1

HIPAA and Medical Records

Chapter 2

© 2010 The McGraw-Hill Companies, Inc. All rights reserved.

Chapter 2 2

Learning OutcomesAfter studying this chapter, you should be able to:2.1 Discuss the importance of medical records

and documentation in the medical billing process.

2.2 Describe the benefits of electronic healthrecords (EHR).

2.3 Explain the purpose of the HIPAA Privacy Rule.

2.4 Distinguish between a covered entity and a business associate under HIPAA.

Chapter 2 3

Learning Outcomes (Continued)

2.5 Define protected health information (PHI).

2.6 Discuss patients’ authorizations to use or disclose their health information.

2.7 Briefly describe the purpose of the HIPAA Security Rule.

2.8 Describe the HIPAA Electronic Health Care Transactions and Code Sets

standards and the four National Identifiers.

Chapter 2 4

Learning Outcomes (Continued)

2.9 Explain the purpose of the Health Care Fraud and Abuse Control Program and related laws.

2.10 Discuss the ways in which compliance plans help medical practices avoid

fraud and abuse.

Chapter 2 5

Key Terms

• Abuse• Audit• Authorization• Business associate• Centers for

Medicare and Medicaid Services (CMS)

• Certification Commission for Healthcare Information Technology (CCHIT)

• Clearinghouse • Code set• Compliance plan

Chapter 2 6

Key Terms (Continued)

• Covered entity• De-identified health

information• Designated record

set (DRS)• Documentation• Electronic data

interchange (EDI)

• Electronic health record (EHR)

• Encounter• Encryption• Evaluation and

management (E/M)• Fraud

Chapter 2 7

Key Terms (Continued)

• Health Care Fraud and Abuse Control Program

• Health Insurance Portability and Accountability Act (HIPAA) of 1996

• HIPAA Electronic Health Care Transactions and Code Sets (TCS)

• HIPAA Final Enforcement Rule

• HIPAA National Identifier

Chapter 2 8

Key Terms (Continued)

• HIPAA Privacy Rule

• HIPAA Security Rule

• Informed consent• Malpractice• Medical record• Medical standards

of care

• Minimum necessary standard

• National Plan and Provider Enumerator System (NPPES)

• National Provider Identifier (NPI)

• Notice of Privacy Practices (NPP)

Key Terms (Continued)

Chapter 2 9

• Office for Civil Rights (OCR)

• Office of the Inspector General (OIG)

• Password• Protected health

information (PHI)• Qui tam

• Relator• Respondeat superior• Subpoena• Subpoena duces

tecum• Transaction• Treatment,

payment, and health care operations (TPO)

Chapter 2 10

Medical Records: Documentation

• Provide for continuity of care• Aid in communication among health care

providers• Provide data for medical research• Are used for medical education• Help physicians make accurate diagnoses• Document and trace the course of treatment to

prove adherence to medical standards of care

Medical recordsare legal

documents

Chapter 2 11

Medical Record Documentation• Record of each encounter (face-to-face visit)

must be legible and clear• Entries must be signed and dated• Changes must be clearly made• No blank spaces are left between entries• Each patient should have a single record• Records should use consistent vocabulary and

format• Diagnostic information must be easy to locate• Entries must be made promptly

Chapter 2 12

SOAP Format

Subjective

Objective

Assessment

Plan

What the patient reports, chief complaint, symptoms

The physician’s findings fromthe physical exam, lab tests,

vitals signs, etc.

