HIPPA COMPLIANCE

What is HIPAA Compliance?

HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.

This includes covered entities (CE), anyone who provides treatment, payment and operations in healthcare, and business associates (BA), anyone with access to patient information and provides support in treatment, payment or operations. Subcontractors, or business associates of business associates, must also be in compliance.

The HIPAA Privacy Rule addresses the saving, accessing and sharing of medical and personal information of any individual, while the HIPAA Security Rule more specifically outlines national security standards to protect health data created, received, maintained or transmitted electronically, also known as electronic protected health information (ePHI).

If you are hosting your data with a HIPAA compliant hosting provider, they must have certain administrative, physical and technical safeguards in place, according to the U.S. Department of Health and Human Services. The physical and technical safeguards are most relevant to services provided by your HIPAA compliant host as listed below, with detail on what constitutes a HIPAA compliant data center.

• Physical safeguards include limited facility access and control, with authorized access in place. All covered entities, or companies that must be HIPAA compliant, must have policies about use and access to workstations and electronic media. This includes transferring, removing, disposing and re-using electronic media and electronic protected health information (ePHI).

• Technical safeguards require access control to allow only the authorized to access electronic protected health data. Access control includes using unique user IDs, an emergency access procedure, automatic log off and encryption and decryption.

• Audit reports, or tracking logs, must be implemented to keep records of activity on hardware and software. This is especially useful to pinpoint the source or cause of any security violations.

• Technical policies should also cover integrity controls, or measures put in place to confirm that ePHI hasn’t been altered or destroyed. IT disaster recovery and offsite backup are key to ensure that any electronic media errors or failures can be quickly remedied and patient health information can be recovered accurately and intact.

• Network, or transmission, security is the last technical safeguard required of HIPAA compliant hosts to protect against unauthorized public access of ePHI. This concerns all methods of transmitting data, whether it be email, Internet, or even over a private network, such as a private cloud.

============================================================

Physical Security

Physical security is a basic but critical layer of security your hosting provider must hold to the highest standards in order to lower your organization's risk, meet compliance standards, and prevent unauthorized access to IT infrastructure.

The physical security of our data centers is only one measure of safeguards independently audited on an ongoing basis with annual reporting to verify we have successfully implemented strong access control measures to protect our infrastructure. Physical security means only authorized personnel should have limited access to locked server racks, suites and cages.

All of our cloud hosting data centers require two-factor authentication for building access, including keycard logging and biometric identification. All visitors are required to sign in, wear badges, and follow proprietary security procedures. Our environmental controls include 24/7 monitoring, logged surveillance cameras, and multiple alarm systems. In addition, we make it a priority to know our clients and to inquire if we see a new face. It's good business, and good security.

Technical Security

Technical security, such as encryption, two-factor authentication, and intrusion protection is a core safeguard of sensitive data. It's important the application of security technologies falls within the context of a strategic approach that includes administrative and physical safeguards. Technical safeguards are not one size fits all. We will work with you to fit the right combination of security technologies to suit your tolerance for risk, compliance obligations, and resource demands.

The technical safeguards below are all included in our security packages to comply with PCI DSS standards and are a great addition to lower your risk of data loss if you need to follow HIPPA, SOC 2, or Safe Harbor guidelines.

Administrative Security

Administrative security includes our independent annual audits, hiring policies, staff training, and back-office processes that protect sensitive data. Equally important as ensuring the physical and technical security of your data environment, administrative security addresses the business-facing concerns of partnering with a third-party hosting provider.

If you collect, store or process credit cardholder data, you are required to meet PCI DSS compliance. With PCI, you are required to ensure third-party/service providers that may have an impact on the security of the cardholder data environment are able to meet compliance standards.

If you collect, store, or process patient health data, you are required to meet HIPAA compliance. With HIPAA, you are required to comply with the administrative safeguards within the HIPAA Security Standards that apply to:

• The size, complexity, and capabilities of the covered entity
• The covered entity's technical infrastructure, hardware, and software security capabilities
• The costs of security measures
• The probability and criticality of potential risks to ePHI

We can provide the administrative security you need in the form of contractual requirements and staff training as well as documented policies, procedures, and independent audit reports to lower your organization's risk of outsourcing its IT infrastructure needs.

Your Complete Security Toolkit

Protecting sensitive information and mission-critical applications is an essential and ongoing effort requiring coordinated partnership and a proactive approach to reducing risk by all parties.

