CompTIA Healthcare IT Technician HIT-001 Cert Guide: Regulatory Requirements
Date: Aug 14, 2012
Regulatory requirements don’t sound like fun to read about. No matter how boring this topic is, it is relevant to HIT. The requirements keep you and others out of trouble. The agencies and laws are in place to protect patients’ rights and privacy and help you find resources.
Laws and regulations change and can be updated, so the most important point of this chapter is to know where to go to find current information. Also agencies, laws, and regulations vary from state to state, so you need to be aware of local policies in your state.
Use government websites and Internet search engines to find information. The government or .gov sites are the authoritative sources. Other websites might offer insight about where to look for answers or how other facilities handle issues. If you cannot find what you need, look within your facility. Often all it takes to find information about a policy is to visit the department in your hospital that handles matters of policy on a daily basis.
This chapter begins by identifying and explaining the roles of some important agencies and laws.
Identifying Standard Agencies, Laws, and Regulations
Each of the agencies, laws, and regulations described in the following sections plays a role in healthcare. The agencies of the U.S. government are responsible for implementing the laws and regulations created by Congress and enacted by the President. The common goal of the agencies, laws, and regulations is to improve the healthcare available to citizens. First, learn about the agencies.
Agencies Governing Healthcare
With changes in the government over the last few years, generous resources have been provided for the development and implementation of HIT. The government has focused funding toward advancing healthcare technology in the United States. The government created agencies to filter the monies to covered entities. Covered agencies work toward this same goal to advance healthcare technology. The government and covered agencies are tasked with ensuring that healthcare providers and facilities comply with the laws and regulations.
Following is a list of agencies that govern healthcare in the United States:
- Department of Health and Human Services (HHS)
- National Institute of Standards and Technology (NIST)
Department of Health and Human Services
The Department of Health and Human Services (HHS)—http://www.hhs.gov—is an agency of the U.S. government tasked with the following responsibilities:
- Protect the health of Americans.
- Provide a means for Americans who are least able to help themselves to access healthcare.
- Contain and treat any national health emergencies.
- Test and regulate food and drug supplies.
Figure 3-1 shows the HHS website.
Figure 3-1 The HHS website is current and informative with the need-to-know facts and how to access resources the HHS provides.
Photo credit: http://www.hhs.gov
The HHS contains several operating divisions, as shown in Table 3-1.
Table 3-1 Operating Divisions of the HHS
Division | Abbreviation
Administration for Children and Families | ACF
Administration on Children, Youth, and Families | ACYF
Administration on Aging | AoA
Agency for Healthcare Research and Quality | AHRQ
Centers for Disease Control and Prevention | CDC
Centers for Medicare & Medicaid Services | CMS
Food and Drug Administration | FDA
Health Resources and Services Administration | HRSA
Indian Health Service | IHS
National Institutes of Health | NIH
National Cancer Institute | NCI
Office of the Inspector General | OIG
Substance Abuse and Mental Health Services Administration | SAMHSA
The more notable divisions of the HHS include the Food and Drug Administration (FDA), Centers for Disease Control and Prevention (CDC), and the National Institutes of Health (NIH). Now take a closer look at the divisions of the HHS involved in healthcare:
- Centers for Medicare & Medicaid Services (CMS)
- Office of the National Coordinator for HIT (ONC)
- Office for Civil Rights (OCR)
Centers for Medicare & Medicaid Services (CMS)
The Centers for Medicare & Medicaid Services (CMS) branch—http://www.cms.gov—of the HHS is responsible for administering Medicare and Medicaid. CMS also regulates the transaction standards of billing codes used to price healthcare expenses, such as electronic claims, remittance, eligibility, and claims status requests/responses. The current version of HIPAA transaction standards is Version 5010. All HIPAA-compliant facilities adopted this version January 1, 2012. CMS regulates medical diagnosis and inpatient procedure coding in healthcare. The current version is ICD-9. The new version, ICD-10, is required to be adopted by HIPAA-compliant facilities by October 1, 2013. Figure 3-2 shows the CMS website homepage.
Figure 3-2 The CMS website is current and informative with the need-to-know facts and how to access resources the CMS provides.
Photo credit: http://www.cms.gov
The purpose of coding is to equate expenses in a hospital into numbers. For example, whenever a doctor examines a patient, a nurse uses a syringe to administer a drug, or a patient receives a diagnosis, a code must be generated to represent the expense associated with providing this patient care. When healthcare providers enter information into a patient’s chart, that information eventually is sent to a medical coding specialist. This person is responsible for translating charted documentation about a patient’s stay in a hospital into codes so that insurance companies can be properly billed for the hospital’s expenses.
Covered entities must upgrade to Version 5010 billing codes to be prepared for the ICD-10 diagnostic and procedure codes. ICD-10 codes accommodate Version 5010. The reason for the transition to Version 5010 over a year and a half before the transition to ICD-10 is to make sure any kinks in the transition to Version 5010 have been addressed to reduce the possibilities of problems in the transition to ICD-10.
The transition from ICD-9 to ICD-10 is needed because ICD-9 is too restrictive in the amount of information a code can communicate. With ICD-10, a code can report more specifically what was wrong with a patient and how the patient was treated. ICD-10 uses more character positions in the code and has approximately 55,000 more available codes. For example, if a physician charts “initial encounter for a stress fracture of the right tibia,” in ICD-9 a coder could use only the code 733.9, which conveys just “stress fracture of the tibia.” This ignores a lot of specific information about this patient’s condition: the facts that this was the first encounter and that the fracture was of the right tibia would have to be coded using separate codes. With ICD-10, the coder can report more details in a single code, using a longer code with more options to choose from. To report “initial encounter for a stress fracture of the right tibia” in ICD-10, a coder would report the single code M84.361A.
Office of the National Coordinator for Health Information Technology (ONC)
Office of the National Coordinator for Health Information Technology (ONC)—http://www.healthit.hhs.gov: This office of the HHS was created to promote national HIT infrastructure and oversee its development. The ONC was created by executive order in 2004 and written into legislation by the HITECH Act in 2009, which requires healthcare providers to move toward using electronic solutions to store and process patient data. The ONC tests and certifies all EMR/EHR solutions to be HIPAA-compliant. Healthcare providers and hospitals may use only the certified EMR/EHR solutions if they want to qualify for monetary incentives. Figure 3-3 shows the ONC website.
Figure 3-3 The ONC website is current and informative with the need-to-know facts and how to access resources the ONC provides.
Photo credit: http://www.healthit.hhs.gov
The U.S. government provides funding through various venues to encourage covered entities to transition to advanced healthcare technology. Covered entities are encouraged to meet deadlines for stages in the transition, for example, to EMR/EHR information systems. If they meet these goals, they are given money. The deadlines for the incentives are set before the deadlines of when covered entities are required to transition to advanced healthcare technology. If a covered entity misses the latter required deadline, the U.S. government starts applying penalties for not complying with the required deadline. It serves the covered entities well to be ahead of the game by transitioning to advanced healthcare technologies sooner rather than later.
Office of Civil Rights (OCR)
Office of Civil Rights (OCR)—http://www.hhs.gov/ocr: This office of the HHS is responsible for protecting Americans against discrimination and enforcing the Privacy and Security Rules of HIPAA. The OCR fulfills this responsibility through education to prevent violations and through investigation of complaints about violations of these rules. The OCR usually enables a covered entity to enforce rules and reprimand violations without intervening. Complaints about violations are filed through the OCR. See Figure 3-4 to see the OCR website.
Figure 3-4 The OCR website is current, informative, and offers instructions on how to file a complaint about a privacy violation.
Photo credit: http://www.hhs.gov/ocr
National Institute of Standards and Technology (NIST)
National Institute of Standards and Technology (NIST)—http://www.nist.gov—This agency is part of the U.S. Department of Commerce. The goal of the NIST is to promote U.S. innovation and industrial competition. The NIST aims to advance standards and technology to improve American economic security and quality of life. In healthcare, the NIST aims to do the following:
- Create opportunities for accelerated research and development of HIT.
- Improve the usefulness of HIT and remote healthcare.
- Develop the security of HIT.
Figure 3-5 shows the NIST website.
Figure 3-5 The NIST website is current and informative of its activities.
Photo credit: http://www.nist.gov
Now that you have learned about the agencies for healthcare, turn your attention to the programs and laws that these agencies offer and enforce.
Healthcare Programs
Government agencies use social programs to fulfill responsibilities tasked to the agency. Programs ensure accessibility of benefits to those who qualify. The two most significant healthcare programs are Medicare and Medicaid. Medicare and Medicaid are impressive by the numbers of beneficiaries and expense.
The Medicare—http://www.medicare.gov—social insurance program is for hospital and medical care for elderly and certain disabled citizens. Medicare is provided by the U.S. government. Medicare was created as an amendment to the Social Security Act in 1965. Medicare is regulated and administered at the federal level. Figure 3-6 shows the Medicare website homepage.
Figure 3-6 The Medicare website is current and informative with the need-to-know facts and how to access resources Medicare provides.
Photo credit: http://www.medicare.gov
The Medicaid—http://www.medicaid.gov—social welfare program is for health and medical services for certain citizens and families with low incomes and few resources. Medicaid is provided by the U.S. government. Medicaid was created as an amendment to the Social Security Act in 1965. Primary oversight of Medicaid is regulated at the federal level. All states participate in Medicaid; however, state participation to use Medicaid funding is voluntary. Each state administers this program using Medicaid funding. States also have control over eligibility standards, scope of services, and rate of payment for services. Figure 3-7 shows the Medicaid website.
Figure 3-7 The Medicaid website is current and informative with the need-to-know facts and how to access resources Medicaid provides.
Photo credit: http://www.medicaid.gov
Healthcare Laws
Government agencies use laws to define the scope of responsibilities tasked to the agency. Laws clarify the manner and intent of the government. HIPAA, ARRA, and HITECH are all acts of Congress meant to improve healthcare in the United States.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA)—http://www.hhs.gov/ocr/privacy—was created in 1996 to provide a standard set of rules for all covered entities to follow to protect patient health information and to help healthcare providers transition from paper to electronic health records. The Office of Civil Rights (OCR) enforces the following HIPAA rules:
- Privacy Rule: Establishes national standards to protect individuals’ health information whenever a covered entity accesses this information. This rule establishes safeguards to regulate who can access e-PHI (electronic protected health information) and the reasons why someone needs to access e-PHI.
- Security Rule: Establishes national standards to protect the e-PHI of an individual. This rule establishes safeguards for how e-PHI is accessed.
- Breach Notification Rule: Requires covered entities to notify affected individuals, the HHS secretary, and possibly the media when protected health information (PHI) has been breached.
- Enforcement Rule: Establishes penalties for violations to HIPAA rules and procedures following a violation, such as investigations and hearings.
Figure 3-8 shows the enforcement activities and results on the HIPAA website.
Figure 3-8 The HIPAA website is current and informative of the need-to-know facts.
Photo credit: http://www.hhs.gov/ocr/privacy/hipaa/enforcement
American Recovery and Reinvestment Act (ARRA)
The American Recovery and Reinvestment Act (ARRA)—http://www.recovery.gov—was created in 2009 at the urging of President Obama to help citizens through the economic recession. This act is called the Recovery Act. The Recovery Act provided hundreds of billions of dollars for tax cuts, funding for entitlement programs, and federal contracts, grants, and loans. Specific to healthcare, the Recovery Act provides funding to HHS branches, such as the CMS and ONC. The Recovery Act is intended to help preserve and improve affordable healthcare in the United States. The Recovery Act also creates plans and incentives to assist Americans through challenges faced as a nation. Figure 3-9 shows the Recovery Act website.
Figure 3-9 The Recovery Act website is current and informative with the need-to-know facts and how to access resources the Recovery Act provides.
Photo credit: http://www.recovery.gov
Health Information Technology for Economic and Clinical Health (HITECH) Act
The Health Information Technology for Economic and Clinical Health (HITECH) Act—http://www.healthit.hhs.gov—focuses on creating incentive and opportunity for the advancement of HIT through the ONC. The programs funded in the HITECH Act collectively aim to make EMRs/EHRs relevant and beneficial resources to all Americans. The HITECH Act provides grants for education programs and monetary incentives. The HITECH Act also encourages communication within the healthcare community, within a state, and between states as HIT is advanced and implemented.
Now that you are familiar with programs and laws about healthcare, the following sections explain how these programs and laws are regulated.
Regulations of Healthcare Laws
Government agencies use regulations to ensure the intent of the government is carried out. It is in these regulations that healthcare providers and hospitals begin to understand the means and extent of the laws’ intent.
Two new buzzwords in HIT are meaningful use and eligible provider. The Recovery Act requires covered entities to use HIT in a meaningful way, which is where the term “meaningful use” came from. The meaningful use of HIT justifies the push to advance in technology and offer incentives to accomplish this goal. Starting in 2011, grants from the HITECH Act provide incentives with deadlines for healthcare providers to comply with the regulations identified by meaningful use. By 2015, all healthcare entities must demonstrate meaningful use to avoid financial penalties. Eligible providers are covered entities that want to receive monetary incentives by meeting meaningful use criteria. This qualification makes them eligible to receive incentive money.
Now that you know some background on the agencies, laws, and regulations, the following section shifts the focus to how the agencies and acts from the government regulate privacy.
Learning HIPAA Controls and Compliance Issues
The HHS publishes rules and regulations through HIPAA to provide standards that control and require compliance for the security of e-PHI. HIPAA Privacy and Security Rules provide the regulations that covered entities must follow to protect e-PHI. The HIPAA Enforcement Rule explains the consequences of violating the Privacy and Security Rules. These three rules are not just technical safeguards but also physical and administrative safeguards, including auditing, enforcement, and punishment standards. To fully understand these rules, you must understand the issues concerning these rules and the reasons for creating the rules. The following issues are explained as they relate to HIPAA.
- Security: Keeping e-PHI secure is a concern for HIPAA because HIPAA is designed to protect e-PHI. The security measures include all the administrative, physical, and technical safeguards in any IS containing or processing e-PHI. This includes security protocols that HIT technicians must follow, such as administrating security access.
HIPAA security protects e-PHI created, received, used, or maintained by a covered entity. The OCR is responsible for enforcing HIPAA security. The following portions of HIPAA security ensure the confidentiality, integrity, and availability of e-PHI.
- Violations: The breach of a HIPAA rule must be defined for covered entities to know boundaries of what is not acceptable behavior to maintain privacy of patients. A breach can be theft, unauthorized access or disclosure, loss, or improper disposal of e-PHI.
- Fines: Normally, the OCR does not intervene when there is a violation to HIPAA rules. Instead, the covered entity that violates the rule issues voluntary compliance and corrective action that reaches a satisfactory resolution with the OCR. If the violating entity does not handle the offense properly, there are monetary penalties. HIPAA states the fine for each incident should not exceed $100 or $25,000 for identical violations within a calendar year. In 2009, the ARRA increased these amounts into a tiered structure, as outlined in Table 3-2.
Table 3-2 The ARRA Defines These Penalties If a Covered Entity Violates a HIPAA Rule
HIPAA Violation | Minimum Penalty | Maximum Penalty
Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA. | $100 per violation, with an annual maximum of $25,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to reasonable cause and not due to willful neglect. | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to willful neglect but violation is corrected within the required time period. | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation is due to willful neglect and is not corrected. | $50,000 per violation, with an annual maximum of $1.5 million for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
- Requirements: States have the capability to tighten the rules for security. When you start a new job, especially if you are in a new state, be sure to check with your local state regulations because the state may have different rules than what you knew from your last job. Covered entities must
- Ensure confidentiality, integrity, and availability of e-PHI they create, receive, maintain, or transmit.
- Identify risks to e-PHI and implement resolutions to anticipated threats.
- Ensure compliance by their workforce.
HIPAA enables certain hospital personnel to access patient information to perform job duties. However, if a patient wants his patient information released to a person or organization that is not a covered entity, the covered entity must receive written permission to access and distribute the e-PHI.
This website shows an example of a release form used in New York: http://www.nycourts.gov/forms/Hipaa_fillable.pdf. For example, a patient might need this form to release medical information to an athletic program.
A covered entity might access e-PHI to distribute to the individual or its own personnel for treatment of the patient, or to retrieve payment from the patient’s insurance provider, without acquiring a release form. Access permission is restricted based on the role of the personnel, called role-based access control. Personnel should have access to e-PHI only as required to fulfill their job descriptions, no more, no less. Ultimately, the CFO has the final say in what access to the information systems used in the hospital is granted to hospital personnel. The CFO makes these determinations by approving access to each job role when each IS is initially configured. Therefore, the CFO does not need to be involved with assignments for each employee. When a professional starts a job at a healthcare facility, he is given access to e-PHI as defined by his job. For example, all lab technicians should have access as defined for a lab technician. All nurses should have access as defined for a nurse. A lab technician and a nurse might not have the same access. While performing the duties of their job, these personnel do not require signed release forms from patients. Personnel are required to sign an acknowledgment of understanding HIPAA rules. These access policies are controlled by the covered entity and are expected to comply with HIPAA and state regulations.
The HHS offers case studies of HIPAA violations on its website. An example of one case study was a hospital employee who left a voicemail for a patient on the patient’s home answering machine. The message included the medical condition and treatment plan of the patient. However, the patient did not live alone, and others in the household listened to the message. The patient had specifically asked to be contacted at her work phone number. The hospital employee did not follow confidential communication requirements as set by the hospital. To resolve this violation, the hospital implemented new policies for communication. For example, the policy set rules for the minimum information required to leave in a voicemail so as to not reveal PHI. The hospital also trained employees how to review registration information from patients to verify special instructions from the patient on how to contact them. Finally, the hospital integrated training for these new policies into the annual refresher series for employees.
With the background surrounding agencies, laws, and regulations covered, now turn your focus to a topic a little more practical: the rules of record retention and disposal.
Learning Rules of Record Retention and Disposal
Documentation requirements are defined by HIPAA, but some requirements vary from state to state. The state defines how long records must be kept, called record retention. HIPAA defines how records are disposed of and how they are kept in storage (archived). The three types of records are public, private, and legal. All these follow the same rules for retention and disposal.
Types of Health Records
Health information comes in three different types. A patient’s public health record is used for research and to create reports for public health data. For example, if a state requires a hospital to report how many patients are at risk for getting the flu, the public health records are accessible to calculate this information. Figure 3-10 shows the reporting function of an example EHR IS. Public health records are not intended to connect individuals to their health records.
A private health record is the health record created and maintained by an individual. The benefit of a private health record is that the individual is completely aware of all healthcare received, and the record is available to the individual no matter where she may be a patient. A private health record is great for chronically ill patients or for an individual who is a guardian of another individual.
Figure 3-10 The reporting feature of an EHR IS provides a list of patients at risk for the H1N1 virus.
Photo credit: http://www.practicefusion.com
An individual may keep a private health record in any format she prefers. She may simply place her health records in a file folder on her computer or move it to a jump drive for added security and mobility. She might decide to keep her health records with a web-based service designed for private health records. The benefit of using a web-based service is that many healthcare providers can access and easily format the data from these services for the HIS used at the facility with the permission from the individual.
A legal health record is the health record created by healthcare providers. The regulations for legal health records are set by the state and healthcare organization with a few basic standards set by the federal government. The legal health record can be requested by the patient or legal services. For example, if a patient brings up a lawsuit due to received healthcare, the court might need the legal health record to know what was charted in the patient’s health record.
Record Retention
HIPAA sets a minimum timeframe for record retention of six years and for two years after a patient’s death, and Medicare requires Medicare beneficiaries’ records be retained for five years. HIPAA enables the states to create laws to dictate their own policy for record retention so long as the state law meets minimum HIPAA requirements. If a state requires more time for record retention, covered entities in that state must comply with the state law.
States have the freedom to determine how long documents need to be stored before disposal. States retain records anywhere from 6 to 20 years. Some states choose to vary the length of record retention based on resources, type of patient, events during the course of care, or any other stipulation.
When you start a new job, check with your state’s legislature website or ask someone in the medical records department at your facility. For example, if your new job is to implement a new EMR/EHR IS in a hospital, you would need to know how long to program the EMR/EHR IS to retain the health records.
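Programming the retention period into an EMR/EHR IS, as an added example that is not code from this chapter or from any EHR product: it computes the earliest disposal date for a record by taking the longest of the periods the chapter states (the HIPAA six-year minimum, two years after death, Medicare’s five years, and the state’s own minimum), so a stricter state rule lengthens the period and a weaker one never shortens it. The state minimum is a parameter because, as the chapter says, it has to be looked up for the state in question; the patient IDs and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Minimum retention periods as stated in this chapter. Assumption: the figures
# are used as given; a deployment takes the periods from current federal and
# state policy, which the chapter says must be checked for the state in question.
HIPAA_MIN_YEARS = 6          # HIPAA: keep at least six years
HIPAA_YEARS_AFTER_DEATH = 2  # HIPAA: and at least two years after the patient's death
MEDICARE_MIN_YEARS = 5       # Medicare beneficiaries' records: at least five years


@dataclass
class HealthRecord:
    patient_id: str
    created: date
    medicare_beneficiary: bool = False
    date_of_death: Optional[date] = None


def record(patient_id: str, created: str, medicare: bool = False,
           died: Optional[str] = None) -> HealthRecord:
    """Build a record from ISO dates (helper for constructed sample data)."""
    return HealthRecord(patient_id, date.fromisoformat(created), medicare,
                        date.fromisoformat(died) if died else None)


def add_years(d: date, years: int) -> date:
    """Move d forward by whole years; Feb 29 falls back to Feb 28 in a common year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retain_until(rec: HealthRecord, state_min_years: int) -> date:
    """Earliest date on which the record may be scheduled for disposal.

    Each applicable rule yields its own deadline and the latest one wins, so a
    state minimum longer than HIPAA's extends the period while a shorter state
    minimum never reduces it below the federal floor.
    """
    deadlines = [
        add_years(rec.created, HIPAA_MIN_YEARS),
        add_years(rec.created, state_min_years),
    ]
    if rec.medicare_beneficiary:
        deadlines.append(add_years(rec.created, MEDICARE_MIN_YEARS))
    if rec.date_of_death is not None:
        deadlines.append(add_years(rec.date_of_death, HIPAA_YEARS_AFTER_DEATH))
    return max(deadlines)


def disposal_candidates(records: List[HealthRecord], state_min_years: int,
                        today: str) -> List[str]:
    """Patient IDs whose records have outlived every applicable retention rule."""
    cutoff = date.fromisoformat(today)
    return [r.patient_id for r in records
            if retain_until(r, state_min_years) <= cutoff]


if __name__ == "__main__":
    # Constructed sample: a retention job run in a state with a 10-year minimum.
    sample = [record("P001", "2012-08-14"),
              record("P002", "2005-01-01", died="2012-01-01"),
              record("P003", "2010-01-01", medicare=True)]
    for r in sample:
        print(r.patient_id, "retain until", retain_until(r, 10))
    print("disposable on 2020-01-01:", disposal_candidates(sample, 10, "2020-01-01"))
```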
Record Disposal
HIPAA states that record disposal is the responsibility of covered entities. Physical documentation can be shredded, burned, or pulverized. PHI on electronic media is sometimes disposed of by cleaning, purging, or destroying the device. The covered entity is at fault if any physical or electronic PHI is recovered at any point after the disposal of records.
The basic rule when disposing of an electronic device that contained e-PHI is to make sure the data on the device is unreadable, is indecipherable, and cannot be reconstructed. Following are three ways records on electronic media can be disposed of:
- Cleaning the device is when irrelevant data (1s and 0s) is written on the memory several times. This method is considered unacceptable in the healthcare environment by many technicians. The only reason cleaning a device is okay is when the device has never had PHI on it; for example, the gift shop computer or the server used to control HVAC in the facility.
- Purging or degaussing is when exposure to a strong magnetic field is used to purge data from the device.
- Destroying a device is when physical destruction is used to render a device useless. For example, you can drive a nail through a hard drive to make sure no one can recover the data that was once on that hard drive.
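The cleaning method together with the read-back check the chapter calls for (data must be unreadable and not reconstructable), as an added example not taken from the page: it overwrites every byte several times, then reads the media back and confirms that only zeros remain. It is written against an ordinary file standing in for the device (constructed sample contents) and assumes magnetic media; overwriting does not reach sectors a flash device has remapped, which is one reason cleaning alone is not accepted for media that held PHI.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # read/write granularity in bytes


def overwrite_media(path: str, passes: int = 3) -> int:
    """Overwrite every byte of `path` in place: `passes` passes of random data,
    then a final pass of zeros, syncing to the device after each pass.
    Returns the number of bytes overwritten."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for p in range(passes + 1):
            final_zero_pass = p == passes
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(bytes(n) if final_zero_pass else secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push the pass through the OS cache before the next one
    return size


def verify_zeroed(path: str) -> bool:
    """Read the media back, independently of the writer, and confirm that only
    zero bytes remain; any other byte means the cleaning pass did not cover it."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            if chunk.count(0) != len(chunk):
                return False


def sanitize_and_check(path: str, passes: int = 3) -> bool:
    """Cleaning followed by read-back verification; True only when both succeed."""
    overwrite_media(path, passes)
    return verify_zeroed(path)


def demo() -> dict:
    """Constructed example: a scratch file stands in for a small device image."""
    sample = b"CONSTRUCTED e-PHI record: patient P001, code M84.361A\n" * 2000
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(sample)
        path = tmp.name
    try:
        zeroed_before = verify_zeroed(path)  # False: the sample is still readable
        zeroed_after = sanitize_and_check(path, passes=2)
        size_preserved = os.path.getsize(path) == len(sample)
    finally:
        os.unlink(path)
    return {"zeroed_before": zeroed_before, "zeroed_after": zeroed_after,
            "size_preserved": size_preserved}


if __name__ == "__main__":
    print(demo())
```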
Learning Legal Best Practices and Documentation
Whether or not it is convenient, HIT technicians must deal with legal issues. You need to make sure you are covered for all possible legal issues, so that if any come up you will be prepared. Best practices and documentation need to be established for HIT technicians because of the necessity to be prepared for a legal issue. For example, HIT technicians are responsible for having the ability to audit all PHI accessed. With the ability to audit activity in information systems, if someone in the hospital violates HIPAA by viewing a patient’s record they should not have viewed, the IS can track who accessed the e-PHI involved in the violation. As another example, when you depend on a vendor to support the equipment in the lab, a contract with the vendor is needed to establish the time frame the vendor has to reply to repair needs. If the vendor is slow to respond to your repair requests, you have the contract to remind the vendor of its agreements and of the consequences of not meeting the commitments outlined.
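The role-based access control described under HIPAA controls above and the audit capability just described, as one added example that is not code from the chapter (the roles, users, permissions and patient IDs are constructed): permissions are attached to job roles when the IS is configured, each user inherits exactly the permissions of the role assigned at hiring, release to a party outside the covered entity requires a recorded written authorization regardless of role, and every attempt, allowed or denied, goes to an audit log that can answer who accessed a given patient’s record.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Permissions are attached to job roles when the IS is configured (approved once
# per role, not per employee). Constructed example roles, not a real facility's policy.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "nurse": {"read_chart", "write_vitals", "read_orders"},
    "lab_technician": {"read_orders", "write_lab_results"},
    "billing": {"read_diagnosis_codes", "submit_claim"},
    "vendor_support": {"read_chart"},  # business associate working under a BAA
}


@dataclass
class AuditEvent:
    when: datetime
    user: str
    role: str
    patient_id: str
    action: str
    allowed: bool


@dataclass
class EphiSystem:
    users: Dict[str, str]  # user -> role, assigned when the person is hired
    releases: Set[Tuple[str, str]] = field(default_factory=set)  # (patient, recipient) on file
    audit_log: List[AuditEvent] = field(default_factory=list)

    def _log(self, user: str, patient_id: str, action: str, allowed: bool,
             now: Optional[datetime]) -> bool:
        role = self.users.get(user, "none")
        self.audit_log.append(AuditEvent(now or datetime.now(), user, role,
                                         patient_id, action, allowed))
        return allowed

    def access(self, user: str, patient_id: str, action: str,
               now: Optional[datetime] = None) -> bool:
        """Role-based check: a user gets exactly the permissions of their role,
        no more, no less. Every attempt, allowed or denied, is recorded."""
        role = self.users.get(user, "none")
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        return self._log(user, patient_id, action, allowed, now)

    def disclose(self, user: str, patient_id: str, recipient: str,
                 now: Optional[datetime] = None) -> bool:
        """Release to a party outside the covered entity needs the patient's
        written authorization on file, whatever the user's role."""
        allowed = (patient_id, recipient) in self.releases
        return self._log(user, patient_id, f"disclose_to:{recipient}", allowed, now)

    def who_accessed(self, patient_id: str) -> List[AuditEvent]:
        """The question asked after a suspected violation: who touched this record?"""
        return [e for e in self.audit_log if e.patient_id == patient_id and e.allowed]

    def denied_attempts(self) -> List[AuditEvent]:
        """Denied attempts are worth reviewing too: they show who tried to exceed their role."""
        return [e for e in self.audit_log if not e.allowed]


if __name__ == "__main__":
    ehr = EphiSystem(users={"rn_ada": "nurse", "lab_bo": "lab_technician"})
    ehr.access("rn_ada", "P001", "read_chart")
    ehr.access("lab_bo", "P001", "read_chart")          # denied: not a lab tech permission
    ehr.disclose("rn_ada", "P001", "athletic_program")  # denied: no release on file
    for e in ehr.who_accessed("P001"):
        print(e.when.isoformat(), e.user, e.role, e.action)
```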
Hospitals and healthcare providers must use legal best practices to protect themselves from unwarranted lawsuits. Waivers of liability are forms used by healthcare entities to be protected from being inappropriately held responsible or sued for harm or debt. An example of a waiver of liability relates to Medicare. Medicare has a law that states healthcare providers are only responsible for providing services that are reasonable and necessary for a patient’s health. However, if a patient wants further healthcare, the patient can sign a waiver of liability to receive services not covered by Medicare if he agrees to pay out-of-pocket for the expense of the extra services.
HIPAA requires that when a covered entity requires the services of a person, company, or organization outside the organization, the covered entity must enter into contracts with these third parties. The purpose of this business associate agreement (BAA) is to establish rules for safeguarding e-PHI. Third parties need access to e-PHI to fulfill obligations to a covered entity. For example, a vendor needs access to data that might contain e-PHI to research a bug that needs to be fixed with the next update to an IS.
Access allowed to business associates must be limited to the minimum amount of access required to perform the necessary functions and activities of the job. This access is controlled by role-based access control. This access must be auditable for activity of the business associates, the same as auditing abilities are required for internal e-PHI activity.
For example, third parties need a BAA to access e-PHI data to perform the following functions:
- Insurance claims processing
- Data analysis
- Quality assurance
- Private practice office management
Covered entities often require third-party assistance with operations; for example, a software vendor might be contracted to support software and provide regular updates and bug fixes. It is recommended to have a service-level agreement (SLA). An SLA, much like a BAA, establishes how information is to be shared and used. It also sets expectations for service provided so everyone is on the same page and understanding.
In the previous example, a covered entity might use an IS vendor to support that IS and provide updates for bug fixes. The covered entity needs an SLA with the vendor. The SLA establishes the security protocols for the electronic transfer of e-PHI to the company as needed to resolve problems. The SLA also covers the protocol to reset passwords to access the software. The SLA establishes the support protocol, such as if users should call the vendor directly when an issue arises or if the users at a covered entity must go through the IT department to receive support from the vendor.
However, sometimes covered entities need to ensure that personnel and departments within their facility understand the rules regarding access to sensitive information. A memorandum of understanding (MOU) establishes a mutual understanding with personnel or departments that wouldn’t normally have access to sensitive information. For example, cafeteria workers might see PHI occasionally as they prepare meals for patients with special dietary needs. An MOU is needed to make sure the cafeteria workers understand the HIPAA rules about patient privacy.
Chapter Summary
Identifying Standard Agencies, Laws, and Regulations
- Covered entities are health plans, health clearinghouses, and healthcare providers.
- The U.S. Department of Health and Human Services (HHS) is tasked with protecting the health of Americans and providing a means to access healthcare by Americans who are least able to help themselves, containing and treating any national health emergencies, and testing and regulating food and drug supplies.
- The Centers for Medicare & Medicaid Services (CMS) is responsible for administering Medicare and Medicaid, as well as regulating standards for electronic transactions of claims, provider, and diagnostic codes.
- Version 5010 is the most recent standard format for electronic claims transactions.
- ICD-10 is the most recent standard format for electronic provider and diagnostic codes.
- The Office of the National Coordinator for HIT (ONC) is responsible for certifying EMR/EHR solutions as HIPAA-compliant.
- The National Institute of Standards and Technology (NIST) advances HIT security and usefulness of remote healthcare.
- Medicare is a social insurance program to provide hospital and medical care for elderly and certain disabled citizens.
- Medicaid is a social welfare program to provide health and medical services for certain citizens and families with low incomes and few resources. Medicaid participation by states is voluntary. Medicaid is administered by the states.
- Health Insurance Portability and Accountability Act (HIPAA) is a set of rules for protecting e-PHI (electronic protected health information).
- The Office for Civil Rights (OCR) enforces the HIPAA rules.
- HIPAA has four primary rules: Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule.
- The American Recovery and Reinvestment Act (ARRA), called the Recovery Act, aims to help citizens through the economic recession. In healthcare, the Recovery Act provides funding to HHS branches to help preserve and improve affordable healthcare in the United States.
- The Health Information Technology for Economic and Clinical Health (HITECH) Act creates incentive and opportunity for the advancement of HIT through the ONC.
- Meaningful use is the demonstration by healthcare entities that they use HIT in a meaningful way.
- Participants in the incentive programs are called eligible providers.
Learning HIPAA Controls and Compliance Issues
- HIPAA aims to ensure confidentiality, integrity, and availability of e-PHI.
- In the event of a violation, or breach, of HIPAA rules, fines may be imposed by the OCR.
- Covered entities are required to ensure confidentiality, integrity, and availability of e-PHI they create, receive, maintain, or transmit; identify and address risks to e-PHI; and ensure compliance by their workforce.
- Written permission must be obtained before e-PHI may be released or distributed to anyone to whom HIPAA does not otherwise permit disclosure.
- Covered entities must use role-based access control to restrict access to e-PHI by its personnel.
Learning Rules of Record Retention and Disposal
- The three types of health records are public, private, and legal.
- The public health record is used for the collection of public health data to be analyzed by researchers.
- The private health record is the health record created and maintained by an individual.
- The legal health record is collected and retained for use by the patient or legal services.
- Health records must be retained for a minimum of six years. States may add to the length of time for record retention.
- Disposed records must be unreadable, indecipherable, and unable to be reconstructed.
Learning Legal Best Practices and Documentation
- Waivers of liability are forms used by healthcare entities to protect themselves from being held inappropriately responsible for harm or debt.
- Business associate agreements (BAA) are used to ensure a mutual understanding of safeguards of e-PHI between a covered entity and a contracted third party.
- Service-level agreements (SLA) are used to establish how e-PHI is shared and used, as well as expectations of service provided.
- Memoranda of understanding (MOU) are used within a covered entity to ensure understanding of the safeguards of e-PHI among departments or personnel who may not normally be exposed to sensitive information.
Key Terms
- breach notification rule
- business associate agreement (BAA)
- covered entity
- electronic protected health information (e-PHI)
- eligible provider
- enforcement rule
- Health Insurance Portability and Accountability Act (HIPAA)
- healthcare clearinghouse
- ICD-9
- ICD-10
- legal health record
- meaningful use
- memorandum of understanding (MOU)
- privacy rule
- private health record
- public health record
- service-level agreement (SLA)
- Version 5010
- waiver of liability
Acronym Drill
Acronyms sometimes get confusing, especially when a single sentence can have four or five. As an HIT professional, you must know the acronyms and what they stand for. Fill in the blank with the correct acronym for the sentence.
- The divisions of the _____ involved in healthcare are the _____, the _____, and the _____.
Answer: __________________________________________________________
- The new standard of medical diagnosis and inpatient procedure coding, called _____, is required to be adopted by October 1, 2013, by ______-compliant facilities.
Answer: __________________________________________________________
- The _____ tests and certifies all _____ solutions to be _____-compliant.
Answer: __________________________________________________________
- The _____ enforces ______ rules to protect ______.
Answer: __________________________________________________________
- An _____ is used to establish how information is shared and to set expectations for service provided.
Answer: __________________________________________________________
Review Questions
- Which branch of the HHS controls the electronic standards of transaction for an insurance claim? And what is the current standard?
Answer: __________________________________________________________
- Which HHS division is responsible for enforcing HIPAA rules?
Answer: __________________________________________________________
- Do federal or state agencies administrate Medicare? Medicaid?
Answer: __________________________________________________________
- What does the HIPAA Enforcement Rule determine?
Answer: __________________________________________________________
- What are the goals of the meaningful use of technology in healthcare?
Answer: __________________________________________________________
- Why would an eligible provider want to demonstrate the meaningful use of technology?
Answer: __________________________________________________________
- What are possible breaches of e-PHI?
Answer: __________________________________________________________
- What is the purpose of a public health record?
Answer: __________________________________________________________
- What is the basic rule of thumb of record disposal?
Answer: __________________________________________________________
- Why are SLAs important and what do they establish?
Answer: __________________________________________________________
Practical Application
- The .gov websites are a great resource for HIT professionals. Suppose your boss asks you to develop a contract to be used to establish the SLA with a software vendor to support the software and provide fixes to bugs discovered. Rather than reinventing the wheel by making up your own contract, use an Internet search engine to find templates for contracts and checklists. Find a template on the http://www.hhs.gov website for an SLA/MOU document. Write down the websites where you found the documents.
Answer: __________________________________________________________
__________________________________________________________________
__________________________________________________________________
- Search online for two case examples and resolution agreements for HIPAA violations. You can find several in news articles, and the http://www.hhs.gov website gives some examples where acceptable resolution agreements were reached. What was the cause of the breach? What were the consequences of the breach? What was the resolution agreement reached? Were policies implemented to prevent the violation from happening again?
Answer: __________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
- While in the waiting room at the free clinic with three other patients, Nurse Jack calls out, “Patti Patient.” Patti Patient begins to walk to Nurse Jack. Before leaving the waiting room, Nurse Jack asks Patti Patient, “Has the herpes cleared up yet?” Is this a HIPAA violation? Why?
Answer: __________________________________________________________
__________________________________________________________________
__________________________________________________________________