hip - prof

Start Studying!

Terms

undefined, object

copy deck

Ch 1 3 things about HIPAA: Insurance Portability
Fraud
Administrative Simplification
Ch 1 PHI: Protected Health Information
Ch 1 2 other names for HIPAA: 1) Public Law 104-191
2) Kennedy-Kasebaum bill
Ch 1 Why pass HIPPAA? 5 reasons: 1) Improve portability and continuity of health insurance coverage
2) Combat waste, fraud, and abuse in health insurance and health care deliverg
3) Promote use of medical savings accounts
4) Improve access to long term care services and coverage
5) Simplify administration of health insurance
6) Protecting the privacy of patient re ords and any other patient identifiable information
Ch 1 5 HIPAA titles?: 1) Health Care Insurance Access, Portability, and Renwability
2) Preventing healthcare fraud and abuse; Administrative simplification; Medical Liability Reform
3) Tax related health provisions
4) Application and Enforcement of Group Health Insurance Requirements
5) Revenue Offsets
Ch 1 4 new protections of Section 1 of HIPAA: 1) increase ability to GET health coverage when starting a new job
2) reduces chance of losing existing health care coverage
3) help workers maintain continuous health coverage when changing jobs
4) help workers purcahse health coverage on their own if they lose employers coverage and have no other plan available
Ch 1 Why privacy in HIPAA?: Security and privacyt promote higher quality care by giving consumers confidence that health information is protected from inappropriate uses and disclosures
Ch 1 4 ways that 1 in 6 people have shielded themselves with privacy?: 1) Doctor hopping
2) Withholding information
3) Inaccurate information
4) Paying out of pocket
Ch 1 How much will addressing privacy and security issues in healthcare cost the industry?: between 17 and 22 billion in the first 5-10 years!
Ch 1 Provider and Payer vs Clearinghouse solution?: Congress intends providers and payers to become compliant together. Consumers have the most to gain by this.
Ch 1 Changing 1 component in tightly coupled, integrated systems?: Causes issues.
Ch 1 HIPAA's impact? (5 things): 1) Standardization of electonic, admin, and financial health transactions
2) Unique health identifiers for all members in the health transactions (employers, plans, insurance, individuals)
3) Security standards protecting confidentiality and integrity
4) Privacy
5) Standards for e-medical records
Ch 1 Covered Entitites?: 1) Health care plans
2) Health care clearing houses
3) Health care providers
Ch 1 Health plan? and a few examples: -Individual or group plan that provides or pays the cost of medical care.
1) HMO
2) Issuer of long term care policy
3) Indian Health Service
4) Employee welfare benefit plan
Ch 1 Health care clearinghouse?: -organizations that process health care transactions on behalf of providers and insurers.

