Want to Make HIPAA More Interesting? Try Playing Web Games

Many healthcare providers understand the importance of HIPAA compliance, but are not interested in reading detailed regulations and agency commentary to understand the rules.  If this describes any of your staff members, the Office of the National Coordinator for Health Information Technology (ONC) may have a solution: play an online game.

In an effort to make HIPAA compliance a bit more fun, ONC has developed web games for both the HIPAA Privacy and Security Rules.  Each game provides a number of real-life patient privacy scenarios and asks the player to choose the correct course of action.

Sample scenarios include an employee’s access to unencrypted PHI on a home laptop, the purpose of an entity’s “contingency plan” under the Security Rule, and the use of e-mail to send unencrypted PHI.

The games might be something to try if you have found it difficult to make HIPAA compliance engaging for staff members.  Although the games are simple and fun, the issues that they address have huge significance for all covered entities and business associates.

You can access the games here.  What is your highest score?

For more information about HIPAA compliance, contact Casey Moriarty.

The Business Associate Agreement Battle – Understand the Key Issues

The September 2014 deadline for amending pre-existing HIPAA business associate agreements (BAAs) is fast approaching.  Are you ready?  Under the HITECH Act, covered entities and business associates have just under seven months to negotiate and implement amendments to all BAAs entered into prior to January 25, 2013.

In the face of the unprecedented challenge of revising all pre-existing BAAs, covered entities and business associates need to act quickly, but also be mindful of the important terms in BAAs that can lead to increased liability, including the following:

  • Indemnification: Although not required by the HITECH Act, covered entities often push for strong indemnification language that requires the business associate to indemnify the covered entity for the business associate’s breaches of protected health information (PHI) and violations of HIPAA.  Acceptable indemnification language for each party depends on the nature of the PHI involved in the transaction and the amount of PHI that is transmitted between the parties.
  • Limitation of Liability: In order to reduce the risks of receiving and maintaining the covered entity’s PHI, many business associates push for BAA language that limits their liability to a certain amount (e.g., the fees paid by the covered entity under the underlying agreement).  A covered entity’s acceptance of a business associate’s “limitation of liability” terms can pose significant risks if the business associate violates HIPAA after the BAA is signed.
  • Breach Notification Time Period: The HITECH Act and the Breach Notification Rule require business associates to notify covered entities of a breach of PHI without unreasonable delay, and in no case later than 60 days after discovery.  However, in order to protect relationships with patients affected by a breach, proposed BAAs from covered entities generally require a business associate to provide notification within 10 days or less.  A business associate’s acceptance of a shorter notification period can put tremendous pressure on it to investigate and disclose accurate information after a breach occurs.

These are just a few terms found in BAAs that can lead to increased liability and risks for covered entities and business associates.  Although it is critical to complete BAA amendments by the September 23, 2014 deadline, business associates and covered entities need to think critically about the language in BAAs prior to signature.

If you would like more information about negotiating business associate agreements, please contact Dave Schoolcraft, Elana Zana or Casey Moriarty.

Stolen Thumb Drive Proves Costly for Dermatology Practice

The Department of Health and Human Services (HHS) recently announced a $150,000 settlement with a dermatology practice in Massachusetts that arose out of a stolen thumb drive.  The unencrypted drive, which contained the health information of approximately 2,200 individuals, was stolen from a vehicle of one of the practice’s staff members.

Although HHS was concerned with the staff member’s failure to safeguard the health information, the large settlement amount resulted primarily from the practice’s lack of HIPAA policies and procedures.  Specifically, HHS determined that the practice: (1) had no breach notification policies, (2) had not conducted risk assessments for potential security vulnerabilities, and (3) did not adequately perform HIPAA training for its workforce.

This case provides an important warning to health care providers who do not have comprehensive HIPAA and HITECH policies and procedures.  Although the risk of being selected for an HHS HIPAA audit is still relatively low, it only takes one breach of health information for HHS to open an investigation that can result in costly penalties.

For more information about HIPAA and HITECH policies and procedures, please contact Casey Moriarty.


OIG’s Report Highlights Enforcement Successes in 2014

The Office of Inspector General (OIG) recently published its Semiannual Report to the U.S. Congress.  This Report summarizes the OIG’s enforcement activities from March 2013 to September 2013.

The Report highlights the OIG’s significant efforts in the enforcement of fraud and abuse laws.  For fiscal year (FY) 2013, the OIG is expecting total recoveries of $5.8 billion, consisting of nearly $850 million in audit receivables and about $5 billion in investigative receivables.

Additionally, for FY 2013, the OIG brought 960 criminal and 472 civil actions against individuals or entities that engaged in health-care-related offenses.  Compared with FY 2012, the number of criminal actions in FY 2013 rose by 182 cases, and the number of civil cases rose by 105 cases.

