Healthcare News from Capitol Hill and the Department of Health and Human Services


In an October 15 letter, the American Medical Association (AMA) and more than 100 other medical societies and physicians’ organizations urged Congress to consider a permanent replacement for the Medicare physician payment system. Under the Sustainable Growth Rate (SGR) formula used for Medicare Fee Schedule payments, doctors’ reimbursements for services are scheduled to be cut by 27% as of January 1, 2013.

The Centers for Medicare & Medicaid Services (CMS) is required to follow the SGR formula, which was adopted in the Balanced Budget Act of 1997. Since then, the year-end temporary “doc fix” has been an annual controversy. Many healthcare organizations, including the AMA and the American Hospital Association, have been urging Congress for years to find a permanent solution to the problem. The Congressional Budget Office estimated in August that a permanent repeal of the SGR will cost the federal government $245 billion, and even another one-year fix will cost $18.5 billion.

The AMA’s letter, addressed to Senators Max Baucus (D-MT) and Orrin Hatch (R-UT), the leaders of the Senate Finance Committee, laid out a list of “principles and core elements that can form the basis for new federal policy on a transition from the SGR to a higher performing Medicare program.” Among them were allowing physician practices a choice of payment models; encouraging incremental changes with positive incentives and rewards, rather than penalties; basing quality measures on matters within a doctor’s control, rather than patients’ actions; and investing in a new infrastructure for Medicare to help doctors transition to new methods of health care delivery and payment.

Given the uncertainties of the current presidential campaign and the federal tax cuts and other laws that are set to expire on December 31 or take effect on January 1, it appears unlikely that Congress will address the proposed permanent fix before the end of this year. Representatives of both parties, however, have informally stated that implementing another one-year fix should not be a problem.


In a keynote address at the HIPAA Summit West in San Francisco on October 11, Leon Rodriguez, Director of the Department of Health and Human Services’ Office for Civil Rights, said that he expects enforcement of HIPAA’s privacy and security rules to continue to increase in 2013. OCR also plans to continue and expand a pilot audit project that has been examining 150 HIPAA covered entities in order to improve compliance.

New civil money penalty amounts have applied to HIPAA privacy and security rule violations since February 2009, and covered entities and business associates have been subject to new data breach notification obligations since September 2009. OCR began imposing monetary sanctions for violations in February 2010, and many industry observers noted a surge of enforcement actions, monetary penalties and settlements under HIPAA and the HITECH Act in 2012. Most enforcement cases handled by OCR to date have involved theft of data or storage devices, or unauthorized access or disclosure of data. Very few cases have involved computer hacking.

Rodriguez said that OCR has been focusing recently on high-profile cases and announcing the details of the particular privacy and security violations involved, in order to help other covered entities and their business associates better recognize the risks in handling protected health information. Minor cases tend to be settled more quickly and with less publicity. In data breach cases, OCR’s decision whether to pursue a monetary enforcement action will depend, in part, on whether the covered entity acted quickly and effectively to remedy and report the breach, he said.

OCR’s audit program thus far has uncovered a number of common issues affecting many covered entities, including the absence of “business associate agreements” between HIPAA covered entities and their business associates, insufficient policies and procedures limiting access to patient records, failures to perform required risk assessments, and insufficient breach notification plans. Although OCR has said that it will not initiate enforcement actions based on the pilot program’s audit results, these common failings will undoubtedly influence the potential penalties for any covered entity or business associate that incurs a data breach.

Rodriguez was unable to provide an update on the status of the forthcoming “HIPAA Omnibus Rule” that had been expected to be released by the end of the summer. OCR sent the Rule to the White House Office of Management and Budget for final review in March of this year, but no public statements have been made since OMB announced in June that it was extending the review period. Industry observers expect that the Rule, when finally released, will combine guidance regarding the HIPAA privacy, security and breach notification rules.