Before you initiate e-mail communication with your patients, you must consider the confidentiality issues that arise out of such communication. Providers can minimize potential liability exposure under HIPAA by implementing policies specifically addressing the HIPAA Security Rule and HIPAA Privacy Rule issues implicated by such communication, including encryption, informed consent, record retention and auto-reply message use.
HIPAA Security Rule Issues
Encryption technology should be utilized when communicating with a patient via e-mail.
HIPAA Privacy Rule Issues
A provider should obtain written informed consent from every patient with whom the provider may communicate via e-mail. The consent should inform the patient of the following:
- That the provider will only e-mail the patient at the e-mail address specifically identified by the patient on the informed consent form
- That the provider cannot guarantee that the communication will not be intercepted, misdirected or undelivered
- That e-mail communications from the patient to the provider should be limited to communications pertinent to the patient's care and treatment
- That the patient should not e-mail the provider in an emergency situation
- That the patient should only respond to e-mail communications from the provider that come from e-mail addresses that have been previously identified to the patient by the provider
- That if the patient does not comply with the guidelines of the informed consent form, the provider reserves the right to terminate e-mail communications with the patient.
|
Recovery Audit Contractors (RACs) are independent contractors selected by CMS to identify and recoup improper Medicare payments. During 2009, the Centers for Medicare and Medicaid Services (CMS) has begun using RACs on a nationwide basis. The nationwide rollout is an expansion of a 3-year demonstration project that identified over $1 billion in improper payments.
RAC activities are scheduled to commence in Ohio on or after August 1, 2009. The RAC selected for Region B, which includes Ohio, is CGI Technologies and Solutions, Inc., with some activities to be subcontracted to PRG Schulz, Inc.
A RAC can review any claims paid by Medicare after October 1, 2007. RACs will use proprietary software to identify claims for noncovered or medically unnecessary services, claims for incorrectly coded services, duplicate claims, and other payment errors. Although RACs may identify both underpayments and overpayments, 96% of the claims identified in the demonstration project were overpayments. RACs do not identify fraud and abuse or Stark self-referral violations.
RACs are compensated on a contingency basis based on a percentage of what they collect or underpayments they identify. This provides RACs with the incentive to be overly aggressive and means that you should be prepared to challenge a RAC audit. A RAC must give the provider a detailed rationale for any identified overpayments. A provider has the right to submit a rebuttal statement and may appeal the RAC's decision using Medicare's administrative appeals process. RACs cannot settle an overpayment for less than its full value.
Responding promptly to a RAC request is critical. If a provider does not respond within 45 days, the RAC can automatically declare the payment to be improper and seek recovery of that amount. In order to be prepared for a RAC medical record request, I recommend that you identify an individual who will be responsible for responding to RAC requests and educate them about the program. I also strongly recommend conducting an internal billing compliance audit to try and identify problem areas.
Interest begins accruing on the overpayment from the date the demand letter is sent by the RAC. RACs must offer an installment plan to repay Medicare. The intermediary will withhold Medicare payments until the debt is satisfied in full or an alternative payment arrangement is made.
|
In March, the Office of Inspector General (OIG) announced two significant changes to its provider self-disclosure protocol.
First, the OIG narrowed the scope of the self-disclosure protocol by announcing that it will no longer accept self-disclosures that involve only a Stark physician self-referral violation. There must also be an anti-kickback violation. This change removes a disclosure option formerly available to providers who discover Stark violations, particularly minor or technical violations.
Second, the OIG established a $50,000 minimum for all self-disclosure settlements. The OIG notes that $50,000 is the minimum civil monetary penalty that may be imposed for an anti-kickback violation. This change was made to "better allocate provider and OIG resources in addressing anti-kickback issues," according to the OIG.
|
The American Recovery and Reinvestment Act of 2009 signed into law by President Obama on February 17, 2009 (the "Stimulus Package") makes significant amendments to COBRA which are effective April 18, 2009. These changes affect all employers who are subject to COBRA.
The amendments to COBRA address a concern that individuals who are faced with the loss of employment may lose health care coverage because they cannot afford the expensive monthly premium through COBRA benefits.
Effective April 18th, COBRA provides that any "eligible employee" who is involuntarily terminated between September 1, 2008 and December 21, 2009 is entitled to premium assistance for COBRA coverage for up to 9 months.
What is Premium Assistance?
Eligible employees who elect to receive COBRA coverage will pay only 35% of the premium for the coverage. The remaining 65% will be subsidized by the former employer. See the sidebar article for details regarding who is an eligible employee.
The Stimulus Package provides that individuals above certain income thresholds must include the premium subsidy in their income tax return.
Treatment of Employees Terminated Prior to Enactment
Any eligible employee who elected or declined COBRA coverage prior to April 18, 2009 must be provided with a written notice of the employee's right to premium assistance. The notice must be sent no later than April 18, 2009.
An employee who declined COBRA coverage will be given a second chance to elect coverage and receive premium coverage.
An employee who elected COBRA coverage and has been paying more than 35% of the premium during the period between March 1, 2009 and the date the notice is sent is entitled to reimbursement of the excess payment within 60 days or a credit towards future payments in the excess amount to be used within 180 days. There is no reimbursement for premiums in excess of 35% between September 1, 2008 and March 1, 2009.
Employer's Obligations
An employer must pay 65% of the COBRA premium for all eligible employees. The employer may use the premium assistance as an offset on its payroll taxes. This credit is reported on the employer's quarterly tax return using Form 941.
If the premium assistance is greater than the employer's payroll taxes, then the employer is entitled to a reimbursement of the difference from the federal government.
If the employer is not charging the employee the full COBRA premium, the employer is not entitled to reimbursement of the 65% premium assistance.
Employer Notice Requirements
If an employer has terminated an employee on or after September 1, 2008, the employer needs to provide new COBRA notices to the employee, regardless of the reason for termination.
