EHR


Standard Code Sets

...

Must contain the following 3 types of safeguards to prevent breaches

1. Administrative:
>Implementing policies/procedures
>Security manager: risk assessment
>Educate staff to raise awareness of security & privacy issues
>*Creates* Sanction Policies: state the consequences of violations of security policies/procedures by employees, agents, contractors
>Backup plan to recover from a security breach

ICD-9-CM

Purpose: Codes for diseases, injuries, impairments & health-related problems

Goals of HIPAA security standards:

>Confidentiality of ePHI
>Integrity of ePHI
>Availability of ePHI

Administrative Simplification Provisions

>Encourage use of EDI (computer-to-computer exchange of routine business info using publicly available electronic standards)
>EDI used to exchange patient info with payers & clearinghouses
>Each exchange is a transaction, equivalent to a business document
>Not visible, similar to the process of an ATM

Disclosure for Treatment, Payment, & Health Care Operations (TPO)

>Health care team must follow the ROI process
>Rule says there are three everyday situations in which info can be used/disclosed without patient permission: TPO
>>*Treatment: providing/coordinating the patient's medical care; medical staff can discuss in the office with other physicians; lab/X-ray tech can call to obtain clarification
>>*Payment: exchange of info with health plans; medical office staff take required info from records to prepare claims
>>*Health care Operations: general business management functions needed to run the office, e.g. tracking/measuring adherence to quality standards, staff training & business planning

Breach Notification Procedures

>Involved parties in the breach exposure must be notified
>*Without unreasonable delay, no later than 60 days
>*If the breach is by a business associate, they must notify the covered entity
>*If it involves deceased patients, notify next of kin
>*If it involves 500 or more individuals, the Secretary of HHS must be notified without unreasonable delay
>*If the breach involves fewer than 500 individuals & poses a big financial risk or other harm to the patient, such as to reputation, an annual notice must be sent to the Secretary of HHS

HIPAA National Identifiers

>Mandates using certain identifying numbers in HIPAA transactions
>Identifiers: numbers of predetermined length and structure, such as SS#
>Two numbers have been set up, for employers & for providers; two yet to be established will be for patients & health plans

Physical Safeguards

>Mechanisms to protect electronic systems, equipment & data
>Devices limit physical access to facilities: *reinforced doors, locks, ID badge readers
>Control on files

Security requirements

>Protect privacy of patients' ePHI against unintended disclosure (breaches)
>*Administrative *Technical *Physical safeguards

*Designated Record Set (DRS): HIPAA states that a group of records is a DRS

>Record means any item, collection or grouping of info that includes PHI maintained by a covered entity; HIPAA term for a group of records: DRS
>For a provider, the DRS is the medical & billing records they maintain
>For health plans, it includes enrollment info, payment info, claim decisions & medical management systems

National Provider Identifier (NPI)

>Standard for identifying providers when filing claims/transactions
>Has nine numbers & a check digit = 10 digits
>Assigned by the Federal Government to physicians, nurses, pharmacists & provider organizations (hospitals, clinics, pharmacies)
>Maintained by CMS; once assigned, the number does not change and remains with the provider regardless of job location changes

2nd Part: HIPAA Security Rule

Administrative Simplification provisions, enacted 2005

Three parts to HIPAA's Administrative Simplification provisions

1. HIPAA Privacy Rule: covers paper, electronic or other forms
2. HIPAA Security Rule: administrative, technical & physical safeguards required to protect patients' EHR
3. HIPAA Electronic Transactions & Code Sets standards: requires all providers using electronic systems to use the same health care transactions, code sets & identifiers

COVERED ENTITIES: Three types of covered entities follow the regulations

1. Health plans: government/private payer plans
2. Health care providers: people or organizations that furnish, bill or are paid for health care (hospitals, nursing homes, home health agencies, labs, etc.)
3. Health care clearinghouses: CE that helps providers process health info & execute electronic transactions; insurance claims are processed by converting them into a format meeting HIPAA standards

CPT

Purpose: Codes for procedures or other actions taken to prevent, diagnose, treat or manage diseases, injuries & impairments

HCPCS (Healthcare Common Procedures Coding System)

Purpose: Codes for other medical services

Breaches that occur from "unsecured" health info held by covered entities or business associates

>HITECH requires providers, health plans & other entities covered by HIPAA to notify individuals that their health info has been compromised
>Monetary penalties for privacy & security violations
>Compliance checks overseen by the CPO under the Office of the National Coordinator for HIT, 2/2010

As the use of EHRs grows, the HITECH Act will increase protection by implementing:

>new breach notification requirements
>higher monetary penalties for violations &
>greater enforcement of the Privacy & Security Rules

Breach Notification Form

>Brief description of what happened, date of breach & date of discovery
>Description of the types of unsecured PHI involved: SS#, DOB, home address, account #, disability code
>Steps the individual should take to protect themselves from potential harm resulting from the breach
>Brief description of what the entity is doing to investigate the breach, mitigate losses & protect against further breaches
>Contact procedures for those with questions, including a toll-free #, e-mail address, website or mailing address
The Secretary of HHS is required to annually prepare & submit to Congress a report regarding the breaches and all enforcement actions taken.

