1 2 table of contents main...
TRANSCRIPT
1
2
TABLE OF CONTENTSTABLE OF CONTENTSMAIN MENU…………………………………………………………………………………............................…Page 3
PRE-INSTRUCTIONAL STRATEGIES……………………………………………………………………….…..…Page 4-8
OVERVIEW………………………………………………………………………………………………………………….Page 9-11
UNIQUE IDENTIFICATIONS……………………………………………………………………………………..…..Pages 12-13
TRANSACTIONS & CODE SETS……………………………………………………………………………………..Pages 14-15
SECURITY RULE.………………………………………………………………………………………………………….Pages 16-17
PRIVACY RULE…………………………………………………………………………………………………………….Pages 18-21
ENFORCEMENT…………………………………………………………………………………………………………..Pages 22-23
SUMMARY………………………………………………………………………………………………………………….Pages 24-26
EVALUATIONS…………………………………………………………………………….………………………………Page 27
CREDITS……………………………………………………………………………………………………………………..Page 28
ELECTRONIC RESOURCES……………………………………………………………………………………………Page 29
SITE MAP……………………………………………………………………………………………………………………Page 30
3© 2008 Althea Cameron-Mason, all rights reserved. Contact webmaster at [email protected] Last modified April 2, 2008
Overview
Unique Identifications
Transactions & Code Sets
Security Rule
Privacy Rule
Enforcement
Summary
Evaluations
Credits
Site Map and Exit
Pre-Instructional Strategies
MAIN MENU
4
PRE-INSTRUCTIONAL STRATEGIESPRE-INSTRUCTIONAL STRATEGIES
Pretest1. What is confidential information?
2. Give four Examples of confidential information
3. Explain what electronic transfer of information is.
4. List some types of electronic information transfers.
5. What does the abbreviation EIN stands for, and list the different ways in which it is used.
6. Given scenarios, Participants will be able to, name the Rule that is violated 8 out of ten times.
5
HIPPA Title II
Definition: HIPAA deals with electronic insurance information
HIPAA does not deal with licensing of laboratory facilities and personnel.
Examples of HIPAA Title II: Privacy, Security, Transaction and Code Sets, and the Enforcement rule.
Non-Examples: Each lab must have a medical director, a CLIA number for each facility, licensed med techs, and waived tests can be performed by unlicensed workers.
Frayer Model- Definition of the Concept HIPAA Title II
Graphic Organizer
PRE-INSTRUCTIONAL STRATEGIESPRE-INSTRUCTIONAL STRATEGIES
6
PRE-INSTRUCTIONAL STRATEGIESPRE-INSTRUCTIONAL STRATEGIES
Venn Diagram- Comparison Of HIPAA with CLIA
Comparing HIPAA and CLIA
HIPAACLIA
•Law
•Enforced By HHS
•Affects medical labs
PHI Licensing
& Testing
7
Key Words and Phrases Definitions
Protected health information(PHI)
Universal identification Number
An Entity
HIPAA
Protected Health Information is any information about health status, provisions of health care, or payment of healthcare that can be linked to an individual.Employer Identification number (EIN)
An Entity as used in this course means a service provider. For example a hospital, insurance company, or a clinical laboratory.
Health Insurance Portability and Accountability Act
Vocabulary
PRE-INSTRUCTIONAL STRATEGIESPRE-INSTRUCTIONAL STRATEGIES
8
PRE-INSTRUCTIONAL STRATEGIESPRE-INSTRUCTIONAL STRATEGIES
Goals ObjectivesGiven case studies examinees will be able to pass a twenty-item multiple-choice test on concepts of HIPAA Title II, by scoring 80 percent on the exam. Given appropriate scenarios, participants will be able to apply the course contents to real life situations in the workplace.At the completion of the course, laboratory personnel will be able to name some HIPAA violations, with 80 percent accuracy.Given a graphic organizer, trainees will be able to match the correct responses, and get at least 8 out of 10 correct. Given a Cloze Test, students will be able to supply the missing words that describes HIPAA Title II, at the or above 80% mastery.
