On July 8, the Department of Health and Human Services (HHS) released a proposed rule to modify the HIPAA privacy, security, and enforcement rules, extending HIPAA compliance requirements to subcontractors of business associates (BA) and strengthening patient rights to health information privacy.
According to the Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules for HHS, the proposed ‘significant’ modifications include:
- A requirement that BAs of HIPAA-covered entities be under most of the same rules as the covered entities
- New limitations on the use and disclosure of protected health information (PHI) for marketing and fundraising purposes
- Prohibition of the sale of PHI without an authorization
- Expansion of individuals’ rights to access their information and to restrict certain types of disclosures of PHI to health plans
- Provisions that strengthen and expand HIPAA’s enforcement rule
HHS will receive comments for up to 60 days after the proposed rule’s July 14 publication in the Federal Register, after which it will release an interim final rule. According to HHS, it will give covered entities and BAs 180 days after the final rule becomes effective to comply with most of the provisions.
The HHS Office of the National Coordinator for Health Information Technology (ONC) released a final rule June 18 establishing a certification program for health information technology. The rule describes the temporary certification program for EHRs, and what organizations need to do to be authorized to test and certify EHR technology.
“[EHR technology certification] assures healthcare providers that the EHR technology they adopt has been tested and includes the required capabilities they need in order to use the technology in a meaningful way to improve the quality of care provided to their patients,” according to the June 18 HHS press release.
The rule specifically establishes a temporary certification program that will help ensure the availability of certified technology prior to October, when some providers become eligible for EHR meaningful use incentive payments. It also states that a permanent program that will eventually replace the temporary one, according to the ONC.
To qualify for incentive payments organizations must use certified technology per the Medicare and Medicaid EHR Incentive Programs provisions. The program was authorized in the 2009 Health Information Technology for Economic and Clinical Health Act enacted as part of the American Recovery and Reinvestment Act.
The final rule takes effect June 24, when it will be published in the Federal Register. The ONC expects to release the permanent certification program final rule later this fall, according to the press release.
The Centers for Medicare & Medicaid Services (CMS) has revised the interpretive guidelines for anesthesia delivered in hospitals. The changes focus on the differences between anesthesia and analgesia services, where the patient does not lose consciousness.
The memo released by CMS provides hospitals with information on what practitioners may provide anesthesia services, what hospital policies should include regarding who is allowed to administer these services, guidelines on the supervision of anesthesiology assistants, and a list of information that must be included in a patient’s anesthesia record.
The May 25 issue of the Federal Register includes a notice of proposed changes to the Medicare and Medicaid Conditions of Participation (CoPs) regarding the credentialing and privileging of telemedicine providers.
The proposed rule would permit the governing body at a hospital where a patient is receiving telemedicine services to rely on information from a hospital where the provider is currently privileged (distant-site) when making its own privileging decisions. In order to rely on information from the distant-site, the hospital where services are being received must ensure that
- “the distant-site hospital providing the telemedicine services is a Medicare-participating hospital;
- the individual distant-site physician or practitioner is privileged at the distant-site hospital providing telemedicine services, and that this distant-site hospital provides a current list of the physician’s or practitioner’s privileges;
- the individual distant-site physician or practitioner holds a license issued or recognized by the State in which the hospital, whose patients are receiving the telemedicine services, is located; and
- with respect to a distant-site physician or practitioner granted privileges by the hospital, the hospital has evidence of an internal review of the distant-site physician’s or practitioner’s performance of these privileges and sends the distant-site hospital this information for use in its periodic appraisal of the individual distant-site physician or practitioner.”
The proposed rule would also require that the periodic review information submitted to the distant-site include adverse events and complaints received about the physician or practitioner.
The proposed rule was created to address the redundant collection of information at both the distant-site and the site where services are received.
CMS is collecting comments through July 26.
