HIPAA mandates the use of standards for the electronic exchange of health care data; to specify what medical and administrative code sets should be used within those standards; to require the use of national identification systems for health care patients, providers, payers (or plans), and employers (or sponsors); and to specify the types of measures required to protect the security and privacy of personally identifiable health care information.
The HIPAA Breach Notification Rule is part of the Health Information Technology for Economic and Clinical Health Act, which expands upon the Health Insurance Portability and Accountability Act of 1996 to protect privacy and security of individuals' health information. The rule regulates when and how to notify patients, HHS and in some cases, the media, if health care information has been exposed in a security breach. In addition to the annual notice of breaches to HHS, covered dentists are required to report breaches of unsecured protected health information involving 500 or more individuals to HHS without unreasonable delay, and in no event later than 60 calendar days after discovery of the breach.
Most recently, HHS published proposed rules which would modify the 1996 HIPAA privacy and security rules to incorporate changes Congress included in the 2009 federal economic stimulus package. The proposed changes were mandated by the HITECH Act, which was included in the economic stimulus package and designed to encourage hospitals and physicians to adopt electronic health records. At the time of writing, the draft rule was still open for public comment. The draft rule would allow patients to restrict certain disclosures to health plans and prohibit personal information from being sold without their consent. The rule also proposes treating billing companies, customer service contractors and other businesses the same as physicians, hospitals and insurers, which would subject them to fines and penalties if they violate privacy regulations. Earlier in 2010, HHS significantly increased the maximum penalty for HIPAA violations, to $50,000 per violation and $1.5 million annually. The proposed rule also would grant individuals greater access to their personal data and strengthen the federal Office for Civil Rights' regulatory power over HIPAA's privacy and security provisions.
2006, 2007, 2008, 2009, 2010, 2011, 2012
Forms for providing notice of a breach must be submitted electronically and a separate form must be completed for every breach. Forms may be accessed at http://transparency.cit.nih.gov/breach/.
For more information about submitting breach notification information to HHS, visit http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html
2009, 2010, 2011, 2012
Health information technology helps save lives and lower costs. Four major goals of HITECH to advance the use of health information technology (Health IT):
As a result of this legislation, the Congressional Budget Office estimates that approximately 90 percent of doctors and 70 percent of hospitals will be using comprehensive electronic health records within the next decade.
Section 302 of the Tax Relief and Health Care Act of 2006 makes the RAC Program permanent and requires the Secretary to expand the program to all 50 states by no later than 2010.
The RAC demonstration program has proven to be successful in returning dollars to the Medicare Trust Funds and identifying monies that need to be returned to providers. It has provided CMS with a new mechanism for detecting improper payments made in the past, and has also given CMS a valuable new tool for preventing future payments.
Section 132 of the Medicare Improvements for Patients and Providers Act of 2008 (MIPPA) authorizes a new and separate incentive program for individual eligible professionals who are successful electronic prescribers (e-Prescribers) as defined by MIPPA.
This new incentive is separate from and is in addition to the quality reporting incentive program authorized by Division B of the Tax Relief and Health Care Act of 2006 - Medicare Improvements and Extension Act of 2006 (MIEA-TRHCA) and known as the Physician Quality Reporting Initiative (PQRI).
Eligible professionals do not need to participate in PQRI to participate in the E-Prescribing Incentive Program.
2008, 2009, 2010, 2011, 2012, 2013, 2014
The 2006 Tax Relief and Health Care Act (TRHCA) (P.L. 109-432) required the establishment of a physician quality reporting system, including an incentive payment for eligible professionals (EPs) who satisfactorily report data on quality measures for covered services furnished to Medicare beneficiaries during the second half of 2007 (the 2007 reporting period). CMS named this program the Physician Quality Reporting Initiative (PQRI).
