Recommended
More Related Content
What's hot
What's hot (20)
Similar to Regulating Healthcare - Lecture D
Similar to Regulating Healthcare - Lecture D (20)
More from CMDLearning
More from CMDLearning (20)
Recently uploaded
Recently uploaded (20)
Regulating Healthcare - Lecture D
- 1. Introduction to Health Care and Public Health in the U.S. Regulating Health Care Lecture d This material (Comp 1 Unit 6) was developed by Oregon Health & Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number 90WT0001. This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/4.0/. 1
- 2. Regulating Health Care Learning Objectives - 1 • Describe the role of accreditation, regulatory bodies, and professional associations in health care in the U.S. (Lecture a) • Describe the basic concepts of law in the United States: the legal system, sources of law, classification of laws, the court system, and the trial process. (Lecture b) 2
- 3. Regulating Health Care Learning Objectives - 2 • Describe legal aspects of medicine involving the Affordable Care Act, professional standards in health care, medical malpractice, Tort reform, and Medicare and Medicaid Fraud and Abuse (Lecture c) 3
- 4. Regulating Health Care Learning Objectives - 3 • Describe key components of the Health Insurance Portability and Accountability Act (HIPAA) and describe efforts to promote patient safety in the U.S. (Lecture d) • Discuss the need for quality clinical documentation for the use of the health record as a legal document, communication tool and a key to prove compliance for health care organizations. (Lecture e) 4
- 5. Health Insurance Portability and Accountability Act (HIPAA) • Improves “portability” of health insurance – Employer plans may not limit coverage due to pre-existing conditions – If health insurance is lost, improves access to a group health plan – Protects from discrimination based on health status • Establishes requirements for the exchange of personally identifiable health information 5
- 6. HIPAA Privacy & Security • Privacy requirements – What health information must be protected https://www.hhs.gov/hipaa/for- professionals/privacy/laws-regulations/index.html • Security requirements – How to protect health information https://www.hhs.gov/hipaa/for- professionals/security/laws-regulations/index.html 6
- 7. HIPAA Covered Entities - 1 6.1 Figure: Flowchart for determining whether an entity is a HIPAA covered health provider or not. (CMS.gov, nd.) 7
- 8. HIPAA Covered Entities - 2 • Health care providers • Health plans – Insurance companies – Health maintenance organizations (HMOs) – Company insurance plans – Government agencies that pay for health care 8
- 9. HIPAA Covered Entities - 3 • Health care clearinghouses – Billing services – Repricing companies – Community health management information systems – Value-added networks and switches that perform clearinghouse functions 9
- 10. Business Associates • Entities that are engaged to assist covered entities in delivering health care services • Business Associate Agreement (BAA) • Must also comply with HIPAA rules 10
- 11. HIPAA Privacy Rule • Applies to protected health information (PHI) • Applies to all forms or medium • Individually identifiable health information – Name/address – Phone number – E-mail address – SSN – Photograph 11
- 12. Individually Identifiable Information • Information can be used to identify the individual – Physical or mental health condition – Provision of health care – Payment 12
- 13. Privacy Rule Requirements • Notify patients of rights • Allow patients to see their medical records • Implement and train employees on privacy procedures • Designate individual to be responsible for seeing that procedures are adopted and followed • Keep patient records secure 13
- 14. HIPAA Security Rule • Requires covered entities to use security measures to protect health information • Does not specify which technology must be used • Establishes minimum federal standards – State laws may require more rigorous safeguards 14
- 15. HIPAA Security Rule: General Guidelines • Covered entities must: – Ensure confidentiality, integrity, and availability – Anticipate threats and protect against them – Protect against impermissible uses or disclosures – Ensure workforce compliance 15
- 16. HIPAA Enforcement and Penalties - 1 • The Office of Civil Rights within the U.S. Department of Health and Human Services enforces HIPAA compliance • The HITECH Act extends privacy and security rules, provides for enhanced enforcement https://www.hhs.gov/hipaa/for- professionals/privacy/laws-regulations/combined- regulation-text/omnibus-hipaa- rulemaking/index.html 16
- 17. HIPAA Enforcement and Penalties - 2 • HIPAA Omnibus Rule, 2013 – Stringent requirements regarding notification of health information breach to the Department of Health and Human Services – Increased fines and penalties – Enhanced patient control of health information 17
- 18. Patient Safety - 1 • Regulation is an important mechanism used to improve patient safety • Landmark 1999 report (To Err is Human) – 44,000 to 98,000 people die in hospitals each year as a result of preventable medical mistakes – Mistakes cost hospitals $17 billion to $29 billion yearly 18
