Hipaa Lesson 1

  • Uploaded by: Jepoy Olivo
  • June 2020
Lesson 1
AN INTRODUCTION TO HIPAA

What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act, a federal law created in 1996.
- Signed into law by Pres. Bill Clinton on August 21, 1996.
- It is considered the most significant healthcare legislation since Medicare in 1965.

Why outsource?
1. Lower cost
2. Manpower – skilled
3. Quality of work of Filipinos is better than that of any Asian country.

Health Insurance Portability and Accountability Act (HIPAA)
  • Insurance Reform [Portability]
  • Administrative Simplification [Accountability]
      o Transactions, Code Sets, & Identifiers – Compliance Date: 10/16/2002 or
      o Privacy – Compliance Date: 04/14/2003
      o Security – Compliance Date: 2005

MLS – Medical Language Specialist
CMT – Certified Medical Specialist
MTs – the ones who interpret files: clinical course, diagnosis & prognosis
Main Life of MTs – Quality Work
Asset of MT Companies – human resource/people
PHI – Patient Health Information (security & privacy of the file)

T - Transcribe
E - Edit
P - Proofread
T - Transmit

Medical Billing – the process of submitting and following up on claims to insurance companies in order to receive payment for services rendered by a healthcare provider.
NACHA – National Automated Clearinghouses Association

jso,rn09

WHO’S AFFECTED?

  • Providers
  • Clearinghouses (NACHA)
  • Hospitals
  • Billing Agencies
  • Health Plan
  • Pharmacies
  • Laboratories

Indirect Applicability: All organizations that exchange data with those directly covered under HIPAA through Chain of Trust Agreements and/or contracts.

PRE-HIPAA FACTS

  • No standards existed to guide organizations in how to store, process, communicate, or secure data.
  • Management and clinical information software differed from organization to organization, even if it was purchased from the same vendor.
  • The lack of a standard data format proved to be a barrier, too costly and complex for most organizations to overcome.
  • Over 450 different electronic claim formats exist.
  • Lack of transaction uniformity among existing standards makes it difficult for communication to occur.

WHAT IF WE DO NOT COMPLY?

Non-Compliance
  • $100 for each violation
  • Maximum of $25,000 per year per specific provision

Unauthorized Disclosure or Misuse of Patient Information
  • Penalties up to $250,000
  • Prison time up to 10 years

TRANSACTIONS, CODE SETS, IDENTIFIERS

a. Transaction - The exchange of information between two parties to carry out financial or administrative activities related to health care.
b. Code Set - Any set of codes used to encode data elements, such as tables of terms, medical concepts, medical diagnostic or procedure codes. A code set includes the codes and the descriptions of the codes.
c. Identifiers - Standard, unique health identifiers (numbers/digits/alphanumeric) for each health care provider, employer, health plan, and individual (patient).

PRIVACY vs. SECURITY

  • Privacy - Refers to WHAT is protected – Health information about an individual and the determination of who is permitted to use, disclose, or access the information.
  • Security - Refers to HOW private information is safeguarded – Ensuring privacy by controlling access to information and protecting it from inappropriate disclosure and accidental or intentional destruction or loss.

PRIVACY

Overview: Due to the constraints imposed by the scope of HIPAA, privacy regulation is applicable only to:
  o “Covered” Entities – Healthcare Providers that transmit electronic health information, Health Plans, and Clearinghouses
  o “Protected” Health Information (PHI) – Transmitted or maintained in any form or medium (includes paper and oral)

HIPAA Privacy Definitions… just a few…
  • “Protected Health Information”
  • “Authorization”
  • “Treatment, Payment, Healthcare, Operations”
  • “Patient Notice”
  • “Uses and Disclosures”
  • “Minimum Necessary”
  • “Business Associate Agreements”

Protected Health Information (PHI)
  • Individually (patient) identifiable health information relating to the past, present or future health conditions of the individual.
  • This covers all information, whether maintained electronically, in paper form or communicated orally.
  • PHI cannot be released unless authorized by the patient or for treatment, payment, or healthcare operations.

