Health Informatics Week 1
CHAPTER
© 2012 The McGraw-Hill Companies, Inc. All rights reserved.McGraw-Hill
2 HIPAA, HITECH, and
Medical Records
© 2012 The McGraw-Hill Companies, Inc. All rights reserved.
Learning Outcomes
When you finish this chapter, you will be able to:
2.1 List several legal uses of a patient’s medical record.
2.2 Define HIPAA and HITECH, and name the three
types of covered entities that must comply with
them.
2.3 Discuss how the HIPAA Privacy Rule protects
patients’ protected health information (PHI).
2.4 Discuss how the HIPAA Security Rule protects
electronic protected health information (ePHI).
2.5 Explain the purpose of the HITECH breach
notification rule.
2-2
© 2012 The McGraw-Hill Companies, Inc. All rights reserved.
Learning Outcomes (Continued)
When you finish this chapter, you will be able to:
2.6 State the goal of the HIPAA Electronic Health Care
Transactions and Code Sets (TCS) standards and
list the HIPAA transactions and code sets standards
that will be required in the future.
2.7 Discuss some of the most common threats to the
privacy and security of electronic information and
ways in which the HITECH Act addresses them.
2.8 Define fraud and abuse in health care and cite an
example of each.
2-3
© 2012 The McGraw-Hill Companies, Inc. All rights reserved.
Learning Outcomes (Continued)
When you finish this chapter, you will be able to:
2.9 Describe the various government agencies that are
responsible for enforcing HIPAA.
2.10 Identify the parts of a compliance plan and the types
of documentation used to demonstrate compliance.
2-4
© 2012 The McGraw-Hill Companies, Inc. All rights reserved.
Key Terms
• abuse
• Acknowledgment of
Receipt of Notice of
Privacy Practices
• ASC X12 Version 5010
• audit
• breach
• breach notification
• business associate
• Centers for Medicare
and Medicaid Services
(CMS)
2-5
• clearinghouse
• code set
• covered entity
• electronic data
interchange (EDI)
• electronic protected
health information (ePHI)
• encryption
• fraud
• Health Care Fraud and
Abuse Control Program
© 2012 The McGraw-Hill Companies, Inc. All rights reserved.
Key Terms (Continued)
• Health Information
Technology for
Economic and Clinical
Health (HITECH) Act
• HIPAA Electronic Health
Care Transactions and
Code Sets (TCS)
• HIPAA National
Identifiers
• HIPAA Privacy Rule
• HIPAA Security Rule
2-6
• National Provider
Identifier (NPI)
• Notice of Privacy
Practices (NPP)
• protected health
information (PHI)
• release of information
(ROI)
• treatment, payment, and
health care operations
(TPO)
© 2012 The McGraw-Hill Companies, Inc. All rights reserved.
2.1 The Legal Medical Record 2-7
Medical records serve legal purposes, such as:
– providing a physician with defense against
accusations that patients were not treated correctly,
– providing appropriate documentation,
– proving medical necessity,
– proving medical professional liability was met.
© 2012 The McGraw-Hill Companies, Inc. All rights reserved.
2.2 Health Care Regulation 2-8
• Centers for Medicare and Medicaid Services
(CMS)—federal agency in the Department of
Health and Human Services that runs Medicare,
Medicaid, clinical laboratories, and other
government health programs; responsible for
enforcing all HIPAA standards other than the
privacy and security standards
• Electronic data interchange (EDI)—computer-
to-computer exchange of routine business
information using publicly available electronic
standards
© 2012 The McGraw-Hill Companies, Inc. All rights reserved.
2.2 Health Care Regulation (Continued) 2-9
• HIPAA is a law designed to:
– ensure the security and privacy of health information,
– ensure the portability of employer-provided health
insurance coverage for workers and their families
when they change or lose their jobs,
– increase accountability and decrease fraud and
abuse in health care, and
– improve the efficiency of health care delivery by
creating standards for electronic transmission of
health care transactions.
© 2012 The McGraw-Hill Companies, Inc. All rights reserved.
2.2 Health Care Regulation (Continued) 2-10
• Health Information Technology for Economic
and Clinical Health (HITECH) Act—provisions
in the ARRA of 2009 that extend and reinforce
HIPAA and contain new breach notification
requirements for covered entities and business
associates, guidance on ways to encrypt or
destroy PHI to prevent a breach, requirements
for informing individuals when a breach occurs,
higher monetary penalties for HIPAA violations,
and stronger enforcement of the Privacy and
Security Rules
© 2012 The McGraw-Hill Companies, Inc. All rights reserved.
2.2 Health Care Regulation (Continued) 2-11
• Covered entity—under HIPAA, a health plan,
clearinghouse, or provider who transmits any
health information in electronic form in
connection with a HIPAA transaction
• Clearinghouse—a company that processes
electronic health information and executes
electronic transactions for providers
• Business associate—a person or organization
that requires access to PHI to perform a function
or activity on behalf of a covered entity but is not
part of its workforce
© 2012 The McGraw-Hill Companies, Inc. All rights reserved.
2.3 HIPAA Privacy Rule 2-12
• HIPAA Privacy Rule—law that regulates the
use and disclosure of patients’ protected health
information
• Protected health information (PHI)—
individually identifiable health information
transmitted or maintained by electronic media or
in any other form or medium
– The minimum necessary standard means using
reasonable safeguards to protect PHI from being
accidentally released to those not needing the
information during an appropriate use or disclosure.
