Ethics Week 8

What federal office is responsible for enforcement of the four laws discussed in this section?

Office of the Inspector General (OIG)

What are the key elements of protected health information?

PHI refers to information that contains one or more patient identifiers and can, therefore, be used to identify an individual. Examples are name, address, social security numbers, and photos.

One can only legally release PHI under six HIPAA-defined ___ .

Permissions

List the four HIPAA standards and briefly describe their purpose

Standard 1: Transactions and Code Sets—for uniformity in reporting Standard 2: Privacy Rule—for protecting PHI during electronic transmission Standard 3: Security Rule—for securing electronic storage and transmission against unauthorized intruders Standard 4: National Identifier Standards—provide uniform national identifiers for the movement of electronic transactions; the 4 identifiers are provider, health plan, employer, and individual

Briefly distinguish between the electronic medical record (EMR) and the electronic health record (EHR).

x

What is a risk analysis for purposes of protecting PHI?

A risk analysis is when CEs evaluate the likelihood and impact of potential risk to the PHI. CEs must implement appropriate security measures to address the risks found in the risk analysis. The rationale for adopting the chosen security measures must be documented.

What is a breach?

An impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI.

Which of the following might a health care practitioner suffer if convicted of the False Claims Act, the Federal Anti-Kickback Law, the Stark Law, or the Criminal Health Care Fraud Statute? a. A fine b. A prison sentence c. Loss of medical license d. All of these

D

Which of the following statements is true? a. The False Claims Act covers only hospitals. b. The Federal Anti-Kickback Law and the Stark Law are the same. c. The Criminal Health Care Fraud Statute has been repealed. d. The Federal Anti-Kickback Law and the Stark Law are not the same.

D

Check all statements below that are true of a Patients' Bill of Rights: Congress passed a general Patients' Bill of Rights in 2010, and it is now law. Under HIPAA's Patients' Bill of Rights, patients may sue. The Patients' Bill of Rights for the Patient Protection and Affordable Care Act applies to insurance companies. Some health care providers publish their own Patients' Bill of Rights. A Patients' Bill of Rights is enforceable under the Criminal Health Care Fraud Statute.

*The Patient's Bill of Rights for the Patient Protection and Affordable Care Act applies to insurance companies.*Some health care providers publish their own Patients' Bill of Rights.

A CE or BA must report a breach of ______ or more records to the media.

500

What is a breach of PHI?

A breach is any unauthorized acquisition, access, use, or disclosure of personal health information which compromises the security or privacy of such information

One of the best ways to ensure against loss or corruption of medical data is to a. Refuse to send any medical data electronically b. Back up all data regularly c. Send only paper records to recipients of medical data d. Never store medical data on a computer

B

What is the relationship between a CE and a BA?

Business associates provide services to covered entities.

A physician pays a long-term care administrator to refer all new Medicare and Medicaid patients to his medical practice. He is most likely to be accused of violating which federal law? a. HIPAA b. Gramm-Rudman Law c. Federal Anti-Kickback Law d. None of these

C

The False Claims Act provides for: a. Paying any legitimate Medicare or Medicaid bill b. Making it a criminal offense to defraud any health care benefit program c. People bringing claims to share in any court-awarded damages d. Jail sentences for all violators

C

The authority to administer the Security Rule of HIPAA rests with the a. FBI b. NSA c. OCR d. DOJ

C

Define covered entity and business associate.

Covered entities are health care providers who conduct administrative and financial transactions in electronic form. This includes all employees, volunteers, trainees, and all others who are under the control of the entity.

A breach of more than ______ records requires notification to the media. a. 200 b. 300 c. 400 d. 500

D

A risk analysis for the Security Rule is a. Done by the federal government b. Is voluntarily done by the health care organization c. Is done by the individual state d. Is a requirement for the health care organization

D

An entity may have violated the Stark Law if "yes" is answered to which of the following questions? a. Has a physician or a member of her family referred a Medicare or Medicaid patient to an entity? b. Is the referral for a "designated health service"? c. Is there a financial relationship between the referring physician or family member and the entity providing service? d. All of these

D

Medicare fraud is not easy to estimate. Which of the following does not contribute to the challenge of determining Medicare fraud? a. Fraud is often undetected and therefore difficult to quantify. b. Dollar amounts spent in a single incident of fraud are increasing. c. Fraudulent spending is not always separated from total health care dollars spent. d. Records are destroyed yearly.

D

Which of the following constitutes a data breach? a. A medical office computer is sold without erasing the hard drive. b. A hacker accesses a hospital's list of patients with HIV. c. A business-use laptop is stolen from a health insurance company executive while she is traveling. d. All of these

D

Define the six HIPAA-defined permissions.

Disclosures to patientsDisclosures for treatment, payment, or health care operationsDisclosures with opportunity to agree or objectSome incidental uses and disclosures permitted without authorizationDisclosures for public interest and benefit activitiesLimited data set disclosures

How might a health care provider show that their EHR was as safe as possible from a breach?

Documented risk analysis, along with evidence that problems have been fixed

What was the first federal law to deal explicitly with the privacy of medical records?

