1. Introduction to Health Care and Public Health in the U.S.
Regulating Health Care
Welcome to Introduction to Health Care and Public Health in the U.S.: Regulating Health Care. This is lecture d.
The component, Introduction to Health Care and Public Health in the U.S., is a survey of how health care and public health are organized and how services are delivered in the U.S. It covers public policy, relevant organizations and their interrelationships, professional roles, legal and regulatory issues, and payment systems. It also addresses health reform initiatives in the U.S.
Lecture d
This material (Comp 1 Unit 6) was developed by Oregon Health & Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number 90WT0001.
This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. To view a copy of this license, visit
Health IT Workforce Curriculum Version 4.0

2. Regulating Health Care Learning Objectives - 1
Describe the role of accreditation, regulatory bodies, and professional associations in health care in the U.S. (Lecture a)
Describe the basic concepts of law in the United States: the legal system, sources of law, classification of laws, the court system, and the trial process. (Lecture b)
The learning objectives for Regulating Health Care are to:
Describe the role of accreditation, regulatory bodies, and professional associations in health care in the U.S.
Describe the basic concepts of law in the U.S.: the legal system, sources of law, classification of laws, the court system, and the trial process.

3. Regulating Health Care Learning Objectives - 2
Describe legal aspects of medicine involving the Affordable Care Act, professional standards in health care, medical malpractice, Tort reform, and Medicare and Medicaid Fraud and Abuse (Lecture c)
Describe legal aspects of medicine involving the Affordable Care Act, professional standards in health care, medical malpractice, tort reform, and Medicare and Medicaid fraud and abuse.

4. Regulating Health Care Learning Objectives - 3
Describe key components of the Health Insurance Portability and Accountability Act (HIPAA) and describe efforts to promote patient safety in the U.S. (Lecture d)
Discuss the need for quality clinical documentation for the use of the health record as a legal document, communication tool and a key to prove compliance for health care organizations. (Lecture e)
Describe key components of the Health Insurance Portability and Accountability Act, or HIPAA, and current issues concerning privacy and patient safety in the U.S.
And discuss the need for quality clinical documentation for use of the health record as a legal document, communication tool, and a key to prove compliance for health care organizations.

5. Health Insurance Portability and Accountability Act (HIPAA)
Improves “portability” of health insurance
Employer plans may not limit coverage due to pre-existing conditions
If health insurance is lost, improves access to a group health plan
Protects from discrimination based on health status
Establishes requirements for the exchange of personally identifiable health information
This lecture discusses key elements in maintaining patient confidentiality and promoting the safety of patients. Topics include the privacy and security provisions of HIPAA, nationwide efforts to improve patient safety, the role of the Joint Commission, and the federal Agency for Health Care Research and Quality.
It is imperative that health care organizations maintain the privacy and confidentiality of patients’ health information. Because privacy is a critical legal and ethical concern, it is the subject of numerous regulations. HIPAA is a major source of patient privacy standards. HIPAA was originally signed into law in 1996, with the goal of improving the portability of health insurance, and increasing efficiency through the electronic exchange of patient information.
Portability can be thought of as the ability to transfer health insurance coverage. For example, HIPAA limits the ability of a new employer plan to exclude people who have preexisting conditions. For employees who lose group health insurance coverage, HIPAA provides opportunities to enroll in another plan. HIPAA also gives certain individuals guaranteed access to individual health insurance policies. In addition, HIPAA prohibits discrimination against employees and their family members based on their health, including genetic disease.
Recognizing that the electronic exchange of patient information may pose a risk to patient privacy, HIPAA establishes requirements that must be met when personally identifiable health information is shared between entities.

6. HIPAA Privacy & Security
Privacy requirements
What health information must be protected
Security requirements
How to protect health information
This lecture concentrates on those parts of HIPAA that relate to the privacy and security of health information. Generally speaking, privacy requirements describe the kinds of information that must be protected and who must protect the information.
Security requirements address the steps that must be taken to protect health information and who is responsible for protecting that information. HIPAA also specifies that individuals have the right to control how their health information is used.
Detailed information about all aspects of HIPAA coverage and requirements can be found using the links on this slide.

7. HIPAA Covered Entities - 1
HIPAA privacy and security requirements apply to individuals and organizations called “covered entities” who transmit health information in electronic form.
Transactions that must comply with HIPAA regulations include health plan enrollment and disenrollment, information sharing related to health care referrals, preauthorization of services, payment of insurance premiums, and payment for health care services.
6.1 Figure: Flowchart for determining whether an entity is a HIPAA covered health provider or not. (CMS.gov, nd.)

