HIPAA Project
University Health System
Angela Carson
Tim Geryk
Bill Phillips
• Health Insurance Portability and Accountability Act (HIPAA) of 1996
• Title II, Subtitle F of this act has four key aims:
– Protect the insurability of individuals
– Ensure information security
– Simplify health care administration
– Preserve patient privacy of individual health information
…and it mandates regulation in five areas:
– Electronic transaction standards
– Unique health identifiers
– Standard code sets
– Security of electronically stored health care data
– Privacy of individually identifiable health information
Congress perceived:
• Increased public concern about privacy
• Increased use of interconnected electronic information systems in health care
• Advances in genetic sciences
• An estimated average of 150 people have access to a patient’s medical record
Slide graphics: news headlines “Healthcare Fraud and Abuse on the Rise” and “Emailed Patient Info”.
• Improve consumer control of their health information
• Change the way health care is provided and information is managed
• Health care industry to speak same language
– Provide a seamless exchange of clinical information between healthcare providers by 2005
• Save the industry administrative $$$ ???
– Through administrative simplification, the potential is there to reduce the cost of administrative overhead in healthcare
“HIPAA is not about information technology like Y2K was. Although HIPAA involves various IT components, much of an organization’s ability to achieve compliance will be based on [remainder of quotation missing from the slide].”
– Patrick Carney, CIO, North Shore-Long Island Jewish Health System, Great Neck, NY, in the August 2001 issue of Modern Healthcare
• The most sweeping legislation to affect the health care system in over 30 years (since Medicare)
• Changes are much more significant than Y2K
• Popular consensus anticipates real benefits from HIPAA law
• Everyone in health care and at UHS is affected!
HIPAA affects:
• How we code patient charts
• How we transact with health care payers
• Who can access patient information
• How we use patient information
• How we protect patient information
• And others…
OPERATIONAL:
• New Administrative and Clinical Procedures (EXAMPLE: Billing, Operations, Coding, Claims Processing)
• Contracts and/or Chain of Trust Agreements (EXAMPLE: Providers, Payers, Clearinghouses, other healthcare service companies)
MANAGERIAL:
• Leadership & Support
• New or Revised Policies & Procedures
TECHNOLOGICAL:
• Interoperability (Hardware, Software, Connectivity)
• Vendor Management
• Security Infrastructure
Everyone in Health Care Will Be Affected!
Direct applicability: Providers, Hospitals, Health Plans, Clearinghouses, Billing Agencies, Pharmacies, Laboratories, Etc...
Indirect applicability: All organizations that exchange data with those directly covered under HIPAA through Chain of Trust Agreements and/or contracts
• Board of Directors
• Executive Officers
• Directors
• Physicians
• Staff
• Medical students and residents
• Contractors and vendors
• Volunteers
HIPAA: Health Insurance Portability and Accountability Act
• Administrative Simplification [Accountability]
– Transactions, Code Sets, & Identifiers – Compliance Date: 16 Oct 03
May 2001
– Privacy – Compliance Date: 14 April 03
– Security – Compliance Date: TBD
• Insurance Reform [Portability]
• Portability (Insurance Reform)
– Individuals moving from one plan to another have continuity of insurance coverage
• Accountability
– Significantly increases the federal government’s fraud enforcement authority
• Administrative Simplification
– Cuts administrative waste in the health care industry!
Goal: To substantially reduce costs in administrative operations via…
• Transactions & Code Sets – Compliance date 16 Oct 03
– Uniform National Standards - For electronic transmission of certain transactions
– Single Identification Numbers - Providers, employers, health plans and patients
• Security Standards – Compliance date TBD
– Ensure the security of electronic health information and electronic signatures
• Privacy Standards – Compliance date 14 Apr 03
– To protect individuals’ health care information
• Reduce handling and processing time
• Eliminate the risk of lost paper documents
• Eliminate the inefficiencies of handling paper documents
• Improve overall data quality
• Decrease administrative costs
• Increase faith in the protection of patients’ personal health information
• Thus, improve quality of patient care!
• National standards for electronic health care transactions will encourage electronic commerce and simplify the processes involved. For example, about 400 different formats exist today for electronic claims.
• An industry-wide standard will reduce the amount of conversion and translation being used in the industry today and will create consistency.
• Industry example
– What are the benefits of using standards in pharmacy transactions? Faster payments, faster response to eligibility requests, etc.
• Electronic transaction is the exchange of electronic information between two parties to carry out financial or administrative activities related to health care
• Types of electronic transactions include:
– Health care claims or encounter information
– Eligibility for health plan coverage
– Health care payment or remittance advice
– Health claim status
– Enrollment/dis-enrollment information
– Health plan premium payments
– Referral certification or authorization
– Eligibility inquiry & response
HIPAA universal identifiers include:
• Healthcare providers
– NPI (national provider identification #); 10-digit alphanumeric
• Employers
– EIN (employer ID #); 9-digit taxpayer ID
• Health plans
– Plan ID; 9-digit ID assigned
• Individual
– Hot debate, delayed legislation
• Code sets define the valid data values that can be used within a transaction
• Code sets include:
– Diseases & inpatient hospital services: ICD-9-CM
– Physician services & procedures: CPT-4
– Medical equipment and injectables: HCPCS
– Dental: CDT
– National drug codes: NDC
– Other health-related services: HCPCS Level 2
– Other substances, equipment, supplies, or other items used in health care services: HCPCS
• Privacy
– The right of individuals to keep information about themselves from being disclosed to others
• Security
– The ability to control access and protect information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction or loss
• HIPAA security includes organizational & facility security, not just Information Systems
• Requirements in four areas/categories address health care data integrity, confidentiality and availability:
– Non-IT: Administrative procedures and physical safeguards
– IT: Technical security services and technical security mechanisms
• Covers all electronically maintained or transmitted individual health information
Some non-IT administrative procedures and physical safeguards include:
– Password management for computers
– Locking drawers, bins and files
– Physical access to building and/or departments
– Clean desk awareness
– Faxes, printouts and reports
– Virus protection
– Visitor access to facility
– Backup and disaster recovery procedures
Some IT technical security services and technical security mechanisms include:
– Unique user ID
– Access restriction
– Audit controls to record or examine system activity
– Entity ID verification
– Data authentication to ensure data is not altered or destroyed with inappropriate access
– Transmission security during external transmission of data
A Tampa, FL man stole a list of 4,000 HIV-positive patients from a state health worker and sent the list to the Tampa Tribune, which did not publish it. The man was found guilty and sentenced to jail.
A New York State congressional candidate’s past suicide attempt was made public during the election. She won the election and sued the hospital for failing to maintain the confidentiality of her medical records.
An employee of a large Blue Cross/Blue Shield plan obtained unauthorized access to the medical records of the ex-wife of a friend and sent them to his friend.
A banker serving on a state health commission accessed a list of local cancer patients and cross-referenced it to a list of his customers. He then called in their loans.
• The Privacy Rule
– States that a Covered Entity (University Health System & staff) may not use or disclose Protected Health Information (PHI) unless the patient agrees to the use or disclosure, or the use or disclosure is specifically required or permitted by the HIPAA regulations.
• Compliance date – 14 April 03!
– You will be learning more about “The Privacy Rule” and UHS policies and procedures as they relate to this regulation in another required course.
• Covered Entities
– Healthcare providers (University Health System!), health plans, and clearinghouses
• Protected Health Information (PHI)
– All individually identifiable information that is transmitted or maintained in ANY form of medium (electronic, paper & oral)
• Floor of Provisions
– HIPAA does not preempt more stringent state laws
• “Use”
– Applies to internal utilization or sharing of PHI at University Health System. Information shared easily (without authorization) for treatment, payment and health care operations
• “Disclosure”
– Applies to external release of PHI. Allowed without authorization for certain national priority purposes under defined circumstances. Written authorization, as specified, for all other purposes.
• PHI elements include:
– Names
– Geographic locations smaller than a state
– Birth date (except for a year)
– Telephone or fax
– Email address
– Biometric identifiers
– Social security number
– Medical record # or account #
– Photographs
– License number/VINs
– URLs/IP address
– Health plan beneficiary number
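The element list above is what makes a record individually identifiable, so a practical check is to find which of those elements a record contains before it is sent anywhere, and to strip them when the identity is not needed. The following is an added example, not material from the presentation or UHS: it scans a constructed sample record (field names and regex patterns are assumptions) for the listed elements, including identifiers pasted into free text, and produces a copy that keeps only what the slide permits (state-level geography and the year of the birth date).

```python
import re
# Constructed sample record (not real patient data). It contains several of the
# PHI elements listed on the slide, one of them buried in a free-text note.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "birth_date": "1961-04-17",
    "city": "San Antonio", "state": "TX", "zip": "78229",
    "phone": "210-555-0142", "email": "jane.sample@example.com",
    "ssn": "123-45-6789", "mrn": "MRN-0048213", "ip_address": "192.0.2.44",
    "diagnosis": "Type 2 diabetes mellitus",
    "notes": "Call back at 210-555-0142 re: lab results",
}

# Field names are an assumption about the record layout. "state" and
# "diagnosis" are not identifiers on the slide's list, so they stay; a birth
# date is reduced to its year, which the slide permits.
DIRECT_IDENTIFIERS = {"name", "city", "zip", "phone", "email", "ssn", "mrn", "ip_address"}

# Patterns for identifiers that tend to get pasted into free-text fields.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def find_phi(record):
    """Names of PHI elements present in the record, including ones inside text."""
    found = {key for key in DIRECT_IDENTIFIERS if record.get(key)}
    if record.get("birth_date"):
        found.add("birth_date")
    for value in record.values():
        if isinstance(value, str):
            found.update(n for n, pat in PATTERNS.items() if pat.search(value))
    return found

def deidentify(record):
    """Copy with identifier fields dropped, text scrubbed and birth date cut to year."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "birth_date":
            out["birth_year"] = value[:4]
            continue
        if isinstance(value, str):
            for name, pat in PATTERNS.items():
                value = pat.sub(f"[{name} removed]", value)
        out[key] = value
    return out
```

Running `find_phi` on the de-identified copy should return an empty set; if it does not, the record still carries a listed element and should not leave the department without authorization.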
• It’s the Law! Civil penalties up to $25,000 per person, per standard… and worse!
• Standardization will result in significant savings in administrative costs
• It is good business to protect patients’ health information
• It is a good Risk Management strategy
– Why put University Health System at risk for bad publicity or a law suit?
Non-Compliance (Civil Penalty)
• Fine of up to $100 for each violation/person, per transaction and up to a maximum of $25,000 per year per incident
• For failure to comply with transaction standards
Unauthorized Disclosure or Misuse of Patient Information (Criminal Penalty)
• Fine of up to $250,000 and/or imprisonment up to 10 years
• For a knowing misuse of unique health identifiers and/or individually identifiable health information
• Penalties may apply to the individual violator but they may also apply to the organization or even to its officers
• Make obvious changes as soon as possible
• Protect your patients’ privacy and rights
– Don’t leave medical information where people can see it
– Control access to your department
– Don’t leave information on desktops
– Use a screen saver
– Identify patients properly before giving out information
– Lock your desktop when you leave it, even to run to the copier
– Can others overhear you when speaking about a patient on the telephone?
• Education (lots of it) on HIPAA will be coming your way. For questions regarding this training, contact Jacque Burandt at 358-2355
• Periodic news updates
• Updates on changing policies and procedures
• For questions, please contact the UHS Chief Privacy Officer, Angela Carson, at 358-2299 (email address: alcarson@uhs-sa.com)
• Initial HIPAA awareness exposure (this presentation) for directors and supervisors
• Complete Information Flow Assessments by RC (by 8/31/02) Who: All directors
• Make decisions on HIPAA organization structure (by 8/31/02) Who: Legal Services
• Collect all policies and procedures that you use for handling patient information (hand in with Information Flow Assessments) Who: All directors
• For questions, please contact Angela Carson at 358-2299 (email address: alcarson@uhs-sa.com)