Recently in HIPAA Category

November 22, 2011

CMS Announced 90-Day Discretionary Enforcement Period for Compliance with New HIPAA Standards


On November 17, 2011, the Centers for Medicare and Medicaid Services ("CMS") announced that it will delay enforcement action until March 31, 2012 for those Health Insurance Portability and Accountability Act ("HIPAA") covered entities that are not in compliance with the ASC X12 Version 5010, NCPDP Telecom D.0 and NCPDP Medicaid Subrogation 3.0 standards. CMS stated, however, that the compliance date remains January 1, 2012, but that it will apply its enforcement authority at its discretion. In fact, according to an FAQ posted on the CMS website:

What will be the level of enforcement during the enforcement discretion period for X12 Version 5010 (Version 5010), NCPDP Telecom D.0 (NCPDP D.0) and NCPDP Medicaid Subrogation 3.0 (NCPDP 3.0) implementation?

The compliance date for implementation of these updated standards remains January 1, 2012. Because trading partner testing has not reached a threshold whereby a majority of covered entities may be able to comply by the compliance date, the Centers for Medicare & Medicaid Services' Office of E-Health Standards and Services (OESS) has announced that it would exercise its enforcement discretion with respect to any HIPAA covered entity that a complaint is filed against for violation of compliance with Version 5010, NCPDP D.0 and NCPDP 3.0 standards. The enforcement discretionary period is for 90 days after the January 1, 2012 compliance date.

If a complaint is received by CMS after January 1, 2012, the entity against which the complaint has been filed will be evaluated to determine its level of compliance. An assessment will be made of the filed-against entity's efforts to test and become compliant. OESS will take appropriate actions as permitted under the authority of the HIPAA enforcement rule, but will not assess any penalties and/or civil monetary penalties during this 90-day period.

Please note: this requirement applies to everyone who is covered by HIPAA, not just those who submit Medicare or Medicaid claims.

CMS' ICD-10 page may be found here.


November 21, 2011

HIPAA Audit Pilot Program Underway

In August, we posted an entry regarding the newly announced Health Insurance Portability and Accountability Act of 1996 ("HIPAA") audits that would be underway, pursuant to Section 13411 of the Health Information Technology for Economic and Clinical Health Act ("HITECH"). Section 13411 provides, in its entirety:

SEC. 13411. AUDITS.
The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act, comply with such requirements.

In implementing this provision, the Office of Civil Rights ("OCR") is conducting a pilot program ("Pilot") in which it will "perform up to 150 audits of covered entities to assess privacy and security compliance. Audits conducted during the Pilot will begin November 2011 and conclude by December 2012." Business associates will not be audited at this time.

The OCR has promulgated a 3-step process for the Pilot:

(1) Developing audit protocols,
(2) Conducting a limited number of audits (20) to test the protocols, which includes the following four steps:
a. Auditee selection
b. Auditee notification
c. Test of protocol
d. Period of review and adjustment of protocols

(3) Conducting a full range of audits using revised protocol materials

The OCR aims to audit a wide range of types and sizes of covered entities, including covered individual and organizational providers, health plans and healthcare clearinghouses.

Covered entities being audited by the OCR can generally expect the following:


  • Written notification by OCR that the covered entity has been selected for an audit and a request to provide documentation of the covered entity's privacy and security compliance efforts (OCR provides this sample Initial Notification Letter on its website)

  • The covered entity will have 10 business days to supply the requested information

  • Within 30-90 days from the date of the initial written notification, the OCR will conduct a site visit (lasting between 3 and 10 business days) involving interviews of key personnel and observations of processes and operations to determine compliance

  • The auditors will develop a draft audit report and share it with the covered entity

  • The covered entity will have 10 business days to discuss the identified concerns and describe corrective actions it has implemented to address the identified concerns

  • Within 30 business days after receipt of the covered entity's response, the OCR will submit a final audit report, which will incorporate the steps the covered entity has already taken to resolve compliance issues

According to the OCR, "[a]udits are primarily a compliance improvement activity. ... Generally, OCR will use the audit reports to determine what types of technical assistance should be developed, and what types of corrective action are most effective. Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem."


September 16, 2011

Clinical Labs to Provide Patients Access to Completed Test Reports Under Proposed Rule

On September 14, 2011, the Centers for Medicare and Medicaid Services ("CMS") published in the Federal Register a proposed rule amending the Clinical Laboratory Improvement Amendments of 1988 ("CLIA") and the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") to specify that, upon request, a patient may gain access to his/her completed test reports directly from a laboratory ("Proposed Rule").

Currently, CLIA provides that a laboratory may only disclose test results to three categories of individuals: (1) an "authorized person," (2) the person responsible for using the test results in the treatment context, and (3) the referring lab (42 CFR 493.1291(f)). "Authorized person" is defined as "the individual authorized under State law to order or receive test results, or both." Moreover, even though HIPAA requires that patients have access to their protected health information ("PHI"), this right of access does not extend to PHI maintained by a covered entity that is subject to CLIA or exempt from CLIA (this exception can be found at 45 CFR 164.524(a)(1)(iii)).

Under the Proposed Rule, CMS proposes to remove such restrictions from the patient-access rules, thereby allowing patients to obtain laboratory test results directly from the laboratory. Specifically, CMS proposes to amend CLIA to allow patients, upon request, to have direct access to their laboratory test reports. In the preamble to the regulations, CMS stated that it would not dictate under CLIA how patients could request such access:

[T]he CLIA regulations would not spell out the mechanism by which patient requests for access would be submitted, processed, or responded to by the laboratories. In providing this latitude, we intend to allow patients and their personal representatives access to patient test reports in accordance with the requirements of the HIPAA Privacy Rule.

CMS likewise proposes amending the HIPAA Privacy Rule to require covered entities that are laboratories subject to CLIA, and those that are CLIA-exempt, to have the same obligations as other covered entities with respect to providing individuals access to their PHI in accordance with the requirements of 45 CFR 164.524. In other words, CLIA laboratories and CLIA-exempt laboratories would no longer be excepted from the requirement to give patients access to their PHI upon request.

CMS also notes that even though there may be a number of state laws prohibiting laboratories from releasing test reports directly to patients, the new regulations, if adopted, would preempt such laws.


August 22, 2011

HIPAA Audit Procedures to Include Site Visits

The Health Information Technology for Economic and Clinical Health Act ("HITECH") requires the Office of Civil Rights ("OCR") to conduct periodic audits of covered entities in connection with complying with the privacy and security requirements set forth in Health Insurance Portability and Accountability Act ("HIPAA"). In June, the OCR awarded KPMG, LLP (the "Contractor") a $9.2 million contract to administer HIPAA audits. During the first phase of audits, the OCR plans to visit 150 covered entities.

According to the Federal Business Opportunities website, after developing the audit protocol, the Contractor must meet the entities and perform the following audit activities:

• Site Visits - Site visits include interviewing leadership (e.g., CIO, Privacy Officer, legal counsel, health information management director, etc.), examining physical features and operations, evaluating the consistency of process to policy, and observing compliance with regulatory requirements;

• Audit Report - Submitting an audit report after each site visit consisting of the following:

  o A timeline and methodology of the audit, best practices, raw data collection materials (e.g., completed checklists and interview notes), and a certification indicating the audit is complete;

  o Specific recommendations for actions the audited entity can take to address identified compliance problems through a corrective action plan;

  o Recommendations to the contracting officer's technical representative ("COTR") regarding continued need for corrective action, if any, and a description of future oversight recommendations; and

  o A final report including, at a minimum:

    - Identification and description of the audited entity: full name, address, EIN and contact person;

    - Methods used to conduct the audit; and

    - For each finding:

      • Condition: The defect or non-compliant status observed, and evidence of each;

      • Criteria: A clear demonstration that each negative finding is a potential violation of the Privacy or Security Rules;

      • Cause: The reason that the condition exists, along with identification of supporting documentation used;

      • Effect: The risk or non-compliant status that results from the finding;

      • Recommendations for addressing each finding;

      • Entity corrective actions taken, if any;

      • Acknowledgement of any best practice(s) or success(es); and

      • Overall conclusion paragraph.


