Patients’ medical records, which contain the complete, chronological, and comprehensive documentation of their health history and status, are used by providers to communicate and coordinate health care. The records are used by medical insurance specialists to prepare and support health care claims. Documentation of an examination includes the chief complaint (CC), the history, the examination, the diagnosis, and the treatment plan. The process leading to the patient’s informed consent for procedures is also documented. A progress report documents a patient’s response to a treatment plan and provides justification for continued treatment. At the end of a treatment plan, a discharge summary documents the patient’s final status and prognosis. If the provider-patient relationship is terminated, the reasons for termination and the status of the patient’s treatment plan are documented, and the patient is informed in writing.
Electronic medical records and paper records are each forms of medical documentation. EMRs have the advantage of immediate access to health information, computerized physician order management, clinical decision support, automated alerts and reminders, electronic communication and connectivity, patient support, administration and reporting, and error reduction.
The HIPAA Privacy Rule, a part of the Administrative Simplification provisions, regulates the use and disclosure of patients’ protected health information (PHI).
Under HIPAA, a covered entity is a health plan, health care clearinghouse, or health care provider that transmits any health information in electronic form in connection with a HIPAA transaction. A business associate, such as a law firm or billing service that performs work for a covered entity, must agree to follow applicable HIPAA regulations to safeguard protected health information.
Protected health information (PHI) is individually identifiable health information that is transmitted or maintained by electronic media, including data such as a patient’s name, Social Security number, address, and phone number.
For use or disclosure for treatment, payment, or health care operations (TPO), no release is required from the patient. To release PHI for other than TPO, a covered entity must have an authorization signed by the patient. The authorization document must be in plain language and have a description of the information to be used, who can disclose it and for what purpose, who will receive it, an expiration date, and the patient’s signature.
The HIPAA Security Rule, a part of the Administrative Simplification provisions, requires covered entities to establish administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of health information.
The HIPAA Electronic Health Care Transactions and Code Sets establish standards for the exchange of financial and administrative data among covered entities. The standards require the covered entities to use common electronic transaction methods and code sets. The four National Identifiers are for employers, health care providers, health plans, and patients.
The Health Care Fraud and Abuse Control Program, part of HIPAA, was enacted to prevent fraud and abuse in health care billing. This law, as well as the Federal False Claims Act and other related laws are enforced by the Office of Inspector General (OIG).
A medical practice compliance plan includes consistent written policies and procedures, appointment of a compliance officer and committee, training plans, communication guidelines, disciplinary systems, ongoing monitoring and auditing of claim preparation, and responding to and correcting errors. Each part of the plan addresses compliance concerns of government and private payers. Having a formal process in place is a sign that the practice has made a goodfaith effort to achieve compliance.
