November 25, 2019

CMS Issues Final Rule on Price Transparency by Healthcare Facilities

By Little V. West, Kaitlyn Luck, and Lisa Carlson

On November 15, 2019, CMS issued a final rule pursuant to President Trump’s June 24, 2019, Executive Order to ensure price transparency by healthcare facilities. This price transparency rule will go into effect January 1, 2021, and will require hospitals operating within the United States to establish, update, and publicize all standard charges for all items and services provided by the hospital. Hospitals will also be required to display, in a consumer-friendly manner, standard charges for at least 300 shoppable services provided by the hospital. The stated purpose of this rule is to “increase market competition, and ultimately drive down the cost of healthcare services, making them more affordable for all patients.”


November 7, 2019

Encrypt Your Devices or Face HIPAA Penalties

by Kim Stanger

This week, the Office for Civil Rights (“OCR”) announced a $3,000,000 HIPAA settlement arising from a medical center’s loss of an unencrypted laptop and flash drive. (https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/urmc/index.html). This is simply the latest of many HIPAA settlements based on the failure to encrypt mobile devices. Similar settlements have arisen from lost or stolen smartphones, computers, hard drives, or other electronic media that were not properly encrypted.

Encryption is an addressable standard under the HIPAA Security Rule, which generally requires covered entities and business associates to “[i]mplement a mechanism to encrypt and decrypt electronic protected health information” and, for such data transmitted over a network, to “[i]mplement a mechanism to encrypt electronic protected health information whenever deemed appropriate.” (45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii)). The OCR explained the standard in a FAQ:


October 30, 2019

Contacting Parents, Spouses or Others to Obtain Payment

By Kim Stanger

Healthcare providers sometimes mistakenly assume that they cannot contact a patient’s spouse, parents, or other third parties to obtain payment without the patient’s consent. However, HIPAA generally allows healthcare providers to use or disclose protected health information for purposes of obtaining payment without the patient’s consent or authorization unless the provider has agreed otherwise with the patient. (45 CFR §§164.506(a), (c) and 164.524(a)). The Office for Civil Rights (“OCR”) published the following FAQ discussing this rule:

Does the HIPAA Privacy Rule permit a covered entity or its collection agency to communicate with parties other than the patient (e.g., spouses or guardians) regarding payment of a bill?


October 28, 2019

CMS Issues Final Rule for Hospitals & Home Health Agencies for Patient Discharge Planning

By J. Malcolm (Jay) DeVoy and Lisa Carlson

On September 26, 2019, the Centers for Medicare and Medicaid Services and Department of Health and Human Services published commentary and its final rule affecting how hospitals, including critical access hospitals (“CAHs”), and home health agencies (“HHAs”) must plan and document the discharge of patients in order to avoid re-admissions.1 CMS published this new rule with commentary in the Federal Register on September 30, 2019.2

In order to “empower patients to make informed decisions about their care as they are discharged”3 from hospitals or transferred from HHAs to the post-acute care (“PAC”) setting, CMS adopted this final rule under the Improving Medicare Post-Acute Care Transformation Act (“IMPACT Act”) of 2014. CMS’s final rule is predicated on hospitals, CAHs and HHAs using the quality and resource use information CMS gathers from HHAs, skilled nursing facilities (“SNFs”), inpatient rehabilitation facilities (“IRFs”), and long-term care hospitals (“LTCHs”) under the IMPACT Act. Hospitals, CAHs, and HHAs must now provide this information to patients and their caregivers so that they may consider it when selecting the PAC provider or services they will utilize to continue their treatment.

October 16, 2019

Federal and New Mexico Surprise Billing Protections

By Little V. West and Kaitlyn Luck

Surprise billing protections are part of both state and national policy agendas this year in an effort to provide health-care transparency and consumer transparency. New Mexico’s new law now protects consumers by specifically prohibiting health care providers from balance billing, and President Trump also signed an Executive Order with the same goals. New Mexico health care providers need to be aware of federal and state level developments regarding surprise billing because of the significant changes that could result in civil penalties for noncompliance if the proposed federal regulations are adopted.

On the state level, effective January 1, 2020, New Mexico’s Surprise Billing Protection Act (SB 337) (the Act) will generally prohibit providers from submitting a surprise bill to an insured person, or a collection agency, and provides for rights for insureds to appeal a health insurance carrier’s decision regarding a surprise bill. Among other things, the Act aims to prevent an insured’s receipt of “surprise bills” by: (1) requiring a health insurance carrier to pay nonparticipating providers for emergency care necessary to evaluate and stabilize a covered person if a prudent layperson would believe such treatment is necessary, without requiring a prior authorization for such services; (2) requiring health insurance carriers to pay, and relieving an insured from liability for payment for, non-emergency care by an out-of-network provider when (a) the insured received care at an in-network facility, but did not have the ability or opportunity to choose an in-network provider who is available to provide covered services, or (b) medically necessary care is unavailable within the health benefit plan’s network; and (3) in nonemergency circumstances, requiring an out-of-network provider, with advance knowledge that the out-of-network provider is out of network, to inform the insured of that fact and to advise the insured person to contact their health insurance carrier to discuss the insured’s options. Balance billing is permitted by out-of-network providers to an individual who knowingly chooses to receive services from the out-of-network provider. By July 1, 2020, the Act will require licensed health care facilities to post information about consumers’ rights.


