HHS Office for Civil Rights releases final HIPAA rule

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) on Jan. 17 released a final “omnibus” rule that updates several provisions in Health Insurance Portability and Accountability Act (HIPAA) regulations, as mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH). The omnibus rule:

• Replaces the “harm” threshold from the interim rule on breach notification with a more objective standard;
• Requires business associates to comply with specific HIPAA privacy and security requirements and imposes direct liability for their noncompliance with these regulatory standards;
• Incorporates the increased and tiered civil money penalty structure provided by HITECH;
• Limits the use and disclosure of protected health information (PHI) for marketing and fundraising; restricts the sale of PHI; permits greater flexibility in using and disclosing the PHI of decedents and the immunization records of students; and obligates covered entities to honor an individual’s request to restrict disclosure of PHI in certain circumstances; and
• Prohibits most health plans from using or disclosing genetic information for underwriting purposes, as required by the Genetic Information Nondiscrimination Act.

HIGHLIGHTS OF THE REVISED BREACH NOTIFICATION REQUIREMENTS

The final rule clarifies that, unless covered entities or business associates specifically demonstrate that there is a “low probability that the PHI has been compromised” or that one of the exceptions to the definition of breach included in the rule applies, breach notification is required to be provided. The use of this presumption in the risk approach of the final rule is intended to ensure that the breach notification obligations are interpreted and applied in a uniform way by all covered entities and business associates and to address some commenters’ concerns that the requirement, as stated in the interim final rule, was unclear and could be understood and implemented in unintended ways.

Rather than providing, as the interim final rule does, that no notice is required because “there is no significant risk of harm” to the individual from the breach of PHI, the final rule requires a demonstration that there is a low probability that the PHI has been compromised through a risk assessment that, at a minimum, examines all of the following factors:

• The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; 
• The unauthorized person who used the PHI or to whom the disclosure was made;
• Whether the PHI was actually acquired or viewed; and
• The extent to which the risk to the PHI has been mitigated.

Given the particular circumstances of the breach, however, it may be necessary to consider additional factors to assess appropriately the risk that the information has been compromised. OCR notes that the risk assessment factors above are “derived from [those] listed in the interim final rule as well as many of the factors suggested by commenters.”

OCR also concludes that the risk assessment approach in the final rule “should not be a new or different exercise” for covered entities and business associates because they already must “be performed routinely following security breaches and to comply with certain State breach notification laws.”

In addition, the final rule provides that notice is not required in certain situations where the unauthorized use, disclosure, acquisition or access of PHI is “so inconsequential that is does not warrant notification.” These situations are specific to statutory exemptions in the definition of breach included in HITECH. The final rule discussion also recognizes that “there may be other similar situations [in addition to the statutory exceptions] that do not warrant breach notification.” Disagreeing with commenters who urged a bright line rule for notification, OCR says: “We agree . . . that providing notification [in these inconsequential circumstances] may cause the individual unnecessary anxiety or even eventual apathy if notifications . . . are sent routinely.” In addition, OCR says that a bright line standard “would be extremely burdensome and costly for entities to implement.”

NEXT STEPS

The final HIPAA rule will be published in the Jan. 25 Federal Register, and takes effect March 26. However, covered entities and their business associates generally will have until Sept. 23 to comply with most of the rule’s provisions, including the changes to the breach notification requirements.

The final rule also provides for establishing a 180-day compliance window for future modifications to the HIPAA rules unless a future published final rule provides otherwise. Where a future modification of the HIPAA rules requires a longer compliance period, that longer period will be expressly provided for in the particular rulemaking.  

[ via American Hospital Association ]

OIG: Hospital-physician arrangement would not result in sanctions

In a new advisory opinion, the Department of Health and Human Services’ Office of Inspector General said it would not impose sanctions on a specific hospital compensation arrangement with a group of physicians, which includes a performance bonus for meeting certain patient service, quality and cost savings measures. OIG said it would not seek sanctions under the federal civil monetary penalty and anti-kickback laws due to certain circumstances or safeguards included in the arrangement to co-manage the hospital's cardiac catheterization labs.

