Healthcare Technologies Accreditation Regulation and HIPAA Paper

Description

Instructions and assigned reading is attached below. If you have any questions please feel free to ask. Thanks!

M03_GART2674_01_SE_C03.QXD
3
8/4/09
1:52 PM
Page 42
Accreditation, Regulation,
and HIPAA
LEARNING OUTCOMES
H
I should be able to:
After completing this chapter, you

Discuss the importance of G
accreditation

List HIPAA transactions and uniform identifiers
G

Understand HIPAA privacy and security concepts
Sin a medical office

Apply HIPAA privacy policy
,

Discuss HIPAA security requirements
and safeguards

Follow security policy guidelines in a medical facility
S
H
Acronyms are used extensively inA
both medicine and computers. The following
acronyms are used in this chapter.
N
ACS
American College of Surgeons
FDA
Food and Drug Administration
I
CAP
College of American Pathologists
HHS
U.S. Department of Health and
C
Human Services
CARF
Commission on Accreditation of
Q
Rehabilitation Facilities
HCPCS
Healthcare Common Procedure
Coding System
CDC
Centers for Disease Control
and
U
Prevention
HIPAA
Health Insurance Portability and
A
Accountability Act
CMS
Centers for Medicare and
ACRONYMS USED IN CHAPTER 3
Medicaid Services (formerly
known as Health Care Financing
1
Administration)
ICD-9-CM International Classification of
Diseases, Ninth Revision, Clinical
Modification
COB
1
Coordination of Benefits
JCAHO
COP
Conditions of Participation
0
(Medicare)
Joint Commission on
Accreditation of Healthcare
Organizations (now referred to
simply as the Joint Commission)
MOU
Memorandum of Understanding
(between Government Entities)
NPI
National Provider Identifier
OCR
Office of Civil Rights
PHI
Protected Health Information
PIN
Personal Identification Number
PPS
Prospective Payment System
PRO
Peer Review Organization (now
Quality Improvement Organization)
CPT-4®
5
Current Procedural Terminology,
Fourth Edition
T
DEA
Drug Enforcement Agency
DRG
Diagnosis-Related Group
EDI
Electronic Data Interchange
EHR
Electronic Health Record
EIN
Employer Identification Number
EPHI
Protected Health Information in
Electronic Form
FBI
Federal Bureau of Investigation
S
42
Health Information Technology and Management, First Edition, by Richard Gartee. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
M03_GART2674_01_SE_C03.QXD
8/4/09
1:52 PM
Page 43
ACCREDITATION, REGULATION, AND HIPAA
PSRO
Professional Standards Review
Organization
QIO
Quality Improvement Organization
(formerly Peer Review Organization)
UM
Utilization Management
WAN
Wide-Area Network
43
Accreditation and Regulation
Healthcare facilities and practitioners are licensed and regulated by federal, state, and local
governments and laws. Additional self-regulation by following a set of recognized standards
for healthcare organizations and voluntary participation inHaudits by accreditation organizations can assist in compliance with government requirements.
I
Government regulation influences healthcare delivery organizations
in two ways. First, entities are directly controlled by agencies that issue permits and
G licenses to operate facilities and
various departments within them. Second, healthcare organizations are influenced by the rules of
GThe most prominent among these
government agencies that reimburse them for treating patients.
is the Centers for Medicare and Medicaid Services (CMS). S
Centers for Medicare and Medicaid Services
,
Medicare and Medicaid have been in existence since 1965. Medicare provides healthcare coverage for people ages 65 and older as well as people with disabilities
S and those with end-stage renal
disease (kidney failure). Medicaid provides healthcare benefits (partially paid by the states) for
people who are poor, blind, or have a disability, for pregnantH
women, and for some persons over
age 65 (in addition to Medicare).
A
Medicare and Medicaid are both governed by a federal agency, the Centers for Medicare and
N and Human Services (HHS).
Medicaid Services, which is under the U.S. Department of Health
Both programs are administrated on a state level by intermediaries,
I companies that have a contract
to handle claims processing, payments, authorizations, and provider inquiries for a region or a state.
C local Blue Cross/Blue Shield plan.
Often these intermediaries are health insurance plans such as the
The influence of CMS on the healthcare delivery systemQ
cannot be underestimated. Here are
just a few examples of its influence:
U



Since its inception, Medicare has required utilization reviews to ensure that the services
A
provided were medically necessary. Utilization review is now referred to as utilization
management (UM). This led to the establishment of professional standards review
organizations (PSROs) to perform concurrent review of the services provided during a
1
patient’s stay. Subsequently this evolved into peer review organizations (PROs) to review
1 was admitted. PROs are now
the necessity for inpatient admissions even before the patient
referred to as quality improvement organizations (QIOs).
0 The QIO process is also used
by Blue Cross and private insurance plans and is the basis for the preadmission and
5 plans today.
preauthorization requirements common with many health
In an effort to control healthcare costs, Medicare and Medicaid
also established rates at
T
which facilities and providers would be reimbursed for approved services. By law,
S
providers could not collect more from a Medicare patient that the approved amount. This
again became the model emulated by many health insurance plans, where participating
providers enter into a contractual agreement ensuring that patients will not be charged
more than the amount “approved” by the plan.
In addition to payment systems that set the amount reimbursed for services delivered,
Medicare led the way in establishing a prospective payment system (PPS), which paid for
inpatient stays at a fixed amount based on the type of case, not the length of stay. The concept of diagnosis-related groups (DRGs) was created to establish the reasonable costs for
care based on the patient’s diagnosis at the time of discharge. The DRG concept was also
embraced by Blue Cross and other plans. PPSs are now being applied to outpatient services.
Health Information Technology and Management, First Edition, by Richard Gartee. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
M03_GART2674_01_SE_C03.QXD
44
8/4/09
1:52 PM
Page 44
CHAPTER 3


To ensure that patients receive quality care, Medicare established rules and standards of care
and required facilities to comply with its conditions of participation (COP). Among other
things, facilities are subject to audit and inspections to ensure the quality of the provider
and compliance with standard policies and procedures. One of the ways a healthcare
organization can comply is by voluntary participation in the accreditation process of the
Joint Commission (discussed below). Medicare and other agencies recognize the rigorous
standards of certain accreditation organizations that meet or exceed their own. Rather than
submit to the time-consuming process of inspections by Medicare, Blue Cross, multiple
agencies, and health plans, a facility can obtain a deemed status, whereby Medicare deems
that if the facility has met the Joint Commission standards it would have also met the COP
requirements.
When the Health Insurance Portability and Accountability Act (HIPAA) became law,
CMS was also instrumental in its implementation. HIPAA contained, among other things,
H
a subsection on administrative simplification
that required standardization of electronic
transactions as well as the setting
of
standards
for privacy and security of health records.
I
CMS exerted pressure on Medicare intermediaries to adopt the required standards for
their transactions or risk losing G
their contracts. CMS was also given the powers to enforce
the HIPAA security standards. (HIPAA
is discussed in more detail later in the chapter.)
G
These examples are only a few
S of the ways in which Medicare influences facilities,
providers, and other insurance plans. HIPAA, DRG, accreditation, and many of the other con, in more detail later.
cepts introduced here will be discussed
Federal, State, and Local Laws
S
In addition to the laws concerning safety, employees, business practices, and zoning that apply to
H
all types of businesses, healthcare entities
are subject to further regulations. For instance, all
states require healthcare facilities toAbe licensed. The caregivers (discussed in Chapter 1) who
work in the facilities must be licensed by the state as well.
N
State laws provide detailed regulations
concerning the operation of facilities, sanitation,
medical and nursing staff requirements,
I and patient records. Even within the licensure of the
hospital, the state may limit what services can be offered or require special licenses to operate
C
certain departments within the facility.
In some cases licensing decisions
Qcan be very political. A state may restrict which facilities
can perform certain cardiac procedures. For example, a hospital surgery department with surU
geons qualified in the procedures may have difficulty getting licensed because of the political
pressure exerted on the licensing board
A by larger competing hospitals in the region.
Licensing and state regulations differ by the facility type as well. For example, long-term
care and rehabilitation facilities are subject to requirements that are different from those that must
be followed by an acute care facility.1
State agencies that regulate and 1
license healthcare delivery conduct regular visits and inspections of healthcare facilities and their record keeping, operations, and compliance with state
requirements. Local governments in 0
many areas also require county or city licenses and may conduct inspections as well.
5
Earlier, we discussed CMS, an agency of the HHS, but there are additional federal agencies
T healthcare facilities. These include the Food and Drug
within HHS that also regulate or impact
Administration (FDA), Drug Enforcement
Agency (DEA), Centers for Disease Control and
S
Prevention (CDC), and the Office of Civil Rights (OCR). Licenses are required for providers who
prescribe drugs, the pharmacists who prepare and dispense drugs, and the caregivers who administer them. A license is also required to operate a hospital pharmacy. Licenses and regulations
also govern the use and handling of radioactive materials by radiology and nuclear medicine
departments in healthcare facilities.
In addition to the licenses and inspections we just discussed, healthcare facilities are also
required to report incidents that involve infectious diseases, child abuse, and certain injuries
such as gunshots. State and federal governments also require facilities to report a substantial
amount of statistical data concerning birth defects, cancer tumors, and the patients using the
facility.
Health Information Technology and Management, First Edition, by Richard Gartee. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
M03_GART2674_01_SE_C03.QXD
8/4/09
1:52 PM
Page 45
ACCREDITATION, REGULATION, AND HIPAA
45
The Joint Commission
As mentioned earlier, one way of meeting the requirements of operating a healthcare facility, and
limiting a number of the time-consuming audits and inspections by numerous agencies and
health insurance plans, is to voluntarily comply with the standards of a recognized accreditation
organization. For acute care facilities, the most respected entity is the Joint Commission.
The name Joint Commission is derived from its history. Nearly a century ago, the American
College of Surgeons (ACS) created a Hospital Standard Program describing how medical care
should be documented and how hospitals should be operated. These standards continued to
evolve. In 1952, the American Hospital Association and the Canadian Medical Association collaborated with the ACS to form a Joint Commission of Hospitals. Thirty-five years later, the
word Hospital was dropped because the standards-setting body had expanded to include longterm, behavioral health, and ambulatory care settings as well as acute care hospitals. The new
name was Joint Commission on Accreditation of Healthcare Organizations (JCAHO). Today the
work of JCAHO is so widely recognized that the nameHhas been shortened to the Joint
Commission.
I
The Joint Commission establishes the optimum standards for patient care, medical docuG submit to accreditation surveys
mentation, and clinical data. Facilities adhering to these standards
and audits by the Joint Commission to earn and maintain their
G accreditation. Here is the Joint
Commission’s list of benefits:
S








Benefits of Joint Commission Accreditation and
, Certification
Strengthens community confidence in the quality and safety of care, treatment
and services
Provides a competitive edge in the marketplace S
Improves risk management and risk reduction H
Provides education on good practices to improve business
operations
A
Provides professional advice and counsel, enhancing staff education
N
Enhances staff recruitment and development
I
Recognized by select insurers and other third parties
May fulfill regulatory requirements in select statesC
Q
Joint Commission standards address the organization’s level of performance in key
U and infection control. The
functional areas, such as patient rights, patient treatment,
standards focus not simply on an organization’s ability
Ato provide safe, high-quality
care, but on its actual performance as well. The standards set forth performance expectations for activities that affect the safety and quality of patient care.1
1
To help organizations measure outcomes and improve the quality of care, ongoing collection
1 process. ORYX® is the name
of performance measures was incorporated into the accreditation
the Joint Commission gave to the initiative that integrates performance
and outcome measures
0
into the accreditation process.
5 measurement data to the Joint
Accredited hospitals now submit specific performance
Commission on a regular basis. The Joint Commission can then
T work with the facility to help it
improve its quality of care. CMS has worked with the Joint Commission to ensure that the agency
S
and the commission’s performance measures are precisely aligned.
Figure 3-1 shows the resulting improvements in hospital quality performance for selected illnesses reported by Joint
Commission—accredited hospitals over a six-year period of time.2
In addition to the Joint Commission, several other organizations accredit some of the same
facilities. Two important ones are discussed next.
1
Facts about the Joint Commission, www.jointcommission.org.
The Joint Commission 2008 Report.
2
Health Information Technology and Management, First Edition, by Richard Gartee. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
M03_GART2674_01_SE_C03.qxd
46
8/22/09
4:59 PM
Page 46
CHAPTER 3
100
Percentage
90
80
Measure Set
70
Heart Attack Care
Heart Failure Care
H
Pneumonia Care
I
60
G
2002
2003
2004
2005
2006
2007
Year
G
FIGURE 3-1 Measures of improvement in heart
S
attack, heart failure, and pneumonia care.
,
College of American Pathologists
The College of American Pathologists (CAP) is the principal professional organization for boardS
certified pathologists. Among the organization’s diverse activities is the accreditation of medical
laboratories. “The goal of the CAPHLaboratory Accreditation Program is to improve patient
safety by advancing the quality of pathology
and laboratory services through education, standard
A
setting, and ensuring laboratories meet or exceed regulatory requirements.”3
Figure 3-2 shows a technicianN
in a laboratory; however, CAP accreditation surveys go
beyond the physical confines of theI laboratory, ensuring that nurses and caregivers who use
devices such as glucose meters to administer tests in patients’ rooms have been thoroughly
trained and are qualified to conduct C
those tests.
Q
U
A
FIGURE 3-2
A technician in a
CAP-accredited
laboratory.
1
1
0
5
T
S
3
About the Laboratory Accreditation Program, College of American Pathologists, www.cap.org.
Health Information Technology and Management, First Edition, by Richard Gartee. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
M03_GART2674_01_SE_C03.QXD
8/4/09
1:52 PM
Page 47
ACCREDITATION, REGULATION, AND HIPAA
47
Because the CAP accreditation process is so thorough, the Joint Commission accepts accreditation of a hospital laboratory by CAP as sufficient to meet the Joint Commission’s standards in
regard to that portion of their survey. CAP has also been designated by CMS as an authority,
whereby a laboratory facility with a CAP accreditation is deemed to have complied with
Medicare COP standards.
Commission on Accreditation of Rehabilitation Facilities
The Commission on Accreditation of Rehabilitation Facilities (CARF) provides accreditation for
organizations offering behavioral health, physical, and occupational rehabilitation services as
well as assisted living, continuing care, community services, employment services, and others.
Although the Joint Commission also offers accreditation of rehabilitation facilities, CARF’s
approach is more consultative and less like an inspection. There are also some services for which
CARF is the only accrediting body. Because the two commissions have somewhat different
requirements, they have worked together to offer coordinated
H surveys in cases where facilities
desire accreditation by both commissions.
I
CARF includes standards for adult day care, stroke specialty programs, person-centered
long-term care communities, and dementia care specialtyGprograms. CARF has developed
accreditation for other human services that are not associated with rehabilitation, for example,
G
the administration of one-stop career centers.4
HIPAA
S
,
Let us return to our discussion of HIPAA, which has had aSgreat impact on the field of health
information and the health information management professional. Although you may not initially
H discussed in this chapter, you
be positioned to make some of the policy and planning decisions
will be required to understand and comply with them in a healthcare
workplace. The remainder
A
of this chapter will provide you with a thorough understanding of HIPAA and its impact on your
Nprepared by the U.S. Department
job. The following sections make extensive use of documents
of Health and Human Services, the government authority onIHIPAA.
HIPAA’s Administrative Simplification Subsection C
Q Portability and Accountability
In 1996 Congress passed legislation called the Health Insurance
Act, or HIPAA. The law was intended to accomplish the following:
U





Improve portability and continuity of health insurance coverage.
A
Combat waste, fraud, and abuse in health insurance and healthcare delivery.
Promote use of medical savings accounts.
1
Improve access to long-term care.
1
Simplify administration of health insurance.
0 known as the Administrative
HIPAA law regulates many things. However a portion
5
Simplification Subsection of HIPAA covers entities such as
5 health plans, clearinghouses, and
healthcare providers. When you work in the healthcare field, these regulations govern your job
T
and behavior. Therefore, it is not uncommon for healthcare workers
to use the term HIPAA when
they actually mean only the Administrative Simplification Subsection
of HIPAA.
S
The Administrative Simplification Subsection has four distinct components:
1.
2.
3.
4.
Transactions and Code Sets
Uniform Identifiers
Privacy
Security
4
Answering Your Questions about CARF, www.carf.org.
HIPAA, Title 2, subsection f.
5
Health Information Technology and Management, First Edition, by Richard Gartee. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
M03_GART2674_01_SE_C03.QXD
48
8/4/09
1:52 PM
Page 48
CHAPTER 3
HIPAA Transactions and Code Sets
The first section of the regulations to be implemented governs the electronic transfer of medical
information for business purposes such as insurance claims, payments, and eligibility. We will
discuss these and other electronic communications in more detail in a subsequent chapter.
When information is exchanged electronically both systems must use the same format in order
to make the information intelligible to the receiving system. Here is an example to help you understand this concept: Perhaps a friend has e-mailed you a picture or video file you could not open with
your computer. The most likely reason was that the file was in a format that your computer did not
recognize. So while your friend’s computer could display the image, your computer could not.
Before HIPAA, nearly every insurance plan used a format that contained variations which
made it different from other plans’ formats. This meant that plans could not easily exchange or
forward claims to secondary payers and that most providers could only send claims electronically
to a few plans. Too often the rest of the claims were sent on paper.
H
HIPAA standardized formats by requiring specific transaction
I data interchange (EDI). Two additional EDI transactions
standards for eight types of electronic
are not yet finalized. The HIPAA transactions
are:
G
EIGHT HIPAA TRANSACTIONS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Claims or equivalent encountersG
and coordination of benefits (COB)
Remittance and payment advice
S
Claims status
,
Eligibility and benefit inquiry and response
Referral certification and authorization
S
Premium payments
Enrollment and de-enrollment inHa health plan
Health claims attachments (not A
final)
First report of injury (not final)
N
Retail drug claims, coordination of drug benefits, and eligibility inquiries.
I
In an EDI transaction, certain portions of the information are sent as codes. For the receiving entity to understand the content C
of the transaction, both the sender and the receiver must use
the same codes.
Q
For example, in an insurance claim, charges for patient visits are sent as procedure codes
Umedical reasons for the procedure are sent in the claim as
instead of their long descriptions. The
diagnosis codes. HIPAA requires theAuse of standard sets of codes. Two of those standards are:


ICD-9-CM codes for diagnoses (and some inpatient procedures)
CPT-4 and HCPCS codes for outpatient
procedures
1
Under HIPAA, any coded information within a transaction is also subject to standards. Just
1
a few examples of the hundreds of other codes include codes for sex, race, type of provider, and
0
relation of the policy holder to the patient.
Health information technicians5are involved in coding claims, sending or managing electronic data transactions, and setting up or maintaining tables of standard codes used to ensure that
T
claims are correctly coded.
HIPAA Uniform Identifiers
S
You can see the importance of both the sending and receiving system using the same formats and
code sets to report exactly what was done for the patient. Similarly, it is necessary for multiple
systems to identify the doctors, nurses, and healthcare businesses sending the claim or receiving
the payment. ID numbers are used in a computer processing instead of names because, for example, there could be many providers named John Smith.
However, prior to HIPAA, each provider had multiple ID numbers assigned to them for use on
insurance claims, prescriptions, etc. A provider typically received a different ID from each plan and
sometimes multiple numbers from the same plan. This created a problem for the billing office to get
the right ID on the right claim and made electronic coordination of benefits all but impossible.
Health Information Technology and Management, First Edition, by Richard Gartee. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
M03_GART2674_01_SE_C03.QXD
8/4/09
1:52 PM
Page 49
ACCREDITATION, REGULATION, AND HIPAA
49
HIPAA established uniform identifier standards to be used on all claims and other data transmissions. These include:



National Provider Identifier (NPI): This type of identifier is assigned to doctors, nurses,
and other healthcare providers.
Employer Identifier: This identifier is used to identify employer-sponsored health
insurance. It is the same as the federal Employer Identification Number (EIN) employers
are assigned for their taxes by the Internal Revenue Service.
National Health Plan Identifier: This identifier has not yet been implemented, but when it
is it will be a unique identification number assigned to each insurance plan and to the organizations that administer insurance plans, such as payers and third-party administrators.
H
I
HIPAA documents refer to healthcare providers, insurance plans, and clearinghouses as
covered entities. A clearinghouse is a business that converts
G nonstandard HIPAA transactions into the correct format required by HIPAA.
Ga healthcare organization and
As a future HIM employee, think of a covered entity as
all of its employees.
S
,
COVERED ENTITY
S
Privacy and Security of Patient Records
H
The remaining two portions of HIPAA’s Administrative Simplification Subsection are concerned
A As someone who will work with
with the protection and confidentiality of patient information.
patient’s health records, it is especially important for you to understand
the regulations regarding
N
privacy and security.
I
HIPAA Privacy Rule
C
The HIPAA privacy standards are designed to protect a patient’s identifiable health information
Q the practice to deliver the best
from unauthorized disclosure or use in any form, while permitting
healthcare possible. When the HIPAA legislation was passed,
U “Congress recognized that
advances in electronic technology could erode the privacy of health information. Consequently,
A
Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.”6
1
1
P ROTECTED HEALTH INFORMATION
0
HIPAA privacy rules frequently refer to PHI or protected health information. PHI is the
5
patient’s personally identifiable health information.
T
S
Healthcare providers have a strong tradition of safeguarding private health information and
have established privacy practices already in effect for their offices. For instance:


By speaking quietly when discussing a patient’s condition with family members
in a waiting room or other public area;
By avoiding using patients’ names in public hallways and elevators, and posting
signs to remind employees to protect patient confidentiality;
6
Guidance on HIPAA Standards for Privacy of Individually Identifiable Health Information (Washington, DC: U.S.
Department of Health and Human Services Office for Civil Rights, December 3, 2002, and revised April 3, 2003).
Health Information Technology and Management, First Edition, by Richard Gartee. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
M03_GART2674_01_SE_C03.QXD
50
8/4/09
1:52 PM
Page 50
CHAPTER 3


By isolating or locking file cabinets or records rooms; or
By providing additional security, such as passwords, on computers maintaining
personal information.
However, The Privacy Rule establishes, for the first time, a foundation of Federal protections for the privacy of protected health information. The Rule does not replace
Federal, State, or other law that grants individuals even greater privacy protections, and
covered entities are free to retain or adopt more protective policies or practices.7
To comply with the law, privacy activities in the average medical office might include the
following:







Providing a copy of the office privacy policy informing patients about their privacy rights
and how their information can be used.
H receiving a copy of the policy and/or signing a consent
Asking the patient to acknowledge
form.
I
Obtaining signed authorization forms and in some cases tracking the disclosures of patient
G
health information when it is to be given to a person or organization outside the practice
for purposes other than treatment,
G billing, or payment purposes.
Adopting clear privacy procedures.
S
Training employees so that they understand the privacy procedures.
,
Designating an individual to be responsible for seeing that the privacy procedures are
adopted and followed.
S individually identifiable health information so that they
Securing patient records containing
are not readily available to thoseHwho do not need them.
Let us examine some of these key
A points.
N
I
The HIPAA Privacy Rule gives individuals a fundamental new right to be informed of the
C and of most of their healthcare providers, as well as
privacy practices of their health plans
to be informed of their privacy rights with respect to their personal health information.
Q
Health plans and covered healthcare providers are required to develop and distribute a
U
notice that provides a clear explanation
of these rights and practices. The notice is
intended to focus individuals on A
privacy issues and concerns, and to prompt them to have
PRIVACY POLICY
discussions with their health plans and healthcare providers and exercise their rights.
Covered entities are required to provide a notice in plain language that describes:




1 use and disclose protected health information
How the covered entity may
about an individual.
1
The individual’s rights with respect to the information and how the individual
0
may exercise these rights, including how the individual may complain to the
5
covered entity.
The covered entity’s legalTduties with respect to the information, including a
statement that the covered entity is required by law to maintain the privacy of
S
protected health information.
Whom individuals can contact for further information about the covered
entity’s privacy policies.8
The privacy policy must meet the requirements of HIPAA law and the use or disclosure of
PHI must be consistent with the privacy notice provided to the patient.
7
Ibid.
Ibid.
8
Health Information Technology and Management, First Edition, by Richard Gartee. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
M03_GART2674_01_SE_C03.QXD
8/4/09
1:52 PM
Page 51
ACCREDITATION, REGULATION, AND HIPAA
51
FIGURE 3-3
A patient
acknowledges
receipt of a
medical office’s
privacy policy.
H
I
G
G
S
,
CONSENT The term consent has multiple meanings in a S
medical setting. Informed consent
refers to the patient’s agreement to receive medical treatment having been provided sufficient
information to make an informed decision. Consent for H
medical procedures must still be
obtained by the practice.
A
Under the Privacy Rule the term consent is only concerned with use of the patient’s informaN
tion, and should not be confused with consent for the treatment itself. The Privacy Rule originally
required providers to obtain patient “consent” to use and disclose
I PHI except in emergencies. The
rule was almost immediately revised to make it easier to use PHI for purposes of treatment, payC
ment, or operation of the healthcare practice.
Under the revised Privacy Rule, the patient gives consentQto use their PHI by acknowledging
that they have received a copy of the privacy policy. Figure 3-3
U shows a patient receiving a copy
of a medical office’s privacy policy. The office has the patient sign a form acknowledging receipt
A
of the privacy policy.
Although most healthcare providers who see patients obtain HIPAA “consent” as part of the routine demographic and insurance forms that patients sign, the rule permits some uses of PHI without the individual’s authorization:
• A healthcare entity may use or disclose PHI for its own treatment, payment, and healthcare operations activities. For example, a hospital may use PHI to provide healthcare to the individual and may consult with other healthcare providers about the individual’s treatment.
• A healthcare provider may disclose PHI about an individual as part of a claim for payment to a health plan.
• A healthcare provider may disclose PHI related to the treatment or payment activities of any healthcare provider (including providers not covered by the Privacy Rule). Consider these examples:
  – A doctor may send a copy of an individual’s medical record to a specialist who needs the information to treat the individual.
  – A hospital may send a patient’s healthcare instructions to a nursing home to which the patient is transferred.
  – A physician may send an individual’s health plan coverage information to a laboratory who needs the information to bill for tests ordered by the physician.
  – A hospital emergency department may give a patient’s payment information to an ambulance service that transported the patient to the hospital in order for the ambulance provider to bill for its treatment.
• A health plan may use protected health information to provide customer service to its enrollees.
Others within the office can use PHI also. For example, doctors and nurses can share the patient’s chart to discuss what the best course of care might be. The doctor’s administrative staff can access patient information to perform billing, transmit claims electronically, post payments, file the charts, type up the doctor’s progress notes, and print and send out patient statements. The office can also use PHI for operation of the medical practice, for example, to determine how many staff they will need on a certain day, whether they should invest in a particular piece of equipment, what types of patients they are seeing the most of, where most of their patients live, and any other uses that will help make the office operate more efficiently.
Modifying HIPAA Consent “Individuals have the right to request restrictions on how a covered entity will use and disclose protected health information about them for treatment, payment, and healthcare operations. A covered entity is not required to agree to an individual’s request for a restriction, but is bound by any restrictions to which it agrees.
“Individuals also may request to receive confidential communications from the covered entity, either at alternative locations or by alternative means. For example, an individual may request that her healthcare provider call her at her office, rather than her home. A healthcare provider must accommodate an individual’s reasonable request for such confidential communications.”9
AUTHORIZATION Authorization differs from consent in that it does require the patient’s permission to disclose PHI. A signed “consent” document is not a valid permission to use or disclose protected health information for a purpose that requires an “authorization” under the Privacy Rule.
Some examples of instances that would require an authorization include sending the results of an employment physical to an employer and sending immunization records or the results of an athletic physical to the school.
The appearance of an authorization form is up to the practice, but the Privacy Rule requires that it contain specific information. Specific elements required by HIPAA are highlighted in yellow on the sample form shown in Figure 3-4. The required elements are:
• Date signed
• Expiration date
• To whom the information may be disclosed
• What is permitted to be disclosed
• For what purpose the information may be used.
Unlike the Privacy Rule concept of consent, authorizations are not global. A new authorization is signed each time there is a different purpose or need for the patient’s information to be disclosed.
Research Authorizations are usually required for researchers to use PHI. The only difference in a research authorization form is that it is not required to have an expiration date. The authorization may be combined with consent to participate in a clinical trial study, for example.
Research Exceptions To protect the patient’s information while at the same time ensuring that researchers continue to have access to medical information necessary to conduct vital research, the Privacy Rule does allow some exceptions that permit researchers to access PHI without individual authorizations. Typically these are cases where the patients are deceased; where the researcher is using PHI only to prepare a research protocol; or where a waiver has been issued by an internal review board, specifying that none of the information will be removed or used for any other purpose.
9 Ibid.
FIGURE 3-4 Sample Authorization Form with elements required by HIPAA.
Marketing The Privacy Rule specifically defines marketing and requires individual
authorization for all uses or disclosures of PHI for marketing purposes with limited exceptions.
These exceptions are generally when information from the provider is sent to all patients in the
practice about improvements or additions to the practice or when information is sent to the
patient about his or her own treatments. For example, a reminder about an annual check-up is not
considered marketing.
Government Agencies One area that permits the disclosure of PHI without a patient’s authorization or consent is when it is requested by an authorized government agency. Generally such requests are for legal (law enforcement, subpoena, court orders, etc.) or public health purposes. A request by the FDA for information on patients who are having adverse reactions to a particular drug might be an example. Another example might be an audit of medical records by CMS to determine if sufficient documentation exists to justify Medicare claims.
The Privacy Rule permits the disclosure of PHI, without authorization, to public health authorities for the purpose of preventing or controlling disease or injury and for maintaining records of births and deaths. Similarly, providers are also permitted to disclose PHI concerning on-the-job injuries to workers’ compensation insurers, state administrators, and other entities to the extent required by state workers’ compensation laws.
To ensure that covered entities protect patients’ privacy as required, the Privacy Rule requires that health plans, hospitals, and other covered entities cooperate with efforts by the HHS Office for Civil Rights (OCR) to investigate complaints or otherwise ensure compliance.
MINIMUM NECESSARY The Privacy Rule minimum necessary standard is intended to limit unnecessary or inappropriate access to and disclosure of PHI beyond what is necessary. For example, if an insurance plan requests the value of a patient’s hematocrit test to justify a claim for administering a drug, then the minimum necessary disclosure would be to send only the hematocrit result, not the patient’s entire panel of tests.
NO RESTRICTIONS ON PHI FOR TREATMENT OF THE PATIENT
The minimum necessary standard does not apply to disclosures to or requests by a healthcare provider for PHI used for treatment purposes.
“The minimum necessary standard does not apply to the following:
• Disclosures to or requests by a healthcare provider for treatment purposes.
• Disclosures to the individual who is the subject of the information.
• Uses or disclosures made pursuant to an individual’s authorization.
• Uses or disclosures required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Rules.
• Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the Privacy Rule for enforcement purposes.
• Uses or disclosures that are required by other law.”10
INCIDENTAL DISCLOSURES “Many customary healthcare communications and practices play an important or even essential role in ensuring that individuals receive prompt and effective healthcare. Due to the nature of these communications, as well as the various environments in which individuals receive healthcare, the potential exists for an individual’s health information to be disclosed incidentally. For example, a hospital visitor may overhear a provider’s confidential conversation with another provider or a patient, or may glimpse a patient’s information on a sign-in sheet or nursing station whiteboard.
The HIPAA Privacy Rule is not intended to impede customary and essential communications and practices and, thus, does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards. In fact the Privacy Rule permits certain incidental uses and disclosures of protected health information to occur where there is in place reasonable safeguards and minimum necessary policies and procedures that normally protect an individual’s privacy.”11
10 Ibid.
A PATIENT’S RIGHT TO KNOW ABOUT DISCLOSURES Whether the practice has disclosed PHI based on a signed authorization or to comply with a government agency, the patient is entitled to know about it. Therefore, in most cases the medical office must track the disclosure.
The Privacy Rule gives individuals the right to receive a report of all disclosures made for purposes other than treatment, payment, or operation of the healthcare facility. The report must include the date of the disclosure, whom the information was provided to, a description of the information, and the stated purpose for the disclosure. The patient can request the report at any time and the practice must keep the records for at least six years.
PATIENT ACCESS TO MEDICAL RECORDS In addition to protecting privacy, the law generally allows patients to be able to see and obtain copies of their medical records and request corrections if they identify errors and mistakes. Health plans, doctors, hospitals, clinics, nursing homes, and other covered entities generally must provide access to these records within 30 days of a patient request, but may charge patients for the cost of copying and sending the records.
HEALTH INFORMATION MANAGEMENT RESPONSIBILITIES Managing the portions of the HIPAA Privacy Rule discussed so far is almost always a function performed by the health information management professionals responsible for patient medical records. Duties often include ensuring that the appropriate forms for consent or authorization are on file, that requests for release of information are within the time frame of the authorization, that only the minimum necessary portion of the chart is sent as a result of a request, and that the disclosure is properly tracked. HIM professionals in the medical records office will also likely have responsibility for providing patients with copies of their records and disclosure reports.
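The two HIM duties just named, sending only the minimum necessary portion of the chart and tracking the disclosure so the patient can later receive an accounting of it, are easy to see in a small release-of-information routine. The following Python sketch is an added example, not code from the textbook or from any product it describes: the patient record, the recipients, the dates and the function names (`minimum_necessary`, `disclose`, `DisclosureLog.accounting`) are all constructed for illustration. It applies the treatment exemption the text describes, keeps every disclosure in a log that records the four elements the Privacy Rule requires in the report (date, recipient, description, purpose), and when a patient asks for an accounting returns only the non-TPO disclosures inside the six-year retention window.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Treatment, payment and healthcare operations (TPO): uses the Privacy Rule
# permits on the basis of consent, and which are excluded from the
# accounting of disclosures a patient may request.
TPO_PURPOSES = {"treatment", "payment", "operations"}
# The accounting must be kept for at least six years.
RETENTION = timedelta(days=6 * 365)


@dataclass
class Disclosure:
    patient_id: str
    on: date            # date of the disclosure
    recipient: str      # whom the information was provided to
    description: str    # description of the information released
    purpose: str        # stated purpose of the disclosure


@dataclass
class DisclosureLog:
    entries: list = field(default_factory=list)

    def record(self, entry: Disclosure) -> None:
        self.entries.append(entry)

    def accounting(self, patient_id: str, as_of: date) -> list:
        """Entries a patient is entitled to see: non-TPO disclosures in the retention window."""
        cutoff = as_of - RETENTION
        return [e for e in self.entries
                if e.patient_id == patient_id
                and e.purpose not in TPO_PURPOSES
                and e.on >= cutoff]


def minimum_necessary(chart: dict, requested: list, purpose: str) -> dict:
    """Limit the release to the requested elements.

    Disclosures to a provider for treatment are exempt from the standard,
    so the chart is returned whole in that case.
    """
    if purpose == "treatment":
        return dict(chart)
    unknown = [k for k in requested if k not in chart]
    if unknown:
        raise KeyError(f"requested elements not in chart: {unknown}")
    return {k: chart[k] for k in requested}


def disclose(log: DisclosureLog, patient_id: str, chart: dict, requested: list,
             recipient: str, purpose: str, on: date) -> dict:
    """Release the minimum necessary data and track the disclosure in the log."""
    payload = minimum_necessary(chart, requested, purpose)
    log.record(Disclosure(patient_id, on, recipient,
                          ", ".join(sorted(payload)), purpose))
    return payload


# Constructed sample chart: a lab panel for one fictional patient.
SAMPLE_PANEL = {"hematocrit": "41%", "hemoglobin": "13.8 g/dL",
                "wbc": "6.1 K/uL", "platelets": "240 K/uL"}


def demo() -> dict:
    """Walk through several disclosures and build the patient's accounting."""
    log = DisclosureLog()
    today = date(2010, 6, 1)   # constructed 'current' date
    # 1. A payer asks for the hematocrit to justify a claim: only that value goes out.
    to_payer = disclose(log, "P-001", SAMPLE_PANEL, ["hematocrit"],
                        "Example Health Plan", "payment", today)
    # 2. A specialist treating the patient gets the whole panel (treatment is exempt).
    to_specialist = disclose(log, "P-001", SAMPLE_PANEL, ["hematocrit"],
                             "Dr. Example, hematology", "treatment", today)
    # 3. An employer receives a result under a signed authorization: reportable.
    disclose(log, "P-001", SAMPLE_PANEL, ["hemoglobin"],
             "Example Employer Inc.", "authorization: employment physical", today)
    # 4. An authorized disclosure older than six years falls outside the accounting.
    log.record(Disclosure("P-001", today - timedelta(days=7 * 365),
                          "Old Recipient", "hematocrit", "authorization: research"))
    return {"to_payer": to_payer, "to_specialist": to_specialist,
            "accounting": log.accounting("P-001", today)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two design points worth noting: TPO disclosures are still written to the log (that costs nothing and helps the Information System Activity Review discussed later in the chapter), and the filtering to what the patient is entitled to see happens only when the accounting is produced, so a change in policy about which purposes are reportable never requires rewriting history.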
PERSONAL REPRESENTATIVES “There may be times when individuals are legally or otherwise incapable of exercising their rights, or simply choose to designate another to act on their behalf with respect to these rights. Under the Rule, a person authorized to act on behalf of the individual in making healthcare related decisions is the individual’s personal representative.
“The Privacy Rule requires covered entities to treat an individual’s personal representative as the individual with respect to uses and disclosures of the individual’s protected health information, as well as the individual’s rights under the Rule. . . . In addition to exercising the individual’s rights under the Rule, a personal representative may also authorize disclosures of the individual’s protected health information.”12
In general, the personal representative’s authority over privacy matters parallels their authority to act on other healthcare decisions.
As an HIM professional you may need to determine who may authorize access to a patient’s records on the patient’s behalf. When in doubt, consult with the privacy officer at your facility. Figure 3-5 provides a chart of people who, by virtue of their relationship to a patient, must be automatically recognized as the personal representative for certain categories of individuals.
11 Ibid.
12 Ibid.
FIGURE 3-5 Persons automatically recognized as personal representatives for patients.
If the Individual Is: An Adult or an Emancipated Minor
The Personal Representative Is: A person with legal authority to make health care decisions on behalf of the individual
Examples: Health care power of attorney; Court appointed legal guardian; General power of attorney
If the Individual Is: A Minor (not emancipated)
The Personal Representative Is: A parent, guardian, or other person acting in loco parentis with legal authority to make health care decisions on behalf of the minor child
Examples: Parent, guardian, or other person (with exceptions in state law)
If the Individual Is: Deceased
The Personal Representative Is: A person with legal authority to act on behalf of the decedent or the estate (not restricted to health care decisions)
Examples: Executor of the estate; Next of kin or other family member; Durable power of attorney
MINOR CHILDREN In most cases, the parent, guardian, or other person acting as parent is the personal representative and acts on behalf of the minor child with respect to PHI. Even if a parent is not the child’s personal representative, the Privacy Rule permits a parent access to a minor child’s PHI when and to the extent it is permitted or required by state or other laws. Conversely, regardless of the parent’s status as personal representative, the Privacy Rule prohibits providing access to or disclosing the child’s PHI to the parent, when and to the extent it is expressly prohibited under state or other laws.
“However, the Privacy Rule specifies three circumstances in which the parent is not the personal representative with respect to certain health information about the minor child. The three exceptional circumstances when a parent is not the minor’s personal representative are:
• When State or other law does not require the consent of a parent or other person before a minor can obtain a particular healthcare service, and the minor consents to the healthcare service;
• When a court determines or other law authorizes someone other than the parent to make treatment decisions for a minor;
• When a parent agrees to a confidential relationship between the minor and the physician.
Example: A physician asks the parent of a 16-year-old if the physician can talk with the child confidentially about a medical condition and the parent agrees.”13
If state or other laws are silent or unclear about parental access to the minor’s PHI, the Privacy Rule grants healthcare professionals the discretion to allow or deny a parent access to a minor’s PHI based on their professional judgment.
BUSINESS ASSOCIATES “The HIPAA Privacy Rule applies only to covered entities—healthcare
providers, plans, and clearinghouses. However, most healthcare providers and health plans do
not carry out all of their healthcare activities and functions by themselves. Instead, they often use
the services of a variety of other persons or businesses.
13 Ibid.
“The Privacy Rule allows covered providers and health plans to disclose protected health information to these business associates if the providers or plans obtain written satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.
“The covered entity’s contract or other written arrangement with its business associate must contain the elements specified in the Privacy Rule. For example, the contract must:
• Describe the permitted and required uses of protected health information by the business associate;
• Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; and
• Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract.”14
It will generally fall to the privacy officer, or in larger healthcare organizations to the legal department, to ensure that business associate agreements are on file for clearinghouses, transcription services, and other businesses with whom you will exchange PHI as an HIT or HIM professional.
A REAL-LIFE STORY
The First HIPAA Privacy Case15
The first legal case under the privacy rule concerned the theft of patient demographic information (name, address, date of birth, Social Security number) by an employee in a medical office. The former employee of a cancer care facility pled guilty in federal court in Seattle, Washington, to wrongful disclosure of individually identifiable health information for economic gain.
The ex-employee admitted that he obtained a cancer patient’s name, date of birth, and Social Security number while employed at the medical facility, and that he disclosed that information to get four credit cards in the patient’s name. He also admitted that he used several of those cards to rack up more than $9,000 in debt in the patient’s name. He used the cards to purchase various items, including video games, home improvement supplies, apparel, jewelry, porcelain figurines, groceries, and gasoline for his personal use. He was fired shortly after the identity theft was discovered.
“Too many Americans have experienced identity theft and the nightmare of dealing with bills they never incurred. To be a vulnerable cancer patient, fighting for your life, and having to cope with identity theft is just unconscionable,” stated U.S. Attorney John McKay. “This case should serve as a reminder that misuse of patient information may result in criminal prosecution.”
The case was investigated by the Federal Bureau of Investigation (FBI) and prosecuted by the United States Attorney’s Office. The man was sentenced to a term of 10 to 16 months. He has also agreed to pay restitution to the credit card companies and to the patient for expenses he incurred as a result of the misuse of his identity.
Though identity theft is serious, the consequences are much greater in a medical setting than if the same information had been stolen from an ordinary business. Why? Because even the patient’s name and date of birth are part of the PHI. Additionally, the disclosure of medical information for financial gain could have resulted in a sentence of 10 years for each violation. The case serves as a reminder for everyone in the healthcare field of the personal responsibility for protecting PHI.
Although the patient privacy rule under HIPAA does not restrict the internal use of health information by the staff for treatment, payment, and operation of the healthcare facilities, you should make every effort to protect your patients’ privacy and always follow the privacy policy of the practice.
14 Ibid.
15 Press release, United States Attorney’s Office, Western District of Washington, August 19, 2004.
CIVIL AND CRIMINAL PENALTIES
The OCR within HHS oversees and enforces the Privacy Rule, while CMS oversees and enforces all other Administrative Simplification requirements, including the Security Rule.
“Congress provided civil and criminal penalties for covered entities that misuse personal health information. For civil violations of the standards, OCR may impose monetary penalties up to $100 per violation, up to $25,000 per year, for each requirement or prohibition violated. Criminal penalties apply for certain actions such as knowingly obtaining protected health information in violation of the law. Criminal penalties can range up to $50,000 and one year in prison for certain offenses; up to $100,000 and up to five years in prison if the offenses are committed under “false pretenses”; and up to $250,000 and up to 10 years in prison if the offenses are committed with the intent to sell, transfer or use protected health information for commercial advantage, personal gain or malicious harm.”16
HIPAA Security Rule
To fully comply with the Privacy Rule, it is necessary to understand and implement the requirements of the Security Rule. In this section you will learn about the Security Rule.
There are clearly areas in which the two rules supplement each other because both the HIPAA Privacy and Security Rules are designed to protect identifiable health information. However, the Privacy Rule covers PHI in all forms of communications, whereas the Security Rule covers only electronic information. Because of this difference, security discussions are assumed to be about the protection of electronic health records, but the Security Rule actually covers all PHI that is stored electronically. This is called EPHI.
PHI—EPHI
The Security Rule applies only to EPHI, whereas the Privacy Rule applies to PHI that may be in electronic, oral, or paper form.
If you are interested in becoming an IT professional, especially if you will work in the computer network or operations aspects of an HIS department, you will be involved in or responsible for many of the aspects of security discussed here. However, whether you work in HIM or IT, it is important that you participate in the security training and follow the security policy and procedures of your healthcare organization.
THE PRIVACY RULE AND SECURITY RULE COMPARED The Privacy Rule sets the standards for, among other things, who may have access to PHI, while the Security Rule sets the standards for ensuring that only those who should have access to EPHI will actually have access. The primary distinctions between the two rules follow:
• Electronic versus oral and paper: The Privacy Rule applies to all forms of patients’ protected health information, whether electronic, written, or oral. In contrast, the Security Rule covers only protected health information that is in electronic form. This includes EPHI that is created, received, maintained or transmitted.
• “Safeguard” requirement in Privacy Rule: While the Privacy Rule contains provisions that currently require covered entities to adopt certain safeguards for PHI, the Security Rule provides for far more comprehensive security requirements and includes a level of detail not provided in the safeguard section of the Privacy Rule.
• HHS regulates and enforces HIPAA using two different divisions for enforcement. OCR or Office of Civil Rights enforces the Privacy Rule while CMS enforces the Security Rule.
16 Fact Sheet: Protecting the Privacy of Patients’ Health Information (Washington, DC: U.S. Department of Health and Human Services Press Office, April 14, 2003).
Security Standards
The security standards in HIPAA were developed for two primary purposes. First, and foremost, the implementation of appropriate security safeguards protects certain electronic healthcare information that may be at risk. Second, protecting an individual’s health information, while permitting the appropriate access and use of that information, ultimately promotes the use of electronic health information in the industry—an important goal of HIPAA.
“The security standards are divided into the categories of administrative, physical, and technical safeguards. Each category of the safeguards is comprised of a number of standards, which generally contain a number of implementation specifications.
• Administrative safeguards: In general, these are the administrative functions that should be implemented to meet the security standards. These include assignment or delegation of security responsibility to an individual and security training requirements.
• Physical safeguards: In general, these are the mechanisms required to protect electronic systems, equipment and the data they hold, from threats, environmental hazards and unauthorized intrusion. They include restricting access to EPHI and retaining off-site computer backups.
• Technical safeguards: In general, these are primarily the automated processes used to protect data and control access to data. They include using authentication controls to verify that the person signing onto a computer is authorized to access that EPHI, or encrypting and decrypting data as it is being stored and/or transmitted.
“In addition to the safeguards [listed above], the Security Rule also contains several standards and implementation specifications that address organizational requirements, as well as policies and procedures and documentation requirements.”17
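The technical safeguards above are described in terms of automated processes that protect data, and the Security Rule matrix later in this chapter lists a “mechanism to authenticate electronic protected health information” under the Integrity standard. One such mechanism, shown here as an added example that is not the textbook’s own code nor any vendor’s, is a keyed hash: each record is stored with an HMAC tag computed under a key the storage layer does not hold, so a record edited directly in the database, or a tag forged without the key, fails verification when it is read back. The patient record, the key handling and the function names (`seal`, `verify`, `read_record`) are constructed for illustration; the example covers integrity only and does not stand in for the separate encryption specification.

```python
import hashlib
import hmac
import json
import secrets

# Constructed key for this example. In a real system the integrity key
# lives in a key store or HSM and is never embedded in source.
INTEGRITY_KEY = secrets.token_bytes(32)


def canonical(record: dict) -> bytes:
    """Serialize a record deterministically so equal content yields equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Produce the stored form: the record plus an HMAC-SHA256 tag over its canonical bytes.

    Someone who can write to the store but lacks the key cannot produce a valid
    tag, so an alteration is detected the next time the record is read.
    """
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(stored: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag and compare in constant time; False means the record was altered."""
    expected = hmac.new(key, canonical(stored["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, stored["tag"])


def read_record(stored: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return the record only if its tag verifies; refuse to serve altered EPHI."""
    if not verify(stored, key):
        raise ValueError("integrity check failed: record altered or tag forged")
    return stored["record"]


def demo() -> dict:
    """Seal a constructed chart entry, then show that a silent edit is caught."""
    chart = {"patient_id": "P-001", "allergies": ["penicillin"], "hematocrit": "41%"}
    stored = seal(chart)
    intact = verify(stored)
    # Simulate an unauthorized change made directly in the data store: the
    # allergy list is emptied but the old tag is left in place.
    altered = {"record": dict(stored["record"], allergies=[]), "tag": stored["tag"]}
    try:
        read_record(altered)
        served_altered = True
    except ValueError:
        served_altered = False
    return {"intact": intact, "altered_detected": not verify(altered),
            "served_altered": served_altered}


if __name__ == "__main__":
    print(demo())
```

The canonical serialization step matters: if the same record could serialize two ways (different key order, different whitespace), legitimate reads would fail verification and staff would learn to ignore the alarm. Keeping the key out of the application tier that writes records is what gives the tag its value; an attacker who holds both the data and the key can re-sign anything.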
Implementation Specifications
An implementation specification is an additional detailed instruction for implementing a particular standard. Implementation requirements and features within the categories were listed in the Security Rule by alphabetical order to convey that no one item was considered to be more important than another.
Implementation specifications in the Security Rule are either “required” or “addressable.” Addressable does not mean optional.
To help you understand the organization of safeguards, security standards, and implementation specifications, a matrix of the HIPAA Security Rule is provided in Figure 3-6. The matrix is a part of the official rule and published as an appendix to the rule. You may wish to refer to Figure 3-6 as we discuss each of the following sections.
17 Adapted from Security 101 for Covered Entities, HIPAA Security Series (Baltimore, MD: Centers for Medicare and Medicaid Services, November 2004 and revised March 2007).
FIGURE 3-6 HIPAA’s Security Standards matrix.18
Security Standards Matrix
Each standard is listed with its section of the rule; its implementation specifications follow, each marked Required or Addressable. A standard with no separate implementation specification is marked Required itself.

Administrative Safeguards
Security Management Process, § 164.308(a)(1)
  Risk Analysis: Required
  Risk Management: Required
  Sanction Policy: Required
  Information System Activity Review: Required
Assigned Security Responsibility, § 164.308(a)(2): Required
Workforce Security, § 164.308(a)(3)
  Authorization and/or Supervision: Addressable
  Workforce Clearance Procedure: Addressable
  Termination Procedures: Addressable
Information Access Management, § 164.308(a)(4)
  Isolating Health Care Clearinghouse Function: Required
  Access Authorization: Addressable
  Access Establishment and Modification: Addressable
Security Awareness and Training, § 164.308(a)(5)
  Security Reminders: Addressable
  Protection from Malicious Software: Addressable
  Log-In Monitoring: Addressable
  Password Management: Addressable
Security Incident Procedures, § 164.308(a)(6)
  Response and Reporting: Required
Contingency Plan, § 164.308(a)(7)
  Data Backup Plan: Required
  Disaster Recovery Plan: Required
  Emergency Mode Operation Plan: Required
  Testing and Revision Procedure: Addressable
  Applications and Data Criticality Analysis: Addressable
Evaluation, § 164.308(a)(8): Required
Business Associate Contracts and Other Arrangement, § 164.308(b)(1)
  Written Contract or Other Arrangement: Required

Physical Safeguards
Facility Access Controls, § 164.310(a)(1)
  Contingency Operations: Addressable
  Facility Security Plan: Addressable
  Access Control and Validation Procedures: Addressable
  Maintenance Records: Addressable
Workstation Use, § 164.310(b): Required
Workstation Security, § 164.310(c): Required
Device and Media Controls, § 164.310(d)(1)
  Disposal: Required
  Media Re-use: Required
  Accountability: Addressable
  Data Backup and Storage: Addressable

Technical Safeguards
Access Control, § 164.312(a)(1)
  Unique User Identification: Required
  Emergency Access Procedure: Required
  Automatic Logoff: Addressable
  Encryption and Decryption: Addressable
Audit Controls, § 164.312(b): Required
Integrity, § 164.312(c)(1)
  Mechanism to Authenticate Electronic Protected Health Information: Addressable
Person or Entity Authentication, § 164.312(d): Required
Transmission Security, § 164.312(e)(1)
  Integrity Controls: Addressable
  Encryption: Addressable

Administrative Safeguards19
The name Security Rule sounds like it would be mostly technical, but the largest category of the rule is administrative safeguards. The administrative safeguards comprise more than half of the HIPAA security requirements.
Administrative safeguards are the policies, procedures, and actions required to manage the implementation and maintenance of security measures to protect EPHI. We discuss each standard in the following sections.
18 Security Standards: Administrative Safeguards, HIPAA Security Series #2 (Baltimore, MD: Centers for Medicare and Medicaid Services, May 2005 and revised March 2007), 27–29.
19 Adapted from Security Standards: Administrative Safeguards, HIPAA Security Series #2 (Baltimore, MD: Centers for Medicare and Medicaid Services, May 2005 and revised March 2007).
SECURITY MANAGEMENT PROCESS The Security Management Process standard is the first step. It is used to establish the administrative processes and procedures. There are four implementation specifications in the Security Management Process standard:
1. Risk Analysis
Identify potential security risks and determine how likely they are to occur and how serious they would be.
2. Risk Management
Make decisions about how to address security risks and vulnerabilities. The risk analysis
and risk management decisions are used to develop a strategy to protect the confidentiality,
integrity, and availability of EPHI.
3. Sanction Policy
Define for employees what the consequences of failing to comply with security policies
and procedures are.
4. Information System Activity Review
Regularly review records such as audit logs, access reports, and security incident tracking
reports. The information system activity review helps to determine if any EPHI has been
used or disclosed in an inappropriate manner.
ASSIGNED SECURITY RESPONSIBILITY Similar to the Privacy Rule, which requires an individual
be designated as the privacy official, the Security Rule requires one individual be designated the
security official. The security official and privacy official can be the same person, but do not have
to be. The security official has overall responsibility for security; however, specific security
responsibilities may be assigned to other individuals. For example, the security official might
designate the IT Director to be responsible for network security. Figure 3-7 shows a staff meeting
at which security policy is being reviewed.
WORKFORCE SECURITY Within the Workforce Security standard there are three addressable
implementation specifications:
1. Authorization and/or Supervision
Authorization is the process of determining whether a particular user (or a computer system)
has the right to carry out a certain activity, such as reading a file or running a program.
2. Workforce Clearance Procedure
Ensure that members of the workforce with authorized access to EPHI receive appropriate
clearances.
3. Termination Procedures
Procedures must be in place to remove access privileges as soon as an employee, contractor,
or other individual leaves the organization.
FIGURE 3-7 Office staff review security policy and appoint a security official.
INFORMATION ACCESS MANAGEMENT Restricting access to only those persons and entities
with a need for access is a basic tenet of security. By managing information access, the risk of
inappropriate disclosure, alteration, or destruction of EPHI is minimized. Note: This safeguard
supports the “minimum necessary standard” of the HIPAA Privacy Rule.
The Information Access Management standard has three implementation specifications:
1. Access Authorization
In the Workforce Security standard (see preceding section) the healthcare organization
determined who has access. This section requires the organization to identify who has
authority to grant that access and the process for doing so.
2. Access Establishment and Modification
Once a covered entity has clearly defined who should be allowed access to what EPHI and
under what circumstances, it must consider how access is established and modified.
3. Isolating Healthcare Clearinghouse Functions
A clearinghouse is a unique HIPAA-covered entity whose function is to translate nonstandard
transactions into HIPAA standards. In the very rare case that your healthcare organization
also operates a clearinghouse, the rule requires the isolation of clearinghouse computers
from other systems in the organization.
SECURITY AWARENESS AND TRAINING Regardless of the administrative safeguards an
organization implements, those safeguards will not protect the EPHI if the workforce is unaware
of them. Many security risks and vulnerabilities within an organization are internal. This is why
security awareness and training for all new and existing members of the workforce is required by
this standard. In addition, periodic retraining should be given whenever changes at the facility
could affect the security of EPHI. An employee is being trained in Figure 3-8.
The Security Awareness and Training standard has four implementation specifications:
1. Security Reminders
Security reminders might include notices in printed or electronic form, agenda items and
specific discussion topics at monthly meetings, and focused reminders posted in affected
areas, as well as formal retraining on security policies and procedures.
FIGURE 3-8 Training a new employee on Security Policy and Procedures.
2. Protection from Malicious Software
One important security measure that employees need to be reminded of is that malicious
software is frequently brought into an organization through e-mail attachments and programs that are downloaded from the Internet. As a result of an unauthorized infiltration,
EPHI and other data can be damaged or destroyed, or at a minimum, require expensive
and time-consuming repairs.
3. Log-in Monitoring
Security awareness and training should also address how users log onto systems and how
they are supposed to manage their passwords. Typically, an inappropriate or attempted log-in
is when someone enters multiple combinations of user names and/or passwords to attempt to
access an information system. Fortunately, many information systems can be set to identify
multiple unsuccessful attempts to log in. Other systems might record the attempts in a log or
audit trail. Still other systems might disable a password after a specified number of unsuccessful
log-in attempts.
4. Password Management
In addition to providing a password for access, employees must be trained on how to
safeguard it. Establish guidelines for creating passwords and changing them periodically.
SECURITY INCIDENT PROCEDURES Security incident procedures address how to identify
security incidents and require that the incident be reported to the appropriate person or persons.
Examples of possible incidents include:
• Stolen or otherwise inappropriately obtained passwords that are used to access EPHI
• Corrupted backup tapes that do not allow restoration of EPHI
• Virus attacks that interfere with the operations of computers containing EPHI
• Physical break-ins leading to the theft of media with EPHI on it
• Failure to terminate the account of a former employee that is then used by an unauthorized
user to access information systems with EPHI
• Providing media with EPHI, such as a PC hard drive or laptop, to another user who is not
authorized to access the EPHI.
There is one required implementation specification for this standard.
1. Response and Reporting
Establish adequate response and reporting procedures for these and other types of
events.
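As an added example (not from the textbook), the Information System Activity Review and Log-in Monitoring described above, run over a constructed audit trail: it flags the burst of unsuccessful log-ins that should trigger a lockout, a successful log-in on an account that should already be disabled, and any use of an account belonging to a terminated workforce member, which is one of the incidents listed. The log format, user names and thresholds are assumptions.

```python
"""Information System Activity Review over an EPHI system audit trail.

Added example, not from the textbook. The log format, user names and
thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit trail: "<ISO timestamp> <user> <event> [<detail>]"
SAMPLE_AUDIT_LOG = """\
2009-08-04T08:01:10 jsmith LOGIN_OK
2009-08-04T08:02:30 jsmith VIEW_RECORD patient=12345
2009-08-04T08:15:00 rjones LOGIN_FAIL
2009-08-04T08:15:12 rjones LOGIN_FAIL
2009-08-04T08:15:25 rjones LOGIN_FAIL
2009-08-04T08:15:40 rjones LOGIN_FAIL
2009-08-04T08:15:55 rjones LOGIN_FAIL
2009-08-04T08:16:10 rjones LOGIN_OK
2009-08-04T09:30:00 mformer LOGIN_OK
2009-08-04T09:31:05 mformer VIEW_RECORD patient=67890
2009-08-04T10:00:00 kdoe LOGIN_FAIL
2009-08-04T11:00:00 kdoe LOGIN_OK
2009-08-04T11:05:00 kdoe LOGOUT
"""

# Constructed: accounts the Termination Procedures should already have disabled.
TERMINATED_USERS = {"mformer"}

MAX_FAILURES = 5                        # lockout threshold (assumed policy value)
FAILURE_WINDOW = timedelta(minutes=10)  # failures older than this are forgotten


def parse_audit_log(text):
    """Parse the constructed log format into (timestamp, user, event, detail) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(maxsplit=3)
        timestamp = datetime.fromisoformat(parts[0])
        detail = parts[3] if len(parts) > 3 else ""
        events.append((timestamp, parts[1], parts[2], detail))
    return sorted(events)


def review_activity(events, terminated_users, max_failures=MAX_FAILURES,
                    window=FAILURE_WINDOW):
    """Return (finding, user, timestamp) tuples for activity that needs follow-up.

    ACCOUNT_LOCKOUT          max_failures unsuccessful log-ins inside `window`
    SUCCESS_AFTER_LOCKOUT    a successful log-in on an account that should be
                             disabled: lockout not enforced, or a guessed or
                             stolen password (an incident to report)
    TERMINATED_ACCOUNT_USED  any activity by an account that should no longer exist
    """
    findings = []
    recent_failures = defaultdict(list)  # user -> timestamps of recent LOGIN_FAIL
    locked = set()
    for timestamp, user, event, _detail in events:
        if user in terminated_users and event != "LOGIN_FAIL":
            findings.append(("TERMINATED_ACCOUNT_USED", user, timestamp))
        if event == "LOGIN_FAIL":
            fails = [t for t in recent_failures[user] if timestamp - t <= window]
            fails.append(timestamp)
            recent_failures[user] = fails
            if len(fails) >= max_failures and user not in locked:
                locked.add(user)
                findings.append(("ACCOUNT_LOCKOUT", user, timestamp))
        elif event == "LOGIN_OK":
            if user in locked:
                findings.append(("SUCCESS_AFTER_LOCKOUT", user, timestamp))
            recent_failures[user] = []  # a good log-in resets the failure count
    return findings


def run_review():
    """Review the constructed sample log with the constructed terminated-user list."""
    return review_activity(parse_audit_log(SAMPLE_AUDIT_LOG), TERMINATED_USERS)


if __name__ == "__main__":
    for finding, user, timestamp in run_review():
        print(f"{timestamp:%Y-%m-%d %H:%M:%S}  {finding:<24} {user}")
```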
CONTINGENCY PLAN What happens if your organization experiences a power outage, a natural
disaster, or other emergency that disrupts normal access to healthcare information? A contingency
plan consists of strategies for recovering access to EPHI should the organization experience a
disruption of critical business operations. The goal is to ensure that EPHI is available when it is
needed.
The Contingency Plan standard includes five implementation specifications:
1. Data Backup Plan
Data backup plans are an important safeguard and a required implementation specification.
Most organizations already have backup procedures as part of current business practices.
2. Disaster Recovery Plan
These are procedures to restore any loss of data.
3. Emergency Mode Operation Plan
When operating in emergency mode due to a technical failure or power outage, security
processes to protect EPHI must be maintained.
4. Testing and Revision Procedure
Periodically test and revise contingency plans.
A REAL-LIFE STORY
Contingency Plans Ensure Continued Ability to Deliver Care
By Tanya Townsend
Tanya Townsend is the director of information technology at Saint Clare’s Hospital
in Schofield, Wisconsin.
Saint Clare’s is a new hospital that opened in 2005. We use all-digital health records; that is, there are no paper patient records,
charts, or orders. As I talk to other hospitals and IT professionals
about our accomplishments one question I am frequently asked is
“What are your contingency plans in case of a power or system
failure?”
Much of our plan is designed to avoid an outage in the first
place. We have several redundancies in place to prevent that. For
example, we have two WAN (wide-area network) connections;
completely separate links going out different sides of the building
to our core data center. The idea is that if one of those lines were
to become disconnected for any reason, the other would seamlessly continue to function. In actual capacity they are balanced to
make sure that can be accomplished. We also have redundancies
on the local-area network with wireless access points. As mobile
as we are, we are very dependent on wireless.
For data protection we have multiple data centers. On the
hospital side we have two different data centers that are redundant. On the ambulatory side there are three. In addition to these
data centers, we also back up all the data real-time to another
off-site location in Madison, which is a couple of hours away.
Should we lose connectivity because both links are down we
have a satellite antenna on the roof that can access the backup
data in Madison. So as long as you can still power up your computer,
you can get to the historical information. Electrical power
can be supplied by an emergency generator that is designed to
come online automatically in the event of a power loss.
Should the systems ever be completely down, we still need to
take care of patients. In that event we have downtime procedures
for utilizing paper forms that would allow us to continue to function.
The necessary forms can be printed on demand but we have some
preprinted copies on hand in case a power loss prevented us from
printing. Once the system again becomes available, we have a policy
and process for incorporating that paper documentation back into
the system so we are not forced to carry that paper record forward.
The other area where we have built redundancy is our voice
communications. We are using Voice-over-IP technology for our
telecommunications, so a power or network outage would mean
our phones wouldn’t work either. We plan for that by having cell
phones and radios available. We also have certain phones that
use traditional phone lines so we can continue to communicate.
We do a practice run, a mock downtime situation twice a year.
One time is just simulated, but for the second one we actually take
the systems down to make sure that we know how we are going
to function. We also have planned outages, where we need to take
the system down because we are upgrading it or doing maintenance on it. We continue to strive to keep those outages as brief as
possible, but in those events we go to our downtime procedures
and we continuously learn and improve on these.
5. Application and Data Criticality Analysis
Analyze software applications that store, maintain, or transmit EPHI and determine how
important each is to patient care or business needs. A prioritized list of specific applications
and data will help determine which applications or information systems get restored first
and/or which must be available at all times.
EVALUATION Ongoing evaluation of security measures is the best way to ensure that all EPHI
is adequately protected. Periodically evaluate strategy and systems to ensure that the security
requirements continue to meet the organization’s operating environments.
BUSINESS ASSOCIATE CONTRACTS AND OTHER ARRANGEMENTS The Business Associate
Contracts and Other Arrangements standard is comparable to the Business Associate Contract
standard in the Privacy Rule, but is specific to business associates that create, receive, maintain,
or transmit EPHI. The standard has one implementation specification:
1. Written Contract or Other Arrangement
Covered entities should have a written agreement with business associates ensuring the
security of EPHI. Government agencies that exchange EPHI should have a memorandum
of understanding in place.
FIGURE 3-9 Review facility security and emergency contingency plans periodically.
Physical Safeguards²⁰
The Security Rule defines physical safeguards as “physical measures, policies, and procedures to
protect a covered entity’s electronic information systems and related buildings and equipment,
from natural and environmental hazards, and unauthorized intrusion.”
FACILITY ACCESS CONTROLS The Facility Access Controls standard deals with policies and
procedures that limit physical access to electronic information systems and the facility or
facilities in which they are housed. Facility access controls, like all security measures, should be
reviewed periodically (Figure 3-9). There are four implementation specifications:
1. Access Control and Validation Procedures
Access control and validation procedures determine which persons should have access to
certain locations within the facility based on their roles or functions.
2. Contingency Operations
Contingency operations refer to physical security measures to be used in the event of the
activation of contingency plans.
3. Facility Security Plan
The facility security plan defines and documents the safeguards used to protect the facility
or facilities. In addition, all staff or employees must know their roles in facility security.
Some examples of facility safeguards include:
• Locked doors, signs warning of restricted areas, surveillance cameras, alarms
• Property controls such as property control tags and engravings on equipment
• Personnel controls such as identification badges, visitor badges, and/or escorts for
large offices
• Private security service or patrol for the facility.
²⁰ Adapted from Security Standards: Physical Safeguards, HIPAA Security Series #3 (Baltimore, MD: Centers
for Medicare and Medicaid Services, February 2005 and revised March 2007).
4. Maintenance Records
Document facility security repairs and modifications such as changing locks, making routine maintenance checks, or installing new security devices.
WORKSTATION USE Inappropriate use of computer workstations can expose your organization to
risks, such as virus attacks, compromise of information systems, and breaches of confidentiality.
The organization should specify the functions that are proper on HIS workstations. The
workstation use policies also apply to workforce members who work off-site using workstations
that can access EPHI. This includes employees who work from home, in satellite offices, or in
another facility.
WORKSTATION SECURITY While the Workstation Use standard addresses the policies and
procedures for how workstations should be used and protected, the Workstation Security
standard addresses how workstations are to be physically protected from unauthorized users.
DEVICE AND MEDIA CONTROLS The Device and Media Controls standard provides policies and
procedures that govern the receipt and removal of hardware and electronic media that contain
EPHI into and out of a facility, and the movement of these items within the facility.
The Device and Media Controls standard has four implementation specifications:
1. Disposal
When disposing of any electronic media that contains EPHI, make sure it is unusable
and/or inaccessible.
2. Media Re-use
Instead of disposing of electronic media, the IT department may want to reuse it. The
EPHI must be removed before the media can be reused.
3. Accountability
When hardware and media containing EPHI are moved from one location to another, a
record should be maintained of the move. Portable computers and media present a special
challenge. Portable technology is getting smaller, less expensive, and has an increased
capacity to store large quantities of data, making accountability even more important and
challenging.
4. Data Backup and Storage
This specification protects the availability of EPHI and is similar to the data backup plan
detailed in the Contingency Plan administrative standard.
Technical Safeguards²¹
The Security Rule defines technical safeguards as “the technology and the policy and procedures
for its use that protect electronic protected health information and control access to it.”
Because security technologies are likely to evolve faster than legislative rules, specific
technologies are not designated by the Security Rule. Where the CMS guidance documents
provide examples of security measures and technical solutions to illustrate the standards and
implementation specifications, these are just examples. The Security Rule is technology neutral;
healthcare organizations have the flexibility to use any solutions that help them meet the
requirements of the rule.
ACCESS CONTROL The Access Control standard outlines the procedures for limiting access to
only those persons or software programs that have been granted access rights by the Information
Access Management administrative standard (discussed earlier). Figure 3-10 shows one of the
most common methods of access control.
²¹ Adapted from Security Standards: Technical Safeguards, HIPAA Security Series #4 (Baltimore, MD: Centers
for Medicare and Medicaid Services, May 2005 and revised March 2007).
FIGURE 3-10 A clinician logs on to Allscripts Enterprise using a Unique User ID and Secure Password. (Courtesy of Allscripts, LLC.)
Four implementation specifications are associated with the Access Controls standard:
1. Unique User Identification
The Unique User Identification specification provides a way to identify a specific user, typically by name and/or number. This allows the organization to track specific user activity
and to hold users accountable for functions performed when logged into those systems.
2. Emergency Access Procedure
Emergency access procedures are documented instructions and operational practices for
obtaining access to necessary EPHI during an emergency situation. Under emergency
conditions access controls may be very different from those used in normal operational
circumstances.
3. Automatic Logoff
As a general practice, users should log off the system they are working on when their
workstation is unattended. However, there will be times when workers may not have the
time, or will not remember, to log off of a workstation. Automatic logoff is an effective
way to prevent unauthorized users from accessing EPHI on a workstation when it is left
unattended for a period of time.
Many applications have configuration settings for automatic logoff. After a predetermined
period of inactivity, the application will automatically log off the user. As an example, your
own computer may set up to go back to its log-in screen when you leave it unattended for too
long. Though the operating system is not actually closing your applications, the concept is
similar in that no one can see what was previously on your screen until you log in again.
4. Encryption and Decryption
Encryption is a method of converting regular text into code. The original message is
encrypted by means of a mathematical formula called an algorithm. The receiving party uses
a key to convert (decrypt) the coded message back into plain text. Encryption is part of access
control because it prevents someone without the key from viewing or using the information.
AUDIT CONTROLS Audit controls are “hardware, software, and/or procedural mechanisms that
record and examine activity in information systems.” Most information systems provide some
level of audit controls and audit reports. These are useful, especially when determining if a
security violation occurred. This standard has no implementation specifications.
INTEGRITY Protecting the integrity of EPHI is a primary goal of the Security Rule. EPHI that is
improperly altered or destroyed can result in clinical quality problems, including patient safety
issues. The integrity of data can be compromised by both technical and nontechnical sources.
There is one addressable implementation specification in the Integrity standard.
1. Mechanism to Authenticate Electronic Protected Health Information
Once risks to the integrity of EPHI data have been identified during the risk analysis,
security measures are put in place to reduce the risks.
PERSON OR ENTITY AUTHENTICATION This standard requires “procedures to verify that a person
or entity seeking access to electronic protected health information is the one claimed.” It has no
implementation specifications.
Some examples of ways to provide proof of identity for authentication include the following:
• Require something known only to that individual, such as a password or PIN.
• Require something that individuals possess, such as a smart card, a token, or a key. An example of a
smart card is shown in Figure 3-11.
• Require something unique to the individual such as a biometric. Examples of biometrics include
fingerprints, voice patterns, facial patterns, or iris patterns.
Most covered entities use one of the first two methods of authentication. Many small provider offices rely on
a password or PIN to authenticate the user.
TRANSMISSION SECURITY Transmission Security is the “measures used to guard against unauthorized access to
electronic protected health information that is being transmitted.” The Security Rule allows for EPHI to be sent
over an electronic open network as long as it is adequately protected. This standard has two implementation
specifications:
1. Integrity Controls
Protecting the integrity of EPHI in this context is focused on making sure that the EPHI
is not improperly modified during transmission. A primary method for protecting the
integrity of EPHI being transmitted is through the use of network communications
protocols. Using these protocols, the computer verifies that the data sent is the same as
the data received.
FIGURE 3-11 A staff ID card that uses Smart Card Technology. (Courtesy of Digital Identification Solutions, LLC.)
2. Encryption
As previously described in the Access Control standard, encryption is a method of converting an original message of regular text into encoded or unreadable text that is eventually
decrypted into plain comprehensible text.
Encryption is necessary for transmitting EPHI over the Internet. Various types of
encryption technology are available, but for encryption technologies to work properly,
both the sender and receiver must be using the same or compatible technology. Currently
no single interoperable encryption solution for communicating over open networks
exists.
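As an added example (not from the textbook), one way the receiving computer can verify that the data received is the data sent, as the Integrity Controls specification describes: the sender attaches an HMAC-SHA256 tag computed with a shared key, and the receiver recomputes and compares the tag, rejecting any message altered in transit. The record fields, the key and the wire format are assumptions; a keyed MAC gives integrity and origin authentication only, so the Encryption specification just described still applies for confidentiality.

```python
"""Integrity control for EPHI in transit: keyed message authentication.

Added example, not from the textbook. The record fields, the shared key and
the wire format are constructed; in practice a protocol such as TLS provides
both this integrity check and the encryption the Transmission Security
standard also calls for.
"""
import hashlib
import hmac
import json

# Constructed shared key; a real deployment exchanges it out of band or
# derives it inside the transport protocol, never hard-codes it.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f"
                           "101112131415161718191a1b1c1d1e1f")

# Constructed EPHI record that one system is sending to another.
SAMPLE_RECORD = {
    "patient_id": "12345",
    "test": "potassium",
    "value": "4.1",
    "units": "mmol/L",
}


def seal(record, key):
    """Sender side: serialize the record and append an HMAC-SHA256 tag.

    sort_keys and compact separators make the serialization canonical, so
    both ends hash exactly the same bytes.
    """
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag


def open_sealed(wire, key):
    """Receiver side: recompute the tag and refuse anything that does not match.

    compare_digest runs in constant time so timing does not leak how many
    tag bytes matched. Returns the record, or raises ValueError.
    """
    payload, sep, tag = wire.rpartition(b".")  # the hex tag itself has no "."
    if not sep:
        raise ValueError("malformed message: no integrity tag")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: data received is not the data sent")
    return json.loads(payload)


def transmission_is_intact(wire, key):
    """True if the message verifies, False if it was modified or mis-keyed."""
    try:
        open_sealed(wire, key)
        return True
    except ValueError:
        return False


def demo():
    """Send the sample record, then show that a one-character change is caught."""
    wire = seal(SAMPLE_RECORD, SHARED_KEY)
    intact = transmission_is_intact(wire, SHARED_KEY)
    # Simulate corruption or tampering in transit: the lab value 4.1 becomes 7.1.
    altered = wire.replace(b'"value":"4.1"', b'"value":"7.1"')
    tampered_detected = not transmission_is_intact(altered, SHARED_KEY)
    wrong_key_detected = not transmission_is_intact(wire, b"not the shared key")
    return intact, tampered_detected, wrong_key_detected


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```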
Organizational, Policies and Procedures, and Documentation Requirements²²
In addition to the administrative, physical, and technical safeguards, the Security Rule also has
four other standards that must be implemented. These are not listed in the Security Standards
matrix (Figure 3-6), but must not be overlooked.
ORGANIZATIONAL REQUIREMENTS The two implementation specifications of this standard are:
1. Business Associate Contracts
If business associates create, receive, maintain, or transmit EPHI, they must be contractually required to meet the Security Rule requirements.
2. Other Arrangements
When both parties are government entities, there are two alternative arrangements:
a. A memorandum of understanding (MOU) can be developed that accomplishes the
objectives of the Business Associate Contracts section of the Security Rule.
b. A law or regulation applicable to the business associate can be applied that accomplishes
the objectives of the Business Associate Contracts section of the Security Rule.
POLICIES AND PROCEDURES This standard requires covered entities to implement security
policies and procedures, but does not define either “policy” or “procedure.” Generally, policies define
an organization’s approach. Procedures describe how the organization carries out that approach,
setting forth explicit, step-by-step instructions that implement the organization’s policies.
DOCUMENTATION The Documentation standard has three implementation specifications:
1. Time Limit
Retain the documentation required by the rule for six years from the date of its creation or
the date when it last was in effect, whichever is later.
2. Availability
Make documentation available to those persons responsible for implementing the procedures
to which the documentation pertains.
3. Updates
Review documentation periodically, and update as needed, in response to environmental or
operational changes affecting the security of the electronic protected health information.
The Security Rule also requires that a covered entity document the rationale for all security
decisions.
Chapter 3 Summary
Accreditation and Regulation
Healthcare facilities and practitioners are licensed and regulated by federal, state, and local governments. In addition,
voluntary compliance with standards set by recognized
accreditation organizations can assist in meeting government requirements.
Government regulation influences healthcare delivery
first by requiring licensure of both the facilities and their
providers and, second, by requiring them to meet certain
conditions to participate in programs such as Medicare that
reimburse them for treating patients.
The Centers for Medicare and Medicaid Services (CMS)
is an agency of the U.S. Department of Health and Human
Services (HHS).
• Medicare provides healthcare coverage for people
ages 65 and older as well as people with disabilities
and those with end-stage renal disease (kidney
failure).
²² Adapted from Security Standards: Organizational, Policies and Procedures and Documentation Requirements, HIPAA
Security Series #5 (Baltimore, MD: Centers for Medicare and Medicaid Services, May 2005 and revised March 2007).
• Medicaid provides healthcare benefits (partially paid
by the states) for people who are poor, blind, or have a
disability, for pregnant women, and for some persons
over age 65 (in addition to Medicare).
71
3. Privacy
4. Security.
HIPAA regulates health plans, clearinghouses, and healthcare providers as “covered entities” with regard to these four
areas.
HIPAA standardized EDI (electronic data interchange)
formats by requiring specific transaction standards. These
are currently used for eight types of transactions between
covered entities. This section also requires the use of standardized code sets such as HCPCS, CPT-4, and ICD-9-CM.
HIPAA also established uniform identifier standards,
which will be used on all claims and other data transmissions. These standards include:
Both programs are administrated on a state level by
intermediaries, companies that contract to handle claims
processing, payments, authorizations, and provider inquiries
for a region or a state.
In many cases, Blue Cross/Blue Shield, and commercial
health insurance plans make rules similar to those set by
CMS regarding preauthorization, payments, and coverage of
medical services.
State laws provide detailed regulations concerning the
operation of facilities, sanitation, medical and nursing staffH
requirements, and patient records. Even within the licensureI • A national provider identifier (NPI) for doctors, nurses,
and other healthcare providers
of the hospital, the state may limit what services can be
G

A federal employer identification number that is used
offered or require special licenses to operate certain departto identify employer-sponsored health insurance
ments within the facility. Local city and county governmentsG

A National Health Plan Identifier, which is a unique
may also regulate or license healthcare facilities.
S
identification number that will be assigned to each
In addition the licenses and inspections, healthcare facilinsurance plan and to the organizations that administer
ities are also required to report incidents of infectious dis-,
insurance plans, such as payers and third-party
eases, child abuse, and certain injuries such as gunshots. State
administrators.
and federal governments also require the facilities to report a
substantial amount of statistical data concerning birthS Privacy and Security of Patient Records
defects, cancer tumors, and the patients using the facility. H
HIPAA’s Privacy and Security Rules use two acronyms:
Participating providers and facilities are subject to inspection and audit by CMS as well as other insurance programs. Compliance with standards set by the Joint Commission, CAP, CARF, and other approved organizations can earn the facilities deemed status, meaning the accredited facility is deemed to have complied with CMS’s conditions of participation (COP).

The Joint Commission, formerly known by the acronym JCAHO, is the leading accreditation organization for acute care facilities. In addition, the Joint Commission also accredits long-term, behavioral health, and ambulatory care settings. Acute care hospitals submit statistical data quarterly to the Joint Commission as part of a quality improvement initiative.

The College of American Pathologists (CAP) provides accreditation of medical laboratories as part of the organization’s commitment to excellence in medical testing.

The Commission on Accreditation of Rehabilitation Facilities (CARF) provides accreditation for organizations offering behavioral health, physical, and occupational rehabilitation services as well as assisted living, continuing care, community services, employment services, and others.

HIPAA

The Health Insurance Portability and Accountability Act, or HIPAA, was passed in 1996. The Administrative Simplification Subsection (Title 2, subsection f) (hereafter just called HIPAA) has four distinct components:

1. Transactions and Code Sets
2. Uniform Identifiers

• PHI, which stands for protected health information
• EPHI, which stands for protected health information in an electronic format.

The HIPAA privacy standards are designed to protect a patient’s identifiable health information from unauthorized disclosure or use in any form, while permitting the practice to deliver the best healthcare possible. Privacy activities in the average medical office might include:

• Providing a copy of the office privacy policy informing patients about their privacy rights and how their information can be used.
• Asking the patient to acknowledge receiving a copy of the policy and/or signing a consent form.
• Obtaining signed authorization forms and in some cases tracking the disclosures of patient health information when it is to be given to a person or organization outside the practice for purposes other than treatment, billing, or payment purposes.
• Adopting clear privacy procedures.
• Training employees so that they understand the privacy procedures.
• Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.
• Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them.
Health Information Technology and Management, First Edition, by Richard Gartee. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.

Providing the patient with a copy of the privacy policy implies consent for the practice to use PHI for almost anything related to treating the patient, running the medical practice, and getting paid for services. However, HIPAA consent is not the same as medical consent for treatment.
HIPAA authorization differs from HIPAA consent in that it does require the patient’s permission to disclose PHI. Examples of instances that would require an authorization include sending the results of an employment physical to an employer and sending immunization records or the results of an athletic physical to the school.

The authorization form must include the date signed, an expiration date, to whom the information may be disclosed, what is permitted to be disclosed, and for what purpose the information may be used. The authorization must be signed by the patient or a representative appointed by the patient. Unlike the open concept of consent, authorizations are not global. A new authorization is signed each time there is a different purpose or need for the patient’s information to be disclosed.
Practices are permitted to disclose PHI without a patient’s authorization or consent when it is requested by an authorized government agency. Generally such requests are for legal purposes (law enforcement, subpoena, court orders, etc.), for public health purposes, or for enforcement of the Privacy Rule itself. Providers are also permitted to disclose PHI concerning on-the-job injuries to workers’ compensation insurers, state administrators, and other entities to the extent required by state law.

Whether the practice has disclosed PHI based on a signed authorization or to comply with a government agency, the patient is entitled to know about it. The Privacy Rule gives individuals the right to receive a report of all disclosures m…