What do you believe has the biggest impact on laws and regulations in the health care industry?

In 1798, President John Adams signed the Act for the Relief of Sick and Disabled Seamen. Passed by the Fifth U.S. Congress, the legislation authorized the deduction of 20 cents per month from a seaman’s wages to fund medical care for fellow sailors who were sick or injured. It was the first bit of public health legislation made at the federal level in the United States.

Today, federal, state, and local authorities — in addition to various regulatory agencies — establish rules intended to protect the public, promote access to care, and ensure that medical professionals both adhere to high standards and receive the compensation that is their due.

Regulations are varied and complex. For this reason, healthcare management professionals need a thorough understanding of them to help ensure that the facilities they work for operate within the law.

Here are five regulations that can widely affect the delivery and administration of healthcare in the United States:

1. HIPAA

Originally enacted to protect health insurance coverage for workers who lost or changed jobs, the Health Insurance Portability and Accountability Act of 1996 is now most associated with the privacy of patient healthcare information.

Under HIPAA, the Department of Health and Human Services (HHS) establishes boundaries on the use and release of health records. It also outlines safeguards to protect patients’ information and establishes civil and criminal penalties for violations.

The law applies not only to hospitals and medical practices, but also to chiropractors, dentists, nursing homes, pharmacies, and psychologists. In addition, the law governs the activity of business associates such as third-party administrators, pharmacy benefit managers for health plans, billing and transcription companies, and professionals performing legal, accounting, or administrative work.

The law’s provisions are far-reaching

“All healthcare entities and organizations that use, store, maintain or transmit patient health information are expected to be in complete compliance with the regulations of the HIPAA law,” according to information presented by Datica, a digital health platform. “When completely adhered to, HIPAA regulations not only ensure privacy, reduce fraudulent activity and improve data systems but are estimated to save providers billions of dollars annually. By knowing of and preventing security risks that could result in major compliance costs, organizations are able to focus on growing their profits instead of fearing these potential audit fines.”

HIPAA applies to verbal, written, and electronic patient records — and the use of electronic health records (EHR) is increasing. With more medical providers using EHRs, data breaches have increased. Some 351 breaches of 500 or more records, for a total exposure of more than 13 million patient records, had been reported as of Dec. 27, 2018, according to the HIPAA Journal. Stolen data is frequently used for identity theft and fraud.

However, as both technology and hacking attempts evolved, Congress instituted additional regulations — and stronger penalties — to address EHR and cloud-based medical records issues, which led to the HITECH Act.

2. The HITECH Act

The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in February 2009 to promote the “adoption and meaningful use of health information technology,” according to the HHS website. It mandates audits of healthcare providers to determine whether they are compliant with HIPAA’s privacy and security rules.

The HITECH Act can be considered the enforcement wing of HIPAA. Because healthcare records, unlike credit cards, can’t be canceled, changed, or reset in the event of a breach, healthcare providers have increasingly become the target of hackers.

The act provides financial incentives for providers to offset the initial costs of switching to EHRs — as well as tougher data security requirements and penalties for both healthcare organizations and their business associates.

Under the regulations, patients must be notified of any unauthorized access or use of their information. Protected health information (PHI) can only be shared by secured methods. Using traditional, unsecured email — a common way to share PHI electronically — can put an organization’s HIPAA compliance in jeopardy.

The cost of non-compliance can be high, with organizations facing potential fines of up to $1.5 million per calendar year for each violation. They can also incur losses related to notifying patients affected by a breach, through investigations, audits, and other legal issues.

Although no one could have predicted the COVID-19 pandemic, HIPAA and HITECH have proven themselves as being “ahead of the curve” in safeguarding a patient’s right to privacy. As social distancing protocols continue to reduce the number of face-to-face meetings in 2020, the increased flow of electronic information provides a seemingly ripe opportunity for malefactors to intercept sensitive data.

However, due to the foresight of both initiatives, patients now have additional peace of mind from protections that were enacted years — even decades — before the pandemic began.

Healthcare administrators looking to secure their infrastructure further should assess the security compliance of their practice or organization, make sure proper electronic PHI procedures are in place, and update their HIPAA privacy and security policies.

The federal government also concerns itself with compensation for physicians and healthcare providers.

3. MACRA

The Medicare Access & CHIP (Children’s Health Insurance Program) Reauthorization Act of 2015 addresses payment for doctors as well as cost controls for Medicare Part B.

Part of an overall shift to value-based reimbursement, MACRA moves away from the Sustainable Growth Rate (SGR) payment formula and toward a treatment model based on quality of care and use of EHRs by the medical practice or facility.

4. Medical Necessity

Medical necessity is one of the most important aspects of contemporary healthcare administration, even though it has no regulatory definition at the federal level or in most states.

The concept of medical necessity states that if a treatment is not medically necessary, the payer — generally an insurance company, but also Medicare or Medicaid — won’t cover the cost.

According to medical biller and coder resource MB-Guide, “Understanding medical necessity and how to document it is an important part of medical billing, because it is why an insurance company actually pays for a claim. If it’s not documented, it never happened.”

Not all procedures are medically necessary. A practice administrator needs to understand the coverage policies for services to help avoid denied claims.

5. Chain of Custody

A “Chain of Custody” form, also known as a CCF or CoC, refers to “a document or paper trail showing seizure, custody, control, transfer, analysis, and disposition of physical and electronic evidence of a human specimen test,” according to the American Alliance Drug Testing website, which details Department of Transportation (DOT) drug testing procedures.

The CCF is considered a legal document and can be invalidated if there’s any evidence of tampering.

Labs that perform DNA or paternity testing follow similar documentation procedures and legal requirements. In-home curiosity DNA tests, such as those available from 23andMe or similar companies, may be prohibited in some states because no chain of custody can be established.

The intricacies of today’s healthcare regulations require managers and administrators to be familiar with a diverse set of rules governing their profession.

Maryville University’s online Master’s in Health Administration helps prepare students for careers in healthcare management. The program offers four concentrations — Data Management, Healthcare Strategies, Population Management, and Senior Services — as well as a General MHA.

Sources

The Boston Globe, “A historical look at health care legislation”

Datica Health, “Why is HIPAA Important?”

HIPAA Journal, “Largest Healthcare Data Breaches of 2018”

MB-Guide.org, “Documenting Medical Necessity”

New Net Technologies, “The HITECH Act: The Teeth and Claws of HIPPA”

SOPHOS, Solution Brief: HIPAA/HITECH Compliance for Healthcare Organizations

U.S. Department of Health & Human Services, Health Information Privacy

U.S. Department of Health & Human Services, HITECH Act Enforcement Interim Final Rule

University of South Florida, Morsani College of Medicine, “Important Laws and Regulations in Health Informatics”

The healthcare industry is constantly changing as lawmakers, payers, patients, and other stakeholders adapt to new realities. In health systems, it’s not just the governance, risk, and compliance (GRC) function’s job to stay on top of the law. Providers and support staff, too, must understand the changing legal landscape. 

The added complexities of the COVID-19 pandemic, in particular, have had a great impact on laws affecting healthcare this year. Check out our rundown of seven legal issues that providers and administrators should be aware of in 2021.

1. Telehealth law

2020 was quite a year for telehealth law; the already growing area of law expanded exponentially, with waivers to decrease telehealth payment barriers, measures to protect patients, and audits to reduce fraud as stand-outs. In 2021, look for continued expansion of telehealth coverage. Starting with the Centers for Medicare & Medicaid Services (CMS) List of Medicare Telehealth Services, make sure your billing staff is up to date and aware of the codes, both permanent and temporary, that can be used to report telehealth services. 

It’s also important to understand the multiple regulations regarding telehealth that have been instituted this year. 

  • Consult CMS’ COVID-19 Emergency Declaration Blanket Waivers for Health Care Providers, which give greater flexibility for Medicare telehealth services. 
  • The Public Readiness and Emergency Preparedness Act (PREP Act) contains declarations that authorize healthcare personnel to use telehealth across state lines to order or administer covered countermeasures and to provide telehealth providers immunity from liability for claims concerning those countermeasures. 
  • Look for increased state and federal measures that aim to protect the privacy of telehealth patients while also helping to ensure ease of reimbursement for telehealth providers, including the necessary sharing of patient information for billing and treatment purposes.

All of these measures to decrease barriers to telehealth are happening at the same time that the Office of Inspector General (OIG) has increased the number of its audits in this area. Telehealth providers should take a proactive stance in reviewing their billed claims and the compliance of their telehealth programs to ensure they are in keeping with federal requirements.

2. HIPAA compliance and PHI

The last major update to the Health Insurance Portability and Accountability Act (HIPAA) occurred more than seven years ago. We should expect significant changes to the law, however, because the Office for Civil Rights (OCR) announced its new proposal in December 2020. The proposed updates center around a patient’s right to access protected health information (PHI) while also reducing barriers to healthcare operations and value-based reimbursement systems. 

A major proposed update includes allowing patients access to inspect their PHI in person and to take notes or photographs of their PHI. Another significant proposed change shortens the time that a provider is allowed to respond to a patient’s request for their records. Other proposed PHI-related changes include: 

  • Allowing patients access to their electronic PHI at no charge in certain circumstances, and amending the permissible fee structure for record requests
  • Reducing certain identity verification burdens regarding PHI in an electronic health record
  • Excluding care coordination and case management uses and disclosures from the “minimum necessary” standard
  • Replacing the “professional judgment” standard for PHI uses and disclosures with a standard based on the good faith belief that the use or disclosure is in the best interest of the individual
  • Expanding the ability to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable”
  • Eliminating the requirement to obtain a patient’s written acknowledgement of a provider’s Notice of Privacy Practices (NPP) and modifying the content requirements of the NPP

Also related to HIPAA compliance: In 2021, expect a trend toward increased enforcement action by the OCR related to its HIPAA Right of Access Initiative. There have been 18 such enforcement actions since 2019. OCR states that it’s undertaking this initiative to “support individuals’ right to timely access of their health records at a reasonable cost under the HIPAA Privacy Rule.” OCR often investigates a provider for a single instance of alleged failure to respond timely to a patient’s records request. One recent action resulted in a settlement of $30,000, and for the 18 actions since 2019, the settlements have ranged from $3,500 to $160,000. When settling with the OCR, a healthcare provider must also agree to a corrective plan and two years of OCR-mandated monitoring. 

It is important for every provider organization, large and small, to review their procedures for responding to patient record requests and to ensure that each request is responded to in a timely way. Currently, according to the Department of Health & Human Services (HHS), access to requested information should be provided within 30 days of receiving the request, unless there is a reason why it cannot be provided in that time frame and the patient is provided a written explanation. However, even if the provider has a valid reason for delay, the request must be fulfilled within 60 days of the initial request with only one extension allowed per patient.

3. Healthcare employers’ liability & ensuring safe work conditions

One question we will undoubtedly encounter more in 2021 than last year is: In what ways will healthcare employers be liable (and thus responsible for damages) for their employees’:

  • Exposure to COVID-19
  • Labor issues related to the pandemic

Already, employees have filed hundreds of lawsuits and more than 100 class action suits, alleging their employers violated federal and state regulations regarding employee safety or labor issues.

Providing a safe working environment for healthcare workers has always been important, but it’s even more so now in the COVID-19 era. The Centers for Disease Control (CDC) and the Occupational Safety and Health Administration (OSHA) have extensive guidelines for healthcare settings that healthcare provider organizations should consult. According to OSHA, healthcare providers should develop and implement infection control and preparedness plans and communicate those plans to workers through effective training. In addition, employers need to assess the risks and follow the hierarchy of controls for worker protection.

Labor issues—especially allegations of retaliation, wrongful termination, or wrongful denial of leave—account for a significant percentage of the recent COVID-19-related lawsuits brought by employees. Healthcare employers must consult both federal and state sources for regulations regarding labor practices. In particular, two federal acts addressing the pandemic to be aware of are:

  • Families First Coronavirus Response Act (FFCRA): Requires employers with fewer than 500 workers to provide employees with job-protected leave for reasons related to the COVID-19 pandemic, including if they need to care for a minor child or if the employee becomes ill. Employers must be aware of certain exclusions from leave entitlements for healthcare employees.
  • Worker Adjustment and Retraining Notification Act (WARN): Requires employers of 100 or more employees to provide advance notice to employees when either permanently closing a job location or implementing a mass layoff. A recent court ruling declared that COVID-19 would not fall under the “unforeseeable business circumstance” exception to the notice requirement.

4. Long-term care and nursing homes

Long-term care (LTC) facilities, nursing homes, and skilled nursing facilities have been hit hard by the COVID-19 pandemic, and as a result there are new federal guidance and requirements to ensure quality of care for these entities. Since March 2020, nearly all nursing facilities have received a targeted inspection by CMS. These will continue throughout 2021, and providers need to understand the changing guidance from CMS. As noted above with telehealth providers, LTC and nursing facilities should consult the CMS COVID-19 Emergency Declaration Blanket Waivers for Health Care Providers. A number of the blanket waivers that excluded certain requirements for nursing homes have expired, and those requirements will now be enforced.

CMS recently updated its guidance for revised visitation recommendations and is now allowing responsible indoor visitation at all times and for all residents, regardless of vaccination status of the resident or visitor, except under certain circumstances that should limit visitation (e.g., confirmed COVID-19 status or quarantine).

Other significant changes include CDC’s requirements for LTC and nursing facilities to report COVID-19 data weekly on: 

  • Suspected and confirmed cases among residents and staff
  • Total deaths and COVID-19 deaths among residents and staff
  • Amount of PPE supplies and ventilator capacity in the facility
  • Resident beds and census
  • Access to COVID-19 testing for residents
  • Staffing shortages

Nursing facilities also are required to provide information about suspected and confirmed COVID-19 cases among residents and staff to residents and their families, within certain time frames.

5. False Claims Act

The Department of Justice (DOJ) recovered more than $2.2 billion in settlements and judgments related to the False Claims Act (FCA) in 2020, $1.8 billion of it related to the healthcare industry. The FCA is the basis for combating healthcare fraud and is the civil tool for the DOJ to redress false claims for federal funds. The 2020 actions involved drug and medical device manufacturers, managed care providers, hospitals, pharmacies, hospice organizations, laboratories, and physicians. The following are trends in FCA settlements thus far this year, and are expected to continue:

  • An increase in whistleblower lawsuits: Some $1.6 billion of the FCA cases this year were brought by whistleblowers in what are called qui tam lawsuits. Because whistleblowers have inside information that is critical to identifying potential fraud in an organization, information that the DOJ would not otherwise have, the whistleblower shares in the money the DOJ recovers. The government paid out $309 million in 2020 to whistleblowers.
  • An increase in settlements holding individuals responsible: In several FCA examples in 2020, individual doctors from a medical practice agreed to pay large amounts (in one case $4.25 million) to resolve civil allegations related to illegal kickbacks.
  • The largest recoveries were from drug manufacturers that funded co-payments of Medicare patients to protect high drug prices: Two pharmaceutical manufacturers paid more than $148 million each to resolve claims that they illegally paid patient copays for their own drugs.
  • The most common fraud schemes were opioid-related fraud, followed by kickback schemes.

6. Patient safety and healthcare inequity

According to the experts, racial and ethnic disparities in healthcare are among the top patient safety issues for 2021. We’ve seen this reflected in discrepancies in medical care among minorities with regard to access to healthcare, testing, and vaccination throughout the COVID-19 pandemic. The following studies illustrate the problem:

  • The CDC published that the Hispanic or Latinx population makes up 18.5% of the U.S. population, but comprises 32.5% of COVID-19 deaths. 
  • The Urban Institute’s Health Policy Center recently published a study finding that Black patients experienced significantly worse quality of care compared to white patients in six of the 11 patient safety quality indicators that measure rates of adverse patient safety events, including five out of seven surgery-related safety indicators.

Healthcare organizations need to devote resources to improve health equity and can start by taking the following steps:

  • Incorporate health equity into the strategy of the organization and educate employees on its importance.
  • Assess the culture of the organization regarding health equity and develop goals to address weaknesses.
  • Look to community resources and partner with them in their initiatives.
  • Address any racism in the organization and develop a cultural competence strategy within the organization.

7. General access to healthcare

For many Americans, access to care has always been problematic, but a recent CDC study found that four in 10 U.S. adults have avoided access to care due to issues surrounding the COVID-19 pandemic. Further, 12% of adults have neglected emergency care during the pandemic, and 32% have gone without routine care. The study found that certain populations were more negatively affected than others, such as Black and Latinx patients, patients with chronic illness, and unpaid family caregivers. 

Access to health services is also a key domain of the social determinants of health. Barriers to access to healthcare could be due to poor access to transportation or limited healthcare resources, but the most significant barrier is a lack of insurance coverage. The Affordable Care Act has worked to increase insurance coverage to a greater percentage of Americans. In addition, the Medicaid Expansion aspects of the Act have helped narrow disparities in health coverage and access to care. However, not all states have expanded Medicaid. In 2021, we will be watching to see if the remaining 12 states will adopt and implement the Medicaid expansion and also what steps the Biden administration will take legislatively to extend coverage to more Americans.

symplr Compliance offers legal and regulatory content in its risk assessment management module of our powerful and flexible platform. We provide the software, tools, and unique expert content you need to assess your regulatory compliance stance and discover the changes in healthcare laws that affect your organization. Learn more about symplr Compliance and our entire portfolio of GRC solutions.