
Understanding Healthcare Legislation & Terminology


Presentation Transcript


  1. Understanding Healthcare Legislation & Terminology

  2. What is HIPAA?
  • HIPAA = Health Insurance Portability and Accountability Act of 1996
  • Specifies laws for the protection and use of Protected Health Information (PHI)
  • Comprised of 4 main rules:
    • HIPAA Privacy Rule - protects the privacy of individually identifiable health information (IIHI)
      • Requires covered entities and business associates to implement administrative, technical, and physical safeguards to protect the privacy of protected health information
      • The Department of Health & Human Services lists the use of computer monitor privacy filters as an example of a physical safeguard for PHI*
    • HIPAA Security Rule - sets national standards for the security of electronic PHI (ePHI)
    • HIPAA Breach Notification Rule – requires covered entities and business associates to provide notification following a breach of unsecured PHI
    • Patient Safety Rule – confidentiality provisions, which protect IIHI being used to analyze patient safety events and improve patient safety
  * “Guide to Privacy and Security Health Information” by the Office of the National Coordinator for Health Information Technology; Department of Health & Human Services

  3. What is HIPAA? - Continued
  • HIPAA basically requires three things:
    • Integrity of information – the medical record must be accurate
    • Confidentiality – the medical record should only be seen by those with a need to know, and all uses of that data should be knowable by the individual
    • Availability – the medical record must be available; in essence, no reasonably avoidable downtime
  • Administered by the Dept. of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR) – sub-agency of the U.S. Department of Education
  • HHS and OCR do not endorse any private consultants' or education providers' seminars, materials or systems, and do not certify any persons or products as "HIPAA compliant."

  4. What is the HIPAA Omnibus Rule?
  • It was an update to the HIPAA Act. The main, or most important/relevant, changes were:
    • It extended HIPAA to include business associates and their subcontractors in addition to covered entities.
      Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules' requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules. If an entity does not meet the definition of a covered entity or business associate, it does not have to comply with the HIPAA Rules. See definitions of “business associate” and “covered entity” at 45 CFR 160.103.
    • Strengthened penalties for violations:
      • Failure to comply with HIPAA rules is subject to civil penalties of between $100 and $25,000 per violation during a calendar year.
      • Privacy breaches are subject to penalties and fines of up to $1.5 million per year for all violations of an identical provision.
    • The HIPAA Omnibus Interim Rule actually went into effect in 2009 and the rule was finalized in 2013.

  5. What is HITECH?
  • HITECH (Health Information Technology for Economic and Clinical Health Act) - enacted under Title XIII of the American Recovery and Reinvestment Act (ARRA)
  • HITECH was passed in 2010 in order to update HIPAA rules and provide federal funds for deploying electronic medical records (EMR), also referred to as electronic health records (EHR). HITECH upgraded HIPAA because medical records were now in digital form, and as a result, they needed new rules for protection and availability
  • Acts as the enforcement arm of HIPAA and strengthened HIPAA. Implements a tiered system of civil monetary penalties for noncompliance and allows state attorneys general to file civil actions for HIPAA violations.
  • Offers eligible healthcare organizations monetary incentives to encourage the adoption of EHR technology - also known as “Meaningful Use Programs”
    • Up to $25 billion in incentives being offered for EHR purchases via Medicare and Medicaid through 2015
    • Protecting patients’ privacy and securing their health information is a core requirement of the program in order to receive its incentives
    • A healthcare practice is responsible for taking the steps needed to protect the confidentiality of health information

  6. What is Protected Health Information (PHI)?
  Protected Health Information (PHI) is individually identifiable health information transmitted or maintained by a covered entity (CE) or its Business Associate (BA) in any form or medium. Reference: 45 CFR 160.103
  • Reveals the state of a person’s health
  • Identifies an individual’s:
    • Past, present or future physical or mental health
    • Past, present, or future health care
    • Past, present, or future health care payment
  • Gives reasonable basis for determining a person’s identity
  • ePHI is any PHI transmitted electronically
  • PHI may be in any form or medium

  7. What is Individually Identifiable Health Information (IIHI)?
  Individually Identifiable Health Information (IIHI) is information that is a subset of health information, including demographic information collected from an individual. Reference: 45 CFR 160.103
  • Certificate or license number such as driver’s license number
  • Vehicle identifier and serial number including license plate number
  • Medical device identifier and serial number such as pacemaker serial number
  • Web site address
  • Internet protocol (IP) address number
  • Biometric identifier including finger & voice prints
  • Full face photographic images and any comparable image
  • Any other unique identifying number, characteristic or code
  • Name
  • Any address specification such as street, city, county, precinct or zip code
  • All dates except for the year, including birth date, admission date, discharge date, date of death, and all ages over 89
  • Telephone number
  • Fax number
  • Electronic mail address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number maintained by the healthcare provider
  If any of the above data is transmitted or maintained, it is PHI and must be protected
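As an added example that is not part of the presentation, the following Python pass applies the identifier list above to a constructed patient record: direct identifiers are dropped, dates are reduced to their year, identifier-shaped strings are scrubbed out of free text, and ages over 89 are reported as "90+". The field names, the reference date and the free-text patterns are assumptions; the code also withholds the birth year once the derived age exceeds 89, since the birth year alone would reveal that age.

```python
import re
from datetime import date

# Field names are assumptions for this example; the categories come from slide 7.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "precinct", "zip", "phone", "fax",
    "email", "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip", "biometric", "photo", "other_id",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
AS_OF = date(2024, 6, 1)  # assumed reference date for computing age
# Identifier-shaped substrings that hide in free text (SSN, phone, e-mail, IPv4).
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
]


def scrub_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text with placeholders."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record: dict, as_of: date = AS_OF) -> tuple:
    """Return (safe_record, removed_fields): direct identifiers dropped, dates
    reduced to the year, free text scrubbed, ages over 89 reported as '90+'."""
    safe, removed = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            removed.append(field)
        elif field in DATE_FIELDS:
            safe[field.replace("_date", "_year")] = value.year
        elif field == "notes":
            safe[field] = scrub_text(value)
        else:
            safe[field] = value
    birth = record.get("birth_date")
    if birth is not None:
        age = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
        if age > 89:
            # Past 89 the exact age, and the birth year that reveals it, must go.
            safe["age"] = "90+"
            safe.pop("birth_year", None)
            removed.append("birth_year")
        else:
            safe["age"] = age
    return safe, removed


SAMPLE = {  # constructed sample record, not real patient data
    "name": "Jane Example", "mrn": "MRN-0001", "zip": "12345",
    "birth_date": date(1930, 5, 20), "admission_date": date(2024, 3, 2),
    "diagnosis": "hypertension", "notes": "Call 555-123-4567 or jane@example.com before discharge.",
}
```

Running `deidentify(SAMPLE)` keeps only the admission year, the diagnosis, the scrubbed notes and the age bucket "90+", and reports which fields were removed.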

  8. What is a Covered Entity?
  A Covered Entity is one of the following:
  • Health Care Providers
    • Includes: doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies
  • Health Plans
    • Includes: health insurance companies, HMOs, company health plans, and government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs
  • Health Care Clearinghouses
    • Includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

  9. What is a Business Associate?
  • A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
  • A member of the covered entity’s workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity.
  • Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and re-pricing. Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. See the definition of “business associate” at 45 CFR 160.103.
  Examples of Business Associates:
  • A third party administrator that assists a health plan with claims processing.
  • A CPA firm whose accounting services to a health care provider involve access to protected health information.
  • An attorney whose legal services to a health plan involve access to protected health information.
  • A consultant that performs utilization reviews for a hospital.
  • A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
  • An independent medical transcriptionist that provides transcription services to a physician.
  • A pharmacy benefits manager that manages a health plan’s pharmacist network.

  10. Glossary
  • Ambulatory Care – A personal healthcare consultation, treatment, or intervention using advanced medical technology or procedures delivered on an outpatient basis – usually consists of clinics and smaller offices vs. hospitals or inpatient types of
  • Anonymized – Previously identifiable data that have been de-identified and for which a code or other link no longer exists. An investigator would not be able to link anonymized information back to a specific individual.
  • Anonymous – Data that were collected without identifiers and that were never linked to an individual. Coded data are not anonymous.
  • Business Associates – Anyone who has access to patient information, whether directly, indirectly, physically or virtually. Additionally, any organization that provides support in the treatment, payment or operations is considered a business associate, e.g. an IT company or a billing and claims processing company. Other examples include a document destruction company, a telephone service provider, accountant or lawyer. The business associates also have the responsibility to achieve and maintain HIPAA compliance in terms of all of the internal, administrative and technical safeguards. A business associate does not work under the covered entity’s workforce, but instead performs some type of service on their behalf.
  • Business Associate Agreement – The standard agreement document that clearly defines the roles and responsibilities of a business associate and the covered entity. The other key piece of the Business Associate Agreement is the assurance that businesses will take proper steps to implement the appropriate administrative, physical and technical safeguards.
  • Covered Entities (CE) – Anyone who provides treatment, payment and operations in healthcare. It could include a doctor’s office, dental office, clinics, psychologist, nursing home, pharmacy, hospital or home healthcare agency. This also includes health plans, health insurance companies, HMOs, company health plans and government programs that pay for health care. Health clearinghouses are also considered covered entities.
  • Electronic Data Interchange (EDI) – The communication or exchange of business documents between companies via computer.

  11. HIPAA Glossary
  • Electronic Health Records (EHR) – Electronic health records are any electronic record of patient health information generated within a clinical institution or environment, such as a hospital or doctor’s office. This may include medical history, laboratory results, immunizations, demographics, etc.
  • Electronic Medical Records (EMR)
  • Electronic Protected Health Information (EPHI) – All individually identifiable health information that is created, maintained or transmitted electronically.
  • Healthcare Clearinghouse – An organization that standardizes health information. One example is a billing company that processes data from its initial format into a standardized billing format.
  • Health Information – Patient information collected by a health plan, health care provider, public health authority, employer, healthcare clearinghouse or other organization that falls under covered entity.
  • Healthcare Insurance Portability and Accountability Act (HIPAA) – Developed in 1996, the acronym HIPAA stands for Healthcare Insurance Portability and Accountability Act. Initially created to help the public with insurance portability, they eventually built administrative simplifications that involved electronic medical record technology and other components. In addition, they built a series of privacy tools to protect healthcare data.
  • Health Information Technology for Economic and Clinical Health (HITECH) – In 2009, as part of the American Recovery and Reinvestment Act (ARRA), there was an act within that called HITECH, short for The Health Information Technology for Economic and Clinical Health Act. The act included incentives offered to physicians in private practices, as well as institutional practices, to implement and adopt electronic medical records. In addition to incentives, the act included a series of fines to help enforce HIPAA rules. HITECH also mandated that business associates of covered entities, as well as the covered entities themselves, were responsible for the same level of HIPAA compliance.

  12. HIPAA Glossary
  • HIPAA Violations – If a company fails to comply with HIPAA rules, they are subject to both civil and criminal penalties.
  • Civil Penalties – Established by the American Recovery and Reinvestment Act of 2009 (ARRA), the tiered civil penalty structure below determines the cause and consequences of HIPAA breaches. The Secretary of the Department of Health and Human Services has the ability to ultimately determine fines and penalties due to the extent of the violation on a case-by-case basis.
    • Due Diligence – An organization is in violation, but they have taken every possible step they could have foreseen to prevent that.
      Minimum fine: $100 per incident with annual maximum of $25,000 for repeat violations
      Maximum fine: $50,000 per violation with annual maximum of $1.5 million for repeat violations
    • Reasonable Cause – The steps have been taken, but something was not addressed. For example, a company went into a HIPAA audit and provided a gap analysis, but something wasn’t addressed yet. The violation is due to reasonable cause and not willful neglect.
      Minimum fine: $1,000 per incident with annual maximum of $100,000 for repeat violations
      Maximum fine: $50,000 per incident with annual maximum of $1.5 million for repeat violations
    • Willful Neglect – There are two types of willful neglect.
      • The first is when a company clearly ignores the HIPAA law but corrects their mistake within the given amount of time.
        Minimum fine: $10,000 per incident with annual maximum of $1.5 million for repeat violations
        Maximum fine: $50,000 per violation with annual maximum of $1.5 million for repeat violations
      • The second type of willful neglect is when a company ignores the HIPAA law and does not correct their mistake.
        Minimum fine: $50,000 per incident with annual maximum of $250,000 for repeat violations
        Maximum fine: $50,000 per incident with annual maximum of $250,000 for repeat violations
  • Criminal Penalties – The U.S. Department of Justice established who can be held liable for HIPAA violations due to criminal activity. This includes covered entities and any specified individual working under a covered entity. Anyone who knowingly misuses health information can be fined up to $50,000 including up to a year of imprisonment. More serious offenses call for higher fines and prison time.

  13. HIPAA Glossary
  • HIPAA Audit – A HIPAA audit is based on a set of regulations, standards and implementation specifications. The audit is an analysis that helps to pinpoint the organization’s current state and what steps need to be taken to get the organization compliant.
    • An evaluation is part of the audit - a company must perform an evaluation and undergo periodic evaluations once a year at minimum. As technology changes, different components are added to an organization’s infrastructure and they should be re-evaluated.
    • While covered entities need to undergo HIPAA audits, third-party business associates also need to comply. This includes any company that might provide services for a covered entity, for example, an application hosted in a cloud and provided to a covered entity.
  • Individually Identifiable Health Information – A subset of health information, this includes demographic information about an individual’s health that identifies or can be used to identify the individual. This includes name, address, date of birth, etc.
  • OCR HIPAA Audit Protocol – Up through early 2012, there was no federal standard for third-party auditors to conduct a HIPAA audit. With the publication of the new Office for Civil Rights audit protocol, auditors are able to gain a more consistent direction on how the OCR will conduct HIPAA audits in the future. The new protocol covers requirements found in the HIPAA Security Rule, Privacy Rule and Breach Notification Rule.
  • Privacy Rule – The part of the HIPAA rule that addresses the saving, accessing and sharing of medical and personal information of an individual, including a patient’s own right to access.
  • Protected Health Information (PHI) – This includes any individually identifiable health information collected from an individual by a healthcare provider, employer or plan that includes name, social security number, phone number, medical history, current medical condition, test results and more.
  • Security Rule – The part of the HIPAA rule that outlines national security standards intended to protect health data created, received, maintained or transmitted electronically.
