Getting a handle on HIPAA and HITECH

From the March ACP Internist, copyright © 2010 by the American College of Physicians

After the frenzied and stressful implementation of the various Health Insurance Privacy and Accountability Act (HIPAA) rules over five years ago (Privacy and Transactions and Code Sets in 2003 and Security in 2005), things were just beginning to settle down. Hospital and physician staff were getting a handle on what they could and could not do. Patients were beginning to get used to all the forms and their rights. But with every major new regulation, there will always be changes and adjustments, and so too with HIPAA.

Along comes the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009. One section of this massive legislation addresses the privacy and security concerns associated with the electronic transmission of health information. Not only has legislation made a difference, so have a few years of experience, as well as more electronic health record implementations, more e-prescribing, and an increasingly cyber-focused populace.

The obligations of physician practices are still to ensure the privacy and security of protected health information. However, there are some new aspects that practices should know about.

Enforcement. HITECH established civil and criminal penalties for HIPAA violations. While the Office of Civil Rights is the designated agency in charge of enforcement of the Privacy and Security Rules, the Department of Health and Human Services (HHS) established minimum and maximum civil penalties for various levels of violation. It is important for practices to know that violations, whether intentional or not, can result in significant penalties if not handled promptly and appropriately.

Breach notification. This new rule took effect in September 2009 and enforcement began Feb. 22. This rule specifies what a practice (or business associate) should do if a privacy or security breach occurs. The rule defines what a breach is, how to determine if a breach has occurred, and what to do. ACP recommends that practices review how to keep protected health information private and secure, and include a review of business associate agreements.

5010 transactions. HHS adopted new standards, known as version 5010 of the X12 standard, that covered entities must use when conducting electronic transactions. These include claims, claims status requests and responses, payment to providers, eligibility requests and responses, referral requests and responses, enrollment and disenrollment in a health plan, and Coordination of Benefits. The implementation of 5010, set for Jan. 1, 2012, will require changes to software, systems and perhaps procedures for billing Medicare and other payers. Testing of the new transactions should begin by early 2011 but practices should start preparing this year.

ICD-10. Beginning October 2013, ICD-10, which has nearly 10 times as many codes, will replace ICD-9 for diagnostic coding in outpatient settings and for both diagnosis and procedure codes in inpatient settings. Changing from ICD-9 to ICD-10 will be no small task for practices. ACP will be developing guidance on how to prepare for the transition to ICD-10 at a later time.

For more detailed information on these new regulatory changes, visit ACP’s newly revised HIPAA resource page.

• Jul/Aug 2010
• Jun 2010
• May 2010
• Apr 2010
• Mar 2010

ACP Career Connection

Looking for a new internal medicine or subspecialty position?

ACP Career Connection can help you find your next job in internal medicine. Search internist and subspecialist positions nationwide that suit your criteria and preferences. Jobs are posted about two weeks before print publication of Annals of Internal Medicine, ACP Internist, and ACP Hospitalist. Exclusive “Online Direct” opportunities are updated weekly. Check us out online.

Assess your knowledge and identify areas needing further study with this completely new, original body of scholarly work written by experts in each subspecialty.

Find out more about MKSAP 15.

The first release of MKSAP 15 Updates is also now available!

Plan ahead and register now for Internal Medicine 2011! Pre-course and reserved session registrations are now available. Start now!