Collegiate sports medicine revenue reimbursement workshop

Collegiate Sports Medicine Revenue & Reimbursement Workshop. HIPAA & FERPA Considerations. January 4-7, 2006. Keith Webster MA, ATC, University of Kentucky. Chair, NATA Governmental Affairs Committee. HIPAA: Mandates the privacy and security of Protected Health Information (PHI)

Presentation Transcript

Collegiate Sports Medicine Revenue & Reimbursement Workshop

HIPAA & FERPA Considerations

January 4-7, 2006

Keith Webster MA, ATC

University of Kentucky

Chair, NATA Governmental Affairs Committee

HIPAA

  • Mandates the privacy and security of Protected Health Information (PHI)

  • Portability of health insurance

  • Simplification of electronic billing

  • Coincides with existing state statutes, need pre-emption analysis

NATA GAC

  • GAC began to address HIPAA in 2001

  • NATA BOD issued response to Privacy modifications in April 2002

  • Contacted HHS in September, 2002

  • Meeting held in December, 2002 with HHS/OCR

  • GAC, CUATC, SSATC, CIC, and NATA staff attended

Three Major Components

  • Privacy Rule- governs use, access, and protects confidentiality of PHI

  • Security Rule- secures PHI being transmitted electronically, 4/21/05

  • Transaction Rule- standardize procedure codes and electronic billing format

Privacy Rule

  • Protects the privacy of an individual’s health information

  • Governs use and disclosure of PHI

  • Provides patients access to their records

  • Patients have control of their records

  • Patients can file complaints about use and disclosure

  • Applies only to Covered Entities

Office of Civil Rights

  • Civil penalties

    • Up to $25,000

  • Criminal penalties

    • Knowing disclosure:

      • $50,000, 1 year imprisonment

    • False pretenses:

      • $100,000, 5 years imprisonment

    • Intent to sell:

      • $250,000, 10 years imprisonment

What is PHI?

  • There are 18 identifiers that constitute Protected Health Information

  • Includes:

    • Name

    • Address

    • DOB

    • SS#

    • Photographs

    • Fingerprints

    • Medical Record #

    • Telephone #

    • Fax #

    • Driver’s License #

    • Email, URL, IP addresses

    • Admit / Discharge Dates

    • Any other unique ID #

Covered Entity

Administrative Simplification Standards:

  • A health care provider who conducts certain transactions electronically

  • A health care clearinghouse

  • A health plan

What is a Covered Entity? As a Health Care Provider:

The following is from the decision support tool found on the website

1. A person, business, or agency that:

  • Furnishes

  • Bills or

  • Receives payment for health care in the normal course of business

What is a Covered Entity?

2. A person, business, or agency that conducts covered transactions, including:

  • Request to obtain payment from provider to a health plan for health care; or

  • In the absence of a direct claim, transmission of encounter information for reporting health care

More Covered Transactions

  • Checking on eligibility to receive care under the health plan

  • Coverage and benefits under the plan

  • Request to obtain authorization for referring someone to another provider

  • Inquiry/response about status of a claim

Still More Covered Transactions

  • Transmission of payment, info about transfer of funds, payment processing info

  • Transmission of EOBs

  • Coordination of benefits transaction is the transmission from any entity to a plan to determine payment responsibilities of the plan

What is a Covered Entity?

3. Are any of the covered transactions transmitted in electronic form?

“Electronic form” includes:

  • Internet

  • Extranet

  • Leased lines, dial-up lines, private networks

  • Magnetic tape, disk, or CD media that are physically moved from one location to another

You Are A Covered Entity If:

  • You furnish, bill, or receive payment for health care

  • You conduct covered transactions AND

  • You transmit covered transactions in electronic form

    AND if your attorney says so!

Determine Legal Entity

  • Single provider

  • Affiliated Covered Entities (ACEs)- made up of several CEs that are under common ownership or control

  • Organized Health Care Arrangement (OHCA)- a setting with multiple providers

  • Hybrid- single legal entity whose covered functions are NOT its primary functions. Example: an academic institution with a medical center

    Consult your attorney

Hybrid Entity

  • Isolated activities involve Protected Health Information (PHI)

  • Must identify those components

  • Responsible for compliance in those areas

  • Must protect from improper use/disclosure of PHI

Requirements of the CE

  • Adopt and implement privacy procedures

  • Train employees so that they understand the procedures

  • Designate a privacy officer to see that procedures are adopted and followed

  • Secure patient records from unauthorized use

  • Account for disclosures

Requirements of the CE

Notice of Privacy Practices (NPP)

  • Fundamental new right to be informed of privacy rights and practices of covered health plans and providers

NPP includes:

  • How PHI is used and disclosed

  • Individual’s rights regarding PHI with complaint process

  • CE’s legal duty with statement that this is required by law

  • Contact person for individual to receive further information

  • NPP can be layered- brief summary with “long” version

  • Effective date

Providing the NPP

  • CE is required to promptly revise and distribute after material changes

  • NPP available to anyone requesting it

  • NPP must be posted in office, website, etc

  • CE must provide NPP to patient no later than first date of service

  • CE must make good faith effort to get written receipt of NPP

  • Acknowledgment of receipt can be combined with consent form

Other Requirements of the CE

  • Adopt and implement privacy procedures for its practice

  • Train employees so that they understand the procedures

  • Designate a privacy officer to see that procedures are adopted and followed

  • Secure patient records from unauthorized use

Consent and Notice

  • Consent for routine health care purposes is now optional

  • This is due to the strengthened NPP and thus eliminates a barrier to treatment

  • Other consent requirements may be in effect, i.e., State law

Authorization

Must include these core elements:

  • Information to be used or disclosed

  • Persons authorized to make the use or disclosure

  • Persons authorized to receive PHI

  • Purpose of the use or disclosure

  • Expiration date

  • Patient’s signature and date

  • Personal representative authority

Authorization

Must include the following notification statements:

  • Individual may revoke authorization in writing with instructions

  • Treatment and payment may not be conditioned on obtaining authorization or

  • If conditioning is permitted, consequences of refusing to sign authorization

  • Potential for the PHI to be redisclosed by the recipient

Authorization

Authorization can be mandated under “condition to participate”

Revocation would disqualify participant

Family Educational Rights and Privacy Act (FERPA) takes precedence over HIPAA

Privacy Rule defers to State law for <18 y.o.

Uses and Disclosures for Treatment, Payment, and Health Care Operations (TPO)

  • Permits this use and disclosure of PHI without authorization

  • CE may disclose PHI for treatment purposes to providers who are not a CE

Minimum Necessary

  • A CE must develop policies and procedures that limit its disclosures for payment and health care operations to the minimum necessary

  • Identify who needs access to PHI within the CE for job duties

  • This does not apply when PHI is disclosed for treatment purposes

Incidental Uses and Disclosures

  • Permissible as long as there are reasonable safeguards and minimum necessary standards

  • Avoid discussing PHI in elevators and hallways

  • Be aware of others in public places, i.e., waiting rooms

  • Secure file cabinets or records rooms

  • Use passwords for computers

Media Issues

  • Establish policy- consider implications

  • Determine procedure for authorizations

  • HIPAA or FERPA compliance

  • Per injury basis or blanket for season

  • Right to refuse- consequences

  • “Open Records” request- drug test results

Business Associates

A person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity


claims processing, data analysis, utilization review, quality assurance, billing, benefit management

See: OCR Guidance Manual for details

Security Rule

  • Linked to Privacy Rule requirements

  • Internal & External Safeguards

  • E-mail encryption

  • Formatting claim forms

  • Research issues

Research

  • A covered entity may use or disclose PHI for research purposes once it has been de-identified regardless of provisions

  • The Common Rule and FDA human subject protection regulations apply

  • Allowed with individual authorization

Research

Allowed without authorization under limited circumstances:

  • IRB/Privacy Board approval

  • Preparatory to research

  • Research on PHI of decedents

  • Limited data sets with a data use agreement

    See: OCR Guidance Manual for details

Transaction Rule

Standardize procedure codes and electronic billing format

Standard electronic transactions include:

  • claims

  • referrals

  • eligibility inquiries & responses

  • claim status inquiries & responses

  • remittance advices

National Provider Identification Numbers (NPI)

  • Use in standard electronic transactions

  • Replaces Health Care Provider Identifiers

  • Most health plans, Medicare, and private insurers must accept NPI by 5/23/07

How to get an NPI

  • National Plan and Provider Enumeration System (NPPES) 1-800-465-3203

  • Providers may apply online at:

  • Need only one NPI for all health plans

NPI On-line Application

  • Entity type: Type 1 for individual provider

  • Taxonomy: Type 22 Respiratory, Rehabilitative & Restorative Service Providers

  • Classification: 2255A2300X- Specialist/Technologist- Athletic Trainer

  • Provide State License Number

The Family Educational Rights and Privacy Act (FERPA)

  • Federal law that protects the privacy of student education records

  • For all schools that receive federal funds

  • Gives parents certain rights with respect to their children’s education records

The Family Educational Rights and Privacy Act (FERPA)

  • Generally, schools must have written permission in order to release any information from a student’s education record

  • These rights transfer to the student when he/she reaches the age of 18 or attends post-secondary school

  • Must notify parents & eligible students annually

FERPA Disclosure without consent

  • To school officials with legitimate educational interests

  • School official: a person employed by the School …including health or medical staff; a person or company with whom the School has contracted to perform a special task, such as medical consultant or therapist…

FERPA

S.1232g.(4)(B) “Education record” does not include:

(iv) Records on an eligible student which are made by a physician, or other recognized professional and used only for treatment of that student and are not available to anyone other than persons providing such treatment …

FERPA Written Consent for education records

  • Records to be released

  • Reasons for such release

  • To Whom

  • A copy to parents and student if desired by parents

References & Resources

  • Decision Tools, Privacy Policy Guidance, and PHI Regulation Text:

  • EDUCAUSE (targets higher ed):

  • HIPAA Guidelines for Academic Medical Centers:

  • Other links: &

  • NATA updates:

References & Resources

  • Guidelines for Academic Medical Centers:

  • Sample forms (repository):

  • FERPA:

  • To create news alerts for HIPAA, FERPA, etc:

Discussion