- 19. Patient Safety - 2 • The 1999 To Err is Human Report: – Individual errors are not the main problem – Faulty systems, processes, and other conditions lead to preventable errors 19
- 20. Medical Mistakes Today • Errors can result in medical malpractice lawsuits – 61% of doctors are sued at some point – Medical malpractice payouts totaled over $3 billion dollars in 2014 • Suffering from medical errors: not measurable 20
- 21. The Joint Commission Safety Initiatives - 1 • Sentinel Event Policy – Unexpected death, unexpected serious physical or psychological injury, or the risk of such an event • Patient Safety Advisory Group – Panel of experts who recommend National Patient Safety Goals – Also address newly developing safety issues 21
- 22. The Joint Commission Safety Initiatives - 2 • Universal Protocol for Preventing Wrong Site, Wrong Procedure and Wrong Person Surgery – Pre-surgery verification – Site marking – “Time out” before an incision is made • The Speak Up Initiative – Encourages patients to participate in their care – Free patient education materials 22
- 23. Agency for Health Care Research and Quality (AHRQ) • Part of U.S. Department of Health and Human Services. – www.AHRQ.gov • Improve safety and quality of care – Investing in research – Creating tools to put the results into practice – Generating measures and data used by providers and policymakers 23
- 24. National Health Care Quality Report • Effectiveness • Timeliness • Efficiency • Patient safety • Access to care • Patient centeredness 24
- 25. AHRQ: Health IT • Develops and disseminates information • Toolkits and educational materials are available to capture best practices in the use of technology • Research funding opportunities are also available 25
- 26. Regulating Health Care Summary – 1 – Lecture d • Patient privacy and safety are high priorities for all people employed in the health care industry • HIPAA has rules for the privacy and security of patient health information • The Joint Commission supports initiatives for reducing medical errors 26
- 27. Regulating Health Care Summary – 2 – Lecture d • Patient safety is an important focus for health care improvement • The Agency for Health Care Research and Quality is an important source of information regarding care improvement through the effective use of health IT 27
- 28. Regulating Health Care References – 1 – Lecture d References Agency for Health Care Research and Quality. 2014 National Health Care Quality Report. http://www.ahrq.gov/research/findings/nhqrdr/nhqdr14/index.html. Accessed January 27, 2017. Agency for Health Care Research and Quality. Health information technology portfolio. https://healthit.ahrq.gov/. Accessed January 27, 2017. Centers for Medicare and Medicaid Services. Are you a covered entity? https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA- ACA/AreYouaCoveredEntity.html. Accessed January 27, 2017. HIPAA Business Associates. http://www.hhs.gov/hipaa/for-professionals/covered- entities/index.html. Accessed January 27, 2017. Institute of Medicine. To Err is Human: Building a Safer Health System. November 1, 1999. http://www.nationalacademies.org/hmd/Reports/1999/To-Err-is-Human- Building-A-Safer-Health-System.aspx. Accessed January 27, 2017. Medical Liability. http://www.amednews.com/article/20100816/profession/308169946/2/. Accessed January 27, 2017. 28
- 29. Regulating Health Care References – 2 – Lecture d References Medical Malpractice Payout Analysis. Diederich Healthcare. http://www.diederichhealthcare.com/the-standard/2015-medical-malpractice-payout- analysis/. Accessed January 27, 2017. Office of Civil Rights. http://www.hhs.gov/hipaa/for-professionals/compliance- enforcement/data/enforcement-highlights/index.html Accessed January 27, 2017. The Joint Commission. http://www.jointcommission.org. Accessed January 27, 2017. US Department of Health and Human Resources. Health information privacy. http://www.hhs.gov/hipaa/index.html. Accessed January 27, 2017. Charts, Tables, Figures 6.1 Figure: Adapted from https://www.cms.gov/Regulations-and-Guidance/Administrative- Simplification/HIPAA-ACA/Downloads/CoveredEntitiesChart20160617.pdf. CMS (nd.) Acquired from http://www.cms.gov. Last accessed January 27, 2017. 29
- 30. Introduction to Health Care and Public Health in the U.S. Regulating Health Care Lecture d This material was developed by Oregon Health & Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number 90WT0001. 30
Editor's Notes
- Welcome to Introduction to Health Care and Public Health in the U.S.: Regulating Health Care. This is lecture d. The component, Introduction to Health Care and Public Health in the U.S., is a survey of how health care and public health are organized and how services are delivered in the U.S. It covers public policy, relevant organizations and their interrelationships, professional roles, legal and regulatory issues, and payment systems. It also addresses health reform initiatives in the U.S.
