HIPAA Law

Saturday, May 3, 2008

Travel Health Insurance: Reimbursement Depends On Following The Rules

by: News Canada

(NC) Travelling, whether for business or pleasure, involves risk. A personal emergency may necessitate an early return, or you may need hospital treatment or air evacuation due to a medical problem. Travellers should be aware that the Ontario government health plan (OHIP) is rarely enough when it comes to medical treatment outside the country, so without supplementary insurance during an emergency, you could be exposed to considerable financial obligations.

Travel health insurance policies vary considerably, says the Financial Services Commission of Ontario (FSCO), an agency of the Ministry of Finance that regulates Ontario's insurance industry. FSCO reminds us to pay special attention to the definitions, pre-existing condition clauses, deductibles, as well as the limitations and exclusions sections of the policies. Ask for clear explanations of each and once you are satisfied, make your insurance purchase. But even then, says FSCO, there is a bit more work for you to do as follows:

Read the policy: Before leaving on your trip, read and become familiar with your policy and the coverage. It is your responsibility to know what you have purchased.

Take it with you: Include the policy with your travel documents. Keep the emergency contact phone number available, as well as the number for your insurance company. Compile and include a list of current medications.

Get authorization (if possible): If a medical problem arises, the toll-free phone number provided will connect you to an emergency service centre. Be ready to supply all the facts and information, and ask for clarification if you do not fully understand. Service centres manage and monitor your treatment and make the medical referrals. Before you go ahead with treatment, however, be sure the service centre has obtained authorization from your home-based insurance company. If not, you may be personally obligated for medical services not approved.

Follow the payment process: Under some policies, you pay the hospital and are reimbursed later by the insurance company. Other policies provide payment directly to the medical facility or practitioner. The policy will tell you which procedure to follow.

More information on travel health insurance is available online at www.fsco.gov.on.ca. Or, for a copy of their booklet Shopping for Travel Health Insurance phone (416) 590-7298 (Toll Free: 1-800-668-0128).

- News Canada

News Canada provides a wide selection of current, ready-to-use copyright free news stories and ideas for Television, Print, Radio, and the Web.

News Canada is a niche service in public relations, offering access to print, radio, television, and now the Internet media, with ready-to-use, editorial "fill" items. Monitoring and analysis are two more of our primary services. The service supplies access to the national media for marketers in the private, the public, and the not-for-profit sectors. Your corporate and product news, consumer tips and information are packaged in a variety of ready-to-use formats and are made available to every Canadian media organization including weekly and daily newspapers, cable and commercial television stations, radio stations, as well as the Web sites Canadians visit most often. Visit News Canada and learn more about the NC services.


Tuesday, March 18, 2008

How to Buy Health Insurance Online

It is now possible to thoroughly research and buy health insurance online. Without health insurance, the smallest of incidents, accidents, or illnesses can leave you with expensive medical bills that most people would have difficulty paying. Even a short check-up at the doctor's office for a sore throat or minor illness can cost a couple of hundred dollars. It's important for everyone to obtain health insurance, no matter how healthy you tend to be, because you simply cannot predict what might happen.

There are many things to consider when you get ready to purchase your insurance, and thankfully, the ability to obtain your insurance online has also given us a fast way to compare the prices of many different companies in a very short time. Can you imagine if you had to look up the phone numbers of twenty different insurance companies, then call each one, probably get placed on hold for a few minutes (or more!), and then give each company your information in order to receive a quote as to how much the policy will cost you? It would take hours, if not days, to complete your research on insurance, the different coverage available, and the cost of each.

The internet has brought us high-speed search capabilities, and with the ease of typing in a few key phrases, you can learn all about the different coverage available for health insurance and compare the prices of many companies. Often, you can even find a web site that has already placed the different companies' prices in an easy-to-read chart, so you can compare at a glance!

When you have thoroughly researched the different types of insurance policies and coverage available, you can actually buy health insurance online just as you would any other product or service you buy over the internet. Health insurance is a necessity, and being able to compare policies on-line means there is no excuse as to why you haven't made time to obtain insurance!

Brad Triggs provides more information and free insurance quotes at his website: http://www.insurelinq.com


Monday, February 11, 2008

How to Get NPI - National Provider Number for HIPAA-Compliant Medical Billing in 7 Steps

The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandated the adoption of standard unique identifiers for health care providers, as well as the adoption of standard unique identifiers for health plans. They become mandatory on May 23, 2007.

