The Department of Health & Human Services (HHS) has announced changes for two important compliance mandates. A short-term extension of an additional 90 days delays the enforcement of HIPAA 5010 standards until June 30, 2012. A more far-reaching compliance change involves a proposed rule to delay until October 1, 2014, implementation of ICD-10-CM/PCS, which was originally scheduled for October 1, 2013.
The Centers for Medicare and Medicaid Services (CMS) announced that the extension for enforcement of 5010 was based upon industry feedback, which revealed that testing between some covered entities and their trading partners had not yet reached a threshold that would allow them to meet an earlier compliance date. The CMS Office of E-Health Standards and Services (OESS) also stated that it had received reports that many covered entities are still awaiting software upgrades.
Under pressure from the AMA, MGMA, and several other groups, HHS Secretary Kathleen G. Sebelius introduced on April 9, 2012, a proposed rule that the ICD-10 implementation requirements be extended until October 1, 2014.
“ICD-10 codes are important to many positive improvements in our healthcare system,” Secretary Sebelius said. “We have heard from many in the provider community who have concerns about the administrative burdens they face in the years ahead, and we are committed to working with providers to reexamine the pace at which HHS and the nation implement these important improvements to our healthcare system.” ICD-10 codes provide more specificity for diagnoses and procedures, requiring precise medical record documentation, and are designed to help improve patient care and accuracy in reimbursement, as well as fraud detection and patient non-compliance.
HHS stated that all covered entities must be compliant with ICD-10 at the same time in order to ensure a smooth transition to the new code sets and that failure of one industry segment to achieve compliance would negatively impact all other industry segments, which would result in rejected claims and provider payment delays. HHS considered three main issues in the deadline extension, including realization that the transition to 5010 has not been as smooth as expected, many surveys still show a lack of readiness by providers and payers for the transition, and providers are concerned about a lack of resources due to investment in competing statutory initiatives. In addition to extending ICD-10 implementation, the proposed rule includes directives for adoption of new standards for a Unique Health Plan Identifier, as well as a National Provider Identifier.
Healthcare providers are also awaiting the final Health Information Technology for Economic and Clinical Health Act (HITECH) regulations amending the HIPAA privacy and security regulations. Although the Final Rule was expected at the end of 2011, the HHS Office of Civil Rights (OCR) is still addressing numerous policy reviews and responding to more than 300 comments it has received, so the Final Rule for HITECH has not yet been released.
Despite the ongoing delay in HITECH, covered entities and business associates should continue to review, update, and implement their HIPAA privacy and security policies and procedures with diligence. Some key HIPAA privacy and security components include:
Disclosure of PHI (Protected Health Information) is permitted only when used for treatment, payment, and operations (TPO), except when records are subpoenaed, required by law, or requested by public agencies such as the FDA or law enforcement.
Under HIPAA, patients have the right to review their records and to request a copy. According to Kentucky statutes the first copy is free, with a modest charge allowed for additional copies.
When releasing records, only the minimum information necessary to respond to the inquiry should be released and a log documenting to whom the records were released is required.
No consent is required when PHI is released for public health activities, such as to the FDA for drug efficacy, public health concerns, or cases involving abuse, neglect, and domestic violence, although release documentation must be logged.
Third-party entities, including attorneys, accountants, and billing companies, who have access to PHI are required to have Business Associate Agreements with Covered Entities (CE) in order to protect against inappropriate disclosure of PHI, and they must return or destroy any records containing PHI upon conclusion of their contracts with the Covered Entities.
Privacy Notices must be posted in patient waiting areas and patient acknowledgement of receipt of Privacy Practices must be retained in the patient’s medical record.
HIPAA disclosure logs must be maintained for at least six years. A Covered Entity must also maintain privacy policies and procedures, privacy notices, and records for disposition of any complaints for six years after the last effective date.
The HITECH Final Rule will definitely address increased enforcement for protection of patient health information, especially with respect to breach notification regulations, which require Covered Entities and Business Associates to report a breach of unsecured PHI, including loss or theft of unsecured PHI. Stronger enforcement of breach reporting is mandated under the HITECH Act final regulations, along with provisions for civil and criminal penalties. Prior to release of the Final Rule, self audit of HIPAA policies and practices is strongly encouraged.
Formerly, government audits were only conducted when breaches were reported; however, investigations are now being conducted randomly. The audit services firm KPMG began random audits in January of 2012, under a $9 million contract with the HHS Office for Civil Rights. Initially the audits will focus on Covered Entities of various sizes, with only 10 business days allowed for provision of the requested documentation. According to attorney and HITECH expert, William O’Toole, “mandatory penalties will be imposed for willful neglect on the part of the health care provider. It is not possible to explain today what ‘willful neglect’ could be interpreted to mean in the future, but sound advice to providers includes once again a careful review of your existing policies and procedures with regard to the protection of patient information.”
Helpful websites for further information regarding HIPAA can be found at: www.hhs.gov/ocr/privacy/hipaa/understanding.html
Patricia Cordy Henricksen, MS, CHCA, CPC-I, CPC, CCP-P, PCS, ACS-PM, is the Executive Vice President of Medical Services, www.soterionmedical.com