Anesthesia Industry eAlerts
Sent to subscribers every Monday morning, our eAlerts deliver timely updates on regulatory, legislative and practice management developments of interest to anesthesia professionals.
Complete the simple form below to subscribe.
Swan-Ganz Values Increase; HITECH Act Regulations Tighten Up HIPAA Privacy and Security Requirements
September 8, 2009
|
Payments for Swan-Ganz Catheters to Increase The Centers for Medicare and Medicaid Services (CMS) has announced an increase in the valuation of facility practice expenses CPT® code 93503, “Insertion and placement of flow directed catheter (e.g., Swan-Ganz) for monitoring purposes.” The national allowed amount for a Swan-Ganz increases by $27.05 (0.75 new practice expense RVUs x $36.07, conversion factor for procedures and visit services). Geographic adjustments will make the increment applicable to your own practice vary slightly. The increase will apply automatically to claims filed with Medicare after October 5, 2009, when the carriers will have loaded new data tapes on their computers. The higher values apply to services provided on or after January 1, 2009, however. The carriers are not going to initiate reviews and automatically pay past claims, but they must adjust any claims paid at the old rate that you bring to their attention. For further information, download CMS’s MedLearn Matters article. Your private payers probably use the same relative values as Medicare, but they may update them at different times. Check your own contracts to see whether the additional 0.75 relative value units should be retroactively adjusted, or whether they are payable prospectively only, and if so, from what date. Then verify your payments. |
HITECH Act Creates New HIPAA Security and Privacy Requirements
The Stimulus Package adopted in Washington last spring, the American Recovery and Reinvestment Act of 2009, included legislation known as the HITECH Act (Health Information Technology for Economic and Clinical Health). The HITECH Act requires anesthesia practices and other health care providers to notify individuals when their protected health information is breached. The Department of Health and Human Services (HHS) recently adopted the regulations necessary to enforce the new rules, significantly expanding some of the privacy and security requirements under the Health Insurance Portability and Accountability Act (HIPAA). The regulations will become effective on September 23, 2009.
Under the HITECH regulations, if there is (1) a breach of (2) unsecured (3) protected health information as defined by HIPAA, the anesthesia practice: must (4) notify each individual whose unsecured PHI has been, or is reasonably believed by the practice to have been, accessed, acquired, used or disclosed as a result of such breach.
(1) Breach: "the acquisition, access, use, or disclosure of protected health information… which compromises the security or privacy of the protected health information.’’ The breach only “compromises security or privacy if it creates “a significant risk of financial, reputation or other harm to the individual.” There is no breach if one authorized individual inadvertently or improperly discloses the data to another authorized person working within the same organization.
In order to determine whether the harm threshold has been met, covered entities must perform and document a fact-specific risk assessment that takes into account, among other things, the following factors: (a) the person or entity to whom the information was improperly disclosed; (b) whether immediate mitigating steps eliminated or reduced the risk of harm to the individual and (c) the nature and amount of PHI involved in the use or disclosure. The regulations thus impose a new responsibility on organizations to conduct and document formal risk assessments in connection with each improper use or disclosure.
(2) Unsecured: Not encrypted or made unusable by a method approved by HHS.
(3) Protected health information: PHI as defined by HIPAA. The HITECH Act regulations create an exception, however, for “limited data sets,” also defined by HIPAA.
(4) Notify each individual: provide notice of breaches to affected individuals, to the Secretary of HHS and, if there are more than 500 affected individuals in a particular state, to prominent media outlets. Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis.
Notice must be provided without unreasonable delay but in no event more than 60 days after discovery, subject to temporary delays if requested by law enforcement officials. The practice must generally provide written notice to the patient by mail but may send notice by e-mail if the patient has agreed to receive communications in this manner. Alternative notification methods are permitted if the practice lacks contact information for some or all of the affected individuals.
Another change brought about by the HITECH Act is the extension of the notification duty to “business associates” (BAs) of the “covered entity,” for our purposes, the practice. Previously under HIPAA, notification was only required in connection with mitigating damages from an unauthorized disclosure. Now the duty is absolute, and both BAs and the practice itself must notify individuals of breaches of their PHI.
Additionally, HITECH requires BAs to abide by many of the same privacy and security requirements as medical practices and other healthcare providers. Before HITECH, a BA, such as an attorney reviewing PHI, was required to sign an agreement promising to protect the PHI that s/he was accessing, but was not himself or herself regulated by HIPAA. Thus, BAs had only contractual liability to the practice if the BA violated the rules of the agreement. On the other hand, if the practice violated HIPAA, it was subject to specific penalties and fines by the government.
Under HITECH, BAs must now comply with much of the Privacy and Security Rule, and face many of the same penalties and fines if they violate HIPAA regulations. That is, BAs are now accountable to the government if they improperly use or disclose PHI, or fail to adequately secure PHI.
Accordingly, to ensure compliance with the HITECH regulations, anesthesia practices and their business associates should update their BA agreements to reflect the requirements of HITECH. They should adopt policies and procedures for breach notification and conduct training programs for their employees and agents.
This new round of rules was the result of planning for a future nationwide health information exchange and the need to ensure consumer confidence that personal health information would be kept private. The good news is that HHS has indicated that it will not impose penalties based on violations of the regulations prior to February 22, 2010.
ABC will be working with clients to ensure that privacy and security policies, protocols and business associate agreements are updated as necessary. All readers should consider doing likewise. There is no more authoritative guide than the HITECH regulations themselves, which are hyperlinked to this Announcement.
With best regards,
Tony Mira
President and CEO
