New Privacy & Security Rules Included in Stimulus Bill

The economic stimulus package also includes new privacy and security requirements for the handling of medical records. Many of the provisions will become effective in 12 months. Although the focus of the legislation is on electronic records, most of the provisions apply to paper records as well.

The legislation expands the Health Insurance Portability and Accountability Act (HIPAA) to include business associates who work with medical records for doctors, hospitals and other covered entities. Under the legislation, business associates will be subject to criminal and civil penalties. This extension of HIPAA will greatly impact health IT companies.

The legislation also includes a requirement that covered entities and business associates notify individuals in the event of a security breach of their personal health data. Breaches that involve 10 or more patients must be posted on the covered entity or business associate's website. Breaches involving 500 or more patients must be disclosed to prominent media and must be immediately reported to HHS. These breach notification provisions will preempt less stringent state laws, creating a federal “floor” for notification requirements.

The Act also requires HHS to issue guidance within 18 months as to what constitutes the "minimum necessary" amount of data for purposes of HIPAA's requirement that the minimum necessary data may be disclosed for non treatment purposes.

The legislation also includes provisions for the following:

    • Prohibiting covered entities and business associates from selling individuals' health records without the individuals' specific consent;
    • Extending the HIPAA Privacy Rule to cover companies that offer EHRs to individuals; and
    • Providing that patients may block physicians from sending their information to insurance companies if patients pay for their appointments.

The Act increases penalties for HIPAA violations and gives states attorneys general enforcement rights on behalf of citizens. In addition, the Act requires that regional privacy advisers be appointed in HHS's 10 regional offices. The privacy advisers will be responsible for ensuring compliance with the new rules. Finally, a new Health IT Policy Committee and Health IT Standards Committee will become the lead advisory board to the Office of the National Coordinator for Health Information Technology at HHS, replacing the privately run National eHealth Collaborative.

CMS Releases Advance Notice of 2010 Medicare Advantage Capitation Rates and Drug Benefit Payment Policies

On February 20, 2009, Centers for Medicare & Medicaid Services (CMS) released its Advance Notice of Methodological Changes for Calendar Year (CY) 2010 for Medicare Advantage Capitation Rates and Part C and Part D Payment Policies. The Advance Notice includes proposed changes to Medicare Advantage capitation rates, risk adjustment of payments for Medicare Advantage and Medicare prescription drug plans, and updates to the Medicare Part D benefit. As required by statute, the Advance Notice was released 45 days prior to announcement of the final rates on April 6, 2009.

The Advance Notice includes a preliminary estimate of a 0.5 percent increase in the National Per Capita Medicare Advantage Growth percentage, which is applied to county-specific capitation rates. The county capitation rates define the upper limit for CMS payments to Medicare Advantage plans. The Advance Notice also announces proposed normalization factors for Part C and Part D risk scores, which are used to maintain average Part C and Part D risk scores at 1.0 for each payment year. The preliminary normalization factor for Part C risk scores is 1.041, and for Part D risk scores is 1.146.

In addition, CMS announced the annual updates to Medicare Part D benefit parameters for 2010, increasing the deductible, initial coverage limit and out-of-pocket threshold for the defined standard benefit for 2010 by 3.13 percent.

The Advance Notice addresses other topics, including further adjustments to the calculation of Part C and Part D risk scores, calculation of the Medicare Secondary Payer adjustment for Medicare Advantage plans, access standards for Medicare Advantage private fee-for-service plans operating in a network area for 2011 and changes to Medicare Part D drug cost reporting by Part D sponsors.

You may read the full text of the Advance Notice here, and the CMS Fact Sheet regarding the Advance Notice.

Changes Made to the RAC Program

The CMS announced that it will commence the Recovery Audit Contractor (RAC) program after settling protests filed by two unsuccessful bidders of the RAC program contracts. As discussed by CMS's Marie Casey at a recent American Health Lawyers Association meeting, there have been several changes made to the RAC program in an effort to make the program more transparent and accurate and less of a burden on providers. The significant changes to the RAC program include:

    • Limiting the "look-back" period to three years with the maximum look-back date of October 7, 2007;
    • Accepting imaged medical records from providers on CD/DVDs in lieu of paper records;
    • Limiting the number of medical records that are requested for review (e.g., for inpatient hospital claims, the number of records are limited to 10 percent of average monthly Medicare paid claims per 45 days with a maximum of 200 medical records per 45 days);
    • Requiring each RAC to employ a medical director who is a physician and certified coders to ensure that the audits are completed accurately; 
    • Requiring the RAC to return its contingency if a provider contests a RAC audit and the RAC loses at any level of the appeal; and
    • Posting new issues targeted by the audits on the RAC's website to allow for more transparency.

