HIPAA Review
By the Office of Civil Rights (OCR)
How will compliance with HIPAA be enforced?
1. ICD-9-CM (International Classification of Diseases, 9th edition, Clinical Modification) 2. CPT-4 (Current Procedural Terminology, 4th edition) and HCPCS (Health Care Financing Administration Common Procedure Coding System) 3. HCPCS: designated code set for supplies and equipment, medical supplies, orthotic and prosthetic devices and DME 4. CDT-2 (Current Dental Terminology)
What are 4 code sets commonly used today?
breach
an impermissible disclosure of PHI that compromises the security or privacy of the patient.
1. Privacy 2. Security 3. Transactions 4. Code Sets
as of today, compliance is required with which regulations?
1. to obtain payment 2. to a public health authority 3. for worker's compensation 4. use of email 5. how to complain 6. any state law requirements
some of the uses and disclosures of the NPP include...
Persons or companies that do work for a covered entity that requires them to have access to individually identifiable health information
what are business associates?
organizations that are directly affected and must comply with the regulations
what are covered entities?
designated standard formats for certain electronic transactions and designated standard code sets for diagnoses, procedures, drugs, and biologics
what are covered transactions?
1. Name a Privacy officer 2. train workers in privacy 3. have a complaint process 4. sanction policy 5. refrain from intimidating or retaliatory acts 6. privacy policies and procedures
what are some administrative requirements?
civil and criminal
what are the 2 categories of HIPAA violations?
1. protection of health information that identifies individuals 2. individually identifiable health information
1. what is the "Administrative Simplification" part of HIPAA? 2. What does HIPAA call the information?
1. An individual's permission is obtained 2. Disclosure is specifically permitted under HIPAA
PHI may not be used or disclosed unless...
notice of privacy practice
A document that explains your organization's rules for releasing a patient's medical information is
Treatment, payment, or healthcare operations
Providers are not required to get patient consent to use or disclose information for...
1. Providers with more than 10 full time employees must file claims electronically with medicare 2. must use the designated standard formats if they choose to conduct any of the covered transactions
Providers are not required to perform any covered transactions electronically; however,...
1. Don't share access devices 2. Collect keys, badges, and other access devices when an employee leaves; access codes should be changed 3. Angle your computer away from public access 4. Keep all PDAs, laptops, and media locked up when not in use 5. Lock all desks, files, and doors as appropriate for security.
What are some guidelines to follow to help keep information physically secure?
1. Providers 2. Employers 3. Health Plans 4. Individuals
What are the 4 groups that help unique identifiers?
1. Healthcare claims or equivalent encounter information 2. Healthcare payment and remittance advice 3. Coordination of benefits 4. Healthcare claims status 5. Enrollment and dis-enrollment 6. Eligibility for a health plan 7. Health plan premium payments 8. Referral certification and authorization
What are the 8 covered transactions with standards?
1. Receive notice about a covered entity's privacy practices 2. Restrict the use or disclosure of PHI 3. Access health information 4. Request amendments to health information 5. Obtain an accounting of the uses and disclosures of PHI
What are the individual's rights under HIPAA?
1. psychotherapy notes 2. information compiled for a civil, criminal or administrative action or proceeding 3. PHI subject to the Clinical Laboratory Improvements Act (CLIA)
What do individuals NOT have access to?
expanded penalties for HIPAA violations and added numerous additional notification requirements for breaches of unsecured protected health information. It also extended many of the HIPAA privacy and security requirements and penalties for non-compliance to business associates.
What does the ARRA do?
to protect an individual's privacy and confidentiality of their health information. Individuals must be assured that the information they share with us will not be used or disclosed in an unauthorized manner.
What is YOUR main role?
designed to protect the confidentiality of health information and give individuals more control over how their information is used
What is the privacy standard?
1. Must be able to perform that function in the standard format 2. Cannot refuse to conduct a transaction as a standard transaction 3. Cannot delay processing a transaction if it is submitted in the standard format
When a health plan performs covered transactions it....
