CRNA Pass-through
Modifications to the HIPAA Privacy Regulations Final Rule
Changes in Provider Based Rules
CRNA Pass-through
To enable rural hospitals to secure anesthesia services for their patients, Medicare regulations include a rural hospital’s option for reasonable cost pass-through for the services of one full-time equivalent CRNA, as long as the hospital qualifies for “pass-through” treatment. The final hospital inpatient PPS regulations issued August 1, 2002 in the Federal Register, increased the threshold for the number of procedures per year from 500 to 800. Currently, a rural hospital can qualify for pass-through treatment if it can show that it did not provide more than 500 surgical procedures requiring anesthesia services during any one year.
Modifications to the HIPAA Privacy Regulations
The Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) took effect on April 14, 2001. The privacy rule creates national standards to protect individual’s personal health information and gives patients increased access to their medical records. Most covered entities must comply with the Privacy Rule by April 14, 2003. Small health plans have until April 14, 2004 to comply with the Rule.
Final Modifications:
Marketing
The final Rule requires a covered entity to obtain an individual’s prior written authorization to use his protected health information for marketing purposes except for a face-to-face encounter or communication involving a promotional gift of nominal value. A covered entity is prohibited from selling lists of patients and enrollees to third parties or from disclosing protected health information to a third party for the marketing activities of the third party, without the individual’s authorization. The Rule clarifies that doctors and other covered entities communicating with patients about treatment options or the covered entity’s own health-related products and services are not considered marketing.
Consent & Notice
The Rule requires covered entities to provide patients with notice of the patient’s privacy rights and the privacy practices of the covered entity. The strengthened notice requires direct treatment providers to make a good faith effort to obtain patients’ written acknowledgement of the notice of privacy rights and practices. The final Rule promotes access to health care by removing mandatory consent requirements that would inhibit patient access to health care. It provides covered entities with the option of developing a consent process that works for that entity and also allows consent requirements already in place to continue.
Incidental Use and Disclosure
Incidental uses or disclosures are not considered a violation of the Rule provided that the covered entity has met the reasonable safeguards and minimum necessary requirements. For example, if these requirements are met, doctors’ offices may use waiting room sign-in sheets, hospitals may keep patient charts at bedside, doctors can talk to patients in semi-private rooms, and doctors can confer at nurse’s stations without fear of violating the rule if overheard by a passerby.
Authorization
Patients will have to grant permission in advance for each type of non-routine use or disclosure, but providers will not have to use different types of forms.
Minimum Necessary
The December 2000 Privacy Rule generally requires covered entities to make reasonable efforts to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purposes. The final Rule exempts from the minimum necessary standards any uses or disclosures for which the covered entity has received an authorization. The Rule previously exempted only certain types of authorizations from the minimum necessary requirement, but since the rule will only have one type of authorization, the exemption is now applied to all authorizations.
Parents and Minors
Generally, the Privacy Rule provides parents with new rights to control the health information about their minor children, with limited exceptions that are based on state or other applicable law and professional practice. The Final Rule clarifies that in the special cases in which the minor controls his own health information under such law and that law does not define the parents’ ability to access the child’s health information a licensed health care provider continues to be able to exercise discretion to grant or deny such access as long as that decision is consistent with the state or other applicable law.
Business Associates
The Final Rule gives covered entities (except small health plans) up to an additional year to change existing written contracts to come into compliance with the business associate requirements. The Department has also provided sample business associate contract provisions which are located in the Appendix to the final Rule.
Research
The Final Rule facilitates researchers’ use of a single combined form to obtain informed consent for the research and authorization to use or disclose protected health information for such research.
Limited Data Set
The Final Rule permits the creation and dissemination of a limited data set that does not include directly identifiable information for research, public health, and health care operations. In addition, to further protect privacy, the Final Rule conditions disclosure of the limited data set on a covered entity and the recipient entering into a data use agreement, in which the recipient would agree to limit the use of the data set for the purposes for which it was given and to ensure the security of the data, as well as not to identify the information or use it to contact any individual.
Group Health Plan Disclosures of Enrollment and Disenrollment Information
The Final Rule allows a group health plan, a health insurance issuer, or HMO acting for a group health plan to disclose to a plan sponsor such as an employer, information on whether the individual is enrolled in or has disenrolled from a plan offered by the sponsor without amending the plan documents.