The purpose of these provisions is to improve the efficiency and effectiveness of the electronic transmission of health information. The Centers for Medicare & Medicaid Services (CMS) has developed the National Plan and Provider Enumeration System (NPPES) to assign these unique identifiers.

CMS has contracted with Fox Systems, Inc. to serve as the NPI Enumerator. The NPI Enumerator is responsible for dealing with health plans and providers on issues relating to unique identification.

HCFA Timetable

Changes in the HCFA 1500 form to accommodate the NPI number took place January 1, 2007. Until March 30, 2007, using the NPI number on the HCFA form is optional, but as of April 2, 2007, using the NPI becomes mandatory.

Getting an NPI is free - Not Having One Can Be Costly: If you delay applying for your NPI, you risk your cash flow.

  1. Enumerate: Enumeration is mandatory for both individual providers and organizations and subparts. When applying for your NPI, CMS urges you to include your legacy identifiers, not only for Medicare but for all payors. If reporting a Medicaid number, include the associated State name. This information is critical for payors in the development of crosswalks to aid in the transition to the NPI.
  2. Update: Make sure to upgrade your software and apply the HIPAA Transactions, CMS1500, UB04, and/or Dental claim form changes.
  3. Communicate: Notify your payers once you have obtained your NPI number. As outlined in the Federal Regulation (The Health Insurance Portability and Accountability Act of 1996 (HIPAA)), you must also share your NPI with other providers, health plans, clearinghouses, and any entity that may need it for billing purposes, including designation of ordering or referring physician.
  4. Collaborate: Check the readiness of your payment partners (such as health plans, TPAs, clearinghouses, etc.). Not all payers are ready to accept the NPI number at this time. Use both your existing (legacy) number and the NPI number when submitting electronic claims.
  5. Test: Test transactions well before the deadline. Make sure to test HIPAA Transactions, e.g., 837 Claims and 835 Remittance Advice, and, if you submit paper claims, verify that the data is printed in the correct fields. The new HCFA form has new fields for identifier numbers on lines 17b, 32a and 33a.
  6. Educate: Focus on staff working on insurance verification of eligibility and claim denial or underpayment follow-up.
  7. Implement: Once you obtain your NPI, it might take about 120 days to do the remaining work to use it. This includes working on your internal billing systems, coordinating with billing services, vendors, and clearinghouses, and testing with payers.

Yuval Lirov, PhD, is the author of "Mission Critical Systems Management" (Prentice Hall), inventor of patents in Artificial Intelligence and Computer Security, and CEO of Vericle.net Billing Technologies and Services. Vericle unites hundreds of billing services across the nation. Its electronic medical billing software tracks payer performance from a single point of control and shares compliance rules globally. Yuval invites you to register for the next webinar on audit risk at BillingPrecision.com


Friday, February 8, 2008

HIPAA and Document Imaging

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 and has made quite an impression on the world of digital document imaging and forms processing. Any company that is a covered entity under HIPAA needs to take certain precautions when outsourcing any aspect of its operations that deals with protected health information (PHI). There are two main components of HIPAA that deal directly with the outsourcing of document imaging and claims processing: privacy and Administrative Simplification, both of which are of the utmost importance to HIPAA.

If you have been to a doctor's office in the last few years, you have probably been asked to sign all kinds of new forms; these are HIPAA privacy forms. It does not end with privacy and disclosure forms: people handling medical information must take special precautions when handling private medical information. This information includes, but is not limited to, claims, patient history files, and enrollment files.

Whenever dealing with a document imaging service provider, you should always ask them about their HIPAA policies and procedures. Every one of their employees needs to sign an agreement stating they are aware they are handling people's PHI. The company should have a zero-tolerance policy on distributing or reading anyone's PHI. Every care and precaution must be taken to ensure PHI remains private.

Under the privacy rule of HIPAA there is a security rule which has three parts:

  1. Administrative Safeguards - Policies and procedures designed to clearly show how an organization will comply with the HIPAA act.
  2. Physical Safeguards - Physical access to PHI must be restricted and controlled to guard against inappropriate access to such data.
  3. Technical Safeguards - Any organization engaged in the handling of PHI must control access to computer systems and protect communications containing PHI. These communications must be protected against interception.

