HIPAA Blog

[ Monday, February 26, 2024 ]

 

[Note: This should have been posted early January -- I just noticed it was still in Draft]

HHS announces data blocking penalties: The information blocking rule (IBR) is part of the 21st Century Cures Act, which itself is sort of a hodge-podge of a law addressing a bunch of different healthcare research and IT related matters.  Of course, the Cures Act itself follows in a long line of healthcare policymaking that is both omnibus in presentation and reactive and/or deductive in focus.

Remember, HIPAA started out as a law intended to force insurance companies to provide coverage to an applicant who had similar insurance in the immediate months prior.  One way to "scam" insurance is to not participate when you are healthy and only buy it when you are sick, which it the practical equivalent of not buying fire insurance until your house is on fire.  If you can do so, you avoid paying into the insurance risk pool when you'd lose money, and only pay in when you'll get more back.  In other words, you're "free-riding" on other insurance purchasers.  

It's understandable that insurers want to prevent free-riders, and one way to do it is by refusing to cover pre-existing conditions.  If you don't buy insurance until you're sick, and then show up at the insurer's door with an expensive illness, the insurer will say, "OK, you're covered, but not for what you already got."  That's fair.  However, what if you didn't game the system, you weren't a free-rider: you had insurance previously, but you just need new insurance because (e.g.) you got a new job.  For the insurance company, it's still a pre-existing condition, but it's not fair to the insured.  Ultimately, for a lot of people, the pre-existing condition hurdle meant they were stuck in their current job and couldn't take a better one.  That's "job-lock."

HIPAA was originally drafted to target job-lock: if you had "creditable" health insurance coverage within the last 6 months, a new insurer can't deny you for a pre-existing condition.  Remember, the first 2 letters of HIPAA don't stand for health information privacy, but for health insurance portability.  It's a great idea that every politician could support.  However, great ideas get other ideas attached to them, ideas that might not pass into law on their own, but would pass if they were attached to a great idea.  

Several new foci got attached to HIPAA's portability provision, some with merit but none universally supported.  First, regulators wanted the healthcare industry to be more efficient.  At that time, healthcare was a laggard in adopting information technology; most healthcare providers used primarily paper records, and a large portion of billing was done on paper (and that done electronically was done using multiple systems with no coherent or consistent programming logic).   The drafters of HIPAA thought that if all electronic transactions in healthcare were standardized, more people would bill and pay electronically, and the system would be more efficient.  Thus, the transactions and code sets (T&CS) rule was adopted.

However, if all that data is going to be digitized and sent electronically, the data would be at much greater risk in electronic format than in paper format (you can't make money trying to steal paper records, and a breach of a physical paper storage room is a lot easier to catch and prevent).  If we're going to encourage electronic data interchange in healthcare, we also need to ramp up data privacy and security practices.  Thus, the privacy and security rule were adopted.

You see, Portability begat T&CS standards, which in turn begat Privacy and Data Security standards.  And you know that the HITECH Act contains a lot of HIPAA updates and revisions, including the data breach reporting standards.

One of the main foci of the HITECH act (remember, the title is "Health Information Technology for Economic and Clinical Health") was the "meaningful use" rule: the encouragement/forcing of healthcare providers to adopt electronic medical records (EMRs); this was actually a follow-on to the genesis of HIPAA's transaction and code sets, as well as the data privacy and security requirements.  While the T&CS rule was intended to entice the industry to become more digital, not enough providers moves in that direction, particularly small health providers.  Many continued their paper ways.  Congress knew that one way to get them to move would be to give them money to do so: if a healthcare provider uses electronical technology in a meaningful way (i.e., becomes a "meaningful user" of it, i.e. adopts an EMR), CMS will pay it money; if it does not, CMS will reduce what it pays for Medicare and Medicaid patients.  

The IBR is intended to address an issue that has come up with regard to EMR companies intentionally designing their systems to be less-than-fully compatible with other EMRs. 



HHS posts penalties

Hospitals, medical groups push back against penalties



Jeff [9:12 AM]

Comments: Post a Comment
http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template