(Last updated 8/5/2022)

We recently looked at what healthcare leaders should focus on in 2021. Some of the biggest issues facing healthcare leaders this year include the ongoing COVID-19 pandemic, particularly vaccine rollouts, healthcare policy and regulation changes, emerging technologies, and the wants and needs of clinical staff. The issue of healthcare policy encompasses a topic that deserves its own discussion: healthcare compliance.

In our last blog, we specifically discussed what to expect from the Biden administration as well as the approaching full implementation of the Protecting Access to Medicare Act, or PAMA. In this blog, we’re going a step further and examining healthcare compliance in 2021 with regard to three major regulations: HIPAA, PAMA, and Price Transparency.

HIPAA (Health Insurance Portability and Accountability Act)

Entering its 25th year in existence, HIPAA is very well known to healthcare leaders. However, as medical technology continues to evolve, and as a pandemic necessitates change across the entire healthcare spectrum, HIPAA compliance becomes even more challenging. Healthcare executives must stay on top of both of these developments, and that entails knowing how to remain HIPAA compliant in regard to each of them. Let’s break down HIPAA compliance in regard to both of these categories: the pandemic and new technology.

HIPAA & COVID-19

The COVID-19 pandemic has disrupted every aspect of life. It has led to new regulations and amendments to existing ones. In particular, the pandemic has resulted in some temporary changes to HIPAA enforcement. In order to facilitate and prioritize treatment of COVID-19, the HHS Office for Civil Rights (OCR) has halted the enforcement of penalties for HIPAA violations in several instances. For the latest information on HIPAA and COVID-19, visit the HHS resource page on the topic.

HIPAA Violations in Relation to Vaccine Distribution

One of the most recent changes to HIPAA was the OCR’s January 19th decision to not impose penalties for HIPAA violations on covered healthcare entities and their business associates “in connection with the good faith use of online or web-based scheduling applications (collectively, “WBSAs”) for the scheduling of individual appointments for COVID-19 vaccinations during the COVID-19 nationwide public health emergency.” While the OCR still encourages healthcare entities to use safeguards to protect PHI in their vaccine scheduling procedures, covered providers will not be penalized if violations occur when the WBSA is used “in good faith.”

HIPAA Violations in Relation to Telehealth During the Pandemic

As with violations resulting from web-based scheduling applications for COVID-19 vaccinations, the OCR has also decided on a moratorium on enforcing certain telehealth-related HIPAA violations during the pandemic. In particular, the OCR’s Notification of Enforcement Discretion states covered entities “will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”

The OCR elaborates that a provider will not be penalized in the event PHI is intercepted during a telehealth consultation, as long as the provider abides by the guidelines of the Notification of Enforcement Discretion. These guidelines include a provision that telehealth visits be conducted via a non-public-facing remote communication product with end-to-end encryption, such as Apple FaceTime, Facebook Messenger, or Skype. While these platforms aren’t ideal under normal conditions, exceptions are being made during the pandemic. Public-facing platforms, such as Facebook Live, TikTok, or public chatrooms, are not acceptable telehealth platforms, and using them for telehealth visits could result in penalties.

For more info on the OCR’s policies regarding telehealth-related HIPAA violations during the COVID-19 pandemic, check out their FAQs page.

HIPAA & Technology in 2021

Recent years have seen increased adoption of new healthcare technologies such as telehealth and artificial intelligence (AI). The COVID-19 pandemic further accelerated the adoption of these technologies and more last year. As such, questions abound in regards to healthcare compliance when employing these technologies.

HIPAA & Telehealth

As we previously discussed, the OCR has eased some telehealth HIPAA restrictions in the wake of the COVID-19 pandemic. What about when the pandemic is over, though? While the OCR hasn’t indicated whether HIPAA requirements for telehealth will revert to their pre-COVID form once the pandemic is over, it’s important to understand them just in case. As the HIPAA news and advice website HIPAA Journal points out, the HIPAA Security Rule provides the basis for remaining HIPAA compliant while using telehealth. The three main components of the Security Rule are:

  • ePHI (electronic protected health information) should only be accessed by authorized users
  • a secure communication system should be used to protect the integrity of ePHI
  • a system for monitoring communications containing ePHI should be implemented to prevent data breaches

It should be noted that SMS, email, and messaging platforms such as Skype are not considered “secure communication systems.” This is because information shared via these channels is stored on the service provider’s servers, creating a risk of the ePHI being breached. Instead, healthcare providers should use a secure messaging system that encrypts data and requires users to log in before sharing ePHI.