1) Billing services
2) Community health management information systems
3) Medical reviewers
Ch 1 Health care provider?: A person who is trained and licensed to give health care.
1) doctor
2) hospital
3) clinic
4) pharmacy
Ch 1 3 attributes of an org DEFINITELY impacted?: 1) Receives, submit, or pay health care claims
2) involved in plan enrollment or benefits
3) receives, distributes, or retains patient health care data
Ch 1 4 attributes of an org that MAY be impacted: 1) receive or submit med information from/to a business partner
2) receive info from or to provider working in a HIPAA compliant environment
3) use detailed or summary medical info from other entities
4) generate reports from medically related information
Overview Meaning of 5 titles: Title 1 - Insurance access and portability
Title 2 - Preventing Fraud, Administrative Simplification
Title 3 - Tax related health provisions
Title 4 - Application and Enforcement of Group Insurance Requirements
Title 5 - Revenue Offsets
Overview Standards for Electronic -Administrative Simplification: Transactions, Cod Sets, and Identifiers; definies standards for conducting EDI health transactions
Overview Standards for Privacy - Administrative Simplification: Who is authroized to access health finroamtion and gives individuals the right to keep information about themselves from being disclosed
Overview Standards for Security - Administrative Simplification: Admin, Physical, and Technical safeguards to secure PHI
Overview 3 covered entities: 1) Health Plan
2) Health Care clearinghouse
3) Health Care provider
Overview Compliance timeline 1) Transactions and Code sets 2) Privacy 3) Transactions testing 4) Employer identifier 5) Security: 1) 10/16/2003 (large w/permission), 10/16/2002 (medium,small)
2) 4/14/2003
3) 4/16/2003
4) 7/20/2004
5) 4/21/2005
Overview Civil Penalties: $100 - single violation of a provision (multiple penalties for violating multiple provisions)
$25k - making the same mistake more than once in the same calendar year...Secretary might reduce fine if not due to willful neglect
Overview Criminal Penalties 1) Wrongful disclosure of individually identifiable health information: 1) up to 50k, 1 year
Overview Criminal Penalties 2)Wrongful disclosure of individually identifiable health information under false pretenses: 2) up to 100k, up to 5 years
Overview Criminal Penalties 3)Wrongful disclosure of individually identifiable health information under false pretenses with intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm: 3) up to 250k, up to 10 years
Overview DSMO: Designated Standards Maintenance Organization
Overview 6 DSMOs: 1) ANSI
2) Dental Content Committee of ADA
3) HL7 (health level 7)
4) National Council for prescription drug programs (NCPDP)
5) National Uniform Billing Committee (NUBC)
6) National Uniform Claim Committee (NUCC)
Overview Related Orgs... Centers for Medicare and Medicaid Services: CMS responsible for implementing unrelated provisions of HIPAA; responsible for enforcing HIPAA Transactions Rule
Overview Related orgs... Workgroup for EDI (WEDI): voluntary, private task force created to streamline health care admin by standardizing electronic communication across the country
Overview RElated orgs... Health Level 7 (HL7): ANSI accredited, defines standards for cross platform exchange of information within health care organization
Overview Related orgs... Washington Publishing Company (WPC): Publishes X12N HPAA Implementations guides and X12N HIPAA Data Dictionary
Overview Related Orgs... National Council for Prescription Drug Programs: ANSI accredited, maintains standard formats for use by retail pharmacy industry.
Overview National Committee on Vital Health Statistics (NCVHS): advisory committee to Sec of HHS. NCVHS reviews sample plans to identify common problems that are complicating compliance activities.
Overview 4 Types of transactions?: 1) patient scheduling
2) registration
3) clinical reporting
4) billing
Overview ANSI vs NCPDP: ANSI for everything except for pharmacy transactions
Overview ASC 270: Eligibility, Coverage, or Benefit Inquiry
Overview ASC 271: ELigibility, Coverage, or Benefit Information
Overview ASC 276: Health Care Cliam Status Request
Overview ASC 277: Health Care Claim Status Notification
Overview ASC 278: Health Care Services Review: 1) Request for review
2) Response
Overview ASC 820: Payment order remittance advice
Overview ASC 834: Benefit enrollment and maintenance
Overview ASC 835: Health Care Claim Payment/Advice
Overview ASC 837 004010X096: Health Care Claim Institutional
Overview ASC 837 004010X097: Health Care Claim: Dental
Overview ASC 837: Health Care Claim: Professional
Overview When do transaction standards apply?: Only when data is transmitted electronically
Overview Compliance: compliance by October 16, 2003
Overview ICD-9-CM Volumes 1 and 2: International classification of diseases. Updated by DHHS.
Overview ICD-9-CM, Volume 3: Used to describe/identify inpatient hospital services and sugrical procedures. Updated by DHHS.
Overview CPT-4: Current Procedural Terminology, used to identify physician services or procedures. Maintained by AMA
Overview CDT: Code on dental procedures and nomenclature. Used to describe dental services or procedures. ADA
Overview NDC: National Drug Code. Used to identify drugs. HHS and FDA
