10) HIPAA Flashcards
Describe the Health Insurance Portability and Accountability Act (HIPAA) of 1996
Protects privacy and security of certain health info
- Privacy Rule - Establishes national standards for the protection of all individually identifiable health info
- Security Rule - Establishes a national set of security standards for protecting certain health info that is held or transferred in electronic form
Who are covered entities under HIPAA?
- HCPs
- Health plans
- Health care clearinghouses
What are business associates? Are they covered under HIPAA?
A person or entity that performs certain functions or activities involving the use or disclosure of PHI on behalf of, or provides services to, a covered entity
- Attorneys, accountants, consultants, claims processing, data analysis, quality assurance, utilization review, etc.
- Not a covered entity!
Describe the Details of the Privacy Rule
- Protects most individually identifiable health info
- Gives pts the right to access their medical records, request changes, and inquire about how the records have been accessed
- Restricts access by others
- Restricts access to only the people who really need to see the info → Federal crime to access info you don’t need
- States that all pts must be informed about the facility’s privacy practices/policies
- Allows pts to give authorization for disclosure beyond tx/business operations
Protected Health Information (PHI)
Individually identifiable health info including info related to pt demographics, MHx, provision of health care, and past/present/future payment for care
- Any info that can be used to ID a pt even if it doesn’t include names
When is pt authorization not required for sharing PHI?
- Two PTs are both treating the pt
- Disclosure to family, friends, and others involved in the pt’s care → Requires some professional judgment
- Sharing to ensure public health & safety
- Sharing to prevent/lessen imminent danger
- Facility directories
What should a HIPAA privacy notice include?
- The required heading
- A statement of use and disclosures
- A statement of individual rights
- A statement of the covered entity’s duties
- Directions for how to complain
- Contact info
Describe the Details of the Security Rule
Defines confidentiality as e-PHI not being available or disclosed to unauthorized persons
- Requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting PHI
Under the Security Rule, what must covered entities do?
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, and transmit
- ID and protect against reasonably anticipated threats to the security or integrity of the info
- Protect against reasonably anticipated, impermissible uses or disclosures
- Ensure compliance by their workforce
Breach
An impermissible use/disclosure under the privacy rule that compromises the security or privacy of the PHI
Breach Notification Rule
Requires that HIPAA-covered entities and their business associates provide notification following a breach of unsecured PHI
What things regarding PT practice need to be considered for HIPAA?
- Pt ID
- Eval Procedures
- Sign in/Out Processes
- Physical layout of the facility
- Computer security
What can happen for HIPAA violations?
Civil or Criminal Sanction
- Civil = Fines because of an honest mistake
- Criminal = Fines or jail time for personal gain
True or False: The degree of non-compliance makes a huge difference in penalties
True
What are the causes of improper payment?
- Improper billing
- Improper coding
- Poor documentation
If an insurance company/Medicare/Medicaid suspects that they improperly paid you, what can happen?
- They can audit you
- You’ll have to give them back the extra money
- You could be reported to the State
- You could be excluded from Medicare/Medicaid
- Jail Time
How does the fraud prevention system work on a basic level?
Insurance companies/Medicare/Medicaid can audit you and analyze your data
- Targets new grads, outliers, and PTs with a pattern of problems
What’s the difference between fraud and abuse?
Abuse - An honest mistake; no pattern
Fraud - Deliberately and knowingly doing something wrong
False Claims Act
Anti-Kickback Statute
Can’t pay a physician to refer pts to you
Physician Self-Referral (Stark) Law
MDs who own PT clinics can’t profit from a business they refer to
Criminal Health Care Fraud Statute
Whistleblower Statute
Protects the whistleblower
What are the general penalties for violating anti-fraud laws/statutes?
- Fines
- Prison
- Exclusion from federal programs
What is a compliance program and what are the benefits? What are some of the top issues?
Consultant (compliance officer) that a facility hires to make sure they’re following the rules
- Benefits = If there’s a problem, you have proof that you have made an attempt to follow the rules
- Top Issue = Documentation
What are the types of Medicare/Medicaid fraud and abuse violations?
Why is so much effort invested in program integrity?
To prevent fraud and abuse
Who can deliver PT services that can be billed under Medicare?
- PTs
- PTAs
- Physicians
- PAs
- NPPs
Incident-to Billing
An MD can bill for another HCP’s services “incident-to” their own services
When physicians bill for PT services incident-to, how are they paid in relation to PTs and why?
They’re paid more, just because they’re physicians
What types of payment for referrals are acceptable under Medicare?
Corporate Integrity Agreement
Settlement
How long is the look-back period for Medicare recovery audit contractors?
7 years