Health Hippo: HIPAA
Whatsoever I shall see or hear in the course of my profession… I will never divulge, holding such things to be holy secrets.
A major goal of the Health Insurance Portability and Accountability Act (HIPAA) privacy rules is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being. It attempts to strike a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the privacy rules are supposed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.
U.S. Code
- HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (Public Law 104-191 104th Congress)
- TITLE I–HEALTH CARE ACCESS, PORTABILITY, AND RENEWABILITY
- Sec. 101. Through the Employee Retirement Income Security Act of 1974.
- Sec. 701. Increased portability through limitation on preexisting condition exclusions.
- Sec. 702. Prohibiting discrimination against individual participants and beneficiaries based on health status.
- Sec. 703. Guaranteed renewability in multiemployer plans and multiple employer welfare arrangements.
- Sec. 704. Preemption; State flexibility; construction.
- Sec. 705. Special rules relating to group health plans.
- Sec. 706. Definitions.
- Sec. 707. Regulations.
- Sec. 102. Through the Public Health Service Act.
- Sec. 2701. Increased portability through limitation on preexisting condition exclusions.
- Sec. 2702. Prohibiting discrimination against individual participants and beneficiaries based on health status.
- Sec. 2711. Guaranteed availability of coverage for employers in the group market.
- Sec. 2712. Guaranteed renewability of coverage for employers in the group market.
- Sec. 2713. Disclosure of information.
- Sec. 2721. Exclusion of certain plans.
- Sec. 2722. Enforcement.
- Sec. 2723. Preemption; State flexibility; construction.
- Sec. 2791. Definitions.
- Sec. 2792. Regulations.
- Sec. 103. Reference to implementation through the Internal Revenue Code of 1986.
- Sec. 104. Assuring coordination.
- Sec. 111. Amendment to Public Health Service Act.
- Sec. 2741. Guaranteed availability of individual health insurance coverage to certain individuals with prior group coverage.
- Sec. 2742. Guaranteed renewability of individual health insurance coverage.
- Sec. 2743. Certification of coverage.
- Sec. 2744. State flexibility in individual market reforms.
- Sec. 2745. Enforcement.
- Sec. 2746. Preemption.
- Sec. 2747. General exceptions.
- TITLE II–PREVENTING HEALTH CARE FRAUD AND ABUSE; ADMINISTRATIVE SIMPLIFICATION; MEDICAL LIABILITY REFORM
- Sec. 200. References in title.
- Sec. 201. Fraud and abuse control program.
- Sec. 202. Medicare integrity program.
- Sec. 203. Beneficiary incentive programs.
- Sec. 204. Application of certain health antifraud and abuse sanctions to fraud and abuse against Federal health care programs.
- Sec. 205. Guidance regarding application of health care fraud and abuse sanctions.
- Sec. 211. Mandatory exclusion from participation in Medicare and State health care programs.
- Sec. 212. Establishment of minimum period of exclusion for certain individuals and entities subject to permissive exclusion from Medicare and State health care programs.
- Sec. 213. Permissive exclusion of individuals with ownership or control interest in sanctioned entities.
- Sec. 214. Sanctions against practitioners and persons for failure to comply with statutory obligations.
- Sec. 215. Intermediate sanctions for Medicare health maintenance organizations.
- Sec. 216. Additional exception to anti-kickback penalties for risk-sharing arrangements.
- Sec. 217. Criminal penalty for fraudulent disposition of assets in order to obtain Medicaid benefits.
- Sec. 218. Effective date.
- Sec. 221. Establishment of the health care fraud and abuse data collection program.
- Sec. 231. Social Security Act civil monetary penalties.
- Sec. 232. Penalty for false certification for home health services.
- Sec. 241. Definitions relating to Federal health care offense.
- Sec. 242. Health care fraud.
- Sec. 243. Theft or embezzlement.
- Sec. 244. False statements.
