In 1798, President John Adams signed the Act for the Relief of Sick and Disabled Seamen. Passed by the Fifth U.S. Congress, the legislation authorized the deduction of 20 cents per month from a seaman’s wages to fund medical care for fellow sailors who were sick or injured. It was the first bit of public health legislation made at the federal level in the United States.
Today, federal, state, and local authorities — in addition to various regulatory agencies — establish rules intended to protect the public, promote access to care, and ensure that medical professionals both adhere to high standards and receive the compensation that is their due. Regulations are varied and complex. For this reason, healthcare management professionals need a thorough understanding of them to help ensure that the facilities they work for operate within the law.

Here are five regulations that can widely affect the delivery and administration of healthcare in the United States:

1. HIPAA

Originally enacted to protect health insurance coverage for workers who lost or changed jobs, the Health Insurance Portability and Accountability Act of 1996 is now most associated with the privacy of patient healthcare information. Under HIPAA, the Department of Health and Human Services (HHS) establishes boundaries on the use and release of health records. It also outlines safeguards to protect patients’ information and establishes civil and criminal penalties for violations. The law applies not only to hospitals and medical practices, but also to chiropractors, dentists, nursing homes, pharmacies, and psychologists. In addition, the law governs the activity of business associates such as third-party administrators, pharmacy benefit managers for health plans, billing and transcription companies, and professionals performing legal, accounting, or administrative work.

The law’s provisions are far-reaching

“All healthcare entities and organizations that use, store, maintain or transmit patient health information are expected to be in complete compliance with the regulations of the HIPAA law,” according to information presented by Datica, a digital health platform. “When completely adhered to, HIPAA regulations not only ensure privacy, reduce fraudulent activity and improve data systems but are estimated to save providers billions of dollars annually.
By knowing of and preventing security risks that could result in major compliance costs, organizations are able to focus on growing their profits instead of fearing these potential audit fines.”

HIPAA applies to verbal, written, and electronic patient records — and the use of electronic health records (EHR) is increasing. With more medical providers using EHRs, data breaches have increased. Some 351 breaches of 500 or more records, for a total exposure of more than 13 million patient records, had been reported as of Dec. 27, 2018, according to the HIPAA Journal. Stolen data is frequently used for identity theft and fraud. However, as both technology and hacking attempts evolved, Congress instituted additional regulations — and stronger penalties — to address EHR and cloud-based medical records issues, which led to the HITECH Act.

2. The HITECH Act

The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in February 2009 to promote the “adoption and meaningful use of health information technology,” according to the HHS website. It mandates audits of healthcare providers to determine whether they are compliant with HIPAA’s privacy and security rules. The HITECH Act can be considered the enforcement wing of HIPAA.

Because healthcare records, unlike credit cards, can’t be canceled, changed, or reset in the event of a breach, healthcare providers have increasingly become the target of hackers. The act provides financial incentives for providers to offset the initial costs of switching to EHRs — as well as tougher data security requirements and penalties for both healthcare organizations and their business associates. Under the regulations, patients must be notified of any unauthorized access or use of their information. Protected health information (PHI) can only be shared by secured methods.
Using traditional, unsecured email — a common way to share PHI electronically — can put an organization’s HIPAA compliance in jeopardy. The cost of non-compliance can be high, with organizations facing potential fines of up to $1.5 million per calendar year for each violation. They can also incur losses related to notifying patients affected by a breach, through investigations, audits, and other legal issues.

Although no one could have predicted the COVID-19 pandemic, HIPAA and HITECH have proven themselves as being “ahead of the curve” in safeguarding a patient’s right to privacy. As social distancing protocols continue to reduce the number of face-to-face meetings in 2020, the increased flow of electronic information provides a seemingly ripe opportunity for malefactors to intercept sensitive data. However, due to the foresight of both initiatives, patients now have the additional peace of mind of protections that were enacted years — even decades — before the pandemic began. Healthcare administrators looking to secure their infrastructure further should assess security compliance of their practice or organization, make sure proper electronic PHI procedures are in place, and update their HIPAA privacy and security policies.

The federal government also concerns itself with compensation for physicians and healthcare providers.

3. MACRA

The Medicare Access & CHIP (Children’s Health Insurance Program) Reauthorization Act of 2015 addresses payment for doctors as well as cost controls for Medicare Part B. Part of an overall shift to value-based reimbursement, MACRA moves away from the Sustainable Growth Rate (SGR) payment formula and toward a treatment model based on quality of care and use of EHRs by the medical practice or facility.