- The learning objectives for Regulating Health Care are to: Describe the role of accreditation, regulatory bodies, and professional associations in health care in the U.S. Describe the basic concepts of law in the U.S.: the legal system, sources of law, classification of laws, the court system, and the trial process.
- Describe legal aspects of medicine involving the Affordable Care Act, professional standards in health care, medical malpractice, tort reform, and Medicare and Medicaid fraud and abuse.
- Describe key components of the Health Insurance Portability and Accountability Act, or HIPAA, and current issues concerning privacy and patient safety in the U.S. And discuss the need for quality clinical documentation for use of the health record as a legal document, communication tool, and a key to prove compliance for health care organizations.
- This lecture discusses key elements in maintaining patient confidentiality and promoting the safety of patients. Topics include the privacy and security provisions of HIPAA, nationwide efforts to improve patient safety, the role of the Joint Commission, and the federal Agency for Health Care Research and Quality. It is imperative that health care organizations maintain the privacy and confidentiality of patients’ health information. Because privacy is a critical legal and ethical concern, it is the subject of numerous regulations. HIPAA is a major source of patient privacy standards. HIPAA was originally signed into law in 1996, with the goal of improving the portability of health insurance, and increasing efficiency through the electronic exchange of patient information. Portability can be thought of as the ability to transfer health insurance coverage. For example, HIPAA limits the ability of a new employer plan to exclude people who have preexisting conditions. For employees who lose group health insurance coverage, HIPAA provides opportunities to enroll in another plan. HIPAA also gives certain individuals guaranteed access to individual health insurance policies. In addition, HIPAA prohibits discrimination against employees and their family members based on their health, including genetic disease. Recognizing that the electronic exchange of patient information may pose a risk to patient privacy, HIPAA establishes requirements that must be met when personally identifiable health information is shared between entities.
- This lecture concentrates on those parts of HIPAA that relate to the privacy and security of health information. Generally speaking, privacy requirements describe the kinds of information that must be protected and who must protect the information. Security requirements address the steps that must be taken to protect health information and who is responsible for protecting that information. HIPAA also specifies that individuals have the right to control how their health information is used. Detailed information about all aspects of HIPAA coverage and requirements can be found using the links on this slide.
- HIPAA privacy and security requirements apply to individuals and organizations called “covered entities” who transmit health information in electronic form. Transactions that must comply with HIPAA regulations include health plan enrollment and disenrollment, information sharing related to health care referrals, preauthorization of services, payment of insurance premiums, and payment for health care services.
- The first category of covered entities is health care providers. HIPAA defines health care providers quite broadly, to include not only individuals such as doctors and dentists, but also institutions, including clinics, hospitals, and nursing homes. Basically, any person or organization that provides health care, bills for health care, or is paid for health care is a covered entity. Health Care providers are covered entities even if they use a third party, such as a billing service, to transmit the protected electronic information. The second category of covered entities that must follow HIPAA privacy and security rules is health plans. For HIPAA purposes, health plans include health insurance companies, health maintenance organizations, or HMOs, company insurance plans, and government agencies that pay for health care.
- The third category of covered entities is health care clearinghouses, which are organizations that standardize health information. Examples include billing services, repricing companies that adjust prices based on insurance payments, and community health management information systems. Value-added networks and switches are also covered entities if they perform clearinghouse functions. A value-added network is a private network provider hired by a company to facilitate electronic data interchange or provide other network services. A switch refers to a type of computer network vendor.
