Dramatic modifications to the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy, Security, Enforcement, and Breach Notification Rules that will impact your practice are finalized and begin to take effect next month.
The omnibus final rule, developed to help implement HITECH regulations in the American Recovery and Reinvestment Act and shore up electronic privacy rules in the 17-year-old act, includes changes to how providers and payers must protect personal health information (PHI) and the focus of enforcement from voluntary to punitive. The rule also makes business associates (BA) more accountable for breaches of PHI, with the risk of financial penalties.
The Centers for Medicare & Medicaid Services (CMS) maintains the changes provide the public with increased protection as penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. The changes also strengthen the HITECH breach notification requirements by clarifying when breaches of unsecured health information must be reported to HHS. These changes broaden who is responsible and extends consequences to more parties, including small practice, payers, and BAs like billing services or clearing houses.
CMS says the new rule expands individual rights. For example, patients can request a copy of their electronic medical records in electronic form. When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan. The omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individuals’ health information without their permission.
The rule also streamlines individuals’ ability to authorize the use of their health information for research purposes. The rule makes it easier for parents and others to give permission to share proof of a child’s immunization with a school and gives covered entities and BAs up to one year after the 180-day compliance date to modify contracts to comply with the rule, the health agency says.
- The new rule increases liability for noncompliance for practices. Tiered penalties range from $100 to $50,000 per violation, depending on culpability. Under the new rule, HHS can impose monetary penalties without exhausting informal options.
- The new rule imposes direct liability for BAs and subcontractors, a change that puts billing services and their clients more at risk because a practice is now liable for what its billing service does.
- The rule introduces an objective test of whether PHI has been compromised and requires notification. The four elements are:
- Nature and extent of PHI in the incident
- Recipient of the PHI
- Acquisition or viewing status of PHI
- Mitigation of the risk after disclosure
- The new rule requires patient authorization for all communication of PHI for marketing purposes, closing a loophole that allowed health care organizations, drug companies, and others to use PHI for direct marketing to patients without permission.
- The new rule better defines what a BA is, clarifying how much interaction with PHI an entity can have before it becomes a BA, and establishing additional accountability for those entities.
- The rule loosens what can be used for fund-raising communications, allowing demographic information, dates of service, department, physician, outcome, and payer status for fund-raising and related BAs. Patient authorization is required.
- The rule makes it easier for your patients to authorize PHI to be used for more than one research effort, allowing a patient to designate PHI can be used for multiple and future research efforts at once.
Overall, the new rule clarifies the definition of a covered entity or BA, the responsibilities that each carry, and punishments associated with a lack of compliance. It doesn’t change the basics; an entity or BA must still have a plan, a designated compliance officer, education, analysis of gaps, and privacy notices for patients and their family members. Under the rule’s changes to definition of compliance, culpability, and correction, however, practices need to reassess efforts this year to avoid unexpected fines or punishment.
February 22nd, 2013
The Centers for Medicare & Medicaid Services (CMS) released 25 corrections to the 2012 HCPCS Level II ANWEB file. The corrections, released Jan. 30, include description and ambulatory surgery center (ASC) indicator changes, removal of codes, updated Berenson-Eggers Type of Service (BETOS) information, and revised effective dates.
Terminated or Removed
C9716 Creations of thermal anal lesions by radiofrequency energy should be terminated effective Jan. 1, 2012.
G0449 Annual face-to-face obesity screening, 15 minutes will not be created. Remove from file.
G0450 Screening for sexually transmitted infections, includes laboratory tests for chlamydia, gonorrhea, syphilis and hepatitis B will not be created. Remove from file.
G0446 Long description Intensive behavioral therapy to reduce cardiovascular disease risk, individual, fact-to-face, >annual<, 15 minutes is revised effective Nov. 8, 2011.
G8553 Both short description (Prescrip transmit via ERx sy) and long description (Prescription(s) generated and transmitted via a qualified ERx system) are changed effective Jan. 1, 2012.
J1561 Short description Gamunex, Gamunex-C, Gammaked is changed effective Jan. 1, 2012.
Revised Effective Dates
G0442 Annual alcohol misuse screening, 15 minutes is now effective Oct. 14, 2011.
G0443 Brief face-to-face behavior counseling for alcohol misuses, 15 minutes is also effective Oct. 14, 2011.
K0743 Suction pump, home model, portable, for use on wounds is now effective July 1, 2011.
C1886 Catheter, extravascular tissue ablation, any modality (insertable)—Add ASC “YY” indicator, effective Jan. 1, 2012.
C9728 Placement of endorectal intracavitary applicator for high intensity brachytherapy—Add ASC “YY” indicator, effective Jan. 1, 2008.
C9732 Insertion of ocular telescope prosthesis including removal of crystalline lens—Add ASC “YY” indicator, effective Jan. 1, 2012.
G0448 Insertion or replacement of a permanent pacing cardioverter-defibrillator system with transvenous lead(s), single or dual chamber with insertion of pacing electrode, cardiac venous system, for left ventricular pacing—Change TOS to “2,” effective Jan. 1, 2012.
J2265 Injection, minocycline hydrochloride, 1 mg—Remove ASC “YY” indicator, effective Jan. 1, 2012.
Q4123 Alloskin RT, per sq cm—Remove ASC “YY” indicator, effective Jan. 1, 2012.
Q4125 Arthroflex, per sq cm—Remove ASC “YY” indicator, effective Jan. 1, 2012.
Q4126 Memoderm, per sq cm—Remove ASC “YY” indicator, effective Jan. 1, 2012.
Q4127 Talymed, per sq cm—Remove ASC “YY” indicator, effective Jan. 1, 2012.
Q4128 FlexHD or Allopatch HD, per sq cm—Remove ASC “YY” indicator, effective Jan. 1, 2012.
Q4129 Unite biomatrix, per sq cm—Remove ASC “YY” indicator, effective Jan. 1, 2012.
J8561 Everolimus, oral 0.25, mg—Change BETOS to “01E,” effective Jan. 1, 2012.
CMS recommends updating data files as well as noting changes in codebooks.
February 10th, 2012