d050 Unit 5

¡Supera tus tareas y exámenes ahora con Quizwiz!

Year HIPAA was first enacted

1996

What is a PERM audit?

Reviews claims against medical records

ICD-9

These codes are the 9th revision to ICD codes. They are used to classify mortality statistics from death certificates from 1978 to 1999.

Which medical coding system is payment-based and identifies services provided for insurance companies?

CPT

Which organization offers legal enforcement of established practices of third-party payments?

The Department of Justice

Full name of HIPAA

The Health Insurance Privacy and Accessibility Act of 1996

Mid-1990s: The Kennedy-Kassebaum Bill

which will eventually be passed as HIPAA, is introduced and debated in Congress.

How many years can a Medicaid audit review?

4

Which is an eligibility requirement for third-party insurance?

A married individual covered under an employed or retired first party spouse

Current Procedural Terminology (CPT)

A medical payment-based coding system that identifies services provided for insurance companies.

Medicaid Recovery Audits (MRACs)

Audits post-payment procedures and claims

In the 1990s...

Children with disabilities, and their parents and caretakers, became eligible for services and prescription coverage was expanded.

Which is true regarding third-party administrators (TPAs)?

Collects insurance premiums.

Which Medicaid audit was established to monitor medical mistakes?

Comprehensive Error Rate Testing (CERT)

HIPAA Title I

Covers Health Care Access, Portability, and Renewability. This segment of the original HIPAA law stipulates that healthcare plans must charge the same premiums for all plan members, and once regulated exclusion period lengths for pre-existing conditions allowable within insurance plans. Title I also allow patients to take their healthcare with them when they voluntarily changed jobs.

Which act is focused on preventing Medicaid fraud and abuse?

Deficit Reduction Act

A healthcare worker views a patient's electronic health record (EHR) without a legitimate medical reason and tells a friend about the patient's condition. Which rule allows the Department of Health and Human Services to investigate the complaint?

Enforcement

Office of the Attorney General

Established new protocols for service and payment structures

Component of HIPAA Title I which was invalidated with the passage of the Affordable Care Act of 2010

Exclusion period for pre-existing conditions

CPT Code-Category II are the largest body of codes used by providers to report services and procedures

False

If an insurance company rejects a bill, the treating provider bills the federal government.

False

Insurance audits are conducted by hospital auditing firms and reported to the federal government.

False

The U.S relies on first-party insurance payment systems to manage and regulate healthcare payment services.

False

An accounting firm was informed that it and its associates must comply with HIPPA laws. It hires small and large vendors to assist in handling client accounts. What is true of this situation according to the Omnibus update of 2013?

HIPAA applies to independent contractors employed by covered entities

Law Enacted in 2009 which defined standards for how and when to notify patients of a breach of PHI security

HITECH Act

What entity is covered under HIPAA's most current set of rules and regulations?

Healthcare contractors and subcontractors

Comprehensive Error Rate Testing (CERT)

Identifies diagnosing and treatment errors and recoups funds when errors are identified

Zone Program Integrity Contractors (ZIPCs)

Identifies overpayments and handles legal processes

Arrange ICD-10 Character breakdown in sequence

Identifies the site of the disease/symptoms/infection on the body

Medicare Part A

Inpatient hospital coverage

Which audits conduct post-payment evaluations and claims?

MRAC

Why does a healthcare facility need to comply with conditions of participation from the Centers for Medicare and Medicaid Services?

Maintain inclusion in the programs

In 1986...

Medicaid begins offering healthcare coverage to low-income pregnant women.

Which is an organization based third-party?

Medicare

Medicare Part C

Medicare Advantage Plan

Part C and Part D Compliance and Audits

Medicare Advantage providers, prescription drug plan sponsors, and other service providers (hospice/long-term services) submit performance data to CMS and receive regular audit visits.

Part A Cost Report Audit & Reimbursement

Medicare providers are required to submit annual cost reports to the Medicare Administrative Contractor (MAC). These reports contain provider and patient information, utilization data, and total cost of services (Medicare costs and patient payments).