8. HIPAA Covered Entities - 2
Health care providers
Health plans
Insurance companies
Health maintenance organizations (HMOs)
Company insurance plans
Government agencies that pay for health care
The first category of covered entities is health care providers. HIPAA defines health care providers quite broadly, to include not only individuals such as doctors and dentists, but also institutions, including clinics, hospitals, and nursing homes. Basically, any person or organization that provides health care, bills for health care, or is paid for health care is a covered entity. Health Care providers are covered entities even if they use a third party, such as a billing service, to transmit the protected electronic information.
The second category of covered entities that must follow HIPAA privacy and security rules is health plans. For HIPAA purposes, health plans include health insurance companies, health maintenance organizations, or HMOs, company insurance plans, and government agencies that pay for health care.

9. HIPAA Covered Entities - 3
Health care clearinghouses
Billing services
Repricing companies
Community health management information systems
Value-added networks and switches that perform clearinghouse functions
The third category of covered entities is health care clearinghouses, which are organizations that standardize health information. Examples include billing services, repricing companies that adjust prices based on insurance payments, and community health management information systems. Value-added networks and switches are also covered entities if they perform clearinghouse functions. A value-added network is a private network provider hired by a company to facilitate electronic data interchange or provide other network services. A switch refers to a type of computer network vendor.

10. Business Associates
Entities that are engaged to assist covered entities in delivering health care services
Business Associate Agreement (BAA)
Must also comply with HIPAA rules
In addition to covered entities, HIPAA rules also apply to a covered entity’s business associates. If a covered entity engages businesses to help the covered entity deliver care, the covered entity must enter a Business Associate Agreement, also known as a BAA, with each business. The BAA must specify what the business associate has been engaged to do, and must require the business associate to comply with HIPAA rules. Business associates are responsible for their own compliance with HIPAA rules.
Health IT Workforce Curriculum Version 4.0

11. HIPAA Privacy Rule Applies to protected health information (PHI)
Applies to all forms or medium
Individually identifiable health information
Name/address
Phone number
address
SSN
Photograph
The HIPAA Privacy Rule applies to what is termed protected health information, or PHI, that is held or transmitted by a covered entity or its business associates. The term PHI refers to individually identifiable health information that is transmitted electronically, maintained in electronic media, or transmitted or maintained in any other form or medium.
Obvious examples of individually identifiable information are the patient’s name, address, telephone number, address, Social Security number, and photograph. However, many other kinds of information are considered capable of uniquely identifying the patient. These include birth date, admission date, discharge date, medical record number, and date of death, if applicable.

12. Individually Identifiable Information
Information can be used to identify the individual
Physical or mental health condition
Provision of health care
Payment
Individually identifiable health information can be divided into three main categories. The first category, physical or mental health condition, refers to information that relates to a person’s past, present, or future physical or mental health condition. The second category, provision of health care, describes the health care services that have been or will be provided to the person. The third kind of protected information is payment information. All of this information is protected as long as there is a reasonable basis to believe that it can be used to identify the individual.

13. Privacy Rule Requirements
Notify patients of rights
Allow patients to see their medical records
Implement and train employees on privacy procedures
Designate individual to be responsible for seeing that procedures are adopted and followed
Keep patient records secure
One of the basic requirements of the HIPAA Privacy Rule is to notify patients about their privacy rights and how their information can be used. In addition, the HIPAA Privacy Rule gives patients the right to see their medical records.
The Privacy Rule also has several requirements that relate to office policies and procedures. Covered entities must adopt and implement privacy procedures and train their employees to follow the procedures. Covered entities must also designate an individual to be responsible for ensuring that the privacy procedures are followed. Finally, covered entities must secure patient records so they are not easily accessible to those who do not need them.

14. HIPAA Security Rule
Requires covered entities to use security measures to protect health information
Does not specify which technology must be used
Establishes minimum federal standards
State laws may require more rigorous safeguards
The HIPAA Security Rule sets out administrative, physical, and technical measures that covered entities must have in place to protect electronic health information. The Security Rule does not require the use of any specific technology, so that organizations can use the latest electronic communications and security technologies as they are developed. The law emphasizes that security is an ongoing process rather than a one-time goal.
The HIPAA Security Rule establishes certain minimum standards. In some states, state law may require more rigorous safeguards than HIPAA specifies. In these cases, covered entities must follow the more stringent state laws.

15. HIPAA Security Rule: General Guidelines
Covered entities must:
Ensure confidentiality, integrity, and availability
Anticipate threats and protect against them
Protect against impermissible uses or disclosures
Ensure workforce compliance
The U.S. Department of Health and Human Services has published a summary of the HIPAA Security Rule that lays out some general guidelines. The first is to ensure the confidentiality, integrity, and availability of all protected health information that covered entities create, receive, maintain, or transmit. The second general requirement is that covered entities must try to anticipate threats to the security and integrity of the information, and protect against them. Third, covered entities must protect against impermissible uses or disclosures of protected information. Fourth, covered entities must ensure employee compliance with HIPAA regulations.

