Medicare Compliance & Reimbursement

Fontes Rainer adds, “We are proud of today’s rule, which advances conscience protections, access to health care, and puts our health care system on notice that we will enforce the law. As a law enforcement agency, we are committed to this work.”

Highlights of the final rule, according to a fact sheet, include the following:

• Updated policies that note how conscience statutes apply to and protect more than just providers’ rights.
• A timeline and process for investigations, including how they'll be conducted, documentation requirements, response-time parameters, and how and when the Department of Justice (DOJ) will be involved.
• How outcomes may affect federal healthcare funding for involved entities.
• Importance of covered entities (CEs) posting conscience statute basics for patients.
• Explanation of the complaint process, including the who, what, when, and why, as well as the agency’s commitment to a speedy resolution whether informal or legal.
• Definition and guidance on the various statutes.

The new final rule will go into effect on March 11 and can be found in the Federal Register at www.govinfo.gov/content/pkg/ FR-2024-01-11/pdf/2024-00091.pdf.

2. OCR Offers New Guidance on Patient Visitation and Medicare Regs

Adjacent to its new rule on conscience statutes and provider/ patient protections, OCR spelled out hospitals’ and long-term care facilities’ obligations to align patient visitation policies with Centers for Medicare & Medicaid Services’ (CMS) regulations for non-discrimination in an announcement on Jan. 25.

OCR’s patient visitation guidance builds on initial policymaking first outlined in the Biden administration’s U.S. National Strategy to Counter Antisemitism, which was announced last May and combats religious discrimination. Additionally, OCR points out that harassment of any kind won’t be tolerated and highlights facilities’ responsibilities to ensure compliance with non-discrimination laws when they participate as Medicare or Medicaid providers.

“Under CMS regulations, hospitals, long term care facilities, and critical access hospitals, are prohibited from restricting, limiting, or otherwise denying visitation privileges on the basis of race, color, national origin, religion, sex, gender identity, sexual orientation, or disability and are required to have written visitation policies, procedures, and practices regarding such prohibitions,” the agency reminds in a release. “OCR enforces the bar on religious discrimination in these regulations.”

Links to the release and guidance on visitation rules are at www.hhs.gov/about/news/2024/01/25/hhs-office-civil-rights-issues-guidance-to-clarifying-obligations-ensure-religious-non-discrimination-patient-visitation.html.

3. OCR Finalizes SUD Confidentiality and Recordkeeping Proposals

In December 2022, OCR in coordination with the Substance Abuse and Mental Health Services Administration (SAMHSA) proposed modifying the Confidentiality of Substance Use Disorder Patient Records regulation (42 CFR, Part 2) to fulfill provisions outlined in the CARES Act (see Medicare Compliance & Reimbursement, Vol. 48, No. 24).

On Feb. 8, OCR and SAMHSA released a final rule with the revisions, which “increase coordination among providers treating patients for SUDs, strengthens confidentiality protections through civil enforcement, and enhances integration of behavioral health information with other medical records to improve patient health outcomes,” OCR explains in a release. The final rule aims to reinforce confidentiality while boosting care coordination. Part 2 regulatory hot spots include changes to:

• Patient consent on records disclosure
• Notices of privacy practices
• Patient rights on disclosures and subsequent restrictions
• HIPAA Breach Rule notification requirements for providers
• Patient consent on SUD counseling notes, similar to HIPAA rules on psychotherapy notes
• Segmentation of Part 2 data explanation
• Patient complaint process
• Safe harbors that protect SUD patients under investigation
• Criminal and civil enforcement of confidentiality violations similar to the HIPAA Rules

The final rule diverges from the proposed rule, however. For one, the final rule “requires that each disclosure made pursuant to patient consent must be accompanied by a copy of the consent or a clear explanation of the scope of the consent,” explain attorneys Jane Blaney, Jennifer J. Hennessy, and Aaron T. Maguregui with law firm Foley & Lardner LLP in online legal analysis. “This requirement will provide the recipients of records the information the recipient needs to understand the redisclosure permissions that may be available,” Blaney, Hennessy, and Maguregui say.

Find the fact sheet on the final rule at https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html and the final rule in the Federal Register scheduled for publication on Feb. 16 at www.federalregister.gov/public-inspection/2024-02544/ confidentiality-of-substance-use-disorder-patient-records.

4. Insider Threat Proves Costly for New York Hospital

OCR’s first settlement of the year showcases why HIPAA Security Rule compliance is critical to avoid penalties.

On Feb. 6, New York City-based Montefiore Medical Center agreed to settle potential HIPAA violations for a whopping $4.75 million. Plus, the non-profit hospital system also agreed to a two-year corrective action plan (CAP) that includes OCR monitoring.

After the New York City police uncovered a theft at Montefiore Medical Center, the hospital system performed an internal investigation. The organization found that an employee stole 12,517 individuals’ electronic protected health information (ePHI) and sold it to an identity theft ring, OCR says in a release.

A breach notification ensued, which sparked an OCR investigation. The feds discovered systemic security fails, including a lack of risk analysis and management, no policies and procedures for data incidents, and more. Due to these issues, Montefiore Medical Center didn’t address the breach until years after it happened, which is what led OCR to levy such a high monetary penalty.

“Cyber-attacks that are carried out by insiders are one of the many ways that can lead to a security breach, leaving patients vulnerable,” says HHS Deputy Secretary Andrea Palm in a release. “Our priority is and always has been improving the quality of health care patients receive.”

Palm reminds, “Part of this health care is establishing a trust that medical records will not be exposed. HHS will continue to remind health care systems of their responsibility as providers, which is to have policies and procedures in place to keep patients’ medical information secure.”

Read more about the cybersecurity incident, CAP, and resolution at www.hhs.gov/about/news/2024/02/06/hhs-office-civil-rights-settles-malicious-insider-cybersecurity-investigation.html.