American Association of Oral and Maxillofacial Surgeons

Compliance Information

REGULATIONS

The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Description

HIPAA mandates the use of standards for the electronic exchange of health care data; specifies what medical and administrative code sets should be used within those standards; requires the use of national identification systems for health care patients, providers, payers (or plans), and employers (or sponsors); and specifies the types of measures required to protect the security and privacy of personally identifiable health care information.

The HIPAA Breach Notification Rule is part of the Health Information Technology for Economic and Clinical Health Act, which expands upon the Health Insurance Portability and Accountability Act of 1996 to protect the privacy and security of individuals' health information. The rule regulates when and how to notify patients, HHS and, in some cases, the media if health care information has been exposed in a security breach. In addition to the annual notice of breaches to HHS, covered dentists are required to report breaches of unsecured protected health information involving 500 or more individuals to HHS without unreasonable delay, and in no event later than 60 calendar days after discovery of the breach.

Most recently, HHS published proposed rules which would modify the 1996 HIPAA privacy and security rules to incorporate changes Congress included in the 2009 federal economic stimulus package. The proposed changes were mandated by the HITECH Act, which was included in the economic stimulus package and designed to encourage hospitals and physicians to adopt electronic health records. At the time of writing, the draft rule was still open for public comment. The draft rule would allow patients to restrict certain disclosures to health plans and prohibit personal information from being sold without their consent. The rule also proposes treating billing companies, customer service contractors and other businesses the same as physicians, hospitals and insurers, which would subject them to fines and penalties if they violate privacy regulations. Earlier in 2010, HHS significantly increased the maximum penalty for HIPAA violations, to $50,000 per violation and $1.5 million annually. The proposed rule also would grant individuals greater access to their personal data and strengthen the federal Office for Civil Rights' regulatory power over HIPAA's privacy and security provisions.

See timeline, Years

2006, 2007, 2008, 2009, 2010, 2011, 2012

Additional Resources

Forms for providing notice of a breach must be submitted electronically and a separate form must be completed for every breach. Forms may be accessed at http://transparency.cit.nih.gov/breach/.

For more information about submitting breach notification information to HHS, visit http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html

HIPAA 5010 Electronic Standards

Description
  • Health IT departments must be ready to submit claims electronically using the upgraded HIPAA standards by January 2012. That's a year ahead of the October 1, 2013 deadline for the ICD-10 cutover, but the two terminal dates overlap enough so that both upgrades will have to be underway at the same time.
  • The new standards will include more than 500 change requests, resolve contradictions and ambiguities in the existing rules, and make the whole system more consistent.
  • The HIPAA 5010 upgrade will include new data elements, which will require providers to modify their existing EDI transactions software.
  • The Centers for Medicare and Medicaid Services (CMS) has implementation activities underway to convert from Health Insurance Portability and Accountability Act (HIPAA) Accredited Standards Committee (ASC) X12 version 4010A1 to ASC X12 version 5010 and from National Council for Prescription Drug Programs (NCPDP) version 5.1 to NCPDP version D.0.
  • The Secretary of the Department of Health and Human Services (HHS) has adopted ASC X12 version 5010 and NCPDP version D.0 as the next HIPAA standard for HIPAA covered transactions.
See timeline, Years

2009, 2010, 2011, 2012

Additional Resources

The Health Information Technology for Economic and Clinical Health (HITECH Act)

Description

Health information technology helps save lives and lower costs. HITECH has four major goals to advance the use of health information technology (Health IT):

  1. Require the government to take a leadership role to develop standards by 2010 that allow for the nationwide electronic exchange and use of health information to improve quality and coordination of care.
  2. Invest $20 billion in health information technology infrastructure and Medicare and Medicaid incentives to encourage doctors and hospitals to use HIT to electronically exchange patients' health information.
  3. Save the government $10 billion, and generate additional savings throughout the health sector, through improvements in quality of care and care coordination, and reductions in medical errors and duplicative care.
  4. Strengthen Federal privacy and security law to protect identifiable health information from misuse as the health care sector increases use of Health IT.

As a result of this legislation, the Congressional Budget Office estimates that approximately 90 percent of doctors and 70 percent of hospitals will be using comprehensive electronic health records within the next decade.

See timeline, Years

2009, 2010

Additional Resources

Recovery Audit Contractor (RAC) Program

Description

Section 302 of the Tax Relief and Health Care Act of 2006 makes the RAC Program permanent and requires the Secretary to expand the program to all 50 states by no later than 2010.

The RAC demonstration program has proven to be successful in returning dollars to the Medicare Trust Funds and identifying monies that need to be returned to providers. It has provided CMS with a new mechanism for detecting improper payments made in the past, and has also given CMS a valuable new tool for preventing future payments.