Accounting of Disclosures
Under the December 2000 Privacy Rule, individuals have the right to receive an accounting of disclosures of protected health information made by the covered entity, with certain exceptions. The Final Rule exempts disclosures made pursuant to an authorization from the accounting requirements. The authorization process itself adequately protects individual privacy by assuring that the individual’s permission is given both knowingly and voluntarily. The Final Rule also exempts from the accounting requirements incidental disclosures and disclosures that are part of a limited data set.
Disclosure for Treatment, Payment, or Health Care Operations of Another Entity
The Final Rule clarifies that covered entities can disclose protected health information for the treatment and payment activities of another covered entity or a health care provider, and for certain health care operations of another covered entity. Health care operations includes quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, case management and care coordination, conducting training programs, and accreditation, licensing, or credentialing activities.
Changes in Provider Based Rules
CMS released its update to the hospital inpatient prospective payment system on August 1, 2002. The final rule made several changes to the provider-based rules.
CMS has revised Regulation Section 413.65(b)(2) to state that if a facility was treated as provider-based in relation to a hospital or CAH on October 1, 2000, it will continue to be treated as provider based in relation to that hospital or CAH until the start of the hospital’s first cost reporting period beginning on or after July 1, 2003. Previous to this final rule, the grandfathering provision was to expire on October 1, 2002.
Prior to October 1, 2002 (or, in the case of grandfathered facilities, prior to the start of the provider’s first cost reporting period beginning on or after July 2, 2003), a provider must submit a request for provider-based determination to CMS. Under the final rule, effective October 1, 2002, an attestation of provider-based status will have the same effect as a request for provider-based status, in that approval of an attestation will result in a determination that a facility or organization is provider-based.
Until a uniform request or attestation form is available, the provider should include the identity of the main provider and the facility or organization for which provider-based status is being sought and supporting documentation for purposes of applying the provider based status criteria in effect at the time the request or attestation is submitted. The provider must also enumerate each facility and state its exact location and the date on which the facility became provider-based to the main provider. For those facilities that are located on campus, no documentation is required to be submitted with the attestation. Documentation must be submitted for those facilities located off campus.
Under existing 42 CFR 413.65, all facilities seeking provider-based status with respect to a hospital or other main provider must meet a common set of requirements. These include requirements relating to common licensure, operation under the ownership and control of the main provider, administration and supervision, integration of clinical services, financial integration, public awareness and location in the immediate vicinity of the main provider. In the May 9, 2002 proposed rule, CMS proposed to simplify the requirements applicable to facilities located on the campus of the main provider. Both on-campus and off-campus facilities would be required to comply with the existing requirements regarding licensure, clinical services integration, financial integration, and public awareness. However, depending on where the facility is located, other requirements must be met.
On-Campus Facilities
On-campus facilities are no longer subject to the requirement relating to operating under the ownership and control of the main provider. CMS has also removed the administrative and supervisory requirements between the main provider and the organization seeking provider-based status. CMS believes, for example, that if a facility is located on the main campus of a provider, is operated under the main provider’s State license, is medically and financially integrated with that provider, and is held out to the public and other payers as part of that provider that the necessary degree of integration of the facility into the main provider can be assumed to exist.
Off-Campus Facilities
To ensure that off-campus facilities seeking provider-based status are appropriately integrated, CMS will continue to require the facility to operate under the ownership and control of the main provider. In addition, the reporting relationship between the facility seeking provider-based status and the main provider must have the same frequency, intensity, and level of accountability that exists in the relationship between the main provider and one of its departments. Finally, off-campus facilities must be located in the immediate vicinity of the main provider. More specifically, the facility must be located within a 35-mile radius of the main campus of the hospital that is the potential main provider and it must demonstrate that it serves the same patient population as the main provider.
Excluded Facilities
The final rule has not changed the facilities that are excluded from the provider-based rules. Ambulatory surgical centers; comprehensive outpatient rehabilitation facilities; home health agencies; skilled nursing facilities; inpatient diagnostic testing facilities and other facilities that furnish only clinical diagnostic laboratory tests; facilities furnishing only physical, occupational, or speech therapy to ambulatory patients while the $1500 cap remains suspended; and end-stage renal dialysis facilities are still not included in the scope of the requirements for determination of provider-based status.
Summary
Since attestation forms are not yet available, we recommend looking at this closer during the Spring of 2003.