HIPAA Compliance and HiTECH Act

In 1996 the Health Insurance Portability and Accountability Act (HIPAA) was signed into law. It consists of Privacy, Security and Enforcement rules that pertain to the policies and procedure of all medical practices and healthcare providers.

With the passage of HIPAA, the federal government sets the standard for protecting sensitive patient data. Any company that deals with protected health information (PHI) – which is to say ALL HEALTHCARE PROVIDERS AND ALL PATIENT RECORDS – must ensure that all the required physical, network, and process security measures are in place and followed. Failure to do so will result in significant fines and penalties – and possibly criminal charges – imposed and/or brought by both HHS and states’ attorneys general.

To add to the concerns of providers, insurance companies are starting to refuse coverage to any practice that cannot demonstrate a high level of HIPAA compliance. Contact us to find out how compliant your practice or business is.

HiTECH

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009 contains, among its many provisions, the final rule on breach notification, requiring disclosure of all protected health information (PHI). It also extended the scope of HIPAA’s privacy and security protections, and imposed mandatory penalties for noncompliance; it significantly increases the potential legal and financial liability for non-compliance; and it provides for more stringent enforcement.

The HITECH Act’s requirements become effective gradually beginning in 2010. At various intervals, additional requirements become effective until all of the Act’s requirements must have been put in place by all providers by 2020. Penalties for failing to comply are assessed on a per-event and per-patient record basis and range as high as $1.5 million in a calendar year.

Audits to ascertain the level of compliance by providers are scheduled to begin in 2015.

Full Spectrum Networks can assess your practice’s policies and procedures, and your network security as well as advise you on what must be done to bring your practice into compliance. To schedule a call or meeting with our assessment professionals, click .

Meaningful Use

The HITECH Act supports the concept of electronic health records – meaningful use [EHR-MU], established by the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC). Meaningful Use is defined by the use of certified EMR/EHR technology in a meaningful manner (for example electronic prescribing); ensuring that the certified EMR/EHR technology is connected in a manner that provides for the electronic exchange of health information to improve the quality of care; and that in using certified EMR/EHR technology the provider must submit to the Secretary of Health & Human Services (HHS) information on quality of care and other measures.

CMS established an incentive payment to providers, who can demonstrate that they have engaged in efforts to adopt, implement or upgrade certified EMR/EHR technology. In order to encourage widespread EMR/EHR adoption, promote innovation and to avoid imposing excessive burden on healthcare providers, meaningful use was established using a phased approach, which is divided into three stages to be implemented in 2011, 2013 and 2015 respectively. The incentive payments range from $44,000 over 5 years for the Medicare providers and $63,750 over 6 years for Medicaid providers (starting in 2011). Participation in the CMS EHR incentive program is totally voluntary, however, if eligible providers (“EPs”) and eligible hospitals (“EHs”) fail to join in by 2015, there will be negative adjustments to their Medicare/Medicaid reimbursement fees starting at 1% reduction and escalating to 3% reduction by 2017 and beyond.

Audits

Audits begin n 2015 and every healthcare provider – physicians, dentists, optometrists, assisted living facilities, home healthcare providers, psycologists, etc. – and business associate (suppliers, vendors, etc.) is a potential target for an audit. The Office of Civil Rights (“OCR”) is responsible for selection of the entities that will be audited. OCR will audit as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses may all be considered for an audit.

General Timeline

When a covered entity is selected for an audit, OCR will notify the covered entity in writing. The OCR notification letter will introduce the audit contractor, explain the audit process and expectations in more detail, and describe initial document and information requests. It will also specify how and when to return the requested information to the auditor. OCR expects covered entities and business associates who are the subject of the audit to provide requested information within 10 business days of the request for information.

OCR expects to notify selected covered entities between 30 and 90 days prior to the anticipated onsite visit. Onsite visits may take between 3 and 10 business days depending upon the complexity of the organization and the auditor’s need to access materials and staff. After fieldwork is completed, the auditor will provide the covered entity with a draft final report; a covered entity will have 10 business days to review and provide written comments back to the auditor. The auditor will complete a final audit report within 30 business days after the covered entity’s response and submit it to OCR.

In order to assure that you are best prepared to withstand an audit, your practice’s network security and HIPAA-required policies and procedures MUST be up to date. Call Full Spectrum Networks for an assessment of your practice’s or business’ level of compliance and a detailed report on any existing issues.