The impression, conclusion,or diagnosis

Treatment and follow up, advice

Chapter 2 13

History and Physical Examination

The initial exam usually entails a history and physical examination. The components of the exam include:

• Chief complaint

• History and physical examination

• Diagnosis

• Treatment plan

Chapter 2 14

More Documentation

Progress Reports

During Treatment Course

• Are documented at follow-up visits

• Explain if the treatment plan should be continued or changed

Discharge Summaries of Final Visit

• Include final diagnosis• Compare patient

statements and doctor’s findings

• Goals achieved?• Patient’s current

condition, status, and final prognosis

• Reason and date of discharge

Procedural services

• Procedural or operative reports

• Laboratory reports

• Radiology reports

• Specific forms as applicable

Termination of Provider-Patient Relationship

• Provider keeps the record

• If provider ends the relationship, the patient is informed in writing

• Termination letter placed in patient’s medical record

Chapter 2 17

Electronic Medical vs. Paper Records

Electronic Health Records

• Are created and maintained electronically

• Are expensive and time-consuming to implement

• Easily permit large amounts of data to be stored, analyzed, and processed

Paper Records• Are created manually

• Are inexpensive to create

• Include handwritten entries in a medical record

What are the pros and consof both types of records?

Chapter 2 18

Billing Tip

• Documentation and billing must be connected for compliance.

IF A SERVICE IS NOT DOCUMENTED, IT SHOULD NOT BE BILLED

Chapter 2 19

Health Care Regulation Federal Regulation

• Centers for Medicare and Medicaid Services (CMS) (formerly HCFA)

– Administers Medicare and Medicaid

– Regulates medical laboratory testing

– Prevents discrimination based on health status

– Assesses the quality of health care facilities

– Researches effectiveness of health care management, treatment, and financing

– Combats fraud and abuse in government-sponsored programs

Chapter 2 20

Health Care RegulationLaws

• Health Insurance Portability and Accountability Act (HIPAA)– Protects peoples’ private health information

– Protects health insurance coverage for employees and their dependents if job status changes

– Uncovers fraud and abuse

– Includes the adoption of standards for electronic transmission in health care industry

Chapter 2 21

Health Care RegulationLaws

State laws• Implement quality and control of

HMOs and PPOs and may require:– business licenses

– financial guidelines

– limitations on premium increases

Chapter 2 22

Ownership of Medical Records• The physical document(s) are the

property of the provider (physician, clinic, or facility) thatcreated them.

• The information contained in the medical record belongs to the patient.

Providers’ responsibilitiesvs. Patients’ rights to their information

Chapter 2 23

HIPAA Administrative Simplification: 3 Rules

• HIPAA Privacy Rule

• HIPAA Security Rule

• HIPAA Electronic Health Care Transactions and Code Sets standards

Regulates the use and disclosure of patients’ PHI

Security requirements needed to protect patients’

PHI

Every provider doing business electronically must use same standards for transactions and code sets

Chapter 2 24

Covered Entities under HIPAA

• Covered entities electronically transmit HIPAA-protected information

• CEs are (1) health plans, (2) health care clearinghouses, and (3) health care providers

• Business associates work for covered entities and include services such as law firms, accounting practices, IT consultants, and collection agencies

Chapter 2 25

HIPAA Privacy Rule

• States that covered entities must:– Have appropriate privacy practices – Notify patients about their privacy rights– Train employees on the privacy practices– Appoint a privacy official responsible for the

adoption and following of privacy practices

– Safeguard patients’ records

Chapter 2 26

PHI

• A patient’s Protected Health Information– Medical record– Other personal health information

that is transmitted or maintained by electronicmedia

Chapter 2 27

PHI

– Name

– Social Security Number

– Address

– Phone

– E-mail address

– Photo images

– Birth date

– Relatives and employers

• Contains individually identifiable health information, such as the patient’s

Chapter 2 28

Use and Disclosure of PHI

• Use = sharing within the entity that holds the patient’s information

• Disclosure = the release of information outside the entity holding the patient’s information

Chapter 2 29

Use and Disclosure of PHI

Necessary and permitted for patients’ TPO

TPO = Treatment

Payment

Operations

Providing and coordinating medical care

The exchange of information with health plans

General business management functions

Chapter 2 30

Use and Disclosure of PHI

Under HIPAA, no patient release of information document is required when PHI is shared for TPO.

The CE must try to limit the information shared to the minimum for the intended purpose—following the minimum necessary standard.