The Medicare, Medicaid, and SCHIP Extension Act of 2007 (MMSEA), signed by the President on December 29, 2007, authorized the continuation of the PQRI for 2008 and 2009. MMSEA permitted program flexibility for 2008 by authorizing CMS to establish alternative mechanisms to previously established claims-based reporting of PQRI quality data. MMSEA provisions require alternative reporting periods and alternative criteria for satisfactorily reporting quality measures data through medical registries and reporting measures groups. In 2008, eligible professionals may earn an incentive payment of 1.5 percent of their total estimated allowed charges for Medicare Part B PFS covered professional services furnished during the respective reporting periods. While TRHCA established a cap on incentive payments for 2007, based on an average per measure payment amount, MMSEA removed the cap on incentive payments.
The Medicare Improvements for Patients and Providers Act of 2008 (MIPPA) made the PQRI program permanent, but only authorized incentive payments through 2010. Eligible Professionals who meet the criteria for satisfactory submission of quality measures data for services furnished during the 2009 or 2010 reporting period will qualify to earn an incentive payment of 2.0 percent of their total estimated allowed charges for Medicare Part B PFS covered professional services furnished during that same period.
Most recently, the Affordable Care Act (ACA) makes a number of changes to the PQRI, including authorizing incentive payments through 2014 and requiring a penalty, beginning in 2015, for eligible professionals who do not satisfactorily report. Eligible professionals who meet the criteria for satisfactory submission of quality measures data for services furnished during the 2011 reporting period will qualify to earn an incentive payment of 1.0 percent of their total estimated allowed charges for Medicare Part B PFS covered professional services furnished during that same period. For 2012 through 2014, eligible professionals may earn an incentive payment of 0.5 percent of their total estimated allowed charges for Medicare Part B PFS covered professional services furnished during the respective reporting periods. Beginning in 2015, eligible professionals who do not satisfactorily report PQRI measures may be subject to a payment adjustment, or penalty. Specifically, if an eligible professional does not satisfactorily report for the reporting period for the year, the PFS amount for covered professional services furnished by such professional during the year shall be less than the PFS amount that would otherwise apply by 1.5 percent for 2015 and 2.0 percent for 2016 and each subsequent year.
The ACA also authorizes an additional 0.5 percent incentive for 2011 through 2014 for eligible professionals who satisfactorily report and more frequently than is required to qualify for or maintain board certification status participates in a Maintenance of Certification Program (MOCP) for a year and successfully completes a qualified MOCP practice assessment for such year.
2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016
The Centers for Medicare and Medicaid Services (CMS) now requires all physicians and non-physician practitioners who are eligible to render and/or order items or services, or refer Medicare beneficiaries to other Medicare providers or suppliers for services, to have current enrollment records in Medicare. A current enrollment record is one that is in the Medicare Provider Enrollment, Chain and Ownership System (PECOS) and also contains the physician/non-physician practitioner's National Provider Identifier (NPI). A physician or non-physician practitioner who renders, orders, or refers and who does not have a current enrollment record that contains the NPI will cause the claim submitted by the Part B provider/supplier who furnished the ordered or referred item or service to be rejected.
CMS will require all Medicare providers to revalidate their enrollment information, regardless if they have revalidated their information within the current five year revalidation timeframe. CMS’ new enrollment procedures are a result of Health Reform initiatives to minimize fraud within the Medicare program. This mandatory enrollment revalidation ties in with CMS’ new provider screening and risk categories to help ensure that only legitimate providers and suppliers are enrolled in Medicare, Medicaid, and CHIP, and that only legitimate claims are paid. CMS stated physicians that enrolled in Medicare prior to 2003 (the time when the PECOS enrollment system went into affect) and who have not completed a Medicare enrollment application since that time may voluntarily re-enroll. Those who choose not to voluntarily come into compliance will be asked to do so through a revalidation process, which ensures that Medicare has complete and current information on all Medicare providers and suppliers and guarantees continued compliance with Medicare requirements.
