HIPAA Administrative Simplification

Questions and Answers

What is the main objective of Principle III: Obligation to the Profession?

To reduce costs in healthcare management

To promote competition among healthcare providers

To uphold the integrity and dignity of the profession (correct)

To ensure profit maximization in healthcare

According to the OIG, what is the recommended approach to establishing a Compliance Committee?

A committee with a specific composition recommended by the OIG

A committee comprising only medical professionals

A committee with varying perspectives (correct)

A committee without a clear objective

What is a key element of an effective compliance program according to the text?

Mandatory reporting of non-compliance

Regular audits and inspections

Implementation of new technology

Proper education and training of employees (correct)

What is the recommended annual education and training requirement by the OIG?

1-3 hours per year

What is a topic that should be included in general compliance education?

Ethics

What is an example of a topic for specific/focused training?

Conflict of interest

What should a written annual training plan outline?

Training needs, timing, methods, and duration

What is the role of the Compliance Officer in a Compliance Program?

A focal point, but not the only point in a Compliance Program

What is the last resort in dealing with possible misconduct?

Termination

What is the goal of a Compliance Program?

Detection

Why are cover-ups generally not effective?

They cause more problems than they solve

Who should handle internal investigations?

Skilled investigators

How soon must repayment be made to Medicare?

Within 60 days

What is the time limit for returning overpayments?

6 years

What should be the focus of performance reviews?

Both positive and negative feedback

What is the timeframe for reporting misconduct to the OIG?

Within a reasonable period

What are the essential characteristics of a compliance program's enforcement and discipline?

Fair, equitable, and consistent

What should a written policy statement on disciplinary actions include?

A 5-point outline of disciplinary procedures

What is the consequence of failing to report an offense?

Equal discipline as the actual misconduct

Who is responsible for working with management in imposing discipline?

HR

What is the purpose of the first step in the progressive discipline process?

To secure the employee's understanding of the problem and a commitment to correcting behavior

What is the next step after a written warning in the progressive discipline process?

Escalation to a higher authority

What is the purpose of a written warning?

To emphasize the seriousness of the situation and stress the urgency of modified behavior

What is the consequence of intentional or reckless noncompliance?

Significant sanctions

What is the primary objective of the Administrative Simplification Section of Title II of HIPAA?

To develop standardized transaction standards for content and transmission of data

When were the Privacy Rule and Security Rule issued by DHHS?

2003 and 2005

What is the primary purpose of the Privacy Rule under HIPAA?

To assign rights to individual patients to control their health information

What is a key requirement of the HIPAA Privacy Rule?

Establishment of a Privacy Officer

What is the primary purpose of the HIPAA Security Rule?

To implement safeguards for the protection of health information

What is the relationship between HIPAA and state laws regarding the protection of health information?

HIPAA is a federal regulation and overrides state laws

What is the primary purpose of the HITECH Act?

To promote the adoption of electronic health records

What is the significance of the Omnibus Rule?

It provided additional protections for health information

What is the primary goal of the HIPAA Act in promoting electronic health records?

To reduce the administrative cost of healthcare

What is the result of the expansion of the application of business associate agreements to subcontractors of covered entities?

Subcontractors are required to comply with HIPAA regulations

What is the result of a breach of unsecured information under the HIPAA Act?

Notification is required, and the potential civil monetary penalties for violations of HIPAA are increased

What is the purpose of the Notice of Privacy Practices?

To describe how the covered entity uses and discloses PHI, and provide examples of how health information will be used or disclosed

What is the result of the exemption of the PHI of individuals who have been deceased for more than 50 years?

The PHI of deceased individuals is no longer protected under HIPAA

What is the purpose of the standard transactions under HIPAA?

To reduce the administrative cost of healthcare

What is the result of the prohibition on the sale of PHI without an individual authorization?

Covered entities are prohibited from selling PHI without individual authorization

What is the purpose of the right to access and obtain a copy of PHI?

To allow individuals to access and obtain a copy of their PHI

What is the result of the restriction on information provided to health plans for healthcare for which the individual paid in full out of pocket?

Health plans are restricted from accessing PHI for healthcare paid in full out of pocket

What is the purpose of the privacy regulations under HIPAA?

To place control over health information squarely in the hands of the individual who is the subject of the information

Study Notes

Principle III: Obligation to the Profession

• Compliance professionals should strive to uphold the integrity and dignity of the profession
• Should advance the effectiveness of compliance programs and promote professionalism in health care compliance
• Compliance Officer may be a focal point, but not the only point in a Compliance Program
• OIG urges a Compliance Committee be established to advise and assist the CO
• Committee should include varying perspectives and develop goals and objectives on an annual basis
  • Participating in the identification of risk
  • Regularly reviewing and assessing compliance P&Ps
  • Assisting with the development of the COC and P&Ps
  • Determining strategy to promote Compliance
  • Developing a system to solicit, evaluate, and respond to complaints and problems

Education and Training

• Education and Training are the first and possibly the most important lines of defense for a Compliance program
• Proper education of all officers, managers, and employees, and continual retraining, is a significant element of an effective compliance program
• General Training Topics:
  • Elements of the compliance program
  • The Code of Conduct
  • The reporting system
  • Individual accountability for reporting suspected non-compliance
  • Non-retaliation policy
  • Who is the Compliance Officer
  • Explanation of FWA
• OIG urges a specific number of education hours per year (1-3hrs per yr in corporate integrity agreements)
• General Compliance Education should include:
  • Ethics
  • Code of Conduct
  • Obligation to Report
  • Privacy
• Topics for specific/focused training include:
  • Actions outside scope of practice
  • Government and private payor reimbursement principles
  • Third-party relationships
  • Identification of a privacy breach
  • Stark/anti-kickback
  • Submission of a claim for physician services when rendered by a non-physician
  • Signatures for a physician without the physician's authorization
  • EMTALA
  • Conflicts of interest
  • Proper documentation of services rendered
  • Directions for conducting investigations
• Written annual training plan should outline the training needs, timing, methods, and duration

Enforcement and Discipline

• Discipline will be administered for non-compliance
• Employees have an obligation to report suspected non-compliance
• An outline of disciplinary procedures
• A list of the parties responsible for appropriate action
• A promise that discipline will be fair and consistent
• Failure to report an offense is a serious act of non-compliance and equally deserving of discipline as the actual misconduct
• HR is responsible for working with management in imposing discipline
• Compliance will monitor consistency for fairness and severity
• Intentional or reckless non-compliance = significant sanctions
• Progressive discipline = Multi-step process
  1. Employee's manager to discuss problem with employee
  2. Depending on the situation, next step might be to escalate the issues to a higher authority
  3. A written warning
  4. Next step could be suspension without pay, or a probationary period
  5. Final option is termination, if all other options are exhausted
• OIG Recommends a new employs policy:
  • Background checks
  • Reference checks
  • Reviews of the federal health care sanctions list

Responding to Offenses / CAPs

• If there's a reason to believe misconduct, response must be timely and appropriate
• Detected but uncorrected misconduct threatens an organization's credibility
• Cover-ups usually cause more problems than they solve
• The goal of a Compliance Program is detection
• Depending on severity, you may want to meet with your legal counsel
• OIG recommends an investigation anytime a potential violation is identified
• Internal investigations must be handled by skilled investigators and documented according to your policy
• OIG calls for prompt reporting of [misconduct] within a reasonable period
• If a [repayment] is due to Medicare, it must be made within 60 days of identification

Description

Learn about the HIPAA Administrative Simplification section, including standardized transaction standards and privacy rules to protect health information.