All employers subject to COBRA must be prepared to provide a revised COBRA notice to an employee who is terminated, other than for gross misconduct.
The notice must include:
- The forms necessary for establishing eligibility
- Name, address, and phone number of the administrator and any other person with information on the premium assistance
- Description of special election period, if applicable
- Description of obligation to notify the employer if you are no longer eligible for COBRA coverage
- Description of right to COBRA coverage and the premium assistance, as well as any conditions to these rights
- Description of option, if any, to enroll in another health care plan offered by the employer with the same or lower premium
Employer Policies
Employers should consider implementing the following policies:
- Distribution of notices to appropriate beneficiaries
- Payment of the 65% premium
- Reimbursement
- Crediting overpayments made by employees
- Offering alternative coverage
- Special enrollment periods
- Waiver of coverage
- Monitoring duration of premium assistance.
|
The World Privacy Forum, a non-profit public interest research and consumer education group, has recommended the following red flags for health care providers:
- Complaint or question from a patient based on the patient's receipt of: (1) a bill for another individual; (2) a bill for a product or service that the patient denies receiving; (3) a bill from a healthcare provider that the patient never patronized; or (4) a notice of insurance benefits for health services never received.
- Records showing medical treatment that is inconsistent with a physical examination or medical history as reported by the patient.
- Complaint or question from a patient about the receipt of a collection notice from a bill collector.
- Patient or insurance company report that coverage for legitimate hospital stays is denied because insurance benefits have been depleted or a lifetime cap has been reached.
- Complaint or question from a patient about information added to a credit report by a health care provider or insurer.
- Dispute of a bill by a patient who claims to be the victim of any type of identity theft.
- Patient who has an insurance number but never produces an insurance card or any other physical documentation of insurance.
- Notice or inquiry from an insurance fraud investigator for a private insurance company or a law enforcement agency.
|
Starting May 1, 2009, the Federal Trade Commission (FTC) rules regarding identity theft protection take effect (Red Flag Rules). These rules require financial institutions and creditors to develop policies to address the risks of identity theft. The FTC is currently interpreting the Red Flag Rules broadly to apply to many health care providers.
A "Red Flag" is defined as a pattern, practice or specific activity that could indicate identity theft. If a health care provider falls under the Red Flag Rule as a creditor, the provider must develop and implement a written identity theft prevention program which includes the duty to mitigate identity theft.
The Red Flag Rules and the FTC's informal interpretation of them suggest that they will be applied to many health care providers, including physicians in all practice settings. Simply accepting credit cards as a form of payment does not bring physicians under the umbrella of the regulations. However, there is an ongoing debate as to whether a health care provider who accepts payment for medical services in a form other than a full, lump-sum cash payment made at the time service is rendered is a creditor under the regulations. This includes ordinary billing and collection practices such as payment plans, deferred billing programs and most submissions to insurance.
The FTC has taken the position that a physician is a creditor if the physician does not regularly demand payment in full, either in advance or at the time services are rendered, and instead bills a patient after services are rendered. The FTC also believes a physician is a creditor if he or she agrees to bill a patient's health insurance first, but holds the patient ultimately accountable for any non-covered portion of their fee, as is routinely the case with respect to co-pays, deductibles and services not covered by insurance.
The American Medical Association (AMA) disagrees with the FTC's interpretation that physicians are creditors and therefore subject to the regulations. The AMA and 26 national medical associations recently submitted a letter to the FTC requesting a legal analysis and citation to judicial precedent that supports the broad view that the Red Flag Rules are applicable to physicians.
In the interim, I recommend that health care providers consider implementing policies addressing identity theft red flags.
|
The Centers for Medicare and Medicaid Services ("CMS") has issued a proposed rule defining the "period of disallowance" ("POD") during which referrals are prohibited based on failure to satisfy a Stark Law exception and no Medicare reimbursement may be paid for such referrals. Under the proposed rule, when non-compliance is not related to compensation, the POD would extend until "the date the financial relationship satisfies all of the requirements" of an applicable Stark exception. For example, if a signature were missing from a written agreement required by an exception, the period of disallowance would end on the date that the signature is secured.
CMS proposes to impose an additional standard with respect to non-compliance resulting from compensation-related issues, such as payment of excess compensation or failure to collect sufficient compensation. In those instances, the POD would extend until the excess compensation is returned, or fair market value compensation is paid, and the arrangement otherwise complies with a Stark Law exception. Under the proposed rule, simply fixing the payment relationship on a going-forward basis would not be sufficient to end the period of disallowance. In addition, this proposal would firmly establish that one cannot eliminate or reverse a Stark law violation by recovering the past excess compensation, and that such action would merely enable the parties to end the period of disallowance.
CMS has declined to address how long the period of disallowance would last if a non-compliant arrangement simply terminates, but is not brought into compliance. For example, CMS explained in the preamble that if a below-market lease arrangement simply expires, "the inference may be raised that the below-market rent was in exchange for future referrals, including referrals made beyond the expiration of the lease agreement." As a result, CMS explained that the period of disallowance "could extend" for some period beyond the expiration of the written lease agreement, but declined to issue a proposal to define the period.
|
Effective October 1, 2008, the Centers for Medicare and Medicaid Services ("CMS") has a new enforcement tool to ensure compliance with the Federal Stark anti-referral prohibitions ("Stark Law"). CMS can now impose a "Period of Disallowance" ("POD") for physician-hospital contracts that do not comply with Stark. The POD is a "penalty box" during which time the government will not pay for Medicare/Medicaid services because the contract is out of compliance. The penalty starts the day the contract falls out of compliance and continues until the contract comes back into compliance.
What Causes a Stark POD?
- No contract before services provided
- Physician not making required payments to the hospital (i.e. loan repayment, rent)
- Physician services continue after the contract ends
- Hospitals paying physicians compensation outside of contract limits
- Non-cash gifts/benefits to physicians over annual threshold of $338
What Happens During the Stark POD?
