Collegiate Sports Medicine Revenue & Reimbursement Workshop

Collegiate Sports Medicine Revenue & Reimbursement Workshop. HIPAA & FERPA Considerations. January 4-7, 2006. Keith Webster MA, ATC, University of Kentucky, Chair, NATA Governmental Affairs Committee. HIPAA: Mandates the privacy and security of Protected Health Information (PHI)


HIPAA & FERPA Considerations

January 4-7, 2006

Keith Webster MA, ATC

University of Kentucky

Chair, NATA Governmental Affairs Committee

HIPAA
  • Mandates the privacy and security of Protected Health Information (PHI)
  • Portability of health insurance
  • Simplification of electronic billing
  • Coincides with existing state statutes, need pre-emption analysis
NATA GAC
  • GAC began to address HIPAA in 2001
  • NATA BOD issued response to Privacy modifications in April 2002
  • Contacted HHS in September 2002
  • Meeting held in December 2002 with HHS/OCR
  • GAC, CUATC, SSATC, CIC, and NATA staff attended
Three Major Components
  • Privacy Rule- governs use, access, and protects confidentiality of PHI
  • Security Rule- secures PHI being transmitted electronically, 4/21/05
  • Transaction Rule- standardize procedure codes and electronic billing format
Privacy Rule
  • Protects the privacy of an individual’s health information
  • Governs use and disclosure of PHI
  • Provides patient’s access to their records
  • Patients have control of their records
  • Patients can file complaints about use and disclosure
  • Applies only to Covered Entities
Office of Civil Rights
  • Civil penalties
    • Up to $25,000
  • Criminal penalties
    • Knowing disclosure:
      • $50,000, 1 year imprisonment
    • False pretenses:
      • $100,000, 5 years imprisonment
    • Intent to sell:
      • $250,000, 10 years imprisonment
What is PHI?
  • There are 18 identifiers that constitute Protected Health Information
  • Includes:
    • Name
    • Medical Record #
    • Address
    • Telephone #
    • DOB
    • Fax #
    • SS#
    • Driver’s License #
    • Photographs
    • Email, URL, IP addresses
    • Fingerprints
    • Admit / Discharge Dates
    • Any other unique ID #

Covered Entity

Administrative Simplification Standards:

  • A health care provider who conducts certain transactions electronically
  • A health care clearinghouse
  • A health plan
What is a Covered Entity? As a Health Care Provider:

The following is from the decision support tool found on the website

1. A person, business, or agency that:

  • Furnishes
  • Bills or
  • Receives payment for health care in the normal course of business
What is a Covered Entity?

2. A person, business, or agency that conducts covered transactions, including:

  • Request to obtain payment from provider to a health plan for health care or;
  • In the absence of a direct claim, transmission of encounter information for reporting health care
More Covered Transactions
  • Checking on eligibility to receive care under the health plan
  • Coverage and benefits under the plan
  • Request to obtain authorization for referring someone to another provider
  • Inquiry/ response about status of a claim
Still More Covered Transactions
  • Transmission of payment, info about transfer of funds, payment processing info
  • Transmission of EOB’s
  • Coordination of benefits transaction is the transmission from any entity to a plan to determine payment responsibilities of the plan
What is a Covered Entity?

3. Are any of the covered transactions transmitted in electronic form?

“Electronic form” includes:

  • Internet
  • Extranet
  • Leased lines, dial-up lines, private networks
  • Magnetic tape, disk, or CD media that are physically moved from one location to another
You Are A Covered Entity If:
  • You furnish, bill, or receive payment for health care
  • You conduct covered transactions AND
  • You transmit covered transactions in electronic form

AND if your attorney says so!

Determine Legal Entity
  • Single provider
  • Affiliated Covered Entities (ACEs): made up of several CEs that are under common ownership or control
  • Organized Health Care Arrangement (OHCA): a setting with multiple providers
  • Hybrid: a single legal entity whose covered functions are NOT its primary functions. Example: an academic institution with a medical center

Consult your attorney

Hybrid Entity
  • Isolated activities involve Protected Health Information (PHI)
  • Must identify those components
  • Responsible for compliance in those areas
  • Must protect from improper use/disclosure of PHI
Requirements of the CE
  • Adopt and implement privacy procedures
  • Train employees so that they understand the procedures
  • Designate a privacy officer to see that procedures are adopted and followed
  • Secure patient records from unauthorized use
  • Account for disclosures
Requirements of the CE

Notice of Privacy Practices (NPP)

  • Fundamental new right to be informed of privacy rights and practices of covered health plans and providers
NPP includes:
  • How PHI is used and disclosed
  • Individual’s rights regarding PHI with complaint process
  • CE’s legal duty with statement that this is required by law
  • Contact person for individual to receive further information
  • NPP can be layered- brief summary with “long” version
  • Effective date
Providing the NPP
  • CE is required to promptly revise and distribute after material changes
  • NPP available to anyone requesting it
  • NPP must be posted in office, website, etc
  • CE must provide NPP to patient no later than first date of service
  • CE must make good faith effort to get written receipt of NPP
  • Acknowledgment of receipt can be combined with consent form
Other Requirements of the CE
  • Adopt and implement privacy procedures for its practice
  • Train employees so that they understand the procedures
  • Designate a privacy officer to see that procedures are adopted and followed
  • Secure patient records from unauthorized use
Consent and Notice
  • Consent for routine health care purposes is now optional
  • This is due to the strengthened NPP, and it eliminates a barrier to treatment
  • Other consent requirements may be in effect, i.e. State law

