Compliance Plans
Medicolegal Issues
and the Pharmacy
Chapter 2
1
© 2010 The McGraw-Hill Companies, Inc. All rights reserved.
Key Terms
• Abuse
• Audit
• Authorization
• Business associate
• Centers for Medicare and Medicaid Services (CMS)
• Clearinghouses
• Code set
• Compliance plans
• Corporate integrity agreement
• Covered entities
• Current Procedural Terminology (CPT)
• De-identified health information
Key Terms (Continued)
• Designated record set (DRS)
• Encryption
• Fraud
• Healthcare Common Procedure Coding System (HCPCS)
• Health Care Fraud and Abuse Control Program
• Health Insurance Portability and Accountability Act (HIPAA) of 1996
Key Terms (Continued)
• HIPAA Electronic Health Care Transactions and Code Sets (TCS)
• HIPAA National Identifiers
• HIPAA Privacy Rule
• HIPAA Security Rule
• ICD-9-CM
• Medical records
• Minimum necessary standard
• National Provider Identifier (NPI)
• NCPDP Provider Identification Number
• Notice of Privacy Practices (NPP)
Key Terms (Continued)
• Office for Civil Rights (OCR)
• Office of the Inspector General (OIG)
• Password
• Protected Health Information (PHI)
• Qui tam
• Relator
• Respondeat superior
• Subpoena
• Subpoena duces tecum
• Transaction
• Treatment, payment, and health care operations (TPO)
Healthcare Regulation
• Both federal and state governments pass laws affecting the medical services offered to patients to protect their health
• Laws are also passed to protect the privacy of their health information and practices relating to this matter
• Pharmacy technicians must correctly handle patients’ health information
Healthcare Regulation (Cont.)
• Federal Regulation
• The Centers for Medicare and
Medicaid Services (CMS) is the federal
agency that regulates health care, and
performs many functions:
• Regulating laboratory testing
• Preventing discrimination
• Researching effectiveness
• Evaluating health care quality
Healthcare Regulation (Cont.)
• State Regulation
• States are major regulators of the
health care industry
• Insurance companies must have a
license
• States may govern health care pricing,
policies, and situations in which
coverage has been cancelled
Pharmacy Records
• Patients’ medical records are stored in the pharmacy practice
• Patients control the amount and type of information that is released, except for legitimate pharmacy business uses
• Pharmacy insurance technician specialists handle requests for information and must know what information can legally be shared with what entities
Pharmacy Records (Cont.)
• HIPAA's Administrative Simplification Provisions:
• HIPAA Privacy Rule - covers patients’
health information
• HIPAA Security Rule – states the
requirements to protect patients’ health
information
• HIPAA Electronic Transaction and
Code Sets Standards – regulates
transactions, code sets, and identifiers
Complying With HIPAA
• Covered entities are health care organizations required by law to obey HIPAA regulations
• Health plans – provider/payer of
medical care and pharmacy benefits
• Health care clearinghouses – help
providers with electronic transactions
• Health care providers - people or
organizations that furnish, bill, or are
paid for health care
Complying With HIPAA (Cont.)
• Business Associates
• Through agreements with their
business associates, covered entities
must perform their work as required by
HIPAA
• Includes law firms, accountants,
information technology contractors,
transcription companies, compliance
consultants, and collection agencies
HIPAA Privacy Rule
• First comprehensive federal protection for the privacy of health information
• The rule states covered entities must:
• Have a set of privacy practices
• Notify patients about their rights
• Train employees to know the policies
• Appoint a privacy official
• Safeguard patients’ records
Disclosure For TPO
• Patients’ PHI may be distributed for treatment, payment, and health care operations
• Treatment - providing and coordinating
the patient’s medical care
• Payment - exchange of information
with health plans
• Health care operations - general
business management functions
Minimum Necessary Standard
• Refers to taking reasonable safeguards to protect PHI from incidental disclosure
• Only the information the recipient
needs to know is given
• Necessary faxing/e-mailing between
physicians
• Patients’ family member picks up
pharmacy supplies and a prescription
Designated Record Set
• Refers to the medication and billing records the pharmacy maintains, within which patients have the right to:
• Access, copy, and inspect their PHI
• Request amendments to their PHI
• Obtain accounting of most disclosures
• Receive pharmacy communications
from other means (i.e. Braille)
• Make legitimate complaints
Notice of Privacy Practices
• Covered entities must give each patient a notice of privacy practices at the first contact or encounter
• Document must also be clearly posted
in the pharmacy
• Explains how patients’ PHI may be
used and describes their rights
Authorizations
• To release information for use other than for TPO, the covered entity must have the patient sign an authorization
• Information about substance abuse, STDs
or HIV, and behavioral/mental health
services may not be released without an
authorization from the patient
• Authorizations contain all valid
information and must follow set rules
Requests for Information Other Than for TPO
• There are some exceptions for releases:
• Court Orders – PHI may be released
for a judicial order, such as a subpoena
• Workers’ Compensation Cases - state
law may provide for release of records
to employers
• Statutory Reports – released to state
health or social services departments
• Research Data – approved researchers
De-identified Health Information
• There are no restrictions on the use or disclosure of de-identified health information
• This information neither identifies nor
provides a reasonable basis to identify
an individual
• Specific patient identifiers (names,
record numbers, etc.) must be removed
State Statutes
• Some state statutes are more stringent than HIPAA specifications
• State statutes may differ from HIPAA in
some areas:
• Designated record set
• Psychotherapy notes
• Rights of inmates
• Information compiled for civil, criminal, or administrative court cases
