New HIPAA/HITECH Rules: 180 Day Countdown
Last week marked the effective date of the Department of Health and Human Services (HHS) Office of Civil Rights comprehensive modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules (“the Rules”). The arrival of the effective date commences the 180-day period for covered entities to come into compliance with most of the Rule’s requirements.
The Rules and the HHS commentary are lengthy and complex. In this post, we offer a detailed look at the Rules’ key changes that are likely to affect most covered entities. We also discuss several additional requirements that will mostly affect covered health care providers and some non-covered entities. To help organizations devise a compliance strategy, the blog post also suggests action items, where appropriate.
Key Dates:
- March 26, 2013: The Rules became effective.
- September 23, 2013: Covered entities must comply with most of the new Rules’ provisions.
- September 25, 2013: Disclosures of PHI become subject to the new restrictions on sale of PHI.
- September 22, 2014: Covered entities must bring all of their Business Associate Agreements (“BAAs”) into compliance with the Rules; the new Rules also apply this requirement to Business Associates’ agreements with their covered subcontractors.
While the Rules in some respects represent a major departure from the existing HIPAA and HITECH requirements, many of the new provisions accept without change the requirements that the HHS had previously proposed in the interim final HITECH Breach Notification Rule, in October 2009, and in the proposed Privacy, Security and Enforcement Rules updates in July 2010 (the “Interim Rules”). Entities that have aligned their practices with the Interim Rule will, therefore, have fewer changes to implement.
Overview of the New Rules
The changes that the Rules bring for most organizations include:
- The expansion of the definition of Business Associates to include subcontractors that access PHI;
- The imposition of direct liability under the Rules on Business Associates for compliance with certain HIPAA Privacy and Security Rule requirements;
- Additional and revised provisions that covered entities and Business Associates must include in their BAAs, and a requirement for all existing BAAs to comply with the new Rules by September 22, 2014;
- Additional disclosures in covered entities’ HIPAA Privacy Notices, including informing individuals of their right to be notified of breaches of their PHI;
- Substantial lowering of the threshold for notification of affected individuals in the event of a breach of PHI, and a requirement to conduct a documented risk assessment in the event notification is not provided in reliance on the harm threshold; and
- An expansion of individuals’ rights to access their PHI.
Several other significant changes are primarily relevant to covered health care providers and certain non-covered third parties. These changes include:
- Individuals’ enhanced ability to restrict disclosures of certain PHI; this revision affects mostly covered health care providers;
- Restrictions on the circumstances in which adherence programs can be conducted without individuals’ authorization; these changes are most relevant to pharmacies and adherence communications providers and their service providers, and non-covered organizations that sponsor adherence communications; and
- Clarification of the circumstances in which providers of patient health record portals are subject to HIPAA; these requirements primarily concern covered and non-covered portal owners, sponsors and operators.
To read the entire article: CLICK HERE
New HIPAA/HITECH Rules Implementation Roadmap: Countdown Begins to September 23, 2013 Compliance Deadline By Boris Segalis on
Someone Wants Your Practice! (And they’ll take it with help from your CEO and surgeons…)
I know, I know, a bold statement that surely does not apply to YOUR particular anesthesiology group, at YOUR particular practice. Sorry, but guess again and read on…
The following is a very accurate synopsis of a real phone call between the national sales director of a national anesthesia management company, and your hospital’s CEO or CMO – Please, PLEASE read this. It matters.
“Hi Mr. CEO, I am Dr So-and-So, from Such-and-Such Anesthesiology Services, the leading national provider of professional anesthesia services in the United States. I am calling to make sure you are completely satisfied with your anesthesia providers.”
[CEO inserts statement confirming satisfaction.]
“Oh good, I am glad you are. So many CEOs we call are not satisfied, and do not have anesthesia groups that not only save hospitals money, but MAKE money for their hospitals. We know how hard a job you have, with less than a 4% margin, and most anesthesia groups do nothing to help contribute to that. Often times we are called when hospitals are reviewing the groups they supplement and stipend, and are asked how we can help.”
[CEO inquires how anesthesia can make money for the hospital.]
