Whether you work at a hospital or own your own practice, it is vital that you establish a compliance program designed to help you avoid fraud, abuse, and privacy violations. Federal regulations around these activities include the
The anti-kickback statute makes it a crime for anyone, including physicians, to knowingly and willfully solicit, receive, offer or pay remuneration (bribes, kickbacks, rebates or anything else of value) in return for referring or generating business reimbursed by Medicare, Medicaid or another federal health care program.
A physician therefore cannot offer or accept anything of value to induce federal health care program business. Because the statute is written broadly, regulatory exceptions known as safe harbors have been added to protect specific, properly structured arrangements (such as bona fide employment relationships) from prosecution.
Stark II is the expansion of the federal physician self-referral law (commonly called the Stark law), and "Stark II, Phase II" refers to the second phase of the regulations that implement it.
The law applies to any physician who treats Medicare, Medicaid or other federal health care program recipients. It prohibits the physician from referring such a patient for certain designated health services to any entity with which the physician, or an immediate family member, has a financial relationship (an ownership or investment interest, or a compensation arrangement), unless one of the Stark exceptions applies.
Stark III is shorthand for Stark II, Phase III of the physician self-referral regulations. It further clarifies and modifies Phase II, especially the rules for physicians in group practice and the financial relationships between physicians and hospitals.
Obligations to notify patients of a breach of their protected health information (PHI) have been expanded and clarified under the new rule (the 2013 HIPAA Omnibus Final Rule). Under the previous rule, a breach was not presumed reportable; whether notification was required turned on whether the incident posed a significant risk of "harm to the individual."
Under the new rule, an impermissible use or disclosure of PHI is presumed to be a reportable breach unless the covered entity (or business associate) can demonstrate a low probability that the PHI has been compromised, based on a risk assessment of at least four factors: the nature and extent of the PHI involved; the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated. Document that assessment, because the burden of proof is on the covered entity. The new rule does not change the notification deadlines or reporting requirements themselves.
Practices must amend their notices of privacy practices (NPPs) to reflect the changes to the privacy and security rules, including those related to breach notification, restrictions on disclosures to health plans, and marketing and sale of PHI. In addition, if a practice conducts fundraising, the NPP must be amended to inform patients of their right to opt out of those communications.
The new rules eliminate the requirement to include statements about appointment reminders, treatment alternatives, or health-related benefits or services in the NPP. However, the rules do not require that this information be removed either.
Amended NPPs must be posted in the office. Copies must be provided to all new patients; they do not need to be redistributed to existing patients, but must be made available to anyone on request. A practice that maintains a website must post the updated NPP there, as the existing HIPAA Privacy Rule already requires.
The new rules expand the list of individuals and companies who are considered business associates to include:
All entities that transmit or receive electronic health care transactions must use version 5010 of the ASC X12 standards. Moving to 5010 requires upgrading or replacing the software used to conduct electronic transactions, such as claims submission, eligibility inquiries, and receipt of electronic claims acknowledgments and reports.
Some standards that physician practices should take note of are:
One provision of the 21st Century Cures Act goes beyond the Health Insurance Portability and Accountability Act (HIPAA) by making the blocking of health information unlawful.
Under HIPAA, covered entities such as physicians and other health care providers may share protected health information for treatment, payment, or health care operations, but they are not required to. Under the Information Blocking Rule that the Office of the National Coordinator for Health IT (ONC) published to implement that provision of the Cures Act (CMS published a companion interoperability rule aimed at payers), health care providers must share electronic health information with other providers, as well as with additional entities as directed by the patient, and must not engage in practices likely to interfere with its access, exchange or use.
For purposes of the rule, the information covered is electronic health information (EHI), essentially the ePHI in a patient's designated record set. Until October 6, 2022, EHI was limited to the core set of data elements in the United States Core Data for Interoperability (USCDI); after that date the full definition applies.
Designed to require covered entities to share this information unless a designated exception can be applied, the Information Blocking Rule outlines several such exceptions, including preventing harm, protecting privacy and safeguarding health information security. Details about the exceptions can be found in this ONC fact sheet. If a physician’s practice chooses not to share information based on one of these exceptions, the practice is not in violation of the rule.
The Information Blocking Rule will go into effect on April 5, 2021, and physicians will need to begin complying with the information-sharing provisions at that time. Currently, however, no regulations governing penalties for physicians or health care organizations have been issued, and so no penalties can be imposed until that process has been completed.
Have questions? Find answers in this AAFP FAQ. You may also consult the following resources: