Enforcement of HITECH Business Associate Requirement

The HHS Office of Civil Rights (OCR) has indicated that the agency will be delaying enforcement of the HITECH Act provisions under which Business Associates are required to directly comply with the HIPAA Privacy and Security Rules.  Although the statutory compliance date for the Business Associate requirement is February 17, 2010, Adam Greene, an OCR attorney, "unofficially" indicated in a recent speech that HHS will be exercising its enforcement discretion to not enforce the new provision until after a proposed and final rule on this subject have been promulgated.

Workshop on HIPAA Privacy Rule's De-Identification Standard (March 8-9, 2010)

HHS is hosting a workshop on March 8 and 9, 2010 on methods for de-identification of protected health information (PHI) as designated in the HIPAA Privacy Rule. The meeting is designed to bring together experts with practical technical and policy experience to inform the creation of guidance materials on de-identification approaches.

HIT Rules Released: HIT Standards and Definition of "Meaningful Use" and Criteria for Electronic Health Record Incentive Program

This post was written by Jacqueline B. Penrod.

On January 13, 2010, the Office of the National Coordinator for Health Information Technology (ONC) published an interim final rule (the “Standards Rule”) to adopt an initial set of standards, implementation specifications, and certification criteria for health information technology. Designed to be “the first step in an incremental approach . . . to enhance the interoperability, functionality, utility and security of health information technology and to support its meaningful use,” the Standards Rule outlines capability requirements for electronic health records (EHR) systems and establishes standards for the exchange of information between systems. It also provides guidance with respect to maintaining the privacy and security of patient data and adherence to the requirements of the HIPAA Privacy Rule. The rule is effective February 12, 2010, although comments will be accepted until March 15, 2010.

Also on January 13, the Centers for Medicare and Medicaid Services (CMS) published a proposed rule (the “Incentive Rule”) implementing the EHR incentive payments provided for in the American Recovery and Reinvestment Act of 2009 (ARRA). Under the ARRA, hospitals and eligible professionals (EP) may qualify to receive incentive payments under the Medicare fee-for-service, Medicare Advantage, and Medicaid programs if they adopt and meaningfully use certified electronic health technology. Beginning in 2015, hospitals and EPs that do not adopt and meaningfully use such technology will have downward payment adjustments. The Incentive Rule sets forth a broad outline of the manner in which providers will be eligible for EHR incentive payments. It includes the long-awaited initial criteria to determine whether a hospital or EP is a “meaningful user” of certified EHR technology, as well as the methods which will be used to calculate the payments and adjustments. Functionality and clinical quality measures for each type of provider are proposed for each program.

The Incentive Rule proposes a three-stage approach to assessing meaningful use of EHR technology, with progressive reliance on and use of electronic medical records. While the criteria for Stage 1 are set forth in detail, the criteria for the remaining two stages are expected to be developed later, taking into account progress in technology and within the health industry. The meaningful use criteria will be updated on a biennial basis; proposed criteria for Stages 2 and 3 are anticipated to be released in 2011 and 2013, respectively. The significant impact that the meaningful use criteria may have on reimbursement for providers warrants close scrutiny. The proposed rule is posted here. CMS will accept comments on the proposed rule until March 15, 2010. Reed Smith is preparing a client bulletin summarizing the Incentive Rule.

HHS Rule Implements HITECH Changes to HIPAA Enforcement

The Department of Health and Human Services (HHS) has published an interim final rule with comment period strengthening Health Insurance Portability and Accountability Act (HIPAA) enforcement provisions, as mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Specifically, the rule establishes a tiered penalty framework for HIPAA's Administrative Simplification Rules (i.e., Privacy Rule, Security Rule, Transactions and Code Sets Rules, Standard Unique Identifier for Employers, and Standard Unique Identifier for Health Care Providers). Under the HITECH Act, these provisions went into effect February 18, 2009. HHS will accept comments on the interim final rule until December 29, 2009, and the effective date of the rulemaking is November 30, 2009. A Reed Smith summary of the rule is available here.

Genetic Nondiscrimination Rules Published

On October 7, 2009, CMS published an interim final rule with comment period implementing certain provisions of the Genetic Information Nondiscrimination Act of 2008 (GINA) that prohibit discrimination based on genetic information in health insurance coverage and group health plans. These interim final regulations are effective on December 7, 2009; comments will be accepted until January 5, 2010. In a related development, the Department of Health and Human Services (HHS), Office for Civil Rights, also published a proposed rule on October 7 that would modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy standards to implement GINA provisions addressing the privacy and confidentiality of genetic information and make certain other changes to the HIPAA privacy rule. Comments will be accepted until December 7, 2009.

