The New HIPAA Rules are Out!

Ann Feldkamp Triebsch Federal Law Resources, Health Information Technology, HITECH Law, Privacy & Security , , , , ,

by Ann F. Triebsch

(Updated January 27, 2013)

On January 17, 2013, the Department of Health & Human Services (HHS), Office for Civil Rights (OCR), released the final HIPAA Omnibus Rule (Omnibus Rule) implementing the HITECH Act of 2009 and the Genetic Information Nondiscrimination Act of 2008 (GINA). The Omnibus Rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s enforcement capabilities. The regulations are published in the January 25, 2013 Federal Register, and will be effective on March 26, 2013, with compliance required by September 23, 2013.

We will discuss the highlights of the new regulations, topic by topic, in this blog over the next few weeks, but we begin with a key piece of information relevant to existing business associate agreements. The new regs substantially increase the privacy responsibilities of a business associate that receives protected health information, such as contractors and subcontractors. Business associates may also be liable for increased penalties for noncompliance based on the level of negligence, up to a maximum penalty of $1.5 million.

All of the new requirements will need to be reflected in business associate agreements (BAAs). If your current business associate agreement was signed on or before January 24, 2013, it will be deemed HIPAA compliant through September 23, 2014 (at which time the agreement will need to have been amended for compliance with the Omnibus Rule). After January 24, 2013, any new BAAs signed should comply with the Omnibus Rule, and be in place by September 23, 2013.

To read the Omnibus Rule, click here.

The Long-Awaited HIPAA Omnibus Rule Has Been Issued!

Margaret Young Levi Health Information Technology

Earlier today we predicted the long-awaited HIPAA-HITECH Omnibus Rule under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) would soon be released–and we were correct! 

Today the U.S. Department for Health & Human Services (HHS) issued a press release announcing the Rule would be as published on 01/25/2013. Click here to view the press release.  HHS believes “the changes in the final rulemaking provide the public with increased protection and control of personal health information”  by expanding requirements for business associates, increasing penalties for non-compliance, and clarifying HHS must be notified of breaches. The Rule expands patient’s rights to access and control use and disclosure of protected health infromation. 

A pre-publication PDF version of the Rule may be viewed here.

Long-awaited HIPAA Omnibus Rule may be released soon

Margaret Young Levi Federal Law Resources, Health Information Technology, HITECH Law, Privacy & Security

“Rumor has it” that the long-awaited HIPAA-HITECH Omnibus Rule under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) will be released the week of January 21st or 28th. While similar rumors have abounded for many months, this one may have some merit.

It is reasonable to expect the Office of Management and Budget (OMB) to release the final OMNIBUS regulations as soon as late January or early February based on the fact that the OMB has had the rule for almost a year to perform a perfunctory final review. The Department for Health and Human Services (HHS) released the Rule to OMB for review, one of the last steps before publication in the Federal Register, on March 24, 2012. OMB had the standard 90-day period to perform its review, but requested an extension. Some have speculated that the pending election last year may have played a part in delaying the Rule.

The Modern Healthcare’s IT Everything blog also posted recently that “in February, there is a HIPAA summit mid-month” that “calls for regulators to give a talk on the final rule.” Read more here.

The much-anticipated HIPAA Rule is expected to contain implementing regulations for the following aspects of the HITECH Act: 1) data breach enforcement and penalty levels; 2) data breach notification requirements; 3) application of the HIPAA Security Rule requirements directly to business associates and subcontractors; 4) use of genetic information by health plans; 5) use of patient health information (PHI) for marketing and fundraising. HHS has said the final Rule will contain “significant modifications” to the current HIPAA Privacy Rule. The final Rule will not address the proposed change to the HIPAA Privacy Rule’s standard on accounting for disclosures (i.e., access by whom, when and for what purpose), a controversial proposal that was complex, burdensome and potentially very costly.

We also have heard that a notice of proposed rulemaking would be out in March proposing a methodology by which people harmed by a HIPAA violation could share in any settlement or civil monetary penalty.

Stay tuned . . .

OIG First Year Assessment of the EHR Incentive Program

Ann Feldkamp Triebsch Health Information Technology

by Ann F. Triebsch

 The HHS OIG released a report on November 28, 2012, assessing CMS’ first-year performance in overseeing the Medicare EHR Incentive Program.   The OIG did not give CMS high marks, but its primary recommended solution is being rejected, as it may have done more harm than good under the circumstances.   

 Self-Reporting Insufficient Basis.  Under the program, providers implementing EHR systems and attesting that they are “meaningfully us[ing]” them as defined by HITECH receive financial incentives, which can help offset the not-insubstantial costs of the systems.  The gathering of data for the attestation to CMS can be a time-consuming process.  CMS checks the data submissions via its own computer logic, and if the submission is approved, the incentive payment is sent. In its report, OIG says CMS has paid out about $4 billion in incentive payments to providers to date, with a total of $6.6 billion estimated by 2016.  However, OIG points out that because the computer logic checks are not complete or fool-proof, but rather rely on self-reported data, the incentive program is “vulnerable” to fraud, paying incentives where meaningful use requirements are not fully met.  OIG recommended that CMS undertake prepayment reviews of substantiating documentation from certain providers, based on risk analyses, rather than using the “pay and chase” model it is moving away from.

Sticking with the Plan.  CMS declined to follow OIG’s prepayment review recommendation, citing the increased up-front burden on providers, as well as delayed incentive payments.   CMS put it politely, but we couldn’t agree more.  Providers have incurred substantial debt to purchase these EHR systems, and some are throwing up their hands, or worse, in frustration as they make the switch from paper, input so much new data, learn their new systems and try to integrate them with other existing systems.  To delay the incentive payments, which are the carrot to encourage providers to adopt this technology that CMS and the Obama administration so fervently want, especially in the absence of any suspected or proven abuse to date, would be politically untenable, and counterproductive to the worthy goals of HITECH. 

 Other Recommendations.  CMS did agree with OIG’s other recommendation to issue guidance on the types of documentation it expects providers to maintain to support their compliance with the “meaningful use” requirements, and indicated it would soon be posting a FAQ document on this subject.  OIG recommended that the Office of the National Coordinator for Health Information Technology (ONC) require certified EHR technology to be capable of producing reports for yes/no meaningful use measures, where possible, which is not a current capability in many systems, and that it improve the certification process to ensure accurate EHR reports.  ONC concurred with these two recommendations.

While verification of meaningful use attestations always would have been a possible topic for CMS audits of providers, this OIG assessment of the first year of the EHR Incentive Program may provoke CMS to investigate the topic more closely.  But for now, CMS made a well-considered decision to keep its resources where they are, and not begin a witch-hunt when there is no sign of widespread evil intent.

CMS Issues Interim Final Rule on EHR Certification and Incentives

Margaret Young Levi EHR Certification Standards, Electronic Health Records, Eligible Professional Incentives, Health Information Technology, HITECH Law

On December 7, 2012, the Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare & Medicaid Services (CMS) published an interim final rule with comment period to make revisions to the 2014 Edition Electronic Health Record (EHR) and revisions to the EHR Incentive Program.  Specifically, this rule will:

  • Replace the Data Element Catalog (DEC) standard and the Quality Reporting Document Architecture (QRDA) Category III standard adopted in the final rule published on September 4, 2012 with updated versions of those standards.
  • Revise the Medicare and Medicaid EHR Incentive Programs by adding an alternative measure for the Stage 2 meaningful use (MU) objective for hospitals to provide structured electronic laboratory results to ambulatory providers, correcting the regulation text for the measures associated with the objective for hospitals to provide patients the ability to view online, download, and transmit information about a hospital admission, and making the case number threshold exemption for clinical quality measure (CQM) reporting applicable for eligible hospitals and critical access hospitals (CAHs) beginning with FY 2013.
  • Provide notice of CMS’s intention to issue technical corrections to the electronic specifications for CQMs released on October 25, 2012.

This interim final rule will be effective January 5, 2012.