Congress is currently deliberating the Lower Health Care Costs Act of 2019, which, if passed, will bring changes in federal regulation surrounding transparency, privacy and HIPAA security regulations. Here's what private practice owners need to know in order to navigate these potential policy changes.
The Lower Health Care Costs Act in Brief
The National Law Review summarizes the five parts of this legislation, which all address different challenges within the healthcare system. Title I focuses on unexpected bills, including "surprise bills" and other charges, such as large deductibles for emergency out-of-network care or out-of-network ancillary services like lab tests or imaging (including ultrasound).
Title II is dedicated to reducing prescription drug costs by allowing more access to generic drugs, and will require pharmaceutical companies to justify upcoming price increases. Title III requires both providers and insurers to give patients estimates of their out-of-pocket costs for certain services. Title IV addresses prevention programs, focusing on tobacco control, vaccine uptake and provider training. Lastly, Title V aims to improve health information exchange and brings changes to HIPAA regulations.
Proposed HIPAA Regulation Changes
A large part of what Title V is meant to accomplish is improving IT security by lowering monetary civil penalties for HIPAA violations. The yearly cap was set at $1.5 million for any level of violation, but now all caps — except for the most grievous violations — will be reduced.
The Office of Civil Rights (OCR) will still assess culpability when imposing fines for HIPAA violations; culpability considers whether or not the provider knew about HIPAA violations, if the provider caused said violations, and if the security risk was corrected.
As Health IT Security explains, reducing fines for violations still gives providers an incentive to bolster their IT security. If a clinician under scrutiny is making a real effort to secure their patients' data by following Health Industry Cybersecurity Practices recommended by the federal government (or even exceeding recommendations), the OCR will take these cybersecurity efforts into account when assessing violations and fines.
Title V additionally proposes that the Government Accountability Office "assess the privacy and security" of health information that is shared with entities such as business associates that are not covered by HIPAA regulations. It also proposes examining how information is protected when it is shared with the patient through apps.
Opposition to the Act
In a July letter to the Roanoke Times, Carter Johnson, spokesperson for the Save Our Air Medical Resources Campaign, writes that the Lower Health Care Costs Act does not address the insurers' role in surprise medical bills for emergency or critical care. According to Johnson, services such as helicopter transport for a patient in crisis are often denied after the fact, or reimbursed at very low rates both in and out of network.
The Association of American Medical Colleges released a statement in June cautioning that the act could have the unintended consequence of limiting access to high-quality care from comprehensive cancer centers and teaching hospitals. Because the act controls the reimbursement rates for out-of-network care, patients who need higher-level, specialized care may ultimately be unable to afford these services.
In the same vein, hospitals caring for out-of-network patients would be reimbursed at a lower than normal rate, which could hurt trauma centers that receive patients from a wide catchment area.
Actions Practitioners Can Take Now
Small private practices are not immune to OCR investigations and fines. In some ways, private practices are perhaps the most vulnerable to HIPAA security breaches, since they are likely to have fewer resources to commit to their IT protocols.
This new act, while divisive, encourages physicians to spend money upfront in strengthening cybersecurity, rather than paying it later in the form of fines and reputation repair efforts.