Health Insurance Portability and Accountability Act (HIPAA)

Chapter 3






Key Terms



Abuse


Authorization for release of medical information


Business associate


Civil Monetary Penalties Law (CMPL)


Clearinghouse


Compliance


Covered entity


De-identification


Electronic data interchange (EDI)


Employer identification number (EIN)


Fraud


Health Care Fraud and Abuse Control Program (HCFAC)


Health Information Technology for Economic and Clinical Health Act (HITECH)


Health Insurance Portability and Accountability Act (HIPAA)


Health Insurance Portability and Accountability Act (HIPAA) Title I


Health Insurance Portability and Accountability Act (HIPAA) Title II


Incentive Program for Fraud and Abuse


Individually identifiable health information (IIHI)


Kassebaum-Kennedy Legislation


Medicaid Integrity Contractor (MIC)


Medicare Integrity Program (MIP)


National Provider Identifier (NPI)


Office of Civil Rights (OCR)


Office of the Inspector General (OIG)


Patient Protection and Affordable Care Act (PPACA)


Program Safeguard Contractor (PSC)


Protected health information (PHI)


Recovery Audit Contractor (RAC)


Tax identification number (TIN)


Zone Program Integrity Contractor (ZPIC)



Acronyms and Abbreviations


| Acronym | Meaning |
|---|---|
| ANSI | American National Standards Institute |
| ARRA | American Recovery and Reinvestment Act |
| ASC | Accredited Standards Committee |
| CMPL | Civil Monetary Penalties Law |
| CPT | Current Procedural Terminology |
| DOJ | Department of Justice |
| EDI | Electronic data interchange |
| EIN | Employer identification number |
| EPHI | Electronic protected health information |
| HCPCS | Health Care Common Procedure Coding System |
| HCFAC | Health Care Fraud and Abuse Control Program |
| HIPAA | Health Insurance Portability and Accountability Act |
| HIPAA-AS | Health Insurance Portability and Accountability Act Title II: Administrative Simplification |
| HITECH | Health Information Technology for Economic and Clinical Health Act |
| ICD-9-CM | International Classification of Diseases, 9th Revision, Clinical Modification |
| ICD-10-CM | International Classification of Diseases, 10th Revision, Clinical Modification |
| ICD-10-PCS | International Classification of Diseases, 10th Revision, Procedure Coding System |
| IIHI | Individually identifiable health information |
| MIC | Medicaid Integrity Contractor |
| MIP | Medicare Integrity Program |
| NPI | National Provider Identifier |
| NPPES | National Plan and Provider Enumeration System |
| NPS | National Provider System |
| OCR | Office of Civil Rights |
| OIG | Office of the Inspector General |
| PPACA | Patient Protection and Affordable Care Act |
| PHI | Protected health information |
| PSC | Program Safeguard Contractor |
| RAC | Recovery Audit Contractor |
| TCS | Transaction Code Standards |
| TIN | Tax identification number |
| ZPIC | Zone Program Integrity Contractor |



The objective of this chapter is to provide a basic understanding of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 as it pertains to hospital billing and coding. The implementation of HIPAA has and will continue to have a major impact on health care delivery and the processing of health care transactions. HIPAA includes provisions to improve the portability of health insurance, combat fraud and abuse, and simplify the administration of health insurance. A detailed discussion of all HIPAA provisions is beyond the scope of this text. The chapter will provide a brief overview of the purpose and scope of HIPAA regulations. It is critical for hospital personnel to understand HIPAA regulations to ensure compliance. A discussion of HIPAA portability, administrative simplification, privacy, and security provisions will provide a basic understanding of the mandated standards and the consequence of non-compliance with those standards. The chapter will end with a discussion of the elements of a compliance plan.



HIPAA Overview


During the 1990s, the health care industry was facing major issues related to the rising cost of health care. Legislators continued to develop and implement reimbursement methods designed to control health care cost. Health care leaders were called on to identify other issues that contributed to the rising cost of health care. Several contributing factors were identified. The limited access and portability of health insurance coverage was one factor identified. Many individuals did not have health insurance coverage or lost insurance coverage because of limited access or the inability to continue coverage after a job change. Fraud and abuse were other factors identified. The government estimates that billions of dollars are lost to fraud and abuse on an annual basis. The administrative cost of processing health care transactions was seen as another factor. It is estimated that billions of dollars annually are spent on the administration of health insurance. Legislation was developed and passed to address the factors that contributed to the rising cost of health care. The Health Insurance Portability and Accountability Act (HIPAA), also known as the Kassebaum-Kennedy Legislation, was passed by Congress to improve access to health care; provide portability of health insurance coverage; combat waste, fraud, and abuse; and simplify the administration of health insurance.



