Hipaa Lesson 1


Page 1: Hipaa Lesson 1

Lesson 1: AN INTRODUCTION TO HIPAA

What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act, a federal law enacted in 1996.
- Signed into law by President Bill Clinton on August 21, 1996.
- Considered the most significant healthcare legislation since Medicare in 1965.

Why outsource?
1. Lower cost
2. Skilled manpower
3. The quality of work of Filipinos is better than that of other Asian countries.

MLS – Medical Language Specialist
CMT – Certified Medical Transcriptionist
MTs – medical transcriptionists; they are the ones who interpret the dictated files covering the clinical course, diagnosis and prognosis
Main life of MTs – quality work
Asset of MT companies – human resources/people
PHI – Protected Health Information (security and privacy of the file)
T – Transcribe, E – Edit, P – Proofread, T – Transmit
Medical Billing – the process of submitting and following up on claims to insurance companies in order to receive payment for services rendered by a healthcare provider
NACHA – National Automated Clearing House Association (the body that governs the ACH payment network; it is not itself a HIPAA health care clearinghouse)

jso,rn09 Page 1

Structure of the Health Insurance Portability and Accountability Act (HIPAA):

- Title I: Insurance Reform [Portability]
- Title II: Administrative Simplification [Accountability], which contains:
  - Transactions, Code Sets & Identifiers – compliance date 10/16/2002, or 10/16/2003 for entities that filed for the one-year extension
  - Privacy – compliance date 04/14/2003
  - Security – compliance date 2005 (April 20, 2005 for most covered entities)

Page 2: Hipaa Lesson 1

WHO’S AFFECTED?

PRE-HIPAA FACTS
- No standards existed to guide organizations in how to store, process, communicate, or secure data.
- Management and clinical information software differed from organization to organization, even if it was purchased from the same vendor.
- The lack of a standard data format proved to be a barrier, too costly and complex for most organizations to overcome.
- Over 450 different electronic claim formats existed.
- The lack of transaction uniformity among existing standards made communication between organizations difficult.

WHAT IF WE DO NOT COMPLY?

Non-compliance (civil penalties, as originally enacted in 1996):
- $100 for each violation
- Maximum of $25,000 per year per specific provision

Unauthorized disclosure or misuse of patient information (criminal penalties):
- Fines up to $250,000
- Prison time up to 10 years

(The civil figures above are the 1996 statutory amounts; the HITECH Act of 2009 replaced them with tiered penalties that are substantially higher.)

TRANSACTIONS, CODE SETS, IDENTIFIERS

a. Transaction – the exchange of information between two parties to carry out financial or administrative activities related to health care.

b. Code Set – any set of codes used to encode data elements, such as tables of terms, medical concepts, or medical diagnostic or procedure codes. A code set includes the codes and the descriptions of the codes.

c. Identifiers – standard, unique health identifiers (numeric or alphanumeric) for each health care provider, employer, health plan, and individual (patient).


Directly covered under HIPAA:
- Providers
- Clearinghouses
- Hospitals
- Billing Agencies
- Health Plans
- Pharmacies
- Laboratories

Indirect applicability: all organizations that exchange data with those directly covered under HIPAA, through Chain of Trust Agreements and/or contracts (today's business associate agreements).

Page 3: Hipaa Lesson 1

PRIVACY vs. SECURITY

Privacy – refers to WHAT is protected: health information about an individual, and the determination of who is permitted to use, disclose, or access that information.

Security – refers to HOW private information is safeguarded: ensuring privacy by controlling access to information and protecting it from inappropriate disclosure and from accidental or intentional destruction or loss.

PRIVACY
Overview:

Because of the scope of HIPAA, the privacy regulation applies only to:
- "Covered" entities – health care providers that transmit health information electronically, health plans, and clearinghouses
- "Protected" health information (PHI) – transmitted or maintained in any form or medium (including paper and oral)

HIPAA Privacy Definitions (just a few):
- "Protected Health Information"
- "Authorization"
- "Treatment, Payment, Health Care Operations"
- "Patient Notice"
- "Uses and Disclosures"
- "Minimum Necessary"
- "Business Associate Agreements"

Protected Health Information (PHI)

Individually identifiable health information relating to the past, present or future health condition of the individual. This covers all such information, whether maintained electronically, in paper form or communicated orally. PHI cannot be released unless authorized by the patient or for treatment, payment, or health care operations.

Health information is individually identifiable (and therefore PHI) when it carries any of the following identifiers:
1. Names
2. Addresses, including ZIP codes
3. All dates (other than year)
4. Telephone and fax numbers
5. E-mail addresses
6. Social Security numbers
7. Medical record numbers
8. Health plan numbers
9. License numbers
10. Vehicle identification numbers
11. Account numbers
12. Biometric identifiers
13. Full-face photos
14. Any other unique identifying number, characteristic or code

(The Privacy Rule's "safe harbor" de-identification standard enumerates 18 identifiers; the ones not shown on this slide are device identifiers and serial numbers, URLs and IP addresses, and it covers all geographic subdivisions smaller than a state, not only ZIP codes.)
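The identifier list above is, in practice, a specification for what a data-loss-prevention or log-scrubbing scanner has to find. The following is an added example (not code from the original lesson) that scans free text for the machine-recognizable items on the list and redacts them. It assumes a US SSN and phone layout, a hypothetical "MRN nnnnnnn" and "Account #X-nnnnnnnn" format for record and account numbers (real systems should substitute their own formats), and a constructed sample note; names, photos and biometrics are not pattern-matchable and are deliberately out of scope here.

```python
import re
from dataclasses import dataclass

# One regex per identifier class from the slide. Numeric patterns use lookarounds
# instead of \b so that a leading "(" or trailing "." does not defeat the match,
# and so that five digits inside a longer number (e.g. the middle of an MRN) are
# not mistaken for a ZIP code. MRN and account formats are assumptions.
PHI_PATTERNS = [
    ("mrn",     re.compile(r"\bMRN\s*#?\s*\d{6,10}(?!\d)", re.I)),
    ("account", re.compile(r"\b(?:account|acct)\s*#?\s*[A-Z]?-?\d{6,12}(?!\d)", re.I)),
    ("ssn",     re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")),
    ("date",    re.compile(r"(?<!\d)(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})(?!\d)")),
    ("phone",   re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]\d{4}(?!\d)")),
    ("email",   re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("zip",     re.compile(r"(?<!\d)\d{5}(?:-\d{4})?(?!\d)")),
]


@dataclass(frozen=True)
class Finding:
    kind: str
    start: int
    end: int
    value: str


def find_phi(text):
    """Return non-overlapping findings, ordered by position in the text."""
    hits = []
    for kind, rx in PHI_PATTERNS:
        for m in rx.finditer(text):
            hits.append(Finding(kind, m.start(), m.end(), m.group()))
    # Earliest start first; on a tie prefer the longer match, then drop anything
    # that overlaps a match already accepted.
    hits.sort(key=lambda f: (f.start, -(f.end - f.start)))
    accepted, cursor = [], 0
    for f in hits:
        if f.start >= cursor:
            accepted.append(f)
            cursor = f.end
    return accepted


def redact(text, mask="[{kind}]"):
    """Replace every finding with a placeholder naming the identifier class."""
    pieces, cursor = [], 0
    for f in find_phi(text):
        pieces.append(text[cursor:f.start])
        pieces.append(mask.format(kind=f.kind.upper()))
        cursor = f.end
    pieces.append(text[cursor:])
    return "".join(pieces)


def phi_counts(text):
    counts = {}
    for f in find_phi(text):
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample transcription note; no real patient.
SAMPLE_NOTE = (
    "Patient: Jane Q. Public, DOB 04/14/1962, MRN 00123456. "
    "Seen 2003-04-14 for follow-up; home address 12 Elm St, Springfield, IL 62704. "
    "Phone (217) 555-0143, fax 217-555-0198, email jane.public@example.com. "
    "SSN 123-45-6789. Account #A-98765432. Assessment: stable."
)

if __name__ == "__main__":
    for f in find_phi(SAMPLE_NOTE):
        print(f"{f.kind:8s} {f.value}")
    print(redact(SAMPLE_NOTE))
```

A scanner like this is a detective control, not a de-identification method: a note that survives it can still identify the patient through a name or a rare diagnosis, so treat a clean result as "nothing obviously wrong", and route anything it does flag to the privacy officer rather than silently discarding it.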


Page 4: Hipaa Lesson 1

AUTHORIZATION
A covered entity may not use or disclose protected health information without a valid written authorization from the individual, except where the Privacy Rule permits or requires it (for example, for treatment, payment, or health care operations). An authorization must be specific and may not be combined with other documents.

Treatment, Payment and Operations

Treatment – the provision, coordination or management of health care and related services by one or more health care providers, including consultation or referral.

Payment – collection of premiums, reimbursement, coverage determinations, risk adjusting, billing, claims management, medical necessity determinations, utilization review, and pre-authorization of services.

Health Care Operations – specified activities by or for a health plan or health care provider that are related to its "covered functions", including quality assessment and improvement; peer review, training and credentialing of providers; business planning; and business management.

Patient Notice
A description of the uses and disclosures of protected health information made by the covered entity (the Notice of Privacy Practices). Every patient will receive a copy of the Patient Notice and will be asked to sign an "Acknowledgement."

Uses and Disclosures

Use – employment, application, utilization, examination or analysis of information within the covered entity that holds the information.

Disclosure – release, transfer, provision of access to, or divulging in any other manner of information outside the covered entity holding the information.

SECURITY
Overview:

Purpose – to protect both the system and the information it contains from unauthorized access and misuse.

Encompasses – all safeguards in a covered entity's structure, including information systems (hardware/software), personnel policies, information practice policies and disaster preparedness.

SECURITY -> FINAL RULE: published in February 2003, compliance required from April 2005

Administrative Procedures – to ensure that security plans, policies, procedures, training and contractual agreements exist.

Physical Safeguards – to provide assigned security responsibility and controls over all media and devices.

Technical Security Services – to provide specific authentication, authorization, access and audit controls that prevent improper access to electronically stored information.

Technical Security Mechanisms – to establish communication/network controls that avoid the risk of interception and/or alteration during electronic transmission of information.

(These four headings come from the proposed rule; the final rule groups the requirements into administrative, physical and technical safeguards, at 45 CFR 164.308, 164.310 and 164.312 respectively.)
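The "Technical Security Services" bullet is easier to reason about with the controls in code. Below is an added example (not part of the lesson or of any real system) of an access layer for a PHI record store that enforces role-based minimum necessary, limits reads to treatment/payment/operations purposes, and writes every allowed or denied access to a hash-chained audit trail so that later tampering with the log is detectable. The role table, record layout and the facilities-worker case (the hallway question in the FAQ on the next page) are assumptions constructed for the example; the hash chain is one common way to make an audit log tamper-evident, not something the rule prescribes.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical role -> permitted PHI sections. A role gets only what its job needs.
ROLE_PERMISSIONS = {
    "physician":     {"demographics", "clinical", "billing"},
    "billing_clerk": {"demographics", "billing"},
    "facilities":    set(),          # no job-related need for PHI at all
}
TPO_PURPOSES = {"treatment", "payment", "operations"}


class AccessDenied(PermissionError):
    pass


class PhiStore:
    def __init__(self, records):
        self._records = records
        self.audit = []                 # append-only; each entry commits to the previous one
        self._prev_hash = "0" * 64

    def _log(self, **entry):
        entry["ts"] = datetime.now(timezone.utc).isoformat()
        entry["prev"] = self._prev_hash
        digest = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        entry["hash"] = digest
        self.audit.append(entry)
        self._prev_hash = digest

    def read(self, user, role, patient_id, fields, purpose):
        requested = set(fields)
        allowed = ROLE_PERMISSIONS.get(role, set())
        reason = None
        if purpose not in TPO_PURPOSES:
            reason = f"purpose {purpose!r} is not treatment, payment or operations"
        elif not requested <= allowed:
            reason = f"fields exceed role's minimum necessary: {sorted(requested - allowed)}"
        elif patient_id not in self._records:   # checked last: do not leak existence to the unauthorized
            reason = "unknown patient"
        common = dict(user=user, role=role, patient=patient_id, fields=sorted(requested), purpose=purpose)
        if reason:
            self._log(outcome="DENY", reason=reason, **common)
            raise AccessDenied(reason)
        self._log(outcome="ALLOW", **common)
        record = self._records[patient_id]
        return {f: record[f] for f in requested}


def verify_audit_chain(audit):
    """Recompute every entry's hash and check it links to its predecessor."""
    prev = "0" * 64
    for entry in audit:
        body = {k: v for k, v in entry.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != digest:
            return False
        prev = entry["hash"]
    return True


def attempt(store, user, role, patient_id, fields, purpose):
    """Convenience wrapper: ("ALLOW", data) or ("DENY", reason)."""
    try:
        return "ALLOW", store.read(user, role, patient_id, fields, purpose)
    except AccessDenied as exc:
        return "DENY", str(exc)


# Constructed sample record; not a real patient.
SAMPLE_RECORDS = {
    "P-1001": {
        "demographics": {"name": "Jane Q. Public", "dob": "1962-04-14"},
        "clinical":     {"diagnosis": "hypertension", "plan": "follow-up in 6 weeks"},
        "billing":      {"plan_id": "HP-55512", "balance": 120.0},
    },
}

if __name__ == "__main__":
    store = PhiStore(SAMPLE_RECORDS)
    print(attempt(store, "dr_lee", "physician", "P-1001", ["clinical"], "treatment"))
    print(attempt(store, "j_doe", "facilities", "P-1001", ["demographics"], "treatment"))
    print(attempt(store, "b_kim", "billing_clerk", "P-1001", ["clinical"], "payment"))
    print("audit chain intact:", verify_audit_chain(store.audit))
```

Two design points worth noting: the denial reasons are logged but the patient's existence is only checked after the permission test, so an unauthorized caller learns nothing from the error; and the audit entries are hashed with the previous entry's hash, so deleting or editing an entry breaks every link after it, which is what `verify_audit_chain` catches.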

FINAL NOTE on PRIVACY and SECURITY


Page 5: Hipaa Lesson 1

The privacy and security rules are flexible and scalable, to account for the nature of each organization's culture, size and resources.

Each organization will determine its own privacy policies and security practices within the context of the HIPAA requirements and its own capabilities and needs.

HIPAA Frequently Asked Questions (FAQ)

1. Is PHI the same as the medical record?
   a. No. HIPAA protects more than the official medical record. A great deal of other information is also considered PHI, such as billing and demographic data. Even the fact that a person is a patient here is protected health information.

2. What if I'm accidentally overheard discussing a patient's PHI?
   a. It is not a violation as long as you were taking reasonable precautions and were discussing the protected health information for a legitimate purpose. The HIPAA privacy rule is not meant to prevent care providers from communicating with each other and with their patients during the course of treatment. These "incidental disclosures" are allowed under HIPAA.

3. If I overhear patient care information in the stairway or in the hallway, how should I handle it?
   a. If it seems appropriate, remind the speakers of the policy in private. If the conversation clearly violates policies or regulations, report it to the Privacy Officer.

4. I work in the hospital and don't need to access PHI for my job, but every now and then a patient's family asks me about a patient. What should I do?
   a. Explain that you do not have access to that information, and refer the individual to the patient's health care provider.

5. What will happen if the PHI regulations have been violated?
   a. The Health System may face civil or criminal penalties and be substantially fined. Further, employees who knowingly misuse protected health information may be subject to prosecution, fines and/or imprisonment of up to ten years, in addition to any University disciplinary actions.

6. What else can I do for security?
   a. Don't allow others, such as family members, to use the equipment. They might accidentally access confidential information.

7. What are the different penalties for those who deliberately misuse protected health information?
   a. For knowing misuse of PHI – up to 1 year imprisonment, or a $50,000 fine, or both
   b. For obtaining PHI under false pretenses – up to 5 years imprisonment, or a $100,000 fine, or both
   c. For using PHI for commercial advantage, personal gain or malicious harm – up to 10 years imprisonment, or a $250,000 fine, or both
