Michael Kline and Elizabeth Litten were quoted in the Medical Practice Compliance Alert article, "6 Compliance Trends That Will Affect Physician Practices in 2015." Full text can be found in the January 5, 2015, issue, but a synopsis is below.
Your medical practice faces several compliance challenges this
year, with a greater emphasis on issues relating to newer treatment
models and billing error rates, and no let up on HIPAA. Here's
a rundown of what you can expect in 2015:
Expect even more HIPAA and related enforcement activities in 2015.
Expect even more HIPAA and related enforcement activities in 2015.
Providers will not see a reprieve in this area. Breaches of
patient and consumer data continue to proliferate; the tremendous
publicity that some breaches have received, such as the hacking of
Home Depot and Sony, will create more pressure on HHS' Office
for Civil Rights (OCR) to enforce HIPAA breaches, says Michael
Kline. "It's very personal to people when their health
data is filched; it's creepy," he points out. Practices
also should expect increased enforcement from the Federal Trade
Commission enforcing consumer protection laws and the Food and Drug
Administration protecting the integrity of medical devices, even
though those agencies don't have the same standards and clear
regulations that OCR does to enforce HIPAA, warns Elizabeth
Litten.
Additionally, expect more private litigation using HIPAA
compliance as the standard of care, even though HIPAA does not give
patients the right to sue for violations. The November 2014 ruling
in the Connecticut Supreme Court allowing HIPAA's requirements
as the standard of care in a state breach of privacy lawsuit will
spawn copycat lawsuits using HIPAA the same way for state breach of
privacy, negligence and other causes of action (MPCA 12/8/14).
"HIPAA won't preempt these state claims," warns
Kline.
Practices and business associates will refine their agreements, all as they come under more scrutiny.
Many practices and their business associates scrambled to sign business associate agreements, often using model forms from OCR and professional societies, to ensure that they had them in place by the September 2013 effective date — and for those who needed only to update an existing agreement, September 2014. But covered entities and business associates now are negotiating the language in those agreements and customizing them to their individual needs, such as choice of law and indemnification requirements, says Kline.
Practices and business associates will refine their agreements, all as they come under more scrutiny.
Many practices and their business associates scrambled to sign business associate agreements, often using model forms from OCR and professional societies, to ensure that they had them in place by the September 2013 effective date — and for those who needed only to update an existing agreement, September 2014. But covered entities and business associates now are negotiating the language in those agreements and customizing them to their individual needs, such as choice of law and indemnification requirements, says Kline.
One provision that practices may see more of in newer business
associate agreements is one that would allow a business associate
that deals with large amounts of data — such as a cloud
electronic health records vendor — to use the practice's
de-identified patient data for the business associates' own
uses. An industry is developing around the aggregation of data for
purposes such as research or predicting patient outcomes, and some
business associates are moving to capitalize on that data and use
it or market it to others. Practices will need to determine whether
they want to grant business associates such permission to use the
data that way, says Litten. The business associate activities also
will be under the microscope. The permanent HIPAA audit program,
slated to begin in 2015, is expected to audit business associates
as well as covered entities. Business associates' use of
subcontractors also will be examined more carefully, especially
those who use off-shore subcontractors, says Litten.
Regulators will start reviewing accountable care
organizations (ACOs) as they become more operational and more
patients obtain treatment through them.
For instance, while ACOs in CMS' Medicare Shared Savings
Program don't have to comply with all of the Stark,
anti-kickback and antitrust rules, they still need to comply with
some of them and they have to comply with the program's own
requirements, such as governance structure. State regulators also
will look at ACOs, many of which don't participate in the
Medicare Shared Savings Program, to determine how they're
structured and whether they are an insurance risk or a payment
risk, which can affect their licensing and compliance with state
laws. "This will be on a state-by-state basis. There is
inconsistency among states, and this area is rife with
uncertainty," says Kline.
Telemedicine will take a jump forward.
More practices will use telemedicine as an adjunct to their
operations to treat patients that can't come to the office, for
translation services, to bring more specialized services into a
setting and other uses. "The technology is getting better, and
the National Association of Medical Boards has sent out
guidance" that practices can use, says Litten. Payers also are
grappling with how to reimburse for telemedicine. But be prepared
for some road bumps, such as abuse of the service and
quality-of-care issues.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
