HIPAA Update PowerPoint Presentation—Kearney 2003

As HIPAA Progresses…
…What you need to know to keep up
1
HIPAA Progresses
• HIPAA EDI (Electronic Data Interchange)
• HIPAA Unique Provider & Employer ID
• HIPAA Security
• HIPAA Privacy Compliance
• NOA References to help you with HIPAA
2
HIPAA Progresses
• HIPAA EDI (Electronic Data Interchange)
• HIPAA Unique Employer ID
• HIPAA Security
• HIPAA Privacy Compliance
• NOA References to help you with HIPAA
3
EDI (Electronic Data Interchange)
• If you use EDI it must comply with HIPAA
• HIPAA does not force you to use EDI except for Medicare claims under limited circumstances
4
EDI (Electronic Data Interchange)
Why HIPAA EDI?
• Prior to HIPAA EDI there were multiple EDI data forms
• Different entities could not communicate
• Delays and confusion in claims
5
HIPAA Administrative Simplification
• Sets standard data sets
– Routine Care (VSP, EyeMed, CVC)
– Medical Claims (Medicare, BCBS)
6
Affects most electronic health data
• Claims/Encounter submission
• Payment remittance notices
• Insurance eligibility
• Claim status
and…
7
Additional electronic health data
• Group Health enrollment
• Health insurance premium payments
• Other Internet health data
8
End Result
• When the data ends up at the 3rd party payer it must be in HIPAA EDI format
• Examples follow: Current Method vs. HIPAA EDI
9
Current vs. New: Authorization
• Current Method
– Provider seeks authorization over Internet 
– 3rd Party Payer receives and replies
• HIPAA EDI
– Provider seeks authorization over Internet 
– HIPAA compliant site or program intervenes 
– 3rd Party Payer receives in HIPAA format and replies
• WYNTD: Test
10
Current vs. New: Routine Care Claims
• Current Method
– Provider completes web page form over Internet 
– 3rd Party Payer receives and replies
• HIPAA EDI
– Provider completes web page form over Internet 
– HIPAA compliant site or program intervenes 
– 3rd Party Payer receives in HIPAA format and replies
• WYNTD: Test
11
Current vs. New: Medical Claims
• Current Method
– Provider’s paper data 
– Billing service - Clearinghouse 
– 3rd Party Payer
• HIPAA EDI
– Provider’s paper data 
– HIPAA compliant Billing service - Clearinghouse 
– 3rd Party Payer
• WYNTD: Test
12
Current vs. New: Medical Claims
• Current Method
– Provider’s data 
– Computer program 
– 3rd Party Payer
• HIPAA EDI
– Provider’s data 
– HIPAA compliant computer program 
– 3rd Party Payer
• WYNTD: Test
13
Testing NOW (yesterday!) is imperative
• If you wait, you will be delayed by a traffic jam
• Payment will be delayed until you comply
• It is anticipated that many practitioners will not comply
• It is anticipated that back-up systems will be swamped
– Fax
– Phone
– Paper
• Non-electronic filers should anticipate delays as well
14
Contact all 3rd parties for immediate testing if:
• You file claims electronically with them.
• You communicate with them electronically in any way except
– voice phone
– paper fax
15
Contacting 3rd parties
• NOA August issue of 3rd Party Newsletter contains pages of information on what questions to ask.
• Newsletter available at the NOA Website if you don’t have a printed copy
16
Contacting 3rd parties
• Respective 3rd party contact information should be available in their manual.
• NOA 3rd Party HIPAA web page will contain as many contact sites as Dr. Quack can find.
• Please email Dr. Quack of other sites not listed on the NOA HIPAA Web page so he can add them to the list.
