This chapter explores the importance of accurate documentation in medical records and the relationship between HIPAA, HITECH, and ACA laws. It covers the HIPAA Privacy and Security Rules, HITECH Breach Notification Rule, and the influence of HIPAA Electronic Health Care Transactions and Code Sets standards on health information exchange. It also discusses the four final rules in the Omnibus Rule and how to guard against potentially fraudulent situations.
CHAPTER 2 Electronic Health Records, HIPAA, and HITECH: Sharing and Protecting Patients’ Health Information
Chapter 2: Electronic Health Records, HIPAA, and HITECH
See the ten-step Revenue Cycle figure (at the beginning of the chapter).
This chapter focuses on the following steps:
• Preregister patients
• Establish financial responsibility
• Check in patients
• Review coding compliance
• Review billing compliance
• Check out patients
• Prepare and transmit claims
• Monitor payer adjudication
• Generate patient statements
• Follow up payments and collections
Learning Outcomes (1)
When you finish this chapter, you should be able to:
2.1 Explain the importance of accurate documentation when working with medical records.
2.2 Compare the intent of HIPAA, HITECH, and ACA laws.
2.3 Describe the relationship between covered entities and business associates.
2.4 Explain the purpose of the HIPAA Privacy Rule.
2.5 Briefly state the purpose of the HIPAA Security Rule.
2.6 Explain the purpose of the HITECH Breach Notification Rule.
Learning Outcomes (2)
When you finish this chapter, you should be able to:
2.7 Explain how the HIPAA Electronic Health Care Transactions and Code Sets standards influence the electronic exchange of health information.
2.8 Describe the four final rules in the Omnibus Rule.
2.9 Explain how to guard against potentially fraudulent situations.
2.10 Assess the benefits of a compliance plan.
Key Terms (1) • abuse • accountable care organization (ACO) • accounting of disclosure • Affordable Care Act (ACA) • audit • authorization • breach • breach notification • business associate (BA) • Centers for Medicare and Medicaid Services (CMS) • clearinghouse • code set • compliance plan • covered entity (CE) • de-identified health information • designated record set (DRS) • documentation • electronic data interchange (EDI) • encounter
Key Terms (2) • encryption • evaluation and management (E/M) • fraud • Health Care Fraud and Abuse Control Program • health information exchange (HIE) • Health Information Technology for Economic and Clinical Health (HITECH) Act • Health Insurance Portability and Accountability Act (HIPAA) of 1996 • HIPAA Electronic Health Care Transactions and Code Sets (TCS) • HIPAA National Identifiers • HIPAA Privacy Rule • HIPAA Security Rule • informed consent • malpractice
Key Terms (3) • meaningful use • medical documentation and revenue cycle • medical record • medical standards of care • minimum necessary standard • National Provider Identifier (NPI) • Notice of Privacy Practices (NPP) • Office for Civil Rights (OCR) • Office of E-Health Standards and Services (OESS) • Office of the Inspector General (OIG) • Omnibus Rule • operating rules • password • protected health information (PHI) • relator • transaction • treatment, payment, and healthcare operations (TPO)
2.1 Medical Record Documentation: Electronic Health Records (1)
• Medical record contains facts, findings, and observations about the patient’s health
• Documentation: recording and organizing a patient’s medical record in a consistent manner
  • Including health history, examinations, tests, treatment
  • Must be complete
2.1 Medical Record Documentation: Electronic Health Records (2)
• Medical standards of care—state-specified performance measures for healthcare delivery
• Medical professional liability: responsibility of healthcare professionals to provide standard of care
• Malpractice—failure to use professional skill when giving medical services that results in injury or harm
• Medical records and documentation act as legal documents; can defend physician in legal cases
• Medical record provides rationale for medical necessity (services essential for treatment of the medical problem)
2.1 Medical Record Documentation: Electronic Health Records (3)
• EHR vs. EMR
  • Electronic health record (EHR)—computerized lifelong healthcare record with data from all sources
  • Electronic medical record (EMR)—computerized record of one physician’s encounters with a patient
• Advantages of EHR
  • Immediate access to health information
  • Computerized physician order management
  • Clinical decision support
  • Automated alerts and reminders
  • Electronic communication and connectivity
  • Patient support
  • Administration and reporting
  • Error reduction
2.1 Medical Record Documentation (1)
• Encounter—a visit between a patient and a medical professional
  • Must contain specific types of information (name, date, diagnosis, etc.)