The primary goal of the Administrative Simplification portion of HIPAA is to simplify and streamline the administration of health care. Essentially, standards are created to facilitate various types of health care electronic transactions. No one insurer can ask any claims submitter to file in any other electronic formats other than those mandated by HIPAA.

A little bit of work up front will pay off in time. If you use an experienced service bureau or clearinghouse to process your claims, they will be able to convert your paper claims according to the standards set forth by HIPAA with little effort. Once you successfully submit claims in the HIPAA standard ANSI 837 format, submitting to another insurer will be a piece of cake.

Under the old system, one health care provider could require all claims submissions to be in a HL7 format while another could require a custom text string. There were about 400 different ways to submit an electronic claim before HIPAA. Now there is one way, HIPAA's Way.

  • Less setup for new claims submitters (One size fits all)
  • Easier training for new staff
  • Faster payments

If you feel the company you are doing business with is not serious about HIPAA, find another company to do business with. In the end you are responsible for the actions of your contracted vendors. Any vendor dealing with PHI is also considered a covered entity of HIPAA and therefore legally bound by the act.

We are a NY document imaging company dedicated to finding you the right solution for all your digital data needs. We believe in providing you with all the necessary information and expertise to help you make a sound decision regarding your data processing projects. For more information visit our website at http://www.paper-scanning-services.com


Thursday, November 29, 2007

Deriving Due Care Practices from HIPAA and GLBA

Recent years have shown a trend in corporations being held responsible for information security negligence. In particular, the Federal Trade Commission (FTC) and the Attorney General of New York have been actively pursuing companies that fail to follow effective security practices. Many high-visibility cases illustrate how companies are being required to implement stronger security controls, the Guess case being a good example.

In June 2003, Guess, Incorporated agreed to settle FTC charges that it exposed consumers' personal information to commonly known attacks by hackers, contrary to the company's claims. "Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that," said Howard Beales, Director of the FTC's Bureau of Consumer Protection. The settlement required that Guess implement a comprehensive information security program that would be certified as meeting or exceeding the standards in the consent order by an independent professional within a year.

The Problem

A key reason why corporations demonstrate poor or inconsistent information security controls is the lack of a widely accepted and comprehensive set of good security practices. Standards bodies such as the U.S. National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) publish security standards with varying degrees of corporate acceptance and use. The Information Systems Security Association (ISSA) has identified the need for a universally agreed-upon collection of essential security practices and is currently developing the Generally Accepted Information Security Principles (GAISP)--although how well accepted these principles will be upon publication remains to be seen.

The Health Insurance Portability and Accountability Act (HIPAA) Final Security Rule and the Gramm Leach Bliley Act (GLBA) Interagency Guidelines are customer privacy laws specifying the security rules that must be followed by the healthcare and financial services industries respectively. If entities covered by these laws fail to follow the required security practices they may not only be exposing their customers' private information but may also be subject to regulatory penalties and fines. These laws, in essence, define information security due care standards--the security practices that must be followed to avoid liability--for the healthcare and financial services industries. The entities covered by these laws, however, only represent approximately 25% of the U.S. Gross Domestic Product. Other industries must rely upon their best judgment to protect customer information--clearly not an effective approach as the cases mentioned earlier demonstrate.

Most companies certainly want to do the right thing and protect their customers' information, but avoiding legal liability and harm to their reputation are also factors that motivate them to implement appropriate information security controls. While most corporate information security professionals probably think they understand how to protect customer information, many wouldn't be comfortable attesting that their practices would protect their employer from liability. Lacking a commonly accepted set of security practices, many corporate information security professionals are uncertain how to secure customer information in a way that also limits their company's liability.

Proposed Solution

The best approach for companies that wish to protect their customers' information and potentially avoid liability is to implement the security practices required by both HIPAA and GLBA. There are 12 security practices in common between these two customer privacy laws. By following these 12 practices, companies will be practicing information security due care and can potentially avoid liability. Indeed, all of the security requirements mandated in the settlement of the cases mentioned earlier are among the 12 practices in common between HIPAA and GLBA.

What is Due Care?

Companies that handle the personal information of their customers may be breaking the law and not know it, as evidenced by the Guess case. This ignorance may partly stem from substantial gaps of prosecutable computer crimes that exist in federal criminal code and individual state criminal statutes. Federal and state criminal statutes are slow to evolve to adequately prosecute crimes based on the fast-changing technology of information systems. Companies and information security professionals may find little direction in criminal codes and statutes to help them avoid inadvertently breaking the law when it comes to protecting their customers' personal information.

