1 Medicolegal Issues and the Pharmacy Chapter 2 © 2010 The McGraw-Hill Companies, Inc. All rights reserved.
Chapter 22 Key Terms Abuse Audit Authorization Business associate Centers for Medicare and Medicaid Services (CMS) Clearinghouses Code set Compliance plans Corporate integrity agreement Covered entities Current Procedural Terminology (CPT) De-identified health information
Chapter 23 Key Terms (Continued) Designated record set (DRS) Encryption Fraud Health care Common Procedure Coding System (HCPCS) Health Care Fraud and Abuse Control Program Health Insurance Portability and Accountability Act (HIPAA) of 1996
Chapter 24 Key Terms (Continued) HIPAA Electronic Health Care Transactions and Code Sets (TCS) HIPAA National Identifiers HIPAA Privacy Rule HIPAA Security Rule ICD-9-CM Medical records Minimum necessary standard National Provider Identifier (NPI) NCPDP Provider Identification Number Notice of Privacy Practices (NPP)
Chapter 25 Key Terms (Continued) Office for Civil Rights (OCR) Office of the Inspector General (OIG) Password Protected Health Information (PHI) Qui tam Relator Respondeat superior Subpoena Subpoena duces tecum Transaction Treatment, payment, and health care operations (TPO)
Chapter 26 Healthcare Regulation Both federal and state governments pass laws affecting the medical services offered to patients to protect their health Laws are also passed to protect the privacy of their health information and practices relating to this matter Pharmacy technicians must correctly handle patient’s health information
Chapter 27 Healthcare Regulation (Cont.) Federal Regulation The Centers for Medicare and Medicaid Services (CMS) is the federal agency that regulates health care, and performs many functions: Regulating laboratory testing Preventing discrimination Researching effectiveness Evaluating health care quality
Chapter 28 Healthcare Regulation (Cont.) State Regulation States are major regulators of the health care industry Insurance companies must have a license States may govern health care pricing, policies, and situations in which coverage has been cancelled
Chapter 29 Pharmacy Records Patients’ medical records are stored in the pharmacy practice Patients control the amount and type of information that is released, excellent for legitimate pharmacy business uses Pharmacy insurance technician specialists handle request for information and must know what information can legally be shared with what entities
Chapter 210 Pharmacy Records (Cont.) HIPAA's Administrative Simplification Provisions: HIPAA Privacy Rule - covers patients’ health information HIPAA Security Rule – states the requirements to protect patients’ health information HIPAA Electronic Transaction and Code Sets Standards – regulates transactions, code sets, and identifiers
Chapter 211 Complying With HIPAA Covered entities are health care organizations required by law to obey HIPAA regulations Health plans – provider/payer of medical care and pharmacy benefits Health care clearinghouses – help providers with electronic transactions Health care providers - people or organizations that furnish, bill, or are paid for health care
Chapter 212 Complying With HIPAA (Cont.) Business Associates Through agreements with their business associates, covered entities must perform their work as required by HIPAA Includes law firms, accountants, information technology contractors, transcription companies, compliance consultants, and collection agencies
Chapter 213 HIPAA Privacy Rule First comprehensive federal protection for the privacy of health information The rule states covered entities must: Have a set of privacy practices Notify patients about their rights Train employees to know the policies Appoint a privacy official Safeguard patients’ records
Chapter 214 Disclosure For TPO Patients’ PHI may be distributed for treatment, payment, and health care operations Treatment - providing and coordinating the patient’s medical care Payment - exchange of information with health plans Health care operations - general business management functions
Chapter 215 Minimum Necessary Standard Refers to taking reasonable safeguards to protect PHI from incidental disclosure Only the information the recipient needs to know is given Necessary faxing/ ing between physicians Patients’ family member picks up pharmacy supplies and a prescription
Chapter 216 Designated Record Set Refers to the medication and billing records the pharmacy maintains, within which patients have the right to: Access, copy, and inspect their PHI Request amendments to their PHI Obtain accounting of most disclosures Receive pharmacy communications from other means (i.e. Braille) Make legitimate complaints
Chapter 217 Notice of Privacy Practices Covered entities must give each patient a notice of privacy practice at the first contact or encounter Document must also be clearly posted in the pharmacy Explains how patients’ PHI may be used and describes their rights
Chapter 218 Authorizations To release information for use other than for TPO, the covered entity must have the patient sign an authorization Information about substance abuse, STDs or HIV, and behavioral/mental health services may not be released without an authorization from the patient Authorizations contain all valid information and must follow set rules
Chapter 219 Requests for Information Other Than for TPO There are some exceptions for releases: Court Orders – PHI may be released for a judicial order, such as a subpoena Workers’ Compensation Cases - state law may provide for release of records to employers Statutory Reports – released to state health or social services departments Research Data – approved researchers
Chapter 220 De-identified Health Information There are no restrictions on the use or disclosure of de-identified health information This information neither identifies nor provides a reasonable basis to identify an individual Specific patient identifiers (names, record numbers, etc.) must be removed
Chapter 221 State Statutes Some state statutes are more stringent than HIPAA specifications State statutes may differ from HIPAA in some areas: Designated record set Psychotherapy notes Rights of inmates Information complied for civil, criminal, or administrative court cases
