Healthcare Compliance News

ONC Expands TEFCA with Two Additional Health Information Networks

The Office of the National Coordinator for Health Information Technology (ONC) at the Department of Health and Human Services (HHS) has announced that two new organizations have been designated as Qualified Health Information Networks (QHINs) and have been added to the nationwide data exchange governed by the Trusted Exchange Framework and Common Agreement (TEFCA).

TEFCA was envisioned by the 21st Century Cures Act to support nationwide interoperability and became operational in December 2023 when the first five QHINs were designated by ONC – eHealth Exchange, Epic Nexus, Health Gorilla, KONZA, and MedAllies. The addition of two new QHINs – CommonWell Health Alliance and Kno2 – brings the total up to seven.

ONC has confirmed that CommonWell Health Alliance and Kno2 can immediately begin supporting the exchange of data under TEFCA and can provide shared services and governance to securely route queries, responses, and messages across networks for healthcare stakeholders including patients, providers, hospitals, health systems, payers, and public health agencies.

“These additional QHINs expand TEFCA’s reach and provide additional connectivity choices for patients, health care providers, hospitals, public health agencies, health insurers, and other authorized health care professionals,” said Micky Tripathi, Ph.D., national coordinator for health information technology. “On behalf of ONC, I want to congratulate CommonWell Health Alliance and Kno2 for their achievement.”

The post ONC Expands TEFCA with Two Additional Health Information Networks appeared first on HIPAA Journal.

5 Best Practices for Healthcare Data Breach Incident Response and Reporting

Healthcare data breach incident response and reporting is a key area of regulatory compliance for organizations in the healthcare industry, yet there are many examples in HHS’ Breach Report where the Office for Civil Rights has had to “provide technical assistance regarding [compliance with] the HIPAA Breach Notification Rule”. This implies that covered entities and business associates are failing to respond to and report healthcare data breaches in a timely manner.

The Archive section of HHS’ Breach Report is a mine of valuable information about the true causes of HIPAA data breaches. Most of the 5,000+ entries have a dropdown box which reveals the nature of the breach, how it occurred, and the steps taken by the notifying entity to mitigate the consequences of the breach and to prevent it happening again. However, in more than 1,500 cases it is noted that the Office for Civil Rights provided technical assistance regarding the HIPAA Breach Notification Rule.

Most of the 5,000+ data breaches were avoidable. Had the covered entity or business associate responsible for the breach implemented reasonable safeguards and provided adequate HIPAA training, many would never have happened. But while there may be excuses for security shortcomings and human errors, there are no excuses for failing to comply with the HIPAA Breach Notification Rule, because the Rule’s few requirements are easy to understand.

A further cause for concern is that the 5,000+ data breaches in HHS’ Breach Report are data breaches affecting more than 500 individuals. Each year, HHS’ Office for Civil Rights is notified of more than 60,000 data breaches affecting fewer than 500 individuals. If approximately one-in-three of the accessible reports indicate failures of healthcare data breach incident response and reporting, this implies up to 20,000 data breaches each year are not responded to or reported in a timely manner.

What is a Healthcare Data Breach?

A HIPAA healthcare data breach is defined by HHS as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of Protected Health Information (PHI)”. As the Security Rule protects a subset of information covered by the Privacy Rule, the cause of a healthcare data breach can range from a nurse being overheard when discussing a patient’s health condition to a hacker misusing an employee’s credentials to access millions of records in a healthcare database.

It is important to be aware that since 2009, a healthcare data breach includes any event in which PHI is out of a covered entity’s or business associate’s control – e.g., due to a stolen laptop, ransomware attack, etc. Although it may not be possible to determine that an impermissible use or disclosure has occurred, covered entities and business associates that choose not to respond to or report the event bear the burden of proof to demonstrate that an impermissible use or disclosure has not occurred.

It is also important to be aware that additional reporting requirements exist in some states, while other states exempt covered entities and business associates from reporting breaches of PHI, but not breaches of individually identifiable information maintained outside a designated record set (e.g., Colorado). Healthcare organizations should bear these additional requirements in mind when applying the following 5 best practices for healthcare data breach incident response and reporting.