4. Medical Necessity

Medical necessity is one of the most important aspects of contemporary healthcare administration, even though it has no regulatory definition at the federal level or in most states.
The concept of medical necessity states that if a treatment is not medically necessary, the payer — generally an insurance company, but also Medicare or Medicaid — won’t cover the cost. According to medical biller and coder resource MB-Guide, “Understanding medical necessity and how to document it is an important part of medical billing, because it is why an insurance company actually pays for a claim. If it’s not documented, it never happened.” Not all procedures are medically necessary. A practice administrator needs to understand the coverage policies for services to help avoid denied claims.

5. Chain of Custody

A “Chain of Custody” form, also known as a CCF or CoC, refers to “a document or paper trail showing seizure, custody, control, transfer, analysis, and disposition of physical and electronic evidence of a human specimen test,” according to the American Alliance Drug Testing website, which details Department of Transportation (DOT) drug testing procedures. The CCF is considered a legal document and can be invalidated if there’s any evidence of tampering. Labs that perform DNA or paternity testing follow similar documentation procedures and legal requirements. In-home curiosity DNA tests, such as those available from 23andMe or similar companies, may be prohibited in some states because no chain of custody can be established.

The intricacies of today’s healthcare regulations require managers and administrators to be familiar with a diverse set of rules governing their profession. Maryville University’s online Master’s in Health Administration helps prepare students for careers in healthcare management. The program offers four concentrations — Data Management, Healthcare Strategies, Population Management, and Senior Services — as well as a General MHA.
Sources

The Boston Globe, “A historical look at health care legislation”
Datica Health, “Why is HIPAA Important?”
HIPAA Journal, “Largest Healthcare Data Breaches of 2018”
MB-Guide.org, “Documenting Medical Necessity”
New Net Technologies, “The HITECH Act: The Teeth and Claws of HIPAA”
SOPHOS, Solution Brief: HIPAA/HITECH Compliance for Healthcare Organizations
U.S. Department of Health & Human Services, Health Information Privacy
U.S. Department of Health & Human Services, HITECH Act Enforcement Interim Final Rule
University of South Florida, Morsani College of Medicine, “Important Laws and Regulations in Health Informatics”

The healthcare industry is constantly changing as lawmakers, payers, patients, and other stakeholders adapt to new realities. In health systems, it’s not just the governance, risk, and compliance (GRC) function’s job to stay on top of the law. Providers and support staff, too, must understand the changing legal landscape. The added complexities of the COVID-19 pandemic, in particular, have had a great impact on laws affecting healthcare this year. Check out our rundown of seven legal issues that providers and administrators should be aware of in 2021.

1. Telehealth law

2020 was quite a year for telehealth law; the already growing area of law expanded exponentially, with waivers to decrease telehealth payment barriers, measures to protect patients, and audits to reduce fraud as stand-outs. In 2021, look for continued expansion of telehealth coverage. Starting with the Centers for Medicare & Medicaid Services (CMS) List of Medicare Telehealth Services, make sure your billing staff is up to date and aware of the codes, both permanent and temporary, that can be used to report telehealth services. It’s also important to understand the multiple regulations regarding telehealth that have been instituted this year.
All of these measures to decrease barriers to telehealth are happening at the same time that the Office of Inspector General (OIG) has increased the number of its audits in this area. Telehealth providers should take a proactive stance in reviewing their billed claims and the compliance of their telehealth programs to ensure they are in keeping with federal requirements.

2. HIPAA compliance and PHI

The last major update to the Health Insurance Portability and Accountability Act (HIPAA) occurred more than seven years ago. We should expect significant changes to the law, however, because the Office for Civil Rights (OCR) announced its new proposal in December 2020. The proposed updates center around a patient’s right to access protected health information (PHI) while also reducing barriers to healthcare operations and value-based reimbursement systems. A major proposed update includes allowing patients access to inspect their PHI in person and to take notes or photographs of their PHI. Another significant proposed change shortens the time that a provider is allowed to respond to a patient’s request for their records. Other proposed PHI-related changes include:
Also related to HIPAA compliance: In 2021, expect a trend toward increased enforcement action by the OCR related to its HIPAA Right of Access Initiative. There have been 18 such enforcement actions since 2019. OCR states that it’s undertaking this initiative to “support individuals’ right to timely access of their health records at a reasonable cost under the HIPAA Privacy Rule.” OCR often investigates a provider for a single instance of alleged failure to respond timely to a patient’s records request. One recent action resulted in a settlement of $30,000, and for the 18 actions since 2019, the settlements have ranged from $3,500 to $160,000. When settling with the OCR, a healthcare provider must also agree to a corrective plan and two years of OCR-mandated monitoring.