17
Medicare and EDI
• If you have 10 or more FTE employees you must file with Medicare via EDI
• Most offices of this size already use EDI
• If you have fewer employees you do not have to tell Medicare (no waiver needed)
• No official employee counter has been appointed, to Dr. Quack’s knowledge
19
Medicare and EDI
• Electronic filers should TEST as described
• Delays in paper claim payments expected since more paper claims -with errors- are anticipated
20
HIPAA EDI Bottom Line: TEST IMMEDIATELY
21
HIPAA Continues
• HIPAA EDI (Electronic Data Interchange)
• HIPAA Unique ID
• HIPAA Security
• HIPAA Privacy Compliance
• NOA References to help you with HIPAA
22
National Identifiers
• Requires standard Identifier for
– Health care providers
– Health-related Employers
23
Applies to
• All health plans,
• All health care clearinghouses, and
• Any health care providers that transmit any health information in electronic form
24
Electronic transmissions include all media:
• Magnetic tape
• Disk
• CD media
25
Transmissions include
• Internet
• Extranet
• Leased lines
• Dial-up lines
• Private networks
26
Not Included
• Telephone voice response
• “Fax back” systems
27
Estimated time of implementation:
• Mid-2004 (Dr. Quack wonders…)
28
Action needed at this time:
• None
29
HIPAA Continues
• HIPAA EDI (Electronic Data Interchange)
• HIPAA Unique Employer ID
• HIPAA Security
• HIPAA Privacy Compliance
• NOA References to help you with HIPAA
30
HIPAA Security and Electronic Signature Standards
• Requires that health care information be protected to ensure privacy and confidentiality when electronically
– stored,
– maintained, or
– transmitted.
31
HIPAA Security and Electronic Signature Standards
• The proposed security standards also specify a standard for electronic signature
• …but do not require the use of an electronic signature
32
Applies to
• All health plans,
• All health care clearinghouses, and
• Any health care providers that transmit any health information in electronic form
33
Electronic transmissions include all media:
• Magnetic tape
• Disk
• CD media
34
Transmissions include
• Internet
• Extranet
• Leased lines
• Dial-up lines
• Private networks
35
Not Included
• Telephone voice response
• “Fax back” systems
36
Estimated time of implementation:
• 2005
37
Action required at this time:
• None
38
HIPAA Continues
• HIPAA EDI (Electronic Data Interchange)
• HIPAA Unique Employer ID
• HIPAA Security
• HIPAA Privacy Compliance
• NOA References to help you with HIPAA
39
HIPAA PRIVACY: What do we do now?
• Dr. Quack has been receiving many questions regarding HIPAA Privacy
– Some show fear and over-reaction
– Others reflect lack of compliance
• ERGO:
– 15 minute review of HIPAA Privacy basics
– For those that already understand, please be patient!
40
HIPAA PRIVACY: What do we do now?
• Read aloud your Notice of Privacy Practices at staff meetings once a quarter.
• Follow it with a HIPAA discussion of
– reasonable safeguards
– minimum necessary
• Your Privacy Officer should review and update your HIPAA Privacy Manual once a quarter.
41
OCR Guidance
• Privacy Rule permits certain incidental uses & disclosures of PHI when the covered entity uses
– reasonable safeguards
– minimum necessary policies & procedures
42
Reasonable Safeguards
– Speaking quietly when discussing a patient’s condition with family members in a waiting room or other public area;
– Avoiding using patients’ names in public hallways & elevators
43
Reasonable Safeguards
– Posting signs to remind employees to protect patient confidentiality;
– Supervising, isolating, or locking file cabinets or records rooms;
– Providing additional security, such as passwords, on computers maintaining personal information.
44
More Safeguards
– Ask waiting customers to stand a few feet back from a counter used for patient counseling.
– Use of cubicles, dividers, shields, curtains, or similar barriers where multiple patient-staff communications routinely occur
45
OCR Guidance
• Privacy Rule permits certain incidental uses & disclosures of PHI when the covered entity uses
– reasonable safeguards
– minimum necessary policies & procedures
46
Minimum Necessary Rule
– Requires limiting access to PHI, based on the needs to perform job duties.
– Unimpeded access to PHI, where not necessary for the job at hand, is not applying the minimum necessary standard.
– Any incidental use or disclosure that results from not applying the Minimum Necessary Standard would be unlawful.