Since there is little guidance for companies to follow when it comes to avoiding criminal or civil liability or harsh settlements from the FTC, they need to consider how legal standards are created in the first place. Legal standards are developed based on the concept of due care, which is the care that an ordinarily prudent person would have exercised under the same or similar circumstances. Failure to practice due care is equivalent to demonstrating negligence. Companies that demonstrate negligence relative to their information security practices are susceptible to lawsuits, fines, and other sanctions, whereas companies that practice due care should be largely protected from such punishments.

Where to Find Due Care Information Security Practices

Companies that wish to find due care information security practices need look no further than to two major federal laws that regulate the protection of customer information: HIPAA and GLBA. While both HIPAA and GLBA enacted a lot more than just customer privacy requirements, they both have spawned substantial regulatory guidance on security controls for protecting customer information. The regulations for HIPAA are called the Final Security Rule and those for GLBA are referred to as the Interagency Guidelines.

While some of the requirements in these regulations are industry-specific, there is a lot of commonality between the two. In particular, 12 security practices were found in both the HIPAA Final Security Rule and the GLBA Interagency Guidelines. The fact that these two sets of regulations intersect in 12 places is no coincidence. This is a clear signal from the federal government of the level of due care it expects the country's health care providers and financial institutions to practice. If these are the standards of due care that must be practiced by industries that represent about a quarter of the country's GDP, it stands to reason that other industries will be expected to follow these same practices.

HIPAA & GLBA Security Due Care Practices in Common

The 12 security practices in common between HIPAA and GLBA are all "high-level" practices. There are no specific technology controls. Some practices are required while others are required only if a risk assessment conducted by the entity determines that the practice is appropriate.

The HIPAA Final Security Rule and the GLBA Interagency Guidelines were designed to provide guidance to senior management. How the practices are implemented is left largely up to the companies to determine.

Following is the list of the 12 security practices in common between HIPAA and GLBA (please refer to the HIPAA/GLBA Due Care Practice Matrix in the Laws and Regulations section of the OpenCSOProject for detailed analysis and references):


  1. Assess and Control Risk
  2. Assign Security Responsibility
  3. Appropriate Access and Authorization
  4. Security Awareness and Training
  5. Incident Response and Reporting
  6. Disaster Recovery
  7. Security Evaluation
  8. Vendor Contracts
  9. Facility Access Controls
  10. Data Integrity Controls
  11. Encryption
  12. Security Monitoring Procedures


Validation from Recent Enforcement Actions

If the companies in the FTC settlement cases mentioned earlier had faithfully implemented these 12 practices, they would not have suffered any penalties and their customers’ information would have been protected. For instance, in the Guess case, the FTC ordered Guess to:


  • Designate an employee or employees to coordinate and be accountable for the information security program (HIPAA/GLBA Due Care Practice #2: Assign Security Responsibility);
  • Identify material internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment must include consideration of risks in each area of relevant operation. (HIPAA/GLBA Due Care Practice #1: Assess and Control Risk);
  • Design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards' key controls, systems, and procedures. (HIPAA/GLBA Due Care Practice #7: Security Evaluation);
  • Evaluate and adjust its information security program in light of the results of testing and monitoring, any material changes to its operations or business arrangements, or any other circumstances that Guess knows or has reason to know may have a material impact on its information security program. (HIPAA/GLBA Due Care Practice #7: Security Evaluation)


These four requirements would have been fulfilled by following just three of the 12 HIPAA/GLBA Due Care Practices: Assess and Control Risk, Assign Security Responsibility, and Security Evaluation. The other settlement cases had similar requirements, also covered by the HIPAA/GLBA Due Care Practices. It is clear that the security practices required by both HIPAA and GLBA establish a basis of due care.

Conclusion

Companies are finding that they will pay the price for not maintaining strong security controls and protecting their customers' information. They must proactively implement and maintain prudent security processes to demonstrate that they are practicing due care. Until a universally accepted set of information security practices is produced, the best approach for companies is to implement the security practices required by both HIPAA and GLBA.

Marc R. Menninger is a Certified Information Systems Security Professional (CISSP) and is the founder and site administrator for the OpenCSOProject, a knowledge base for security professionals. To download security policies, articles and presentations, click here: Security Officer Forums.
