Chapter 5. The Health Insurance Portability and Accountability Act (HIPAA). Jahangir Moini, MD, MPH, CPhT.


  1. Chapter 5 The Health Insurance Portability and Accountability Act (HIPAA) Jahangir Moini, MD, MPH, CPhT

  2. Overview • Creation of privacy and security laws aimed at more efficient pharmacy practice and faster reimbursement • HIPAA laws put into place to standardize controls over dissemination of private health records

  3. Goal of HIPAA • Primary goals include improving portability (ability to transmit and transfer information) and continuity of health care coverage • Intended to reduce abuse, fraud, and waste in health care delivery and insurance

  4. Goal of HIPAA • Use and disclosure of protected health information (PHI) by covered entities is controlled by HIPAA • PHI must be identified to be protected • All health information (verbal, written, or electronic) should be protected • Patients have the right to know how PHI can be used

  5. Title I: Health Insurance Reform • Before HIPAA, people with PHI did not have as many rights as people covered by Medicare or Medicaid • Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA) allows employees leaving a job to elect to continue employer’s health coverage for limited time

  6. Title I: Health Insurance Reform • Title I modified COBRA by limiting exclusions for pre-existing health conditions, which gave certain people the ability to enroll in new health care plans

  7. Title II: Administrative Simplification • Restricts electronic transfer of health care data, gives patients more rights over PHI, and puts in place better security for PHI • Sought to reduce paperwork, simplify processing, and standardize administration • Encourages use of electronic data interchange (EDI) to exchange information between computers and sets standards

  8. Title II: Basic Provisions • Electronic health information transaction standards (benefits coordination) • Penalties (fines and imprisonment) • Privacy (standards and regulations) • Provider and health plan mandate and timetable (2 years to start using HIPAA) • State law preemption (state laws supersede unless Health & Human Services decide otherwise)

  9. Complying with HIPAA • Those who must comply with HIPAA are “covered entities” (CEs) • CEs provide health care services regularly and send HIPAA-protected information electronically • Includes clearinghouses, health insurance plans, and health care providers

  10. Complying with HIPAA • State law may be more stringent than actual related HIPAA requirements when it: • Grants patient better access rights to PHI • Prohibits use or disclosure of PHI that HIPAA would allow • Provides more information to an individual upon request • Requires record keeping in great detail • Requires more focused, limited, or narrowed authorization

  11. Privacy Standards • Pharmacies have increased controls over management and storage of PHI • Result of Privacy Rule of 2003 • Information belongs to patients, who have the right to control who may view it

  12. Privacy Standards • Discarded patient information (DPI) must be handled with great care • Should be destroyed by a licensed, bonded company • Must never be thrown in the trash because of the risk of theft of paper records and computer disks containing patient records

  13. The Medical Record • Medical records contain information about patient’s health over time • Document all medical history of patient in chronological order • Are legal documents, and accuracy is vital in documenting that appropriate medical care has been given

  14. The Medical Record • Electronic medical records (EMRs) are preferred over paper because they can be accessed more quickly and take up less room • Shared between health care professionals more easily • Electronic health records are not the same as EMRs, and are owned by patient or person with a stake in the outcome, providing interactive patient access

  15. Protected Health Information • HIPAA privacy standards established in 2003 to require that privacy policies are appropriate to services provided • Patients’ records must always be protected by trained employees who understand legal regulations about who may access them • Patients must be told how PHI can be used and by whom

  16. Protected Health Information • Minimum necessary standard protects against too much information being given to any specific person or entity • A group of medical records is known as a designated record set (DRS), including a provider’s medical and billing records • Providers must establish a Notice of Privacy Practices (NOPP), which details policies and procedures, and make it available to anyone who requests them

  17. Protected Health Information • PHI includes: • Patient name and address • All dates relating to patient age and medical history • Phone and fax numbers • E-mail and Web site addresses • Certificate and license numbers • Vehicle ID and related numbers • Medical device identifiers and serial numbers

  18. Protected Health Information • PHI includes: • Social security and medical record numbers • Health plan beneficiary numbers • Various account numbers • Fingerprints, voiceprints, and other biometric identifiers • Photographs of patient’s face and other photos • Other identifying numbers, codes, or characteristics
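The identifier categories on slides 17 and 18 are what a covered entity has to find before it can protect or redact PHI (slide 4: "PHI must be identified to be protected"). The following Python is an added example, not code from the presentation or its author: it scans a constructed free-text note for a handful of those categories using simplified patterns and replaces each hit with a category token. The regular expressions, the `MRN-` record-number format and the sample note are all assumptions made for the example; real formats vary by organization. Patient names are deliberately left untouched to show that pattern matching alone does not cover every category on the list.

```python
"""Added example: locate and redact a few PHI identifier categories in free text.
Patterns and sample data are constructed for illustration only."""
import re

# Assumed, simplified shapes for some categories listed on slides 17-18.
# Order matters only for the redaction pass: each pattern is applied in turn.
PHI_PATTERNS = [
    ("date",      re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b")),      # dates relating to the patient
    ("ssn",       re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),          # social security number
    ("phone_fax", re.compile(r"\b\d{3}-\d{3}-\d{4}\b")),          # phone and fax numbers
    ("email",     re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),  # e-mail addresses
    ("url",       re.compile(r"\bhttps?://[^\s,;]+|\bwww\.[^\s,;]+")),  # Web site addresses
    ("mrn",       re.compile(r"\bMRN-\d{6,}\b")),                 # constructed medical record number format
]

# Categories from the slides that these regexes cannot recognise reliably;
# they need a name dictionary, NLP or structured fields rather than patterns.
NOT_COVERED_BY_PATTERNS = ("patient name and address", "biometric identifiers", "photographs")

# Constructed sample note; every identifier in it is fictitious.
SAMPLE_NOTE = (
    "Patient John Doe, DOB 03/14/1958, MRN-00481516. "
    "Call 555-123-4567 or fax 555-987-6543; e-mail jdoe@example.com. "
    "SSN 123-45-6789. Portal: https://portal.example.org/jdoe"
)


def find_phi(text):
    """Return (category, matched_text, start, end) for every hit, in text order."""
    hits = []
    for category, pattern in PHI_PATTERNS:
        for m in pattern.finditer(text):
            hits.append((category, m.group(0), m.start(), m.end()))
    hits.sort(key=lambda h: h[2])
    return hits


def redact_phi(text):
    """Replace each hit with a [CATEGORY] token.

    Returns (redacted_text, counts) where counts maps category -> number of
    replacements, so a reviewer can see what kind of PHI a document carried
    without seeing the values themselves.
    """
    counts = {}
    redacted = text
    for category, pattern in PHI_PATTERNS:
        redacted, n = pattern.subn(f"[{category.upper()}]", redacted)
        if n:
            counts[category] = n
    return redacted, counts


if __name__ == "__main__":
    for category, value, start, end in find_phi(SAMPLE_NOTE):
        print(f"{category:10s} at {start:3d}-{end:3d}: {value}")
    text, counts = redact_phi(SAMPLE_NOTE)
    print(text)
    print(counts)
    print("still requires manual review for:", ", ".join(NOT_COVERED_BY_PATTERNS))
```

Run stand-alone it lists each hit with its position, prints the redacted note, and reports per-category counts. The name "John Doe" survives in the output on purpose: it is the reminder that an automated scan is a first pass, and that the "minimum necessary" standard on slide 16 still depends on staff who know which fields count as PHI.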

  19. Disclosure of Protected Health Information • Disclosure occurs when entity holding information performs actions causing it to move outside entity, such as: • Releasing • Transferring • Providing access • Divulging (in any manner)

  20. Disclosure of Protected Health Information • People who are acting on behalf of patient may receive certain PHI • Providers must be very careful when deciding to release PHI • Pharmacy technicians should refer issues related to disclosure of child’s PHI to pharmacist or privacy officer

  21. Patients’ Rights • Patients have the right to view and copy PHI within 30 days of request, either free or for a reasonable fee, as per HIPAA • They can request amendments (changes) to any incorrect parts • They can request an “accounting of disclosures” but many disclosures (e.g., TPHCO) do not have to be included

  22. Patient Notification • HIPAA Privacy Rule changed the way patients are informed about HIPAA compliance of covered entities • Using NOPPs, providers explain to patients how PHI may be used and disclosed • NOPPs discuss patient access and rights and how to register complaints

  23. Security Standards • HIPAA security standards describe how electronic PHI must be safeguarded • Important to understand them • All health care professionals participate in protection of patients’ records

  24. HIPAA Security • HIPAA security standards focus on electronic PHI, also called “ePHI” • May be stored in computers and related peripheral devices • Goals for protecting ePHI include availability, confidentiality, and integrity of information • Covered entities must use risk analysis to determine potential security threats

  25. Mobile Devices and Media • “Mobile” or “portable” devices include: • Backup media • Home computers • Laptop computers • Memory cards • Personal digital assistants (PDAs) • Public workstations • Remote access devices • Smart phones • USB flash drives • Wireless access points

  26. Faxes and E-mail • HIPAA also requires protection of PHI when using faxes and e-mail • Suggests that all fax numbers and e-mail addresses be verified before transmission • Recommends inclusion of “confidentiality notice” instructing that anyone who receives the communication in error should immediately contact the sender and destroy information received

  27. HIPAA Transactions • HIPAA has requirements concerning EDI to simplify administration information exchange • Health care professionals should understand related code sets and national identifiers used in EDI

  28. HIPAA Electronic Health Care Transactions • All providers are required by HIPAA to use the same code sets, identifiers, and transactions when health care information is transmitted • Examples: • Inquiries • Payment or remittance advice • Claims • Claim status • Encounter information

  29. Transaction Standards • HIPAA requires that transfers of ePHI for specific business purposes comply with specific transaction standards • Purposes include: • Eligibility inquiries • Enrollment/disenrollment • Payments and remittance • Referrals • Benefits • Claims and equivalent encounters • Claim status

  30. Transaction Standards • National Council for Prescription Drug Programs (NCPDP) creates and promotes data transfer standards as they relate to pharmacy • Members of NCPDP may receive education tailored to practice and receive database services • NCPDP standards focus on diverse areas of pharmacy practice

  31. Medical Code Sets • Used to encode data elements concerning specific diagnoses and clinical procedures using alphanumeric codes • 6 code sets for clinical information: • ICD-9-CM (identifying diseases and conditions) • HCPCS (items, supplies, and non-physician services) • CPT-4 (medical procedures and services) • ICD Volume 3 Codes (inpatient hospital services) • NDC (drug products) • CDT-4 (dental services)

  32. Administrative Code Sets • Non-medical code sets also known as “administrative code sets” • Include simple and complex codes • Simple codes include abbreviations for states and locations • Complex codes may refer to payments, claims, providers, and places of service

  33. HIPAA Enforcement • Covered entities must implement policies and procedures that will prevent, detect, contain, and correct security violations • HIPAA enforces its standards and regulations and addresses abuse and fraud relating to them

  34. HIPAA Enforcement Agencies and Rules • Department of Justice (DOJ) • Centers for Medicare and Medicaid Services (CMS) • Electronic Health Care Transaction and Code Set Rule (TCS) • National Employer Identifier Number Rule (EIN) • Security Rule • Office for Civil Rights (OCR) • Office of Inspector General (OIG)

  35. Fraud and Abuse Regulation • Health care fraud and abuse may harm patients financially, and medically if unsafe procedures are performed as a result • Enforcement is through: • Health Care Fraud and Abuse Control Program • False Claims Act

  36. Compliance Plan • Many health care providers create compliance plans to stay in line with governmental regulations, develop consistent policies and procedures, train their staff, and eliminate errors

  37. Compliance Plan • Compliance plans also serve as legal defense in case of prosecution for fraud • The Office of the Inspector General (OIG) has created compliance program guidelines for many areas of health care

  38. Violations and Penalties • All health care employees who deal with PHI must comply with HIPAA • Ethical or legal breaches of confidentiality may result in fines, termination, and imprisonment

  39. Criminal Penalties • Criminal penalties usually assessed for intentional misuse of PHI • Can be as high as $250,000 in fines and up to 10 years in prison

  40. Civil Penalties • Civil penalties given for violating privacy on an unintentional basis • Can be as high as $25,000 in fines per year if repeated violations occur