CMS has recently extended its revalidation deadline date from March 2013, to March 2015. It is critical to note that once a physician receives a request to revalidate, they are only given 60 days to respond to a contractor’s request. Physicians who do not respond to a revalidation request could face revocation of their billing privileges.
ICD-10-CM is the new diagnosis coding system that is being developed as a replacement for ICD-9-CM, Volumes 1 & 2. The implementation deadline is October 1, 2013. ICD-10 codes must be used on all HIPAA transactions, including outpatient claims with dates of service, and inpatient claims with dates of discharge on and after October 1, 2013. Otherwise, your claims and other transactions may be rejected, and you will need to resubmit them with the ICD-10 codes. This could result in delays and may impact your reimbursements, so it is important to start now to prepare for the changeover to ICD-10 codes. This change does not affect CPT coding for outpatient procedures.
2008, 2009, 2010, 2011, 2012, 2013
Beginning October 2013, all entities covered under HIPAA must transition into the complete use of the ICD-10 coding and reimbursement system. Many providers and their staff have questions pertaining to this new coding system. The Centers for Medicare and Medicaid (CMS) have created four implementation handbooks to assist in the transition into ICD-10. These handbooks are step-by-step guides specifically for small and medium provider practices, large provider practices, small hospitals, and payers.
The appendix of each handbook references the direct audience and relevant templates which are available for download in both Excel and PDF files below. The templates are customizable and have been created to help entities clarify staff roles, set internal deadlines/responsibilities and assess vendor readiness.
The Health and Human Services (HHS) Office of the Inspector General (OIG) is responsible for policing all HHS agencies including fighting fraud and abuse. The OIG conducts investigations in conjunction with other law enforcement agencies such as the Federal Bureau of Investigations (FBI), U.S. Postal Inspection Service and various state Medicaid Fraud Control units. Responsibilities include auditing, investigating and inspecting HHS programs and operations, identifying program weaknesses; leading activities to prevent fraud and abuse from occurring; finding wrongdoers and abusers of HHS programs and applying sanctions when necessary. The OIG may investigate individuals, facilities and entities for services claimed but not rendered or not medically necessary, claims that manipulate codes in an effort to inflate reimbursement amounts and other false claims submitted to obtain program funds.
ACOs are groups of doctors, hospitals, and long-term care facilities, who come together voluntarily to provide high quality care to the Medicare patients they serve. The intention is that the coordinated care these ACOs provide, will ensure patients, especially the chronically ill, get the right care at the right time with the goal of avoiding unnecessary duplication of services and unnecessary costs. When an ACO succeeds in both delivering high quality care and spending health care dollars more wisely, it will share in the savings it achieves for the Medicare program.
Predictive Modeling systems use step-by-step procedures and other calculative methods to predict fraudulent provider enrollment records and stolen provider/beneficiary identification numbers.
Predictive Modeling is building on the new anti-fraud tools and resources provided by the Affordable Care Act to help move CMS beyond its former payment recovery operations to a new approach. This approach focuses on preventing fraud and abuse before a payment is ever made.
By harmonizing standards, different information systems, networks, and software applications will be able to "speak the same language" and work together technically to manage and use consistent, accurate, and useful health information for providers and consumers.
The Office of the National Coordinator established the Health Information Technology Standards Panel (HITSP), a public-private partnership with broad participation across more than 300 health related organizations, to identify and harmonize data and technical standards for healthcare. HITSP operates with an inclusive governance model established through the American National Standards Institute (ANSI).
2011, 2013, 2015
The American Recovery and Reinvestment Act authorizes the Centers for Medicare & Medicaid Services (CMS) to provide a reimbursement incentive for physician and hospital providers who are successful in becoming "meaningful users" of an electronic health record (EHR). These incentive payments begin in 2011 and gradually phase down. Starting in 2015, providers are expected to have adopted and be actively utilizing an EHR in compliance with the "meaningful use" definition or they will be subject to financial penalties under Medicare.
