Lab Compliance and Anti-Kickback Laws and HIPAA Flashcards
What are the seven primary elements and principles of a laboratory compliance plan?
1) Written policies and procedures and standards of conduct that promote the lab's commitment to compliance. Chief compliance officer and compliance committee
2) Ways to report suspected compliance violations
3) System to respond to allegations of illegal or improper activities and take disciplinary action against employees involved
4) Internal monitoring, audits and evaluative methods to assess compliance efforts
5) investigation and correction of identified problems
What is medical necessity?
Lab should only submit claims to federally funded health care programs for services that lab has reason to believe are medically necessary
Requisition should contain ICD-10 codes
Lab should notify physicians annually regarding medical necessity policies
Lab should monitor test utilization over time to ensure only necessary tests are ordered
What are some required billing policies?
ensure that CPT codes used to bill medicare or medicaid accurately describe services performed
use ICD-10 information from ordering physician
don’t use past information or programs that automatically insert codes without physician information or make up diagnostic information
labs should only submit claims for tests that were both ordered and performed
only bill for appropriate automated multi-channel chemistry tests
tests on list should not be billed individually unless only one test was performed
standing orders are permitted but must be monitored for validity
What is the Stark Law?
Prohibits a physician from making referrals for the furnishing of testing to lab with which the physician or family member has a financial relationship
Group practice designation may allow exceptions
Applies to MEDICARE AND MEDICAID patients only
Allows labs to supply items to be used solely to collect or process specimens with equipment solely to communicate test results
What is the anti-kickback statute?
Penalizes anyone who knowingly solicits, receives, offers or pays remuneration in cash or support for referring patients for laboratory testing (incentives/inducements)
Applies to MEDICARE AND MEDICAID services
What is the Privacy Rule?
Standards for Privacy of Individually Identifiable Health Information (Privacy Rule)
Establishes set of national standards for the protection of health information
Issued by US Dept of Health and Human Services to implement requirements of HIPAA 1996
Privacy Rule Standards address the use and disclosure of individuals’ health information called PHI by organizations subject to the privacy rule - covered entities and standards for individuals privacy rights to understand and control how their health information is used
What are covered entities?
Organizations subject to the privacy rule
Which office within HHS enforces Privacy Rule?
Office for Civil Rights (OCR) implements and enforces Privacy Rule with respect to voluntary compliance activities and civil money penalties
List the 5 sections (Titles) of HIPAA
1) Focus on Health Care Access, Portability and Renewability
2) Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform = Privacy Rule, Transactions and Code Sets Rule, Security Rule, Unique Identifiers Rule (NPI), Enforcement Rule
3) Tax-related health provisions governing medical savings accounts
4) Application and Enforcement of group health insurance requirements
5) Revenue offset governing tax deduction for employers
What does Title I of HIPAA regulate?
Focuses on health care access, portability and renewability
regulates availability of group and individual health insurance policies
What are the 5 rules carried under title II to enforce Administrative Simplification?
Privacy rule, transactions and code sets rule, security rule, unique identifiers rule and enforcement rule
What is the Privacy Rule?
Regulates the use and disclosure of PHI (protected health information) by covered entities
upon request, covered entities must disclose PHI to an individual within 30 days
must also provide and disclose PHI as required by law enforcement for investigation of suspected child abuse
Provides individuals with general right to access, inspect, obtain copy of PHI in a designated record set
Under what circumstances can PHI be disclosed without written authorization?
PHI may be disclosed to law enforcement when requested by court orders
PHI can be revealed to facilitate treatment, payment or health care operations
What are elements of the 2013 omnibus rule update to the privacy rule?
revised definition of significant harm in breach analysis requires more investigation by covered entities, with the intent of disclosing breaches previously not reported
protection of PHI is until 50 years after death
HIPAA privacy rule may be waived during natural disaster
What are the rights to access in the Privacy Rule?
Requires medical providers to give individuals PHI access when requested in writing, within 30 days
one 30 day extension is allowed if reason for delay is provided in writing to the requesting individual
What health information is not required to be accessible to individuals upon request?
Psychotherapy notes of a provider and information gathered by a provider to defend against a lawsuit
What are the main requirements of Title I: Focus on Health Care Access, Portability and Renewability?
regulates availability of group and individual health insurance policies
requires coverage of and limits restrictions that group health plan places on benefits for pre-existing conditions
Group health coverage may only refuse benefits that relate to pre-existing conditions for 12 months after enrollment or 18 months for late enrollment
enables individuals to limit exclusion period taking into account how long they were covered before enrolling in the new plan after any breaks in coverage
covers creditable coverage which includes nearly all group and individual health plans, medicare and medicaid
significant break = any 63 day period that an individual goes without creditable coverage
Requires insurers to issue policies without exclusion to those leaving group health plans with creditable coverage exceeding 18 months and renew individual policies for as long as they are offered OR provide alternatives to discontinued plans for as long as insurer stays in the market without exclusion regardless of health condition
What is established by Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform?
establishes policies and procedures for maintaining privacy and security of individually identifiable health information, outlines offenses and creates civil and criminal penalties for violations
creates programs to control fraud and abuse and administrative simplification rules
requires HHS to increase efficiency of health care system by creating standards
What are examples of covered entities?
health care clearinghouse, health insurer, employer-sponsored health plan, medical provider
Are providers allowed to charge a fee for medical records?
