HIPAA, HITECH, and Medical Records

CHAPTER

© 2012 The McGraw-Hill Companies, Inc. All rights reserved.

2HIPAA, HITECH, and

Medical Records


Learning Outcomes

When you finish this chapter, you will be able to:2.1 Discuss the importance of medical records and

documentation in the medical billing process.

2.2 Compare the intent of HIPAA and ARRA/HITECH laws.

2.3 Describe the relationship between covered entities and business associates.

2.4 Explain the purpose of the HIPAA Privacy Rule.

2.5 Briefly state the purpose of the HIPAA Security Rule.

2.6 Explain the purpose of the HITECH Breach Notification Rule.

2-2


Learning Outcomes (Continued)

When you finish this chapter, you will be able to:2.7 Describe the HIPAA Electronic Health Care

Transactions and Code Sets standards and the four National Identifiers.

2.8 Explain the purpose of the Health Care Fraud andAbuse Control Program and related laws.

2.9 Identify the organizations that enforce HIPAA.

2.10 Discuss the ways in which compliance plans help medical practices avoid fraud or abuse.

2-3


Key Terms

• abuse• American Recovery and

Reinvestment Act (ARRA) of 2009

• audit• authorization• breach• breach notification• business associate (BA)• Centers for Medicare

and Medicaid Services (CMS)

2-4

• clearinghouse

• code set

• compliance plan

• covered entity (CE)

• de-identified health information

• designated record set (DRS)

• documentation

• electronic data interchange (EDI)

• electronic health record (EHR)


Key Terms (Continued)

• electronic medical record (EMR)

• encounter• encryption• evaluation and

management (E/M)• fraud• Health Care Fraud and

Abuse Control Program• Health Insurance

Portability and Accountability Act (HIPAA) of 1996

2-5

• HIPAA Electronic Health Care Transactions and Code Sets (TCS)

• HIPAA final enforcement rule

• HIPAA National Identifier

• HIPAA Privacy Rule

• HIPAA Security Rule• HITECH Act• informed consent• malpractice• medical record


Key Terms (Continued)

• medical standards of care

• minimum necessary standard

• National Provider Identifier (NPI)

• Notice of Privacy Practices (NPP)

• Office for Civil Rights (OCR)

• Office of the Inspector General (OIG)

2-6

• password

• protected health information (PHI)

• qui tam• relator• respondeat superior• subpoena• subpoena duces tecum• transaction• treatment, payment, and

health care operations (TPO)


2.1 Medical Record Documentation 2-7

• A patient’s medical record contains facts, findings, and observations about that patient’s health

• Documentation is the recording of a patient’s health status in a medical record history

• Medical standards of care—state-specified performance measures for health care delivery– Medical records and documentation act as legal

documents and help physicians make accurate diagnoses

– Malpractice—failure to use professional skill when giving medical services that results in injury or harm


2.1 Medical Record Documentation(Continued)

2-8

• Encounter—an office visit between a patient and a medical professional

• Evaluation and management (E/M)—provider’s evaluation of a patient’s condition and decision on a course of treatment

• Electronic health record (EHR)—computerized lifelong health care record with data from all sources

• Electronic medical record (EMR)—computerized record of one physician’s encounters with a patient


2.1 Medical Record Documentation(Continued)

2-9

• Informed consent—process by which a patient authorizes medical treatment after a discussion with a physician


2.2 Health Care Regulation: HIPAA andHITECH

2-10

• The main federal government agency responsible for health care is the Centers for Medicare and Medicaid Services, also known as CMS

• The foundation legislation for the privacy of patients’ health information is called the Health Insurance Portability and Accountability Act (HIPAA) of 1996– Protects private health information, ensures coverage,

uncovers fraud and abuse, and creates industry standards


2.2 Health Care Regulation: HIPAA andHITECH (Continued)

2-11

• American Recovery and Reinvestment Act (ARRA) of 2009—law with provisions concerning the standards for the electronic transmission of health care data– Contains the HITECH Act—law promoting the

adoption and use of health information technology


2.3 Covered Entities and Business Associates

2-12

• Electronic data interchange (EDI)—system-to-system exchange of data in a standardized format