We employ a defensive, in-depth approach to security with safeguards that encompass all of our people, processes, and technologies. We assess our security monitoring, capabilities, and responses on an ongoing basis to ensure we are keeping up with the evolving cybersecurity landscape. We proactively turn away prospects who request resources consistent with spamming or other unethical activities and work with clients with sensitive data to make sure they are taking adequate security precautions. Our choice of architecture includes technologies such as default encryption in our cloud and offsite backup and recovery solutions. This is consistent with our culture of compliance to keep data safe, secure, and private.

CURRENT PROCEDURE TERMINOLOGY (CPT)

Current Procedural Terminology (CPT) is a medical code set that is used to report medical, surgical, and diagnostic procedures and services to entities such as physicians, health insurance companies and accreditation organizations. CPT codes are used in conjunction with ICD-10-CM numerical diagnostic coding during the electronic medical billing process.

There are three types of CPT codes: Category 1, Category 2 and Category 3. The current version of the CPT codes is known as CPT 2018. CPT is a registered trademark of the American Medical Association (AMA).

There are approximately 7,800 CPT codes ranging from 00100 through 99499.  Two digit modifiers may be appended when appropriate to clarify or modify the description of the procedure.

It is published in two versions – the first is the most common, CPT Physician’s Current Procedural Terminology. A second publication is also available – the CPT Physician’s Current Procedural Terminology Specially Annotated for Hospitals. The Hospital version contains all the information in the original version with the addition of special Medicare guidelines and notations for identifying criteria applicable to outpatient hospital billing.

The rules for assigning the appropriate code are complex, and so we advise individuals who are determining the appropriate codes receive the proper training and credentials.  This would include any office or clinic personnel who play a significant role in coding.

Category 1: Procedures and contemporary medical practices

Category 1 covers procedures and contemporary medical practices that are widely performed. Category 1 is the sections coders usually identify with when talking about CPT and are five-digit numeric codes that identify a procedure or service that is approved by FDA, performed by healthcare professionals nationwide, and is proven and documented.

Category 1 codes are broken down into six sections:

•          Evaluation and management

•          Anesthesiology

•          Surgery

•          Radiology

•          Pathology and laboratory

•          Medicine

Category 2: Clinical Laboratory Services

The Category 2 CPT medical code set consists of the supplementary tracking codes that are used for performance measures and are intended to help collect information about the quality of care delivered. The use of this medical code set is optional and is not a substitute for Category 1 codes.

Category 3: Emerging technologies, services and procedures

The Category 3 CPT code list consists of temporary codes that cover emerging technologies, services and procedures. They differ from the Category 1 medical CPT codes list in that they identify services that may not be widely performed by healthcare professionals, may not have FDA approval, and also may not have proven clinical efficacy. To be eligible, the service or procedure must be involved in ongoing and planned research. The purpose of these CPT codes is to help researchers track emerging technologies and services.

BODY POSITIONS

o    Anatomic position

standing erect, facing forward, arms at sides, palms forward, legs parallel, and toes pointed forward 

o    Decubitus position

lying down, specifically according to the part of the body resting on a flat surface, as in left or right lateral decubitus, or dorsal or ventral decubitus.

o    Dorsal recumbent position

on back, with legs bent and separated, feet flat

o    Fowler position

on back, head of bed raised about 18 inches and knees elevated

o    Knee-chest position

on knees, head and upper chest on table, arms crossed above head

o    Left lateral recumbent position

on left side, right leg drawn up

o    Lithotomy position

on back, legs flexed on abdomen, thighs apart

o    Prone

lying face down

o    Sims positon

on left side, right leg drawn up high and forward, left arm along back, and chest forward resting on bed

o    Supine

lying face up

o      Trendelenburg position

on back with head lowered by tilting bed back at 45 degree angle

ANATOMICAL DIRECTIONS

o      anterior (ventral)

toward the front (belly) of the body

o      posterior (dorsal)

toward the back of the body

o      medial

toward the midline of the body

o      lateral

toward the side of the body

o      proximal

nearer to the point of attachment or to a given reference point

o      distal

farther from the point of attachment or from a given reference point

o      superior

above

o      inferior

below

o      cranial (cephalic)

toward the head

o      caudal

toward the lower end of the spine

o      superficial (external)

close to surface of the body

o      deep (internal)

close to the center of the body

o      frontal plane

also called a coronal plane, is made at right angles to the midline and divides the body into anterior and posterior parts

o      sagittal plane

passes from front to back and divides the body into right and left portions, if the plane passes throught the midline, it is a mid-sagittal or medial plane

o      transverse plane

passes horizontally dividing the body into superior and inferior parts

MEDICAL TERMINOLOGY

Click here for common used terminology

Health care professionals and students are not the only one's who greatly benefit from knowing medical terminology. When any individual visits doctor's office or have the need to go to the hospital, he/she always hears some form of medical terminology. Whether they are referring to a test, diagnosis, part of your body or the need to see a specialist. 