October 1, 2019

Diverting Ambulances and EMTALA

By Kim Stanger

Hospitals—especially rural hospitals—may want to divert inbound ambulances to other facilities, especially when the patient requires services that the hospital may be unable to provide. However, improper diversions may violate the Emergency Medical Treatment and Active Labor Act (“EMTALA”), 42 USC § 1395dd. EMTALA violations may result in penalties of $53,484 to $106,965, depending on the number of beds at the hospital. (42 CFR § 1003.510 and 45 CFR § 102).

EMTALA generally applies to individuals who come to the hospital’s emergency department. In addition to those persons who actually arrive at the hospital, “comes to the emergency department” is defined to include an individual who:

(3) Is in a ground or air ambulance owned and operated by the hospital for purposes of examination and treatment for a medical condition at a hospital’s dedicated emergency department, even if the ambulance is not on hospital grounds1 … [or]
(4) Is in a ground or air nonhospital-owned ambulance on hospital property for presentation for examination and treatment for a medical condition at a hospital’s dedicated emergency department. However, an individual in a nonhospital-owned ambulance off hospital property is not considered to have come to the hospital’s emergency department, even if a member of the ambulance staff contacts the hospital by telephone or telemetry communications and informs the hospital that they want to transport the individual to the hospital for examination and treatment. The hospital may direct the ambulance to another facility if it is in “diversionary status,” that is, it does not have the staff or facilities to accept any additional emergency patients. If, however, the ambulance staff disregards the hospital’s diversion instructions and transports the individual onto hospital property, the individual is considered to have come to the emergency department.


September 6, 2019

Business Associates’ Use of Information for Their Own Purposes

by Kim Stanger

Business associates may want to use a covered entity’s protected health information (“PHI”) for the business associates’ own purposes, e.g., for their own product development, data aggregation, marketing, etc. However, with very limited exceptions, HIPAA prohibits business associates from doing so without the patient’s written authorization. Misusing PHI may expose the business associate to HIPAA fines, criminal penalties, breach of contract claims by the covered entity, and perhaps civil liability to individuals whose PHI was improperly used. (See, e.g., 42 U.S.C. § 1320d-6; 45 C.F.R. § 160.404).

Limits on Use or Disclosure of PHI.

The business associate’s authority to use or disclose PHI derives from the covered entity’s authority. The covered entity may only use the patient’s PHI for certain purposes without the patient’s authorization, e.g., for the covered entity’s own treatment, payment or healthcare operations. (45 C.F.R. § 164.502). HIPAA allows covered entities to share PHI with business associates to assist the covered entity in performing authorized activities for or on behalf of the covered entity, but with very limited exceptions, the same limits that apply to the covered entity also apply to the business associate, e.g., absent the patient’s written authorization, it may only use the information for purposes of the covered entity’s treatment, payment, healthcare operations or other permitted use. (Id.). The business associate agreement (“BAA”) between the covered entity and business associate must specify the permissible uses of PHI. 45 C.F.R. § 164.502(e) states:


August 22, 2019

IMGMA Q/A: Sharing PHI for Treatment Purposes

by Kim Stanger

Republished with permission from Idaho Medical Group Management Association (MGMA). Original article appeared in Idaho MGMA’s September 2019 e-newsletter.

Question:  May I share records with another healthcare provider without the patient’s authorization?

Answer:  It depends on the purpose.  If the disclosure is for purposes of the patient’s treatment, including continuation of care, then you may disclose the information without the patient’s authorization or consent unless you have agreed otherwise with the patient.  (See 45 CFR 164.522(a)).  The HIPAA privacy rule states, “[a] covered entity may disclose protected health information for treatment activities of a health care provider.”  (45 CFR 164.506(c)(2)). 

Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.


July 15, 2019

New Patient Rights Rules for Idaho Hospitals

by Kim Stanger

The Idaho Department of Health and Welfare has implemented new patient rights rules for hospitals effective July 1, 2019.  (See IDAPA 16.03.14.220 to .350).  The rules were advanced by patient advocacy groups and, to a large degree, incorporate standards that parallel—but do not exactly mirror—existing law and/or Medicare conditions of participation for hospitals.  Because many of those regulatory conditions did not apply to critical access hospitals (“CAHs”), CAHs may need to implement new policies and procedures to satisfy the rules.  All Idaho hospitals as well as providers rendering services in hospitals should check their existing policies and practices against the new rules, including the following:
