, physical, & technical safeguards to:
Ensure the integrity & confidentiality of PHI
Protect against unauthorized access, use, or disclosures by employees or external parties
Protect the availability of PHI in emergency and disaster situations
Demonstrate compliance by officers and employees
SECURITY: KEY COMPONENTS
Administrative Security Procedures
Physical Safeguards
Technical Security Services
Communications Security
Electronic Signature
ADMINISTRATIVE PROCEDURES
Contingency and Disaster Recovery Planning
Information Access Control
Internal Security Audit Procedures
ADMINISTRATIVE PROCEDURES
Personnel Security
Transfers
Termination procedures
Management of authorization methods
Personnel clearance procedures
Training in security
PHYSICAL SAFEGUARDS
Assigned Security Responsibility
Media Controls
Physical Access Controls
Secure Workstation Location
TECHNICAL SECURITY SERVICES
Access Controls
Audit Controls
Authorization Controls
Data Authentication
Entity Authentication