5 Response and Reporting Best Practices

The following 5 best practices for healthcare data breach incident response and reporting are the minimum measures a healthcare organization should implement. The best practices follow a logical order and it is important they are conducted as quickly as possible. The longer an individual is unaware their personal information has been compromised, the less time they have to protect themselves against medical identity theft, fraud, and other misuses of the compromised data.

1. Implement Internal Breach Reporting Procedures

The most important element of healthcare data breach incident response and reporting is getting a message to those responsible for response and reporting as soon as possible. In some cases, Security Information and Event Management (SIEM) systems can be configured to automatically alert SOC teams to unauthorized network access, but it is more often the case that a healthcare data breach is identified by a member of the workforce, a business associate, or a third party – such as a white hat hacker.

In such events, not only is it important for there to be an effective system of communication, but it is also important that internal breach reporting is encouraged among workforce members. It has been estimated that 40% of IT security incidents are “hidden” by workforce members because they believe they will get into trouble if they report them. Tougher sanctions will not resolve this issue, so organizations must develop a culture of forgiveness for IT incidents attributable to human error.

2. Conduct a Risk Assessment to See if a Breach is Notifiable

While every breach must be responded to, not all are notifiable to affected individuals, HHS’ Office for Civil Rights, and – where applicable – State Attorneys General. Before notifying a data breach, HHS’ Office for Civil Rights recommends conducting a risk assessment to determine whether PHI has been impermissibly used or disclosed. The risk assessment should consist of at least the following factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
  • The unauthorized person who used the PHI or to whom the disclosure was made.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk to the PHI has been mitigated.

It is not mandatory to conduct a risk assessment prior to notifying HHS’ Office for Civil Rights of a healthcare data breach; but if a risk assessment finds there is a low probability of PHI having been compromised – or that an exception exists to the HIPAA Breach Notification Rule – organizations can avoid the potential disruption of a compliance investigation. It is also a good business practice not to unnecessarily worry an individual that their personal data has been stolen if you don’t have to!

3. Advise a Law Enforcement Agency of the Breach

There is a clause in the Breach Notification Rule (45 CFR §164.412) that permits organizations to delay making the required breach notifications if making the notifications would impede a criminal investigation. Without knowing what criminal investigations are ongoing – and notwithstanding that the FBI recommends reporting all Internet crime – it is impossible to determine whether a delay is justified without advising a law enforcement agency of the healthcare data breach.

In addition, it has been calculated that 35% of all data breaches in healthcare are attributable to “insider threats”. It may be in an organization’s best interests to request a law enforcement investigation in order to determine whether a breach is attributable to an insider, and whether it may be repeated. In all circumstances, the law enforcement agency will be able to advise the organization if the organization can go ahead with notifying the breach or if a delay would be advisable.

4. Notify Individuals and Regulatory Agencies

Subject to the result of the risk assessment and law enforcement advice, individuals who are affected by the data breach should be notified of the data breach as quickly as possible. The content of the notifications and the method of notification are stipulated in 45 CFR §164.404, and it is important to note that the time allowed to notify affected individuals may be shorter in some states than the maximum of 60 days allowed by the HIPAA Breach Notification Rule.

With regards to notifying regulatory agencies, the notification requirements vary depending on the size and nature of the breach. For example, HHS’ Office for Civil Rights requires breaches affecting more than 500 individuals to be notified within 60 days, while the limit in Alabama is 1,000 individuals. In addition, in some states it is only necessary to notify data breaches attributable to cybercrime. In these cases, oral and paper data breaches do not have to be notified to the state.

5. Address the Real Cause of the Breach

Returning to the Archive section of HHS’ Breach Report, many of the data breach descriptions claim the notifying entity or their business associate was the victim of an unspecified cyberattack, ransomware attack, or phishing attack. However, these events do not happen by themselves, and although cybercriminals have access to sophisticated malware, they still have to “get in the door” before they can deploy the malware and execute their attacks.

