Medical Insurance Ch 2
Centers for Medicare and Medicaid Services (CMS)
main federal government agency responsible for health care
What does the CMS do?
1. Regulating all laboratory testing other than research performed on humans
2. Preventing discrimination based on health status for people buying health insurance
3. Researching the effectiveness of various methods of health care management, treatment, and financing
4. Evaluating the quality of health care facilities and services
Health Insurance Portability and Accountability Act (HIPAA) of 1996
law designed to protect people's private health information, ensure health coverage for workers and their families when they change or lose jobs, and uncover fraud and abuse
patient's medical files and other clinical materials that are legal documents belonging to the pharmacy that created them
What are the 3 parts to HIPAA's Administrative Simplification provisions?
1. HIPAA Privacy Rule
2. HIPAA Security Rule
3. HIPAA Electronic Health Care Transactions and Code Sets standards
organizations that electronically transmit any information that is protected by HIPAA
Under HIPAA, three types of covered entities must follow the regulations. They are:
1. Health plans
2. Health care clearinghouses
3. Health care providers
companies that help providers handle electronic transactions such as pharmacy claims
in HIPAA terms, agencies that must comply with the law in order to do business with covered entities such as law firms, accountants, IT, contractors, transcription companies, compliance, consultants, and collection agencies.
HIPAA privacy rule
the first comprehensive federal protection for the privacy of health information
The HIPAA Privacy Rule says that covered entities must:
1. Have a set of privacy practices that are appropriate for their health care services
2. Notify patients about their privacy rights and how their information can be used or disclosed
3. Train employees so that they understand the privacy practices.
4. Appoint a privacy official responsible for seeing that the privacy practices are adopted and followed
5. Safeguard patients' records
protected health information (PHI)
individually identifiable health information that is transmitted or maintained by electronic media
This information includes
3. names of relatives and employers
4. birth date
5. telephone numbers
6. fax number
7. e-mail address
8. social security number
9. medical and/or pharmacy record number
10. health plan beneficiary number
11. account number
12. certificate or license number
13. serial number of any vehicle or other device
14. website address
15. fingerprints or voiceprints
16. photographic images
treatment, payment, and health care operations (TPO)
term referring to providing and coordinating a patient's medical care, the exchange of information with health plans, and general business management functions
minimum necessary standard
precautions a covered entity must take to limit the usage of protected health information by taking reasonable safeguards to protect it from incidental disclosure
The minimum necessary standard does not apply to any type of disclosure - oral, written, phone, fax, e-mail, or other - among providers for treatment purposes.
designated record set (DRS)
medication and billing records a pharmacy maintains
Patients have what rights within the DRS?
1. Access, copy, and inspect their PHI.
2. Request amendments to their health information
3. Obtain accounting of most disclosures of their health information.
4. Receive communications from pharmacies via other means, such as in Braille or in foreign languages.
5. Complain about alleged violations of the regulations and the pharmacy's own information policies.
Notice of Privacy Practices (NPP)
document explaining how patients' protected health information may be used and describing their rights.
Covered entities must give each patient a notice of privacy practices at the first contact or encounter.
document a patient must sign for a covered entity to use or disclose information other than for TPO
An authorization must include what?
1. A description of the information to be used or disclosed
2. The name or other specific identification of the person(s) authorized to use or disclose the information.
3. The name of the person(s) or group of people to whom the covered entity may make the use or disclosure
4. A description of each purpose of the requested use or disclosure
5. An expiration date
6. The signature of the individual (or authorized representative) and the date
7. A statement of the individual's right to revoke the authorization in writing
8. A statement about whether the covered entity is able to base treatment, payment, enrollment, or eligibility for benefits on the authorization
9. A statement that information used or disclosed after the authorization may be disclosed again by the recipient and may no longer be protected by the rule.
Requests for information other than for TPO. The exceptions are:
1. court orders
2. Workers' compensation cases
3. Statutory reports
order of the court directing a party to appear and testify
subpoena duces tecum
order of the court directing a party to appear, testify, and bring specified documents or items.
de-identified health information
health information that neither identifies nor provides a reasonable basis to identify an individual
There are no restrictions on the use or disclosure of de-identified health information.
HIPAA Security Rule
rule that requires covered entities to establish safeguards to protect a patient's protected health information.
process of encoding information in such a way that only the person or computer with the key can decode it
key to information for individuals who have been granted access rights.
HIPAA Electronic Health Care Transactions and Code Sets (TCS)
code sets that make it possible for providers and health plans to exchange data using a standard format and standard code sets
electronic data that are regularly sent back and forth between providers, health plans, and employers.
any group of codes used for encoding data elements
mandated code set for diagnoses under TCS
Current Procedural Terminology (CPT)
mandated code set for physician procedures and services under TCS
Healthcare Common Procedure Coding System (HCPCS)
mandated code set for reporting supplies, orthotic and prosthetic devices, and durable medical equipment under TCS
HIPAA National Identifiers
numbers of predetermined length and structure used for identification purposes
They are used to identify employers, health care providers, health plans, and patients.
National Provider Identifier (NPI)
standard for the identification of providers when filing claims and other transactions
NCPDP Provider Identification Number
provides pharmacies with a unique national identifier for use in interactions with payers and claim processors
Medicare Prescription Drug Improvement and Modernization Act of 2003 (MMA)
provided seniors and individuals with disabilities access to prescription drug plans with more choices and better benefits.
Prescription Drug Equity Act of 1997
prohibits a prescription drug plan from providing mail-order coverage without also providing non-mail-order prescription benefits.
Health Care Fraud and Abuse Control Program
program created to uncover and prosecute fraud and abuse
Office of the Inspector General (OIG)
detects health care fraud and abuse and enforces all laws relating to them.
person who makes an accusation of suspected fraud
act of deception used to take advantage of another person
action that misuses money that the government has allocated
corporate integrity agreement
compliance action under which a provider's Medicare billing is monitored by the Office of the Inspector General
Office for Civil Rights (OCR)
enforcer of HIPAA privacy regulations
methodical examination of selected pharmacy records.
law stating that an employer is responsible for employees' actions
plans a pharmacy practice writes and implements to uncover compliance problems and correct them to avoid risking liability
According to OIG, voluntary plans should contain seven elements:
1. Consistent written policies and procedures
2. Appointment of a compliance officer and committee
5. Disciplinary systems
6. Auditing and monitoring
7. Responding to and correcting errors