hipaa and the legal medical record

HIPAA AND THE LEGAL MEDICAL RECORD

Chapter 2

Chapter 2 2

HIPAA AND THE LEGAL MEDICAL RECORD Learning Objectives

Discuss the importance of medical record documentation in the billing and payment process.

Define the facts that are included in patients’ protected health information (PHI).

Discuss the purpose of the HIPAA Privacy Rule.

Chapter 2 3

HIPAA AND THE LEGAL MEDICAL RECORD Learning Objectives

Describe what PHI can be released without patients’ authorization.

Discuss patients’ authorizations to use or disclose PHI.

Describe the purpose of a retention schedule. Discuss how to guard against potentially

fraudulent situations.

Chapter 2 4

Key Terms Acknowledgment of

Receipt of Notice of Privacy Practices

Authorization Clearinghouse Compliance plan Documentation Fraud

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA Privacy Rule Medical records Minimum necessary

standard Notice of Privacy

Practices

Chapter 2 5

Key Terms (cont’d)

Office of Civil Rights (OCR)

Protected health information (PHI)

Retention schedule Subpoena Subpoena duces tecum Treatment, Payment, and

Operations (TPO)

Chapter 2 6

Patient Medical Records Contain all facts, facts, findings,findings, observations observations

of patients’ health historyof patients’ health history Provide for continuity of care and continuity of care and

communicationcommunication among providersamong providers Provide data data for medical research Are used for medical educationmedical education Document course of treatmentcourse of treatment Are used to prepare insurance claimsprepare insurance claims ARE LEGAL DOCUMENTS

Chapter 2 7

Documentation StandardsDocumentation Standards

DocumentationDocumentation – is the systematicsystematic, logicallogical, and consistent recordingrecording of a patient’s health status, history, examinations, tests results of treatments, and observations in chronological order in a patient medical record. Records must be clear:

Medical records must be completecomplete & accurate.accurate. If the records are handwritten, the entries should be

legible to others, Entries must be made in “Black Ink” (not pencil), and

dated.

Chapter 2 8

Documentation Standards Documentation Standards ContinueContinue

Entries must be signed & dated: Digital , transcribed or handwritten entries made

by the provider must have a signature/initials and title of the responsible provider and the date of service.

Chapter 2 9


Changes must be clearly made: An incorrect entry is marked with a single line single line thru

the words to be changed; the correct informationcorrect information is entered after it, so that the

previous copy can be read. CorrectionsCorrections are dateddated and signedsigned by the person

making the change. No part of a record should be otherwise altered,

removed, or destroyed.

Chapter 2 10


No blank spaces may be left between entries: Entries are made chronologicallychronologically, without spaces

between them, to prevent out-of order entries.out-of order entries.

Each patient should have a single record: Each patient should have only oneone medical record medical record

(unit record). A separate file should be in the patient’s Medical

Record when a Worker’s Compensation claims are involved.

Chapter 2 11


Records should use consistent vocabulary and format: All entries should reflect standardstandard, accepted medical medical

vocabularyvocabulary and abbreviations. abbreviations. All medical records in a practice consistently All medical records in a practice consistently should be

labeled labeled and have logical sections.logical sections.

Diagnostic information must be easy to locate: Past Past & & Present Present diagnoses should be placed so that they are diagnoses should be placed so that they are

easy to locateeasy to locate by each physician who uses the medical record.

Chapter 2 12


Practitioners’ entries must be made promptly: Entries Entries should be made in a timely mannertimely manner and ; FiledFiled in a consistent chronological orderchronological order, either

ascending or descending.

Chapter 2 13

Documentation Formats Document Formats – are used to organize

patients’ medical records. Problem-Oriented Medical Record

(POMR) Most common format used in the general

medical practices Contain a general section with data from the

initial patient examination and assessment.

Chapter 2 14

Documentation Formats Problem-Oriented Medical Record (POMR) - Cont

When patient makes subsequent visits, the reasons for those encounters are listed separately in a problem list, each with its own notes about the patient condition.

EXAMPLE: Patient must have a General section followed by sections labeled according to each encounter.

Progress Notes for each Problem are in the SOAP Format beginning with the Problem and then four points:

Subjective & Objective Assessment & Plan

Chapter 2 15

SOAP Format SSubjective

OObjective

AAssessment

PPlan

What the patient reports

The Objective information Includes: the physical exam

and laboratory reports or test.

The physician’s impression/conclusion, or diagnosis of the

Subjective & Objective information

Treatment and follow-up, advice

Chapter 2 16

Documentation Content

Providers – follows specific guidelines to document encounters.

Initial exam and assessment show the treatment plan for the patient.