According to the OIG, these enforcement results are partially due to the successes of the Health Care Fraud Prevention and Enforcement Action Team (HEAT).  HEAT is a partnership among federal, state, and local law enforcement to identify fraudulent health care schemes.  The program combines sophisticated data analysis and investigative intelligence to move quickly against violators of fraud and abuse laws such as the False Claims Act.

There is no doubt that the OIG’s accomplishments in FY 2013 will motivate investigators to root out more health care fraud and overpayment schemes in FY 2014.  To avoid a costly investigation and potential prosecution, providers should take extra care that they are following Medicare and Medicaid laws and properly billing for services rendered to patients.

You can read the entire OIG Semiannual Report here.

For more information about health care fraud and abuse laws, please contact Casey Moriarty.

OIG Okays Provision of Free Services to Uninsured and Underinsured Patients

On October 15, 2013, the Office of Inspector General (OIG) released an Advisory Opinion concerning a community health services organization’s provision of free dental care to financially needy uninsured and underinsured patients who are not covered by Medicaid.

The organization was concerned that the free services violated two aspects of the Medicaid law: (1) the Social Security Act prohibits providers from billing Medicaid charges for items or services substantially in excess of the provider’s “usual charges,” and (2) the Anti-Kickback Statute prohibits providers from offering remuneration to Medicaid patients to induce them to receive services from the provider.

In the Advisory Opinion, the OIG stated that when a provider calculates its “usual charges,” it need not consider free or substantially reduced charges to uninsured or underinsured patients with financial need.  Therefore, the OIG would not seek to exclude a provider from the Medicaid program for providing discounts to financially needy uninsured and underinsured patients.

The OIG also stated that the organization’s provision of free services to financially needy uninsured or underinsured patients does not violate the Anti-Kickback Statute because the free services will not be provided to Medicaid patients.  The Anti-Kickback Statute would only be implicated if a provider used the free services as a means to induce Medicaid patients to order additional services that could be billed to the Medicaid program.

The bottom line is that providers may offer free services to uninsured or underinsured patients with financial hardship.  With that said, it is critical that providers have uniform eligibility criteria to determine whether such patients actually are financially needy.  In separate guidance released in 2004, the OIG outlined factors that providers should consider in determining financial need, including:

  • The local cost of living;
  • A patient’s income, assets, and expenses;
  • A patient’s family size; and
  • The scope and extent of a patient’s medical bills.

By applying these factors uniformly at all times, providers can ensure that their provision of free or discounted services meets OIG requirements.

If you would like more information please contact Casey Moriarty.

Reducing the Risks of Third-Party Access to EHR Systems

UnityPoint Health, a health system located in Iowa, recently informed 1,800 patients of a breach of their health information.  UnityPoint learned of the breach after an audit discovered that a third party contractor’s employee had improperly gained access to the UnityPoint electronic health record (EHR) system and viewed the records of the 1,800 patients.

The UnityPoint breach shows the risks of allowing third-party contractors, known as “business associates,” to access health information in an EHR system.  While such access may be required for certain activities, including billing, claims management, or utilization review, providers must be certain that the business associate agreements with such contractors include strong protections for the provider.

For example, business associate agreements should include requirements for the business associate to indemnify the provider for expenses resulting from HIPAA breaches, pay all notification costs associated with such breaches, and maintain insurance policies that provide coverage for a large breach.

Although strong language in a business associate agreement provides legal protection for a provider, it will do nothing to counteract the public relations fallout that results from notifying patients of a breach.  Therefore, providers should make every effort to contract only with reputable entities that understand and practice HIPAA compliance.

If you would like more information about HIPAA compliance, please contact Casey Moriarty.

Want to Get Paid for Inpatient Admissions? Follow CMS Certification Requirements.

In its final regulations for the 2014 Inpatient Prospective Payment System (IPPS), the Centers for Medicare and Medicaid Services (CMS) emphasized the importance of physician certifications.  Under the regulations, Medicare will only pay for an inpatient admission if a physician certifies the medical necessity for the stay.  The first piece of such certification is for the physician to complete an inpatient order when he or she expects that the patient will require a stay that crosses at least two midnights.

In addition to the order, physician certification for the inpatient stay also must include the following information:

  • Certification that the inpatient services were ordered in accordance with the Medicare regulations governing the order;
  • The reasons for either: (1) hospitalization of the patient for inpatient medical treatment or medically required inpatient diagnostic study; or (2) special or unusual services for cost outlier cases under the inpatient prospective payment system;
  • The estimated time the beneficiary requires or required in the hospital;
  • The plans for post hospital care, if appropriate, and as provided in the Medicare regulations; and
  • For Critical Access Hospitals (CAHs), the physician must certify that the patient will reasonably be expected to be discharged or transferred to a hospital within 96 hours after admission to the CAH.