See timeline, Years

2006, 2010

Additional Resources

Electronic Prescribing Incentive Program

Description

Section 132 of the Medicare Improvements for Patients and Providers Act of 2008 (MIPPA) authorizes a new and separate incentive program for individual eligible professionals who are successful electronic prescribers (e-Prescribers) as defined by MIPPA.

This new incentive is separate from and is in addition to the quality reporting incentive program authorized by Division B of the Tax Relief and Health Care Act of 2006 - Medicare Improvements and Extension Act of 2006 (MIEA-TRHCA) and known as the Physician Quality Reporting Initiative (PQRI).

Eligible professionals do not need to participate in PQRI to participate in the E-Prescribing Incentive Program.

See timeline, Years

2008, 2009, 2010, 2011, 2012, 2013, 2014

Additional Resources

The Physician Quality Reporting Initiative (PQRI) Program

Description

The 2006 Tax Relief and Health Care Act (TRHCA) (P.L. 109-432) required the establishment of a physician quality reporting system, including an incentive payment for eligible professionals (EPs) who satisfactorily report data on quality measures for covered services furnished to Medicare beneficiaries during the second half of 2007 (the 2007 reporting period). CMS named this program the Physician Quality Reporting Initiative (PQRI).

The Medicare, Medicaid, and SCHIP Extension Act of 2007 (MMSEA), signed by the President on December 29, 2007, authorized the continuation of the PQRI for 2008 and 2009. MMSEA permitted program flexibility for 2008 by authorizing CMS to establish alternative mechanisms to previously established claims-based reporting of PQRI quality data. MMSEA provisions require alternative reporting periods and alternative criteria for satisfactorily reporting quality measures data through medical registries and reporting measures groups. In 2008, eligible professionals may earn an incentive payment of 1.5 percent of their total estimated allowed charges for Medicare Part B PFS covered professional services furnished during the respective reporting periods. While TRHCA established a cap on incentive payments for 2007, based on an average per measure payment amount, MMSEA removed the cap on incentive payments.

The Medicare Improvements for Patients and Providers Act of 2008 (MIPPA) made the PQRI program permanent, but only authorized incentive payments through 2010. Eligible Professionals who meet the criteria for satisfactory submission of quality measures data for services furnished during the 2009 or 2010 reporting period will qualify to earn an incentive payment of 2.0 percent of their total estimated allowed charges for Medicare Part B PFS covered professional services furnished during that same period.

Most recently, the Affordable Care Act (ACA) makes a number of changes to the PQRI, including authorizing incentive payments through 2014 and requiring a penalty, beginning in 2015, for eligible professionals who do not satisfactorily report. Eligible professionals who meet the criteria for satisfactory submission of quality measures data for services furnished during the 2011 reporting period will qualify to earn an incentive payment of 1.0 percent of their total estimated allowed charges for Medicare Part B PFS covered professional services furnished during that same period. For 2012 through 2014, eligible professionals may earn an incentive payment of 0.5 percent of their total estimated allowed charges for Medicare Part B PFS covered professional services furnished during the respective reporting periods. Beginning in 2015, eligible professionals who do not satisfactorily report PQRI measures may be subject to a payment adjustment, or penalty. Specifically, if an eligible professional does not satisfactorily report for the reporting period for the year, the PFS amount for covered professional services furnished by such professional during the year shall be less than the PFS amount that would otherwise apply by 1.5 percent for 2015 and 2.0 percent for 2016 and each subsequent year.

The ACA also authorizes an additional 0.5 percent incentive for 2011 through 2014 for eligible professionals who satisfactorily report and who, more frequently than is required to qualify for or maintain board certification status, participate in a Maintenance of Certification Program (MOCP) for a year and successfully complete a qualified MOCP practice assessment for such year.

See timeline, Years

2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016

Additional Resources

Medicare Provider Enrollment, Chain and Ownership System (PECOS)

Description

The Centers for Medicare and Medicaid Services (CMS) now requires all physicians and non-physician practitioners who are eligible to render and/or order items or services, or refer Medicare beneficiaries to other Medicare providers or suppliers for services, to have current enrollment records in Medicare. A current enrollment record is one that is in the Medicare Provider Enrollment, Chain and Ownership System (PECOS) and also contains the physician/non-physician practitioner's National Provider Identifier (NPI). A physician or non-physician practitioner who renders, orders, or refers and who does not have a current enrollment record that contains the NPI will cause the claim submitted by the Part B provider/supplier who furnished the ordered or referred item or service to be rejected.

