HIPAA Final Rule


The Office for Civil Rights (OCR) published the final rule for changes to the Health Information Portability and Accountability Act (HIPAA) of 1996 in accordance with the Health Information Technology Economic Clinical Health Act (HITECH). It is very extensive, and in this blog we will just touch on a few of the amendments that will affect health care providers.


Business Associates –

Providers are required to establish business associate agreements with any contractors that transmit, receive, or maintain protected health information (PHI) on behalf of the provider or covered entity under HIPAA. One of the changes in the final rule is that it makes business associates liable for violations of the HIPAA provisions. The final rule also clarified that providers don’t need to establish agreements with the contractors of a business associate. The business associate with whom the provider has an agreement is responsible for ensuring its contractors have the appropriate agreements and protections in place for privacy and security.

Non-Compliance Penalties Increased –

Under the HITECH Act, there are tiered penalty amounts for HIPAA violations. The minimum fines range from $100 to $50,000 per violation. The amounts cap at $1.5 million for all violations during the same calendar year. The four tiers are as follows, listed from the lowest violation to the highest:

1. Did not know – meaning that, by exercising reasonable diligence, associates and providers wouldn’t have known of the violation.

2. Reasonable cause – violation due to reasonable cause and not willful neglect.

3. Willful neglect (timely corrected) – violation due to willful neglect that was corrected within 30 days of when the business associate or provider knew or should have known.

4. Willful neglect (not timely corrected) – violation due to willful neglect that was not corrected within 30 days of when the business associate or provider knew or should have known.

The chart below also shows the tiered violations and penalties.

Violation Category                 Penalty Per Violation        Identical Violations in a Calendar Year
Did not know                       Between $100 & $50,000       $1.5 Million
Reasonable Cause                   Between $1,000 & $50,000     $1.5 Million
Willful Neglect (corrected)        Between $10,000 & $50,000    $1.5 Million
Willful Neglect (not corrected)    $50,000                      $1.5 Million


Notice of Privacy Practices –

Providers need to be aware of the requirements for their Notice of Privacy Practices (NPP) that will need revision and how the NPP should be provided to patients. One of the key revisions to the NPP should be a statement informing patients they have the right to be notified of a breach of unsecured PHI. Providers are not required to re-issue hard copies of the NPP to patients, but providers need to post the revised NPP in a clear location and have new copies of the NPP available at patient request. Providers are allowed to post a summary of the revised NPP as long as a full version of the NPP is available (reception desk, table, etc.) for patients to acquire without additional burden. It is not appropriate for a patient to have to ask for copies of a full NPP.

Use and Disclosure Restrictions –

The final rule also includes restrictions on providers regarding the use and disclosure of PHI. Previous HIPAA regulations did not require providers to comply with a patient’s request for restrictions when disclosing information. There is now an exception under which providers are required to agree in certain circumstances. The provider must agree if:

  • the disclosure is for payment or health care operations
  • disclosure is not required by law
  • PHI relates only to a health care item or service for which the provider has been paid in full (cash pay)

Medicare beneficiaries also have the right to refuse to let a provider submit a bill to Medicare. In these cases, a provider is not required to submit a claim to Medicare for the covered service. What can be collected from the Medicare patient is still limited, as it always is.

It is recommended that, when a patient restricts the provider from submitting claims for payment, the provider request payment in full from the patient prior to providing services.

Breach notification –

A lot of the focus on the final rule was the requirement to notify patients if their PHI had been breached following an assessment that the breach would cause harm to the patient. The final rule also changed the definition of “breach” to clarify that an impermissible use or disclosure of PHI is presumed to be a breach unless the provider or business associate indicates a low probability that PHI has been compromised, thus replacing the “harm standard” with “low probability”. Providers are encouraged to assess their compliance plans and include a risk assessment to be undertaken by providers, covered entities, and business associates prior to determining whether a breach requires notification to the patient or other entities (HHS, media, etc.).


Other information and sources regarding the final rule can be accessed at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/

And www.federalregister.gov/public-inspection


Providers are encouraged to seek legal counsel regarding compliance with applicable laws and HIPAA.



