Know your 5010 from your ICD-10



HIPAA.com discussed in its preceding posting this Interim Final Rule (IFR) for “adoption of standards and operating rules for Electronic Funds Transfers (EFT) and operating rules for remittance advice…”, as required by the Patient Protection and Affordable Care Act of 2010 (Public Law 111-148). [124 STAT. 153] The Office of Management and Budget (OMB) completed its regulatory review on January 3, 2012, and the IFR is available for pre-publication review prior to January 10, 2012, when it will be published in the Federal Register. The title of the IFR is: Administrative Simplification: Adoption of Standards for Health Care Electronic Funds Transfers (EFTs) and Remittance Advice.



The Centers for Medicare & Medicaid Services (CMS) of the Department of Health and Human Services (HHS) has sent to the Office of Management and Budget (OMB) its Interim Final Rule (IFR) for adoption of standards and operating rules for Electronic Funds Transfers (EFT) and operating rules for remittance advice. Following review by OMB, the IFR is expected to be published in the Federal Register before January 1, 2012, as required by statute [124 STAT. 153].



The Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) is responsible for enforcement of compliance with electronic transaction standards. January 1, 2012, is the date for covered entities to achieve compliance with ASC X12 Version 5010, NCPDP Telecom D.0, and NCPDP Medicaid Subrogation 3.0 transaction standards. CMS announced on November 17, 2011, that “[w]hile enforcement action will not be taken [from January 1-March 31, 2012], OESS will continue to accept complaints associated with compliance with Version 5010, NCPDP D.0 and NCPDP 3.0 transaction standards during the 90-day period…. If requested by OESS, covered entities that are the subject of complaints (known as ‘filed-against entities’) must produce evidence of either compliance or a good faith effort to become compliant with the new HIPAA [version] standards during the 90-day period.” [emphasis added]



The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for privacy and security enforcement under the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act provisions. OCR has announced that it is initiating compliance audits beginning this month, as authorized by the HITECH Act. This action precedes the imminent release of the Final HIPAA/HITECH Act Privacy, Security, Breach Notification, and Enforcement Rules, expected before the end of 2011, and will strengthen enforcement and accountability for compliance with existing and forthcoming Rule modifications. To avoid the consequences of potential penalties for non-compliance, covered entities and business associates must now pay immediate attention to conducting a new risk assessment, or reviewing an existing one, of threats and vulnerabilities to protected health information (PHI), mitigating identified risks through privacy and security safeguard policies and procedures, training their workforce members to safeguard privacy and security of PHI, and documenting those actions in writing.



On November 4, 2011, OCR reported a total of 364 such breaches, up from 345 in its previous post in October. The 364 breaches have impacted 18,190,451 persons in breaches reported by covered entities from September 22, 2009—the day prior to the effective date of the Breach Notification Rule—to September 14, 2011. The increase of 6,230,963 impacted individuals represents a skyrocketing jump of just over 52% from the 11,959,488 accounted for in the October post of 345 breaches. The growing number of individuals affected by privacy and security breaches heightens the need for OCR to issue the Final Privacy, Security, Breach Notification, and Enforcement Rules and strengthen enforcement and accountability through compliance audits and complaint and breach investigations to ensure compliance with those Rules. Covered entities and business associates must pay more attention to conducting risk assessments and mitigating risks through privacy and security safeguard policies and procedures, and especially training their workforce members to safeguard electronic hardware, devices, and media containing protected health information (PHI). Investment now in HIPAA/HITECH Act privacy and security safeguards to minimize risk to PHI is a cost-effective and wise investment, especially in ENCRYPTING YOUR PHI on mobile and portable electronic devices and media with a high likelihood of being lost or stolen.



The Office of the National Coordinator for Health Information Technology (ONC) of the Department of Health and Human Services (HHS) published a notice in the Thursday, November 3, 2011, Federal Register that extends the life of the “temporary certification program for health information technology” beyond its expected sunset date of December 31, 2011, to at least summer 2012.



As of October 25, 2011, OCR has reported 345 such breaches involving a total of 11,959,488 individuals. Not reflected yet in the OCR disclosed breaches are two involving 6.5 million individuals: a Nemours breach of 1.6 million individuals and a TRICARE breach involving 4.9 million individuals. OCR has indicated on several occasions this year that the final Omnibus Privacy, Security, Breach Notification, and Enforcement Rules will be published in the Federal Register by the end of 2011. It is time to get the enabling Final Rules published in the Federal Register. Perhaps then, and certainly after expected compliance with the Rules is required in 2012, covered entities and their business associates will sharpen focus on safeguarding protected health information that is created, stored, in motion, or disposed of, thereby lessening the likelihood and consequences of breaches and detection of non-compliance via audits and investigations.



On February 17, 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) was enacted as part of the so-called stimulus package known as the American Recovery and Reinvestment Act (Public Law 111-5). Enhanced privacy and security provisions—including extension of requirements to business associates of covered entities, specification of breach notification requirements for unsecured protected health information, and substantially increased penalties for non-compliance—were included in the HITECH Act. These provisions have been encapsulated in notices of proposed rulemaking and interim final rules. The federal government has indicated that Final Rules for Privacy, Security, Breach Notification, and Enforcement will be published in the Federal Register simultaneously—no later than the end of 2011, and expected in September as noted by the Office of Information and Regulatory Affairs at the Office of Management and Budget (OMB), with HDM Breaking News on July 7, 2011, reporting that the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) “confirms that anticipated timetable.” If so, and with compliance required for privacy and security changes 240 days following publication, compliance would be required most likely in May 2012. Note that, as interim final rules, breach notification requirements and enforcement penalties already require compliance or are effective, respectively. Again, if your organization has not already done so, it is time to start or review your risk assessment, with guidance available from the National Institute of Standards and Technology (NIST), prepare your required policies and procedures for safeguarding protected health information based on risk assessment outcomes, and provide privacy and security safeguard training to your workforce members on those policies and procedures. Final rules will be out soon and the time to achieve compliance–240 days from publication–is short.
We recommend that you start now.
