HIPAA Highlights: The Larger Compliance Picture

Editor's Note: This is the fourth in a five-part series on modifications to HIPAA recently unveiled by HHS on January 17, 2013.

Included in the Omnibus Rule (the “Final Rule”), issued by HHS on January 17, are provisions detailing the privacy, security, and enforcement rules, which were promulgated as a result of the Health Information Portability and Accountability Act (HIPPA) and expanded upon by the Health Information Technology for Electronic and Clinical Health Act (“HITECH”) Act. The Final Rule encompassed three sets of “Proposed Rules” that spanned from August 24, 2009 to July 14, 2010. The separate final rules included:

• Interim final breach notification rule (August 24, 2009);

• Interim final enforcement rule (October 30, 2009); and

• Proposed privacy, security and enforcement rules (July 14, 2010)

In general, the final rules reinforced the expectations and provisions set forth in the interim and proposed final rules. While some sections of 45 C.F.R. Parts 160 and 164 were changed; overall, the majority of sections either remained unchanged from the interim rules or provided greater detail. These changes and assurance of potential penalties provide both physicians and hospitals with an opportunity to assess their compliance from an enterprise risk management standpoint. This can mean a comprehensive approach by professionals to identify, mitigate, and monitor potential risks within an organization. By doing so for the various aspects of HIPAA/HITECH Act Final Rule implementation and compliance, providers may also discover related areas within the revenue cycle, such as ICD-10 and claims submissions, can be streamlined to reduce the risk of non-compliance and increase revenues.

A recent article in the Healthcare Financial Management Association’s HFM Magazine underscores the notion of strategic assessments enabling the University of Washington Medicine in Seattle to mitigate known risks and implications across the continuum of care. (S. Lucas, HFM Magazine, Preparing for ICD-10 – a system’s opportunity to integrate, pp. 98-104; Jan. 2013; log-in required for access).

Regardless of the initial compliance area being assessed, there is an opportunity for physicians and hospitals alike to look at complimentary initiatives in tandem. Whether an ICD-10 initiative already exists or a HIPAA/HITECH Act compliance is underway, providers should look at the two in a parallel fashion. After all, failing to comply with HIPAA/the HITECH Act, like improper ICD-10 coding, could ultimately impact the final claim submission to Medicare or Medicaid. This is because providers must attest to and certify the “accuracy, completeness, and truthfulness of all data related to the payment.” (42 C.F.R. §423.505(k)(1)). In the CMS Provider Agreements, the entity attests that they comply with all federal laws and regulations designed to prevent waste, fraud and abuse.

This is analogous to Medicare Part D Plan sponsor and subcontractor certifications. (42 C.F.R. §423.505(h)(1)). And, as a recent U.S. Federal District Court highlighted, “CMS regulations require that all subcontracts between Part D Plan sponsors and downstream entities, including pharmacies and PBMs, contain language obligating the pharmacy to comply with all applicable federal laws, regulations, and CMS instructions. (42 C.F.R. § 423.505(i)(4(iv), cited in U.S. ex rel. Spray v. CVS Caremark Corporation, case 2:09-cv-04672-RB, p. 5 (E.D. PA (Dec. 20, 2012)). Because 45 C.F.R. §160.103 expanded the definitions of business associates and subcontractors, and other sections impacted liability; analogously, failing to comply with all aspects of HIPAA/HITECH Act and the Final Rules, could constitute a false claim and have significant consequences.

By assessing HIPAA/HITECH Act and ICD-10 compliance from an enterprise risk management standpoint, medical practices and hospitals can mitigate the risk of submitting claims that render their respective provider agreements inapposite.