Health Insurance Portability and Accountability Act
what does HIPAA stand for?
history
1990s: Congress recognized that healthcare needed to become more efficient by computerizing medical records, which raised the question of how to protect those records once they were exchanged electronically
- also addressed how to keep health insurance for people who got coverage through their job and wanted to switch jobs
- also covered individuals with "pre-existing conditions"
history
1996 - signed into law
2003 - Privacy Rule in effect
2005 - Security Rule in effect
2006 - Enforcement Rule in effect
2009 - HITECH Act signed
2013 - final Omnibus Rule in effect
2015 - ICD-10 mandated into effect
coverage of law
title 1: health care access, portability and renewability
title 2: preventing healthcare fraud and abuse
Title 1
- limits how long group health insurers can exclude coverage for pre-existing conditions and gives policy holders ways to shorten that exclusion period (credit for prior continuous coverage); it restricts the delay rather than banning exclusions outright
- enables people to carry insurance from one job to another
- provides tax breaks for medical savings accounts
title 2
- privacy rule
- transaction and code sets rule
- security rule
- unique identifiers or national provider rule
- enforcement rule
who is covered
- hospitals and providers
- health plans / health insurance providers
- healthcare clearinghouses
- business associates that handle PHI on a covered entity's behalf (directly liable since the HITECH Act and Omnibus Rule)
Privacy Rule
- title 2
- PHI must be protected and may not be disclosed without the patient's authorization EXCEPT for routine purposes (treatment, payment and healthcare operations), SUCH AS
1) communication between providers for treatment
2) submitting claims for reimbursement
3) completing in-house quality assurance activities that do not require pre-authorization
** disclosures should be limited to the MINIMUM NECESSARY information (the minimum-necessary standard does not apply to disclosures to providers for treatment)
Privacy Rule Requirements
Covered entities MUST
- ensure internal protection of records
- conduct employee training and education
- create mechanisms for addressing privacy complaints
- designate a privacy officer
direct identifiers (PHI)
- name
- Social Security number
- driver's license number
- health insurance number
- biometric identifiers
- photographs
- anything else that directly identifies a person on its own
indirect identifiers (PHI)
- date of birth
- address
- phone number
- email address
- anything else that can be combined with other data to identify the person
documents covered under Privacy Rule
- all documents generated are considered protected including but not limited to
- any intake forms
- clinical documentation
- images or videos
- communication (phone, text, email, fax)
- billing
patient rights
- notice of privacy practices
- access to their medical records (the provider may charge a reasonable, cost-based fee for copies)
- request an amendment of their medical records (the provider may deny the request but must give a written justification)
- request restrictions on who can view or receive their records
CIVIL PENALTIES (amount per violation; annual maximum for identical violations)
- unknowingly: $100-$50,000 per violation; annual max $25,000-$1.5 million
- reasonable cause: $1,000-$50,000 per violation; annual max $100,000-$1.5 million
- willful neglect, but CORRECTED within the required timeframe (30 days): $10,000-$50,000 per violation; annual max $250,000-$1.5 million
- willful neglect, NOT corrected: $50,000 per violation; annual max $1.5 million
CRIMINAL PENALTIES (fine / prison time)
- knowingly obtaining or disclosing PHI: up to $50,000 / up to 1 year
- offenses committed under false pretenses (hackers): up to $100,000 / up to 5 years
- offenses committed with intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm: up to $250,000 / up to 10 years
tips for maintaining patient privacy
Communication
- only disclose minimum amount of information necessary
- avoid conversations about patients where they can be overheard
- limit identifying information
- always use cover page or encrypting software for faxes or electronic communication
Documentation
- keep charts or other documents out of view of public
- keep patient information locked up
- minimize identifying information in view of public
- don't take patient information out of the facility
Electronic Medical Records
- keep passwords safeguarded
- keep screens away from public view or use a privacy screen
- use software that protects remote logins
- use two-factor authentication
Disposal
- shred paper records once the retention period has passed; wipe (or physically destroy) electronic devices and media before disposing of them
7, 21
Medical records have to be maintained for ____ years or until the patient is ____ years old, WHICHEVER IS LONGER
ex: a 20 y/o received care from you, so records must be kept until they are 27
a 12 y/o received care from you, so records must be kept until they are 21 (12 + 7 = 19 is shorter)
transaction and code set rule
- title 2
- requires all covered entities to communicate using the same standard code sets