Progress Reports

Progress Reports documents the patient’s progress and response to the treatment plan

PAUSE & PRACTICEPAUSE & PRACTICE Figure 2-1Figure 2-1 – Page 24Page 24 Figure 2-2 Figure 2-2 – Page 25Page 25

Chapter 2 17

Protected Health Information Protected Health Information (PHI) & (PHI) & Medical RecordMedical Record

HIPAA’s (Health Insurance Portability and Accountability Act)

regulates how electronic patient information is stored and shared.

HIPAA’s has three rules that are important in medical office:1. HIPAA Privacy Rule – The Privacy requirements

cover patients’ health information.

2. HIPAA Security Rule – The security requirements state the administrative, technical, and physical safeguards that are required to protect patients’ health information.

Chapter 2 18

Protected Health Information Protected Health Information (PHI) & (PHI) & Medical RecordMedical Record

HIPAA’s three rules Cont:

3. HIPAA Electronic Transaction and Code Sets Standards – These standards require every provider who does business electronically to use the same health care transactions, code sets, and identifiers.

Chapter 2 19

Patients’ ProtectedPatients’ ProtectedHealth Information Health Information (PHI)(PHI)

HIPAA’s Privacy Rule – defines PHI PHI as individually identifiable health informationidentifiable health information that is transmitted by electronic media, such as:

Internet, or; Stored in office Computer Files

Chapter 2 20


Contains many factsfacts about a person, such as the patient’s: Name Birth date Telephone Address Employer Social Security Number

Chapter 2 21


HIPAA Privacy Rules (Health Insurance Portability & (Health Insurance Portability &

Accountability Act)Accountability Act) regulates the use and disclosure of patients’ Protected Health InformationProtected Health Information HIPAA Privacy RuleHIPAA Privacy Rule must be followed by:

Health Plans Health Care Clearinghouses Health Care Providers, and other businesses

Chapter 2 22


Privacy Practices – also set the things that medical offices must do to properly handle patients’ PHIPHI:: Medical offices must adopt privacy practicesprivacy practices that are

appropriate for its health care services.

The practicepractice must notify patientsnotify patients about their privacy privacy rightsrights and how their informationhow their information may be used used or disclosed.disclosed.

Chapter 2 23


Privacy Practices Continue Office employees must be trainedmust be trained so that they understand

the privacy practices.privacy practices.

A staff member must be appointedmust be appointed as the office’s privacy office’s privacy officialofficial and be responsible for seeing that privacy practices are adopted and followed.

Patients’ recordsPatients’ records containing individually identifiable health information must be maintained and storedmust be maintained and stored so that they are not readily available to those who do not need them.

Chapter 2 24


Notice & Acknowledgement of Receipt of Notice of Notice & Acknowledgement of Receipt of Notice of Privacy PracticePrivacy Practice To comply with the “Privacy Rule”, medical offices,

providers and Health Plans must give each patient an explanation of privacy practices during the patient’s first encounter.

To satisfy this requirement, medical offices give the patient a copy of their “Notice of Privacy Practices”“Notice of Privacy Practices”

The Notice explain how the patients’ PHIPHI may be used and describes their rights.

Patients must review & sign an “Acknowledgment of “Acknowledgment of Receipt of Notice of Privacy Practices”.Receipt of Notice of Privacy Practices”.

Chapter 2 25


Sharing Protected Health InformationSharing Protected Health Information The “Privacy Rule” determines the three (3) waysthree (3) ways PHIPHI can

be released without the patient’s permission: treatment,treatment, payment,payment, and operation operation (TPO)

TTreatment PPayment OOperation

Providing and coordinating the patient’s Providing and coordinating the patient’s medical care.medical care.The exchange of information with The exchange of information with Health plans.Health plans.

Business functions need to run the office.Business functions need to run the office.

Chapter 2 26


Minimum Necessary Standard - The principle that individually identifiable health informationindividually identifiable health information should be disclosed only to the extent needed only to the extent needed to support the purpose of the to support the purpose of the disclosure.disclosure.

Avoid using a Avoid using a FaxFax transmission for confidential transmission for confidential information.information.

Follow Follow medical office standardsmedical office standards when sending when sending confidential information via email.confidential information via email.

Chapter 2 27


Office of Civil Rights (OCR)/Health & Human Services (HHS) Investigate written Investigate written complaintscomplaints of patient who experience of patient who experience

privacy problems with the a provider.privacy problems with the a provider. Patient submit complaints within Patient submit complaints within 180 days180 days of occurrence. of occurrence. The Provider must cooperate with the OCR/HHS’ The Provider must cooperate with the OCR/HHS’

investigator, by granting access to: investigator, by granting access to: Facility, books, records and:Facility, books, records and: Systems, including relevant protected health information.Systems, including relevant protected health information.

Chapter 2 28

AuthorizationFor us or disclosure of PHI other than for treatment,

payment, or operation (TPO), the patient must sign

an authorization to release the information.

Example Alcohol and Drug Abuse may not be released

without a specific authorization from the patient

Chapter 2 29

Authorization - Continue

Authorization Document must be in plainlanguage and include:

Description of the information to be released Who can use or disclose the information Who will receive it For what purpose An expiration date Patient’s signature and date

Chapter 2 30

Exceptions to the Privacy RuleExceptions to the Privacy Rule

Release Under Court Order Subpoena - A court order to testify. Subpoena (duces tecum) – a court order to testify & to bring

specific documents or other items.

Workers Compensation State LawState Law may provide for release of records to employers in

workers’ compensation

Statutory Reports Certain information are required by State LawState Law to be released

to State Health State Health oror Social ServicesSocial Services

Chapter 2 31

Exceptions to the Privacy Rule

HIV & AIDS Every State requires AIDSAIDS cases to be reported. Most states also require reporting of the HIV reporting of the HIV

infection that causes the syndrome.infection that causes the syndrome. State LawState Law varies concerning whether only the fact

of a case is to be reported, or if the patient’s name must also be reported.

The Medical Office’s guidelinesMedical Office’s guidelines will reflect the State LawsState Laws & must be strictly observed to protect patient privacy & comply with regulations.

Chapter 2 32

Exceptions to the Privacy Rule

Research Data PHIPHI may be made available to researchers approved by the

practice.

Example:Example: If research is being conducted on a specific type of Diabetes,Diabetes, the practice may share information from the appropriate records for analysis.

De-Identified Health Information There is no restrictions on the use or disclosure of “de-identified”

health information that does not identify an individual.

Chapter 2 33

Retention Schedule – is a practice policypractice policy that governs which information from the patients’ medical record is to be stored.

Retention schedule is based on: The laws of states and, Federal regulations, if the office sees

Medicare or Medicaid patients.

Records Retention

Chapter 2 34

The Retention Schedule determines: What information should be kept, How long information should be kept, and In what medium,what medium, such as paper, microfilm or

computer files. Retain both patientpatient and practicepractice records

Records Retention - ContinueContinue

Chapter 2 35

Records Detail patient treatmentpatient treatment, insurance insurance

recordsrecords, and legal supportlegal support for the patient, if needed

Is a legal documentation of treatment Can be Audited for up to Seven (7) years

Records Retention - - ContinueContinue

Chapter 2 36

Intentional Misrepresentation HIPAA defines health care fraud as a crime

Set-up Health Care FraudHealth Care Fraud and Abuse ControlAbuse Control Program to coordinate federal, state and local law enforcement thru investigations, audits, evaluations & inspections.

If Fraud is determined: Law permits fines up to $10,000 per item or service which fraudulent

payment was received. Criminal penalties – fines & imprisonment if “knowingly” planning to

obtain money or property owned by the health care benefit program.

KnowinglyKnowingly is key word in fraud cases

Avoiding Fraud

Chapter 2 37

Fraudulent Situations include: Altering Charts Upgrading or falsifying procedures Over Billing

Compliance Plans (OIG)(OIG) Office of Inspector General – is a Government Agency that

investigates investigates and prosecutes prosecutes fraud against government health care programs, such as MedicareMedicare.

Avoiding Fraud

Chapter 2 38

OIG’s Compliance ProgramCompliance Program for Individual and Small Group Physician Practices to Write,Write, then Communicate to Staff.

1. Conducts audits and monitoring 2. Implements compliance and practice standards3. Appoints compliance officer4. Provides staff training5. Responds appropriately to problems6. Ensures avenues of communication7. Enforces standards/publicizes rules

Compliance Plans(OIG)(OIG)

Chapter 2 39

Avoid Fraud: Make sure that all insurance informationinsurance information is true true. Do not add add a diagnosis diagnosis or procedureprocedure code unless it is

accurate. If the Medical Insurance SpecialistMedical Insurance Specialist discovers that

something has been left outleft out, the Specialist must ask the ask the Physician to update the recordsPhysician to update the records before information is entered on the claim form.

Make sure that requested Audit RecordsAudit Records are available and signed by the Physician.

The Medical Insurance Specialist’s Role

Chapter 2 40

A _________________________ presents a medical office’s principles and procedures regarding PHI.

PHI

Individually identifiable health information that is transmitted electronically. _______

Quiz

Notice of Privacy Practices

retention schedule The ____________________ identifies what, where and for how long data is kept.

Patient information may be released to a family friend. (T/F) False, unless patient signs release.

Chapter 2 41

_________________________ is a Government agency that enforces the HIPAA Privacy Act?

QuizOffice of Civil Rights

(OCR)

_________________________ is Government agency that investigates and prosecutes fraud against government health care programs such as Medicare

Office of Inspector General (OIG)

hipaa and the legal medical record

Documents