FAQ sites from DHHS:
- Employer Identifier Standard FAQs
- National Provider Identifier Standard FAQs
- Security and Electronic Signature Standards FAQs
- Electronic Transactions Standards FAQs
- Code Sets FAQs
- Protecting the Privacy of Patients' Health Information (8/21/02): www.hhs.gov/news/pres/2002pres/privacy.html
- Frequently Asked Questions about the HIPAA Privacy Rule (10/2/02): www.hhs.gov/ocr/faqs1001.doc
- Frequently Asked Questions about the Minimum Necessary Standards: http://www.hhs.gov/ocr/hipaa/minnec.html
Frequently Asked Questions
1. What is HIPAA?
2. What are the objectives of HIPAA?
3. Who is affected?
4. What is a covered entity?
5. What is Individually Identifiable Health Information (IIHI)?
6. What is Protected Health Information (PHI)?
7. What exactly does HIPAA mandate?
8. What are the compliance deadlines?
9. Are there penalties? Why comply?
10. What are the Electronic Transaction Standards?
11. What are the Code Set Standards?
12. What are the Identifier Standards?
13. What are the Security Standards?
14. What are the Privacy Standards?
15. Why was this legislation necessary?
16. How will we be affected?
17. What are our plans?
What is HIPAA?
The Health Insurance Portability & Accountability Act of 1996, Public Law 104-191.
Title II includes a section, Administrative Simplification, requiring:
1. Improved efficiency in healthcare delivery by standardizing electronic data interchange, and
2. Protection of the confidentiality and security of health data through setting and enforcing standards.
More specifically, HIPAA calls for:
- Standardization of electronic patient health, administrative and financial data
- Unique health identifiers for individuals, employers, health plans and health care providers
- Security standards to provide physical, technical and administrative safeguards to protect the integrity, availability and confidentiality of health information
- Privacy standards to ensure administrative and physical safeguards to protect the privacy and confidentiality of health information, and to protect against unauthorized access
What are the objectives of HIPAA?
- Group and Individual Insurance Reform: it allows portability and continuity of health insurance and places limits on pre-existing condition exclusion provisions.
- Accountability: it reduces the potential for waste, fraud and abuse. New penalties and sanctions will be imposed.
- Administrative Simplification: it requires application of uniform standards to electronic data transactions in a confidential and secure environment. Its goal is to improve the effectiveness and efficiency of the health care system.
Who is affected?
All healthcare organizations are covered entities. This includes health care providers, health plans, employers, public health authorities, life insurers, clearinghouses, billing agencies, information system vendors, service organizations and universities.
What is a Covered Entity?
A health plan, health care clearinghouse or health care provider who maintains and transmits any health information.
What is "Individually Identifiable Health Information" (IIHI)?
Information that is a subset of health information, including demographic information collected from an individual, and that
1. is created or received from a health care provider, health plan, employer or health care clearinghouse; and
2. relates to the past, present or future physical or mental health or condition of an individual, or the provision of health care to an individual; and
3. identifies the individual, or for which there is a reasonable basis to believe the information can be used to identify the individual.
What is Protected Health Information (PHI)?
All individually identifiable health information (IIHI) transmitted or maintained by a covered entity, regardless of form. Protected health information excludes IIHI in education records. The following individually identifiable data elements are deemed protected health information under the Privacy Rule:
- Names
- Geographic subdivisions smaller than a state
- Birth date (except year)
- Telephone number
- E-mail address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate / license numbers
- Vehicle identifiers & serial numbers
- Device identifiers & serial numbers
- Uniform Resource Locators (URLs)
- IP address numbers
- Biometric identifiers
- Full face photographs
- Any other unique identifying number, characteristic or code
What exactly does HIPAA mandate?
The federal government enacted the Health Insurance Portability Act of 1996 (HIPAA) with the intent to assure health insurance portability, reduce healthcare fraud and abuse, guarantee security and privacy of health information, and enforce standards for health information.
Title II, Subtitle F of this act mandates regulations in five areas:
1. National standards for electronic data transmission
2. Unique health identifiers for providers, employers, plans and individuals
3. Security standards to protect electronically maintained health information
4. Privacy and confidentiality provisions for individually identifiable health care data
What are the compliance deadlines?
| Standard | Compliance deadline |
| Transactions and Code Sets | 10/16/2002; 10/16/2003 if an extension is filed before 10/16/2002 |
| Privacy Standards | 4/14/2003 |
| Security Rule (Proposed) | Final rule expected in 8/2002; compliance will be 2 years after the final rule is published |
| Unique Identifier | No target date |
Are there penalties? Why comply?
