chapter 5

© 2009 The McGraw-Hill Companies, Inc. All rights reserved.

1

McGraw-Hill

Chapter 5

HIPAA Enforcement

HIPAA for

Allied Health Careers


2

McGraw-Hill

LEARNING OUTCOMESAfter studying this chapter, you should be able to:

1. Explain the purpose of the HIPAA final enforcement rule.2. Distinguish between civil and criminal cases.3. Describe the roles of the Office for Civil Rights (OCR) and the

Department of Justice (DOJ) in the enforcement of the HIPAA privacy standards.

4. Describe the role of the Centers for Medicare and Medicaid Services (CMS) in the enforcement of the HIPAA security, transactions, code sets, and identifiers standards.

5. Describe the civil case procedure followed by OCR and CMS.6. Discuss the role of the Office of Inspector General (OIG) of the

Health and Human Services Department (HHS) in enforcing HIPAA.

7. Compare fraud and abuse.8. Discuss the laws that underpin the OIG’s fraud and abuse

enforcement actions.9. Describe the purpose of an OIG Work Plan.10. List the recommended elements of a compliance plan.


3

McGraw-Hill

Key Terms

• abuse • administrative law judge (ALJ)• advisory opinion• audit• audit reports• benchmark• certification of compliance agreement (CCA)• civil money penalties (CMP)• civil violation• code of conduct• compliance plan• compliance program guidance


4

McGraw-Hill

KEY TERMS (cont’d)

• corporate integrity agreement (CIA)• criminal violation• Deficit Reduction Act (DRA) of 2005 • Department of Justice (DOJ)• excluded parties• external audit• False Claims Act (FCA)• fraud • Health Care Fraud and Abuse Control Program • HIPAA final enforcement rule• internal audit• Office of the Inspector General (OIG)


5

McGraw-Hill

Key Terms (cont’d)

• OIG Fraud Alert • OIG Work Plan• qui tam • relator• Stark II• triggered reviews• upcoding


6

McGraw-Hill

The HIPAA Enforcement Rule

• HIPAA Enforcement Agencies

– Office for Civil Rights (OCR) enforces HIPAA privacy rule.

– Department of Justice (DOJ) prosecutes criminal violations of HIPAA privacy rules.

– Centers for Medicare and Medicaid (CMS) enforces HIPAA nonprivacy standards.

– HHS Office of the Inspector General (OIG) combats fraud and abuse in health care.


7

McGraw-Hill

The HIPAA Enforcement Rule (cont’d)

• Civil Case Procedures

– Voluntary compliance depends on publicity as a deterrent.

– Civil money penalties are applied infrequently.


8

McGraw-Hill


• Criminal Case Procedures

– Knowingly obtaining PHI in violation of HIPAA$50,000 1 year

– Offenses done under false pretenses$100,000 5 years

– Using PHI for profit, gain, or harm$250,000 10 years


9

McGraw-Hill


• Who Is Responsible: The Covered Entity, Business Associates, or Employees?

– Only covered entities can be charged with HIPAA violations.

– Only the enforcing agencies can bring charges.

– CE must follow rules regarding business associate violations.


10

McGraw-Hill

Fraud and Abuse Regulations

• The Health Care Fraud and Abuse Control Program

– HHS OIG has task of detecting fraud and abuse.

– DOJ prosecutes cases found.


11

McGraw-Hill

Fraud and Abuse Regulations (cont’d)

• Federal False Claims Act

– Prohibits false claims.

– Prohibits false statements regarding a claim.

– Protects relators in qui tam cases.


12

McGraw-Hill

Fraud and Abuse Regulations

• Additional Laws

– Antikickback Act of 1986

– Stark Laws

– Sarbanes-Oxley Act

– Deficit Reduction Act (DRA)


13

McGraw-Hill


• Definition of Fraud and Abuse

– Fraud is an intentional act to gain illegal financial advantage, such as upcoding.

– Abuse is unsound medical or business practices resulting in waste of government money.


14

McGraw-Hill


• OIG Investigations, Audits, and Advice– The OIG Work Plan– Advisory Opinions– Audit Reports– OIG Fraud Alerts– OIG Advisory Bulletins– Excluded Parties– Corporate Integrity Agreements (CIAs)– Certificate of Compliance Agreement (CCA)


15

McGraw-Hill


• OIG’s Civil Money Penalties– Can be imposed for a wide variety of HIPAA

violations.– Can be imposed under the Emergency Medical

Treatment and Active Labor Act that require hospitals to:

» Operate an emergency department» Provide stabilizing treatment or an

appropriate transfer for an emergency medical condition

» Accept appropriate transfers of individuals with emergency medical conditions


16

McGraw-Hill

Strategies for Compliance: The Compliance Plan

• Guidance on Compliance Plans

– Compliance program guidance has been issued by the OIG for various types of providers.

• Parts of a Compliance Plan– The seven element of a good plan are:

1. Written policies and procedures2. Appointment of a compliance officer and committee3. Training4. Communication5. Auditing and monitoring 6. Disciplinary systems7. Responding to and correcting errors


17

McGraw-Hill

Strategies for Compliance: The Compliance Plan (cont’d)

• Written Policies and Procedures

– Code of conduct

– Written compliance policies and procedures

– Retention of records and information systems

– Performance evaluations


18

McGraw-Hill


• Compliance Officer and Committee: Compliance officer analyzes:

– Federal and state statutes – Government-sponsored program regulations

(Medicare and Medicaid)– Medicare Carriers Manual and Coverage Issues

Manual– Other health plans’ regulations– Current and past years’ OIG Work Plans– OIG Fraud Alerts and audit reports


19

McGraw-Hill


• Ongoing Training

– Keeping staff up to date

• Effective Lines of Communication

– How noncompliant actions are reported


20

McGraw-Hill


• Ongoing Auditing and Monitoring

– Regular internal audits triggered by benchmarking– External audits required by an enforcing agency

• Disciplinary Guidelines and Policies– Policies in place that apply to all employees

• Corrective Action

chapter 5

Documents