Healthcare Industry - HCISSP Study Guide (2015)

Chapter 2. Healthcare Industry

Abstract

This chapter discusses the fundamental components of the healthcare industry. The focus will be a high-level perspective on the various components of the healthcare industry. We will emphasize various healthcare delivery models, associated support services, clinical research, healthcare technology, healthcare exchanges, and healthcare information flows.

Keywords

Health systems

Health information technology

Health insurance

Coding

Billing

Payment and reimbursement

Workflow

Clinical research

Records management

Third-party relationships

Health data characterization

Data interoperability

Data exchange

This chapter will help candidates

Understand fundamental components of the healthcare industry

Understand healthcare delivery models

Understand healthcare technology

Understand healthcare exchanges and healthcare information flows

Healthcare systems

Healthcare is delivered in many different ways in today’s healthcare system. Healthcare services range from those delivered by an individual physician to those of a global pharmaceutical company. In addition to this wide range of healthcare providers and structures, there is a large number of third parties (vendors, business partners, etc.) that provide a range of support services (e.g., medical equipment suppliers, billing, technology). Another critical component of the healthcare system is the set of government agencies and regulators that oversee it.

Healthcare organizations

Organizations providing healthcare can be structured in a variety of ways, but are commonly classified into either for-profit or not-for-profit organizations. Each type of entity has its own objectives and challenges, but the underlying commonality is the delivery of high-quality healthcare services at a low cost. Healthcare costs have significantly increased in recent years and the costs are anticipated to continuously rise over the next several years. Healthcare organizations may also be impacted by their physical and jurisdictional locations, the specific types of healthcare services they deliver, and country-specific legal and regulatory requirements.

Healthcare provider

The U.S. Department of Health and Human Services (HHS) recognizes definitions for both healthcare providers and covered entities:

Healthcare provider – A provider of medical or health services and any other person or organization who furnishes, bills, or is paid for healthcare in the normal course of business.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)–covered entity – Any organization or corporation that directly handles personal health information (PHI) or personal health records (PHRs).

Organized physician services

Organized physician services evolved from the single-practitioner service model to provide more comprehensive care through an organization. This model enables an independent organization to deliver scalable patient care services that are not possible for a single physician.

The National Provider Identifier (NPI)

The NPI is a unique 10-character identification number for covered healthcare providers. Its purpose is to improve the efficiency and effectiveness of the electronic transmission of health information and is mandated as part of the Administrative Simplification provisions of the HIPAA. The Centers for Medicare & Medicaid Services (CMS) has developed the National Plan and Provider Enumeration System (NPPES), which is responsible for the assignment and administration of these unique identifiers.
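As an added example (not from the study guide), the following validator checks whether a 10-digit string is a well-formed NPI. It relies on a detail the chapter does not state but that the CMS NPI specification defines: the tenth digit is a Luhn check digit computed over the constant prefix 80840 followed by the nine-digit base. The function names are my own; the check is useful in a data-loss-prevention rule or log parser to tell a real NPI from an arbitrary 10-digit number.

```python
"""Validate National Provider Identifiers (NPIs).

Added example, not part of the study guide. Assumes the CMS NPI
check-digit rule: Luhn over the fixed prefix "80840" followed by the
nine-digit base, with the tenth NPI digit being the check digit.
"""
import re

NPI_PREFIX = "80840"  # "80" = health applications, "840" = USA (ISO 3166)


def luhn_sum(digits: str) -> int:
    """Luhn sum of a digit string: every second digit from the right is doubled
    (and reduced by 9 if the product exceeds 9), then all digits are added."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9          # same as summing the product's two digits
        total += d
    return total


def npi_check_digit(base: str) -> int:
    """Check digit for a nine-digit NPI base (the first nine digits of an NPI)."""
    if not re.fullmatch(r"\d{9}", base):
        raise ValueError("NPI base must be exactly nine digits")
    # Append a placeholder 0 so the doubling parity matches the final NPI layout.
    return (10 - luhn_sum(NPI_PREFIX + base + "0") % 10) % 10


def is_valid_npi(npi: str) -> bool:
    """True if npi is exactly ten digits and its Luhn check digit is correct."""
    if not re.fullmatch(r"\d{10}", npi):
        return False
    return luhn_sum(NPI_PREFIX + npi) % 10 == 0


def find_npis(text: str) -> list:
    """Return the standalone 10-digit tokens in text that pass the NPI check.

    Using the check digit, rather than a bare ten-digit pattern, cuts the false
    positives a DLP rule would otherwise raise on phone numbers or account IDs.
    """
    return [t for t in re.findall(r"(?<!\d)\d{10}(?!\d)", text) if is_valid_npi(t)]


if __name__ == "__main__":
    # Constructed sample: 1234567893 is the example NPI used in CMS documentation;
    # 1234567890 has the same base but a wrong check digit.
    sample = "rendering provider 1234567893, referring provider 1234567890"
    print(npi_check_digit("123456789"))   # 3
    print(find_npis(sample))              # ['1234567893']
```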

Pharmaceutical industry

The pharmaceutical industry is composed of various types of enterprises that produce medicine and drugs used in the delivery of healthcare. It is important to note that in most cases, pharmaceutical companies do not deliver medicine and drugs directly to patients. Furthermore, pharmaceutical companies are heavily regulated and must adhere to a variety of laws and regulations regarding the research, testing, marketing, and production of drugs to ensure proper use and patient safety. Closely related are the organizations (commonly referred to as pharmacies) responsible for the direct medicine and drug distribution.

Payers

A payer in healthcare generally refers to an entity other than the patient that finances or reimburses the cost of healthcare services. Many types of organizations meet these criteria, but some of the more common ones include insurance companies, healthcare service contractors, self-insured organizations providing healthcare, and governments making payments for healthcare services.

A healthcare provider sends claims to a health plan to request payment for medical services.

Electronic Data Interchange (EDI)

According to the HHS, EDI “Is the electronic transfer of information, such as electronic media health claims, in a standard format between trading partners. EDI allows entities within the health care system to exchange medical, billing, and other information and to process transactions in a manner, which is fast and cost effective. With EDI there is a substantial reduction in handling and processing time compared to paper, and the risk of lost paper documents is eliminated. EDI can eliminate the inefficiencies of handling paper documents, which will significantly reduce administrative burden; lower operating costs, and improves overall data quality.” Under HIPAA, the following standard transactions must use EDI:

Claims and encounter information

Payment and remittance advice

Claims status

Eligibility

Enrollment and disenrollment

Referrals and authorizations

Coordination of benefits

Premium payment

Additionally, under HIPAA, the following specific code sets for diagnoses and procedures must also be used:

Healthcare Common Procedure Coding System (HCPCS) (Ancillary Services/Procedures)

CPT-4 (Physicians’ Procedures)

CDT (Dental Terminology)

ICD-9 (Diagnosis and Hospital Inpatient Procedures)

ICD-10 (As of October 1, 2014)

National Drug Codes (NDC)

Value-Added Networks (VANs)

Many healthcare organizations choose to work with VANs to aid in EDI. A VAN is a hosted service offering that acts as an intermediary between business partners such as hospitals and insurance payers. It simplifies the communications process by reducing the number of parties with which a company needs to facilitate EDI. VANs can offer a variety of support services for EDI and related activities and healthcare organizations should select the services most appropriate to their specific operating and regulatory models.

Health insurance exchanges

Health insurance exchanges are centralized health insurance offerings available to individuals who do not currently have healthcare insurance. The exchanges are typically subsidized and/or managed by a government program, the largest example being HealthCare.gov. These exchanges typically offer competitive rates since insurers are spreading risk among a larger population and can offer “group” discounts and rates. Health insurance exchanges are supported by the U.S. government and are the foundation of the Affordable Care Act.

Business associates

Since most healthcare service providers focus on delivering patient care, they look to other organizations to provide the necessary business support activities associated with modern healthcare delivery. Some common examples of business associates include accounting and financial services, claims processors, transcription services, consultants, etc. Under the HIPAA Privacy Rule, covered providers and health plans are allowed to disclose protected health information to business associates if the providers or plans obtain satisfactory assurances that the business associate will comply with the following practices to ensure patient information is properly safeguarded:

Use the information only for the purposes for which it was engaged by the covered entity.

Safeguard the information from misuse.

Help the covered entity comply with some of the covered entity’s duties under the HIPAA Privacy Rule.

Health Information Technology (HIT)

According to the HHS, HIT “Involves the exchange of health information in an electronic environment. Widespread use of health IT within the health care industry will improve the quality of health care, prevent medical errors, reduce health care costs, increase administrative efficiencies, decrease paperwork, and expand access to affordable health care.” Some of the more common components include electronic medical records (EMRs), clinical decision support systems (CDSS), and computerized physician order entry (CPOE). In addition to HIT being used directly for the delivery of patient care services, healthcare organizations also use HIT for management and business support functions.

Medical devices

Medical devices are an integral part of many organizations’ delivery of today’s modern healthcare treatments and services. The World Health Organization (WHO) defines a medical device as “An article, instrument, apparatus or machine that is used in the prevention, diagnosis or treatment of illness or disease, or for detecting, measuring, restoring, correcting or modifying the structure or function of the body for some health purpose.” Types of medical devices often include self-care, electronic, diagnostic, surgical, durable medical equipment, acute care, emergency and trauma, long-term care, storage, and transport. Due to the varied types and widespread use of medical devices, healthcare organizations have a responsibility to properly protect patients and their associated health data when using medical devices for patient care. The U.S. Food and Drug Administration formally acknowledges and classifies medical devices. According to the FDA website, “The Food and Drug Administration (FDA) has established classifications for approximately 1,700 different generic types of devices and grouped them into 16 medical specialties referred to as panels. Each of these generic types of devices is assigned to one of three regulatory classes based on the level of control necessary to assure the safety and effectiveness of the device. The three classes and the requirements, which apply, to them are:

Device Class and Regulatory Controls

1. Class I General Controls

a. With Exemptions

b. Without Exemptions

2. Class II General Controls and Special Controls

a. With Exemptions

b. Without Exemptions

3. Class III General Controls and Premarket Approval.”

Meaningful use regulations

One of the most important changes to the U.S. healthcare system, and a significant driver of HIT, is meaningful use (MU). According to HealthIT.gov, “The Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs provide financial incentives for the ‘meaningful use’ of certified EHR technology. To receive an EHR incentive payment, providers have to show that they are ‘meaningfully using’ their certified EHR technology by meeting certain measurement thresholds that range from recording patient information as structured data to exchanging summary care records.”

There are a variety of organizational benefits to the adoption of electronic health record (EHR) technology and MU. Some of the more common benefits include accurate and updated information, and increased accessibility to both patients and healthcare providers.

Electronic health record

EHRs are the new cornerstone of today’s modern healthcare delivery and management. According to the Healthcare Information and Management Systems Society (HIMSS), “The Electronic Health Record (EHR) is a longitudinal electronic record of patient health information generated by one or more encounters in any care delivery setting. Included in this information are patient demographics, progress notes, problems, medications, vital signs, past medical history, immunizations, laboratory data and radiology reports. The EHR automates and streamlines the clinician’s workflow. The EHR has the ability to generate a complete record of a clinical patient encounter – as well as supporting other care-related activities directly or indirectly via interface – including evidence-based decision support, quality management, and outcomes reporting.” As you can see from this very comprehensive definition, the EHR plays a critical role in the overall operations of a healthcare organization and touches upon and often includes a tremendous amount of sensitive information. Therefore, healthcare organizations must understand the elements and information flows of EHRs and implement the appropriate privacy and security safeguards.

Personal health record

A PHR is very similar to an EHR. The primary difference is that the information and management of the record is managed at the individual patient level. HealthIT.gov states, “A personal health record (PHR) is an electronic application used by patients to maintain and manage their health information in a private, secure, and confidential environment.” PHRs:

Are managed by patients

Can include information from a variety of sources, including healthcare providers and patients themselves

Can help patients securely and confidentially store and monitor health information, such as diet plans or data from home monitoring systems, as well as patient contact information, diagnosis lists, medication lists, allergy lists, immunization histories, and much more

Are separate from, and do not replace, the legal record of any healthcare provider

Are distinct from portals that simply allow patients to view provider information or communicate with providers

PHRs are often associated with EHRs, and information can be exchanged between the two record types. For this reason, it is important that both the information they contain and the PHRs themselves be properly safeguarded. Healthcare organizations managing the technology supporting PHRs also have the responsibility to protect patient information. Additionally, healthcare organizations need to partner with patients to ensure the patient understands their individual roles and responsibilities in managing their healthcare information and a PHR.

Health insurance

In order to comprehensively understand modern healthcare delivery, it is important to discuss the subject of health insurance. There are numerous types of health insurance and patients often have a variety of arrangements they can select from to assist in the payment or reimbursement for healthcare. However, a common theme among most health insurance plans is that an insurer will pay for some or all of the healthcare costs for a patient in exchange for a premium. In fact, HealthCare.gov defines health insurance as “A contract that requires your health insurer to pay some or all of your healthcare costs in exchange for a premium.” As indicated earlier, the number of types and specific details of health insurance can vary greatly from organization to organization. The following discussions will highlight some of the more common health insurance programs. However, it is important to note that the details of plans change frequently and organizations outside of the United States often have additional variances in their programs that are specific to the healthcare delivery customs for that country.

Private Health Insurance

Private health insurance is a type of insurance coverage where individuals are responsible for providing their own health insurance coverage. However, in most cases the patient’s employer provides all or some of the funding as an employee benefit. Private health insurance is currently the most prevalent form of health insurance in the United States. However, it is important to note that Medicare and Medicaid (two types of public health coverage) are also common in the United States.

Although private health insurance often has a wider network of healthcare providers and services, it often costs considerably more than public health insurance.

Public Health Insurance

The other major type of health insurance is public health insurance. This is an insurance program provided by the government. The primary benefit of a public health insurance program is that it can provide health insurance access and affordability to patients who could not obtain private health insurance. A major disadvantage of public health insurance is the eligibility requirements often associated with a government-managed health insurance program.

Health Insurance Programs

As discussed earlier, there are a variety of health insurance programs. The specific arrangements of each program are left to the discretion of the insurer and the patient. A list and high-level description of common health insurance programs in the United States follows:

Indemnity plan – Patient selects a healthcare provider of their choice. The service provider submits a claim to the patient’s insurance for services rendered.

Health Maintenance Organization (HMO) – Patient pays a set premium and is entitled to the services included in the benefit offering. Patients must see a primary care physician within the HMO, and are required to obtain a referral for specialists and additional healthcare services not included in the HMO’s primary offering.

Preferred provider organization (PPO) – A PPO can be considered a hybrid of an indemnity plan and an HMO. Patients can select a healthcare provider of their choice, as long as it is within the PPO network. Some PPOs will allow patients to select services outside of the network, but will usually reimburse patients for a smaller percentage than if they had stayed within the network.

Exclusive provider organization (EPO) – EPOs are similar to PPOs except that patients will only be reimbursed for healthcare services provided within the network.

Point-of-service plan (POS) – A POS is a hybrid between an HMO and a PPO.

High-deductible health plan (HDHP) – HDHPs are plans with high deductibles, but these are balanced with very low premiums.

Catastrophic health insurance plan – These plans also have high deductibles, but only provide coverage for serious injury or illness.

Medicare and Medicaid – U.S. government insurance programs. Medicare provides insurance for the elderly and Medicaid provides insurance for the poor.

Payment models

There are a variety of payment models currently available in the healthcare industry. We will provide a high-level perspective as payment for healthcare services is an important component of the overall healthcare system. However, specific program details and operating models vary among organizations and we will focus on some of the more common payment models, which are listed as follows:

Fee for service – Reimbursement for specific, individual services provided to a patient.

Pay for coordination – Payment for specified care coordination services, usually to certain types of providers (e.g., nursing home).

Pay for performance – Defined as a payment or financial incentive (e.g., a bonus) associated with achieving defined and measurable goals related to care processes and outcomes, patient experience, resource use, and other factors.

Episode or bundled payments – Single payments for a group of services related to a treatment or condition that may involve multiple providers in multiple settings.

Comprehensive care/total cost of care payment – A single risk-adjusted payment for the full range of healthcare services needed by a specified group of people for a fixed period of time.

Healthcare coding

Healthcare coding is essential to the transactional aspect of healthcare delivery. According to the CMS, “Under HIPAA, the Secretary of Health and Human Services (HHS) adopted certain standard transactions for Electronic Data Interchange (EDI) of health care data. These transactions are: claims and encounter information, payment and remittance advice, claims status, eligibility, enrollment and disenrollment, referrals and authorizations, coordination of benefits and premium payment. If a covered entity conducts one of the adopted transactions electronically, they must use the adopted standard – either from ASC X12N or NCPDP (for certain pharmacy transactions). Covered entities must adhere to the content and format requirements of each transaction. Also, under HIPAA, HHS has adopted specific code sets for diagnoses and procedures to be used in all transactions. The HCPCS (Ancillary Services/Procedures), CPT-4 (Physicians Procedures), CDT (Dental Terminology), ICD-9 (Diagnosis and hospital inpatient Procedures), ICD-10 (As of October 1, 2014) and NDC (National Drug Codes) codes with which providers and health plan are familiar, are the adopted code sets for procedures, diagnoses, and drugs.”

Medical Coding Systems

Currently there are two medical coding systems used in the United States:

HCPCS:

Level I Current Procedural Terminology (CPT) codes and Level II National Codes

International Classification of Disease (ICD)

The HCPCS is used to report hospital outpatient procedures and physician services.

These coding systems support the healthcare system by providing functions for physician reimbursement, hospital payments, quality review, and the collection of statistical data.

The American Medical Association (AMA) publishes CPT codes. CPT codes are used to report medical procedures and services under public and private health insurance programs. The WHO maintains the ICD classification. Its primary purpose is to categorize diseases for morbidity and mortality reporting. As of this writing the WHO states, “ICD-10 was endorsed by the Forty-third World Health Assembly in May 1990 and came into use in WHO Member States as from 1994. The 11th revision of the classification has already started and will continue until 2017.” U.S.-based healthcare organizations should note that the United States has used a clinical modification of ICD (ICD-10-CM) for the additional purposes of reimbursement.

Systematized Nomenclature of Medicine (SNOMED) – Clinical Terms (CT)

According to the International Health Terminology Standards Development Organization (IHTSDO) (the not-for-profit organization that owns, maintains, and distributes SNOMED CT), “SNOMED CT provides the core general terminology for the electronic health record (EHR) and contains more than 311,000 active concepts with unique meanings and formal logic-based definitions organized into hierarchies. When implemented in software applications, SNOMED CT can be used to represent clinically relevant information consistently, reliably and comprehensively as an integral part of producing electronic health records.” Healthcare organizations use coding systems to enable aggregation of accounting and medical record data by disease, patient characteristics, or site of care. These systems often include the various patient classification systems such as Diagnosis-Related Groups (DRGs), Ambulatory Patient Groups (APGs), and Resource Utilization Groups (RUGs). The common classification systems are defined as follows:

DRG – Payment approach that focuses on inpatient hospitalizations, setting a price based on categories of illness.

APGs – Encompass a full range of ambulatory settings and are designed to explain the amount and type of resources used in an ambulatory visit.

Ambulatory Payment Classifications (APCs) – Used by the U.S. government for hospital services provided to Medicare and Medicaid patients.

RUGs – Rely on specific documentation of the patient care delivered, that is, the patient resources used.

Medical billing

Medical billing is the part of the healthcare process where claims and payment information is managed and communicated with health insurance companies in order for the healthcare provider to receive payment (reimbursement) for services delivered to a patient. After a healthcare provider sees a patient, the diagnosis and procedure codes are assigned accordingly. These codes assist the insurance company in determining coverage and reimbursement for the rendered services.

HIPAA transaction and code sets

Under HIPAA, the TCS Standard/Rule mandates uniform electronic interchange formats for all covered entities. The TCS Rule covers only PHI in electronic form; it adopts EDI standards and requires their use by all covered entities. Its EDI standards were selected from among the preexisting transaction and code set specifications of a variety of nongovernmental Designated Standards Maintenance Organizations (DSMOs).

The TCS Rule uses the American National Standards Institute (ANSI) Accredited Standards Committee (ASC) X12 transactions (ANSI X12N) standards as follows:

Health Care Claims or Equivalent Encounter Information (X12N 837)

Eligibility for a Health Plan (X12N 270/271)

Referral Certification and Authorization (X12N 278 or NCPDP for retail pharmacy)

Health Care Claim Status (X12N 276/277)

Enrollment and Disenrollment in a Health Plan (X12N 834)

Health Care Payment and Remittance Advice (X12N 835)

Health Plan Premium Payments (X12N 820)

Coordination of Benefits (X12N 837 or NCPDP for retail pharmacy)

National Uniform Billing Committee (NUBC)

The NUBC is a voluntary committee whose work is coordinated through the offices of the American Hospital Association (AHA) and includes participation of all the major national provider and payer organizations. The Committee monitors and manages the use of the standard uniform billing (UB) form and data set used throughout the industry for billing transactions.

Healthcare clearinghouse

Healthcare clearinghouses are organizations that process nonstandard data elements of health information into standard data elements. The clearinghouse receives unstructured healthcare transactions from a healthcare organization and translates the data into the format required and forwards the processed information to the appropriate partner organization (commonly a payer).

Workflow management

Due to the significant emphasis on healthcare reform and in order to comply with various legal, regulatory, and industry best practices, healthcare organizations work on ways to improve their processes, deliver high-quality care more efficiently, and simultaneously reduce costs. Since many healthcare processes are complex and data intensive, and include both clinical and administrative activities, healthcare organizations are turning to various kinds of workflow management systems to manage healthcare activities. Healthcare organizations are seeking automated solutions and applications that simplify the routine delivery of patient healthcare. Although workflow management systems can vary in type, size, and function from organization to organization, there are several common applications within the healthcare industry. The workflow management applications common to the healthcare industry address routine administrative (billing, claims, etc.) and clinical (patient management, charting, etc.) activities.

Regulatory environment

Although Chapter 3 will go into great detail about the specific security, privacy, and oversight issues impacting the healthcare industry, it is important to recognize the overall and significant impact the regulatory environment has on the healthcare industry. Since the healthcare industry is heavily regulated, laws and regulations drive many of an organization’s daily operations, in order to safeguard patient health information. Understanding the complexity of the regulatory environment is fundamental to understanding how the healthcare industry is required to deliver services. Additionally, understanding of the regulatory environment allows organizations to develop policies and procedures that simultaneously deliver effective patient care, meet business objectives, and comply with legal and regulatory requirements.

Public health reporting

According to the HHS, “The HIPAA Privacy Rule recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information to carry out their public health mission. Accordingly, the rule permits covered entities to disclose protected health information without authorization for specified public health purposes.”

Clinical research

Clinical research is an integral part of the healthcare industry. It allows for advances in healthcare and improved patient care. However, such advances are dependent on excellent research and proper research methodologies such as Good Clinical Research Practice (GCP). According to the WHO, GCP is a process that incorporates established ethical and scientific quality standards for the design, conduct, recording, and reporting of clinical research involving the participation of human subjects and provides public assurance that the rights, safety, and well-being of research subjects are protected.

Authorization and informed consent

With regard to clinical research, an authorization is different from informed consent. An authorization is an individual’s permission for a covered entity to use or disclose PHI for a specific purpose (e.g., a research study). Informed consent, on the other hand, is the individual’s permission to participate in the research study. An authorization is required to contain specific elements and required statements in accordance with the Privacy Rule.

These elements and statements include:

A description of the PHI to be used or disclosed, identifying the information in a specific and meaningful manner.

The names or other specific identification of the person or persons (or class of persons) authorized to make the requested use or disclosure.

The names or other specific identification of the person or persons (or class of persons) to whom the covered entity may make the requested use or disclosure.

A description of each purpose of the requested use or disclosure.

Authorization expiration date or expiration event that relates to the individual or to the purpose of the use or disclosure (“end of the research study” or “none” is permissible for research, including for the creation and maintenance of a research database or repository).

Signature of the individual and date – If the individual’s legally authorized representative signs the authorization, a description of the representative’s authority to act for the individual must also be provided.

Institutional review boards

All clinical research studies in the United States are reviewed by the FDA and governing bodies called institutional review boards (IRBs), whose job is to make sure participants’ rights are fully protected and that participants are not exposed to any unnecessary risks. An IRB is charged with protecting the rights and welfare of people involved in research. This is accomplished by making sure critical activities and industry best practices are being followed. Although a comprehensive discussion on clinical trial best practices is outside the scope of this discussion, healthcare organizations participating in this sector must recognize that a comprehensive program that is compliant with all applicable laws and regulations must be in place when performing clinical trials.

Healthcare records management

Proper healthcare records management is a critical part of today’s healthcare systems. As the healthcare industry strives for efficiency and automation, proper management of healthcare records becomes increasingly important. Furthermore, effective healthcare records management programs support compliance with various legal and regulatory requirements. Although each organization will need to develop a program that meets its specific needs, two essential elements are generation and maintenance of records (including quality and access control, and management and distribution) and proper destruction of healthcare records. Healthcare record information must be properly managed and safeguarded from start (record generation) to finish (record destruction) and the entire time in between. Although each organization will need to comply with specific organizational, jurisdictional, and legal/regulatory data retention requirements, there are some industry best practices that should be followed around proper data destruction. According to the HHS, the HIPAA Privacy and Security Rules offer the following guidance on proper data destruction:

“Depending on the circumstances, proper disposal methods may include (but are not limited to):

Shredding or otherwise destroying PHI in paper records so that the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed prior to it being placed in a dumpster or other trash receptacle.

Maintaining PHI for disposal in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.

In justifiable cases, based on the size and the type of the covered entity, and the nature of the PHI, depositing PHI in locked dumpsters that are accessible only by authorized persons, such as appropriate refuse workers.

For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).”
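The first electronic method in the HHS guidance, "clearing", is an overwrite of the media with non-sensitive data. The following is an added example, not part of the HHS guidance or of this guide: it overwrites a record file in place, reads it back to confirm a constructed PHI marker is no longer present, and only then removes the file. The record content, file names, and the report structure are assumptions made for the example. The comment in run_demo states the caveat every practitioner should attach to file-level overwriting.

```python
"""Added example (not from the HCISSP guide or HHS): file-level 'clearing' of a
record by overwriting it with non-sensitive data, with a read-back check before
the file is removed."""
import os
import secrets
import tempfile


def overwrite_in_place(path, passes=2, chunk=64 * 1024):
    """Overwrite every byte of the file with random data, forcing each pass to disk.
    Returns the number of bytes written per pass (the original file size)."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def contains(path, marker):
    """Read-back check: is the marker byte string still present in the file?"""
    with open(path, "rb") as fh:
        return marker in fh.read()


def clear_record_file(path, marker):
    """Clear the file and remove it, reporting what the read-back check observed.
    If the marker survives the overwrite, the file is kept so the failure can be escalated."""
    before = contains(path, marker)
    size = overwrite_in_place(path)
    after = contains(path, marker)
    if after:
        raise RuntimeError("overwrite did not remove the marker; keep the file and escalate")
    os.remove(path)
    return {
        "marker_present_before": before,
        "marker_present_after_overwrite": after,
        "bytes_overwritten": size,
        "file_exists_after": os.path.exists(path),
    }


def run_demo():
    """Create a constructed PHI-bearing file in a temporary directory, clear it,
    and return the report (assumed structure, for the example only)."""
    # Caveat: on SSDs, copy-on-write or journaling filesystems, and anything with
    # snapshots or backups, the old blocks can survive an in-place overwrite.  There,
    # HHS-style 'purging' or 'destroying' (device sanitize / crypto-erase, degaussing,
    # physical destruction) is the appropriate method, not a file-level overwrite.
    record = (b"PATIENT: DOE, JANE\nDOB: 1970-01-01\n"
              b"DX: constructed sample record, not real PHI\n") * 100
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "record.txt")
        with open(path, "wb") as fh:
            fh.write(record)
        report = clear_record_file(path, b"DOE, JANE")
    report["original_size"] = len(record)
    return report


if __name__ == "__main__":
    print(run_demo())
```

The read-back check only proves the file's current blocks were rewritten; it says nothing about previously released blocks, journal copies, or remapped flash pages, which is why the caveat in the code points to purging or destruction for those cases.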

Data sharing

Healthcare organizations must note that under HIPAA’s transaction, privacy, and security rules, protected health information must be properly safeguarded whenever it is shared. Each of the HIPAA transaction, privacy, and security rules also references agreements or contracts among organizational entities. According to the American Health Information Management Association (AHIMA), “The HIPAA transactions, security, and privacy regulations identify five agreements and relationships that can be established between healthcare entities to achieve economies of scale and lessen HIPAA’s administrative burden. They are:

Affiliated covered entity (ACE)

Business associate contract

Chain of trust agreement

Data use agreement

Organized healthcare arrangement (OHCA)

Trading partner agreement”

Understanding external third-party relationships

To deliver quality care efficiently and at low cost, healthcare organizations must often work with external organizations to achieve their healthcare delivery goals. The specifics of each relationship vary among individual healthcare organizations and their selected third-party partners. If a vendor creates, receives, maintains, or transmits PHI on behalf of a healthcare organization, the vendor is a business associate. The term business associate is formally defined under HIPAA, and every business associate of a covered entity must agree in writing (a business associate agreement) to mandatory provisions regarding the proper safeguarding, use, and disclosure of protected health information; since the HITECH Act, business associates are also directly responsible for complying with the HIPAA Security Rule. Healthcare organizations must also take note that the HIPAA Transaction Rule describes the use of a Trading Partner Agreement.

The Trading Partner Agreement specifies various technical requirements for communications protocols, such as:

How the transactions are to be addressed

What character set must be used

Whether receipt will be acknowledged

Although the Transaction Rule does not require a Trading Partner Agreement, if one is used, the rule specifies what may not be included in the agreement. The Trading Partner Agreement cannot:

Change any definition, data condition, or use of a data element

Add any data elements or segments to the maximum defined data set

Require use of any codes or data elements that are marked “not used” or are not present in the implementation guide

Change the meaning or intent of the standard’s implementation specification

Information flow and life cycle in the healthcare environments

Healthcare organizations create, receive, and distribute massive amounts of sensitive data that flow internally (e.g., within organizational boundaries and among employees) and externally (e.g., with third-party relationships) in the delivery and management of modern healthcare services. This information flow varies among healthcare organizations based on their type, size, and the healthcare services they deliver. There are a number of technologies and strategies that organizations can deploy to address their specific operating, business, and regulatory requirements. Although a detailed discussion is outside the scope of this book, and each organization is responsible for selecting technology solutions that meet its needs, some considerations apply to every organization addressing information flow and life cycle within its operating environment: information flow and data mapping, security and privacy issues, data quality, data management and retention, and data destruction.

Health data characterization

Since most healthcare organizations have a tremendous amount of data, much of which is PHI, they face many data management challenges on a daily basis. In order to properly protect and manage data, the organization should characterize it. Data characterization is best considered an umbrella term that encompasses the following:

Classification – Labels similar data types into groups based on sensitivity level (e.g., confidential, public use) allowing for consistency and proper data handling across the organization.

Taxonomy – A hierarchical organizational system that structures data into categories and subcategories. It is used to simplify vocabulary and avoid confusion, since it becomes a commonly understood and agreed-upon classification.

Analytics – Various scientific and mathematically based processes that can support data management in a healthcare organization.

Healthcare Provider Taxonomy Codes

The National Uniform Claim Committee (NUCC) maintains the Healthcare Provider Taxonomy Codes (HPTCs), a standardized classification of healthcare providers.

The NUCC updates the code set twice a year, with changes effective April 1 and October 1. The HPTCs are published alongside the following related code lists used in HIPAA standard transactions:

Health Care Code Lists:

Claim Adjustment Reason Codes (CARC)

Remittance Advice Remark Codes (RARC)

Claim Status Category Codes

Claim Status Codes

Health Care Service Type Codes

Health Care Services Decision Reason Codes

HPTCs

Provider Characteristics Codes

Insurance Business Process Application Error Codes

Health Insurance Exchange Code Lists:

Payment-type codes

Report-type codes

Data analytics

Industry experts have not agreed upon an exact definition of data analytics. Ever-changing technology, industry-specific uses, and organizational nuances add to the challenge of a universal definition. However, most organizations agree that data analytics involves the collection, processing, and scientific or mathematical analysis of the organization’s business intelligence (information generated from its systems and applications). The output of this analysis can be used by organizations in a variety of ways. There are several common types of analytics and methodologies (e.g., statistical, contextual, quantitative, predictive); a detailed review is outside the scope of this discussion. Regardless of the definition or methodology selected, organizations find tremendous value in adopting data analytics: such programs lead to greater efficiency, improved organizational knowledge, and increased business value. For healthcare organizations this can mean anything from the analysis of business services (e.g., how many new patients joined our service through social media recommendations) to clinical research (e.g., which medicines were most effective for treating a particular disease). It is important to note that healthcare organizations must properly safeguard any patient health information used or generated in analytics, including de-identifying or minimizing PHI before it enters an analytics environment.

Data interoperability and exchange

According to the HIMSS, “Interoperability is the ability of different information technology systems and software applications to communicate, exchange data, and use the information that has been exchanged. Data exchange schema and standards should permit data to be shared across clinicians, lab, hospital, pharmacy, and patient regardless of the application or application vendor.” HIMSS continues to explain that there are three levels of HIT interoperability. It defines the levels as:

Foundational – Interoperability allows data exchange from one information technology system to be received by another and does not require the ability for the receiving information technology system to interpret the data.

Structural – Interoperability is an intermediate level that defines the structure or format of data exchange (i.e., the message format standards) where there is uniform movement of healthcare data from one system to another such that the clinical or operational purpose and meaning of the data is preserved and unaltered. Structural interoperability defines the syntax of the data exchange. It ensures that data exchanges between information technology systems can be interpreted at the data field level.

Semantic – Interoperability provides interoperability at the highest level, which is the ability of two or more systems or elements to exchange information and to use the information that has been exchanged. Semantic interoperability takes advantage of both the structuring of the data exchange and the codification of the data including vocabulary so that the receiving information technology systems can interpret the data. This level of interoperability supports the electronic exchange of patient summary information among caregivers and other authorized parties via potentially disparate EHR systems and other systems to improve quality, safety, efficiency, and efficacy of healthcare delivery.
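The three levels are easiest to see on a concrete message. The following is an added example written for this page; it is not code from HIMSS, HL7 International, or this guide. It parses a constructed HL7 version 2 lab-result message (the pipe-delimited format, whose separators are declared by the message itself in MSH-1 and MSH-2), which is the structural level; it then maps each local observation code to a standard vocabulary, which is the semantic level, and reports codes it cannot map rather than guessing. The sample message, the local-to-standard mapping table, and the PHI field list are assumptions made for the example; the mapping table is illustrative, not an authoritative terminology. The redaction step ties back to the data-classification discussion above: PID identifiers, name, and date of birth are treated as confidential and masked before a message is logged or copied into analytics.

```python
"""Added example (not from the HCISSP guide, HIMSS or HL7 International): a small
HL7 v2 parser that shows the foundational, structural and semantic
interoperability levels on one constructed message."""

# Constructed ORU^R01 (lab result) message; every value in it is made up.
# "\r" is the HL7 v2 segment terminator, "|" the field and "^" the component separator.
SAMPLE_ORU = (
    "MSH|^~\\&|LAB|GENHOSP|EHR|GENHOSP|201501011200||ORU^R01|MSG0001|P|2.5\r"
    "PID|1||123456^^^GENHOSP^MR||DOE^JANE||19700101|F\r"
    "OBR|1|||GLU^Glucose panel^L\r"
    "OBX|1|NM|GLU^Glucose^L||105|mg/dL|70-99|H|||F\r"
    "OBX|2|NM|XYZ^Local-only test^L||7|U/L||N|||F\r"
)

# Semantic level: (coding system, local code) -> standard vocabulary entry.
# Assumed table for illustration only; a real mapping comes from a managed terminology service.
LOCAL_TO_STANDARD = {
    ("L", "GLU"): ("LN", "2345-7", "Glucose [Mass/volume] in Serum or Plasma"),
}

# Fields classified "confidential" (PHI): PID-3 identifiers, PID-5 name, PID-7 date of birth.
PHI_FIELDS = {"PID": (3, 5, 7)}


def parse_hl7(raw):
    """Structural level: split a message into (segment name, fields) where each field is a
    list of components, using the separators the message declares in MSH-1 and MSH-2."""
    if not raw.startswith("MSH") or len(raw) < 8:
        raise ValueError("not an HL7 v2 message")
    field_sep, comp_sep = raw[3], raw[4]
    segments = []
    for line in raw.split("\r"):
        if not line:
            continue
        fields = line.split(field_sep)
        if fields[0] == "MSH":
            # MSH-1 is the field separator itself; insert it so indexes match spec numbering
            fields.insert(1, field_sep)
        segments.append((fields[0], [f.split(comp_sep) for f in fields]))
    return segments


def message_type(segments):
    """MSH-9 'ORU^R01' -> ('ORU', 'R01'); MSH-12 gives the HL7 version."""
    msh = next(f for name, f in segments if name == "MSH")
    return msh[9][0], msh[9][1], msh[12][0]


def normalize_observations(segments):
    """Semantic level: translate each OBX-3 local code to the standard vocabulary.
    An OBX that parses but has no mapping is reported as unmapped: structurally
    interoperable, semantically not."""
    results = []
    for name, f in segments:
        if name != "OBX":
            continue
        code, text, system = (f[3] + ["", "", ""])[:3]
        std = LOCAL_TO_STANDARD.get((system, code))
        results.append({
            "local": (system, code, text),
            "standard": std,
            "value": f[5][0],
            "units": f[6][0],
            "mapped": std is not None,
        })
    return results


def redact_phi(segments):
    """Mask the PHI-classified fields before the message is logged or copied elsewhere."""
    out = []
    for name, f in segments:
        f = [list(c) for c in f]
        for idx in PHI_FIELDS.get(name, ()):
            if idx < len(f):
                f[idx] = ["***"]
        out.append((name, f))
    return out


def render(segments, field_sep="|", comp_sep="^"):
    """Inverse of parse_hl7 (default separators), so a redacted message can be forwarded."""
    lines = []
    for name, f in segments:
        fields = [comp_sep.join(c) for c in f]
        if name == "MSH":
            fields = fields[:1] + fields[2:]  # drop the synthetic MSH-1 copy
        lines.append(field_sep.join(fields))
    return "\r".join(lines) + "\r"


if __name__ == "__main__":
    segs = parse_hl7(SAMPLE_ORU)
    print(message_type(segs))
    for obs in normalize_observations(segs):
        print(obs)
    print(render(redact_phi(segs)).replace("\r", "\n"))
```

The second OBX segment is the case that matters in practice: the receiving system can locate the value, units, and flag at the field level (structural interoperability) but has no agreed meaning for the local code "XYZ", so the result is flagged rather than silently treated as something it is not.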

Integrating the Healthcare Enterprise

According to the Integrating the Healthcare Enterprise (IHE) website, IHE “Is an initiative by health care professionals and industry to improve the way computer systems in health care share information. IHE promotes the coordinated use of established standards such as DICOM and HL7 to address specific clinical needs in support of optimal patient care. Systems developed in accordance with IHE communicate with one another better, are easier to implement, and enable care providers to use information more effectively.”

Health Level Seven International

According to the Health Level Seven International (HL7) website, “Health Level Seven International (HL7) is a not-for-profit, ANSI-accredited standards developing organization dedicated to providing a comprehensive framework and related standards for the exchange, integration, sharing, and retrieval of electronic health information that supports clinical practice and the management, delivery, and evaluation of health services.” Because HL7 standards are open, any healthcare organization adopting them has a common basis for interfacing with other organizations, systems, and applications that also use HL7. In practice, HL7 interfaces still require interface-level mapping and testing, since implementations vary in optional fields and local code sets.

Digital Imaging and Communications in Medicine (DICOM)

According to the National Electrical Manufacturers Association (NEMA, the Association of Electrical Equipment and Medical Imaging Manufacturers), DICOM is “The international standard for medical images and related information (ISO 12052). It defines the formats for medical images that can be exchanged with the data and quality necessary for clinical use. DICOM is implemented in almost every radiology, cardiology imaging, and radiotherapy device (X-ray, CT, MRI, ultrasound, etc.), and increasingly in devices in other medical domains such as ophthalmology and dentistry.”

Legal medical records

According to the HIMSS, “Healthcare organizations across the country recognize the benefits of Electronic Health Records (EHRs) to improve care, reduce costs, and improve efficiency.” However, organizations must also recognize the legal implications of the EHR. An organization’s healthcare records must meet all statutory, regulatory, and professional requirements for both clinical and business purposes. HIMSS recommends, “EHR selection criteria must include ensuring that a given EHR is appropriately designed and can be appropriately used to ensure adherence to federal and state rules, as well as institutional requirements and additional certification standards that may apply to their organization.” Although the specifics will vary among individual organizations, HIMSS suggests the following policy elements be included by healthcare organizations when addressing the legal elements of EHRs:

Unique health record created and maintained for each patient

Content requirements including author, date, time, and authentication

Access, privacy, confidentiality, and security policies

Policies and procedures for amendments, corrections, timeliness, completeness, and late entries

Policies and procedures for forms, templates, and voice recognition and dictation

Policies and procedures for records retention, records archiving and destruction, coding and abstracting, data quality management, and reporting

Definitions

Affiliated Covered Entity (ACE) – Legally separate covered entities that are affiliated may designate themselves as a single covered entity for purposes of the HIPAA Privacy Rule.

Ambulatory Patient Groups (APG) – A patient classification system that encompasses the full range of ambulatory settings and is designed to explain the amount and type of resources used in an ambulatory visit.

Authorization – An individual’s permission for a covered entity to use or disclose PHI for a specific purpose, such as a research study.

Catastrophic health insurance plan – Covers essential health benefits but has a very high deductible, providing “safety net” coverage in case the patient has an accident or serious illness.

Chain of Trust Agreement – A contract in which the parties agree to exchange data electronically and to protect the transmitted data.

Covered entity – Under HIPAA, a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically in connection with a HIPAA standard transaction; in practice, an organization that directly handles protected health information (PHI).

Diagnosis-Related Groups (DRG) – A payment approach for inpatient hospitalizations that sets a price based on categories of illness.

Digital Imaging and Communications in Medicine (DICOM) – The international standard for medical images and related information (ISO 12052). It defines the formats for medical images that can be exchanged with the data and quality necessary for clinical use.

Electronic data interchange (EDI) – The computer-to-computer exchange of business documents in a standard electronic format; the HIPAA standard transactions (e.g., claims and remittance advice) are EDI transactions based on ASC X12 formats.

Electronic Health Records (EHR) – Electronic systems that store a patient’s health information, such as the patient’s history of diseases and which medications the patient is taking. They allow doctors to easily keep track of patients’ health information and may enable access to a patient’s information when the patient has a problem even if the doctor’s office is closed.

Exclusive provider organizations (EPOs) – Similar to PPOs, except that patients will only be reimbursed for healthcare services provided within the network.

Good Clinical Research Practice (GCP) – A process that incorporates established ethical and scientific quality standards for the design, conduct, recording, and reporting of clinical research involving human subjects. Compliance with GCP provides public assurance that the rights, safety, and well-being of research subjects are protected and respected, and ensures the integrity of clinical research data.

Healthcare clearinghouse – An organization that processes nonstandard data elements of health information into standard data elements (or vice versa).

Health Information Technology (HIT) – The exchange of health information in an electronic environment.

Health Level Seven International (HL7) – A not-for-profit, ANSI-accredited standards developing organization dedicated to providing a comprehensive framework and related standards for the exchange, integration, sharing, and retrieval of electronic health information that supports clinical practice and the management, delivery, and evaluation of health services.

Health Maintenance Organization (HMO) – The patient pays a set premium and is entitled to the services included in the benefit offering. Patients must see a primary care physician within the HMO and are required to obtain a referral for specialists and additional healthcare services not included in the HMO’s primary offering.

High-deductible health plans (HDHPs) – Plans with high deductibles, balanced by lower premiums.

Indemnity plan – The patient selects a healthcare provider of their choice. The service provider submits a claim to the patient’s insurance for services rendered.

Legal medical record – The organization’s healthcare records maintained to meet all statutory, regulatory, and professional requirements for both clinical and business purposes.

Medicaid – U.S. government insurance program, jointly funded by the federal government and the states, that provides coverage for low-income individuals and families.

Medical device – An article, instrument, apparatus, or machine that is used in the prevention, diagnosis, or treatment of illness or disease, or for detecting, measuring, restoring, correcting, or modifying the structure or function of the body for some health purpose.

Medicare – U.S. federal government insurance program that provides coverage primarily for people aged 65 and older, and for certain younger people with disabilities.

National Uniform Billing Committee (NUBC) – A voluntary committee whose work is coordinated through the offices of the American Hospital Association (AHA) and includes participation of all the major national provider and payer organizations.

Payer – Refers to entities other than the patient that finance or reimburse the cost of healthcare services.

Personal health records (PHR) – An electronic application used by patients to maintain and manage their health information in a private, secure, and confidential environment.

Point-of-service plan (POS) – A hybrid between an HMO and a PPO.

Preferred provider organization (PPO) – Can be considered a hybrid of an indemnity plan and an HMO. Patients can select a healthcare provider of their choice, as long as it is within the PPO network. Some PPOs allow patients to obtain services outside of the network, but will usually reimburse a smaller percentage than if the patient had stayed within the network.

Reimbursement – Being repaid or compensated for expenses already incurred or, as in the case of healthcare, for services that have already been provided.

Resource Utilization Groups (RUGs) – A patient classification system used for skilled nursing facility payment: each facility is paid a daily rate based on the needs of individual Medicare patients, with an adjustment for local labor costs.

Taxonomy – A hierarchical organizational system that structures data into categories and subcategories. It is used to simplify vocabulary and avoid confusion, since it becomes a commonly understood and agreed-upon classification.

Practice Exam

1. A healthcare provider is:

a. A provider of medical or health services in the normal course of business

b. Synonymous with a covered entity under HIPAA

c. Any organization or corporation that directly handles PHI

d. None of the above

2. A covered entity is:

a. A provider of medical or health services in the normal course of business

b. Synonymous with a healthcare provider under HIPAA

c. Any organization or corporation that directly handles PHI

d. None of the above

3. EDI is:

a. Electric data interchange

b. Electronic dental interchange

c. Electronic data interchange

d. Electronic data import

4. Business associates:

a. Provide medical services

b. Provide support services to medical providers

c. Are not required to comply with HIPAA

d. Both b and c

5. HIT is an acronym for:

a. Healthcare information technician

b. Health information technology

c. Healthcare information technology

d. Health information technician

6. Medical devices are classified into:

a. Three regulatory categories

b. Six regulatory categories

c. One regulatory category

d. None of the above

7. An EHR is:

a. An electronic health record

b. Different from a personal health record

c. Synonymous with a personal health record

d. Both a and b

8. Meaningful use is:

a. A major driver of health information technology

b. Optional for smaller organizations

c. Only beneficial for healthcare organizations

d. None of the above

9. The two basic types of health insurance are:

a. PPO and POS

b. Medicare and Medicaid

c. Public and private

d. HMO and PPO

10. Healthcare coding is:

a. Essential to the transactional aspect of healthcare delivery

b. Required under HIPAA

c. Only important to large healthcare organizations who use third-party billing services

d. Both a and b

11. HCPCS is an acronym for:

a. Healthcare Communication Procedure Coding System

b. Healthcare Common Procedure Communication System

c. Healthcare Common Procedure Coding System

d. None of the above

12. SNOMED CT is an acronym for:

a. Systematized Nomenclature of Medicine Clinical Terms

b. Systematized Nomenclature of Medicine Clerical Terms

c. Systematized Naming of Medical Clinical Terms

d. None of the above

13. TCS is an acronym for:

a. Transactions and Code Sets

b. Technology and Code Sets

c. Transfer and Code Sets

d. None of the above

14. Patient classification systems used for payment and reimbursement include:

a. Diagnosis-Related Groups (DRGs)

b. Ambulatory Patient Groups (APGs)

c. Resource Utilization Groups (RUGs)

d. All of the above

15. The National Uniform Billing Committee:

a. Is a voluntary committee

b. Is coordinated through the American Hospital Association

c. Manages standards for uniform billing

d. All of the above

16. A healthcare clearinghouse:

a. Provides patient care

b. Only processes Medicare and Medicaid claims

c. Only processes private insurance claims

d. None of the above

17. Public Health Reporting Regulations:

a. Are addressed under HIPAA

b. Require patient authorization

c. Only apply to public health insurance programs

d. None of the above

18. Health records management:

a. Is important from beginning to end of the health record

b. Addresses data and quality management

c. Addresses record destruction

d. All of the above

19. Data characterization includes:

a. Classification

b. Taxonomy

c. Analytics

d. All of the above

20. DICOM is an acronym for:

a. Digital Imaging and Compliance in Medicine

b. Digital Integrity and Communications in Medicine

c. Digital Imaging and Communications in Medicine

d. Direct Imaging and Communications in Medicine

Practice Exam Answers

1. a

2. c

3. c

4. b

5. b

6. a

7. d

8. a

9. c

10. d

11. c

12. a

13. a

14. d

15. d

16. d

17. a

18. d

19. d

20. a

References

http://www.hhs.gov/.

http://www.minnesotamedicine.com/Past-Issues/Past-Issues-2011/February-2011/Five-Payment-Models-The-Pros-the-Cons.

http://www.himss.org/library/ehr/.

http://www.healthit.gov/providers-professionals/faqs/what-personal-health-record.

https://nppes.cms.hhs.gov/NPPES/NPIRegistryHome.do.

https://www.healthcare.gov/glossary/health-insurance/.

http://www.who.int/medical_devices/definitions/en/.

http://www.fda.gov/medicaldevices/deviceregulationandguidance/overview/classifyyourdevice/default.htm.

http://www.healthit.gov/policy-researchers-implementers/meaningful-use-regulations.

http://medical-dictionary.thefreedictionary.com/payer.

http://aspe.hhs.gov/admnsimp/final/txfin00.htm.

http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/TransactionCodeSetsStands/index.html?redirect=/transactioncodesetsstands/02_transactionsandcodesetsregulations.asp.

https://www.healthcare.gov/get-covered-a-1-page-guide-to-the-health-insurance-marketplace/.

http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/.

https://www.healthcare.gov/what-are-the-different-types-of-health-insurance/.

http://www.cms.gov/Medicare/Coding/MedHCPCSGenInfo/index.html?redirect=/medhcpcsgeninfo/.

http://www.who.int/classifications/icd/en/.

http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/cpt/about-cpt.page?

http://www.ihtsdo.org/snomed-ct/.

http://www.x12.org/.

http://www.nubc.org/aboutus/index.dhtml.

http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/Downloads/CoveredEntitycharts.pdf.

http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/publichealth/.

http://apps.who.int/prequal/info_general/documents/GCP/GCP_handbook.pdf.

http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/research/research.pdf.

http://www.phrma.org/sites/default/files/pdf/042009_clinical_trial_principles_final.pdf.

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/disposalfaqs.pdf.

http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_014066.hcsp?dDocName=bok1_014066.

http://www.wpc-edi.com/reference/.

http://www.gartner.com/it-glossary/analytics/.

http://www.hl7.org/.

http://medical.nema.org/Dicom/about-DICOM.html.

http://www.himss.org/library/interoperability-standards/what-is.

http://www.ihe.net/.

http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf.

http://www.himss.org/files/HIMSSorg/content/files/LegalEMR_Flyer3.pdf.

http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/medicalrecords.html.