47
Minimum Necessary Rule
– The minimum necessary standard does not apply to disclosures, including oral disclosures, among health care providers for treatment purposes
48
FAQs: Frequently Asked Questions…
49
OCR Guidance FAQs: confidential conversations
– Q: Can health care providers engage in confidential conversations with other providers or with patients, even if there is a possibility that they could be overheard?
– A: Yes, when using reasonable safeguards.
50
OCR Guidance FAQs: confidential conversations
– Free to engage in communications as required for quick, effective, & high quality health care.
– Overheard communications in these settings may be unavoidable & are allowed as incidental disclosures.
51
OCR Guidance FAQs: confidential conversations
• When using Reasonable Safeguards:
– Health care staff may orally coordinate services at hospital nursing stations.
– Staff may discuss a patient’s condition over the phone with the patient, a provider, or a family member.
– A health care professional may discuss lab test results with a patient or other provider in a joint treatment area.
52
OCR Guidance FAQs: confidential conversations
• HIPAA Privacy does not require
– Private rooms.
– Soundproofing of rooms.
– Encryption of wireless or other emergency medical radio communications.
– Encryption of telephone systems.
53
OCR Guidance FAQs: Mailings & phone calls
– Q: May physicians’ offices or pharmacists leave messages at patients’ homes, either on an answering machine or with a family member, to remind them of appointments or to inform them that a prescription is ready? May providers continue to mail appointment or prescription refill reminders to patients’ homes?
54
OCR Guidance FAQs: Mailings & phone calls
• A: Yes.
– Limit the PHI disclosed on the answering machine.
– Consider leaving only name & number & PHI necessary to confirm an appointment
– Or ask the individual to call back.
– May leave a message with a family member or other person who answers the phone when the patient is not home.
55
OCR Guidance FAQs: Confidential Conversation
– Where a patient has requested confidential communication, you must accommodate that request, if reasonable. Examples:
• mailings in an envelope, not postcard.
• mail sent to a P.O. box, not to home
• receive calls at the office, not at home
56
OCR Guidance FAQs: Sign-in sheet
– Q: May physicians’ offices use patient sign-in sheets or call out the names of their patients in their waiting rooms?
– A: Yes. But the sign-in sheet may not display medical information that is not necessary for the purpose of signing in.
57
OCR Guidance FAQs: Charts on doors
– Q: Are charts outside of exam rooms prohibited?
– A: No. Using reasonable safeguards & the minimum necessary rule, covered entities must simply
• evaluate what measures make sense in their environment
• tailor their practices & safeguards to their particular circumstances.
58
OCR Guidance FAQs: Charts on doors
– You May maintain patient charts outside of exam rooms, displaying patient names on the outside of patient charts…
– Possible safeguards may include:
• Supervise area
• Place patient charts facing the wall or otherwise covered
59
OCR Guidance FAQs: Announcing names
– You May: Announce patient names & other information over a facility’s public announcement system.
– Possible safeguards may include:
• Limiting the information disclosed over the system, such as referring the patients to a reception desk.
60
OCR Guidance FAQs: Overheard conversation
– A provider may be overheard, in the reception area, instructing staff to bill a patient for a particular procedure
– A health plan employee discussing a patient’s health care claim on the phone may be overheard by another employee who is not authorized to handle patient information.
61
OCR Guidance FAQs: Office re-design
• Q: Are covered entities required to restructure workflow systems, redesign office space & upgrade computer systems to comply with the HIPAA Privacy Rule?
• A: The Department generally does not consider facility redesigns as necessary to meet the reasonableness standard for minimum necessary uses.
• Use the reasonable safeguards and minimum necessary rule listed earlier
62
OCR Guidance FAQs: Business Associate
• Examples of Business Associates:
– A health care clearinghouse that translates a claim from non-standard to standard format & forwards it to a payer.
– An independent medical transcriptionist that provides transcription services to a physician.
– A collection agency
– Software personnel who have access to PHI
63
OCR Guidance FAQs: No permission needed
• Q: Can a patient have a friend or family member pick up a prescription for her?
