Leading the Business of Healthcare
RCM Advisor

Quarter 2 2023 - Volume 28, ISSUE 2

30 Years of Compliance Updates in the Healthcare Industry

Compliance Issues

By Chad Schiffman

There have been a number of compliance updates in the healthcare industry over the past 30 years. During this time, compliance programs have become a priority and critical for ensuring organizations adhere to laws, regulations, statutes, professional and ethical compliance standards, and guidance.

Below is a review and a brief description of one or more important compliance updates for each year over the past 30 years. While there are several to choose from each year, in our opinion, the following updates have had a significant impact on the healthcare industry.  

Timeline of Updates  

1993 / Family and Medical and Leave Act (FMLA) was signed into law by President Bill Clinton. FMLA provides certain employees with up to 12 weeks of annual unpaid, job-protected leave. It also requires that employee group health benefits be maintained during the leave.

1994 / The Vaccines for Children Program was created in 1993 and became operational in 1994. The Vaccines for Children program is an entitlement program (a right granted by law) for eligible children ages 18 and younger.

1995 / Senate’s Health Information Reform Bill. This bill eventually became Title I of HIPAA. Title II included the Administrative Simplification Rules, Title III addressed medical savings accounts, Title IV focused on group health insurance requirements, and Title V addressed tax deductions for employers providing company-owned life insurance premiums. The House and Senate eventually passed these five Titles of HIPAA in 1996 before they were signed into law.

1996 / Perhaps one of the most significant updates during the past 30 years was when President Bill Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) on August 21, 1996. The urgency for HIPAA came from two separate incidents; one was a healthcare worker's newspaper leak, disclosing that tennis legend Arthur Ashe was HIV-positive, and the second was a separate, unrelated impermissible disclosure of country singer Tammy Wynette's health records being sold to tabloids. Congress recognized and considered the advancements in electronic technology and its potential impact on health information privacy.

1997 / The Office of Inspector General (OIG) started issuing guidance documents for various healthcare industry types to help organizations develop and implement effective compliance programs to prevent and detect conduct that violates laws, regulations, or the OIG's guidelines.

1998 / Compliance Program Guidance for Third-Party Medical Billing Companies, Hospitals, Home Health Agencies, and Clinical Laboratories.

1999 / Compliance Program Guidance for Durable Medical Equipment, Prosthetics, Orthotics, and Supply Industry; Compliance Program Guidance for Hospices; and Guidance for Medicare+ Choice Organizations. The Proposed HIPAA Privacy Rule was published in 1999.

2000 / The U.S. Department of Health and Human Services (HHS) adopted code sets (ICD-9, CPT-4, National Drug Codes, Code on Dental Procedures and Nomenclature, and HCPCS) and standards for electronic transactions. OIG also issued its Compliance Program guidance for Individual and Small Group Physician Practices and Nursing Facilities that year. The Final HIPAA Privacy Rule was published at this time.

2001 / Administrative Simplification Act was signed. Going forward, electronic submission of Medicare claims became a requirement. A Final Rule addressing the correction to the effective and compliance date of the HIPAA Privacy Rule was published.

2002 / Modifications to the HIPAA Privacy Rule were proposed and made final this year. President Bush launched the Health Center Growth Initiative, significantly expanding the number of community health centers serving the medically underserved.

2003 / The HIPAA Privacy Rule went into effect. The Privacy Rule sets national standards for the protection of identifiable health information by three types of covered entities: health plans, healthcare clearinghouses, and healthcare providers who conduct standard healthcare transactions electronically. The Medicare Modernization Act was signed into law in late 2003.

2004 / The United States Sentencing Commission sent to Congress significant changes to the federal sentencing guidelines for organizations, which should lead to a new era of corporate compliance. The amendment to the guidelines strengthened the criteria an organization must follow in order to create an effective compliance and ethics program. An effective compliance and ethics program is essential for an organization seeking to mitigate its punishment (including fines and terms of probation) for a criminal offense.

2005 / The HIPAA Security Rule went into effect. The Security Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI).

2006 / The HIPAA Breach Enforcement Rule went into effect. This Rule contains important provisions relating to compliance and investigations, the imposition of civil monetary penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings.

2007 / Phase III of the Stark Law was published on September 5, 2007 (although certain provisions were delayed until 2008). Phase III was significant because it contains the “stand in the shoes” provisions that address compensation arrangements.

2008 / The Genetic Information Nondiscrimination Act (GINA) was signed into law. GINA protects individuals against discrimination based on their genetic information in health coverage and in employment.

[ ADVERTISEMENT: Story continues below. ]

2009 / This was another big year for compliance updates, including enactment of the American Reinvestment and Recovery Act, the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the Breach Notification Rule. The HITECH Act authorized incentives for adopting and using Health Information Technology – the launch of Meaningful Use. Regulations developed by the HHS Office for Civil Rights (OCR) require healthcare providers and other HIPAA-covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary, and the media in cases where a breach affects more than 500 individuals.  The International Classification of Diseases, 10th Revision, Procedure Coding System (ICD-10) Final Rule was also signed into law with a compliance date of October 1, 2013 – a compliance date that would later be updated.

2010 / The Patient Protection and Affordable Care Act (ACA) was signed into law by President Obama. The goal of the ACA was to ensure that every American could afford a health insurance plan. The ACA also expanded the Medicaid program for several states. However, not all states have expanded their Medicaid programs.  