Overview HCPCS: Healthcare common procedure coding system - used to describe services that are not physician, dentist, hospital, or radiological/vision/hearing services. Updated by CMS (Centers for Medicare and Medicaid Services (CMS))
Overview (National Healthcare Identifiers) NPI: National Provider Identifier
1) Individual Providers
2) Organization providers
Notes on NPI: 1) Keep NPI for life
2) Org can get multiple NPI
3) Individual NPI will not be linked to Org NPI
(National Healthcare Identifier) NHPI: National Health Plan Identifier - a standard and uniform identifier that would apply to health plans and payers
(National Healthcare Identifier) NEI: A standard for national employer and requirements concerning its use
National Health Identifier for individuals: ignored in implementation planning for HIPAA. HHS says it will NOT social security number.
Transaction set: group of logically related data units. Smallest meaningful set of data exchanged between trading partners
Functional group: adds relevance to 2 or more data segments. Introduced by a group start segment; concluded by group end segment
Enumerator: Organization that will assign unique health care identifiers and maintain the NPS/NPF
National Provider System (NPS): A central electronic system that will identify and uniquely enumerate health care providers at the national level
National (NPF): A national database of providers that will be distributed electronically
Privacy Standard: Policies and procedures in place to control who has access to PHI
Individual Rights (Privacy standard): 1) Access to info
2) Amendment to PHI
3) Additional Restriction Information (request it)
4) Alternative Communications
5) Accounting of Disclosures
Use (Privacy standard): sharing, employing, applying individually identifiable health information by employees or other members of workforce
Disclosure (Privacy standard): releasing, tx, providing access to any information outside the entity holding the information.
IIHI: Individually Identifiable Health Information
PHI: Protected Health Information - patient identifiable inforation regardless of the media form it is in.
PII: Patient Identifiable information. IDENTIFIERS in health information that can be used to identify an individual.
DII: De-identified information. Personal identifiers removed from data set. Information not individually identifiable and can be disclosed w/o authorization
Business Associate: A person who has, on behalf of covered entity, assists in functions that use IIHI
Workforce: employees, vounteers, trainees, and other people under direct control of a covered entity
Treatment: Using PHI to provide coordinate or manage health care and related services
Payment: Refers to using PHI to obtain payment of health care services (can include operations that a health plan undertakes before paying for services)
Health care operations: using PHI to support the business activities for a practice. May include quality assessment, employee review, and training of medical students, licensing, marketing, and fund raising activities.
Documents Notice of Privacy Practices: Describes use and disclosure of PHI for carrying out treatment, payment, or health care operations.
Documents Authorization: Authorization to use or disclose PHI must be obtained when a consent form does no apply.
Documents Business Associate Contract (BAC): Addresses core issue of protecting privacy of PHI when dealing with outside entities
Documents Data Use Agreement: An agreement with a recipient of PHI data that limits their use of PHI
Documents Privacy offer job description: Description of Privacy Officer's responsibilities
Documents Termination Procedure: For employees who fail to comply with internal privacy policies and procedures
Admin A Personnel Designations: Assign a Privacy Officer
Admin B Complaints: Identify how to handle complaints
Admin D Documentation: Create and maintain documentation related to Privacy Rule
Admin E Training: Privacy and security requirements
PHI policies and procedures
Admin F Safeguards: Administrative, technical, and physical
Admin G Sanctions: Policy that describes the specific actions against employees who fail to comply with internal policies and procedures
Admin H Mitigation: Policy that includes steps to remedy any harm caused by mistake and prevent that mistake from occurring again.
Admin I No intimidating or retaliatory acts: An organization cannot intimidate, threaten, coerce, or take other retaliatory action against any patient for the exercise of any right under the Privacy Rule, including filing a complaint
Admin J No waiver of rights: An organization cannot require as a condition of TPO or eligibility of benefits, that an individual waive his or her right to make complaints to Secretary of HHS
10 steps to HIPAA Privacy: 1) Assign privacy responsibility
2) Identify and assess organizations PHI
3) Assess privacy policies
4) Analyze gaps in current policies
5) Adjust organization policies
6) Identify business associates
-Does entity provide services for organization
-Is entity exempted from business associate requirements
-is service a part of your treatment of person
-does all such service performed require access to PHI
7) Negotiate BACs
8) Develop Privacy Documents
9) Develop privacy training program
10) Document privacy policies
Security Standard 3 things: Confidentiality, Integrity, Availability
Common Security Threats: 1) Virus or malicious code
2) Unauthorized remote access or login
3) Unauthorized local access or login
4) Unauthorized physical access to systems
5) Tampering of data while in transit
6) Theft or removable media
7) Intentional or inadvertent loss of electric
Administrative Safeguards (9 of them): 1) Security Management Process
2) Assigned Security Responsibility
3) Workforce Security
4) Information access management
5) Security awareness and training
6) Security incident procedures
7) Contingency plan
8) Evaluation
9) BAC and other arrangements
Physical Safeguards (4 of them): 1) Facility access control
2) Workstation use
3) Workstation Security
4) Device and media controls
Technical Safeguards: 1) Access controls
2) Audit Controls
3) Integrity
4) Person or entity authentication
5) Transmission Security
7 Steps to HIPAA Security Solutions: 1) Assign Security Responsibility
2) Risk Analysis and vulnerability assessment
3) Remediation
4) Security policies and procedures
5) Business Associate Contracts
6)Training, HIPAA awareness
7) Evaluate
Authentication: means the corroboration that the person is the one they claim to be.
Need to authenticate to a degree appropirate to risk/threat
Access Control: method of restricting access to resources. Allow only priviledged entities access
Non-repudiation: prevent denial by one of the entities involved in a communication of having participated in all or part of the communication
Evaluation: periodic evaluation to verify complaince with HIPAA Security Rule. Account for changes introduced in infrastructure that impact security of electronic PHI
BAC: Business Associate Contracts - covered entity can permit business associate access to PHI only if covered entity obtains satisfactory assurances that business associate will appropriately safeguard info
Contingency Plan: Plan for responding to system emergency. Includes:
-Backups
-Prepare Critical facilities that can be used to ensure continuity of operations
-Recovering from disaster
Prepare org for HIPAA compliance? 5 things: 1) obtain executive buy-in
2) strategic and financial plan
3) establish program management position
4) involve IT partners on assessing current environment
5) training for key executives, IT professionals, and information management professionals
Preparing IT for HIPAA? 5 things: 1) Assess readiness for transaction standards, code sets, security
2) Extend Y2K business continuity planning
3) conduct risk analysis
4) contact app systems, hw and sw vendors
5) assess business associates timelines for compliance
Prepare for transaction standards?: understand which transaction your org uses and what you will need to implement
What 11 transactions will be implemented as a part of HIPAA?: 1) First report of injury (148)
2) Eligibility benefit request and response (270/271)
3) Provider information (274)
4) Health Claims Attachments (275)
5) Claim status request and response (276/277)
6) Referral certification (278)
7) Consolidated Service Invoice (811)
8) Plan Premium Payments (820)
9) Benefit Enrollment Maintenance (834)
10) Payment and REmittance Advice (834)
11) Health Care Claim - Dental/Professional/Institutional (837)
IIHI 3 fundamental things: 1) created or received by covered entity
2) relates to past, present, or future physical or mental health or condition. Relates to care provided to individual or payment for that care.
3) Identifies individual (or reasonable basis to believe the info can be used to id the person)
PHI at rest?: data is accessed, stored, processed, or maintained
TPO?: Treatment, payment, or health care operations
Treatment?: organizations can use or disclose info to healthcare providers who are involevd with your health care (for example to create and carry out a plan for treatment)
Payment?: Organizations can use or dislose information to get payment or to pay for health care services you receive. For example, a doctor provide PHI to bill health plan.
PHI (subset?): subset of PHI identifiers that can be used to identify an individual
Use and disclosure: USE limits sharing of information within a covered entity.
DISCLOSURE restricts sharing of info outside of covered entity.
6 Uses: 1) Sharing
2) Employing
3) Applying
4) Utilizing
5) Examining
6) Analyzing
4 Dislosures: 1) Release
2) Transfer
3) Provision of access to
4) Divulging in any manner
Notice (required): Covered entities must provide Notice that summarizes privacy practices.
Attributes of Notice: 1) Plain language
2) include header
3) Describe use and PHI disclosure
4) describe rights under privacy rule
5) describe individual rights under privacy rule
6) describe covered entities duties
7) describe how to register complaints concerning suspected privacy violations
8) specify a point of contact
9) specify an effective date
10) state that the entity reserves the right to change its privacy practices
What are individual rights under privacy rule?: 1) request restrictions
2) receive confidential communication of PHI
3) inspect copy and amend PHI
4) obtain accounting of PHI disclosures
Authorization (required): allows use and disclosure of PHI for purposes other than treatment, payment, or health care operations
Authorization attributes (3 of them): 1) Authorization must be on specific terms
2) Authorization can allow PHI to be used and disclosed by covered entity
3) Covered entities must obtain an individuals Authorization for uses or disclosers not covered by Notice
10 Core elements of Authorization: 1) Give specific description of authorized information
