
Getting A Handle on HIPAA

Jeanette C. Schreiber, J.D.
Wiggin & Dana, LLP

OVERVIEW OF HIPAA

  • Health Insurance Portability and Accountability Act of 1996, Public Law No. 104-191, 42 U.S.C. §§1320d-2 et seq.
  • "Administrative Simplification" provisions

BACKGROUND LEADING TO HIPAA

  • Evolving technology, moving from paper to electronic communication
  • Need for uniformity in coding and transmitting data
  • New uses for personal health information

    • analyze cost and quality
    • clinical uses
    • marketing
  • Heightened public concern for privacy, security

PURPOSE OF HIPAA

  • Standardized coding, billing, electronic transactions
  • Protect privacy and security of health information

ELEMENTS OF HIPAA STATUTE: INSTRUCTIONS TO HHS

  • Standards to enable electronic interchange
  • Standards for unique health identifiers (individual, employer, health plan, health care providers)
  • Standards for code sets
  • Security standards
  • Standards for electronic signatures
  • Standards for transfer of information among health plans
  • Privacy standards

HIPAA TIMETABLE

  • Final standards for electronic transactions
    • Effective 10/16/00
    • Final compliance by 10/16/02
  • Privacy regulations
    • Effective 04/14/01
    • Final compliance by 4/14/03
  • Security regulations
    • Proposed 08/12/98
    • Not yet final

WHO IS COVERED BY HIPAA?

Covered entities:

  • Health plans
  • Health care clearinghouses
  • Health care providers that transmit information in electronic form

Indirect coverage:

  • Business associates

WHERE WILL HIPAA AFFECT PHYSICIANS?

  • Private physician office - individual and group practice
  • Member of medical staff in hospital /health care facility/health system
  • Employee of health care facility or health plan
  • Medical director for nursing home or home health agency
  • Member of IPA or PHO

IMPACT OF HIPAA

  • More than Y2K
  • Requirements will be ongoing
  • Industry-wide culture change

ELECTRONIC TRANSACTIONS AND CODE SETS REGULATIONS

  • Adopts standards for eight electronic transactions and for code sets to be used in those transactions
  • Electronic Standard Transactions:

    • Healthcare claim or encounter
    • Claim payment and remittance advice
    • Healthcare claim status
    • Coordination of benefits
    • Eligibility for a health plan
    • Referral certification and authorization
    • Enrollment & disenrollment in a health plan
    • Premium payments
  • Future Electronic Standard Transactions (to be addressed in future regulations)
    • First report of injury
    • Healthcare claims attachment
  • Five medical codes standards to be used initially under HIPAA

    • International Classification of Diseases, 9th Edition, Clinical Modification (ICD-9-CM)
    • Current Procedural Terminology, 4th Edition (CPT-4)
    • Health Care Financing Administration Common Procedure Coding System (HCPCS)
    • Code on Dental Procedures and Nomenclature, 2nd Edition (CDT-2)
    • National Drug Codes (NDC)
  • For each transaction specifies format, data elements, data content
  • Uses industry consensus-based standards wherever possible
  • ANSI - American National Standards Institute
  • ASC X-12 Insurance Subcommittee
  • WEDI/SNIP www.wedi.org/snip
  • Covered entities must comply with standards, implementation guides
  • HIPAA Implementation Guide by X12N Insurance Subcommittee available at http://www.wpc-edi.com/hipaa
  • Payers must accept claims presented in standard format
  • Medicare testing capability by late 2001?
WHAT IMPLEMENTATION STEPS SHOULD PHYSICIANS TAKE?