Yes reasonable amount for copying
electronic data must not be charged
Are laboratories that are NOT HIPAA-covered entities required to disclose reports to the patient or personal representative?
not required by CLIA but it is permitted
subject to state law
What is the Relative Disclosure in HIPAA?
hospitals may NOT reveal information over the phone to relatives of admitted patients
What is Title II: Rule 2 - Transactions and Code Sets Rule?
HIPAA created to improve health care system efficiency by standardizing health care transactions
HIPAA added part C titled “Administrative Simplification” that simplifies healthcare transactions by requiring health plans to standardize transactions
for example filing for reimbursements electronically have to file claims using HIPAA standards to be paid
What is Title II: Rule #3 Security Rule?
complements privacy rule
privacy rule pertains to all protected health information
3 types of security safeguards: administrative, physical and technical
How is security rule different from privacy rule?
Privacy Rule pertains to all Protected Health Information
Security Rule is limited to Electronic Protected Health Information
Administrative safeguards
covered entities must adopt written set of privacy procedures
designate privacy officer for developing and implementing required policies and procedures
procedures must address authorization, establishment, modification and termination
entities must show ongoing training for handling PHI
entities must back up their data and have disaster recovery procedures
internal audits required to review operations with goal of identifying security violations
procedures should document instructions for addressing and responding to security breaches
Physical Safeguards
control physical access to protected data
control introduction and removal of hardware and software from the network and limit to authorized individuals
access to equipment containing health information controlled and monitored
require proper workstation use, keep monitor screens out of direct public view
if covered entities utilize contractors or agents, they too must be thoroughly trained on PHI
technical safeguards
controlling access to computer systems
protect communications containing PHI transmitted electronically over open networks
information systems housing PHI must be protected from intrusion
data within system must not be changed or erased in unauthorized manner
data corroboration including checksum, double keying, message authentication, digital signature to ensure data integrity and authenticate entities with which they communicate
documentation of HIPAA practices available to government
information technology documentation should include configuration settings on components of network
documented risk analysis and risk management programs required
Rule #4 Unique Identifiers Rule
HIPAA covered entities such as providers completing electronic transactions, healthcare clearinghouses, large healthplans must use only the National Provider Identifier (NPI) to identify covered healthcare providers in standard transactions
NPI replaces all other identifiers used by health plans, medicare, medicaid and other government programs
what is NOT replaced by NPI?
DEA number
state license number
TIN (Tax identification number)
What is NPI?
10 digit national provider identifier
alphanumeric last digit is checksum
unique and national, never re-used
a provider can only have one except for institutions
institution may have multiple NPI for different subparts
Rule #5 Enforcement Rule
civil financial money penalties for violating HIPAA rules
procedures for investigations and hearings for HIPAA violations
Require changes in privacy practice or corrective action when noncompliant
Most common entities required to take corrective action according to HHS by frequency
private practices
hospitals
outpatient facilities
group insurance plans
pharmacies
Title III: Tax-related provisions governing medical savings accounts
standardizes amount that may be saved per person in pre-tax medical savings account
medical savings accounts available to employees covered under HDHP
Title IV: Application and enforcement of group health insurance requirements
specifies conditions for group health plans regarding coverage of persons with pre-existing conditions
modifies and clarifies continuation of coverage requirements
includes COBRA clarification
Title V: Revenue offset governing tax deductions for employers
provisions for company-owned life insurance for employers providing company-owned life insurance premiums
prohibits tax deduction of interest on life insurance loans, company endowments, contracts related to company
expands expatriation tax assessed against those deemed to give up US status for tax reasons
amends provisions of law relating to people who give up US citizenship status or permanent residence
ex-citizens' names are part of the public record through quarterly publication of individuals who have chosen to expatriate
Civil HIPAA Violations
unknowingly: 100 per / 25K max
reasonable cause NOT willful neglect: 1K / 100K
willful neglect with correction: 10K / 250K
willful neglect NOT corrected: 50K / 1.5 million
Criminal HIPAA Violations
PHI willfully and knowingly: up to 50K / 1 year
false pretenses: 100K / 5 years
intent to sell, transfer, or use PHI for commercial advantage, personal gain or malicious harm: 250K / 10 years