Lab Compliance and Anti-Kickback Laws and HIPAA Flashcards

1
Q

What are the seven primary elements and principles of a laboratory compliance plan?

A

1) Written policies and procedures and standards of conduct that promote the lab's commitment to compliance. Chief compliance officer and compliance committee
2) Ways to report suspected compliance violations
3) System to respond to allegations of illegal or improper activities and take disciplinary action against employees involved
4) Internal monitoring, audits and evaluative methods to assess compliance efforts
5) investigation and correction of identified problems

2
Q

What is medical necessity?

A

Lab should only submit claims to federally funded health care programs for services that lab has reason to believe are medically necessary

Requisition should contain ICD-10 codes

Lab should notify physicians annually regarding medical necessity policies

Lab should monitor test utilization over time to ensure only necessary tests are ordered

3
Q

What are some required billing policies?

A

ensure that CPT codes used to bill Medicare or Medicaid accurately describe services performed

use ICD-10 information from ordering physician

don’t use past information or programs that automatically insert codes without physician information or make up diagnostic information

labs should only submit claims for tests that were both ordered and performed

only bill for appropriate automated multi-channel chemistry tests

tests on list should not be billed individually unless only one test was performed

standing orders are permitted but must be monitored for validity

4
Q

What is the Stark Law?

A

Prohibits a physician from making referrals for the furnishing of testing to lab with which the physician or family member has a financial relationship

Group practice destination may allow exceptions

Applies to MEDICARE AND MEDICAID patients only

Allows labs to supply items to be used solely to collect or process specimens with equipment solely to communicate test results

5
Q

What is the anti-kickback statute?

A

Penalizes anyone who knowingly solicits, receives, offers or pays remuneration in cash or support for referring patients for laboratory testing (incentives/inducements)

Applies to MEDICARE AND MEDICAID services

6
Q

What is the Privacy Rule?

A

Standards for Privacy of Individually Identifiable Health Information (Privacy Rule)

Establishes set of national standards for the protection of health information

Issued by US Dept of Health and Human Services to implement requirements of HIPAA 1996

Privacy Rule Standards address the use and disclosure of individuals’ health information, called PHI, by organizations subject to the Privacy Rule (covered entities), and standards for individuals’ privacy rights to understand and control how their health information is used

7
Q

What are covered entities?

A

Organizations subject to the privacy rule

8
Q

Which office within HHS enforces Privacy Rule?

A

Office for Civil Rights (OCR) implements and enforces Privacy Rule with respect to voluntary compliance activities and civil money penalties

9
Q

List the 5 sections (Titles) of HIPAA

A

1) Focus on Health Care Access, Portability and Renewability
2) Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform = Privacy Rule, Transactions and Code Sets Rule, Security Rule, Unique Identifiers Rule (NPI), Enforcement Rule
3) Tax-related health provisions governing medical savings accounts
4) Application and Enforcement of group health insurance requirements
5) Revenue offset governing tax deduction for employers

10
Q

What does Title I of HIPAA regulate?

A

Focuses on health care access, portability and renewability

regulates availability of group and individual health insurance policies

11
Q

What are the 5 rules carried under title II to enforce Administrative Simplification?

A

Privacy rule, transactions and code sets rule, security rule, unique identifiers rule and enforcement rule

12
Q

What is the Privacy Rule?

A

Regulates the use and disclosure of PHI (protected health information) by covered entities

upon request, covered entities must disclose PHI to an individual within 30 days

must also provide and disclose PHI as required by law enforcement for investigation of suspected child abuse

Provides individuals with general right to access, inspect, obtain copy of PHI in a designated record set

13
Q

Under what circumstances can PHI be disclosed without written authorization?

A

PHI may be disclosed to law enforcement when requested by court orders

PHI can be revealed to facilitate treatment, payment or health care operations

14
Q

What are elements of the 2013 omnibus rule update to the privacy rule?

A

revised definition of significant harm in analysis of breach provides more investigation to covered entities with intent of disclosing breaches previously not reported

protection of PHI is until 50 years after death

HIPAA privacy rule may be waived during natural disaster

15
Q

What are the rights to access in the Privacy Rule?

A

Requires medical providers to give individuals PHI access within 30 days when requested in writing

one 30 day extension is allowed if reason for delay is provided in writing to the requesting individual

16
Q

What health information is not required to be accessible to individuals upon request?

A

Psychotherapy notes of a provider and information gathered by provider to defend against a lawsuit

17
Q

What are the main requirements of Title I: Focus on Health Care Access, Portability and Renewability?

A

regulates availability of group and individual health insurance policies

requires coverage of and limits restrictions that group health plan places on benefits for pre-existing conditions

Group health coverage may only refuse benefits that relate to pre-existing conditions for 12 months after enrollment or 18 months for late enrollment

enables individuals to limit exclusion period taking into account how long they were covered before enrolling in the new plan after any breaks in coverage

covers creditable coverage which includes nearly all group and individual health plans, medicare and medicaid

significant break = any 63 day period that individual goes without creditable coverage

Requires insurers to issue policies without exclusion to those leaving group health plans with creditable coverage exceeding 18 months and renew individual policies for as long as they are offered OR provide alternatives to discontinued plans for as long as insurer stays in the market without exclusion regardless of health condition

18
Q

What is established by Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform?