HIPAA Legislation


HIPAA legislation is outlined under Public Law 104-191. HIPAA was passed by Congress in 1996. HIPAA provisions have been implemented in phases since the legislation was passed. Additional provisions of HIPAA are slated for implementation through 2016. The purpose of the act was to amend the Internal Revenue Code of 1986 to address many health care-related issues, including the continuance of insurance coverage, fraud and abuse, and administrative simplification. HIPAA legislation is broken down into the following five sections, referred to as titles:



This chapter will focus on HIPAA Titles I and II since they have the most significant impact today on health care providers and health insurers. The Health Insurance Portability and Accountability Act (HIPAA) Title I is referred to as Health Insurance Reform since its purpose is to ensure that individuals have access to health insurance coverage. Title I mandates improved access to health care and health coverage, and it imposes new regulations relating to the underwriting process performed by insurance companies to determine whether they will insure an individual. The Health Insurance Portability and Accountability Act (HIPAA) Title II is labeled Preventing Health Care Fraud and Abuse, Administrative Simplification, and Medical Liability Reform. Title II contains regulations aimed at protecting government programs from fraud and abuse. Another objective of HIPAA Title II is to standardize and simplify the processing of health care transactions. Figure 3-1 illustrates the five sections of HIPAA and provisions under HIPAA Title I and Title II.




HIPAA Title I: Health Insurance Reform (Health Care Access, Portability, and Renewability)


The original focus of HIPAA was to ensure portability or continuation of health insurance coverage for workers who lost or changed jobs. Prior to the implementation of HIPAA, insurance companies could deny individuals coverage based on preexisting conditions or health status. Individuals who lost their jobs or changed employment often were unable to obtain health insurance coverage due to preexisting medical conditions. Individuals who presented with a catastrophic illness, such as cancer or HIV infection, could be denied coverage or insurance companies could elect to drop coverage because of the expense of treating such illnesses. HIPAA Title I is designed to reform health insurance to protect health insurance coverage for millions of Americans when they change or lose their jobs. It is designed to guarantee health insurance access, portability, and renewal. Title I of HIPAA includes provisions to achieve three major objectives that relate to portability and continuance of health insurance coverage as outlined below:





HIPAA Title II: Preventing Health Care Fraud and Abuse and Administrative Simplification


Efforts to control the rising cost of health care led to the implementation of HIPAA legislation. HIPAA Title II: Prevention of Health Care Fraud and Abuse and Administrative Simplification addresses two areas identified as contributing to the rising cost of health care: fraud and abuse and the cost of administering health insurance. One major objective of HIPAA Title II is to save health care dollars through prevention of health care fraud and abuse. To accomplish this, HIPAA Title II contains provisions to increase prevention and detection of fraud and abuse activities. Another objective is to standardize the health insurance administration process to reduce the cost of processing health care transactions. Health care leaders estimate that administrative costs could be reduced by billions of dollars annually by increasing the use of electronic data interchange (EDI) for health care transactions such as claim submission and payer remittance. CMS defines electronic data interchange (EDI) as the exchange of routine business transactions from one computer to another in a standard format, using standard communications protocols. HIPAA Title II also contains provisions to standardize health care transactions for electronic processing.



Combat Waste, Fraud, and Abuse in Health Care


HIPAA Title II addresses the need to combat waste, fraud, and abuse in health care by increasing funding to support fraud detection activities, by increasing civil monetary penalties for fraud and abuse, and through the creation of several programs: the Health Care Fraud and Abuse Control Program, the Incentive Program for Fraud and Abuse, and the Medicare Integrity Program.



The Health Care Fraud and Abuse Control Program (HCFAC)

The Health Care Fraud and Abuse Control (HCFAC) Program became effective in 1997. The program was created under HIPAA to identify fraud and abuse in federal programs, such as Medicare and Medicaid, and among private payers. HIPAA legislation established this program and allocated funds from the Medicare Part A Trust Fund to expand fraud and abuse control activities. The program is administered “under the joint direction of the Attorney General and the Department of Health and Human Services (acting through the Office of the Inspector General). The HCFAC program is designed to coordinate federal, state and local law enforcement activities concerning health care fraud and abuse. Monies recovered through fraud investigations must be deposited into the Federal Hospital Insurance Trust Fund, as mandated under HIPAA.”


HIPAA also expanded the definition of fraud to include language indicating that providers can be held liable if they knew or should have known that information on a claim was false. Fraud is defined as an intentional deception or misrepresentation that someone makes, knowing it is false, that could result in an unauthorized payment. The Centers for Medicare and Medicaid Services (CMS) outlines the following as the most common forms of fraud as illustrated in Figure 3-2:




Abuse is defined as actions or practices of health care providers that are inconsistent with accepted sound medical practice, which may result in improper payment. CMS outlines the following as the most common forms of abuse as illustrated in Figure 3-3:






Medicare Integrity Program (MIP)

Creation of the Medicare Integrity Program (MIP) was authorized under HIPAA legislation. The primary objective of the program is to develop and implement systems to safeguard Medicare payments. One function is to identify and investigate suspicious claims throughout Medicare to ensure that the program does not pay claims other insurers should pay. The MIP also ensures that Medicare pays only for covered services that are reasonable and medically necessary.


HIPAA legislation also granted CMS authority to hire contractors to perform fraud-fighting functions. CMS developed a program called Program Safeguard Contractor (PSC) in 1999 to carry out audits, identify cases of fraud and abuse, conduct medical reviews, and perform other essential program integrity activities that were previously performed by Medicare contractors who processed claims. The transfer of fraud and abuse work from Medicare contractors to PSC was completed in 2006. The Program Safeguard Contractors were replaced by Zone Program Integrity Contractors (ZPIC), which are established in seven zones as illustrated in Figure 3-4. A contractor may be responsible for more than one zone. For example, the contractor for Zones 2 and 5 is AdvanceMed. CMS partners with other audit contractors such as Recovery Audit Contractors (RAC) and Medicaid Integrity Contractors (MIC). Recovery Audit Contractors (RAC) are audit contractors hired by CMS to carry out Medicare audits to identify and correct underpayments and overpayments, conduct medical reviews, and perform other essential program integrity activities. Medicaid Integrity Contractors (MIC) are audit contractors hired by CMS to carry out Medicaid audits, conduct medical reviews, and perform other essential Medicaid program integrity activities. Audits performed by these contractors can result in demands for repayment, civil and criminal penalties, and exclusion from government programs.





Simplify the Administration of Health Insurance


The Title II: Administrative Simplification portion of the HIPAA regulations is designed to improve the efficiency and effectiveness of the nation’s health care system by encouraging the widespread use of electronic data interchange (EDI). HIPAA Title II contains provisions that mandate the adoption of national standards for electronic health transactions, including standard transactions and code sets (TCS), and national identifiers for providers, health plans, and employers. The increased use of EDI brought with it concerns regarding the security and privacy of health data.


The implementation dates for HIPAA provisions are determined based on the publication date of the final rule. Before a rule (or law) becomes final, a preliminary draft is published in the Federal Register with a time frame for comments. After the comment period, the preliminary draft is revised to reflect the consensus of all comments received, and the final rule is published. Generally, once the final rule is published there is a 2-year plus 60-day period before the rule becomes effective. All covered entities are required to comply with the HIPAA regulations on the effective date published in the Federal Register. The Federal Register can be accessed at http://www.gpo.gov/fdsys/. Table 3-1 outlines implementation dates for various HIPAA regulations.



TABLE 3-1


HIPAA Regulations: Implementation Dates

| Date | Implementation of HIPAA Regulations |
|---|---|
| August 21, 1996 | HIPAA passed by Congress. |
| April 14, 2001 | Privacy rule final implementation |
| October 16, 2003 | Electronic Health Care Transactions and Code Sets (Medicare will only accept paper claims under limited circumstances) |
| April 14, 2003–April 20, 2006 | Privacy Standards, Employer Identifier Standard, Security Standards (all covered entities and small health plans) |
| May 23, 2008 | National Provider Identifier (all covered entities except small health plans) |
| January 1, 2012 | ASC X12N Version 5010 Standards—replace Version 4010/4010A |
| January 1, 2013 | Effective date for operating rules for eligibility for health plan and health claims status transactions |
| October 1, 2014 | ICD-10-CM and ICD-10-PCS Code Sets for medical diagnosis and inpatient procedures. The original implementation date was October 1, 2013. The DHHS published a final rule that delays the ICD-10 compliance date to October 1, 2014. |
| December 31, 2013 | Certification, Part 1—Health plan must certify data and information systems are in compliance with applicable standards and operating rules for health plan eligibility, health claims status, electronic funds transfer and health care payment and remittance advice. |
| January 1, 2014 | Effective date of operating rules and standards for electronic funds transfers (EFT) and remittance advice |
| April 1, 2014 | Penalties may be assessed against a health plan that has failed to meet the certification and compliance requirements for standards and operating rules. |
| December 31, 2015 | Certification, Part 2—Health plan must certify that its data and information systems are in compliance with applicable standards and operating rules for: health claims or equivalent encounter information; enrollment and disenrollment in a health plan; health plan premium payments; referral certification and authorization and health claims attachments |
| January 1, 2016 | Effective date of operating rules for health claims or equivalent encounter information, enrollment and disenrollment in a health plan, health plan premium payments, referral certification and authorization, health care claims attachments. Effective date of standard for health care claims attachments |

(Revised data from Centers for Medicare and Medicaid Services, http://www.cms.gov/HIPAAGenInfo/.)




