d050 Unit 5
Year HIPAA was first enacted
1996
What is a PERM audit?
Reviews claims against medical records
ICD-9
These codes are the 9th revision to ICD codes. They are used to classify mortality statistics from death certificates from 1978 to 1999.
Which medical coding system is payment-based and identifies services provided for insurance companies?
CPT
Which organization offers legal enforcement of established practices of third-party payments?
The Department of Justice
Full name of HIPAA
The Health Insurance Privacy and Accessibility Act of 1996
Mid-1990s: The Kennedy-Kassebaum Bill
which will eventually be passed as HIPAA, is introduced and debated in Congress.
How many years can a Medicaid audit review?
4
Which is an eligibility requirement for third-party insurance?
A married individual covered under an employed or retired first party spouse
Current Procedural Terminology (CPT)
A medical payment-based coding system that identifies services provided for insurance companies.
Medicaid Recovery Audits (MRACs)
Audits post-payment procedures and claims
In the 1990s...
Children with disabilities, and their parents and caretakers, became eligible for services and prescription coverage was expanded.
Which is true regarding third-party administrators (TPAs)?
Collects insurance premiums.
Which Medicaid audit was established to monitor medical mistakes?
Comprehensive Error Rate Testing (CERT)
HIPAA Title I
Covers Health Care Access, Portability, and Renewability. This segment of the original HIPAA law stipulates that healthcare plans must charge the same premiums for all plan members, and once regulated exclusion period lengths for pre-existing conditions allowable within insurance plans. Title I also allows patients to take their healthcare with them when they voluntarily change jobs.
Which act is focused on preventing Medicaid fraud and abuse?
Deficit Reduction Act
A healthcare worker views a patient's electronic health record (EHR) without a legitimate medical reason and tells a friend about the patient's condition. Which rule allows the Department of Health and Human Services to investigate the complaint?
Enforcement
Office of the Attorney General
Established new protocols for service and payment structures
Component of HIPAA Title I which was invalidated with the passage of the Affordable Care Act of 2010
Exclusion period for pre-existing conditions
CPT Code-Category II are the largest body of codes used by providers to report services and procedures
False
If an insurance company rejects a bill, the treating provider bills the federal government.
False
Insurance audits are conducted by hospital auditing firms and reported to the federal government.
False
The U.S. relies on first-party insurance payment systems to manage and regulate healthcare payment services.
False
An accounting firm was informed that it and its associates must comply with HIPAA laws. It hires small and large vendors to assist in handling client accounts. What is true of this situation according to the Omnibus update of 2013?
HIPAA applies to independent contractors employed by covered entities
Law enacted in 2009 which defined standards for how and when to notify patients of a breach of PHI security
HITECH Act
What entity is covered under HIPAA's most current set of rules and regulations?
Healthcare contractors and subcontractors
Comprehensive Error Rate Testing (CERT)
Identifies diagnosing and treatment errors and recoups funds when errors are identified
Zone Program Integrity Contractors (ZPICs)
Identifies overpayments and handles legal processes
Arrange ICD-10 Character breakdown in sequence
Identifies the site of the disease/symptoms/infection on the body
Medicare Part A
Inpatient hospital coverage
Which audits conduct post-payment evaluations and claims?
MRAC
Why does a healthcare facility need to comply with conditions of participation from the Centers for Medicare and Medicaid Services?
Maintain inclusion in the programs
In 1986...
Medicaid begins offering healthcare coverage to low-income pregnant women.
Which is an organization-based third party?
Medicare
Medicare Part C
Medicare Advantage Plan
Part C and Part D Compliance and Audits
Medicare Advantage providers, prescription drug plan sponsors, and other service providers (hospice/long-term services) submit performance data to CMS and receive regular audit visits.
Part A Cost Report Audit & Reimbursement
Medicare providers are required to submit annual cost reports to the Medicare Administrative Contractor (MAC). These reports contain provider and patient information, utilization data, and total cost of services (Medicare costs and patient payments).
