HIPAA (Health Insurance Portability & Accountability Act

Protecting the patients’ privacy is an essential part of the physician/patient relationship. The most important issues that a physician needs to be aware of in doing business with Valley health Plan (VHP) are the following key points: 1. Providers are responsible for all of the Protected Health Information (PHI) created as the result of keeping records and billing for services. Any requests made to VHP by a patient to restrict or alter medical record information will be referred back to the provider’s office. 2. Providers must use the appropriate codes for services and ensure that the treating provider is identified. Providers must ensure that that all electronic or paper claims transmissions are secure and in the correct format. 3. Providers must give all of your patients the HIPAA privacy rules and their rights to requesting alterations or restrictions of their medical records 4. Providers must maintain a secure environment that protects PHI from an unauthorized person. 5. Provider’s staff Members may only use only the PHI that is necessary to perform their job responsibilities. 6. Providers may transmit PHI to other parties without patient consent only for the purposes of treatment, payment, or operations (including regulatory reporting and compliance). 7. Providers may not release PHI to another party without the patient’s authorization for purposes other than Treatment, Payment or Operations. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 addresses the efficiency and effectiveness of data exchange for administrative and financial transactions and the security and privacy of healthcare information. Among the key components of the regulations are: 1) Standards for Privacy of Individually Identifiable Health Information; 2) Transaction Codes and Identifiers; and 3) Security and Electronic Signature Standards. HIPAA regulations require health plans, providers and healthcare clearinghouses to protect the privacy of patient information. To monitor compliance, VHP will review procedures and practices for confidentiality and medical record documentation as part of the site audits and Medical Records Review. The Department of Health and Human Services is required to adopt “national uniform standards” for the following areas: a) Financial Transactions: includes claims and encounters, enrollment, claim status, insurance eligibility, referrals, and claim payment and remittance b) Code Sets: includes Diagnosis and Procedure coding (ICD9, CPT4, NDC, and HCPCS), involving disease, injuries, impairments, drugs, procedures, and billing c) Unique Identifiers: includes Individuals, Providers, Employers, and Health Plans d) Security: includes administrative security management procedures, physical access safeguards, technical security services and mechanisms, and electronic signature requirements e) Privacy and Health Information Disclosure: includes privacy protection practices and procedures to monitor release of information

Providers are not required to submit claims electronically, but they are required to use the standard format for all claims submitted electronically. Payers, on the other hand, must have the capability to send and receive electronic transactions using the designated standards.

The Transaction standards for Health Care Claims or Equivalent Encounter Information, Coordination of Benefits, Enrollment/Dis-enrollment, Eligibility, Health Plan Premium Payments, and Referral Certification and Authorization includes:

Local codes have been eliminated in the standard transactions. The standard code sets are: a) ICD-9-CM, Volumes 1 and 2 Diagnosis, and ICD-9-CM, Volume 3 for Procedures, to be used for all Inpatient Hospital Services, and applicable Outpatient Services b) The combination of HCPCS and CPT-4 for physician services and other health care services c) HCPCS for other substances, equipment, supplies, and other items used in health care services d) NDC for drugs and biologics e) The Code on Dental Procedures and Nomenclature for dental services

The proposed security requirements can be categorized in the following four areas: 1) Administrative Procedures – to guard data integrity, confidentiality, and availability. Documents formal practices to manage the selection and execution of security measures to protect data and the conduct of personnel in relation to the protection of data 2) Physical Safeguards – to provide physical protection of equipment and access to equipment control, including systems hardware, data storage devices, and secure workstation locations 3) Technical Security Services – these services include the processes that are put in place to protect, control, and monitor information access, including employee termination procedures, and unique user identification and authentication 4) Technical Security Mechanisms – to prevent unauthorized access to data that transmits over a communications network. Includes the processes that are put in place to prevent unauthorized access to data transmitted over the communications network, such as network and integrity controls, message authentication, and data encryption

Privacy regulations establish basic rights for patients who have protected health information. Regulations propose that individuals have a right to receive a written notice of information practices of the entity, and that they have a right to request and amend inaccurate or incomplete protected health information. The entity must provide a means for individuals to lodge complaints about the entity’s information practices. Covered entities must designate a privacy official, and develop a privacy training program for employees, implement safeguards to protect health information from misuse, and develop a system of sanctions for employees and business partners who violate the entity’s policies and procedures.

Page 55 of 65