When a period of disallowance occurs:
- Physician cannot refer any Medicare/Medicaid patients to the hospital
- Hospital cannot bill Medicare/Medicaid for any services from that physician
- Hospital must refund any prior payments received from Medicare/Medicaid
- Physician must repay all amounts owed to the hospital
The proposed rules leave many questions unanswered, particularly regarding when the POD begins and ends.
In preparation for the October 1st effective date of the new Stark regulations, hospitals in town have conducted a comprehensive audit of their physician contracts and are aggressively pursuing a resolution to Stark Law violations in order to avoid imposing a period of disallowance on any physician. Many hospitals have put in place compliance enforcement policies and audit policies in order to keep a closer eye on physician contract compliance.
|
Peer review is not just for big health care providers, such as hospitals. Small providers, such as physician groups, can effectively use peer review as a tool to improve quality of care. In my experience, the protection that Ohio law provides peer review activity is underutilized by the small health care provider.
It is well established in Ohio law that peer review activities will not impose liability on a provider and are not subject to disclosure in legal proceedings. In 2003, the Ohio legislature emphasized the importance of peer review by expanding its protection to enable affiliated entities to share peer review information.
Peer Review Defined
A "peer review committee" means a committee that conducts quality review activities involving the competence of, professional conduct of, or quality of care provided by a health care provider. A peer review committee often takes the form of a utilization review committee, quality assessment committee, performance improvement committee, or credentialing committee.
Peer Review Protection
Ohio law stipulates that "no health care entity shall be liable in damages to any person for any acts, omissions, decisions, or other conduct within the scope of the functions of a peer review committee." This protection also applies to the individuals involved in the peer review process. An individual who participated in peer review cannot be forced to testify about the peer review activity.
It is important to understand that incident reports and risk management reports are also protected by Ohio law. These reports are not subject to discovery and are not admissible in evidence in a trial of a tort action. Any individual who has knowledge of the contents of such a report cannot be required to testify as to such content.
Peer Review in the Small Provider
In order to take advantage of the protection afforded to peer review activities by Ohio law, all proceedings and records within the scope of a peer review committee must be held in confidence. In order to maintain the confidentiality of such information, a small provider must put in place policies and procedures establishing a peer review protocol. In addition, peer review and risk management records should be kept in a secure location.
A peer review policy should specify the number of people who will comprise the peer review committee, the frequency of meetings and how items will be brought before the committee. The policy should also specify what type of items will be automatically reviewed. For example, the peer review policy of a surgical practice may specify that a committee comprised of 3 physicians and the office manager review all surgical complications, readmissions, and blood transfusions on a quarterly basis. The policy should also put in place protections to minimize the disclosure of information to the minimum information necessary for effective peer review.
|
In a unanimous decision on June 9, 2008, the U.S. Supreme Court resolved a conflict among the circuit courts regarding the proof required to establish liability under the False Claims Act (FCA) when claims are submitted to a non-federal entity.
The whistleblower case involved allegedly false claims submitted by a subcontractor to a prime contractor shipbuilder for the Navy. An example of the case's application to the healthcare industry is where a private entity conducting federally funded medical research is defrauded by a vendor.
The court held that a plaintiff must prove that the false record or statement induced payment by the Government and was material to the Government's decision to pay or approve the false claim. The court explains that a "direct link" between the false statement and the loss to the Federal Treasury must be proven: "If a subcontractor or another defendant makes a false statement to a private entity and does not intend the Government to rely on that false statement as a condition of payment, the statement is not made with the purpose of inducing payment of a false claim 'by the Government.' In such a situation, the direct link between the false statement and the Government's decision to pay or approve the false claim is too attenuated to establish liability."
The court found that without this link, the FCA would be impermissibly expanded to recognize fraud directed at private entities which would "threaten to transform the FCA into an all-purpose antifraud statute."
|
Purpose: The Federal False Claims Act (FCA) exists to fight fraud, or false claims, against the federal government.
What is a "false claim"?: A false claim may take many forms, including, for example, overcharging for a service, charging for a service you did not perform, delivering less than the claimed services, underpaying money owed the government, or miscoding a claim.
What is a "qui tam" action?: A whistleblower action is referred to as a qui tam action. Qui tam is the Latin abbreviation for a phrase meaning "who sues on behalf of the King as well as for himself."
Applicability: In general, the FCA covers fraud involving any federally funded contract or program, with the exception of tax fraud.
Damages & Penalties: Under the FCA, anyone who knowingly submits or causes the submission of false claims to the government is liable for damages of up to three times the erroneous payment, plus civil penalties of $5,500 to $11,000 per false claim.
Mechanism: A private individual - called the whistleblower - who possesses and comes forward with information regarding false claims is authorized to file a case in federal court and sue, on behalf of the government, those entities that engaged in fraud. These are called "qui tam" suits. The Department of Justice decides on behalf of the government whether to join the whistleblower in prosecuting these cases.
Whistleblower's Share: If the case is successful, the whistleblower may share in the recovery. The amount of the whistleblower's share depends on multiple factors, including whether the whistleblower initiated the FCA claim.
Whistleblower Rights and Protections: The FCA provides a remedy for whistleblowers who are discharged, demoted, suspended or "in any way discriminated against in the terms and conditions of employment by his or her employer" in retaliation for filing an FCA case. If the court finds a whistleblower was terminated or otherwise mistreated for filing an FCA qui tam lawsuit, the employee is entitled to reinstatement at the same level, two times the back pay owed plus interest, and compensation for "special damages" sustained as a result of the discrimination, such as attorney's fees.
|
Recently, a philanthropic physician asked me whether he could donate to a charity in the name of a referring physician without running afoul of the Federal Fraud & Abuse Law. My response was that such a donation would be considered remuneration under the Fraud & Abuse Law because the donation would be an intangible inducement for the referring physician to make the referral.
