© 2010 Delmar, Cengage Learning. ALL RIGHTS RESERVED. Chapter 5 The Health Insurance Portability and Accountability Act (HIPAA) Jahangir Moini, MD, MPH, CPhT


Chapter 5

The Health Insurance Portability and Accountability Act (HIPAA)

Jahangir Moini, MD, MPH, CPhT


Overview

• Creation of privacy and security laws aimed at more efficient pharmacy practice and faster reimbursement

• HIPAA laws put into place to standardize controls over dissemination of private health records


Goal of HIPAA

• Primary goals include improving portability (ability to transmit and transfer information) and continuity of health care coverage

• Intended to reduce abuse, fraud, and waste in health care delivery and insurance


Goal of HIPAA

• Use and disclosure of protected health information (PHI) by covered entities is controlled by HIPAA

• PHI must be identified to be protected

• All health information (verbal, written, or electronic) should be protected

• Patients have the right to know PHI can be used


Title I: Health Insurance Reform

• Before HIPAA, people with PHI did not have as many rights as people covered by Medicare or Medicaid

• Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA) allows employees leaving a job to elect to continue employer’s health coverage for limited time


Title I: Health Insurance Reform

• COBRA modified by Title I with exclusions for pre-existing health conditions being limited, which gave certain people ability to enroll in new health care plans


Title II: Administrative Simplification

• Restricts electronic transferring of health care data, allows patients more rights to PHI, and puts in place better security for PHI

• Sought to reduce paperwork, simplify processing, and standardize administration

• Encourages use of electronic data interchange (EDI) to exchange information between computers and set standards


Title II: Basic Provisions

• Electronic health information transaction standards (benefits coordination)

• Penalties (fines and imprisonment)

• Privacy (standards and regulations)

• Provider and health plan mandate and timetable (2 years to start using HIPAA)

• State law preemption (state laws supersede unless Health & Human Services decide otherwise)


Complying with HIPAA

• Those who must comply with HIPAA are “covered entities” (CEs)

• CEs provide health care services regularly and send HIPAA-protected information electronically

• Includes clearinghouses, health insurance plans, and health care providers


Complying with HIPAA

• State law may be more stringent than actual related HIPAA requirements when it:

– Grants patient better access rights to PHI

– Prohibits use or disclosure of PHI that HIPAA would allow

– Provides more information to an individual upon request

– Requires record keeping in great detail

– Requires more focused, limited, or narrowed authorization


Privacy Standards

• Pharmacies have increased controls over management and storage of PHI

• Result of Privacy Rule of 2003

• Information belongs to patients, who have the right to control who may view it


Privacy Standards

• Discarded patient information (DPI) must be handled with great care

– Should be destroyed by licensed, bonded company

– Must never be thrown in trash because of theft of paper records and computer disks containing patient records


The Medical Record

• Medical records contain information about patient’s health over time

• Document all medical history of patient in chronological order

• Are legal documents, and accuracy is vital in documenting that appropriate medical care has been given


The Medical Record

• Electronic medical records (EMRs) are preferred over paper because they can be accessed more quickly and take up less room

• Shared between health care professionals more easily

• Electronic health records are not the same as EMRs, and are owned by patient or person with a stake in the outcome, providing interactive patient access


Protected Health Information

• HIPAA privacy standards established in 2003 to require that privacy policies are appropriate to services provided

• Patients’ records must always be protected by trained employees who understand legal regulations about who may access them

• Patients must be told how PHI can be used and by whom


Protected Health Information

• Minimum necessary standard protects against too much information being given to any specific person or entity

• A group of medical records is known as a designated record set (DRS), including a provider’s medical and billing records

• Providers must establish a Notice of Privacy Practices (NOPP), which details policies and procedures, and make it available to anyone who requests them


Protected Health Information

• PHI includes:

– Patient name and address

– All dates relating to patient age and medical history

– Phone and fax numbers

– E-mail and Web site addresses

– Certificate and license numbers

– Vehicle ID and related numbers

– Medical device identifiers and serial numbers


Protected Health Information

• PHI includes:

- Social security and medical record numbers

- Health plan beneficiary numbers

- Various account numbers

- Fingerprints, voiceprints, and other biometric identifiers

- Photographs of patient’s face and other photos

- Other identifying numbers, codes, or characteristics


Disclosure of Protected Health Information

• Disclosure occurs when entity holding information performs actions causing it to move outside entity, such as:

– Releasing

– Transferring

– Providing access

– Divulging (in any manner)


Disclosure of Protected Health Information

• People who are acting on behalf of patient may receive certain PHI

• Providers must be very careful when deciding to release PHI

• Pharmacy technicians should refer issues related to disclosure of child’s PHI to pharmacist or privacy officer