2) List persons authorized to use or disclose PHI
3) Disclosureable persons
4) purpose of use or disclosure
5) expiration date or event for discloure
6) right to revoke and exceptions thereof
7) ability or inability to perform based on Authorization
8) state that disclosed info may be re-disclosed by recipient and then not protected by rule
9) signature of individual
10) plain language
Policies and Procedures: must keep key audit documents and forms. HHS Office for Civil Rights will look for this.
8 Examples of Privacy Policies: 1) Use patient, client, or participant information
2) Use for research purposes and waivers
3) enforcement, sanctions, and penalties for violation of individual privacy
4) Patient (or client) rights
5) Minimum necessary
6) De-Identification and use of limited data sets
7) Administrative, Technical, and Physical safeguards
8) General Privacy Policy
Tracking Flow of PHI/PII: 1) Created?
2) Reviewed and Modified?
3) Transferred
4) Received from within or outside org
5) Other sources
6) To what sources disclosed
7) What info is maintained?
DII or aggregate patient data?: 1) Creating or reviewing aggregate data
2) Transferring data w/in org
3) Receive data w/in org
4) Receive aggregate date from outside
5) Disclose aggregate data outside of org
HIPAA and requirement to send claims electronically?: HIPAA does not require it, but a payer may require it
Standard for Electronic Transactions: Transactions and Code Sets, facilitates standardized information exchange
Covered entities and Transactions?: All covered entities must use standard when e-conducting any defined transactions covered under HIPAA
Clearinghouse and nonstandard transactions?: May accept for purpose of translating into standard transactions for sending customers. Also may convert standard into nonstandard
When must a health plan be able to support e-standard for a transaction?: If it performs ANY business function for that transaction whether over phone, paper, or computer.
Can outsource this to a 3rd party though
Scope of transaction standards?: apply only when data is tx electronically between providers and plans as part of a standard transaction
Data format and standards?: Can be in any format as long as it can be translated into standard transaction when required
Security standards and health information?: will apply to ALL healthcare information
Providers and elements of choice?: Providers are the lone entity with an element of choice.
HIPAA and claim forms?: Provider will have 1 electronic claim form that handles everything
HIPAA and health plans and forcing providers to use transactions?: HIPAA does not require it, but health plans may.
Employers and covered entity status?: Employers are not a covered entity. They may continue to use non-standard means of enrollment
Compliance Date?: Must comply w/in 24 months of Transaction Rule publication. Small plans may comply w/in 36 months of publication
2 part test to determine if the standard must be used?: 1) Is transaction initiated by a covered entity or BA?
-if yes, then standard must be used
-if no, then standard need not be used
2) Has HHS adopted a standard for this type of transaction?
-if yes, standard must be used
-if no, standard need not be used
TPA? (are they a covered entity?): Third Part Administrator (as in an insurer who is outsourced) (not a covered entity!, however may be a BA of the covered entity)
Internet transactions and other e-transactions?: Internet transactions are treated the same as other electronic transactions
What if data is directly entered into system outside of health plan system, to be transmitted later?: Then format and content must be standard
data directly entered?: Standard content REQUIRED
Standard format OPTIONAL
State medicaid programs and HIPAA?: yes they'll need to comply w/in 2 years of publication.
No requirement for internal info maintained in accordance w/standard. However, Medicaid will need to process standards transactions
Penalty for failure to comply w/Transaction standard?: $100 per incident, not to exceed $25,000
ICD-9-CM, Volumes 1 and 2: Disease codes
sponsor? 3 things: pays for coverage, benefit, or product
(Employer, Union, Insurance Agency, Association, Government Agency)
UB-92: the de facto claim standard...will be outlawed under HIPAA...however, a clearinghouse can translate a standard transaction into a UB-92
Paper version can still be used by providers
2 levels of scrutiny for e-transactions...: 1) Compliance w/HIPAA standard
2) Specifc processing by the system reading or writing the standard transaction
Payer, Insurer: Party that claims or administers insurance coverage, benefit, or product (HMO, Insurance Company, PPO)
Destination Payer: Payer who is specified in the subscriber/payer loop
Secondary Payer: payer who is not primary payer
Subscriber: person whose name is listed in the insurance policy
Dependant: Individual who is eligible for coverage because of his or her association with subscriber
Insured or member: a subscriber that has been enrolled for coverage in plan
Patient: Patient loop used when patient is not the subscriber
Subscriber loop used when Patient is the subscriber
Provider: Entity that originally submitted the claim/encounter
3 types of providers?: 1) Billing
2) Performaing
3) Referring
Transmission Intermediary: handles transactionb between provider and payer

Start Studying!

Deck Info

Number of cards 165