Sec. 1820

Medicare rural hospital flexibility program information

CMS

Monitors third-party healthcare insurance and payers

Rules enacted in 2013 which expanded the definition of "covered entities" under HIPAA

Omnibus Rules

Medicare Part B

Outpatient hospital coverage

2009: HITECH was passed

Passed as part of the American Recovery and Reinvestment Act of 2009, this addition to HIPAA established standards for what constitutes a breach of PHI security and how/when to notify parties affected by that PHI breach that it has occurred.

Which is an example of first-party service?

Patients receives services and pays co-pay

A hospital system housed its EHR servers at a remote location for all of its member hospitals to access remotely. The servers also routinely "backed up" EHR data to tape-based media to ensure accessibility in the event of server loss. A natural disaster befell the remote server location, but the hospital system was able to get EHR records back online within 30 minutes thanks to the tape-based backup. Which of the following describes this macro situation under HIPAA?

Physical security Electronic security Accessibility

Medicare Part D

Prescription Coverage

Deficit Reduction Act

Prevents Medicaid fraud and abuse

Which type of audit requires a provider to furnish documentation from previous patient records before a claim is paid?

Probe Audit

Medicare also has four savings plans

Qualified Medicare Beneficiary Program (QMB) Specified Low Income Medicare Beneficiary Program (SLMB) Qualified Individual Program (QI) Qualified Disabled & Working Individuals (QDWI) Each of these programs is federally funded and offers resources to help pay for Medicare premiums, deductibles, copayments, and coinsurance. In addition to meeting basic Medicare eligibility requirements, participants must receive Social Security benefits and meet specific standard income and resource requirements.

State Medicaid Fraud Control Units (MFCUs)

Recoups overpayments and oversee the investigation and/or criminal prosecutions

Which of the following mezzo situations under HIPAA places PHI data at risk for security breach and/or loss of data integrity?

Registering patients in an open area (such as the office lobby) without checking their photo identification

Health and Human Services

Regulates the accuracy of services rendered vs. services paid

ICD-11

Released in May 2019, ICD-11 codes provide multiple case studies and health analysis to compliment ICD-10.

Payment Error Rate Measurement (PERM)

Reviews claims against medical records to uncover errors

Mezzo setting

Securing PHI in provider groups, such as an individual medical practice, a single hospital department, a single health-insurance department, or other small healthcare group-based setting.

Macro setting

Securing large numbers of records containing PHI, and/or securing the transfer of these record(s) from one large setting to another (such as from hospital to hospital, between providers and insurance companies, or across large multi-party healthcare systems.)

Healthcare Providers

Should be prepared to support claims

The Centers for Medicare & Medicaid (CMS) uses reporting systems to regulate and monitor services to avoid fraud. Based on the CMS auditing process, which provision ensures compliance for Medicare billing services?

Submitting all claims within one year of service.

Which rule was passed to address HIPAA implementation concerns by setting civil money penalties and investigation procedures for violations?

The Enforcement Rule

In 1977...

The Health Care Financing Administration was created to manage Medicare and Medicaid Services. This provided the proper management over the division of services.

Layer II Second-Party

The insurance company/providers—this is the organization that manages the insurance policy.

Layer III Third-Party

The insurance policy—the policy is purchased by the first-party and managed by the second party

CPT Category III

These are temporary codes that are used to track emerging and experimental services and procedures. These codes can remain temporary for five years; and are then classified as Category I codes. Temporary codes are also used to classify new and holistic services/treatment.

ICD-10

These codes are the current ICD diagnostic and treatment medical codes. ICD-10 codes consist of three to seven alphanumeric characters that are used to describe a diagnosis. The character breakdown is as follows: The first three codes define the symptoms, infection, disease, and/or disorder Characters four through six identify the site of the disease/symptoms/infection on the body and the severity of the problem. The sixth character usually identifies the specific part of the body impacted (arm, wrist, leg, etc.) The seventh character identifies the continuation of the problem (e.g. initial problem, issue-based on treatment side effects, and/or a recurrent/acute illness).

