Getting a handle on HIPAA and HITECH

Just as practice staff adjusted to HIPAA regulations, along comes a new set of rules addressing privacy and security. More rules, more enforcement, and more penalties. Learn how to avoid mistakes.

After the frenzied and stressful implementation of the various Health Insurance Privacy and Accountability Act (HIPAA) rules over five years ago (Privacy and Transactions and Code Sets in 2003 and Security in 2005), things were just beginning to settle down. Hospital and physician staff were getting a handle on what they could and could not do. Patients were beginning to get used to all the forms and their rights. But with every major new regulation, there will always be changes and adjustments, and so too with HIPAA.

Along comes the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009. One section of this massive legislation addresses the privacy and security concerns associated with the electronic transmission of health information. Not only has legislation made a difference, so have a few years of experience, as well as more electronic health record implementations, more e-prescribing, and an increasingly cyber-focused populace.

The obligations of physician practices are still to ensure the privacy and security of protected health information. However, there are some new aspects that practices should know about.

Enforcement. HITECH established civil and criminal penalties for HIPAA violations. The Office of Civil Rights is the designated agency in charge of enforcing the Privacy and Security Rules, and the Department of Health and Human Services (HHS) has established minimum and maximum civil penalties for the various levels of violation. It is important for practices to know that violations, whether intentional or not, can result in significant penalties if they are not handled promptly and appropriately.

Breach notification. This new rule took effect in September 2009 and enforcement began Feb. 22. This rule specifies what a practice (or business associate) should do if a privacy or security breach occurs. The rule defines what a breach is, how to determine if a breach has occurred, and what to do. ACP recommends that practices review how to keep protected health information private and secure, and include a review of business associate agreements.

5010 transactions. HHS adopted new standards, known as version 5010 of the X12 standard, that covered entities must use when conducting electronic transactions. These include claims, claims status requests and responses, payment to providers, eligibility requests and responses, referral requests and responses, enrollment and disenrollment in a health plan, and Coordination of Benefits. The implementation of 5010, set for Jan. 1, 2012, will require changes to software, systems and perhaps procedures for billing Medicare and other payers. Testing of the new transactions should begin by early 2011 but practices should start preparing this year.

ICD-10. Beginning October 2013, ICD-10, which has nearly 10 times as many codes, will replace ICD-9 for diagnostic coding in outpatient settings and for both diagnosis and procedure codes in inpatient settings. Changing from ICD-9 to ICD-10 will be no small task for practices. ACP will be developing guidance on how to prepare for the transition to ICD-10 at a later time.

For more detailed information on these new regulatory changes, visit ACP's newly revised HIPAA resource page.