HIPAA – Amendment to Internal Revenue Code Washington County Health System HIPAA – Amendment to Internal Revenue Code Washington County Health System HIPAA – Amendment to Internal Revenue Code Washington County Health System Washington County Health System H ealth I nformation P ortability & A ccountability A ct Amendment to Internal Revenue Code HIPAA – Amendment to Internal Revenue Code Washington County Health System Purpose of HIPAA Legislation “To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.” Preamble to Public Law 104-191 (“HIPAA”) Health Insurance Portability and Accountability Act of 1996 HIPAA – Amendment to Internal Revenue Code Washington County Health System Title I – Health Access, Portability, Renewability Title II – Health Care Fraud & Abuse (subtitle F-Administrative Simplification) Title III – Tax Related Provisions Title IV – Application & Enforcement of Group Health Plan Requirements Title V – Revenue Offsets HIPAA – Amendment to Internal Revenue Code Washington County Health System Title I Health Access, Portability, Renewability • Covers preexisting conditions may be covered • No discrimination based on health status • Guaranteed renewal clauses • Requires certificate of coverage • Exercise reasonable diligence in determining eligibility HIPAA – Amendment to Internal Revenue Code Washington County Health System Title II Fraud & Abuse • Created Fraud & Abuse Control Program and Medicare Integrity Program • Created incentives for beneficiaries to report suspected fraud & abuse • Established penalties for program violations: – Fines and returns of overpayments – Criminal prosecution – Exclusion from federal healthcare programs HIPAA – Amendment to Internal Revenue Code Washington County Health System Title II Fraud & Abuse • Mandated national data collection effort on fraud & abuse • Defined Civil Monetary Penalties (CMPs) for violations • Revised criminal laws relating to healthcare fraud HIPAA – Amendment to Internal Revenue Code Washington County Health System Purpose of Subtitle F Reasoning Behind HIPPA Administrative Simplifications Congress sought to reduce the administrative costs and burden associated with health care by standardizing data and facilitating electronic transmission of many administrative and financial transactions. Because of the belief that the electronic movement of health information creates patient privacy and security concerns, Congress also directed the Secretary of HHS to develop standards to protect the privacy and security of individually identifiable health information. HIPAA – Amendment to Internal Revenue Code Washington County Health System Title III Tax Related Provisions • Established non-taxable Medical Savings Accounts to pay medical bills • Increased income tax deduction for self-employed individuals who purchase their own health insurance • Established income tax deduction for long-term care insurance premiums and defined policy requirements HIPAA – Amendment to Internal Revenue Code Washington County Health System Title III Tax Related Provisions • Made accelerated death benefits tax-exempt—for example, a terminally ill individual receives the proceeds of their life insurance policy prior to death to pay end-of-life expenses. • Made state-sponsored insurance programs for highrisk individuals exempt from income tax Established non-taxable Medical Savings Accounts to pay medical bills HIPAA – Amendment to Internal Revenue Code Washington County Health System Title III Tax Related Provisions • Allowed penalty-free withdrawals from IRAs to pay “financially devastating medical expenses” • Provided organ and tissue donation information with income tax refund payments HIPAA – Amendment to Internal Revenue Code Washington County Health System Title IV Application and Enforcement of Group Health Plan Requirements • Requires that group health plans offer portability, access and renewability with similar stipulations as individual plans under Title I of HIPAA • Imposes a penalty for failure to meet certain group health plan requirement • Clarifies COBRA requirements for terminating employees with group health coverage HIPAA – Amendment to Internal Revenue Code Washington County Health System Title V Revenue Offsets • Loans against company-owned life insurance policies • Tax treatment of individuals who lose U.S. citizenship • How financial institutions allocate interest HIPAA – Amendment to Internal Revenue Code Washington County Health System Title II Administrative Simplification is the Following: 1. 2. Electronic transactions and code sets Unique identifiers – – – – 3. 4. 5. 