Much to my surprise, a new advisory opinion sanctions a charitable donation in the name of a referring physician to a charity of the physician's choice as long as:
- The physician is not entitled to a tax deduction or other monetary benefit from the donation; and
- The referring physician certifies that neither he/she, nor any immediate family member, holds a position on the board of the designated charity, is employed by the charity, or has any other financial relationship with the charity (including any financial relationship through their medical practice).
The OIG feels that a charitable donation in this instance will not constitute remuneration under the Fraud & Abuse Statute.
|
If you are bringing an independent contractor physician (or chiropractor) into your practice, chances are that you want that physician to be considered a "physician in the group practice" under the Stark Anti-Referral Laws so that you can bill for ancillary services provided by the physician.
In order to be considered a "physician in the group practice" under Stark Law, an independent contractor physician must furnish patient care services for the group practice under a contractual arrangement directly with the group practice to provide services to the group practice's patients in the group practice's facilities.
What happens if the independent contractor wants the agreement to be with his/her professional corporation?
Consider the following scenarios:
Scenario 1 - Contract with Group Practice: A physician group practice (Group 1) has a written contractual agreement with another physician group practice (Group 2) for the services of a physician in Group 2. Group 1 would bill Medicare for the services of the physician (Physician A) as Group 1 services. Must Physician A sign a contractual agreement directly with Group 1 in order to be considered a "physician in the group practice" with respect to Group 1 (so as to permit Group 1 to bill for the services provided to its patients by Physician A)?
The Centers for Medicare and Medicaid Services (CMS) provides the following answer to this question:
Physician A may either sign an agreement directly with Group 1 or sign the agreement between Group 1 and Group 2. If the latter option is selected, the written agreement between Group 1 and Group 2 must identify Physician A by name and also identify the services that he or she is to perform for Group 1.
Scenario 2 - Contract with Professional Corporation: Must a physician who is the sole physician in a professional corporation become a signatory to a written agreement between the physician organization and a physician group for whom the physician will be providing professional services as an independent contractor?
CMS Answer: No. For purposes of satisfying the requirements of an exception to Stark, we consider a physician who is standing in the shoes of his/her professional organization to have signed the written agreement when the authorized signatory of the physician organization has signed the agreement.
|
I have always advised my clients that they can provide a discount to patients who pay cash for services. The question has always been how big a discount can a patient receive? The Department of Health and Human Services Office of Inspector General (OIG) recently provided guidance on this issue in the form of an Advisory Opinion.
The Advisory Opinion permits offering 5-15% discounts to all patients for prompt payment of their cost-sharing amounts and amounts owed for non-covered services (for which Medicare patients received an advanced beneficiary notice).
The OIG recognizes that it is legitimate for a health care provider to provide prompt pay discounts aimed at reducing accounts receivable and the cost of debt collection, and boosting cash flow.
The key factor in determining the discount amount is that it must bear a "reasonable relationship to the amount of collection costs that would be avoided." The OIG also acknowledged that the discount may vary depending on the timing of the payment and the size of the remaining balance owed by the patient.
In order to avoid the inference that the discount is an incentive to induce patients to self-refer, the discount should be provided to all patients and the health care provider should not advertise the fact that it provides discounts. I recommend posting a notice at your reception desk informing patients of the discount.
|
State False Claims Act Initiative
The Deficit Reduction Act of 2005 (signed into law on February 8, 2006) provides financial incentives for states to enact laws dealing with false or fraudulent claims that parallel the federal False Claims Act (Federal FCA). This provision was included in an effort to contain the perceived escalation in Medicaid fraud, waste, and abuse.
A state will be eligible for a 10% increase in its share of federal Medicaid fraud recoveries if it has a False Claims Act which meets the following four requirements:
- It establishes liability to the state for false and fraudulent claims described in the Federal FCA with respect to any Medicaid expenditure;
- It contains provisions that reward and facilitate qui tam (whistleblower) actions for false or fraudulent claims;
- It allows whistleblowers to file actions under seal, with a 60 day review period by the State Attorney General; and
- It provides for a civil penalty that is not less than that authorized by the Federal FCA.
|
Have you ever wondered how many laws you might break if you submit a fraudulent claim to the Federal government? A provider who submits a fraudulent claim to the Federal government is exposed to liability under the following statutes:
Criminal Statutes - Related to Fraud & Abuse
- Health Care Fraud (18 USC 1347)
- Theft or Embezzlement in Connection with Health Care (18 USC 699)
- False Statements Relating to Health Care Matters (18 USC 1035)
- Obstruction of Criminal Investigations of Health Care Offenses (18 USC 1518)
- Mail and Wire Fraud (18 USC 1341 and 1343)
- Criminal Penalties for Acts Involving Federal Health Care Programs (42 USC 1320a-7b)
Civil and Administrative Statutes - Related to Fraud & Abuse
- The False Claims Act (31 USC 3729-3733)
- Civil Monetary Penalties Law (42 USC 1320a-7b)
2007 OIG Fraud Statistics
The Department of Health and Human Services Office of Inspector General (OIG) reported $2.18 billion investigative receivables in fiscal year 2007 (up from $578 million in 2006).
OIG reported exclusions of 3,308 individuals and entities for engaging in fraud or abuse with respect to federal healthcare programs and/or their beneficiaries; 447 criminal actions; and 262 civil actions.
|
The HIPAA Privacy Rule provides for both civil and criminal penalties. The Department of Justice (DOJ) recently issued an internal opinion that limits DOJ criminal prosecutions under HIPAA. The DOJ Opinion leaves many questions unanswered and it remains to be seen what effect the DOJ Opinion will have on prosecutions of HIPAA.
Under HIPAA, a person may face criminal penalties if the person "knowingly and in violation" of HIPAA:
- Uses or causes to be used a unique health identifier, such as a National Provider Identification Number;
- Obtains individually identifiable health information relating to an individual; or
- Discloses individually identifiable health information to another person.
