Health Insurance Portability and Accountability Act of 1996

This Site was updated on: May 18, 2007
What Is HIPAA?
HIPAA seeks to guarantee the privacy of consumers’ health information, heighten the overall security of that information, and simplify the health care system by streamlining and standardizing certain practices. The SCDMH HIPAA Site serves as a resource for HIPAA and is not intended to be the single location for all your HIPAA-related needs. You are encouraged to seek out other resources, including the additional web sites and resources identified on this Site.
JOIN THE SCDMH HIPAA LISTSERVE
The SCDMH HIPAA Listserve serves as a conduit for communicating HIPAA news, questions, and issues throughout the SCDMH system. To join the Listserve, send an e-mail to hipaa-request@r2.scdmh.
Write "subscribe" in the message portion of the email.
HIPAA Listserve Instructions
SCDMH HIPAA TRAINING
All SCDMH staff are required to complete HIPAA Privacy and Security Training. At a minimum, staff are required to complete the following Pathlore training modules: “HIPAA Training for Members of the SCDMH Workforce Module I” and “HIPAA Security.” Additional training modules are available and may be optional or required, depending on the needs and requirements of the employee’s job. The SCDMH Workforce HIPAA Privacy Training is available online, and all staff are required to successfully complete it.
New employees must complete the HIPAA Computerized Learning Module I: HIPAA Training for Members of the SCDMH Workforce within 30 days of their date of hire. See Memo: HIPAA Privacy Training for New Hires in Centers and Facilities.
YOUR SCDMH STATE OFFICE CONTACT
If you have any questions about HIPAA, you can call Keith Randolph, State HIPAA Coordinator, at (803) 898-8362 or e-mail him at DKR82@scdmh.org. Also, contact him if you have some HIPAA news that you think others should know about. For specific CO Admin contacts who are responsible for particular HIPAA areas, click on the Planning and Implementation section of this Site.
GETTING STARTED (HIPAA)
"SCDMH Road Map to HIPAA Compliance," a general planning document
Who Must Comply With HIPAA?
"Covered entities," as designated in the standards, include medical and health service providers, health plans, and health care clearinghouses. Therefore, the HIPAA standards apply to almost all health care industry entities, including Medicaid, Medicare, and other governmental health care programs, Health Maintenance Organizations and group health plans, and the South Carolina Department of Mental Health and other South Carolina health services agencies. Only certain small (fewer than 50 employees) self-administered health plans are exempt.
HIPAA does not apply directly to vendors, schools, suppliers, banks, or other non-health care providers. However, under the privacy and security regulations, these entities will have business obligations to enter into chain of trust agreements to protect the integrity and confidentiality of the identifiable health care information they exchange.
When Must Covered Entities Comply With HIPAA?
Large and mid-sized covered entities, including SCDMH, Medicaid, and Medicare, must comply with HIPAA within 24 months from the effective date of the final rules. Small payment plans (those with less than $5 million in revenue) have 36 months. Final rules are effective 60 days after publication of the final rule in the Federal Register.
The HIPAA regulations actually comprise a series of regulations that are in different stages of development and final publication by the U.S. Department of Health and Human Services. Because the regulations are released in a staggered fashion, covered entities must be in compliance with the respective standards at different times, depending on the date of publication of each standard's Final Rule in the Federal Register. Nevertheless, the regulations are interdependent within the systems and operations of covered entities, and none of the provisions should be assessed or implemented in a vacuum. Refer to Compliance Time Frames for the compliance deadlines for the specific HIPAA standards.
What Are The Penalties for Failure to Comply?
One goal of HIPAA is to prevent health care fraud and abuse, and there are serious penalties, both civil and criminal, for failure to comply. Penalties include $100 per violation, with a $25,000 maximum fine for all violations of a single requirement. For wrongful disclosure, the penalty is $50,000 and/or imprisonment for < 1 year; $100,000 and/or imprisonment for < 5 years if committed under false pretenses; or $250,000 and/or imprisonment for < 10 years if there is intent to sell the information.
What Do Centers and Facilities Need to Do?
Centers and Facilities are responsible for ensuring that they meet HIPAA requirements, in consultation and with technical assistance from Central Office Administration.
- Ensure that your staff are knowledgeable about HIPAA.
- Identify staff who will take a lead role in your HIPAA planning and compliance efforts. Depending on the HIPAA regulations, staff may need specific expertise as the new regulations and associated issues evolve.
- Ensure that management staff are attuned to HIPAA and its implications for your business and clinical activities.
- Complete a compliance assessment and a gap analysis to identify areas where you will not meet requirements. As you complete your assessments, consider whether there will be a “statewide response” to any areas where you do not currently comply with HIPAA. For example, SCDMH has a single Notice of Privacy Practices and Privacy Directive. You might determine that, in order to address a particular area within your Center/Facility, you need additional policies, procedures, or practices to ensure that you will be in compliance with HIPAA.
