Health Care Informatics

profileneey42
hc_lesson_5_notes.pdf

LESSON 5 Regulation of Health Care LECTURE NOTES ______________________________________________________________________________________

Introductory Lesson Comments

This lesson will focus on the legal, regulatory, and oversight of health care organizations and

their health information systems.

Regulation of Health Care

For health care providers, many governmental agencies have the responsibility to provide

regulations and oversight of health care organizations and health care professionals. This might

include the following:

 Licensure boards for the various health-related professions

 State and federal agencies that determine compliance with Medicare and Medicaid standards

 Other state and federal agencies for other rules and regulations (i.e., OSHA, Wage and Hour, EPA, IRS, etc.)

 Local government entities such as health departments, food safety, etc.

Generally, laws, rules, and regulations by governmental agencies are mandatory for health care

providers to follow. Failure to meet the standards may result in the imposition of sanctions,

including monetary fines, suspension of payments, and termination from a reimbursement

program.

For health information systems, there are numerous regulations and requirements for the maintenance

of health records. These include federal, state, and local regulations as well as the requirements of

credentialing bodies and payer agencies, such as insurance carriers, health maintenance

organizations, and preferred provider networks.

The requirements may vary for each of the various entities; however, most of the requirements are

quite similar. They might include the demand for certain information in a mandated format, such as

an assessment form that is signed by the health care professional that attests to the care, condition, or

diagnosis of the patient. Many of the required information tools are needed by the paying agency to

verify the following:

 That the services rendered were needed to treat the patient

 That the services rendered were actually provided to the patient

 That the services rendered were within the professional standards

 That the services rendered achieved the desired outcome

Other standards for health records have been created by professionals and experts to assist in the

organization of the actual health record. This is done to create a standard format for health records

that allows for the accurate, timely, and completeness of the information by the various health care

professionals who need to access or input information. By creating standard protocols and formats

for health records, individual professionals who need to review information or otherwise access the

information can quickly find a section of the record rather than search numerous documents and

pages of information.

One of the main tools used by governmental agencies, insurance carriers, and other third-party

payers is the use of payment for services to enforce standards, rules, and requirements. Since

providers want to receive payment for services rendered, and most health care services are

covered by either a governmental or insurance program, providers are required to sign

agreements with those organizations that include certain requirements and mandates for records.

This would include how the provider protects health information.

Protecting Health Information – HIPAA and Related Privacy Issues

The protection and privacy of patient information has been a long-standing practice for health

care providers and has become an expectation of the public. This needs to be a key focus area

for all health care providers in their policies and procedures, in their orientation of employees,

and as an essential part of the culture of their organization.

Professional standards have evolved demanding that providers take affirmative steps to protect

the confidentiality of personal health care information. While professional standards were used

to create the privacy and confidentiality standards, these were considered to be voluntary, and

compliance was sporadic. Since violations of the voluntary standards did occur, some form of

governmental oversight and regulation was necessary.

Historically, medical privacy and confidentiality laws were first regulated by local and state

governments. They created mandatory standards and could impose sanctions on providers who

failed to adhere to the requirements. Voluntary standards were included as part of the ethical

requirements of professional organizations, such as the American Hospital Association, the

American Medical Association, and the American Nursing Association. Most professional

organizations created a code of ethics or other requirements of the profession for individuals to

follow to maintain the privacy and confidentiality of personal health information.

As the role of the government as a source of payment grew larger, the federal government

became involved in the protection of information through various laws and regulations. This

role allowed the government to mandate stronger requirements and impose sanctions for failure

to meet the standards.

Major federal legislation passed in 1996 increased the requirements for privacy and is commonly

referred to as HIPAA (Health Insurance Portability and Accountability Act of 1996 [P.L.104-

191]). This law has many provisions beyond privacy and includes how patients may access

information, how they can extend health care coverage, and how electronic data can be

exchanged.

The federal Department of Health and Human Services, Office of Civil Rights (OCR), has the

responsibility for enforcing the HIPAA rules. The Department issues rules and information for the

public to use in order to comply with the various requirements. Providers must allocate resources to

assure that they are in compliance with the ever-changing environment of privacy.

There are numerous and ongoing actions that involve providers and the breaching of privacy or

security of protected information. The Department has the authority to apply monetary and other

sanctions, and there are private civil actions for breaches of privacy afforded to the patient.

Investigations typically begin with a complaint made by an individual who believes his or her

privacy has been compromised.

As investigations of breaches by the OCR evolved over the years, several major cases have been

covered by the media that indicated the imposition of major fines to providers well into the hundreds

of thousands of dollars. This got the attention of Boards of Directors and Senior Management Teams

of health care organizations as well as financial accountants, consultants, and others who are

interested in this area of practice.

Systems have been developed to create internal protocols, monitor performance, audit activities, and

generally create tools and resources to keep health information from unauthorized access and

breaches. Unfortunately, all of those systems are dependent on people to assure compliance. So,

ultimately, this is not a system or technology problem; it is a people problem.

The creation of electronic information creates new challenges and problems for providers, payers, the

government, and the patient in protecting confidential and private information. HIPAA has processes

for establishing standards for electronic health information, including how data may be exchanged

between entities, or electronic data interchange (EDI). These standards began as part of the long

journey to establish electronic health records, which continues today and well into the future as new

formats and forms of health information are created electronically.

As requirements of law and others mandate the maintenance and protection of information, this also

includes the storage of information once the service has been rendered. Whether health information

is contained in paper form or electronic form, providers need to create policies, procedures,

protocols, and systems for the long-term safe storage of this information. The length of time for

record retention that is mandated by local, state, or federal law is usually a time period of years.

Once the time period has expired, providers may dispose of the records. However, they must do so

in a way that assures the records are not readable and are not in a usable format, such as shredding or

other means to destroy the information.

Health care providers are also required to provide access to records when requested by an authorized

agency or the patient. This means that the information, while secure, still needs to be in a form or

location easily accessible by authorized individuals. Proper written authorization or legally

mandated access demands the need to have policies and procedures that are enforced by the

organization.

Failure to comply with any law, requirement, or rule could cause sanctions to be imposed on the

offending provider which range from fines (in governmental operated programs) to termination

from the payment system (used by both government and private sectors.) In this situation,

sanctions or termination provide significant incentives for providers to create systems, processes,

and protocols that assist in protecting an individual’s health information.