Page 14

Billing_MJ13

(How the New HIPAA Regulations Affect Billing Companies... continued)

If an evaluation of the above factors, taken together, fails to demonstrate that there is a low probability that PHI has been compromised, breach notification will be required.

RIGHT TO RESTRICT DISCLOSURE TO A HEALTH PLAN

Under the final rule, health care providers, upon request from an individual, must agree to restrict disclosure of PHI about the individual to a health plan if the disclosure would be for the purpose of carrying out payment or healthcare operations, and is not otherwise required by law, or the PHI pertains solely to a healthcare item or service for which the individual, or person acting on the individual’s behalf (other than the health plan), has paid the covered entity in full. To avoid payment issues, a health care provider may want to require payment in full at the time of the individual’s request for a restriction. Health care providers may request assistance from billing companies to comply with this new restricted disclosure requirement.

ENFORCEMENT

Discretion

The final rule gives OCR discretion to use informal means to resolve HIPAA violations. However, OCR is permitted to impose a civil monetary penalty without exhausting informal resolution efforts, especially when the HIPAA violation is due to willful neglect. The final rule also allows OCR to coordinate with other law enforcement agencies, such as state attorneys general and the Federal Trade Commission, with respect to pursuing remedies against HIPAA violators.

14 HBMA Billing • May.June.2013

Tiered Penalty Amounts

Under the HITECH Act, there are four tiers of increasing penalty amounts that correspond to the levels of culpability associated with a HIPAA violation. The minimum fines range between $100 and $50,000 per violation, and are capped at $1.5 million for all violations of the same HIPAA provision during any calendar year (see below table).

The lowest category of violation covers situations where the covered entity or business associate did not know, and by exercising reasonable diligence would not have known, of the HIPAA violation. The second lowest category of violation applies to violations due to reasonable cause and not to willful neglect. The third category applies to situations where the violation was due to willful neglect and was corrected within 30 days of when the covered entity or business associate knew, or should have known, of the violation. The fourth category applies to situations where the violation was due to willful neglect and not corrected within 30 days of when the covered entity or business associate knew, or should have known, of the violation.

The final rule modifies the definition of “reasonable cause” to mean “an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated HIPAA, but in which the covered entity or business associate did not act with willful neglect.” The final rule keeps the definition of “willful neglect” as the “conscious, intentional failure, or reckless indifference to the obligation to comply” with HIPAA.

Counting Violations

In the preamble to the final rule, OCR states that how it counts HIPAA violations for purposes of calculating a civil monetary penalty varies depending on the circumstances

Categories of HIPAA Violations and Corresponding Penalty Amounts

| Violation Category | Penalty Per Violation | All such violations of an identical provision in a calendar year |
|---|---|---|
| Did not know | Between $100 and $50,000 | $1.5 million |
| Reasonable cause | Between $1,000 and $50,000 | $1.5 million |
| Willful neglect (timely corrected) | Between $10,000 and $50,000 | $1.5 million |
| Willful neglect (not timely corrected) | $50,000 | $1.5 million |