It has been reported that around 80% of data breaches categorized as “hacking and IT incidents” are attributable to weak, reused, and compromised passwords. Therefore, in terms of addressing the real cause of the breach, healthcare organizations should strengthen password policies, protect sensitive accounts with 2FA, and invest in susceptibility testing. Strengthening all users’ passwords – even those with no access to PHI – is the most effective way to prevent future data breaches.

Keeping Up To Date with Healthcare Data Breach Incident Response and Reporting Best Practices

Healthcare data security is an ongoing process – not only due to the increasing sophistication of internal and external threats, but also due to changing regulatory requirements. Keeping up to date with healthcare data breach incident response and reporting best practices could be vital to safeguard the confidentiality, integrity, and availability of PHI and – as has been proposed – to qualify for participation in CMS’ Medicare and Medicaid programs.

It can be difficult for healthcare organizations to monitor compliance with the healthcare data breach incident response and reporting requirements when compliance with other laws, regulations, and standards also has to be monitored. However, there are software solutions that can help resolve this issue, and organizations interested in investigating software solutions for keeping up to date with all healthcare compliance best practices are advised to seek professional compliance advice.

The post 5 Best Practices for Healthcare Data Breach Incident Response and Reporting appeared first on HIPAA Journal.

Bipartisan Group of Senators Form Working Group to Address Medicare Physician Payment System

A bipartisan group of senators has formed a Medicare payment reform working group which is working on new legislation that will bring long-term reforms to physician payments under Medicare. The new legislation will ensure that healthcare providers receive fair compensation for the services they provide.

For many years, physicians have complained that they are not fairly compensated for providing services under Medicare. The 2015 Medicare Access and CHIP Reauthorization Act (MACRA) made significant strides toward a value-based payment system from a system that paid on quantity, and it aimed to provide physicians with a stable payment system; however, MACRA has not achieved its goals and further action is required to address the reimbursement challenges that come with a system that aligns payment incentives with patient outcomes.

U.S. Sens. Catherine Cortez Masto, (D-NV); Marsha Blackburn, (R-TN); John Barrasso, (R-WY); Debbie Stabenow, (D-MI); Mark Warner, (D-VA); and Minority Whip John Thune, (R-SD) formed the group with the primary goal of investigating and proposing long-term reforms to the physician fee schedule (PFS) and updating MACRA. “As the health care system has evolved since the inception of the Medicare program, the physician payment system has failed to keep pace with the actual cost of care and the improvements in new services and technologies,” explained the Senators. “We believe Congress must make changes to the current Medicare physician payment system to ensure financial stability for providers, improve patient outcomes, promote access to quality care, and incentivize the utilization of emerging health care technology.”

One of the first steps will be to reach out to stakeholders to obtain their feedback on the current problems and potential solutions. The feedback collected will inform the development of policies that will address Medicare physician payment for the long term, increase compensation for physicians who provide services under Medicare, and improve the quality of care for patients.

Action needs to be taken. A 3.4% Medicare payment rate cut took effect on January 1, 2024, on top of a 2% payment reduction in 2023, and the Medicare Economic Index (MEI) was 3.8% last year and 4.6% this year, which is the highest level it has been this century. The American Hospital Association (AHA) recently highlighted that there has been an inflation-adjusted 30% decline in Medicare reimbursement rates since 2001 and the payment freeze will not end until 2026, while the cost of keeping practices open is continuing to soar. “Physicians always put patients first. It is time for our political leaders to prioritize our nation’s physician workforce by correcting the flaws in a Medicare system that unfairly penalizes doctors for the care they provide,” said the AHA. “We can, and must, do better.”

The post Bipartisan Group of Senators Form Working Group to Address Medicare Physician Payment System appeared first on HIPAA Journal.

FDA Issues Guidance on Reporting the Amount of Listed Drugs and Biological Products Under the FD&C Act

The U.S. Food and Drug Administration (FDA) has issued draft guidance to help registrants of drug establishments in submitting reports to FDA on the amount of each listed drug manufactured, prepared, propagated, compounded, or processed for commercial distribution.

