Lesson 15- MA- Ethics and Legal Issues
How does the Office for Civil Rights (OCR) enforce Privacy and Security Standards?
by investigating complaints, conducting compliance reviews, performing education and outreach to foster compliance with the rules
What do business associates include?
claims processing or administration, data analysis, utilization review, quality assurance, billing, benefit management and practice management
What do insurance companies try to do when they discover fraudulent claims?
collect damages, including compensatory damages and punitive damages
National Plan and Provider Enumeration System (NPPES)
collects identifying information on healthcare providers and assigns each a unique National Provider Identifier (NPI).
auditing
comprehensive and formal review with a standard of measurement
What is "willful neglect" according to HIPAA?
conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated
resolution agreement
contract signed by HHS and a covered entity in which the covered entity agrees to perform certain obligations (e.g., staff training) and make reports to HHS, generally for a period of three years. HHS monitors to ensure compliance.
Self-Disclosure Protocol (SDP)
created to allow providers to voluntarily identify, disclose and resolve instances of potential fraud involving federal healthcare programs
Punitive damages
damages awarded to the plaintiff to punish the defendant and, theoretically, deter the defendant from repeating the fraud in the future
Compensatory damages
damages directly related to the fraud; they represent the compensation a plaintiff receives from a defendant for the actual damage caused
ICD-10-CM/ICD-10-PCS
diagnoses and hospital inpatient procedures
The Privacy Rule states that healthcare providers must make reasonable efforts to do what?
disclose and request the minimum necessary amount of PHI needed to accomplish the purpose of the authorization
Efaxing
document is sent from computer without activating the fax machine and prints out on traditional fax machine at destination
Code of Ethics:
document that outlines specific ethical guidelines
What is a transaction?
electronic exchange involving the transfer of information between two parties for a specific purpose
Encryption
electronic information is put into a coded form while transmitted
What do security standards deal with?
electronic protected health information (ePHI)
Electronic data interchange (EDI)
electronic transfer of information in a standard format between trading partners; the process of submitting a claim electronically in a standard format to an insurance company for reimbursement of the provider's services
Portability- HIPAA
ensuring the continuation of health insurance coverage for workers and families during times of job change or loss
Unique Identifier Standards
establish the implementation specifications for obtaining and using the standard unique health identifier for healthcare providers
Who can fraud and abuse be reported to?
federal Office of Inspector General (OIG)
What were specific code sets adopted for?
for diagnoses and procedures to be used in all healthcare transactions
Compliance plans
formalizations of processes that identify, investigate and prevent violations in various healthcare services
release of information (ROI)
gives healthcare providers the authority to disclose patient-specific health information to persons not otherwise authorized to receive this information
medical peer review committee
group of medical professionals who study and evaluate the performance of their colleagues when concerns over malpractice or incompetence arise.
What is Protected Health Information (PHI)?
health information, or information that can be used to identify an individual, held or transmitted by a covered entity/ business associate in any form (electronic, paper or oral)
when might an insurance company ask for punitive damages?
if the insurance company feels the fraud was intentional or perhaps negligent
Medical Ethics
includes confidentiality, accuracy, integrity, and completeness of medical records and the proper storage of these records (Also involve guarding against fraud and misleading claims)
Accountability- HIPAA
increasing effectiveness of the healthcare system while protecting health data integrity, confidentiality, and availability (while also preventing fraud and abuse)
What does Minimum necessary do?
limits unnecessary or inappropriate access to and disclosure of PHI
What penalties does the Office of Inspector General (OIG) make?
monetary, criminal, administrative penalty or any combination of the three
Security Standards (AKA Security rule) establish what?
national set of security standards for PHI held or transferred in electronic form
HIPAA Privacy Standards establishes what?
national standards to protect individuals' medical records and other personal health information that apply to covered entities
HIPAA requires covered entities to provide patients with what?
notice of privacy practices, which is a form that defines how the provider can use PHI (information that can be used to identify an individual)
Fraud
occurs when inaccurate information is used to wrongfully gain compensation
Transaction and Code Sets Standards
outline the format and codes used for electronic transmissions
defendant
person named in the claim or charged with the crime
What is a business associate?
person who performs or assists with an activity involving the use or disclosure of individually identifiable health information
plaintiff
person who files the claim and initiates a lawsuit
What does HIPAA require compliance with?
privacy standards and security in the maintenance and electronic exchange of administrative and financial healthcare information.