9
OVERVIEWOVERVIEW
Introduction To HIPAAThe acronym HIPAA stands for Health Insurance and Portability Accountability Act. It was proposed in 1996, to be phased in over a period of three to five years. The main focus of HiPAA is to streamline medical information as it is electronically transmited for numerous purposes such as billing, and determination of illegibility of benefits to name a few reasons. In order to reap maximum benefits from this tutorial, participants need a working knowledge of a laboratory setting, and must be a phlebotomist with two or more years of experience at minimum. Technical knowledge of laboratory procedures and practices along with a 12 grade reading level is critical for success in this course.
10
OVERVIEWOVERVIEW
Overview Of HIPAA Title IIHIPAA Title II, specifically addresses the uniform and efficient distribution of electronic data in the healthcare sector, while maintaining confidentiality of patients’ data. The Department of Health and Human Services is commissioned by Congress to implement and monitor HIPAA Title II among other sections of the Rule. The Center for Medicaid and Medicare Services (CMS) is the branch of HHS that is instrumental in implementation of The Title II enactment. Armed with this bit of knowledge just provided, you are now ready to take a further look at what HIPAA Title II involves. Let us look at some of the benefits of the course.
11
Benefits Of The CourseTaking this course will be beneficial to participants and stakeholders of laboratories in several ways: It will aid in becoming compliant with Title II guidelines, improve administration of the lab, save resources (time, money, FTA, etc.), improve customer satisfaction, help to pass Joint Accreditations Commission of health Care Organizations (JAHCO) inspections, and increase the overall proficiency of laboratorians in general. In addition to the above benefits, successful completion of the course will help to clear up many misconceptions of HIPAA Title II. Only the basic tenets of HIPAA will be discussed. No claim is made nor implied as to comprehensiveness coverage of the rules, as such a complex document evades the scope of this course. Attempt to undertake such a venture is not feasible. Please see resources at the end of the tutorial for suggested site for more information on the topic. A breakdown of the 5 Title II rules will aid in understanding the concept, so we will begin with the first one, Unique identifications for all entities.
OVERVIEWOVERVIEW
12
UNIQUE IDENTIFICATIONSUNIQUE IDENTIFICATIONS
Patients HIPAA requires the use of unique identifiers by entities within the health care delivery business. The adoption of Title II Rules has been in effect for quite some time, as the grace periods has now expired. Unique identifications must be used by practically all entities that process patients’ medical data. One may ask what does it mean to have unique patient identifications? It means having a method whereby records can be linked to one individual only. A good example is by use of a social security number. HIPAA officials initially proposed a universal type of identifications, but public entities have since refuted such request. A variety of patient identifications ranging from social security numbers, medical record number, and other combinations are acceptable for processing PHI transactions. Facilities have implemented software and other technological devices to help generate unique IDs for patients’ records. Next, let us see what is available for medical service providers, which will be discussed in the next slide.
13
UNIQUE IDENTIFICATIONSUNIQUE IDENTIFICATIONS
Service ProvidersRequirements similar to that for patient unique identifier exit for service providers, depending on the type of trans actions, and the third party they are working with. HIPAA does not discriminate against the type used, but most providers use one of the following IDs: Employee identification numbers, Medicare/Medicaid number, or Clinical Laboratory Improvement Act (CLIA) number. These options work for third party vendors, and will be discussed below. Note that the difference between these two former mentioned entities Medicare and Medicaid are very fluid.
Third PartiesMost third party vendors are data clearinghouses, but a few may come under the umbrella of service providers. Good examples are subcontractors such as radiology, reference laboratories, and other specialists. They use the MRN#, CLIA#, and similar numbers primarily as medical identifiers mentioned above. We will now turn our attention to the second rule.
14
TRANSACTIONS & CODE SETSTRANSACTIONS & CODE SETS
Types of Transactions CodesThe final HIPAA mandate requires all entities filing medical claims on patients’ behalf to use specific Transaction Codes Sets. After much debating and input from the public, it was finally decided by HIPAA that the employer identification number (EIN) is to be used as the national drug code (NDC). The national drug code is to be used by pharmacies and other retail dispensaries for processing claims. Other entities such as hospitals and doctors’ offices can use one or more of the following codes. The transaction code sets authorized for use by non-retail businesses varies from ICD-9, CPT-4, HCPCS, etc. Please note these are only a few of the more popular ones in use. For a more current update on the codes and other information please visithttp://www.cms.hhs.gov/hipaa/hipaa2. As mentioned in the introduction of this tutorial, two of the purposes of HIPAA Title II are to promote efficiency and provide uniform transmission of electronic PHI. To this end we will momentarily look at exchange of how data are to be exchanged.