© 2012 The McGraw-Hill Companies, Inc. All rights reserved.
2.3 HIPAA Privacy Rule (Continued) 2-13
• Notice of Privacy Practices (NPP)—HIPAA-
mandated document stating the privacy policies
and procedures of a covered entity
• Acknowledgment of Receipt of Notice of
Privacy Practices—form accompanying a
covered entity’s Notice of Privacy Practices
• Release of information (ROI)—process
followed by employees of covered entities when
releasing patient information
© 2012 The McGraw-Hill Companies, Inc. All rights reserved.
2.3 HIPAA Privacy Rule (Continued) 2-14
• Treatment, payment, and health care
operations (TPO)—under HIPAA, three
conditions under which patients’ protected
health information may be released without their
consent
© 2012 The McGraw-Hill Companies, Inc. All rights reserved.
2.4 HIPAA Security Rule 2-15
• HIPAA Security Rule—law that requires
covered entities to establish administrative,
physical, and technical safeguards to protect the
confidentiality, integrity, and availability of health
information
• Electronic protected health information
(ePHI)—PHI that is created, received,
maintained, or transmitted in electronic form
– Regulations under the HIPAA Security Rule apply to
ePHI.
© 2012 The McGraw-Hill Companies, Inc. All rights reserved.
2.4 HIPAA Security Rule (Continued) 2-16
• The HIPAA Security Rule contains requirements
for three types of safeguards to prevent security
breaches:
– Administrative
– Physical
– Technical
• Encryption—process of converting electronic
information into an unreadable format before it is
distributed
© 2012 The McGraw-Hill Companies, Inc. All rights reserved.
2.5 HITECH Breach Notification Rule 2-17
• Breach—under the HIPAA Privacy Rule,
impermissible use or disclosure that
compromises the security or privacy of PHI that
could pose a significant risk of financial,
reputational, or other harm to the affected
person
• Breach notification—document used by a
covered entity to notify individuals of a breach in
their PHI required under the new HITECH
breach notification rules
© 2012 The McGraw-Hill Companies, Inc. All rights reserved.
2.6 HIPAA Electronic Health Care Transactions
and Code Sets, and National Identifiers 2-18
• HIPAA Electronic Health Care Transactions
and Code Sets (TCS)—HIPAA rule governing
the electronic exchange of health information
– Establishes standards that apply to electronic
formats, code sets, and identifiers
• ASC X12 Version 5010—updated electronic
data standard for transmitting HIPAA X12
documents
• Code set—alphabetic and/or numeric
representations for data
© 2012 The McGraw-Hill Companies, Inc. All rights reserved.
2.6 HIPAA Electronic Health Care Transactions
and Code Sets, and National Identifiers (Cont.) 2-19
• HIPAA National Identifiers—HIPAA-mandated
identification system for employers, health care
providers, health plans, and patients
• National Provider Identifier (NPI)—under
HIPAA, system for identifying all health care
providers using unique ten-digit identifiers
© 2012 The McGraw-Hill Companies, Inc. All rights reserved.
2.7 Threats to Privacy and Security 2-20
• Common threats to information security include:
– Utility failures
– Natural disasters
– Problems with computer systems and software
– Malware
– Identity theft
– Subversive employees or contractors
– Outsiders who try to damage or steal information
• HITECH Act makes business associates subject
to the same privacy and security requirements
as covered entities.
© 2012 The McGraw-Hill Companies, Inc. All rights reserved.
2.8 Fraud and Abuse Regulations 2-21
• Health Care Fraud and Abuse Control
Program—government program to uncover
misuse of funds in federal health care programs
run by the Office of the Inspector General
• Fraud—intentional act of deception to take
financial advantage of another person
– Example—forging another person’s signature on a
check
© 2012 The McGraw-Hill Companies, Inc. All rights reserved.
2.8 Fraud and Abuse Regulations
(Continued) 2-22
• Abuse—actions that improperly use another
person’s resources
– Abuse may or may not be intentional.
– Example—an ambulance service billing Medicare for
transporting a patient to the hospital when the patient
did not need ambulance service
© 2012 The McGraw-Hill Companies, Inc. All rights reserved.
2.9 Enforcement and Penalties 2-23
• Several government agencies help to enforce
HIPAA:
– Office for Civil Rights—handles civil violations
– Department of Justice—handles criminal violations
– Centers for Medicare and Medicaid Services—
enforces all the HIPAA standards except the privacy
and security standards
– Office of Inspector General—combats fraud and
abuse in health insurance and health care delivery
• Audit—formal examination or review
© 2012 The McGraw-Hill Companies, Inc. All rights reserved.
2.10 Compliance Plans 2-24
• According to the OIG, a voluntary compliance
plan should contain seven elements:
1. Consistent written policies and procedures
2. Appointment of a compliance officer and committee
3. Training plans
4. Communication guidelines
5. Disciplinary systems
6. Auditing and monitoring
7. Responding to and correcting errors
© 2012 The McGraw-Hill Companies, Inc. All rights reserved.
2.10 Compliance Plans (Continued) 2-25
• Common compliance documentation includes:
– Retaining written or electronic results of risk analysis
– Documenting the results of an audit
– Developing and implementing comprehensive privacy
and security policies and procedures
– Documenting staff training and security incident
threats