HIPAA Overview

Presented to Women’s Health Branch Community-Based Organizations

July 23 and July 24, 2003

Division of Public Health, Women's Health Branch



HIPAA Overview

• Welcome and Introductions

• Logistics and Housekeeping

• Training Objectives

  − Provide an overview of HIPAA
  − Help determine how HIPAA affects your organization
  − Provide an overview of the importance of privacy
  − Present a HIPAA privacy vocabulary
  − Raise awareness of how health information may be used and disclosed
  − Understand Patients' Rights under HIPAA
  − Increase knowledge of privacy requirements

• Agenda


HIPAA Overview Handouts

• HIPAA Components (Social Security Act Titles)

• HIPAA Overview (UNC Institute of Government)

• Status of HIPAA Regulations

• Know your Compliance Requirements (HIPAA Tip #2)

• Electronic Data Interchange (EDI Rule)

• HIPAA Definitions

• Q&A Consents and Authorizations

• Sample Authorization and Consent Forms

• Countdown to Compliance (Before April 14, 2003)

• Detailed Countdown for Implementing HIPAA’s Individual Rights

• Guidelines for Safeguarding the Privacy of Health Information


HIPAA Overview

Health Insurance Portability and Accountability Act (HIPAA)

• Public Law 104-191, August 21, 1996

• Amends Internal Revenue Service Code of 1986

Purpose of HIPAA

• Guarantees health coverage when job changes
• Combats waste, fraud, and abuse in health insurance and health care industry
• Promotes use of medical savings accounts
• Improves access to long-term care services and coverage
• Simplifies the administration of health insurance


HIPAA Overview

How the Law is Structured

• HIPAA is divided into five titles – each addresses a unique aspect of health insurance reform. (See Handout: HIPAA Titles).

• Title II is also known as Administrative Simplification.

• If Congress did not adopt legislation to enact Administrative Simplification, HHS was charged with promulgating rules.

• HHS was limited to enacting rules based on statutory language.


HIPAA Overview

What are the HIPAA Regulations?

See Handouts:

• Overview of HIPAA
• Status of Regulations


HIPAA Overview

Standards for Electronic Transactions and Code Sets

• Standardizes the data content and format of 10 financial or administrative transactions related to health care (e.g., claims, payments)
• Standardizes medical codes (ICD-9, CPT-4) and other code sets
• Compliance deadline: October 16, 2003 (extended from 10/16/02 if compliance plan filed with CMS)
• Requires all Medicare claims be electronic after 10/16/03
• Health Care Providers and Payers currently use many different forms and formats for billing and claims processing
  – Confusing
  – Inefficient
  – Expensive
• Standardized Transactions and Codes
  – Consistency
  – Accuracy
  – Reduced paperwork


HIPAA Overview

Standards for Identifiers

• National Employer Identifier – Adopt Employer Identification Number as standard
• Compliance deadline: 7/30/04
• National Provider Identifier (Final Rule projected July 2003)
• National Health Plan Identifier (Proposed rule projected August 2003)
• National Identifier for Individuals - on hold indefinitely
• Compliance deadline: 2 years after final rules published


HIPAA Overview

Standards for Privacy of Individually Identifiable Health Information

Compliance deadline: April 14, 2003

• Regulates uses and disclosures of individually identifiable health information
• Provides patient rights with respect to their health information
• Establishes requirements to assure privacy of patient IIHI
• Applies to paper/oral/electronic records
• Sets boundaries on the Use and Disclosure of health information
• Gives “patients” more control over their own health information
• Establishes safeguards for protecting the privacy of health information
• Holds providers and payers accountable for violations of privacy requirements


HIPAA Overview

Standards for Security

• Proposed Standards for Security and Electronic Signatures
  − Adopts standards for security of health information in electronic format
  − Compliance deadline: April 2005
  − Electronic Signature Standards Final Rule - projected availability TBD
• Applies to electronic records only
  − Privacy Rule addresses security of all records and communications
• Requirements for providers and payers to assure that electronic health information pertaining to individuals remains secure
• Technology-neutral
• Scalable
• Addresses administrative, technical and physical safeguards


HIPAA Overview

Privacy versus Security

• Privacy and Security go hand-in-hand.