16. HIPAA Enforcement and Penalties - 1
The Office of Civil Rights within the U.S. Department of Health and Human Services enforces HIPAA compliance
The HITECH Act extends privacy and security rules, provides for enhanced enforcement
Compliance with HIPAA is enforced by the Office of Civil Rights of the U.S. Department of Health and Human Services. Failure to comply with these rules can result in substantial civil fines and criminal penalties.
The HIPAA privacy and security rules were extended with Health Information Technology for Economic and Clinical Health, or HITECH, legislation in 2009, resulting in a widened scope of protections and enhanced enforcement.

17. HIPAA Enforcement and Penalties - 2
HIPAA Omnibus Rule, 2013
Stringent requirements regarding notification of health information breach to the Department of Health and Human Services
Increased fines and penalties
Enhanced patient control of health information
The HIPAA Omnibus Rule went into effect in 2013, resulting in more stringent requirements regarding notification of health information breach to the Department of Health and Human Services, increased fines and penalties, and enhanced patient control of health information.

18. Patient Safety - 1
Regulation is an important mechanism used to improve patient safety
Landmark 1999 report (To Err is Human)
44,000 to 98,000 people die in hospitals each year as a result of preventable medical mistakes
Mistakes cost hospitals $17 billion to $29 billion yearly
We now transition to the topic of patient safety and federal efforts focused on improved patient safety.
In a landmark 1999 report, the nonprofit Institute of Medicine published a report called To Err is Human. This report was the first to deal in-depth and openly with the problem of medical errors on a nationwide scale. It concluded that between forty-four thousand and ninety-eight thousand people die in hospitals each year as a result of preventable medical errors, such as administration of the wrong drug or dosage. The report also showed that U.S. hospitals lose seventeen to twenty-nine billion dollars every year as a result of errors.

19. Patient Safety - 2 The 1999 To Err is Human Report:
Individual errors are not the main problem
Faulty systems, processes, and other conditions lead to preventable errors
The report noted that errors by individuals are not the predominant problem. Instead, it argued that faulty systems and procedures are most often to blame for preventable errors. An example of a faulty system is a hospital that stocks patient-care areas with full-strength drugs that are toxic until they are diluted, which may lead to use without proper drug preparation. While safety advancements have occurred since this landmark report, patient safety remains a concern, and is a focus of health care improvement efforts today.

20. Medical Mistakes Today
Errors can result in medical malpractice lawsuits
61% of doctors are sued at some point
Medical malpractice payouts totaled over $3 billion dollars in 2014
Suffering from medical errors: not measurable
Medical mistakes often result in lawsuits for malpractice. A study by the American Medical Association found that approximately 61 percent of all physicians will have been sued at some point in their careers. Medical malpractice payouts totaled over 3 billion dollars in 2014.
The cost of human suffering from medical errors is probably not measurable. However, it is the reason that patient safety remains a top priority for the entire health care workforce.

21. The Joint Commission Safety Initiatives - 1
Sentinel Event Policy
Unexpected death, unexpected serious physical or psychological injury, or the risk of such an event
Patient Safety Advisory Group
Panel of experts who recommend National Patient Safety Goals
Also address newly developing safety issues
As discussed earlier in this unit, the Joint Commission, or TJC, is a nonprofit organization that accredits hospitals and other health care organizations. However, TJC also plays a major role in efforts to improve patient safety. In fact, more than half of its activities are directly related to that goal.
One of these initiatives is called the Sentinel Event Policy. TJC defines a sentinel event as one that resulted or could have resulted in an unexpected death or serious harm. Some sentinel events relate to the patient’s health, such as death of an apparently healthy baby or a bad reaction to a blood transfusion. Other sentinel events relate to conditions in the hospital, such as the discharge of a baby to the wrong family, or the abduction or rape of a patient.
Whenever a sentinel event occurs, the health care organization is expected to conduct a thorough analysis of the situation that caused it or allowed it, and take steps to prevent the event from happening again. Organizations are encouraged to report sentinel events to TJC, so other health care organizations can learn from the analysis.
The Patient Safety Advisory Group is a panel of safety experts, nurses, physicians, pharmacists, and other professionals. Working with TJC staff, this group establishes annual National Patient Safety Goals, which are lists of tips for health care professionals to follow to prevent errors. For example, when taking a blood sample, a health care professional must label the specimen container before moving on to the next patient to avoid inadvertent labeling mistakes. The Patient Safety Advisory Group also helps TJC detect and address newly emerging safety issues.

