
© 2010 Delmar, Cengage Learning. ALL RIGHTS RESERVED.

Chapter 5

The Health Insurance Portability and Accountability Act (HIPAA)

Jahangir Moini, MD, MPH, CPhT


Overview

• Creation of privacy and security laws aimed at more efficient pharmacy practice and faster reimbursement

• HIPAA laws put into place to standardize controls over dissemination of private health records


Goal of HIPAA

• Primary goals include improving portability (ability to transmit and transfer information) and continuity of health care coverage

• Intended to reduce abuse, fraud, and waste in health care delivery and insurance


Goal of HIPAA

• Use and disclosure of protected health information (PHI) by covered entities is controlled by HIPAA

• PHI must be identified to be protected

• All health information (verbal, written, or electronic) should be protected

• Patients have the right to know how PHI can be used

Title I: Health Insurance Reform

• Before HIPAA, people with PHI did not have as many rights as people covered by Medicare or Medicaid

• Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA) allows employees leaving a job to elect to continue their employer’s health coverage for a limited time

Title I: Health Insurance Reform

• Title I modified COBRA by limiting exclusions for pre-existing health conditions, which gave certain people the ability to enroll in new health care plans

Title II: Administrative Simplification

• Restricts electronic transfer of health care data, gives patients more rights over PHI, and puts in place better security for PHI

• Sought to reduce paperwork, simplify processing, and standardize administration

• Encourages use of electronic data interchange (EDI) to exchange information between computers, and sets standards for it

Title II: Basic Provisions

• Electronic health information transaction standards (benefits coordination)

• Penalties (fines and imprisonment)

• Privacy (standards and regulations)

• Provider and health plan mandate and timetable (2 years to start using HIPAA)

• State law preemption (state laws supersede unless Health & Human Services decide otherwise)

Complying with HIPAA

• Those who must comply with HIPAA are “covered entities” (CEs)

• CEs provide health care services regularly and send HIPAA-protected information electronically

• Includes clearinghouses, health insurance plans, and health care providers

Complying with HIPAA

• State law may be more stringent than the related HIPAA requirements when it:

– Grants patients better access rights to PHI

– Prohibits use or disclosure of PHI that HIPAA would allow

– Provides more information to an individual upon request

– Requires record keeping in greater detail

– Requires more focused, limited, or narrowed authorization

Privacy Standards

• Pharmacies have increased controls over management and storage of PHI

• Result of Privacy Rule of 2003

• Information belongs to patients, who have the right to control who may view it


Privacy Standards

• Discarded patient information (DPI) must be handled with great care

– Should be destroyed by a licensed, bonded company

– Must never be thrown in the trash, because of the risk of theft of paper records and computer disks containing patient records

The Medical Record

• Medical records contain information about patient’s health over time

• Document all medical history of patient in chronological order

• Are legal documents, and accuracy is vital in documenting that appropriate medical care has been given


The Medical Record

• Electronic medical records (EMRs) are preferred over paper because they can be accessed more quickly and take up less room

• Shared between health care professionals more easily

• Electronic health records are not the same as EMRs, and are owned by patient or person with a stake in the outcome, providing interactive patient access


Protected Health Information

• HIPAA privacy standards established in 2003 to require that privacy policies are appropriate to services provided

• Patients’ records must always be protected by trained employees who understand legal regulations about who may access them

• Patients must be told how PHI can be used and by whom


Protected Health Information

• Minimum necessary standard protects against too much information being given to any specific person or entity

• A group of medical records is known as a designated record set (DRS), including a provider’s medical and billing records

• Providers must establish a Notice of Privacy Practices (NOPP), which details policies and procedures, and make it available to anyone who requests it

Protected Health Information

• PHI includes:

– Patient name and address

– All dates relating to patient age and medical history

– Phone and fax numbers

– E-mail and Web site addresses

– Certificate and license numbers

– Vehicle ID and related numbers

– Medical device identifiers and serial numbers


Protected Health Information

• PHI includes:

– Social security and medical record numbers

– Health plan beneficiary numbers

– Various account numbers

– Fingerprints, voiceprints, and other biometric identifiers

– Photographs of patient’s face and other photos

– Other identifying numbers, codes, or characteristics

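As an added example (not from the chapter), this Python sketch applies the minimum necessary standard from the earlier slide to a constructed pharmacy record built from the identifier categories listed above: it releases only the fields a stated purpose needs, withholds every listed PHI field the purpose does not need, and records each disclosure so an accounting of disclosures can be produced. The field names, purposes and policy table are assumptions.

```python
from datetime import datetime, timezone

# PHI identifier categories from the chapter's list, as constructed field names
PHI_FIELDS = {
    "name", "address", "dob", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_no", "account_no", "device_serial", "vehicle_id",
    "photo", "biometric",
}

# Minimum necessary policy (constructed): the fields each purpose may receive
MIN_NECESSARY = {
    "dispensing": {"name", "dob", "prescription"},
    "claim": {"name", "dob", "beneficiary_no", "prescription"},
    "quality_review": {"prescription", "prescriber"},
}

disclosure_log = []  # feeds a patient's "accounting of disclosures" request


def minimum_necessary(record, purpose, recipient):
    """Return (released, withheld) for one disclosure and log it."""
    if purpose not in MIN_NECESSARY:
        raise PermissionError(f"no minimum-necessary policy for {purpose!r}")
    allowed = MIN_NECESSARY[purpose]
    released = {k: v for k, v in record.items() if k in allowed}
    withheld = sorted((set(record) & PHI_FIELDS) - allowed)
    disclosure_log.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "to": recipient, "purpose": purpose,
        "fields": sorted(released),  # log which fields left, never the values
    })
    return released, withheld


def contains_phi(record):
    """True if any identifier from the PHI list is still present."""
    return any(k in PHI_FIELDS and record[k] for k in record)


SAMPLE_RECORD = {  # constructed, fictitious patient data
    "name": "Jane Doe", "address": "1 Example St", "dob": "1970-01-01",
    "phone": "555-0100", "email": "jane@example.invalid",
    "ssn": "000-00-0000", "mrn": "MRN-0001", "beneficiary_no": "BEN-0001",
    "device_serial": "SN-42", "prescription": "drug X 10 mg",
    "prescriber": "Dr. Roe",
}

if __name__ == "__main__":
    out, held = minimum_necessary(SAMPLE_RECORD, "quality_review", "QA team")
    print(out, "withheld:", held, "still PHI:", contains_phi(out))
```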

Disclosure of Protected Health Information

• Disclosure occurs when entity holding information performs actions causing it to move outside entity, such as:

– Releasing

– Transferring

– Providing access

– Divulging (in any manner)

Disclosure of Protected Health Information

• People who are acting on behalf of patient may receive certain PHI

• Providers must be very careful when deciding to release PHI

• Pharmacy technicians should refer issues related to disclosure of child’s PHI to pharmacist or privacy officer


Patients’ Rights

• Patients have the right to view and copy PHI within 30 days of request, either free or for a reasonable fee, as per HIPAA

• They can request amendments (changes) to any incorrect parts

• They can request an “accounting of disclosures” but many disclosures (e.g., TPHCO) do not have to be included


Patient Notification

• HIPAA Privacy Rule changed the way patients are informed about HIPAA compliance of covered entities

• Using NOPPs, providers explain to patients how PHI may be used and disclosed

• NOPPs discuss patient access and rights and how to register complaints


Security Standards

• HIPAA security standards describe how electronic PHI must be safeguarded

• Important to understand them

• All health care professionals participate in protection of patients’ records


HIPAA Security

• HIPAA security standards focus on electronic PHI, also called “ePHI”

• May be stored in computers and related peripheral devices

• Security goals for ePHI are availability, confidentiality, and integrity of information

• Covered entities must use risk analysis to determine potential security threats


Mobile Devices and Media

• “Mobile” or “portable” devices include:

– Backup media

– Home computers

– Laptop computers

– Memory cards

– Personal digital assistants (PDAs)

– Public workstations

– Remote access devices

– Smart phones

– USB flash drives

– Wireless access points

Faxes and E-mail

• HIPAA also requires protection of PHI when using faxes and e-mail

• Suggests that all fax numbers and e-mail addresses be verified before transmission

• Recommends inclusion of a “confidentiality notice” instructing anyone who receives the communication in error to immediately contact the sender and destroy the information received

HIPAA Transactions

• HIPAA has requirements concerning EDI to simplify administrative information exchange

• Health care professionals should understand related code sets and national identifiers used in EDI

HIPAA Electronic Health Care Transactions

• All providers are required by HIPAA to use the same code sets, identifiers, and transactions when health care information is transmitted

• Examples:

– Claims

– Claim status

– Encounter information

– Inquiries

– Payment or remittance advice

Transaction Standards

• HIPAA requires that transfers of ePHI for specific business purposes comply with specific transaction standards

• Purposes include:

– Benefits

– Claims and equivalent encounters

– Claim status

– Eligibility inquiries

– Enrollment/disenrollment

– Payments and remittance

– Referrals

Transaction Standards

• National Council for Prescription Drug Programs (NCPDP) creates and promotes data transfer standards as they relate to pharmacy

• Members of NCPDP may receive education tailored to practice and receive database services

• NCPDP standards focus on diverse areas of pharmacy practice


Medical Code Sets

• Used to encode data elements concerning specific diagnoses and clinical procedures using alphanumeric codes

• 6 code sets for clinical information:

– ICD-9-CM (identifying diseases and conditions)

– HCPCS (items, supplies, and non-physician services)

– CPT-4 (medical procedures and services)

– ICD Volume 3 Codes (inpatient hospital services)

– NDC (drug products)

– CDT-4 (dental services)

Administrative Code Sets

• Non-medical code sets also known as “administrative code sets”

• Include simple and complex codes

• Simple codes include abbreviations for states and locations

• Complex codes may refer to payments, claims, providers, and places of service


HIPAA Enforcement

• Covered entities must implement policies and procedures that will prevent, detect, contain, and correct security violations

• HIPAA enforcement covers its standards and regulations, and abuse and fraud relating to them

HIPAA Enforcement Agencies and Rules

• Department of Justice (DOJ)

• Centers for Medicare and Medicaid Services (CMS)

• Electronic Health Care Transaction and Code Set Rule (TCS)

• National Employer Identifier Number Rule (EIN)

• Security Rule

• Office for Civil Rights (OCR)

• Office of Inspector General (OIG)


Fraud and Abuse Regulation

• Health care fraud and abuse may harm patients financially and medically if unsafe procedures are performed as a result

• Enforcement is through:

– Health Care Fraud and Abuse Control Program

– False Claims Act

Compliance Plan

• Many health care providers create compliance plans to stay in line with governmental regulations, develop consistent policies and procedures, train their staff, and eliminate errors


Compliance Plan

• Compliance plans also serve as legal defense in case of prosecution for fraud

• The Office of the Inspector General (OIG) has created compliance program guidelines for many areas of health care


Violations and Penalties

• All health care employees who deal with PHI must comply with HIPAA

• Ethical or legal breaches of confidentiality may result in fines, termination, and imprisonment


Criminal Penalties

• Criminal penalties usually assessed for intentional misuse of PHI

• Can be as high as $250,000 in fines and up to 10 years in prison


Civil Penalties

• Civil penalties given for violating privacy on an unintentional basis

• Can be as high as $25,000 in fines per year if repeated violations occur