Compliance and HIPAA
Overview of Compliance and HIPAA Experience
The Health Law Partners, P.C. assists healthcare providers, suppliers, plans and organizations with their compliance needs. For example, our attorneys can assist with:
- Developing and updating billing compliance policies
- Developing training programs and presenting compliance in-service and education sessions with regard to billing, HIPAA privacy and HIPAA security
- Undertaking compliance investigations and responding to identified problems
- Directing auditing and monitoring
- Reviewing contracts and relationships for compliance with the Stark and Anti-kickback laws
- Drafting compliant contracts
- Counseling providers with regard to sensitive refund and disclosure issues
- Drafting and updating HIPAA privacy and security programs and policies
- Reimbursement matters
The HIPAA privacy rule (45 CFR Part 164, Subpart E) addresses the use and disclosure of health information ("protected health information" or "PHI") by covered entities (i.e., providers, health plans and clearinghouses). It also sets standards for the privacy rights that must be afforded individuals. According to HHS, a major goal of the HIPAA privacy rule is to make sure that covered entities appropriately protect health information while allowing the flow of health information needed to provide and promote high quality health care. Given the diversity in the types and sizes of the entities covered by HIPAA, the privacy rule is designed to be flexible enough to cover the variety of uses and disclosures that need to be addressed. In summary, the HIPAA privacy rule:
- Provides restrictions on uses and disclosures of patient health information. The privacy rule sets forth the instances in which protected patient information can be used within the covered entity or disclosed to outside parties;
- Creates individual patient rights to inspect and copy their records, to amend erroneous information, to request certain restrictions on the use and disclosure of their information, to file written complaints, and to receive a notice of the entity's privacy practices;
- Requires covered entities to include certain privacy language in contracts with "Business Associates" regarding safeguarding patient information;
- Requires a covered entity to designate a privacy official (commonly called a HIPAA Privacy Officer);
- Requires implementation of privacy policies and procedures;
- Requires the designation of a contact person or office who is responsible for receiving privacy complaints and who can provide information about the entity's privacy policies and procedures; and
- Requires covered entities to provide HIPAA privacy training to all members of their workforce (employees, volunteers and trainees alike, not only paid staff).
The HIPAA security rule (45 CFR Part 164, Subpart C) addresses the confidentiality, integrity, and availability of electronic protected health information ("EPHI"). EPHI means any protected health information that is maintained or transmitted in electronic media.
Although PHI that is not considered electronic protected health information (e.g., hardcopy billing records and hardcopy medical records) is not covered by the Security Rule, this information is still protected by the Privacy Rule, which also requires covered entities to "have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information."
The security rule sets forth certain general requirements. The general requirements mandate that covered entities do the following:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information that the covered entity creates, receives, maintains or transmits.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule; and
- Ensure compliance with the Security Rule by their workforce.
In order to achieve the general requirements set forth above, covered entities are required to meet 18 standards. For each standard, the Security Rule sets forth "implementation specifications" that serve as the "instructions" for compliance with that standard. Some implementation specifications are "required" while others are "addressable." Addressable does not mean optional: the covered entity must assess whether the specification is reasonable and appropriate in its environment and either implement it, implement an equivalent alternative measure, or document why neither is reasonable and appropriate, keeping that written assessment as part of its Security Rule documentation. The standards and their related implementation specifications are broken down into three broad categories: administrative safeguards, physical safeguards, and technical safeguards.
The administrative safeguard standards require covered entities to conduct a risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information within the organization, to implement a number of required policies and procedures, and to maintain certain documentation to manage and minimize that risk.
Physical safeguard standards deal with the security measures taken to protect the buildings and equipment that house electronic PHI from natural and environmental hazards and from unauthorized intrusion.
Technical safeguard standards address the technological measures used to safeguard and control access to electronic information, as well as the development and implementation of policies and procedures governing the use of that technology.
