Back in 1798, then-President John Adams signed the Act for the Relief of Sick and Disabled Seamen. Passed by the Fifth U.S. Congress, the legislation authorized deducting twenty cents a month from seamen’s wages to fund medical care for fellow sailors who were sick or hurt. It is widely considered to be the first time the federal government got involved in healthcare legislation.
Today, federal, state, and even local legislative bodies and regulatory agencies establish rules intended to protect the public, promote access to care, and ensure that medical professionals both adhere to high standards and receive the compensation that is their due. Regulations are varied and complex, and healthcare management professionals need a thorough understanding of them to help ensure that the facilities they work for operate within the law.
Students in Maryville University’s online Master of Health Administration program can gain knowledge and strategies to help them succeed in today’s healthcare regulatory environment.
Here are five regulations, not all of which are in the spotlight, that can affect delivery and administration of healthcare in the United States on a daily basis:
1. HIPAA. Originally enacted to protect health insurance coverage for workers who lost or changed jobs, the Health Insurance Portability and Accountability Act of 1996 is now most associated with the privacy of patient healthcare information. Under HIPAA, the Department of Health and Human Services (HHS) establishes boundaries on the use and release of health records. It also outlines safeguards to protect patients’ information and establishes civil and criminal penalties for violations. The law applies not just to hospitals and medical practices but also to chiropractors, dentists, nursing homes, pharmacies, and psychologists, as well as to business associates such as third-party administrators, pharmacy benefit managers for health plans, billing and transcription companies, and professionals performing legal, accounting, or administrative work.
The law’s provisions are far reaching.
“All healthcare entities and organizations that use, store, maintain or transmit patient health information are expected to be in complete compliance with the regulations of the HIPAA law,” according to an article on Datica, a digital health platform. “When completely adhered to, HIPAA regulations not only ensure privacy, reduce fraudulent activity and improve data systems but are estimated to save providers billions of dollars annually. By knowing of and preventing security risks that could result in major compliance costs, organizations are able to focus on growing their profits instead of fearing these potential audit fines.”
HIPAA applies to verbal, written, and electronic patient records – and the use of electronic health records (EHR) is increasing. With more medical providers using EHRs, data breaches have increased. Some 329 breaches of more than 500 records, for a total exposure of more than 16.4 million patient records, had been reported as of February 6, 2017, according to the HIPAA Journal article, “Largest Healthcare Data Breaches of 2016.” Stolen data is frequently used for identity theft and fraud.
Congress decided that additional regulations – and stronger penalties – were needed to address EHR and cloud-based medical records issues, which led to the HITECH Act.
2. The HITECH Act. The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in February 2009 to promote the “adoption and meaningful use of health information technology,” according to the HHS website. It mandates audits of healthcare providers to determine whether they are in compliance with HIPAA’s privacy and security rules.
The HITECH Act has been called the teeth and claws of HIPAA. Because healthcare records, unlike credit cards, can’t be canceled, changed, or reset in the event of a breach, healthcare providers have increasingly become the target of hackers.
The act provided financial incentives for providers to offset the initial costs of switching to EHRs – and also tougher data security requirements and penalties for both healthcare organizations and their business associates. Under the regulations, patients must be notified of any unauthorized access or use of their information. Protected health information (PHI) can only be shared by secured methods. Using traditional, unsecured email – a common way to share PHI electronically – can put an organization’s HIPAA compliance in jeopardy.
The costs of non-compliance can be high. Organizations can face fines as high as $1.5 million per calendar year for each violation. They also can incur losses related to notifying patients affected by a breach, investigations and legal issues, and audits.
Administrators should assess security compliance of their practice or organization, make sure proper electronic PHI procedures are in place, and update their HIPAA privacy and security policies.
The federal government also concerns itself with compensation for physicians and healthcare providers.
3. MACRA. The Medicare Access & CHIP (Children’s Health Insurance Program) Reauthorization Act of 2015 addresses payment for doctors as well as cost controls for Medicare Part B. Part of an overall shift to value-based reimbursement, MACRA moves away from the Sustainable Growth Rate (SGR) payment formula and toward a treatment model based on quality of care and use of EHRs by the medical practice or facility.
4. Medical Necessity. Medical necessity is one of the most important aspects of contemporary healthcare administration, even though it has no regulatory definition at the federal level or in the majority of states. The concept of medical necessity states that if a treatment is not medically necessary, the payer – generally an insurance company, but also Medicare or Medicaid – won’t cover the cost.
“Understanding medical necessity and how to document it is an important part of medical billing, because it is why an insurance company actually pays for a claim,” said the article, “Documenting Medical Necessity,” on MB-Guide, a website for medical billers and coders. “If it’s not documented, it never happened.”
Not all procedures are medically necessary. A practice administrator needs to understand the coverage policies for services to help avoid denied claims.
5. Chain of Custody. A “Chain of Custody” form, also known as a CCF or CoC, refers to “a document or paper trail showing seizure, custody, control, transfer, analysis, and disposition of physical and electronic evidence of a human specimen test,” according to the American Alliance Drug Testing website, which details Department of Transportation (DOT) drug testing procedures. The CCF is considered a legal document and can be invalidated if the specimen shows evidence of tampering.
Labs that perform DNA or paternity testing follow similar documentation procedures and legal requirements. In-home curiosity DNA tests such as those available from 23andMe and similar companies may be prohibited in some states because no chain of custody can be established.
The intricacies of today’s healthcare regulations require managers and administrators to be familiar with a diverse set of rules governing their profession. Maryville University’s online Master of Health Administration program can help them gain the knowledge and strategies they need to succeed.
Maryville University’s Master of Health Administration
Maryville University’s online Master of Health Administration helps prepare students for careers in healthcare management. The program offers four concentrations – Data Management, Healthcare Strategies, Population Management, and Senior Services – as well as a General MHA. Contact Maryville University to learn more.