Administrative Simplification, Medical Liability Reforms, Prevention of Healthcare Abuse and Fraud
These rules apply to health insurance coverage that falls under the purview of HIPAA and HHS. The covered entities include health plans, healthcare clearinghouses such as medical billing service providers, and HIS (Health Information Systems) used for the interoperability of healthcare data regulated by HIPAA.
Based on the requirements of Title II, HHS has enacted five rules relating to Administrative Simplification, listed below:
a) Privacy Rule
b) Transactions and Code Sets Rule
c) Security Rule
d) Unique Identifiers Rule
e) Enforcement Rule
a) Privacy Rule
The Privacy Rule of HIPAA regulates the use and disclosure of certain confidential information held by "covered entities", which include employer-sponsored health plans, health insurers, healthcare clearinghouses and healthcare service providers. It establishes regulations for the use and disclosure of PHI (Protected Health Information), for which data confidentiality and data privacy are of utmost importance. PHI is healthcare data held by a covered entity concerning health status, healthcare diagnostics, treatment details or payment for healthcare that can be linked to an individual. It includes an individual's medical records and payment history for healthcare.
Under this Act, covered entities must disclose PHI to the individual within 30 days of a request. Disclosures of PHI that are required by law must be carried out, for example in cases of child sexual abuse, rape etc. A covered entity may disclose PHI to facilitate treatment, payment or healthcare operations, provided it has obtained the prerequisite permission from the concerned individual. However, only the minimum data necessary to serve the purpose must be disclosed or shared.
Under this Act, individuals have the right to request correction of any inaccuracies in their PHI, and covered entities must strictly maintain the confidentiality of their communications with individuals. For example, an individual can choose to disclose only his/her office number and keep the residence landline or mobile number confidential.
Under the Privacy Rule, covered entities must notify individuals about the uses of their PHI. Covered entities must track PHI disclosures and document their privacy policies and procedures. For this purpose, the appointment of a Privacy Official and a Grievances Officer to address complaints becomes imperative. Educating and training the workforce on PHI procedures is a customary requirement under the HIPAA Act.
If a healthcare service provider does not adhere to the Privacy Rule under the norms of the HIPAA Act, an individual may file a complaint with the Department of Health and Human Services Office for Civil Rights (OCR), USA.
b) Transactions and Code Sets Rule
Due to widespread confusion and difficulty in implementing the rule, full implementation of HIPAA could not be achieved and an open-ended "contingency period" was initiated. However, the Medicare contingency period ended on July 1, 2005. After July 1, 2005, it became mandatory for all healthcare service providers to file their claims electronically, adhering to HIPAA standards, in order to be eligible for reimbursement by the insurance companies. Medical professionals can also file electronic claims in a similar fashion, provided they fulfill the criteria and parameters specified under HIPAA.
The key EDI (X12) transactions used for HIPAA compliance are listed below:
i) EDI Retail Pharmacy Claim Transaction (NCPDP Telecommunications Standard version 5.1)
This transaction set is used for the submission of retail pharmacy billing claims to payers by healthcare professionals who dispense medications, either directly or via intermediate medical billing companies and claims clearinghouses. It can also be used to transmit claims for retail pharmacy services and medical billing payment information between payers with different payment options and responsibilities. It also supports coordination between payers and regulatory agencies in monitoring the rendering, billing, and/or payment of retail pharmacy services within the pharmacy health care/insurance industry segment.
ii) EDI Health Care Eligibility/Benefit Inquiry (270)
This transaction set is used to enquire about the healthcare benefits and eligibility parameters associated with a subscriber including their dependents.
iii) EDI Health Care Eligibility/Benefit Response (271)
This transaction set is used for responding to requests enquiring about healthcare benefits, eligibility criteria and exclusions associated with a policyholder including their dependents.
iv) EDI Health Care Claim Status Request (276)
This transaction set can be used by a healthcare service provider, recipient of healthcare products and services or by authorized agents for requesting the status of healthcare claims.
v) EDI Health Care Claim Status Notification (277)
This transaction set can be used by a healthcare payer, or by authorized agents on its behalf, to notify a service provider, recipient or authorized agent of the status of their healthcare claims. It can also be used to request additional information from the healthcare service provider regarding claims or encounters. This transaction set is not meant to replace the Healthcare Claim Payment/Advice Transaction Set (835) and hence is not used for account payment posting. Notifications are issued at a summary or service-line level and may be solicited or unsolicited.
vi) EDI Health Care Service Review Information (278)
This transaction set can be used for transmitting healthcare data such as subscriber, patient, demographic, diagnosis or treatment details. Such data is used, at the request of the client, for the purpose of review, certification, notification, and reporting the outcome of the review of healthcare products and services.
vii) EDI Payroll Deducted and other group Premium Payment for Insurance Products (820)
This transaction set is used to make premium payments for insurance products and services. It can also be used to instruct a financial institution to make a payment to a payee.
viii) EDI Benefit Enrollment and Maintenance Set (834)
This transaction set can be used by employers, company managers, unions, government agencies, associations or insurance agencies to enroll members with a payer. The payer is a healthcare organization that reimburses expenses pertaining to healthcare claims and administers insurance products and services. Payers include insurance organizations, Healthcare professionals (HMO), Preferred Provider Organizations (PPO), and governmental agencies such as Medicaid, Medicare etc.
ix) EDI Health Care Claim Payment/Advice Transaction Set (835)
This transaction set can be used to make a payment, to deliver an Explanation of Benefits (EOB) remittance advice, or to do both, from a health insurance company to a healthcare provider, either directly or via a third-party intermediary such as a financial institution.
x) EDI Health Care Claim Transaction set (837)
This transaction set is used for submitting healthcare billing claims, encounter information, or a combination of both. It does not cover pharmacy or medical bills raised by retail pharmacy stores. The transaction set can be sent from healthcare service providers to payers, either directly or via intermediaries such as billers and claims clearinghouses. It can also be used to transmit healthcare claims and billing payment information between payers with different payment responsibilities involved in the transaction process, and to coordinate payment for healthcare products and services. There are slight variations for particular claim types, such as those for Academic and Research Institutions, Medical and Healthcare Professionals, Alternative Medical Practitioners, Optometrists, Dentists etc.
xi) EDI Functional Acknowledgement Transaction Set (997)
This transaction set defines the control structures for a set of acknowledgments that indicate the results of the syntactical analysis of electronically encoded documents. It has not been incorporated in the HIPAA legislation or Final Rule, but it is required for X12 transaction set processing. The encoded documents are the transaction sets, which are grouped into functional groups and used in defining transactions for business data interchange. This standard does not cover the semantic meaning of the information encoded in the transaction sets.
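The syntactical analysis that a 997 reports can be illustrated with a small envelope checker. The following Python is an added example and not code from the original page or any X12 implementation; the 270 interchange it parses is constructed for illustration, and the sender, receiver, payer, clinic and member identifiers in it are made up. It derives the delimiters from the fixed-width ISA header, checks that the control numbers and segment counts in ISA/IEA, GS/GE and ST/SE agree, and builds the ST..SE body of a 997 (AK1, AK2, AK5, AK9) carrying the accept/reject result.

```python
"""Envelope-level syntax check of an X12 interchange and a minimal 997
Functional Acknowledgement built from the result. Added example, not code from
the original page; the sample 270 interchange below is constructed."""

# Constructed sample: the ISA header is fixed-width (106 bytes), so it is
# assembled field by field to keep the padding exact.
SAMPLE_ISA = "*".join([
    "ISA", "00", " " * 10, "00", " " * 10,
    "ZZ", "SENDERID".ljust(15), "ZZ", "RECEIVERID".ljust(15),
    "240101", "1200", "^", "00501", "000000001", "0", "T", ":",
]) + "~"

SAMPLE_270 = SAMPLE_ISA + (
    "GS*HS*SENDERID*RECEIVERID*20240101*1200*1*X*005010X279A1~"
    "ST*270*0001*005010X279A1~"
    "BHT*0022*13*10001234*20240101*1200~"
    "HL*1**20*1~"
    "NM1*PR*2*SAMPLE PAYER*****PI*12345~"
    "HL*2*1*21*1~"
    "NM1*1P*2*SAMPLE CLINIC*****XX*1234567893~"
    "HL*3*2*22*0~"
    "NM1*IL*1*DOE*JOHN****MI*MEMBER001~"
    "EQ*30~"
    "SE*10*0001~"
    "GE*1*1~"
    "IEA*1*000000001~"
)


def split_segments(raw: str) -> list[list[str]]:
    """Read the delimiters from their fixed positions in ISA (element separator
    at offset 3, segment terminator at offset 105) and split into segments."""
    if not raw.startswith("ISA") or len(raw) < 106:
        raise ValueError("interchange must begin with a 106-byte ISA segment")
    elem_sep, seg_term = raw[3], raw[105]
    return [seg.split(elem_sep) for seg in raw.split(seg_term) if seg.strip()]


def _find(segs, tag, start, stop):
    """Index of the first segment with the given tag in segs[start:stop], or None."""
    return next((i for i in range(start, stop) if segs[i][0] == tag), None)


def syntax_check(raw: str) -> list[str]:
    """Return envelope syntax errors (an empty list means the interchange is
    accepted): control numbers and counts in ISA/IEA, GS/GE and ST/SE must agree."""
    errors = []
    segs = split_segments(raw)
    isa, iea = segs[0], segs[-1]
    if iea[0] != "IEA":
        return ["interchange does not end with IEA"]
    if isa[13] != iea[2]:
        errors.append(f"ISA13 {isa[13]} != IEA02 {iea[2]}")
    groups = [i for i, s in enumerate(segs) if s[0] == "GS"]
    if int(iea[1]) != len(groups):
        errors.append(f"IEA01 says {iea[1]} groups, found {len(groups)}")
    for gi in groups:
        gs = segs[gi]
        ge_i = _find(segs, "GE", gi, len(segs))
        if ge_i is None:
            errors.append(f"GS {gs[6]} has no GE trailer")
            continue
        ge = segs[ge_i]
        if gs[6] != ge[2]:
            errors.append(f"GS06 {gs[6]} != GE02 {ge[2]}")
        sets = [i for i in range(gi, ge_i) if segs[i][0] == "ST"]
        if int(ge[1]) != len(sets):
            errors.append(f"GE01 says {ge[1]} transaction sets, found {len(sets)}")
        for si in sets:
            st = segs[si]
            se_i = _find(segs, "SE", si, ge_i)
            if se_i is None:
                errors.append(f"ST {st[2]} has no SE trailer")
                continue
            se = segs[se_i]
            if st[2] != se[2]:
                errors.append(f"ST02 {st[2]} != SE02 {se[2]}")
            if int(se[1]) != se_i - si + 1:
                errors.append(f"SE01 says {se[1]} segments, counted {se_i - si + 1}")
    return errors


def build_997(raw: str, ack_control: str = "0001") -> str:
    """Build the ST..SE body of a 997 answering the first functional group:
    AK1 names the group, AK2/AK5 the transaction set and its accept/reject
    status, AK9 summarises the group (status, sets included/received/accepted)."""
    segs = split_segments(raw)
    gs = segs[_find(segs, "GS", 0, len(segs))]
    st = segs[_find(segs, "ST", 0, len(segs))]
    status = "A" if not syntax_check(raw) else "R"
    body = [
        ["ST", "997", ack_control],
        ["AK1", gs[1], gs[6]],
        ["AK2", st[1], st[2]],
        ["AK5", status],
        ["AK9", status, "1", "1", "1" if status == "A" else "0"],
    ]
    body.append(["SE", str(len(body) + 1), ack_control])
    return "".join("*".join(seg) + "~" for seg in body)
```

Only the envelope is checked here; a full 997 would also report segment-level and element-level errors (AK3/AK4), and the semantic validity of the 270 content, as the paragraph notes, is out of scope for this acknowledgement.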
c) Security Rule
Under HIPAA, the Security Rule complements the Privacy Rule. While the Privacy Rule deals with PHI (Protected Health Information) in both paper and electronic formats, the Security Rule is concerned specifically with EPHI (Electronic Protected Health Information). The three types of security safeguards required for compliance are as follows:
i) Administrative Safeguards
Policies and procedures designed to clearly show how the entity will comply with the Act.
► Entities covered under the Act must comply with the requirements stated by HIPAA. For this purpose, a written set of privacy procedures must be adopted, documented and adhered to. A Privacy Officer should be specially designated for this purpose, responsible for the implementation of the Act.
► The policies and procedures of an organization must be in sync with the documented security controls. Any oversight must be brought to the notice of management.
► The procedures should document a clear identification of the employees or classes of employees who will have access to EPHI (Electronic Protected Health Information). Only those employees whose job function in the organization requires EPHI should be permitted to access it.
► The procedures must address access authorization, establishment, modification and termination.
► Entities must show that an appropriate ongoing training program on the handling of PHI is provided to employees who perform health plan administrative functions.
► Entities that outsource their business processes to a third party must ensure that their vendors have a framework in place that adheres to HIPAA requirements. Organizations gain such assurance through clauses in their contracts. Care must be taken to determine whether the vendor further outsources data-related activities to other parties, and to monitor whether appropriate controls are in place and applied as desired.
► In case of emergencies, a contingency plan should be in place as a stand-by. Entities under HIPAA are responsible for backing up their data, including databases, and having disaster recovery procedures in place. Documentation of data priority and failure analysis, change control procedures and testing activities is also brought under the purview of this Act.
► Internal audits that review processes, systems and operations to identify and analyze a broad range of potential security violations are an important part of HIPAA. The procedures should clearly outline the scope, procedures and frequency of such audits. Audits should be both routine and event-based.
► In case of security breaches, identified either during the audit process or in the normal course of operations, procedures should document the instructions for addressing and responding to them.
ii) Physical Safeguards
This category covers controls on physical access that protect against unauthorized and inappropriate access to protected data.
► Controls should be exercised to govern the introduction and removal of hardware and software from the network. In this process, PHI should never be compromised.
► The access to equipment containing healthcare databases should be carefully controlled, regulated and monitored.
► The access to hardware and software must be restricted to appropriately authorized individuals only.
► Required access controls consist of measures such as facility security plans, maintenance records, and visitor sign-in and escorts.
► Policies are required to address proper workstation use. Workstations should be removed from high-traffic areas, and monitor screens should not be in direct view of the public.
► If covered entities use the services of contractors, middlemen or agents, such individuals too must be fully trained on their physical access responsibilities under the provisions of this Act.
iii) Technical Safeguards
This category covers controlling access to computer systems and enabling covered entities to protect communications containing PHI that are transmitted electronically over networks from being intercepted by anyone other than the intended recipient.
► Information systems housing PHI must be protected from intrusion. When data flows over open networks, some form of encryption must be used. If closed systems/networks are used, the existing access controls are considered sufficient and encryption is optional.
► Each covered entity bears the responsibility for ensuring that the data within its systems has not been altered, added, deleted or modified in an unauthorized manner.
► Data corroboration, including the use of checksums, double-keying, message authentication and digital signatures, may be used to ensure data integrity.
► Covered entities under HIPAA must authenticate the entities with whom they communicate. Authentication consists of corroborating that an entity is who it claims to be. Examples of corroboration are password systems, token systems, two/three-way handshakes and telephone callback.
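The integrity point above lists checksums and message authentication side by side, and the difference between them matters when the threat is deliberate modification rather than accidental corruption. The following Python is an added example, not code from the original page or from any HIPAA implementation; the claim record, its field names and the demo key are constructed. It seals an EPHI record with an unkeyed SHA-256 checksum and with an HMAC-SHA256 tag, then alters one field and shows that the checksum can simply be recomputed by whoever edits the record, while the HMAC tag cannot be reproduced without the shared key.

```python
"""Integrity and origin check for an EPHI record in transit, using a keyed
message authentication code (HMAC-SHA256) beside an unkeyed checksum to show
why the latter alone does not stop deliberate modification. Added example,
not code from the original page; record fields and key are constructed."""

import hashlib
import hmac
import json
import secrets

# Constructed sample EPHI record (an 837-style claim fragment); every value is made up.
SAMPLE_RECORD = {
    "claim_id": "CLM-0001",
    "member_id": "MEMBER001",
    "provider_npi": "1234567893",
    "diagnosis": "J06.9",
    "charge_cents": 12500,
}


def canonical_bytes(record: dict) -> bytes:
    """Serialize deterministically so sender and receiver hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_checksum(record: dict) -> dict:
    """Unkeyed checksum: catches accidental corruption, but anyone who can edit
    the record can recompute it, so it proves nothing about who produced it."""
    return {"record": record, "checksum": hashlib.sha256(canonical_bytes(record)).hexdigest()}


def verify_checksum(envelope: dict) -> bool:
    expected = hashlib.sha256(canonical_bytes(envelope["record"])).hexdigest()
    return hmac.compare_digest(expected, envelope["checksum"])


def seal_hmac(record: dict, key: bytes) -> dict:
    """Keyed tag: only holders of the shared key can produce a valid one."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_hmac(envelope: dict, key: bytes) -> bool:
    """Recompute the tag and compare in constant time to avoid timing side channels."""
    expected = hmac.new(key, canonical_bytes(envelope["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def modification_demo(key: bytes) -> dict:
    """Alter one field after sealing and report what each mechanism detects."""
    altered = dict(SAMPLE_RECORD, charge_cents=1_250_000)
    # Whoever edits the record can re-seal it with a fresh checksum, so the
    # receiver's checksum verification still passes.
    checksum_after_edit = verify_checksum(seal_checksum(altered))
    # Without the key a new HMAC tag cannot be produced; carrying the old tag
    # over to the altered record is detected.
    sealed = seal_hmac(SAMPLE_RECORD, key)
    hmac_after_edit = verify_hmac({"record": altered, "tag": sealed["tag"]}, key)
    return {
        "original_hmac_ok": verify_hmac(sealed, key),
        "checksum_accepts_edit": checksum_after_edit,
        "hmac_accepts_edit": hmac_after_edit,
    }


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)  # in practice: provisioned out of band and rotated
    print(modification_demo(demo_key))
```

The HMAC tag covers integrity and origin between two parties that share a key; it does not provide confidentiality, so on an open network it sits alongside the encryption required by the previous point (typically TLS), and where non-repudiation toward third parties is needed a digital signature takes its place.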
► Covered entities must make documentation of their HIPAA practices available to the government to determine compliance with the procedures.
► In addition to policies, procedures and access records, information technology documentation should incorporate a written record of various configuration settings on the components of the network. Such components are complex, configurable and ever changing.
► Documentation of risk analysis and risk management programs is desirable. Covered entities must carefully consider the pervasive risks of their operations as they implement systems to comply with the Act.
d) Unique Identifiers Rule (National Provider Identifier)
Covered entities under HIPAA, such as service providers, large and small health plans and healthcare clearinghouses, must use only the National Provider Identifier (NPI) to identify covered healthcare providers in standard transactions.
All covered entities using electronic communications, such as physicians, hospitals, health insurance companies, third-party administrators, clinical research organizations, clinical data management organizations, regulatory bodies, pharmaceutical manufacturing companies etc., must use a single NPI. The NPI replaces all other identifiers used by health plans, Medicare (i.e., the UPIN), Medicaid and other government programs. However, the NPI does not replace a provider's DEA number, tax identification number or state license number. The NPI is 10 digits and can be alphanumeric, with the last digit being a checksum. The NPI cannot contain any embedded intelligence; in other words, the NPI is simply a number that carries no additional meaning. It is unique and national and can never be re-used. Except for institutions, a provider usually can have only one NPI. An institution may obtain multiple NPIs for different "subparts" such as a cancer center or rehabilitation facility.
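The check digit mentioned above can be verified before an NPI is accepted into a transaction, which catches transcription errors at the edge of the system. The following Python is an added example, not code from the original page; it implements the Luhn-based check-digit computation that CMS specifies for the NPI, in which the constant prefix 80840 is placed before the nine-digit base. That computation operates on numeric digits, so the validator accepts only all-numeric ten-digit values; the sample NPI 1234567893 is the standard illustrative value whose base 123456789 yields check digit 3.

```python
"""NPI check-digit validation (Luhn over the prefix 80840 plus the 9-digit
base). Added example, not code from the original page."""


def luhn_sum(digits: str) -> int:
    """Luhn sum over a digit string, doubling every second digit starting
    from the rightmost one (the check digit itself is not included here)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def npi_check_digit(base9: str) -> str:
    """Compute the tenth (check) digit for a 9-digit NPI base.
    The prefix 80840 is part of the computation but is not transmitted."""
    if len(base9) != 9 or not base9.isdigit():
        raise ValueError("NPI base must be exactly 9 digits")
    total = luhn_sum("80840" + base9)
    return str((10 - total % 10) % 10)


def is_valid_npi(npi: str) -> bool:
    """True if npi is 10 numeric digits whose last digit is the correct
    check digit; anything else (wrong length, letters, bad digit) is rejected."""
    if len(npi) != 10 or not npi.isdigit():
        return False
    return npi_check_digit(npi[:9]) == npi[9]


if __name__ == "__main__":
    for candidate in ("1234567893", "1234567890", "123456789", "12345678XY"):
        print(candidate, is_valid_npi(candidate))
```

A check digit only detects malformed identifiers; it says nothing about whether the NPI is registered to the claimed provider, which is a separate lookup against the NPI registry.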
e) Enforcement Rule
HHS issued the Final Rule regarding HIPAA enforcement on February 16, 2006, and it became effective on March 16, 2006. It sets civil money penalties for violating HIPAA rules and regulations, and establishes procedures for investigations, court proceedings and hearings for HIPAA violations.
Security-breach notification requirements
The HITECH (Health Information Technology for Economic and Clinical Health) Act was enacted as part of the American Recovery and Reinvestment Act in 2009. This Act imposes notification requirements on HIPAA covered entities and their business associates, vendors and related entities in the event of a breach of the confidentiality and security measures protecting PHI (Protected Health Information). To help prevent such events, HHS (Health and Human Services) has issued guidelines on the issue. HHS and the FTC (Federal Trade Commission) are working in unison to standardize their respective regulations and are seeking public comment in order to issue interim final regulations by August 17, 2009, the deadline imposed under the HITECH Act.