For more information, click here:
http://edocket.access.gpo.gov/2010/pdf/2010-12647.pdf
The Office for Civil Rights (OCR) published a request for information seeking comments to better inform upcoming rulemaking that will expand an individual’s right to receive an accounting of disclosures under the HIPAA Privacy Rule. Currently, the HIPAA Privacy Rule does not require a covered entity to list disclosures to carry out treatment, payment, and health care operations.
However, the Health Information Technology for Economic and Clinical Health (HITECH) Act provides that an individual has a right to receive information about disclosures made through a covered entity’s electronic health record for purposes of carrying out treatment, payment, and health care operations.
This request for information seeks comments so that OCR can learn more about the interests of individuals and the burden on covered entities with respect to accounting for disclosures for purposes of treatment, payment, and health care operations. The request for information is available at: http://edocket.access.gpo.gov/2010/pdf/2010-10054.pdf
In its semi-annual regulatory agenda in the Federal Register Monday, the Department of Health & Human Services (HHS) announced that modifications to the HIPAA privacy, security and enforcement rules will be coming in May.
HHS did not detail exactly which proposed rules would be released, but regulations expected to be issued include the following:
- Business associate (BA) liability
- New limitations on the sale of personal health information, marketing, and fundraising communications
- Stronger individual rights to access electronic medical records and restricting the disclosure of certain information
Watch the von Briesen Health Law Blog for further updates.
As part of the Patient Protection and Affordable Care Act signed into law on March 23, 2010, insurance companies will now be barred from imposing pre-authorization requirements on EMTALA care. The Act also requires insurers to pay hospitals not under contract with them for EMTALA services on the same basis as they pay their own in-network hospitals.
Under the new law, insurance plans cannot (1) require a prior authorization for screening and stabilization services as defined under EMTALA; (2) impose any requirement or condition on a non-contracted hospital that is more restrictive than those it imposes on hospitals with contracts; (3) impose different coinsurance or copayment requirements on non-network hospitals than they impose on in-network hospitals; or (4) apply any other coverage restriction (other than otherwise permissible cost-sharing and pre-existing condition exclusions).
The new provision does not apply to services provided in an emergency department if those services are not required to determine whether an “emergency medical condition” exists and to stabilize such a condition.
The new requirements for insurance payment for EMTALA services become effective on or after September 23, 2010.
OCR recently issued a “HITECH Act Rulemaking and Implementation Update” on its website, confirming it expects to release proposed rules regarding privacy and security provisions of HITECH. OCR did not say when it will release the rules, but did say it will release the provisions through notice and comment rulemaking.
The Joint Commission’s (TJC) Board of Commissioners has approved the Task Force revision of MS.01.01.01 (formerly MS.1.20) for implementation.
MS.01.01.01 will be effective beginning March 31, 2011, and TJC will be releasing educational documents in the next few days to help facilities understand the standard and how to implement it. There are also plans to hold an audio-conference in April, which will allow participants to ask TJC staff specific implementation questions.
Feedback from TJC’s field review, which ended earlier this year, revealed that sixty-six percent of respondents thought that the Task Force’s revision was a positive improvement, four percent thought it was worse, and the remaining respondents wanted more clarification.
Continue to check vonbriesenhealth.com for further updates.
On March 1, 2010, changes to section 1921 of the Social Security Act will go into effect. Section 1921 is intended to provide increased protection against unfit and fraudulent healthcare providers. The new rule expands the information contained in the National Practitioner Data Bank (NPDB) to include adverse licensure actions taken against all licensed healthcare practitioners by state and federal licensing agencies, peer review organizations, and private accreditation organizations. Under the rule, this data will be available for the first time to non-federal institutions. As the NPDB is recognized as one of the main credentialing resources, these changes have raised a lot of questions among medical services professionals.
Click here to view the Federal Register, which includes charts that offer a side-by-side comparison of the HCQIA (NPDB), Section 1921 (NPDB), and Section 1128E (HIPDB) to answer the questions:
- Who reports?
- What information is available?
- Who can query?
