Maria is an experienced writer, providing content for Healthcare Industry News since 2021. Working as a senior writer, Maria focuses on news reporting, making the complex healthcare topic comprehensible for readers. Maria’s expertise and dedication to delivering accurate stories make him a trusted source on our site.
The Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) announced that there is going to be some sweeping regulatory modifications and waivers to provide the most versatility to medical professionals when caring for patients throughout the COVID-19 outbreak. The latest modifications will permit healthcare providers to work as medical care delivery coordinators in their zones.
The non-permanent changes to remove constraints are supposed to establish hospitals and health systems with no walls. Consequently, hospitals and health systems will have less trouble dealing with a likely substantial increase in COVID-19 patients during the coming days.
Under standard situations, federal constraints require hospitals to deliver healthcare services inside their established facilities, however, this won’t be feasible with a rise in patient numbers. With the number of COVID-19 cases growing bigger, hospitals will subsequently fill up their capacity. If they don’t have added sites to treat patients, they are going to be overloaded.
To make certain that all patients could be given treatment and nobody is left behind, the CMS has laid-back constraints and gave interim new guidelines that would permit the giving of treatment in other areas. Numerous ambulatory surgery facilities have opted to call off elective treatments for the period of the public health emergency. Hospitals and health systems will be authorized to utilize those areas including inpatient rehabilitation hospitals, as well as hotels and dormitories, and would still be entitled to obtain a refund for services with Medicare. The new areas may be utilized to give healthcare services to non-COVID-19 patients to provide inpatient beds for COVID-19 patients that must have intensive treatment and respirators.
The CMS stated that ambulatory surgery facilities have two choices.
They could either agree with community healthcare systems to deliver services on behalf of the healthcare facility
They may enroll and charge CMS being hospitals during the public health emergency proclamation if that is not conflicting with their State’s Emergency Preparedness or Pandemic Strategy.
Healthcare companies won’t be authorized to operate beyond established plans at the community level.
To further maximize capacity, the CMS has made a waiver that will let doctor-owned medical centers to get more beds without facing penalties. Hospitals are allowed to create drive-through screening stations for COVID-19, make use of off-campus testing centers, and coverage will be granted to lab techs who have to go to a Medicare beneficiary’s residence to acquire samples to conduct COVID-19 testing. CMS is giving added reimbursement for ambulances, which are probably needed to transport patients between healthcare centers and doctor’s surgeries to make certain they acquire the necessary treatment. Medicare coverage for respiratory-linked instruments and machines has currently been prolonged to cover any health reason.
Modifications were likewise made to assist in the fast expansion of healthcare employees. These changes involve making Medicare enrollment less difficult for providers and enabling teaching hospitals to permit medical residents to offer services with the oversight of a teaching doctor. The CMS has furthermore granted a blanket waiver to enable hospitals to deliver more benefits to assist their medical personnel, including several everyday meals, laundry service for their own clothes, or child care services during the time the doctors and other workforce are at the healthcare facility offering patient care.
Transformations were additionally made to lessen the administration load on healthcare workers with the CMS giving patients more value than paperwork by removal of paperwork requirements to make sure that doctors have more hours for caring for patients.
The CMS has already said that there’s more freedom for the accessibility of telehealth services, with refunds now being given for all Medicare beneficiaries in all places. Coverage is presently included for around 80 additional services made available via telehealth, provided those services are delivered by doctors allowed to deliver telehealth services.
These latest changes and waivers are just temporary and in effect throughout the national public health emergency for COVID-19, and then the CMS will review how to fully go back to the existing system.
Compliance with all demands of the Health Insurance Portability and Accountability Act (HIPAA) Security, Privacy, Breach Notification, and Omnibus Rules could be a big obstacle.
A lot of healthcare providers have set up a compliance program and thought that they were HIPAA-compliant, but they discover through a compliance review or HIPAA audit that they are not complying with a number of HIPAA provisions. Those errors could turn out to be really high pricey.
Compliance problems could quickly result in a data breach or can prompt the filing of a complaint with the Department of Health and Human Services’ Office for Civil Rights (OCR), which is the principal enforcer of HIPAA compliance.