In order to prepare for the implementation of the permanent RAC program, Casey advised providers to conduct their own internal reviews to determine if they are compliant with Medicare rules, track denied claims and implement procedures to avoid improper payments.

New Jersey Physician Self-Referral Law Passed by the Assembly

On February 5, 2009, the New Jersey Assembly passed Senate Bill 787, which amends the Physician Self-Referral Law. The bill is headed to Gov. Jon Corzine to be signed into law. As reported in a previous issue of the Pulse, the bill adds restrictions for licensure of new ambulatory care facilities (ACFs), single room surgical facilities, facilities jointly or solely owned by a hospital and transfers of ownership or relocation of existing ACFs. Surgical practices will be required to register with HSS within one year of the effective date of the law and will be subject to annual reporting requirements. As a requirement of registration, a surgical practice will be required to obtain certification, as an ACF provider, by CMS or an accrediting body recognized by CMS. In addition, existing ACFs will be required to obtain ambulatory care accreditation within one year of the law’s effective date, and new ACFs must be accredited as a condition of HSS licensure.

Significantly, the bill removes the statutory exception for physician self-referrals to radiation therapy and lithotripsy services for the first time since the Physician Self-Referral Law was enacted in 1991. Only practitioners who currently, or within one year from the date of enactment of the bill, will have a significant beneficial interest in radiation therapy or lithotripsy services will be permitted to continue to refer patients to those services, provided they comply with the bill’s disclosure requirements.

The HITECH Act & Beyond: Funding for the Adoption of Health Care IT

Under the Stimulus Package signed into law by President Obama on February 17, $19 billion has been appropriated to fund the promotion of a national infrastructure for the electronic exchange of health information and the widespread adoption of electronic health record (EHR) technology. The $19 billion includes $2 billion appropriated under the Health Information Technology for Economic and Clinical Health (HITECH) Act. These funds are to be spent by the Department of Health and Human Services (HHS) to fund private and public/private initiatives to promote the adoption of health information technology. Congress has instructed HHS to expend these funds "as quickly as possible consistent with prudent management."

The remaining $17 billion is in the form of incentive payments to be made to "eligible professionals" and hospitals that are "meaningful users" of health information technology. These incentive payments will commence in fiscal year 2011, and are phased out over a four-year period for hospitals and over five years for "eligible professionals."

The key provisions of the HITECH Act include:

    • $17 billion in incentive payments to Medicare and Medicaid hospitals and "eligible professionals" that become "meaningful users" of EHR technology. The formula for determining hospital payments involves a $2 million base payment adjusted by a variety of factors, including annual Medicare discharges and inpatient days. Meaningful use includes: (i) electronic exchange of health information to improve the quality of care, such as promoting coordination of care; and (ii) reporting on clinical quality measures (which will become more stringent over time).
    • An appropriation of $2 billion to support regional and state initiatives that promote the adoption of EHR technology and best practices. 
    • The formal establishment of the Office of the National Coordinator for Health Information Technology (HIT), and creation of the HIT Policy Committee and the HIT Standards Committee.

In addition to the $19 billion discussed above, the stimulus package includes significant funding for other health-related initiatives, including:

    • $1.5 billion for grants for construction, renovation, equipment and acquisition of HIT systems for community health centers;
    • $1 billion for wellness and prevention programs;
    • $1 billion for grants or contracts to construct, renovate or repair existing nonfederal research facilities;
    • $1.1 billion for comparative effectiveness research;
    • $500 million for grants to community health centers;
    • $500 million to expand training of primary care professionals;
    • $360 million for construction of research facilities; and
    • Improved privacy and security protections for health information as health IT usage increases.
Source: Health Law Regulatory Update