Chapter 2: HIPAA, HITECH, and Medical Records

© 2012 The McGraw-Hill Companies, Inc. All rights reserved.


Learning Outcomes

When you finish this chapter, you will be able to:

2.1 List several legal uses of a patient’s medical record.

2.2 Define HIPAA and HITECH, and name the three types of covered entities that must comply with them.

2.3 Discuss how the HIPAA Privacy Rule protects patients’ protected health information (PHI).

2.4 Discuss how the HIPAA Security Rule protects electronic protected health information (ePHI).

2.5 Explain the purpose of the HITECH breach notification rule.


2.6 State the goal of the HIPAA Electronic Health Care Transactions and Code Sets (TCS) standards and list the HIPAA transactions and code sets standards that will be required in the future.

2.7 Discuss some of the most common threats to the privacy and security of electronic information and ways in which the HITECH Act addresses them.

2.8 Define fraud and abuse in health care and cite an example of each.


2.9 Describe the various government agencies that are responsible for enforcing HIPAA.

2.10 Identify the parts of a compliance plan and the types of documentation used to demonstrate compliance.


Key Terms

• abuse

• Acknowledgment of Receipt of Notice of Privacy Practices

• ASC X12 Version 5010

• audit

• breach

• breach notification

• business associate

• Centers for Medicare and Medicaid Services (CMS)

• clearinghouse

• code set

• covered entity

• electronic data interchange (EDI)

• electronic protected health information (ePHI)

• encryption

• fraud

• Health Care Fraud and Abuse Control Program


• Health Information Technology for Economic and Clinical Health (HITECH) Act

• HIPAA Electronic Health Care Transactions and Code Sets (TCS)

• HIPAA National Identifiers

• HIPAA Privacy Rule

• HIPAA Security Rule

• National Provider Identifier (NPI)

• Notice of Privacy Practices (NPP)

• protected health information (PHI)

• release of information (ROI)

• treatment, payment, and health care operations (TPO)

2.1 The Legal Medical Record

Medical records serve legal purposes, such as:

– providing a physician with defense against accusations that patients were not treated correctly,

– providing appropriate documentation,

– proving medical necessity,

– proving medical professional liability was met.

2.2 Health Care Regulation

• Centers for Medicare and Medicaid Services (CMS)—federal agency in the Department of Health and Human Services that runs Medicare, Medicaid, clinical laboratories, and other government health programs; responsible for enforcing all HIPAA standards other than the privacy and security standards

• Electronic data interchange (EDI)—computer-to-computer exchange of routine business information using publicly available electronic standards

• HIPAA is a law designed to:

– ensure the security and privacy of health information,

– ensure the portability of employer-provided health insurance coverage for workers and their families when they change or lose their jobs,

– increase accountability and decrease fraud and abuse in health care, and

– improve the efficiency of health care delivery by creating standards for electronic transmission of health care transactions.


• Health Information Technology for Economic and Clinical Health (HITECH) Act—provisions in the ARRA of 2009 that extend and reinforce HIPAA and contain new breach notification requirements for covered entities and business associates, guidance on ways to encrypt or destroy PHI to prevent a breach, requirements for informing individuals when a breach occurs, higher monetary penalties for HIPAA violations, and stronger enforcement of the Privacy and Security Rules


• Covered entity—under HIPAA, a health plan, clearinghouse, or provider who transmits any health information in electronic form in connection with a HIPAA transaction

• Clearinghouse—a company that processes electronic health information and executes electronic transactions for providers

• Business associate—a person or organization that requires access to PHI to perform a function or activity on behalf of a covered entity but is not part of its workforce

2.3 HIPAA Privacy Rule

• HIPAA Privacy Rule—law that regulates the use and disclosure of patients’ protected health information

• Protected health information (PHI)—individually identifiable health information transmitted or maintained by electronic media or in any other form or medium

– The minimum necessary standard means using reasonable safeguards to protect PHI from being accidentally released to those not needing the information during an appropriate use or disclosure.


• Notice of Privacy Practices (NPP)—HIPAA-mandated document stating the privacy policies and procedures of a covered entity

• Acknowledgment of Receipt of Notice of Privacy Practices—form accompanying a covered entity’s Notice of Privacy Practices

• Release of information (ROI)—process followed by employees of covered entities when releasing patient information


• Treatment, payment, and health care operations (TPO)—under HIPAA, three conditions under which patients’ protected health information may be released without their consent

2.4 HIPAA Security Rule

• HIPAA Security Rule—law that requires covered entities to establish administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of health information

• Electronic protected health information (ePHI)—PHI that is created, received, maintained, or transmitted in electronic form

– Regulations under the HIPAA Security Rule apply to ePHI.


• The HIPAA Security Rule contains requirements for three types of safeguards to prevent security breaches:

– Administrative

– Physical

– Technical

• Encryption—process of converting electronic information into an unreadable format before it is distributed

2.5 HITECH Breach Notification Rule

• Breach—under the HIPAA Privacy Rule, impermissible use or disclosure that compromises the security or privacy of PHI that could pose a significant risk of financial, reputational, or other harm to the affected person

• Breach notification—document used by a covered entity to notify individuals of a breach of their PHI, as required under the new HITECH breach notification rules

2.6 HIPAA Electronic Health Care Transactions and Code Sets, and National Identifiers

• HIPAA Electronic Health Care Transactions and Code Sets (TCS)—HIPAA rule governing the electronic exchange of health information

– Establishes standards that apply to electronic formats, code sets, and identifiers

• ASC X12 Version 5010—updated electronic data standard for transmitting HIPAA X12 documents

• Code set—alphabetic and/or numeric representations for data


• HIPAA National Identifiers—HIPAA-mandated identification system for employers, health care providers, health plans, and patients

• National Provider Identifier (NPI)—under HIPAA, system for identifying all health care providers using unique ten-digit identifiers

2.7 Threats to Privacy and Security

• Common threats to information security include:

– Utility failures

– Natural disasters

– Problems with computer systems and software

– Malware

– Identity theft

– Subversive employees or contractors

– Outsiders who try to damage or steal information

• HITECH Act makes business associates subject to the same privacy and security requirements as covered entities.

2.8 Fraud and Abuse Regulations

• Health Care Fraud and Abuse Control Program—government program to uncover misuse of funds in federal health care programs run by the Office of the Inspector General

• Fraud—intentional act of deception to take financial advantage of another person

– Example—forging another person’s signature on a check


• Abuse—actions that improperly use another person’s resources

– Abuse may or may not be intentional.

– Example—an ambulance service billing Medicare for transporting a patient to the hospital when the patient did not need ambulance service

2.9 Enforcement and Penalties

• Several government agencies help to enforce HIPAA:

– Office for Civil Rights—handles civil violations

– Department of Justice—handles criminal violations

– Centers for Medicare and Medicaid Services—enforces all the HIPAA standards except the privacy and security standards

– Office of Inspector General—combats fraud and abuse in health insurance and health care delivery

• Audit—formal examination or review

2.10 Compliance Plans

• According to the OIG, a voluntary compliance plan should contain seven elements:

1. Consistent written policies and procedures

2. Appointment of a compliance officer and committee

3. Training plans

4. Communication guidelines

5. Disciplinary systems

6. Auditing and monitoring

7. Responding to and correcting errors


• Common compliance documentation includes:

– Retaining written or electronic results of risk analysis

– Documenting the results of an audit

– Developing and implementing comprehensive privacy and security policies and procedures

– Documenting staff training and security incident threats