In 1798, President John Adams signed the Act for the Relief of Sick and Disabled Seamen. Passed by the Fifth U.S. Congress, the legislation authorized the deduction of 20 cents per month from a seamen’s wages to fund medical care for fellow sailors who were sick or injured. It was the first bit of public health legislation made at the federal level in the United States.
Today, federal, state, and local authorities — in addition to various regulatory agencies — establish rules intended to protect the public, promote access to care, and ensure that medical professionals both adhere to high standards and receive the compensation that is their due.
Regulations are varied and complex. For this reason, healthcare management professionals need a thorough understanding of them to help ensure that the facilities they work for operate within the law.
Here are five regulations that can widely affect the delivery and administration of healthcare in the United States:
Originally enacted to protect health insurance coverage for workers who lost or changed jobs, the Health Insurance Portability and Accountability Act of 1996 is now most-associated with the privacy of patient healthcare information.
Under HIPAA, the Department of Health and Human Services (HHS) establishes boundaries on the use and release of health records. It also outlines safeguards to protect patients’ information and establishes civil and criminal penalties for violations.
The law applies not only to hospitals and medical practices, but also to chiropractors, dentists, nursing homes, pharmacies, and psychologists. In addition, the law governs the activity of business associates such as third-party administrators, pharmacy benefit managers for health plans, billing and transcription companies, and professionals performing legal, accounting, or administrative work.
The law’s provisions are far-reaching
“All healthcare entities and organizations that use, store, maintain or transmit patient health information are expected to be in complete compliance with the regulations of the HIPAA law,” according to information presented by Datica, a digital health platform. “When completely adhered to, HIPAA regulations not only ensure privacy, reduce fraudulent activity and improve data systems but are estimated to save providers billions of dollars annually. By knowing of and preventing security risks that could result in major compliance costs, organizations are able to focus on growing their profits instead of fearing these potential audit fines.”
HIPAA applies to verbal, written, and electronic patient records — and the use of electronic health records (EHR) is increasing. With more medical providers using EHRs, data breaches have increased. Some 351 breaches of more than 500 or more records, for a total exposure of more than 13 million patient records, had been reported as of Dec. 27, 2018, according to the HIPAA Journal. Stolen data is frequently used for identity theft and fraud.
However, as both technology and hacking attempts evolved, Congress instituted additional regulations — and stronger penalties — to address EHR and cloud-based medical records issues, which led to the HITECH Act.
2. The HITECH Act
The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in February 2009 to promote the “adoption and meaningful use of health information technology,” according to the HHS website. It mandates audits of healthcare providers to determine whether they are compliant with HIPAA’s privacy and security rules.
The HITECH Act can be considered the enforcement wing of HIPAA. Because healthcare records, unlike credit cards, can’t be canceled, changed, or reset in the event of a breach, healthcare providers have increasingly become the target of hackers.
The act provides financial incentives for providers to offset the initial costs of switching to EHRs — as well as tougher data security requirements and penalties for both healthcare organizations and their business associates.
Under the regulations, patients must be notified of any unauthorized access or use of their information. Protected health information (PHI) can only be shared by secured methods. Using traditional, unsecured email — a common way to share PHI electronically — can put an organization’s HIPAA compliance in jeopardy.
The cost of non-compliance can be high, with organizations facing potential fines of up to $1.5 million per calendar year for each violation. They can also incur losses related to notifying patients affected by a breach, through investigations, audits, and other legal issues.
Although no one could have predicted the COVID-19 pandemic, HIPAA and HITECH have proven themselves as being “ahead of the curve” in safeguarding a patient’s right to privacy. As social distancing protocols continue to reduce the number of face-to-face meetings in 2020, the increased flow of electronic information provides a seemingly ripe opportunity for malefactors to intercept sensitive data.
However, due to the foresight of both initiatives, patients now have additional peace of mind that was enacted years — even decades — before the pandemic began.
Healthcare Administrators looking to secure their infrastructure further should assess security compliance of their practice or organization, make sure proper electronic PHI procedures are in place, and update their HIPAA privacy and security policies.
The federal government also concerns itself with compensation for physicians and healthcare providers.
The Medicare Access & CHIP (Children’s Health Insurance Program) Reauthorization Act of 2015 addresses payment for doctors as well as cost controls for Medicare Part B.
Part of an overall shift to value-based reimbursement, MACRA moves away from the Sustainable Growth Rate (SGR) payment formula and toward a treatment model based on quality of care and use of EHRs by the medical practice or facility.
4. Medical Necessity
Medical necessity is one of the most important aspects of contemporary healthcare administration, even though it has no regulatory definition at the federal level or in most states.
The concept of medical necessity states that if a treatment is not medically necessary, the payer — generally an insurance company, but also Medicare or Medicaid — won’t cover the cost.
According to medical biller and coder resource MB-Guide, “Understanding medical necessity and how to document it is an important part of medical billing, because it is why an insurance company actually pays for a claim. If it’s not documented, it never happened.”
Not all procedures are medically necessary. A practice administrator needs to understand the coverage policies for services to help avoid denied claims.
5. Chain of Custody
A “Chain of Custody” form, also known as a CCF or CoC, refers to “a document or paper trail showing seizure, custody, control, transfer, analysis, and disposition of physical and electronic evidence of a human specimen test,” according to the American Alliance Drug Testing website, which details Department of Transportation (DOT) drug testing procedures.
The CCF is considered a legal document and can be invalidated if there’s any evidence of tampering.
Labs that perform DNA or paternity testing follow similar documentation procedures and legal requirements. In-home curiosity DNA tests, such as those available from 23andMe or similar companies, may be prohibited in some states because no chain of custody can be established.
The intricacies of today’s healthcare regulations require managers and administrators to be familiar with a diverse set of rules governing their profession.
Maryville University’s online Master’s in Health Administration helps prepare students for careers in healthcare management. The program offers four concentrations — Data Management, Healthcare Strategies, Population Management, and Senior Services — as well as a General MHA.