• A: Yes. A pharmacist may use professional judgment & experience with common practice to make reasonable inferences of the patient’s best interest in allowing a person, other than the patient, to pick up a prescription.
64
OCR Guidance FAQs: No permission needed
– Q: Does the HIPAA Privacy Rule permit a covered entity or its collection agency to communicate with parties other than the patient (e.g., spouses or guardians) regarding payment of a bill?
– A: Yes. A covered entity or their business associate (e.g., a collection agency) may disclose PHI as necessary to obtain payment for health care, & there is no limit to whom such a disclosure may be made.
65
OCR Guidance FAQs: No permission needed
• However, the Privacy Rule requires you to
– Place a reasonable limit on the amount of information disclosed,
– Abide by any reasonable requests for confidential communications
– Honor any agreed-to restrictions on the use or disclosure of PHI.
66
OCR Guidance FAQs: No permission needed
• Q: Does the HIPAA Privacy Rule prevent health plans & providers from using debt collection agencies?
• A: The Privacy Rule permits use of debt collection agencies through a business associate arrangement.
• Disclosures to collection agencies are governed by provisions such as the business associate agreement & minimum necessary requirements.
67
OCR Guidance FAQs: No permission needed
• Q: Does the HIPAA Privacy Rule permit an eye doctor to confirm a contact prescription received by a mail-order contact company?
• A: Yes. The disclosure of PHI by an eye doctor to a distributor of contact lenses for the purpose of confirming a contact lens prescription is a treatment disclosure, & is permitted under the Privacy Rule at 45 CFR 164.506.
68
OCR Guidance FAQs: No permission needed
– Q: Is a hospital permitted to contact another hospital or health care facility, such as a nursing home, to which a patient will be transferred for continued care, without the patient’s authorization?
69
OCR Guidance FAQs: No permission needed
• A: Yes. The HIPAA Privacy Rule permits disclosure of PHI without authorization to another health care provider for treatment or payment purposes, as well as to another covered entity for certain health care operations of that entity.
70
Physical Changes
• HIPAA does not require that you make radical, expensive changes to your office.
• The following are some reasonable alterations in office layout to assist in complying with HIPAA
71
Doors
• Close doors (anonymity)
• Especially when discussing PHI, e.g.,
– History
– Pre-examination
– Examination
72
Always speak quietly
• Hearing impaired?
– Speak slowly
– Get closer
• Take special care when speaking in hallways and other common areas
73
Multi-patient areas (Check-in, Check-out, Dispensary)
• Speak reasonably quietly
• Use “PLEASE WAIT HERE” signs if appropriate
• Provide “PLEASE WAIT HERE” chairs if appropriate
• Incidental disclosure is acceptable
74
Business Office Areas
• Place HIPAA reminder signs at work stations
• Place HIPAA reminder signs on computer monitors
• Place HIPAA reminder signs on file cabinets
75
Computer Monitors
• Rotate screen away from public
• Put a plant next to monitor
• Use Screen saver or “Minimize” screen
• Place HIPAA reminder sign on monitor
• Remember, patients can see their own PHI!
76
Patient Records
• Keep records closed except when in use
• When practical, divide each record into sections, e.g.,
– Demographics
– Examination
– Claims
• Staff should use only that portion of the record needed for the task at hand
83
Patient Record Storage
• Post HIPAA reminder signs in record storage areas
• Reasonably monitor record storage areas
• Reasonably monitor records in hallways
86
HIPAA Continues
• HIPAA EDI (Electronic Data Interchange)
• HIPAA Unique Employer ID
• HIPAA Security
• HIPAA Privacy Compliance
• NOA References to help you with HIPAA
88
[Screenshot of a login form with annotations: Dr. Birthday (MMDDYY); Dr. lastname only, all lower case; Check this box]
90
http://www.cms.hhs.gov/medicaid/hipaa/adminsim/
103
THANK YOU… …FOR YOUR ATTENTION!
116