• Privacy is the “what.”
  − Patients have the right to have their health information protected from unauthorized disclosures.

• Security is the “how.”
  − Organizations must determine the procedures they will put into place to protect health information.


HIPAA Overview

Enforcement Rule

• First installment: Civil Money Penalties (Enforced by CMS)
• Coming: Criminal Money Penalties (Enforced by US Dept of Justice)
• Establishes procedures for imposing penalties for violation of Administrative Simplification Regulations
• Civil Money Penalties:
  − $100 per violation
  − $25,000 cap per year/per violation
• Enforcement initially complaint driven:
  − Office Of Civil Rights is responsible for Privacy Enforcement.


HIPAA Overview

What is the Impact of Not Complying?

• Possible litigation
• Potential withholding of federal Medicaid and Medicare funds
• Penalties:
  − Civil monetary for violation of each standard
  − Criminal for intentional wrongful disclosure of protected health information.


HIPAA Overview

Why Comply with HIPAA?

• Protecting the confidentiality of our clients’ health information is critical to maintaining trust and confidence in the healthcare and public health systems.

• Protecting client health information
  − Is the right thing to do!
  − Is required by law!


HIPAA Overview

Short Stretch Break


HIPAA Overview

Who is Affected by HIPAA?

• Professionals who provide services or activities through a contractual agreement with a health care provider/plan

• Individuals/professionals who work directly for a health care provider/plan

• Patients who seek services from a health care provider or health care plan


HIPAA Overview

Who is covered by HIPAA - Covered Entities?

• Health plans
  − Provides or pays for the cost of health care services
  − Includes Medicaid, Medicare, HealthChoice, Veterans Health Program, Military Health Plan, Indian Health Service, others
  − Excludes most all other government-funded programs

DPH Programs are not considered “health plans” (e.g., Maternal and Child Health Block Grant, Sickle Cell Program, Cancer Control Program, etc.)

• Health care providers who conduct any of the HIPAA-regulated transactions electronically

DPH Program Participants, such as local health departments, public and private health care providers, and community-based organizations are covered entities if they electronically process any of the transactions, even if they use a billing service to file their claims.

• Health care clearinghouses (billing services)


HIPAA Overview

How to Determine if You are a Covered Entity

• See Handout: How to HIPAA – Tip #2

• Do you provide health care services as defined by HIPAA?

• Do you conduct any of the defined transactions electronically?

• See Handout: Electronic Data Interchange (EDI Rule)
  − Do you bill payers for services (Medicaid, Medicaid, Insurance Companies)?
  − Do you bill payers electronically directly?
  − Do you use a billing service to bill payers and do they bill payers electronically on your behalf?

Organizations need to work with their attorney to determine their covered entity status and how HIPAA affects them legally!


HIPAA Overview

How to Comply with TCS (EDI) Standard

• If you bill electronically either directly or via a billing service, you need to assure that you can continue to do so according to the HIPAA Transaction and Code Set Standards:
  − Contact your software vendors.
  − Contact your billing services.
  − Contact your payers (Insurance, Medicaid, Medicare).
  − Inquire about their HIPAA plans and status & how you need to work with them to ensure that your billing will not be interrupted.
  − Medicare and Medicaid have free direct billing software available.
  − TCS requires new data for claims.
  − TCS requires use of standard code sets.
  − Some insurance companies might no longer accept paper claims in the future (like Medicare post October).
  − Review your status with Medicare regarding exemption from electronic billing (fewer than 10 full-time employees).


HIPAA Overview

Who is covered in DHHS and DPH?

• DHHS is what is defined as a “hybrid entity” whose primary purpose is not to provide health care, but has components that perform covered functions (health plan, health care providers services). The areas within DHHS that perform HIPAA covered functions are called covered health care components. Health care components must comply with HIPAA fully. An example within DPH is the State Laboratory for Public Health.