- Individuals have the right to file complaints with the Secretary of HHS, and covered entities are required to provide a complaint mechanism.
- The following is a summary of penalties for failure to comply with requirements and for wrongful disclosure of individually identifiable health information:
| General Penalty for Failure to Comply | |
| Each violation | $100 |
| Maximum penalty for all violations of an identical requirement | May not exceed $25,000 |
| Failure to comply due to reasonable cause and not willful neglect | Must be corrected within 30 days; may be extended by the Secretary of HHS |
| Wrongful Disclosure of Individually Identifiable Health Information | |
| Wrongful disclosure offense | $50,000, imprisonment of not more than 1 year, or both |
| Offense under false pretenses | $100,000, imprisonment of not more than 5 years, or both |
| Offense committed with intent to sell information | $250,000, imprisonment of not more than 10 years, or both |
- Non-compliance could lead to exclusion from participating in federally funded programs.
What are the Electronic Transaction Standards? (Compliance 10/16/2002, or 10/16/2003 with extension)
A single standard is established to replace hundreds of forms and formats for claims and other administrative and financial transactions.
The rules cover specified transactions in any electronic form. The specified transaction standards include those developed by the American National Standards Institute's (ANSI) Accredited Standards Committee (ASC) and, for pharmacy claims, the National Council for Prescription Drug Programs (NCPDP). Each of these organizations has developed implementation guides for its standard, the specifications of which are included in the final rule.
What are the Code Set Standards? (Compliance 10/16/2002, or 10/16/2003 with extension)
These require standard data content for each transaction. Standard content refers to Code Sets for both medical and non-medical data.
ICD-9-CM, CPT-4, CDT-3 (dental) and NDC (National Drug Codes) are required for transaction standards for medical data. CDT-2 and NDC will replace "D" and "J" codes respectively in HCPCS Level 3, which will be modified to eliminate duplications and overlap. Official coding guidelines, published through the HHS National Center for Health Statistics (NCHS), are required to guide implementation.
What are the Identifier Standards?
Four types of identifiers were targeted for standardization under HIPAA:
- National Provider Identifier (NPI), issued to each healthcare provider
- Employer Identification Number (EIN), administered by the IRS
- Standard identifiers for health plans
- Unique identifier for individuals (highly controversial; consideration deferred)
What are the Security Standards? (Final Rule due in 8/2002; compliance 24 months later)
The proposed security regulations consist of administrative procedures, physical safeguards, and technical security mechanisms that a health care entity must address in order to safeguard the integrity, confidentiality, and availability of its electronic data.
What are the Privacy Standards?
The regulation requires the creation of a set of fair information practices that inform people of how their information is used and disclosed, ensure that they have access to information about them, and require health plans and providers to maintain administrative and physical safeguards to protect the confidentiality of health information and protect against unauthorized access.
Why was this legislation necessary?
Technological advancements have impacted the electronic transmission of health data, including:
- Rapid growth of health care Internet and intranet applications to transmit and share patient information such as diagnoses, radiological images, lab tests, and prescriptions.
- Advancements in the computerization of patient medical records.
- Increasing use of electronic prior authorizations for services, as well as claims submission and payments.
- Use of e-mail as a communication tool between caregivers and their patients.
- Lack of standardization for the collection, storage and transmission of health data, which results in increased administrative costs with an accompanying decrease in the use of data.
- Increasing health care costs and a demand for uniform healthcare data to evaluate coverage and treatment approaches.
- Public concerns about privacy, which bring demands for greater security.
How will we be affected?
- Assessment and implementation will take time, planning, resources and a change in attitude and behavior.
- Security and privacy are primary consumer concerns. Failure to address them proactively will result in loss of trust, credibility and potential revenue.
- Noncompliance will result in ineligibility to participate in Medicare and other federally funded programs.
- We have to develop and disseminate a Notice of Privacy Practices.
- Patients must be educated regarding their rights.
- All members of the workforce must be educated about HIPAA.
- We must review all policies and procedures, and revise and develop policies where appropriate to be compliant with HIPAA.
- The Institutional Review Board would have an increased role in the evaluation and monitoring of all research projects.
- Electronic transactions for claims to payers, including Medicare, must meet HIPAA standards.
What are our plans?
A HIPAA Steering Committee is assigned to oversee activities that will ensure compliance with HIPAA regulations. Several Task Teams were formed and are presently doing some of the background work to revise or develop policies and procedures where appropriate.
We plan to develop the HIPAA section on the Compliance website, to keep you up to date.
I can be reached at X1345 or by e-mail at rcallend@msm.edu.
Useful HIPAA Resources