Hipaa Lesson 1
Lesson 1: AN INTRODUCTION TO HIPAA
What is HIPAA?
HIPAA – is the Health Insurance Portability and Accountability Act, a federal law created in 1996.
- Signed into law by Pres. Bill Clinton on August 21, 1996.
- It is considered the most significant healthcare legislation since Medicare in 1965.
Why outsource?
1. Lower Cost
2. Manpower – skilled
3. Quality of work of Filipinos is better than that of any other Asian country.
MLS – Medical Language Specialist
CMT – Certified Medical Specialist
MTs – are the ones who interpret a file's clinical course, diagnosis & prognosis
Main Life of MTs – Quality Work
Asset of MT Companies – human resource/people
PHI – Patient Health Information (security & privacy of the file)
T - Transcribe
E - Edit
P - Proofread
T - Transmit
Medical Billing – the process of submitting and following up on claims to insurance companies in order to receive payment for services rendered by a healthcare provider.
NACHA – National Automated Clearinghouses Association
jso,rn09 Page 1
Health Insurance Portability and Accountability Act (HIPAA)
- Insurance Reform [Portability]
- Administrative Simplification [Accountability]
  o Transactions, Code Sets, & Identifiers – Compliance Date: 10/16/2002 or 10/16/2003
  o Privacy – Compliance Date: 04/14/2003
  o Security – Compliance Date: 2005
WHO’S AFFECTED?
PRE-HIPAA FACTS
- No standards existed to guide organizations in how to store, process, communicate, or secure data
- Management and clinical information software differed from organization to organization, even if it was purchased from the same vendor
- Lack of a standard data format proved to be a barrier, too costly and complex for most organizations to overcome
- Over 450 different electronic claim formats exist
- Lack of transaction uniformity among existing standards makes it difficult for communication to occur
WHAT IF WE DO NOT COMPLY?
Non-Compliance
- $100 for each violation
- Maximum of $25,000 per year per specific provision
Unauthorized Disclosure or Misuse of Patient Information
- Penalties up to $250,000
- Prison time up to 10 years
TRANSACTIONS, CODE SETS, IDENTIFIERS
a. Transaction - The exchange of information between two parties to carry out financial or administrative activities related to health care
b. Code Set - Any set of codes used to encode data elements, such as tables of terms, medical concepts, or medical diagnostic or procedure codes. A code set includes the codes and the descriptions of the codes
c. Identifiers - Standard, unique health identifiers (numbers/digits/alphanumeric) for each health care provider, employer, health plan, and individual (patient)
HIPAA – Direct Applicability:
- Providers
- Clearinghouses (NACHA)
- Hospitals
- Billing Agencies
- Health Plans
- Pharmacies
- Laboratories
Indirect Applicability: All organizations that exchange data with those directly covered under HIPAA through Chain of Trust Agreements and/or contracts
PRIVACY vs. SECURITY
Privacy - Refers to WHAT is protected – Health information about an individual and the determination of who is permitted to use, disclose, or access the information.
Security - Refers to HOW private information is safeguarded – Ensuring privacy by controlling access to information and protecting it from inappropriate disclosure and accidental or intentional destruction or loss.
PRIVACY
Overview:
Due to the constraints imposed by the scope of HIPAA, privacy regulation is applicable only to:
o “Covered” Entities – Healthcare Providers that transmit electronic health information, Health Plans, and Clearinghouses
o “Protected” Health Information (PHI) – Transmitted or maintained in any form or medium (includes paper and oral)
HIPAA Privacy Definitions… just a few…
- “Protected Health Information”
- “Authorization”
- “Treatment, Payment, Healthcare Operations”
- “Patient Notice”
- “Uses and Disclosures”
- “Minimum Necessary”
- “Business Associate Agreements”
Protected Health Information (PHI)
- Individual (Patient) identifiable health information relating to the past, present or future health conditions of the individual.
- This covers all information, whether maintained electronically, in paper form or communicated orally.
- PHI cannot be released unless authorized by the patient or for treatment, payment, or healthcare operations.