• Most program areas within DPH are not HIPAA-covered health care components:
  − DPH provides program funding via grants, which are not considered health plans.
  − DPH in most cases does not provide direct health care services, but program (health care and program oversight), technical consultation, case consultation.
  − DPH performs public health activities, such as vital records, communicable disease surveillance, etc.


HIPAA Overview

Privacy Regulation Applicability

• The Privacy Regulation establishes a federal floor of safeguards to protect the confidentiality of health information.

• The HIPAA Privacy Regulation does not preempt state laws that provide greater protections (e.g., mental health, HIV/AIDS).

• The HIPAA Privacy Regulation applies to covered entities (or to covered health care components within a hybrid entity).

• Privacy Requirements affect:
  – Medical records
  – Billing records
  – Other records/documents with health information
  – Paper records
  – Electronic records
  – Oral communications.


HIPAA Overview

Privacy

Privacy is the right of an individual to keep his/her individual health information from being used or disclosed inappropriately for non-health related purposes.

DPH Privacy Policies

DPH privacy policies apply to all areas that create, maintain, or receive individually identifiable health information during their regular course of business. This extends privacy protections beyond HIPAA covered health care components.


HIPAA Overview

Privacy Regulation - Key Concepts

• Sets boundaries on the use and disclosure of health records.
• Establishes appropriate safeguards health care providers and others must achieve to protect privacy of client information.
• Holds health care providers accountable with civil and criminal penalties if they violate an individual’s privacy rights.
• Ensures that each covered health care component protects the health information it maintains.
• Ensures that an individual’s health information is not used inappropriately.
• Ensures that the minimum amount of information is used or disclosed whenever possible:
  − Does not apply to treatment
  − Limits the amount of information to be used or disclosed to what is minimally necessary to accomplish intended purpose.


HIPAA Overview

Privacy Regulation - Key Concepts

• Requires identification of members of the workforce who need access to health information and the type of information that they need access to in order to perform their jobs.

• Requires appropriate administrative, technical, and physical safeguards to protect health information.

• Requires new policies and procedures to address privacy protections and an individual’s access rights.

• Requires training of all staff members.

• Establishes new rights for individuals regarding access to their personal health information.

• Ensures individuals have more control over when and how their personal health information is used.


HIPAA Overview

Privacy Regulation - Individual Rights

• Right to be informed about protections on and use of their health information through a notice of privacy practices
• Right to inspect, copy, and review their health records
• Right to request amendments to their health records
• Right to request restrictions on use and disclosure of health information
• Right to request reasonable personal communications
• Right to an accounting of disclosures of their health information
• Right to file a complaint against covered entity


HIPAA Overview

Privacy Regulation Terminology

• See Handout: HIPAA Definitions
• To understand HIPAA, there are some important terms you should know:
  - Covered Entity
  - Hybrid Entity
  - Health Care Component
  - PHI
  - IIHI
  - TPO
  - Use vs. Disclosure
  - Minimum Necessary
  - Consent vs. Authorization
  - Designated Record Set
  - Notice of Privacy Practices
  - Business Associate
  - Workforce


HIPAA Overview

Privacy Regulation Terminology

• Covered Entities:
  - Health plans (provide or pay for the cost of medical care)
    - Medicaid, Medicare, Blue Cross
    - Excludes Workers’ Comp, Disability, WIC, most government-funded programs that provide grants
  - Health care clearinghouses (narrowly defined to those that translate data from non-standard to standard format)
  - Health care providers who electronically transmit health information in connection with a standard transaction


HIPAA Overview

Privacy Regulation Terminology

• Hybrid Entity is:
  – A single legal entity that is a covered entity and whose covered functions are not its primary functions. Your organization may be designated as a hybrid entity. The hybrid entity is responsible for ensuring that its health care components within the entity comply with the rules.