- In addition to covered entities, HIPAA rules also apply to a covered entity’s business associates. If a covered entity engages businesses to help the covered entity deliver care, the covered entity must enter a Business Associate Agreement, also known as a BAA, with each business. The BAA must specify what the business associate has been engaged to do, and must require the business associate to comply with HIPAA rules. Business associates are responsible for their own compliance with HIPAA rules.
- The HIPAA Privacy Rule applies to what is termed protected health information, or PHI, that is held or transmitted by a covered entity or its business associates. The term PHI refers to individually identifiable health information that is transmitted electronically, maintained in electronic media, or transmitted or maintained in any other form or medium. Obvious examples of individually identifiable information are the patient’s name, address, telephone number, e-mail address, Social Security number, and photograph. However, many other kinds of information are considered capable of uniquely identifying the patient. These include birth date, admission date, discharge date, medical record number, and date of death, if applicable.
- Individually identifiable health information can be divided into three main categories. The first category, physical or mental health condition, refers to information that relates to a person’s past, present, or future physical or mental health condition. The second category, provision of health care, describes the health care services that have been or will be provided to the person. The third kind of protected information is payment information. All of this information is protected as long as there is a reasonable basis to believe that it can be used to identify the individual.
- One of the basic requirements of the HIPAA Privacy Rule is to notify patients about their privacy rights and how their information can be used. In addition, the HIPAA Privacy Rule gives patients the right to see their medical records. The Privacy Rule also has several requirements that relate to office policies and procedures. Covered entities must adopt and implement privacy procedures and train their employees to follow the procedures. Covered entities must also designate an individual to be responsible for ensuring that the privacy procedures are followed. Finally, covered entities must secure patient records so they are not easily accessible to those who do not need them.
- The HIPAA Security Rule sets out administrative, physical, and technical measures that covered entities must have in place to protect electronic health information. The Security Rule does not require the use of any specific technology, so that organizations can use the latest electronic communications and security technologies as they are developed. The law emphasizes that security is an ongoing process rather than a one-time goal. The HIPAA Security Rule establishes certain minimum standards. In some states, state law may require more rigorous safeguards than HIPAA specifies. In these cases, covered entities must follow the more stringent state laws.
- The U.S. Department of Health and Human Services has published a summary of the HIPAA Security Rule that lays out some general guidelines. The first is to ensure the confidentiality, integrity, and availability of all protected health information that covered entities create, receive, maintain, or transmit. The second general requirement is that covered entities must try to anticipate threats to the security and integrity of the information, and protect against them. Third, covered entities must protect against impermissible uses or disclosures of protected information. Fourth, covered entities must ensure employee compliance with HIPAA regulations.
- Compliance with HIPAA is enforced by the Office of Civil Rights of the U.S. Department of Health and Human Services. Failure to comply with these rules can result in substantial civil fines and criminal penalties. The HIPAA privacy and security rules were extended with Health Information Technology for Economic and Clinical Health, or HITECH, legislation in 2009, resulting in a widened scope of protections and enhanced enforcement.
- The HIPAA Omnibus Rule went into effect in 2013, resulting in more stringent requirements regarding notification of health information breach to the Department of Health and Human Services, increased fines and penalties, and enhanced patient control of health information.
- We now transition to the topic of patient safety and federal efforts focused on improved patient safety. In a landmark 1999 report, the nonprofit Institute of Medicine published a report called To Err is Human. This report was the first to deal in-depth and openly with the problem of medical errors on a nationwide scale. It concluded that between forty-four thousand and ninety-eight thousand people die in hospitals each year as a result of preventable medical errors, such as administration of the wrong drug or dosage. The report also showed that U.S. hospitals lose seventeen to twenty-nine billion dollars every year as a result of errors.
- The report noted that errors by individuals are not the predominant problem. Instead, it argued that faulty systems and procedures are most often to blame for preventable errors. An example of a faulty system is a hospital that stocks patient-care areas with full-strength drugs that are toxic until they are diluted, which may lead to use without proper drug preparation. While safety advancements have occurred since this landmark report, patient safety remains a concern, and is a focus of health care improvement efforts today.
