Medicare Compliance & Reimbursement
Don't Forget BAs Are Liable for HIPAA Breaches, Too
Question: We know that our practice must comply with the HIPAA Breach Notification Rule and notify the impacted individuals if there’s a breach. Are our business associates (BAs) liable, too, or are they off the hook when it comes to notifying? Codify Subscriber Answer: BAs, just like CEs, “have the burden of demonstrating that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach,” cautions the HHS Office for Civil Rights (OCR) guidance. In fact, much confusion exists over the role vendors and BAs play in care delivery and HIPAA compliance. And that’s why OCR released an updated fact sheet, reminding these partners exactly where their liability falls. The list of 10 provisions focuses on the BA’s responsibility to the Rules — and how failure to abide by them leads to OCR enforcement. Check out the direct liability of BAs at www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html. Reminder: Though the HIPAA Notification Rule does concern BAs and requires them to follow through on required notification procedures, remember that CEs have the extra duty of fulfilling other administrative requirements per OCR and HIPAA after a breach. According to the feds, CEs are held to a higher standard and must follow up after a breach with certain administrative requirements, including written breach notification “policies and procedures;” staff training on the protocols; and “sanctions against” employees who don’t comply with the rules. Expert advice: Don’t ignore a breach — accept it and follow the policies and procedures, advises attorney Lauren M. Ramos, with McGuireWoods LLP in Richmond, Virginia. “Collect all the facts as quickly as possible, mitigate the damages to [the] greatest extent possible, and loop in legal counsel as early as possible.” OCR looks favorably on those who comply with the HIPAA breach requirements, Ramos indicates. “Providers should remember that OCR does not investigate every breach, especially small ones. In fact, OCR likely investigates only a small percentage of all reported breaches. Following the correct procedures and reporting a breach does not mean that an OCR investigation is inevitable,” she counsels. Resource: Find OCR breach notification guidance at www.hhs.gov/hipaa/for-professionals/breach-notification/index.html.
Medicare Compliance & Reimbursement
- Quality Payment Program:
Feds Nix Some MIPS 2020 Proposals in Final Rule
Hint: Get ready for MIPS Value Pathways in 2021. Medicare offers few surprises in its [...] - Compliance:
MAC Offers Insight on Top Part B Errors
Tip: Ensure the primary EOB is correct for MSP claims. Many Part B providers find [...] - Medicare Beneficiary Identifiers:
HICNs Set to Reject on Jan. 1
Tip: Help your patients get their MBIs ASAP. In less than a month, the feds [...] - Reader Question:
Don't Forget BAs Are Liable for HIPAA Breaches, Too
Question: We know that our practice must comply with the HIPAA Breach Notification Rule and notify [...] - Reader Question:
Avoid Deviating From the Dictation Report Diagnoses
Question: I’ve got a report without a diagnosis that meets the CPT® code’s Local Coverage [...] - Industry Note:
Faulty Reconciliation Policy Cost Feds Millions
Outlier behavior can prove problematic for providers, but also for the federal programs that govern [...] - Industry Note:
Applications Are Open for Direct Contracting Models
If you’re interested in being part of Medicare’s risk and reward revolution, a Direct Contracting [...] - Industry Note:
Feds Release New Patients Over Paperwork Newsletter
After months with little communication on the flagship initiative to reduce administrative burdens in healthcare, [...]
