HIPAA Series Part III of III: HIPAA and the Delivery of Healthcare

The Part I installment, published in the February 2013 issue of HC Topics, provided an in-depth discussion of the historical underpinnings and foundation of the current HIPAA regulation.1   Last month’s Part II installment focused on the latest amendment to the HIPAA legislation, which significantly altered previously published requirements affecting business associates and their subcontractors.2 This third, and final, installment considers HIPAA regulation and significance within the context of the current healthcare marketplace.

Although HIPAA was first established in 1996, healthcare providers and consumers may still misinterpret application of the law in current patient care settings.3  Within the context of an ever-changing healthcare environment, most notably with regard to the implementation of electronic medical records and efforts to facilitate a more integrated system of care, the recent updates to HIPAA regulations and enhanced scrutiny of healthcare patient privacy practices may pose a continued compliance challenge for providers.

As the healthcare industry continues to transition from paper-based information management to electronic transactions and data management, in addition to the ICD-10 transition scheduled for October 2013, the current version of the HIPAA standards that regulate the transmission of specific health care information (Version 4010/4010AI) will be updated to ASC X12 Version 5010.4 The HIPAA Version 5010 will include updated technical, structural, and data content requirements; transactional business standardization; data transmission specifications, and, delineation of various patient codes to accommodate the increased complexity and changes to medical care, billing, and reimbursement.5 The transition to HIPAA Version 5010 will likely affect many healthcare industry stakeholders, including providers, health plans, healthcare clearinghouses, and business associates that participate in electronic transactions, all of which will also be affected by the new regulations governing business associates and subcontractors, as discussed in last month’s issue of HC Topics HIPAA Series Part II.6

While simultaneously implementing advancements in electronic healthcare data management in the current healthcare environment in an effort to increase quality of care and lower healthcare costs, healthcare providers must also contend with challenges related to enhanced HIPAA regulations.  As the methods and frequency of communication between providers, e.g., communication between outpatient and inpatient settings, among differing specialties and organizations, etc., become more integrated, the inherent risk of HIPAA violation may also increase.  To avoid the potential for non-compliance, healthcare systems and providers should consider introducing safeguards and oversight policies regarding communication processes to ensure consistent compliance, as well as to identify and correct potential deficiencies or areas of concern.

Providers and stakeholders in the healthcare arena must also consider the updated HIPAA regulations with regard to existing laws that govern and protect patient health information (PHI), such as the Red Flag Rules, the HITECH Act, and the Patient Safety and Quality Improvement Act.  The Red Flag Rules, implemented on November 1, 2009 by the Federal Trade Commission, requires healthcare providers to enforce written policies to identify and prevent identity theft, including PHI beyond that required by HIPAA, e.g., credit card numbers, tax identification numbers, business identification numbers and employer identification numbers.7  

One of the most significant amendments to HIPAA was implemented under the Health Information Technology for Economic Clinical Health (HITECH) Act, a portion of the  American Recovery and Reinvestment Act of 2009 (ARRA), signed into law February 17, 2009. The HITECH act provides incentives and penalties associated with the adoption of electronic health records (EHR), including electronic prescribing; information exchange between systems; and, qualitative reporting, among other metrics.8  Providers that aligned practices with many of the provisions in the original HITECH act likely have fewer changes to implement prior to the September 23, 2013 compliance deadline for covered entities under the updated HIPAA provisions.9

In addition to the Red Flag Rules and HITECH Act, the updated HIPAA regulations must be considered in relation to the Patient Safety and Quality Improvement Act of 2005 (PSQIA), which delineates guidelines and penalties for the protection and sharing of patient information related to patient safety events and quality improvement.10  Providers should note that, although the information covered by the PSQIA may include PHI also covered under HIPAA, dual penalties cannot be leveraged under both regulations.11

As PHI data transmission and management transitions with healthcare delivery integration and electronic system implementation, healthcare providers, including covered entities; business associates; and, subcontractors as defined by the latest amendment published on January 25, 2013, must remain compliant with current HIPAA regulations.  Additionally, providers must be aware of HIPAA requirements relative to additional healthcare regulation regarding the use, transmission, and management of PHI and other additional patient information. The most recent amendment to HIPAA regulations will likely have significant effects on various healthcare industry stakeholders, though the enforcement and scrutiny of provider compliance has not been extensively considered to date, with the ultimate impact of the new rules remaining to be seen post-implementation in 2013 and 2014.

HIPAA Series Part II: Effect on Business Associates

HIPAA Series Part I: History and Overview of   HIPAA Legislation

“HIPAA Series Part I: History and Overview of HIPAA Legislation,” Health Capital Topics Newsletter, Vol. 6, No. 2, February 2013

“HIPAA Series Part II: Effect on Business Associates”, Health Capital Topics Newsletter, Vol. 6, No. 3, March 2013

“A Privacy Law Often Misinterpreted”, by Paula Span, The New York Times, March 27, 2013, http://newoldage.blogs.nytimes.com/2013/03/27/a-privacy-law-often-misinterpreted/ (Accessed April 7, 2013)

“New Health Care Electronic Transactions Standards: Versions 5010, D.0, and 3.0” Centers for Medicare & Medicaid Services, January 2010, http://www.cms.gov/ICD10/Downloads/w5010 BasicsFctSht.pdf  (Accessed 11/29/11).

“Is Your Practice Ready for Version 5010” MGMA Connexion Supplement, October 2011, p. 9.

“HIPAA Series Part II: Effect on Business Associates”, Health Capital Topics Newsletter, Vol. 6, No. 3, March 2013

“Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003; Final Rule”, Federal Register, Vol. 72, No. 217, November 9, 2007, p. 63718, 63723

“American Recovery and Reinvestment Act of 2009” 111th Congress, 1st Session, January 6, 2009, Section 13001

“New HIPAA/HITECH Rules Implementation Roadmap: Countdown Begins to September 23, 2013 Compliance Deadline”, by Boris Segalis, Information Law Group, March 31, 2013, http://www.infolawgroup.com/2013/03/articles/hipaa/hipaahitechrules/ (Accessed April 9, 2013)

“Patient Safety and Quality Improvement”, U.S. Department of Health and Human Services, Federal Register, Vol. 73, No. 226, November 21, 2008, p. 70732

“Health Information Privacy: Delegation of Authority”, U.S. Department of Health and Human Services, http://www.hhs.gov/ocr/privacy/psa/understanding/delegationofauthority.html (Accessed April 11, 2013)

Healthcare Valuation Banner Advisor's Guide to Healthcare Banner Accountable Care Organizations Banner