Showing posts with label nprm. Show all posts
Showing posts with label nprm. Show all posts

July 30, 2023

HIPAA Prevents State LEOs from Grazing for PHI -- Doesn't It?

h/t to Samantha Holvey's concise and timely weekly Whealth Care newsletter for addressing a question that is probably on every HIPAA-savvy reader's mind of late: "Can State Attorneys General just randomly scan out of state health records to see whether one of their residents may have committed a health care 'crime'?" This might apply to potentially pregnant patients seeking reproductive diagnosis and treatment, or parents of transgender minors seeking gender-affirming care not available at home.

Having been engaged with HIPAA since its earliest days, I was prepared to repeat my customary, reassuring, "HIPAA is better privacy protection than we had before" speech, but I quickly realized that this time, I was not so sure. See, when we were implementing the three pillars of HIPAA (Privacy | Security | Transactions and Code Sets), back in the aughts, people were most concerned about organizations within the industry misusing the data, or letting it leak out for commercial exploitation.

Very few were worried about a malevolent government. The pre-HIPAA government guardrails that had been erected were still in place, and HIPAA itself was relatively neutral on the matter. Or at least, we implementers were relatively complacent. We thought that, occasional abuse aside, law enforcement organizations would go through existing legal channels to obtain patient records in pursuit of fraud, theft, controlled substance misappropriation, or malpractice.

Now, state after state is passing laws that not only criminalize healthcare procedures that have been common practice for decades, they extend that criminality to procedures performed in states whose own laws preserves their legality. Private citizens can earn bounties by revealing someone has crossed a state line to pursue such treatment. Or even helped fund such an excursion.

And while CMS has published regulatory guidance that explains what sorts of inquiries are already unacceptable under HIPAA, they have also released a Notice of Proposed Rulemaking (NPRM) to tighten the federal regulations against potential state governmental fishing expeditions. The comment period on the NPRM has closed. Can federal regulations be far behind? HIPAA history says not to be too confidents. Some NPRMs were allowed to languish for years. Other draft regulations were never formalized into a Final Rule.

January 17, 2023

Two Decades Later, CMS Releases Draft Rule on Claims Attachments

More than twenty years after the original HIPAA Transactions and Code Sets Final Rule established mandatory standards to simplify and expand the use of electronic data interchange (EDI) to transmit administrative healthcare messages electronically between providers and payers, CMS has finally released the Electronic Claims Attachment standard promised in that regulation.

CMS cartoon

More specifically, the draft regulation provides specifications for documents necessary to support both healthcare claims and prior authorizations. Also included are specifications for electronic signatures needed in association with these transmissions, and a version upgrade for some existing transactions already in use.

At a tidy 31 pages, the title is exuberantly verbose: Administrative Simplification: Adoption of Standards for Health Care Attachments Transactions and Electronic Signatures, and Modification to Referral Certification and Authorization Transaction Standard. The first pages of the narrative are both a history lesson and a reference library tracing the development and evolution of the industry wide collaboration known as Administrative Simplification or, to participants, portmanteaued as "AdminSimp." I say "library," because as the authors, in explaining how we got to this point, generously footnoted -- and linked -- the key documents that mapped that progress.

For example:

9 CAQH CORE Report on Attachments: ‘‘A Bridge to a Fully Automated Future to Share Medical Documentation’’, CAQH CORE, May 9, 2019: https://www.caqh.org/about/press-release/caqh-core-study-reveals-five-opportunities-increase-electronic-exchange-medical.


That press release then points to the white paper: CAQH CORE Report on Attachments: A Bridge to a Fully Automated Future to Share Medical Documentation.

The comment period on the new regulation is open until 5 p.m. on March 21, 2023.  CMS will be hosting two informational calls with Q&A over the next few weeks. I'll be attending the one on January 25.