- Sec. 245. Obstruction of criminal investigations of health care offenses.
- Sec. 246. Laundering of monetary instruments.
- Sec. 247. Injunctive relief relating to health care offenses.
- Sec. 248. Authorized investigative demand procedures.
- Sec. 249. Forfeitures for Federal health care offenses.
- Sec. 250. Relation to ERISA authority.
- Sec. 261. Purpose.
- Sec. 262. Administrative simplification.
- Sec. 1171. Definitions.
- Sec. 1172. General requirements for adoption of standards.
- Sec. 1173. Standards for information transactions and data elements.
- Sec. 1174. Timetables for adoption of standards.
- Sec. 1175. Requirements.
- Sec. 1176. General penalty for failure to comply with requirements and standards.
- Sec. 1177. Wrongful disclosure of individually identifiable health information.
- Sec. 1178. Effect on State law.
- Sec. 1179. Processing payment transactions.
- Sec. 263. Changes in membership and duties of National Committee on Vital and Health Statistics.
- Sec. 264. Recommendations with respect to privacy of certain health information.
- Sec. 271. Duplication and coordination of Medicare-related plans.
- TITLE III–TAX-RELATED HEALTH PROVISIONS
- Sec. 300. Amendment of 1986 Code.
- Sec. 301. Medical savings accounts.
- Sec. 311. Increase in deduction for health insurance costs of self-employed individuals.
- Sec. 321. Treatment of long-term care insurance.
- Sec. 322. Qualified long-term care services treated as medical care.
- Sec. 323. Reporting requirements.
- Sec. 325. Policy requirements.
- Sec. 326. Requirements for issuers of qualified long-term care insurance contracts.
- Sec. 327. Effective dates.
- Sec. 331. Treatment of accelerated death benefits by recipient.
- Sec. 332. Tax treatment of companies issuing qualified accelerated death benefit riders.
- Sec. 341. Exemption from income tax for State-sponsored organizations providing health coverage for high-risk individuals.
- Sec. 342. Exemption from income tax for State-sponsored workmen’s compensation reinsurance organizations.
- Sec. 351. Organizations subject to section 833.
- Sec. 361. Distributions from certain plans may be used without additional tax to pay financially devastating medical expenses.
- Sec. 371. Organ and tissue donation information included with income tax refund payments.
- TITLE IV–APPLICATION AND ENFORCEMENT OF GROUP HEALTH PLAN REQUIREMENTS
- TITLE V–REVENUE OFFSETS
- Sec. 500. Amendment of 1986 Code.
- Sec. 501. Denial of deduction for interest on loans with respect to company-owned life insurance.
- Sec. 511. Revision of income, estate, and gift taxes on individuals who lose United States citizenship.
- Sec. 512. Information on individuals losing United States citizenship.
- Sec. 513. Report on tax compliance by United States citizens and residents living abroad.
- Sec. 521. Repeal of financial institution transition rule to interest allocation rules.
- LEGISLATIVE HISTORY
- 42 U.S. Code Chapter 7, Subchapter XI, Part C Administrative Simplification
- Sec. 1320d Definitions
- Sec. 1320d-1 General requirements for adoption of standards
- Sec. 1320d-2 Standards for information transactions and data elements
- Sec. 1320d-3 Timetables for adoption of standards
- Sec. 1320d-4 Requirements
- Sec. 1320d-5 General penalty for failure to comply with requirements and standards
- Sec. 1320d-6 Wrongful disclosure of individually identifiable health information
- Sec. 1320d-7 Effect on State law
- Sec. 1320d-8 Processing payment transactions by financial institutions
- Sec. 1320d-9 Application of HIPAA regulations to genetic information
- 42 U.S. Code § 300kk Data collection, analysis, and quality
- 42 U.S. Code Chapter 6A, Subchapter XXVIII HEALTH INFORMATION TECHNOLOGY AND QUALITY
- Sec. 300jj Definitions
- Part A Promotion of Health Information Technology
- Sec. 300jj-11 Office of the National Coordinator for Health Information Technology
- Sec. 300jj-12 HIT Policy Committee
- Sec. 300jj-13 HIT Standards Committee
- Sec. 300jj-14 Process for adoption of endorsed recommendations; adoption of initial set of standards, implementation specifications, and certification criteria
- Sec. 300jj-15 Application and use of adopted standards and implementation specifications by Federal agencies
- Sec. 300jj-16 Voluntary application and use of adopted standards and implementation specifications by private entities
- Sec. 300jj-17 Federal health information technology
- Sec. 300jj-18 Transitions
- Sec. 300jj-19 Miscellaneous provisions
- Part B Incentives for the Use of Health Information Technology
- Part C Other Provisions
Code of Federal Regulations
- 16 CFR CHAPTER I, SUBCHAPTER C FEDERAL TRADE COMMISSION
- PART 318 HEALTH BREACH NOTIFICATION RULE
- Sec. 318.1 Purpose and scope.