         For the health care professional, it's imperative to know the medical terminology. Medical terminology can contain a prefix, root word, a combining vowel and a suffix to create medical terms. These terms can contain multiple root words, combining vowels etc. It is must to be very precise when dictating a term; if someone misuses a letter or word, he/she will be changing the term, which could lead to unnecessary tests, appointments and treatment or an incorrect diagnosis of a patient.

Prefix: A prefix is placed at the beginning of a word to modify or change its meaning. Pre means "before." Prefixes may also indicate a location, number, or time. 

Root: central part of a word.      

Suffix:  The ending part of a word that modifies the meaning of the word.

--------------------------------------------------------------------------------------------------------------------------

Singular versus plural rules:

Rule one:

Terms that end in "a", for plural add an "e". Example: vertebra (singular), vertebrae (plural).

Rule Two:

Terms that end in "is", for plural change it to "es". Example: diagnosis (singular), diagnoses (plural)

Rule Three:

Terms that end in "ex" or "ix" for plural replace with "ices". Example: cervix (singular), cervices (plural)

Rule Four:

Terms that end in "on" for plural replace it with "a". Example: criterion (singular), criteria (plural)

Rule Five:

Terms that end in "um" for plural replace it with "a". Example: bacterium (singular), bacteria (plural)

Rule Six:

Terms that end in "us" for plural replace it with "i". Example: bronchus (singular), bronchi (plural)

Rule Seven:

Terms that end in "itis" for plural replace it with "itides". Example: arthritis (singular), arthritides (plural)

Rule Eight:

Terms that end in "nx" for plural replace it with "nges". Example: phalanx (singular), phalanges (plural)

Rule Nine:

Terms that end in "y" for plural replace it with "ies". Example: therapy (singular), therapies (plural)

Rule Ten:

Terms that end in "x" for plural replace it with "ces". Example: thorax (singular), thoraces (plural)

-------------------------------------------------------------------------------------

CLASSIFICATION IN ICD-10-CM

Range	Topic
A00-B99	Certain infections and parasitic diseases
C00-D49	Neoplasms
D50-D89	Diseases of the blood and blood-forming organs and certain disorders involving the immune mechanism
E00-E89	Endocrine, nutritional and metabolic diseases
F01-F99	Mental, Behavioral and Neurodevelopmental disorders
G00-G99	Diseases of the nervous system
H00-H59	Diseases of the eye and adnexa
H60-H95	Diseases of the ear and mastoid process
I00-I99	Diseases of the circulatory system
J00-J99	Diseases of the respiratory system
K00-K95	Diseases of the digestive system
L00-L99	Diseases of the skin and subcutaneous tissue
M00-M99	Diseases of the musculoskeletal system and connective tissue
N00-N99	Diseases of the genitourinary system
O00- O9A	Pregnancy, childbirth, and puerperium
P00-P96	Certain conditions originating in the perinatal period
Q00-Q99	Congenital malformations, deformations and chromosomal abnormalities
R00-R99	Symptoms, signs, and abnormal clinical laboratory findings, not elsewhere classified
S00-T88	Injury, poisoning, and certain other consequences of external causes
V00-Y99	External causes of morbidity
Z00-Z99	Factors influencing health status and contact with health services

MEDICAL CODING KEY TERMS

There are a number of important terms you’ll want to familiarize yourself with as you learn more about coding. Let’s look at some of these now.

CATEGORY (CPT)

The CPT code set is divided into three Categories. Category I, which is the largest and most commonly used, describes medical procedures, technologies and services. Category II is used for performance management and additional data. Category III houses the codes for emerging and experimental medical procedures and services.

CATEGORY (ICD)

In ICD, the category is the first three characters of the code, which describes the basic manifestation of the injury or sickness. In some cases, the category is all that is needed to accurately describe the condition of the patient, but more often than not the coder must list a more detailed description of the injury or illness (see “Subcategory,” and “Subclassification”). In ICD-10-CM, all categories are alphanumeric.