[ via AHA News Now ]

AHA testifies on proposed IRS rule for charitable hospitals

At an Internal Revenue Service hearing on Dec. 5, an American Hospital Association witness highlighted four concerns with the agency’s proposed rule implementing requirements for tax-exempt hospitals under Section 501(r) of the Patient Protection and Affordable Care Act.

“The AHA and its members support Congress’ goals in enacting Section 501(r), and hospitals are committed to meeting its requirements,” said Andreanna Ksidakis, vice president, Office of the General Counsel at Sutter Health in Sacremento, CA. “The AHA’s comment letter and my remarks reflect input from hospitals across the country of all sizes, types and locations, including a member advisory group I had the privilege of leading in 2011 that represented over 300 hospitals. The message we uniformly heard was: one size does not fit all; do not interrupt what’s working; and focus on transparency and disclosure to the community.”

The AHA recommended that: the definition of “reasonable efforts” be changed to eliminate the overly prescriptive requirements; the effective date of the final regulations coincide with implementation of other key features of the Patient Protection and Affordable Care Act; enforcement guidance be issued prior to finalizing the regulations; and the final rule accommodate the unique circumstances of government hospitals that are 501(c)(3) organizations.

OIG: Medicare should improve appeals at ALJ level

Administrative law judges reversed decisions by qualified independent contractors and decided fully in favor of appellants in 56% of appeals of Medicare decisions related to claims for health care services and items in fiscal year 2010, according to a report released last week by the Department of Health and Human Services’ Office of Inspector General. ALJs differed from QICs in their interpretation of Medicare policies, their degree of specialization and their use of clinical experts, OIG found. Among other actions, the report recommends that the Office of Medicare Hearings and Appeals and Centers for Medicare & Medicaid Services provide coordinated training on Medicare policies to ALJs and QICs who decide appeals; identify and clarify Medicare policies that are unclear and interpreted differently; and revise regulations to provide more guidance to ALJs regarding the acceptance of new evidence.

In addition, OIG recommends that OMHA implement a quality assurance process to review ALJ decisions, and determine whether specialization among ALJs would improve consistency and efficiency. It also recommends that CMS increase its participation in ALJ appeals. When CMS participated, ALJs were less likely to decide fully in favor of appellants, the report notes.

[ via AHA News Now ]

AHA responds to New York Times editorial

In a letter on Oct. 4 to the New York Times, the American Hospital Association President and CEO Rich Umbdenstock said America’s hospitals strongly agree with the newspaper’s call for the government to establish national guidelines on how to bill properly for services, and has repeatedly made the same request.

“It’s critically important to recognize that more accurate electronic documentation and coding do not necessarily equate with fraud,” the letter adds, noting that government payment rules are highly complex. “No one questions the need to identify billing mistakes; but the flood of new auditors is deluging hospitals with redundant audits, unmanageable medical record requests and inappropriate payment denials. A recent American Hospital Association survey found that denials were appealed at a 75% success rate. What’s needed is clearer guidance, not additional audits that divert resources from patient care.”

The newspaper recently alleged that electronic health records may be used by some hospitals and physicians to increase their Medicare reimbursements through “upcoding” and the “cloning” of records. The AHA has proposed a framework for national guidelines for reporting hospital emergency department or clinic visits on 11 occasions since 2001.

AHA Comments to OMB on IRS' 501(r) Paperwork Burdens

Attached below is the American Hospital Association's comments to the Office of Management and Budget (OMB) related to the paperwork burdens of IRS’ information collection requirements related to implementation of some of the requirement of section 501(r). The attached comments were submitted to OMB on Aug. 23.