  • Identify covered transactions
  • Contact your software vendors
  • Assess need for software conversions or upgrades
  • Review data collection practices to ensure all required elements are collected
  • Plan for synchronized testing
  • Review agreements with "trading partners"

PROPOSED SECURITY REGULATIONS

  • Proposed August 12, 1998
  • General security measures including administrative, technical and physical safeguards
  • "Scalable"
  • Technology neutral
  • Apply to all individually identifiable health information that is electronically maintained or transmitted
  • Each covered entity must assess potential risks and vulnerabilities to individual health data and develop, implement and maintain appropriate security measures

PROPOSED SECURITY REGULATIONS

Categories of Standards

  • Administrative procedures
  • Physical safeguards
  • Technical security services
  • Technical security mechanisms

PROPOSED SECURITY REGULATIONS

Administrative Procedures

  • Certification of system security
  • "Chain of Trust partner agreements"
  • Contingency plan
  • Formal, documented policies and procedures for processing records, access control, internal audits, personnel security, security system management, incidents, risk analysis and management, access termination, training

PROPOSED SECURITY REGULATIONS

Physical Safeguards

  • Use of locks, keys and administrative measures to control access to computers and facilities
  • Control of possession and access to hardware, software, data
  • Disaster recovery, emergency mode
  • Workstation use and security
  • Security awareness training for all employees, agents and contractors based on jobs

PROPOSED SECURITY REGULATIONS

Technical Security Services and Mechanisms

  • Requirements to protect and control access to data/information
  • Mechanism/process to guard against unauthorized access to data transmitted over a communications network

PROPOSED SECURITY REGULATIONS

  • What are the practical implications for physicians?

FINAL PRIVACY REGULATIONS

  • Issued December 28, 2000
  • Accepted by Bush Administration

PRIVACY REGULATIONS

Office for Civil Rights Guidance

  • HHS has delegated oversight and enforcement of the Privacy Rule to the Office for Civil Rights ("OCR")
  • Guidance issued by OCR on July 6, 2001
  • Clarifies variety of issues raised in comments and in questions submitted to OCR
  • HHS has promised further guidance and modifications to the Privacy Rule to address "unintended" problems with the Rule

PRIVACY REGULATIONS

  • What is Protected Health Information?

    • Includes all individually identifiable health information transmitted or maintained by a covered entity, whether electronic, paper or oral.
  • What information will physicians need to protect?

    • Patients’ medical records
    • Health reimbursement claims
    • Appointment reminders - phone messages and postcard mailings
    • Patient information - in-office and telephone discussions
    • Office registration information
    • Faxing patient information
  • Is HIPAA really any different than current practice?

    • Patient confidentiality has always been a basic component of the practice of medicine
    • HIPAA introduces new concepts and required practices
    • Will require some changes in office practices and staff education
    • Will require revisions of policies and procedures and new HIPAA compliant forms, policies and procedures

PRIVACY REGULATIONS

Use and Disclosure

  • "Use" versus "Disclosure"
  • New policies and procedures concerning how patient health information is disclosed and used
  • "Minimum necessary" requirements

PRIVACY REGULATIONS

Consent and Authorization

  • "Consent" required for "treatment, payment or health care operations"
  • "Authorization" required for most other uses and disclosures (including release of psychotherapy notes)
  • Opportunity to "Agree" or "Object"

Some uses and disclosures permitted without consent or authorization. Examples include:

  • Public health and welfare
  • Health oversight
  • Required by law
  • Judicial and administrative proceedings
  • Law enforcement purposes

PRIVACY REGULATIONS

  • What are some practical implications for physicians?

    • Development and implementation of "consent" and "authorization" forms
    • Documentation of "opportunity to agree or object"
    • New office policies and procedures addressing use and disclosure

PRIVACY REGULATIONS

Business Associate Requirements

  • HIPAA obligations extend to contractors performing functions for providers using protected health information (such as billing, data processing, consulting)
  • Written contract specifications
  • Responsibilities concerning acts of business associates
  • What are the practical implications for physicians?