HIPAA Privacy and Security Expanded by the American Recovery and Reinvestment Act: The Health Information Technology for Economic and Clinical Health Act ("HITECH Act" or the "Act") included in the American Recovery and Reinvestment Act significantly expands HIPAA privacy and security provisions. Some of the key aspects of the privacy and security portions of the Act include the following:
- Required Notification for Information Breaches:
Effective 30 days after the Secretary of the Department of Health and Human Services ("HHS") publishes interim final regulations (due within 180 days of the Act's enactment; HHS issued its interim final breach notification rule on August 24, 2009), covered entities and business associates must follow specified notification protocols when an individual's unsecured protected health information has been breached. "Unsecured" PHI is PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons through a technology or methodology specified in HHS guidance (in practice, encryption or destruction), so PHI that was properly encrypted under that guidance, with the key not compromised, falls outside the notification requirement. Notification includes individual notice to the affected persons and, depending on the number of individuals involved, notice to the media. HHS must also be notified immediately if the breach involves 500 or more individuals. If the breach involves fewer than 500 individuals, the covered entity may instead record the breach on a log that must be submitted to HHS annually.
- Required Accounting of Disclosures Involving Electronic Health Records:
As many providers are aware, under the current HIPAA regulations providers need not provide individuals with an accounting of disclosures of their health information if the disclosure is for the provider's treatment, payment or health care operations ("TPO"). Although the effective date is deferred, under the HITECH Act providers who use or maintain electronic health records will be required to account for TPO disclosures. In such cases, however, the accounting period is limited to the three years prior to the date on which the accounting is requested. The Act directs the Secretary of HHS to issue regulations specifying what information must be collected about each disclosure.
- The Minimum Necessary Rule:
With regard to non-treatment situations, the current HIPAA regulations require providers to use and disclose only the minimum amount of PHI necessary to accomplish a permitted task. Until HHS issues guidance on the meaning of "minimum necessary," the HITECH Act provides that, to comply with the minimum necessary rule, a covered entity must (1) to the extent practicable, limit uses and disclosures to the "limited data set"; or (2) if the entity needs more than that, limit them to the minimum necessary to accomplish the intended purpose. A limited data set is still PHI, but it has been stripped of specified direct identifiers. Note that the current exceptions to the minimum necessary rule (e.g., disclosures for treatment purposes) still apply.
- The Stakes Are Raised - Increased Enforcement:
The Act provides that the penalties that apply to covered entities for violations also apply to business associates. Additionally, the HITECH Act revises and expands the current penalty provisions. The Act contains new provisions on noncompliance due to "willful neglect" and requires the government to formally investigate any complaint if a preliminary investigation of the facts indicates a possible violation due to willful neglect. The HITECH Act also replaces the current penalty of $100 per violation with a tiered penalty system.
Of particular importance, the Act also includes a provision authorizing enforcement by State Attorney General offices if the attorney general of a State has reason to believe that an interest of one or more residents of that State has been or is threatened or adversely affected. In such cases, the Attorney General can bring a civil action on behalf of the state residents to enjoin any continuing violation or to obtain damages on behalf of the residents. The court may also award costs and reasonable attorney fees to the State.
- Business Associates:
The HITECH Act extended certain HIPAA requirements to business associates. Specifically, the Act applies the administrative, physical and technical safeguard requirements of the HIPAA security regulations to business associates. It also imposes obligations related to policies, procedures and documentation requirements.
- Prohibitions on Sale of Electronic Health Records or PHI:
In general, unless one of six exceptions applies, a covered entity or business associate may not directly or indirectly receive remuneration in exchange for any protected health information of an individual unless the covered entity has obtained a valid HIPAA authorization from the individual that specifies whether the PHI can be further exchanged for remuneration by the entity receiving it. The exceptions to the general prohibition apply when:
- The purpose of the exchange is for public health activities, as defined by the HIPAA regulations;
- The purpose is for research and the price charged reflects the costs of preparation and transmittal of the data for such purpose;
- The purpose is for treatment, subject to additional protections promulgated by regulation;
- The purpose is in connection with a transaction and due diligence involving the sale, transfer or merger of a Covered Entity;
- The purpose of the exchange is for remuneration that is provided by the Covered Entity to a Business Associate related to the Business Associate's activities involving the exchange of PHI that the BA undertakes on behalf of and at the request of the covered entity pursuant to the BA agreement;
- The purpose of the exchange is to provide an individual with a copy of the individual's PHI.
The Secretary is also authorized to develop additional exceptions. Notably, the effective date applies six months after the date of the promulgation of final regulations (the Secretary is responsible for promulgating regulations no later than 18 months after the enactment date of the Act).
