Practices see rise in cyberattacks during COVID-19 pandemic
Healthcare entities, including medical practices and hospitals, are seeing an increase in the number of cyberattacks since the start of the COVID-19 pandemic. In particular, practices are vulnerable to ransomware, a type of malware that locks valuable digital files and then demands a ransom in order for these files to be unlocked. In addition, stealing electronic health records can be more valuable than getting access to credit card numbers alone, allowing thieves to file fraudulent insurance claims, obtain prescription medication, and steal identities. To assist in protecting your practice against cyberattacks, members are encouraged to visit the MGMA HIPAA Resource Center to access resources such as the Cybersecurity Action Steps for Medical Practices tool and the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients resource developed by the federal government.
MGMA advocates for changes to tax treatment of Provider Relief Funds
The Internal Revenue Service clarified on July 6 that for-profit healthcare providers must pay taxes on any grant payments received from the Provider Relief Fund. In response to this announcement, MGMA urged Congress to change this policy to ensure these funds are not taxed. The CARES Act established both the Provider Relief Fund and the Paycheck Protection Program (PPP) and specifically addressed the taxability of the PPP by stating any PPP loan payments that are forgiven are not counted as taxable income. However, the Act did not address the tax treatment of the Provider Relief Fund. MGMA believes this was an oversight and is advocating for change.
Apply for Medicaid/CHIP Provider Relief Fund payment by July 20
July 20 is the deadline for eligible Medicaid and Children’s Health Insurance Program (CHIP) providers to apply for funding via the Enhanced Provider Relief Fund Payment Portal. The Department of Health & Human Services (HHS) expects to distribute $15 billion to eligible providers that did not previously receive a payment from the $50 billion General Distribution. The portal will allow such providers to report their annual revenue data to HHS and apply to receive a payment equal to at least two percent of reported gross revenues from patient care. For additional information on eligibility and the application process, providers can refer to the program’s application instructions.
HHS modifies substance use disorder privacy regulations
The Substance Abuse and Mental Health Services Administration, an agency within HHS, released a final rule modifying the 42 CFR Part 2 regulation governing the confidentiality of records for patients with substance use disorder (SUD). While HIPAA permits the sharing of patient data for treatment, payment, and healthcare operations without patient consent, Part 2 creates a separate standard for the sharing of SUD information that requires patient consent. Key modifications include:
· Treatment records created by non-Part 2 providers are explicitly not covered by Part 2, unless any SUD records previously received from a Part 2 program are incorporated into such records;
· SUD patients may consent to disclosure of Part 2 treatment records to a practice without naming an individual (previously, they would have had to identify a specific person in the practice); and
· Non-opioid treatment program and non-central registry treating providers are now eligible to query a central registry in order to determine whether their patients are already receiving opioid treatment.