HIPAA Administration Simplification (part 2)
by A. Maureen Hanna

In last month's issue we provided an overview of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, specifically the section of that Act referred to as Administrative Simplification. As of the writing of this article, many of the details of the Act have not yet been released. However, the information below should provide providers with a summary of some of the rules and considerations they will need to keep in mind as the Act is implemented over the next year.

National Provider Identifier (NPI) - There are three categories of providers who will be issued identifier numbers. They are:

An Individual - A human being licensed, certified or otherwise authorized to perform medical services or provide medical care, equipment or supplies in the normal course of business (e.g. physicians, nurses, dentists, pharmacists, and physical therapists).

An organization - An entity, other than an individual, that is licensed, certified or otherwise authorized to provide medical care, equipment or supplies in the normal course of business (e.g. hospitals, laboratories, ambulance companies, HMOs, and pharmacies). The licensure, certification, or other recognition is granted to the organization itself. Each separate location of an organization, each member of an organization chain, and each subpart of an organization that needs to be identified would receive its own NPI.

A Group - An entity composed of one or more individuals, generally created to provide coverage of patients in terms of office hours, professional backup and support, or ranges of services resulting in specific billing or payment arrangements.

Providers would apply for an eight-position alphanumeric identifier that they would use whenever processing claims electronically. The eighth position would be a numeric check digit, which helps identify erroneous or invalid NPIs. Numeric-only identifiers would be issued first; alphabetic characters would be introduced later, starting with the first position of the NPI. The format would allow for approximately 20 billion unique identifiers.
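The article does not say which check-digit algorithm the proposed eight-position NPI would use. The following is an added example, not code from the article or from HHS: it assumes the mod-10 (Luhn) scheme, which is the algorithm the NPI format eventually adopted, applies it to a numeric seven-digit body plus one check digit as the article describes, and then measures which transcription errors the check digit actually catches. The identifier bodies are constructed for illustration and are not real NPIs. The same routine works for numeric identifiers of any length, including the 19-digit layout mentioned later in the article.

```python
# Added example: check-digit arithmetic for a numeric NPI of the proposed
# 8-position form (7 assigned digits + 1 check digit). The article does not
# name the algorithm; the Luhn mod-10 scheme used here is an assumption.
from __future__ import annotations

from itertools import product


def luhn_check_digit(body: str) -> str:
    """Return the mod-10 (Luhn) check digit for a string of decimal digits."""
    if not body.isdigit():
        raise ValueError("check digit is defined for decimal digits only")
    total = 0
    # Walk from the digit nearest the check position: it is doubled, the next
    # is taken as-is, and so on. Doubled values above 9 have 9 subtracted.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def make_npi(body: str) -> str:
    """Append the check digit to a 7-digit assigned body (hypothetical NPI)."""
    if len(body) != 7 or not body.isdigit():
        raise ValueError("body must be exactly 7 decimal digits")
    return body + luhn_check_digit(body)


def is_valid_npi(npi: str) -> bool:
    """True if npi is 8 decimal digits whose last digit is the correct check."""
    return (len(npi) == 8 and npi.isdigit()
            and luhn_check_digit(npi[:-1]) == npi[-1])


def single_digit_errors_detected(npi: str) -> tuple[int, int]:
    """Corrupt one position at a time; return (rejected, attempted)."""
    attempted = detected = 0
    for pos, wrong in product(range(len(npi)), "0123456789"):
        if wrong == npi[pos]:
            continue
        attempted += 1
        corrupted = npi[:pos] + wrong + npi[pos + 1:]
        if not is_valid_npi(corrupted):
            detected += 1
    return detected, attempted


def transposition_errors_detected(npi: str) -> tuple[int, int]:
    """Swap each adjacent pair of differing digits; return (rejected, attempted)."""
    attempted = detected = 0
    for pos in range(len(npi) - 1):
        if npi[pos] == npi[pos + 1]:
            continue
        attempted += 1
        swapped = npi[:pos] + npi[pos + 1] + npi[pos] + npi[pos + 2:]
        if not is_valid_npi(swapped):
            detected += 1
    return detected, attempted


if __name__ == "__main__":
    # Constructed sample bodies, not real identifiers.
    for body in ("1234567", "0912345"):
        npi = make_npi(body)
        print(npi, is_valid_npi(npi),
              single_digit_errors_detected(npi),
              transposition_errors_detected(npi))
```

Every single-digit substitution is rejected, and so is every adjacent transposition except one: the second constructed body shows that swapping an adjacent 0 and 9 leaves a mod-10 check digit unchanged. A check digit is therefore a cheap front-end filter for keying errors, not a substitute for verifying the identifier against the enumerator's registry.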

Providers would apply for the identifier only once and would keep it when they move from one state to another or change specialties. Data integrity would be protected on three levels: error prevention, ongoing monitoring, and active auditing. The unique identifiers are expected to allow rapid and accurate identification of the proper records and their integration for the purpose of providing high-quality, patient-focused care, and to facilitate:

Ordering tests and reporting their results.
Posting results, diagnoses, procedures, and observations to patient charts.
Updating, maintaining, and retrieving medical records.
Integrating information across various internal information systems.

For highly sensitive information (e.g. mental health diagnosis or treatment, HIV antibody tests, or genetic tests) it would be critical to protect against inadvertent disclosure. HHS is proceeding cautiously in fulfilling its statutory responsibility in this area. Controversy has focused on privacy concerns, specifically on which of the following should serve as the unique health identifier:

The Social Security Number (SSN).
A biometric identifier (e.g. fingerprints, retinal pattern analysis, iris scan, voice pattern identification, or DNA analysis).
Personal immutable properties (a 19-digit number composed of a seven-digit date of birth, a six-digit geographic code, a five-digit sequence number, and one check digit).

There is also a need for a temporary patient identifier when the universal health identifier is not available (e.g. the patient is unconscious, care is provided to a child when no informed adult is present, or a language barrier exists). A unique health identifier should be available at birth.

Standard Electronic Formats

All health plans (e.g. Medicare, Medicaid, and private plans) would be required to accept these standard electronic claims. The new formats also include standards for reporting diagnoses (e.g. ICD-9-CM) and procedures (e.g. HCPCS) in the transactions.

National Identification Numbers for Health Care Plans

All health insurance plans would be issued numbers for tracking purposes. These would likely be similar to the group numbers issued today, along with a base number identifying the plan (e.g. Blue Cross).

National Standard Employer Identification Number (EIN)

These are currently issued and maintained by the IRS.

Security Rules to Protect the Confidentiality of, and Access to, Patient Health Records

Standards will be designed to protect all electronic health information from improper access or alteration, and to protect against loss of records.

The Secretary's recommendations for Federal privacy legislation would authorize the use of individually identifiable health information without direct consent for:

Health care and payment.
Health oversight (e.g. law enforcement, government agencies investigating or paying for health care, professional licensure and discipline systems, regulators such as insurance commissioners, accreditation and quality review bodies).
Public health, including public health surveillance.
Health research, under certain limited conditions.
Emergency purposes.
Health data collection by state agencies.

All health plans, health care providers, and health care clearinghouses that maintain or transmit health information electronically will be required to establish and maintain reasonable and appropriate safeguards to ensure the integrity and confidentiality of the information. All firms that transmit or maintain such information will need to develop:

A security plan.
Training for employees.
Secured physical access to records (e.g. where backup diskettes are stored, the location of any backup personal system, remote hot-site operations, and secure off-site storage of electronic media).

Authorizations to release information would be required to specify:

The information to be disclosed.
Who would receive the information.
When the authorization would expire.
Whether the authorization is sought so that the covered entity may sell or barter the information; if so, the covered entity would have to disclose this fact on the authorization form.

Each entity must assess the potential risks and vulnerabilities to the individual health data in its possession, and must develop, implement and maintain appropriate security measures. These measures must be documented and kept current. The recommended policies and practices were:

Security and confidentiality policies.
Chain of trust partner agreements.
Procedures for routine and non-routine receipt, manipulation, storage, dissemination, transmission, and/or disposal of health information.
An information security officer.

Education and training programs would cover the vulnerabilities of the health information in the entity's possession, the procedures that must be followed, virus protection, password management, personnel security, and termination procedures. The specific safeguards are:

Access controls (e.g. formal, documented policies and procedures for granting different levels of access).
Audit trails (e.g. an ongoing internal audit process covering logins, file accesses, and security incidents).
Physical security and disaster recovery, including periodic backup of data, critical facilities for continuing operations, a disaster recovery procedure, testing and revision procedures, security configuration management, security incident procedures, and a security management process.
Protection of remote access points.
Protection of external electronic communications.
Software discipline.
Systems assessment (e.g. evaluation of computer system and network design).

The proposal also includes an electronic signature standard, which specifies that a cryptographic digital signature be used whenever an electronic signature is required for one of the standard transactions specified in the law.

Individuals would have the right to:

Receive a written notice of information practices from health plans and providers.
Obtain access to protected information about them, including a right to inspect and obtain a copy of the information.
Request amendment or correction of protected health information that is inaccurate or incomplete.
Receive an accounting of the instances where protected health information about them has been disclosed by an entity for purposes other than treatment, payment, or health care operations (subject to certain time-limited exceptions for disclosures to law enforcement and oversight agencies).

P.O. Box 19659, Fountain Hills, AZ 85269. Phone: 480-837-3229