Collegiate Sports Medicine Revenue & Reimbursement Workshop
HIPAA & FERPA Considerations
January 4-7, 2006
Keith Webster MA, ATC, University of Kentucky
Chair, NATA Governmental Affairs Committee
HIPAA
• Mandates the privacy and security of Protected Health Information (PHI)
• Portability of health insurance
• Simplification of electronic billing
• Coincides with existing state statutes; a pre-emption analysis is needed
NATA GAC
• GAC began to address HIPAA in 2001
• NATA BOD issued a response to the Privacy Rule modifications in April 2002
• Contacted HHS in September 2002
• Meeting held in December 2002 with HHS/OCR
• GAC, CUATC, SSATC, CIC, and NATA staff attended
Three Major Components
• Privacy Rule: governs use of and access to PHI and protects its confidentiality
• Security Rule: secures PHI that is transmitted electronically (4/21/05)
• Transaction Rule: standardizes procedure codes and the electronic billing format
Privacy Rule
• Protects the privacy of an individual's health information
• Governs use and disclosure of PHI
• Provides patients access to their records
• Patients have control of their records
• Patients can file complaints about use and disclosure
• Applies only to Covered Entities
Office for Civil Rights
• Civil penalties: up to $25,000
• Criminal penalties:
  • Knowing disclosure: $50,000 and 1 year imprisonment
  • False pretenses: $100,000 and 5 years imprisonment
  • Intent to sell: $250,000 and 10 years imprisonment
What is PHI?
• There are 18 identifiers that constitute Protected Health Information
• Includes:
  • Name
  • Medical record #
  • Address
  • Telephone #
  • DOB
  • Fax #
  • SS#
  • Driver's license #
  • Photographs
  • Email, URL, IP addresses
  • Fingerprints
  • Admit/discharge dates
  • Any other unique ID #
Covered Entity
Administrative Simplification Standards:
• A health care provider who conducts certain transactions electronically
• A health care clearinghouse
• A health plan
What is a Covered Entity? As a Health Care Provider:
The following is from the decision support tool found on the www.hhs.gov/ocr website.
1. A person, business, or agency that:
• Furnishes,
• Bills, or
• Receives payment for health care in the normal course of business
What is a Covered Entity?
2. A person, business, or agency that conducts covered transactions, including:
• A request to obtain payment, from the provider to a health plan, for health care; or
• In the absence of a direct claim, transmission of encounter information for reporting health care
More Covered Transactions
• Checking on eligibility to receive care under the health plan
• Coverage and benefits under the plan
• Request to obtain authorization for referring someone to another provider
• Inquiry/response about the status of a claim
Still More Covered Transactions
• Transmission of payment, information about the transfer of funds, and payment processing information
• Transmission of EOBs
• Coordination of benefits: the transmission from any entity to a plan to determine the payment responsibilities of the plan
What is a Covered Entity?
3. Are any of the covered transactions transmitted in electronic form?
"Electronic form" includes:
• Internet
• Extranet
• Leased lines, dial-up lines, private networks
• Magnetic tape, disk, or CD media that are physically moved from one location to another
You Are a Covered Entity If:
• You furnish, bill, or receive payment for health care AND
• You conduct covered transactions AND
• You transmit covered transactions in electronic form
AND if your attorney says so!
Determine Legal Entity
• Single provider
• Affiliated Covered Entities (ACEs): made up of several CEs that are under common ownership or control
• Organized Health Care Arrangement (OHCA): a setting with multiple providers
• Hybrid: a single legal entity whose covered functions are NOT its primary functions. Example: an academic institution with a medical center
Consult your attorney
Hybrid Entity
• Isolated activities involve Protected Health Information (PHI)
• Must identify those components
• Responsible for compliance in those areas
• Must protect against improper use/disclosure of PHI
Requirements of the CE
• Adopt and implement privacy procedures
• Train employees so that they understand the procedures
• Designate a privacy officer to see that procedures are adopted and followed
• Secure patient records from unauthorized use
• Account for disclosures
Requirements of the CE
Notice of Privacy Practices (NPP)
• A fundamental new right to be informed of the privacy rights and practices of covered health plans and providers
NPP includes:
• How PHI is used and disclosed
• The individual's rights regarding PHI, with the complaint process
• The CE's legal duty, with a statement that this is required by law
• A contact person from whom the individual can receive further information
• NPP can be layered: a brief summary with a "long" version
• Effective date
Providing the NPP
• CE is required to promptly revise and distribute the NPP after material changes
• NPP available to anyone requesting it
• NPP must be posted in the office, on the website, etc.
