1

Medicolegal Issues and the Pharmacy

Chapter 2

© 2010 The McGraw-Hill Companies, Inc. All rights reserved.

Chapter 2 2

Key Terms

• Abuse• Audit• Authorization• Business associate• Centers for Medicare and Medicaid Services (CMS)• Clearinghouses

• Code set• Compliance plans• Corporate integrity agreement• Covered entities• Current Procedural Terminology (CPT)• De-identified health information

Chapter 2 3

Key Terms (Continued)

• Designated record set (DRS)• Encryption• Fraud• Health care Common Procedure Coding System (HCPCS)

• Health Care Fraud and Abuse Control Program• Health Insurance Portability and Accountability Act (HIPAA) of 1996

Chapter 2 4

Key Terms (Continued)

• HIPAA Electronic Health Care Transactions and Code Sets (TCS)• HIPAA National Identifiers• HIPAA Privacy Rule• HIPAA Security Rule

• ICD-9-CM• Medical records• Minimum necessary standard• National Provider Identifier (NPI)• NCPDP Provider Identification Number• Notice of Privacy Practices (NPP)

Chapter 2 5

Key Terms (Continued)

• Office for Civil Rights (OCR)• Office of the Inspector General (OIG)• Password• Protected Health Information (PHI)• Qui tam

• Relator• Respondeat superior• Subpoena• Subpoena duces tecum• Transaction• Treatment, payment, and health care operations (TPO)

Chapter 2 6

Healthcare Regulation

• Both federal and state governments pass laws affecting the medical services offered to patients to protect their health

• Laws are also passed to protect the privacy of their health information and practices relating to this matter

• Pharmacy technicians must correctly handle patient’s health information

Chapter 2 7

Healthcare Regulation (Cont.)

• Federal Regulation• The Centers for Medicare and

Medicaid Services (CMS) is the federal agency that regulates health care, and performs many functions:

• Regulating laboratory testing• Preventing discrimination• Researching effectiveness• Evaluating health care quality

Chapter 2 8

Healthcare Regulation (Cont.)

• State Regulation• States are major regulators of the

health care industry• Insurance companies must have a

license• States may govern health care pricing,

policies, and situations in which coverage has been cancelled

Chapter 2 9

Pharmacy Records

• Patients’ medical records are stored in the pharmacy practice

• Patients control the amount and type of information that is released, excellent for legitimate pharmacy business uses

• Pharmacy insurance technician specialists handle request for information and must know what information can legally be shared with what entities

Chapter 2 10

Pharmacy Records (Cont.)

• HIPAA's Administrative Simplification Provisions:

• HIPAA Privacy Rule - covers patients’ health information

• HIPAA Security Rule – states the requirements to protect patients’ health information

• HIPAA Electronic Transaction and Code Sets Standards – regulates transactions, code sets, and identifiers

Chapter 2 11

Complying With HIPAA

• Covered entities are health care organizations required by law to obey HIPAA regulations

• Health plans – provider/payer of medical care and pharmacy benefits

• Health care clearinghouses – help providers with electronic transactions

• Health care providers - people or organizations that furnish, bill, or are paid for health care

Chapter 2 12

Complying With HIPAA (Cont.)

• Business Associates• Through agreements with their

business associates, covered entities must perform their work as required by HIPAA

• Includes law firms, accountants, information technology contractors, transcription companies, compliance consultants, and collection agencies

Chapter 2 13

HIPAA Privacy Rule

• First comprehensive federal protection for the privacy of health information

• The rule states covered entities must:• Have a set of privacy practices• Notify patients about their rights• Train employees to know the policies• Appoint a privacy official• Safeguard patients’ records

Chapter 2 14

Disclosure For TPO

• Patients’ PHI may be distributed for treatment, payment, and health care operations

• Treatment - providing and coordinating the patient’s medical care

• Payment - exchange of information with health plans

• Health care operations - general business management functions

Chapter 2 15

Minimum Necessary Standard

• Refers to taking reasonable safeguards to protect PHI from incidental disclosure

• Only the information the recipient needs to know is given

• Necessary faxing/e-mailing between physicians

• Patients’ family member picks up pharmacy supplies and a prescription

Chapter 2 16

Designated Record Set

• Refers to the medication and billing records the pharmacy maintains, within which patients have the right to:

• Access, copy, and inspect their PHI• Request amendments to their PHI• Obtain accounting of most disclosures• Receive pharmacy communications

from other means (i.e. Braille)• Make legitimate complaints

Chapter 2 17

Notice of Privacy Practices

• Covered entities must give each patient a notice of privacy practice at the first contact or encounter

• Document must also be clearly posted in the pharmacy

• Explains how patients’ PHI may be used and describes their rights

Chapter 2 18

Authorizations

• To release information for use other than for TPO, the covered entity must have the patient sign an authorization

• Information about substance abuse, STDs or HIV, and behavioral/mental health services may not be released without an authorization from the patient

• Authorizations contain all valid information and must follow set rules

Chapter 2 19

Requests for Information Other Than for TPO

• There are some exceptions for releases:• Court Orders – PHI may be released

for a judicial order, such as a subpoena• Workers’ Compensation Cases - state

law may provide for release of records to employers

• Statutory Reports – released to state health or social services departments

• Research Data – approved researchers

Chapter 2 20

De-identified Health Information

• There are no restrictions on the use or disclosure of de-identified health information

• This information neither identifies nor provides a reasonable basis to identify an individual

• Specific patient identifiers (names, record numbers, etc.) must be removed

Chapter 2 21

State Statutes

• Some state statutes are more stringent than HIPAA specifications

• State statutes may differ from HIPAA in some areas:

• Designated record set• Psychotherapy notes• Rights of inmates• Information complied for civil,

criminal, or administrative court cases

Chapter 2 22

HIPAA Security Rule

• Requires covered entities to establish safeguards to protect PHI

• Specifies how to guard data on computers and PC networks, the Internet, and storage disks

• Security measures rely on encryption, the process of encoding information in such a way that only the person (or computer) with the key can decode it

Chapter 2 23

Security Measures

• A number of other security measures help enforce the HIPAA Security Rule:

• Access control, passwords, and log files to keep intruders out

• Backups to replace items after damage• Security policies to handle violations

that do occur

Chapter 2 24

Access Control, Passwords, and Log Files

• Role-based access limits access so that only people who need information can see it

• Users must enter a user ID and a password to access information

• Passwords must be carefully selected• Words, sequences, or ID numbers

should not be used• Numbers and symbols are effective• They should be changed periodically

Chapter 2 25

Other Security Measures

• Backups - information should be backed up, which is the activity of copying files to another medium so that they will be preserved in case the originals are no longer available

• Security Policies - pharmacies have security policies that inform employees about their responsibilities for protecting electronically stored information

Chapter 2 26

Standard Code Sets

• A code set is any group of codes used for encoding data elements

• There are several relevant code sets:• ICD-9-CM – used for diagnoses• Current Procedural Terminology data

set –physician procedures and services• Healthcare Common Procedure Coding

System – reporting supplies, devices, and durable medical equipment

Chapter 2 27

HIPAA National Identifiers

• An identifiers is a unique number of predetermined length and structure

• HIPAA National Identifiers are for:• Employers• Health care providers• Health plans• Patients

Chapter 2 28

National Provider Identifier (NPI)

• The standard for the identification of providers when filing claims and other transactions

• Consists of nine numbers and a check digit

• Assigned by the federal government to individual providers

• Note that the NPI does not replace the NCPDP Provider Identification Number

Chapter 2 29

Other Legislation Affecting Pharmacy

• Medicare Prescription Drug Improvement and Modernization Act of 2003 (MMA)

• Provided seniors and individuals with disabilities access to prescription drug plans, with more choices, and better benefits under Medicare

• E-prescribing – enables physicians to send more efficient claims electronically

• Electronic health record – enables easily accessible PHI for multiple physicians

Chapter 2 30

Other Legislation Affecting Pharmacy (Cont.)

• Freedom of Choice• Pharmacy law that focuses on the plan

member and the pharmacy or pharmacist

• Allows the member to select a pharmacy of choice

• Patient cannot be financially penalized for obtaining benefits at a nonparticipating provider

Chapter 2 31

Other Legislation Affecting Pharmacy (Cont.)

• Prescription Drug Equity Act of 1997• Prohibits a prescription drug plan from

providing mail order coverage without also providing non-mail order prescription benefits

• Allows the patient to obtain benefits from a participating community pharmacy, not just through mail order

Chapter 2 32

Other Legislation Affecting Pharmacy (Cont.)

• Antitrust/Exclusive Pharmacy Contracts• Exclusive contracts exist when a

pharmacy in a particular area contracts with a benefit plan to be the only provider for plan members

• Must not violate antitrust laws in order to be legal

Chapter 2 33

Fraud and Abuse Regulations

• The Health Care Fraud and Abuse Control Program

• Created by HIPAA to uncover and prosecute fraud and abuse

• The HHS Office of the Inspector General (OIG) has the task of detecting health care fraud and abuse and enforcing all related laws

Chapter 2 34

Fraud and Abuse Regulations (Cont.)

• The federal False Claims Act (FCA)• Prohibits submitting a fraudulent claim

or making a false statement or representation in connection with one

• Encourages reporting suspected fraud and abuse against the government by protecting people against employer retaliation

Chapter 2 35

Fraud and Abuse Regulations (Cont.)

• Additional laws relating to health care exist to help control fraud and abuse

• Antikickback statutes• Self-referral prohibitions• The Sarbanes-Oxley Act of 2002• State laws

Chapter 2 36

Definition of Fraud and Abuse

• Fraud is an act of deception used to take advantage of another person

• Fraudulent acts are intentional; the individual expects an illegal or unauthorized benefit to result

• In federal law, abuse means an action that misuses money that the government has allocated

• May include billing for services that were not medically necessary

Chapter 2 37

Examples of Fraudulent and Abusive Acts

• The stealing of prescription pads• Patients altering a prescription• Drug abusers giving incorrect phone

numbers to represent physicians• Intentionally billing for services that were

not performed or documented• Reporting services at a higher level than

was carried out

Chapter 2 38

Enforcement and Penalties

• HIPAA privacy regulations are enforced by the Office for Civil Rights (OCR)

• Covered entities must comply and give the OCR access to its facilities, books, records, and systems for investigations

• The Office of the Inspector General (OIG) enforces rules relating to fraud and abuse

• OIG has the authority to investigate suspected fraud cases and to audit the records of providers and payers

Chapter 2 39

Compliance Plans

• Pharmacy practices must be sure that all staff members follow billing rules

• A compliance plans sets up the steps needed to:

• Audit and monitor compliance• Have consistent policies and procedures• Provide ongoing staff training and

communication• Respond to and correct errors

Chapter 2 40

Compliance Plans (Cont.)

• Goals of Compliance Plans• Prevent fraud and abuse• Ensure compliance with all laws• Help defend the practice if investigated

or prosecuted for fraud• Compliance plans demonstrate to outside

investigators that the practice has made honest, ongoing attempts to find and fix weak areas

Chapter 2 41

Compliance Plans (Cont.)

Seven Components of Compliance Plans:1. Consistent written policies and procedures2. Appointment of a compliance officer and

committee3. Training4. Communication5. Disciplinary systems6. Auditing and monitoring7. Responding to and correcting errors