• Evaluation and Management (E/M)—provider’s evaluation of a patient’s condition, and decision on a course of treatment
• Common formats include:
  • POMR (problem-oriented medical record)
  • SOAP (subjective, objective, assessment, plan)
  • H&P (history and physical)
  • DS (discharge summary)
  • Procedure reports for operations, labs, and x-rays
2.1 Medical Record Documentation (2)
• Informed consent—process by which a patient authorizes medical treatment after a discussion with a physician
• Revenue Cycle with Medical Documentation (see Figure 2.3)
  • Explains how EHR is integrated with PM (practice management) programs during the 10-step revenue cycle
  • Both billing information and clinical information are collected from the patient and documented
  • Insurance specialists must understand PM/EHR cycle so they can find the documentation to complete claims
2.2 Healthcare Regulation: HIPAA, HITECH, and ACA (1)
• Federal Regulation
  • Centers for Medicare and Medicaid Services (CMS)—the main federal government agency responsible for healthcare (Medicare, Medicaid, clinical laboratories, and other government health programs)
• State Regulation
  • States are also a major regulator
  • State insurance commissioners investigate healthcare consumer complaints
  • State laws require licensing to operate an insurance company
  • States may restrict price increases and require certain policy provisions
2.2 Healthcare Regulation: HIPAA, HITECH, and ACA (2)
• Health Insurance Portability and Accountability Act (HIPAA) of 1996
  • Federal act with guidelines for standardizing the electronic data interchange of administrative and financial healthcare transactions, exposing fraud and abuse, and protecting and securing PHI
  • Protects private health information, ensures coverage, uncovers fraud and abuse, and creates industry standards
2.2 Healthcare Regulation: HIPAA, HITECH, and ACA (3)
• American Recovery and Reinvestment Act (ARRA)
  • Law with provisions concerning standards for electronic transmission of healthcare data
  • Contains the HITECH Act—law promoting the adoption and meaningful use of health information technology
  • Meaningful use signifies utilization of certified EHR technology to improve quality, efficiency, and patient safety; includes financial incentive for providers
  • Regional extension centers (RECs) assist with transition to EHR
  • Health information exchange (HIE) makes it possible to share health-related information among provider organizations
2.2 Healthcare Regulation: HIPAA, HITECH, and ACA (4)
• Affordable Care Act (ACA)
  • Health system reform legislation that offers improved insurance coverage and other benefits
  • Offers incentives to form accountable care organizations (ACOs)
  • ACO—network of doctors and hospitals who share responsibility for managing quality and cost of care provided to a group of patients
  • Goals of ACO—improve quality, save money, avoid unnecessary tests and procedures
2.3 Covered Entities and Business Associates (1)
• Covered Entity (CE)
  • Healthcare organization (health plan, clearinghouse, provider, or business associate) that transmits HIPAA-protected information electronically
  • Must obey HIPAA regulations
• Clearinghouse
  • Company that converts nonstandard transactions into standard transactions and transmits the data to health plans (and the reverse procedure)
• Business associate (BA)
  • Organizations that work for covered entities but are not themselves CEs (law firms; outside medical billers, coders, and transcriptionists; collection agencies; accountants)
2.3 Covered Entities and Business Associates (2)
HIPAA Administrative Simplification provisions
• HIPAA Privacy Rule: The privacy requirements cover patients’ health information.
• HIPAA Security Rule: The security requirements state the administrative, technical, and physical safeguards that are required to protect patients’ health information.
• HIPAA Electronic Transaction and Code Sets Standards: Require every provider who does business electronically to use the same healthcare transactions, code sets, and identifiers.
2.3 Covered Entities and Business Associates (3)
• Medical record belongs to the provider who created it
• Patients control how medical information is released (with some exceptions)
• Important for insurance specialists to know what (and how) information can be released
• Electronic data interchange (EDI)—computer-to-computer exchange of data in a standardized format
• Transaction—the electronic exchange of healthcare information
2.4 HIPAA Privacy Rule (1)
• HIPAA Privacy Rule—law regulating use and disclosure of patients’ protected health information (PHI)
• Protected health information (PHI)—individually identifiable health information transmitted or maintained by electronic media
• Both use and disclosure of PHI are necessary and permitted for patients’ treatment, payment, and healthcare operations (TPO)
  • Treatment—providing care
  • Payment—exchange of information with health plan
  • Operations—general business management
2.4 HIPAA Privacy Rule (2)
• Minimum necessary standard—principle of using reasonable safeguards to disclose PHI only to the extent needed
• Designated record set (DRS)—CE’s records that contain PHI
• Notice of Privacy Practices (NPP)—description of a CE’s principles and procedures related to protection of patients’ health information
• Accounting for disclosure – documentation of release of information other than for TPO
2.4 HIPAA Privacy Rule (3)
• For use or disclosure other than TPO, a CE must have the patient sign an authorization (written permission)
• Psychotherapy notes have special protection
• Health information can be released without authorization for some reasons other than TPO:
  • Court orders
  • Workers’ compensation cases
  • Statutory reports
  • Research
  • Self-pay (patient payment) requests for restrictions
• De-identified health information—medical data from which individual identifiers have been removed
