
Author Archive

Nov 23

Q&A: Accessing the UB-04 form


Q. Do I have the right as a Medicare beneficiary to access the UB-04 form that a hospital submits as a bill for payment to Medicare? May I access and receive a copy of my coding abstract? I understand that these documents are part of the electronic data that is part of my record, which is considered part of the designated record set.

A. The Privacy Rule gives you the right to access records in the designated record set. This is defined as information used by a covered entity to make decisions about individuals. For providers, the designated record set includes medical and billing records. For health plans, the designated record set includes enrollment, payment, claims adjudication, and case management records.

The UB-04 form is a billing record, so it is part of the designated record set to which you have access.

The coding summary is an administrative record and may not be considered part of your medical record. If the covered entity defines the medical record to exclude administrative records, such as coding summaries, the covered entity may deny your request to access your coding summary. However, codes that were submitted for billing will appear on the UB-04.

Mary D. Brandt, MBA, RHIA, CHE, CHPS, answered this question in the December issue of the HCPro, Inc. newsletter Briefings on HIPAA.

Aug 31

Q&A: PHI for parents


Q. Can you tell me whether the parent of a patient now over 18 years of age may receive information relating to a medical bill for services provided when the patient was still a minor?

A. Because the patient is now of legal age, you should obtain the patient’s written authorization to release this information to the parent. Alternatively, you can release the information directly to the patient, who can decide whether to share it with the parent.

Editor’s note: This answer, provided by Mary Brandt, MBA, RHIA, CHE, CHPS, was published in the August 2012 edition of the HCPro, Inc. newsletter Briefings on HIPAA.


Q. I’m having problems with managed care companies requesting PHI for their Healthcare Effectiveness Data and Information Set (HEDIS) quality reviews. When I ask them for the individual’s signed enrollment agreement to ensure that disclosure is appropriate, some of them tell me this is covered in our Notice of Privacy Practices (NPP). This doesn’t seem correct to me. Our NPP tells patients how we use their PHI, not how the managed care company uses it. Is it okay to release this information to the managed care company without the patient’s authorization?

A. Your interpretation is correct; your NPP explains how your organization uses PHI, not how payers may use it. However, you are permitted to disclose PHI to other CEs (such as managed care companies) for their healthcare operations, which would include HEDIS quality reporting. You don’t need the patient’s authorization for this disclosure, as long as both of the CEs have a relationship with the patient.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, a nationally recognized expert on patient privacy, information security, and regulatory compliance, answered this question. She is associate executive director of Health Information Management (HIM) at Scott & White Healthcare in Temple, TX. Some of her publications were used as a basis for the Health Insurance Portability and Accountability Act of 1996 privacy regulations.

 


Q. What constitutes a privacy breach that requires notification to patients? Recently, a thief broke into an employee’s car and took her address/memo book. The book contained patients’ last names only and a medical ID number, or maybe first and last names with medical ID numbers, and an occasional note regarding the care or a question the patient asked. How should we handle this?

A. The American Recovery and Reinvestment Act of 2009 (ARRA) defines a breach as an unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the information. This incident meets the definition of a breach under ARRA.

You can find additional guidance in the interim final rule for breach notification for unsecured PHI, which became effective September 23, 2009. It remains in effect as of press time, pending issuance of a new final rule (see related story on the rule sent to OMB). The interim final rule includes a harm threshold provision, which allows an organization to omit notification of affected patients if it determines that the use or disclosure poses no significant risk of “financial, reputational, or other harm” to the individual.

Although this incident does constitute a privacy breach, you must evaluate the information contained in the address book to determine whether a significant risk of harm exists. For entries that include only the patient’s name and medical record number, the risk is probably not significant. If the notes regarding care or questions asked reveal the patient’s diagnosis, the risk may be significant.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, a nationally recognized expert on patient privacy, information security, and regulatory compliance, answered this question. She is associate executive director of Health Information Management (HIM) at Scott & White Healthcare in Temple, TX. Some of her publications were used as a basis for the Health Insurance Portability and Accountability Act of 1996 privacy regulations.
 

Mar 26

HIPAA Q&A: De-identifying pill bottles

Q. Some of the medications we receive for our assisted living residents are in blister packs. After the pack is emptied, the labels are easily torn off and shredded. However, some medications are received in a multidose pill bottle. Is using a felt-tip marker an acceptable means to de-identify these labels before placing the bottles in the trash?

A. Yes. Obliterating patient identification (including name and medical record number) with a permanent marker is a good way to protect patient privacy before disposing of these containers.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, a nationally recognized expert on patient privacy, information security, and regulatory compliance, answered this question. She is associate executive director of Health Information Management (HIM) at Scott & White Healthcare in Temple, TX. Some of her publications were used as a basis for the Health Insurance Portability and Accountability Act of 1996 privacy regulations.  
