HIPAA Security FAQ

1. What are the compliance deadlines for Security?
2. How will we be affected by the new security?
3. Which HIPAA regulations will have the most impact on healthcare?
4. What is the purpose of the HIPAA Security and Electronic Signature standards?
5. Why are new Security and Electronic Signature standards needed?
6. What is the electronic signature standard?
7. How will the standards be implemented?
8. Who must comply? 
9. Since the regulations frequently refer to "electronic" communication, what media falls into that category?
10. Who must comply with the Electronic Signature standard?
11. Do security requirements apply only to the transactions adopted under HIPAA?
12. Is it mandatory to use an electronic signature?
13. Do the Security Standards apply to paper documents?
14. Does the Security Standard require use of specific technologies? 
15. How will smaller providers be affected? 
16. What are the required timelines for achieving compliance with HIPAA regulations? 
17. What benefits do the new HIPAA regulations provide to healthcare organizations?
18. Is there any consideration for small plans for complying with the standard once it is adopted?
19. Is a Health Plan required to accept transactions?
20. Can Health Plans delay payments for transactions submitted electronically according to the standard?
21. Is HIPAA a way for the government to create one large database with everyone's health information?
22. What is the penalty if a payer does not comply with the Transaction and Code Set standards, for all eight Transactions, by October 2002? 

1. What are the compliance deadlines for Security?
Most entities have 24 months from the effective date of the final rules to achieve compliance.  The compliance deadlines are April 20, 2005 for large plans and April 20, 2006 for small plans.

2. How will we be affected by the new security?
Broadly and deeply. Required compliance responses aren't standard because organizations aren't standard. For example, an organization with a computer network will be required to implement one or more security authentication access mechanisms - "user-based", "role-based", and/or "context-based" access - depending on its network environment.

3. Which HIPAA regulations will have the most impact on healthcare?
At the core of the new regulations are requirements to systemize, expedite, and protect the electronic transfer of healthcare information.  These include:

4. What is the purpose of the HIPAA Security and Electronic Signature standards?
The new standards are being developed to protect the confidentiality, integrity, and availability of individual health information.

5. Why are new Security and Electronic Signature standards needed?
There were no existing standards that provided comprehensive and uniform protection of individual health information. HIPAA's new security standards will permit appropriate access and use of an individual's health information by health care providers, clearinghouses, and health plans while providing appropriate safeguards against misuse and dissemination. HIPAA will also mandate a new electronic signature standard for healthcare organizations when an electronic signature is employed in the transmission of a HIPAA standard transaction.

6. What is the electronic signature standard?
The Electronic Signature Standard will provide a reliable method of assuring message integrity, user authentication and non-repudiation.

7. How will the standards be implemented?
The standards require safeguards for the physical storage and maintenance, transmission, and access to individual health information.  Implementation will depend upon the individual organization, its existing technology and the risks to and vulnerabilities of the information it must protect.

8. Who must comply?

Covered entities must comply with HIPAA.  Covered entity means: Health Plans, Health Care Clearinghouses, and health care providers who transmit any health information in electronic form in connection with a transaction covered by the HIPAA transactions regulation (HHS Regulations Definitions 160.103).

9. Since the regulations frequently refer to "electronic" communication, what media falls into that category?

HIPAA applies to all communication that is stored or transmitted electronically, or that has been stored or transmitted electronically in the past.  Media includes, but is not limited to: computer databases, tapes, disks, telecommunications, FAX, internet, or networks. 

10. Who must comply with the Electronic Signature standard?

Any healthcare provider, health care clearinghouse, or health plan that employs an electronic signature in the transmission of one of the transactions adopted under HIPAA.  The electronic signature standard applies only to the transactions adopted under HIPAA.

11. Do security requirements apply only to the transactions adopted under HIPAA?

No. The security standard applies to all individual health information that is maintained or transmitted.  This is much broader than the specific transactions currently defined in the law.

12. Is it mandatory to use an electronic signature?

No. At this time, none of the transactions adopted under HIPAA requires an electronic signature.

13. Do the Security Standards apply to paper documents?

The most significant change from the proposed regulations is that they now extend to all individually identifiable health information in the hands of covered entities, regardless of whether the information is or has been in electronic form. This includes purely paper records and oral communications.

14. Does the Security Standard require use of specific technologies?

No. The Security Standard is "technologically neutral" in order to facilitate use of the latest and most promising technologies that meet the needs of different healthcare organizations. The security standard is a compendium of security requirements that must be satisfied. While all organizations will be required to meet the basic requirements, particular solutions will likely vary with organizational size and complexity.

15. How will smaller providers be affected?

The proposed security standard does not require extraordinary measures.  It involves taking actions that assure the security of the information to be protected.  The standard does not dictate specific technologies.  The requirements of the standard may be implemented in a number of ways, depending upon the security needs and technologies in place at each business and upon agreements among businesses that work together.

16. What are the required timelines for achieving compliance with HIPAA regulations?

According to HHS rules, the implementation deadlines are April 20, 2005 for large plans and April 20, 2006 for small plans. Enforcement of the regulations will be the responsibility of CMS and will be performed in concert with the Office for Civil Rights, which enforces the HIPAA Privacy Regulations.

17. What benefits do the new HIPAA regulations provide to healthcare organizations?

There are three important potential benefits:

18. Is there any consideration for small plans to comply with the standard once it is adopted?

Small plans have an extra year or until April 20, 2006 to comply.

19. Is a Health Plan required to accept transactions?

Health Plans may not refuse to accept standard transactions which are submitted electronically.

20. Can Health Plans delay payments for transactions submitted electronically according to the standard?

There will be no delay of payments by the health plans because the transactions are submitted electronically in compliance with the standards.

21. Is HIPAA a way for the government to create one large database with everyone's health information?

There is no provision in HIPAA law to create, or to propose to create, such a database. HIPAA is designed to reduce cost and administrative burden. HIPAA recognizes the significance of protecting personal health information. New security standards and more privacy legislation are intended to protect the confidentiality of health care information.

22. What is the penalty if a payer does not comply with the Transaction and Code Set standards, for all eight transactions, by October 2002?

The penalty for non-compliance with transactions and code sets is $100 per occurrence up to a maximum of $25,000 per standard per year. What most people get confused about is that the maximum is per standard, so when you count how many transaction standards there are to potentially fall out of compliance with, the number can add up! Plus, the payers have a greater burden in that they must be ready to comply with all the transaction and code set standards, regardless of whether they are currently performing them electronically or via paper.

The Final Rule explains the penalty to be imposed "per violation on any person who fails to comply with a standard" and puts a cap on the amount imposed on any one person per year of $25,000. Since a provider usually files more than one claim at a time, it would be easy to accumulate many violations with one single transmission. For instance, if a provider sends a batch of claims electronically directly to a payer but does not use the 837 format, the penalties would be $100 for each of the claims in that batch. Assuming the provider sends 100 claims per day, the possible penalty would be $10,000 ($100 x 100 claims). In 3 days the provider would amass the maximum amount of penalty that could be imposed.

What we don't know yet is how enforcement is going to be conducted, nor are we sure how the compliance provisions will be established. HHS has announced that it intends to publish an NPRM sometime early next year that will cover these issues. Since the NPRM will not establish a "standard", it will not require the 2-year implementation timetable that the existing NPRMs require, so it will be effective BEFORE the Final Rule for Transactions and Code Sets. This NPRM (and subsequent Final Rule) is also expected to address some other outstanding issues such as certification.

Office of Administration / 350 Capitol Street Room 251 / Charleston, WV 25301-3709

Updated: 04/22/08