Patients’ Rights

• Patients have the right to view and copy PHI within 30 days of request, either free or for a reasonable fee, as per HIPAA

• They can request amendments (changes) to any incorrect parts

• They can request an “accounting of disclosures” but many disclosures (e.g., TPHCO) do not have to be included


Patient Notification

• HIPAA Privacy Rule changed the way patients are informed about HIPAA compliance of covered entities

• Using NOPPs, providers explain to patients how PHI may be used and disclosed

• NOPPs discuss patient access and rights and how to register complaints


Security Standards

• HIPAA security standards describe how electronic PHI must be safeguarded

• Important to understand them

• All health care professionals participate in protection of patients’ records


HIPAA Security

• HIPAA security standards focus on electronic PHI, also called “ePHI”

• May be stored in computers and related peripheral devices

• Goals of ePHI include availability, confidentiality, and integrity of information

• Covered entities must use risk analysis to determine potential security threats


Mobile Devices and Media

• “Mobile” or “portable” devices include:

– Backup media

– Home computers

– Laptop computers

– Memory cards

– Personal digital assistants (PDAs)

– Public workstations

– Remote access devices

– Smart phones

– USB flash drives

– Wireless access points


Faxes and E-mail

• HIPAA also requires protection of PHI when using faxes and e-mail

• Suggests that all fax numbers and e-mail addresses be verified before transmission

• Recommends inclusion of “confidentiality notice” instructing that anyone who receives the communication in error should immediately contact the sender and destroy information received


HIPAA Transactions

• HIPAA has requirements concerning EDI to simplify administration information exchange

• Health care professionals should understand related code sets and national identifiers used in EDI


HIPAA Electronic Health Care Transactions

• All providers are required by HIPAA to use the same code sets, identifiers, and transactions when health care information is transmitted

• Examples:

– Claims

– Claim status

– Encounter information

– Inquiries

– Payment or remittance advice


Transaction Standards

• HIPAA requires that transfers of ePHI for specific business purposes comply with specific transaction standards

• Purposes include:

– Benefits

– Claims and equivalent encounters

– Claim status

– Eligibility inquiries

– Enrollment/disenrollment

– Payments and remittance

– Referrals


Transaction Standards

• National Council for Prescription Drug Programs (NCPDP) creates and promotes data transfer standards as they relate to pharmacy

• Members of NCPDP may receive education tailored to practice and receive database services

• NCPDP standards focus on diverse areas of pharmacy practice


Medical Code Sets

• Used to encode data elements concerning specific diagnoses and clinical procedures using alphanumeric codes

• 6 code sets for clinical information:

– ICD-9-CM (identifying diseases and conditions)

– HCPCS (items, supplies, and non-physician services)

– CPT-4 (medical procedures and services)

– ICD Volume 3 Codes (inpatient hospital services)

– NDC (drug products)

– CDT-4 (dental services)


Administrative Code Sets

• Non-medical code sets also known as “administrative code sets”

• Include simple and complex codes

• Simple codes include abbreviations for states and locations

• Complex codes may refer to payments, claims, providers, and places of service


HIPAA Enforcement

• Covered entities must implement policies and procedures that will prevent, detect, contain, and correct security violations

• HIPAA enforces its standards and regulations, and abuse and fraud relating to them


HIPAA Enforcement Agencies and Rules

• Department of Justice (DOJ)

• Centers for Medicare and Medicaid Services (CMS)

• Electronic Health Care Transaction and Code Set Rule (TCS)

• National Employer Identifier Number Rule (EIN)

• Security Rule

• Office for Civil Rights (OCR)

• Office of Inspector General (OIG)


Fraud and Abuse Regulation

• Health care fraud and abuse may harm patients financially and in medical terms if unsafe procedures are performed as a result

• Enforcement is through:

– Health Care Fraud and Abuse Control Program

– False Claims Act


Compliance Plan

• Many health care providers create compliance plans to stay in line with governmental regulations, develop consistent policies and procedures, train their staff, and eliminate errors


Compliance Plan

• Compliance plans also serve as legal defense in case of prosecution for fraud

• The Office of the Inspector General (OIG) has created compliance program guidelines for many areas of health care


Violations and Penalties

• All health care employees who deal with PHI must comply with HIPAA

• Ethical or legal breaches of confidentiality may result in fines, termination, and imprisonment


Criminal Penalties

• Criminal penalties usually assessed for intentional misuse of PHI

• Can be as high as $250,000 in fines and up to 10 years in prison


Civil Penalties

• Civil penalties given for violating privacy on an unintentional basis

• Can be as high as $25,000 in fines per year if repeated violations occur