    • Identify business associates
    • Develop or amend contracts
    • Ongoing review of business associates’ activities

PRIVACY REGULATIONS

Individual Rights

Right to:

  • Notice of information use and disclosure practices
  • Request restrictions on use and disclosure of PHI
  • Access to own PHI and to make copies
  • Obtain accounting of disclosures
  • Request amendments

PRIVACY REGULATIONS

Administrative Requirements

  • Designate a privacy official
  • Training for all employees, volunteers, trainees
  • Implement complaint process
  • Develop and enforce internal sanctions for noncompliance
  • Required policies and procedures

PRIVACY REGULATIONS

Clinical Research

  • Distinguish research from health care operations
  • No restrictions if use "de-identified" information
  • Special authorization required for most clinical trials
  • Permitted without authorization if:

    • IRB or Privacy Board Approval
    • Review preparatory to research
    • Research on protected health information of decedents
  • How will HIPAA affect physician participation in clinical research studies?

PRIVACY REGULATIONS

Marketing

  • Generally, uses and disclosures for marketing require an authorization
  • Very limited exceptions allow some use of protected information for marketing: face-to-face communications, promotional gifts of nominal value, and certain communications about health-related products or services
  • For the health-related products/services exception, solicitations must -

    • identify the physician as the party making the communication;
    • prominently state if the physician will receive direct or indirect remuneration for making the communication; and
    • explain how to opt out of future communications

If marketing targets a patient based on the patient’s health condition, the provider must also:

  • make a determination that the marketed product/service may be beneficial to the health of the type of patient targeted; and
  • explain in the communication why the patient has been targeted and how the product/service relates to the patient’s health.

PRIVACY REGULATIONS

Marketing

  • How will physicians be affected?
  • Be cautious of any arrangement involving use of patient’s identity or health information for marketing

PRIVACY REGULATIONS

Health Care Systems and Other Affiliated Entities/OHCAs (Organized Health Care Arrangements)

  • Affiliated entities may designate themselves as a single covered entity.
  • Benefits include using a single shared notice of information practices and consents and consolidating certain other functions.
  • OHCAs: separate covered entities in a clinically integrated setting (e.g. medical staff) may combine notices and consents.

PRIVACY REGULATIONS

Oversight and Enforcement

  • Role of Office for Civil Rights
  • Civil

    • HHS vows assistance and cooperation through OCR
    • Office for Civil Rights investigation of complaints
  • Criminal

    • FBI? Office of Inspector General?
    • Department of Justice
  • Civil Lawsuits?

PENALTIES FOR NONCOMPLIANCE

  • Civil penalties -- for violation of standards

    • Fines up to $100 per violation, $25,000 annual cap for violations of an identical requirement
    • Avoided if failure due to reasonable cause (not willful neglect) and corrected within 30 days
  • Criminal penalties -- for wrongful use or disclosure

    • Up to $50,000 fines, 1 year imprisonment
    • If committed under false pretenses, up to $100,000 fines, 5 years imprisonment
    • If for commercial advantage, personal gain or malicious harm, up to $250,000 fines, 10 years imprisonment

IMPACT ON STATE LAW

  • Generally HIPAA supersedes contrary state law
  • HIPAA privacy requirements do not preempt "more stringent" state requirements
  • In many states more stringent mental health, HIV/AIDS and substance abuse protections will continue to apply.
  • Need for detailed analysis of state confidentiality law

GETTING READY: STEPS TOWARD IMPLEMENTATION

  • You now have 13 months to implement the HIPAA transaction and code set standards
  • You have 19 months to implement the privacy standards
  • Move forward with very basic security implementation in conjunction with privacy; not certain when final security rule will be issued
  • You should start now

Getting Ready for HIPAA

  • Designate someone to lead your HIPAA efforts
  • Gather HIPAA resources
  • Check in with your state and/or national associations for assistance
  • Gap Analysis (Inventory and Assessment of HIPAA Readiness)

    • Inventory existing systems, policies, procedures and processes
    • Inventory software capabilities and security measures
    • Inventory contractual arrangements in light of business associate and "chain of trust" agreement requirements
  • Develop work plan and timeline for implementation
  • Develop budget
  • Pool resources where appropriate

LINKS TO HIPAA RESOURCES