The DOJ Opinion limits prosecutions to:
- Covered entities, that is, healthcare providers who engage in electronic transactions and are subject to the HIPAA Privacy Rule;
- Certain directors, officers, and employees of covered entities who may be criminally liable "directly ... in accordance with general principles of corporate criminal liability";
- Third parties who cause, aid or abet, counsel, command, induce, procure or conspire with a covered entity to act in violation of HIPAA are liable under "principles of aiding and abetting liability and of conspiracy."
If convicted, a person faces the following criminal penalties:
- A fine of not more than $50,000, imprisonment of not more than a year, or both for a "routine" crime;
- A fine of up to $100,000, jail time of up to 5 years, or both if the offense is committed under false pretenses;
- A fine of not more than $250,000, imprisonment of not more than 10 years, or both if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm.
The only HIPAA Privacy criminal prosecution to date involved an employee at a cancer treatment center who obtained protected health information for a patient and used the information to obtain credit cards in the patient's name. He was sentenced in 2004 to 16 months in jail. Under the new DOJ Opinion guidelines, this case would not have been prosecuted under HIPAA because the individual was not a covered entity.
|
The Department of Health and Human Services (DHHS) has issued guidance regarding the use of portable electronic devices, under the HIPAA Security Rule. The guidance is particularly relevant for health care providers that allow remote access to electronic protected health information (EPHI) through portable devices or external systems not owned or managed by the provider.
The DHHS Guidance sets forth strategies that may be reasonable and appropriate for organizations that conduct some of their business activities through (1) the use of portable devices that store EPHI (such as USB flash drives); and (2) offsite access or transport of EPHI via laptops, personal digital assistants (PDAs), home computers or other equipment not owned by the covered entity.
The DHHS Guidance cautions that covered entities should be "extremely cautious" about allowing offsite use of, or access to, EPHI and makes it clear that offsite use of EPHI should only be used when necessary for business purposes, not merely when convenient. In addition, remote access to EPHI should only be granted to authorized users based on their role within the organization and their need for EPHI.
The HIPAA Security Rule requires covered entities to assess the flow of EPHI and put in place protections which are reasonable and appropriate to safeguard the confidentiality and integrity of EPHI.
When evaluating the need for offsite use of, or access to, EPHI, a covered entity should:
- conduct a risk analysis addressing access, storage and transmission;
- adopt policies and procedures for safeguarding EPHI; and
- train its workforce on the security issues relating to offsite access to EPHI and the policies adopted by the covered entity.
The DHHS Guidance contains a risk assessment tool which I have incorporated into this newsletter for your convenience. The "Risk" column of the tool includes general problems that could occur when work is done off-site. The "Possible Risk Management Strategies" column suggests basic solutions first, followed by more complex solutions more appropriate for organizations with advanced technology capabilities.
|
In my experience, very few physician offices have gone through the exercise of complying with the HIPAA Security Rule, despite the fact that the compliance date for covered entities was April 21, 2005.
Compliance with the HIPAA Security Rule is essentially a risk management exercise.
In order to comply with the Security Rule each covered entity must:
- Assess its own security risks
- Determine its risk tolerance or risk aversion
- Devise, implement and maintain appropriate security to address its business requirements
- Document its security decisions
- Appoint an Information Security Officer
- Amend privacy policies and procedures to coordinate with security policies and procedures
- Amend Business Associate Agreements
To facilitate this risk management exercise, the Security Rule has developed "standards" and "specifications" that each covered entity must address as part of its compliance efforts. Each "standard" concerns some type of organizational structure or administrative, physical or technical safeguard required for security purposes. Standards are implemented by one or more "specifications" which are specific requirements or instructions for implementing a standard. The Security Rule outlines 18 standards covering 36 implementation specifications.
Security Rule Implementation Specifications
The Security Rule is implemented by specifications. A covered entity must address at least 13 "required" specifications. The rule also outlines "addressable" specifications that a covered entity must consider in its compliance process.
The fact that a specification is "addressable" does not mean that it is optional. For each "addressable" specification, a covered entity must choose one of three courses of action:
- Implement the specification
- Implement an alternative security measure to accomplish the purposes of the standard
- Not implement anything if the specification is not reasonable and appropriate AND the standard can still be met
If a covered entity decides to implement an alternative measure or not to implement any measure, the covered entity must document the decision, the rationale and how the standard is being met.
Standard Example:
| Standard | Required Specifications | Addressable Specifications |
|---|---|---|
| Access Control | Unique User Identification; Emergency Access Procedure | Automatic Logoff; Encryption and Decryption |
|
It Could Happen To You
Violations of the Privacy Rule of the Health Insurance Portability and Accountability Act ("HIPAA") can and will happen in your office or facility. The most likely scenario is the verbal disclosure of protected health information. If a provider takes proactive measures to prevent HIPAA violations and addresses HIPAA complaints in an appropriate manner, the liability associated with a HIPAA violation will be minimized.
Simple Rules for Avoiding Verbal HIPAA Violations
- Professionals should only share patient information if there is a legitimate professional reason to do so
- Patient issues should not be discussed in a common area of the office unless the common area is closed to third parties (i.e. drug representatives, patients, etc.) and the staff is aware that conversations in the area may be protected under HIPAA; and
- Information should never be repeated outside of the office
Responding to the Allegation of a HIPAA Violation
Upon receipt of a HIPAA complaint, a provider has an obligation to:
- Document the complaint
- Determine whether a HIPAA violation occurred and how information was disclosed
- Mitigate damages and prevent further disclosure of information
- Provide the patient with an accounting of the disclosure upon request
- Apply appropriate sanctions against employees who fail to comply with HIPAA policies; and
- Document the sanctions that have been applied, if any
Imposition of Employee Sanctions
HIPAA requires that appropriate sanctions be imposed against employees who violate the Privacy Standards. These sanctions may take the form of a reprimand, requirement to attend additional HIPAA training, suspension without pay or even termination. It is important to understand that the imposition of sanctions against an employee raises a number of employment law issues and the HIPAA compliance officer should consult with a labor attorney prior to the imposition of sanctions in order to minimize liability.
