
Lesson 1

AN INTRODUCTION TO HIPAA

What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act, a federal law
enacted in 1996.
- Signed into law by President Bill Clinton on August 21, 1996.
- It is considered the most significant healthcare legislation since Medicare
in 1965.

Why outsource (medical transcription) to the Philippines?
1. Lower cost
2. Manpower – skilled
3. The quality of work of Filipinos is better than that of other Asian countries.

Structure of the Act:

Health Insurance Portability and Accountability Act (HIPAA)
- Insurance Reform [Portability]
- Administrative Simplification [Accountability]
  - Transactions, Code Sets & Identifiers – compliance date: 10/16/2002
  - Privacy – compliance date: 04/14/2003
  - Security – compliance date: 2005
MLS – Medical Language Specialist
CMT – Certified Medical Transcriptionist
MTs – medical transcriptionists; the ones who interpret and document a file's
clinical course, diagnosis and prognosis
Main Life of MTs – Quality Work
Asset of MT Companies – human resources/people
PHI – Protected Health Information (the security and privacy of the file)
T - Transcribe
E - Edit
P - Proofread
T - Transmit
Medical Billing – the process of submitting claims to insurance companies, and
following up on them, in order to receive payment for services rendered by a
healthcare provider.
NACHA – National Automated Clearing House Association

jso,rn09 Page 1
WHO'S AFFECTED?
Directly covered:
- Providers
- Hospitals
- Health Plans
- Pharmacies
- Laboratories
- Clearinghouses (NACHA)
- Billing Agencies
Indirect applicability: all organizations that exchange data with those directly
covered under HIPAA, through Chain of Trust Agreements and/or contracts (the
"business associates" referred to under Business Associate Agreements below).
PRE-HIPAA FACTS
• No standards existed to guide organizations in how to store, process,
communicate, or secure data
• Management and clinical information software differed from organization
to organization, even if it was purchased from the same vendor
• The lack of a standard data format proved to be a barrier, too costly and
complex for most organizations to overcome
• Over 450 different electronic claim formats existed
• The lack of transaction uniformity among existing standards made it difficult
for communication to occur

WHAT IF WE DO NOT COMPLY?

Non-Compliance (civil penalties)
• $100 for each violation
• Maximum of $25,000 per year per specific provision
Unauthorized Disclosure or Misuse of Patient Information (criminal penalties)
• Fines up to $250,000
• Prison time up to 10 years
(The civil amounts above are those of the original 1996 statute; the HITECH Act
of 2009 raised them substantially and tiered them by level of culpability. The
tiered criminal penalties are listed in FAQ 7 below.)

TRANSACTIONS, CODE SETS, IDENTIFIERS


a. Transaction
- The exchange of information between two parties to carry out financial or
administrative activities related to health care
b. Code Set
- Any set of codes used to encode data elements, such as tables of terms,
medical concepts, or medical diagnostic or procedure codes. A code set
includes the codes and the descriptions of the codes
c. Identifiers
- Standard, unique health identifiers (numbers/digits/alphanumeric) for
each health care provider, employer, health plan, and individual (patient)

PRIVACY vs. SECURITY
• Privacy
- Refers to WHAT is protected – Health information about an individual and
the determination of who is permitted to use, disclose, or access the
information.
• Security
- Refers to HOW private information is safeguarded – ensuring privacy by
controlling access to information and protecting it from inappropriate
disclosure and from accidental or intentional destruction or loss.

PRIVACY
Overview:
Due to the constraints imposed by the scope of HIPAA, the privacy regulation
applies only to:
o "Covered" Entities – healthcare providers that transmit electronic
health information, health plans, and clearinghouses
o "Protected" Health Information (PHI) – transmitted or maintained in
any form or medium (including paper and oral)

HIPAA Privacy Definitions… just a few…


• “Protected Health Information”
• “Authorization”
• "Treatment, Payment, Healthcare Operations"
• “Patient Notice”
• “Uses and Disclosures”
• “Minimum Necessary”
• “Business Associate Agreements”

Protected Health Information (PHI)


• Individual (Patient) identifiable health information relating to the past,
present or future health conditions of the individual.
• This covers all information, whether maintained electronically, in paper form
or communicated orally.
• PHI cannot be released unless authorized by the patient, or for treatment,
payment, or healthcare operations (or another use the Privacy Rule specifically
permits).

PHI includes all of the following identifiers:

1. Names
2. Addresses, including Zip Codes
3. All Dates
4. Telephone and Fax Numbers
5. E-mail Addresses
6. Social Security Numbers
7. Medical Record Numbers
8. Health Plan Numbers
9. License Numbers
10. Vehicle Identification Numbers
11. Account Numbers
12. Biometric Identifiers
13. Full Face Photos
14. Any other Unique Identifying Number, Characteristic or Code

(The Privacy Rule's de-identification standard enumerates 18 identifiers; the
list above omits device identifiers and serial numbers, URLs and IP addresses,
and the rule's date item is "all elements of dates except year".)
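As an added example (not part of the original notes), the Python script below scans a constructed dictation note for the identifiers from the list above that have a recognisable format (SSN, telephone/fax number, e-mail address, dates, and an assumed "MRN-" medical record number format), redacts each hit, and refuses the Transmit step while any remain. The patterns and the sample note are assumptions constructed for the example; names, addresses, biometrics and photos cannot be found by pattern matching and need other controls.

```python
"""Find and redact pattern-detectable PHI identifiers in free text.

Added example for these notes, not code from the original. The regexes
are illustrative approximations of US formats; the "MRN-" medical record
number format is an assumed local convention, not a HIPAA standard.
"""
import re

# (identifier category from the PHI list, pattern). Names, addresses,
# biometrics and photos are deliberately absent: regexes cannot find them.
PHI_PATTERNS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    # US phone or fax: optional area-code parentheses, -, . or space separators
    ("phone", re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("mrn", re.compile(r"\bMRN-\d{6,10}\b")),      # assumed MRN format
    # Full dates only; a bare year is not an identifier under the rule.
    ("date", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
]

# Constructed sample: a dictated note as a transcriptionist might receive it.
SAMPLE_NOTE = (
    "Patient MRN-00123456, DOB 03/14/1962, seen 10/02/2004. "
    "Contact: (555) 123-4567, fax 555-123-9876, jdoe@example.com. "
    "SSN 123-45-6789 on file. Diagnosis: type 2 diabetes mellitus."
)


def find_phi(text):
    """Return [(category, matched_text, start, end), ...] sorted by position."""
    hits = []
    for category, pattern in PHI_PATTERNS:
        for m in pattern.finditer(text):
            hits.append((category, m.group(0), m.start(), m.end()))
    hits.sort(key=lambda h: h[2])
    return hits


def redact_phi(text):
    """Replace every hit with a [CATEGORY] token; return (redacted, hits)."""
    hits = find_phi(text)
    out, pos = [], 0
    for category, _, start, end in hits:
        if start < pos:          # overlaps a span already redacted; skip it
            continue
        out.append(text[pos:start])
        out.append("[" + category.upper() + "]")
        pos = end
    out.append(text[pos:])
    return "".join(out), hits


def ok_to_transmit(text):
    """Gate for the Transmit step: only text with no remaining hits passes."""
    return not find_phi(text)


if __name__ == "__main__":
    redacted, hits = redact_phi(SAMPLE_NOTE)
    for category, matched, start, _ in hits:
        print(f"{start:4d}  {category:6s}  {matched}")
    print(redacted)
    print("safe to transmit:", ok_to_transmit(SAMPLE_NOTE), "->",
          ok_to_transmit(redacted))
```

Run directly, the script lists each hit with its offset and category, prints the redacted note, and shows the transmit gate rejecting the original while accepting the redacted text. A check of this kind belongs in the Proofread step, before Transmit; it is a detective control for the common formatted identifiers, not a substitute for access control on the files themselves.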

AUTHORIZATION
Except for the uses and disclosures the Privacy Rule itself permits (see
Treatment, Payment and Operations below), a covered entity may not use or
disclose protected health information without a valid written authorization
from the individual.
An authorization must be specific and cannot be combined with other
documents.

Treatment, Payment and Operations


• Treatment – the provision, coordination or management of health care and
related services by one or more health care providers, including consultation
or referral.
• Payment – collection of premiums, reimbursement, coverage determinations,
risk adjusting, billing, claims management, medical necessity determinations,
utilization review, and pre-authorization of services.
• Health Care Operations – specified activities by or for a health plan or health
care provider that are related to its “covered functions”, including quality
assessment and improvements; peer review, training and credentialing of
providers; business planning; and business management.

Patient Notice
• Description of uses and disclosures of protected health information made by
the covered entity.
• Every patient will receive a copy of the Patient Notice and will be asked to
sign an “Acknowledgement.”

Uses and Disclosures


• Use – Employment, application, utilization, examination or analysis of
information within a covered entity that holds the information.
• Disclosure – Release, transfer, provision of access to, or divulging in any
other manner of information outside the covered entity holding the
information.

SECURITY
Overview:
Purpose – To protect both the system and the information it contains from
unauthorized access and misuse.

Encompasses – All safeguards in a covered entity's structure, including:
information systems (hardware/software), personnel policies, information
practice policies and disaster preparedness.

SECURITY -> FINAL RULE published; compliance required from April 2005

Administrative Procedures – To ensure that security plans, policies, procedures,
training and contractual agreements exist.

Physical Safeguards – To provide assigned security responsibility and controls
over all media and devices.

Technical Security Services – To provide specific authentication,
authorization, access and audit controls to prevent improper access to
electronically stored information.

Technical Security Mechanisms – To establish communication/network controls to
avoid the risk of interception and/or alteration during electronic transmission
of information.

(The four categories above follow the 1998 proposed rule. The final Security
Rule groups its standards into administrative, physical and technical
safeguards, plus organizational requirements and policy/documentation
requirements; the network-transmission controls fall under technical
safeguards.)
FINAL NOTE on PRIVACY and SECURITY

The privacy and security rules are flexible and scalable to account for the
nature of each organization's culture, size and resources.

Each organization will determine its own privacy policies and security
practices within the context of the HIPAA requirements and its own
capabilities and needs.

HIPAA Frequently Asked Questions (FAQ)


1. Is PHI the same as the medical record?
a. No. HIPAA protects more than the official medical record. A great deal
of other information is also considered PHI, such as billing and
demographic data. Even the information that a person is a patient here
is Protected Health Information.
2. What if I’m accidentally overheard discussing a patient’s PHI record?
a. It is not a violation as long as you were taking reasonable precautions
and were discussing the protected health information for a legitimate
purpose. The HIPAA privacy rule is not meant to prevent care providers
from communicating with each other and their patients during the
course of treatment. These “incidental disclosures” are allowed under
HIPAA.
3. If I overhear patient care information in the stairway or in the hallway, how
should I handle it?
a. If it seems appropriate, remind the speakers of the policy in private. If
the conversation clearly violates policies or regulations, report it to the
Privacy Officer.
4. I work in the hospital and don’t need to access PHI for my job, but every now
and then a patient’s family asks me about a patient. What should I do?
a. Explain that you do not have access to that information, and refer the
individual to the patient’s health care provider.
5. What will happen if the PHI regulations have been violated?
a. The Health System may face civil or criminal penalties and be
substantially fined. Further, employees who knowingly misuse
protected health information may be subject to prosecution, fines
and/or imprisonment up to ten years, in addition to any University
disciplinary actions.
6. What else can I do for security?
a. Don’t allow others, such as family members, to use the equipment.
They might accidentally access confidential information.

7. What are the different penalties for those who deliberately misuse protected
health information?
a. For knowing misuse of PHI – up to 1 year imprisonment, or $50,000
fine or both
b. For obtaining PHI under false pretenses – up to 5 years imprisonment,
or $100,000 fine or both
c. For using PHI for commercial advantage, personal gain or malicious
harm – up to 10 years imprisonment, or $250,000 fine or both.