- Diagnosis: ICD-10-CM
- Inpatient Hospital Procedures: ICD-10-PCS
- Physician Services: CPT-4
- Ancillary Services/Procedures (orthotics/DME): HCPCS
**failure to follow the standards can result in exclusion from participation in the Medicare program
CPT-4
- codes that represent the procedure performed, time spent and complexity of the treatment plan
- used to submit for reimbursement from insurance plans
- PT codes are in the 97000s
HCPCS
- Level I is the CPT code set; Level II adds codes for billing supplies and other DME
Transaction and Code Set Rule
- codes are selected either by the procedure performed or by the intended result of the intervention performed
- codes are either TIMED CODES OR SERVICE CODES
timed codes: billed in 15-minute increments
service codes: billed once when performed, regardless of time spent
*time spent can include ASSESSMENT, SET-UP BEFORE/AFTER, COMMUNICATION/DOCUMENTATION, but the patient must be present
TIMED OR SERVICE: timed
- self-care/home management
- wheelchair management
- physical performance testing (FCE)
- orthotic initial
- prosthetic initial
- orthotic/prosthetic management
TIMED OR SERVICE: timed
- e-stim (manual/attended)
- iontophoresis
- contrast bath
- ultrasound/phonophoresis
- laser/other
TIMED OR SERVICE: timed
- therapeutic exercise
- neuromuscular re-education
- aquatic therapy
- gait training
- massage
- manual therapy
- therapeutic activities
TIMED OR SERVICE: service
- moist heat/cryotherapy
- traction (mechanical)
- e-stim (unattended)
- vasopneumatic
- paraffin
- whirlpool
- diathermy
- infrared/ultraviolet
TIMED OR SERVICE: service
- group therapy
- PT EVAL (low/moderate/high complexity)
- PT RE-EVAL
Therapeutic Exercise
97110 (timed code)
- therapeutic exercise to develop strength, endurance, ROM or flexibility
- specific to reflect single parameter
neuromuscular re-education
97112 (timed code)
- neuromuscular re-education of movement, balance, coordination, kinesthetic sense, posture, proprioception, co-contraction/stability
gait training
97116 (timed code)
- gait training, including stair climbing
therapeutic activities
97530 (timed code)
- use of dynamic activities to improve functional performance
Low Complexity Evaluation
EVALUATION CODE: 97161 (service)
- NO personal factors and/or comorbidities
- examination addresses 1-2 elements
- stable clinical presentation
Moderate Complexity Evaluation
EVALUATION CODE: 97162 (service)
- 1-2 personal factors and/or comorbidities
- examination addresses 3+ elements
- evolving clinical presentation
High Complexity Evaluation
EVALUATION CODE: 97163 (service)
- 3+ personal factors and/or comorbidities
- examination addresses 4+ elements
- unstable/unpredictable clinical presentation (irritable condition)
CPT codes for caregiver training
New Codes
97550: caregiver training, first 30 min (timed code)
97551: caregiver training, each additional 15 min (timed code)
97552: caregiver training, group (service code)
Security Rule
- 18 standards that fit into 3 areas (administrative, physical and technical safeguards)
- the HITECH Act (2009) filled gaps as technology advanced: it extended the requirements directly to business associates, added breach notification and raised penalties
administrative
3 AREAS OF SECURITY RULE
- planning, training, preparation
- policies, procedures and other administrative actions that implement or maintain security measures and manage employee conduct
- security management process, security personnel, workforce training and evaluation of policies
physical
3 AREAS OF SECURITY RULE
- physical measures, policies, procedures that protect information systems and buildings/related equipment from natural or environmental hazards or unauthorized intrusions
- locks, keys, barriers
- facility access and control, workstation and device security
technical safeguards
3 AREAS OF SECURITY RULE
- technology and the policies and procedures for its use that protect and control access to electronic PHI
- examples: computer passwords, encryption, two-factor authentication
- standards: access control, audit controls, integrity, person or entity authentication, transmission security
500
If a breach involves _______ people or more, HHS (and prominent media outlets) must be notified without unreasonable delay and no later than 60 days after discovery; smaller breaches are logged and reported to HHS annually
60
Any breach of unsecured PHI must be reported to the affected individuals within _____ days of discovery
EIN (employer identification number)
Employers are identified by the ________
NPI (national provider identifier)
providers are identified by _______
Unique Identifier or National Provider Rule
- mandates a unique identifier for providers (NPI), employers (EIN), health plans and individuals receiving health care services; the individual patient identifier was never implemented (Congress has barred funding it) and the health plan identifier (HPID) was rescinded in 2019
enforcement rule
- establishes procedures and provisions for compliance, investigating and imposing penalties
- the HHS Office for Civil Rights (OCR) is responsible for investigating complaints and conducting compliance reviews
- department of justice (DOJ) handles CRIMINAL INVESTIGATIONS