
February 26, 2014

HIPAA compliance audits coming; bits of detail emerge. Get ready now!

OCR planning for the next round of HIPAA compliance audits continues.

A new information collection request will be filed soon (two months from now or so), according to the HIPAA audit questionnaire burden estimate published Monday, February 24. (H/T Art Gross, HIPAA Secure Now.) The filing shows that OCR intends to administer 1200 questionnaires to a mix of covered entities and business associates. The questionnaires are estimated to take 30 minutes to complete.

Once those questionnaires hit the street, the full force of OCR will not be far behind. In light of the latest multimillion-dollar HIPAA penalty -- this one levied by the Puerto Rican government against an organization that might actually be around long enough to cough up the big bucks, as opposed to Cignet (and there's no telling what OCR might do in addition to that) -- let's just say it behooves all covered entities and business associates out there that have not yet put their house in order from a HIPAA/HITECH compliance perspective to do so now.

Do not pass Go. Do not collect $200. Go directly to: HIPAA Compliance.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

February 21, 2014

Submit! To the Health Wonk Review


Next Thursday the HealthBlawger will be hosting Health Wonk Review right here at HealthBlawg.

This edition will focus in part on:

  • Irish-American heritage
  • Women's history
  • Kidneys
  • Colorectal cancer
  • Ancient Roman contributions to modern civilization
  • Lions

Please submit your best examples of health wonkishness in these categories no later than 9 a.m. ET Wednesday February 26th, thank you (extra points for early submissions), and come back on the 27th to learn more than you ever wanted to know about health care policy ... and to see the meaning of these categories revealed.

Please submit posts for consideration to me at david AT harlowgroup DOT net, re: HWR or Health Wonk Review, including blog title and URL, post title and URL, name of author if not you, and 25 words or less about the post.


February 07, 2014

SGR Fix - Can This Really Be Happening?

The Sustainable Growth Rate mechanism creating a zero-sum game for Medicare Part B reimbursement rates (dropping rates as volume picks up) has long been unsustainable, and so Congress has been messing around with short-term SGR fix legislation for years now. Every six to twelve months we've been hearing about the impending 20% or 30% Medicare pay cut about to hit physicians' pocketbooks, and the likely exit of physicians from the rolls of participating providers. However, the stars are now aligned in such a way that real progress seems likely: multiple powerful Congressional committees have signed off on a deal to replace the SGR rule with something more workable: A unified approach to financial incentives to physicians and other medical professionals who are Medicare participating providers intended to promote quality and enrollment in alternative payment arrangements.

The full text of the bill will be available here: It's H.R. 4015. Check out the SGR fix section-by-section-summary and the websites of the House Energy & Commerce Committee and the Senate Finance Committee too. The substance of the proposal is discussed below.

How has this happened?

Continue reading "SGR Fix - Can This Really Be Happening?" »

February 04, 2014

Patients to Have Right to Access Lab Test Result Data

The lab test result data access rule is finally final.

See the HHS presser and the final rule, which is scheduled to be published on Thursday.

What does this mean? In a nutshell, patients in all 50 states are now guaranteed the right to access the results of tests conducted by freestanding labs. (The right to test results from labs within hospitals, other health care facilities and physician offices has already been in place under HIPAA, and a handful of states have already guaranteed direct patient access to freestanding lab test results.) The compliance date for the rule is eight months out, in early October, in order to give labs time to put necessary processes into place.

What exact changes were made to the regs? This was a surgical strike. The Clinical Laboratory Improvement Amendments (CLIA) regulations were revised to permit labs to provide results to patients, and the HIPAA regulations were revised to eliminate lab test results from the (very short) list of records not covered by HIPAA's patient access rule. Thus, if a patient asks, CLIA permits and HIPAA requires that a lab provide the results.

Continue reading "Patients to Have Right to Access Lab Test Result Data" »

January 29, 2014

HIPAA Enforcement: Who's in Charge?

The recent FTC decision in the LabMD case (pdf) (full docket here) has HIPAA-watchers scratching their heads, tugging their beards, and generally wondering about reconciling FTC-style litigation-based regulation with OCR-style rule-based regulation of health care data privacy and security. The FTC has confirmed that it considers itself to have overlapping jurisdiction to enforce HIPAA under its general enabling legislation. 

