This chapter is from the book
Identifying Standard Agencies, Laws, and Regulations
- Covered entities are health plans, health clearinghouses, and healthcare providers.
- The U.S. Department of Health and Human Services (HHS) is tasked with protecting the health of Americans and providing a means to access healthcare by Americans who are least able to help themselves, containing and treating any national health emergencies, and testing and regulating food and drug supplies.
- The Centers for Medicare & Medicaid Services (CMS) is responsible for administrating Medicare and Medicaid, as well as regulating standards of electronic transactions of claims, provider, and diagnostic codes.
- Version 5010 is the most recent standard format for electronic claims transactions.
- ICD-10 is the most recent standard format for electronic provider and diagnostic codes.
- The Office of the National Coordinator for HIT (ONC) is responsible for certifying EMR/EHR solutions as HIPAA-compliant.
- The National Institute of Standards and Technology (NIST) advances HIT security and usefulness of remote healthcare.
- Medicare is a social insurance program to provide hospital and medical care for elderly and certain disabled citizens.
- Medicaid is a social welfare program to provide health and medical services for certain citizens and families with low incomes and few resources. Medicaid participation by states is voluntary. Medicaid is administrated by states.
- Health Insurance Portability and Accountability Act (HIPAA) is a set of rules for protecting e-PHI (electronic protected health information).
- The Office of Civil Rights (OCR) enforces the HIPAA rules.
- HIPAA has four primary rules: Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule.
- The American Recovery and Reinvestment Act (ARRA), called the Recovery Act, aims to help citizens through the economic recession. In healthcare, the Recovery Act provides funding to HHS branches to help preserve and improve affordable healthcare in the United States.
- The Health Information Technology for Economic and Clinical Health (HITECH) Act creates incentive and opportunity for the advancement of HIT through the ONC.
- Meaningful use is the demonstration by healthcare entities to use HIT in a meaningful way.
- Participants in the incentive programs are called eligible providers.
Learning HIPAA Controls and Compliance Issues
- HIPAA aims to ensure confidentiality, integrity, and availability of e-PHI.
- In the event of a violation, or breach, of HIPAA rules, fines may be imposed by the OCR.
- Covered entities are required to ensure confidentiality, integrity, and availability of e-PHI they create, receive, maintain, or transmit; identify and address risks to e-PHI; and ensure compliance by their workforce.
- Written permission must be obtained before e-PHI may be released or distributed to anyone HIPAA does not allow.
- Covered entities must use role-based access control to restrict access to e-PHI by its personnel.
Learning Rules of Record Retention and Disposal
- The three types of health records are public, private, and legal.
- The public health record is used for the collection of public health data to be analyzed by researchers.
- The private health record is the health record created and maintained by an individual.
- The legal health record is collected and retained for use by the patient or legal services.
- Health records must be retained for a minimum of six years. States may add to the length of time for record retention.
- Disposed records must be unreadable, indecipherable, and unable to be reconstructed.
Learning Legal Best Practices and Documentation
- Waivers of liability are forms used by healthcare entities to be protected from being inappropriately responsible for harm or debt.
- Business associate agreements (BAA) are used to ensure a mutual understanding of safeguards of e-PHI between a covered entity and a contracted third party.
- Service-level agreements (SLA) are used to establish how e-PHI is shared and used, as well as expectations of service provided.
- Memoranda of understanding (MOU) are used within a covered entity to ensure understanding of the safeguards of e-PHI among departments or personnel who may not normally be exposed to sensitive information.