- HIPAA - The Health Insurance Portability and Accountability Act (HIPAA) protects the privacy of an individual's health information and governs the way health care providers manage and disclose protected health information (PHI). Healthcare providers must introduce appropriate systems and practices to comply with HIPAA.
- ARRA-HITECH - The Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of the American Recovery and Reinvestment Act (ARRA) expand HIPAA privacy requirements and create new challenges for healthcare privacy and security teams. In particular, the act introduces new regulations governing the confidentiality of EHRs.
- FTC Red Flags Rule - The Federal Trade Commission (FTC) Red Flags Rule requires healthcare providers to institute new systems and practices to combat identity theft. Providers have until June 1, 2010 to comply with this rule.
- State Laws - U.S. healthcare providers must abide by both federal and state regulations. Forty-five states have enacted privacy breach notification laws - many of which are more stringent than federal laws.
- International Regulations - Healthcare privacy rules are not limited to the United States. The European Union and many individual countries and provinces in other parts of the world have implemented patient confidentiality laws.
Medical Document Retention Requirements:
Healthcare providers are bound by federal document retention requirements for certain records relating to encounters with Medicare and Medicaid patients.
Photocopying Fees for Patient Records:
Most states set limits on the fee a provider can charge for releasing copies of a patient's records. A provider that exceeds these limits can, in some situations, face fines and other penalties.
Insurance Prompt Payment Laws:
Delayed reimbursement by health insurers is common and can significantly harm a provider's cash flow. Federal and state legislatures have responded by enacting and enforcing prompt payment laws, which require payers to adjudicate claims and pay the appropriate reimbursement within specific timelines. Healthcare providers should know the prompt payment laws of their own states so that they can enforce their statutory rights and demand the appropriate remedies.
Refund, Deduction and Recoupment of Overpayments:
Insurance overpayment recoupment and refund disputes are another common issue in modern medicine. Most states have enacted refund and recoupment laws which, like prompt payment laws, govern a payer's ability to demand a refund or to recoup previous overpayments. Because payers are becoming more aggressive in demanding repayment, providers should understand their rights under state law.
The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) called for the establishment of standards and requirements for transmitting certain health information to improve the efficiency and effectiveness of the health care system while protecting patient privacy. The Administrative Simplification Regulations have been developed to implement these statutory provisions.
The Privacy Rule:
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
The Security Rule:
The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
Breach Notification Rule:
Interim final breach notification regulations, issued in August 2009, implement section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act by requiring HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act.
The HIPAA Enforcement Rule:
The HIPAA Enforcement Rule contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings. The HIPAA Enforcement Rule is codified at 45 CFR Part 160, Subparts C, D, and E.
Business Associates Provision:
HIPAA will be covering “business associates” of covered entities directly, beginning in February 2010.
Examples of entities that might fall under this newly regulated category are vendors to the health care industry, such as IT providers, billing and phone services, third-party administrators of health plans, and document or data storage companies.
Other Administrative Simplification Rules:
In addition to the Privacy, Security, and Enforcement Rules, the HIPAA Administrative Simplification Rules include the following rules and standards:
Transactions and Codes Set Standards:
Transactions are activities involving the transfer of health care information for specific purposes. Under HIPAA, if a health plan or health care provider engages in one of the identified transactions, it must comply with the standard for that transaction, which includes using a standard code set to identify diagnoses and procedures. The Standards for Electronic Transactions and Code Sets, published August 17, 2000 and since modified, adopted standards for several transactions, including claims and encounter information, payment and remittance advice, and claims status. Any health care provider that conducts a standard transaction must also comply with the Privacy Rule.
Identifier Standards for Employers and Providers:
HIPAA requires health care providers to use standard national numbers that identify them on standard transactions. The National Provider Identifier (NPI) is a unique identification number for covered health care providers; covered providers and all health plans and health care clearinghouses use NPIs in the administrative transactions adopted under HIPAA. The NPI is a 10-position, intelligence-free numeric identifier: the digits carry no information about the provider, such as the state in which they practice or their medical specialty.
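Because an NPI is intelligence-free, the only validation a system can perform on one is structural: ten digits plus the check digit. The following is an added example, not code from the original page or from CMS; it goes slightly beyond the text by using the check-digit scheme CMS publishes for the NPI (the Luhn mod-10 algorithm applied to the NPI prefixed with the constant "80840"), which the page itself does not describe. The sample NPIs and the function names are constructed for this example.

```python
"""Validate the format and check digit of a National Provider Identifier.

Added example, not from the original page. The check-digit scheme is the
CMS-published one: Luhn (mod 10) over the constant prefix "80840" followed
by the ten NPI digits. Sample identifiers below are constructed.
"""
import re

NPI_PREFIX = "80840"          # issuer prefix CMS specifies for the NPI Luhn check
NPI_PATTERN = re.compile(r"^\d{10}$")


def luhn_checksum(digits: str) -> int:
    """Luhn sum of a digit string, mod 10. A result of 0 means the string
    (including its trailing check digit) is consistent."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9        # same as summing the two digits of the product
        total += d
    return total % 10


def npi_check_digit(first_nine: str) -> str:
    """Compute the tenth (check) digit for the first nine digits of an NPI."""
    if not re.fullmatch(r"\d{9}", first_nine):
        raise ValueError("need exactly nine digits")
    # With a placeholder check digit of 0, the real check digit is whatever
    # brings the Luhn sum back to 0 mod 10 (the check position is never doubled).
    partial = luhn_checksum(NPI_PREFIX + first_nine + "0")
    return str((10 - partial) % 10)


def is_valid_npi(npi: str) -> bool:
    """Format plus check-digit validation.

    Nothing else can be derived from an NPI: it is intelligence-free, so there
    is no state, specialty or entity-type field to inspect. A valid check digit
    only says the number is well-formed, not that it is assigned to anyone.
    """
    npi = npi.strip()
    if not NPI_PATTERN.match(npi):
        return False
    return luhn_checksum(NPI_PREFIX + npi) == 0


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed NPI, one with a wrong check
    # digit, one with a non-digit character, one too short.
    for candidate in ("1234567893", "1234567890", "123456789X", "123456789"):
        print(f"{candidate!r}: {'valid' if is_valid_npi(candidate) else 'invalid'}")
    print("check digit for 123456789 ->", npi_check_digit("123456789"))
```

Treat the result as a syntax check only. Confirming that an NPI is actually assigned to the claimed provider requires a lookup against the registry, which this code does not attempt.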
The new penalties for HIPAA violations are as follows:
- $100 minimum per violation if the covered entity was unaware of the violation and would not have known by exercising reasonable diligence
- $1,000 minimum per violation resulting from a “reasonable cause”
- $10,000 minimum per violation for “willful neglect” that is corrected
- $50,000 minimum per violation for “willful neglect” that is not corrected
Fines for multiple violations of an identical provision max out at $1.5 million per calendar year.
CCHIT Time Rule:
Accuracy of time is required by CCHIT as it relates to the Electronic Health Record. Statement by CCHIT:
The system shall provide authorized administrators with the capability to read all audit information from the audit records in one of the following two ways:
- The system shall provide the audit records in a manner suitable for the user to interpret the information. The system shall provide the capability to generate reports based on ranges of system date and time that audit records were collected.
- The system shall be able to export logs into text format and correlate records based on time (e.g., UTC synchronization).
3) HL7 EHR Models and Profiles:
HL7 EHR Interoperability Model:
The HL7 EHR Interoperability Model (EHR/IM) establishes an industry consensus view of "What is EHR Interoperability?" It provides a reference list of characteristics of (and requirements for) interoperable EHR records.
HL7 EHR Functional Model:
The HL7 EHR Functional Model (EHR-S FM) specifies over 160 functions that may be present in an Electronic Health Record System.
HL7 Works in Process:
Current work involves specifying the requirements of a legal EHR. Items under consideration for the HL7 Legal EHR Functional Profile include:
Auditable Records: date and time stamps are important for audit capabilities with standardized time-keeping per the IHE consistent time profile.
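The CCHIT statement above (range-based audit reports, and text export correlated on UTC time) and this HL7 note on standardized time-keeping describe the same underlying requirement: audit records from different systems can only be correlated if every timestamp carries its UTC offset and comparisons are done in UTC. The following is an added example, not code from the original page or from CCHIT, HL7 or IHE; the record layout, field names and log lines are constructed for the example, and it assumes ISO-8601 timestamps.

```python
"""Normalize, query and export audit records on a consistent UTC time base.

Added example, not from the original page. Demonstrates the two CCHIT audit
capabilities (date/time range reports; plain-text export correlated on UTC)
and the consistent-time point in the HL7 legal-EHR note. The pipe-delimited
record format and all sample lines are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List


@dataclass(frozen=True)
class AuditRecord:
    ts: datetime          # always timezone-aware and already converted to UTC
    system: str
    user: str
    action: str
    patient_id: str


def parse_timestamp(raw: str) -> datetime:
    """Parse an ISO-8601 timestamp and convert it to UTC.

    A timestamp with no UTC offset is rejected rather than guessed: without
    the offset the record cannot be placed on the same time line as records
    from another system, which defeats correlation.
    """
    dt = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp lacks a UTC offset: {raw!r}")
    return dt.astimezone(timezone.utc)


def parse_records(lines: Iterable[str]) -> List[AuditRecord]:
    """Parse constructed 'timestamp|system|user|action|patient' lines,
    returning them in UTC time order regardless of source system."""
    records = []
    for line in lines:
        if not line.strip():
            continue
        ts, system, user, action, patient = line.strip().split("|")
        records.append(AuditRecord(parse_timestamp(ts), system, user, action, patient))
    return sorted(records, key=lambda r: r.ts)


def records_in_range(records: List[AuditRecord], start: datetime, end: datetime) -> List[AuditRecord]:
    """Records with start <= ts < end. Bounds must be timezone-aware so the
    comparison is unambiguous; they are converted to UTC before comparing."""
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("range bounds must be timezone-aware")
    start, end = start.astimezone(timezone.utc), end.astimezone(timezone.utc)
    return [r for r in records if start <= r.ts < end]


def export_text(records: List[AuditRecord]) -> str:
    """Plain-text export, one record per line, UTC 'Z' timestamps, time-ordered,
    so exports from several systems can be merged by a simple sort on column 1."""
    return "\n".join(
        f"{r.ts.strftime('%Y-%m-%dT%H:%M:%SZ')} {r.system} {r.user} {r.action} patient={r.patient_id}"
        for r in sorted(records, key=lambda r: r.ts)
    )


# Constructed sample log: the same patient's chart touched by three systems
# reporting in three different UTC offsets on the same day.
SAMPLE_LOG = """
2010-03-01T09:15:00-05:00|ehr-core|dr.lee|VIEW|P001
2010-03-01T14:10:00Z|lab-system|tech.kim|RESULT_POST|P001
2010-03-01T15:20:00+01:00|ehr-core|dr.lee|PRINT|P001
2010-03-02T00:30:00Z|ehr-core|nurse.ng|VIEW|P002
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG.splitlines())
    day = records_in_range(
        recs,
        datetime(2010, 3, 1, tzinfo=timezone.utc),
        datetime(2010, 3, 2, tzinfo=timezone.utc),
    )
    print(export_text(day))
```

Read in local wall-clock order the sample looks as though the clinician viewed the chart (09:15) before the lab result was posted (14:10); in UTC the view at 14:15Z came five minutes after the 14:10Z result. That reversal is exactly what unsynchronized or offset-less timestamps do to an audit trail, and why the export writes every timestamp as UTC.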