Legal Aspects of Health Insurance and Reimbursement
abuse
actions inconsistent with accepted, sound medical, business, or fiscal practices.
accounting of disclosures
HIPAA regulation that requires health care organizations to track medical information provided to third parties (e.g., attorneys, third-party payers, and Social Security disability offices) so that patients can be notified if there has been an inappropriate release of their medical information.
Anti-Kickback Statute (AKS)
protects patients and federal health care programs from fraud and abuse by prohibiting the exchange of money or items of value for patient referrals to federally funded health care facilities or programs.
audit
objective evaluation to determine the accuracy of submitted financial statements.
authorization
document that provides official instruction, such as the customized document that gives covered entities permission to use specified protected health information (PHI) for specified purposes or to disclose PHI to a third party specified by the individual.
breach notification
HIPAA rule that requires covered entities and their business associates to provide patient notification following a breach of unsecured protected health information.
breach of confidentiality
unauthorized release of patient information to a third party.
case law
also called common law; based on a court decision that establishes a precedent.
civil law
area of law not classified as criminal.
CMS Internet-only manual (IOM)
includes program issuances, day-to-day operating instructions, policies, and procedures that are based on statutes, regulations, guidelines, models, and directives; and is used by CMS program components, providers, contractors, Medicare Advantage organizations, and state survey agencies to administer CMS programs
CMS transmittals
document published by Medicare containing new and changed policies and/or procedures that are to be incorporated into a specific CMS program manual (e.g., Medicare Claims Processing Manual); summarizes new and changed material, and subsequent pages provide details; transmittals are sent to each Medicare administrative contractor.
coding compliance
conformity to established coding guidelines and regulations.
common law
also called case law; is based on a court decision that establishes a precedent.
Conditions for Coverage (CfC)
health and safety regulations that health care organizations, such as end-stage renal disease facilities, must meet in order to begin and continue participating in the Medicare and Medicaid programs.
Conditions of Participation (CoP)
health and safety regulations that health care organizations, such as hospitals, must meet in order to begin and continue participating in the Medicare and Medicaid programs.
confidentiality
restricting patient information access to those with proper authorization and maintaining the security of patient information.
criminal law
public law governed by statute or ordinance that deals with crimes and their prosecution.
data classes
the aggregation of various data elements by a common theme or use, such as patient demographics, EHR entry provenance, and substance reactions.
data elements
the most granular level at which a piece of data is represented in the USCDI for exchange.
decrypts
to decode an encoded computer file so that it can be viewed; convert data to a language that can be read.
de-identification of protected health information
process that removes identifiers from health information to mitigate privacy risks for individuals and thus supports the secondary use of data for comparative effectiveness studies, policy assessment, life sciences research, and other endeavors.
deposition
legal proceeding during which a party answers questions under oath (but not in open court).
designated record set
group of records maintained by or for a covered entity and includes medical and billing records about individuals maintained by or for a covered health care provider; enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or other records that are used by or for the covered entity to make decisions about individuals.
digital
application of a mathematical function to an electronic document to create a computer code that can be encrypted (encoded).
electronic transaction standards
also called transaction rules; a uniform language for electronic data interchange.
encrypt
to convert information to a secure language format for transmission.
Federal Register
legal newspaper published every business day by the National Archives and Records Administration (NARA).
fraud
intentional deception or misrepresentation that could result in an unauthorized payment.
general compliance program guidance (GCPG)
voluntary reference guide created by the HHS OIG, which contains elements of a compliance program, adapted for small and large entities, along with other compliance considerations that are adhered to by all health care industry stakeholders.
Health Care Fraud Prevention and Enforcement Action Team (HEAT)
joint effort between the Department of Health and Human Services and the Department of Justice to fight health care fraud by increasing coordination, intelligence sharing, and training among investigators, agents, prosecutors, analysts, and policymakers; implemented as a result of the Patient Protection and Affordable Care Act (also called Obamacare).
Health Insurance Portability and Accountability Act (HIPAA)
mandates regulations that govern privacy, security, and electronic transactions standards for health care information.
HIPAA Privacy Rule
HIPAA provision that creates national standards to protect individuals’ medical records and other personal health information.
HIPAA Security Rule
HIPAA standards and safeguards that protect health information collected, maintained, used, or transmitted electronically; covered entities affected by this rule include health plans, health care clearinghouses, and certain health care providers.
HL7® FHIR® (Fast Healthcare Interoperability Resources)
the standard that was adopted to define how health care information can be exchanged among different computer systems regardless of how data is stored in those systems; allows health care information, including clinical and administrative data, to be securely available to those who are authorized to access it (e.g., to the benefit of a patient receiving care).
individual compliance program guidance (ICPG)
voluntary reference guide published by the HHS OIG that is tailored to fraud and abuse risk areas that include compliance measures to help reduce risk by health care stakeholders.
interrogatory
document containing a list of questions that must be answered in writing.
mandate
an official directive, instruction, or order to take or perform a certain action, such as a federal regulation. Mandates are also authoritative commands, such as by courts, governors, and legislatures.
Medicaid Fraud Control Units (MFCUs)
investigates and prosecutes Medicaid provider fraud as well as patient abuse or neglect in health care facilities and board and care facilities in all 50 States, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands.
Medicaid Integrity Program (MIP)
combats fraud, waste, and abuse in the Medicaid program; Congress requires annual reporting by CMS about the use and effectiveness of funds appropriated for the MIP.
medical identity theft
occurs when someone uses another person’s name and/or insurance information to obtain medical and/or surgical treatment, prescription drugs, and medical durable equipment; it can also occur when dishonest people who work in a medical setting use another person’s information to submit false bills to health care plans.
Medicare administrative contractor (MAC)
an organization (e.g., third-party payer) that contracts with CMS to process claims and perform program integrity tasks for Medicare Part A and Medicare Part B, and DMEPOS; each contractor makes program coverage decisions and publishes a newsletter, which is sent to providers who receive Medicare reimbursement. Medicare transitioned fiscal intermediaries and carriers to create Medicare administrative contractors (MACs).
Medicare Integrity Program (MIP)
authorizes CMS to enter into contracts with entities to perform cost report auditing, medical review, anti-fraud activities, and the Medicare Secondary Payer (MSP) program.
Medicare medical review (MR) program Medicare Shared Savings Program
protects the Medicare Trust Fund through the collection and clinical review of medical records and related information to ensure that payment is made only for services that meet all Medicare coverage, coding, billing, and medical necessity requirements.
message digest
representation of text as a single string of digits, which was created using a formula; for the purpose of electronic signatures, the message digest is encrypted (encoded) and appended (attached) to an electronic document.
minimum necessary standard
key protection of the HIPAA Privacy Rule based on sound current practice that protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function.
National Individual Identifier
unique identifier to be assigned to patients has been put on hold. Several bills in Congress would eliminate the requirement to establish a National Individual Identifier.
National Plan and Provider Enumeration System (NPPES)
developed by CMS to assign unique identifiers to health care providers (NPI).
National Provider Identifier (NPI)
unique identifier assigned to health care providers as a 10-digit numeric identifier, including a check digit in the last position.
National Standard Employer Identification Number (EIN)
unique identifier assigned to employers who, as sponsors of health insurance for their employees, need to be identified in health care transactions; it is the federal employer identification number (EIN) assigned by the Internal Revenue Service (IRS) and has nine digits with a hyphen (00-0000000); EIN assignment by the IRS began in January 1998.
National Standard Format (NSF)
flat-file format used to bill institutional services (UB-04 flat file) and professional services (CMS-1500 flat file).
Notice of Privacy Practices (NPP)
document that includes an individual’s health privacy rights related to protected health information (PHI) and communicates how health information may be used and shared.
Patient dumping
occurs when a facility that is capable of providing necessary medical care refuses care or transfers a patient to another facility because the patient is unable to pay for services.