CPT Category II

These codes track specific information about patients, such as medical and treatment history, and psychosocial outliers (smoking, homelessness, drug addiction, etc.). Category II contains ten code sections: a. Composite Measures (0001F - 0015F) b. Patient Management (0500F - 0584F) c. Patient History (1000F - 1505F) d. Physical Examination (2000F - 2060F) e. Diagnostic/Screening Processes or Results (3006F - 3776F) f. Therapeutic, Preventive, or Other Interventions (4000F - 4563F) g. Follow-up or Other Outcomes (5005F - 5250F) h. Patient Safety (6005F - 6150F) i. Structural Measures (7010F - 7025F) j. Non-Measure Code Listing (9001F - 9007F)

Violation due to willful neglect

This is a severe type of violation, in which a covered entity knew it was in violation of HIPAA regulations, yet chose not to correct the problem. An example would be a hospital system which had been informed by a HIPAA compliance consultant that its EHR system used unsecure and/or outdated levels of encryption, but chose not to rectify the situation. Fines for these types of violations may be as low as $10,000 to as high as $1.65 million per occurrence.

Violation from a reasonable cause

This is a violation that was of a relatively common threat type that most reasonable professionals should have planned for/trained against. An example of this type of violation at the mezzo level could include the improper sharing of PHI access passwords among staff. Fines for these types of violations can range from $1,000 to $1.65 million per occurrence, depending on the type of violation, and the size/resources of the covered entity.

CPT Category I

This is the largest body of codes used by providers to report services and procedures. There are six main sections: a. Evaluation & Management Services (99201 - 99499) b. Anesthesia Services (01000 - 01999) c. Surgery (10021 - 69990) - further broken down by body area or system within this code range d. Radiology Services (70010 - 79999) e. Pathology and Laboratory Services (80047 - 89398) f. Medical Services and Procedures (90281 - 99607)

Violation due to willful neglect: not corrected

This is the most severe type of HIPAA violation, which occurs when a covered entity engages in willful neglect of required HIPAA compliance, is ordered by an enforcement agency to correct it, and then fails to correct it. Fines for this violation type can range from $50,000 to $1.65 million annually per violation, and may also result in criminal prosecution.

Layer I First-Party

This refers to the insured person—the individual who purchases insurance from the insurance company.

2006: The Enforcement Rule

This rule established standardized civil penalties and guidelines for criminal prosecution for HIPAA violations. Prior to the establishment of the Enforcement Rule, few HIPAA violations were prosecuted. Once the rule was established, however, enforcement of HIPAA stepped up considerably, resulting in tens of thousands of civil/criminal enforcement actions.

2006: The National Provider Identifier (NPI) Rule

This rule helped to spur wider adoption of electronic health records (EHRs) by assigning every covered entity (healthcare providers, insurance companies, etc.) with a unique identification number that helps separate identifying information about that provider from the PHI record for greater security/portability and facilitates simpler sharing of electronic records between providers.

HIPAA Title II

This segment of HIPAA includes the Administrative Simplification (AS) provisions, including the Privacy Rule for "covered entities," which standardized and established patients' right to privacy of their PHI, whether those records were on paper or electronic. Title II triggered a graduated rollout of the following components between 2000 and 2006 (see Timeline Items 3-6). These components were intended to help prevent healthcare fraud and abuse.

Unknowing violation

This violation type occurs without the covered entity's knowledge and was likely unanticipated/unplanned for. A micro-level example might include an online attack of a doctor's office involving ransomware prior to the widespread knowledge of the existence of ransomware. Fines for these types of violations may be as low as $100 to as high as $1.65 million per occurrence, depending on the type of violation and size/resources of the covered entity.

Component of HIPAA passed in 1996 which allows patients to take their health insurance with them when they lose or change a job

Title I

Component of HIPAA passed in 1996 which has had many Rules and Amendment added surrounding prevention of fraud and abuse

Title II

Why did Public Law 92-603 expand the initial Medicare and Medicaid requirements for utilization review?