What is the goal of the American Association of Medical Assistants (AAMA)?
provide medical assisting professionals with education, certification, credential acknowledgement, networking opportunities, scope-of-practice protection, and advocacy of quality patient-centered health care
Health Care Quality Improvement Act (HCQIA)
provides for peer review of physicians by other physicians and health care professionals. Physicians communicate honestly and weed out incompetent physicians
Treatment includes:
providing, coordinating and managing healthcare services
payment is the:
reimbursement process
What may Corrective action include?
repayment of overpayments or disciplinary action against the employee responsible for non-compliance
authorization
required when using or disclosing protected health information for reasons other than for treatment, payment or healthcare operations
National Practitioner Data Bank (NPDB)
resource listing the names of all healthcare professionals under review for unethical, incompetent or illegal practice
Health Information Technology for Economic and Clinical Health (HITECH) Act
revised the original HIPAA legislation and expanded responsibilities for securing and making other changes relating to disclosure of health information and enforcement
compliance officer
single employee who is responsible for the daily working of the compliance program
What must a contract between a covered entity and a business associate contain?
specific elements describing the permitted and required uses of protected health information
What triggers an insurance audit?
suspicious claims, a doctor filing an unusual number of similar claims, or a patient bringing a questionable claim
Unsecured
the information hasn't been encrypted
insurance audit
thorough review by the insurance company of a claim and all related documentation. Auditors compare and search for inconsistencies and alterations
Why was the HITECH Act created?
to stimulate the adoption of electronic records and supporting technology in the United States as part of the American Recovery and Reinvestment Act (ARRA) of 2009
Privacy Standards, also referred to as the Privacy Rule, addresses what?
use and disclosure of a patient's protected health information
Faxing
used to send and receive patient information using traditional and eFax technology. Involves feeding document through fax machine and dialing destination number
consent
used when the permission is for treatment, payment or healthcare operations
What current standard version of electronic transmissions has been used since 2012?
version 5010
What were the three goals of the American Recovery and Reinvestment Act (ARRA) of 2009?
1. Create and save jobs 2. Spur economic activity and Invest in long-term growth 3. Support accountability and transparency in recovery spending
What does the Administrative Simplification Compliance Act (ASCA) set up nationally consistent regulations in?
1. Transaction and Code Sets Standards 2. Privacy Standards 3. Security Standards 4. Unique Identifier Standards
What are the core elements of an Effective Compliance program?
1. Written policies, procedures, and standards of conduct 2. training and education 3. monitoring and auditing 4. corrective action 5. compliance officer and committee 6. lines of communication 7. disciplinary guidelines
What does the Health Care Quality Improvement Act (1986) do?
1. creates national tracking system of physicians with medical malpractice payment history 2. outlines standards review boards must use 3. protects every review board from blame and liability
What are some security procedures to ensure confidentiality of medical records and information?
1. employees can't work on records of acquaintances 2. new employees must sign confidentiality pledges before accessing confidential information 3. security procedures for accessing medical record storage areas not under continuous supervision 4. computerized patient information only accessible with unique passwords 5. written plan developed for suspected breaches of confidentiality
What are some procedures that help ensure the confidentiality of faxed medical records?
1. following rules sent by the provider/client you're working with 2. always have the original release form on file before sending patient records via fax 3. do not accept a faxed copy of a patient release form (you don't know if the signature is valid) 4. only send faxes to secure fax machines (this means verifying with the receiving person) 5. never send sensitive information via fax (HIV and pregnancy results) 6. always use fax cover sheets (list name, company name, telephone number, fax number, and number of pages sent)
What are the factors considered to ensure confidentiality of patient records?
1. hiring trustworthy staff 2. ensuring computerized information is secure and only available to authorized personnel 3. standardized, secured procedures for transferring patient information
What does a notice of privacy practice include?
