As HIPAA Progresses… …What you need to know to keep up

HIPAA Progresses
• HIPAA EDI (Electronic Data Interchange)
• HIPAA Unique Provider & Employer ID
• HIPAA Security
• HIPAA Privacy Compliance
• NOA References to help you with HIPAA

EDI (Electronic Data Interchange)
• If you use EDI it must comply with HIPAA
• HIPAA does not force you to use EDI, except for Medicare claims under limited circumstances

EDI (Electronic Data Interchange): Why HIPAA EDI?
• Prior to HIPAA EDI there were multiple EDI data formats
• Different entities could not communicate
• Delays and confusion in claims

HIPAA Administrative Simplification
• Sets standard data sets
 – Routine Care (VSP, EyeMed, CVC)
 – Medical Claims (Medicare, BCBS)

Affects most electronic health data
• Claims/Encounter submission
• Payment remittance notices
• Insurance eligibility
• Claim status and…

Additional electronic health data
• Group Health enrollment
• Health insurance premium payments
• Other Internet health data

End Result
• When the data ends up at the 3rd party payer it must be in HIPAA EDI format
• Examples follow: Current Method vs. HIPAA EDI

Current vs. New: Authorization
• Current Method
 – Provider seeks authorization over Internet
 – 3rd Party Payer receives and replies
• HIPAA EDI
 – Provider seeks authorization over Internet
 – HIPAA compliant site or program intervenes
 – 3rd Party Payer receives in HIPAA format and replies
• WYNTD: Test

Current vs. New: Routine Care Claims
• Current Method
 – Provider completes web page form over Internet
 – 3rd Party Payer receives and replies
• HIPAA EDI
 – Provider completes web page form over Internet
 – HIPAA compliant site or program intervenes
 – 3rd Party Payer receives in HIPAA format and replies
• WYNTD: Test

Current vs. New: Medical Claims (paper)
• Current Method
 – Provider’s paper data
 – Billing service / Clearinghouse
 – 3rd Party Payer
• HIPAA EDI
 – Provider’s paper data
 – HIPAA compliant Billing service / Clearinghouse
 – 3rd Party Payer
• WYNTD: Test

Current vs. New: Medical Claims (computer)
• Current Method
 – Provider’s data
 – Computer program
 – 3rd Party Payer
• HIPAA EDI
 – Provider’s data
 – HIPAA compliant computer program
 – 3rd Party Payer
• WYNTD: Test

Testing NOW (yesterday!) is imperative
• If you wait, you will be delayed by a traffic jam
• Payment will be delayed until you comply
• It is anticipated that many practitioners will not comply
• It is anticipated that back-up systems will be swamped
 – Fax
 – Phone
 – Paper
• Non-electronic filers should anticipate delays as well

Contact all 3rd parties for immediate testing if:
• You file claims electronically with them.
• You communicate with them electronically in any way except
 – voice phone
 – paper fax

Contacting 3rd parties
• The NOA August issue of the 3rd Party Newsletter contains pages of information on what questions to ask.
• The newsletter is available at the NOA website if you don’t have a printed copy.

Contacting 3rd parties
• Respective 3rd party contact information should be available in their manual.
• The NOA 3rd Party HIPAA web page will contain as many contact sites as Dr. Quack can find.
• Please email Dr. Quack about other sites not listed on the NOA HIPAA web page so he can add them to the list.

Medicare and EDI
• If you have 10 or more FTE employees you must file with Medicare via EDI
• Most offices of this size already use EDI
• If you have fewer employees you do not have to tell Medicare (no waiver needed)
• No official employee counter has been appointed, to Dr. Quack’s knowledge

Medicare and EDI
• Electronic filers should TEST as described
• Delays in paper claim payments are expected, since more paper claims (with errors) are anticipated

HIPAA EDI Bottom Line: TEST IMMEDIATELY

National Identifiers
• Requires a standard identifier for
 – Health care providers
 – Health-related employers

Applies to
• All health plans,
• All health care clearinghouses, and
• Any health care providers that transmit any health information in electronic form

Electronic transmissions include all media:
• Magnetic tape
• Disk
• CD media

Transmissions include
• Internet
• Extranet
• Leased lines
• Dial-up lines
• Private networks

Not Included
• Telephone voice response
• “Fax back” systems

Estimated time of implementation:
• Mid-2004 (Dr. Quack wonders…)

Action needed at this time:
• None

HIPAA Security and Electronic Signature Standards
• Requires that health care information be protected to ensure privacy and confidentiality when electronically
 – stored,
 – maintained, or
 – transmitted.

HIPAA Security and Electronic Signature Standards
• The proposed security standards also specify a standard for electronic signature
• …but do not require the use of an electronic signature

Applies to
• All health plans,
• All health care clearinghouses, and
• Any health care providers that transmit any health information in electronic form

Electronic transmissions include all media:
• Magnetic tape
• Disk
• CD media

Transmissions include
• Internet
• Extranet
• Leased lines
• Dial-up lines
• Private networks
Not Included
• Telephone voice response
• “Fax back” systems

Estimated time of implementation:
• 2005

Action required at this time:
• None

HIPAA PRIVACY: What do we do now?
• Dr. Quack has been receiving many questions regarding HIPAA Privacy
 – Some show fear and over-reaction
 – Others reflect lack of compliance
• ERGO:
 – 15 minute review of HIPAA Privacy basics
 – For those that already understand, please be patient!

HIPAA PRIVACY: What do we do now?
• Read aloud your Notice of Privacy Practices at staff meetings once a quarter.
• Follow it with a HIPAA discussion of
 – reasonable safeguards
 – minimum necessary
• Your Privacy Officer should review and update your HIPAA Privacy Manual once a quarter.

OCR Guidance
• The Privacy Rule permits certain incidental uses & disclosures of PHI when the covered entity uses
 – reasonable safeguards
 – minimum necessary policies & procedures

Reasonable Safeguards
 – Speaking quietly when discussing a patient’s condition with family members in a waiting room or other public area;
 – Avoiding using patients’ names in public hallways & elevators

Reasonable Safeguards
 – Posting signs to remind employees to protect patient confidentiality;
 – Supervising, isolating, or locking file cabinets or records rooms;
 – Providing additional security, such as passwords, on computers maintaining personal information.

More Safeguards
 – Ask waiting customers to stand a few feet back from a counter used for patient counseling.
 – Use cubicles, dividers, shields, curtains, or similar barriers where multiple patient-staff communications routinely occur.

Minimum Necessary Rule
 – Requires limiting access to PHI based on what is needed to perform job duties.
 – Unimpeded access to PHI, where not necessary for the job at hand, is not applying the minimum necessary standard.
 – Any incidental use or disclosure that results from not applying the Minimum Necessary Standard would be unlawful.

Minimum Necessary Rule
 – The minimum necessary standard does not apply to disclosures, including oral disclosures, among health care providers for treatment purposes.

FAQs: Frequently Asked Questions…

OCR Guidance FAQs: confidential conversations
 – Q: Can health care providers engage in confidential conversations with other providers or with patients, even if there is a possibility that they could be overheard?
 – A: Yes, when using reasonable safeguards.

OCR Guidance FAQs: confidential conversations
 – Providers are free to engage in communications as required for quick, effective, & high quality health care.
 – Overheard communications in these settings may be unavoidable & are allowed as incidental disclosures.

OCR Guidance FAQs: confidential conversations
• When using reasonable safeguards:
 – Health care staff may orally coordinate services at hospital nursing stations.
 – Staff may discuss a patient’s condition over the phone with the patient, a provider, or a family member.
 – A health care professional may discuss lab test results with a patient or other provider in a joint treatment area.

OCR Guidance FAQs: confidential conversations
• HIPAA Privacy does not require
 – Private rooms.
 – Soundproofing of rooms.
 – Encryption of wireless or other emergency medical radio communications.
 – Encryption of telephone systems.

OCR Guidance FAQs: Mailings & phone calls
 – Q: May physicians’ offices or pharmacists leave messages at patients’ homes, either on an answering machine or with a family member, to remind them of appointments or to inform them that a prescription is ready? May providers continue to mail appointment or prescription refill reminders to patients’ homes?

OCR Guidance FAQs: Mailings & phone calls
• A: Yes.
 – Limit the PHI disclosed on the answering machine.
 – Consider leaving only name & number & the PHI necessary to confirm an appointment,
 – or ask the individual to call back.
 – You may leave a message with a family member or other person who answers the phone when the patient is not home.

OCR Guidance FAQs: Confidential communication
 – Where a patient has requested confidential communication, you must accommodate that request, if reasonable. Examples:
 • mailings in an envelope, not a postcard.
 • mail sent to a P.O. box, not to the home.
 • calls received at the office, not at home.

OCR Guidance FAQs: Sign-in sheet
 – Q: May physicians’ offices use patient sign-in sheets or call out the names of their patients in their waiting rooms?
 – A: Yes. But the sign-in sheet may not display medical information that is not necessary for the purpose of signing in.

OCR Guidance FAQs: Charts on doors
 – Q: Are charts outside of exam rooms prohibited?
 – A: No. Using reasonable safeguards & the minimum necessary rule, covered entities must simply
 • evaluate what measures make sense in their environment
 • tailor their practices & safeguards to their particular circumstances.

OCR Guidance FAQs: Charts on doors
 – You may maintain patient charts outside of exam rooms, displaying patient names on the outside of patient charts…
 – Possible safeguards may include:
 • supervising the area
 • placing patient charts facing the wall or otherwise covered

OCR Guidance FAQs: Announcing names
 – You may announce patient names & other information over a facility’s public announcement system.
 – Possible safeguards may include:
 • limiting the information disclosed over the system, such as referring patients to a reception desk.

OCR Guidance FAQs: Overheard conversation
 – A provider may be overheard, in the reception area, instructing staff to bill a patient for a particular procedure.
 – A health plan employee discussing a patient’s health care claim on the phone may be overheard by another employee who is not authorized to handle patient information.

OCR Guidance FAQs: Office re-design
• Q: Are covered entities required to restructure workflow systems, redesign office space & upgrade computer systems to comply with the HIPAA Privacy Rule?
• A: The Department generally does not consider facility redesigns necessary to meet the reasonableness standard for minimum necessary uses.
• Use the reasonable safeguards and minimum necessary rule listed earlier.

OCR Guidance FAQs: Business Associate
• Examples of Business Associates:
 – A health care clearinghouse that translates a claim from non-standard to standard format & forwards it to a payer.
 – An independent medical transcriptionist that provides transcription services to a physician.
 – A collection agency.
 – Software personnel who have access to PHI.

OCR Guidance FAQs: No permission needed
• Q: Can a patient have a friend or family member pick up a prescription for her?
• A: Yes. A pharmacist may use professional judgment & experience with common practice to make reasonable inferences of the patient’s best interest in allowing a person other than the patient to pick up a prescription.
OCR Guidance FAQs: No permission needed
 – Q: Does the HIPAA Privacy Rule permit a covered entity or its collection agency to communicate with parties other than the patient (e.g., spouses or guardians) regarding payment of a bill?
 – A: Yes. A covered entity or its business associate (e.g., a collection agency) may disclose PHI as necessary to obtain payment for health care, & there is no limit to whom such a disclosure may be made.

OCR Guidance FAQs: No permission needed
• However, the Privacy Rule requires you to
 – Place a reasonable limit on the amount of information disclosed,
 – Abide by any reasonable requests for confidential communications, and
 – Honor any agreed-to restrictions on the use or disclosure of PHI.

OCR Guidance FAQs: No permission needed
• Q: Does the HIPAA Privacy Rule prevent health plans & providers from using debt collection agencies?
• A: The Privacy Rule permits use of debt collection agencies through a business associate arrangement.
• Disclosures to collection agencies are governed by provisions such as the business associate agreement & minimum necessary requirements.

OCR Guidance FAQs: No permission needed
• Q: Does the HIPAA Privacy Rule permit an eye doctor to confirm a contact prescription received by a mail-order contact company?
• A: Yes. The disclosure of PHI by an eye doctor to a distributor of contact lenses for the purpose of confirming a contact lens prescription is a treatment disclosure, & is permitted under the Privacy Rule at 45 CFR 164.506.

OCR Guidance FAQs: No permission needed
 – Q: Is a hospital permitted to contact another hospital or health care facility, such as a nursing home, to which a patient will be transferred for continued care, without the patient’s authorization?
 – A: Yes.
The HIPAA Privacy Rule permits disclosure of PHI without authorization to another health care provider for treatment or payment purposes, as well as to another covered entity for certain health care operations of that entity.

Physical Changes
• HIPAA does not require that you make radical, expensive changes to your office.
• The following are some reasonable alterations in office layout to assist in complying with HIPAA.

Doors
• Close doors (anonymity)
• Especially when discussing PHI, e.g.,
 – History
 – Pre-examination
 – Examination

Always speak quietly
• Hearing impaired?
 – Speak slowly
 – Get closer
• Take special care when speaking in hallways and other common areas

Multi-patient areas (Check-in, Check-out, Dispensary)
• Speak reasonably quietly
• Use “PLEASE WAIT HERE” signs if appropriate
• Provide “PLEASE WAIT HERE” chairs if appropriate
• Incidental disclosure is acceptable

Business Office Areas
• Place HIPAA reminder signs at work stations
• Place HIPAA reminder signs on computer monitors
• Place HIPAA reminder signs on file cabinets

Computer Monitors
• Rotate screen away from public
• Put a plant next to monitor
• Use screen saver or “Minimize” screen
• Place HIPAA reminder sign on monitor
• Remember, patients can see their own PHI!

[Screenshots illustrating “Minimize”; no recoverable text]

Patient Records
• Keep records closed except when in use
• When practical, divide each record into sections, e.g.,
 – Demographics
 – Examination
 – Claims
• Staff should use only that portion of the record needed for the task at hand

Patient Record Storage
• Post HIPAA reminder signs in record storage areas
• Reasonably monitor record storage areas
• Reasonably monitor records in hallways
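The Minimum Necessary Rule and the sectioned patient record above (Demographics / Examination / Claims, staff using only the portion needed for the task) can be written as a single access check. This is an added example, not code from the NOA deck; the role names, the role-to-section mapping and the audit list are assumptions for illustration.

```python
"""Minimum-necessary check for a sectioned patient record.

Added illustration, not code from the NOA slides. It models two points the
deck makes: divide each record into Demographics / Examination / Claims and
let staff open only the portion needed for the task at hand, and exempt
treatment disclosures among providers from the minimum necessary standard.
The roles and the role-to-section mapping below are assumptions.
"""
from dataclasses import dataclass, field

SECTIONS = frozenset({"demographics", "examination", "claims"})
PROVIDER_ROLES = frozenset({"provider"})   # assumed role name

# Assumed: the sections each role needs for its routine job duties.
ROLE_SECTIONS = {
    "front_desk": {"demographics"},
    "biller": {"demographics", "claims"},
    "provider": {"demographics", "examination", "claims"},
}

audit_log = []  # denied requests, kept for the Privacy Officer's quarterly review


@dataclass
class AccessRequest:
    role: str
    purpose: str                      # "treatment", "payment" or "operations"
    sections: set = field(default_factory=set)


def minimum_necessary_applies(req):
    """Slide: the standard does not apply to disclosures among health care
    providers for treatment purposes; every other purpose is limited."""
    return not (req.purpose == "treatment" and req.role in PROVIDER_ROLES)


def check(req):
    """Return (granted, denied) sections; unknown sections or roles are rejected."""
    requested = set(req.sections)
    unknown = requested - SECTIONS
    if unknown:
        raise ValueError(f"unknown record section(s): {sorted(unknown)}")
    if req.role not in ROLE_SECTIONS:
        raise ValueError(f"unknown role: {req.role}")
    granted = requested & ROLE_SECTIONS[req.role] if minimum_necessary_applies(req) else requested
    denied = requested - granted
    if denied:   # record what was withheld so the policy itself can be reviewed
        audit_log.append((req.role, req.purpose, sorted(denied)))
    return granted, denied
```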
NOA References to help you with HIPAA

[Screenshot with annotations: Dr. Birthday MMDDYY; Dr. lastname only; All lower case; Check this box]

Reference: http://www.cms.hhs.gov/medicaid/hipaa/adminsim/

THANK YOU… …FOR YOUR ATTENTION!