It is important for every provider organization, large and small, to review their procedures for responding to patient record requests and to ensure that each request is responded to in a timely way. Currently, according to the Department of Health & Human Services (HHS), access to requested information should be provided within 30 days of receiving the request, unless there is a reason why it cannot be provided in that time frame and the patient is provided a written explanation. However, even if the provider has a valid reason for delay, the request must be fulfilled within 60 days of the initial request with only one extension allowed per patient.

3. Healthcare employers’ liability & ensuring safe work conditions

One question we will undoubtedly encounter more in 2021 than last year is: In what ways will healthcare employers be liable (and thus responsible for damages) for their employees’:
Already, employees have filed hundreds of lawsuits and more than 100 class action suits, alleging their employers violated federal and state regulations regarding employee safety or labor issues.

Providing a safe working environment for healthcare workers has always been important, but it’s even more so now in the COVID-19 era. The Centers for Disease Control (CDC) and the Occupational Safety and Health Administration (OSHA) have extensive guidelines for healthcare settings that healthcare provider organizations should consult. According to OSHA, healthcare providers should develop and implement infection control and preparedness plans and communicate those plans to workers through effective training. In addition, employers need to assess the risks and follow the hierarchy of controls for worker protection.

Labor issues—especially allegations of retaliation, wrongful termination, or wrongful denial of leave—account for a significant percentage of the recent COVID-19-related lawsuits brought by employees. Healthcare employers must consult both federal and state sources for regulations regarding labor practices. In particular, two federal acts addressing the pandemic to be aware of are:
4. Long-term care and nursing homes

Long-term care (LTC) facilities, nursing homes, and skilled nursing facilities have been hit hard by the COVID-19 pandemic, and as a result there are new federal guidance and requirements to ensure quality of care for these entities. Since March 2020, nearly all nursing facilities have received a targeted inspection by CMS. These will continue throughout 2021, and providers need to understand the changing guidance from CMS.

As noted above with telehealth providers, LTC and nursing facilities should consult the CMS COVID-19 Emergency Declaration Blanket Waivers for Health Care Providers. A number of the blanket waivers that excluded certain requirements for nursing homes have expired, and those requirements will now be enforced. CMS recently updated its guidance for revised visitation recommendations and is now allowing responsible indoor visitation at all times and for all residents, regardless of vaccination status of the resident or visitor, except under certain circumstances that should limit visitation (e.g., confirmed COVID-19 status or quarantine).

Other significant changes include CDC’s requirements for LTC and nursing facilities to report COVID-19 data weekly on:
Nursing facilities also are required to provide information about suspected and confirmed COVID-19 cases among residents and staff to residents and their families, within certain time frames.

5. False Claims Act

The Department of Justice (DOJ) recovered more than $2.2 billion in settlements and judgments related to the False Claims Act (FCA) in 2020, $1.8 billion of it related to the healthcare industry. The FCA is the basis for combating healthcare fraud and is the civil tool for the DOJ to redress false claims for federal funds. The 2020 actions involved drug and medical device manufacturers, managed care providers, hospitals, pharmacies, hospice organizations, laboratories, and physicians. The following are trends in FCA settlements thus far this year, and are expected to continue:
6. Patient safety and healthcare inequity

According to the experts, racial and ethnic disparities in healthcare are among the top patient safety issues for 2021. We’ve seen this reflected in discrepancies in medical care among minorities with regard to access to healthcare, testing, and vaccination throughout the COVID-19 pandemic. The following studies illustrate the problem:
Healthcare organizations need to devote resources to improve health equity and can start by taking the following steps:
7. General access to healthcare

For many Americans, access to care has always been problematic, but a recent CDC study found that four in 10 U.S. adults have avoided access to care due to issues surrounding the COVID-19 pandemic. Further, 12% of adults have neglected emergency care during the pandemic, and 32% have gone without routine care. The study found that certain populations were more negatively affected than others, such as Black and Latinx patients, patients with chronic illness, and unpaid family caregivers.

Access to health services is also a key domain of the social determinants of health. Barriers to access to healthcare could be due to poor access to transportation or limited healthcare resources, but the most significant barrier is a lack of insurance coverage. The Affordable Care Act has worked to increase insurance coverage to a greater percentage of Americans. In addition, the Medicaid Expansion aspects of the Act have helped narrow disparities in health coverage and access to care. However, not all states have expanded Medicaid. In 2021, we will be watching to see if the remaining 12 states will adopt and implement the Medicaid expansion and also what steps the Biden administration will take legislatively to extend coverage to more Americans.

symplr Compliance offers legal and regulatory content in its risk assessment management module of our powerful and flexible platform. We provide the software, tools, and unique expert content you need to assess your regulatory compliance stance and discover the changes in healthcare laws that affect your organization. Learn more about symplr Compliance and our entire portfolio of GRC solutions.