Patient Safety Organizations (PSOs)
collect, aggregate, and analyze confidential information reported by health care providers and designates information reported to PSOs as privileged and not subject to disclosure (except when a court determines that the information contains evidence of a criminal act or each provider identified in the information authorizes disclosure).
precedent
based on a court decision that is legally binding and follows the doctrine of stare decisis for deciding subsequent cases involving identical or similar facts; stare decisis is Latin for “the thing speaks for itself,” which means it requires courts to apply precedent law in the same manner to cases with the same facts.
privacy
right of individuals to keep their information from being disclosed to others.
privileged communication
private information shared between a patient and health care provider; disclosure must be in accordance with HIPAA and/or individual state provisions regarding the privacy and security of protected health information (PHI).
protected health information (PHI)
information that is identifiable to an individual (individual identifiers) such as name, address, telephone numbers, date of birth, Medicaid ID number, medical record number, Social Security number (SSN), and name of employer.
qui tam
abbreviation for the Latin phrase qui tam pro domino rege quam pro sic ipso in hoc parte sequitur, which means “he who sues in this matter for the king as well as for himself.” It is a provision of the False Claims Act that allows a private citizen to file a lawsuit in the name of the U.S. government, charging fraud by government contractors and other entities.
record retention
storage of documentation for an established period of time, usually mandated by federal and/or state law; its purpose is to ensure the availability of records for use by government agencies and other third parties.
Recovery Audit Contractor (RAC) program
mandated by the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) to find and correct improper Medicare payments paid to health care providers participating in fee-for-service Medicare.
regulations
mandated guideline written by administrative agencies (e.g., CMS); regulations interpret laws and mandates.
regulatory law
see regulation: mandated guideline written by administrative agencies (e.g., CMS); regulations interpret laws and mandates.
release of information (ROI)
requires the patient or representative to sign an authorization to release protected health information (PHI), which is reviewed for authenticity and processed within a HIPAA-mandated 60-day time limit; requests for ROI include those from patients, physicians and other health care providers, third-party payers, Social Security Disability attorneys, and so on.
release of information log
used to document patient information released to authorized requestors; data is entered manually (e.g., three-ring binder) or using ROI tracking software.
rural health information organization (RHIO)
a type of health information exchange network that brings together health care stakeholders within a defined geographic area and governs health information exchange among them for the purpose of improving health and care in that community.
safe harbors
arrangements and transactions that are not prohibited by the anti-kickback statute. Safe harbors specify certain elements of an arrangement or transaction that must be present to earn their protection, and they must be structured and carried out exactly according to the safe harbor’s terms.
security
involves the safekeeping of patient information by controlling access to hard copy and computerized records; protecting patient information from alteration, destruction, tampering, or loss; providing employee training in confidentiality of patient information; and requiring employees to sign a confidentiality statement that details the consequences of not maintaining patient confidentiality.
self-referral disclosure protocol (SRDP)
process that enables providers of services and suppliers to self-disclose actual or potential violations of the physician self-referral statute.
Stare decisis
Latin for “the thing speaks for itself,” which means it requires courts to apply precedent law in the same manner to cases with the same facts.
Stark I
a physician self-referral law that prohibits physicians from referring Medicare patients to clinical laboratory services in which the physicians or their family members have a financial ownership/investment interest and compensation arrangement.
Stark II Physician Self-Referral Law
expanded Stark I by prohibiting referrals of Medicare and Medicaid patients for designated health care services (DHCS)
statutes
also called statutory law; laws passed by legislative bodies (e.g., federal Congress and state legislatures).
statutory law
see statutes: also called statutory law; laws passed by legislative bodies (e.g., federal Congress and state legislatures).
subpoena
an order of the court that requires a witness to appear at a particular time and place to testify.
subpoena duces tecum
requires documents (e.g., patient record) to be produced.
treatment, payment, and health care operations (TPO)
activities defined by the HIPAA Privacy Rule, including treatment (provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another); payment (various activities health care providers take to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care); and health care operations (certain administrative, financial, legal, and quality improvement activities necessary to run its business and to support the core functions of treatment and payment).
UB-04 flat file
unique bit string
computer code that creates an electronic signature message digest that is encrypted (encoded) and appended (attached) to an electronic document (e.g., CMS-1500 claim).
United States Core Data for Interoperability (USCDI)
the standardized set of health data classes and constituent data elements for nationwide, interoperable health information exchange (HIE)
Whistleblowers
protected individuals that make specified disclosures relating to funds covered by the act (e.g., Medicare payments).