Chapter 222 HIPAA Security Rule Requires covered entities to establish safeguards to protect PHI Specifies how to guard data on computers and PC networks, the Internet, and storage disks Security measures rely on encryption, the process of encoding information in such a way that only the person (or computer) with the key can decode it
Chapter 223 Security Measures A number of other security measures help enforce the HIPAA Security Rule: Access control, passwords, and log files to keep intruders out Backups to replace items after damage Security policies to handle violations that do occur
Chapter 224 Access Control, Passwords, and Log Files Role-based access limits access so that only people who need information can see it Users must enter a user ID and a password to access information Passwords must be carefully selected Words, sequences, or ID numbers should not be used Numbers and symbols are effective They should be changed periodically
Chapter 225 Other Security Measures Backups - information should be backed up, which is the activity of copying files to another medium so that they will be preserved in case the originals are no longer available Security Policies - pharmacies have security policies that inform employees about their responsibilities for protecting electronically stored information
Chapter 226 Standard Code Sets A code set is any group of codes used for encoding data elements There are several relevant code sets: ICD-9-CM – used for diagnoses Current Procedural Terminology data set –physician procedures and services Healthcare Common Procedure Coding System – reporting supplies, devices, and durable medical equipment
Chapter 227 HIPAA National Identifiers An identifiers is a unique number of predetermined length and structure HIPAANational Identifiers are for: Employers Health care providers Health plans Patients
Chapter 228 National Provider Identifier (NPI) The standard for the identification of providers when filing claims and other transactions Consists of nine numbers and a check digit Assigned by the federal government to individual providers Note that the NPI does not replace the NCPDP Provider Identification Number
Chapter 229 Other Legislation Affecting Pharmacy Medicare Prescription Drug Improvement and Modernization Act of 2003 (MMA) Provided seniors and individuals with disabilities access to prescription drug plans, with more choices, and better benefits under Medicare E-prescribing – enables physicians to send more efficient claims electronically Electronic health record – enables easily accessible PHI for multiple physicians
Chapter 230 Other Legislation Affecting Pharmacy (Cont.) Freedom of Choice Pharmacy law that focuses on the plan member and the pharmacy or pharmacist Allows the member to select a pharmacy of choice Patient cannot be financially penalized for obtaining benefits at a nonparticipating provider
Chapter 231 Other Legislation Affecting Pharmacy (Cont.) Prescription Drug Equity Act of 1997 Prohibits a prescription drug plan from providing mail order coverage without also providing non-mail order prescription benefits Allows the patient to obtain benefits from a participating community pharmacy, not just through mail order
Chapter 232 Other Legislation Affecting Pharmacy (Cont.) Antitrust/Exclusive Pharmacy Contracts Exclusive contracts exist when a pharmacy in a particular area contracts with a benefit plan to be the only provider for plan members Must not violate antitrust laws in order to be legal
Chapter 233 Fraud and Abuse Regulations The Health Care Fraud and Abuse Control Program Created by HIPAA to uncover and prosecute fraud and abuse The HHS Office of the Inspector General (OIG) has the task of detecting health care fraud and abuse and enforcing all related laws
Chapter 234 Fraud and Abuse Regulations (Cont.) The federal False Claims Act (FCA) Prohibits submitting a fraudulent claim or making a false statement or representation in connection with one Encourages reporting suspected fraud and abuse against the government by protecting people against employer retaliation
Chapter 235 Fraud and Abuse Regulations (Cont.) Additional laws relating to health care exist to help control fraud and abuse Antikickback statutes Self-referral prohibitions The Sarbanes-Oxley Act of 2002 State laws
Chapter 236 Definition of Fraud and Abuse Fraud is an act of deception used to take advantage of another person Fraudulent acts are intentional; the individual expects an illegal or unauthorized benefit to result In federal law, abuse means an action that misuses money that the government has allocated May include billing for services that were not medically necessary
Chapter 237 Examples of Fraudulent and Abusive Acts The stealing of prescription pads Patients altering a prescription Drug abusers giving incorrect phone numbers to represent physicians Intentionally billing for services that were not performed or documented Reporting services at a higher level than was carried out
Chapter 238 Enforcement and Penalties HIPAA privacy regulations are enforced by the Office for Civil Rights (OCR) Covered entities must comply and give the OCR access to its facilities, books, records, and systems for investigations The Office of the Inspector General (OIG) enforces rules relating to fraud and abuse OIG has the authority to investigate suspected fraud cases and to audit the records of providers and payers
Chapter 239 Compliance Plans Pharmacy practices must be sure that all staff members follow billing rules A compliance plans sets up the steps needed to: Audit and monitor compliance Have consistent policies and procedures Provide ongoing staff training and communication Respond to and correct errors
Chapter 240 Compliance Plans (Cont.) Goals of Compliance Plans Prevent fraud and abuse Ensure compliance with all laws Help defend the practice if investigated or prosecuted for fraud Compliance plans demonstrate to outside investigators that the practice has made honest, ongoing attempts to find and fix weak areas
Chapter 241 Compliance Plans (Cont.) Seven Components of Compliance Plans: 1.Consistent written policies and procedures 2.Appointment of a compliance officer and committee 3.Training 4.Communication 5.Disciplinary systems 6.Auditing and monitoring 7.Responding to and correcting errors