The Basics Of EDI And HIPAA For Clinicians, Healthcare . PDF Free Download

2y ago

64 Views

1 Downloads

914.80 KB

116 Pages

Report/dmca

Download PDF

Transcription

The Basics of EDI and HIPAAfor Clinicians, HealthcareExecutives and Trustees,Compliance Officers, PrivacyOfficers and Legal CounselJim MoynihanMcLure-Moynihan Inc.www.mmiec.comFor HIPAA Summit WestJune 20, 2001Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

HIPAA is a Compliance Initiative but the mindset of the regulatorsis different from “Fraud and Abuse”.Final enforcement rules are notfinalized. HIPAA is an IT Initiative but while it shares features withY2K it is both bigger and morebeneficial.Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

HIPAA is all about Standards! Standards for automating the businessprocess of Claims Administration Standards for the security andconfidentiality of Health InformationCreated by McLure-Moynihan Inc. 2001 MMI All rights reserved.

Administrative Simplification New England Journal of Medicine articleclaims 19-24% of US Healthcare Costsare Administrative. Private Sector Response - the BushAdministration and WEDI.Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

1993 WEDI Recommendations To automate the claims process willrequire: Standards for key Employer-HealthPlan data exchanges. Standards for key Payer-Provider dataexchanges. Uniform Code Sets National Identifiers Patient Provider Payer EmployerCreated by McLure-Moynihan Inc. 2001 MMI All rights reserved.

1993 WEDI Recommendations National Guidelines to preempt statestandards Signatures Security The Clinton Reform Initiativeincorporated many of the WEDIrecommendations with someembellishments. Support for AdministrativeSimplification survived the death of theClinton Healthcare Reform InitiativeCreated by McLure-Moynihan Inc. 2001 MMI All rights reserved.

PrivacyThe “leak” of the HIV Positive Diagnosis ledto an alarmed public and a series of hearingson Privacy. Bipartisan consensus on administrativesimplification found its expression inHIPAA legislation of 1996. WEDIrecommendations were incorporated withadditional requirements related to Privacy.Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

Who Has to Comply? Section 162-923 A covered entity may use a business associate,including a healthcare clearinghouse, to conduct atransaction covered by this part. If a covered entitychooses to use a business associate to conduct all orpart of a transaction on behalf of the covered entity, thecovered entity must require the business associate to dothe following:– Comply with all applicable requirements of this part– Require any agent or subcontractor to comply with allapplicable requirements of this part.“Business Associate”Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

What Kind of Provider Are You?The Privacy Rule differentiates betweenproviders: Direct Treatment Indirect Treatment “The health care provider delivers health care to the individualbased on the orders of another health care provider; and.The health care provider typically provides services or products, orreports the diagnosis or results associated with the health care,directly to another health care provider, who provides the servicesor products or reports to the individual.”Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

PenaltiesMonetaryPenaltyTerm ofImprisonmentOffense 100N/ASingle violation of a provisionUp to 25,000N/AMultiple violations of an identical requirement orprohibition made during a calendar yearUp to 50,000Up to one yearWrongful disclosure of individually identifiablehealth informationUp to 100,000Up to five yearsWrongful disclosure of individually identifiablehealth information committed under falsepretensesUp to 250,000Up to 10 yearsWrongful disclosure of individually identifiablehealth information committed under falsepretenses with intent to sell, transfer, or use forcommercial advantage, personal gain, ormalicious harmFailure to implement transaction sets can result in fines up to 225,000 per year ( 25,000 per requirement, times ninetransactions)Failure to implement privacy and security measures canresult in jail timeCreated by McLure-Moynihan Inc. 2001 MMI All rights reserved.

1996-2001 Waiting for Rules NCVHS– DHHS charged National Committee on Vital HealthStatistics (NCVHS) to hold hearings on: Transaction Standards Code Sets Identifiers Final and Proposed Rules– Security Proposed Rule 8/98– Privacy Proposed Rule 11/99– Final Rule on Transaction Sets and Code Sets issued8/00 effective 10/02– Final Rule on Privacy issued April 14th, 2001, effective2003.Final Rules on Identifiers and Securityexpected midCreated by McLure-Moynihan Inc.2001 2001 MMI All rights reserved.

National Identifiers Patient ID– No NCVHS recommendation Provider ID– HCFA-maintained Provider ID# recommended Payer ID/HealthPlan ID– HCFA-maintained database recommended. RequiresFunding (and release of final rule). Employer ID– Tax ID #Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

Security “Protected Health Information”– individually identifiable that has ever been: electronically transmitted electronically stored Administrative procedures---documentedgeneral practices for establishing and enforcingsecurity policies Physical safeguards---documented processesfor protecting physical computer systems,buildings, and so on Technical security services---processes thatprotect, control, and monitor access Technical security mechanisms---mechanismsfor protecting information and restricting access todata transmitted over a networkCreated by McLure-Moynihan Inc. 2001 MMI All rights reserved.

SecurityA complete Internet communicationsimplementation must include adequateencryption, employment of authenticationor identification of communicationspartners, & a management scheme toincorporate effective password/keymanagement systems.Acceptable encryption hardware & softwareapproachesAcceptable authentication/identificationapproachesCreated by McLure-Moynihan Inc. 2001 MMI All rights reserved.

Security Authentication Did the sender of the message (user of thesystem) really send this message or was itsent by a “bad guy”. Encryption Scrambling a message so that only thesender and the receiver can “unscramble”the message using a Key. Public Key Infrastructure (PKI) Use of public and private keys to encryptmessages.Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

Are You In The“Chain of Trust” “a contract entered into by two businesspartners in which the partners agree toelectronically exchange data and protect theintegrity and confidentiality of the dataexchanged.”Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

Security First assign responsibility for HIPAA securitycompliance. Self assessment tool kits are available frommultiple sources. “For the Record” published by NACI is anexcellent book that was a source book for thesecurity proposed rule. Most people and literature overemphasize thetechnology and underemphasize the culturaland physical aspects of security.Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

Privacy The Privacy Rule defines “protected healthinformation”, provides guidelines fordisclosure of data and policies for authorizeddisclosure. Privacy guidelines are very controversial withover 60,000 comments from both sides of thedebate. Final Privacy rules differed from ProposedRules and administration and expenseestimates vary widely.Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

Privacy “The Privacy Advocate will be to theInformation Age what the EnvironmentalAdvocate was to the Industrial Age.” Providers have potential liability undercommon law and state statutes. HIPAA sets afloor, not a ceiling, and more stringent statelaws preempt HIPAA. This is a people issue. How can managementcreate a climate of confidentiality that canensure patient trust? Attitudes matter – don’tmake dismissive comments about privacyrequirements.Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

Health Information Health Information Any information, whetheroral or recorded in any form or medium. Identifiable Health InformationRelates to the past, present, or future physicalor mental health or condition of an individual;the provision of health care to an individual; orthe past, present, or future payment for theprovision of health care to an individual; and (i)that identifies the individual; or (ii) with respectto which there is a reasonable basis to believethe information can be used to identify theindividual.”Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

Protected Health Information(§164.501): “means individually identifiable healthinformation that is: (i) Transmitted by electronic media; (ii) Maintained in any medium described inthe definition of electronic media [under HIPAA],or (iii) Transmitted or maintained in any otherform or medium.”Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

Eliminating Paperwork A Decades-Old Quest––––––1950s First Steps1960s Tape-based standards1970s Industry-Specific Standards1980 Cross-Industry Standards1990s EDI evolves into EC2000s Stay Tuned!Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

What Took So Long? Primitive networks. Lack of electronic format standards. Expensive hardware and software. Lack of consensus among tradingpartners.Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

Value Added Networks VANs offer store and forward mail boxservices. Operated by GEIS, AT&T,MCI andothers. VANs support numerouscommunications interfaces, security, 24hour support and an audit trail.Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

The Internet A Public Packet Network thatlooks free! But there is no support, nosecurity, no audit trail.Despite shortcomings, theInternet and its protocols appearto be the dominant network ofthe future.Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

Let’s Define Our Terms Electronic Data Interchange:– The exchange of computer-processabledata in a standardized format between twoenterprises. Electronic Commerce:– Any use of a variety of technologies thateliminate paper and substitute electronicalternatives for data collection andexchange. Options include InteractiveVoice Response, Fax, Email, Imaging,Swipe Cards and multiple Web-basedInternet tools.Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

EDI and EC: A Place for Both EDI– Standards-based data exchange - the foundation ofquality transaction processing.– System to system exchanges of highly structureddata. Electronic Commerce:– Multiple ways to communicate unstructured data.– People-to-system or people-to-people exchanges.Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

X12 Standards“X12 Standards do not define the the method inwhich interchange partners should establish therequired electronic media communication link,nor the hardware and translation softwarerequirements to exchange EDI data.”Source HIPAA Implementation GuidelinesCreated by McLure-Moynihan Inc. 2001 MMI All rights reserved.