In March 2020, the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was enacted to aid response efforts and ease the economic impact of the Coronavirus Disease 2019 (COVID–19). One of the requirements of the CARES Act was to enhance the FDA’s ability to identify, prevent, and mitigate potential drug shortages by improving visibility into drug supply chains.

The CARES Act updated the Federal Food, Drug, and Cosmetic Act (FD&C Act) to require persons who register with the FDA under section 510 of the FD&C Act, including repackers and relabelers, to submit annual reports to the FDA on the amount of each listed drug that was manufactured, prepared, propagated, compounded, or processed by such person for commercial distribution.

“With earlier awareness of persistent or emerging supply chain challenges, FDA is better informed and able to take more targeted and timely actions to promote stronger supply chains and reduce drug shortage risks,” explained the FDA.

The guidance document – Reporting Amount of Listed Drugs and Biological Products Under Section 510(j)(3) of the FD&C Act – describes the process that should be used for submitting reports on listed drugs and clarifies who is required to submit reports, what the reports must include, and the timing of reports. While reports are a legal requirement under the FD&C Act, the guidance does not establish legally enforceable responsibilities; instead, it details the FDA’s current thinking and includes best practices that should be followed.

The post FDA Issues Guidance on Reporting the Amount of Listed Drugs and Biological Products Under the FD&C Act appeared first on HIPAA Journal.

HTI-1 Final Rule Takes Effect Today

The Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) Final Rule takes effect today (February 8, 2024). The Final Rule was issued through the HHS’ Office of the National Coordinator for Health Information Technology (ONC) and was released on December 13, 2023.

The Final Rule implements provisions of the 21st Century Cures Act and updates the ONC Health IT Certification Program with new and updated standards to promote valid, safe, effective, and fair development and implementation of AI systems, in line with the principles and priorities of President Biden’s Executive Order 14110: Safe, Secure and Trustworthy Development and Use of Artificial Intelligence. The Final Rule is intended to advance ONC-certified health IT interoperability, algorithm transparency, and data standardization to improve patient outcomes and reduce healthcare costs.

The Final Rule establishes new requirements for transparency for AI and other predictive algorithms that are part of ONC-certified health IT, which is utilized by more than 96% of hospitals and 78% of office-based physicians in the United States. The transparency requirements allow clinical users of systems that incorporate AI and machine learning algorithms to access a consistent, baseline set of information about the algorithms and assess them for fairness, appropriateness, validity, effectiveness, and safety.

The Final Rule adopts the United States Core Data for Interoperability (USCDI) Version 3 (v3) as the new baseline standard within the ONC Health IT Certification Program. USCDI v3 includes updates to prior USCDI versions that are aimed at advancing more accurate and complete patient characteristics data to promote equity, reduce disparities, and support public health data interoperability. While the Final Rule is now in effect, developers of certified health IT have until January 1, 2026, to move to USCDI v3, although they can make that move sooner.

The Final Rule also introduced new information blocking requirements to support information sharing, revised some information blocking definitions, and added a new exception to encourage secure, efficient, standards-based exchange of electronic health information under the Trusted Exchange Framework and Common Agreement (TEFCA).

The Final Rule also introduced new interoperability-focused reporting metrics for certified health IT to give better insights into how certified health IT is used to support care delivery, such as the 21st Century Cures Act requirement to adopt a Condition of Certification for developers of certified health IT to report metrics as part of their participation in the Certification Program.

With the Final Rule now in effect, it is important to ensure that IT systems, information sharing policies, data collection, and reporting practices are assessed to ensure they are compliant with these new requirements.

The post HTI-1 Final Rule Takes Effect Today appeared first on HIPAA Journal.

What is Healthcare Compliance Tracking Software?

Healthcare compliance tracking software is a tool that helps healthcare organizations keep compliance programs on schedule by automating the management of activities such as risk assessments, policy and procedure reviews, workforce training, and incident management. When used effectively, healthcare compliance tracking software can help organizations avoid legal risks, better protect the privacy and security of health information, and improve the quality of patient care.