Must include these core elements:

  • Information to be used or disclosed
  • Persons authorized to make the use or disclosure
  • Persons authorized to receive PHI
  • Purpose of the use or disclosure
  • Expiration date
  • Patient’s signature and date
  • Personal representative authority

Must include the following notification statements:

  • Individual may revoke authorization in writing with instructions
  • Treatment and payment may not be conditioned on obtaining authorization or
  • If conditioning is permitted, consequences of refusing to sign authorization
  • Potential for the PHI to be redisclosed by the recipient

Authorization can be mandated under “condition to participate”

Revocation would disqualify participant

Family Educational Rights and Privacy Act (FERPA) takes precedence over HIPAA

Privacy Rule defers to State law for <18 y.o.

Uses and Disclosures for Treatment, Payment, and Health Care Operations (TPO)
  • Permits this use and disclosure of PHI without authorization
  • CE may disclose PHI for treatment purposes to providers who are not a CE
Minimum Necessary
  • A CE must develop policies and procedures that limit its disclosures for payment and health care operations to the minimum necessary
  • Identify who needs access to PHI within the CE for job duties
  • This does not apply when PHI is disclosed for treatment purposes
Incidental Uses and Disclosures
  • Permissible as long as there are reasonable safeguards and minimum necessary standards
  • Avoid discussing PHI in elevators and hallways
  • Be aware of others in public places i.e. waiting rooms
  • Secure file cabinets or records rooms
  • Use passwords for computers
Media Issues
  • Establish policy- consider implications
  • Determine procedure for authorizations
  • HIPAA or FERPA compliance
  • Per injury basis or blanket for season
  • Right to refuse- consequences
  • “Open Records” request- drug test results
Business Associates

A person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity


claims processing, data analysis, utilization review, quality assurance, billing, benefit management

See: OCR Guidance Manual for details

Security Rule
  • Linked to Privacy Rule requirements
  • Internal & External Safeguards
  • E-mail encryption
  • Formatting claim forms
  • Research issues
  • A covered entity may use or disclose PHI for research purposes once it has been de-identified regardless of provisions
  • The Common Rule and FDA human subject protection regulations apply
  • Allowed with individual authorization

Allowed without authorization under limited circumstances:

  • IRB/ Privacy Board approval
  • Preparatory to research
  • Research on PHI of decedents
  • Limited data sets with a data use agreement

See: OCR Guidance Manual for details

Transaction Rule

Standardize procedure codes and electronic billing format

Standard electronic transactions include:

  • Claims
  • Referrals
  • Eligibility inquiries & responses
  • Claim status inquiries & responses
  • Remittance advices

National Provider Identification Numbers (NPI)
  • Use in standard electronic transactions
  • Replaces Health Care Provider Identifiers
  • Most health plans, Medicare, and private insurers must accept NPI by 5/23/07
How to get a NPI
  • National Plan and Provider Enumeration System (NPPES) 1-800-465-3203
  • Providers may apply online at:
  • Need only one NPI for all health plans
NPI On-line Application
  • Entity type: Type 1 for individual provider
  • Taxonomy: Type 22 Respiratory, Rehabilitative & Restorative Service Providers
  • Classification: 2255A2300X- Specialist/Technologist- Athletic Trainer
  • Provide State License Number
The Family Educational Rights and Privacy Act (FERPA)
  • Federal law that protects the privacy of student education records
  • For all schools that receive federal funds
  • Gives parents certain rights with respect to their children’s education records
The Family Educational Rights and Privacy Act (FERPA)
  • Generally, schools must have written permission in order to release any information from a student’s education record
  • These rights transfer to the student when he/she reaches the age of 18 or attends post-secondary school
  • Must notify parents & eligible students annually
FERPA: Disclosure without consent
  • To school officials with legitimate educational interests
  • School official: a person employed by the School …including health or medical staff; a person or company with whom the School has contracted to perform a special task, such as medical consultant or therapist…

S.1232g.(4)(B) “Education record” does not include:

(iv) Records on an eligible student which are made by a physician, or other recognized professional and used only for treatment of that student and are not available to anyone other than persons providing such treatment …

FERPA: Written Consent for education records
  • Records to be released
  • Reasons for such release
  • To Whom
  • A copy to parents and student if desired by parents
References & Resources
  • Decision Tools, Privacy Policy Guidance, and PHI Regulation Text:
  • EDUCAUSE (targets higher ed):
  • HIPAA Guidelines for Academic Medical Centers:
  • Other links: &
  • NATA updates:
References & Resources
  • Guidelines for Academic Medical Centers:
  • Sample forms (repository):
  • FERPA:
  • To create news alerts for HIPAA, FERPA, etc: