providers are not appropriately safeguarding Phi. further, although providers are not required to re-issue hard copies of their revised nPP to all patients, providers “must post the revised nPP in a clear and prominent location and have copies of the nPP at the delivery site or individuals to request to take with them.” alternatively, providers are permitted to post a summary of the nPP “so long as the full notice is immediately available (such as on a table directly under the posted summary) for individuals to pick up without any additional burden on their part. it would not be appropriate, however, to require the individual to have to ask the receptionist for a copy of the full nPP.” Restrictions on Uses and Disclosures the final rule clarifies a provider’s duty when a patient requests a restriction on the use and disclosure of his or her Phi as required by hitech. the regulations implementing hiPaa previously provided that providers were not required to agree to a patient’s request for a restriction. the final rule implements section 13405(a) of the hitech act by providing an exception in which providers are required to agree to such a restriction under certain circumstances. namely, the provider must agree to the restriction if: 1. the disclosure is for payment or health care operations; 2. such disclosure is not otherwise required by law; and 3. the Phi pertains only to a health care item or service for which the patient (or someone or an entity other than a health plan on behalf of the patient) has paid the provider for in full. interestingly, the final rule acknowledged that providers have a duty, under the mandatory claim submission provisions of section 1848(g)(4) of the social security act, to submit certain claims to medicare. the drafters, however, noted that a medicare beneficiary has the right to refuse to allow the provider to submit the bill to medicare, and “in such cases, a medicare provider is not required to submit a claim to medicare for the covered service and may accept an out of pocket payment for the service from the beneficiary. however, the limits on what the provider may collect from the beneficiary continue to apply to charges for the covered service, notwithstanding the absence of a claim to medicare.” additionally, the quandary of a provider required to unbundle certain services was also addressed. Providers who are not able to unbundle services without divulging the restricted 20 hbma billing • may. june.2013 information are encouraged to advise their patients of the inability to comply with the restriction and allow the patient to pay for the particular service out of pocket. further, the final rule clarified that providers are not required to create entire separate medical records regarding the information restricted, but do “need to employ some method to flag or make a notation in the record” in order to avoid inadvertent disclosures of the information. Notification of Breach most of the focus on the interim final rule surrounded the requirement to notify an individual if his or her Phi had been breached following the provider’s assessment that the breach would likely cause harm to the individual. the final rule changed the definition of breach and essentially eliminated the “harm threshold” provision. it now sets forth a presumption that harm has occurred that can be overcome by the provider demonstrating that there is a “low probability” the Phi was disclosed. therefore, providers will need to revamp their hiPaa compliance Plans to reflect the new risk assessment that now must be undertaken prior to determining whether a “breach” requires notification to the patient, the media, or the secretary of hhs. Ms. Ditto is an attorney specializing in healthcare and medical malpractice defense, practicing at the firm of Fee Smith Sharp & Vitullo. She is licensed in Georgia, Tennessee, and Texas. Prior to her career as an attorney, she was a registered nurse. She may be reached at cditto@feesmith.com. Resources 1. the final rule was published in pages 5566-5702 of Volume 78 no. 17 of the federal register on january 25, 2013, and may be accessed at www.gpo.gov/fdsys/pkg/fr-2013-01- 25/pdf/fr-2013-01-25.pdf. 2. for simplicity’s sake, the new requirements will be referred to as amendments to hiPaa, and information provided in the hhs’s guidance. 3. this article is not an exhaustive summary of the final rule nor is it intended to substitute for legal advice. Providers are encouraged to seek legal counsel regarding compliance with any applicable law, including hiPaa. (HIPAA Final Ruling continued)
Billing_MJ13
To see the actual publication please follow the link above