When you are Fraudulent and don’t know it…. · 2018-10-23


Page 1

HIPAA Compliance

Presented by: Mark A. Davini, DC, DABCN; Paul P. Andrews, LMT, CCCA

Page 2

Provide reliable education, resources and tools of practice for clinical and business development, compliance and professional growth.


Page 3

Mark A. Davini, DC, DABCN

• 1981 graduate of Palmer College of Chiropractic

• 24 years in active practice

• Diplomate in Chiropractic Neurology

• Certified Chiropractic Industrial Consultant

• Past Chairman of the MA Board of Registration of Chiropractors

• Mass Chiropractic Society, Vice-President of Public Information and Education

• Mass Chiropractic Society, Chairman of the Ethics Committee

• Lecturer for various state and national associations’ continuing education programs, including chiropractors, nurses, dentists, the Council on Licensing, Enforcement and Regulation for the Commonwealth of MA, and the University of Massachusetts Medical School.

• Dr. Davini holds 3 U.S. patents for a brace on Carpal Tunnel Syndrome

• Co-Developer of TOP Education, LLC

• Active in the defense of chiropractors involved in malpractice litigation.

• Compliance Auditor/Clinical Monitor as well as a pattern practice analyst

• Awarded 2 U.S. Patents on the “M-Brace” for Carpal Tunnel Syndrome

• “Chiropractor of the Year” - Massachusetts Chiropractic Society in 1996.

• “Doctor of the Year” - Worcester County Chiropractic Society in 1987

Page 4

Paul P. Andrews, LMT, CCCA

• 1997 – Started as a Chiropractic Assistant

• 1999 – Began consulting for chiropractic offices

• 1999 – Began teaching seminars

• 2002 – Started Andrews Billing Solutions

• 2002 – MCS Valuable Service to the Chiropractic Profession Award

• 2003 – Membership Coordinator for the Massachusetts Chiropractic Society Inc. until 2009

• 2006 – Appointed to Mashpee, MA Board of Assessors

• 2006 – MCS Valuable Service to the Chiropractic Profession Award

• 2008 – Public Member, Massachusetts Board of Registration of Cosmetology. (Served as Board Chair from July 2013 – May 2015)

• 2013 – Board Member Massachusetts Board of Massage Therapists, (Serves as Board Chair from April 2015 to present)

• 2013 – Co-founded TOP Education, LLC with Dr. Mark Davini

• 2013 – Certified Chiropractic Clinical Assistant


Page 5

KNOCK KNOCK.

WHO’S THERE?

HIPAA.

HIPAA WHO?

I CAN’T TELL YOU….

Page 6

HIPPO HIPPO

HIPPA HIPPA

HIPAA: Health Insurance Portability And Accountability Act of 1996

Page 7

Enacted by the US Congress and signed by President Bill Clinton in 1996. It has been known as the Kassebaum–Kennedy Act after two of its leading sponsors.

The Act Consists of Five Titles:

• Title I - protects workers’ and their families’ health insurance coverage when they change or lose their jobs.

• Title II - sets national standards for EHR, insurance plans, and employers.

• Title III - sets guidelines for pre-tax medical spending accounts.

• Title IV - sets guidelines for group health plans

• Title V - governs company-owned life insurance policies

Page 9

1996 - HHS enacted Privacy Rules to safeguard PHI

2003 - Privacy portion of HIPAA became effective

2005 - Security Rule enacted, protecting ePHI

2006 - HIPAA II - Administrative Safeguards

2009 - HITECH Act (Health Information Technology for Economic and Clinical Health): EHR incentives

2011 - Security Risk Analysis - Meaningful Use

2013 - Omnibus Final Rule

Page 10

Final Rule Changes:

• Enforcement and Penalties

• Business Associates

• Breach Notification

• Expanded Patient Rights

• Electronic Health Records

• Marketing and Fundraising

Page 12

Accountability:

• Standards and safeguards to maintain privacy that protect patients' health information provided to health plans, doctors, hospitals and other health care providers.

Portability:

• Portability allows eligible insureds to “port” (continue) their Group Life insurance coverage when they are in danger of losing that coverage because their employment is being voluntarily or involuntarily terminated.

Page 13

Definitions:

• P.I. - Private Information

• P.H.I. - Protected Health Information

• e.P.H.I. - Electronic Protected Health Information

• T.P.O. - Treatment, Payment & Operations

• C.E. - Covered Entity

• BA - Business Associate

• BAA - Business Associate Agreement/Contract

• O.I.G. - Office of the Inspector General

• H.H.S. - Health and Human Services

• O.C.R. - Office of Civil Rights

• O.S.H.A. - Occupational Safety and Health Administration

• D.O.J. - Department of Justice

Page 14

PHI – ePHI - PI

PHI – ePHI – PI includes:

• Paper Records, EHR Records, Billing Records, Transcriptions, Identity Protection

Treatment, Payment & Operations (TPO):

• Those procedures and protocols an office needs to perform daily business transactions, when sharing PHI – EPHI – PI

Groups Under HIPAA - Covered Entities (CE):

• Providers - Physicians, Dentists, Nurses, Psychologists, Pharmacies, Labs, Nursing Homes, DME Suppliers. (DCs are under Physicians)

• Health Plans - Health insurance Companies, HMOs, Government Programs

Page 15

Groups Under HIPAA – Business Associates (BA):

• All 3rd party vendors and business partners that work with your PHI.

• Generally anyone who is not otherwise bound by HIPAA or state law, e.g. TX

• If a CE engages a BA to help carry out health care activities and functions, the CE must have a written Business Associate Agreement/Contract with the BA that establishes specifically what the BA does and requires the BA to also protect the privacy and security of PHI.

• Each BA must preserve PHI down the line, e.g. if they further subcontract out services.

• All BAs must sign a Business Associate Agreement/Contract

Page 16

Business Associates Agreements/Contracts (BAA):

• Contracts with vendors or others that require limited or full access to PHI – EPHI – PI

• Written assurances that the BA will safeguard shared PHI

• Defines their responsibilities

• HIPAA now applies directly to BAs, and they are subject to the same penalties

• Subcontractors are considered BAs.

• BAs are required to notify the CE of a Breach on their end or downstream of them

Page 17

Examples of who needs to sign a BAA:

• Legal

• Accounting

• Consulting

• Billing

• Information Technology (I/T) support

• Answering Services

• Records Storage

• Transcriptionists

• Downstream subcontractors

• Must continue down the line……..

Page 18

Examples of who does not need to sign a BAA:

• Health Care providers

• Plan sponsors (HMOs, PPOs etc.)

• Government Agencies

• Banks

• Researchers

• Incidental Contact with PHI, e.g. janitorial service

• HIPAA has said that as long as the person or organization acts merely as a “conduit” for PHI without accessing it, they are not BAs, e.g. postal service, private couriers, internet service providers.

• Conduits, e.g. Postal service

Page 19

Business Associate Agreements are required by HIPAA between you and any person or entity that works with your office’s Protected Health Information and IS NOT an employee.

Page 21

Structure

Administrative Simplification - Accountability

• HHS standardized the way ePHI is exchanged, e.g. speak the same language

• Soon EHR will be required to have Stage 3 certification.

• Applies to all forms of information: electronic, paper or oral.

• Decreases administration costs

• Decreases errors

• Improves quality of info

• Improves business to business communications

• Improves security

• Focus is on the right of the individual to control use of their PHI

• Prohibits a CE from using or disclosing PHI unless otherwise allowed.

• CEs must have a written, established set of policies and procedures: a Compliance Program

• When state laws are more strict, the more strict standard applies. Example: TEXAS HB300

Page 22

Administrative Simplification - Categories:

• Transactions Standards - Standardizes procedures

• Code Sets - Standardizes reporting

• Identifiers - Standardizes electronic transactions and data

• Privacy Rule - Controls use and disclosure of PHI

• Security Rule - Safeguards procedures and protocols of PHI, specifically ePHI

Page 23

Administrative Simplification - Transactions Standards:

• Claims

• Enrollment and disenrollment in health plans

• Response to eligibility, coverage, or benefit inquiries

• Payment to providers

• Premium payment to plans

• Claims status inquiries and responses

• Referrals and authorizations

Page 24

Administrative Simplification - Code Sets:

• ICD-10 (Dx) - International Classification of Diseases (ICD-11 just released for review)

• CPT (Tx & Testing) - Current Procedural Terminology

• HCPCS II (Supplies & Equipment) - Healthcare Common Procedure Coding System

• CDT (Tx) - Current Dental Terminology

• NDC (Tx) - National Drug Codes

Page 25

Administrative Simplification - Unique Identifiers:

• Providers - National Provider Identifier (NPI)

• Employers - Employer Identification Number (EIN)

• Health Plans - Health Plan Identifier (HPID)

• Patients - Health Individual Identifier or Healthcare ID (HII) (on hold)

Page 27

Administrative Simplification - Privacy Rule - Individual Rights:

• Right to request special protection.

• Right to request confidential communications.

• Right to inspect and copy PHI-ePHI-PI.

• Right to amend and supplement PHI-ePHI-PI.

• Right to an accounting of disclosures.

• Right to a paper or electronic copy of Privacy Notice.

• Right not to disclose to their commercial health plan items or services they paid for in full out-of-pocket.

• Right to have clearly written explanations of how their PHI will be used, stored and disclosed.

• Right to detailed authorizations for disclosures made other than for TPO

• Right to minimum necessary info to comply with request

• Right to not disclose genetic information to health plans

• To receive a NOTICE of PRIVACY PRACTICES

Page 28

Administrative Simplification - Privacy Rule - Individuals Rights using EHR:

• Access to ePHI in electronic form

• Designate 3rd party to receive ePHI

• Maintain an accounting of disclosures for 3 years

In North Carolina, hospitals must keep medical records of adult patients for 11 years after the patient’s discharge, and of minor patients until the minor’s 30th birthday. It is recommended that other health care providers keep their medical records at least 6 years. Records related to treatment received under Medicare must be kept 7 years. Many providers keep their records for longer periods of time.

Page 29

Administrative Simplification - Privacy Rule - Cannot Disclose Individually Identifiable Information:

• Identifiers in PHI that can be linked back to an individual. Examples:

• Name

• Address

• E-Mail

• Insurance number

• SSN

• Photographs

• Biometrics

Page 30

Administrative Simplification - Privacy Rule - Disclosure Exceptions

• Emergencies involving imminent threat to the health and safety of the individual or the public

• Where required by law

• Law enforcement

• Judicial proceedings

• Health care oversight activities, federal and state

• Public health activities

• Specialized government functions

• Worker’s Compensation

• To coroners, Medical Examiners, funeral directors

Page 31

Administrative Simplification - Privacy Rule - Disclosures that are Incidental:

• Sign in sheets

• Patient charts at bedside

• Doctors talking in semi private rooms

• Doctors talking with staff (if reasonable tone is used)

• Make all efforts to avoid casual display, e.g. lay files name-side down on the desk.

• Do not reference patients on social media even if not by name.

• Maintain low volume with all discussions.

Page 32

Administrative Simplification - Privacy Rule - Disclosures Permissible w/o Authorization:

Treatment, Payment & Operations (TPO): those procedures and protocols an office needs to perform daily business transactions when sharing PHI – EPHI – PI:

• Medical Tx

• Determination of eligibility of coverage

• Billing

• Claims Management

• Conducting quality assessments

• Evaluation of healthcare performance

• Referring to another health care provider

• Providing SOAPs when a carrier requests them

• Providing information if requested by a Medicare CERT contractor or licensing board, or other authorized government agency, etc.

Page 33

Administrative Simplification - Privacy Rule - Disclosure Authorizations Required:

• Clinical Research

• Releasing information to drug companies

• Fundraising

• Patient facilitator

• Marketing

Page 34

Administrative Simplification - Privacy Rule- Disclosure Authorization Inclusions:

• Must describe the intended use in specific terms

• May not be a condition for patient to receive Tx

• Cannot be combined within the Privacy Notice

Administrative Simplification – Privacy Rule if PHI used for research:

• State expiration date or language stating valid unless revoked

• Provides instruction on how to revoke

Administrative Simplification - Privacy Rule- Disclosure Minimum Necessary:

• CEs must make all reasonable efforts not to disclose more than the minimum amount of PHI necessary to accomplish the intended purpose for the disclosure.

Page 35

Administrative Simplification - Privacy Rule - De-Identification:

• Signed authorization to use Individually Identifiable Information

• De-Identify the information by ensuring all Individually Identifiable Information is deleted.

• Individually Identifiable Information may be used as long as no means of re-identification is disclosed.
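As an added example (not from the slides), the following Python shows one way an office system could de-identify a record before it is shared: the direct identifier fields the slide lists are dropped, SSNs and e-mail addresses embedded in free-text notes are scrubbed, and a final check confirms nothing identifying remains. It goes slightly beyond the slide by also handling identifiers hidden in free text; the field names, regular expressions and the sample record are constructed for this example.

```python
"""De-identification of a patient record (added example, not the deck's own
code).  Drops the direct identifier fields the slide lists, scrubs SSNs and
e-mail addresses that leaked into free text, and verifies the result before
release.  Field names and the sample record are constructed for this example."""

import re

# Identifier fields named on the slide (name, address, e-mail, insurance
# number, SSN, photographs, biometrics); these are removed outright.
IDENTIFIER_FIELDS = {
    "name", "address", "email", "insurance_number", "ssn",
    "photograph", "biometrics",
}

# Patterns for identifiers that tend to leak into free-text notes
# (US-style SSN and e-mail address).  Constructed for this example.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def scrub_text(text: str) -> str:
    """Replace SSNs and e-mail addresses inside free text with fixed tokens."""
    text = SSN_RE.sub("[SSN REMOVED]", text)
    return EMAIL_RE.sub("[EMAIL REMOVED]", text)


def de_identify(record: dict) -> dict:
    """Return a new dict with all listed identifiers removed.

    The original record is left untouched.  The copy carries no key or
    mapping back to the patient, so no means of re-identification is shared.
    """
    out = {}
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS:
            continue                      # direct identifier: drop the field
        if isinstance(value, str):
            value = scrub_text(value)     # identifier embedded in free text
        out[key] = value
    return out


def find_residual_identifiers(record: dict) -> list:
    """Release check: list anything that still looks like a direct identifier.

    An empty list means de-identification succeeded for the checks we run.
    """
    problems = []
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS:
            problems.append(f"field '{key}' still present")
        if isinstance(value, str) and (SSN_RE.search(value) or EMAIL_RE.search(value)):
            problems.append(f"identifier pattern in field '{key}'")
    return problems


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "address": "1 Example Street, Sampletown, MA",
    "email": "jane.sample@example.com",
    "insurance_number": "INS-000-TEST",
    "ssn": "123-45-6789",
    "dx_code": "M54.5",
    "visit_date": "2018-10-23",
    "note": "Pt confirmed SSN 123-45-6789 and e-mail jane.sample@example.com at intake.",
}


def demo() -> dict:
    """De-identify the sample record and refuse to return it if a check fails."""
    clean = de_identify(SAMPLE_RECORD)
    residual = find_residual_identifiers(clean)
    if residual:
        raise ValueError(f"record not safe to share: {residual}")
    return clean


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```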

Page 37

Administrative Simplification - Security Rule:

• Federally mandated “floor” of protection

• Comprehensive

• Scalable

• Technology neutral

ePHI Examples:

• EHR

• Electronic claims

• Computerized databases

• Digital radiography

• Email and Texts

• Printed ePHI from EHR

Page 38

Administrative Simplification - Security Rule - Purpose:

• Ensure confidentiality, integrity, and availability of ePHI

• Protects against reasonably anticipated hazards to ePHI (fires, floods etc.)

• Protects against any reasonably anticipated uses or disclosures of ePHI

• Ensure compliance by workforce

Page 39

Administrative Simplification - Security Rule - Reference:

• 95% of healthcare offices have internet

• 25% have no firewalls

• 65% integrate web applications

• 24% conduct Security Risk Analysis

• 71% have EHR

Page 40

Administrative Simplification - Security Rule - General Requirements:

• Technical Safeguard controlling access to computer systems

• Physical Safeguards controlling physical access to PHI

• Administrative Safeguards demonstration of compliance with security Rule

Need for security

Page 41

Administrative Simplification - Security Rule - Administrative Safeguards:

• Lower level Security Management

• Workforce Security

• Security awareness and training

• Emergency Action Plan/Contingency Plan

• Setting standards to protect PHI, more specifically ePHI

• Assigning a Privacy Officer/Compliance Officer

• Records Retention of minimum 6 years

• Procedures and protocols in place in support of rights and safeguards

• Business Associate Agreements/Contracts

Examples:

• Compliance program in place

Page 42

Administrative Simplification - Security Rule - Physical Safeguards:

• Median level Security Management

• Facility Access Controls

• Workstation Use

• Workstation Security

• Device and media controls

Examples:

• Servers in secure space, backups, locked cabinets, screen savers

Page 43

Administrative Simplification - Security Rule - Technical Safeguards:

• Highest level Security Management

• Access control

• Audits

• Security Risk Analysis

• Personnel Authentication

• Transmission Security

Examples:

• Usernames & password maintenance, logs, firewalls

Page 44

Administrative Simplification - Security Rule - Technical Safeguards - Mobile Devices:

Page 45

Administrative Simplification - Security Rule - Flexibility:

• It takes into account CE size, complexity, and capabilities

• Their infrastructure, hardware, and software capabilities

• Cost of security measures

• Probability and criticality of potential risks to ePHI

• Access to and use of ePHI

Page 46

Insurance Reform – Portability

• Limitation on pre-existing conditions

• Prohibits discrimination

• Prevents insurers from imposing limits on pre-existing conditions

• Guarantees renewal of health insurance policies once in place

Page 48

BREACH

“Unauthorized acquisition, access, use, or disclosure of PHI which compromises the security of the PHI.”

Page 49

Breach – has happened when:

• Unsecured PHI is discovered by the CE.

• PHI is compromised, i.e. breach poses threat of financial, reputational, or other harm to the individual.

Page 50

Breach – has not happened when:

• There is an unintentional acquisition, access, use or disclosure of PHI by an employee if act was in good faith, within scope of authority with no repercussions.

• There is inadvertent disclosure from one HIPAA entity to another HIPAA entity.

• After the disclosure there is no reasonable expectation the information was retained, e.g. mis-mailed EOB that was returned to the office unopened.

Page 51

Breach - Notification:

• HIPAA requires a defined written procedure for the notification policy on a breach of PHI-EPHI-PI.

• Breach affecting 500 or more individuals: report at the same time the individuals are notified

• If less than 500 maintain report and log. Report annually within 60 days of end of calendar year.

• If more than 500, requires a Press Release

Page 52

Breach - Risk Assessment:

• What PHI was involved, e.g. social security number worse than internal ID number

• Who used or received the PHI, e.g. another HIPAA entity or not

• Was the PHI actually acquired or viewed, or was there only the opportunity? E.g. a laptop stolen and recovered, where analysis shows the encryption was not compromised

• To what extent have the risks been mitigated, e.g. assurances from the unauthorized recipient that a misdirected fax was destroyed

Page 53

Breach - Individual Notification:

• First day is day of discovery

• Without unreasonable delay and in no case later than 60 calendar days.

• Standard Notice to affected individuals, e.g. written letter first class

• Substitute Notice if standard Notice contact info outdated

• If fewer than 10 individuals, e.g. posting on the entity’s web site home page, e-mail or telephone

• If 10 or more, must be in the form of a Conspicuous Posting for 90 days, e.g. the entity’s web site home page or broadcast media.

• Must offer a toll free number to contact

Page 55

Enforcement and Penalties:

• Civil Offense: Fines from $100 to $50,000 per violation, capped at $25,000 to $1.5 M for the same violation recurring in a calendar year.

Enforcement through the Office of Civil Rights (OCR) within HHS

• Criminal Offense: Unauthorized use or disclosure with intent to sell, transfer or otherwise result in personal gain. Fines up to $250,000 and up to 10 years in prison.

Enforcement through the Department of Justice.

Page 56

Enforcement and Penalties:

Category                                    Each Violation        Max/year for multiple identical violations
_____________________________________________________________________________
• Did not know                              $100 to $50,000       $1.5 Million
• Reasonable cause                          $1,000 to $50,000     $1.5 Million
• Willful neglect, corrected < 30 days      $10,000 to $50,000    $1.5 Million
• Willful neglect, not corrected < 30 days  $50,000               $1.5 Million

Page 57

Examples:

• Verifying benefits within earshot of other patients or other people

• Booking diagnostics for a patient within earshot of other patients or other people

• Talking about a patient within earshot of others

• Greeting family and friends of patients

o Asking how “Bob’s doing”

o Acknowledging them as patients

• Discussing patients with co-workers in the public

• Subpoena requests

o Is Authorization attached

o Is Plaintiff Attorney challenging release of records

• Is new staff being trained for HIPAA compliance

• Is it documented

Page 59

How does this all work in the office?

Your Compliance Program

Page 60

I am already compliant because…

My claims get paid without question.

I have a HIPAA manual …. somewhere.

I paid an attorney to create my Personnel Policy.

I bought a compliance binder, let me get the dust off it and I’ll show you.

Page 61

Simple Quiz

Do you have a personalized, state specific compliance program in place?

Do you have a designated Compliance Officer?

Do you have Business Associate Agreements/Contracts in place?

Do you have annual Security Risk Analyses?

Do you complete mandated annual trainings for all staff?

Do you have your office and staff screened through Federal and State Exclusion Lists?

Do you have regular internal audits, i.e. Facility-Billing-Coding-Documentation-HIPAA-Personnel?

Do you have logs, personnel policies, procedures manual, training program etc.?

If no to one or more, you are probably not “compliant”

Page 62

Definitions:

Compliance - Conformity in fulfilling official requirements

Compliance Officer - Qualified individual oversees implementation & administration of Compliance Program

Compliance Program - Policies and procedures defining Compliance in your office

Compliance Manual - Written expression of your Compliance Program

Page 63:

A compliance program should thread into the fabric of your daily operations.

“The daily application of a compliance program must transcend just words and include practical applications defined in a workable manual.”

Office of the Inspector General

Page 64:

Compliance Program – Why have one:

• Enhances patient care.

• Optimizes proper payment of claims and minimizes denials.

• Reduces the chances of costly utilization reviews.

• Avoids conflicts with self-referral and anti-kickback statutes.

• Provides effective and consistent training of new hires.

• Improves employee performance and morale.

• Improves and grows your practice.

• Minimizes Fraud, Waste and Abuse.

Page 65:

And…

It’s the Law

Page 66:

There is more to Compliance than just HIPAA

HIPAA is only one component of Compliance.

Page 67:

Compliance Program:

• The process is the mental exercise of getting all your office “ducks in a row”.

• Requires a Compliance Officer (CO).

• A true compliance program has many integrated components…

• Must define your office and procedures.

• Must have ongoing and active audits and methods for corrective action.

• Must have a defined personnel management program with ongoing trainings.

• Must follow HIPAA.

• Must have records/logs of the above.

• Must comply with OIG and Medicare.

• Must be specific and written.

• All elements need to be reviewed and incorporated into a manual.

Page 68:

Compliance Officer – Responsibilities:

• Qualified individual taking on the “job” of Compliance Officer. CO=KoR=PO

• Integration and maintenance of the Compliance Program and manual

• Oversees maintenance of office structure, appearance, sanitation, and equipment

• Identification of potential hazards within the office

• Oversees office philosophy within the guidelines of the laws, regulations and policies

• All aspects of the provider-patient relationship

• Inter-Health Professionals and external organization communications

• Human Resources oversight, e.g. due diligence when hiring, employee and provider training, complaint process

• Identity safeguard program

• Oversees accuracy of billing, coding and documentation

• Conducts Audits

• Oversees information security

• Maintains Business Associates

Page 69:

OIG 7 Core Elements

Page 70:

Compliance – OIG 7 Elements, Issues:

• Only a guide for designing an individual compliance program.

• There is no “one-size-fits-all” compliance program.

• Each state has different laws, rules and regulations.

• Every practice is unique.

• Too general

• Outline is vague and not tailored to small practices

• Organizationally not user friendly

• No clear direction

Page 71:

A Compliance Manual should contain the following components

Page 72:

Compliance Program - Manual:

Page 73:

Compliance Program - Manual:

• Business Associate Agreements

• Security Risk Analysis

• OSHA

• Monthly Updates:

  o Personnel change

  o Complaints of incidents

  o HIPAA Breach protocol

  o Repairs or maintenance

  o Ongoing trainings

  o Ownership and/or name change

Page 74:

Compliance Program - Manual:

• Mandated Trainings:

  o Medicare Waste, Fraud and Abuse

  o HIPAA

  o HIPAA and mobile devices

  o Sexual Harassment in the workplace

  o Emergency Action Plan

• List of Excluded Individuals/Entities (LEIE)

  o Federal/State

  o Medicare/Medicaid

  o System for Award Management (S.A.M.) is a Federal Government web site that consolidates the capabilities in Central Contractor Registration (CCR)/FedReg, Online Representations and Certifications Applications (ORCA) and the Excluded Parties List System (EPLS).

Page 75:

Federal and State Exclusion Lists - List of Excluded Individuals/Entities (LEIE) - Guidelines:

• The List of Excluded Individuals/Entities (LEIE) provides information to the health care industry, patients and the public regarding individuals/entities currently excluded from all Federal health care programs.

• OIG updates it monthly.

• The database includes the names known to the OIG at the time of exclusion; any former names (e.g. maiden name) should be searched in addition to the current name.

• Hyphenated names should be checked individually and together.

• You can search up to five names at once.

• Maintain documentation of all search results.
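The screening guidelines above turned into a small helper, added here as an example and not part of the presentation: it expands each name into the variants the guidelines ask for (current name, former names, hyphenated surnames individually and together), groups them into batches of five to match the search limit, and refuses to produce a log record until every variant has a recorded outcome. The staff names and the `StaffMember` structure are constructed for the example.

```python
# Added example, not from the presentation: build the LEIE query set the
# guidelines call for, batch it to the five-name search limit, and produce
# a record for the office's screening log.  All name data is constructed.
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List

@dataclass
class StaffMember:
    current: str                                     # name as on payroll
    former: List[str] = field(default_factory=list)  # e.g. maiden names

def name_variants(member: StaffMember) -> List[str]:
    """Current name, every former name, and for a hyphenated surname the
    parts searched individually as well as together; order preserved."""
    variants: List[str] = []
    for full in [member.current, *member.former]:
        first, _, last = full.strip().rpartition(" ")
        candidates = [f"{first} {last}".strip()]
        if "-" in last:
            candidates += [f"{first} {p}".strip() for p in last.split("-")]
        for name in candidates:
            if name not in variants:
                variants.append(name)
    return variants

def batches(names: List[str], size: int = 5) -> List[List[str]]:
    """Group queries to the site's per-search limit of five names."""
    return [names[i:i + size] for i in range(0, len(names), size)]

def screening_record(members: List[StaffMember], results: Dict[str, str],
                     searched_on: date, checked_by: str) -> Dict:
    """Log entry for the compliance file.  Refuses to produce one if any
    variant has no recorded outcome, so a name cannot be silently skipped."""
    queries = [v for m in members for v in name_variants(m)]
    missing = [q for q in queries if q not in results]
    if missing:
        raise ValueError(f"no search result recorded for: {missing}")
    return {"date": searched_on.isoformat(), "checked_by": checked_by,
            "batches": batches(queries),
            "results": {q: results[q] for q in queries}}

if __name__ == "__main__":
    staff = [StaffMember("Jane Smith-Jones", ["Jane Smith"]),
             StaffMember("Main Street Chiropractic")]   # office name too
    outcomes = {n: "no match" for m in staff for n in name_variants(m)}
    print(screening_record(staff, outcomes, date(2018, 10, 23), "CO"))
```

The office name is screened like any other entry, and the resulting dictionary can be written to the compliance manual's log as the documentation of each search.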

Page 78:

❑ Assign a Compliance Officer

❑ Screen staff and office name through the federal and state exclusion lists.

❑ Schedule Audits

❑ Define procedures and policies, e.g. Breach Policies

❑ Post Your Privacy Notice in a public area

❑ Post your Non-Discrimination Notice

❑ Acknowledgment

❑ Business Associate Agreements/Contract (BAA) in place

❑ Risk Analysis and Management annually

❑ Out-of-Pocket option

❑ Notifications for use of PHI-EPHI-PI

❑ Job Descriptions with levels of access needed

❑ SOCIAL MEDIA RESTRICTION POLICY

Page 79:

❑ Get a written acknowledgment that they have been offered and/or received a copy of the Privacy Notice

❑ File the Acknowledgment in their chart/file

❑ Offer each patient a Privacy Policy

❑ If they say no, get a written acknowledgment that they have been offered the Privacy Notice

❑ File the Acknowledgment in their chart/file

❑ Protect PHI from public view

❑ Files with names

❑ X-ray folders

❑ Credit Card info

❑ Lock charts and other info away from non-authorized access

Page 81:

Privilege Membership and RCOA

• Attendance at TOP Education Live Webinars, Seminars and classes on a variety of topics.

• Attendance at Open Forum Q/A Webinars to ask any questions on any topics.

• Access to a Privilege Member’s only website that includes:

• Online resources for a wealth of downloadable materials and links.

• Access to Videos on Demand for specific training on a variety of topics.

• Discounts on many products and services offered by TOP Education.

• FREE Compliance program, a $599.00 value on its own.

• List TOP Education as your OCCM** in your Compliance Program.

• A dedicated email for Privilege Members only to ask any questions.

• Privilege Members only events.

• Pick and choose the information and hours you want.

• Send your new and existing staff at no additional cost.

Page 82:

Save $398.00

We will waive the one time set up fee of $299.00 and you receive your 12th month free when you sign up today!

Join now and save big!

Privilege Membership w/ RCOA: $99 per month!

Extra Special Savings Today! Privilege Membership plus RCOA

Join now and save big! Go to toolsofpractice.com, click the “Join” tab and then “Privilege Membership with RCOA”.

On check out use the discount coupon code CC2018 (make sure to hit apply).

Page 83:

Web Site: toolsofpractice.com

Contact: [email protected]

Page 84:

Disclaimer

Dr. Mark A. Davini and Paul Andrews make no guarantee on the effectiveness of any form, reference or sample supplied, and these are subject to any prevailing laws. They are meant as guidelines and instructional. There is no legal advice given. There is no implied or direct representation for any Insurance Carrier, Agent or organization. All questions regarding a specific insurance carrier should be made to the provider services department for that specific carrier.

Compliant billing procedures should be maintained at all times. Any questions with regard to a specific service code should be directed to a current AMA © certified reference book for Current Procedural Terminology. Any questions on diagnosis coding should be directed to a current AMA © certified reference book on International Classifications for Diseases.

All References, Forms, Samples and other documentation and materials are for educational purposes. Any and all contents of the presentation and supplemental materials require completion and review by the intended user.