Long-awaited HIPAA changes coming soon to a practice near you

Just when you thought you had a good handle on the patient security and privacy rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), here comes some new ones.

The U.S. Department of Health and Human Services on Jan. 17 announced a final “omnibus” rule that it said would strengthen patient privacy protections, give patients greater control over their health records, and beef up the government’s ability to enforce the regulations.

The new rules go into effect March 26. Practices and others governed by HIPAA must comply with the regulations by Sept. 23.

While experts continue to parse through the new rules ­­– the entry in the Federal Register is 563 pages long – here are some immediate takeaways for family medicine practices:

• Requirements of privacy and security will now extend to a practice’s business associates, such as contractors and sub-contractors, making them directly liable for violations. So practices that have business associates working on their behalf need to have contracts or other arrangements to ensure they’re following the Privacy Rule and Security Rule in regards to protected health information.

• Notification requirements have been strengthened to clarify when security breaches must be reported.

• Patients can now ask for a copy of their medical record in an electronic format. Practices should develop new policies and prepare their staff to accommodate patients requesting these electronic copies.

• If a patient pays in cash, they can request that their provider not share information about their treatment with their health insurer. Practices will need to prepare their registration and billing staff to handle patient requests for this.

• There are new rules limiting how a provider can use patient information for marketing and fundraising efforts. Practices that use patient information for these activities will need to make sure they’re compliant before proceeding.

• Patients will face a much more streamlined process for authorizing the use of their information for research purposes. This makes it easier for parents and guardians to give permission to share proof of a child’s immunization with schools.

For a refresher on HIPAA and how practices should comply with the law, here’s a collection of Family Practice Management articles on the subject: http://www.aafp.org/fpm/hipaa. 

– Renae Moch, MBA, CMPE, practice management strategist for the AAFP, contributed to this story.

Posted at 07:27PM Jan 18, 2013 by David Twiddy, Associate Editor  |  Comments[0]

Timeline of regulations affecting physicians

Need help keeping track of all the legislative and compliance deadlines affecting your medical practice? Family Practice Management has compiled the following timeline, which will be updated regularly.

2011

Jan. 1: Medicare bonus for primary care
Primary care physicians will begin receiving a 10-percent quarterly bonus from Medicare if at least 60 percent of their Medicare charges are for primary care services. The bonus ends Dec. 31, 2015.

Jan. 1: E-Prescribing
The 2011 bonus payment for successful participation in Medicare’s e-prescribing incentive program is 1 percent, with a 1-percent payment reduction for those who do not comply.

Jan. 1: PQRI
The 2011 incentive for participation in the PQRI program is 1 percent; an additional 0.5 percent incentive is available for participation in a continuous assessment program, such as maintenance of certification.

Jan. 1: Meaningful Use
Beginning in 2011, physicians who demonstrate meaningful use of electronic health records could qualify for up to $44,000 in Medicare incentive payments.

March 31: PQRI
This is the last day to submit data for the 2010 PQRI and be eligible for a 2-percent Medicare bonus.

Oct. 1: ICD-9
New ICD-9 codes and revisions go into effect for 2011-2012.

Dec. 31: HIPAA
Providers must have completed external testing of the HIPAA version 5010 electronic standards with their business partners.

2012

Jan. 1: E-Prescribing
The 2012 bonus payment for successful participation in Medicare’s e-prescribing incentive program is 1 percent, with a 1 percent payment reduction for those who do not comply.

Jan. 1: PQRI
The 2012 incentive for participation in the PQRI program is 0.5 percent; an additional 0.5 percent incentive is available for participation in a continuous assessment program, such as maintenance of certification.

March 31: HIPAA
Providers must begin using the HIPAA version 5010 electronic standards when submitting claims to Medicare and private payers.

2013

Jan. 1: E-Prescribing
The 2013 bonus payment for successful participation in Medicare’s e-prescribing incentive program is 0.5 percent, with a 1.5 percent payment reduction for those who do not comply.