Sec. 1820
Medicare rural hospital flexibility program information
CMS
Monitors third-party healthcare insurance and payers
Rules enacted in 2013 which expanded the definition of "covered entities" under HIPAA
Omnibus Rules
Medicare Part B
Outpatient hospital coverage
2009: HITECH was passed
Passed as part of the American Recovery and Reinvestment Act of 2009, this addition to HIPAA established standards for what constitutes a breach of PHI security and how/when to notify parties affected by that PHI breach that it has occurred.
Which is an example of first-party service?
Patient receives services and pays co-pay
A hospital system housed its EHR servers at a remote location for all of its member hospitals to access remotely. The servers also routinely "backed up" EHR data to tape-based media to ensure accessibility in the event of server loss. A natural disaster befell the remote server location, but the hospital system was able to get EHR records back online within 30 minutes thanks to the tape-based backup. Which of the following describes this macro situation under HIPAA?
Physical security, Electronic security, Accessibility
Medicare Part D
Prescription Coverage
Deficit Reduction Act
Prevents Medicaid fraud and abuse
Which type of audit requires a provider to furnish documentation from previous patient records before a claim is paid?
Probe Audit
Medicare also has four savings plans
Qualified Medicare Beneficiary Program (QMB); Specified Low Income Medicare Beneficiary Program (SLMB); Qualified Individual Program (QI); Qualified Disabled & Working Individuals (QDWI). Each of these programs is federally funded and offers resources to help pay for Medicare premiums, deductibles, copayments, and coinsurance. In addition to meeting basic Medicare eligibility requirements, participants must receive Social Security benefits and meet specific standard income and resource requirements.
State Medicaid Fraud Control Units (MFCUs)
Recoups overpayments and oversees the investigation and/or criminal prosecutions
Which of the following mezzo situations under HIPAA places PHI data at risk for security breach and/or loss of data integrity?
Registering patients in an open area (such as the office lobby) without checking their photo identification
Health and Human Services
Regulates the accuracy of services rendered vs. services paid
ICD-11
Released in May 2019, ICD-11 codes provide multiple case studies and health analysis to complement ICD-10.
Payment Error Rate Measurement (PERM)
Reviews claims against medical records to uncover errors
Mezzo setting
Securing PHI in provider groups, such as an individual medical practice, a single hospital department, a single health-insurance department, or other small healthcare group-based setting.
Macro setting
Securing large numbers of records containing PHI, and/or securing the transfer of these record(s) from one large setting to another (such as from hospital to hospital, between providers and insurance companies, or across large multi-party healthcare systems).
Healthcare Providers
Should be prepared to support claims
The Centers for Medicare & Medicaid (CMS) uses reporting systems to regulate and monitor services to avoid fraud. Based on the CMS auditing process, which provision ensures compliance for Medicare billing services?
Submitting all claims within one year of service.
Which rule was passed to address HIPAA implementation concerns by setting civil money penalties and investigation procedures for violations?
The Enforcement Rule
In 1977...
The Health Care Financing Administration was created to manage Medicare and Medicaid Services. This provided the proper management over the division of services.
Layer II Second-Party
The insurance company/providers—this is the organization that manages the insurance policy.
Layer III Third-Party
The insurance policy—the policy is purchased by the first-party and managed by the second party
CPT Category III
These are temporary codes that are used to track emerging and experimental services and procedures. These codes can remain temporary for five years, and are then classified as Category I codes. Temporary codes are also used to classify new and holistic services/treatment.
ICD-10
These codes are the current ICD diagnostic and treatment medical codes. ICD-10 codes consist of three to seven alphanumeric characters that are used to describe a diagnosis. The character breakdown is as follows: The first three codes define the symptoms, infection, disease, and/or disorder. Characters four through six identify the site of the disease/symptoms/infection on the body and the severity of the problem. The sixth character usually identifies the specific part of the body impacted (arm, wrist, leg, etc.). The seventh character identifies the continuation of the problem (e.g., initial problem, issue based on treatment side effects, and/or a recurrent/acute illness).