Health Insurance Portability and Accountability Act (HIPAA)

What are the key elements in a Notice of Privacy Practices?

How the CE may use and disclose an individual's PHI The patient's rights with respect to the information and how the patient may exercise those rights, with clear direction on how the patient may complain to the CE The CE's legal duties with respect to the information Whom patients can contact for further information

What must a Notice of Privacy Practices contain?

How the CE may use and disclose an individual's PHI • The patient's rights with respect to the information and how the patient may exercise those rights, with clear direction on how the patient may complain to the CE • The CE's legal duties with respect to the information • Whom patients can contact for further information

What information may be found in a Notice of Privacy Practices?

How the CE may use and disclose an individual's PHI; the patient's rights with respect to the information and how the patient may exercise those rights, with clear direction on how the patient may complain to the CE; the CE's legal duties with respect to the information; whom patients can contact for further information.

Which law usually prevails, federal or state, if a state law provides greater privacy protection than a federal law? Explain your answer.

If state law provides for greater privacy than HIPAA privacy standards and/or guarantees more patients' rights, the state law will take precedence

Name four considerations for protecting privacy when federal and/or state legislation is written.

Information collected and stored about individuals should be limited to what is necessary to carry out the functions of the business or government agency collecting the information; once collected, access to personal information should be limited to those employees who must use the information in performing their jobs; personal information cannot be released outside the organization collecting it unless authorization is obtained from the subject; when information is collected about a person, that person should know that the information is being collected and should have the opportunity to check the information for accuracy.

What types of legal convictions are most likely to exclude health care providers from participation in a federal health care program?

Medicare fraud Patient abuse or neglect Felony convictions for other health care related fraud, theft, or other financial misconduct Felony convictions for unlawful manufacture, Distribution, prescription, or dispensing of controlled substances

List at least three items that are considered patient identifiers.

NameAddressSocial security numberDriver's licensesPhotos

Are the Federal Anti-Kickback Law and the Stark Law exactly the same? Explain your answer.

No, the two laws are not exactly the same. Stark Law is specifically concerning those who own health care facilities from referring patients.

Patients with Alzheimer's disease twice every week, sat unsupervised inside a small room of a memory care facility watching the movie "Forrest Gump." Each time the patients sat in front of the tube watching the movie, the facility submitted insurance claims for providing "group therapy."Is this practice legal and appropriate, or is it an example of health care fraud?

No. It's health care fraud.

Check each activity listed below that is permitted by HIPAA without authorization, then list the understood provision in each permitted case. A nurse discusses a patient's medical tests with her over the telephone. Two medical assistants in a medical office discuss the medical care of a patient they both know. A medical office receptionist discusses a friend's medical treatment with her family at the dinner table. Two physicians debate the possible treatment of a patient's difficult disease. A health insurance salesman telephones a medical office to speak with a medical assistant "off the record."

Nurse discusses patient's medical tests with her over the telephoneTwo physicians debate the possible treatment of a patient's difficult diseaseThe understood provision is that no PHI is being revealed without the patient's permission

What does the Criminal Health Care Fraud Statute prohibit?

The Criminal Health Care Fraud Statute prohibits knowingly and willfully executing, or attempting to execute, a scheme intending to defraud any health care benefit program

The False Claims Act contains which distinguishing provision?

The Federal False Claims Act allows individuals to bring civil actions on behalf of the U.S. government for false claims made to the federal government, under a provision of the law called qui tam

Which U.S. Constitutional Amendments deal with the issue of privacy?

The First, Third, Fourth, Fifth, Ninth, and Fourteenth Amendments

Does the Constitution provide specifically for the protection of privacy? Explain your answer.

The word privacy does not specifically appear in the Constitution or the Bill of Rights. However, over the years the first, third, fourth, fifth, ninth, and fourteenth amendment have all been cited in support of privacy

T/F: According to HIPAA, health care providers and plans can use and disclose patient information (PHI), but they must identify a permission for each use and disclosure.

True: According to HIPAA, health care providers and plans can use and disclose patient information (PHI), but they must identify a permission or reason for each use and disclosure

t/f HIPAA of 1996 was the first federal legislation to deal thoroughly and explicitly with the privacy of medical records.

True: HIPAA of 1996 was the first federal legislation to deal thoroughly and explicitly with the privacy of medical records. To ensure compliance, HIPAA provides for civil and criminal sanctions for violators of the law.

John works as an LVN at a Hollywood, California, hospital. While distributing meds to the patients on his floor he noticed that the recently admitted patient in Room 402, named Jason Wilson, was really a well-known actor from a popular television series. John called his wife to tell her about the celebrity patient on his floor. Was John's statement to his wife a HIPAA violation?Can the actor sue for punitive damages?

Yes, John has violated HIPAA privacy provisions—even revealing that the celebrity is a patient is a violation of the HIPAA Privacy Rule. The HIPAA Privacy Rule does not give patients the express right to sue, but they have the right to file a complaint with the Secretary of Health and Human Services through the Office of Civil Rights. If John's infraction becomes known, he is definitely subject to disciplinary action which could even lead to his dismissal. If John's infraction leads to a wider release of the patient's health information which causes demonstrable damage, John and his employer could be objects of a civil suit.