- Sec. 318.2 Definitions.
- Sec. 318.3 Breach notification requirement.
- Sec. 318.4 Timeliness of notification.
- Sec. 318.5 Methods of notice.
- Sec. 318.6 Content of notice.
- Sec. 318.7 Enforcement.
- Sec. 318.8 Effective date.
- Sec. 318.9 Sunset.
- 42 CFR Part 495 STANDARDS FOR THE ELECTRONIC HEALTH RECORD TECHNOLOGY INCENTIVE PROGRAM
- SUBPART A General Provisions (495.2 – 495.10)
- Sec. 495.2 Basis and purpose.
- Sec. 495.4 Definitions.
- Sec. 495.5 Requirements for EPs seeking to reverse a hospital-based determination under Sec. 495.4.
- SUBPART B Requirements Specific to the Medicare Program (495.100 – 495.110)
- SUBPART C Requirements Specific to Medicare Advantage (MA) Organizations (495.200 – 495.212)
- SUBPART D Requirements Specific to the Medicaid Program (495.300 – 495.370)
- 42 U.S. Code Chapter 6A, Subchapter XXVIII HEALTH INFORMATION TECHNOLOGY AND QUALITY
- Sec. 300jj Definitions
- Part A Promotion of Health Information Technology
- Part B Incentives for the Use of Health Information Technology
- Part C Other Provisions
- Sec. 300kk Data collection, analysis, and quality
- Final Rule: Electronic Health Records Safe Harbor Under the Anti-Kickback Statute December 27, 2013. Updating the provision under which electronic health records software is deemed interoperable; removing the electronic prescribing capability requirement; extending the sunset provision until December 31, 2021; limiting the scope of protected donors to exclude laboratory companies; and clarifying the condition that prohibits a donor from taking any action to limit or restrict the use, compatibility, or interoperability of the donated items or services.
- 45 CFR SUBTITLE A, SUBCHAPTER C ADMINISTRATIVE DATA STANDARDS AND RELATED REQUIREMENTS
- PART 160 GENERAL ADMINISTRATIVE REQUIREMENTS (160.101 – 160.552)
- SUBPART A General Provisions (160.101 – 160.104)
- SUBPART B Preemption of State Law (160.201 – 160.205)
- SUBPART C Compliance and Investigations (160.300 – 160.316)
- Sec. 160.300 Applicability.
- Sec. 160.302 Definitions.
- Sec. 160.304 Principles for achieving compliance.
- Sec. 160.306 Complaints to the Secretary.
- Sec. 160.308 Compliance reviews.
- Sec. 160.310 Responsibilities of covered entities.
- Sec. 160.312 Secretarial action regarding complaints and compliance reviews.
- Sec. 160.314 Investigational subpoenas and inquiries.
- Sec. 160.316 Refraining from intimidation or retaliation.