Improving Documentation

The purpose of ICD-10 is to provide more detailed information on the care being provided. There are many steps that need to be taken in order for a practice to prepare for the ICD-10 conversion that is coming October 1, 2014. One of the key changes that will need to be made by some, if not most, physicians is what type of information is being documented in a patient’s medical records and determining whether that information is enough.

Looking at how diagnosis information is being documented will help physicians and coding staff be better prepared for the ICD-10 switch.

Here is a suggested process on how you can better prepare your documentation for ICD-10.

Pull a handful of medical records on some of your more commonly used diagnoses. Review those records with your coding staff, and have them determine if your current documentation provides enough information to associate the appropriate ICD-10 code. If it doesn’t, then you’ll know improving documentation is a necessary change for your practice.

But what kind of information are you supposed to include in your documentation to be able to code for ICD-10?

The best way to think of what the differences are between ICD-10 and ICD-9 is to think of ICD-10 as “expanded”. Most diagnoses in ICD-10 are expanded to include things like body locations, types, causes etc. Laterality is an example of what is expanded in ICD-10. So, documentation for diagnoses needs to include information on which side of the body is affected (right, left, or bilateral). Below are a few other examples of how ICD-10 is expanding on a particular diagnosis and the documentation that will need to be in the medical records.

Fractures –

  • Site
  • Laterality
  • Type
  • Location

Injuries –

  • External Cause – You will need to provide “how” the injury occurred.
  • Place of occurrence – Where did the injury take place?
  • Activity code – What was the patient doing that caused the injury?
  • External cause status – Indicate if the injury was related to another source (military, work, etc.)

Diabetes Mellitus –

  • Type of Diabetes
  • Complication or manifestation
  • Body system affected
  • If type 2 diabetes, long-term insulin use

Making your documentation as detailed as possible will help your coding staff assign the appropriate codes and help reduce the potential for rejected claims. ICD-10 shouldn’t affect patient care. All it is doing is requiring more detailed information. Most of the information is likely already being provided to you during the patient’s visit. It is just a matter of making sure you’re recording everything your coding staff will need to choose the correct code.

Improving documentation will improve coding staff turnaround time on billings and in turn reduce the number of claims rejected for coding issues, which will help you maintain a consistent revenue stream.


Top Claim Denials

A lot of medical practices and billing vendors wonder what the top claim denials of payment are. Of course there are many reasons why a claim can be denied, especially with all the changes the billing industry is going through today. However, there are three denials that providers tend to see more than others. Provider offices and billing services alike must put in a combined effort in order to ensure billing accuracy and fewer denials. Luckily, the top three denials throughout the industry are also some of the easiest to correct.

1. Incorrect or incomplete patient identifying information.

This can result from any of the required identifying information being missing from claims or wrong: date of birth; patient’s name misspelled or not matching; incorrect social security number; or a transposed, missing, or incorrect ID number or subscriber number.

The best way to avoid incorrect or missing patient identifying information is to verify all information with the patient at the time of service. Make copies of the patient’s ID cards from their insurance carriers. It is also best to have a copy of their state-issued identification card (driver’s license, ID card, etc.) or federal identification (passport). Having copies of the identifying information will ensure proper spelling and correct entry of the patient’s information.


2. Coverage terminated.

With the changing economy and Healthcare Reform, employers and patients are changing health plans more frequently. Always verify the patient’s insurance card information and that it is still current. If possible, verify benefits with the insurance carrier prior to rendering services.


3. Services not covered/Require prior authorization.

As with the first two, verifying the patient’s coverage, confirming that services are covered benefits, and asking whether services require authorization prior to rendering them will help provider offices avoid billing patients for non-covered services. Most insurance carriers provide patients with enrollment packets and manuals when they begin new coverage. And although most carriers hold the patient liable for verifying whether services/providers are covered, most of the time patients fail to do so.


Verifying patient identifying information, benefits, and coverage will help ensure accurate information for billing and quicker payment from payers.