2.5 HIPAA Security Rule
• The HIPAA Security Rule requires CEs to establish safeguards to protect PHI
• Encryption—method of converting a message into encoded text
• Security Measures
  • Secure Internet connections
  • Access control, password (confidential authentication information = the key), and log files
  • Backups
  • Security policies
2.6 HITECH Breach Notification Rule
• Health Information Technology for Economic and Clinical Health (HITECH) Act requires CEs to notify affected individuals following the discovery of a breach of unsecured health information
• Breach—impermissible use or disclosure of PHI that could pose significant risk to the affected person
• Breach notification—document notifying an individual of a breach (usually required within 60 days)
2.7 HIPAA Electronic Health Care Transactions and Code Sets
• HIPAA Electronic Health Care Transactions and Code Sets (TCS)
  • Rule governing electronic exchange of health information
  • Operating rules improve interoperability between data systems of different entities
  • Under HIPAA, a code set is any group of codes used for encoding data elements
• HIPAA National Identifiers
  • Identification systems for employers, healthcare providers, health plans, and patients
  • National Provider Identifier (NPI)—unique ten-digit identifier assigned to each provider
  • Employer Identification Number (EIN)—used when employers enroll/disenroll employees in a health plan
2.8 Omnibus Rule and Enforcement (1)
• Omnibus Rule—set of regulations enhancing patients’ privacy protections and rights to information, and the government’s ability to enforce HIPAA
• Four final rules:
  • Strengthen previous HIPAA/HITECH rules
  • Increase monetary penalties for violations
  • Restate the standard for reporting breaches
  • Prohibit health plans from using or disclosing genetic information for determining insurance coverage
• Audit—formal examination of a physician’s or payer’s records
2.8 Omnibus Rule and Enforcement (2)
Government agencies that enforce HIPAA:
• Office for Civil Rights (OCR)—government agency that enforces the HIPAA privacy standards and investigates civil complaints on behalf of an individual
• Department of Justice (DOJ)—prosecutes criminal violations of HIPAA privacy standards
• Office of E-Health Standards and Services (OESS)—part of CMS—enforces:
  • Transaction and Code Set (TCS) Rule
  • National Employer Identification (EIN) Rule
  • National Provider Identifier (NPI) Rule
2.8 Omnibus Rule and Enforcement (3)
Government agencies that enforce HIPAA (cont.)
• Office of Inspector General
  • Authority to investigate suspected fraud and audit records of physicians and payers
  • Innocent errors will be distinguished from clear patterns of practice
• Civil and Criminal Money Penalties
  • Most complaints settled by voluntary compliance
  • HITECH has tiered system for monetary penalties for privacy violations
  • CMS and OCR can supersede HITECH limits
  • $1.5 million is the current cap for a calendar year for the same type of violation
2.9 Fraud and Abuse Regulations (1)
• Fraud—intentional deceptive act to obtain a benefit by taking advantage of another person
  • Example—forging another person’s signature
• Abuse—action that improperly uses another’s resources
  • In federal law, abuse means an action that misuses money allocated by the government
  • Example—billing Medicare for an unnecessary ambulance service
  • May not be intentional and could result from ignorance or inaccuracy
2.9 Fraud and Abuse Regulations (2)
• HIPAA created the Health Care Fraud and Abuse Control Program to uncover and prosecute fraud and abuse in federal healthcare programs
• The HHS Office of the Inspector General (OIG) has the task of detecting healthcare fraud and abuse and enforcing all related laws
  • Has authority to investigate suspected fraud cases and to audit records of physicians and payers
• Relator—person who makes an accusation of fraud or abuse
2.10 Compliance Plans (1)
• Compliance plan—medical practice’s written plan for complying with regulations
  • Used to uncover compliance problems and correct them to avoid risking liability
  • A process for finding, correcting, and preventing illegal medical office practices
• Changing mandate
  • Compliance plans soon will be mandated by law rather than voluntary
2.10 Compliance Plans (2)
• Compliance plan areas
  • Coding and billing procedures
  • Equal Employment Opportunity (EEO) regulations
  • Occupational Safety and Health Administration regulations (OSHA)
• Compliance plan goals
  • Prevent fraud and abuse through a formal process
  • Ensure compliance with federal, state, and local laws
  • Defend the practice if investigated or prosecuted for fraud
2.10 Compliance Plans (3)
• Compliance officer and committee
  • Compliance officer is in charge of ongoing work and can be a physician, practice manager, or billing manager
  • Compliance committee is established to oversee the entire program
  • Error and omission insurance may be recommended as part of a compliance guideline for the healthcare facility’s employees
2.10 Compliance Plans (4)
• Code of Conduct
  • Procedures for ensuring compliance with laws relating to referral arrangements
  • Provisions for discussing compliance during employees’ performance reviews and for disciplinary action against employees, if needed
  • Mechanisms to encourage employees to report compliance concerns directly to the compliance officer
2.10 Compliance Plans (5)
• Ongoing training
  • Physicians must be trained in pertinent coding and regulatory matters as part of the compliance plan
  • Medical office and staff members involved with coding and billing must also receive ongoing training as part of the compliance plan
  • Usually conducted by compliance officer
  • Keep sessions brief and straightforward
  • Focus sessions on specialty area
  • Use actual examples
  • Explain benefits of compliance
  • Use meetings or newsletters as communication methods