Community Health Systems 2015 Annual Report Download - page 34

Download and view the complete annual report

Please find page 34 of the 2015 Community Health Systems annual report below. You can navigate through the pages in the report by either clicking on the pages listed below, or by using the keyword search tool below to find specific information within the annual report.

Page out of 220

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138
  • 139
  • 140
  • 141
  • 142
  • 143
  • 144
  • 145
  • 146
  • 147
  • 148
  • 149
  • 150
  • 151
  • 152
  • 153
  • 154
  • 155
  • 156
  • 157
  • 158
  • 159
  • 160
  • 161
  • 162
  • 163
  • 164
  • 165
  • 166
  • 167
  • 168
  • 169
  • 170
  • 171
  • 172
  • 173
  • 174
  • 175
  • 176
  • 177
  • 178
  • 179
  • 180
  • 181
  • 182
  • 183
  • 184
  • 185
  • 186
  • 187
  • 188
  • 189
  • 190
  • 191
  • 192
  • 193
  • 194
  • 195
  • 196
  • 197
  • 198
  • 199
  • 200
  • 201
  • 202
  • 203
  • 204
  • 205
  • 206
  • 207
  • 208
  • 209
  • 210
  • 211
  • 212
  • 213
  • 214
  • 215
  • 216
  • 217
  • 218
  • 219
  • 220

construction or acquisition of facilities or the addition of new services. As of December 31, 2015, we operated
111 hospitals in 15 states that have adopted CON laws for acute care facilities. If we fail to obtain necessary state
approval, we will not be able to expand our facilities, complete acquisitions or add new services in these states.
Violation of these state laws may result in the imposition of civil sanctions or the revocation of a hospital’s
licenses.
HIPAA Administrative Simplification and Privacy and Security Requirements. The Health Insurance
Portability and Accountability Act of 1996, or HIPAA, requires the use of uniform electronic data transmission
standards for healthcare claims and payment transactions submitted or received electronically. These provisions
are intended to encourage electronic commerce in the healthcare industry. The U.S. Department of Health and
Human Services, or HHS, has established electronic data transmission standards that all healthcare providers
must use when submitting or receiving certain healthcare transactions electronically. In addition, HIPAA requires
that each provider use a National Provider Identifier. As of October 1, 2015, all healthcare providers covered by
HIPAA are required to use updated standard code sets for certain diagnoses and procedures known as ICD-10
code sets. We have transitioned all of our hospitals to the ICD-10 coding system. This transition continues to
involve a significant focus on our technology and information systems, as well as costs related to training of
hospital employees and providers and corporate support staff involved with coding and billing. Use of the ICD-
10 code sets has required and continues to require significant changes; however, we believe that the cost of
compliance with these regulations has not had and is not expected to have a material adverse effect on our
business, financial position or results of operations. The Reform Legislation requires the HHS to adopt standards
for additional electronic transactions and to establish operating rules to promote uniformity in the
implementation of each standardized electronic transaction.
As required by HIPAA, HHS has issued privacy and security regulations that extensively regulate the use and
disclosure of individually identifiable health-related information and require covered entities, including health
plans and most healthcare providers, to implement administrative, physical and technical practices to protect the
security of individually identifiable health information that is electronically maintained or transmitted. Certain
provisions of the security and privacy regulations apply to business associates (entities that handle identifiable
health-related information on behalf of covered entities), and business associates are subject to direct liability for
violation of the regulations. In addition, a covered entity may be subject to penalties as a result of a business
associate violating HIPAA, if the business associate is found to be an agent of the covered entity. We have
developed and utilize a HIPAA compliance plan as part of our effort to comply with HIPAA privacy and security
requirements. The privacy regulations and security regulations have and will continue to impose significant costs
on our facilities in order to comply with these standards.
Covered entities must report breaches of unsecured protected health information to affected individuals
without unreasonable delay, but not to exceed 60 days of discovery of the breach by the covered entity or its
agents. Notification must also be made to HHS and, in certain situations involving large breaches, to the media.
HHS is required to publish on its website a list of all covered entities that report a breach involving more than
500 individuals. All non-permitted uses or disclosures of unsecured protected health information are presumed to
be breaches unless the covered entity or business associate establishes that there is a low probability the
information has been compromised. Various state laws and regulations may also require us to notify affected
individuals in the event of a data breach involving individually identifiable information.
Violations of the HIPAA privacy and security regulations may result in criminal penalties and in civil penalties
of up to $50,000 per violation for a maximum of $1,500,000 in a calendar year for violations of the same
requirement. HHS is required to perform compliance audits and has announced its intent to perform audits in
2016. In addition to enforcement by HHS, state attorneys general are authorized to bring civil actions seeking
either injunction or damages in response to violations of HIPAA privacy and security regulations that threaten
the privacy of state residents. HHS may resolve HIPAA violations through informal means, such as allowing a
covered entity to implement a corrective action plan, but HHS has the discretion to move directly to impose
monetary penalties and is required to impose penalties for violations resulting from willful neglect. Our facilities
21