Healthcare Regulations

A. Health Information Portability and Accountability Act (HIPAA) of 1996

1. Titles (there are only two)

Title I: protects workers and their families from loss of coverage when they change or lose their job

Title II: The Administrative Simplification (AS) provisions require establishment of national standards

2. Goals

  • Records portability
  • Reduce waste, fraud and abuse
  • Reduce costs
  • Protect patient privacy

3. Requirements

  • Backup and restore P&P (policies and procedures)
  • Offsite backup with a provider, including an SLA covering rates, scope and minimum standards

4. The Privacy Rule requires accounting of all disclosures of PHI by Covered Entities (CEs):

  • Providers
  • Health plans
  • Clearinghouses like billing operations
  • Business Associates (BA), which require a Business Associate Agreement (BAA)

Individually identifiable health information created by a CE or a BA is Protected Health Information (PHI):

  • Past, present or future
  • Mental and physical
  • Payment information
  • Provision information
  • As long as retained by provider
  • Even after death

Deidentified Information

Must be certified by statistician or expert

May be deidentified by an “encoder” program

18 key identifiers removed

Birth Date ONLY removed if patients are 90 or older!
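As an added example, not part of these notes, the Safe Harbor approach applied to a constructed record: direct identifiers are dropped, dates keep only their year, ZIP codes keep three digits, free-text notes get a pattern scrub, and a patient over 89 is reported as "90+" with no birth year at all. The record layout, field names and the restricted-ZIP set are assumptions, not a real schema or the HHS table.

```python
import re
from datetime import date

# Assumed record layout: these field names are illustrative, not a real schema.
DROP_FIELDS = {"name", "street", "phone", "fax", "email", "ssn", "mrn",
               "account_no", "license_no", "device_serial", "vehicle_id",
               "url", "ip", "biometric", "photo"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
# Constructed stand-in for the HHS list of sparsely populated 3-digit ZIP
# prefixes that must be reported as "000"; the real table is not reproduced.
RESTRICTED_ZIP3 = {"036", "059"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def age_on(dob_iso: str, ref_iso: str) -> int:
    """Whole years of age on the reference date (both ISO yyyy-mm-dd strings)."""
    dob, ref = date.fromisoformat(dob_iso), date.fromisoformat(ref_iso)
    return ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))


def generalise_zip(zip5: str) -> str:
    z3 = zip5[:3]
    return "000" if z3 in RESTRICTED_ZIP3 else z3


def scrub_text(text: str) -> str:
    """Pattern scrub of free text; a human review still has to follow."""
    text = SSN_RE.sub("[SSN]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    return EMAIL_RE.sub("[EMAIL]", text)


def deidentify(rec: dict, ref_iso: str) -> dict:
    age = age_on(rec["dob"], ref_iso)
    over_89 = age > 89
    out = {"age": "90+" if over_89 else age}     # ages over 89 are one bucket
    for key, val in rec.items():
        if key in DROP_FIELDS:
            continue                               # direct identifiers never leave
        if key in DATE_FIELDS:
            if key == "dob" and over_89:
                continue                           # even the birth year reveals age > 89
            out[key] = date.fromisoformat(val).year  # keep the year only
        elif key == "zip":
            out[key] = generalise_zip(val)
        elif key == "notes":
            out[key] = scrub_text(val)
        else:
            out[key] = val
    return out


# Constructed sample record; every value is invented.
SAMPLE = {
    "name": "Jane Example", "mrn": "MRN-000123", "ssn": "123-45-6789",
    "dob": "1922-03-01", "zip": "03601", "admit_date": "2014-04-14",
    "diagnosis": "I10",
    "notes": "Call 555-123-4567 or jane@example.org re SSN 123-45-6789.",
}


def demo() -> dict:
    return deidentify(SAMPLE, "2014-04-14")


if __name__ == "__main__":
    print(demo())
```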

Practical Requirements

  • Employee training
  • Privacy P&P
  • Privacy Officer
  • Entities must limit use or disclosure of PHI to the minimum necessary number of people.

Parents and family do NOT have an automatic right to patient records.

Birth parents of a foster child do NOT have a right to patient records.

Family members do NOT have a right to records for custody cases.

Privacy Rule is enforced by the Office for Civil Rights (OCR).

5. The Security Rule mandates technical safeguards and logging of all PHI releases.

Specifies Administrative, Technical and Physical safeguards for HIPAA compliance.

Regulates electronically transmitted or stored information (ePHI).

CEs must ensure officers and employees comply with the Security Rule, usually through training requirements.

Logging was first mandated by this rule.

6. The Identifier Rule mandates that CEs have a National Provider Identifier (NPI).

7. The Transaction and Code Sets Rule regulates electronic data interchange (EDI) formats.

Transactions include all documents, insurance claims, encounter records, insurance enrollment and disenrollment, eligibility documents, payment and remittance records, first reports of injury and coordination of benefits.


B. ARRA – the American Recovery and Reinvestment Act of 2009, overseen by the ONC

1. The HITECH Act requires providers and third parties to comply with HIPAA regulations.

  1. Tougher penalties
  2. Express permission of patient required for disclosure
  3. Sale of PHI limited
  4. Patients can audit records
  5. Encryption required
  6. Requires public notice of breach

Requires records of creation, modification, deletion or printing of anything containing PHI, including emails.

*Business Associates (BAs) now have to comply with the Security Rule the same as CEs.*

HHS must be notified of any data breach of more than 500 patients. (Patients must also be notified?)
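One way to keep the records HITECH and the Privacy Rule's accounting of disclosures call for, as an added example (not from the course or the text): a hash-chained PHI event log that can produce one patient's disclosure list and detect after-the-fact edits to earlier entries. Actions, purposes, user names, patient IDs and timestamps are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64                         # chain anchor for the first entry
TPO = {"treatment", "payment", "operations"}
ACTIONS = {"create", "view", "modify", "delete", "print", "disclose"}


class PhiAuditLog:
    """Append-only, hash-chained record of every event touching PHI."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, when, actor, patient_id, action, purpose, recipient=None):
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        entry = {
            "seq": len(self.entries), "when": when, "actor": actor,
            "patient_id": patient_id, "action": action, "purpose": purpose,
            "recipient": recipient,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self.digest(entry)     # covers prev, so edits ripple forward
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Index of the first entry whose hash or back-link is wrong, else None."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or self.digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return None

    def accounting_of_disclosures(self, patient_id, include_tpo=True):
        """Disclosures of one patient's PHI, the list a covered entity must be
        able to produce. The Privacy Rule exempts TPO disclosures from the
        accounting; pass include_tpo=False to apply that exemption."""
        return [e for e in self.entries
                if e["patient_id"] == patient_id and e["action"] == "disclose"
                and (include_tpo or e["purpose"] not in TPO)]


def build_sample_log() -> PhiAuditLog:
    """Constructed events; names, IDs and timestamps are invented."""
    log = PhiAuditLog()
    log.record("2014-04-14T08:00:00Z", "dr.smith", "P001", "create", "treatment")
    log.record("2014-04-14T09:15:00Z", "billing01", "P001", "disclose", "payment",
               recipient="Example Health Plan")
    log.record("2014-04-15T11:00:00Z", "him.clerk", "P001", "disclose", "public_health",
               recipient="State Health Department")
    log.record("2014-04-15T12:30:00Z", "dr.smith", "P002", "print", "treatment")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify() is None)
    for e in log.accounting_of_disclosures("P001"):
        print(e["when"], e["purpose"], "->", e["recipient"])
```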

HITECH Act Enforcement

Unknowing violations, despite due diligence
$1000 – $25,000/yr/violation. {CONFIRMED}

[CHECK NEW] For reasonable cause,
but not willful neglect,
$1000 – $100,000/yr/violation.

[CHECK NEW] For willful neglect (a civil penalty),
if corrected within 30 days from knowledge of violation,
$10,000 – $250,000/yr/violation.

For willful neglect that goes uncorrected,
$50,000 – $1,500,000/yr/violation
+ up to 1 year in prison.

Obtaining PHI through wrongful conduct that involves false pretenses,
+ up to 5 years in prison.


HIT Regional Extension Centers (RECs) promote HIT

Part IV specifies Medicare and Medicaid incentives for:

  • Prospective payment system (PPS) hospitals, paid based on diagnosis, not costs (a Medicare Part A system)
  • Critical access hospitals (CAHs), which get cost-based reimbursement from Medicare

HITECH and Meaningful Use

  • EHRs must be certified
  • Must be used in a meaningful manner, including electronic prescriptions
  • Must collect and submit quality-measure data
  • Must be used to exchange information to improve the quality of healthcare

Financial Incentives for EHR adoption under HITECH have been diminishing by year:

2012: $18,000

2013: $15,000

2014: $12,000

2015: $8,000

2016: $4,000

C. Code of Federal Regulations (CFR)

Title 21 CFR Part 11

Defines the criteria for electronic records and signatures to be considered trustworthy, reliable and equivalent to paper records.

Applies to FDA-regulated entities: drug makers, device manufacturers, biotech firms etc.

Requires controls and audit trails covering system validation, electronic signatures, and software and system documentation.

Part 20

Covers what info may or may not be shared with the general public.

Part 7

Enforcement policies for food, drugs and cosmetics

D. The Patient Self Determination Act (1990)

“Preserves the patient’s wishes, right, healthcare options and advanced directives even if the decision results in the death of the patient.”


E. The Patient Bill of Rights

Eight rights every patient has

  • To file a complaint


Legal practices

Informed Consent – consent of a patient to treatment or trial after understanding of facts and risks

Legally binding contracts require

  • Payment or consideration between parties
  • No illegal activities
  • Actions of parties must be described
  • Agreement without threat or duress

Memorandum of Understanding (MOU)

Good MOUs:

  • use plain language
  • identify all parties
  • outline expectations of all parties
  • specify termination process

Rights of Minors

A minor child can request and receive treatment, without parental consent, for:

  • Drug or alcohol abuse
  • STDs

Service Level Agreements – define a provider’s responsibilities when providing a service by performance measures:

  • Downtime: maximum periods allowed
  • Downtime period: how long a service must be non-functional to be considered “down”
  • Monthly uptime percentage
  • Scheduled downtime for service
  • Service credit: compensation for downtime, often in “free time”

Waivers of Liability – signed by patient to indemnify providers (not allowed in some states)



Healthcare Operations

Medical IT System Types

Departmental System – serves only one department or domain

Hospital-wide System – brings together the systems of all departments

Enterprise System – brings together multiple providers and locations

External System – shared by multiple organizations to report data to regulatory agencies or for regional health networks


IT Project Management

Project Managers:

  • Do review staff performance
  • Do set schedules
  • Do allocate resources
  • Do NOT set your pay rate


Work Types

Parallel: each worker does several tasks

Serial: each worker does a variety of tasks in a workflow

Unit Assembly: each worker does a single task, but not necessarily in an ordered workflow.

Unilateral: NOT a real work type, but a red herring


Organization Hierarchy



Staffing Coordinator

Billing Coordinator

Office Manager



Methods of Operation

Customs and practices used to achieve the goal of the organization

Scope of Work

The tasks involved in accomplishing goals.

Resource Types

Financial resources, including third-party payers like insurance or the government

Human resources



Provider Type is the service or occupation group of the practitioner.

Customary Charges are the “normal” or reasonable charges usually applied.

Sliding Scale fees, on the other hand, are based on the patient’s ability to pay.

Fee for Service is essentially payment for treatment, rather than payment by diagnosis

Capitation is the rate charged “per capita” – per individual – in a group plan. Formally, it’s the monthly payment an insurance company sends to a provider as set by an annual capitation contract. The services a patient uses do not determine capitation payments (at least in this year’s contract).

An Indemnity Plan enables the insured to visit any doctor or facility and direct his own care.

A Point of Service plan allows the patient to choose a provider each time healthcare service is required.


The Patient Admission Process

This is Registration or Admitting, but it is NOT Intake!

Name, address, contacts, insurance info, next of kin, allergies, medications, prior conditions, etc.


Order of Operations

Procedure or service

Dictation of record






Operating Budget – forecasts the costs of operations, for instance employees, supplies and leases

Statistical Budget – forecasts future volume of operations by analyzing statistical/historical data

Master Budget – brings together the budgets for all business or operating units

Organizational Budget – perhaps a real thing in other contexts, but a red herring here


Planning Chart Types

Gantt Chart – horizontal lines

Venn Diagram – a red herring – a mathematical diagram representing all possible relations between finite data sets

PERT Diagram – a sequence represented by circles connected by lines

Critical Path –


Bedside Medication Verification

  1. Scan patient wristband,
  2. medication barcode, and
  3. staff ID


Preventive Services

  • Wellness visits
  • Screening diagnostics
  • Routine checkups


Filing Systems

Motorized revolving files: for very limited space in low-volume offices with one file clerk. Expensive to buy and maintain.

Filing cabinets with drawers: for small, low-volume facilities. Lockable/fireproof but big.

Compressible units with open files: for limited-space, medium-volume operations with 2-3 file clerks.

Open shelf files: for high-volume operations in which the presence of multiple filing staff provides (some) security. Less secure and bulky but fast.

Thinning is reducing a patient’s physical file for ease of handling. Excess papers are sent to be archived.


Document Management

Device Capture – transmitting info directly from a medical device such as an echocardiogram

Document Archiving – ensuring documents in a medical record are stored securely and for an appropriate period

Document Imaging – scanning and indexing paper documents into an electronic system

Clinical Imaging – info in photographs or other imaging devices


Healthcare Diagnostic and Treatment Coding



  • Level II codes maintained by CMS
  • alphanumeric medical diagnostic codes
  • primarily non-physician services: ambulance, prosthetics
  • items, supplies and non-physician services not covered by CPT-4 codes (Level I)
  • one letter in the range A to V followed by 4 digits

“The Healthcare Common Procedure Coding System (HCPCS, often pronounced by its acronym as “hick picks”) is a set of health care procedure codes based on the American Medical Association‘s Current Procedural Terminology (CPT).” –


ICD-9 and ICD-10 – International Classification of Disease

  • Sponsored by WHO
  • Codes up to 6 characters
  • 3 character minimum
  • if there are more specific sub-codes, the 3-digit code will be in boldface followed by subsequent numbers
  • Diagnosis-based


RVS – Relative Value System codes

  • Created by insurers
  • Evolved into CPT


CPT-4 – Current Procedural Terminology (CPT)

  • Owned by AMA
  • Equals HCPCS Level 1
  • 5-digit codes plus modifiers

“The Current Procedural Terminology (CPT) code set is a medical code set maintained by the American Medical Association through the CPT Editorial Panel … CPT coding is similar to ICD-9 and ICD-10 coding, except that it identifies the services rendered rather than the diagnosis on the claim. ICD code sets also contain procedure codes but these are only used in the inpatient setting.” –


A system of Medicare diagnosis groupings using medical codes to define Medicare compensation.


National Codes

  • Created for CMS
  • for billing procedures and supplies for Medicare patients
  • Widely used by insurers


EHR Systems and Security

Review topics: compression ratio of TIFF vs. JPG images; the difference between WPA and WPA2 wireless security.

Risk Assessment

Required by HIPAA.

Assess the risks to confidentiality, integrity and availability of EPHI.


Document Retention

AHIMA – American Health Information Management Association lists recommendations (the “shoulds” below).

HIPAA dictates a few “musts” below.

Birth records should be kept forever.

X-rays should be kept 5 years.

Mammograms should be kept up to 30 years.

Emails discussing privacy and security policy must be retained for six (6) years.

Dental records must be retained for four (4) years.

Records containing materials specifically required by HIPAA must be retained for at least six (6) years after they were last in effect.

HIPAA does NOT dictate a retention period for medical records.

AHIMA does, however, recommend ten (10) years after most recent encounter.

AHIMA also recommends that fetal heart monitor records be kept until the patient is age 28 (10 years after majority).


Records Storage

HIPAA mandates that records be stored in secure, locked storage when not in use.

NOT in lockable mobile cabinets left in a front area.


Media Disposal




NOT Piercing


Common Software/materials System Issues

Patient demographics errors including formatting problems

Comm link errors


Common EHR Client System Types

Native application

Browser-based application

Remote terminal



Confidentiality – the legal and ethical responsibility of providers to maintain patient privacy (note how different this is from the IT definition)

Privacy – the individual’s right to control disclosure of their information

Data Security – technical and procedural methods for controlling confidential information

Conformity – NOT a security term, but a red herring



Use a topographic map for an external site survey.

SSIDs may be up to 32 characters.

SSIDs are case sensitive.


Healthcare Terminology and Acronyms


ADC – Automated dispensing cabinet, for Pharmacy

ADL – activities of daily living

ASC – Ambulatory Surgical Center

ASTM – American Society for Testing and Materials

ATCB – ONC Authorized Testing and Certification Body

BAA – Business Associate Agreement, required of third parties when providers share records with them (a BAA is NOT required from postal carriers)

CAH – Critical Access Hospitals (paid based on cost, not diagnosis)

CCD – Continuity of Care Document, an XML-based standard

CMS – Center for Medicare and Medicaid Services, a division of HHS

CPOE – Computerized Physician Order Entry: Lab, Rad and Pharmacy

CPT – Current Procedural Terminology

CSW – Clinical Social Worker

EDIS – Emergency department IS

eMAR – an electronic medication administration record, for Pharmacy, using barcode scanners at several points in the process

EPHI – Electronic Protected Health Information; Electronically transmitted or stored information

ERISA – Employee Retirement Income Security Act of 1974

Health Records:

EMR – Electronic Medical Records, usually in a stand-alone situation like a doctor’s office; an electronic version of the paper record.

EHR – Electronic Health Records are a collection of patient or population health information. One patient’s records from multiple sources and providers collectively are her EHR.

EPR – same as EHR

PHR – Personal Health Record, an electronic record maintained by the individual

HCPCS – Healthcare Common Procedure Coding System –

HHS – Department of Health and Human Services, the federal colossus

HITSP – Healthcare Information Technology Standards Panel

Information Systems


Pharmacy IS

Radiology IS

Lab IS (LIS)

IRB – Institutional Review Board

MAR – Medication Administration Record, for Pharmacy (cf. eMAR)

MOU – Memorandum of Understanding, or MOA, Memorandum of Agreement

NPI – National Provider Identifier

OCR – Office for Civil Rights

ONC – Office of the National Coordinator for Health Information Technologies

PACS – Picture Archiving and Communication System

PERT (chart) – Program Evaluation and Review Technique

Physician portal – a view into HIS/EMR/EHR; unlike CPOE it’s for notes, not orders; allows electronic signatures

PPACA or ACA – Patient Protection and Affordable Care Act

PPS – Prospective Payment System (payment based on diagnosis, not cost), a Medicare Part A system

RECs – HIT Regional Extension Centers

Surgical Process

Surgical summary report – short, for immediate reference during postop

Cold feed – how the report above is sent; there is no ACK confirming receipt

Operative record – complete, detailed account, dictated

SNF – Skilled Nursing Facility

TPO – Treatments, payments and operations



-osis – condition or disease

-itis – inflammation – Arthritis is inflammation

-algia – pain

-crine – secreting, as in endocrine

-blast – an immature or forming condition

-ology – study of



Barium contrast – a video using injected barium to make objects show clearly

Echocardiogram – a video view of the heart

Electronic signature – a scanned copy of a signature on paper

Data Security – technical and procedural methods to control and manage confidential information.

Digital signature – a product of hashing and encryption with full legal legitimacy

Health Information

De-identified Health Information

Individually Identifiable Health Information

Archived Health Information

Demographic Health Information

Informed Consent – the conversation between patient and physician re. medical procedure being performed, reasons for it, benefits of it and risks.

Interface Engine – a “translator” that sits between multiple systems and reformats data for those systems

Nursing home vs. assisted living

Perioperative IS – the info system that manages patients in surgery

Privacy – “the individual’s right to control disclosure”

Specialty Hospital provides treatment for specific issues such as burns, cancer or women’s care

Thinning – reducing a patient’s chart when it gets too big to handle. Thinned records are sent to central medical records area.


Types of Plans

A Preferred Provider Organization (PPO) offers discounted services at in-network providers only.

A Health Maintenance Organization (HMO) provides services for a fixed, prepaid amount.


Types of IT in Medicine

Clinical IT – handling prescriptions, lab tests, images, medical procedures

Infrastructure IT – handling networks and major services

Financial IT – handling billing and finances

Administrative IT – handling staffing and operations IT


Types of Data




Signals – tracking from an instrument, e.g. EEG or EKG


Healthcare Organizations

Pay attention to HL7 codes



  • Federal, a dept of HHS
  • Serves over-65 and disabled


  • Federally monitored
  • Run by states so has many names
  • For low-income and eligible families


  • For active-duty members of US military


  • Federal Employee Health Benefits Program
  • For federal employees, retirees and their families


Organization/Facilities Types


Inpatient (admitted) vs. Outpatient

General Hospital – required to provide diagnosis and treatment for medical services including radiology, lab services and surgery.

Specialty Hospital – provides treatment for specific disorders such as cancer, burns or women’s health

Rehabilitation Hospital – provides diagnosis, treatment, restorative and adjustment services to the disabled

Psychiatric Hospital – provides diagnosis and treatment for individuals with mental illness or behavioral health disorders


Private Practices

Practitioners practice medicine without supervision (doctors, nurse practitioners)

Providers are in supervised settings (nurses, aides)


Acute Care Facility

Provides medical, surgical, pediatric and obstetric services that require fewer than 30 days hospital stay.


Assisted Living Facility

For elderly or those who need assistance with activities of daily living (ADL)



Health Maintenance Organization

Provides healthcare services for fixed, prepaid reimbursement.

Providers and subscribers voluntarily enroll.


Home Health Care

Often for IV care or PT



Care for terminally ill patients, either at home or in facilities.

24/7 care


Medical/hospital equipment

Medicare/Medicaid will reimburse most hospice costs for those eligible.


Nursing Homes/Convalescent Hospitals


Often run by Director of Nursing, an RN

Staffed by LPNs and non-licensed nursing assistants

For Medicare reimbursement, must meet criteria for a Skilled Nursing Facility (SNF)


Nonacute Care Facility

aka Long Term Care Facility

For individuals w/ long-term illnesses requiring hospital stays of over 30 days.

Alzheimer’s Disease etc.



Point of Service healthcare plan

Patient permitted to choose a provider each time healthcare services are needed.



Preferred Provider Organization

A network of providers that give a discount rate in return for higher volume.


Subacute Care Facility

Provides treatment for patients with an acute illness or injury on top of a chronic illness, like surgery patients who get pneumonia.


Surgical Centers and Ambulatory Surgical Centers (ASCs)

Outpatient and inpatient


Healthcare Regulatory Bodies

Department of Commerce

NIST – National Institute of Standards and Technology

  • Coordinates standards
  • Coordinates infrastructure testing
  • Improve EHR usability
  • Extend healthcare’s reach through technology
  • R&D

Defines requirements of SLAs, but does NOT involve financial penalties for failure

Malcolm Baldrige National Quality Award


NIST, ONC and HITSP (Healthcare Information Technology Standards Panel, a public/private partnership) create ISO standards for interoperability.

Department of Health and Human Services (HHS)

“Responsible for protecting the health of all Americans.”

12 Operating Divisions, including CMS

Center for Medicare and Medicaid Services (CMS)

CMS runs Medicare for people over 65

Part A – Inpatient care

Part B – Outpatient care

Prescription Drug Coverage

Heavily involved in HIPAA implementation

Their standards are often adopted across the medical industry.

17 Staff Divisions

ONC – Office of the National Coordinator for Health Information Technology

“The Office of the National Coordinator for Health Information Technology (ONC) is at the forefront of the administration’s health IT efforts and is a resource to the entire health system to support the adoption of health information technology and the promotion of nationwide health information exchange to improve health care. ONC is organizationally located within the Office of the Secretary for the U.S. Department of Health and Human Services (HHS).”

ONC certifies EHR systems

  • Standards and certification criteria for EHR systems
  • Certification programs
  • Metadata definitions

National Committee on Vital and Health Statistics

Governing body that sets standards for the transmission of PHI.


FDA – Food and Drug Administration

The agency that certified X-rays for use on humans.

Title 21 CFR

Part 21: Individual records maintained, used and disclosed by the FDA

Part 7: Recalls of drugs, food or cosmetics

Part 11: Electronic records and digital signatures defined

Digital signatures are used for:

  • Medicare certifications
  • Remote site patient records,
  • Referrals
  • Computerized Physician Order Entry

ASTM – American Society for Testing and Materials

E1384 – Components and contents of patient records; definitions of nomenclature

Basically this involves ensuring records contain required information.

NCQA – National Committee for Quality Assurance

A U.S. independent nonprofit accrediting body for managed health care organizations

Uses HEDIS, Healthplan Employer Data and Information Set, to measure and publish info about managed care plans for employers and consumers.

The Joint Commission for the Accreditation of Healthcare Organizations

Monitors the safety and effectiveness of treatments provided by healthcare providers.

Requires a review of all delinquent medical records at least once every 90 days.

Requires dictation and transcription of acute history and physicals within 24 hours.

Requires that history and physical of chronic care patients be dictated and transcribed within 30 days.

Requires that a patient’s medical record be completed within 30 days (for instance, after discharge).


Digital Images and Communication in Medicine

Dictates standards for handling, storing, printing and transmitting medical images.

HL7 (Health Level 7)

International community of healthcare SMEs and info scientists.

Promotes informatics standards to improve healthcare info delivery.

Creates standards for exchange, management and integration of EHI.

Dictates data field types and contents.

Provider Type specifies the major grouping of the service or occupation of the practitioner.

Other bodies

OSHA dictates safety for all workers.



CompTIA Healthcare IT Technician Certification

63531 Healthcare IT Technician

Course/Class Number: 63531/59724
Class Title: 63531 Healthcare IT Technician, Section SPA
Monday, Wednesday, Friday 8:00 am – 12:00 pm; 3 sessions starting April 14, 2014, ending April 18, 2014

Text: CompTIA Healthcare IT Technician HIT-001 Authorized Cert Guide, Joy Dark and Jean Andrews, 2012


  • Understand regulatory requirements
  • Know healthcare terminology/acronyms
  • Be familiar with practice workflow
  • Adhere to code of conduct policies
  • Engage security best practices
  • Support Electronic Health Records (EHR) systems

According to CompTIA:

The CompTIA Healthcare IT Technician certification exam covers:

  • U.S. regulatory requirements
  • Organizational behavior
  • IT operations
  • Medical business operations
  • Security

Or stated differently:

  • Regulations, agencies and laws
  • HIPAA controls and compliance
  • Backup and record retention, disposal and archiving
  • Healthcare IT security
  • EMR access roles
  • Setup and management of EHR/EMR PCs, servers and networks
  • Legal practices, requirements and documentation

According to Dark and Andrews:

  • Healthcare Organizational Behavior
  • Healthcare Regulatory Requirements
  • Healthcare Business Operations
  • Healthcare IT Security, Privacy, and Confidentiality
  • Healthcare IT Operations

Texts and Materials