Home Health & Hospice Week

Business Associates matter to surveyors.

It’s not just the HHS Office for Civil Rights that will come down on you if you don’t abide by HIPAA rules. The newly finalized Interpretive Guidelines for the HH CoPs indicate that surveyors will be increasingly concerned about your HIPAA status as well.

Health Insurance Portability and Accountability Act compliance may not be the first thing that crosses your mind when you think about survey readiness. But the IGs released Aug. 31 beef up the section on HIPAA compliance.

The draft IGs the Centers for Medicare & Medicaid Services released last fall noted at §484.50(c)(6) (Have a confidential clinical record. Access to or release of patient information and clinical records is permitted in accordance with 45 CFR parts 160 and 164) that “compliance with this requirement is evidenced by HIPAA training for all staff, and monitoring Privacy Rule compliance to manage the risk of inappropriate PHI disclosure.”

Now, at tag G438, the finalized IGs add that, “Each covered entity and business associate is responsible for ensuring its compliance with the HIPAA Privacy, Security, and Breach Notification Rules, as applicable, including consulting appropriate counsel as necessary.”

Another change: The draft IGs said “the Privacy Rule sets national standards for when protected health information (PHI) may be used and disclosed.”

But the final IGs amend that to “The Privacy Rule sets national standards for covered entities (health plans, health care clearinghouses, and health care providers that conduct certain health care transactions electronically) and their business associates, including appropriate safeguards to protect the privacy of protected health information (PHI) and the limits and conditions under which PHI is permitted or required to be used or disclosed.”

The guidance “makes very clear that HIPAA is going to be something surveyors are looking at,” stresses attorney Robert Markette Jr. with Hall Render in Indianapolis. And the changes indicate surveyors will focus on not only agencies, but their Business Associates’ HIPAA compliance.

Home health agencies can also expect surveyors to “look very closely at encryption and how you handle it,” Markette expects.

Do this: Devote some time and resources on your BAs and training your staff, Markette recommends. And don’t forget to document that you’re doing so.

Note: See the final IGs at www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertificationGenInfo/Downloads/QSO18-25-HHA.pdf.