- Coordinate your compliance plans with Central Office Administration compliance activities. Don’t reinvent the wheel! If there will be a single, statewide response, don’t create your own unless you believe that the statewide response will not enable you to be in compliance with HIPAA.
- Implement your compliance plans.
COMPLIANCE TIME FRAMES
The following are the deadlines for compliance with each HIPAA standard. Deadlines apply to SCDMH and other large and mid-sized covered entities. Small payment plans have an additional 12 months to comply with the respective ruling. Additional regulations surrounding the major standards are also expected, such as the issuance of enforcement regulations and further regulations for privacy.
| STANDARD | EXPECTED REGS | PROPOSED REGS | FINAL REGS | COMPLIANCE |
|---|---|---|---|---|
| Transactions | | | ** AUG 2000 | * OCT 2002 |
| Privacy | | | ** DEC 2000 | APR 2003 |
| Security | | | FEB 2003 | APR 2005 |
| Claims | YES | ? | ? | ? |
| Identifiers: | | | | |
| Provider | YES | MAY 1998 | JAN 2004 | *** MAY 2007 |
| Client | | | ? | ? |
| Health Plan | YES | ? | ? | ? |
| Employer | | | MAY 2002 | JULY 2004 |
* Through a request for an extension filed with the Centers for Medicare and Medicaid Services, SCDMH had until October 16, 2003 to comply with the HIPAA Transaction and Code Sets requirements.
** Modifications to the Transactions and Code Sets requirements were issued in Final Regulations published February 2003, effective March 2003, and with a compliance deadline October 2003.
*** SCDHHS implemented a Contingency Plan allowing provider legacy numbers until May 23, 2008 for Medicaid billing. See: Provider Identifiers.
HIPAA REGULATIONS AND ADMINISTRATIVE SIMPLIFICATION
Overview of HIPAA Administrative Simplification (SCDMH Slide Presentation to Key Management Personnel)
The administrative simplification part of HIPAA seeks to establish standards and requirements to enable the electronic exchange of certain health information, to protect security and assure privacy of transmitted information and to reduce administrative costs. The specific areas addressed by the administrative simplification standards are privacy, identifiers, electronic data interchange (sometimes also referred to as transactions and code sets) and security.
Privacy
July 11, 2002: "HIPAA Privacy Rule and DMH: Introduction, Assessment and Implementation Guide"
The underlying philosophy behind the HIPAA privacy regulations is that individually identifiable health information should be protected and easily accessible when it is appropriate to do so, but difficult to access when it is not appropriate to do so. The regulations consider access to be appropriate when the information is necessary for purposes of treatment, payment, and health care operations, or when required by law. The HIPAA privacy standards include 24 statements applicable to privacy. The following is a summary of those requirements:
Fair Health Information Practices - Individuals have the right to be informed of information practices, to access their health care information, to know who has accessed their health care information, and to request that the information be corrected when it is not correct.
Minimum Necessary - A health care provider, plan, or clearinghouse must make all reasonable efforts not to use or disclose more than the minimum amount of protected information that is necessary to accomplish the intended purpose(s).
Disclosure/Authorization Requirements - Permitted disclosures without authorization are those that are permitted by the standard (i.e., emergency treatment, members of the treatment team, inmates, treatment, payment and/or health care operations, disclosures required by law where consent cannot be obtained, and situations where barriers to consent exist and consent is inferred). Disclosure for other reasons requires authorization, including research unrelated to treatment and the use of psychotherapy notes by anyone other than their creator. Providers can condition treatment on receipt of consent, but not on authorization for non-treatment purposes.
De-Identification - When health care information is used outside the scope of the standard, individual identifiers must be removed.
Business Partners - A health care provider, plan, or clearinghouse must have satisfactory assurance from the business partner that it will appropriately safeguard the information.
Administrative Requirements - There must be a privacy officer and a contact person for complaints, privacy training, safeguards to ensure reasonable evidence of identity and authority, and sanctions for those who fail to comply with the privacy standards; covered entities also have a duty to mitigate any deleterious effect of a use or disclosure that violates the standards.
Documentation of compliance - Must demonstrate how the organization is complying.
Cooperation with compliance and enforcement procedures - Organizations must cooperate in the investigation of breaches of confidentiality.
SCDMH Notice of Privacy Practices
SCDMH Privacy Practices Directive
Identifiers
Employer: The HIPAA Employer Identifier standards require that health care providers adopt the Employer Identification Number as the standard unique identifier for employers in the filing and processing of health care claims and other transactions. SCDMH already uses the Employer Identification Number issued and maintained by the Internal Revenue Service and, therefore, Centers and Facilities are already in compliance with this HIPAA requirement.