- Medical mistakes often result in lawsuits for malpractice. A study by the American Medical Association found that approximately 61 percent of all physicians will have been sued at some point in their careers. Medical malpractice payouts totaled over 3 billion dollars in 2014. The cost of human suffering from medical errors is probably not measurable. However, it is the reason that patient safety remains a top priority for the entire health care workforce.
- As discussed earlier in this unit, the Joint Commission, or TJC, is a nonprofit organization that accredits hospitals and other health care organizations. However, TJC also plays a major role in efforts to improve patient safety. In fact, more than half of its activities are directly related to that goal. One of these initiatives is called the Sentinel Event Policy. TJC defines a sentinel event as one that resulted or could have resulted in an unexpected death or serious harm. Some sentinel events relate to the patient’s health, such as death of an apparently healthy baby or a bad reaction to a blood transfusion. Other sentinel events relate to conditions in the hospital, such as the discharge of a baby to the wrong family, or the abduction or rape of a patient. Whenever a sentinel event occurs, the health care organization is expected to conduct a thorough analysis of the situation that caused it or allowed it, and take steps to prevent the event from happening again. Organizations are encouraged to report sentinel events to TJC, so other health care organizations can learn from the analysis. The Patient Safety Advisory Group is a panel of safety experts, nurses, physicians, pharmacists, and other professionals. Working with TJC staff, this group establishes annual National Patient Safety Goals, which are lists of tips for health care professionals to follow to prevent errors. For example, when taking a blood sample, a health care professional must label the specimen container before moving on to the next patient to avoid inadvertent labeling mistakes. The Patient Safety Advisory Group also helps TJC detect and address newly emerging safety issues.
- The Universal Protocol is an initiative designed to prevent surgical errors. An important part of the protocol is for health care professionals to conduct a pre-procedure verification process, making sure that they have the right patient, that they plan to conduct the right procedure, and that they plan to operate on the correct site—for example, the patient’s left leg, not the right leg. Other steps in the Universal Protocol are to mark the intended site of the surgery and for the surgical team to take a “time out” before making any incision. During the time out, the team members communicate with one another and verify once again that they have the correct patient and the correct surgical site, and that all agree about what procedure they are about to perform. The Speak Up Initiative encourages patients to take an active role in the decisions that are made about their health care. Patients are urged to speak up if they have a question or concern, and to educate themselves about their disease and the medications they take. The program provides educational materials for patients on topics including surgery, infection prevention, medication safety, medical tests, and patient rights. Speak Up materials are free and can be downloaded from the Joint Commission website, which is listed in the References section of this presentation.
- The Agency for Health Care Research and Quality, or AHRQ, is part of the U.S. Department of Health and Human Services. The AHRQ Web site contains a wealth of information for both health care providers and the public at AHRQ dot gov. The agency is charged with improving the safety and quality of care that patients receive. Key activities include investing in research to understand how to improve safety and quality, creating tools to help put the results of research into practice, and generating measures and data used by providers and policymakers in decision making.
- Every year, AHRQ issues a National Health Care Quality Report, which focuses on national trends in the quality of health care. The report discusses health care effectiveness, timeliness, and efficiency; patient safety; access to care; and the effectiveness of health care professionals at putting patients at the center of their efforts.
- AHRQ develops and disseminates evidence to inform policy and practice on how health information technology can improve the quality of health care. The AHRQ website offers resources focused on topics such as consumer health IT applications, electronic medical records systems, workflow, and health information exchange. The site also links to top peer-reviewed articles that provide insight into designing and implementing appropriate health IT systems. Furthermore, AHRQ provides grant funding for projects designed to improve processes and procedures in health IT. Information about these grants is available on their website, which is provided in the Resources section of this presentation.
- This concludes lecture d of Regulating Health Care. In summary, it is imperative, both ethically and legally, that everyone involved in health care maintain patient privacy and safety. HIPAA enforces rules about the privacy and security of patient health information. The Joint Commission supports initiatives for reducing medical errors, including the Sentinel Event Policy, the National Patient Safety Goals, the Universal Protocol for surgery, and the Speak Up Initiative.
- Finally, the Agency for Health Care Research and Quality is an important source of information about how to improve the safety and quality of patient care through the effective use of Health IT.
- References slides. No audio.
- References slides. No audio.
- No Audio.