POP QUIZ!!
• What does CMS stand for?
• What does HIPAA stand for?
• Which is a record of all of your visits with one doctor, EMR or EHR?
• Documents in a medical file are considered what kind of documents?
• In a patient’s chart, if something is SUBJECTIVE, what does that mean?

POP QUIZ!!
• What does CMS stand for?
  – Centers for Medicare and Medicaid Services
• What does HIPAA stand for?
  – Health Insurance Portability and Accountability Act
• Which is a record of all of your visits with one doctor, EMR or EHR?
  – Electronic MEDICAL Record
• Documents in a medical file are considered what kind of documents?
  – Legal documents
• In a patient’s chart, if something is SUBJECTIVE, what does that mean?
  – It’s in their own words.

HIPAA, HITECH, and Medical Records 2
Lecture 2

2.3 Covered Entities and Business Associates
• Electronic data interchange (EDI)—system-to-system exchange of data in a standardized format
• The electronic exchange of health care information is called a transaction
• Health care organizations that must obey HIPAA regulations are called covered entities (CEs)
  – Transmit information electronically
• Clearinghouse—company that helps providers handle electronic transactions and manage EMR systems
• Business Associates (BA)—organizations that work for covered entities but are not themselves CEs
  – Law firms; outside medical billers, coders, and transcriptionists; accountants; collection agencies

2.4 HIPAA Privacy Rule
• HIPAA Privacy Rule—law regulating the use and disclosure of patients’ protected health information (PHI)
• Protected health information (PHI)—individually identifiable health information that is transmitted or maintained by electronic media
• Both use and disclosure of PHI are necessary and permitted for patients’ treatment, payment, and health care operations (TPO)
• Minimum necessary standard—taking reasonable safeguards to protect PHI from incidental disclosure
• Designated record set (DRS)—CE’s records that contain PHI
• Notice of Privacy Practices (NPP)—description of a CE’s principles and procedures related to the protection of patients’ health information
• For use or disclosure other than for TPO, a CE must have the patient sign an authorization
• Health information can be released for reasons other than TPO in some cases
  – Subpoena—order of a court for a party to appear and testify
  – Subpoena duces tecum—order of a court directing a party to appear, testify, and bring specified documents or items
  – De-identified health information—medical data from which individual identifiers have been removed

2.5 HIPAA Security Rule
• The HIPAA Security Rule requires CEs to establish safeguards to protect PHI
  – Encryption—method of converting a message into encoded text
  – Password—confidential authentication information (the key)

2.6 HITECH Breach Notification Rule
• HITECH Act requires CEs to notify affected individuals following the discovery of a breach of unsecured health information
• Breach—impermissible use or disclosure of PHI that could pose significant risk to the affected person
• Breach notification—document notifying an individual of a breach

2.7 HIPAA Electronic Health Care Transactions and Code Sets
• HIPAA Electronic Health Care Transactions and Code Sets (TCS)—rule governing the electronic exchange of health information
  – Under HIPAA, a code set is any group of codes used for encoding data elements
• HIPAA National Identifier—identification systems for employers, health care providers, health plans, and patients
  – National Provider Identifier (NPI)—unique ten-digit identifier assigned to each provider

2.8 Fraud and Abuse Regulations
• HIPAA created the Health Care Fraud and Abuse Control Program to uncover and prosecute fraud and abuse
• The HHS Office of the Inspector General (OIG) has the task of detecting health care fraud and abuse and enforcing all the related laws
  – Has the authority to investigate suspected fraud cases and to audit the records of physicians and payers
  – Audit—formal examination of a physician’s records
• Qui tam—cases in which a relator accuses another party of fraud or abuse against the federal government
• Relator—person who makes an accusation of fraud or abuse