Is Getting Paid Important? Banks are involved with two HIPAAtransactions, claims payments and premiumpayments. Banking industry networks are secure, widelyused and as familiar as direct deposit of payrolland social security payments. Electronic Funds Transfer (EFT) is the transferof value through the banking system.Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

Fedwire vs. ACH Fedwire Immediate funds transfer. Limited data carrying capability. Expensive to send and receive. ACH Good funds arrive the day after paymentorigination. Extensive Data carrying capability in CTX. Inexpensive to send and receive.Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

Option 1: Dollars & Data Travel Together 835 Electronic PaymentOrder with nator)Receiver’sBank835 Electronic funds transferProvider(Beneficiary)between banks which includesremittance information in an“electronic envelope”.Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

Option 2: Dollars & Data Travel Separately 835 Electronic PaymentOrder with no remittanceinformationOriginator’sBankCredit AdviceReceiver’sBankElectronic Funds transferbetween banksPayer(Originator)VANProvider(Beneficiary)835 Electronic remittance information sentthrough non-bank electronic network.Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

What Standards? What is ANSI?– American National Standards Institute– Since 1917 the only source of American NationalStandards What is ASC X12– Accredited Standards Committee X12, chartered in1979– Responsible for cross-industry standards forelectronic documents– Data Interchange Standards Association (X12Secretariat) publishes annual upgrades throughWashington Publishing Company.Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

EDI Standard/DocumentFormats Use Standard SegmentsSegments Lines or Boxes on FormsName (N1)Address Information (N3)Reference Number (REF)Date/Time Reference (DTM)Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

EDI Standard/DocumentSegments are composedof Data ElementsIndividual NameName, LastMiddle InitialNM1*P2*1*Clinton*Hilary*R InsuredPersonName, FirstCreated by McLure-Moynihan Inc. 2001 MMI All rights reserved.

How Does EDI Work?EDI is the computer-to-computer exchangeof routine business information.SellersMaterialManagementSystemMapping &TranslationtoANSI ASCX12“Standard”ST*850*0001 BEG*00*SA*XX-1234*19980301*AE123 PER*BD*EDSMITH*TEField NameX12Value-Added*800-123-4567 TAX*53247765*SP*CNetworkA*********9 FOB*PP*OR*DALLASTXPO NumberBEG03 ITD*01*3*5**10**30*******E N1*ST*ABCLineEMPLOYER*9*123456789-01Item No. PO10101 N2*CORPORATE DIVISION N3*100Qty. Ordered PO1020 TOON BLVD. N4*AGOURA HILLS*CAUnit of Meas. PO10398898*US PO1*1*25*EA*9.5*CT*MG*XYZ-1234 PID*F****HAMMER-CLAW MUnit PricePO104EA*PD*WT*10*OZ PO1*2*75*EA*6.95“ElectronicBuyer’s P/NPO107*CT*MG*L505-123 PID*F****PLIERSMailbox”8” – NEEDLENOSE MEA*PD*LN*8*INVendor’sP/N PO109 PO1*3*48*EA*3*CT*MG*R5656-2*BPDelivery QtySCH01*AB123-2 PID*F**** METEL RULERDelivery Date SCH07- MACHINIST MEA*PD*LN*12*IN FOB*CC*PL*TOON TOWN***SE*LOADING DOCK SCH*24*EA*106*19980515 SCH*24*EA*106*19980615 CTT*3 AMT*TT*902.75*C SE*23*0001Buyers OrderEntry SystemMapping &TranslationfromANSI ASCX12“Standard”Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

X12 StandardsX12 Standards establish standards for the“enveloping” of data for successful messagerouting.EDI allows “trading partners to use theelectronic equivalent of “return receipt mail”with a transaction set called the FunctionalAcknowledgement (997).Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

EDI Standard/DocumentThe outer envelopes are crucial tosupport of the FunctionalAcknowledgement (997) standard.As will become apparent the 997 andmessage tracking are crucial formaking HIPAA standards work.Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

Healthcare EDI/EC Medicare practices and procedures createdtoday’s electronic claims processes. Claims clearinghouses arose to meet themapping and editing needs of providers andcommercial claims payers. Medicaid’s practices and procedurescreated today’s electronic eligibilityprocesses.Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

Transaction Set Standards Healthcare Claim or Encounter (837) Enrollment and Disenrollment in a HealthPlan (834) Eligibility for a Health Plan (270-271) Claim Payment and Remittance Advice (835) Premium Payments (820) Healthcare Claim Status (276-277) Referral Certification and Authorization (278) Coordination of Benefits (837) Later Healthcare Claim Attachment (275) First Report of Injury (148)Created by McLure-Moynihan Inc. 2001 MMI All rights reserved.

Beyond Formats Data Element Standards– Existing groups such as NUBC, ADA, NUCCcontinue to define data elements of a claim but X12 and HHS determine data elements forclaims status, eligibility, treatmentauthorization, remittance messages. Code Sets– HIPAA aims to standardize code set adoption.– NCVHS endorsed “defacto” standards ICD-9 CM,CPT-4, HCPCS, CDT-2 and NDC code sets.Creat