HCA Holdings 2012 Annual Report Download - page 28

receives at least $5 million annually in Medicaid payments must have written policies for all employees,
contractors or agents, providing detailed information about false claims, false statements and whistleblower
protections under certain federal laws, including the FCA, and similar state laws. In addition, federal law
provides an incentive to states to enact false claims laws comparable to the FCA. A number of states in which we
operate have adopted their own false claims provisions as well as their own whistleblower provisions under
which a private party may file a civil lawsuit in state court. We have adopted and distributed policies pertaining
to the FCA and relevant state laws.

HIPAA Administrative Simplification and Privacy and Security Requirements

The Administrative Simplification Provisions of HIPAA require the use of uniform electronic data
transmission standards for certain health care claims and payment transactions submitted or received
electronically. These provisions are intended to encourage electronic commerce in the health care industry. HHS
has issued regulations implementing the HIPAA Administrative Simplification Provisions and compliance with
these regulations is mandatory for our facilities. As required by the Health Reform Law, HHS is in the process of
adopting standards for additional electronic transactions and establishing operating rules to promote uniformity
in the implementation of each standardized electronic transaction. In addition, HIPAA requires that each provider
use a National Provider Identifier. CMS has also published a final rule requiring the use of updated standard code
sets for certain diagnoses and procedures known as ICD-10 code sets. Implementing the ICD-10 code sets will
require significant administrative changes. Use of the ICD-10 code sets is required beginning October 1, 2014.

The privacy and security regulations promulgated pursuant to HIPAA extensively regulate the use and
disclosure of individually identifiable health information, known as “protected health information,” and require
covered entities, including health plans and most health care providers, to implement administrative, physical and
technical safeguards to protect the security of such information. ARRA broadened the scope of the HIPAA
privacy and security regulations. In addition, ARRA extends the application of certain provisions of the security
and privacy regulations to business associates (entities that handle protected health information on behalf of
covered entities) and subjects business associates to civil and criminal penalties for violation of the regulations.
On January 17, 2013, HHS released a final rule that implements many of these ARRA provisions and becomes
effective March 26, 2013. The final rule subjects business associates and their subcontractors to direct liability
under the HIPAA privacy and security regulations and will likely require amendments to existing agreements
with business associates. In addition, a covered entity may be subject to penalties as a result of a business
associate violating HIPAA, if the business associate is found to be an agent of the covered entity. Covered
entities and business associates must comply with the final rule by September 23, 2013, except that existing
business associate agreements may qualify for an extended compliance date of September 23, 2014.

Covered entities must report breaches of unsecured protected health information to affected individuals
without unreasonable delay but not to exceed 60 days of discovery of the breach by a covered entity or its agents.
Notification must also be made to HHS and, in certain situations involving large breaches, to the media. HHS is
required to publish on its website a list of all covered entities that report a breach involving more than 500
individuals. In its 2013 final rule, HHS modifies this breach notification requirement by creating a presumption
that all non-permitted uses or disclosures of unsecured protected health information are breaches unless the
covered entity or business associate establishes that there is a low probability the information has been
compromised. Various state laws and regulations may also require us to notify affected individuals in the event
of a data breach involving individually identifiable information.

Violations of the HIPAA privacy and security regulations may result in civil and criminal penalties, and
ARRA has strengthened the enforcement provisions of HIPAA, which may result in increased enforcement
activity. For example, ARRA broadens the applicability of the criminal penalty provisions to employees of
covered entities and requires HHS to impose penalties for violations resulting from willful neglect. Under
ARRA, HHS is required to conduct periodic HIPAA compliance audits of covered entities and their business
associates. HHS conducted compliance audits of 115 covered entities in 2012 and has announced its intent to