2011 / The start of Stage 1 of Meaningful Use: Data capture and sharing. To qualify for incentive payments through the Centers for Medicare & Medicaid Services (CMS) EHR Incentive Programs, eligible providers and hospitals must demonstrate meaningful use of an electronic health record (EHR). In other words, “meaningful use” sets the specific objectives that eligible professionals and hospitals must achieve to participate in the EHR Incentive Programs.

2012 / Stage 1 of Meaningful Use continued. HHS adopted Operating Rules for Healthcare Electronic Funds Transfers (EFT) and Remittance Advice Transactions Final Rule. HHS also adopted the Health Plan Identifier (HPID) standard and delayed the ICD-10 compliance date by one year to October 1, 2014.

2013 / March 26, 2013, the Final Omnibus Rule went into effect. Modifications were made to the HIPAA Privacy, Security, and Enforcement Rules. Key updates included providing patients greater protection of their health information, granting rights of access to individuals, and compliance obligations of business associates that perform certain functions or activities involving the use or disclosure of protected health information on behalf of, or providing services to, a covered entity. OSHA began implementing the Globally Harmonized System for information regarding hazardous materials to ensure they are communicated in a consistent manner in organizations and “throughout the globe.”

2014 / Stage 2 of Meaningful Use which was referred to as “Advanced Clinical Processes.” The National Institute of Standards and Technology (NIST) released the NIST Cybersecurity Framework 1.0. While voluntary, this framework provided guidance on critical infrastructure that governments and organizations would later adopt throughout the United States and worldwide. The ICD-10 compliance date was delayed another year until October 1, 2015.

2015 / October 1, 2015 ended up becoming the official compliance date of ICD-10. One of the most significant updates was the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA), which repealed the Medicare sustainable growth rate (SGR) methodology for updates to the physician fee schedule (PFS). MACRA replaced this with a new approach to payment called the Quality Payment Program. The Quality Payment Program had two pathways for participation: Advanced Alternative Payment Models (Advanced APMs) and the Merit-based Incentive Payment System (MIPS) for eligible clinicians or groups under the PFS.

2016 / Section 1557 of the Affordable Care Act protections took effect on March 23, 2010; however, the implementing regulations that HHS issued became effective on July 18, 2016. This required healthcare organizations to post nondiscrimination notices, and to provide language assistance with qualified interpreters when necessary. Also, this year, the 21st Century Cures Act (Cures Act) became law. The Cures Act included information blocking regulations and is said to support seamless and secure access, exchange, and use of electronic health information (EHI).

2017 / For each year from 1997, the Office of Inspector General (OIG) issued an annual work plan. Occasionally, the work plan was updated twice per year. Starting in 2017, the OIG moved to a web-based form of the work plan with monthly updates. The OIG’s Work Plan includes various projects, audits, and evaluations that are underway each year and beyond. MIPS went into effect in 2017. MIPS rolled out three existing quality and value reporting programs (PQRS, Value-Based Modifier, and Meaningful Use) into one points-based program. MIPS is one of two Quality Payment Programs, the other being APMs.

2018 / CMS published a final rule removing certain training requirements that applied to the first tier, downstream, and related entities (FDRs) of the Medicare Advantage program and for Plan D Sponsors. Toward the end of the year, OCR issued a publication indicating common findings of enforcement activities. OCR stressed the importance of performing an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI.

2019 / The OCR’s Right of Access Initiative went into effect in 2019. According to the OCR, the Right of Access Initiative was launched “to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.” The Right of Access Initiative has and is expected to continue to be an enforcement priority for the OCR.

2020 / The COVID-19 pandemic ushered in several important updates. Two of the most important updates for the healthcare industry: Telehealth and OCR enforcement discretion. HHS waived some of its telehealth restrictions, which led to telehealth services increasing dramatically. During the pandemic, HHS said they would not impose penalties with certain regulatory requirements under HIPAA against covered entities and healthcare providers in connection with the good faith provision of telehealth.  

2021 / OCR published proposed modifications to the HIPAA Privacy Rule. These updates are said to support individuals' engagement in their healthcare, remove barriers to coordinated care, and reduce regulatory burdens on the healthcare industry. For example, it is no longer required to have a signed acknowledgment of receipt of the Notice of Privacy Practices. Additionally, there is a shortened response time on individuals’ right to access to 15 calendar days from the current 30-day requirement. These and other proposed HIPAA Privacy Rule updates are expected to be final in 2023.

2022 / While the Information Blocking Provision of the Cures Act became active in 2021, in 2022, the definition of EHI expanded beyond the definition of ePHI as defined by HIPAA. As of October 6, 2022, the Cures Act prohibits healthcare providers from blocking or interfering with access to any EHI maintained in the designated record set.

2023 / Coding Guidelines, including coding and documentation for evaluation and management (E/M) services, went into effect. Notable changes include: the level of E/M services is based on the level of medical decision-making as defined for each service or the total time for the E/M service performed on the date of the encounter; history and exam are no longer used to select the level of code. There were also changes to prolonged services codes.

To be continued...

In other words, compliance updates are constantly coming out. The compliance updates included in this article represent a fraction of the updates that are published each year, but they are some important updates that have had a significant impact on the healthcare industry. 

Chad Schiffman joined Healthcare Compliance Pros (HCP) in 2014 as the director of compliance. He has over 20 years combined experience in healthcare, information technology and compliance consulting services. Chad is primarily involved in consulting with healthcare clients about their HIPAA and HIPAA HITECH-related issues including breach determination, breach mitigation and corporate OIG and CMS compliance.