HIPAA 2023!

HHS Proposed Rule – electronic transactions and privacy rule enforcement action.

For horse racing aficionados, the phrase, “and they’re off” should ring a bell! One week into 2023 and attention is being placed on HIPAA and the HITECH Act.

First, on January 3, 2023, HHS-OCR announced another settlement under its Right of Access Initiative, bringing the total resolutions to 43. Three aspects of this $16,500 settlement, for not providing patients their medical records in a timely manner, are notable:

  1. The entity that paid the fine and entered into a corrective action plan (CAP) is a full-service diagnostic laboratory;
  2. The length of time between the initial request by a patient’s legal representative and the receipt of the records was seven (7) months (NOTE: federal HIPAA’s timeframe is 30 days, unless there is a good faith basis for an additional 30-day extension, then the time allotted is 60 days); and
  3. The CAP includes two (2) years of monitoring by HHS-OCR.

Second, comments are being sought until March 21, 2023 regarding the Centers for Medicare & Medicaid Services (CMS)-issued proposed rule, Adoption of Standards for Health Care Attachments Transactions and Electronic Signatures, and Modification to Referral Certification and Authorization Transaction Standard (CMS-0053-P). (87 Fed. Reg. 78438 (Dec. 22, 2022)). Although the primary purpose of this proposed rule is to implement requirements related to HIPAA and the Affordable Care Act (ACA), one area to note is the potential impact on Stark Law, Anti-Kickback Statute (AKS), and False Claims Act (FCA) scrutiny because it proposes the adoption of “a modification to the standard for the referral certification and authorization transaction (X12 278) to move from Version 5010 to Version 6020.” Referrals are the sine qua non of scrutiny under the Stark Law, AKS, and FCA. Importantly, not all referrals are impermissible. Also, as stated on CMS’ website, “[a]ny provider who accepts payment from any health plan or other insurance company must comply with HIPAA if they conduct the adopted transactions electronically.”

Other key provisions of the proposed rule include the following:

  1. Implement requirements of the Administrative Simplification subtitle of HIPAA and ACA such as adopting standards for “health care attachments” transactions related to supporting health care claims and prior authorization transactions;
  2. Adopt a standard for electronic signatures to be used with health care attachments transactions; and
  3. “Section 1175 of the Social Security Act prohibits health plans from delaying the transaction, or adversely affecting or attempting to adversely affect, a person or the transaction itself on the ground that the transaction is in standard format.”

HIPAA, cybersecurity, as well as enforcement of fraud, waste, and abuse laws, will remain a priority for HHS, the Department of Justice, and other government agencies in 2023. Compliance and risk management are essential to avoiding potential government investigations, adverse actions, and legal proceedings.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.