• The electronic exchange of health care information is called a transaction


2.3 Covered Entities and Business Associates (Continued)

2-13

• Health care organizations that must obey HIPAA regulations are called covered entities (CEs)– Transmit information electronically

• Clearinghouse—company that helps providers handle electronic transactions and manage EMR systems

• Business Associates (BA)—organizations that work for covered entities but are not themselves CEs– Law firms; outside medical billers, coders, and

transcriptionists; accountants; collection agencies


2.4 HIPAA Privacy Rule 2-14

• HIPAA Privacy Rule—law regulating the use and disclosure of patients’ protected health information (PHI)

• Protected health information (PHI)—individually identifiable health information that is transmitted or maintained by electronic media

• Both use and disclosure of PHI are necessary and permitted for patients’ treatment, payment, and health care operations (TPO)


2.4 HIPAA Privacy Rule (Continued) 2-15

• Minimum necessary standard—taking reasonable safeguards to protect PHI from incidental disclosure

• Designated record set (DRS)—CE’s records that contain PHI

• Notice of Privacy Practices (NPP)—description of a CE’s principles and procedures related to the protection of patients’ health information

• For use or disclosure other than for TPO, a CE must have the patient sign an authorization


2.4 HIPAA Privacy Rule (Continued) 2-16

• Health information can be released for reasons other than TPO in some cases– Subpoena—order of a court for a party to appear and

testify– Subpoena duces tecum—order of a court directing a

party to appear, testify, and bring specified documents or items

– De-identified health information—medical data from which individual identifiers have been removed


2.5 HIPAA Security Rule 2-17

• The HIPAA Security Rule requires CEs to establish safeguards to protect PHI– Encryption—method of converting a message into

encoded text– Password—confidential authentication information

(the key)


2.6 HITECH Breach Notification Rule 2-18

• HITECH Act requires CEs to notify affected individuals following the discovery of a breach of unsecured health information

• Breach—impermissible use or disclosure of PHI that could pose significant risk to the affected person

• Breach notification—document notifying an individual of a breach


2.7 HIPAA Electronic Health Care Transactions and Code Sets

2-19

• HIPAA Electronic Health Care Transactions and Code Sets (TCS)—rule governing the electronic exchange of health information– Under HIPAA, a code set is any group of codes used

for encoding data elements

• HIPAA National Identifier—identification systems for employers, health care providers, health plans, and patients– National Provider Identifier (NPI)—unique ten-digit

identifier assigned to each provider


2.8 Fraud and Abuse Regulations 2-20

• HIPAA created the Health Care Fraud and Abuse Control Program to uncover and prosecute fraud and abuse

• The HHS Office of the Inspector General (OIG) has the task of detecting health care fraud and abuse and enforcing all the related laws– Has the authority to investigate suspected fraud

cases and to audit the records of physicians and payers

– Audit—formal examination of a physician’s records


2.8 Fraud and Abuse Regulations (Continued)

2-21

• Qui tam—cases in which a relator accuses another party of fraud or abuse against the federal government

• Relator—person who makes an accusation of fraud or abuse


2.8 Fraud and Abuse Regulations (Continued)

2-22

• Fraud—an act of deception used to take advantage of another person– Example—forging another person’s signature

• In federal law, abuse means an action that misuses money that the government has allocated– Example—billing Medicare for an unnecessary

ambulance service


2.9 Enforcement and Penalties 2-23

• HIPAA final enforcement rule—law designed to combine the enforcement procedures for privacy and security standards into a single rule

• Office for Civil Rights (OCR)—government agency that enforces the HIPAA Privacy Act

• Criminal violations of HIPAA privacy standards are prosecuted by the Department of Justice (DOJ)– Other standards are enforced by the CMS


2.10 Compliance Plans 2-24

• Compliance plan—medical practice’s written plan for complying with regulations– Used to uncover compliance problems and correct

them to avoid risking liability– A process for finding, correcting, and preventing

illegal medical office practices

• Respondeat superior—doctrine making employers responsible for employee actions

Documents

HIPAA, HITECH, and Medical Records