CPT Category II
These codes track specific information about patients, such as medical and treatment history, and psychosocial outliers (smoking, homelessness, drug addiction, etc.). Category II contains ten code sections: a. Composite Measures (0001F - 0015F); b. Patient Management (0500F - 0584F); c. Patient History (1000F - 1505F); d. Physical Examination (2000F - 2060F); e. Diagnostic/Screening Processes or Results (3006F - 3776F); f. Therapeutic, Preventive, or Other Interventions (4000F - 4563F); g. Follow-up or Other Outcomes (5005F - 5250F); h. Patient Safety (6005F - 6150F); i. Structural Measures (7010F - 7025F); j. Non-Measure Code Listing (9001F - 9007F).
Violation due to willful neglect
This is a severe type of violation, in which a covered entity knew it was in violation of HIPAA regulations, yet chose not to correct the problem. An example would be a hospital system which had been informed by a HIPAA compliance consultant that its EHR system used unsecure and/or outdated levels of encryption, but chose not to rectify the situation. Fines for these types of violations may range from as low as $10,000 to as high as $1.65 million per occurrence.
Violation from a reasonable cause
This is a violation that was of a relatively common threat type that most reasonable professionals should have planned for/trained against. An example of this type of violation at the mezzo level could include the improper sharing of PHI access passwords among staff. Fines for these types of violations can range from $1,000 to $1.65 million per occurrence, depending on the type of violation, and the size/resources of the covered entity.
CPT Category I
This is the largest body of codes used by providers to report services and procedures. There are six main sections: a. Evaluation & Management Services (99201 - 99499); b. Anesthesia Services (01000 - 01999); c. Surgery (10021 - 69990), further broken down by body area or system within this code range; d. Radiology Services (70010 - 79999); e. Pathology and Laboratory Services (80047 - 89398); f. Medical Services and Procedures (90281 - 99607).
Violation due to willful neglect: not corrected
This is the most severe type of HIPAA violation, which occurs when a covered entity engages in willful neglect of required HIPAA compliance, is ordered by an enforcement agency to correct it, and then fails to correct it. Fines for this violation type can range from $50,000 to $1.65 million annually per violation, and may also result in criminal prosecution.
Layer I First-Party
This refers to the insured person—the individual who purchases insurance from the insurance company.
2006: The Enforcement Rule
This rule established standardized civil penalties and guidelines for criminal prosecution for HIPAA violations. Prior to the establishment of the Enforcement Rule, few HIPAA violations were prosecuted. Once the rule was established, however, enforcement of HIPAA stepped up considerably, resulting in tens of thousands of civil/criminal enforcement actions.
2006: The National Provider Identifier (NPI) Rule
This rule helped to spur wider adoption of electronic health records (EHRs) by assigning every covered entity (healthcare providers, insurance companies, etc.) a unique identification number that helps separate identifying information about that provider from the PHI record for greater security/portability and facilitates simpler sharing of electronic records between providers.
HIPAA Title II
This segment of HIPAA includes the Administrative Simplification (AS) provisions, including the Privacy Rule for "covered entities," which standardized and established patients' right to privacy of their PHI, whether those records were on paper or electronic. Title II triggered a graduated rollout of the following components between 2000 and 2006 (see Timeline Items 3-6). These components were intended to help prevent healthcare fraud and abuse.
Unknowing violation
This violation type occurs without the covered entity's knowledge and was likely unanticipated/unplanned for. A micro-level example might include an online attack on a doctor's office involving ransomware prior to the widespread knowledge of the existence of ransomware. Fines for these types of violations may range from as low as $100 to as high as $1.65 million per occurrence, depending on the type of violation and size/resources of the covered entity.