See timeline, Years

2011

Additional Resources

Medicare Enrollment Revalidation

Description

CMS will require all Medicare providers to revalidate their enrollment information, regardless of whether they have revalidated their information within the current five-year revalidation timeframe. CMS’ new enrollment procedures are a result of Health Reform initiatives to minimize fraud within the Medicare program. This mandatory enrollment revalidation ties in with CMS’ new provider screening and risk categories to help ensure that only legitimate providers and suppliers are enrolled in Medicare, Medicaid, and CHIP, and that only legitimate claims are paid. CMS stated that physicians who enrolled in Medicare prior to 2003 (the time when the PECOS enrollment system went into effect) and who have not completed a Medicare enrollment application since that time may voluntarily re-enroll. Those who choose not to voluntarily come into compliance will be asked to do so through a revalidation process, which ensures that Medicare has complete and current information on all Medicare providers and suppliers and guarantees continued compliance with Medicare requirements.

CMS has recently extended its revalidation deadline from March 2013 to March 2015. It is critical to note that once a physician receives a request to revalidate, they are given only 60 days to respond to a contractor’s request. Physicians who do not respond to a revalidation request could face revocation of their billing privileges.

See timeline, Years

2011, 2015

Additional Resources

ICD-10-CM Implementation

Description

ICD-10-CM is the new diagnosis coding system that is being developed as a replacement for ICD-9-CM, Volumes 1 & 2. The implementation deadline is October 1, 2013. ICD-10 codes must be used on all HIPAA transactions, including outpatient claims with dates of service, and inpatient claims with dates of discharge on and after October 1, 2013. Otherwise, your claims and other transactions may be rejected, and you will need to resubmit them with the ICD-10 codes. This could result in delays and may impact your reimbursements, so it is important to start now to prepare for the changeover to ICD-10 codes. This change does not affect CPT coding for outpatient procedures.

See timeline, Years

2008, 2009, 2010, 2011, 2012, 2013

Additional Resources

CMS Implementation Handbooks for ICD-10

Description

Beginning October 2013, all entities covered under HIPAA must transition into the complete use of the ICD-10 coding and reimbursement system. Many providers and their staff have questions pertaining to this new coding system. The Centers for Medicare and Medicaid Services (CMS) has created four implementation handbooks to assist in the transition into ICD-10. These handbooks are step-by-step guides specifically for small and medium provider practices, large provider practices, small hospitals, and payers.

The appendix of each handbook references the direct audience and relevant templates which are available for download in both Excel and PDF files below. The templates are customizable and have been created to help entities clarify staff roles, set internal deadlines/responsibilities and assess vendor readiness.

See timeline, Years

2011

Additional Resources

2012 OIG Work Plan

Description

The Health and Human Services (HHS) Office of the Inspector General (OIG) is responsible for policing all HHS agencies, including fighting fraud and abuse. The OIG conducts investigations in conjunction with other law enforcement agencies such as the Federal Bureau of Investigation (FBI), U.S. Postal Inspection Service and various state Medicaid Fraud Control units. Responsibilities include auditing, investigating and inspecting HHS programs and operations; identifying program weaknesses; leading activities to prevent fraud and abuse from occurring; and finding wrongdoers and abusers of HHS programs and applying sanctions when necessary. The OIG may investigate individuals, facilities and entities for services claimed but not rendered or not medically necessary, claims that manipulate codes in an effort to inflate reimbursement amounts and other false claims submitted to obtain program funds.

See timeline, Years

2011

Additional Resources

Accountable Care Organizations

Description

ACOs are groups of doctors, hospitals, and long-term care facilities who come together voluntarily to provide high quality care to the Medicare patients they serve. The intention is that the coordinated care these ACOs provide will ensure patients, especially the chronically ill, get the right care at the right time, with the goal of avoiding unnecessary duplication of services and unnecessary costs. When an ACO succeeds in both delivering high quality care and spending health care dollars more wisely, it will share in the savings it achieves for the Medicare program.

See timeline, Years

2011, 2012

Additional Resources

Predictive Modeling

Description

Predictive Modeling systems use step-by-step procedures and other calculative methods to predict fraudulent provider enrollment records and stolen provider/beneficiary identification numbers.

Predictive Modeling is building on the new anti-fraud tools and resources provided by the Affordable Care Act to help move CMS beyond its former payment recovery operations to a new approach. This approach focuses on preventing fraud and abuse before a payment is ever made.

See timeline, Years

2011

Additional Resources

Electronic Medical/Health Records — Standards

Description

By harmonizing standards, different information systems, networks, and software applications will be able to "speak the same language" and work together technically to manage and use consistent, accurate, and useful health information for providers and consumers.

The Office of the National Coordinator established the Health Information Technology Standards Panel (HITSP), a public-private partnership with broad participation across more than 300 health related organizations, to identify and harmonize data and technical standards for healthcare. HITSP operates with an inclusive governance model established through the American National Standards Institute (ANSI).

