Earn CEU credit Cathy Garrey, Connect with your - Health Care ...

More documents

Recommendations

Info

Complying with the HIPAA Privacy Rule – What you need to know ...continued from page 59 demographic information) that is created or received by a health care provider, health plan, employer, or health care clearinghouse that relates to: n The past, present, or future health of an individual; n The provision of health care to an individual; or n The past, present, or future payment for health care to an individual AND that either o identifies the individual, or o there is a reasonable basis to be believe that the information could be used to identify the individual. In contrast, information that has been de-identified is not protected under the Privacy Rule. De-identification, however, is not simply removing the individual’s name from the information. In fact, in order for information to be truly “de-identified” for purposes of the Privacy Rule (and therefore outside of the Privacy Rule’s scope), either all eighteen identifiers enumerated in the Privacy Rule must be removed from the information or a person with “appropriate knowledge of and experience with” accepted principles and methods must determine that the risk is very small that the information could be used alone or in combination with other available information to identify the individual to whom the PHI relates. What uses and disclosures are permitted A covered entity may not use or disclose PHI unless that use or disclosure is permitted by the Privacy Rule. A covered entity may disclose, and in fact, is required to disclose PHI to the individual or the individual’s representative and to the Secretary of HHS for purposes of determining compliance with the Privacy Rule. Uses and disclosures that are “incident to” an otherwise permitted use or disclosure are also permitted under the Privacy Rule. For example, the Privacy Rule does not prohibit a physician from discussing a patient’s medical condition with that patient in a hospital room that is shared with another patient. Any PHI that the other patient may hear is an incidental disclosure of PHI and is permissible under the Privacy Rule. Perhaps most important in terms of most day-to-day uses and disclosures of PHI, the Privacy Rule permits covered entities to use and disclose PHI for purposes of treatment, payment, and health care operations (commonly referred to as TPO). Treatment includes the provision, coordination, or management of health care, the consultation between health care providers, and the referral of patients to other health care providers. Payment includes activities undertaken by a health plan to obtain premiums or to determine or fulfill obligations related to coverage and the provision of benefits. Payment also includes activities undertaken by a health care provider or health plan to obtain or provide reimbursement for health care. In defining payment, the Privacy Rule includes October 2008 62 Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
HM-MDaudit_1_08.qxd 1/25/08 4:10 PM Page 1 several specific examples, including, for example, determinations of coverage, billing, claims management, collection activities, and utilization review. Finally, health care operations is a very broad category of non-treatment and non-payment business activities undertaken by a covered entity. The Privacy Rule sets forth several specific examples of health care operations, including quality assessment and improvement activities, credentialing activities, arranging for legal services, medical review and auditing functions, and business planning and development. A covered entity may use or disclose PHI for its own TPO purposes. It also may disclose PHI for the treatment purposes of another health care provider or to another covered entity or health care provider for the recipient’s payment purposes. Moreover, albeit more limited in scope, a covered entity may disclose PHI for another covered entity’s health care operations purposes if: n The health care operations purposes are quality assessment, credentialing, training activities, or fraud and abuse detection; and n Both entities have or have had a relationship with the person to whom the PHI relates. In addition to these more day-to-day uses and disclosures, the Privacy Rule permits covered entities to use or disclose PHI for the following purposes, provided that the covered entity meets the applicable requirements for the particular use or disclosure as specifically set forth in the Privacy Rule: n To create or maintain a facility directory n To individuals involved in a person’s care or payment for that care n As required by law n For public health activities n For victims of abuse, neglect, or domestic violence n For health oversight activities n During the course of judicial and administrative proceedings n To law enforcement officials n For decedents n For organ donation n For research purposes n To avert a serious threat to public health or safety n For specialized government functions n For workers’ compensation purposes Manage your risk. Protect your revenue. Seven of the top 15 healthcare organizations as ranked by US News & World Report are using MDaudit to automate the administrative tasks of compliance auditing. Using strategic, risk-based audit methodology, they: • Increase audit productivity: More providers are audited in less time, allowing your staff to focus on changing provider behavior. • Quickly target risk areas: Risk-based audit scheduling helps you easily target non-conforming providers. • Improve reporting capabilities and consistency: Professional reports quickly illustrate areas of concern. • Monitor audit status across departments: Audit status and productivity is assessed at a glance. • Allow staff to focus on value-added activities: With more time and actionable information, your staff can focus on provider education to eliminate incorrect coding. To find out more and to schedule a free ROI analysis, call Hayes’ MDaudit team at 617-559-0404 or send an email to mdaudit@hayesmanagement.com. For all other uses and disclosures, that is, for all uses and disclosures that the Privacy Rule does not specifically permit, a Continued on page 65 www.HayesManagement.com Health Care Compliance Association • 888-580-8373 • www.hcca-info.org 63 October 2008
Page 1 and 2:
Volume Ten Number Ten October 2008
Page 3 and 4:
INSIDE Publisher: Health Care Compl
Page 5 and 6:
which ensures that the understandin
Page 7 and 8:
Table 1: 14 CLAS Standards U.S. Dep
Page 9 and 10:
Scholarship Recipients The Four Dua
Page 11 and 12: and need emergency care (e.g., an i
Page 13 and 14: Court analyzes first case under Sta
Page 15 and 16: It was established in 1969 in respo
Page 17 and 18: and get linked up with e-newsletter
Page 19 and 20: Social networking Many compliance p
Page 21 and 22: Focus on Organizational Compliance
Page 23 and 24: Medicare’s medical necessity crit
Page 25 and 26: Is no notice enough notice Legal pr
Page 27 and 28: Exploring the question: Does this r
Page 29 and 30: “Does this really make a complian
Page 31 and 32: Certification - the recognized mark
Page 33 and 34: suffice. This potential error can b
Page 35 and 36: Introducing Compliance & Ethics Soc
Page 37 and 38: who typically sell multiple plans o
Page 39 and 40: n State OIG that fight Medicaid fra
Page 41 and 42: Coordinating external requests for
Page 43 and 44: The what, why and how of Medicare C
Page 45 and 46: The what, why and how of Medicare C
Page 47 and 48: to hear the message first. Educatin
Page 49 and 50: COMPLIANCE ACADEMIES February 2-5 S
Page 51 and 52: or whistleblower lawsuit. Moreover,
Page 53 and 54: SEC Disclosure: Managing informatio
Page 55 and 56: Upcoming Regional Conferences Octob
Page 57 and 58: SEC Disclosure: Managing informatio
Page 59 and 60: Complying with the HIPAA Privacy Ru
Page 61: Health Care Compliance Association
Page 65 and 66: Complying with the HIPAA Privacy Ru
Page 67 and 68: PHI under false pretenses, that per
Page 69 and 70: Improving competitiveness and compl
Page 71 and 72: Speakers Sharon Anolik Blue Cross B
Page 73 and 74: commitment to overhaul deficient co
Page 75 and 76: e g i s t e r n o w f o r HCCA’s
Page 77 and 78: New principles can help advance ind
Page 79 and 80: New principles can help advance ind
Page 81 and 82: When to use a monitor Although some
Page 83 and 84: ASKLEADERSHIP John asks the leaders
Page 85 and 86: Enforcement actions in health care
Page 87 and 88: Corruption enforcement actions targ
Page 89 and 90: “I am a compliance professional a
Page 91 and 92: n M. Michelle Walker, LifePoint Hos
Page 94: 600 U.S. BANK PLAZA SOUTH 220 SOUTH
show all

Earn CEU credit Cathy Garrey, Connect with your - Health Care ...

Create successful ePaper yourself

Delete template?

Save as template?