AHA's comments respond to the June 22 notice of proposed rulemaking (NPRM) issued by Treasury and the IRS to implement specifically Sections 501(r)(4) through 501(r)(6) of the Code which require that each hospital maintain a financial assistance policy (FAP), as well as an emergency medical care policy, limit amounts charged to individuals determined to be eligible under a facility’s FAP (FAP-eligible) and refrain from taking extraordinary collections actions (ECAs) until the facility has made reasonable efforts to determine an individual’s FAP-eligibility. The collection of information (COI) in the NPRM are subject to review by OMB under the Paperwork Reduction Act (PRA).

AHA's comments express concerns that the proposals dictate uniformity rather than offer flexibility for meeting these obligations from the ACA and, in doing so, appear to foreclose better and perhaps more effective methods of achieving transparency and accountability for financial assistance and billing and collection practices.  AHA specifically urges OMB to evaluate the time commitment and commensurate costs imposed on hospitals and to review AHA’s comments to the IRS as evidence that alternative and more efficient means can be employed to achieve the goals of Section 501(r).

The NPRM does not provide guidance on the Community Health Needs Assessment requirement in 501(r)(3); and, in the preamble, the agencies acknowledged that those proposed regulations will be forthcoming. When issued, of course, these proposed regulations will impose additional COI requirements on hospitals, as AHA states in their comments here.

Download OMB Proposed Burden Estimate 501r 8-23-12 Final

Project launches online resource on health information law

The George Washington University Hirsh Health Law and Policy Program has launched an online resource on federal and state laws governing access, use, release and publication of health information. The website offers information on laws and regulations such as the Health Insurance Portability and Accountability Act’s privacy rule, HITECH Act and Patient Protection and Affordable Care Act and will include information on health information aspects of state health insurance exchanges as it becomes available.

The project is part of the Robert Wood Johnson Foundation’s Legal Barriers program.

Compliance-officer stress worries Levinson

Addressing an audience of thousands in Las Vegas, HHS Inspector General Daniel Levinson said he's concerned about the high levels of stress among healthcare compliance officers.

Levinson cited a January report in Modern Healthcare that said a survey had found nearly 60% of hospital compliance officials—whose job is to make sure organizations follow laws and ethical requirements—wake up in the middle of the night in states of high anxiety from job-related stress. As many as 60% have considered quitting in the past year, according to the survey by the Health Care Compliance Association.

Read more from Modern Healthcare here.

HHS reports on progress reducing regulatory burdens

The Department of Health and Human Services on Jan. 31 issued a progress report on its efforts to reduce regulatory burdens, as ordered by the president a year ago. Noted changes include a proposed rule revising the Medicare Conditions of Participation for hospitals; and final rules implementing a new credentialing/privileging process for physicians who provide telemedicine services, and removing the new physician signature requirement for clinical laboratory tests.

According to the report, HHS plans to release four proposed rules easing regulatory burdens early this year. They include a rule that merges the Healthcare Integrity and Protection Data Bank into the National Practitioner Data Bank, Food and Drug Administration rules amending the performance standards for laser products and establishing preventive controls for food facilities, and a Centers for Disease Control and Prevention rule allowing the use of digital radiography in medical screening of coal miners for lung disease.

CMS elects not to propose changes to EMTALA

As requested by the American Hospital Association, the Centers for Medicare & Medicaid Services on Jan. 31 said it has decided not to propose changes to the current Emergency Medical Treatment and Labor Act regulations. While the agency said that a hospital has satisfied its EMTALA obligation when it admits an individual "in good faith in order to stabilize the [emergency medical condition]," it is providing an additional 60 days to comment on the applicability of EMTALA to hospitals with specialized capabilities.

"Hospitals fully support the intent of EMTALA - to ensure individuals get an appropriate screening and needed emergency services," said AHA President and CEO Rich Umbdenstock. "CMS' current policy is the most appropriate way to achieve EMTALA's goals, and we support CMS' decision not to change those policies. We appreciate CMS' approach. Hospitals take seriously their EMTALA responsibilities - and all other responsibilities - to their patients and will continue to provide care to patients at the right time and in the right setting."

The notice will be published in the Feb. 2 Federal Register. AHA intends to urge that the regulations for hospitals with specialized capabilities remain unchanged.