- Access to Information In Electronic Format:
With regard to the current regulation allowing individuals access to their records, in the case that a covered entity uses or maintains an electronic health record, the individual has the right to obtain such information in electronic format, and if the individual so chooses, to direct the covered entity to transmit such copy to a designated person.
Helpful HIPAA Updates and Links:
September 2010 Medical Group Management Association (MGMA) Comments to the Proposed HIPAA Rules.
September 2010 American Hospital Association Comments to the Proposed HIPAA rules.
August 24, 2009 – HHS issues Interim Final Rule requiring notification of breaches of unsecured protected health information.
February 16, 2006 – HHS issues the Final HIPAA Enforcement Rule.
February 20, 2003 – HHS issues the Final Rule adopting HIPAA security standards.
August 14, 2002 – HHS issues the Final Rule implementing modifications to the HIPAA Privacy Rule.
December 28, 2000 – HHS issues the Final Rule adopting HIPAA privacy standards.
August 21, 1996 – HIPAA statute enacted.
Centers for Medicare & Medicaid Services (CMS) - Department of Health and Human Services (HHS) - The CMS website provides a summary of the HIPAA requirements and answers to frequently asked questions.
Office for Civil Rights (OCR) - Department of Health and Human Services (HHS) - OCR is charged with civil enforcement of the HIPAA Privacy and Security Rules. The OCR site provides important information regarding the HIPAA law, regulations, and OCR HIPAA enforcement activities.
Helpful Compliance Updates and Links:
February 2, 2011 – CMS indicates that it will continue its rulemaking regarding mandatory compliance plans.
September 23, 2010 – CMS issues Proposed Rule for mandatory compliance programs.
March 23, 2010 – Section 6401(a) of the Patient Protection and Affordable Care Act (PPACA) requires providers and suppliers to establish compliance programs as a condition of enrollment in the Medicare, Medicaid and CHIP Programs.
An HLP Blog Entry discusses the mandatory compliance plan provision of PPACA.
Office of Inspector General (OIG) Compliance Guidance – The OIG has established numerous guidelines for various providers and suppliers in the industry, including the following:
OIG’s Roadmap for New Physicians – A great primer for all physicians on complying with some of the most pertinent laws in today’s healthcare regulatory landscape.
OIG’s Provider Compliance Training – Useful resources for understanding the fundamentals of healthcare compliance.
"New HIPAA Rules Issued: A Primer for Radiology Providers", by Adrienne Dresevic, Esq. and Clinton Mikel, Esq., AHRA Link, February 2013.
Clinton Mikel, Esq. is the author of an American Bar Association publication on the HIPAA Megarule (free for ABA Health Law Section members, available for purchase by others): "HIPAA Privacy, Security, Enforcement & Breach Notification: Redlined Final Omnibus Rule", ABA Health Law Section, January 2013.
"Changes to the Breach Notification Risk Assessment Under the HIPAA Megarule", by Clinton Mikel, Esq., ABA Health eSource, January 2013.
"Anesthesia Practices Should Prepare for More Audit Activity", by Abby Pendleton, Esq. and Jessica L. Gustafson, Esq., Communique, Winter 2011.
"Sleeping Giants: Compliance in the Age of Electronic Medical Records", by Ranjan Sachdev, MD, MBA, CHC, Abby Pendleton, Esq., and Jessica L. Gustafson, Esq., Association of Healthcare Internal Auditors New Perspectives, Winter 2011.
"Compliance Can Be Tricky in the Age of Electronic Medical Records," by Abby Pendleton, Esq. and Jessica L. Gustafson, Esq., Michigan Medical Law Report, Spring 2011.
"Regulatory Review: Medicare Screening Requirements Finalized, Mandatory Compliance Programs Still Pending", by Adrienne Dresevic, Esq. and Carey F. Kalmowitz, Esq., AHRA Link, February 2011.
"Regulatory Review: The New Face of Physician Compliance Programs: Physicians Must Manage New Stark Law Risks under the Health Care Reform Act," by Adrienne Dresevic, Esq. and Carey F. Kalmowitz, Esq., AHRA Link, September 2010.
"Proposed HIPAA Regulations: What Physician Practices Need to Know," by Abby Pendleton, Esq., Jessica L. Gustafson, Esq., and Stephanie Ottenwess, Esq., Michigan Medical Law Report, Fall 2010.
"Health care reform measures, increased audit scrutiny, and more reasons why compliance programs matter," by Abby Pendleton, Esq. and Kathryn Hickner-Cruz, Esq., Michigan Medical Law Report, Vol. 6, No. 2, Summer 2010, p. 12.
"HIPAA enforcement strengthened, penalties increased," by Jessica L. Gustafson, Esq. and Abby Pendleton, Esq., Michigan Medical Law Report, Vol. 5, No. 4, Winter 2010.
"AHLA Deciphering Codes: Fraud & Abuse for Coders and Coding Insight for Healthcare Lawyers," a chapter in the AHLA/AAPC Coding Manual, Abby Pendleton, Esq., published in 2010.
"Risk and Compliance Practices for Nursing Facilities," by Carey F. Kalmowitz, Esq. and Walter S. Wheeler, III, Esq., Michigan Medical Law Report, Vol. 4, No. 4, Winter 2009
"Planning for Compliance," by Abby Pendleton, Esq. and Adele P. Jorissen, Esq., Anesthesia Business Consultants Communique, Fall 2008
"Compliance Corner: OIG Workplan 2008," by Abby Pendleton, Esq. and Jessica L. Gustafson, Esq., Anesthesia Business Consultants Communique, Spring 2008
"3 Cost-Effective Compliance Tips to Jump Start Your Compliance Efforts," by Abby Pendleton, Esq., Communique, Fall 2006
"Billing: Three key compliance tips that every physician should implement," co-authored: Abby Pendleton, Esq., Michigan Medical Law Report, Vol. 1, No. 4, pg. 5, 10, Winter 2005
"Compliance Auditing: Three Key Issues That Every Physician Should Consider," co-authored: Abby Pendleton, Esq., Michigan Medical Law Report, Vol. 1, No. 3, Fall 2005
"Have you Engaged in Compliance Activities Lately?" co-authored: Abby Pendleton, Esq. and Robert S. Iwrey, Esq., MSA Ventilator, December 2003
"Final HIPAA Security Rule Allows Greater Flexibility," co-authored: Abby Pendleton, Esq., The Health Lawyer, The ABA Health Law Section, April 2003
"New HIPAA Privacy Guidance Reduces ASC Fears," co-authored: Abby Pendleton, Esq., FASA Update: Journal of the Federated Ambulatory Surgery Association, Volume XX, Number 1, January/February, 2003
"Proactive Compliance as an Audit Defense Strategy," by Abby Pendleton, Esq. and Robert S. Iwrey, Esq., The Ventilator, January 2002
"CPT 2000: Pain Management Coding Compliance," co-authored: Abby Pendleton, Esq., Anesthesia Business Consultants Communique, Winter, 2000
"OIG Softens its Overall Approach in Releasing the Final Compliance Guidance for Individual and Small Group Physician Practices," co-authored: Abby Pendleton, Esq., The Health Lawyer, The ABA Health Law Section, October 2000
"OIG Issues Draft Compliance Guidance for Individual and Small Group Physician Practices," co-authored: Abby Pendleton, Esq., The Health Lawyer, The ABA Health Law Section, June 2000
"Continuing Education is Key to Compliance," co-authored: Abby Pendleton, Esq., Anesthesia News, November 1999
"OIG Issues Compliance Guidance for the Hospice Industry and Medicare + Choice Organizations," co-authored: Abby Pendleton, Esq., The Health Lawyer, The ABA Health Law Section, October 1999
"Anesthesia Time: Compliance Tips," co-authored: Abby Pendleton, Esq., Anesthesia Business Consultants Communique
"HIPAA Security Workbook and Toolkit," co-authored: Abby Pendleton, Esq., FASA
"HIPAA Privacy Workbook and Toolkit," co-authored: Abby Pendleton, Esq., FASA
"HIPAA Security Workbook and Toolkit," co-authored: Abby Pendleton, Esq., United Communications Group
"HIPAA Privacy Workbook and Toolkit," co-authored: Abby Pendleton, Esq., United Communications Group
HIPAA and Compliance Questions?
HIPAA and compliance inquiries can be directed to Abby Pendleton, Esq. at (248) 996-8510 or (212) 734-0128.