The Meaningful Use proposed rule included a set of objectives -- 23 for hospitals and 25 for clinicians -- health care providers must meet to demonstrate meaningful use. In response to comments from some stakeholders that the "all-or-nothing" approach was too demanding and inflexible, CMS divided the objectives into two groups: a core set of objectives -- 14 measures for hospitals and 15 measures for physicians and "eligible providers" -- that must be met and a set of 10 additional tasks from which providers can choose any five to implement during Stage 1 of the federal incentive payment program.
Federal officials will release additional information on the Stage 2 and Stage 3 meaningful use requirements over the next few years.
2009, 2010, 2011, 2013, 2015
With the emergence of health information technology (health IT) and the demonstrated benefits of the electronic management of health information, purchasers and other users of health IT systems need to be assured that the systems that will: (1) Provide needed capabilities; (2) Securely manage information and protect confidentially; and (3) Work with other systems without reprogramming. Health IT certification can provide this assurance, increasing confidence that healthcare professionals have in health IT systems when they make purchase decisions and confidence that consumers have that their information is secure and appropriately available.
2009, 2010, 2011, 2015
Under the Red Flags Rules, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs — or "red flags" — of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any service providers.
Encourage adoption of EHRs by clinicians and hospitals; Assist clinicians and hospitals to become meaningful users of EHRs; and Increase the probability and adopters of EHRs will become meaningful users.
Assistance with the implementation, effective use, upgrading and ongoing maintenance of HIT, EHRs, to healthcare providers nationwide; broad participation of individuals from industry, state government and universities; active dissemination of best practices, participation, utilization and integration of health information.
Development of regional centers for all providers to access information and assistance.
On March 30, 2010, the President signed the Health Care and Education Reconciliation Act amending the Patient Protection and Affordable Care Act signed the week prior.
On April, 9 2012, the Centers for Medicare and Medicaid Services released an announcement of their proposed rule which will delay the implementation of ICD-10-CM for an entire year. The new October 1, 2014 implementation date is to provide the healthcare industry extra time to prepare for the transition. The proposed rule also stated that problems implementing the HIPAA Version 5010 for electronic claims submission had a factor in the ICD-10-CM delay. CMS originally considered delaying ICD-10-CM for two years until 2015, but decided that would have too much of a financial burden on those organizations who have prepared for the October 1, 2013 implementation date.
On August 22, 2012, the Centers for Medicare and Medicaid Services (CMS) published the final rule delaying the ICD-10-CM implementation date from October 1, 2013 to October 1, 2014. CMS extended the implementation date due to the lack of business process preparation and knowledge of the updated medical code sets within the healthcare field. ICD-10-CM is an updated, more specific set of coding guidelines created to take the place of ICD-9-CM. CMS states their belief that delaying the implementation by one full year “will give the covered healthcare providers and other covered entities more time to prepare and fully test their systems to ensure a smooth and coordinated transition by all covered entities.”
Despite the delay, the AAOMS will continue to move forward with their efforts to educate its members on ICD-10-CM using workshops and other resources to prepare members and their staff. The AAOMS wants to be sure its members have ample opportunity and time to prepare for the transition to ICD-10. ICD-10 is a more complex and more specific code set; therefore some may feel they need to attend two or more workshops before they are fully knowledgeable. There is also some speculation that some carriers may allow the early submission of ICD-10-CM claims as trial for those organizations looking for practice. AAOMS encourages providers and their staff to continue their education towards ICD-10-CM as planned due to the extensive changes ICD-10-CM will bring. For information pertaining to AAOMS’ ICD-10-CM Coding Workshops visit www.aaoms.org. Additional resources are available at www.aaoms.org.
2008, 2009, 2010, 2011, 2012, 2013
The Centers for Medicare and Medicaid Services have released a new requirement for physicians, providers and suppliers billing Medicare carriers for radiological services paid for under the Medicare Physician Fee Schedule. This requirement is in response to annual reports from audits performed by the Office of Inspector General which shows the “significant” percentage of physician claims which have incorrectly coded the Place of Service (POS) codes. CMS has also clearly defined how to properly code the POS when the technical component of a test is done in a separate place than the professional component.
