scope of practice
A specific set of standards that a medical professional may perform within the limits of the medical license, registration, and/or certification.
ethics
Set of principles that differentiate between right and wrong.
Health Insurance Portability and Accountability Act (HIPAA)
Federal law that ensures confidentiality of protected health information and sets the standards for health care code sets and billing.
informed consent
An oral or written agreement of mutual communication that ensures the patient has been notified about their health care choices before making them.
abuse
Any practice that may result in unnecessary costs to Medicare.
National Patient Safety Goals (NPSG) and The Joint Commission (TJC)
Agencies that help ensure compliance by defining standards of care, education resources, and tools.
compliance
Following mandated laws, policies, standards, and guidelines.
laws
An obligation imposed by the authority to protect patients, providers, and property; non-compliance may lead to punishment. For example, the Food and Drug Administration (FDA) is a federal regulatory agency that protects people and animals from food, drugs, medical devices, and other products.
Regulations
Rules or orders issued by an executive authority or regulatory agency of a government with the force of law. An example of health care regulation is the Healthcare Quality Improvement Act (HCQIA), which gives immunity to medical providers who do peer reviews to investigate potential fraud or abuse.
Guidelines
Written recommendations of policy. For example, the official medical coding guidelines provide rules and conventions that support correct code assignment.
Policies
Written documents that specify responsibilities among boards, management, and medical staff. Health care organizations use health and safety policies to define how health care services are provided to their patients.
Standards
Criteria and practices established by authority as rules for measuring value, extent, or quality. Ethical standards are an expectation of health care organizations and medical professionals.
Occupational Safety and Health Administration (OSHA)
Enforces safety, a healthy workplace, and training.
The Joint Commission (TJC)
Seeks to improve health care for the public, in collaboration with stakeholders, by evaluating health care organizations.
National Patient Safety Goals (NPSG)
Aims to improve patient safety.
Centers for Medicare and Medicaid Services (CMS)
Ensures standards in federally funded medical programs are followed.
Office of the Inspector General (OIG)
Investigates all fraud and abuse cases suspected or reported for federally funded medical programs.
Americans with Disabilities Act Amendments Act (ADAAA)
Passed in 2008. Ensures policies and practices that define disability, with the aim of protecting people who have disabilities from discrimination.
medical law
Laws that explain the rights and responsibilities of medical providers and patients.
contracts
Legally binding agreements between parties.
malpractice
Any treatment by a medical professional that does not follow the standards of care.
patient abandonment
Form of malpractice that occurs when a provider stops treating a patient without a reasonable cause and/or without reasonable notice.
negligence
When a patient does not receive adequate and appropriate care, which leads to suffering and harm.
patient abandonment
Patient abandonment is a form of malpractice that occurs when a provider stops treating a patient without a reasonable cause or reasonable notice.
Mandatory reporting laws
Mandatory reporting laws protect vulnerable populations such as children, older adults, and those who have disabilities. These laws vary by state, and some states mandate reporting abuse (emotional, financial, physical, sexual, neglect) by an intimate partner. Health care providers are mandated reporters. Other mandated reporters usually include clergy, teachers, and law enforcement officers. Health care providers also report communicable diseases to the local county or state public health department.
Medicare fraud
Intentionally submitting false medical claims for payment, receiving incentives for medical services or devices that are federally funded, or making inappropriate referrals.
Medicare abuse
Any practice that may result in unnecessary costs to Medicare.
Laws Specific to Medicare Fraud and Abuse
Law | Description |
|---|---|
False Claims Act (FCA) | Billing for medical services that were not provided. |
Anti-Kickback Statute (AKS) | Medical providers financially benefitting from referrals. |
Physician Self-Referral Law (Stark Law) | Prohibits referrals to health care services that the provider (or family members) has a financial interest in unless an exception applies. |
Social Security Act | Payment and insurance for older retirees and individuals with disabilities. |
United States Criminal Code | Protection with public behavior. |
Surprise Act | Protection from unknown medical bills. |
How can you identify fraud/abuse in an organization?
Conducting internal audits is one way to identify fraud or abuse within the organization.
The Joint Commission
Accrediting body that focuses on quality improvement and patient safety, certifying health care organizations and programs in the U.S. including hospitals and health care organizations that provide ambulatory and office-based surgery, behavioral health, home health care, laboratory, and nursing care center services.
National Patient Safety Goals (NPSG)
Program that focuses on transforming health care by recognizing patient safety issues and gathering data to support the progress in correcting these issues.
Evacuation Plans and Emergency Procedures
The CMAA is also responsible for patient safety by being aware of evacuation plans and emergency procedures. Emergencies and hazards often occur without warning, so a thorough evacuation and emergency plan must be in place to ensure the safety of health care workers and their patients. Evacuation routes need to be clearly defined and posted. Emergency plans should account for environmental and human-made hazards, such as inclement weather and violent encounters. In an emergency, the CMAA will need to assist with the evacuation and instruction of patients.
Describe which components of the professional code of ethics are related to medical law, ethics, and compliance.
Uphold the standards of professionalism and be honest in all professional interactions. Continuously act in the best interests of the general public. Protect and respect the dignity and privacy of all patients.
Which of the following agencies is required to report suspected abuse?
sheriff department—Federal, state, and city law enforcement agencies are exempt from HIPAA.
Which of the following is how often the National Patient Safety Goals are evaluated?
annually
Which of the following is addressed under OSHA?
