HIPAA (Health Insurance Portability and Accountability Act)


History
• HIPAA, the Health Insurance Portability and Accountability Act of 1996, was enacted
by the United States Congress and signed into law by President Bill Clinton in 1996.

• Sponsored by Sen. Nancy Kassebaum (together with Sen. Edward Kennedy; the law is
also known as the Kassebaum-Kennedy Act).

• HIPAA is the United States Health Insurance Portability and Accountability
Act of 1996. There are two sections to the Act.

Title I: Deals with protecting health insurance coverage for people who lose or
change jobs.
Title II: Includes an Administrative Simplification section which deals with the
standardization of healthcare-related information systems.
Title II is the section most often meant when HIPAA is discussed in a security context.
Objectives of the Act:
• HIPAA seeks to establish standardized mechanisms for Electronic Data
Interchange (EDI), security, and confidentiality of all healthcare-related data.

The Act mandates:

i. Standardized formats for all patient health, administrative, and financial data;
ii. Unique identifiers (ID numbers) for each healthcare entity, including individuals,
employers, health plans and health care providers;
iii. Security mechanisms to ensure confidentiality and data integrity for any
information that identifies an individual.

Title I:
• Deals with health care access, portability and renewability of health plans.

• Regulates the availability and extent of group health plans and certain
individual insurance policies.

• Limits the restrictions that a group health plan can place on benefits for
preexisting conditions.

Title II:

• Deals with:

• Preventing health care fraud and abuse

• Administrative Simplification

• Medical liability reform

What does it do?

• Defines policies, procedures and guidelines for maintaining the privacy and
security of individually identifiable health information.

• Outlines numerous offences relating to health care and sets civil and criminal
penalties for violations.

• Establishes several programs to control fraud and abuse within the health
care system.

Contd…..

• The most important activity carried out under this title is the
Administrative Simplification program.

• Title II requires the Dept. of Health and Human Services (HHS) to draft rules
aimed at increasing the efficiency of the health care system by creating
standards for the use and dissemination of health care information.

These rules apply to covered entities:

• Health plans

• Health care clearinghouses

• Health care providers that transmit health information electronically in
connection with a standard transaction

Billing services and community health care information systems that handle PHI on
a covered entity's behalf are bound through the business associate provisions.

As per the requirements of Title II, the HHS has promulgated five rules regarding
Administrative Simplification:

1. The Unique Identifiers Rule

2. The Privacy Rule

3. The Security Rule

4. The Enforcement Rule

5. The Transactions and Code Sets Rule

The Unique Identifier Rule:
• HIPAA covered entities (providers completing electronic transactions, health care
clearinghouses, and large health plans) must use only the National Provider Identifier
(NPI) to identify covered health care providers in standard transactions. (The NPI is a
unique 10-digit identification number issued to health care providers in the United
States by the Centers for Medicare and Medicaid Services (CMS). It replaced the Unique
Physician Identification Number (UPIN) as the required identifier for Medicare services
and is also used by other payers, including commercial health insurers.)

• The rule became effective on May 23, 2005; covered entities had to comply by
May 23, 2007, and small health plans by May 23, 2008.

The Unique Identifier Rule:
Contd…..

• All covered entities using electronic transactions must use the single NPI.

• The NPI replaces the legacy provider identifiers (such as the UPIN and
payer-assigned numbers) with one unique number per provider.

• The NPI does not replace the DEA (Drug Enforcement Administration) number, state
license number, or tax identification number.

• The NPI is a 10-digit number.

• Numeric only; it contains no letters.

• The last digit is a check digit, computed with the Luhn formula over the constant
prefix 80840 followed by the first nine digits.

• Does not contain any embedded intelligence; it is simply a number.

• Unique and never reused.

• An institution can obtain multiple NPIs for different subparts. Ex: a hospital
providing cancer treatment as well as running a rehabilitation center can have
two different NPIs.
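Because the check digit is the only structure an NPI has, validating it is the one local check a system can run before accepting a provider identifier in a transaction. The following is an added example, not code from the original slides: it implements the Luhn check-digit rule as CMS specifies it (prefix 80840 plus the nine identifying digits). The NPIs in it are constructed test values, not real providers.

```python
"""NPI check-digit validation (added example; not from the original slides).

CMS defines the NPI check digit with the Luhn formula applied to the constant
prefix 80840 followed by the nine identifying digits. The sample NPIs used
below are constructed test values, not real providers.
"""

NPI_PREFIX = "80840"   # constant prefix CMS prepends before applying Luhn


def luhn_sum(digits: str) -> int:
    """Luhn sum: double every second digit counting from the right, fold
    two-digit products by subtracting 9, and add everything up."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total


def npi_check_digit(first_nine: str) -> str:
    """Compute the tenth (check) digit for nine identifying NPI digits."""
    if len(first_nine) != 9 or not (first_nine.isascii() and first_nine.isdigit()):
        raise ValueError("expected exactly nine decimal digits")
    # Appending a placeholder 0 puts the nine digits in the same doubling
    # positions they occupy in the finished 10-digit NPI.
    total = luhn_sum(NPI_PREFIX + first_nine + "0")
    return str((10 - total % 10) % 10)


def is_valid_npi(npi: str) -> bool:
    """True only for a 10-digit, all-numeric string whose Luhn sum (with the
    80840 prefix) is a multiple of 10. Anything else is rejected outright,
    so callers cannot smuggle letters or wrong lengths into a transaction."""
    if len(npi) != 10 or not (npi.isascii() and npi.isdigit()):
        return False
    return luhn_sum(NPI_PREFIX + npi) % 10 == 0


if __name__ == "__main__":
    # Constructed value: the nine digits 123456789 yield check digit 3.
    print(npi_check_digit("123456789"))        # 3
    print(is_valid_npi("1234567893"))          # True
    print(is_valid_npi("1234567883"))          # False: one digit mistyped
    print(is_valid_npi("1234567839"))          # False: last two digits swapped
```

The check digit catches any single mistyped digit and most adjacent transpositions, but it is a typo check, not authentication: a syntactically valid NPI says nothing about whether that provider exists or is the party actually sending the transaction. Pair it with a lookup in the CMS NPPES registry and with the Security Rule's entity authentication requirements.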
Enforcement Rule

• This was the last of the Administrative Simplification rules issued by HHS.

• Became effective on March 16, 2006.

• Sets civil monetary penalties for violations of the HIPAA rules.

• Establishes procedures for investigations into HIPAA violations.

Transactions and Code Sets Rule

• HIPAA was intended to make the health care system in the United States
more efficient by standardizing health care transactions.

• To achieve this, HIPAA added a new part titled Administrative Simplification.

• The rule simplifies health care transactions by requiring all health plans (and
the other covered entities) to conduct them in a standardized way, using the
adopted EDI transaction sets and code sets.

• Information about the administrative simplification can be found at 42 USC §
1320d-2 and 45 CFR Part 162.

EDI Health Care Claim Transaction Set (X12 837)

• Used to submit health care claim billing information, encounter information, or both.
• Can be sent from providers of health care services to payers, either directly or via
intermediary billers.
• It can also be used to transmit health care claims and billing payment
information between payers with different payment responsibilities where
coordination of benefits is required, or between payers and regulatory
agencies to monitor the rendering, billing, and/or payment of health care
services within a specific health care/insurance industry segment.
EDI Retail Pharmacy Claim Transaction (NCPDP Telecommunication Standard):

• Used to submit retail pharmacy claims to payers by health care professionals
who dispense medications, either directly or via intermediary billers and
claims clearinghouses.

• It can also be used to transmit claims for retail pharmacy services and
billing payment information between payers with different payment
responsibilities where coordination of benefits is required, or between
payers and regulatory agencies to monitor the rendering, billing, and/or
payment of retail pharmacy services within the pharmacy health
care/insurance industry segment.
EDI Health Care Claim Payment/Advice Transaction Set (X12 835):
• Used by a health insurer to make a payment, send an Explanation of Benefits
(EOB), send an Explanation of Payments (EOP) remittance advice, or make a
payment and send an EOP remittance advice together, to a health care
provider either directly or via a financial institution.

EDI Benefit Enrollment and Maintenance Set (X12 834):

• Can be used by employers, unions, government agencies, associations or
insurance agencies to enroll members with a payer. The payer is a
healthcare organization that pays claims or administers insurance, a benefit
or a product.
• Examples of payers include an insurance company, a health maintenance
organization (HMO), a preferred provider organization (PPO), and government
agencies (Medicaid, Medicare).

EDI Payroll Deducted and Other Group Premium Payment for Insurance Products (X12 820):

• A transaction set which can be used to make a premium payment for insurance
products. It can be used to order a financial institution to make a payment
to a payee.
EDI Health Care Eligibility/Benefit Inquiry (X12 270):
Used to inquire about the health care benefits and eligibility associated with a
subscriber or dependent.

EDI Health Care Eligibility/Benefit Response (X12 271):

Used to respond to an inquiry about the health care benefits and eligibility
associated with a subscriber or dependent.

EDI Health Care Claim Status Request (X12 276):

This transaction set can be used by a provider, a recipient of health care products
or services, or their authorized agent to request the status of a health care claim.

EDI Health Care Claim Status Notification (X12 277):

• This transaction set can be used by a health care payer or its authorized agent
to notify a provider, recipient or authorized agent of the status of a health
care claim or encounter, or to request additional information from the provider
regarding a health care claim or encounter.
• It is not intended to replace the Health Care Claim Payment/Advice Transaction
Set (835) and therefore is not used for account payment posting.
EDI Health Care Service Review Information (X12 278)

• This transaction set can be used to transmit health care service information,
such as subscriber, patient, demographic, diagnosis or treatment data, for the
purpose of requesting a review, certification or notification, or reporting the
outcome of a health care services review.

EDI Functional Acknowledgement Transaction Set (X12 997):

• This transaction set defines the control structures for a set of
acknowledgments.

• It indicates the results of the syntactical analysis of the electronically
encoded documents.

• Although it is not specifically named in the HIPAA legislation or Final Rule,
it is necessary for transaction set processing.

• The encoded documents are the transaction sets, grouped into functional
groups, used in defining transactions for business data interchange. This
standard does not cover the semantic meaning of the information encoded in
the transaction sets.
Privacy Rule
Compliance date: April 14, 2003 (with a one-year extension for small health plans).

• What does it regulate?

Regulates the use and disclosure of Protected Health Information (PHI) held by
covered entities.

• HHS extended the Privacy Rule to independent contractors that qualify as
business associates.

• PHI is any information held by a covered entity which concerns health status,
provision of health care, or payment for health care and that can be linked to
an individual.
Privacy Rule Contd….
• This includes the patient's medical history and payment history.

• Covered entities must provide individuals access to their own PHI within 30
days of a request.

• A covered entity may use or disclose PHI to facilitate treatment, payment, or
health care operations without the patient's express written authorization.

Privacy Rule Contd….
• Most other disclosures of PHI require the covered entity to obtain written
authorization from the individual (the rule lists a limited set of further
permitted disclosures, such as those required by law).

• When PHI is used or disclosed, only the minimum necessary information should be
divulged.

• Confers on individuals the right to have a covered entity correct inaccurate PHI.

Privacy Rule Contd….
• Requires that communications with individuals be kept confidential.
• Mandates that covered entities notify individuals of their uses of PHI (the
Notice of Privacy Practices).
• Covered entities must keep track of disclosures of PHI and document their
privacy policies and procedures.
• Must appoint a person to handle complaints and must train all members of the
workforce in handling PHI.
• Individuals may file a complaint if the Privacy Rule is not being upheld.

Security Rule
• The Final Rule on Security Standards was issued on February 20, 2003.

• It took effect on April 21, 2003, with a compliance date of April 21, 2005 for
most covered entities and April 21, 2006 for "small plans".

• Supports the Privacy Rule.

• The Security Rule deals specifically with electronic Protected Health
Information (ePHI).

Security Rule Contd….
• This rule lays out three categories of safeguards:

1. Administrative safeguards

2. Physical safeguards

3. Technical safeguards

Each category consists of standards whose implementation specifications are
either required or addressable.

• Required specification: must be implemented as dictated by the rule.

Security Rule Contd….
• Addressable specification: must be implemented if it is reasonable and
appropriate for the entity; if not, the entity must document why and implement an
equivalent alternative measure where reasonable. "Addressable" does not mean optional.

Administrative safeguards:
• Policies and procedures designed to clearly show how the entity will comply with
the act.

• Covered entities (entities that must comply with HIPAA requirements) must adopt
a written set of privacy procedures and designate a privacy officer responsible
for developing and implementing all required policies and procedures (the
Security Rule likewise requires a designated security official).

Administrative safeguard:
Contd…..

• Policies and procedures must reflect management oversight of the organization.

• Procedures must identify employees or classes of employees who have access to
ePHI, and must restrict access to those who need it to complete their job function.

• The procedures must address access authorization, establishment, modification
and termination.

• Entities must show that an appropriate ongoing training program on the handling
of PHI is provided to employees performing health plan administrative functions.
Administrative safeguard:
Contd…..

• Covered entities that outsource some of their business processes to a third
party must ensure that their vendors also have a framework in place to comply
with HIPAA requirements.

• Companies typically gain this assurance through clauses in the contracts (the
business associate agreement) stating that the vendor will meet the same data
protection requirements that apply to the covered entity.

Administrative safeguard:
Contd…..
• A contingency plan must exist.

• A proper data backup plan must be in place.

• Policies and procedures should specifically document the scope, frequency and
procedures of audits. Audits should be both routine and event-based.

• Procedures must be present explaining the steps to be carried out in the event
of a security breach.

Physical Safeguards
• Controlling physical access to protect against inappropriate access to protected
data.

• Controls must govern the introduction and removal of hardware and software
from the network. (When equipment is retired it must be disposed of properly,
with storage media sanitized, to ensure that PHI is not compromised.)

• Access to equipment containing health information should be carefully controlled
and monitored.

Physical Safeguards Contd….
• Access to hardware and software must be limited to properly authorized
individuals.

• Required access controls consist of facility security plans, maintenance
records, and visitor sign-in and escorts.

• Policies are required to address proper workstation use. Workstations
should be removed from high-traffic areas and monitor screens should not
be in direct view of the public.

• If covered entities utilize contractors or agents, they too must be fully
trained on their physical access responsibilities.
Technical Safeguards

• Information systems housing ePHI must be protected from intrusion. When
information flows over open networks, some form of encryption must be used. If
closed systems/networks are used, existing access controls may be considered
sufficient and encryption is optional; because encryption is an addressable
specification, a decision not to encrypt must be justified and documented in
the risk analysis.

• Each covered entity is responsible for ensuring that the data within its
systems has not been changed or erased in an unauthorized manner.

Technical Safeguards
Contd…..

• Data validation, including the use of checksums, double-keying, message
authentication codes, and digital signatures, may be used to ensure data integrity.

• Authentication of the entities with which covered entities communicate is
required.

• Documentation of HIPAA practices must be made available to the government to
determine compliance.
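The integrity mechanisms listed above defend against different things, and the difference decides which one satisfies the "not changed or erased in an unauthorized manner" requirement. The following added example (not part of the original slides) shows it with Python's standard library: an unkeyed SHA-256 checksum detects accidental corruption, but anyone who can rewrite a record can also recompute the checksum, so only a keyed message authentication code (HMAC, with the key held outside the record store) detects deliberate tampering. A digital signature gives the same property with an asymmetric key and is not shown here. The patient record, its field names and the key handling are constructed for illustration.

```python
"""Checksum vs. keyed MAC for ePHI record integrity (added example).

The record below is a constructed sample with assumed field names, not real PHI.
"""
import hashlib
import hmac
import json
import os


def canonical(record: dict) -> bytes:
    """Serialize deterministically so identical content always hashes the same.

    sort_keys makes field order irrelevant; compact separators remove
    whitespace differences between producers.
    """
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def checksum(record: dict) -> str:
    """Unkeyed SHA-256 digest: detects accidental corruption only."""
    return hashlib.sha256(canonical(record)).hexdigest()


def checksum_ok(record: dict, digest: str) -> bool:
    return hmac.compare_digest(checksum(record), digest)


def mac(record: dict, key: bytes) -> str:
    """HMAC-SHA256 tag: producing it requires the key, which the record store never holds."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def mac_ok(record: dict, key: bytes, tag: str) -> bool:
    # compare_digest runs in constant time, so a forger learns nothing from timing.
    return hmac.compare_digest(mac(record, key), tag)


# Constructed sample record (assumed field names; not a real patient or prescriber).
SAMPLE_RECORD = {
    "patient_id": "P-000123",
    "medication": "warfarin",
    "dose_mg": 5,
    "prescriber_npi": "1234567893",
}


def store(record: dict, key: bytes) -> dict:
    """What the record store persists: the record plus both integrity values."""
    return {"record": record, "sha256": checksum(record), "hmac": mac(record, key)}


def tamper(row: dict) -> dict:
    """Simulate an attacker with write access to the store but without the MAC key.

    They change a clinical value and recompute the unkeyed checksum, so a
    checksum-only verifier sees nothing wrong. The stored HMAC tag is left as is
    because they cannot recompute it.
    """
    forged = dict(row["record"], dose_mg=50)
    return {"record": forged, "sha256": checksum(forged), "hmac": row["hmac"]}


def verify(row: dict, key: bytes) -> tuple:
    """Return (checksum_passes, mac_passes) for a stored row."""
    return (checksum_ok(row["record"], row["sha256"]),
            mac_ok(row["record"], key, row["hmac"]))


def demo() -> tuple:
    """Tampered record: checksum still passes, HMAC fails, i.e. (True, False)."""
    key = os.urandom(32)      # in production: fetched from a KMS/HSM, never stored beside the data
    row = store(SAMPLE_RECORD, key)
    assert verify(row, key) == (True, True)
    return verify(tamper(row), key)


if __name__ == "__main__":
    print("after tampering (checksum_ok, mac_ok):", demo())
```

The same split applies to "double-keying": re-entering data twice catches keying mistakes, not a later deliberate edit. Whichever mechanism is chosen, the verification key (or signature-verification certificate) must be protected by the access controls that the record store itself is not trusted to enforce.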

Technical Safeguards
Contd…..

• Information technology documentation should include a written record of all
configuration settings on the components of the network, because these
components are complex, configurable, and always changing.

• Documented risk analysis and risk management programs are required.

Technical Safeguards
Contd…..

• Covered entities must carefully consider the risks of their operations as they
implement systems to comply with the act. (The requirement of risk analysis and
risk management implies that the act's security requirements are a minimum
standard and places responsibility on covered entities to take all reasonable
precautions necessary to prevent PHI from being used for non-health purposes.)