Technical Safeguards: *Passwords

>Control access via *Firewalls *Intrusion Detection Systems *Access control: RBAC (Role-Based Access Control) *Encryption & anti-virus software

Notice of Privacy Practices & Acknowledgement

>Each practice must have a written explanation of its privacy practices, called the NPP (Notice of Privacy Practices)
>Must be given out at the patient's 1st contact/encounter with the facility & every 3 years after
>Compliance: keep track of when patients receive the form; to do this:
>Acknowledgment of Receipt of Notice of Privacy Practices *States that the patient has read & understands how the provider intends to protect PHI *Can be in paper or electronic format

The 1st Part: HIPAA Privacy Rule: **NPP (Notice of Privacy Practices)

>Enacted on 4/14/2003
>*Covered entity must:
>Set privacy practices that fit their health care services
>Inform patients about their privacy rights and how info is used or disclosed
>Train employees so they understand the rules
>Appoint a privacy officer who sees that privacy practices are adopted/followed
>Safeguard the patients' records

Prevent Breaches

>Keeps PHI secure by making it *unusable, unreadable or indecipherable* to unauthorized individuals through the use of specified technologies/methods

BUSINESS ASSOCIATES: Individuals or businesses whose services involve use or disclosure of personal health info to perform a function or activity on behalf of a covered entity; not part of the covered entity's workforce

>Law firms >Accountants >Benefits management companies >IT contractors >Medical transcription >Compliance consultants >Collection agencies >Credit bureaus >Temporary office personnel >Pharmacy chains
Rules now cover these outside sources with the same penalties as covered entities. Keep private & secure!

Request restrictions on use/disclosure of PHI

>NEW:
>*Accounting of disclosures: patients are permitted to ask for an accounting of disclosures, including TPO, over the preceding 3 years (vs. the preceding 6 years, which did not include TPO)
>*Restrict access to some PHI: a patient who has paid in full can ask the provider not to release info to the health plan for purposes of carrying out payment/health care operations. The provider MUST COMPLY with the patient's request; under the previous HIPAA rule the covered entity could deny the patient's request.

*Minimum Necessary Standard

>ONLY information that is pertinent to the particular issue

*Rule covers use/disclosure of pts PHI

>PHI: individually identifiable health info transmitted or maintained by electronic media or in any other form or medium
>Privacy Rule applies to PHI in ANY form: communicated verbally, written, printed or maintained in electronic format

Exceptions to Disclosure Standards

>Privacy rules do not apply to: public health, law enforcement, research, workers' comp, national security situations
>Evidence in a court of law
>De-identified health information
>State statutes: follow the most stringent

Accounting for Disclosures

>Patients have the right to an accounting of to whom & where their PHI has gone
>Offices are required to keep a disclosure log in each chart

HIPAA Employer Identifier & National Provider Identifier standards mandate:

>Use of certain identifying numbers by employers that sponsor health plans & by providers
>Goal of the standards: increase the efficiency of conducting business in health care; once fully implemented in the HC industry, exchange of info becomes faster, more efficient & accurate
>All administrative teams use diagnosis & procedure codes to communicate the reason for patient services. Understanding the different standards & changes to them is an important part of your job

Employer Identification Number (EIN)

>Issued by the IRS to identify employers in electronic transactions since 7/2002
>EIN used when employers enroll/dis-enroll employees in a health plan (X12 834) or
>make premium payments to plans on behalf of employees (X12 820)

3rd Part of the Administrative Simplification Provisions: HIPAA Electronic Health Care Transactions & Code Sets & National Identifiers

Applies to electronic formats, code sets & identifiers. All providers using electronic billing are required to use the same format for their transactions & the same code sets for diagnoses, procedures & supplies

Data Standard for HIPAA Transactions

>ASC X12 Version 4010: prescribes the character sets & data elements used in the exchange of documents, and provides rules for the structure of documents (*now ASC X12 Version 5010)
>ANSI (American National Standards Institute): organization that sets standards for electronic data interchange at the national level
>ASC X12 (Accredited Standards Committee X12), Insurance Subcommittee (ASC X12N): ANSI-accredited organization that develops/maintains the administrative & financial electronic transaction standards adopted under HIPAA
>ASC X12 Version 5010*: implemented in 01/2012 & includes updated standards for claims, RAs, eligibility inquiries, referral authorizations & administrative transactions; the standards specify more precisely the data that is needed, collected & transmitted
>*Accommodates use of two new code sets for reporting health care diagnoses & inpatient procedures

Authorization Document

Easy to read/complete

Release by any method:

Info for TPO may be released in writing, orally, by fax or by email

HITECH Act

Provision of ARRA (2/17/2009) that extends/reinforces HIPAA regulations. Its major provision relates to the privacy & security standards

Standard Transactions

This is information sent back & forth electronically between providers, health plans & employers:
>Electronic claims
>Payments
>Forms used to verify patients' insurance coverage

Focus: specifically EHRs. Also known as HIPAA Title II.

To protect health info on computer networks, the Internet & electronic storage media.