22. The Joint Commission Safety Initiatives - 2
Universal Protocol for Preventing Wrong Site, Wrong Procedure and Wrong Person Surgery
Pre-surgery verification
Site marking
“Time out” before an incision is made
The Speak Up Initiative
Encourages patients to participate in their care
Free patient education materials
The Universal Protocol is an initiative designed to prevent surgical errors. An important part of the protocol is for health care professionals to conduct a pre-procedure verification process, making sure that they have the right patient, that they plan to conduct the right procedure, and that they plan to operate on the correct site—for example, the patient’s left leg, not the right leg. Other steps in the Universal Protocol are to mark the intended site of the surgery and for the surgical team to take a “time out” before making any incision. During the time out, the team members communicate with one another and verify once again that they have the correct patient and the correct surgical site, and that all agree about what procedure they are about to perform.
The Speak Up Initiative encourages patients to take an active role in the decisions that are made about their health care. Patients are urged to speak up if they have a question or concern, and to educate themselves about their disease and the medications they take. The program provides educational materials for patients on topics including surgery, infection prevention, medication safety, medical tests, and patient rights. Speak Up materials are free and can be downloaded from the Joint Commission website, which is listed in the References section of this presentation.

23. Agency for Health Care Research and Quality (AHRQ)
Part of U.S. Department of Health and Human Services.
Improve safety and quality of care
Investing in research
Creating tools to put the results into practice
Generating measures and data used by providers and policymakers
The Agency for Health Care Research and Quality, or AHRQ, is part of the U.S. Department of Health and Human Services. The AHRQ Web site contains a wealth of information for both health care providers and the public at AHRQ dot gov. The agency is charged with improving the safety and quality of care that patients receive. Key activities include investing in research to understand how to improve safety and quality, creating tools to help put the results of research into practice, and generating measures and data used by providers and policymakers in decision making.

24. National Health Care Quality Report
Effectiveness
Timeliness
Efficiency
Patient safety
Access to care
Patient centeredness
Every year, AHRQ issues a National Health Care Quality Report, which focuses on national trends in the quality of health care. The report discusses health care effectiveness, timeliness, and efficiency; patient safety; access to care; and the effectiveness of health care professionals at putting patients at the center of their efforts.

25. AHRQ: Health IT Develops and disseminates information
Toolkits and educational materials are available to capture best practices in the use of technology
Research funding opportunities are also available
AHRQ develops and disseminates evidence to inform policy and practice on how health information technology can improve the quality of health care. The AHRQ website offers resources focused on topics such as consumer health IT applications, electronic medical records systems, workflow, and health information exchange. The site also links to top peer-reviewed articles that provide insight into designing and implementing appropriate health IT systems.
Furthermore, AHRQ provides grant funding for projects designed to improve processes and procedures in health IT. Information about these grants is available on their website, which is provided in the Resources section of this presentation.

26. Regulating Health Care Summary – 1 – Lecture d
Patient privacy and safety are high priorities for all people employed in the health care industry
HIPAA has rules for the privacy and security of patient health information
The Joint Commission supports initiatives for reducing medical errors
This concludes lecture d of Regulating Health Care.
In summary, it is imperative, both ethically and legally, that everyone involved in health care maintain patient privacy and safety. HIPAA enforces rules about the privacy and security of patient health information. The Joint Commission supports initiatives for reducing medical errors, including the Sentinel Event Policy, the National Patient Safety Goals, the Universal Protocol for surgery, and the Speak Up Initiative.

27. Regulating Health Care Summary – 2 – Lecture d
Patient safety is an important focus for health care improvement
The Agency for Health Care Research and Quality is an important source of information regarding care improvement through the effective use of health IT
Finally, the Agency for Health Care Research and Quality is an important source of information about how to improve the safety and quality of patient care through the effective use of Health IT.

28. Regulating Health Care References – 1 – Lecture d
Agency for Health Care Research and Quality National Health Care Quality Report. Accessed January 27, 2017.
Agency for Health Care Research and Quality. Health information technology portfolio. Accessed January 27, 2017.
Centers for Medicare and Medicaid Services. Are you a covered entity? Accessed January 27, 2017.
HIPAA Business Associates. Accessed January 27, 2017.
Institute of Medicine. To Err is Human: Building a Safer Health System. November 1, Accessed January 27, 2017.
Medical Liability. Accessed January 27, 2017.
References slides. No audio.

29. Regulating Health Care References – 2 – Lecture d
Medical Malpractice Payout Analysis. Diederich Healthcare. Accessed January 27, 2017.
Office of Civil Rights. Accessed January 27, 2017.
The Joint Commission. Accessed January 27, 2017.
US Department of Health and Human Resources. Health information privacy. Accessed January 27, 2017.
Charts, Tables, Figures
6.1 Figure: Adapted from CMS (nd.) Acquired from Last accessed January 27, 2017.
References slides. No audio.

30. Introduction to Health Care and Public Health in the U. S
Introduction to Health Care and Public Health in the U.S. Regulating Health Care Lecture d
This material was developed by Oregon Health & Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number 90WT0001.
No Audio.