CHAPTER © 2012 The McGraw-Hill Companies, Inc. All rights reserved. 2 HIPAA, HITECH, and Medical Records.

Presentation transcript:

Chapter 2: HIPAA, HITECH, and Medical Records

Learning Outcomes
When you finish this chapter, you will be able to:
2.1 Discuss the importance of medical records and documentation in the medical billing process.
2.2 Compare the intent of HIPAA and ARRA/HITECH laws.
2.3 Describe the relationship between covered entities and business associates.
2.4 Explain the purpose of the HIPAA Privacy Rule.
2.5 Briefly state the purpose of the HIPAA Security Rule.
2.6 Explain the purpose of the HITECH Breach Notification Rule.

Learning Outcomes (Continued)
When you finish this chapter, you will be able to:
2.7 Describe the HIPAA Electronic Health Care Transactions and Code Sets standards and the four National Identifiers.
2.8 Explain the purpose of the Health Care Fraud and Abuse Control Program and related laws.
2.9 Identify the organizations that enforce HIPAA.
2.10 Discuss the ways in which compliance plans help medical practices avoid fraud or abuse.

Key Terms
abuse; American Recovery and Reinvestment Act (ARRA) of 2009; audit; authorization; breach; breach notification; business associate (BA); Centers for Medicare and Medicaid Services (CMS); clearinghouse; code set; compliance plan; covered entity (CE); de-identified health information; designated record set (DRS); documentation; electronic data interchange (EDI); electronic health record (EHR)

Key Terms (Continued)
electronic medical record (EMR); encounter; encryption; evaluation and management (E/M); fraud; Health Care Fraud and Abuse Control Program; Health Insurance Portability and Accountability Act (HIPAA) of; HIPAA Electronic Health Care Transactions and Code Sets (TCS); HIPAA final enforcement rule; HIPAA National Identifier; HIPAA Privacy Rule; HIPAA Security Rule; HITECH Act; informed consent; malpractice; medical record

Key Terms (Continued)
medical standards of care; minimum necessary standard; National Provider Identifier (NPI); Notice of Privacy Practices (NPP); Office for Civil Rights (OCR); Office of the Inspector General (OIG); password; protected health information (PHI); qui tam; relator; respondeat superior; subpoena; subpoena duces tecum; transaction; treatment, payment, and health care operations (TPO)

2.1 Medical Record Documentation
A patient’s medical record contains facts, findings, and observations about that patient’s health
Documentation is the recording of a patient’s health status in a medical record history
Medical standards of care—state-specified performance measures for health care delivery
– Medical records and documentation act as legal documents and help physicians make accurate diagnoses
– Malpractice—failure to use professional skill when giving medical services that results in injury or harm

2.1 Medical Record Documentation (Continued)
Encounter—an office visit between a patient and a medical professional
Evaluation and management (E/M)—provider’s evaluation of a patient’s condition and decision on a course of treatment
Electronic health record (EHR)—computerized lifelong health care record with data from all sources
Electronic medical record (EMR)—computerized record of one physician’s encounters with a patient

2.1 Medical Record Documentation (Continued)
Informed consent—process by which a patient authorizes medical treatment after a discussion with a physician

2.2 Health Care Regulation: HIPAA and HITECH
The main federal government agency responsible for health care is the Centers for Medicare and Medicaid Services, also known as CMS
The foundation legislation for the privacy of patients’ health information is called the Health Insurance Portability and Accountability Act (HIPAA) of 1996
– Protects private health information, ensures coverage, uncovers fraud and abuse, and creates industry standards

2.2 Health Care Regulation: HIPAA and HITECH (Continued)
American Recovery and Reinvestment Act (ARRA) of 2009—law with provisions concerning the standards for the electronic transmission of health care data
– Contains the HITECH Act—law promoting the adoption and use of health information technology