Secretary Delegates HIPAA Security Rule to OCR

On August 4, 2009, the Department of Health and Human Services (HHS) published a notice delegating to the Director of the Office for Civil Rights (OCR) the authority to administer and enforce the HIPAA Security Rule, functions which previously had been delegated to CMS. HHS expects that combining the authority for administration and enforcement of the federal HIPAA standards for health information privacy and security under OCR will eliminate duplication and increase efficiencies in how HHS protects health information.

CMS HIPAA Version 5010 Conference Call (June 9, 2009)

On June 9, 2009, CMS is holding a conference call entitled “HIPAA Version 5010 - What you need to know.” This is the first in a series of national provider training calls on the transition to HIPAA Version 5010. Space is limited and preregistration is required.

No Delay in HIPAA Code Set/Standard Rules

The Obama Administration has been reviewing regulations issued late in the Bush Administration, including HHS final rules published January 16, 2009 that mandate the use of updated diagnosis and procedure codes (the ICD-10-CM rule) and updated standards for electronic health care and pharmacy transactions under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Administration has decided not to delay implementation of these final rules or reopen the rules for comment.

Economic Stimulus Package/Health Provisions

On February 13, 2009, the House and Senate approved the conference report to accompany H.R. 1, the American Recovery and Reinvestment Act.  President Obama signed the bill into law on February 17, 2009.  The $790 billion economic stimulus package includes a number of health care policy provisions.  Among other things, the final agreement includes:

  • $19 billion to accelerate the adoption of health information technology systems;
  • Strengthened federal privacy and security provisions to protect personally-identifiable health information;
  • Approximately $87 billion in additional federal matching funds over two years to help states maintain their Medicaid programs in the face of state budget shortfalls;
  • $1.1 billion to support comparative effectiveness research;
  • $1 billion for a new Prevention and Wellness Fund; and
  • Provisions to help unemployed workers maintain health insurance coverage under the Consolidated Omnibus Budget Reconciliation Act (COBRA) law.
  • A provision blocking a fiscal year 2009 reduction in Medicare payments to teaching hospitals related to capital payments for indirect medical education;
  • A provision blocking a fiscal year 2009 Medicare payment cut to hospice providers related to a wage index payment add-on;
  • Technical corrections to the Medicare, Medicaid, and SCHIP Extension Act of 2007 related to Medicare payments for long-term care hospitals;
  • A temporary increase in states’ annual disproportionate share hospital allotments;
  • An extension of moratoria on Medicaid regulations for targeted case management, provider taxes, and school-based administration and transportation services through June 30, 2009, and a new moratorium on a Medicaid regulation related to hospital outpatient services through June 30, 2009;
  • An extension of Transitional Medical Assistance and the Qualified Individual program; and
  • Medicaid prompt payment requirements for nursing facilities and hospitals.

Information on the versions of the measure approved earlier by the House and Senate is available here.    

Update:  On February 17, 2009, President Obama signed into law H.R. 1, the American Recovery and Reinvestment Act (the “ARRA”).  Reed Smith's Health Care Memorandum summarizes the major health policy provisions of the Act.

 

Implementation of ICD-10 Coding

The Department of Health and Human Services (HHS) published a final rule on January 16, 2009 adopting new code sets to be used by the public and private sectors for reporting diagnoses and inpatient procedures in health care transactions under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Specifically, the rule adopts the International Classification of Diseases, Tenth Revision, Clinical Modification (ICD–10–CM) for diagnosis coding, and the International Classification of Diseases, Tenth Revision, Procedure Coding System (ICD–10–PCS) for inpatient hospital procedure coding. These codes replace the International Classification of Diseases, Ninth Revision, Clinical Modification (ICD–9–CM) Volumes 1 and 2, and the International Classification of Diseases, Ninth Revision, Clinical Modification Volume 3 for diagnosis and procedure codes, respectively. HHS notes that the shortcomings of the current ICD-9 system include limited ability to accommodate new procedures and diagnoses; lack of specificity and detail; inconsistent terminology; and lack of codes for preventive services. On the other hand, HHS expects adoption of the ICD-10 code set to support value-based purchasing and reporting of quality data and ensure more accurate payments for new procedures. While HHS believes the new systems will result in significant long-term savings, short-term implementation costs (training, productivity losses, and systems changes) could reach almost $2 billion. The rule is effective October 1, 2013, two years later than provided in the August 22, 2008 proposed rule.