PHI includes all of the following:
1. Names
2. Addresses including Zip Codes
3. All Dates
4. Telephone and Fax Numbers
5. E-mail Addresses
6. Social Security Numbers
7. Medical Record Numbers
8. Health Plan Numbers
9. License Numbers
10. Vehicle Identification Numbers
11. Account Numbers
12. Biometric Identifiers
13. Full Face Photos
14. Any other Unique Identifying Number, Characteristic or Code
AUTHORIZATION
A covered entity may not use or disclose protected health information without a valid written authorization from the individual.
An authorization must be specific and cannot be combined with other documents.
Treatment, Payment and Operations
- Treatment – the provision, coordination or management of health care and related services by one or more health care providers, including consultation or referral.
- Payment – collection of premiums, reimbursement, coverage determinations, risk adjusting, billing, claims management, medical necessity determinations, utilization review, and pre-authorization of services.
- Health Care Operations – specified activities by or for a health plan or health care provider that are related to its “covered functions”, including quality assessment and improvement; peer review, training and credentialing of providers; business planning; and business management.
Patient Notice
- Description of uses and disclosures of protected health information made by the covered entity.
- Every patient will receive a copy of the Patient Notice and will be asked to sign an “Acknowledgement.”
Uses and Disclosures
- Use – Employment, application, utilization, examination or analysis of information within a covered entity that holds the information.
- Disclosure – Release, transfer, provision of access to, or divulging in any other manner of information outside the covered entity holding the information.
SECURITY
Overview:
Purpose – To protect both the system and the information it contains from unauthorized access and misuse.
Encompasses – All safeguards in a covered entity's structure, including: Information systems (hardware/software), Personnel policies, Information practice policies and Disaster Preparedness.
SECURITY -> FINAL RULE JUST PUBLISHED, in effect April 2005
- Administrative Procedures – To ensure security plans, policies, procedures, training and contractual agreements exist
- Physical Safeguards – To provide assigned security responsibility and controls over all media and devices
- Technical Security Services – To provide specific authentication, authorization, access and audit controls to prevent improper access to electronically stored information.
- Technical Security Mechanisms – To establish communication/network controls to avoid the risk of interception and/or alteration during electronic transmission of information.
FINAL NOTE on PRIVACY and SECURITY
The privacy and security rules are flexible and scalable to account for the nature of each organization’s culture, size and resources.
Each organization will determine its own privacy policies and security practices within the context of the HIPAA requirements and its own capabilities and needs.
HIPAA Frequently Asked Questions (FAQ)
1. Is PHI the same as the medical record?
a. No. HIPAA protects more than the official medical record. A great deal of other information is also considered PHI, such as billing and demographic data. Even the information that a person is a patient here is Protected Health Information.
2. What if I’m accidentally overheard discussing a patient’s PHI record?
a. It is not a violation as long as you were taking reasonable precautions and were discussing the protected health information for a legitimate purpose. The HIPAA privacy rule is not meant to prevent care providers from communicating with each other and their patients during the course of treatment. These “incidental disclosures” are allowed under HIPAA.
3. If I overhear patient care information in the stairway or in the hallway, how should I handle it?
a. If it seems appropriate, remind the speakers of the policy in private. If the conversation clearly violates policies or regulations, report it to the Privacy Officer.
4. I work in the hospital and don’t need to access PHI for my job, but every now and then a patient’s family asks me about a patient. What should I do?
a. Explain that you do not have access to that information, and refer the individual to the patient’s health care provider.
5. What will happen if the PHI regulations have been violated?
a. The Health System may face civil or criminal penalties and be substantially fined. Further, employees who knowingly misuse protected health information may be subject to prosecution, fines and/or imprisonment up to ten years, in addition to any University disciplinary actions.
6. What else can I do for security?
a. Don’t allow others, such as family members, to use the equipment. They might accidentally access confidential information.
7. What are the different penalties for those who deliberately misuse protected health information?
a. For knowing misuse of PHI – up to 1 year imprisonment, or $50,000 fine, or both
b. For obtaining PHI under false pretenses – up to 5 years imprisonment, or $100,000 fine, or both
c. For using PHI for commercial advantage, personal gain or malicious harm – up to 10 years imprisonment, or $250,000 fine, or both.