The final regulations for the use of the National Employer Identifier were issued in the Federal Register on May 31, 2002 and became effective July 30, 2002. By July 2004, SCDMH and all other covered entities must use the Federal Employer Identification Number (EIN) when sending and/or receiving standardized HIPAA transactions (see Transactions Workgroup Report for additional information about those required transactions). The final regulations can be found in the Federal Register, Volume 67, Number 105 (May 31, 2002) and can be accessed online via the Government Printing Office Web site (www.gpo.gov).
Provider: The HIPAA National Provider Identifier (NPI) is the standard unique identifier for health care providers to use in filing and processing health care claims and other transactions. SCDMH must comply by May 23, 2007. The NPI will be issued through the National Provider System, under development by the Centers for Medicare and Medicaid Services.
The National Plan and Provider Enumeration System (NPPES) is the computer system that will be used to uniquely identify health care providers, assign them NPIs, update their information, and disseminate data to the industry. The Enumerator will carry out a number of functions, including, but not limited to, entering identifying information about a health care provider into the NPPES for those providers applying via paper applications; notifying such a provider of its NPI; and assisting providers with questions or problems, including those providers applying for NPIs via the Internet. The NPPES will edit the data, checking for consistency, formatting addresses, and validating Social Security Numbers. The NPPES will also search the database to determine whether the health care provider already has an NPI. The NPI will replace all "legacy" identifiers currently used. Each Center and Facility will receive notice of its NPI from SCDMH Central Office Administration.
Medicaid and the NPI: SCDHHS requires NPI by May 2007
- National Provider Identifier and the Application Process
- National Provider Identifier (NPI) Requirements for South Carolina Medicaid
Pharmacy Claims
SCDHHS NPI Contingency Plan Bulletins:
Health Plan: The health plan identifier is likely to be a 9-digit numeric identifier. Of the identifier standards, the least progress has been made by CMS toward issuance of the health plan identifier. The requirement for this identifier has not yet been published. SCDMH does not anticipate completing any compliance activities on this regulation until it is published.
Client Identifier: The individual client identifier standard will probably be the last identifier standard published, pending the promulgation and implementation of the other regulations.
Electronic Data Interchange
HIPAA requires the use of a standard format when health care information is transmitted between trading partners. These standards apply to transactions and code sets that are used in administrative and financial operations.
Transactions
The Electronic Data Interchange regulations affect the following transactions:
- Claims
- Payment and remittance advices
- Claim status and request and response
- Benefit enrollment and maintenance
- Eligibility benefit inquiry and response
- Payment order and remittance advice
- Request for services review and response
The new required claim formats will make available dozens of supporting co-medical and non-medical data elements that are embedded in the new claim formats.
Code Sets
HIPAA requires specific code sets to be used in all applicable transactions including:
- ICD-9-CM
- CPT-4
- Health Care Financing Administration Common Procedural Coding System
- Current Dental Terminology
Facilities and Centers that store, create, and/or transmit electronic transactions that do not process through Central Office Administration claims processing must ensure that they will be in compliance with the standardized transactions and code sets requirements for all applicable HIPAA-required transactions.
"HIPAA Transactions and Code Sets Rule and SCDMH: Inventory Planning" - a tool for assessing SCDMH compliance with the HIPAA Transactions and Code Sets Regulations.
Security
The HIPAA security standards contain 24 specific requirements which are grouped into four main categories:
- Administrative Procedures - formal practices to manage security and personnel. This includes training, procedures for terminating access to information, security management and incident procedures, personnel security and procedures and practices to ensure security of information systems, security audits, control of access to information, formal mechanisms for processing records including storage and disposal of records, chain of trust agreements for purposes of exchanging information between business partners, and an internal or external technical evaluation to determine system or network security compliance.
- Physical safeguards - protection of computer systems. This includes ensuring the security of workstations and implementing necessary physical access controls, including equipment control, visitor sign-in requirements, security awareness training, policies and procedures for controlling the exchange of information via faxes, printout management (e.g., secure trash bins), and the assignment of a security officer or other person who is responsible for the management and supervision of security measures and the conduct of personnel regarding the protection of confidential information.
- Technical Security Services - safeguards to control and monitor the integrity, confidentiality, and availability of data stored in a system. This includes such services as the capability to authenticate and identify authorized users and to deny access to unauthorized entities, and a procedure for emergency access to information.
- Technical Security Mechanisms - safeguards to control against the unauthorized access of data-in-transit. This includes mechanisms to inform or alarm a user entity that there is a system abnormality, a message authentication mechanism, and ensuring an audit trail for records access.
