Posted In: Health Care
By Laura F. Fryan & Nicole M. Thorn on December 10, 2019
As a new year and a new decade approach, let’s recap the major 2019 compliance issues and events that will carry into 2020. Ready your practice or facility with this compliance checklist:
The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. Any company that has data from a California resident is subject to this law. Because the scope of the law is so broad, any company with a website that has visitors from California may need to comply with the CCPA. The crux of this law allows any California resident to request that a company delete whatever personal data the company has on the resident, and companies must have specific privacy policies and other policies in place to comply with this law. Contact us to understand how to comply.
► Change in Medicare Beneficiary Identifiers:
Effective January 1, 2020, claims using a Medicare beneficiary’s social security number will be denied with few exceptions. Regardless of the service date of your claims, your practice or facility must be using the new MBI format for all Medicare and Railroad Medicare patients to avoid denials. Read more here.
► Price Transparency:
Hospitals — have this on your radar early in 2020 so you can coordinate with the necessary facilities to comply. Beginning January 1, 2021, hospitals must provide publicly, including on their website:
- "Standard charges," which include gross charge amounts, as well as negotiated minimum and maximum payment amounts for 300 services.
- The amount the hospital would accept in cash from a patient.
- This information must include the HCPCS codes and descriptions, and all must be provided in a “machine-readable format” such that consumers can compare services across multiple providers and choose what they believe to be their best option.
- Stay tuned for the final rules after the government’s comment period closes on December 31 for changes in the Stark and Anti-Kickback Laws.
- CMS and OIG were instructed to give health care entities more flexibility in their ability to work together to organize value-based models.
- Both agencies provided proposed exceptions and loosened some elements of both laws to help health care providers do just that.
- When finalized, these adjustments will likely open doors to new business opportunities for your health care practice.
► HIPAA Compliance:
- OIG saw the highest number of reported HIPAA breaches in its history in June 2019.
- Despite the fact that most health care companies have HIPAA engrained in their everyday life, we continue to see an uptick in breaches, mostly due to the sophistication of cybercriminals.
- In 2020, make sure your practice/company has conducted a security risk analysis and that it was actually effective.
- OIG has recently called out covered entities that merely “checked the boxes” on their risk analysis and/or turned a blind eye to the results of their analysis.
► General Data Protection Regulation:
This international law became effective in May 2018, but you can still come into compliance now if you discover that your practice or facility has contact in any manner with European Union citizens. Here’s a refresher:
- Any organization that has a presence on the internet and collects personal information from EU citizens is subject to GDPR.
- These data collection points include forms that collect personal information such as an email address for a newsletter subscription or for other marketing purposes. It can also include a mere internet protocol (IP) address native to nearly every computer and mobile device.
- It is likely that EU citizens, even if they are not your patients, have visited your website or social media pages due to the international reach of these sites.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this Blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney client relationship is created or implied by this Blog. © 2022 Brouse McDowell. All rights reserved.