HIPAA Security Rule
• Requires covered entities to establish safeguards to protect PHI
• Specifies how to guard data on computers and PC networks, the Internet, and storage disks
• Security measures rely on encryption, the process of encoding information in such a way that only the person (or computer) with the key can decode it
Security Measures
• A number of other security measures help enforce the HIPAA Security Rule:
• Access control, passwords, and log files to keep intruders out
• Backups to replace items after damage
• Security policies to handle violations
that do occur
Access Control, Passwords, and Log Files
• Role-based access limits access so that only people who need information can see it
• Users must enter a user ID and a password
to access information
• Passwords must be carefully selected
• Words, sequences, or ID numbers
should not be used
• Numbers and symbols are effective
• They should be changed periodically
Other Security Measures
• Backups - information should be backed up, which is the activity of copying files to another medium so that they will be preserved in case the originals are no longer available
• Security Policies - pharmacies have security policies that inform employees about their responsibilities for protecting electronically stored information
Standard Code Sets
• A code set is any group of codes used for encoding data elements
• There are several relevant code sets:
• ICD-9-CM – used for diagnoses
• Current Procedural Terminology data set – physician procedures and services
• Healthcare Common Procedure Coding
System – reporting supplies, devices,
and durable medical equipment
HIPAA National Identifiers
• An identifier is a unique number of predetermined length and structure
• HIPAA National Identifiers are for:
• Employers
• Health care providers
• Health plans
• Patients
National Provider Identifier (NPI)
• The standard for the identification of providers when filing claims and other transactions
• Consists of nine numbers and a check
digit
• Assigned by the federal government to
individual providers
• Note that the NPI does not replace the
NCPDP Provider Identification Number
Other Legislation Affecting Pharmacy
• Medicare Prescription Drug Improvement and Modernization Act of 2003 (MMA)
• Provided seniors and individuals with
disabilities access to prescription drug
plans, with more choices, and better
benefits under Medicare
• E-prescribing – enables physicians to send
more efficient claims electronically
• Electronic health record – enables easily
accessible PHI for multiple physicians
Other Legislation Affecting Pharmacy (Cont.)
• Freedom of Choice
• Pharmacy law that focuses on the plan
member and the pharmacy or
pharmacist
• Allows the member to select a
pharmacy of choice
• Patient cannot be financially penalized
for obtaining benefits at a
nonparticipating provider
Other Legislation Affecting Pharmacy (Cont.)
• Prescription Drug Equity Act of 1997
• Prohibits a prescription drug plan from
providing mail order coverage without
also providing non-mail order
prescription benefits
• Allows the patient to obtain benefits
from a participating community
pharmacy, not just through mail order
Other Legislation Affecting Pharmacy (Cont.)
• Antitrust/Exclusive Pharmacy Contracts
• Exclusive contracts exist when a
pharmacy in a particular area contracts
with a benefit plan to be the only
provider for plan members
• Must not violate antitrust laws in order
to be legal
Fraud and Abuse Regulations
• The Health Care Fraud and Abuse Control Program
• Created by HIPAA to uncover and
prosecute fraud and abuse
• The HHS Office of the Inspector
General (OIG) has the task of detecting
health care fraud and abuse and
enforcing all related laws
Fraud and Abuse Regulations (Cont.)
• The federal False Claims Act (FCA)
• Prohibits submitting a fraudulent claim
or making a false statement or
representation in connection with one
• Encourages reporting suspected fraud
and abuse against the government by
protecting people against employer
retaliation
Fraud and Abuse Regulations (Cont.)
• Additional laws relating to health care exist to help control fraud and abuse
• Antikickback statutes
• Self-referral prohibitions
• The Sarbanes-Oxley Act of 2002
• State laws
Definition of Fraud and Abuse
• Fraud is an act of deception used to take advantage of another person
• Fraudulent acts are intentional; the
individual expects an illegal or
unauthorized benefit to result
• In federal law, abuse means an action that
misuses money that the government has
allocated
• May include billing for services that
were not medically necessary
Examples of Fraudulent and Abusive Acts
• The stealing of prescription pads
• Patients altering a prescription
• Drug abusers giving incorrect phone numbers to represent physicians
• Intentionally billing for services that were not performed or documented
• Reporting services at a higher level than was carried out
Enforcement and Penalties
• HIPAA privacy regulations are enforced by the Office for Civil Rights (OCR)
• Covered entities must comply and give the OCR access to their facilities, books, records, and systems for investigations
• The Office of the Inspector General (OIG)
enforces rules relating to fraud and abuse
• OIG has the authority to investigate
suspected fraud cases and to audit the
records of providers and payers
Compliance Plans
• Pharmacy practices must be sure that all staff members follow billing rules
• A compliance plan sets up the steps needed to:
• Audit and monitor compliance
• Have consistent policies and procedures
• Provide ongoing staff training and
communication
• Respond to and correct errors
Compliance Plans (Cont.)
• Goals of Compliance Plans
• Prevent fraud and abuse
• Ensure compliance with all laws
• Help defend the practice if investigated
or prosecuted for fraud
• Compliance plans demonstrate to outside
investigators that the practice has made
honest, ongoing attempts to find and fix
weak areas
Compliance Plans (Cont.)
Seven Components of Compliance Plans:
1. Consistent written policies and procedures
2. Appointment of a compliance officer and
committee
3. Training
4. Communication
5. Disciplinary systems
6. Auditing and monitoring
7. Responding to and correcting errors