Designated Record Set• Covered entities must disclose certain PHI to patients

called “designated record set.”• Providers = medical and billing records

• Health plans = enrollment, payment, claim decisions, and medical management system data

• Within designated record set, patients can:• Access, copy, and inspect information

• Request amendments

• Obtain accounting of disclosures

• Receive information by other means

• Complain about alleged violations

Chapter 2 31

Chapter 2 32

Notice of Privacy Practices

• HIPAA-mandated document

• Presents the covered entity’s principles and procedures regarding protection of patients’ PHI

• A covered entity must give all patients a copy of its notice

Chapter 2 33

Patient Authorizationto Release Information

Document must be in plain language and include:

• Description of the information to be released

• Who can use or disclose the information

• Who will receive it

• For what purpose

• An expiration date

• Patient’s signature and date

Chapter 2 34

Exceptions to the Privacy Rule

• Court order

• Workers’ compensation cases

• Statutory reports

• Research

• De-identified health information

• Psychotherapy notes

• State statutes may be more stringent

Chapter 2 35

HIPAA Security Rule

Requires medical offices to protect protected health information (PHI) by:

• Encryption—encoding information so that a key is required to retrieve it

• The secure use of computer networks, the Internet, and storage disks

• Using security techniques, such as passwords• Limiting who in a medical office can see the

information• Creating activity logs that show who has accessed, or

tried to access, information

Chapter 2 36

HIPAA Electronic Health Care Transactions and Code Sets

Standard TransactionsExamples: Health care claims, claim status, referral authorizations, payments

Standard Code SetsExamples: ICD-9-CM, CPT, CDT, HCPCS

Financial andadministrative

information regularlyexchanged between

providersand health plans

Coding systems fordiseases;

treatments andprocedures; supplies

Chapter 2 37

HIPAA National Identifiers

• Employers

• Health care providers

• Health plans

• Patients

Employer Identification Number (EIN)

To be releasedby federalgovernmentin future

National Provider Identifier (NPI)

Chapter 2 38

Fraud and Abuse Regulations

Fraud: Act of deception used to take advantage of another person.

• Example – billing when the task was not done

Abuse: Act that misuses public funds.• Example – billing when the task was not

necessary

Chapter 2 39

Federal Laws

• Health Insurance Portability and Accountability Act of 1996 (HIPAA)

• False Claims Act

• Federal Acts and other special legislation

Chapter 2 40

Federal Laws

• Civil False Claims Act

• Social Security Act

• Health Insurance Portability and Accountability Act of 1996 (HIPAA)

• Federal Acts and other special legislation

Created the Health Care Fraud and AbuseControl Program to uncover fraud and abuse

in Medicare and Medicaid programs.

Chapter 2 41

Federal Laws

• Civil False Claims Act

• Social Security Act

• Health Insurance Portability and Accountability Act of 1996 (HIPAA)

• Federal Acts and other special legislation

•Antikickback staute•Self-referral prohibitions (Stark Law)

•Sarbanes-Oxley Act

Chapter 2 42

Enforcement and Penalties

HIPAA – Enforced by the Office for Civil Rights (OCR) and CMS

Fraud and Abuse – Enforced by the Office of the Inspector General (OIG)

Penalties may be civil or criminal (the Department of Justice involved)

Chapter 2 43

Compliance Plans

Parts of a compliance plan:1. Consistent written policies and procedures2. Appointment of a compliance officer and committee3. Training4. Communication5. Disciplinary systems6. Auditing and monitoring 7. Responding to and correcting errors

Chapter 2 44

Compliance Plans

Compliance officer and committee

• Communication between the office staff and compliance officer encourages staff to report suspected fraud and/or abuse.

• A fraud and abuse “hotline” may be created.

Chapter 2 45

Compliance Plans

Code of conduct

• A statement of conduct promotes a clear commitment to compliance.

• The commitment can include a process to identify offenses and apply corrective action through internal investigation and publicized disciplinary guidelines.

Chapter 2 46

Compliance Plans

Ongoing training

• Assures compliance with latest rules and regulations by establishing training programs for all professional and support personnel.

• The training includes physicians and all billing and coding personnel.