HHS Nondiscrimination Provisions, Disability Provisions, and Language Provisions will have an effect on covered entities.
From the HHS website on Section 1557:
Section 1557 is the nondiscrimination provision of the Affordable Care Act (ACA). The law prohibits discrimination on the basis of race, color, national origin, sex, age, or disability in certain health programs or activities. Section 1557 builds on long-standing and familiar Federal civil rights laws: Title VI of the Civil Rights Act of 1964, Title IX of the Education Amendments of 1972, Section 504 of the Rehabilitation Act of 1973 and the Age Discrimination Act of 1975. Section 1557 extends nondiscrimination protections to individuals participating in:
Any health program or activity any part of which received funding from HHS
Any health program or activity that HHS itself administers
Health Insurance Marketplaces and all plans offered by issuers that participate in those Marketplaces.
The Nondiscrimination in Health Programs and Activities final rule implements Section 1557 of the Affordable Care Act, which is the first federal civil rights law to broadly prohibit discrimination on the basis of sex in federally funded health programs. Previously, civil rights laws enforced by HHS’s Office for Civil Rights (OCR) broadly barred discrimination based only on race, color, national origin, disability, or age.
“A central goal of the Affordable Care Act is to help all Americans access quality, affordable health care. Today’s announcement is a key step toward realizing equity within our health care system and reaffirms this Administration's commitment to giving every American access to the health care they deserve," said HHS Secretary Sylvia M. Burwell.
The final rule helps consumers who are seeking to understand their rights and clarifies the responsibilities of health care providers and insurers that receive federal funds. The final rule also addresses the responsibilities of issuers that offer plans in the Health Insurance Marketplaces. Among other things, the final rule prohibits marketing practices or benefit designs that discriminate on the basis of race, color, national origin, sex, age, or disability. The final rule also prohibits discriminatory practices by health care providers, such as hospitals that accept Medicare or doctors who participate in the Medicaid program.
The final rule prohibits sex discrimination in health care including by:
Requiring that women must be treated equally with men in the health care they receive. Other provisions of the ACA bar certain types of sex discrimination in insurance, for example by prohibiting women from being charged more than men for coverage. Under Section 1557, women are protected from discrimination not only in the health coverage they obtain but in the health services they seek from providers.
Prohibiting denial of health care or health coverage based on an individual’s sex, including discrimination based on pregnancy, gender identity, and sex stereotyping.
It also includes important protections for individuals with disabilities and enhances language assistance for people with limited English proficiency including by:
Requiring covered entities to make electronic information and newly constructed or altered facilities accessible to individuals with disabilities and to provide appropriate auxiliary aids and services for individuals with disabilities.
Requiring covered entities to take reasonable steps to provide meaningful access to individuals with limited English proficiency. Covered entities are also encouraged to develop language access plans.
While the final rule does not resolve whether discrimination on the basis of an individual’s sexual orientation status alone is a form of sex discrimination under Section 1557, the rule makes clear that OCR will evaluate complaints that allege sex discrimination related to an individual’s sexual orientation to determine if they involve the sorts of stereotyping that can be addressed under 1557. HHS supports prohibiting sexual orientation discrimination as a matter of policy and will continue to monitor legal developments on this issue.
The final rule states that where application of any requirement of the rule would violate applicable Federal statutes protecting religious freedom and conscience, that application will not be required.
The Centers for Medicare & Medicaid Services (CMS) has issued a final rule to establish consistent emergency preparedness requirements for health care providers participating in Medicare and Medicaid, stating that the regulation will increase patients’ safety during emergencies and ensure more coordinated response to natural and manmade
“Over the past several years, and most recently in Louisiana, a number of natural and manmade disasters have put the health and safety of Medicare and Medicaid beneficiaries – and the public at large – at risk. These new requirements will require certain participating providers and suppliers to plan for disasters and coordinate with federal, state, tribal, regional, and local emergency preparedness systems to ensure that facilities are adequately prepared to meet the needs of their patients during disasters and emergency situations,” the agency’s Sept. 8 news release stated.
“Situations like the recent flooding in Baton Rouge, Louisiana, remind us that in the event of an emergency, the first priority of health care providers and suppliers is to protect the health and safety of their patients,” said CMS Deputy Administrator and Chief Medical Officer Dr. Patrick Conway, M.D., MSc. “Preparation, planning, and one comprehensive approach for emergency preparedness is key. One life lost is one too many.”
“As people with medical needs are cared for in increasingly diverse settings, disaster preparedness is not only a responsibility of hospitals, but of many other providers and suppliers of health care services. Whether it’s trauma care or long-term nursing care or a home health service, patients’ needs for health care don’t stop when disasters strike; in fact, their needs often increase in the immediate aftermath of a disaster,” added Dr. Nicole Lurie, HHS’ assistant secretary for preparedness and response. “All parts of the health care system must be able to keep providing care through a disaster, both to save lives and to ensure that people can continue to function in their usual setting. Disasters tend to stress the entire health care system, and that’s not good for anyone.”
CMS reports that it reviewed current Medicare emergency preparedness regulations for providers and suppliers and concluded the regulatory requirements were not comprehensive enough to address the complexities of emergency preparedness; they did not address the need for communication to coordinate with other systems of care within cities or states; contingency planning; or training of personnel. So the final rule requires Medicare and Medicaid participating providers and suppliers to meet these four industry best practices:
1. Emergency plan: Based on a risk assessment, develop an emergency plan using an all-hazards approach focusing on capacities and capabilities that are critical to preparedness for a full spectrum of emergencies or disasters specific to the location of a provider or
2. Policies and procedures: Develop and implement policies and procedures based on the plan and risk assessment.
3. Communication plan: Develop and maintain a communication plan that complies with both federal and state laws.
4. Training and testing program: Develop and maintain training and testing programs, including initial and annual training, and conduct drills and exercises or participate in an actual incident that tests the plan.
CMS said these standards are adjusted to reflect the characteristics of each type of provider and supplier. For example, outpatient providers and suppliers such as ambulatory surgical centers and end-stage renal disease facilities won’t be required to have policies and procedures for provision of subsistence needs; hospitals, critical access hospitals, and long-term care facilities will be required to install and maintain emergency and standby power systems based on their emergency plan.
In response to comments, CMS removed the requirement for additional hours of generator testing, added flexibility to choose the type of exercise a facility conducts for its second annual testing requirement, and decided to allow a separately certified facility within a health care system to take part in that system’s unified emergency preparedness
The regulations will take effect on November 15, 2016. Healthcare providers and suppliers affected by the rule must comply and implement all regulations one year after the effective date. More specific information about the Emergency Preparedness Rule can be found here.
Providers/Suppliers Facilities Impacted by the Emergency Preparedness Rule:
2. Religious Nonmedical Health Care Institutions (RNHCIs)
monthly cyber awareness alert from the Department of Health and Human Services’ Office for Civil Rights (OCR) prods organizations to closely evaluate the risks their employees pose.
Insider threat is becoming one of the largest threats to organizations, and some cyberattacks may be insider-driven. Although not all insider threats are malicious or intentional, the effect of these threats can be damaging to a Covered Entity and Business Associate and have a negative impact on the confidentiality, integrity, and availability of its ePHI. According to a survey recently conducted by Accenture and HfS Research, 69% of organization representatives surveyed had experienced an insider attempt or success at data theft or corruption. Further, it was reported by a Covered Entity that one of its employees had unauthorized access to 5,400 patients’ ePHI for almost 4 years.
US CERT defines a malicious insider threat as a current or former employee, contractor, or business partner who meets the following criteria:
has or had authorized access to an organization’s network, system, or data;
has intentionally exceeded or intentionally used that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.
According to a survey conducted by U.S. Secret Service, CERT Insider Threat Center, CSO Magazine, and Deloitte, the most common e-crimes committed by insiders are:
access to or use of organization information;
of private or sensitive data;
of viruses, worms, or other malicious code;
theft of intellectual
Covered Entities and Business Associates should consider:
policies and procedures to mitigate the possibility of theft of ePHI, sabotage of systems or devices containing ePHI, and fraud involving ePHI. These policies and procedures should enforce separation of duties and least privilege, while also applying rules that control and manage access, configuration changes, and authentication to information systems and applications that create, receive, maintain, or transmit ePHI.
screening processes on potential employees to determine if they are trustworthy and appropriate for the role for which they are being considered. Effective screening processes can be applied to allow for a range of implementations, from minimal to more stringent procedures, based on the risk analysis performed by the entity and the role of the potential employee. Examples of potential screening processes could include checks of the HHS OIG LEIE (List of Excluded Individuals and Entities) for health care fraud and related issues, and criminal history checks to verify past criminal acts. When implementing a screening process, be sure to review and comply with any applicable federal, state or local laws regarding the use of screening processes as part of the hiring
US CERT steps to protect ePHI from insider threats:
1. Consider threats from insiders and business associates in enterprise-wide risk assessments.
2. Clearly document and consistently enforce policies and controls.
3. Incorporate insider threat awareness into periodic security training for all employees.
4. Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.
5. Anticipate and manage negative issues in the work environment.
6. Know your assets.
7. Implement strict password and account management policies and practices.
8. Enforce separation of duties and least privilege.
9. Define explicit security agreements for any cloud services, especially access restrictions and
10. Institute stringent access controls and monitoring policies on privileged users.
11. Institutionalize system
12. Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions.
13. Monitor and control remote access from all end points, including mobile devices.
14. Develop a comprehensive employee termination procedure.
15. Implement secure backup and
16. Develop a formalized insider threat program.
17. Establish a baseline of normal network device behavior.
18. Be especially vigilant regarding social media.
19. Close the doors to unauthorized data exfiltration.
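As an added illustration (not from the OCR alert or US CERT), the Python script below applies steps 8, 12 and 17 above to a constructed ePHI access log: each action is checked against an assumed least-privilege role matrix, and each user's count of distinct patient records per day is compared with an assumed baseline, the kind of audit that would surface an employee quietly reading thousands of records over years. The log layout, role matrix and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample ePHI access log (assumed layout): timestamp,user,role,patient_id,action
SAMPLE_LOG = """\
2016-09-01T08:05:00,nurse01,nurse,P1001,view
2016-09-01T08:07:00,nurse01,nurse,P1002,update
2016-09-01T09:00:00,billing02,billing,P1001,view
2016-09-01T09:02:00,billing02,billing,P1001,export
2016-09-01T22:10:00,clerk07,clerk,P2001,view
2016-09-01T22:11:00,clerk07,clerk,P2002,view
2016-09-01T22:12:00,clerk07,clerk,P2003,view
2016-09-01T22:13:00,clerk07,clerk,P2004,view
2016-09-01T22:14:00,clerk07,clerk,P2005,view
"""

# Assumed least-privilege matrix: the ePHI actions each role is permitted.
ROLE_PERMISSIONS = {
    "nurse": {"view", "update"},
    "billing": {"view"},
    "clerk": {"view"},
}

# Assumed baseline of normal behaviour: distinct patient records per user per day.
DAILY_BASELINE = {"nurse": 40, "billing": 25, "clerk": 4}


def parse_log(text):
    """Parse the CSV-style access log into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, patient, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def find_indicators(events):
    """Return (user, reason) pairs: role violations and volume anomalies."""
    findings = []
    per_day = defaultdict(set)  # (user, role, date) -> distinct patients touched
    for e in events:
        if e["action"] not in ROLE_PERMISSIONS.get(e["role"], set()):
            findings.append((e["user"], f"{e['action']} not permitted for role {e['role']}"))
        per_day[(e["user"], e["role"], e["ts"].date())].add(e["patient"])
    for (user, role, day), patients in per_day.items():
        if len(patients) > DAILY_BASELINE.get(role, 0):
            findings.append((user, f"{len(patients)} records on {day} exceeds baseline {DAILY_BASELINE[role]}"))
    return findings
```

Running `find_indicators(parse_log(SAMPLE_LOG))` on the constructed log reports the billing user's export (not permitted for that role) and the clerk's after-hours sweep of five records against a baseline of four.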