The above information about the HIPAA regulations is not an exhaustive description of the requirements. For additional information, you can go to the DHHS Web site at: http://aspe.os.dhhs.gov/admnsimp/
SCDMH Planning and Implementation
In general, planning and implementation for HIPAA will continue according to the following schedule of activities:
- Awareness - Organization-wide awareness of HIPAA and the issues applicable to the standards.
- Risk Assessment - Development of tool set(s) for self-assessment, an inventory of policies, procedures and systems, gap analysis, and cost analysis.
- Develop a Work Plan - Based on available resources and needs as determined by the Risk Assessment.
- Develop Testing and Validation Planning.
- Develop implementation process and procedures/operation verification.
SCDMH HIPAA Steering Committee Members:
- Mark Binkley, J.D., General Counsel, Office of General Counsel
- John Bourne, Director, Division of Financial Services
- Herbert Drucker, Director, Division of Information Technology
- George Johnson, Network Manager, Division of Information Technology
- Alan Powell, J.D., Assistant General Counsel, Office of General Counsel
- Keith Randolph, SCDMH HIPAA Coordinator, Committee Chair
- Jac Upfield, CBHS Chief of Operations
From a practical standpoint, HIPAA implementation is larger and more complex than activities required with Y2K. Whereas Y2K was a systems issue with a defining end and limited scope, HIPAA includes requirements imposed on administrative operations which impact many different areas from customer service to data storage. In addition, compliance with HIPAA will be a constantly evolving process and has no defined end.
SCDMH HIPAA Primary Contacts
Overall HIPAA Planning:
- Keith Randolph, HIPAA State Coordinator - (803) 898-8362
Transactions:
- Outpatient - Paulette Drafts, Division of Information Technology - (803) 935-5462
- Inpatient - Helen Koon, Division of Information Technology - (803) 898-8506
Code Sets:
- Keith Randolph, DOAS - (803) 898-8362
Privacy:
- Alan Powell, Legal Services - (803) 898-8556
Security:
- George Johnson, Division of Information Technology - (803) 935-5550
Identifiers:
- Outpatient - Paulette Drafts - (803) 935-5462
- Inpatient - Roberta Shultz - (803) 898-8523
- Pharmacy - contact local facility pharmacy
Training:
- Sandy Hyre, Education, Training and Research - (803) 898-1682
Research Projects and HIPAA:
- Ed Taylor - (803) 898-8623
ADDITIONAL HIPAA RESOURCES AND LINKS
Due to the extensive number of resources and links offered below and the ever-evolving HIPAA domain, this SCDMH HIPAA Intranet Site is unable to verify that each is current or, in some cases, that the information is accurate. In addition to the Public Domain sites listed, contact your State HIPAA Coordinator if you would like information about resources that are Copyright Protected and/or Premium Resources.
The following list of HIPAA links is not for distribution to organizations outside SC state agencies and is provided by Gov Connect, Inc.
- Association for Electronic Health Care Transactions (AFEHCT)
- American Health Information Management Association (AHIMA)
- Center for Healthcare Information (CHIM)
- Department of Health and Human Services HIPAA/administrative simplification web site
- HIMSS
- CMS HIPAA Home Page
- HIPAA Transaction Implementation Guides
- Washington Publishing Company ANSI ASC X12N HIPAA Implementation Guides
- Workgroup for Electronic Data Interchange (WEDI)

Public domain Web sites, no restrictions:
- South Carolina HIPAA Site
- Office of Civil Rights
- CMS
- X12 N (Organization)
- Southern HIPAA Regional Administrative Regional Process (SHARP) - a collaborative regional health care and provider focus group to facilitate southern regional readiness and compliance. SCDMH is represented on SHARP.
- HIPAA Gives

The following Public Domain sites offer Privacy information and tools:
Federal Government:
- DHHS
- Health and Human Services Office for Civil Rights
State Government:
- North Carolina Department of Health and Human Services
- Kansas
Private Corporations (Public Domain):
- Webman Associates

The following Public Domain sites offer Security information and tools:
Federal Government:
- DHHS – Office of the Assistant Secretary for Planning and Evaluation
State Government:
- North Carolina Department of Health and Human Services: http://dirm.state.nc.us/hipaa/newsite/focusgroup/operation/IFA.html and http://dirm.state.nc.us/hipaa/hipaa2002/security/security.html
- Kansas

The following Public Domain sites offer Transactions and Code Sets information and tools:
Federal Government:
- Centers for Medicare and Medicaid Services: http://www.cms.hhs.gov/hipaa/hipaa2/regulations/transactions/default.asp
- National Center for Health Statistics
State Governments:
- Minnesota Department of Human Services
- National Council for Prescription Drug Programs
- Mental Health Statistics Improvement Program

The following Public Domain sites offer Identifiers information and tools:
- CMS: http://www.cms.hhs.gov/hipaa/hipaa2/regulations/identifiers/default.asp