HCA Holdings 2011 Annual Report Download - page 27

HIPAA Administrative Simplification and Privacy and Security Requirements
The Administrative Simplification Provisions of HIPAA require the use of uniform electronic data transmission standards for certain health care claims and payment transactions submitted or received electronically. These provisions are intended to encourage electronic commerce in the health care industry. HHS has issued regulations implementing the HIPAA Administrative Simplification Provisions, and compliance with these regulations is mandatory for our facilities. The Health Reform Law requires HHS to adopt standards for additional electronic transactions and to establish operating rules to promote uniformity in the implementation of each standardized electronic transaction. In addition, HIPAA requires that each provider use a National Provider Identifier. CMS has also published a final rule requiring the use of updated standard code sets for certain diagnoses and procedures, known as the ICD-10 code sets. Implementing the ICD-10 code sets will require significant administrative changes. By regulation, use of the ICD-10 code sets is required beginning October 1, 2013, but CMS has announced that it intends to extend this deadline.
The privacy and security regulations promulgated pursuant to HIPAA extensively regulate the use and disclosure of individually identifiable health information and require covered entities, including health plans and most health care providers, to implement administrative, physical and technical safeguards to protect the security of such information. ARRA broadened the scope of the HIPAA privacy and security regulations. In addition, ARRA extends the application of certain provisions of the security and privacy regulations to business associates (entities that handle identifiable health information on behalf of covered entities) and subjects business associates to civil and criminal penalties for violation of the regulations. On July 14, 2010, HHS issued a proposed rule that would implement many of these ARRA provisions. If finalized, these changes would likely require amendments to existing agreements with business associates and would subject business associates and their subcontractors to direct liability under the HIPAA privacy and security regulations. We currently enforce a HIPAA compliance plan, which we believe complies with HIPAA privacy and security requirements and under which a HIPAA compliance group monitors our compliance. The privacy regulations and security regulations have imposed, and will continue to impose, significant costs on our facilities in order to comply with these standards.
As required by ARRA, HHS published an interim final rule on August 24, 2009, that requires covered entities to report breaches of unsecured protected health information to affected individuals without unreasonable delay, and in no case later than 60 days after discovery of the breach by the covered entity or its agents. Notification must also be made to HHS and, in certain situations involving large breaches, to the media. HHS is required to publish on its website a list of all covered entities that report a breach involving more than 500 individuals. Various state laws and regulations may also require us to notify affected individuals in the event of a data breach involving individually identifiable information.
Violations of the HIPAA privacy and security regulations may result in civil and criminal penalties, and ARRA has strengthened the enforcement provisions of HIPAA, which may result in increased enforcement activity. As required by ARRA, HHS has announced a pilot program to perform audits of up to 150 covered entities by the end of 2012. ARRA broadens the applicability of the criminal penalty provisions to employees of covered entities and requires HHS to impose penalties for violations resulting from willful neglect. ARRA also significantly increases the amount of the civil penalties, with penalties of up to $50,000 per violation and a maximum civil penalty of $1,500,000 in a calendar year for violations of the same requirement. In addition, ARRA authorizes state attorneys general to bring civil actions seeking either injunction or damages in response to violations of HIPAA privacy and security regulations that threaten the privacy of state residents.
There are numerous other laws and legislative and regulatory initiatives at the federal and state levels addressing privacy and security concerns. Our facilities remain subject to any federal or state privacy-related laws that are more restrictive than the privacy regulations issued under HIPAA. These laws vary and could impose additional penalties.
24