1. how the Privacy Rule allows providers to use and disclose PHI; explains that your permission is necessary before your health records are shared for any other reason 2. the organization's duties to protect health information privacy 3. privacy rights (right to complain to HHS and the organization) 4. how to contact the organization for more information or to file a complaint. The notice must include an effective date and must be provided on the first visit
What are the two primary purposes of Security Standards?
1. establish security safeguards to protect ePHI 2. promote access to and use of ePHI
When did Congress enact HIPAA?
1996
What can the civil money penalties for willful neglect extend to?
$250,000; repeat or uncorrected violations extend up to $1.5 million
What is an independent medical transcriptionist providing transcription services to a physician considered?
A business associate
What is Title II Subtitle F called?
Administrative Simplification Compliance Act
How to guard against Fraud?
Be accurate. Don't change accurate information.
CDT
Current Dental Terminology
CPT
Current Procedural Terminology (physician services/procedures)
responsibilities of a compliance officer provided by CMS:
1. Developing and/or reviewing policies and procedures that implement the compliance program 2. Attending operations staff meetings 3. Monitoring compliance performance by operational areas 4. Enforcing disciplinary standards and ensuring consistency of discipline 5. Implementing a system for assessment of risk 6. Developing an auditing work plan 7. Reviewing auditing and monitoring reports 8. Coordinating with human resources 9. Monitoring effectiveness of corrective actions
What are the two standards for Unique Identifiers?
Employer Identification Number and the National Provider Identifier
What happens when there is an intentional or unintentional use or disclosure of ePHI?
The HITECH Act requires covered entities to inform all patients and the Department of Health and Human Services (HHS) if the information is unsecured.
What does HIPAA stand for?
Health Insurance Portability and Accountability Act
HCPCS
Healthcare Common Procedure Coding System (ancillary services/procedures)
NDC
National Drug Codes
What happens if the covered entity does not take action to resolve the OCR matter satisfactorily?
OCR may impose civil money penalties (CMPs) on the covered entity
What happens if OCR finds evidence that a covered entity is not in compliance with HIPAA?
OCR will attempt to resolve case by obtaining voluntary compliance, corrective action and/or a resolution agreement
Which office within HHS administers HIPAA and HITECH?
Office for Civil Rights (OCR)
What do the rules set by the Security Standards not apply to?
PHI transmitted orally or in writing.
What safeguards should be in place to protect Protected Health Information (PHI)?
Passwords, key cards and encryption
What are the two objectives of HIPAA?
Portability and Accountability
monitoring
Regular reviews performed as part of normal operations
Together, what are treatment, payment and healthcare operations known as?
TPO
Employer Identification Number (EIN)
The number assigned to each employer by the Internal Revenue Service to identify employers on standard transactions, including all electronic transmissions of claims
How do insurance companies catch fraudulent claims?
They conduct company-auditing procedures.
What is required from all covered entities doing business electronically?
They use the same transactions and code sets
What are Covered Entities?
Those who must follow HIPAA regulations, including health plans, healthcare clearinghouses and healthcare providers who transmit any health information in electronic form
What are the different sections of HIPAA known as?
Titles
Why was NPI regulated?
To eliminate multiple identifiers, since legacy identifiers were not standardized and providers had multiple identification and billing numbers.
NPI (National Provider Identifier)
a unique 10-digit intelligence-free identification number issued to health care providers in the United States by the Centers for Medicare and Medicaid Services (CMS)
healthcare operations are the:
administrative functions of patient care
What do best practices and professional standards require?
all information from the patient record be treated as highly sensitive (personal, financial, genetic data, and outcome information)
Patient Safety and Quality Improvement Act (PSQIA) of 2005
allows healthcare practitioners to voluntarily and anonymously report safety problems
False Claims Act (FCA)
basis for prosecution of healthcare fraud and abuse claims. FCA prohibits anyone from presenting a false or fraudulent claim to be paid by the government; using a false record or statement to conceal or avoid paying money to the government; or conspiring to defraud the government.