
Explain the HIPAA transaction and code sets standard rules

11/11/2021 Client: muhammad11 Deadline: 2 Day

Study Guide

HIPAA Compliance

By Jacqueline K. Wilson, RHIA

Reviewed by Karen J. Fuller

About the Author

Jacqueline K. Wilson is a Registered Health Information Administrator (RHIA) with more than 13 years of experience managing, consulting, writing, and teaching in the health care industry. She’s a professional writer who has authored training manuals, study guides, and online courses, as well as articles on a variety of topics. In addition, Ms. Wilson develops curricula and teaches both traditional and online college courses in health information technology, anatomy, medical terminology, standards in health care, and other health care courses. She was previously included in the distinguished national Who’s Who Among America’s Teachers.

About the Reviewer

Karen Fuller, an RHIA and graduate in health information management, has more than 13 years of experience in the health care industry. She utilizes the knowledge and experience gained in various health care settings to write for education companies and health care corporations. Ms. Fuller works with a leading health care research and information company where she has received corporate certification in the areas of HIPAA privacy, security, and compliance.

Copyright © 2012 by Penn Foster, Inc.

All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from the copyright owner.

Requests for permission to make copies of any part of the work should be mailed to Copyright Permissions, Penn Foster, 925 Oak Street, Scranton, Pennsylvania 18515.

Printed in the United States of America

All terms mentioned in this text that are known to be trademarks or service marks have been appropriately capitalized. Use of a term in this text should not be regarded as affecting the validity of any trademark or service mark.

INSTRUCTIONS TO STUDENTS 1

LESSON ASSIGNMENTS 5

LESSON 1: UNDERSTANDING HIPAA 7

LESSON 2: IMPLEMENTING AND ENFORCING HIPAA 33

GRADED PROJECT 45

SELF-CHECK ANSWERS 51


INTRODUCTION

Welcome to your HIPAA Compliance course, which provides information that’s essential for working in today’s health care industry. This course covers the basic provisions of the Health Insurance Portability and Accountability Act (HIPAA), including what the act protects, how it affects patients and providers, and how HIPAA is enforced.

OBJECTIVES

When you complete this course, you’ll be able to

• Discuss the main purposes for the passage of the Health Insurance Portability and Accountability Act (HIPAA)

• Identify the key provisions of the HIPAA Administrative Simplification standards

• Describe the health care professionals and facilities that are covered entities under HIPAA

• Describe how health care personnel can comply with HIPAA standards

• Explain the contents of a medical record as the source of health information about patients

• Define protected health information (PHI) and electronic protected health information (ePHI)

• Discuss the required content of the HIPAA Notice of Privacy Practices (NPP)

• Explain patients’ rights regarding the use and disclosure of their PHI

• Describe HIPAA’s administrative, physical, and technical standards for the protection of ePHI

• Explain the purpose of the HIPAA Electronic Health Care Transactions and Code Set standards

• Describe several types of HIPAA transactions

• List the HIPAA standards for medical code sets

• Describe how HIPAA’s rules are enforced

• Name the governmental agencies that are responsible for HIPAA enforcement

YOUR TEXTBOOK

Your textbook, HIPAA for Allied Health Careers, by Cynthia Newby, is the heart of this course. It contains the study material on which your examinations will be based. We’ve divided the textbook material into two lessons.

It’s very important that you read the material in the textbook and study it until you’re completely familiar with it. It’s a good idea to begin by skimming the contents at the front of the book. This will give you an overview of the entire textbook.

Each chapter in your textbook opens with an outline, a list of key terms, and some case examples that illustrate real-life scenarios involving the HIPAA regulations. At the end of each chapter, you’ll find a helpful summary of the information you’ve just read. Use your chapter readings and the objectives listed above to judge your understanding of the text material before you take your examinations.

Your textbook also contains many helpful hints, compliance tips, case studies, HIPAA cautions, and Internet resources to further your understanding of the reading. There’s also a glossary, an index, and an appendix of professional resources at the back of the book.

COURSE MATERIALS

You should have received the following learning materials for this course:

• Your textbook, HIPAA for Allied Health Careers, which contains the assigned readings

• This study guide, which will help you to understand the major ideas presented in the textbook in addition to providing background information about specific topics

The study guide also includes

• Self-checks for each lesson

• Answers to the self-checks

A STUDY PLAN

In studying your assignments, be sure to read all of the instructional material in both the textbook and the study guide. Here’s a good plan to follow:

1. Note carefully the page where the assignment begins and the page where it ends. These pages are indicated in the Lesson Assignments section in this study guide.

2. Read the introduction to the assignment in the study guide.

3. Read the designated pages for that assignment in the textbook to get a general idea of their contents. Then study the assignment, paying careful attention to all details, including the compliance tips and HIPAA cautions referenced in the text.

4. When you’re comfortable with the material for each assignment, complete the self-check at the end of the assignment in your study guide. When you’ve finished the self-checks, compare your answers with those given at the end of the study guide. If you’ve missed any questions, go back and review the related topic. This review will reinforce your understanding of the material.

5. Complete each assignment in this way.

6. When you feel that you understand all of the material presented in the lesson assignments, you may complete the examination for that lesson.

7. Follow this procedure for both of the two lessons.

8. Complete the Research Project after completing both lessons.

Remember, at any time, you can contact your instructor for information regarding the materials. The instructor can provide you with answers to any questions you may have about the course or your study materials.

Now you’re ready to begin Lesson 1.

Good luck!


Lesson 1: Understanding HIPAA

For:                 Read in the study guide:   Read in the textbook:
Assignment 1         Pages 8–14                 Chapter 1, Pages 1–19
Assignment 2         Pages 16–22                Chapter 2, Pages 25–52
Assignment 3         Pages 24–29                Chapter 3, Pages 59–82
Examination 460809   Material in Lesson 1

Lesson 2: Implementing and Enforcing HIPAA

For:                 Read in the study guide:   Read in the textbook:
Assignment 4         Pages 34–36                Chapter 4, Pages 89–109
Assignment 5         Pages 39–41                Chapter 5, Pages 114–144
Examination 460810   Material in Lesson 2

Graded Project 46081100


Note: To access and complete any of the examinations for this study guide, click on the appropriate Take Exam icon on your “My Courses” page. You shouldn’t have to enter the examination numbers. These numbers are for reference only if you have reason to contact Student Services.


Understanding HIPAA

INTRODUCTION

This first lesson is an introduction to the Health Insurance Portability and Accountability Act of 1996, or HIPAA. The provisions of the HIPAA law affect everyone who works in the health care field, so it’s important to understand what the law covers and how you need to comply with it. The lesson contains three reading assignments.

Assignment 1 starts out with a description of the two basic parts of the HIPAA law, Title I and Title II. Title I covers health insurance reform. Title II includes HIPAA’s administrative simplification rules. You’ll learn about the basic goals and objectives of the HIPAA law in this assignment.

Assignment 2 reviews the HIPAA Privacy Standards, which protect patients’ private health information in medical records. A patient’s private health information can be shared or disclosed only under specific circumstances that are explained under the HIPAA rules.

Assignment 3 introduces the HIPAA Security Standards, which describe how electronic information about patients must be protected.

OBJECTIVES

When you complete this lesson, you’ll be able to

• Describe the major provisions of Title I and Title II of HIPAA

• Identify the key provisions of the HIPAA Administrative Simplification standards

• Describe the health care professionals and facilities that are covered entities under HIPAA

• Explain the difference between a covered entity and a business associate

• List five responsibilities of covered entities under the HIPAA Privacy Rule

• Define protected health information (PHI) and electronic protected health information (ePHI)

• Discuss the required content of the HIPAA Notice of Privacy Practices (NPP)

• Explain the privacy standards relating to the release of PHI for treatment, payment, and operations (TPO) purposes

• Describe the situations in which authorization for release of PHI must be obtained

• Name several major exceptions to the HIPAA release of information requirements

• Explain patients’ rights regarding the use and disclosure of their PHI

• List the three goals of the HIPAA security standards

• Compare and contrast risk analysis and risk management

• Describe HIPAA’s administrative, physical, and technical standards for the protection of ePHI

ASSIGNMENT 1 Read this introduction to Assignment 1. Then, read Chapter 1, “The Goal of HIPAA: Administrative Simplification,” on pages 1–19 in your textbook HIPAA for Allied Health Careers.

What Is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was signed into law on August 21, 1996 by the United States Congress. The main purpose of HIPAA is to increase the efficiency and effectiveness of health care, and to protect patient rights. It’s designed to help people build trust in the health care system.


The law has two important parts, called Title I and Title II. Title I of HIPAA provides a basis for ensuring the portability of health insurance, which means that employees and their families can keep their health insurance when workers change jobs. Title II of HIPAA lays out specific rules that health insurance plans, health care providers, and employers must follow, and defines noncompliance penalties that can be applied when rules are broken. It also contains provisions to protect the privacy and security of people’s health care data.

HIPAA was created to help with several important problem areas within the health care industry. The law was designed to

• Improve the portability and continuity of health care coverage in insurance markets

• Combat waste, fraud, and abuse in the health care system, and also in the insurance industry

• Improve access to long-term care

• Simplify health insurance administration

• Provide a means to pay for reforms

• Protect the privacy of a patient’s personal information and health care data

• Provide for the electronic and physical security of personal information and health care data

• Simplify billing and other health care transactions

The areas in which the enactment of HIPAA has most affected health care include the following:

• The privacy of health information

• The establishment of standards for electronic transactions (such as electronic medical records, insurance claims, and so on)

• The security of electronic health information (such as electronic medical records)


HIPAA’s Two Titles

HIPAA is a complex federal legislative act that’s organized into two parts: Title I and Title II. Each part covers different health care topics. Let’s take a closer look at each of these parts now.

HIPAA Title I: Health Insurance Reform

Title I of the HIPAA act provides individuals with rights relating to their insurance portability when they change jobs. Title I also outlines certain requirements for government-based medical coverage (such as Medicare and Medicaid) and private insurance. Under the HIPAA rules, individuals who apply for medical insurance coverage under Medicare can’t be denied insurance because of a preexisting medical condition. Title I of HIPAA also regulates the insurance coverage that’s provided through private insurance companies, such as employer-sponsored group health plans (the insurance people receive through their employers). Federal programs, such as Medicare and Medicaid, are also covered by other federal laws.

Hint: Be sure to review pages 4–5 in your textbook to get a brief overview of the different types of private health insurance plans that are available for employees and retired employees.

Employer-sponsored group health insurance plans are regulated by the Employee Retirement Income and Security Act of 1974 (ERISA). Most other health insurance plans (that is, other than employer-sponsored health insurance plans) are regulated by state-based insurance commissions. The state department of insurance agencies creates coverage requirements for various plans.

The Consolidated Omnibus Budget Reconciliation Act (COBRA) is a law that gives employees who are leaving a job the opportunity to continue their health insurance coverage under their employer’s plan, so that they don’t have a gap in medical insurance. Under COBRA, the employee will continue to pay for insurance under the employer’s plan, usually at a rate higher than the standard employee insurance. However, the rate is still usually lower than they would have to pay for a new individual insurance policy that’s not group-based with the employer.

HIPAA Title II: Administrative Simplification (AS)

The Administrative Simplification (AS) provisions of Title II of the HIPAA act required the United States Department of Health and Human Services (HHS) to establish national standards for the security of electronic health care information. The final rule adopting the HIPAA standards for security was published in the Federal Register on February 20, 2003. This final rule specifies a series of administrative, technical, and physical security procedures for covered entities to assure the confidentiality of electronic protected health information.

The main goal of the Administrative Simplification (AS) provisions is to cut costs and reduce administrative overhead in the health care field. In addition, the AS provisions encourage organizations to use electronic data interchange (EDI) transactions. EDI is an exchange of information that’s completed through computer transactions using established criteria.

Specifically, Title II gives the Department of Health and Human Services the authority to do the following:

• Mandate the use of standards for the electronic exchange of health care data

• Specify what medical and administrative code sets should be used within those standards

• Require the use of national identification systems for health care patients, providers, payers, and employers

• Specify the types of measures required to protect the security and privacy of individually identifiable health information (IIHI)

It’s important to understand the difference between the terms privacy and security as they relate to health information. You can think of it like a sealed letter that’s kept in a locked mailbox. A sealed envelope will keep the letter private, and prevent people from reading the letter’s contents by accident. However, only the locked mailbox will keep the letter secure, and prevent someone from stealing the letter. When you’re dealing with a person’s sensitive health care details, you need to keep the information private (only the patient and authorized professionals should be able to see it or hear it) and you need to keep it secure (protect it from being stolen). These are the exact reasons why the HIPAA rules were created.

Covered Entities

Covered entities are all of the organizations that are required to follow HIPAA regulations by state and federal laws. Covered entities provide care to patients during the normal course of business, and they also send protected information electronically. The Administrative Simplification (AS) standards under HIPAA define covered entities as any of the following:

• A health care provider. Note that a health care provider is any health care professional or organization (such as a doctor, hospital, or clinic) that provides medical and health care to individuals, and that conducts certain transactions in electronic form.

• A health care clearinghouse. A health care clearinghouse is an entity that processes or aids in the processing of information. In simple terms, this means a medical billing service, community health information system, or other similar company.

• A health care plan. A health care plan refers to health insurance coverage by a group, organization, or person that pays for and administers the health insurance.

Many types of health insurance plans are included in the HIPAA regulations, including the following:

• Employer-provided group health plans

• Preferred provider organizations (PPOs)

• Health maintenance organizations (HMOs)

• Federal insurance agencies (Medicare and Medicaid)

• Long-term care insurance plans

• Medicare supplemental insurers

• The TRICARE program (for military personnel)

• The CHAMPVA program (for veterans)

• Indian Health Service programs (for Native Americans)

• Federal Employees Health Benefits (FEHB)

• State-based child health care plans (such as CHIP)

However, there are also some types of medical insurance benefits that fall outside of the HIPAA standards. These types of benefits include disability income, accident income, automobile liability insurance, general liability insurance, workers’ compensation, or medical payments that occur through an automobile insurance policy.

Providers

Under the HIPAA regulations, these covered entities are health care providers who bill for services that are provided to a patient during the normal course of business. A provider submits a claim to the patient’s insurance carrier (such as a private insurance agency, Medicare, or Medicaid) in order to receive payment for the services he or she provided to the patient. The services provided can include an annual checkup, a diagnostic test, a laboratory test, a preventive screening, or a surgical procedure, as well as diagnosis, treatment, and care for an illness. The covered provider entities may be a hospital, skilled nursing facility, outpatient rehabilitation facility, hospice organization, home health organization, pharmacy, physician’s office, dental office, chiropractor, podiatrist, therapist, or laboratory.


Business Associates

Sometimes, a covered entity will retain an outside person or business to perform a function on the entity’s behalf, who will also need to have access to the covered entity’s protected health information. According to HIPAA, these outside professionals are called business associates. Some common examples of business associates are the following:

• Medical billing companies

• Law offices

• Accountants

• Information technology (IT) contractors

• Medical transcription companies

• Collection agencies

• Third-party claim administrators (TPAs)

These business associates must follow HIPAA standards in order to do business with a covered entity.

After you’ve carefully read pages 1–19 in the textbook HIPAA for Allied Health Careers, complete Self-Check 1. Check your answers with those provided at the back of this study guide. When you’re sure that you understand the material from Assignment 1, move on to Assignment 2.


Self-Check 1

At the end of each section of HIPAA Compliance, you’ll be asked to pause and check your understanding of what you’ve just read by completing a “Self-Check” exercise. Answering these questions will help you review what you’ve studied so far. Please complete Self-Check 1 now.

Questions 1–8: Indicate whether each statement is True or False.

______ 1. Title II of HIPAA expands the COBRA law with additional continuation of coverage.

______ 2. HIPAA’s Administrative Simplification rules prohibit the use of electronic data interchange (EDI).

______ 3. Examples of covered entities under HIPAA include health plans, health care providers, and health care clearinghouses.

______ 4. Title I of HIPAA covers the Privacy and Security Rules.

______ 5. A health care clearinghouse provides insurance to a patient.

______ 6. If business associates want to do business with a covered entity, they must follow HIPAA standards.

______ 7. Under the concept of preemption, state laws supersede HIPAA rules in most situations.

______ 8. The Centers for Medicare and Medicaid Services (CMS) is responsible for enforcing the HIPAA privacy standards.

Questions 9–12: Select the one best answer to each question.

9. According to HIPAA, home-based medical coders, third-party claim administrators, and medical transcription companies are defined as

a. clearinghouses.
b. health care providers.
c. covered entities.
d. business associates.

10. Which of the following is another name for Title II of HIPAA?

a. Administrative Simplification
b. COBRA
c. NPRM
d. Health Insurance Reform

11. Which of the following is an agency of the HHS that’s charged with enforcing privacy standards?

a. The Office of Management and Budget (OMB)
b. The Office of Personnel Management (OPM)
c. The Office for Civil Rights (OCR)
d. The Office of the Inspector General (OIG)

12. The health care organizations that are required by law to obey the HIPAA regulations are called

a. employers.
b. covered entities.
c. business associates.
d. facility directors.

Check your answers with those on page 51.

ASSIGNMENT 2 Read this introduction to Assignment 2. Then, read Chapter 2, “The HIPAA Privacy Standards,” on pages 25–52 in your textbook HIPAA for Allied Health Careers.

The Medical Record

The HIPAA privacy standards include guidelines for electronic medical records. The information in a medical record is the documentation that relates to a patient’s illness, course of treatment, and care. Medical records are considered to be legal documents, and they may be very important documentation in court cases (for example, if a physician or a hospital is sued by a patient).

According to state and federal laws, health care professionals are required to include specific information in a patient’s medical record to document every encounter with the patient. An encounter is defined as any patient visit with a physician or other qualified health care provider (such as a nurse practitioner, therapist, or physician assistant) to diagnose a condition or treat an illness or injury.

To document a patient encounter, the provider must include the following information, at a minimum:

• The patient’s name

• The date of the encounter

• The reason for the encounter

• A documented medical history and physical examination

• A review of laboratory and diagnostic tests if performed

• A review of medications, if the patient was prescribed drugs

• A diagnosis

• A plan of care or notes that identifies the procedures and treatments given

• The signature of the provider who saw the patient


What Is Protected Health Information?

According to the Federal government, protected health information (PHI) is defined as “individually identifiable health information maintained in or transmitted by electronic media.” PHI is information that can specifically identify a unique individual, and may include any of the following:

• A person’s name

• Home address

• Names of relatives

• Name of employer

• Date of birth

• Home telephone number or fax number

• Personal e-mail address

• Social Security number

• Medical record number

• Health insurance plan beneficiary number or account number

• Driver’s license number

• Vehicle serial number

• Web site address

• Fingerprints

• Photograph

Protected health information also includes data about sensitive health conditions that patients usually want to keep very private, such as alcohol and drug dependence, mental health issues, sexually transmitted diseases, infectious diseases, and HIV or AIDS. A higher standard of privacy applies to these types of conditions under HIPAA’s rules.


Individually identifiable health information may reside on or travel via electronic avenues, such as the Internet, extranets and intranets, leased lines, dial-up lines, private networks, magnetic tape, and compact disk media.

Minimum Necessary Standard

The minimum necessary standard is a component of the HIPAA Privacy Act that attempts to limit the disclosure of protected health information. The standard requires hospitals, insurance plans, health care providers, and other organizations to make as much effort as possible to limit the disclosure of PHI to the “minimum necessary” amount that’s needed for individual employees to do their jobs. For example, in a health clinic, the information in a patient’s electronic medical record would be disclosed only to the doctor providing services and the office employee who’s recording and billing the services. The private health information wouldn’t be provided to all of the clinic’s employees. These procedures reduce the risk of someone accessing or disclosing protected health information incorrectly.
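In security terms, the minimum necessary standard is least-privilege access applied to the fields of a patient record. The Python example below is added here as an illustration; it is not code from the study guide or the textbook. It shows one way a clinic system could enforce the standard: each job role has an allow-list of record fields, every other field is withheld and the decision is logged, and a helper reports which of the PHI identifier categories listed in the “What Is Protected Health Information?” section still appear in a filtered view. The field names, role names, and sample record are constructed assumptions for this example, not terms defined by HIPAA.

```python
"""Minimum-necessary (least-privilege) filtering of a patient record by job role.

Added example, not the study guide's or textbook's own code. Field names,
role definitions and the sample record are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Identifier categories from the study guide's PHI list. The key names used
# for them here are assumptions for this example.
PHI_IDENTIFIER_FIELDS = {
    "name", "home_address", "relative_names", "employer", "date_of_birth",
    "home_phone", "email", "ssn", "medical_record_number",
    "insurance_beneficiary_number", "drivers_license", "vehicle_serial",
    "website", "fingerprints", "photograph",
}

# Clinical fields, following the study guide's encounter documentation list.
CLINICAL_FIELDS = {
    "encounter_date", "reason_for_visit", "history_and_physical",
    "lab_results", "medications", "diagnosis", "plan_of_care",
    "provider_signature",
}

# Allow-lists: the fields each role needs to do its job and nothing more.
# Roles are assumptions modelled on the clinic scenario in the text
# (treating doctor vs. the employee recording and billing the visit).
ROLE_ALLOWED_FIELDS = {
    "treating_physician": {"name", "date_of_birth", "medical_record_number"} | CLINICAL_FIELDS,
    "billing_clerk": {"name", "date_of_birth", "medical_record_number",
                      "insurance_beneficiary_number", "encounter_date",
                      "diagnosis", "plan_of_care"},
    "front_desk": {"name", "home_phone", "encounter_date"},
}


class MinimumNecessaryError(PermissionError):
    """Raised for a role with no allow-list: unknown roles are denied, not given everything."""


@dataclass
class AccessLog:
    """Records each filtered view so disclosures can be audited later."""
    entries: list = field(default_factory=list)

    def record(self, role, mrn, released, withheld):
        self.entries.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "role": role,
            "mrn": mrn,
            "released": sorted(released),
            "withheld": sorted(withheld),
        })


def minimum_necessary_view(record, role, log):
    """Return only the fields `role` may see; log what was released and withheld."""
    allowed = ROLE_ALLOWED_FIELDS.get(role)
    if allowed is None:
        raise MinimumNecessaryError(f"no minimum-necessary policy defined for role {role!r}")
    released = {key: value for key, value in record.items() if key in allowed}
    withheld = set(record) - set(released)
    log.record(role, record.get("medical_record_number"), released, withheld)
    return released


def identifiers_present(record):
    """List the PHI identifier categories still carried by a record or a filtered view."""
    return sorted(key for key in record if key in PHI_IDENTIFIER_FIELDS)


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Pat Example", "date_of_birth": "1970-01-01", "ssn": "000-00-0000",
    "home_address": "1 Example St", "home_phone": "555-0100",
    "medical_record_number": "MRN-0001", "insurance_beneficiary_number": "XYZ123",
    "encounter_date": "2012-03-01", "reason_for_visit": "annual checkup",
    "history_and_physical": "unremarkable", "lab_results": "pending",
    "medications": "none", "diagnosis": "Z00.00", "plan_of_care": "routine follow-up",
    "provider_signature": "Dr. Example",
}

if __name__ == "__main__":
    log = AccessLog()
    for role in ("treating_physician", "billing_clerk", "front_desk"):
        view = minimum_necessary_view(SAMPLE_RECORD, role, log)
        print(role, "sees", sorted(view), "| identifiers:", identifiers_present(view))
    print("last audit entry:", log.entries[-1])
```

Two design choices matter here. Access is allow-listed per role and an unknown role raises rather than falling through to full access, which is the deny-by-default behaviour the standard implies. The audit log keeps both the released and the withheld field names (never the values), so a later review can show that the front desk was given a phone number and an appointment date but not a diagnosis or Social Security number.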

Business Associates and PHI

The HIPAA Privacy Rule defines business associates (BA) as individuals or corporations that work with covered entities, such as medical billers, accountants, lawyers, accreditation agencies, and any other independent contractors that provide services. Since these business associates themselves aren’t bound by HIPAA privacy rules, it’s necessary for the covered entity to ensure that patients’ PHI is protected when business associates come into contact with the information.

For example, in the course of preparing tax documents, a physician’s accountant might need to review claims and bills that contain individually identifiable health information. To ensure that the PHI will be held in confidence, the HIPAA Privacy Rule requires that covered entities have contracts with their business associates that cover confidentiality. The Privacy Rule also imposes liability if that confidentiality is breached.


Notice of Privacy Practices (NPP)

The Notice of Privacy Practices (NPP) is a document that outlines the privacy policies and procedures of a physician’s office or hospital. The NPP tells the patient how the facility will use his or her medical information, how it will disclose this information, and how it will protect the information. The NPP also tells patients how they can access their own medical information.

It’s very important that employees receive proper training to ensure that everyone understands the HIPAA rules. Patients must also be informed of the HIPAA rules that protect them. Usually, a doctor’s office will provide each patient with a Notice of Privacy Practices document one time. Then, the patient will be asked to sign a separate form called an Acknowledgment of Receipt of Notice of Privacy Practices. The acknowledgment form states that the patient has read the privacy practices and understands his or her rights regarding the privacy of his or her health information.

HIPAA requires every health care provider to make a good-faith attempt to have each patient sign the acknowledgment form. The health care provider must

• Provide a full notice of privacy practices (not a summary) to each patient at least once

• Obtain a signed acknowledgment from the patient that he or she received the NPP

• Keep the signed acknowledgment form in the patient record, or a description of a good-faith attempt to get a signed acknowledgment

• Document a patient’s refusal to sign (if the patient refuses) and retain it in the patient record

Most importantly, the provider is not allowed to refuse treatment if the patient refuses to sign the acknowledgment.

It’s the responsibility of an organization’s appointed HIPAA officer to ensure that all employees are trained in the HIPAA rules. The HIPAA law states that employee training records must be kept on file for six years. It also mandates that employers provide annual employee reviews on HIPAA policies and procedures, and periodic retraining for employees (when necessary) to explain new responsibilities.

Disclosure of PHI

The term disclosure refers to the release, transfer, or provision of protected health information to someone outside the entity that holds the information. For example, a doctor’s office would be the entity holding a patient’s private information, and anyone else who requests to see that information (such as an insurance carrier) would be an outside entity. In some cases, PHI can be released to outside entities without special permission; in other situations, the patient must provide a specific authorization for PHI to be disclosed.

In the ordinary process of providing medical care, it’s sometimes necessary for a patient’s private information to be disclosed to others. For example, a doctor’s office may need to provide PHI to a hospital, or to another doctor’s office where a patient is being treated. Or, the patient’s insurance company may need to see a patient’s PHI in order to pay a claim. These necessary, everyday situations are called treatment, payment, and health care operations (TPO) under HIPAA. Disclosures of health information are permitted for TPO without special authorization.

However, there are also some circumstances in which restrictions will apply to the release of PHI. If PHI is to be released for some purpose other than treatment, payment, or health care operations, the patient must be asked to sign a written authorization to release the information.

An authorization is simply permission to do something. In relation to protected health information, an authorization means that the patient gives permission for his or her PHI to be shared or disclosed for some reason. For example, a patient may give written authorization for PHI to be used in a research study or for marketing purposes, or to be disclosed to relatives or an employer.


Your textbook describes a number of situations where a patient’s written authorization will be required to release PHI. It also reviews the rights of patients as related to accessing their own health care information. Be sure to review these concepts carefully.

After you’ve carefully read pages 25–52 in the textbook HIPAA for Allied Health Careers, complete Self-Check 2. Check your answers with those provided at the back of this study guide. When you’re sure that you understand the material from Assignment 2, move on to Assignment 3.

Self-Check 2

Questions 1–6: Indicate whether each statement is True or False.

______ 1. The HIPAA Privacy Rule was the first federal law designed to protect the privacy of health information.

______ 2. A provider isn’t allowed to treat a patient unless he or she signs an Acknowledgement of Receipt of Notice of Privacy Practices.

______ 3. Protected health information includes any data that can identify a unique individual.

______ 4. A covered entity must have a signed authorization in order to use a patient’s protected health information for marketing.

______ 5. Patients can file a complaint to the Office for Civil Rights when their privacy has been violated by a health care provider.

______ 6. A provider can’t send a patient’s PHI to a health insurance plan for payment without a signed authorization from the patient.


Questions 7–12: Select the one best answer to each question.

7. According to HIPAA rules, what is the minimum amount of time that a provider must retain a patient’s signed Acknowledgment of Receipt of Notice of Privacy Practices?

a. 10 years
b. 6 years
c. 1 year
d. 3 years

8. A medical record that’s stored in a combination of paper forms and electronic forms is called a

a. designated record set.
b. minimum necessary record.
c. hybrid record.
d. de-identified record.

9. The release, transfer, provision of access to, or divulging of protected health information outside the entity that holds the information is called

a. authorization.
b. incidental use.
c. documentation.
d. disclosure.

10. Patients who observe privacy problems in their provider’s offices can complain to the

a. Office for Civil Rights (OCR).
b. Department of Health and Human Services (HHS).
c. National Center for Health Statistics.
d. Office of the Inspector General (OIG).

11. A correction of a finalized entry in a medical record that has been identified as incorrect is called a(n)

a. incident.
b. disclosure.
c. complaint.
d. amendment.

12. According to the HIPAA Privacy Rule, which of the following is considered to be a part of a designated record set?

a. Requests for lab tests
b. Billing records
c. Appointment schedules
d. Birth records

Check your answers with those on page 51.


ASSIGNMENT 3

Read this introduction to Assignment 3. Then, read Chapter 3, “The HIPAA Security Standards,” on pages 59–82 in your textbook HIPAA for Allied Health Careers.

The HIPAA Security Rule

This part of your textbook reviews the details of the HIPAA Security Rule, which describes the administrative, physical, and technical safeguards that are needed to keep protected health information safe, and prevent unintended disclosures. According to the HIPAA Security Rule, covered entities must have security standards in place to protect PHI that’s stored or transmitted in electronic form (that is, on computer systems) from improper usage and disclosure.

Administrative safeguards include establishing office security policies and procedures, and training staff on how to access information securely.

Physical safeguards include limiting the physical access to the computer systems on which electronic PHI is stored.

Technical safeguards focus on the policies and procedures for accessing PHI data, including the restriction of access through the use of passwords and other individual authentication methods.

Electronic Protected Health Information

One important point about the HIPAA Security Rule is that it focuses on electronic health information, and doesn’t deal with the security of paper medical records or documents. (In contrast, the HIPAA Privacy Rule protects health information in any format, whether it’s paper information or electronic information.)


Remember that a patient’s protected health information (PHI) includes any individually identifiable information in any form, including name, address, Social Security number, birth date, telephone number, e-mail address, and hospital admission number (or patient number).

The main purposes of the HIPAA security standards are to

• Ensure the confidentiality of electronic patient health information

• Ensure the integrity of electronic patient health information

Note that the HIPAA security standards don’t outline specific actions that a covered entity must take to protect electronic patient information. Instead, the standards provide goals and examples that organizations can follow to protect health information. Individual covered entities are allowed to have different security policies and procedures that are appropriate for their size and the type of care they provide.

Threats to Information Security

Even though patient information is probably safer when stored in an electronic medical record than in paper form, it doesn’t mean that the information can’t be damaged or lost. Computers and other electronic storage media are vulnerable to a number of different threats that can damage or destroy stored information. The following are some of the common ways in which the security of protected health information can be threatened:

• Natural disasters, such as fires, floods, earthquakes, and explosions

• Power loss or utility outages

• Malware (such as computer viruses) or computer hacking

• Problems during computer updates or upgrades

• Deliberate theft or sabotage by employees or contractors


Note that malware is any type of harmful computer program that can be transmitted into a computer system, typically through e-mail attachments or Internet downloads. Malware can damage or destroy the data that’s stored on a computer or a connected storage device. A covered entity can protect stored electronic health information by installing antivirus software on individual employees’ computers and on the organization’s network. Antivirus software is able to find and remove viruses from the computer system before any damage occurs to the stored data.

Important data may be damaged or lost during computer updates or upgrades, or when new computers or software programs are installed. Therefore, it’s very important that established procedures be followed carefully at all times.

An additional threat can come from the unauthorized access of data by employees or others who have access to computer systems. For example, someone may attempt to access data for the purposes of identity theft. In hospitals or doctor’s offices that service celebrity patients, employees may try to obtain information to disclose or sell to the media. Or, a disgruntled employee may access patient information or cause damage to the organization’s computerized data to seek revenge on the employer.

Because of these internal and external threats to computer systems, it’s critical to ensure that patient information is kept secure. One way to do this is to appoint a security officer who will be responsible for developing security plans and evaluating their effectiveness.

Your textbook describes a variety of methods that can be used to protect stored computer data, including firewalls, passwords, encryption, locks, and antivirus software. Be sure to review these carefully.


Administrative Standards

A large part of the HIPAA Security Rule covers administrative standards for protecting electronic health information. The administrative standards describe policies and procedures that covered entities must implement in the workforce to protect patients’ private information. The administrative standards include the following nine key requirements:

1. The covered entity must perform a risk analysis, and then develop a plan to manage the risk.

2. The covered entity must appoint a security officer to manage security policies.

3. Each employee must be allowed only the minimum necessary access to PHI.

4. Employees must have authorization to access information.

5. Employees must receive security training.

6. A procedure must be prepared to address security incidents.

7. The covered entity must have a contingency plan to protect PHI in a disaster.

8. The covered entity must periodically evaluate and update its security procedures.

9. If the covered entity has any business associates, there must be wording in their contracts that require HIPAA compliance.

This is only a brief summary of the nine main provisions of the HIPAA administrative standards. Your textbook describes these topics in much greater detail, so be sure to examine this information carefully.

Physical Standards

Physical security refers to the protection of the environment where PHI is stored. This includes the building, rooms, equipment, and computer hardware where a covered entity keeps its records. The physical safeguards that are used to protect information at a doctor’s office, hospital, or insurance company are the same things that would be used to protect expensive merchandise in a retail store (such as diamonds in a jewelry shop), and may include

• Locks on doors

• Alarm systems

• Video surveillance monitors

• Fire detection equipment

• Patrolling security guards

It’s important to remember that while PHI must be protected from unauthorized access, there will also be times when employees will need to access the information for regular treatment, payment, and health care operations. Thus, there must be a careful balance between allowing appropriate access and limiting improper access. The patients’ private information must be protected, but at the same time, you can’t make it so difficult to access information that the daily office activities are slowed to a crawl.

The HIPAA physical security standards include the following four main provisions:

1. Only authorized persons should be allowed to enter the building.

2. The access to PHI on workstations should be limited to “minimum necessary.”

3. Workstations must be protected from theft or removal.

4. The use of devices, such as backup tapes and flash drives, must be controlled.

Technical Standards

Technical safeguards refer to the procedures and policies for using technology, and the related control of access to data. The HIPAA standards don’t require that any specific methods be used; they simply provide security guidelines.


Some of the key provisions of the technology safeguards include the following requirements:

• Individuals must be authorized to access PHI.

• Covered entities must preserve the integrity of PHI by preventing its alteration or destruction.

• Authentication must be provided to prove that an individual has the right to access data.

• Covered entities must use secure transmission systems or encryption to protect private information that’s transmitted electronically (for example, by e-mail).

• Covered entities must use audit controls to monitor security breaches.

Note that authentication is the process of proving who you are before you can access private information on a computer system. Authentication can be provided by password, a unique possession such as a key or ID card, or through a biometric feature (fingerprint, voice pattern, or eye pattern). Unique user identification is required for every employee who needs access to PHI.

If an outside entity needs to access data on an organization’s computer system over a network or through an Internet connection, the outside entity can be required to provide a digital certificate for identification. A digital certificate is an electronic file that certifies the identity of the individual or organization that’s requesting information access.

Audit controls are devices or software that monitor security breaches. Audit controls establish audit trails that log employees’ identification numbers when they access certain parts of the electronic medical record.
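As an added example (not from the textbook or this study guide), the following Python script shows how three of the technical safeguards just described can be checked together from an audit trail: it reads constructed access-log lines, confirms each user was authenticated, and flags any access that exceeds a hypothetical role-based “minimum necessary” policy. The role policy, user IDs, and log lines are all assumptions made up for the example.

```python
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Hypothetical role policy (an assumption for this example, not HIPAA text):
# the record sections each workforce role may open under "minimum necessary".
MINIMUM_NECESSARY: Dict[str, Set[str]] = {
    "physician": {"demographics", "clinical_notes", "lab_results"},
    "nurse": {"demographics", "clinical_notes", "lab_results"},
    "billing": {"demographics", "billing"},
    "scheduler": {"demographics"},
}


@dataclass(frozen=True)
class AccessEvent:
    user_id: str          # unique user identification, one per employee
    role: str
    patient_id: str
    section: str          # part of the electronic medical record opened
    authenticated: bool   # did the system verify the user's identity first?


# A questionable access: (user_id, patient_id, section, reason)
Finding = Tuple[str, str, str, str]

# Constructed sample audit trail (not real data).
# Columns: user_id,role,patient_id,section,authenticated
SAMPLE_AUDIT_TRAIL = """\
u1001,physician,P-0001,clinical_notes,yes
u2002,billing,P-0001,billing,yes
u2002,billing,P-0001,clinical_notes,yes
u3003,scheduler,P-0002,lab_results,yes
u4004,nurse,P-0002,demographics,no
u5005,janitor,P-0003,demographics,yes
"""


def parse_audit_trail(text: str) -> List[AccessEvent]:
    """Turn the CSV-style audit trail into AccessEvent records."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        user_id, role, patient_id, section, auth = (c.strip() for c in row)
        events.append(AccessEvent(user_id, role, patient_id, section,
                                  auth.lower() == "yes"))
    return events


def review_event(ev: AccessEvent) -> List[Finding]:
    """Apply the authentication, authorization and minimum-necessary checks."""
    findings: List[Finding] = []
    if not ev.authenticated:
        findings.append((ev.user_id, ev.patient_id, ev.section,
                         "access without authentication"))
    allowed = MINIMUM_NECESSARY.get(ev.role)
    if allowed is None:
        findings.append((ev.user_id, ev.patient_id, ev.section,
                         f"role '{ev.role}' has no PHI authorization"))
    elif ev.section not in allowed:
        findings.append((ev.user_id, ev.patient_id, ev.section,
                         f"'{ev.section}' exceeds minimum necessary for {ev.role}"))
    return findings


def review_audit_trail(text: str) -> List[Finding]:
    """Return the audit-trail entries a security officer should examine."""
    return [f for ev in parse_audit_trail(text) for f in review_event(ev)]


if __name__ == "__main__":
    for user, patient, section, reason in review_audit_trail(SAMPLE_AUDIT_TRAIL):
        print(f"{user} opened {section} of {patient}: {reason}")
```

Run against the sample trail, the review reports four entries: a billing clerk opening clinical notes, a scheduler opening lab results, a nurse whose session was never authenticated, and a user whose role has no PHI authorization at all.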

After you’ve carefully read pages 59–82 in the textbook HIPAA for Allied Health Careers, complete Self-Check 3. Check your answers with those provided at the back of this study guide. When you’re sure that you understand the material from these three assignments, complete the examination for Lesson 1.


Self-Check 3

Questions 1–10: Indicate whether each statement is True or False.

______ 1. Under HIPAA, computer passwords are examples of administrative safeguards that protect ePHI.

______ 2. The process of creating policies and procedures to protect ePHI is called risk analysis.

______ 3. The process of ensuring that someone is in fact who he or she claims to be is called authentication.

______ 4. The HIPAA Security Rule covers any PHI that’s in an electronic format.

______ 5. Locks on the doors to the computer room are examples of technical safeguards that protect ePHI.

______ 6. Security includes planning for threats or hazards that haven’t yet happened.

______ 7. The three goals of the HIPAA security standards are to ensure the confidentiality, integrity, and availability of ePHI.

______ 8. The protection of information by transferring it into an unreadable format before it’s distributed is called authorization.

______ 9. A type of software that scans a computer system for malware is called a digital certificate.

______ 10. Policies and procedures are examples of physical safeguards that protect ePHI under HIPAA.


Questions 11–16: Select the one best answer to each question.

11. According to the HIPAA security standards for electronic protected health information, issues such as access controls, audit controls, integrity, and authentication are covered under

a. physical standards.
b. administrative standards.
c. technical standards.
d. organizational standards.

12. One of the goals of the HIPAA security standards is to ensure the _______ of electronic protected health information, which means that the information is shared only among authorized individuals and organizations.

a. integrity
b. availability
c. accuracy
d. confidentiality

13. To protect electronic health information, _______ is used to prevent unauthorized entry into a computer network, to prevent unauthorized data from exiting the network, and to control what users can access on the Internet.

a. a firewall
b. encryption
c. antivirus software
d. role-based authorization

14. Under the HIPAA Security Standards, according to the category of _______ standards, covered entities are required to implement policies and procedures that limit unauthorized access to facilities and computer systems where electronic protected health information is stored.

a. physical
b. administrative
c. technical
d. emergency

15. To protect electronic health care data from serious threats such as computer software or hardware failures, fires, earthquakes, floods, or terrorist acts, a covered entity must have a(n)

a. firewall.
b. disaster recovery plan.
c. antivirus program.
d. security incident procedure.

16. Appointing a security official for a newly opened health clinic is an example of satisfying

a. a technical security standard.
b. a physical security standard.
c. an administrative security standard.
d. an implementation specification.

Check your answers with those on page 52.


Lesson 2

Implementing and Enforcing HIPAA

INTRODUCTION

The first part of this lesson contains an introduction to the electronic data interchange (EDI) requirements that are specified by HIPAA. Under the HIPAA rules, all health care transactions must follow certain standards. You’ll learn about these standards and how to comply with them. The second part of the lesson covers the enforcement of HIPAA rules, and how workers can comply with the rules to prevent fraud and abuse in the health care industry.

OBJECTIVES

When you complete this lesson, you’ll be able to

• Explain the purpose of the HIPAA Electronic Health Care Transactions and Code Sets standards

• Name eight types of HIPAA transactions

• Identify the key purpose of the Administrative Simplification Compliance Act

• List the HIPAA standards for medical code sets

• Compare and contrast the ICD-9-CM diagnosis codes, CPT and HCPCS procedure and supply codes, and ICD-9-CM Volume 3 procedure codes

• Explain the purpose of the HIPAA final enforcement rule

• Distinguish between civil and criminal cases

• Describe the roles of the Office for Civil Rights (OCR) and the Department of Justice (DOJ) in the enforcement of the HIPAA privacy standards