BOX 3-1   Test Your Knowledge


HIPAA OVERVIEW; HIPAA LEGISLATION



True/False





Short Answer




6. The original focus of this section under HIPAA was to ensure portability or continuation of health insurance coverage for workers who lost or changed jobs.


7. In the 1990s health care leaders were called on to identify other issues that contributed to the rising cost of health care. Contributing factors identified included limited access and portability of health insurance coverage, as well as fraud and abuse. List one other contributing factor.


8. List another name used when referring to the Health Insurance Portability and Accountability Act (HIPAA).


9. This section of HIPAA is designed to combat fraud and abuse in health care by increasing funding to support fraud detection activities, by increasing civil monetary penalties for fraud and abuse, and through the creation of several programs.


10. HIPAA legislation was passed by Congress in 1996 under what section of the law?



Indicate whether the following statements are fraud or abuse




Match the following descriptions with the appropriate program name.




16. ____ This program was created under HIPAA in 1997 to identify fraud and abuse in federal programs, such as Medicare and Medicaid, and among private payers.


17. ____ Creation of this program was authorized under HIPAA legislation and the primary objective of the program is to develop and implement systems to safeguard Medicare payments.


18. ____ This program was developed by CMS in 1999 to carry out audits, conduct medical reviews, and perform other essential program integrity activities that were previously performed by Medicare contractors who processed claims.


19. ____ Special fraud-fighting contractors that replaced Program Safeguard Contractors (PSC).


20. ____ A program created under HIPAA that provides incentives to Medicare beneficiaries and others who report fraud and abuse in the Medicare program.



HIPAA Regulations


The health care industry is governed and regulated in accordance with many state and federal regulations. Health care providers must implement systems to ensure compliance with all state and federal regulations. Compliance is the term used to describe the act of following standards in accordance with state and federal regulations. A number of federal laws mandate compliance and have provisions for sanctions against individuals or organizations that do not comply, particularly in the areas of privacy and security of patient information, billing, and coding guidelines and claim submission requirements. For example, the Civil Monetary Penalties Law (CMPL) of 1983 was passed for the purpose of prosecuting cases of Medicare and Medicaid fraud. This law contains provisions regarding sanctions that can be imposed on individuals or organizations convicted of fraudulent activities as defined in the Federal False Claims Act. The sanctions imposed under the CMPL are outlined below; however, it is important to note that they are periodically updated.





Enforcement and Penalties


HIPAA legislation mandates compliance with the standards and provisions involving administrative simplification, privacy, and security. Civil and/or criminal penalties may be imposed for non-compliance with HIPAA standards. A three-tier civil penalty structure for HIPAA violations was established under the American Recovery and Reinvestment Act (ARRA) of 2009 that was signed into law on February 17, 2009. The Secretary of the DHHS is still prohibited from imposing civil penalties (except in cases of willful neglect) if the violation is corrected within 30 days (this time period may be extended). Criminal penalties can be imposed for the following violations:



Compliance requirements, including the date of compliance, are published in the Federal Register. Figure 3-5 illustrates HIPAA objectives and enforcement agencies that can impose penalties for non-compliance. Three agencies responsible for enforcing standards and provisions are the Office of the Inspector General (OIG), the Centers for Medicare and Medicaid Services (CMS), and the Office of Civil Rights (OCR).




Office of the Inspector General (OIG)


The Office of the Inspector General (OIG) is an agency under the Department of Health and Human Services (DHHS) that is responsible for the detection and prevention of fraud and abuse. The OIG monitors compliance and enforces laws related to fraud and abuse (Figure 3-6). When a Medicare provider allegedly commits fraud, an investigation is conducted by the OIG. If evidence of fraud or abuse is found by the OIG, the case is referred to the Department of Justice (DOJ) for prosecution. Criminal, civil, and/or administrative sanctions for fraud convictions may include:






Office of Civil Rights (OCR)


The Office of Civil Rights (OCR) is an agency under the DHHS that is responsible for monitoring compliance and enforcement of HIPAA privacy and security standards. Complaints regarding privacy issues are submitted by individuals or other entities to the OCR in writing. The OCR conducts an investigation and determines required action. There are civil and criminal penalties for violating HIPAA privacy and security provisions. Penalties for violations can be imposed only on covered entities and business associates. Civil and criminal penalties are as follows:






Covered Entities


A covered entity is an organization involved with health care delivery that provides health care services, submits claims for services, or provides health care coverage. HIPAA identifies three types of covered entities that must follow the regulations as illustrated in Figure 3-7:







Posted Mar 24, 2017 in NURSING