15
TRANSACTIONS & CODE SETSTRANSACTIONS & CODE SETS
Protecting Electronic TransfersAs patient data is moved along the electronics highway, ensuring that this information is protected and remains private is not just of paramount concern to users, but the law. Apart from using codes for transmitting this data, most entities use one or more forms of technology to aid in safe and confidential relay of protected data. Some of these transfers involve very sensitive information such as wiring of money, sending test results, passwords, and military information. Here are measures that can be taken by your facilities to promote safe electronic transfers: Code and encrypt data, turn on firewalls on PCs, use VPN, Access internet using routers, and install and use anti-fishing software. Most importantly, do not discard confidential information carelessly (shred unwanted documents). As we continue discussion of The Title II Rules, we will be taken to the third one, The Security Rule. I choose to discuss this before The Privacy Rule, since records must be secured before they can be private.
16
THE SECURITY RULETHE SECURITY RULESecuring Patient Health InformationSome of the security measures required by HIPAA title II were touched upon in the previous slide, buy a closer look will be taken now. Can you think of instances in which you would want your information to be secured from unauthorized use and revelation? Some of your answers will include the following data: Bank accounts, medical info, grades, and addresses. As consumers of medical services we too can personally relate to the concept of security. Title II makes it unlawful for insurance companies, medical facilities, and clearinghouses to handle your records in a reckless fashion. A current practice in place in the lab, before HIPAA was enacted, is requiring persons other than the patients and their physician to produce written authorization from the patient prior to medical information is disclosed. Another pre-HIPAA safeguard practiced in the lab is requirement for positive identification from entities that ask for patients’ medical information. Title II is a more comprehensive guideline, as it covers not just lab data, but others such as billing, demographics, and other histories. These require further elaboration, which will be done in the next slide.
17
THE SECURITY RULETHE SECURITY RULE
The Security Of DataIn the previous slide we looked at some critical data that should be secured. Now we will pay closer attention to HIPAA’s take on the subject of security. The law requires entities to be compliant with all HIPAA mandates. What does this mean? Well, a common saying goes like this, “it is one’s responsibility to know the law, since not knowing it, does not exempt one from the penalties.” This is a good reason for performing gap analysis in order to find breaches of The Rules. Gap analysis according to CMS, “ is a technical systems development tool used to ensure HIPAA compliance.” (2003) Any compromise in a lab’s system or protocol need to be addresses immediately so as not to experience the wrath of HIPAA. You have taken the first step in becoming Title II compliant, by taking this course, from which you will get some vital pointers. Do not settle for just this initial step, however, visit HIPAA’s website in order to keep abreast of new information. So far we have gone over three of the five rules: Unambiguous patient record IDs, coded transactions, and securing medical data. The fourth rules to be presented is The Privacy Rule.
18
THE PRIVACYTHE PRIVACY RULERULE
Protected Health InformationThe Privacy Rule as the name states deals with keeping protected information private. Before we progress, let me define protected health information. According to HHS, “Protected Health Information (PHI) is any information about health status, provisions of health care, or payment of healthcare that can be linked to an individual. This is interpreted as any part or all of a patient’s medical record or payment history” (HHS, 2002). With proper documentation, facilities should release requested PHIs to parties within thirty days of receiving such requests. In some cases though, PHIs can be
released without patients’ consent. Examples are in cases of getting DNA in a rape case and court subpoena. Take a look at this site http://www.hhs.gov/ocr/hipaa or
contact HIPAA at 1-866-627-7748 for more information on The Privacy Standard. The Privacy Rule probably carries the most weight compared with all other rules. For this reason a little more time will be devoted to it. The next slides will focus on some scenarios in which HIPAA Title II would have been violated if the situations were real. The correct responses will be give. I strongly suggest making some scenarios of your own later, and practice among coworkers.
