Rules, Regulations, and Standards Flashcards
Maintains a list of approved accreditation organizations for health care providers; providers and suppliers accredited by one of these national accrediting agencies are exempt from state surveys in determining whether they comply with Medicare-mandated conditions.
Centers for Medicare and Medicaid Services (CMS)
Approved Medicare accreditation organizations include:
The Joint Commission, the Community Health Accreditation Program (CHAP), and the Accreditation Commission for Health Care (ACHC).
Whose role is it to update documentation requirements based on changes to regulatory or accreditation standards?
The Nursing Informatics Specialist
This committee created the standards associated with administrative medical insurance tasks.
The Accredited Standards Committee (ASC) X12
This set of standards is used nationwide and supports claims, enrollment, and determination of insurance eligibility.
X12N
This council developed pharmacy standards for the U.S. Electronic claims processing under its standard was first introduced in 1992 and has grown to cover nearly 100% of retail pharmacy claims, which are processed in real time.
The National Council for Prescription Drug Programs (NCPDP)
This standards organization (separate from NCPDP) develops messaging standards that focus on the communication of information within and between different healthcare facilities.
Health Level Seven (HL7)
Reimbursement systems
Pay for Performance (P4P) or value-based purchasing
What is the primary objective of P4P programs?
To reward health care providers when patients have good outcomes.
P4P payment
Payment is tied to the quality rather than the quantity of service.
Under the Medicare Inpatient Prospective Payment System (IPPS), each diagnosis on a patient's claim must be given…
A present-on-admission (POA) indicator; the case is then grouped into a Medicare severity diagnosis-related group (MS-DRG).
What is the “Y” POA indicator on Medicare claims?
Yes, the condition was present on admission. Medicare pays for the condition even if it is on the hospital-acquired condition (HAC) list.
What is the “N” POA indicator on Medicare claims?
No, the condition was not present on admission. Medicare will not pay for a HAC that is present at discharge but was not present on admission.
What is the “U” POA indicator on Medicare claims?
Unknown: the documentation is insufficient to determine whether the condition was present on admission. Medicare treats a HAC coded U like N and will not pay for it.
What is the “W” POA indicator on Medicare claims?
Clinically undetermined: the provider cannot clinically determine whether the condition was present on admission. Medicare treats a HAC coded W like Y and pays for it.
What did Medicare institute for serious, preventable hospital-acquired conditions and complications for which it will not reimburse hospitals?
Do-not-pay list
Why does Medicare have a do-not-pay list?
To control quality of care and to cut costs.
How many categories are currently on the do not pay list for Medicare?
over forty
What department handles negligence and malpractice?
Risk Management
Indicates that proper care has not been provided.
Negligence
Indicates that an individual failed to provide reasonable care or to protect or assist another, judged against accepted standards and expertise.
Negligent conduct
Willfully providing inadequate care while disregarding the safety and security of another.
Gross negligence
Involves the injured party contributing to the harm done.
Contributory negligence
Attempts to determine what percentage of the negligence is attributable to each individual involved.
Comparative Negligence
If health care providers give patients access to them via e-mail or messaging and do not respond promptly to those messages, they may be liable for what?
Malpractice
Types of patient data misuse include:
Identity theft
Unauthorized access
Privacy violations
Security breaches
Health records often contain identifying information, such as Social Security numbers, credit card numbers, birthdates, and addresses, making patients vulnerable to this.
Identity theft
Although EHRs and computerized documentation systems are password protected, providers sometimes share passwords or unwittingly expose them when logging in, inadvertently allowing access to patient information.
Unauthorized access
Even professionals authorized to access a patient’s record may share private information with others, such as family or friends.
Privacy violations
Data are vulnerable to these when security is careless or inadequate, especially when various business associates, such as billing companies, have access to private information.
Security breaches
Those who use proprietary software should require everyone working with the data, including third parties, to sign ____________________ to prevent information about the software or data from being stolen or misused.
A nondisclosure agreement (NDA)
Stealing proprietary data is most common when…
People leave an organization; the stolen data are often used to benefit a new employer.
Stealing legally protected information is an act of?
Fraud
The Health Insurance Portability and Accountability Act of 1996 mandates ____________ and _______________ standards to ensure that health information and individual privacy are protected.
Privacy and security
Protected information includes any information included in the medical record (electronic or paper), conversations between the physician and other health care providers, billing information, and any other form of health information. Procedures must be in place to limit access and disclosures.
Privacy Rule
Any electronic health information must be secure and protected against threats, hazards, or nonpermitted disclosures, in compliance with established standards.
Security Rule
Limiting access to those authorized, unique identifiers for each user, automatic logoff, encryption and decryption of protected health information, verification that health care data have not been altered or destroyed, monitoring of logins, and security of transmission.
Security requirements
These must include a unique user identifier, procedures for accessing the system in emergencies, automatic timeout, and encryption/decryption.
Access controls
The two major factors for security of patient information include:
Information should be transmitted accurately and quickly.
Clinical and nonclinical systems should be fully integrated.
Requested information should be supplied within _______________ of the request.
24 hours
Passed in 1996 to protect patient privacy rights
Health Insurance Portability and Accountability Act (HIPAA)
Compliance date: standards for electronic transactions and code sets.
October 16, 2002
Compliance date: privacy standards.
April 14, 2003
Compliance date: standards for employer identification.
July 30, 2004
Compliance date: standards for system and data security.
April 21, 2005
Compliance date: standards for provider identification.
May 23, 2007
Freedom from intrusion, or control over the exposure of self or personal information. In health care, an individual's right to privacy includes remaining anonymous on request and deciding what information is collected and how that information is used.
Privacy
The careful sharing of private information only with people who have a valid interest in helping the individual.
Confidentiality
Occurs when someone other than authorized system personnel accesses a private computer system.
System Penetration
The willful destruction of computer equipment (or database records).
Sabotage
Majority of sabotage occurrences come from?
Angry or unhappy employees
There are several ways that __________ occur in computer systems: poor design, incorrect data entry, or retrieval of an incorrect entry.
Errors
May cause the system to shut down entirely for an undefined length of time.
Disasters
The biggest security problem for health database systems is. …
Unauthorized User
An employee of the company who has legitimate access to the database system but accesses information beyond what is needed for their job or task.
Unauthorized User
Five types of malicious computer programs:
Viruses
Worms
Trojan Horses
Logic Bombs
Bacteria
Can damage data, but may only be an annoyance.
Viruses
Computer must be running in order for these to spread
Viruses
Named after the pattern of damage they perform
Worms
Use LAN and WAN connections to spread and reproduce themselves.
Worms
Appear to perform a legitimate task but actually do something else.
Trojan Horse
These malicious programs do not self- replicate.
Trojan Horse
These malicious programs can be easily confined once found.
Trojan Horse
Triggered by a specific bit of data.
Logic Bombs
Can be hidden in a normal program.
Logic Bombs
Type of virus
Logic bombs & Bacteria
Are not attached to existing programs
Bacteria
Malicious software
Viruses or Trojan horses
Two types of programs are essential to the security of today’s computers
Antivirus software and spyware detection software
The process of using mathematical formulas to encode data so that it is unrecognizable if intercepted by someone outside the system.
Encryption
Three ways that encryption can be handled by the organization:
At the desktop, administered centrally, or server-wide.
How many levels are there for user authentication security?
Three
What level of Authentication Security:
Once an individual is logged into the system (using their name and password), their name appears on the screen and their access is tracked as they use the system.
Level One
What level of Authentication Security:
Users are automatically logged out after some period of inactivity and must log in again.
Level One
What level of Authentication Security:
Must update their password on a regular basis.
Level One
What level of Authentication Security:
Most Secured level
Level Three
What level of Authentication Security:
Encrypted key-based authentication
Level Two
What level of Authentication Security:
User must present a Common Access Card (CAC) to the system before they can log in.
Level Two
What level of Authentication Security:
Automatic logout if the CAC is too far from the computer.
Level Two
What level of Authentication Security:
Uses something unique to the individual, such as a fingerprint, retinal scan, or face recognition.
Level Three; Biometric authentication
What level of Authentication Security:
Cannot be lost or stolen
Level Three
How many characters, at minimum, for a secure password?
Eight
Records of activity related to systems and applications: users' access to and use of systems and applications.
Audit trails
A security tool that allows administrators to track individual users, identify the cause of problems, note data modification and misuse of equipment, and reconstruct computer events.
Audit trails
Include event records and keystroke monitoring.
Audit trails
Audit trails at this level generally record all logins, including user identification, date and time, devices used, and functions performed.
System level
Audit trails at this level monitor activity within the application, including files opened, edited, read, deleted, and printed.
Application level
Items used to authenticate a person's identity and allow access to a system.
Tokens
Generate one-time passwords
SecurID by RSA
These include driver's licenses and employee badges but provide very little security, as they can easily be falsified or stolen.
ID cards
These combine use of the token with other information, such as user name and password.
Challenge-response tokens
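Added example for the one-time-password and challenge-response token cards above. It is not part of the flashcard set and is not RSA's SecurID algorithm (which is proprietary); it implements the open HOTP (RFC 4226) and TOTP (RFC 6238) constructions that hardware and soft tokens commonly use, a server-side verifier with a replay guard, and a minimal HMAC challenge-response exchange. `KEY` is the published RFC 4226 test secret; the window size, the challenge bytes and the function names are assumed for illustration.

```python
"""Added example, not part of the flashcard set and not RSA's SecurID
algorithm (proprietary): the open HOTP (RFC 4226) and TOTP (RFC 6238)
one-time-password constructions plus a minimal HMAC challenge-response
token. KEY is the RFC 4226 test secret; all other values are assumed."""
import hashlib
import hmac
import struct
import time
from typing import Optional

KEY = b"12345678901234567890"   # 20-byte shared secret from the RFC 4226 test vectors


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP whose counter is the number of `step`-second periods since
    the Unix epoch, so token and server agree without a resync step."""
    now = int(time.time()) if at is None else at
    return hotp(key, now // step, digits)


def verify_hotp(key: bytes, counter: int, submitted: str, look_ahead: int = 3) -> Optional[int]:
    """Server-side check. Accepts a code from the expected counter or a few
    ahead (the token was pressed without logging in) and returns the next
    counter to store, so an accepted code can never be replayed. None = reject."""
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(key, c), submitted):
            return c + 1
    return None


def challenge_response(key: bytes, challenge: bytes) -> str:
    """Challenge-response token: the server sends a fresh random challenge,
    the token answers HMAC-SHA256(key, challenge), and the server recomputes
    it while still requiring the user name and password alongside."""
    return hmac.new(key, challenge, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    for c in range(3):
        print("HOTP counter", c, "->", hotp(KEY, c))
    print("TOTP at t=59 (8 digits):", totp(KEY, at=59, digits=8))
    print("current TOTP:", totp(KEY))
    challenge = b"nonce-constructed-for-demo"   # constructed; use os.urandom in practice
    print("challenge response:", challenge_response(KEY, challenge))
```

The first three HOTP codes for the test key are 755224, 287082 and 359152, matching RFC 4226 Appendix D, and the 8-digit TOTP at t=59 is 94287082, matching RFC 6238. The verifier advances the stored counter past the accepted value, which is what makes the password "one-time": submitting 755224 again after counter 0 has been consumed is rejected.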
These contain microchips with information that can be programmed to allow access, like a debit card.
Smart cards
Track who is accessing a system and the duration of access.
Databases
May occur as the result of a number of different problems.
Security failures
Penetration can result from undetected vulnerabilities.
System Penetration
System penetration perpetrators
Cyberhackers, hackers, computer specialists, authorized users, unauthorized users, and opportunists.
This includes physical damage to the system or purposeful alteration of applications.
Destruction/sabotage
May result from poor design, incorrect entries, system changes, poorly trained personnel, and the absence of adequate procedures, policies, and education.
Password management
How many categories of threats to a computer system are there?
Four
Can be either natural or man made.
Environmental Disasters
These include blizzards, earthquakes, epidemics, floods, tornadoes, and hurricanes.
Natural Disaster
Chemical contamination, power outages, accidents when hardware is being transported, and toxic fumes.
Man-made environmental disasters
One of the major causes of problems with a computer system.
Human errors
Includes overwriting files, accidentally deleting files, and overloading the system with unnecessary programs.
Human errors
Includes theft, malicious programs, terrorism, and cybercrime.
Human mischief
Includes disconnected wiring, CPU crashes, and storage drive failures.
Equipment failure
The American Recovery and Reinvestment Act of 2009 included:
The Health Information Technology for Economic and Clinical Health Act (HITECH)
Provides incentive payments to Medicare practitioners to adopt electronic health records (EHRs)
HITECH
Provides penalties in the form of reduced Medicare payments for those who do not adopt EHRs, unless exempted by hardship.
HITECH