• CE must provide the NPP to the patient no later than the first date of service
• CE must make a good faith effort to get a written receipt of the NPP
• Acknowledgment of receipt can be combined with the consent form
Other Requirements of the CE
• Adopt and implement privacy procedures for its practice
• Train employees so that they understand the procedures
• Designate a privacy officer to see that procedures are adopted and followed
• Secure patient records from unauthorized use
Consent and Notice
• Consent for routine health care purposes is now optional
• This is due to the strengthened NPP, and it eliminates a barrier to treatment
• Other consent requirements may be in effect, i.e. State law
Authorization
Must include these core elements:
• Information to be used or disclosed
• Persons authorized to make the use or disclosure
• Persons authorized to receive PHI
• Purpose of the use or disclosure
• Expiration date
• Patient's signature and date
• Personal representative authority
Authorization
Must include the following notification statements:
• The individual may revoke the authorization in writing, with instructions
• Treatment and payment may not be conditioned on obtaining authorization, or
• If conditioning is permitted, the consequences of refusing to sign the authorization
• The potential for the PHI to be redisclosed by the recipient
Authorization
• Authorization can be mandated under a "condition to participate"
• Revocation would disqualify the participant
• The Family Educational Rights and Privacy Act (FERPA) takes precedence over HIPAA
• The Privacy Rule defers to State law for <18 y.o.
Uses and Disclosures for Treatment, Payment, and Health Care Operations (TPO)
• Permits this use and disclosure of PHI without authorization
• CE may disclose PHI for treatment purposes to providers who are not a CE
Minimum Necessary
• A CE must develop policies and procedures that limit its disclosures for payment and health care operations to the minimum necessary
• Identify who within the CE needs access to PHI for their job duties
• This does not apply when PHI is disclosed for treatment purposes
Incidental Uses and Disclosures
• Permissible as long as there are reasonable safeguards and minimum necessary standards
• Avoid discussing PHI in elevators and hallways
• Be aware of others in public places, i.e. waiting rooms
• Secure file cabinets or records rooms
• Use passwords for computers
Media Issues
• Establish a policy; consider the implications
• Determine a procedure for authorizations
• HIPAA or FERPA compliance
• Per-injury basis or blanket for the season
• Right to refuse, and its consequences
• "Open Records" requests: drug test results
Business Associates
A person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity.
Including: claims processing, data analysis, utilization review, quality assurance, billing, benefit management
See: OCR Guidance Manual for details
Security Rule
• Linked to Privacy Rule requirements
• Internal & external safeguards
• E-mail encryption
• Formatting claim forms
• Research issues
Research
• A covered entity may use or disclose PHI for research purposes once it has been de-identified, regardless of the other provisions
• The Common Rule and FDA human subject protection regulations apply
• Allowed with individual authorization
Research
Allowed without authorization under limited circumstances:
• IRB/Privacy Board approval
• Preparatory to research
• Research on PHI of decedents
• Limited data sets with a data use agreement
See: OCR Guidance Manual for details
Transaction Rule
Standardizes procedure codes and the electronic billing format
Standard electronic transactions include:
• Claims
• Referrals
• Eligibility inquiries & responses
• Claim status inquiries & responses
• Remittance advices
National Provider Identification Numbers (NPI)
• Used in standard electronic transactions
• Replaces Health Care Provider Identifiers
• Most health plans, Medicare, and private insurers must accept the NPI by 5/23/07
How to get an NPI
• National Plan and Provider Enumeration System (NPPES): 1-800-465-3203
• Providers may apply online at: https://nppes.cms.hhs.gov
• Only one NPI is needed for all health plans
NPI On-line Application
• Entity type: Type 1 for individual provider
• Taxonomy: Type 22, Respiratory, Rehabilitative & Restorative Service Providers
• Classification: 2255A2300X, Specialist/Technologist, Athletic Trainer
• Provide State License Number
The Family Educational Rights and Privacy Act (FERPA)
• Federal law that protects the privacy of student education records
• Applies to all schools that receive federal funds
• Gives parents certain rights with respect to their children's education records
The Family Educational Rights and Privacy Act (FERPA)
• Generally, schools must have written permission in order to release any information from a student's education record
• These rights transfer to the student when he/she reaches the age of 18 or attends a post-secondary school
• Must notify parents & eligible students annually
FERPA: Disclosure without consent
• To school officials with legitimate educational interests
• School official: a person employed by the School …including health or medical staff; a person or company with whom the School has contracted to perform a special task, such as medical consultant or therapist…
FERPA § 1232g(4)(B)
"Education record" does not include:
(iv) Records on an eligible student which are made by a physician, or other recognized professional, and used only for treatment of that student and are not available to anyone other than persons providing such treatment …
FERPA: Written Consent for education records
• Records to be released
• Reasons for such release
• To whom
• A copy to parents and student, if desired by the parents
References & Resources
• Decision Tools, Privacy Policy Guidance, and PHI Regulation Text: www.hhs.gov/ocr/
• EDUCAUSE (targets higher ed): www.educause.edu/issues/hipaa.html
• HIPAA Guidelines for Academic Medical Centers: www.aamc.org/members/gir/gasp
• Other links: www.hipaadvisory.com & www.hipaacomply.com
• NATA updates: www.nata.org
References & Resources
• Guidelines for Academic Medical Centers: www.aamc.org/members/gir/gasp/
• Sample forms (repository): http://atc.uwa.edu/admin/www.csmfoundation.org
• FERPA: www.ed.gov
• To create news alerts for HIPAA, FERPA, etc.: http://www.google.com/newsalerts
Discussion Questions