A physician assistant convinced her patients that hypnotherapy could make them more receptive to medical treatment. Fortunately, she told them, she could conduct the hypnosis sessions in the office she used for consultations. The predominant insurance company for many of the PA's patients did not pay for "hypnotherapy," not was the physician assistant qualified to perform it, so she billed the sessions as office visits, at $100 to $125 per visit.Was the physician assistant committing health care fraud? Explain your answer.

Yes. The fact that she convinced them and she wasn't qualified

You are a medical records supervisor in a clinic. A pharmaceutical firm asks for data on patients with a certain diagnosis for a study of the numbers of people with the disease. Can you give it the information it asks for? If so, how will you provide the information?

You can only release patient information to the pharmaceutical company with the patient's permission, and if permission is given, you would release only a limited data set.

Would you most likely send a patient's electronic medical record or his electronic health record to a specialist collaborating on the patient's treatment with your physician employer?

You would send the electronic medical record (EMR).

Define protected health information.

information that contains one or more patient identifiers

What does the Security Rule require CEs and BAs to do?

• Ensure the confidentiality, integrity, and availability of all PHI they create, receive, maintain, or transmit; • Identify and protect against reasonably anticipated threats to the security or integrity of the information; • Protect against reasonably anticipated, impermissible uses or disclosures; and • Ensure compliance by their workforce.

What federal laws cover fraud and abuse within the health care business environment?

• False Claims Act • Provides for civil penalties for persons knowingly making false claims to the federal government for payment. • Whistle-blowers who report false claims can share in awards under qui tam. • Federal Anti-Kickback Law • Criminal law that prohibits arranging items of value as a reward for referrals of services paid for by the government health care system. • Stark Law • Physicians or members of their immediate families cannot refer patients to health care facilities they own if the government pays for care. • Criminal Health Care Fraud Statute • A section of the U.S. Code that makes it a criminal offense to knowingly defraud a health care benefit program.

What considerations do federal and state privacy laws share?

• First, Third, Fourth, Fifth, Ninth, and Fourteenth U.S. Constitutional Amendments • Health Insurance Portability and Accountability Act (HIPAA) of 1996 • American Recovery and Reinvestment Act (ARRA) of 2009 • Health Information Technology for Economic and Clinical Health Act (HITECH) • Patient Protection and Affordable Care Act (PPACA) of 2010 • Health Care and Education Reconciliation Act (HCERA) of 2010

Which U.S. constitutional amendments and privacy laws pertain to health care?

• First, Third, Fourth, Fifth, Ninth, and Fourteenth U.S. Constitutional Amendments • Health Insurance Portability and Accountability Act (HIPAA) of 1996 • American Recovery and Reinvestment Act (ARRA) of 2009 • Health Information Technology for Economic and Clinical Health Act (HITECH) • Patient Protection and Affordable Care Act (PPACA) of 2010 • Health Care and Education Reconciliation Act (HCERA) of 2010

What is a covered entity?

• Health care providers who conduct administrative and financial transactions in electronic form. This includes all employees, volunteers, trainees, and all others who are under the control of the entity.

What is a business associate?

• Individuals and/or organizations that provide certain functions, activities, or services on behalf of covered entities that involve access to or the use of disclosure of PHI.

What are the elements of protected health information?

• Past, present, or future physical or mental health condition • Documentation of the provision of health care • Past, present, or future payment for the provision of health care

How are patient rights defined under HIPAA, the Patient Protection and Affordable Care Act, and other state statutes?

• Patient Protection and Affordable Care Act (PPACA). Insurance companies must: • Phase out annual and lifetime limits to coverage. • No longer limit or deny coverage to patients under 19 with a preexisting condition. • Cover children up to age 26 on their parents' health insurance policy. • Phase out arbitrary withdrawals of insurance coverage. • End lifetime limits on benefits. • Cover preventable care at no cost. • Justify any raise in rates. • Remove insurance company barriers to emergency service. • Allow clients to file a complaint. • Other state statutes • Patient Bill of Rights may be found in some state statutes. Some health care organizations create a Patient Bill of Rights, but those do not have the full force of law.

How are patients' rights defined under HIPAA?

• Patients have the right to: • Access and copy medical records. • Request amendments/corrections to medical record. • Request a list of disclosures. • Request to be contacted at certain locations. • Put further restrictions on those who have access to PHI. • File a complaint. • Notice of Privacy Practice • Requires CEs to post privacy policies.

What are HIPAA's special requirements for disclosing protected health information?

• Protected health information (PHI) can be de-identified by removing certain patient identifiers. • Permissions are required for releasing PHI under six categories: • Disclosures to patients • Disclosures for treatment, payment, or health care operations • Disclosures with opportunity to agree or object • Some incidental uses and disclosures permitted without authorization • Disclosures for public interest and benefit activities • Limited data set disclosures