Penalties for HIPAA Violations Increase Significantly

The Facts

On October 30, 2009, the U.S. Department of Health and Human Services issued an Interim Final Rule (the Rule) to amend the existing administrative simplification enforcement regulations adopted pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Rule implements amendments to HIPAA made by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009. Prior to enactment of the HITECH Act, covered entities under HIPAA (health care providers that conduct certain transactions in electronic form, health plans and health care clearinghouses) were subject to HIPAA civil money penalties of up to $100 per violation, with an annual cap of $25,000 for identical violations within a calendar year. The Rule preserves this structure for violations occurring prior to February 18, 2009. Violations occurring on or after February 18, 2009 are subject to a new penalty scheme, under which the minimum per-offense penalty ranges from $100 to $50,000, depending on the level of culpability. The Rule also increases the annual cap for identical violations from $25,000 to $1.5 million, and alters the available affirmative defenses to a HIPAA enforcement action. Business associates are directly subject to the new enforcement scheme beginning February 17, 2010. HIPAA’s criminal penalties remain unchanged.

What’s at Stake

The new HIPAA civil money penalties scheme that will be enforced under the Rule substantially increases the potential penalties for HIPAA violations by covered entities occurring on or after February 18, 2009. Business associates will be directly subject to HIPAA, including the new enforcement scheme, for the first time beginning February 17, 2010. Prior to February 17, 2010, business associates are only subject to HIPAA requirements through contracts with covered entities.

Steps to Consider

Covered entities and business associates should review their current HIPAA compliance policies and procedures to ensure they meet the amended requirements. Business associates that previously lacked HIPAA privacy and security policies and procedures should implement policies and train their workforce. McDermott has prepared HIPAA privacy policies and forms for covered entities and business associates. A preview of the manual's table of contents for covered entities can be viewed here, and the business associates table of contents can be viewed here.

Senate Health Care Reform Policy Options: Fraud and Abuse

The Facts

The proposals under consideration in the Senate Finance Committee’s first of three anticipated health reform option papers, released on April 29, 2009, would impose new transparency obligations on physicians, hospitals, nursing homes and pharmaceutical manufacturers. Transparency proposals include amending the Stark Law in-office ancillary services exception to require physicians to disclose financial interests in certain imaging services; eliminating the Stark Law “whole hospital” and rural provider exceptions with limited grandfather provisions; requiring manufacturers to disclose financial relationships with physicians; and requiring nursing homes to disclose ownership information, implement employee compliance programs and report staffing data. The Committee also proposes to strengthen compliance requirements and enforcement activity by increasing funding to federal enforcement programs, strengthening the screening process for Medicare program provider applications, requiring providers to implement compliance programs as a condition of participation in Medicare and Medicaid, and amending the Civil Monetary Penalties (CMPs) Law to increase penalties and extend the use of CMPs for certain violations.

What’s at Stake

The federal government may increase enforcement activities bolstered by easier access to publicly available information on existing arrangements and relationships. Providers could face increased penalties or suspension of payment for compliance failures. 

Steps to Consider

  • Assess and audit current approaches to management of financial relationships, and closely evaluate the implications of publicly disclosing the details of these relationships.
  • Evaluate the additional investment of time and resources to meet the proposed transparency requirements.
  • Review and update compliance plans.