19
THE PRIVACY RULETHE PRIVACY RULE
Sharing of Patient InformationScenario 1: Jane noticed her neighbor Joyce, lost all the hair from her head within the past months. She learned from another neighbor that the hair loss was due to a dye that was used; but Jane thinks it was due to chemotherapy, because she have seen her at least once per week at the hospital Jane works for.
It so happened that the following week after their conversation, Joyce went to Jane’s lab to have some blood tests done. Jane works as a phlebotomist at the lab, so she convinced the technologist that was examining Joyce’s slide, to let her take a look at the slide. When the lab tech stepped away, Jane looked up Joyce’s information in the computer, and discovered that the neighbor was indeed diagnosed with chronic lymphocytic leukemia.
HIPAA Violation: Jane is guilty of unauthorized access of a patient’s protected health information, and is subject to disciplinary actions. The Privacy and Security Rules were not adhered to.
20
THE PRIVACY RULETHE PRIVACY RULE
Releasing PHIScenario 2: Dr Brown just reviewed Mrs. Robert’s labs and decided that her patient must undergo a very expensive surgery. She is breaking this news to Mrs. Roberts, but hidden from your view in the far corner of the room, two housekeepers were busily working, and over-heard the conversation. Not only this, Dr Brown pulled up the patient’s billing account to show the patient, and has since left it on the computer screen where it can be viewed by anyone from the hallway.
HIPAA Violation: The two breaches here are one, discussing the patient’s information within hearing range of other individuals that have no need to know this information. Second, displaying of billing information on the computer where unauthorized persons can view it, is a violation of electronic transfer of PHI. The following rules were broken: The Privacy and The Security Rules were breached.
21
THE PRIVACY RULETHE PRIVACY RULE
Electronic DataScenario 3: Dennis an employee from a data processing company used by Maximum Insurance Company called the laboratory to verify some procedures that the facility billed the insurance for on behalf of a patient. When the medical technologist answered the phone, he did not verify who was on the line. Rather, after hearing Dennis introduced himself as a bill processor, the Med Tech pulled up the patient in question lab reports and emailed copies of every procedure done within the last three months to Dennis. This included records for which claims were not processed by Dennis’s company.
HIPAA Violations: The first offence committed, is not positively identifying who was on the phone requesting protected information. The technologist assumed the individual on the phone had the right to the records. Second, the lab tech sent three months of the patient’s records, and did not bother to provide only the records for which Dennis was billing. The Transactions and Code sets, the Privacy, Security, and the Unique identifiers rules were violated. We will now look at how sanctions are enforced against violators of HIPAA Title II.
22
ENFORCEMENT OF RULESENFORCEMENT OF RULES
Breaking The RulesViolation of HIPAA Title II can cost companies a lot of money. Apart from being the right thing to do, promotion of efficient and confidential handling of protected health information prevents negative impact on entities’ financial security. As medical laboratory employees, this bit of news is not foreign, as those of you familiar with CLIA regulations, already know too well the implications of breaking rules, and the harsh fines that could be levied consequently. HHS is the same governing body that enforces CLIA, so you can draw parallels between the two (HIPAA and CLIA). On the next page, there is a list that highlights HHS’s plans on dealing with some deviations from the standards. The list is not extensive, therefore I recommend visiting the site listed in the electronic resources at the end of the course content, for more succinct information.
23
ENFORCEMENT OF RULESENFORCEMENT OF RULES
ConsequencesAccording to CMS, there is punishment for breaking the rules. Below is an excerpt from a HIPAA site, which outlines some of the sanctions that can be levied against entities that do not adhere to the standards. The law does provide for fines for non-compliance. The Secretary of HHS
may impose a civil monetary penalty on any person or covered entity whoviolates any HIPAA requirement. The civil monetary penalty for violatingtransaction standards is up to $100 per person per violation and up to$25,000 per person per violation of a single standard per calendar year.Keep in mind, CMS sees its primary role as a promoter of compliance andwould only impose a monetary fine as a last resort. As discussed earlier,organizations that exercise “reasonable diligence” and make efforts to correctproblems are unlikely to be subject to civil penalties. However, if the coveredentity does not respond to CMS, fines could be imposed as a last resort. (CMS, 2003).
As the tutorial nears an end, a summary of HIPAA Title II is in order. The next two slides will condense the key points of the concepts discussed so far.