CLINICAL MODIFICATION

This designation, created by the National Centre for Health Statistics, is added to the ICD codes sets when they are implemented in the United States. Many countries expand and clarify ICD code sets for their national use; the US, for example, expanded ICD-10 from 14,000 codes to over 68,000 individual codes. This term is abbreviated “-CM” and is added to the end of the ICD code title. For instance, ICD-10-CM can be read “International Classification of Diseases, Tenth Revision, Clinical Modification.

WHO

The World Health Organization. This international body, which is an agency of the United Nations, oversees the creation of ICD codes and is one of the most important organizations in international health.

CMS

The Center for Medicare and Medicaid Services. This federal agency updates and maintains the HCPCS code set and is one of the most important organizations in healthcare today.

NCHS

The National Center for Health Statistics. The NCHS is a government agency that tracks health information, and is responsible for creating and publishing both the clinical modifications to ICD codes and their annual updates.

CPT

Current Procedural Terminology. Published, copyrighted, and maintained by the American Medical Association, CPT is a large set of codes that describe what procedure or service was performed on a patient. This code is divided into three Categories, with the first Category being the most important and widely used. CPT codes are an integral part of the reimbursement process. These codes are five characters long and may be numeric or alphanumeric.

HCPCS

Healthcare Common Procedure Coding System, pronounced Hick-Picks. This is main procedural code set for reporting procedures to Medicare, Medicaid, and a large number of other third-party payers. Maintained by CMS (See “CMS”), HCPCS is divided into two levels. Level I is identical to CPT, and is used in the same way. Level II describes the equipment, medication, and out-patient services not included in CPT.

MODIFIER

A modifier is a two-character code that is added to a procedure code to demonstrate an important variation that does not, by itself, change the definition of the procedure. CPT codes have numeric modifiers, while HCPCS codes have alphanumeric modifiers. These are added at the end of a code with a hyphen, and may provide information about the procedure itself, that’s procedure’s Medicare eligibility, and a host of other important facets. The CPT modifier -51, for example, notifies the payer that this procedure was one of multiple procedures. The HCPCS modifier –LT, on the other hand, describes a bilateral procedure that was performed only on the left side of the body.

MODIFIER EXEMPT (CPT)

Certain codes in CPT cannot have modifiers added to them. This is a fairly short list that can be found in the appendices of the CPT manual.

TECHNICAL COMPONENT

The portion of a medical procedure that concerns only the technical aspect of the procedure, but not the interpretative, or professional aspect (See “Professional component”). A technical component might include the administration of a chest X-ray, but would not include the assessment of that X-ray for disease or abnormality.

EVALUATION AND MANAGEMENT (CPT)

Evaluation and Management, or E&M, is a section of CPT codes used to describe the assessment of a patient’s health and the management of their care. The codes for visits to doctor’s office and trips to the emergency room, for instance, are included in E&M. E&M is found at the front of the CPT manual, despite being out of numerical order. The codes for E&M are 99201 – 99499.

ICD

The International Classification of Diseases is a set of medical diagnostic codes established over a hundred years ago. Maintained today by the WHO, ICD codes create a universal language for reporting diseases and injury. In the United States, we were using ICD-9-CM, while the rest of the world uses some form of ICD-10. The US too upgraded to ICD-10-CM in 2015. ICD-10-CM codes are alphanumeric. They have a three-character category, which describes the injury or disease, which is typically followed by a decimal point and three-to-four more characters, depending on the code set, which give more information about the manifestation and/or location of the disease.

SUBCATEGORY

In ICD codes, the subcategory describes the digit that comes after the decimal point. This digit further describes the nature of the illness or injury, and gives additional information as to its location or manifestation.

SUBCLASSIFICATION

The subclassification follows the subcategory in ICD codes. The subclassification further expands on the subcategory, and gives additional information about the manifestation, severity, or location of the injury or disease. In ICD-10-CM there is also a subclassification that describes which encounter this is for the doctor—whether this is a first treatment for the ailment, a follow-up, or the assessment of a condition that is the result of a previous injury or disease .

Z-CODES

Z-codes are sections of ICD-10-CM that describe patient visits related to circumstances other than disease or injury. This includes live-born infants, people with risk or disease due to family history, people encountering health services for specific or mandated evaluation or aftercare, and a host of other not easily classifiable situations.