“Well pardon me, but I assumed that if you were happy with your group, they helped substantially with the new value based purchasing (VBP) and did everything possible to avoid taking a stipend from your facility. We know the financial difficulties facing hospitals everywhere (through our local California and national experience) and do everything we can to assist you in maximizing your deserved collections from the government and private payors. In addition, we really do not want a stipend if we can avoid one (legal Medicare Anti-Kickback issues, etc.) We can help you with recruitment and retention of anesthesia personnel, and are able to reduce substantially any stipend via excellent management of the highly expensive and rare resources available to you.”
[CEO inquiries how this can all be done…]
And with the CEO’s attention captured, the sales director proceeds to sell the merits of his company’s professionally managed anesthesia department. The points of the argument include the following: by hiring medical directors with management education and experience, operating with cost efficiency by physician supervision of CRNAs in a care team model, requiring professional standards of conduct for all, continual tracking of patient and surgeon satisfaction, will make the CEO’s job easier by helping the hospital to function at the highest level of efficiency. Furthermore, this anesthesia management company realizes that the Department of Anesthesiology is the lynchpin for most hospital procedures, both in and out of the OR, so it ensures that their anesthesiologists sit on all relevant committees and boards, and are proactively involved in seeking and implementing cost savings measures. To drive home the arguments, the sales director will close the conversation with the offer to send sample satisfaction and performance reports, testimonials and blinded financial projections, as well as make a presentation to the hospital Board of Directors.
If you think I have fabricated the essence of this sales pitch, think again. Virtually all of this information is readily available in current white papers of leading national anesthesia service providers.
So what to do? Here is a checklist to take back the future of your anesthesia department:
- RELATIONSHIPS. Develop an excellent one with your CEO and CMO: The value of friends in high places and early warning of something amiss in your group (giving you time to fix it) is invaluable.
- ACT LIKE A PROFESSIONAL. Show up for work in tie, white jacket or sport coat. Dress like you want to be treated.
- ACT LIKE A DOCTOR. Call patients the night before their procedure and find a way to talk with them again post-op – even if it is by phone. Patients love this and it counts!
- MEMBERSHIP IN THE CSA AND ASA. Use them if you get into trouble – we have excellent resources that can both rescue a group and get it prepared for negotiations – you do NOT have to be alone!
- INVOLVEMENT. Get and stay very involved in your hospital’s day-to-day operations, by joining committees:
- OR Management
- Quality Improvement
- Surgical Care Improvement Project (SCIP)
- Pharmacy and Therapeutics
- Emergency/Trauma
- ICU
- If you have someone with some experience or knowledge try for finance board committees and hospital board committees (i.e. quality, etc.)
- Take the lead when there is a problem – infection issue? Anesthesiology wants to chair the committee looking into that.
- SAVE MONEY. Find ways to save your hospital money and tell them about it. Use the concept of VPB and your group’s commitment to that concept. (For example, continuous peripheral nerve blocks, epidurals, pain consults and other things that allow patients to receive early therapy and earlier discharge.)
- EDUCATE. Send a member of your group to the ASA’s Certificate in Business Administration Course – and tell the hospital you are doing it to find ways to help the OR run better and more efficiently.
- GET EVIDENCE. Develop a satisfaction survey for patients and surgeons and share it with the hospital, including follow up action taken to improve any deficiencies. (They will discover these anyway and you might as well as be the first to notice.)
- BE PERFECT. Specifically on quality metrics such as antibiotics, temperature control, beta blockade, and tell the hospital how well you are doing!
- GET A CONSULTANT. if you receive a stipend, make sure you have an outside consultant, hired by you, do the math and analysis of what the hospital wants, what it needs, and what it can afford, It is complicated and you need to let the facility know you are aware of the complications, your responsibility, and the Department of Justice rules and regulations.
This is very, very real and happening in multiple places in California and nationally. You must do for your department what these anesthesia service providers claim they can do in your place, and do it better. You can stop it. Get involved, get on the committees, and support your societies. If you don’t, someone else will be camping in your back yard.
by Keith Chamberlin, M.D. – Jan. 30, 2012 California Society of Anesthesiologists