August 5, 2011

AHA Urges CMS to Reevaluate the HIPAA Privacy Rule Accounting of Disclosures Proposed Rulemaking

In an August 1, 2011 letter to the U.S. Department of Health and Human Services Secretary, Kathleen Sebelius, the American Hospital Association ("AHA") urges the Centers for Medicare and Medicaid Services ("CMS") to reevaluate its HIPAA Privacy Rule Accounting of Disclosures Proposed Rulemaking ("Proposed Rule"). The AHA is the latest healthcare organization to urge the reconsideration of the Proposed Rule.

In its plea, AHA writes that the Proposed Rule is unable to "appropriately balance the relevant privacy interests of individuals with the substantial burdens on covered entities, including hospitals." Further, AHA points out that the potential length of the reports required under the Proposed Rule would likely create a large burden for the covered entities without much benefit to the patients.

In conclusion, the AHA letter includes the organization's recommendations for improvements to the disclosure rule. The AHA requests that HHS:

• "clarify the discussion of designated record sets, adopt its proposed exclusions to the accounting requirement and maintain existing exclusions" and preserve "a 60-day response requirement and limit an accounting to three years,"
• "reissue a request for information aimed at better reflecting the statutory requirements, the technological realities, and better alignment of the regulation's effectiveness with the compliance burdens" instead of creating the "new individual right to an access report,"
• withdraw "the preamble discussion in order to reflect longstanding department guidance," and
• adopt other changes in the event that it does not abandon the access report.

The entire text of the letter may be viewed here.


June 6, 2011

HIPAA Privacy Rule Modifications Proposed by HHS

On May 31, 2011, the Department of Health and Human Services ("HHS") issued a notice of proposed rulemaking ("Proposed Rule") in relation to the Health Insurance Portability and Accountability Act ("HIPAA") Privacy Rule ("Privacy Rule"). The Proposed Rule concerns changes to the accounting disclosures requirement of the Privacy Rule.

The Proposed Rule intends to divide §164.528 of the Privacy Rule (the accounting of disclosures of protected health information provision) to provide two distinct, but complementary, rights for individuals. These rights would include an individual's expanded accounting of disclosures right and an individual's right to a report revealing who has accessed his or her protected health information contained in an electronic designated record set.

The revised accounting of disclosures right, to be modified by HHS under HIPAA authority, intends to improve the workability and effectiveness of the provision. This right would provide information about hardcopy and electronic disclosures made from a designated record set to outside persons and the covered entity's business associates for specific purposes (e.g., legal actions, workers' compensation). The full accounting of disclosures would provide more detailed information for certain disclosures that would most likely impact an individual. The information would be maintained for a three-year period (a reduction from the current six-year requirement). HHS proposes that all covered entities and business associates implement the modified requirements of the accounting of disclosures provision starting 180 days from the final date of the regulation (240 days after publication).

As part of its authority under the Health Information Technology for Economic and Clinical Health Act ("HITECH"), HHS is proposing to create the right to an access report. This right intends to give individuals information about others' access to the patients' protected health information contained in an electronic designated record set. The right would cover a three-year period as well, but it would only provide individuals with a report of who accessed the electronic record and would not include the reasons for the access. The date, time, and name of person accessing the information (or the entity if the individual's name is unavailable) would be included in the report; the description of the type of information disclosed and the user's action would also be included if available. No distinction would be made between "uses" and "disclosures" of the information in the report. HHS proposes that business associates and covered entities provide individuals with the access report right under the provision beginning January 1, 2013 (for electronic designated record set systems acquired after January 1, 2009) or January 1, 2014 (for electronic designated record set systems acquired as of January 1, 2009).