Component of HIPAA passed in 1996 which allows patients to take their health insurance with them when they lose or change a job
Title I
Component of HIPAA passed in 1996 which has had many Rules and Amendments added surrounding prevention of fraud and abuse
Title II
Why did Public Law 92-603 expand the initial Medicare and Medicaid requirements for utilization review?
To establish a professional standards review process
Micro setting
Treatment of individual patients at a person-to-person level, and the secure handling of related PHI for individual patients during and between care encounters.
A violation due to willful neglect is a severe violation
True
HIPAA has established Administrative Rules
True
The State Children's Health Insurance Program provides insurance for their employees, employee spouses and children, and retired personnel.
True
Workers' compensation, self-insured plans, and pharmacy benefit managers are types of third-party insurance coverage.
True
A well-known NFL athlete comes to a hospital emergency room for treatment of a severe injury sustained during a Monday Night Football game that was broadcast on television. While the athlete is managed by an emergency physician, two nurses, and an orthopedic surgeon, several other nurses and administrative staff pass around a secured laptop containing the athlete's PHI and medical records. The nurse authorized to view the athlete's PHI shares her access password with the other staff so they can "stay updated" on the athlete's condition. All of the personnel viewing the PHI are big fans of the athlete's NFL team. Which of the following describes this micro situation under HIPAA?
Unauthorized Use/Access of PHI
The University of Texas MD Anderson Cancer Center failed to conduct itself in full compliance with HIPAA in 2018, after 3 unencrypted devices used to access PHI without appropriate security measures were lost. Moreover, an encryption policy had been in place several years before its unencrypted devices went missing. Which HIPAA regulation was violated?
Violation due to willful neglect: not corrected
Which is an example of a medical third-party?
Workers' compensation
2003: Congress passed the Security Rule
a new component of HIPAA legislation which governs standardization of security processes and procedures for all PHI. The Security Rule incorporates flexible requirements that allow healthcare providers to adopt new technologies while also protecting patient privacy. Providers of varying sizes have various security options and requirements which can be scaled up or down according to their available resources.
International Classification of Diseases (ICD)
a standard coding system used to record medical diagnoses and classify mortality illnesses and statistics.
Sec. 1806
an explanation of Medicare benefits
CERTS Audits
annual audits to ensure proper payments.
Office of the Attorney General
establishes new protocols for service and payment structures.
Probe Audits
evaluates past patient claims to determine payment equality.
1996: The Health Insurance Privacy and Accessibility Act of 1996
is passed by Congress and signed into law by President Bill Clinton, establishing for the first time citizens' right to privacy for their personal healthcare information (PHI), the right to easy accessibility to, and ownership of, that information, and better ability to take your health insurance with you when you change jobs or retire early.
Sec. 1805
provides information on the Medicare payment advisory commission
Sec. 1804
provides specific provisions for "Notice of Medicare benefits: Medicare and Medigap information"
The Department of Health and Human Services
regulates the accuracy of services rendered vs. services paid.
The Department of Justice
represents the legality of third-party payments and offers legal enforcement of established practices.
RAC audits (Recovery Audit Contractor)
reviews fee-for-service claims to recover money.
2000: The Transaction and Code Sets Rule
was established and rolled out under HIPAA Title II. This rule standardizes how healthcare transactions/related diagnoses are categorized, classified, and billed across all U.S. healthcare providers using the same diagnostic coding set (ICD codes).
2013: HIPAA Omnibus Rules
were enacted which expanded the definition of "covered entity" under HIPAA. Prior to the Omnibus Rules, only healthcare providers/hospitals/insurance companies were considered covered entities under HIPAA. Under the new rules, healthcare contractors and subcontractors (such as records-processing/storage companies, IT providers, marketing companies, and other service providers) who had access to PHI also became covered entities under HIPAA. This greatly expands the types of organizations who must adhere to HIPAA regulations.