To establish a professional standards review process

Micro setting

Treatment of individual patients at a person-to-person level, and the secure handling of related PHI for individual patients during and between care encounters.

A violation due to willful neglect is a severe violation

True

HIPAA has established Administrative Rules

True

The State Children's Health Insurance Program provides insurance for their employees, employee spouses and children, and retired personnel.

True

Workers' compensations, self-insured plans, and pharmacy benefit managers are types of third-party insurance coverage.

True

A well-known NFL athlete comes to a hospital emergency room for treatment of a severe injury sustained during a Monday Night Football game that was broadcast on television. While the athlete is managed by an emergency physician, two nurses, and an orthopedic surgeon, several other nurses and administrative staff pass around a secured laptop containing the athlete's PHI and medical records. The nurse authorized to view the athlete's PHI shares her access password with the other staff so they can "stay updated" on the athlete's condition. All of the personnel viewing the PHI are big fans of the athlete's NFL team. Which of the following describes this micro situation under HIPAA?

Unauthorized Use/Access of PHI

The University of Texas MD Anderson Cancer Center failed to conduct itself in full compliance with HIPPA in 2018, after 3 unencrypted devices used to access PHI without appropriate security measures were lost. Moreover, an encryption policy had been in place several years before its unencrypted devices went missing. Which HIPPA regulation was violated?

Violation due to willful neglect: not corrected

Which is an example of a medical third-party?

Worker's compensation

2003: Congress passed the Security Rule

a new component of HIPAA legislation which governs standardization of security processes and procedures for all PHI. The Security Rule incorporates flexible requirements that allow healthcare providers to adopt new technologies while also protecting patient privacy. Providers of varying sizes have various security options and requirements which can be scaled up or down according to their available resources.

International Classification of Diseases (ICD)

a standard coding system used to record medical diagnoses and classify mortality illnesses and statistics.

Sec. 1806

an explanation of Medicare benefits

CERTS Audits

annual audits to ensure proper payments.

Office of the Attorney General

establishes new protocols for service and payment structures.

Probe Audits

evaluates past patient claims to determine payment equality.

1996: The Health Insurance Privacy and Accessibility Act of 1996

is passed by Congress and signed into law by President Bill Clinton, establishing for the first time citizens' right to privacy for their personal healthcare information (PHI), the right to easy accessibility to, and ownership of, that information, and better ability to take your health insurance with you when you change jobs or retire early.

Sec. 1805

provides information on the Medicare payment advisory commission

Sec. 1804

provides specific provisions for "Notice of Medicare benefits: Medicare and Medigap information"

The Department of Health and Human Services

regulates the accuracy of services rendered vs. services paid.

The Department of Justice

represents the legality of third-party payments and offers legal enforcement of established practices.

RAC audits (Recovery Audit Contractor)

reviews fee-for-service claims to recover money.

2000: The Transaction and Code Sets Rule

was established and rolled out under HIPAA Title II. This rule standardizes how healthcare transactions/related diagnoses are categorized, classified, and billed across all U.S. healthcare providers using the same diagnostic coding set (ICD codes).

2013: HIPAA Omnibus Rules

were enacted which expanded the definition of "covered entity" under HIPAA. Prior to the Omnibus Rules, only healthcare providers/hospitals/insurance companies were considered covered entities under HIPAA. Under the new rules, healthcare contractors and subcontractors (such as records-processing/storage companies, IT providers, marketing companies, and other service providers) who had access to PHI also became covered entities under HIPAA. This greatly expands the types of organizations who must adhere to HIPAA regulations.


Conjuntos de estudio relacionados

Chapter 8: Conducting Causal Research

View Set

Folders and Files - vocabulary & techniques

View Set

Muscle Excitation and Relaxation

View Set

Principles of Economics - Modules 4-7 Review

View Set

BASIC VEHICLE TECHNOLOGIES 2: ENGINES

View Set

Ch. 9 connect practice questions

View Set