Health Informatics Week 1

profilegregueira82
chapter2informt.pdf

CHAPTER

© 2012 The McGraw-Hill Companies, Inc. All rights reserved.McGraw-Hill

2 HIPAA, HITECH, and

Medical Records

© 2012 The McGraw-Hill Companies, Inc. All rights reserved.

Learning Outcomes

When you finish this chapter, you will be able to:

2.1 List several legal uses of a patient’s medical record.

2.2 Define HIPAA and HITECH, and name the three

types of covered entities that must comply with

them.

2.3 Discuss how the HIPAA Privacy Rule protects

patients’ protected health information (PHI).

2.4 Discuss how the HIPAA Security Rule protects

electronic protected health information (ePHI).

2.5 Explain the purpose of the HITECH breach

notification rule.

2-2

© 2012 The McGraw-Hill Companies, Inc. All rights reserved.

Learning Outcomes (Continued)

When you finish this chapter, you will be able to:

2.6 State the goal of the HIPAA Electronic Health Care

Transactions and Code Sets (TCS) standards and

list the HIPAA transactions and code sets standards

that will be required in the future.

2.7 Discuss some of the most common threats to the

privacy and security of electronic information and

ways in which the HITECH Act addresses them.

2.8 Define fraud and abuse in health care and cite an

example of each.

2-3

© 2012 The McGraw-Hill Companies, Inc. All rights reserved.

Learning Outcomes (Continued)

When you finish this chapter, you will be able to:

2.9 Describe the various government agencies that are

responsible for enforcing HIPAA.

2.10 Identify the parts of a compliance plan and the types

of documentation used to demonstrate compliance.

2-4

© 2012 The McGraw-Hill Companies, Inc. All rights reserved.

Key Terms

• abuse

• Acknowledgment of

Receipt of Notice of

Privacy Practices

• ASC X12 Version 5010

• audit

• breach

• breach notification

• business associate

• Centers for Medicare

and Medicaid Services

(CMS)

2-5

• clearinghouse

• code set

• covered entity

• electronic data

interchange (EDI)

• electronic protected

health information (ePHI)

• encryption

• fraud

• Health Care Fraud and

Abuse Control Program

© 2012 The McGraw-Hill Companies, Inc. All rights reserved.

Key Terms (Continued)

• Health Information

Technology for

Economic and Clinical

Health (HITECH) Act

• HIPAA Electronic Health

Care Transactions and

Code Sets (TCS)

• HIPAA National

Identifiers

• HIPAA Privacy Rule

• HIPAA Security Rule

2-6

• National Provider

Identifier (NPI)

• Notice of Privacy

Practices (NPP)

• protected health

information (PHI)

• release of information

(ROI)

• treatment, payment, and

health care operations

(TPO)

© 2012 The McGraw-Hill Companies, Inc. All rights reserved.

2.1 The Legal Medical Record 2-7

Medical records serve legal purposes, such as:

– providing a physician with defense against

accusations that patients were not treated correctly,

– providing appropriate documentation,

– proving medical necessity,

– proving medical professional liability was met.

© 2012 The McGraw-Hill Companies, Inc. All rights reserved.

2.2 Health Care Regulation 2-8

• Centers for Medicare and Medicaid Services

(CMS)—federal agency in the Department of

Health and Human Services that runs Medicare,

Medicaid, clinical laboratories, and other

government health programs; responsible for

enforcing all HIPAA standards other than the

privacy and security standards

• Electronic data interchange (EDI)—computer-

to-computer exchange of routine business

information using publicly available electronic

standards

© 2012 The McGraw-Hill Companies, Inc. All rights reserved.

2.2 Health Care Regulation (Continued) 2-9

• HIPAA is a law designed to:

– ensure the security and privacy of health information,

– ensure the portability of employer-provided health

insurance coverage for workers and their families

when they change or lose their jobs,

– increase accountability and decrease fraud and

abuse in health care, and

– improve the efficiency of health care delivery by

creating standards for electronic transmission of

health care transactions.

© 2012 The McGraw-Hill Companies, Inc. All rights reserved.

2.2 Health Care Regulation (Continued) 2-10

• Health Information Technology for Economic

and Clinical Health (HITECH) Act—provisions

in the ARRA of 2009 that extend and reinforce

HIPAA and contain new breach notification

requirements for covered entities and business

associates, guidance on ways to encrypt or

destroy PHI to prevent a breach, requirements

for informing individuals when a breach occurs,

higher monetary penalties for HIPAA violations,

and stronger enforcement of the Privacy and

Security Rules

© 2012 The McGraw-Hill Companies, Inc. All rights reserved.

2.2 Health Care Regulation (Continued) 2-11

• Covered entity—under HIPAA, a health plan,

clearinghouse, or provider who transmits any

health information in electronic form in

connection with a HIPAA transaction

• Clearinghouse—a company that processes

electronic health information and executes

electronic transactions for providers

• Business associate—a person or organization

that requires access to PHI to perform a function

or activity on behalf of a covered entity but is not

part of its workforce

© 2012 The McGraw-Hill Companies, Inc. All rights reserved.

2.3 HIPAA Privacy Rule 2-12

• HIPAA Privacy Rule—law that regulates the

use and disclosure of patients’ protected health

information

• Protected health information (PHI)—

individually identifiable health information

transmitted or maintained by electronic media or

in any other form or medium

– The minimum necessary standard means using

reasonable safeguards to protect PHI from being

accidentally released to those not needing the

information during an appropriate use or disclosure.