• A Health Care Component is:
  – A component of a covered entity that performs covered functions that qualify the component as a Health Care Provider, Health Plan, or Health Care Clearinghouse. Health Care Components within a hybrid entity are required to comply with HIPAA fully.


HIPAA Overview

Privacy Regulation Terminology

• PHI (Protected Health Information):
  – All Individually Identifiable Health Information and other information on treatment and care that is transmitted or maintained in any form or medium (electronic, paper, oral, etc…)

• IIHI (Individually Identifiable Health Information)
  − Any information, including demographic information collected from an individual, that:
    • Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and that
    • Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment of the provision of health care to an individual; and that
    • Identifies the individual, or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.


HIPAA Overview

Privacy Regulation Terminology

• Individual Identifiers:
  • Names
  • All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code…
  • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death…
  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images…
  • Any other unique identifying number or characteristic…


HIPAA Overview

Privacy Regulation Terminology

• TPO – treatment, payment, and other health care operations
  - Treatment:
    • Provision, coordination, or management of health care and related services
    • Coordination and management of health care by a health care provider with a third party (e.g., HMOs)
    • Consultations among health care providers
    • Referrals of patients from one health care provider to another


HIPAA Overview

Privacy Regulation Terminology

• Payment:
  − Activities by a health plan to obtain premiums or fulfill obligations for coverage and the provision of benefits
  − Activities by either a provider or a health plan to obtain reimbursement (e.g., Medicaid payment of claims; provider filing of claims)
  − Examples:
    - Billing and Claims Management
    - Determination of eligibility or coverage
    - Utilization Review Activities
    - Debt Collections


HIPAA Overview

Privacy Regulation Terminology

• Health Care Operations:
  − Quality assessment and improvement activities
  − Competency and performance reviews
  − Conducting training programs
  − Accreditation, Certification, Licensing
  − Credentialing
  − Medical Review
  − Legal Services
  − Auditing functions
  − Business planning and development


HIPAA Overview

Privacy Regulation Terminology

Use

• The sharing, employment, application, utilization, examination, or analysis of Protected Health Information (PHI) within the covered entity that maintains the PHI.

Disclosure

• The release, transfer, provision of access to, or divulging in any other manner of PHI outside the covered entity holding the information.


HIPAA Overview

Privacy Regulation Terminology

• Minimum Necessary:
  − When using any PHI, a covered entity must make all reasonable efforts to limit itself to “the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”

• Need to Know Principle:
  − Necessary for your job
  − How much do you need to know?
  − How much do other people need to know?
  − The key is to balance the privacy of health information against the need for information.


HIPAA Overview

Privacy Regulation Terminology

See Handouts: Q&A Consents and Authorizations, Authorization Forms, Consent Form

Consent

• Consent from client to use IIHI for Treatment, Payment and Health Care Operations (TPO)

• HIPAA no longer requires…strongly suggested, may be required by NC General Statutes

• Not a consent for treatment, which is still required by NC General Statute and Standard of Care

Authorization

• Required for all non-TPO uses and disclosures not otherwise permitted by law

• Customized document that gives permission to use specified PHI for specified purposes or disclose to specified third party

• If client refuses to sign authorization, health care provider cannot deny treatment

• Expiration date required

• Precise language


HIPAA Overview

When an Authorization is NOT Required

• Disclosure is required by law

• Disclosure is for public health purposes

• When required for program monitoring and evaluation

• To avert serious threat to health or safety

• To report child abuse and/or neglect

• When used in judicial/administrative proceedings

• When required in certain situations for law enforcement purposes

• Others also (medical examiner, organ donation)


HIPAA Overview

Privacy Regulation Terminology

• Notice of Privacy Practices:
  – Who
    • Covered health care components
  – What
    • Must develop a document that describes the ways health information may be used and to whom it could be disclosed, including examples of each
  – Why
    • So that patients are more aware of who might have access to their health information and for what reasons
    • Components must also post their Notice in the facility and on their public web site, if available
  – When
    • Providers: At their first treatment encounter after 4-14-03


HIPAA Overview

Privacy Regulation Terminology

• Notice of Privacy Practices:
  – Contacts
    • Notices must identify a person in the agency to contact for more information or for complaints.
    • Notices must inform clients about contacting US DHHS to report violations of privacy practices.
  – Rights
    • Notices must inform patients of their rights.


HIPAA Overview

Privacy Regulation Terminology

• Designated Record Set:
  − A group of records maintained by or for a health plan or health care provider:
    • The medical records and billing records about individuals maintained by or for a covered health care provider; or
    • The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; that are
    • Used, in whole or in part, by or for the health plan or health care provider to make decisions about individuals.


HIPAA Overview

Privacy Regulation Terminology

• Business Associate:
  – A person (or agency) who, on behalf of a covered health care component (but other than a workforce member), performs or assists in performing a function or activity; or provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services to or for the covered entity and involves the use or disclosure of protected health information (PHI).


HIPAA Overview

Privacy Regulation Terminology

• Workforce:

– Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered health care component, is under the direct control of such entity, whether or not they are paid by the covered entity.

− Member workforce test:

• Performs a substantial portion of their activities on the premises of the covered entity

• Works under the direction and control of the covered entity

• Must follow the policies/procedures of the covered entity

• NOT a Business Associate.

Break

What is Required to Comply With HIPAA Privacy:

• See Handouts:

− What Covered Entities Must Do Before April 14, 2003

− Detailed Countdown for HIPAA’s Implementing Individual Rights

• Determine/Confirm Your Organization’s Covered Entity Status Under HIPAA.

• Educate Agency Management and Identify Sources of Funds.

• Designate Local HIPAA Coordinator (Privacy Official).

• Appoint HIPAA Implementation Team Members.

• Define Roles and Responsibilities.

• Attend HIPAA Training Sessions.

• Conduct Baseline Assessments and Identify Gaps.

• Develop and Work Implementation Plan.

What is Required to Comply With HIPAA Privacy:

• Develop policies and procedures based on identified gaps in current practices to ensure the protection of individually identifiable health information. Privacy Policies include:

− Privacy Protections (List of policies)

− Privacy Official (Requirement to identify Official)

− Workforce (Who is workforce/requirements)

− Safeguards (Privacy protections)

− Privacy Complaints (How to file a complaint)

− Business Associates (Who/What they need to do)

− Authorizations (Requirements and Form)

− De-identification (What/How/When)

− Minimum Necessary (What/When to use)

What is Required to Comply With HIPAA Privacy:

• Privacy Policies include:

− Notice of Privacy Practices (What/How/When)

− Client Rights (What/How to implement)

− Personal Representative (What/Who/Duties)

− Designated Record Sets (What/When to use)

− Use and Disclosure (What/When/How)

− Legal Occurrences (Laws/Regulations/Rules)

− Accounting of Disclosures (What/How)

− Research (What/When/How)

− Marketing and Fundraising (What/Limitations)

What is Required to Comply With HIPAA Privacy

• Implement privacy requirements by incorporating new operational privacy practices into existing business practices.

• Implement appropriate and reasonable safeguards to protect individually identifiable health information.

• Define minimum necessary requirements.

• Develop and provide applicable privacy training to staff.

• Provide a designated contact for privacy complaints and assure that all complaints are appropriately documented.

• Assure appropriate use and disclosure of individually identifiable health information.

What is Required to Comply With HIPAA Privacy

• Develop procedures for obtaining client authorizations to release their health information.

• Define procedures for appropriate client accessibility to health information and to assure client rights regarding their health information.

• Evaluate physical safeguards (building and equipment) and implement physical safeguards.

• Develop disciplinary procedures for employees who intentionally violate privacy protection policies.

Guidelines for Safeguarding Health Information

• See Handout: Guidelines for Safeguarding Privacy of Health Information.

• Do not leave any records containing IIHI where others can see them or access them.

• Keep medical test results and all other medical information private.

• Do not share IIHI in public areas.