Effective October 1, 2012 all providers who perform the professional component/interpretation of a radiology test in their office or practice, must reflect the same place of service (POS) code where the technical component/ or actual face-to-face portion of the test was performed. This means if the patient received the radiological testing in a setting such as an outpatient hospital or Ambulatory Surgery Center (ASC), but the test was read by a physician in his or her office, the physician who read the report must bill the code to describe where the actual face-to-face test was performed. A few examples of POS codes which an OMS may bill would be:
NOTE: Physicians are not to use POS code 11 (office) for ASC based services unless the physician has an office at the same physical location of the ASC which meets all other requirements for operating as a physician office at the same physical location as the ASC. See the ASC state operating manual on the CMS website for the correct billing criteria.
An example of the correct way to use a POS code would be: A beneficiary receives an MRI at an outpatient hospital near his/her home. The outpatient hospital submits a claim that would correspond to the Technical Component (TC) portion of the MRI. The physician furnishes the interpretation or Professional Component (PC) portion of the beneficiary’s MRI from his/her office location – POS code 22(Outpatient Hospital) shall be used on the physician’s claim to indicate that the beneficiary received the face-to-face portion of the MRI, the TC, at the outpatient hospital. Although, reporting the outpatient place of service code, the physician should enter the address and ZIP code of his/her office location so that the appropriate payment locality can be determined.
The Affordable Care Act (ACA) requires all HIPAA covered entities to be compliant with the applicable HIPAA standards and associated operating rules. The ACA defines the operating rules for the HIPAA transaction standards as “the necessary business rules and guidelines for the electronic exchange of information that are not defined by a standard or its implementation specifications”. There are three sets of operating rules that were created by the Committee on Operating Rules for Information Exchange (CORE). CORE is an initiative implemented by the Council for Affordable Quality Healthcare (CAQH). The CAQH describes the operating rules as an addition to existing standards to make electronic transactions more predictable and consistent, regardless of the changing technology. Beyond reducing cost and administrative hassles, operating rules foster trust among all participants.
The CAQH CORE operating rules will offer physician practices the ability to determine a patient’s eligibility and financial responsibility for specific services prior to or while the patient is still in the office so they may accept payment from patients at the time of service. Electronic eligibility verification will now provide the patient’s co-payment, co-insurance and remaining deductible amounts, while the claim status feature will provide for timely acknowledgment and status reporting, including error and remark codes. The first set of operating rules (Phase I and Phase II), implemented on January 1, 2013 were enforced March 31, 2013. Phase I and Phase II specify eligibility and claim status for HIPAA covered entities. More information on the first two phases can be found below:
The second set of operating rules (Phase III) has a compliance date of January 1, 2014 for all HIPAA covered entities. Phase III is for the implementation of the national operating rules for Electronic Funds Transfer (EFT) and Electronic Remittance Advice (ERA). More information on Phase II can be found below:
The third and final set of HIPAA operating rules effective as of January 1, 2016, will mandate health claims or equivalent encounter information, enrollment and disenrollment in a health plan, health plan premium payments, referral certification and authorization, and claims attachment. The third set of HIPAA operating rules is not categorized as a specific phase. More information on the third set of rules that will be implemented in 2016 can be found on the CAQH Timeline at http://www.caqh.org/ORMandate_timeline.php.
2013, 2014, 2016
On March 23, 2010, President Obama signed the Patient Protection and Affordable Care Act (PPACA), or the Affordable Care Act (ACA). The ACA is aimed at increasing the rate of health insurance coverage for Americans and reducing the overall costs of health care. The ACA contains many mandates to help reduce Medicare spending such as:
For more information relating to the ACA and all of its provisions, see the CMS provisions download below.