HIPAA Follow-Up
The privacy officer must take appropriate steps to avoid future disclosures of confidential information. These steps may take the form of additional HIPAA training, circulation of an inter-office memo and/or the revision of an office policy and should be documented by the compliance officer. As a proactive measure, in order to avoid verbal disclosures of protected information, a provider should identify high risk areas in the practice setting which pose a high probability of a breach of confidentiality (i.e. high profile patient or office common areas).
HIPAA Enforcement
The DHHS Office of Civil Rights ("OCR") is charged with enforcing the Privacy Rule. OCR's enforcement initiative is to promote voluntary compliance with the Privacy Rule. OCR seeks to resolve matters by informal means before issuing findings of non-compliance. To this end, OCR seeks the cooperation of a covered entity in obtaining compliance and often provides technical assistance to help covered entities achieve voluntary compliance. There are several local providers who are currently under investigation for HIPAA violations. For the most part, they have found OCR to be helpful and non-adversarial. If you are contacted by OCR, you should immediately contact your legal counsel. Your legal counsel should be your contact person for the investigation.
|
Is Professional Liability Insurance Enough?
Professional liability insurance is not enough to protect your assets from liabilities which arise in your work environment. In today's professional liability insurance market, it is more important than ever to explore additional options to protect your assets. I recommend that health care professionals approach asset protection as if they do not have any professional liability coverage.
Asset protection strategies are designed to either protect an asset from a creditor or make the asset less attractive to a creditor. Asset protection planning should begin with consideration of the following three strategies:
- Retitle assets into your spouse's name. This is a very simple and effective strategy for families in which only one spouse has professional liability and all assets are marital property. If both spouses are professionals, we look at which spouse has less professional risk (i.e. pediatrician vs. neurosurgeon).
- Maximize your investment in assets which creditors cannot reach. These assets include life insurance, IRAs, annuities and qualified retirement plans. The main problem with this strategy is that you lose control of the assets.
- Contribute assets into a limited liability company. Transferring assets into a limited liability company (LLC) or limited partnership does not protect the assets from creditors. However, it does make the asset less attractive to a creditor because the interest in the company is not transferable and does not provide the creditor with control of the company. Holding assets in an LLC will make it more likely that the creditor will not go after the assets held by the company or will settle for less than full value on the claim.
These strategies will work to protect the asset or make the asset less attractive to creditors as long as the asset is transferred before a liability arises. Asset protection strategies should be implemented before you are served with a malpractice lawsuit. The transfer of an asset after a liability arises will likely be considered to be a fraudulent transfer.
|
The Joint Commission on Accreditation of Healthcare Organizations (JCAHO) recently released the 2007 Medical Staff Standards for Hospitals (2007 Standards). The 2007 Standards include significant changes to the medical staff credentialing process.
The 2007 Standards include the following three new concepts for credentialing and privileging:
- General Competence: Six areas of "General Competencies" have been developed in a joint initiative with the Accreditation Council for Graduate Medical Education (ACGME) and the American Board of Medical Specialties (ABMS). These General Competencies are: (1) patient care; (2) medical/clinical knowledge; (3) practice-based learning and improvement; (4) interpersonal and communication skills; (5) professionalism; and (6) systems-based practice. JCAHO believes that incorporation of these General Competencies into the 2007 Standards permits medical staffs to develop a more comprehensive assessment of a practitioner's professional practice.
- Ongoing Professional Practice Evaluation: Most medical staffs evaluate practitioners on a biennial basis in conjunction with the recredentialing process. The 2007 Standards establish a change from a cyclical model of the credentialing and privileging process to the "Ongoing Professional Practice Evaluation" process. The Standards recommend that a practitioner's professional performance be continually assessed under the premise that ongoing assessment permits earlier detection and resolution of performance issues.
- Focused Professional Practice Evaluation: The 2007 Standards introduce the concept of "Focused Professional Practice Evaluation" as a process which permits a medical staff to concentrate assessment on a particular facet of a practitioner's performance. Use of this model would be appropriate when additional data or evaluation is necessary to substantiate one of the areas of general competence. A more focused evaluation process would be beneficial if questions develop about a practitioner's professional practice during the Ongoing Professional Evaluation (discussed above).
|
Over 33,000 people are currently excluded from Federal healthcare programs. The
effect of an exclusion from a Federal health care program is that no Federal
health care program payment may be made for any items or services (1) furnished
by an excluded provider, or (2) directed or prescribed by an excluded provider.
Civil monetary penalties may be imposed against health care providers or
entities that employ or enter into contracts with excluded individuals for the
provision of services or items to Federal program beneficiaries. The Office of
the Inspector General (OIG) urges health care providers and entities to check
the OIG List of Excluded Individuals/Entities prior to hiring or contracting
with individuals or entities and to periodically check the OIG web site for
determining the participation/exclusion status of current employees and
contractors.
Where To Look For Excluded Providers?
Search the following major government databases:
- OIG List of Excluded Individuals/Entities (LEIE) contains the names of thousands of persons and businesses that are excluded from participation in federal health care programs. Go to: http://www.oig.hhs.gov/fraud/exclusions/listofexcluded.html
- Excluded Parties Listing System (EPLS) contains names of parties excluded by over 50 federal agencies. It is important to check this database because the OIG claims the right to exclude a party from your employment for "fraud/theft/embezzlement/breach of fiduciary responsibility, or other financial misconduct with respect to any act or omission in a program, other than a health care program operated in whole or in part by any Federal, State, or local government agency." Go to: http://www.epls.gov/epls/search.do
- Specially Designated National (SDN) List contains names of suspected terrorists you should not employ. Go to: http://www.ustreas.gov/offices/enforcement/ofac/sdn/index.shtml
Document Search Efforts
It is important to document your search efforts. This documentation may
mitigate damages if you hire an excluded individual who did not appear as a
match during your search.
