September 23, 2013. Today is the day that many of those who use protected health information (PHI) must comply with new Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, which went into effect 180 days ago.
If you use PHI in your work, hopefully by now you are aware of those changes. For the first time, Privacy and Security rules apply not only to covered entities and business associates, but also to subcontractors who provide services to those business associates. This includes the security breach notification requirements when PHI is compromised.
An HHS press release earlier this year noted, “Some of the largest breaches reported to HHS have involved business associates.” With the expanded scope of the rules, look for more enforcement actions in the future.
These exchanges are insurance markets created under the Affordable Care Act in which consumers can buy individual policies and obtain subsidies to assist with premiums.
Governor Bill Haslam has sent a letter to the Secretary of Health and Human Services citing his concerns about “aggressive federal timelines, a lack of true flexibility for states, and misguided federal policies.”
Because Tennessee rejected the creation of a state-based exchange at the end of 2012, Tennesseans will participate in an exchange run solely by the federal government. The State estimates that 300,000 people may participate in the exchange, but some estimates set participation closer to 600,000.
The HIPAA-HITECH Omnibus Final Rule has been released and was officially published January 25, 2013. Businesses need to take steps to be compliant with many requirements by September 23, 2013. And there will be much work to do. Among other issues:
- There will be a need for changes in Notices of Privacy Practices.
- There will be greater enforcement efforts, which are already being seen in many places, and more emphasis on penalties.
- There are changes to breach notification requirements with more events being reportable.
- There is direct liability for Business Associates, and Covered Entities will need to monitor Business Associates more closely.
- The Rule contemplates electronic copies of electronically stored information.
In early 2009, the Department of Health and Human Services (HHS) published the final rule that requires the implementation of HIPAA Accredited Standards Committee (ASC) X12 version 5010 for electronic claims, referrals, enrollment, patient eligibility inquiries, coordination of benefits (COB), and remittance advices. This replaces version 4010A1. The new version is required to allow the transition in 2013 from ICD-9-CM to ICD-10 coding. In order to ensure the submission of electronic claims, healthcare providers have been working to prepare for the transition.
Covered entities were required to comply beginning January 1, 2012 (small plans have until January 1, 2013, to comply with the NCPDP Medicaid Subrogation 3.0 standard). Covered entities include healthcare providers, health plans, and healthcare clearinghouses.
The Center for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) will enforce the compliance standards. In November 2011, CMS announced, “While enforcement action will not be taken (until March 31, 2012), OESS will continue to accept complaints associated with compliance with Version 5010, NCPDP D.0 and NCPDP 3.0 transaction standards during the 90-day period. . . . If requested by OESS, covered entities that are the subject of complaints (known as ‘filed-against entities’) must produce evidence of either compliance or a good faith effort to become compliant with the new HIPAA [version] standards during the 90-day period.” You can access the announcement here.
Unless extended again, enforcement of compliance with ASC X12 v5010 will begin at midnight on March 31, 2012.