CHAPTER 2: HIPAA, HITECH, and Medical Records
© 2012 The McGraw-Hill Companies, Inc. All rights reserved.
(Presentation transcript)

Slide 2: Learning Outcomes
When you finish this chapter, you will be able to:
2.1 List several legal uses of a patient's medical record.
2.2 Define HIPAA and HITECH, and name the three types of covered entities that must comply with them.
2.3 Discuss how the HIPAA Privacy Rule protects patients' protected health information (PHI).
2.4 Discuss how the HIPAA Security Rule protects electronic protected health information (ePHI).
2.5 Explain the purpose of the HITECH breach notification rule.

Slide 3: Learning Outcomes (Continued)
When you finish this chapter, you will be able to:
2.6 State the goal of the HIPAA Electronic Health Care Transactions and Code Sets (TCS) standards and list the HIPAA transactions and code sets standards that will be required in the future.
2.7 Discuss some of the most common threats to the privacy and security of electronic information and ways in which the HITECH Act addresses them.
2.8 Define fraud and abuse in health care and cite an example of each.

Slide 4: Learning Outcomes (Continued)
When you finish this chapter, you will be able to:
2.9 Describe the various government agencies that are responsible for enforcing HIPAA.
2.10 Identify the parts of a compliance plan and the types of documentation used to demonstrate compliance.

Slide 5: Key Terms
- abuse
- Acknowledgment of Receipt of Notice of Privacy Practices
- ASC X12 Version 5010
- audit
- breach
- breach notification
- business associate
- Centers for Medicare and Medicaid Services (CMS)
- clearinghouse
- code set
- covered entity
- electronic data interchange (EDI)
- electronic protected health information (ePHI)
- encryption
- fraud
- Health Care Fraud and Abuse Control Program

Slide 6: Key Terms (Continued)
- Health Information Technology for Economic and Clinical Health (HITECH) Act
- HIPAA Electronic Health Care Transactions and Code Sets (TCS)
- HIPAA National Identifiers
- HIPAA Privacy Rule
- HIPAA Security Rule
- National Provider Identifier (NPI)
- Notice of Privacy Practices (NPP)
- protected health information (PHI)
- release of information (ROI)
- treatment, payment, and health care operations (TPO)

Slide 7: 2.1 The Legal Medical Record
Medical records serve legal purposes, such as:
- providing a physician with a defense against accusations that patients were not treated correctly,
- providing appropriate documentation,
- proving medical necessity,
- proving that medical professional liability was met.

Slide 8: 2.2 Health Care Regulation
Centers for Medicare and Medicaid Services (CMS): federal agency in the Department of Health and Human Services that runs Medicare, Medicaid, clinical laboratories, and other government health programs; responsible for enforcing all HIPAA standards other than the privacy and security standards.
Electronic data interchange (EDI): computer-to-computer exchange of routine business information using publicly available electronic standards.

Slide 9: 2.2 Health Care Regulation (Continued)
HIPAA is a law designed to:
- ensure the security and privacy of health information,
- ensure the portability of employer-provided health insurance coverage for workers and their families when they change or lose their jobs,
- increase accountability and decrease fraud and abuse in health care, and
- improve the efficiency of health care delivery by creating standards for electronic transmission of health care transactions.

Slide 10: 2.2 Health Care Regulation (Continued)
Health Information Technology for Economic and Clinical Health (HITECH) Act: provisions in the ARRA of 2009 that extend and reinforce HIPAA. They contain:
- new breach notification requirements for covered entities and business associates,
- guidance on ways to encrypt or destroy PHI to prevent a breach,
- requirements for informing individuals when a breach occurs,
- higher monetary penalties for HIPAA violations, and
- stronger enforcement of the Privacy and Security Rules.

Slide 11: 2.2 Health Care Regulation (Continued)
Covered entity: under HIPAA, a health plan, clearinghouse, or provider who transmits any health information in electronic form in connection with a HIPAA transaction.
Clearinghouse: a company that processes electronic health information and executes electronic transactions for providers.
Business associate: a person or organization that requires access to PHI to perform a function or activity on behalf of a covered entity but is not part of its workforce.

Slide 12: 2.3 HIPAA Privacy Rule
HIPAA Privacy Rule: law that regulates the use and disclosure of patients' protected health information.
Protected health information (PHI): individually identifiable health information transmitted or maintained by electronic media or in any other form or medium.
- The minimum necessary standard means using reasonable safeguards to protect PHI from being accidentally released to those not needing the information during an appropriate use or disclosure.