Healthcare organizations have a lot of regulations and standards to comply with. Not only are most healthcare organizations required to comply with HIPAA, OSHA, and FDA regulations, but they might also have to meet CMS’ conditions for participation in Medicare, the voluntary standards for Joint Commission accreditation, and industry-specific or role-specific state licensing requirements.

In addition, if a healthcare organization operates in a state that has passed a data privacy law that does not exempt HIPAA covered entities and business associates, there may be occasions in which a provision of a state data privacy law preempts a provision of HIPAA – notwithstanding that some states exempt Protected Health Information, but not other types of identifiable information.

As a consequence of multiple regulations and standards, it is often difficult to keep on top of compliance activities. Even the best planned health compliance programs can be thrown off-schedule by an unforeseen event – for example, the recent guidance that using tracking technologies on user-authenticated healthcare web pages could be a HIPAA violation.

How Healthcare Compliance Tracking Software can Keep Programs on Schedule

Healthcare compliance tracking software works by tracking program initiatives and activities to alert compliance teams when risk assessments are due for review, when policies and procedures need revising, and when workforce training needs to be provided or repeated – or, in the case of a security awareness training program, when the program needs to be updated to reflect emerging threats.

The same capabilities can be configured to manage Business Associate Agreements and the retention of compliance documentation, and to produce reports for upper management to show the value of investing in healthcare compliance tracking software. In some cases, the value of the investment can be that it is possible to demonstrate a good faith effort to comply with regulations and standards.

Thereafter – depending on the compatibility of the software with an existing IT infrastructure – healthcare compliance tracking software can be used to manage incident responses (i.e., compliance with the HIPAA Breach Notification Rule) or ensure corrective action plans remain on schedule to avoid an extension of the plan or a civil financial penalty for failing to comply with the plan.

The Benefits of Tracking Compliance Activities with Automation

The primary benefit of tracking compliance activities with automation is that healthcare compliance tracking software reduces the likelihood of human error due to an oversight or misinterpretation of a compliance activity. This reduces the likelihood of non-compliance and the consequences of non-compliance such as remedial action, legal risks, and financial costs (both direct and indirect costs).

In addition, by mitigating the risk that compliance activities will fall behind schedule, healthcare compliance tracking software helps better protect the privacy and security of health information. The benefit of this is that, when patients believe their health information will remain confidential, they are more likely to share details of their health conditions with healthcare providers.

With more information available to them, healthcare providers can make better informed decisions about diagnoses and treatment plans, which improves the quality of patient care and leads to better patient outcomes. Better patient outcomes not only reduce healthcare costs, but can improve staff morale and retention – saving healthcare organizations staff recruitment and training costs.

The above is just a snapshot of the capabilities and benefits of healthcare compliance tracking software. If you would like to know more about tracking compliance activities with automation, or developing a compliance program that accounts for the variety of regulations and standards, it is advisable to speak with a healthcare compliance expert.

The post What is Healthcare Compliance Tracking Software? appeared first on HIPAA Journal.

Why is Compliance Important in Healthcare?

Compliance is important in healthcare because complying with the regulations that govern the healthcare industry can help avoid legal risks and penalties for non-compliance, protect the privacy and security of individually identifiable health information, and improve the quality and safety of patient care. In addition, demonstrating compliance with healthcare regulations can enhance the reputation of – and trust in – healthcare organizations and healthcare professionals.

Compliance in healthcare can mean different things to different people. For healthcare organizations, compliance can mean following the rules and regulations that apply to their operations. Depending on the nature of their operations, this can mean complying with (for example) HIPAA, OSHA, the Joint Commission standards, and the conditions of participation in Medicare. Most organizations also have to comply with local regulations relating to public health and emergency preparedness.

For members of organizations’ workforces, compliance in healthcare most often means complying with the organization’s policies and procedures. Although there are circumstances in which individuals can be personally liable for regulatory violations, in most cases the penalty for not complying with an organization’s policies and procedures is determined by the content of the organization’s sanctions policy (i.e., verbal/written warning, suspension, termination, etc.).

Compliance in healthcare is also important to patients. Not only are patients more likely to disclose confidential information about themselves when they feel the information will remain confidential – which can result in more accurate diagnoses and treatment plans, and better patient outcomes – but they are more likely to comply with treatment plans and therapies – resulting in less patient testing, fewer avoidable hospital visits, lower readmissions, and reduced costs for healthcare organizations.

However, although compliance in healthcare can mean different things to different people, the benefits of compliance are connected. When a healthcare organization complies with regulations, it provides a safer, better educated workforce that can deliver a better standard of care to patients. When workforce members comply with organizational policies and procedures, it can reduce costs and better protect patient data, and when patients comply with their treatment plans and therapies, workforce morale and retention increases, further reducing costs for healthcare organizations.

Compliance for Healthcare Organizations

Compliance for healthcare organizations is complicated by the number of rules and regulations they have to comply with, the way regulations can overlap, and the frequency with which they can change. In larger organizations, compliance teams may be required to manage the volume of rules and regulations and the frequency with which they can change, while HR, legal, and IT teams may also be involved in developing policies and procedures and monitoring compliance with them.

Compliance for healthcare organizations is not only a legal obligation, but also a moral and ethical one. Healthcare organizations have a duty to uphold the standards of their profession and to act in the best interests of their patients. Complying with the applicable rules and regulations helps healthcare organizations deliver high-quality care that meets the needs and expectations of their patients, as well as the requirements of the law in order to avoid legal risks and penalties.

Why is Workforce Compliance Important in Healthcare?

Workforce compliance is important in healthcare because members of the workforce are the public face of healthcare organizations. By demonstrating an understanding of regulatory compliance and complying with the policies and procedures implemented by the healthcare organization, members of the workforce can build trust between patients and healthcare providers – which, not only benefits patients, but which can also result in increased workplace morale and job satisfaction.

Failing to comply with organizational policies can be professionally detrimental to workforce members. While minor violations of organizational policies and procedures might only result in a verbal warning or compliance retraining, serious or repeated violations can lead to sanctions that remain permanently on an employment record – or, in the worst cases, lead to suspension, termination of contract, and loss of license to practice.

Why is Patient Compliance Important in Healthcare?

Patient compliance, also known as medication adherence, is the degree to which patients follow the instructions of their healthcare providers. It is an important metric in the effectiveness of treatments, the prevention of complications, and the improvement of patient outcomes. However, patient compliance in healthcare is surprisingly low. According to the World Health Organization, only about 50% of patients in developed countries adhere to their prescribed therapies.

Improving patient compliance in healthcare requires a multifaceted approach that involves educating and counseling patients about their condition and treatment options, providing them with clear and simple instructions and reminders, and addressing their concerns and preferences. However, in order for this approach to work, it is necessary for patients to trust their healthcare providers – something that can be accomplished by organizational and workforce compliance in healthcare.

Improving Compliance in Healthcare

Compliance is not a one-time event, but an ongoing process that requires constant monitoring, evaluation, and improvement. Healthcare organizations need to have effective compliance programs that include policies, procedures, training, auditing, and reporting. Sanctions also need to be applied fairly and consistently. Compliance programs should be tailored to the needs and risks of each organization, and should be updated regularly to reflect the changes in the industry and to the law.

One way to improve compliance in healthcare is by deploying healthcare compliance software that can be customized for each organization’s compliance requirements. Solutions of this nature help organizations cope with multiple regulations, adapt to changing regulations, increase compliance efficiency, support growth and expansion, and improve patient outcomes. To find out if healthcare compliance software may be a solution for your organization, speak with a healthcare compliance expert.

The post Why is Compliance Important in Healthcare? appeared first on HIPAA Journal.

The Benefits of Outsourced Healthcare Compliance

Outsourced healthcare compliance is when external experts or agencies take responsibility for some of an organization’s compliance obligations – either working in-house as a separate compliance unit, working in-house as a consultant to a compliance team, or working remotely via healthcare compliance software. They can also work as outsourced compliance experts for one particular regulation (e.g., HIPAA), or one element of multiple regulations (e.g., workforce training).