Jan. 1: PQRI
The 2013 incentive for participation in the PQRI program is 0.5 percent; an additional 0.5 percent incentive is available for participation in a continuous assessment program, such as maintenance of certification.

Jan. 1: Medicaid payments
In 2013 and 2014, all Medicaid payments for primary care services will be increased so that they are at least equal to Medicare payments.

Oct. 1: ICD-10
ICD-10-CM goes into effect.

2014

Jan. 1: E-Prescribing
Bonus payments for successful participation in Medicare’s e-prescribing incentive program cease; a 2-percent payment reduction begins for those who do not comply.

Jan. 1: PQRI
The 2014 incentive for participation in the PQRI program is 0.5 percent; an additional 0.5 percent incentive is available for participation in a continuous assessment program, such as maintenance of certification.

2015

Jan. 1: Meaningful Use
Providers who have failed to demonstrate meaningful use of electronic health records will be penalized with a 1-percent Medicare payment reduction.

Jan. 1: PQRI
A 1.5 percent penalty goes into effect for providers who do not participate in the PQRI program.

Dec. 31: Medicare bonus for primary care
The 10-percent Medicare bonus for primary care physicians ends.

2016

Jan. 1: Meaningful Use
Providers who have failed to demonstrate meaningful use of electronic health records will be penalized with a 2-percent Medicare payment reduction.

Jan. 1: PQRI
A 2-percent penalty goes into effect for providers who do not participate in the PQRI program.

2017

Jan. 1: Meaningful Use
Providers who have failed to demonstrate meaningful use of electronic health records will be penalized with a 3-percent Medicare payment reduction. (The Secretary of Health and Human Services has the option of extending the penalty beyond 2017 and increasing the amount to a maximum of 5 percent if fewer than 75 percent of physicians are using EHRs.)

Posted at 05:06PM Jun 15, 2010 by Brandi White, Senior Editor  |  Comments[0]

Red Flags rule deadline delayed ... again

The Federal Trade Commission (FTC) has announced that it will again delay enforcement of the identity theft Red Flags rule that was scheduled to take effect June 1. The new deadline is Dec. 31.

According to the FTC's press release, the request for the delay came from members of Congress who wanted more time to consider how entities covered by the rule would be affected.

This is the third time the deadline has changed. The original deadline was Aug. 1, 2009.

Posted at 10:24AM Jun 04, 2010 by Lynn Hofeldt  |  Comments[0]

Three new HIPAA rules take effect this month

Over the next two weeks, three significant HIPAA changes mandated by the Health Information Technology for Economic and Clinical Health Act will take effect. Is your practice ready?

Beginning Feb. 17, your practice's "business associates" (i.e., any organization to which your practice submits electronic patient information) must comply with the HIPAA security rule, and your agreements with these entities must be amended to reflect their new obligations. Your agreements should outline the responsibilities of each party in the event of a breach, including how long the business associate has to report a breach to your practice once it has been discovered and who will cover the costs of notifying patients about a breach.

Beginning Feb. 18, if a patient is paying in full out of pocket for health care services, he or she may request that your practice not disclose his or her medical information to a health plan or other entity, including state pharmacy registries. You must comply with these requests.

Beginning Feb. 22, enforcement of the Breach Notification Rule goes into effect. The rule requires HIPAA-covered entities (e.g., physicians, hospitals and health plans) and their business associates to notify patients of breaches of their health information. For breaches involving 500 people or less, you must provide written notice to each affected individual, describing the nature of the breach, the type of patient information disclosed, steps they can take to protect themselves and steps your practice is taking to remedy the situation. If the breach affects more than 500 individuals, you must notify prominent media outlets in the area and must immediately report the incident to the Department of Health and Human Services.

Posted at 09:53AM Feb 12, 2010 by Brandi White, Senior Editor  |  Comments[0]