24
SUMMARYSUMMARYDebrief Of HIPAA Title IIAs the tutorial approaches its end, consideration is appropriate for to the five main themes that make up HIPAA Title II. The goal is that you have learned the key elements tabulated below, after which a general revision will be given.
FIVE HIPAA Standards Short Summary
The Enforcement Rule Hefty fines, corrective actions, civil penalty, and other sanctions to be levied
The Privacy Rule The “right to know” is the rule of thumb to use as a guideline.
The Security Rule Lock it, password protect it, conceal it, encrypt it, and get permission before you share it. I use IT to recall this rule.
The Transactions & Code Sets Rule Standard code must be used to conduct business, i.e. SS#, MRN#
The Unique Identifiers Rule Employee, patients, and all entities must have unique identifications
25
SUMMARYSUMMARY
Division of the PieHIPAA Title II is sometimes seen by most individuals as the hippopotamus of healthcare organizations. This fear does not have to be so, as there are good information to be found on the web and courses such as the one you have just taken. Remember, the main goal of Title II is to streamline the process of how business is conducted among entities. By standardizing the way business is conducted, efficiency, productivity, customer satisfaction, confidentiality, and resources are maximized.
The five standard, Privacy, Security, Unique identifications, Enforcing, and Transaction Codes rules provide a guideline from which the goals mentioned above can be attained. It is your responsibility to know them and comply. With this said, the last slide will address ways in which a laboratory can stay within the confines of the law by listing some dos and don’ts. It is easier than it is usually conceived to stay within the law.
26
SUMMARYSUMMARYDos And Don’ts Of HIPAADON’TS:
•Do not leave patient information in locations where it may be accessed by unauthorized persons.
•Do not assume all requests for PHI are legitimate ones.
DO:
•Ask for identification before you release protected health information to another party.
•Verify that entities requesting PHI have a need to know the information.
•Know which entities are exempt by law from getting patients’ permission prior to release of PHI (i.e. the court).
•Protect your computers and other electronic devices used for transmission of protected health data.
27
Comprehensive Exam DirectionsClick on the links below to access the exam and quiz. There are ten items on the test and four response options. You are to select the option that is the most correct. You are encouraged to guess if you are unsure of an answer, since you will not be penalized for guessing. You may repeat the exam as many times as you wish, as you need to score at least 80% to pass. Successful candidates will be notified within two weeks of taking the test of their grades. If the link below does not launch from this application, copy it and past it to your browser.
Test: http://uk1.hotpotatoes.net/ex/24965/SGPFETNL.php
Quiz: http://uk1.hotpotatoes.net/ex/24965/CCYIPUAX.php
EVALUATIONSEVALUATIONS
28
CREDITSCREDITS
Works CitedThe Center for Medicaid and Medicare Services (2003). Retrieve on 3/26/08 from
http://www.cms.hhs.gov/hipaa/hipaa2.Federal Register / Vol. 67, No. 157 Rules and Regulations: Standards for Privacy of Individually Identifiable Health Information.Microsoft Clip Arts. Retrieved 3/26/08 from http://www.Microsoft.com.
Morrison, G., Ross, S., and Kemp, J. (2007). Designing Effective Instruction. Hoboken, New Jersey: John Wiley & sons.
United States Department of Health & Human Services. HIPAA. Retrieved on 3/26/08 from http://www.hhs.gov/news/press/2002pres/hipaa.html.
29
RESOURCESRESOURCES
Electronic Sources•United States Department of Health & Human Services. HIPAA. http://www.hhs.gov/news/press/2002pres/hipaa.html.
•The Center for Medicaid and Medicare Services (CMS) http://www.cms.hhs.gov/hipaa/hipaa2http://www.cms.hhs.gov/SecurityStandard/
30
Home Page
Pre-Instructional Strategies
Security Rule
Privacy Rule
Summary
Unique Identifications
Evaluations
Credits
Transaction and Code Sets
Overview
Electronic Resources
Overview Overview
Pre-Instructional Strategies Pre-Instructional Strategies
Privacy Rule Privacy Rule
Privacy Rule
Pre-Instructional Strategies Pre-Instructional Strategies
Unique Identifications
Transaction and Code Sets
Security Rule
Summary Summary