© 2012 The McGraw-Hill Companies, Inc. All rights reserved.

2.3 HIPAA Privacy Rule (Continued) 2-13

• Notice of Privacy Practices (NPP)—HIPAA-

mandated document stating the privacy policies

and procedures of a covered entity

• Acknowledgment of Receipt of Notice of

Privacy Practices—form accompanying a

covered entity’s Notice of Privacy Practices

• Release of information (ROI)—process

followed by employees of covered entities when

releasing patient information

© 2012 The McGraw-Hill Companies, Inc. All rights reserved.

2.3 HIPAA Privacy Rule (Continued) 2-14

• Treatment, payment, and health care

operations (TPO)—under HIPAA, three

conditions under which patients’ protected

health information may be released without their

consent

© 2012 The McGraw-Hill Companies, Inc. All rights reserved.

2.4 HIPAA Security Rule 2-15

• HIPAA Security Rule—law that requires

covered entities to establish administrative,

physical, and technical safeguards to protect the

confidentiality, integrity, and availability of health

information

• Electronic protected health information

(ePHI)—PHI that is created, received,

maintained, or transmitted in electronic form

– Regulations under the HIPAA Security Rule apply to

ePHI.

© 2012 The McGraw-Hill Companies, Inc. All rights reserved.

2.4 HIPAA Security Rule (Continued) 2-16

• The HIPAA Security Rule contains requirements

for three types of safeguards to prevent security

breaches:

– Administrative

– Physical

– Technical

• Encryption—process of converting electronic

information into an unreadable format before it is

distributed

© 2012 The McGraw-Hill Companies, Inc. All rights reserved.

2.5 HITECH Breach Notification Rule 2-17

• Breach—under the HIPAA Privacy Rule,

impermissible use or disclosure that

compromises the security or privacy of PHI that

could pose a significant risk of financial,

reputational, or other harm to the affected

person

• Breach notification—document used by a

covered entity to notify individuals of a breach in

their PHI required under the new HITECH

breach notification rules

© 2012 The McGraw-Hill Companies, Inc. All rights reserved.

2.6 HIPAA Electronic Health Care Transactions

and Code Sets, and National Identifiers 2-18

• HIPAA Electronic Health Care Transactions

and Code Sets (TCS)—HIPAA rule governing

the electronic exchange of health information

– Establishes standards that apply to electronic

formats, code sets, and identifiers

• ASC X12 Version 5010—updated electronic

data standard for transmitting HIPAA X12

documents

• Code set—alphabetic and/or numeric

representations for data

© 2012 The McGraw-Hill Companies, Inc. All rights reserved.

2.6 HIPAA Electronic Health Care Transactions

and Code Sets, and National Identifiers (Cont.) 2-19

• HIPAA National Identifiers—HIPAA-mandated

identification system for employers, health care

providers, health plans, and patients

• National Provider Identifier (NPI)—under

HIPAA, system for identifying all health care

providers using unique ten-digit identifiers

© 2012 The McGraw-Hill Companies, Inc. All rights reserved.

2.7 Threats to Privacy and Security 2-20

• Common threats to information security include:

– Utility failures

– Natural disasters

– Problems with computer systems and software

– Malware

– Identity theft

– Subversive employees or contractors

– Outsiders who try to damage or steal information

• HITECH Act makes business associates subject

to the same privacy and security requirements

as covered entities.

© 2012 The McGraw-Hill Companies, Inc. All rights reserved.

2.8 Fraud and Abuse Regulations 2-21

• Health Care Fraud and Abuse Control

Program—government program to uncover

misuse of funds in federal health care programs

run by the Office of the Inspector General

• Fraud—intentional act of deception to take

financial advantage of another person

– Example—forging another person’s signature on a

check

© 2012 The McGraw-Hill Companies, Inc. All rights reserved.

2.8 Fraud and Abuse Regulations

(Continued) 2-22

• Abuse—actions that improperly use another

person’s resources

– Abuse may or may not be intentional.

– Example—an ambulance service billing Medicare for

transporting a patient to the hospital when the patient

did not need ambulance service

© 2012 The McGraw-Hill Companies, Inc. All rights reserved.

2.9 Enforcement and Penalties 2-23

• Several government agencies help to enforce

HIPAA:

– Office for Civil Rights—handles civil violations

– Department of Justice—handles criminal violations

– Centers for Medicare and Medicaid Services—

enforces all the HIPAA standards except the privacy

and security standards

– Office of Inspector General—combats fraud and

abuse in health insurance and health care delivery

• Audit—formal examination or review

© 2012 The McGraw-Hill Companies, Inc. All rights reserved.

2.10 Compliance Plans 2-24

• According to the OIG, a voluntary compliance

plan should contain seven elements:

1. Consistent written policies and procedures

2. Appointment of a compliance officer and committee

3. Training plans

4. Communication guidelines

5. Disciplinary systems

6. Auditing and monitoring

7. Responding to and correcting errors

© 2012 The McGraw-Hill Companies, Inc. All rights reserved.

2.10 Compliance Plans (Continued) 2-25

• Common compliance documentation includes:

– Retaining written or electronic results of risk analysis

– Documenting the results of an audit

– Developing and implementing comprehensive privacy

and security policies and procedures

– Documenting staff training and security incident

threats