• Do not leave copies of IIHI at copy machines, printers, or fax machines. Pick up printouts immediately.

• Verify and double check fax numbers before sending, and verify receipt of fax wherever possible.

• Do not send sensitive and confidential information via email.

• Do not leave IIHI exposed in mail boxes or conference rooms.

• Secure IIHI when no one is in the area, either in locked file cabinets or locked in your office.

• Always safeguard IIHI when records are in your possession.

• Return all records containing IIHI to their appropriate location when you no longer require them.

HIPAA’s

• Do Not:

• Share computer passwords or leave them visible.

• Leave computer files open when leaving unlocked or shared work areas.

• Leave IIHI in any public wall file trays unless enclosed in an interoffice envelope.

• Discuss topics involving IIHI in front of other employees or visitors except on a “need to know” basis.

• Leave diskette boxes or Rolodex files containing IIHI accessible in unlocked areas.

• Reuse, share, or dispose of hard drives, floppy disks, CDs, etc., without proper cleansing.

• Leave IIHI for shredding in unlocked/undesignated area.

• Leave records opened and unattended.

• Copy IIHI to your “personal” computer for use outside of authorized work areas.

• Leave door, cabinet, or card keys unattended or share combination lock codes.

Final Thoughts on Privacy

• We must vigorously safeguard all client health information.

• We should use and share only the client information necessary to do the work.

• Clients have the right to ask about how their health information is used and disclosed and by whom.

• It is the right thing to do, even without HIPAA.

HIPAA’s Public Health Exemption Provisions

Public Law 104-191 (Health Insurance Portability and Accountability Act or HIPAA) carved out a specific provision to avoid impeding certain public health laws:

“Public Health. --Nothing in this part shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention.” (P.L. 104-191, Sec. 1178(b)).

45 CFR Part 160

§ 160.203 General rule and exceptions.

“A standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law. This general rule applies, except if one or more of the following conditions is met: …

(c) The provision of State law, including State procedures established under such law, as applicable, provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention.”

HIPAA’s Public Health Exemption Provisions

45 CFR Part 162

§ 164.512 Uses and disclosures for which consent, an authorization, or opportunity to agree or object is not required. …

(b) Standard: uses and disclosures for public health activities. …

“(1) Permitted disclosures. A covered entity may disclose protected health information for the public health activities and purposes described in this paragraph to:

(i) A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions;…”

HIPAA’s Public Health Exemption Provisions

45 CFR Part 162

§ 164.512 Uses and disclosures for which consent, an authorization, or opportunity to agree or object is not required. …

(d) Standard: uses and disclosures for health oversight activities. …

“(1) Permitted disclosures. A covered entity may disclose protected health information to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of:

(i) The health care system;

(ii) Government benefit programs for which health information is relevant to beneficiary eligibility;

(iii) Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or

(iv) Entities subject to civil rights laws for which health information is necessary for determining compliance.”

Final Thoughts on HIPAA

• HIPAA is not going away.

• The regulations set new privacy standards and public expectations for privacy protections and rights to access health information.

• There will be penalties and liabilities for non-compliance.

• Additional regulations will be forthcoming.

• Changes to standards are expected.

• There will be an expanded use of electronic transactions.

• There is continued Congressional pressure to tighten privacy protections (e.g., requiring consents, further restrictions on marketing).

Useful Links:

HIPAA Regulations (federal site): http://aspe.os.dhhs.gov/admnsimp/

Office of Civil Rights (privacy): http://www.hhs.gov/ocr/hipaa

Center for Medicare and Medicaid Services: http://www.cms.hhs.gov/hipaa/

DPH HIPAA Office: http://dhhs.state.nc.us/dph/

DHHS HIPAA Office: http://dirm.state.nc.us/hipaa/

Institute of Government: http://www.medicalprivacy.unc.edu/

Local Health Departments: http://sph.unc.edu/hipaa

Contact

DPH HIPAA Office

[email protected]

(919) 715-0411

Break

Questions and Answers