Since the rights within the provision are limited to protected health information within a designated record set, some business associates will not be affected by the requirement that covered entities include the applicable disclosures and uses of their business associates.

Public comments on the Proposed Rule will be accepted until August 1, 2011. Comments may be submitted online at http://www.regulations.gov/ (search for the Proposed Rule).


February 22, 2011

Cignet Health's Violation of HIPAA Privacy Rule Resulted in $4.3 Million Penalty

In its first civil monetary penalty issued for a covered entity's violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, the Department of Health and Human Services (HHS), through its Office of Civil Rights (OCR), imposed a $4.3 million penalty on Cignet Health of Prince George's County, Maryland (Cignet) in its Notice of Final Determination. In the October 20, 2010 Notice of Proposed Determination, the OCR found that Cignet denied 41 patients access to their medical records when requested. Subject to certain exceptions, 45 CFR 164.524 provides that an individual has a right of access to inspect and obtain a copy of his/her protected health information in a designated record set no later than 30 days (60 days for information that is not maintained or accessible to the covered entity on-site) after the covered entity's receipt of the request. Moreover, the OCR found that Cignet failed to cooperate with the OCR's investigations and that the failure to cooperate was due to Cignet's willful neglect to comply with the Privacy Rule.


July 28, 2010

Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case

Providers and entities that think HIPAA violations are no big deal, or that have yet to implement required policies and procedures, are well advised to review the Department of Health and Human Services' July 27, 2010 press release announcing a $1 million settlement related to allegations of HIPAA violations.

Rite Aid Corporation and its 40 affiliated entities (RAC) agreed to pay $1 million to settle violations under the HIPAA Privacy Rule. The Office of Civil Rights (OCR), which enforces the HIPAA Privacy and Security Rules, opened its investigation of RAC after a television media station reported on incidents where pharmacies were shown to have disposed of prescriptions and labeled pill bottles containing individuals' identifiable information in trash containers accessible to the public.

Disposing of individuals' health information in places that are accessible to unauthorized persons violates several requirements found in the HIPAA Privacy Rule. The HIPAA Privacy Rule requires health plans, health care clearinghouses and most health care providers, including pharmacies, to protect the privacy of patient information, including during its disposal.

As part of the settlement agreement, Rite Aid also agreed to take the following corrective actions to improve its policies and procedures for safeguarding the privacy of its customers: (1) revise and distribute policies and procedures regarding disposal of protected health information and sanction workers who do not follow them; (2) train employees on the new requirements; (3) conduct internal monitoring; and (4) engage a qualified and independent third party to conduct compliance reviews and render reports to HHS.


July 9, 2010

New HIPAA Rules Will Require Covered Entities To Issue New Notice of Privacy Practices

In addition to the many aspects of the new HIPAA rules modifying the existing HIPAA Privacy and Security Rules, if the proposed rules are finalized, covered entities will be required to make "material modifications" to their Notice of Privacy Practices ("Notice"), thereby triggering obligations to revise and distribute the "new" Notices. For example, covered entities will have to revise their Notices consistent with new changes to the patient rights portion of the rule. Specifically, although the current rules allow a covered entity to decline a patient's request for restrictions as stated in the Notice, the proposed rules require a covered entity to agree to a patient's request not to disclose protected health information ("PHI") to a health plan if the purpose of the disclosure to the plan is for carrying out payment or health care operations and the PHI pertains solely to health care services for which the patient, or another person on behalf of the patient, has paid the covered entity in full. In other words, a patient can restrict a health care provider from disclosing PHI to the patient's health plan as long as the patient pays out of pocket for the service in full. Importantly, if the patient's payment is not honored (e.g., the check bounces), the provider is permitted to submit the PHI to the health plan in order to be paid for the service. The health care provider need only comply with the restriction for services for which the provider is paid in full. The Office of Civil Rights ("OCR") makes clear that it does not believe that the intent of the HITECH Act was to allow patients to avoid their payment obligations to health care providers. The proposed regulations also would require changes to the Notice regarding notifying patients which uses and disclosures require an authorization.

The proposed rules would also require covered entities to disclose to patients that most disclosures of PHI for which the covered entity receives remuneration require authorization. The Notice will also have to be revised to reflect the new requirements concerning marketing and subsidized treatment communications. The OCR is also soliciting comments on whether the Privacy Rule should require that the Notice contain a statement advising patients of the new breach notification obligations with respect to breaches of unsecured information.

Notably, the OCR states that the change to the existing patient rights rule and the other changes noted above are "material," thus requiring all covered entities that have Notice obligations to revise their Notices and reissue them. This means that although handing a Notice to a patient is typically a one-time obligation (i.e., continuing patients need not be offered a Notice at every visit), the provider will now have to ensure that all patients are provided a new Notice at their next visit and maintain a copy of each patient's acknowledgment of having received the new Notice. Many providers have not revised their Notices since the inception of the Privacy Rule and thus have not had the burden of providing all existing and continuing patients with new Notices. Importantly for health plans, the OCR recognizes that revising and redistributing Notices within 60 days of material changes is a costly process for plans, and thus the OCR is seeking comments on ways in which plans could inform individuals of the changes without imposing a large burden. The OCR is considering many options, such as replacing the current 60-day requirement with a requirement that the plan redistribute the new Notice in the next annual mailing (such as at the beginning of the plan year or during the open enrollment period), and is also considering whether it should make no changes. Obviously, it is in the best interest of plans to proactively comment to the OCR on this important issue.


July 8, 2010

Health Information Privacy and Security Strengthened through New Proposed Rule

The Department of Health and Human Services ("HHS") today announced a notice of proposed rulemaking regarding HIPAA Privacy and Security. The proposed rule is issued in connection with the amendments and expansion to HIPAA made as part of the Health Information Technology for Economic and Clinical Health Act (the "HITECH Act"), enacted as part of the American Recovery and Reinvestment Act of 2009.

The proposed rule is intended to strengthen and expand enforcement of HIPAA Privacy, Security and Enforcement Rules by granting broader patient rights and stronger protections when business associates handle individually identifiable health information.

HHS also launched today a privacy website, designed to inform the public regarding existing HHS health information privacy efforts and policies. HHS also announced that its website for HIPAA breach notifications is to be updated and will now include a search function and summaries of past health information privacy breaches.


June 22, 2010

System Changes Necessary to Implement the Patient Protection and Affordable Care Act (PPACA) Section 6404 - Maximum Period for Submission of Medicare Claims Reduced to Not More than 12 Months

Wisconsin Physician Services (an existing Medicare Carrier and Medicare Administrative Contractor) issued a reminder today on its website for providers concerning the new deadlines for Medicare claims submission. The CMS Medlearn Matters article on the subject, dated May 7, 2010 and effective January 1, 2010, provides specific details on the topic.

For example, Section 6404 of the PPACA has amended the timely filing requirements to reduce the maximum time period for submission of all Medicare Fee-For-Service (FFS) claims to one calendar year after the date of service. Additionally, Section 6404 mandates that all claims for services furnished prior to January 1, 2010 must be filed with the appropriate Medicare claims processing contractor no later than December 31, 2010.

Section 6404 will impact all physicians, providers, and suppliers submitting claims to Medicare contractors for services to Medicare beneficiaries. Currently, Medicare contractors are adjusting their relevant system edits to ensure that claims with dates of service prior to October 1, 2009 will be subject to the pre-PPACA timely filing rules and associated edits.

