Certified Hipaa Professional Chp

Health Insurance Portability and Accountability Act

August 21, 1996

The Kennedy-Kassembaum Bill

1) Improve Insurance portability and continuity, 2) Combat healthcare waste, fraud, and abuse, 3) Promote medical savings accounts, 4)Improve access to long-term care, 5) Simplify the administration of health insurance

1)Transactions and Code Sets, 2) Identifiers, 3) Privacy, 4) Security

Electronic Data Interchange

American Recovery & Retirement Act of 2009

HITECH

Health Information Technology for Economic and Clinical Health Act

March 26, 2013 / they had 180 days to become compliant September 23, 2013

Genetic Information Nondiscrimination Act of 2008 (GINA)

Patient Safety Organizations (Treated as Business Associates)

Health Information Organizations (Treated as Business Associates) i.e.... ePrescribing Gateways

Health Information Exchanges

Regional Health Information Organizations

Payers, Providers, Clearinghouses, Business Associates & their Subcontractors (final rule)

Business Associate a person or organization that performs a function or activity on behalf of a covered entity, but is not part of the covered entity itself.

Centers For Medicare and Medicaid Services (Formally known as HCFA) The division of health and human services responsible for health care. CMS is responsible for Medicare and parts of Medicaid. CMS maintains specifications for various certifications for various certifications and authorizations used by the Medicare and Medicaid programs. CMS also maintains various code sets.

(Formally known as HCFA) The division of health and human services responsible for health care. CMS is responsible for Medicare and parts of Medicaid. CMS maintains specifications for various certifications for various certifications and authorizations used by the Medicare and Medicaid programs. CMS also maintains various code sets.

An amendment to Title 1 of HIPAA that gives employees the right to continue health coverage as a private payer for a limited period of time once they leave a job.

A health plan, A healthcare clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction, Healthcare Provider

Are they performing a function for a CE (Covered Entity) or on their behalf (Yes), Are they a member of our workforce (No), Do they have access to PHI (Yes) --- Yes, No, Yes = BA

Health Information Exchanges (HIE) & Regional HIE's (RHIE), ePrescription Gateways, Patient Safety Organizations (PSO), All their subcontractors

BA must use PHI only for the purpose for which it was shared, Assume responsibility to safeguard PHI from misuse, Provide individuals with access to their Health Information, Notify the CE if there is a breach, Assess each risk and mitigate

The electronic exchange of information between computers, especially the exchange of health information among physicians and insurance companies.

The portion of the HIPAA law concerned with health insurance reform & portability. The main purpose of Title I is to ensure continuation of health coverage when employees change jobs. It also entitles people who leave a job to continue their health insurance coverage as a private payer for a limited period of time under COBRA.

The portion of the HIPAA law known as administrative simplification. Preventing healthcare fraud & abuse, administrative simplification, medical liability reform. It contains strict requirements for the uniform transfer rules of patient confidentiality.

A group of medical records. For providers, it includes medical and billing records but not other items, such as lab tests. For a health plan, the designated record set includes enrollment, payment, claim decisions, and medical management systems of the plan.

Or Electronic Health Record (EHR or EMR) Collection of health information that is immediately electronically accessible by authorized companies.

A document stating the privacy policies and procedures of a covered entity. (CE)

PHI that is stored or transmitted in electronic form.

Health Care Common Procedure Code Systems - A classification system for medical procedures, services, and supplies. It was set up to give providers a coding system that describes specific products, supplies, and services patients receive that are not in CPT.

HIPAA Electronic Health Care Transactions and Code Sets - HIPAA standards governing the electronic exchange of health information using standard formats and standard code sets

National Provider Identifier - Under HIPAA, a system for uniquely identifying all providers of health care services, supplies, and equipment.

Place of Service - Under HIPAA administrative code that indicates where medical services were provided.

Office of the Inspector General - Federal agency that investigates and prosecutes fraud against government health care programs such as Medicare.

Consolidated Omnibus Budget Reconciliation Act - An amendment to Title 1 of HIPAA that gives employees the right to continue health coverage as a private payer for a limited period of time once they leave a job.

Covered Entity

Department of Health and Human Services - The federal department that administers federal programs covering public health and welfare.

The electronic exchange of information between computers, especially the exchange of health information among physicians and insurance companies.

Group Health Plan - Medical insurance offered to employees and played for in part or in full by an employer.

Office for Civil Rights - The division of Health and Human Services responsible for enforcing the HIPAA privacy rules. Privacy is considered a civil right.

Designated Record Set - A group of medical records. For providers, it includes medical and billing records but not other items, such as lab tests. For a health plan, the designated record set includes enrollment, payment, claim decisions, and medical management systems of the plan.

Electronic Medical Records - Or Electronic Health Record (EHR or EMR) Collection of health information that is immediately electronically accessible by authorized companies.

Notice of Privacy Practices - A document stating the privacy policies and procedures of a covered entity. (CE)

Protected Health Information - The HIPAA terminology for individually identifiable health information in any medium

Treatment. Payment, and health care operations - Under HIPAA, the rule that patient's protected health information may be shared without authorization for the purposes of treatment, payment, and operations.

