• OIG Recommended Compliance Resources
Cross Reference: BOK 04: AICPA Standards
1.9 OVERVIEW OF HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY (HIPAA)
Note: Additional HIPAA information can be located in Core Domain 04.01.08
HIPAA is the 1996 Health Insurance Portability and Accountability Act defined within 45 CFR § 160.102. The rule can be found in a condensed format at: http://www.hhs.gov/ocr/privacy/. HHS states, “the HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.” The law establishes standards and requirements for electronic transmission of health care information, and requires organisations (“covered entities”) that exchange health care information to follow national guidelines. These rules have been detailed as federal transaction and code set rules. These rules are:
• Requiring use of standard electronic transactions and data for certain administrative functions
• Standardizing the medical codes that providers use to report services to insurers
• Creating specific identification numbers for employers (Standard Unique Employer Identifier (EIN)) and for providers (National Provider Identifier (NPI)).
Covered entities could be a health plan, clearinghouse or a provider and these entities must follow these regulations when dealing with a healthcare transaction.
HIPAA affects:
• Anyone using health care or health insurance
• Health insurers
• Doctors
• Hospitals
• Employers providing health insurance
• Life insurers
• Public health agencies
• Information systems vendors
• Health service organisations
• Billing agencies [21]

[21] HIPAA Overview, Highmark, Inc. 2011.

There are five titles to the HIPAA regulations. Highmark, Inc., a CMS contractor, details these as:
1. Title I – “Health care access, portability and renewability” – requires employers and health plans to allow a new employee’s medical insurance coverage to remain continuous without regard to pre-existing conditions.
2. Title II – has three components, which define new requirements for privacy and security of individually identifiable patient information.
a. Preventing health care fraud and abuse
b. Administrative simplification
i. Known as Subtitle F, this reduces the administrative component of health care costs through the implementation of electronic data interchange (EDI) standards, primarily by utilizing ASC X12 N transaction formats
c. Medical liability reform
3. Title III – “Tax-related health provisions” – standardizes the amount you can save per person in a pre-tax medical savings account.
4. Title IV – “Application and enforcement of group health plan requirements” – broadens information on insurance reform provisions and provides detailed explanations.
5. Title V – “Revenue offsets” – has regulations on how employees can deduct company-owned life insurance premiums for income tax purposes.
From an auditor's standpoint this regulation is paramount. Patient identifying data must be kept confidential and all rules applying to HIPAA must be followed. Additionally, it will be important to continue to follow the HIPAA 5010 transaction set updates and implementation. This will allow for the progression to ICD-10.
It is essential that the auditor understand and be fluent in this regulation to ensure that the audit remains compliant. Other sources of information on HIPAA can be found at:
https://www.cms.gov/HIPAAGenInfo/Downloads/HIPAALaw.pdf
http://www.cms.gov/hipaageninfo/
http://www.hhs.gov/ocr/privacy/
http://whatishipaa.org/
http://www.ama-assn.org/ama1/pub/upload/mm/399/hipaa-5010-timeline.pdf
RESOURCE GUIDE AND CROSS REFERENCE
Resource Guide:
• AHA-HIPAA
• AMA Fact Sheet on HIPAA
• CMS HIPAA General Information
• HHS Privacy Website
• HIMSS - HIPAA
• HIPAA and ICD-10 Implementation
• HIPAA.ORG
• Journal of AHIMA - May 2009
• OIG HIPAA Audit Report
• OIG Recommended Compliance Resources
Cross Reference: BOK 04: HIPAA
CORE DOMAIN 2A – MEDICAL AUDIT PROCESS AND METHODOLOGY
2A: MEDICAL AUDIT – INVESTIGATE AND VERIFY CHARGES AGAINST THE MEDICAL RECORD
The definition of investigate is: to examine, study, or inquire into systematically; search or examine into the particulars of; examine in detail.
The definition of verify is: to prove the truth of, as by evidence or testimony; confirm; substantiate.
So conducting an audit means examining whether the services provided are appropriate and documented in a way that supports the charges being billed. By reviewing the charges against the medical records, you are confirming the correctness or the “truth” of the hospital bill.
Verification of charges will include the investigation of whether or not:
• Services were delivered by the institution in compliance with the physician’s plan of treatment (in appropriate situations, professional staff may provide supplies or follow procedures that are in accordance with established institutional policies; procedures include items that are specifically documented in a record but are referenced in medical or clinical policies. All such policies should be reviewed, approved, and documented as required by the Joint Commission on Accreditation of Healthcare Organizations or other accreditation agencies. Policies should be available for review to the auditor.)
• Services are documented in health or other appropriate records as having been rendered to the patient
• Charges are reported on the bill accurately
The health record documents clinical data on diagnoses, treatments and outcomes. It was not designed to be a billing document. A patient health record generally documents pertinent information related to care. The health record may not back up each individual charge on the patient bill. Other signed documentation for services provided to the patient may exist within the provider’s ancillary departments in the form of department treatment logs, daily charges records, individual service/order tickets, and other documents.
Auditors may have to review a number of other documents to determine valid charges. Auditors must recognize that these sources of information are accepted as reasonable evidence that the services ordered by the physician were actually provided to the patient. Providers must ensure that proper policies and procedures exist to specify what documentation and authorization must be in the health record and in the ancillary records and/or logs. These procedures document that services have been properly ordered for and delivered to patients. When sources other than the health record are providing such documentation, the provider should make those sources available to the auditor. (National Health Care Billing guidelines). [22]
2A-1 INVESTIGATE & VERIFY CHARGES AGAINST MEDICAL RECORDS – INPATIENT
Review of inpatient medical records would include the admission summary sheet, discharge summary, progress notes, orders, labs, radiology, procedure and OR notes, nurse’s notes and medication record.
1. Prospective clinical audits allow for accurate real-time accrual of data, which reflects current rather than historical practice. This audit is done while the patient is still in house and therefore has the advantage of immediate access, more immediate results and opportunity for education.
2. Retrospective audits are post service and can be of most use when historical data is needed.
3. DRG audits determine the appropriateness of DRG assignment.
4. Medical Necessity reviews examine the appropriateness of treatment, including level of care; for example, was ICU indicated based on the medical record, or could the patient have been moved to med/surg or a lower level of care and therefore a lower room charge?
5. Line by line audits focus on duplicate charges, bundling/unbundling, drug and supply charges.
6. A full chart review is an extensive review of the medical record to verify that the medical record supports each billed item.