HIPAA Electronic Transactions Standards

On January 16, 2009, HHS published a final rule announcing updated HIPAA electronic transaction standards, including updated versions of the health care transactions standard (i.e., for claims, remittance, and eligibility requests) and the pharmacy claims transactions standard. The rule also adopts a standard for Medicaid pharmacy subrogation transactions, through which state Medicaid agencies recoup payments for pharmacy services when a third party payer has primary financial responsibility. The compliance date is January 1, 2012 (although small health plans have an additional year to comply with the Medicaid pharmacy subrogation standard). Separately, HHS published a notice announcing the Secretary’s recognition of certain Healthcare Information Technology Standards Panel Interoperability Specifications and the standards they contain as ‘‘Interoperability Standards’’ for health information technology.

HIPAA Privacy Rule and the Electronic Exchange of Health Information

On December 15, 2008, the HHS Office for Civil Rights announced new guidance on how the HIPAA Privacy Rule can facilitate electronic health information exchange in a networked environment. In addition, the guidance addresses electronic access by an individual to his or her protected health information and how the Privacy Rule may apply to the use of personal health records.  

CMS Enforcement of HIPAA Security Rule

The HHS Office of Inspector General (OIG) has issued a report entitled "Nationwide Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 (HIPAA) Oversight." By way of background, the HIPAA security rule requires health plans, providers, and other covered entities that transmit health information in electronic form to: (1) ensure the integrity and confidentiality of the information, (2) protect against any reasonably anticipated threats or risks to the security or integrity of the information, and (3) protect against unauthorized uses or disclosures of the information. The OIG found that CMS had no effective mechanism to ensure that covered entities adequately implemented the HIPAA security rule or that electronic protected health information was being adequately protected. The OIG recommended that CMS establish policies and procedures for conducting HIPAA security rule compliance reviews of covered entities. While CMS disagreed with the OIG’s findings, the agency agreed to establish policies for conducting compliance reviews.

HIPAA Guidance Documents

The Department of Health and Human Services (HHS) has published two new HIPAA Privacy Rule guidance documents that discuss when a health care provider may share a patient’s health information with the patient’s family, friends, or others involved in the patient’s care. One guide is designed for health care providers and the other is aimed at consumers.

Proposed Rule Adopting ICD-10-CM

On August 22, 2008, HHS proposed new code sets to be used by the public and private sectors for reporting diagnoses and inpatient procedures in health care transactions under the Health Insurance Portability and Accountability Act (HIPAA) effective October 1, 2011. Specifically, the proposed rule would adopt the International Classification of Diseases, Tenth Revision, Clinical Modification (ICD–10–CM) for diagnosis coding, and the International Classification of Diseases, Tenth Revision, Procedure Coding System (ICD–10–PCS) for inpatient hospital procedure coding. These new codes would replace the International Classification of Diseases, Ninth Revision, Clinical Modification (ICD–9–CM) Volumes 1 and 2, and the International Classification of Diseases, Ninth Revision, Clinical Modification (CM) Volume 3 for diagnosis and procedure codes, respectively. HHS believes the adoption of the ICD-10 code set will: support value-based purchasing by accurately defining services and providing specific diagnosis and treatment information; support comprehensive reporting of quality data; ensure more accurate payments for new procedures; result in fewer rejected and improper claims; and facilitate comparisons to international data. While HHS expects the transition to the new codes to save billions of dollars in the long-term, short-term implementation costs (training, productivity losses, and systems changes) could reach hundreds of millions of dollars. HHS will accept comments on the proposed rule, including the cost/benefit assumptions, until October 21, 2008. 

HIPAA Electronic Transaction Standards

On August 22, 2008, HHS published a proposed rule that would adopt updated versions of the standards for electronic transactions under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The rule also would adopt a transaction standard for Medicaid Pharmacy Subrogation and two standards for billing retail pharmacy supplies and professional services, and would clarify who the “senders” and “receivers” are in the descriptions of certain transactions. HHS will accept comments on the proposed rule until October 21, 2008.  

HIPAA Enforcement Data

HHS has posted new information about its HIPAA privacy enforcement efforts, including state-specific case investigation results and complaint and enforcement data.