Medicare Compliance & Reimbursement

Reader Question:

Understand Both Your State Privacy Laws and HIPAA

Published on Fri Oct 11, 2019

Question: With all the new state laws going into effect to protect patients’ privacy, we’re not sure which rule to follow. Do we abide by HIPAA or our individual state’s law?

New York Subscriber

Answer: Actually, it’s a good idea to know the nuances and requirements of both to protect your patients and your practice.

Why? If your state’s laws regarding privacy are more stringent than those under the HIPAA Privacy Rule, following the HHS Office for Civil Rights (OCR) guidance will do your facility more harm than good.

“In the unusual case where a more stringent provision of state law is contrary to a provision of the Privacy Rule, the Privacy Rule provides an exception to preemption for the more stringent provision of state law, and the state law prevails,” stresses OCR guidance. The agency goes on to explain that “where the more stringent state law and Privacy Rule are not contrary, covered entities must comply with both laws.”

So, even though it may seem like an extra step in compliance planning, it is essential for you to review and integrate your state’s requirements into your protocols on protecting and securing patients’ protected health information (PHI).

“Luckily, a good job with HIPAA compliance can provide a good framework for compliance with all of the state laws an entity could be subject to,” says Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems, LLC in Charlotte, Vermont.

Put these five extra steps in your plan to ensure you’re compliant with state regulations:

“Coordinate a review of applicable local laws,” advises Sheldon-Dean.
Check with your EHR vendor to ensure state requirements are met as well as federal ones.
Analyze the differences between state and federal rules for encryption, breach notification and timelines, and personal information, covering both sets of standards in your plan.
Evaluate and implement state policies that protect specialty-specific sensitive information that may extend beyond HIPAA.
“Add the necessary pieces and changes to your existing privacy and security policy and procedure set,” stresses Sheldon-Dean.

It’s better to be safe than sorry and cover all your bases in regard to your state’s laws. “Many of these rules call for the same precautions, safeguards, and procedures, and it’s better to make your existing privacy documents more robust instead of creating parallel policies and procedures for each rule or law,” Sheldon-Dean explains.

Medicare Compliance & Reimbursement

Medicare Policy:
CMS Aims to Cut More Burdens with Another Rule
Flexibility is key to new policies. Medicare has pumped out an unusually long list of [...]

Modifiers:
Keep These Surgeon-Specific Modifiers on Standby
Know the nuances for coding and classifying additional surgeons. Operative reports aren’t easy to compile [...]

Dates & Deadlines:
Register These Must-Knows As 2019 Winds Down
Tip: Expect HICNs to Reject Starting Jan. 1. If you’re trying to keep your records [...]

Industry Notes:
CMS Updates Dual Eligible Guidance On ABNs
Plus: Feds Charge 35 with genetic testing scheme. Don’t miss the feds latest ABN change [...]

Reader Question:
Understand Both Your State Privacy Laws and HIPAA
Question: With all the new state laws going into effect to protect patients’ privacy, we’re [...]

Reader Question:
Review Time Rules for E/M Services
Question: I’m confused about coding E/M services by time. Do we have to document the [...]

View All