See timeline, Years

2011, 2013, 2015

Additional Resources

Electronic Medical/Health Records — Meaningful Use

Description

The American Recovery and Reinvestment Act authorizes the Centers for Medicare & Medicaid Services (CMS) to provide a reimbursement incentive for physician and hospital providers who are successful in becoming "meaningful users" of an electronic health record (EHR). These incentive payments begin in 2011 and gradually phase down. Starting in 2015, providers are expected to have adopted and be actively utilizing an EHR in compliance with the "meaningful use" definition or they will be subject to financial penalties under Medicare.

The Meaningful Use proposed rule included a set of objectives -- 23 for hospitals and 25 for clinicians -- health care providers must meet to demonstrate meaningful use. In response to comments from some stakeholders that the "all-or-nothing" approach was too demanding and inflexible, CMS divided the objectives into two groups: a core set of objectives -- 14 measures for hospitals and 15 measures for physicians and "eligible providers" -- that must be met and a set of 10 additional tasks from which providers can choose any five to implement during Stage 1 of the federal incentive payment program.

  • In addition, CMS lowered the bar for achievement for certain objectives. To achieve the electronic prescribing objective, for example, physicians are required to transmit 40% of their prescriptions electronically, down from 75% in the proposed rule.
  • Modifying the definition of hospital-based physicians to conform with the Continuing Extension Act of 2010 to allow hospital-based providers to qualify for meaningful use incentive payments;
  • Including critical access hospitals in the definition of acute care hospital for the purpose of incentive program eligibility under Medicaid;
  • The addition of an objective for providing patient-specific educational resources for eligible providers and hospitals; and
  • Adding an objective for recording advance directives for hospitals.
  • According to the economic analysis of the final rule, Medicaid and Medicare incentive payments under the program will range from $9.7 billion to $27.4 billion for 2011 through 2019.

Federal officials will release additional information on the Stage 2 and Stage 3 meaningful use requirements over the next few years.

See timeline, Years

2009, 2010, 2011, 2013, 2015

Additional Resources

Electronic Medical/Health Records — Certification

Description

With the emergence of health information technology (health IT) and the demonstrated benefits of the electronic management of health information, purchasers and other users of health IT systems need to be assured that the systems will: (1) provide needed capabilities; (2) securely manage information and protect confidentiality; and (3) work with other systems without reprogramming. Health IT certification can provide this assurance, increasing the confidence that healthcare professionals have in health IT systems when they make purchase decisions and the confidence that consumers have that their information is secure and appropriately available.

See timeline, Years

2009, 2010, 2011, 2015

Additional Resources

Federal Trade Commission (FTC) — Breach Notification Guidance

Description

The FTC Breach Notification Rule requires compliance by vendors of Personal Health Records (PHR), such as web-based repositories used for tracking an individual's health information and entities offering third-party applications for PHRs, such as information uploaded from a blood pressure cuff or pedometer. The final FTC Breach Notification Rule clarifies that it applies both to vendors of PHR and related entities, irrespective of any jurisdictional tests. Consequently, a wide variety of entities are subject to its requirements.

The FTC Breach Notification Rule does not apply to HIPAA-covered entities or business associates, including for example, instances involving physicians who offer a PHR to their patients. To avoid consumers receiving duplicate notices for the same breach, the FTC clarifies that if a PHR vendor is both a business associate and deals directly with consumers, it need not notify a customer receiving a breach notification on behalf of a HIPAA-covered entity.

See timeline, Years

2009, 2010

Additional Resources

Federal Trade Commission (FTC) — Red Flags Rule

Description

Under the Red Flags Rules, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs — or "red flags" — of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any service providers.

See timeline, Years

2009, 2010

Additional Resources

Office of the National Coordinator for Health Information Technology Extension Program

Description

Encourage adoption of EHRs by clinicians and hospitals; assist clinicians and hospitals to become meaningful users of EHRs; and increase the probability that adopters of EHRs will become meaningful users.

Assistance with the implementation, effective use, upgrading and ongoing maintenance of HIT, EHRs, to healthcare providers nationwide; broad participation of individuals from industry, state government and universities; active dissemination of best practices, participation, utilization and integration of health information.

Development of regional centers for all providers to access information and assistance.

See timeline, Years

2009

Additional Resources

LEGISLATION

The Patient Protection and Affordable Care Act (PPACA)

Description

On March 23, 2010, the President signed the Patient Protection and Affordable Care Act (PPACA). This Act will provide quality affordable health care for Americans, improve the role of public programs, improve the quality and efficiency of health care, and prevent chronic disease and improve public health. The Patient Protection and Affordable Care Act of 2010 - CMS Provisions download contains information on CMS published regulations, CMS policy instructions, key implementation dates, and other accomplishments that relate to PPACA as of July 23, 2010.

See timeline, Years

2010

Additional Resources

Health Care and Education Reconciliation Act

Description

On March 30, 2010, the President signed the Health Care and Education Reconciliation Act amending the Patient Protection and Affordable Care Act signed the week prior.

See timeline, Years

2010

Additional Resources