A

establishes policies and procedures for maintaining privacy and security of individually identifiable health information, outlines offenses and creates civil and criminal penalties for violations

creates programs to control fraud and abuse and administrative simplification rules

requires HHS to increase efficiency of health care system by creating standards

19
Q

What are examples of covered entities?

A

health care clearinghouse, health insurer, employer-sponsored health plan, medical provider

20
Q

Are providers allowed to charge a fee for medical records?

A

Yes reasonable amount for copying

electronic data must not be charged

21
Q

Are laboratories that are NOT HIPAA-covered entities required to disclose reports to the patient or personal representative?

A

not required by CLIA but it is permitted

subject to state law

22
Q

What is the Relative Disclosure in HIPAA?

A

hospitals may NOT reveal information over the phone to relatives of admitted patients

23
Q

What is Title II: Rule 2 - Transactions and Code Sets Rule?

A

HIPAA created to improve health care system efficiency by standardizing health care transactions

HIPAA added part C titled “Administrative Simplification” that simplifies healthcare transactions by requiring health plans to standardize transactions

for example, those filing for reimbursement electronically have to file claims using HIPAA standards to be paid

24
Q

What is Title II: Rule #3 Security Rule?

A

complements privacy rule
privacy rule pertains to all protected health information

3 types of security safeguards: administrative, physical and technical

25
Q

How is security rule different from privacy rule?

A

Privacy Rule pertains to all Protected Health Information

Security Rule is limited to Electronic Protected Health Information

26
Q

Administrative safeguards

A

covered entities must adopt written set of privacy procedures

designate privacy officer for developing and implementing required policies and procedures

procedures must address authorization, establishment, modification and termination

entities must show ongoing training for handling PHI

entities must back up their data and have disaster recovery procedures

internal audits required to review operations with goal of identifying security violations

procedures should document instructions for addressing and responding to security breaches

27
Q

Physical Safeguards

A

control physical access to protected data

control introduction and removal of hardware and software from the network and limit to authorized individuals

access to equipment containing health information controlled and monitored

require proper workstation use, keep monitor screens out of direct public view

if covered entities utilize contractors or agents, they too must be thoroughly trained on PHI

28
Q

technical safeguards

A

controlling access to computer systems

protect communications containing PHI transmitted electronically over open networks

information systems housing PHI must be protected from intrusion

data within system must not be changed or erased in unauthorized manner

data corroboration including checksum, double keying, message authentication, digital signature to ensure data integrity and authenticate entities with which they communicate

documentation of HIPAA practices available to government

information technology documentation should include configuration settings on components of network

documented risk analysis and risk management programs required

29
Q

Rule #4 Unique Identifiers Rule

A

HIPAA covered entities such as providers completing electronic transactions, healthcare clearinghouses, large health plans must use only the National Provider Identifier (NPI) to identify covered healthcare providers in standard transactions

NPI replaces all other identifiers used by health plans, Medicare, Medicaid and other government programs

30
Q

what is NOT replaced by NPI?

A

DEA number
state license number
TIN (Tax identification number)

31
Q

What is NPI?

A

10 digit national provider identifier

alphanumeric last digit is checksum

unique and national, never re-used

a provider can only have one except for institutions

institution may have multiple NPI for different subparts

32
Q

Rule #5 Enforcement Rule

A

civil financial money penalties for violating HIPAA rules

procedures for investigations and hearings for HIPAA violations

Require changes in privacy practice or corrective action when noncompliant

33
Q

Most common entities required to take corrective action according to HHS by frequency

A

private practices
hospitals
outpatient facilities
group insurance plans
pharmacies

34
Q

Title III: Tax-related provisions governing medical savings accounts

A

standardizes amount that may be saved per person in pre-tax medical savings account

medical savings accounts available to employees covered under HDHP

35
Q

Title IV: Application and enforcement of group health insurance requirements

A

specifies conditions for group health plans regarding coverage of persons with pre-existing conditions

modifies and clarifies continuation of coverage requirements

includes COBRA clarification

36
Q

Title V: Revenue offset governing tax deductions for employers

A

provisions for company-owned life insurance for employers providing company-owned life insurance premiums

prohibits tax deduction of interest on life insurance loans, company endowments, contracts related to company

expands expatriation tax assessed against those deemed to give up US status for tax reasons

amends provisions of law relating to people who give up US citizenship status or permanent residence

ex-citizens' names are part of public record through quarterly publication of individuals who have chosen to expatriate

37
Q

Civil HIPAA Violations

A

unknowingly: 100 per / 25K max

reasonable cause NOT willful neglect: 1K / 100K

willful neglect with correction: 10K / 250K

willful neglect NOT corrected: 50K / 1.5 million

38
Q

Criminal HIPAA Violations

A

PHI willfully and knowingly: up to 50K /1 year

false pretenses 100K /5 years

intent to sell, transfer, or use PHI for commercial advantage, personal gain or malicious harm: 250K / 10 years