- SUBPART D Imposition of Civil Money Penalties (160.400 – 160.426)
- SUBPART E Procedures for Hearings (160.500 – 160.552)
- Sec. 160.500 Applicability.
- Sec. 160.502 Definitions.
- Sec. 160.504 Hearing before an ALJ.
- Sec. 160.506 Rights of the parties.
- Sec. 160.508 Authority of the ALJ.
- Sec. 160.510 Ex parte contacts.
- Sec. 160.512 Prehearing conferences.
- Sec. 160.514 Authority to settle.
- Sec. 160.516 Discovery.
- Sec. 160.518 Exchange of witness lists, witness statements, and exhibits.
- Sec. 160.520 Subpoenas for attendance at hearing.
- Sec. 160.522 Fees.
- Sec. 160.524 Form, filing, and service of papers.
- Sec. 160.526 Computation of time.
- Sec. 160.528 Motions.
- Sec. 160.530 Sanctions.
- Sec. 160.532 Collateral estoppel.
- Sec. 160.534 The hearing.
- Sec. 160.536 Statistical sampling.
- Sec. 160.538 Witnesses.
- Sec. 160.540 Evidence.
- Sec. 160.542 The record.
- Sec. 160.544 Post hearing briefs.
- Sec. 160.546 ALJ’s decision.
- Sec. 160.548 Appeal of the ALJ’s decision.
- Sec. 160.550 Stay of the Secretary’s decision.
- Sec. 160.552 Harmless error.
- PART 162 ADMINISTRATIVE REQUIREMENTS (162.100 – 162.1902)
- PART 164 SECURITY AND PRIVACY (164.102 – 164.534)
- SUBPART A General Provisions (164.102 – 164.106)
- SUBPART B [Reserved]
- SUBPART C Security Standards for the Protection of Electronic Protected Health Information (164.302 – 164.318)
- Sec. 164.302 Applicability.
- Sec. 164.304 Definitions.
- Sec. 164.306 Security standards: General rules.
- Sec. 164.308 Administrative safeguards.
- Sec. 164.310 Physical safeguards.
- Sec. 164.312 Technical safeguards.
- Sec. 164.314 Organizational requirements.
- Sec. 164.316 Policies and procedures and documentation requirements.
- Sec. 164.318 Compliance dates for the initial implementation of the security standards.
- Appendix A Security Standards: Matrix
- SUBPART D Notification in the Case of Breach of Unsecured Protected Health Information (164.400 – 164.414)
- Sec. 164.400 Applicability.
- Sec. 164.402 Definitions.
- Sec. 164.404 Notification to individuals.
- Sec. 164.406 Notification to the media.
- Sec. 164.408 Notification to the Secretary.
- Sec. 164.410 Notification by a business associate.
- Sec. 164.412 Law enforcement delay.
- Sec. 164.414 Administrative requirements and burden of proof.
- SUBPART E Privacy of Individually Identifiable Health Information (164.500 – 164.534)
- Sec. 164.500 Applicability.
- Sec. 164.501 Definitions.
- Sec. 164.502 Uses and disclosures of protected health information: general rules.
- Sec. 164.504 Uses and disclosures: Organizational requirements.
- Sec. 164.506 Uses and disclosures to carry out treatment, payment, or health care operations.
- Sec. 164.508 Uses and disclosures for which an authorization is required.
- Sec. 164.510 Uses and disclosures requiring an opportunity for the individual to agree or to object.
- Sec. 164.512 Uses and disclosures for which an authorization or opportunity to agree or object is not required.
- Sec. 164.514 Other requirements relating to uses and disclosures of protected health information.
- Sec. 164.520 Notice of privacy practices for protected health information.
- Sec. 164.522 Rights to request privacy protection for protected health information.
- Sec. 164.524 Access of individuals to protected health information.
- Sec. 164.526 Amendment of protected health information.
- Sec. 164.528 Accounting of disclosures of protected health information.
- Sec. 164.530 Administrative requirements.