Current Dental Terminology - HIPAA-mandated code set for procedures performed in a dental office. (Hint Dentist)

Current Procedural Terminology - HIPAA-mandated procedural code set developed, owned, and maintained by the American Medical Association. (Hint Physician)

Applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form.

"Individually identifiable health information" held or transmitted by a covered entity in any form whether media, electronic, paper, or oral.

Define and limit the circumstances in which an individual's PHI may be used or disclosed by covered entities.

No. Need to adopt appropriate safeguards where information being shared is the minimum necessary.

Yes (state, regulation, or court orders )

PHI from which certain specified direct identifiers or individuals and their relatives, household members and employees have been removed used for research, health care operations, and public health purposes.

Improve Insurance Portability& Continuity, Combat Health Care Waste, Fraud, & Abuse, Promote Medical Savings Accounts, Improve Access to Long-Term Care, Simplify the administration of health insurance

Title 2

Access to Information, How Information is shared, Protecting Privacy

Title 2

Title 1

Computerized Physician Order Entry (e-prescribing)

Payers, Providers, Clearinghouses, BA - Business Associates & Subcontractors

Healthplans, Healthcare Clearing House, Healthcare Providers.

2/23/2010

Patient Identifiable Information

60 day's (test) - Real life "moved to 30 day's"

Original Up to $100 / Updated 2010 $25,000

$1,000 for each violation - May not exceed $100,000

$10,000 for each violation - May not exceed $250,000

Original up to $50,000 updated 2010 $1.5 Million

Up to $250,000 fine & Up to 10 years in jail

Up to $100,000 & Up to 5 years in jail

Up to $50,000 & up to 1 year in jail

Confidentiality of PHI in all formats (Paper, oral, or electronic) "All Formats"

PHI electronically captured, stored, used or transmitted. "Electronic PHI Only"

(Test) 60 day's - Actual 30 day's (Both to HHS and patients affected)

Unauthorized acquisition, access, use, or disclosure of PHI

Unintentional acquisition, access, or use of PHI (For example an office worker goes to the printer as a lab result prints for a nurse), Inadvertent disclosures by an individual who is otherwise authorized at a facility operated by an CE or BA, Situations in which the unauthorized person would not reasonably have been able to retain the info

Breaches involving less than 500 patients in the same state (Report to HHS annually)

Individually Identifiable Health Information

Receipts of $5 million or less, Group Health Plans with fewer than 50 participants, Small Health Plans were given an extra year to become HIPAA compliant

National Employer Identifier

Provider uses to check patient eligibility for coverage

Health plan provides coverage eligibility response

Provider uses to find out about existing claim

Patient coverage, eligibility, status of claims, review

Deal with enrollment and payments

Security is generally defined as having controls, countermeasures, and procedures in place to ensure "appropriate" protection of information assists & control access to valued resources

1990's collaboration between 7 countries

National Institute of Standards & Technology

Minimizing the vulnerability of assets & resources 1) Assets is anything of value - EPHI 2) Vulnerability "weakness that could be exploited" 3) threat "potential violation of security"

Confidentially, Integrity, & Availability of EPHI

1) limit access "need to know" 2) allow disclosure privileges only to users who are trained and authority to make decisions 3) install reliable authentication methods and control employee access to medical data

"Documentation = Administration"

Administrative, Physical, Technical

Data Integrity, source integrity, data has not been altered or destroyed, security backup / disaster recovery

Patients right over the use & disclosure of personal PHI When, how, and to what extent PHI is shared Access to personal PHI All forms of PHI are protected electronic, written, oral

Confidentially

Electronic data (not oral, or paper)

Administrative, Physical, and Technical ( layers)

"Required" = must do Addressable ( two options) Option 1 "reasonable and appropriate" Contributes to protecting PCI = do it Option 2 does not make sense, organization to small, to costly, exposure risk minimal - need to document why and have a plan

"training, Documentation, policies, etc

Facility access, systems, monitoring, environmental controls

Access control, passwords, identification authentication, network configuration - logical...

Even= request Odd = response

Admin, physical, technical

Address disciplinary actions - employee needs to know legal action potential and organizational repercussions

Facilities access control Workstation use Workstation security Device and Media Controls

Security Management Process Assigned Security Responsibility Workforce Security Info access management Security "awareness / training" Security incident procedures Contingency plan Evaluation Business associate agreement

Access Control Audit Control Integrity Person or entity authentication Transmission security

National Drug Code

National Health Identifier for Individuals ( not established / might never be implemented)

National Plan and Provider Enumeration System

American National Standards Institute

Header Data content Trailer

TCS - transaction code sets Identifiers Privacy rule Security rule

Washington publishing company

18 specific items and information cannot be reconstructed

International Classification of Diseases - codes matching procedures / diagnoses ICD10 much more detailed

National Council of Prescription Drug Program