August 19, 2019

August 16, 2019

Subscribe to Latest Legal News and Analysis

Proper Disclosure and Documentation the Focal Point in New Health Insurance Portability and Accountability Act (HIPAA) and Medicare Rules

New HIPAA Rule Affects Providers’ Notice of Privacy Practices

The Health Insurance Portability and Accountability Act (“HIPAA”) requires health care providers to inform patients of the providers’ legal duties and the patients’ rights regarding protected health information (“PHI”). Providers do so in their Notice of Privacy Practices. The recent HIPAA omnibus rule promulgated by the United States Department of Health and Human Services alters and emphasizes obligations related to Notice of Privacy Practices.

The Notice of Privacy Practices that providers have used previously will remain largely unchanged, but certain additional requirements now exist. These requirements include informing patients of certain uses and disclosures of PHI requiring the patient’s authorization (such as selling a patient’s PHI and most uses and disclosures of psychotherapy notes), stating that the provider will notify the patient if PHI is breached, stating that the patient has the right to opt out of fundraising and providing information on how to do so, and stating that the patient has the right to restrict disclosure of PHI to the patient’s insurer if the patient fully pays for treatment out-of-pocket (i.e., without the insurer paying for any of the bill).

The new rule also clarifies that if physicians receive remuneration from a third party (e.g., pharmaceutical reps) that incentivizes the use of the third party’s product (e.g, drugs), the provider needs authorization before disclosing a patient’s PHI to the third party. Any such authorization requires a notice that the provider is receiving payment from the third party for the disclosure. Providers – and particularly physicians – must be aware of these new marketing requirements because payments may be indirect (for example, payment for golf events, hotel stays, and other non-direct monetary payments). Any marketing for which a physician is reimbursed should be closely scrutinized under the new rule, given the potential civil and criminal penalties HIPAA may impose.

The new rule becomes effective September 23, 2013.

Medicare Requires Retention of Physician Orders for Seven Years

Effective October 1, 2012, any physician or other provider who orders or certifies Medicare-covered durable medical equipment, prosthetics, orthotics, and supplies (“DMEPOS”), clinical laboratory services, imaging services, or home health services and the provider or supplier who actually furnishes such supplies or services must maintain the ordering documentation for at least seven years from the date of service and provide access to the documentation upon the request of CMS or a Medicare contractor. These obligations arise from 42 C.F.R. 424.516 and CMS Transmittal 431, which provides instructions to Medicare contractors on the enforcement of these requirements.

According to the federal regulations and Transmittal 431, provider orders must include the following:

  1. all written and electronic documents relating to written orders, requests, and certifications for Medicare-covered services and supplies; and
  2. the NPI of the ordering/certifying physician or provider.

Medicare Contractors cannot use this new regulation to request order and certification documentation dated before July 6, 2010. We encourage all providers who order or provide Medicare-covered services and supplies to update their document retention policies to comply with this new requirement.

© 2019 Dinsmore & Shohl LLP. All rights reserved.


About this Author

Stacey A. Borowicz, Regulatory, Health care industry, attorney, Dinsmore Shohl,

Stacey Borowicz is an accomplished attorney who dedicates the majority of her business and regulatory practice to health care providers. Stacey brings with her more than a decade of front line experience in the health care industry as she acquired a rare set of skills as a medical researcher/scientist prior to entering the practice of law.

Stacey's experience in the healthcare representation is diverse and includes Medicare/Medicaid audit and overpayment appeals, voluntary disclosures and refunds. Stacey also brings a wealth of experience in...