Slide 1 - Collegiate Sports Medicine Foundation

					  Collegiate Sports Medicine
Revenue & Reimbursement Workshop

   HIPAA & FERPA Considerations

                 January 4-7, 2006

              Keith Webster MA, ATC
              University of Kentucky
    Chair, NATA Governmental Affairs Committee
• Mandates the privacy and security of
  Protected Health Information (PHI)
• Portability of health insurance
• Simplification of electronic billing
• Coincides with existing state statutes,
  need pre-emption analysis
            NATA GAC
• GAC began to address HIPAA in 2001
• NATA BOD issued response to Privacy
  modifications in April 2002
• Contacted HHS in September, 2002
• Meeting held in December, 2002 with
  staff attended
     Three Major Components
• Privacy Rule- governs use of and access to PHI
  and protects its confidentiality

• Security Rule- secures PHI being
  transmitted electronically, 4/21/05

• Transaction Rule- standardizes procedure
  codes and electronic billing format
             Privacy Rule
• Protects the privacy of an individual’s
  health information
• Governs use and disclosure of PHI
• Provides patients access to their records
• Patients have control of their records
• Patients can file complaints about use and
• Applies only to Covered Entities
       Office of Civil Rights
• Civil penalties
  – Up to $25,000
• Criminal penalties
  – Knowing disclosure:
     • $50,000, 1 year imprisonment
  – False pretenses:
     • $100,000, 5 years imprisonment
  – Intent to sell:
     • $250,000, 10 years imprisonment
                What is PHI?
•   There are 18 identifiers that constitute
    Protected Health Information

•   Includes:
    Name               Medical Record #
    Address            Telephone #
    DOB                Fax #
    SS#                Driver’s License #
    Photographs        Email, URL, IP addresses
    Fingerprints       Admit / Discharge Dates
                       Any other unique ID #
           Covered Entity
Administrative Simplification Standards:

• A health care provider who conducts
  certain transactions electronically
• A health care clearinghouse
• A health plan
     What is a Covered Entity?
       As a Health Care Provider:
  The following is from the decision support tool found
    on the website

1. A person, business, or agency that:

• Furnishes
• Bills or
• Receives payment for health care in the normal
  course of business
     What is a Covered Entity?

2. A person, business, or agency that
  conducts covered transactions, including:

• Request to obtain payment from provider to a
  health plan for health care or;
• In the absence of a direct claim, transmission of
  encounter information for reporting health care
   More Covered Transactions

• Checking on eligibility to receive care
  under the health plan
• Coverage and benefits under the plan
• Request to obtain authorization for
  referring someone to another provider
• Inquiry/ response about status of a claim
Still More Covered Transactions

• Transmission of payment, info about
  transfer of funds, payment processing info
• Transmission of EOBs
• Coordination of benefits transaction is the
  transmission from any entity to a plan to
  determine payment responsibilities of the
     What is a Covered Entity?
3. Are any of the covered transactions
  transmitted in electronic form?

“Electronic form” includes:
• Internet
• Extranet
• Leased lines, dial-up lines, private networks
• Magnetic tape, disk, or CD media that are
  physically moved from one location to another
    You Are A Covered Entity If:

•   You furnish, bill, or receive payment for health
•   You conduct covered transactions AND
•   You transmit covered transactions in electronic

          AND if your attorney says so!
       Determine Legal Entity
• Single provider
• Affiliated Covered Entities (ACEs)- made up of
  several CEs that are under common ownership
  or control
• Organized Health Care Arrangement (OHCA)-
  a setting with multiple providers
• Hybrid- single legal entity and whose covered
  functions are NOT its primary functions-
  Example: an academic institution with a medical
               Consult your attorney
            Hybrid Entity
• Isolated activities involve Protected
  Health Information (PHI)
• Must identify those components
• Responsible for compliance in those areas
• Must protect from improper
  use/disclosure of PHI
      Requirements of the CE
• Adopt and implement privacy procedures
• Train employees so that they understand
  the procedures
• Designate a privacy officer to see that
  procedures are adopted and followed
• Secure patient records from unauthorized
• Account for disclosures
      Requirements of the CE

Notice of Privacy Practices (NPP)

• Fundamental new right to be informed of
  privacy rights and practices of covered
  health plans and providers
              NPP includes:
• How PHI is used and disclosed
• Individual’s rights regarding PHI with
  complaint process
• CE’s legal duty with statement that this is
  required by law
• Contact person for individual to receive further
• NPP can be layered- brief summary with “long”
• Effective date
           Providing the NPP
• CE is required to promptly revise and distribute
  after material changes
• NPP available to anyone requesting it
• NPP must be posted in office, website, etc
• CE must provide NPP to patient no later than
  first date of service
• CE must make good faith effort to get written
  receipt of NPP
• Acknowledgment of receipt can be combined
  with consent form
 Other Requirements of the CE
• Adopt and implement privacy procedures
  for its practice
• Train employees so that they understand
  the procedures
• Designate a privacy officer to see that
  procedures are adopted and followed
• Secure patient records from unauthorized
         Consent and Notice
• Consent for routine health care purposes
  is now optional
• Due to strengthened NPP and thus
  eliminates barrier to treatment
• Other consent requirements may be in
  effect, i.e. State law
Must include these core elements:

•   Information to be used or disclosed
•   Persons authorized to make the use or disclosure
•   Persons authorized to receive PHI
•   Purpose of the use or disclosure
•   Expiration date
•   Patient’s signature and date
•   Personal representative authority
Must include the following notification statements:

• Individual may revoke authorization in writing
  with instructions
• Treatment and payment may not be conditioned
  on obtaining authorization or
• If conditioning is permitted, consequences of
  refusing to sign authorization
• Potential for the PHI to be redisclosed by the
Authorization can be mandated under
 “condition to participate”
Revocation would disqualify participant

Family Educational Rights and Privacy Act
  (FERPA) takes precedence over HIPAA
Privacy Rule defers to State law for <18 y.o.
     Uses and Disclosures for
 Treatment, Payment, and Health
     Care Operations (TPO)

• Permits this use and disclosure of PHI
  without authorization
• CE may disclose PHI for treatment
  purposes to providers who are not a CE
        Minimum Necessary
• A CE must develop policies and
  procedures that limit its disclosures for
  payment and health care operations to the
  minimum necessary
• Identify who needs access to PHI within
  the CE for job duties
• This does not apply when PHI is disclosed
  for treatment purposes
 Incidental Uses and Disclosures
• Permissible as long as there are reasonable
  safeguards and minimum necessary
• Avoid discussing PHI in elevators and
• Be aware of others in public places i.e.
  waiting rooms
• Secure file cabinets or records rooms
• Use passwords for computers
             Media Issues
• Establish policy- consider implications
• Determine procedure for authorizations
• HIPAA or FERPA compliance
• Per injury basis or blanket for season
• Right to refuse- consequences
• “Open Records” request- drug test results
              Business Associates
A person or entity that performs certain functions
  or activities that involve the use or disclosure of
  PHI on behalf of, or provides services to, a
  covered entity

  claims processing, data analysis, utilization
  review, quality assurance, billing, benefit

See: OCR Guidance Manual for details
            Security Rule

• Linked to Privacy Rule requirements
• Internal & External Safeguards
• E-mail encryption
• Formatting claim forms
• Research issues
• A covered entity may use or disclose PHI
  for research purposes once it has been de-
  identified regardless of provisions

• The Common Rule and FDA human
  subject protection regulations apply

• Allowed with individual authorization
Allowed without authorization under
 limited circumstances:

•   IRB/ Privacy Board approval
•   Preparatory to research
•   Research on PHI of decedents
•   Limited data sets with a data use agreement

See: OCR Guidance Manual for details
          Transaction Rule
 Standardize procedure codes and electronic
 billing format

Standard electronic transactions include:
*claims           *referrals
*eligibility inquiries & responses
*claim status inquiries & responses
*remittance advices
 National Provider Identification
         Numbers (NPI)

• Use in standard electronic transactions

• Replaces Health Care Provider Identifiers

• Most health plans, Medicare, and private
  insurers must accept NPI by 5/23/07
          How to get an NPI
• National Plan and Provider Enumeration
  System (NPPES) 1-800-465-3203

• Providers may apply online at:

• Need only one NPI for all health plans
      NPI On-line Application
• Entity type: Type 1 for individual
• Taxonomy: Type 22 Respiratory,
  Rehabilitative & Restorative Service
• Classification: 2255A2300X-
  Specialist/Technologist- Athletic Trainer
• Provide State License Number
 The Family Educational Rights
   and Privacy Act (FERPA)

• Federal law that protects the privacy of
  student education records
• For all schools that receive federal funds
• Gives parents certain rights with respect
  to their children’s education records
 The Family Educational Rights
   and Privacy Act (FERPA)
• Generally, schools must have written
  permission in order to release any
  information from a student’s education
• These rights transfer to the student when
  he/she reaches the age of 18 or attends
  post-secondary school
• Must notify parents & eligible students
       Disclosure without consent
• To school officials with legitimate
  educational interests
• School official: a person employed by the
  School …including health or medical staff;
  a person or company with whom the
  School has contracted to perform a special
  task, such as medical consultant or
S.1232g.(4)(B) “Education record” does not
(iv) Records on an eligible student which are
  made by a physician, or other recognized
  professional and used only for treatment
  of that student and are not available to
  anyone other than persons providing such
  treatment …
   Written Consent for education records

• Records to be released
• Reasons for such release
• To Whom
• A copy to parents and student if desired
  by parents
       References & Resources
• Decision Tools, Privacy Policy Guidance, and
  PHI Regulation Text:
• EDUCAUSE (targets higher ed):
• HIPAA Guidelines for Academic Medical
• Other links: &
• NATA updates:
       References & Resources

•   Guidelines for Academic Medical Centers:
•   Sample forms (repository):
•   FERPA:
•   To create news alerts for HIPAA, FERPA, etc:

