Medicare Compliance & Reimbursement

HIPAA Round-Up:

Feds Follow Through With Final SUD Rule

Plus: See the latest settlement and regulatory updates.

Even though we’re only a few months into 2024, the feds have been busy on the HIPAA front, tweaking guidance, pushing through rules, and settling a $4.75 million violation.

Context: Last year, the HHS Office for Civil Rights (OCR) moved relatively slowly with policy changes and settlements as the nation transitioned out of the COVID-19 public health emergency (PHE). The agency focused on systemic issues with equity and disability discrimination, reproductive health, and Right of Access violations. For 2024, OCR has continued to combat discriminatory practices with a new rule and updated guidance, has implemented a CARES Act provision on the intersection of HIPAA and Substance Use Disorder (SUD) recordkeeping, and has settled a case with one of the biggest price tags in years — and it’s only February.

Read on for the scoop on four updates to know.

1. New Conscience Rights Rule Overhauls Previous Policy

In January, OCR rescinded the 2019 final rule “Protecting Statutory Conscience Rights in Health Care; Delegations of Authority.” That output, which was deemed unlawful in three separate district court cases, was replaced with the new final rule, “Safeguarding the Rights of Conscience as Protected by Federal Statutes.” This recent iteration better clarifies both provider and patient protections from religious and conscience discrimination while also fortifying individuals’ rights to healthcare without persecution, OCR says in a release.

“Protecting conscience rights and ensuring access to health care are critically important, no matter who you are, where you live, who you love, or your faith and conscience,” affirms OCR Director Melanie Fontes Rainer. “Our office has statutory mandates to protect people across the country and takes this responsibility very seriously,” she says in the release.

Fontes Rainer adds, “We are proud of today’s rule, which advances conscience protections, access to health care, and puts our health care system on notice that we will enforce the law. As a law enforcement agency, we are committed to this work.”

Highlights of the final rule, according to a fact sheet, include the following:

  • Updated policies that note how conscience statutes apply to and protect more than just providers’ rights.
  • A timeline and process for investigations, including how they'll be conducted, documentation requirements, response-time parameters, and how and when the Department of Justice (DOJ) will be involved.
  • How outcomes may affect federal healthcare funding for involved entities.
  • Importance of covered entities (CEs) posting conscience statute basics for patients.
  • Explanation of the complaint process, including the who, what, when, and why, as well as the agency’s commitment to a speedy resolution whether informal or legal.
  • Definition and guidance on the various statutes.

The new final rule will go into effect on March 11 and can be found in the Federal Register at www.govinfo.gov/content/pkg/FR-2024-01-11/pdf/2024-00091.pdf.

2. OCR Offers New Guidance on Patient Visitation and Medicare Regs

Adjacent to its new rule on conscience statutes and provider/patient protections, OCR spelled out hospitals’ and long-term care facilities’ obligations to align patient visitation policies with Centers for Medicare & Medicaid Services’ (CMS) regulations for non-discrimination in an announcement on Jan. 25.

OCR’s patient visitation guidance builds on initial policymaking first outlined in the Biden administration’s U.S. National Strategy to Counter Antisemitism, which was announced last May and combats religious discrimination. Additionally, OCR points out that harassment of any kind won’t be tolerated and highlights facilities’ responsibilities to ensure compliance with non-discrimination laws when they participate as Medicare or Medicaid providers.

“Under CMS regulations, hospitals, long term care facilities, and critical access hospitals, are prohibited from restricting, limiting, or otherwise denying visitation privileges on the basis of race, color, national origin, religion, sex, gender identity, sexual orientation, or disability and are required to have written visitation policies, procedures, and practices regarding such prohibitions,” the agency reminds in a release. “OCR enforces the bar on religious discrimination in these regulations.”

Links to the release and guidance on visitation rules are at www.hhs.gov/about/news/2024/01/25/hhs-office-civil-rights-issues-guidance-to-clarifying-obligations-ensure-religious-non-discrimination-patient-visitation.html.

3. OCR Finalizes SUD Confidentiality and Recordkeeping Proposals

In December 2022, OCR in coordination with the Substance Abuse and Mental Health Services Administration (SAMHSA) proposed modifying the Confidentiality of Substance Use Disorder Patient Records regulation (42 CFR, Part 2) to fulfill provisions outlined in the CARES Act (see Medicare Compliance & Reimbursement, Vol. 48, No. 24).

On Feb. 8, OCR and SAMHSA released a final rule with the revisions, which “increase coordination among providers treating patients for SUDs, strengthens confidentiality protections through civil enforcement, and enhances integration of behavioral health information with other medical records to improve patient health outcomes,” OCR explains in a release. The final rule aims to reinforce confidentiality while boosting care coordination. Part 2 regulatory hot spots include changes to:

  • Patient consent on records disclosure
  • Notices of privacy practices
  • Patient rights on disclosures and subsequent restrictions
  • HIPAA Breach Rule notification requirements for providers
  • Patient consent on SUD counseling notes, similar to HIPAA rules on psychotherapy notes
  • Segmentation of Part 2 data explanation
  • Patient complaint process
  • Safe harbors that protect SUD patients under investigation
  • Criminal and civil enforcement of confidentiality violations similar to the HIPAA Rules

The final rule diverges from the proposed rule, however. For one, the final rule “requires that each disclosure made pursuant to patient consent must be accompanied by a copy of the consent or a clear explanation of the scope of the consent,” explain attorneys Jane Blaney, Jennifer J. Hennessy, and Aaron T. Maguregui with law firm Foley & Lardner LLP in online legal analysis. “This requirement will provide the recipients of records the information the recipient needs to understand the redisclosure permissions that may be available,” Blaney, Hennessy, and Maguregui say.

Find the fact sheet on the final rule at https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html and the final rule in the Federal Register scheduled for publication on Feb. 16 at www.federalregister.gov/public-inspection/2024-02544/confidentiality-of-substance-use-disorder-patient-records.

4. Insider Threat Proves Costly for New York Hospital

OCR’s first settlement of the year showcases why HIPAA Security Rule compliance is critical to avoid penalties.

On Feb. 6, New York City-based Montefiore Medical Center agreed to settle potential HIPAA violations for a whopping $4.75 million. Plus, the non-profit hospital system also agreed to a two-year corrective action plan (CAP) that includes OCR monitoring.

After the New York City police uncovered a theft at Montefiore Medical Center, the hospital system performed an internal investigation. The organization found that an employee stole 12,517 individuals’ electronic protected health information (ePHI) and sold it to an identity theft ring, OCR says in a release.

A breach notification ensued, which sparked an OCR investigation. The feds discovered systemic security fails, including a lack of risk analysis and management, no policies and procedures for data incidents, and more. Due to these issues, Montefiore Medical Center didn’t address the breach until years after it happened, which is what led OCR to levy such a high monetary penalty.

“Cyber-attacks that are carried out by insiders are one of the many ways that can lead to a security breach, leaving patients vulnerable,” says HHS Deputy Secretary Andrea Palm in a release. “Our priority is and always has been improving the quality of health care patients receive.”

Palm reminds, “Part of this health care is establishing a trust that medical records will not be exposed. HHS will continue to remind health care systems of their responsibility as providers, which is to have policies and procedures in place to keep patients’ medical information secure.”

Read more about the cybersecurity incident, CAP, and resolution at www.hhs.gov/about/news/2024/02/06/hhs-office-civil-rights-settles-malicious-insider-cybersecurity-investigation.html.