OCR looks into submitted complaints and reported data breaches to ascertain if a healthcare organization has violated HIPAA Rules. It performs compliance audits to evaluate compliance of HIPAA covered entities and business associates of covered entities with all facets of HIPAA regulations.
OCR has increased its HIPAA compliance enforcement activities in recent years. In 2018, OCR charged covered entities and business associates with $28,683,400 in financial penalties in relation to 11 enforcement actions. In 2019, OCR issued financial penalties for 10 compliance investigations.
Resolving HIPAA Compliance Problems
Compliancy Group is aware of the great importance of HIPAA compliance and the challenges encountered by HIPAA-covered entities and business associates when attempting to employ and retain an efficient compliance program.
To make the HIPAA compliance process simpler, Compliancy Group has designed a software program that leads entities throughout the compliance process. The software program called The Guard streamlines all the things that an organization must do to accomplish HIPAA compliance, minimize risk, and avert penalties.
The Compliancy Group is hosting webinars from time to time to demonstrate the simplicity of using The Guard for completing the HIPAA compliance process.
With the help of Compliancy Group’s webinar and their compliance coaches, covered entities and business associates can realize compliance and meet all federal requirements. Find out more about the webinars being hosted by the Compliancy Group on this page.
A law business is filing a legal case against Medical Records Online (MRO), a healthcare release-of-information solution provider, for charging an overpriced fee on law businesses and insurance providers when furnishing digital copies of patients’ medical records.
Cipriani & Werner of Pittsburgh filed the legal case in federal court in Camden, NJ. The lawsuit pertains to MRO charges for furnishing a copy of a patient’s health records meant for a personal injury case against the store Kohl’s, which the law agency represents.
Cipriani & Werner procured the medical records of the plaintiff in the lawsuit from John F. Kennedy Medical Center, located in Edison, NJ. The MRO billed $528 for 518 pages of medical records of the plaintiff. The law agency was billed a $10 search fee and $1 per page, despite the fact the data was furnished digitally as a PDF file.
Cipriani & Werner states MRO violated the New Jersey Declaratory Judgement Act when it billed unlawful fees well over the highest limit. Other claims made include:
a claim under the New Jersey Consumer Fraud Act with respect to unconscionable commercial practices
for a breach of New Jersey common law
for a breach of contract for breaking the implied contract of good faith and fair dealing
The New Jersey Administrative Code permits a $10 search fee to be demanded for providing copies of medical data to third parties, a fee of $1 per page, and the actual charge of postage and media for distributing the records (e.g. a compact disc). Cipriani & Werner comments the bill should have only included a $10 search fee and there should be no per-page cost considering that the information was not printed.
The lawsuit claims that irrespective of whether MRO was furnishing copies of merely a number of pages of information or hundreds of pages, the cost to MRO of replicating electronically stored data and sending them to the client took an identical amount of time and work. Cipriani & Werner mentioned the overall process took only 5 minutes.
The Schnader Harrison Segal & Lewis law agency of Cherry Hill, NJ that represents MRO states that the service charge was absolutely legal and was according to state polices.
The lawsuit refers to a 2015 memorandum from the New Jersey State Department which disallows health record providers from asking for per-page fees for electronically transmitted copies of medical records and for per-page rates to be placed when records are provided to purchasers by means of computer equipment. Nonetheless, in this lawsuit, the state department memo is not applicable because the department of Health in New Jersey has no authority over MRO and the memo didn’t proceed through official rule-making steps in the State of New Jersey.
The class members are mostly legal professionals and insurance firms who ordered copies of electronic medical data from MRO from September 2015 up to February 2020, who were, in the same way, asked to pay for electronic copies of health records in civil cases. The lawsuit merely names MRO, not any healthcare organization that uses MRO for taking care of requests for copies of medical data.
The New York Governor signed the SHIELD Act or Stop Hacks and Improve Electronic Data Security Act into law last July 2019. The New York SHIELD Act broadened the requirements of breach notification for businesses that gather the personal data of residents in New York. The data security provisions of the New York SHIELD Act became effective starting March 21, 2020.
There are businesses exempted from the requirements of the New York SHIELD Act including
small businesses that have less than 50 staff
small businesses having fewer than $3 million in gross income for the last 3 fiscal years
small businesses whose year-end total assets are under $5 million
With the above-mentioned businesses, their data security program may be scaled based on the size and complex nature of the business, the types of business activities, and the sensitivity of the private information obtained.
For the majority of HIPAA-covered entities, compliance is going to be quite simple. Entities that comply with the Health Insurance Portability and Accountability Act (HIPAA) are regarded as compliant with the New York SHIELD Act.
New York SHIELD Act Requirements for HIPAA Covered Entities
Compliance with HIPAA is not a guarantee that an entity is compliant with the New York SHIELD Act. Although there is a certain overlap, the coverage of the New York SHIELD Act is different from the data types covered by HIPAA. HIPAA-covered entities collecting the personal information of New York State residents must ensure compliance with the data security provisions of the SHIELD Act for those data types. See the picture below.
One good example of when the SHIELD Act is applicable and HIPAA doesn’t is for IT systems that store employee information but not protected health information (PHI) like the Social Security numbers or driver’s license numbers. Though the HIPAA does not cover the information, the SHIELD Act calls for the implementation of reasonable administrative, technical, and physical safety measures to make sure of the protection of data. See the Data Security Requirements of the SHIELD Act in the image below.
The Department of Health and Human Services’ Office of Inspector General (OIG) performed a review of the National Institutes of Health (NIH). The audit findings showed that technology management problems in the NIH digital health records system and IT systems endanger the patients’ protected health information (PHI).
NIH got $5 million in congressional appropriations in FY 2019 to supervise the NIH grant programs and procedures. Congress wants to make sure that cybersecurity controls were available to secure sensitive information and find out if NIH follows with the Federal regulations.
CliftonLarsonAllen LLP (CLA) performed the review on July 16, 2019 for OIG to figure out the efficiency of some NIH IT controls and to examine how NIH obtains, processes, retains and transfers electronic Health Records (EHR) in its Clinical Research Information System (CRIS), which included the EHRs of NIH Clinical Center patients.
NHS has around 1,300 doctors, PhD researchers and dentists, 830 nurses, and approximately 730 allied healthcare specialists. In 2018, the Clinical Center had greater than 9,700 new patients, more than 4,500 inpatient admissions, and above 95,000 outpatient consultations.
CLA discovered that NIH had employed controls to make certain the integrity, availability and confidentiality of health information included in its EHR and data systems, nevertheless, those measures didn’t work properly. Subsequently, unauthorized people may have accessed the information in their EHR system and information systems. Data was at stake of impermissible disclosure, changes, and disruption.
The National Institute of Standards and Technology (NIST) suggests basic and substitute EHR processing websites ought to be separate by area. The geographical separation lowers the threat of accidental disruptions and helps to make certain vital operations could be gained back when lengthy interruptions take place. OIG identified the principal and substitute sites were established in nearby buildings in the NIH campus. When a tragic event had transpired, there was a high probability of the two websites being impacted.
The hardware employed for the EHR system was possibly reaching the end of life or was on lengthened support. Four servers were using a Windows operating system which Microsoft doesn’t support ever since 2015. NIH paid for longer support up to January 2020, nevertheless, OIG learned there was no reliable transition package. OIG likewise learned that NIH wasn’t deactivating user accounts quickly upon the end of the contract of staff members or leaving NIH. Of 26 user accounts that had been non-active for over 365 days, 19 weren’t deactivated. Of the 61 terminated user accounts, 9 remain active. Of the 25 new CRIS users, 3 had modified their permissions without completing a form to complete the alteration.
NIH advised CLA that it had postponed software updates until the finalization of system enhancements. NIH was updating its hardware while in the fieldwork, improvements to CRIS is expected. Software changes were scheduled to be carried out after the finalization of the hardware update.
NIH had employed a programmed tool to search for non-active accounts and erase them, however, the tool wasn’t totally employed during fieldwork. There were concerns with the tool, for instance, problems following persons who switched departments.
OIG advised employing a substitute processing website in a geographically specific place and to do something to offset risks linked with the existing substitute website until the new website is set up. Policies and procedures ought to be executed to make certain that software is enhanced before the end of life, and NIH has to make certain that its automatic tool is performing as designed. NIH agreed with all advice and has detailed the things that were and will be done to ensure the execution of the advice.