PHI includes all of the following:
1. Names
2. Addresses including Zip
3. Codes
4. All Dates
5. Telephone and Fax Numbers
6. E-mail Addresses
7. Social Security Numbers
8. Medical Record Numbers
9. Health Plan Numbers
10. License Numbers
11. Vehicle Identification Numbers
12. Account Numbers
13. Biometric Identifiers
14. Full Face Photos
15. Any other Unique Identifying Number, Characteristic or Code

AUTHORIZATION

A covered entity may not use or disclose protected health information without a valid written authorization from the individual. An authorization must be specific and cannot be combined with other documents.

Treatment, Payment and Operations
  • Treatment – the provision, coordination or management of health care and related services by one or more health care providers, including consultation or referral.
  • Payment – collection of premiums, reimbursement, coverage determinations, risk adjusting, billing, claims management, medical necessity determinations, utilization review, and pre-authorization of services.
  • Health Care Operations – specified activities by or for a health plan or health care provider that are related to its “covered functions”, including quality assessment and improvements; peer review, training and credentialing of providers; business planning; and business management.

Patient Notice
  • Description of uses and disclosures of protected health information made by the covered entity.
  • Every patient will receive a copy of the Patient Notice and will be asked to sign an “Acknowledgement.”

Uses and Disclosures
  • Use – Employment, application, utilization, examination or analysis of information within a covered entity that holds the information.
  • Disclosure – Release, transfer, provision of access to, or divulging in any other manner of information outside the covered entity holding the information.

SECURITY

Overview:
Purpose – To protect both the system and the information it contains from unauthorized access and misuse.
Encompasses – All safeguards in a covered entity’s structure, including: Information systems (hardware/software), Personnel policies, Information practice policies and Disaster Preparedness.

SECURITY -> FINAL RULE JUST PUBLISHED, in effect April 2005

Administrative Procedures – To ensure security plans, policies, procedures, training and contractual agreements exist.
Physical Safeguards – To provide assigned security responsibility and controls over all media and devices.

Technical Security Services – To provide specific authentication, authorization, access and audit controls to prevent improper access to electronically stored information.
Technical Security Mechanisms – To establish communication/network controls to avoid the risk of interception and/or alteration during electronic transmission of information.

FINAL NOTE on PRIVACY and SECURITY

The privacy and security rules are flexible and scalable to account for the nature of each organization’s culture, size and resources. Each organization will determine its own privacy policies and security practices within the context of the HIPAA requirements and its own capabilities and needs.

HIPAA Frequently Asked Questions (FAQ)

1. Is PHI the same as the medical record?
   a. No. HIPAA protects more than the official medical record. A great deal of other information is also considered PHI, such as billing and demographic data. Even the information that a person is a patient here is Protected Health Information.

2. What if I’m accidentally overheard discussing a patient’s PHI record?
   a. It is not a violation as long as you were taking reasonable precautions and were discussing the protected health information for a legitimate purpose. The HIPAA privacy rule is not meant to prevent care providers from communicating with each other and their patients during the course of treatment. These “incidental disclosures” are allowed under HIPAA.

3. If I overhear patient care information in the stairway or in the hallway, how should I handle it?
   a. If it seems appropriate, remind the speakers of the policy in private. If the conversation clearly violates policies or regulations, report it to the Privacy Officer.

4. I work in the hospital and don’t need to access PHI for my job, but every now and then a patient’s family asks me about a patient. What should I do?
   a. Explain that you do not have access to that information, and refer the individual to the patient’s health care provider.

5. What will happen if the PHI regulations have been violated?
   a. The Health System may face civil or criminal penalties and be substantially fined. Further, employees who knowingly misuse protected health information may be subject to prosecution, fines and/or imprisonment up to ten years, in addition to any University disciplinary actions.

6. What else can I do for security?
   a. Don’t allow others, such as family members, to use the equipment. They might accidentally access confidential information.

7. What are the different penalties for those who deliberately misuse protected health information?
   a. For knowing misuse of PHI – up to 1 year imprisonment, or $50,000 fine or both
   b. For obtaining PHI under false pretenses – up to 5 years imprisonment, or $100,000 fine or both
   c. For using PHI for commercial advantage, personal gain or malicious harm – up to 10 years imprisonment, or $250,000 fine or both.