Physicians must complete all certification for the inpatient stay prior to patient discharge.  To help ensure Medicare payment for inpatient admissions, hospitals should educate physicians on the importance of certifications and assist physicians in gathering the necessary documentation.

CMS has prepared a guidance document about hospital inpatient admission orders and certification. For more information about inpatient admission certification, please contact Casey Moriarty.

Critical Access Hospital Reimbursement May Be In Trouble if CMS Changes Rules

The Centers for Medicare and Medicaid Services (CMS) has signaled its intent to increase enforcement of the location requirements for critical access hospitals (CAHs).  CMS created the CAH certification program to provide additional reimbursement for hospitals in rural areas that are located more than 35 miles from another hospital, or more than 15 miles from another hospital in areas with mountainous terrain or only secondary roads.

Prior to 2006, states could designate certain hospitals as “necessary providers” that did not have to meet the location requirements.  Many of these “necessary provider” CAHs would not meet the current location standards for the CAH designation.

A recent report from the Department of Health and Human Services (HHS) Office of Inspector General found that CMS would have saved $449 million in 2011 if it had decertified all CAHs that were 15 or fewer miles from their nearest hospitals.  In order to take advantage of these potential savings, CMS has stated that it will seek legislative authority to remove the “necessary provider” exemption and require all CAHs to meet the location requirements.

In addition to removing the exemption, CMS has also agreed to pursue other changes to the CAH program, including: (1) periodically reassessing CAHs for compliance with all location-related requirements; and (2) applying a uniform definition of “mountainous terrain” to all CAHs.

It is important to note that these changes would require legislative action by Congress, and currently there is no such legislation to act on these recommendations.  Nevertheless, CAHs should keep a close eye on these potential changes, as they could have a huge impact on the reimbursement levels of CAHs that do not currently meet the location requirements.  Please contact Don Black or Casey Moriarty for more information.

Private Payors Attempt to Apply 2% Sequester to Providers – CMS Says “No” (Mostly)

The recent sequester of federal spending triggered automatic, across-the-board cuts in the federal budget.  Included in these cuts is a 2% reduction in Medicare reimbursement to providers.  The cuts went into effect on April 1, 2013.

In the aftermath of sequestration, many private health insurance companies have attempted to reduce their reimbursement to providers for services provided to non-Medicare patients by the same 2% amount.  These insurers argue that the reimbursement rates in their contracts with providers are based on Medicare payment methodologies; therefore, they are entitled to implement the 2% cuts.  The truth is a bit more complicated.

According to Medicare Administrative Contractors (MACs) such as Noridian, the 2% payment reduction under sequestration is applied to claims only after the final Medicare payment has been determined.  All fee schedules, prices, etc., are unchanged by sequestration; it is only the final payment amount that is reduced.

Therefore, if an insurer’s contract with a provider states that the insurer’s reimbursement is based on Medicare fee schedules, the insurer may have a difficult time arguing that it has a contractual right to reduce reimbursement by 2% based on sequestration.

Additionally, in a memo dated May 1, 2013, the Centers for Medicare and Medicaid Services addressed the impact of the sequestration cuts on Medicare Advantage Organizations (“MAOs”) and Medicare Part D sponsors.  According to CMS, the 2% cuts apply to reimbursement received by MAOs and Part D sponsors, but such organizations cannot pass the cuts on to contracted providers.  The one exception to this rule is where the contract between the provider and the MAO or Part D sponsor contains a specific provision that allows the organization to pass sequestration cuts on to providers.

Providers should carefully track their reimbursement rates to determine whether private insurers are improperly taking advantage of sequestration’s Medicare cuts to lower their contractually required payments to providers.  If you would like assistance in protesting any private payor sequester-related cuts, please contact Casey Moriarty or Don Black.

OIG Launches New Online Submission Process for the Self-Disclosure Protocol

On July 8th, the Office of Inspector General (OIG) launched a new online submission process for the Self-Disclosure Protocol (SDP).  The SDP allows health care providers to voluntarily identify, disclose, and resolve instances of potential fraud involving federal health care programs, including Medicare and Medicaid.  The OIG has stated that individuals and entities that use the SDP will generally pay a lower amount of damages for violations than would be required to resolve a government-initiated investigation.

You can access the online submission process here.

The OIG hopes that the online submission tool for the SDP will streamline the process for providers that want to resolve violations without the time and expense of a government-directed investigation.  With that said, we suggest that providers have an attorney analyze any potential SDP issues prior to completing the online form.  As always, the health law attorneys at OMW are happy to help.

For more information about the SDP online submission process please contact Casey Moriarty.