6. National providers National employers Health plan Individuals Privacy Security and E-Signatures Claims attachments Enforcement June 2000 January 2001 January 2001 January 2001 On Hold January 2001 January 2001 January 2001 No Drafts HIPAA – Amendment to Internal Revenue Code Washington County Health System Title II Administrative Simplification 1. Electronic transactions & code sets - Standardize software & data elements - Standardize common diagnostic, therapeutic, and treatment codes HIPAA – Amendment to Internal Revenue Code Washington County Health System Title II Overview of Transaction Exchange PROVIDERS Eligibility Verification HEALTH PLANS 270 271 Authorization & Referrals Claim / Encounter Claim Status Inquiry Remittance / Payment Enrollment 278 837 275 276 275 811 834 820 PreCertification Claim Acceptance Adjudication 277 835 SPONSORS Accounts Payable Enrollment HIPAA – Amendment to Internal Revenue Code Washington County Health System Title II Administrative Simplification 2. Unique Identifiers • Provider – Replace UPIN number • Employer – What to do with Federal Tax ID # ? • Health Plans – Create new numbering system • Individual – Purpose of ID is to link medical information between providers HIPAA – Amendment to Internal Revenue Code Washington County Health System Title II Administrative Simplification 3. Privacy • • May extend to paper document Must have patient’s permission to use their data for marketing or fund raising HIPAA – Amendment to Internal Revenue Code Washington County Health System Title II Administrative Simplification 4. Security & Electronic Signature - Security Tracks - Administrative Procedures - Physical Safeguards (facilities) - Technical Security Services - Technical Security Mechanisms - Electronic Signatures HIPAA – Amendment to Internal Revenue Code Washington County Health System Security Requirements Security Tracks • • • Certification Chain of trust or business partner agreement Contingency plan (disaster recovery, testing, and verification) • • Formal mechanism for processing records Formal access control (procedures for granting access) HIPAA – Amendment to Internal Revenue Code Washington County Health System Security Requirements Administrative Procedures • • • Internal Audits Personnel security Security management (risk analysis, mgmt, sanction policy) • Incident reporting, termination procedures, training … HIPAA – Amendment to Internal Revenue Code Washington County Health System Security Requirements Physical Safeguards • • • • • • Assigned security responsibility (accountability) Media controls Physical access controls (limited access) Policy/guidelines for workstation use Secure workstation location Security awareness training HIPAA – Amendment to Internal Revenue Code Washington County Health System Security Requirements Technical Security Services • Access control (emergency access, and one of context, role, or user based access; encryption is optional) • • • • Audit controls Authorization controls (role or user based access) Data authentication (hashing algorithms, MAC) Entity authentication (auto logoff, unique user id, and one biometric, password, PIN, telephone callback, or token) HIPAA – Amendment to Internal Revenue Code Washington County Health System Security Requirements Technical Security Mechanisms • Private Networks – Dial-Up, leased lines, extranets, intranets, VAN’s • • Requires: Integrity controls, message authentication, access controls, encryption Public Networks – Internet • • Requires: All of the above and In addition: Alarms, audit trails, entity authentication, event reporting, and encryption HIPAA – Amendment to Internal Revenue Code Washington County Health System Security Requirements Electronic Signatures Requirements • Features that must be implemented: – • Message integrity, non-repudiation, User authentication Optional features: – Ability to add attributes, continuity of signatures, Counter signatures, independent verifiability, Interoperability, multiple signatures, transportability, non-repudiation, User authentication HIPAA – Amendment to Internal Revenue Code Washington County Health System Title II Administrative Simplification 5. Claims attachments – No proposal yet - Within the claims, some method of identifying any attachments HIPAA – Amendment to Internal Revenue Code Washington County Health System Title II Administrative Simplification 6. Enforcement - Fines $50,000 to $250,000 - Prison terms up to 10 years HIPAA – Amendment to Internal Revenue Code Washington County Health System Next Steps • Issue Recognized • • • • • September 1999 Education process started Budgeted for several initiatives Contingency budgeted P.I. Team Formed Awaiting final regulations May 2000 HIPAA – Amendment to Internal Revenue Code Washington County Health System Next Steps A. Awareness Training B. C. D. Security Assessment Evaluate Vulnerabilities Review Procedures & Update as Needed – E. In Process Complete Requirements Assessment and Budget Resources – December 2000 HIPAA – Amendment to Internal Revenue Code Washington County Health System