Compliance with HIPAA Administrative Simplification
HIPAA Administrative Simplification Regulations
- Transaction & Code Sets
- Privacy
- Security
- National Provider, Employer & Health Plan Identifiers
- Claims Attachments
- Doctor's First Notice of Injury
- National Individual Identifier
is a collaborative healthcare industry-wide process resulting in the implementation of standards and furthering the development and implementation of future standards.
Promote general healthcare industry readiness to implement HIPAA standards. Identify education and general awareness opportunities for the healthcare industry to utilize. Recommend an implementation time frame for each component of HIPAA for each stakeholder and identify the best migration paths for trading partners.
Establish opportunities for collaboration, compile industry input, and document the industry best practices. Identify resolution or next steps where there are interpretation issues or ambiguities within HIPAA standards. Serve as a resource for the healthcare industry when resolving issues arising from HIPAA implementation.
HIPAA Privacy Implementation and the Physician Practice
Utilizing the Work Group to assist you in compliance
Objectives of Privacy Regulations
- Control sharing of identifiable information
- Permit unauthorized disclosures for public health, research, oversight, etc.
- Require written authorization for all other purposes
- Mandate fair information/security practices
- Preempt state laws that conflict/less stringent
Which entities are covered?
- Health plans (any individual or group plan covering medical care)
- Healthcare clearinghouses (billing services, community health information services, etc.)
- Healthcare providers who maintain identifiable health information (electronic, written, oral, or any other recorded medium)
Individual Rights
- Receive written notice of information practices
- Obtain access to protected health information about them (inspect/copy)
- Consent before information is released
- Request amendment/correction of inaccurate information
- Receive accounting of what has been disclosed for purposes other than treatment, payment or healthcare operations
Administrative Requirements
- Designate a privacy official
- Provide privacy training/sanctions for employees/business partner violations
- Institute safeguards against intentional or accidental misuse
- Process for lodging/tracking complaints
- Maintain documentation of policies/procedures, including:
  - Who has access to protected information
  - How information used within entity
  - When it will/will not be disclosed to others
Disclosures
- Consent: General written permission for purposes of treatment, payment and healthcare operations (can refuse to treat if refusal)
- Authorization: Specific written permission for all other uses (cannot refuse to treat for refusal)
- Limited Disclosures without Consent/Authorization:
  - Oversight/quality assurance
  - Public health/public interest
  - Research with IRB/Privacy Board approval
  - Judicial/administrative/law enforcement
  - Emergency
  - Identification of body/cause of death
  - Facility patient directories
  - National defense/security
Information Practices
- Minimum Necessary requirements
- De-identification whenever possible
- Verification
- No conditioning treatment/coercion to release
- Notice of information practices
- Designated record sets
Penalties
- Civil monetary penalties: $100 per incident, up to $25,000 per person, per year, per standard for failure to comply with the requirements
- Criminal penalties for wrongful release of protected health information (false pretenses/selling information/malicious harm): from $50,000/1 year prison to $250,000/up to 10 years prison
Cost of Implementation
- HHS estimates $17.6 billion costs, but $12.3 billion net savings over 10 years from standardization of claims processing
- HHS impact analysis excludes most costly provisions (monitoring business partners, state law preemption and minimum necessary use)
- AHA consultant estimates are $4 to 22 billion higher
NE SNIP Lessens the Burden
NE SNIP Steering Committee
- Privacy
- Transaction/Code Sets
- Security
- Education/Awareness
NE Strategic National Implementation Process Goals:
- Establish collaborative planning with payers, providers, clearinghouses and vendors
- Identify education and awareness needs
- Identify best practices
- Share sample policies/procedures/forms
Privacy Work Group Model
- Prioritize privacy issues
- Establish subcommittees to organize and present major topics
- All members volunteer for topic subcommittees to share the workload
- For each topic the subcommittee develops:
  - Educational Session
  - Checklist for implementation
  - Sample policies, procedures, forms
Priority Privacy Issues
Patient Access Consent Process Business Partner Agreements Minimum Necessary Preemption Gap Analysis Training & Education Healthcare Operations Single Entity De-identification Marketing & Fundraising Physical Safeguards
Privacy Workbook
- Each subcommittee will organize their materials into a workbook chapter
- Final product will provide a Nebraska best practice implementation plan
- Each participant can then customize the policies, procedures and forms for their own organization
- Instead of reinventing the wheel we will have clear guidelines