Four Health Care Rules and Regulations You Should Know about
HIPAA, Cures, No Surprises & Price Transparency
Working at a Health Tech company, you are working in a highly regulated space. If you are like me, you have some vague notions about health-related regulations, rules, acts of Congress, etc., but the details can get a little hazy.
This is an attempt to lay out some of the most commonly referenced regulations and what they do, so you can stop pretending and nodding along and start speaking with authority.
The ones covered in this post are:
HIPAA
Cures
No Surprises Act
Hospital Price Transparency
HIPAA
Very often misspelled as HIPPA. HIPAA stands for The Health Information Portability and Accountability Act of 1996.
I’m pretty familiar with this one, as I have to do a training on it a couple times a year. Hopefully, you are too.
This basically says that you can't look at someone's sensitive health data (aka Protected Health Information, or PHI) unless you are a certain kind of covered entity and you are using it for specific purposes.
I summarize the provisions below, basically paraphrasing the information provided by the CDC here.
Types of covered entities:
Healthcare Providers
Health plans - these are insurers, HMOs, Medicare, Medicaid, employer-sponsored health plans, etc.
Healthcare Clearinghouses - these are organizations that process and transmit health data to and from other covered entities
Business associates - basically businesses that work with covered entities to help with some business function. Examples include claims processing, analysis, billing, and many other things
Permitted Uses:
Covered entities are allowed to use or disclose PHI for some very specific purposes, listed below:
Disclosure to the individual patient
Treatment, payment & healthcare operations
Giving the individual the option to agree or object to the disclosure of PHI to another entity
Limited dataset for research, public health or healthcare operations.
Public interest & benefit activities, with permission of the individual
Security Rule
Covered entities are required to comply with HIPAA's Security Rule, which means they must:
Ensure confidentiality, integrity and availability of PHI
Detect threats to the security of PHI
Protect against anticipated uses or disclosures that are not allowed
Certify work force compliance
Light commentary:
Less restrictive than many people, including doctors, might think.
ONC’s Cures Act Final Rule
This draws from the information on the healthit.gov website here.
https://www.fda.gov/regulatory-information/selected-amendments-fdc-act/21st-century-cures-act
What is the ONC?
You can learn a little bit about the ONC here.
The ONC is the Office of the National Coordinator for Health Information Technology. It's the federal entity that coordinates efforts to standardize and regulate electronic health information access, use and exchange.
That means that they regulate EHRs, PHRs, eRx and related technologies.
Here’s a little infographic from their site:
When did Cures take effect?
October 2020
What does it do?
It is designed to give patients and their providers secure access to their PHI. The hope is to create a competitive and flourishing ecosystem of applications that provide patients with better access to their health information and more choices in their healthcare.
The ONC hopes to do this by creating standard APIs which will allow people to access structured electronic health data in smartphone apps.
There is a provision requiring that patients be able to access all their electronic information at no cost.
Information blocking provision
What is information blocking?
Information blocking refers to any attempt by a player in the electronic health data ecosystem to interfere with access to electronic health data.
There is an incentive to block information sharing for players protecting their market position. For example, large EHR vendors may not want to share data through open standards, as it makes it easier for providers to switch EHRs.
What does the Cures Act do about it?
Basically, if you are certified by the ONC, you have to provide patients and providers access to health data through open APIs.
It prohibits restrictions on access to or exchange of electronic health data.
It prohibits implementing health IT in a way that would increase the complexity of access to or exchange of health data.
What are the exceptions?
There are 8 exceptions to the rule that are spelled out in this handy graphic from the ONC:
Light commentary:
I have some personal experience in this space. In practice, there isn't a huge incentive to implement the APIs in a super easy, friendly way, so many players in the ecosystem make only a nominal effort to follow the letter of the rule without making their data easy to parse or very standard.
No Surprises Act
https://www.cms.gov/nosurprises
Throughout 2021 and 2022, Federal HHS, Labor, and Treasury departments released three documents in the series ‘Requirements Related to Surprise Billing’:
How do these rules help consumers?
If a patient gets care from an out-of-network provider (often without fully knowing that the provider is out of network), they can be responsible for the difference between what their health plan covers and the cost of care. That's called 'balance billing'.
If you don't know that your care isn't fully covered, this cost can be a surprise.
The No Surprises rules:
Ban surprise bills from emergency services
Make it so you can't be charged more than your in-network cost-sharing for emergency services, and any cost-sharing you pay counts towards the deductibles and maximum out-of-pocket limits of your plan
Ban out-of-network charges and balance bills for supplemental care (e.g. radiology or anesthesiology) by out-of-network providers working at in-network facilities
Require that providers give you easy-to-understand information when you get out-of-network care, and options to avoid balance bills
Require that uninsured or self-pay patients receive good-faith estimates for their care, and give them a way to file a dispute if they are charged >$400 above the estimate
How do these rules affect providers, facilities and air ambulances?
Providers can now follow the outlined IDR (independent dispute resolution) processes when they don't receive the agreed-upon payment from insurers or patients.
Providers must give uninsured or self-pay people good-faith estimates of expected charges. If there is a dispute over bills, providers and patients can follow a new process to resolve the dispute.
Short Commentary
As with many of these rules, I expect hospitals to only comply as much as they are forced to by CMS, and I have heard that providers for the most part are still not very proactive about meeting the requirements spelled out above. I hope that CMS is funded for the necessary enforcement of these rules, or else they might not do as much good as they seem.
That said, the dispute processes should allow care navigators and professionals in the know to prevent the patients they are responsible for from getting duped or overcharged (I have seen this in action too).
Hospital Price Transparency
https://www.cms.gov/hospital-price-transparency
One bizarre and awful feature of the American healthcare system for a long time has been the fact that consumers never know what a hospital visit will cost them until long after their stay, when they receive an often exorbitant bill in the mail, which they may then have to spend time and effort negotiating with the hospital and their insurance company.
I’m sure readers will know some horror stories in this genre. I know I do.
Hospital Price Transparency, which took effect Jan 1, 2021, aims to fix this, or at least make it better.
Now, hospitals are required to provide pricing information for all the services and products they provide in two ways:
A machine-readable format
A consumer-friendly format of 'shoppable' services.
CMS plans to begin auditing hospitals for compliance starting in January 2023.
Medicare.gov also has the ‘Care Compare’ website, which, in principle, will allow consumers to compare prices across hospitals in their area.
Short commentary
This is a rule that could potentially be great for patients! I suspect that hospitals will attempt to get around the regulation and find loopholes wherever they can. Probably some will opt to pay penalties instead of being fully compliant, and therefore the rule will not be as effective in practice as it seems in theory. Still, this is a big step forward in correcting one of the most glaring injustices of the American healthcare system, and is very exciting!
Additional Resources:
https://www.cms.gov/Regulations-and-Guidance/Guidance/Interoperability/index