2.3 Covered Entities and Business Associates
Electronic data interchange (EDI)—system-to-system exchange of data in a standardized format
The electronic exchange of health care information is called a transaction

2.3 Covered Entities and Business Associates (Continued)
Health care organizations that must obey HIPAA regulations are called covered entities (CEs)
– Transmit information electronically
Clearinghouse—company that helps providers handle electronic transactions and manage EMR systems
Business Associates (BA)—organizations that work for covered entities but are not themselves CEs
– Law firms; outside medical billers, coders, and transcriptionists; accountants; collection agencies

2.4 HIPAA Privacy Rule
HIPAA Privacy Rule—law regulating the use and disclosure of patients’ protected health information (PHI)
Protected health information (PHI)—individually identifiable health information that is transmitted or maintained by electronic media
Both use and disclosure of PHI are necessary and permitted for patients’ treatment, payment, and health care operations (TPO)

2.4 HIPAA Privacy Rule (Continued)
Minimum necessary standard—taking reasonable safeguards to protect PHI from incidental disclosure
Designated record set (DRS)—CE’s records that contain PHI
Notice of Privacy Practices (NPP)—description of a CE’s principles and procedures related to the protection of patients’ health information
For use or disclosure other than for TPO, a CE must have the patient sign an authorization

2.4 HIPAA Privacy Rule (Continued)
Health information can be released for reasons other than TPO in some cases
– Subpoena—order of a court for a party to appear and testify
– Subpoena duces tecum—order of a court directing a party to appear, testify, and bring specified documents or items
– De-identified health information—medical data from which individual identifiers have been removed

2.5 HIPAA Security Rule
The HIPAA Security Rule requires CEs to establish safeguards to protect PHI
– Encryption—method of converting a message into encoded text
– Password—confidential authentication information (the key)

2.6 HITECH Breach Notification Rule
HITECH Act requires CEs to notify affected individuals following the discovery of a breach of unsecured health information
Breach—impermissible use or disclosure of PHI that could pose significant risk to the affected person
Breach notification—document notifying an individual of a breach

2.7 HIPAA Electronic Health Care Transactions and Code Sets
HIPAA Electronic Health Care Transactions and Code Sets (TCS)—rule governing the electronic exchange of health information
– Under HIPAA, a code set is any group of codes used for encoding data elements
HIPAA National Identifier—identification systems for employers, health care providers, health plans, and patients
– National Provider Identifier (NPI)—unique ten-digit identifier assigned to each provider

2.8 Fraud and Abuse Regulations
HIPAA created the Health Care Fraud and Abuse Control Program to uncover and prosecute fraud and abuse
The HHS Office of the Inspector General (OIG) has the task of detecting health care fraud and abuse and enforcing all the related laws
– Has the authority to investigate suspected fraud cases and to audit the records of physicians and payers
– Audit—formal examination of a physician’s records

2.8 Fraud and Abuse Regulations (Continued)
Qui tam—cases in which a relator accuses another party of fraud or abuse against the federal government
Relator—person who makes an accusation of fraud or abuse

2.8 Fraud and Abuse Regulations (Continued)
Fraud—an act of deception used to take advantage of another person
– Example—forging another person’s signature
In federal law, abuse means an action that misuses money that the government has allocated
– Example—billing Medicare for an unnecessary ambulance service

2.9 Enforcement and Penalties
HIPAA final enforcement rule—law designed to combine the enforcement procedures for privacy and security standards into a single rule
Office for Civil Rights (OCR)—government agency that enforces the HIPAA Privacy Act
Criminal violations of HIPAA privacy standards are prosecuted by the Department of Justice (DOJ)
– Other standards are enforced by the CMS

Compliance Plans
Compliance plan—medical practice’s written plan for complying with regulations
– Used to uncover compliance problems and correct them to avoid risking liability
– A process for finding, correcting, and preventing illegal medical office practices
Respondeat superior—doctrine making employers responsible for employee actions