While section 6404 does authorize CMS to make specific exceptions to the timely filing requirement, currently, the only exception is found in the filing regulations at 42 CFR section 424.44(b)(1), for "error or misrepresentation" of an employee, Medicare contractor, or agent of the Department that was performing Medicare functions.


June 18, 2010

Temporary Certification Program for EHR Technology Announced

A final rule establishing the temporary certification program for electronic health record ("EHR") technology was released today by the Office of the National Coordinator for Health Information Technology ("ONC"). As explained in the HHS press release and in a previous HLP blog entry about the proposed rule, the HITECH Act of 2009 established incentives for providers for using EHR, but specified that the technology they use must be certified EHR technology. The new final rule sets out the certification program, which will help ensure that the EHR technology providers are using is safe and effective, and that it fits the "meaningful use" criteria that allow them to qualify for the incentives. Details about the certification program are available at the Health IT website of HHS.

For more information, contact Robert S. Iwrey, Esq. at (248) 996-8510.

May 28, 2010

Red Flags Rule and Identity Theft - Enforcement Delayed Yet Again

In an unsurprising turn of events, days before the June 1 deadline, the Federal Trade Commission ("FTC") announced that it is again delaying enforcement of the identity theft regulations through December 31, 2010. This latest delay came at the request of certain members of Congress while Congress considers legislation that would affect the scope of entities covered by the identity theft regulations. This is the 5th time that enforcement has been delayed, and physicians are hopeful that a permanent solution will be forthcoming. The legislation under consideration would exempt from the law health care practices with fewer than 20 employees. The FTC's official announcement can be found here. HLP will continue to keep you updated on this topic.

May 11, 2010

HIPAA Security: Risk Analysis Guidance Issued

On May 7, 2010, the Office of Civil Rights (OCR) issued guidance on the risk analysis requirement of the HIPAA Security Rule. Many providers have not paid close attention to the actual requirements of the HIPAA Security Rule. In addition to covered entity providers that must comply with the security regulations, business associates that have not implemented the requirements of the HIPAA Security Rule must also do so, thanks to the HITECH Act. The newest OCR guidance should be reviewed, as should past guidance documents. This guidance focuses on the first step in identifying and implementing safeguards consistent with the HIPAA Security Rule. According to OCR, "the guidance is not intended to provide a one-size-fits-all blueprint for compliance with the risk analysis requirement. Rather, it clarifies the expectations of the Department for organizations working to meet these requirements." The OCR guidance does draw on recommendations from the National Institute of Standards and Technology (NIST), even though only federal agencies are actually required to follow guidelines set by NIST. We encourage providers and business associates to review the guidance, as the HIPAA Security Rule emphasizes that the risk analysis process is a key element in achieving compliance with the regulatory requirements and is an ongoing, evolving process.

For more information, you can visit the HHS Health Information Privacy Page, or contact Abby Pendleton, Esq. or Kathryn Hickner-Cruz, Esq. at (248) 996-8510.

May 7, 2010

HITECH Act Expands Requirements for Accounting of Disclosures

The HIPAA Privacy Rule currently provides an individual the right to receive an "accounting of disclosures," essentially a listing of occurrences where a HIPAA covered entity has disclosed the individual's information to others. Under the current rule, however, disclosures made for treatment, payment, and health care operations are not among the disclosures that must be included in the accounting.

Now, the HITECH Act has expanded the list of what must be included in the accounting of disclosures. HITECH, which regulates the use of electronic health records ("EHRs"), provides individuals the right to receive information about disclosures made using the individual's EHR, including those made for the purposes of treatment, payment, and health care operations. The Health and Human Services Office of Civil Rights ("OCR") is required to set forth rules that balance the rights of individuals with the reporting burden on HIPAA covered entities.

OCR has issued a request for information from individuals and providers as the first step in its rulemaking, which you can review here.

For more information on HIPAA and HITECH, please visit the HLP's Compliance and HIPAA page, or contact Kathryn Hickner-Cruz, Esq. or Abby Pendleton, Esq. at (248) 996-8510.