PAMA (Protecting Access to Medicare Act)

The Protecting Access to Medicare Act, or PAMA, signed into law in 2014, aims to align Medicare reimbursement rates for Clinical Diagnostic Laboratory Tests (CDLTs) with the rates private insurers pay. PAMA requires applicable institutions to report private payer data to the Centers for Medicare and Medicaid Services, or CMS. The act’s full implementation has been delayed several times, however, most recently due to the COVID-19 pandemic. As of this writing, reimbursement rate reductions are set to resume January 1, 2023. These rate reductions will be capped at 15% through 2024.

In addition to the rate reductions, PAMA also includes an Appropriate Use Criteria (AUC) mandate. This mandate requires physicians to consult a qualified Clinical Decision Support Mechanism (qCDSM) when ordering advanced imaging exams and to include proof of this consultation when submitting a claim. Currently the AUC program is in an education and testing phase, allowing physicians to familiarize themselves with qCDSMs and AUC. The penalty phase of the AUC mandate has been delayed indefinitely due to the COVID-19 pandemic. However, once the penalty phase begins, claims submitted without proper documentation of a Clinical Decision Support consultation will be denied.

Price Transparency

CMS Price Transparency Rule: What’s required, how it’s enforced, and what the penalties are

As of January 1, 2021, hospitals are required to disclose pricing information about items and services they provide under CMS’ price transparency rules. Hospitals must provide this pricing information online in two ways:

  1. A comprehensive machine-readable file with all items and services.
  2. A consumer-friendly display of shoppable services.

The goal of these price transparency rules is to allow patients to estimate the cost of medical services and give them the opportunity to shop around and compare prices. CMS is currently auditing a sample of hospitals to gauge compliance rates. This is part of CMS’ monitoring and enforcement plan, which also includes evaluating complaints of noncompliance submitted to CMS by individuals or entities and reviewing CMS’ own analysis of noncompliance.

If CMS finds a hospital to be noncompliant, it may take any of the following actions, typically in this order:

  1. Provide a written warning to the hospital specifying the violations.
  2. Request the hospital submit a corrective action plan (CAP).
  3. Penalize the hospital in an amount of no more than $300 per day and/or publicize the penalty on a CMS website if the hospital doesn’t respond to CMS’ request for a CAP or doesn’t comply with the CAP requirements.

CMS has also stated that there are no waivers or exemptions since the price transparency rules have already been delayed by a year. However, CMS has ruled that hospitals will be deemed compliant if they offer an online cost estimator tool that provides consumers with real-time out-of-pocket costs. According to a report released on February 9 by consulting firm Guidehouse, about 70% of the 1,000 providers they surveyed are complying with the price transparency ruling. The “consumer-friendly display of shoppable services” option is more favorable for compliant providers, with 60% using this approach compared to 48% providing a machine-readable file.

For tips on improving price transparency and facilitating compliance, read this AMA article.

Tips for Tackling Healthcare Compliance

Maintaining healthcare compliance can be a daunting task. With new regulations cropping up every few years, it’s hard enough simply to stay on top of them. As 2020 showed, global emergencies can further complicate healthcare compliance by shifting executives’ focus and leading to regulatory changes. While tackling healthcare compliance is never easy, there are some measures healthcare leaders can take to facilitate it:

  • Stay up-to-date on the latest healthcare compliance issues, including new, updated, and proposed regulations.
  • Hire a compliance officer or consulting firm or create a compliance committee to ensure the hospital is compliant.
  • Conduct a compliance audit to determine what the hospital is doing right and the areas in which it can improve compliance.
  • Ensure partners, vendors, and systems are HIPAA compliant and compliant with other applicable regulations.
  • Evaluate and implement technologies that help achieve compliance, such as a Clinical Decision Support Mechanism.

While these measures aren’t exhaustive, they can provide the bedrock of your healthcare compliance initiatives.

At iPro, we can aid in your healthcare compliance efforts. Our ambulatory order management solution, iOrder, is HIPAA compliant and includes an integrated qCDSM. iOrder eliminates inappropriate orders through clinical decision support that checks for CPT/ICD-10 code mismatches. This satisfies the Appropriate Use Criteria requirement of PAMA and maximizes reimbursements.

If you’d like to learn more about iOrder and how we partner with you to achieve your goals, contact us today.