Outsourced healthcare compliance services can perform a wide range of compliance tasks, including risk assessments, policy development, training programs, audits, and ongoing compliance monitoring. By outsourcing these tasks, healthcare organizations can draw on specialized knowledge and experience that is not readily available in-house, particularly when the organization lacks the resources to keep up to date with changes to federal, state, and industry regulations.

The Benefits of Outsourced Healthcare Compliance

Outsourced healthcare compliance has the primary benefit of enabling organizations to concentrate on core healthcare operations while entrusting some or all of their compliance obligations to experts. Some of the other benefits of outsourced healthcare compliance include:

Access to Specialized Knowledge

It is difficult for small compliance teams to keep up to date with every federal, state, and industry healthcare compliance requirement. Outsourced healthcare compliance provides access to experienced compliance professionals who are not only up to date with current compliance requirements, but who are also aware of changes under consideration.

Enhanced Efficiency

Because they have specialized knowledge of all applicable compliance regulations, outsourced healthcare compliance services can enhance efficiency by eliminating duplicated effort where regulations overlap – for example, HIPAA, OSHA, and CMS’ conditions for participation in Medicare all include similar emergency preparedness requirements.

Risk Reduction

Having specialized knowledge can also help organizations reduce the risk of non-compliance in cases where (for example) a provision of state law preempts a provision of HIPAA or additional training requirements exist due to the nature of an organization’s operations. Reducing the risks of non-compliance reduces the likelihood of penalties for non-compliance.

Better Trained Workforce

Due to their experience with different types of healthcare organizations, outsourced healthcare compliance services are often more familiar with how workforces absorb and apply training. This means training sessions can be better compiled and delivered by an external source to increase the likelihood of a better trained and compliant workforce.

Cost Savings

Outsourcing healthcare compliance can lead to cost savings by avoiding the need to hire an employee with the necessary compliance experience (e.g., a HIPAA Privacy Official). Instead, outsourcing healthcare compliance allows organizations to pay for external compliance services on an as-needed basis.

How to Evaluate External Compliance Services

Selecting an external compliance service requires careful consideration of several key factors. If a service provider is offering a technology solution, it is important that the solution is customizable to meet all the organization’s compliance obligations. It is also important that the provider offers technical and administrative support to deploy and configure the solution.

Other tips include ensuring the provider can demonstrate expertise in healthcare compliance, and an understanding of industry regulations and best practices. It may also be necessary to research the provider’s reputation via a reputable source to assess their previous successes and failures – particularly with regard to integrating their technology solution into an existing IT infrastructure.

Finally, it is vital that prospective outsourced healthcare compliance experts provide reasonable expectations of what their services might entail. These expectations should include loss of organization control and the potential for a lengthy transition period – during which time there may be operational disruptions. In all cases, before engaging an outsourced healthcare compliance service, it is best to seek independent compliance advice.

The post The Benefits of Outsourced Healthcare Compliance appeared first on HIPAA Journal.

What is a Clearinghouse in Healthcare?

A clearinghouse in healthcare is a middleman between a healthcare provider and a health plan that checks claims from healthcare providers to ensure they don’t contain errors before forwarding them to a health plan for payment. Having a middleman to check for accuracy reduces workloads for both healthcare providers and health plans and accelerates the payment of claims.

A clearinghouse in healthcare has several definitions – and each definition can be interpreted in several ways. For health plans and healthcare providers subject to the HIPAA Administrative Simplification Regulations, it is important to understand how the Department of Health and Human Services defines a clearinghouse in healthcare in order to avoid unintentional HIPAA violations.

What is a Healthcare Clearinghouse under HIPAA?

In the definitions section of the HIPAA Administrative Simplification Regulations (§160.103), a healthcare clearinghouse under HIPAA is defined as a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value added” networks and switches, that performs either of the following functions:

(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements, or

(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.

Wasn’t HIPAA Supposed to Standardize the Claims Process?

To an onlooker from outside the industry, it might seem strange that healthcare providers and health plans still use healthcare clearinghouses when one of the objectives of the HIPAA Administrative Simplification Regulations was to standardize the claims process in order to reduce inefficiencies and reduce the likelihood of fraud in the healthcare industry.

However, healthcare billing is a challenging process. There are currently four medical data code sets permitted by HIPAA, one of which – ICD-10 – has more than 68,000 codes to represent different diagnoses and treatments. Once you multiply these by the number of HCPCS codes (for medical services and medical supplies) and numerous National Drug Codes, it is easy to see how errors can be made.

To further complicate the issue, there are thousands of health plans and thousands of hospitals in the United States. Some will have up-to-date claims software, others will not. A clearinghouse in healthcare not only has to ensure claims are correct but also that they are delivered to the health plan for payment if a healthcare provider and health plan use incompatible software.

Other challenges to take into account include state laws relating to the payment of healthcare claims, co-pays, and deductibles. It would be extremely difficult for a healthcare provider to manage all the codes and variables associated with the claims process accurately, which could delay payments and potentially result in cashflow problems for healthcare organizations on tight budgets.

Why it is Important to Understand what a Clearinghouse in Healthcare is

For health plans and healthcare providers subject to the HIPAA Administrative Simplification Regulations, it is important to understand when a clearinghouse in healthcare qualifies as a Covered Entity and when a clearinghouse in healthcare qualifies as a Business Associate to ensure that – in the latter case – a Business Associate Agreement is in place to comply with the HIPAA requirements.

A clearinghouse qualifies as a Covered Entity when it conducts business-to-business transactions as described in the definitions above. However, if Covered Entity A conducts its own clearinghouse activities (i.e., a healthcare provider that bills health plans directly), and is contracted by Covered Entity B to conduct clearinghouse activities on its behalf, Covered Entity A becomes a Business Associate of Covered Entity B, and it is necessary for a Business Associate Agreement to be in place.

Health plans and healthcare providers unsure about when a clearinghouse in healthcare qualifies as a Covered Entity and when it qualifies as a Business Associate should seek professional compliance advice.

What is a Healthcare Clearinghouse? FAQs

What is a Healthcare Clearinghouse in Medical Billing?

A healthcare clearinghouse in medical billing converts medical billing data into a standard format that can be understood by different payers and checks the claims for errors or missing information. A clearinghouse also verifies the patient’s insurance eligibility, submits the claims electronically, and tracks their status. A clearinghouse helps to streamline the billing process, reduce denials, and speed up reimbursements for healthcare providers.

How do Healthcare Clearinghouses Ensure the Security of Medical Data?

Healthcare clearinghouses ensure the security of medical data in several ways:

Compliance with HIPAA Regulations – Clearinghouses are required to comply with the applicable standards of the Health Insurance Portability and Accountability Act (HIPAA), which mandates the secure and confidential handling of sensitive patient data.

Secure Data Transmission – Healthcare clearinghouses function as electronic hubs that allow healthcare providers to transmit claims to health plans in ways that ensure Protected Health Information (PHI) remains secure.

Data Normalization – Clearinghouses process and convert medical claims into a standardized format, a process termed “normalization”. This involves transmuting the diverse data formats from healthcare providers into a uniform structure that health plans can readily process.

Claim Scrubbing – Healthcare clearinghouses review each claim (a process known as claim scrubbing) before it reaches the health plan, thereby minimizing errors, identifying potential security issues, and speeding up the reimbursement process.

By implementing these measures, healthcare clearinghouses play a pivotal role in ensuring accurate, efficient, and secure data exchange in the healthcare industry.

Are Healthcare Providers Required to Use a Clearinghouse?

Healthcare providers are not explicitly required to use a clearinghouse for processing medical claims. However, while it’s not a requirement, many healthcare providers choose to use a clearinghouse because of the benefits they offer – such as eligibility verification, electronic remittance advice, and the ability to handle a variety of medical claims. The decision to use a clearinghouse may depend on various factors, including the size of the healthcare provider, the volume of claims processed, and the resources available for handling claims internally.

The post What is a Clearinghouse in Healthcare? appeared first on HIPAA Journal.