1. description of the information to be disclosed 2. purpose of the request 3. date or event upon which the authorization will expire 4. statement explaining the individual's right to revoke the authorization in writing and how to do so 5. statement that the information may be subject to re-disclosure and may no longer be protected 6. name the person or organization authorized to make the disclosure 7. person or organization to which the disclosure may be made
elements that must be included in an authorization to use or disclose health information:
a fine or criminal prosecution
failure to comply with the regulations may result in...
24 months from the regulations effective date
how long are covered entities given to come into compliance?
streamlining administrative processes and increasing the use of technology
how will the goal of administrative simplification be achieved?
1. Administrative: formal, documented practices to protect ePHI (includes policies and procedures to manage conduct of users) 2. Physical: procedures to protect computer systems, buildings and other equipment from fire and other natural and environmental hazards as well as intrusion 3. Technical: processes to control and monitor access to ePHI, such as passwords, as well as to limit unauthorized access to data that is transmitted over a communications network
what are the 3 safeguards categories for information security?
1. Misuses a unique health identifier or makes an unauthorized release of health information ($25,000 and 1 year prison) 2. Obtaining information under false pretenses ($100,000 and 5 years prison) 3. Intent to sell, transfer, or use information for personal gain or malicious harm ($250,000 and 10 years prison)
what are the 3 types of criminal penalties? (compliance violations)
1. The person didn't know and exercised reasonable diligence 2. Reasonable cause and not willful neglect 3. willful neglect that is later corrected 4. willful neglect that is not corrected
what are the 4 tiers of Civil Monetary Penalties? (Compliance Violations)
1. Electronic Transactions 2. Code Sets 3. Unique Identifiers 4. Privacy 5. Security
what are the 5 key areas of administrative simplification?
1. User, application and network passwords 2. access to certain parts of an individual's health record 3. password-protected screensaver 4. automatic log-off procedures
what are the minimum necessary rules for the system controls?
electronic exchanges of information between two parties to carry out financial or administrative activities, including over the internet, dial-up lines, private networks, etc.
what are transactions under HIPAA?
1. Health Plans: self-funded employer plans and government programs like Medicare and Medicaid 2. Healthcare Providers: transmit electronic transactions known as covered transactions 3. Healthcare Clearinghouses: translate healthcare electronic transactions between non-standard and standard transactions 4. Medicare Part D: provides prescription drug coverage to Medicare beneficiaries.
what do covered entities include?
identity of the employees, patients, and vendors
what do good HIPAA practices protect?
provides a framework for covered entities to develop information security programs
what do security standards do?
the federal law and the different sets of federal regulations issued by the Department of Health and Human Services (HHS)
what does HIPAA cover?
health insurance portability and accountability act of 1996
what does HIPAA stand for?
meeting the goals of confidentiality, integrity, and availability (CIA) by instituting and following policies that balance information integrity and confidentiality against cost, usability and availability
what does effective information security consist of?
reduce healthcare costs
what is HIPAA's focus on administrative simplification?
a federal law that addresses many healthcare issues including insurance benefits, medical savings accounts, fraud, and abuse
what is HIPAA?
Finding out who their health information was shared with within 6 years prior
what is an accounting of disclosures?
all activities undertaken to protect information assets from misuse, theft, destruction, or damage
what is information security?
Identity theft
what is one big risk that comes with putting patient information on computers?
American Recovery and Reinvestment Act of February 17, 2009
what is the ARRA?
notice to explain the individual's rights and the covered entity's legal duties with respect to protected health information
what is the Notice of Privacy Practices? (NPP)
the right to access the records used to make decisions about themselves
what is the designated record set?
Authorization is written permission allowing the covered entity to disclose protected health information to a specific outside entity for a specific purpose. Consent is general written permission allowing the covered entity to use and disclose protected health information for treatment, payment, and healthcare operations
what is the difference between authorization and consent?
let people take their health insurance benefits with them when they change jobs or leave the workplace
what is the main focus of HIPAA?
enrollment records, payment records, claims adjudication records, case or medical management records
what type of access do health plans have for PHI?
medical and billing records
what type of access do providers have for PHI?
they are used to determine if there are unusual activities happening at either a system level or a user level
why is auditing and audit trails needed?
to expand the reach of the regulations beyond the covered entities
why was the concept of "business associates" created?