To the MOON and Beyond: Hospitals Must Provide Notice of Observation Status

There may be no noticeable difference between a hospital patient occupying a bed as an inpatient or one in observation status.  Yet, state and federal legislators have been concerned that the difference can have important consequences for the patient.  “Observation care” is considered by Medicare to be an outpatient service.  Patients classified as outpatients in the hospital may fail to achieve a three-day inpatient stay to qualify for subsequent Medicare coverage for skilled nursing facility care.  Patients in observation status may also have higher co-payments and charges for doctors’ fees and hospital services, as well as drugs.

Federal Law.  The Medicare Outpatient Observation Notice (“MOON”) was developed to inform all Medicare beneficiaries when they are receiving observation services and are not an inpatient of the hospital.  The MOON is mandated by the Notice of Observation Treatment and Implication for Care Eligibility Act (NOTICE Act), enacted in 2015. All hospitals and critical access hospitals (CAHs) are required to provide the MOON beginning no later than March 8, 2017.

Continue Reading

OCR Issues $475,000 Fine for Untimely Reporting of HIPAA Breach

On January 9, 2017, the U.S. Department of Health and Human Services, Office of Civil Rights (OCR) announced the first HIPAA enforcement action against a health care provider for failing to make a timely report of a breach of unsecured protected health information (PHI).  Presence Health (Presence) agreed to pay $475,000 and implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule.

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.  A covered entity is:

(1) A health plan,
(2) A health care clearinghouse, or
(3) A health care provider who transmits any health information in electronic form.

Similar breach notification provisions implemented and enforced by the Federal Trade Commission apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act.  In addition, state breach reporting laws may impose other requirements.  California’s Health and Safety Code section 1280.15(b) requires a clinic, health facility, home health agency, or hospice to report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the California Department of Public Health no later than 15 business days after detection.

Presence is one of the largest health care networks in Illinois.  It discovered the loss of paper-based operating room schedules, which contained PHI of 836 individuals, from the surgery center of Presence St. Joseph Medical Center in Joliet, Illinois.

OCR Director Jocelyn Samuels explains:

“Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements.  Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”

Three New Laws California Hospitals Need to Know

As the clock struck midnight on New Year’s Eve, a number of new California laws took effect.  Here are three that California hospital executives need to know:

  1. Notice of Observation Status (SB 1076)
    When a patient is being cared for in an inpatient unit of a hospital (or in an observation unit) the hospital must provide the patient with a written notice when the patient is in observation status.  The notice must inform the patient that the observation care is being provided on an outpatient basis and that this may affect the patient’s health care coverage reimbursement.  There are also signage and nursing ratio requirements for the designation and use of observation units in California hospitals.
  2. Critical Access Hospitals (AB 2024)
    If the medical staff of a federally-certified Critical Access Hospital (CAH) agrees, the CAH may now employ physicians and charge for their professional services.  The medical staff must determine by vote that employment of the physician is in the best interest of the communities the CAH serves. The CAH must file a report with the California Office of Statewide Health Planning by July 1 of each year.
  3. Reporting Loss of Encryption Key or Security Credential (AB 2828)
    Encryption only protects data if the thief does not have the encryption key.  This law requires that a privacy breach resulting from the loss of an encrypted device must be reported if an unauthorized person has access to the encryption key or security credential.