- Sec. 164.532 Transition provisions.
- Sec. 164.534 Compliance dates for initial implementation of the privacy standards.
Cases
- Concentra Health Services (2014) (agreed to pay $1,725,220 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, and will adopt a corrective action plan to evidence their remediation of these findings)
- QCA Health Plan, Inc. (2014) (agreeing to a $250,000 monetary settlement and to correct deficiencies in its HIPAA compliance program resulting in the work station disclosure of 148 patients’ information)
- Massachusetts Eye and Ear Infirmary (2012) ($1.5 million settlement followed a breach report submitted by MEEI, as required by the HIPAA Breach Notification Rule, reporting the theft of an unencrypted personal laptop containing the electronic protected health information (ePHI) of MEEI patients and research subjects)
- LabMD, Inc. (2013) (FTC complaint alleges that respondent’s failure to employ reasonable and appropriate measures to prevent unauthorized access to personal information, including dates of birth, SSNs, medical test codes, and health information, caused, or is likely to cause, substantial injury to consumers that is not offset by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers. This practice was, and is, an unfair act or practice)
Reports
- National Telecommunications and Information Administration Recent Federal Register documents related to development of a consumer data privacy Code of Conduct.
- Office of the President: Science and Technology Policy Office Recent Federal Register documents. Congress established the Office of Science and Technology Policy with a broad mandate to advise the President and others within the Executive Office on the effects of science and technology on domestic and international affairs.
- Training Materials: Health Information Privacy Six educational programs for health care providers on compliance with various aspects of the HIPAA Privacy and Security Rules. Each of these programs is available with free continuing education credits for health care professionals.
- Security Risk Assessment Tool This tool is not required by the HIPAA Security Rule, but is meant to assist providers and professionals as they perform a risk assessment.
- How to Implement EHRs The first step in EHR implementation is to conduct an assessment of your current practice and its goals, needs, and financial and technical readiness.
- Health Information Exchange Meaningful use requirements, new payment approaches that stress care coordination, and federal financial incentives are all driving the interest and demand for health information exchange.
- What is Meaningful Use? The American Recovery and Reinvestment Act of 2009 authorizes CMS to provide incentive payments to eligible professionals and hospitals who adopt, implement, upgrade, or demonstrate meaningful use of certified electronic health record technology.
- Guide to Privacy and Security of Health Information Protecting patients’ privacy and securing their health information is a core requirement for the Medicare and Medicaid Electronic Health Record (EHRs) Programs.
- CMS and Its Contractors Have Adopted Few Program Integrity Practices To Address Vulnerabilities in EHRs (OIG 2014) Experts in health information technology caution that EHR technology can make it easier to commit fraud. For example, certain EHR technology features may be used to mask true authorship of the medical record and distort information to inflate health care claims.
- Progress in Electronic Health Record Implementation Through HRSA Grants to Health Center Controlled Networks (OIG 2014) Most health centers established the capability for meaningful objectives related to capturing data. However, fewer health centers established the capability for meaningful use objectives related to sharing data. Establishing the capability for objectives relating to sharing data often requires health centers to incur additional EHR-related costs.
- Marketplaces Faced Early Challenges Resolving Inconsistencies With Applicant Data (OIG 2014) Examines how the Federal and State health insurance marketplaces ensured the accuracy of information submitted by applicants for enrollment in qualified health plans and for advance payment of premium tax credits and cost sharing reductions.
- Not All Internal Controls Were Effective in Ensuring That Individuals Were Enrolled in Qualified Health Plans According to Federal Requirements (OIG 2014) The deficiencies in internal controls that we identified may have limited the marketplaces’ ability to prevent the use of inaccurate or fraudulent information when determining eligibility of applicants for enrollment in QHPs.
- CMS System for Sharing Information About Terminated Providers Needs Improvement (OIG 2014) As of June 1, 2013, MCSIS contained records on terminated providers submitted by CMS and 33 State Medicaid agencies and did not contain records from the remaining State Medicaid agencies. Contrary to CMS guidance, about one-third of the 6,439 records in MCSIS did not relate to providers terminated “for cause.” Over half of MCSIS records did not contain NPIs, a critical data element for accurately identifying providers. Additionally, one-third of MCSIS records did not identify the provider types and one quarter had no provider addresses.
- Disclosure and Accounting of Protected Records by CMS Between 2006 and 2011 (OIG 2014) The Centers for Medicare & Medicaid Services (CMS) maintains millions of records containing financial and health-related information. Inappropriate disclosures of records or data maintained in a system of records (SOR) can result in loss of privacy and fraudulent activities. The Privacy Act of 1974 (Privacy Act) governs Federal agencies’ collection, use, and dissemination of individuals’ records maintained in an SOR. CMS maintains SORs, and its disclosures of records must be consistent with the Privacy Act.
- Trends in National Perceptions regarding Privacy and Security (ONC 2014) As electronic health record (EHR) adoption increases and the Health Information Exchange (HIE) expands, the Office of the National Coordinator for Health Information Technology (ONC) seeks to monitor national perceptions regarding privacy and security.
- Electronic Health Records: Fiscal Year 2013 Expenditure Plan Lacks Key Information Needed to Inform Future Funding Decisions (GAO 2014) The DOD/VA expenditure plan did not provide an accurate view of the cost of the work to be done, nor offer significant insight into the future path for building electronic health record interoperability between the departments. As such, the plan does not provide adequate information for Congress, VA, and DOD to use it as a basis for measuring program success, accounting for the use of current and future appropriations, and holding the departments accountable for achieving an interoperable electronic health record.
- Electronic Health Record Programs: Participation Has Increased, but Action Needed to Achieve Goals, Including Improved Quality of Care (GAO 2014) For hospitals, participation increased from 45 percent of those eligible for 2011 to 64 percent of those eligible for 2012. For professionals, such as physicians, participation increased from 21 percent of those eligible for 2011 to 48 percent of those eligible for 2012. While increases occurred, a substantial percentage of providers that participated in 2011 did not participate in 2012.
- Electronic Health Records: HHS Strategy to Address Information Exchange Challenges Lacks Specific Prioritized Actions and Milestones (GAO 2014) Determining specific actions and exchange-related milestones with specified time frames can help to ensure that the agencies’ principles and future actions result in timely improvements in addressing the key challenges reported by providers and stakeholders; this is particularly important because planning for Stage 3 of the EHR programs, which focuses on improving outcomes, is expected to begin as soon as 2014.
- GAO’s Watchdog Report: Transcript for Electronic Health Records (GAO 2014) The use and exchange of electronic health records among health care providers could potentially improve outcomes and quality of care for patients. Two teams led by Linda Kohn, a director in GAO’s Health Care team, recently examined the use and exchange of electronic health records. GAO’s Sarah Kaczmarek sat down with Linda to talk about what they found.
- Electronic Health Records: VA and DOD Need to Support Cost and Schedule Claims, Develop Interoperability Plans, and Improve Collaboration (GAO 2014) The Departments of Veterans Affairs (VA) and Defense (DOD) abandoned their plans to develop an integrated electronic health record (iEHR) system and are instead pursuing separate efforts to modernize or replace their existing systems in an attempt to create an interoperable electronic health record.
- Electronic Health Records: Number and Characteristics of Providers Awarded Medicare Incentive Payments for 2011-2012 (GAO 2013) Hospitals and health care professionals, such as physicians, were awarded a total of approximately $6.3 billion in Medicare electronic health records (EHR) incentive payments for 2012, which is more than twice the $2.3 billion awarded to hospitals and professionals for 2011. Almost half of eligible hospitals and less than a third of eligible professionals received Medicare EHR incentive payments for 2012.
- Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act (GAO 2013) Reviews the Department of Health and Human Services’ (HHS) new rule on modifications to the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act.
- Information Security: Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent (GAO 2013) According to agency officials, the Department of Homeland Security’s role of collecting information and providing assistance on personally identifiable information (PII) breaches, as currently defined by federal law and policy, has provided few benefits. OMB’s guidance to agencies requires them to report each PII-related breach to DHS’s U.S. Computer Emergency Readiness Team (US-CERT) within 1 hour of discovery.
- Clinical Data Registries: HHS Could Improve Medicare Quality and Efficiency through Key Requirements and Oversight (GAO 2013) Clinical data registries (CDR) have demonstrated a particular strength in assessing physician performance through their capacity to track and interpret trends in health care quality over time. CDRs could benefit from new IT standard setting that focuses on data elements needed for the measures that CDRs collect. One way HHS can influence whether EHR vendors use IT standards to design EHR systems that are compatible with CDR needs is through its setting of meaningful use requirements in its EHR incentive programs.
- Early Assessment Finds That CMS Faces Obstacles in Overseeing the Medicare EHR Incentive Program (OIG 2012) This study is an early assessment of CMS’s oversight of the Medicare electronic health record (EHR) incentive program, for which CMS estimates it will pay $6.6 billion in incentive payments between 2011 and 2016. Because professionals and hospitals self-report data to demonstrate that they meet program requirements, CMS’s efforts to verify these data will help ensure the integrity of Medicare EHR incentive payments.
- Electronic Health Records: First Year of CMS’s Incentive Programs Shows Opportunities to Improve Processes to Verify Providers Met Requirements (GAO 2012) GAO reviewed implementing processes to verify whether providers met the Medicare and Medicaid EHR programs’ requirements and, therefore, qualified to receive incentive payments in the first year of the EHR programs. To receive such payments, providers must meet both (1) eligibility requirements that specify the types of providers eligible to participate in the programs and (2) reporting requirements that specify the information providers must report to CMS or the states, including measures that demonstrate meaningful use of an EHR system and measures of clinical quality.
- Not All Recommended Fraud Safeguards Have Been Implemented in Hospital EHR Technology (OIG 2013) This study determined how hospitals that received EHR Medicare incentive payments, administered by the Centers for Medicare & Medicaid Services (CMS), had implemented recommended fraud safeguards for EHR technology.
- Early Outcomes Show Limited Progress for the Transformed Medicaid Statistical Information System (OIG 2013) In response to a Congressional request, the Office of the Inspector General (OIG) agreed to determine the status of national Transformed Medicaid Statistical Information System (T-MSIS) implementation and determine whether early outcomes indicate that T-MSIS data will be complete, accurate, and timely upon national implementation.
- Use of Electronic Health Record Systems in 2011 Among Medicare Physicians Providing Evaluation and Management Services (OIG 2012) We found that 57 percent of Medicare physicians used an EHR system at their primary practice location in 2011. Overall, 95 percent of physicians who used an EHR system to document E/M services first began using it between 2001 and 2011. Of these physicians, the largest percentage (22 percent) began using EHR systems in 2011, the year that CMS commenced its incentive program.
- Early Review of States’ Planned Medicaid Electronic Health Record Incentive Program Oversight (OIG 2011) We also found that data availability limits both the number of eligibility requirements that States plan to verify prior to payment and the completeness of those verifications. Depending on the eligibility requirement, States may have none, some, or all of the data they need to conduct a complete verification.
- Medicare Part D Plan Sponsor Electronic Prescribing Initiatives (OIG 2009) This memorandum report describes Medicare Part D plan sponsors’ voluntary electronic prescribing (e-prescribing) initiatives (hereinafter referred to as initiatives) and implementation strategies to promote e-prescribing adoption.
- Medicare Part D E-Prescribing Standards: Early Assessment Shows Partial Connectivity (OIG 2009) On behalf of the Secretary, the Centers for Medicare & Medicaid Services (CMS) established e-prescribing standards. Three of these standards enable the flow of eligibility, medication history, and formulary and benefits information between plan sponsors and prescribers at the point of care.
- State Medicaid Agencies’ Initiatives on Health Information Technology and Health Information Exchange (OIG 2007) Twelve State Medicaid agencies have implemented a variety of HIT initiatives for Medicaid beneficiaries and participating providers. These include claims-based electronic health records initiatives, electronic prescribing initiatives, remote disease-monitoring initiatives, and personal health records initiatives.
- HIPAA Readiness: Administrative Simplification for Medicare Part B Providers (OIG 2003) Electronic data interchange can eliminate the inefficiencies associated with handling paper documents. It reduces administrative costs and improves overall data quality for transactions, such as health care payments and coordination of benefits.
- HIPAA Readiness: Administrative Simplification for Medicare Part A Providers (OIG 2003) Medicare Part A providers are making steady progress toward meeting the compliance target of October 16, 2003, for implementing the HIPAA electronic transaction standards and code sets. Providers are, however, concerned that their trading partners may not be fully compliant, and this would affect their own ability to implement the electronic standards.
- HIPAA Readiness: Administrative Simplification (1) (OIG 2003) Overall, states are making progress in meeting the October 2003 deadline for implementing the HIPAA electronic transaction standards and code sets. All 51 states expect to be ready to implement the transactions, which will enable them to pay claims for Medicaid beneficiaries. The nine states that anticipate not being fully compliant on October 16, 2003, expect to continue to transact business using compliant and noncompliant electronic data until their systems are ready.
- HIPAA Readiness: Administrative Simplification (2) (OIG 2003) The most significant barriers for the territories are the lack of financial and technical resources. Since the territories’ federal Medicaid funds are capped, they were ineligible for additional federal financial participation funds to implement the electronic transaction standards.
- Health Insurance Standards: New Federal Law Creates Challenges for Consumers, Insurers, Regulators (GAO 1998) Reviews the implementation of the Health Insurance Portability and Accountability Act (HIPAA), focusing on issues affecting: (1) consumers; (2) issuers of health coverage, including employers and insurance carriers; (3) state insurance regulators; and (4) federal regulators.
- Encouraging Physicians to Use Paperless Claims (OIG 1996) HCFA could influence many of the physicians still filing paper claims to switch voluntarily to paperless systems. At the same time, we recognize that not all of these physicians are likely to accept paperless claims and that HCFA needs to begin developing a policy framework that goes beyond expanded outreach, as a way of preparing for the day when paperless claims become the norm.
- Health Insurance Portability: Reform Could Ensure Continued Coverage for Up to 25 Million Americans (GAO 1995) Pursuant to a congressional request, GAO provided information on: (1) the protections offered by current state and federal health insurance portability reforms; (2) the number of people who could be affected by broader national portability standards; and (3) other issues related to the design of national portability standards.
- Health Insurance Regulation: Variation in Recent State Small Employer Health Insurance Reforms (GAO 1995) Pursuant to a congressional request, GAO provided information on state legislation to improve portability, access, and rating practices for the small-employer and individual health insurance markets.
- Electronic Data Interchange and Paperless Processing: Issues and Challenges (OIG 1994) This document raises issues regarding the trustworthiness and reliability of data as it moves from one partner in electronic commerce to another and from one process to another. These issues include confidentiality and privacy, management controls over operations, internal controls, audits and systems certifications, Medicare contractor conflict of interest, validity of contracts, and the integrity of information.
- Electronic Media Claims and Contractors’ For-Profit Subsidiaries (OIG 1992) The three intermediaries, however, refuse to accept direct computer-to-computer EMC submissions for their private line of business unless the provider uses their subsidiary’s software for the transaction. The contractors’ practices of requiring billing services and health care providers to use the contractors’ for-profit EMC subsidiaries may violate Federal antitrust laws.
- Health Hippo ©1996-present