PPE—OSHA addresses universal precautions, personal protective equipment, and exposure plans for employees who experience a needlestick injury.
HIPAA
HIPAA is a federal law. The HIPAA Privacy Rule establishes national standards that define protected health information (PHI) and how it should be accessed, used, and transmitted. HIPAA also allows individuals to access or request corrections to their health information. Health plans, health care clearinghouses, medical organizations, providers, and medical staff must comply with HIPAA regulations.
HIPAA security rule
With the evolution of electronic health records, the HIPAA Security Rule was created to protect electronic personal health information by requiring appropriate administrative, physical, and technical safeguards. In many health care settings, the CMAA will be responsible for ensuring office compliance with HIPAA regulations, especially with managing records requests and patient documentation.
HIPAA Violation Tier Structure
Tier | Level of Culpability | Description | Penalty |
|---|---|---|---|
Tier 1 | Unknowingly Committing a Violation | According to hhs.gov, “A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care had been taken to abide by HIPAA rules.” | Minimum fine of $100 per violation up to $50,000 |
Tier 2 | Reasonable Cause | According to hhs.gov, “A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care.” | Minimum fine of $1,000 per violation up to $50,000 |
Tier 3 | Willful Neglect | Corrected: According to hhs.gov, “A violation suffered as a direct result of 'willful neglect' of HIPAA rules, in cases where an attempt has been made to correct the violation.” | Minimum fine of $10,000 per violation up to $50,000 |
Tier 4 | Willful Neglect | Uncorrected: According to hhs.gov, “A violation of HIPAA rules constituting willful neglect, where no attempt has been made to correct the violation.” | Minimum fine of $50,000 per violation |
According to HIPAA, PHI includes one or more of the following 18 identifiers.
Names (Full or last name and initial)
All geographical identifiers smaller than a state, except for the initial three digits of a zip code
Phone numbers
Fax numbers
Email addresses
Social Security numbers
Medical record numbers
Health insurance beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers (including serial numbers and license plate numbers)
Device identifiers and serial numbers
Web uniform resource locators (URLs)
Internet protocol (IP) address numbers
Biometric identifiers, including finger, retinal, and voice prints
Full-face photographic images and any comparable images
Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
Permitted Use and Disclosure of Patient Information
Reporting gunshots or stab wounds
Reporting child or elder abuse or neglect
Reporting STIs:
HIV/AIDS
Chancroid
Chlamydia
Gonorrhea
Syphilis
Other STDs/STIs are reported according to state and county regulations.
Reporting specified communicable diseases deemed public health concerns by a county or state
Responding to a court order, warrant, subpoena, or summons
Identifying a suspect, fugitive, material witness, or missing person
Reporting domestic violence
HIPAA regulation also includes exceptions. For example, certain situations are excluded for the good of the patient or the population. The following are examples of HIPAA exceptions.
Information That Is Not Private for Authorities and Health Departments
The HIPAA Privacy Rule defines how PHI is used and disclosed. The covered entity can disclose PHI with patient authorization or when the Privacy Rule specifically allows it. Instances when there are permitted uses for disclosures of protected health information include using it for treatment, payment, and health care operations (TPO). However, even with a suitable reason for sharing health information, a covered entity must also meet the following three criteria:
Both covered entities must have or have had a relationship with the patient (can be a past or present patient).
The PHI requested must pertain to the relationship.
The discloser must disclose only the minimum information necessary for the health care operation at hand.
The CMAA must be aware of the differences between HIPAA reporting requirements to prepare medical records for release effectively and efficiently.
HIPAA applies to covered entities and their business associates. Covered entities are health care providers, health plans, and clearinghouses. Business associates perform related work on behalf of covered entities, such as billing agencies, consultants, and accountants.
Procedures to Safeguard Data
A variety of administrative, physical, and technical safeguards may be implemented to ensure the protection of electronic medical records. The first step in creating a secure process for records is identifying potential risks for patient-protected health information. Next, a security official for each entity will be responsible for creating policies and procedures. When PHI does need to be disclosed, then only the “minimum necessary” should be disclosed to comply with the Privacy Rule.
Entities are responsible for providing appropriate training, authorization, and supervision of all staff who are in contact with electronic PHI to ensure that all policies and procedures are being followed. Audit and integrity controls are used to monitor the effectiveness of policies and procedures to safeguard patient data. Audit controls are the activity records of information systems that include PHI, hardware, software applications, and monitoring of who accesses the information to ensure appropriate use. An example of audit control is using an operator audit log report to analyze the access of medical records for employee violations. Integrity controls protect and secure ePHI where it lives using authentication mechanisms such as digital signatures.
Consent
Types of Consent
Type of Consent | Meaning | Example |
|---|---|---|
Expressed | Written or verbal permission is granted by the patient. | A patient verbally agrees to having x-rays taken for a suspected fracture. |
Implied | Patient cooperates with medical care and treatment without written consent. | A patient presents to urgent care for treatment for a fever. Medication is administered without obtaining a written consent. |
Informed | A thorough process that explains the proposed patient treatment, alternatives to treatment, and risks and benefits to accepting the proposed treatment, resulting in written consent. | A patient signs a consent form authorizing a surgical procedure. |
Waived | Informed consent is not obtained from a patient because the patient is incapacitated or unable to grant consent (criteria vary by state). | A patient is unconscious or experiencing a life-threatening emergency and requires immediate treatment. |