Here's my take: For a covered entity or business associate that has all its ducks in a row – HIPAA Privacy, Security and (for Covered Entities) Breach Notification policies and procedures, a completed risk analysis, training and testing of workforce documented – FTC regulation should not be problematic. I think that the FTC would be hard-pressed to find an entity that is in compliance with HHS HIPAA rules and relevant state law to be in violation of the FTC Act’s prohibition of “unfair … acts or practices.”

Continue reading "HIPAA Enforcement: Who's in Charge?" »

January 03, 2014

Health IT Wisdom at the End of 2013 and Start of 2014

I am quoted in a couple of year-end / new year pieces on health IT, appearing this week in iHealthBeat and FierceHealthIT.

With new developments over the past year in the realms of telehealth, mobile health and health data privacy and security, and opportunities for accountable care organizations, integration of connected health and implementation of HIPAA compliance plans, there is plenty of material for prognosticators.

Kate Ackerman, Editor-in-Chief at iHealthBeat asked 13 experts three questions.

Here are the questions and my answers; follow the link above to read 12 other perspectives.

Continue reading "Health IT Wisdom at the End of 2013 and Start of 2014" »

December 23, 2013

Massachusetts Health Policy Commission Cost Trends Report

The Massachusetts Health Policy Commission released its preliminary cost trends report for 2013. In case anyone needed confirmation, Massachusetts health care costs are above the national average.

The report says: “Spending in Massachusetts is the highest of any state in the U.S., crowding out other priorities for consumers, business, and government.”

Massachusetts Health Policy Commission 2013 Preliminary Cost Trends Report

The Massachusetts Medical Society summarized the report on its blog. Here are a few excerpts:

  • Massachusetts is No. 1 in the country for personal health care expenditures:
    • Massachusetts: $9,278 per person
    • U.S.: $6,815
    • If you adjust the data for our older population, broad access to care, and higher overhead costs (wages, rent, supplies, etc.) the difference is still 20%.

Continue reading "Massachusetts Health Policy Commission Cost Trends Report" »

December 22, 2013

HIPAA Compliance and The Harlow Group LLC

For years, I have been helping covered entities, business associates and downstream contractors understand HIPAA and other federal and state health care data privacy and security laws and regulations, and develop and maintain policies and procedures that will help them comply with the law. These businesses range from startups with consumer-facing or health care provider-facing apps and web-based services, to big data analytics shops to health care providers of all sorts. Now that OCR -- the federal HIPAA policeman -- is enforcing the HIPAA / HITECH omnibus rule through random audits, complaint investigations and sanctions, it is more important than ever for covered entities, business associates and downstream contractors to maintain a robust HIPAA compliance program. HIPAA enforcement efforts will likely be stepped up in 2014 (see the November 2013 OIG report on OCR's enforcement efforts, and OCR's response including its plans for the future.)

The Harlow Group is pleased to announce the first of a number of HIPAA-related partnerships with ... The HIPAA Survival Guide. (Keep reading for discount information.)

Continue reading "HIPAA Compliance and The Harlow Group LLC" »

December 12, 2013

Social Media Policies and "Spying" by Physicians


I recently spoke with Theresa Defino, editor of AIS Health's Report on Patient Privacy about the limits of social media "research" by or on behalf of health care providers. The impetus for this piece was a post written by Art Caplan about a patient being taken off the liver transplant list when social media posts including photos of the patient drinking alcohol came to the attention of the transplant team. (The patient was later put back on the list.)

Is this sort of "Big Brother" approach OK, or was it taken too far? (Follow the link to a discussion of the British case I mention in the article.)

Medical ethicist Art Caplan, my brother at the (HIPAA) bar Adam Greene and I were quoted in the AIS Health article. Greene noted that HIPAA does not cover the posting of information by or about a patient on a social network and its review by a provider. Caplan and I agreed that what's public is public, and what's private is private.

Continue reading "Social Media Policies and "Spying" by Physicians" »

December 11, 2013

Digital Health: Apps, Analytics & Agencies

I spoke yesterday at the Massachusetts Bar Association's "Hot Topics in Healthcare" program. (Webcast live, and available behind a paywall at the link.)

Here are my slides:

Continue reading "Digital Health: Apps, Analytics & Agencies" »