Tips for Successful Searching
Each website allows you to enter in a name and click a button to find if there
is a match in the database. It is important to note that computer matching is
very dependent on correct spellings.
Search tips:
- Use correct first names, not nicknames (i.e. Benjamin not Ben)
- Watch out for initials substituted for first names (use full name) (i.e. William Blake Wilson not W. Blake Wilson)
- Pay attention to hyphenated surnames (search for Mary Tyler-Johnson and Mary Tyler Johnson)
- Check compound surnames in a similar manner (i.e. search for Mary Tyler Johnson, Mary Tyler and Mary Johnson)
- Other known names should also be checked (i.e. maiden names)
What Happens When You Find a Match?
If your search finds a match, you must then determine whether the match is
really the individual that you are inquiring about or someone else.
|
The recently published 2008 Physician Fee Schedule Rule (Final Rule) will have
far-reaching implications in the way physicians provide diagnostic testing.
The final rule permits physicians to purchase and bill for diagnostic tests,
but does not permit them to profit from such tests. The final rule addresses
CMS' concern regarding diagnostic services provided in "centralized buildings"
and those where physician groups purchase or contract for the provision of
diagnostic tests. The basis for concern is the potential for a physician to
realize a profit on the tests, which might then lead to overutilization
resulting in higher costs to the Medicare program.
The final rule imposes an anti-markup provision on the technical component
(TC) and professional component (PC) of diagnostic tests that are ordered by a
billing physician or other supplier if the TC or PC is purchased from an
"outside supplier" or if it is performed at a site other than the office of the
billing physician or other supplier.
Under the anti-markup provisions, the amount at which a physician practice may
bill Medicare for diagnostic tests may not exceed the lowest of the following
amounts:
- The performing supplier's net charge to the billing physician or other supplier
- The billing physician or other supplier's actual charge
- The fee schedule amount for the test that would be allowed if the performing supplier billed directly
CMS creates a new definition for an "office of the billing physician or
supplier" without any reference to the definition of "same building" in the
Stark law in-office ancillary services exception. The office of the billing
physician or supplier is defined as the "medical office space where the
physician or other supplier regularly furnishes patient care." If the billing
physician or other supplier is a physician organization, the "office of the
billing physician or supplier" is defined as the space in which the physician
organization provides "substantially the full range of patient care services
that the physician organization provides generally."
The rule is effective January 1, 2008.
Physician Fee Schedule Conflict With Stark In-Office Ancillary Services Exception
The anti-markup provisions in the 2008 Physician Fee Schedule Rule (Final Rule)
are separate and distinct from the Stark anti-referral law (Stark Law).
Historically, practices looked to the Stark Law in-office ancillary services
exception when structuring the provision of diagnostic testing. For example, a
radiology group with its offices on the second floor of a medical office
building may have located its MRI machine on the first floor of the building in
compliance with Stark Law "same building" criteria.
Under the Final Rule, any MRI test would be subject to the anti-markup
provision because the MRI is not located in the office where the physician
practice provides substantially the full range of services.
In conclusion, diagnostic tests not performed in a physician practice's office
space may no longer be economically feasible. If a physician group complied
with the Stark in-office ancillary services exception and located an MRI on a
different floor of the same building where the practice office is located, the
practice will not be able to include any costs related to the MRI equipment in
its net charge to Medicare for the technical component.
|
The new Stark II Phase III regulations include significant changes to the rules
governing how a group practice may interact with a recruited physician.
The Stark Physician Recruitment Exception prohibited a group practice from
imposing any practice restrictions on the recruited physician other than
conditions related to quality of care. This prohibition proved to have a
serious detrimental effect on the ability of hospitals to recruit physicians
and created confusion as to what type of restrictions were permitted.
In response to numerous comments, the Phase III regulations prohibit
physician practices from imposing any practice restrictions that "unreasonably
restrict" the recruited physician's ability to practice medicine in the
geographic area served by the hospital. The Centers for Medicare and Medicaid
Services provides guidance in the preamble to the regulations that implies that
the following restrictions are permitted:
- Moonlighting
- Patient and/or employee non-solicitation
- Requirement to treat Medicaid and indigent patients
- Confidentiality
- Requirement for recruited physician to repay losses that are absorbed by group in excess of any hospital payment
- Liquidated damages if physician leaves group and remains in community
|
The new Stark II Phase III regulations, effective December 4, 2007, make
substantive changes to the Stark Law Physician Recruitment Exception.
Recruitment Exception Basics
Stark Law permits a hospital to provide financial incentive to a physician to
induce the physician to relocate to the geographic area served by the hospital
in order to be a member of the medical staff of the hospital if:
- the physician is not required to refer patients to the hospital;
- the amount of remuneration is not determined in a manner that takes into account the volume or value of any referrals by the referring physician; and
- the arrangement meets the requirements of any regulations promulgated to protect against program or patient abuse.
Expansion to Include Rural Health Clinics
Historically, the recruitment exception has been available to hospitals and
federally qualified health centers. The Phase III regulations expand the
exception to permit rural health clinics to recruit physicians.
Allocation of Expenses Under Income Guarantee
Stark Law provides that a physician group may not allocate more than its
actual, additional incremental costs attributable to the recruited physician
under an income guarantee arrangement. The Phase III regulations clarify that
any income guarantee, whether it is based on net income, gross income,
revenues, or some other variation, triggers the application of the actual,
additional incremental cost limitation. However, the Phase III regulations
provide a narrow exception permitting a physician group to allocate expenses
per capita, not to exceed 20% of the practice's aggregate costs, if the physician
is replacing a deceased, retiring, or relocating physician in a rural area or
Health Professional Shortage Area (HPSA).
Prohibition of Practice Assumption of Repayment Obligation
In the preamble to the Phase III regulations, the Centers for Medicare and
Medicaid Services warn against a group practice eliminating the physician's
obligation to reimburse the practice if a repayment obligation is triggered
under the recruitment arrangement. CMS has made it clear that this would create
a financial relationship between the group and the physician that would not
meet an exception to the Stark Law.
Non-Physician Recruitment
The Phase III regulations confirm that the Stark Recruitment Agreement
Exception does not apply to payments made by a hospital to subsidize a
physician group's recruitment of a mid-level practitioner.
Clarification of Hospital Geographic Area
The recruitment exception requires that the recruited physician relocate
his/her medical practice to the "geographic area served by the hospital."
Historically, this area was defined as the area composed of the "lowest number
of contiguous zip codes from which the hospital draws at least 75% of its
inpatients."
The Phase III regulations clarify that:
- "Contiguous zip code areas" must be next to each other (not next to the zip code in which the recruiting entity is located)
- Physician may relocate into a "hole" zip code area if the "hole" is surrounded by contiguous zip codes
- If a hospital draws fewer than 75% of inpatients from contiguous zip codes, the geographic service area is defined as all of the contiguous zip codes
- Hospital may use any zip code configuration if multiple configurations meet the threshold of inpatient admissions
- Hospital may use different areas for different recruitment arrangements as long as the definition is met on the date the agreement is signed
- Geographic service area is determined at the hospital level (not the hospital system level)
|
Stark Law prohibits a physician from referring Medicare patients for certain
"designated health services" (DHS) to entities with which the physician (or an
immediate family member of the physician) has a financial relationship, unless
an exception applies. Stark Law also prohibits an entity from billing for
services pursuant to a tainted referral.
With the issuance of the new Phase III regulations, effective December 4,
2007, the Centers for Medicare and Medicaid Services (CMS) has finally adopted
a complete set of final regulations interpreting the Stark Law. However, the
Preamble to the regulations indicates that CMS is not done tinkering with the
Stark Law and implies that future revisions will focus on indirect
compensation, percentage based compensation and the scope of the in-office
ancillary services exception.
The Phase III regulations are a mix of new concepts, clarifications of old
concepts and technical corrections. The new concepts will have a significant
impact on some segments of the health care market and will force reexamination
of a wide range of financial relationships involving physicians and DHS
providers.
Major changes include the application of a "stand in the shoes" concept to
physicians and their group practices, revamping the rules governing physician
recruitment, and expanding the fair market value exception to cover payments
made by a physician as well as payments made to a physician.
The new regulations also make changes to the following Stark exceptions:
- Retention Payments in Underserved Areas
- Intra-Family Rural Referrals
- Compliance Training
- Academic Medical Center
- Personal Services Arrangements
- Charitable Donations by a Physician
- Non-monetary Compensation
- Professional Courtesy
- Temporary Non-Compliance
Future articles will focus on how the new Stark regulations will impact the
financial relationship between physicians and DHS providers.
|
As an attorney, it is my job to provide each of my clients with advice that
will protect the client's business interests. One of the best ways to protect
your business interests is to execute a written contract with each employee and
independent contractor working in your practice.
Top 5 Reasons to Have a Good Contract in Place
- Impose restrictive covenants
- Protect medical records
- Protect confidential information
- Impose indemnification obligations
- Address legal compliance issues
Impose Restrictive Covenants
Restrictive covenants and the mechanism for enforcing them should be customized
to the specific situation in order to best protect your business interests.
Restrictive covenants can take any of the following forms:
- Non-competition: This covenant will be enforceable if the scope, geographic area and duration are reasonable. A typical duration is 1-2 years. The scope must be narrowly crafted to protect your legitimate business interests (i.e. practice as a physical therapist). The geographic area will vary with the situation (i.e. 7 miles for a primary care physician in an urban area vs. an entire county for a surgeon in a rural area).
- Employee non-solicitation: This covenant will prevent the solicitation of your employees, an important business asset.
- Patient/customer non-solicitation: This covenant protects one of your most important business assets. The covenant typically covers direct solicitation (i.e. phone calls, direct mailings) and permits indirect solicitation (i.e. newspaper ads, general mailings).
The contract should provide for injunctive relief if any of the restrictive
covenants are violated. You might also consider including a liquidated damages
provision specifying the amount of money that must be paid if the restrictive
covenant is violated. Liquidated damages can take the form of a per day penalty
or a lump sum payment.
Protect Medical Records
Medical records are typically the property of the business and a departing
individual should only be provided with limited access to the records for
certain legitimate business purposes (i.e. malpractice suit or audit). When the
departing individual is a medical professional, it is very important to specify
how patients will be notified of the departure and the mechanism for
transferring medical records if a patient wants to continue to see the
individual at a new practice location.
Protect Confidential Information
The covenant should specify the type of information you consider to be
confidential to your business. The more specific the description of
confidential information, the easier it will be for you to enforce the
restriction. A business that is a covered entity under HIPAA should include in
the contract a confidentiality provision in compliance with the HIPAA Privacy
Standards.
Legal Compliance
The contract should specify that the individual
will comply with the policies of the business and its legal compliance efforts.
The contract should also provide that the contract terminates in the event any
aspect of the contract becomes illegal.
Indemnification
Indemnification provisions are not typically
included in employment agreements but should be included in independent
contractor agreements.
If you have questions or comments about this week's Legal Corner article,
contact Orly Rumberg at legal@yourcity.md.
Orly will review all questions and post answers to the most frequently asked
questions regarding this topic next week. If your question is not answered in
this forum, you may consider contacting Orly Rumberg directly at
legal@yourcity.md.
©2010, Schwartz Manes Ruby & Slovin, A Legal Professional Association. All
rights reserved.
|