4/19/2012 9:51 AM
Final HIPAA/HITECH rules are in sight! Last month, the rules reached the White House Office of Management and Budget (OMB), the final stop in the federal internal review process.
The rules will modify HIPAA Privacy, Security, Enforcement, and Breach Notification Rules as necessary to implement the privacy, security, enforcement, and breach notification provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH), and will modify the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act of 2008 (GINA).
Generally, HITECH requires that covered entities under HIPAA notify affected individuals of a breach of unsecured protected health information, as well as the Secretary of the Department of Health and Human Services (HHS) and the media if a breach affects more than 500 individuals. If a breach affects fewer than 500 individuals, the breach must be reported to HHS on an annual basis. Additionally, HITECH mandates that business associates of covered entities report breaches directly to the covered entity. HITECH also strengthens civil and criminal enforcement of HIPAA rules in a number of ways, e.g., by establishing tiered ranges of increasing minimum penalty amounts and by not allowing covered entities to escape penalties by claiming that the violation was unknown unless the covered entity corrects the violation within 30 days of discovery.
GINA modifies the HIPAA Privacy Rule by clarifying that genetic information is health information and as such prohibits the use and disclosure of genetic information by covered health plans for underwriting purposes.
The OMB has 90 days to review the final rules, which will be published in the Federal Register.
In other HIPAA news, HHS announced a proposed rule in early April to implement several administrative simplification provisions required under Health Care Reform.
First, the proposed rule requires health plans to establish a unique health plan identifier of a standard length and format. Currently, when health plans and TPAs bill providers, they are identified in a non-standard format. This process is very time-consuming for providers and results in a number of errors. By requiring health plans to establish a unique identifier, HHS hopes that providers will be able to automate and simplify their transactional processes, resulting in costs savings for providers and health plans.
Second, the proposed rule delays the effective date for ICD-10 codes from October 1, 2013, to October 1, 2014. ICD-10 codes are the International Classification of Diseases, 10th Edition diagnosis and procedure codes. The updated set of codes contains new procedures and diagnoses and will improve the information available for quality improvement efforts and payment.
Comments on the proposed rule are due 30 days after publication in the Federal Register.