Slide 13: 2.3 HIPAA Privacy Rule (Continued)
Notice of Privacy Practices (NPP): HIPAA-mandated document stating the privacy policies and procedures of a covered entity.
Acknowledgment of Receipt of Notice of Privacy Practices: form accompanying a covered entity's Notice of Privacy Practices.
Release of information (ROI): process followed by employees of covered entities when releasing patient information.

Slide 14: 2.3 HIPAA Privacy Rule (Continued)
Treatment, payment, and health care operations (TPO): under HIPAA, the three conditions under which patients' protected health information may be released without their consent.

Slide 15: 2.4 HIPAA Security Rule
HIPAA Security Rule: law that requires covered entities to establish administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of health information.
Electronic protected health information (ePHI): PHI that is created, received, maintained, or transmitted in electronic form.
- Regulations under the HIPAA Security Rule apply to ePHI.

Slide 16: 2.4 HIPAA Security Rule (Continued)
The HIPAA Security Rule contains requirements for three types of safeguards to prevent security breaches:
- Administrative
- Physical
- Technical
Encryption: process of converting electronic information into an unreadable format before it is distributed.

Slide 17: 2.5 HITECH Breach Notification Rule
Breach: under the HIPAA Privacy Rule, an impermissible use or disclosure that compromises the security or privacy of PHI and could pose a significant risk of financial, reputational, or other harm to the affected person.
Breach notification: document used by a covered entity to notify individuals of a breach of their PHI, required under the new HITECH breach notification rules.

Slide 18: 2.6 HIPAA Electronic Health Care Transactions and Code Sets, and National Identifiers
HIPAA Electronic Health Care Transactions and Code Sets (TCS): HIPAA rule governing the electronic exchange of health information.
- Establishes standards that apply to electronic formats, code sets, and identifiers.
ASC X12 Version 5010: updated electronic data standard for transmitting HIPAA X12 documents.
Code set: alphabetic and/or numeric representations for data.

Slide 19: 2.6 HIPAA Electronic Health Care Transactions and Code Sets, and National Identifiers (Continued)
HIPAA National Identifiers: HIPAA-mandated identification system for employers, health care providers, health plans, and patients.
National Provider Identifier (NPI): under HIPAA, the system for identifying all health care providers using unique ten-digit identifiers.

Slide 20: 2.7 Threats to Privacy and Security
Common threats to information security include:
- Utility failures
- Natural disasters
- Problems with computer systems and software
- Malware
- Identity theft
- Subversive employees or contractors
- Outsiders who try to damage or steal information
The HITECH Act makes business associates subject to the same privacy and security requirements as covered entities.

Slide 21: 2.8 Fraud and Abuse Regulations
Health Care Fraud and Abuse Control Program: government program, run by the Office of the Inspector General, to uncover misuse of funds in federal health care programs.
Fraud: intentional act of deception to take financial advantage of another person.
- Example: forging another person's signature on a check.

Slide 22: 2.8 Fraud and Abuse Regulations (Continued)
Abuse: actions that improperly use another person's resources.
- Abuse may or may not be intentional.
- Example: an ambulance service billing Medicare for transporting a patient to the hospital when the patient did not need ambulance service.

Slide 23: 2.9 Enforcement and Penalties
Several government agencies help to enforce HIPAA:
- Office for Civil Rights: handles civil violations
- Department of Justice: handles criminal violations
- Centers for Medicare and Medicaid Services: enforces all the HIPAA standards except the privacy and security standards
- Office of Inspector General: combats fraud and abuse in health insurance and health care delivery
Audit: formal examination or review.

Slide 24: 2.10 Compliance Plans
According to the OIG, a voluntary compliance plan should contain seven elements:
1. Consistent written policies and procedures
2. Appointment of a compliance officer and committee
3. Training plans
4. Communication guidelines
5. Disciplinary systems
6. Auditing and monitoring
7. Responding to and correcting errors

Slide 25: 2.10 Compliance Plans (Continued)
Common compliance documentation includes:
- Retaining written or electronic results of risk analysis
- Documenting the results of an audit
- Developing and implementing comprehensive privacy and security policies and procedures
- Documenting staff training and security incident threats