Providing Telemedicine Services? Pay Attention To State Licensing Requirements

Advancements in telemedicine offer exciting treatment possibilities for rural communities. Through audio-visual technology, patients in small communities now have the opportunity to access the expertise of specialists at large medical facilities in metropolitan areas.

However, along with all of the promise of telemedicine technologies, there are also some important legal issues that health care providers need to understand.  One of the most important issues is whether physicians who provide treatment advice to a patient through telemedicine must be licensed in the state where the patient is located.  For example, if a patient is located in Washington State, can a physician who is only licensed in Oregon provide telemedicine services to the patient?

The Federation of State Medical Boards (FSMB) has recently addressed the licensure issue in the Model Policy for the Appropriate Use of Telemedicine Technologies.  The Policy  makes it clear that a physician must be licensed by, or under the jurisdiction of, the medical boards of the state where the patient is located.

It is unclear whether state medical boards will follow the Model Policy from FSMB.  For example, Washington State law currently allows physicians licensed in another state to “practice medicine” in Washington so long as they do not open an office or appoint a place of meeting patients or receiving calls within Washington. (RCW 18.71.030). Of course, this provision could change in the future.

In order to avoid the unlawful practice of medicine when providing telemedicine services, physicians and healthcare facilities should take time to understand the licensing regulations in the state where the patient is located.

For more information on the legal issues related to telemedicine, please contact Casey Moriarty.

Want to Make HIPAA More Interesting? Try Playing Web Games

Many healthcare providers understand the importance of HIPAA compliance, but are not interested in reading detailed regulations and agency commentary to understand the rules.  If this describes any of your staff members, the Office of National Coordinator (ONC) for Health Information Technology may have a solution: play an online game.

In an effort to make HIPAA compliance a bit more fun, ONC has developed web games for both the HIPAA Privacy and Security Rules.  Each game provides a number of real-life patient privacy scenarios and asks the player to choose the correct course of action.

Sample scenarios include an employee’s access to unencrypted PHI on a home laptop, the purpose of an entity’s “contingency plan” under the Security Rule, and the use of e-mail to send unencrypted PHI.

The games might be something to try if you have found it difficult to make HIPAA compliance engaging for staff members.  Although the games are simple and fun, the issues that they address have huge significance for all covered entities and business associates.

You can access the games here.  What is your highest score?

For more information about HIPAA compliance, contact Casey Moriarty.

The Business Associate Agreement Battle – Understand the Key Issues

The September 2014 deadline for amending pre-existing HIPAA business associate agreements (BAA) is fast approaching.  Are you ready?  Under the HITECH Act, covered entities and business associates have just under seven months to negotiate and implement amendments to all BAAs entered into prior to January 25, 2013.

In the face of the unprecedented challenge of revising all pre-existing BAAs, covered entities and business associates need to act quickly, but also be mindful of the important terms in BAAs that can lead to increased liability, including the following:

  • Indemnification: Although not required by the HITECH Act, covered entities often push for strong indemnification language that requires the business associate to indemnify the covered entity for a business associate’s breach of protected health information (PHI) and violations of HIPAA.  Acceptable indemnification language for each party depends on the nature of the PHI involved in the transaction and the amount of PHI that is transmitted between the parties. 
  • Limitation of Liability: In order to reduce the risks of receiving and maintaining the covered entity’s PHI, many business associates push for BAA language that limits their liability to a certain amount (i.e. fees paid by covered entity in the underlying agreement).  A covered entity’s acceptance to a business associate’s “limitation of liability” terms can pose significant risks if the business associate violates HIPAA after the BAA is signed. 
  • Breach Notification Time Period: The HITECH Act requires business associates to notify covered entities of a breach of PHI within 60 days of discovery.  However, in order to protect relationships with patients affected by a breach, proposed BAAs from covered entities generally require a business associate to provide notification within 10 days or less.  A business associate’s acceptance to a shorter notification period can put tremendous pressure on it to investigate and disclose accurate information after a breach occurs.

These are just a few terms found in BAAs that can lead to increased liability and risks for covered entities and business associates.  Although it is critical to complete BAA amendments by the September 23, 2014 deadline, business associates and covered entities need to think critically about the language in BAAs prior to signature.

If you would like more information about negotiating business associate agreements, please contact Dave Schoolcraft, Elana Zana or Casey Moriarty.

Stolen Thumb Drive Proves Costly for Dermatology Practice

The Department of Health and Human Services (HHS) recently announced a $150,000 settlement with a dermatology practice in Massachusetts that arose out of a stolen thumb drive.  The unencrypted drive, which contained the health information of approximately 2,200 individuals, was stolen from a vehicle of one of the practice’s staff members.

Although HHS was concerned with the staff member’s failure to safeguard the health information, the large settlement amount resulted primarily from the practice’s lack of HIPAA policies and procedures.  Specifically, HHS determined that the practice: (1) had no breach notification policies, (2) had not conducted risk assessments for potential security vulnerabilities, and (3) did not adequately perform HIPAA training for its workforce.

This case provides an important warning to health care providers who do not have comprehensive HIPAA and HITECH policies and procedures.  Although the risk of being selected for an HHS HIPAA audit is still relatively low, it only takes one breach of health information for HHS to open an investigation that can result in costly penalties.

For more information about HIPAA and HITECH policies and procedures, please contact Casey Moriarty.

 

OIG’s Report Highlights Enforcement Successes in 2014

The Office of Inspector General (OIG) recently published its Semiannual Report to the U.S. Congress. This Report summarizes the OIG’s enforcement activities from March, 2013 to September, 2013.

The Report highlights the OIG’s significant efforts in the enforcement of fraud and abuse laws.  For fiscal year (FY) 2013, the OIG is expecting total recoveries of $5.8 billion, consisting of nearly $850 million in audit receivables and about $5 billion in investigative receivables.

Additionally, for FY 2013, the OIG brought 960 criminal and 472 civil actions against individuals or entities that engaged in health-care-related offenses.   Compared with FY 2012, the number of criminal actions in FY 2013 rose by 182 cases, and the number of civil cases rose by 105 cases.

According to the OIG, these enforcement results are partially due to the successes of the Health Care Fraud Prevention and Action Team (HEAT).  HEAT is a partnership between Federal, State, and local law enforcement to identify fraudulent health care schemes.   The program combines sophisticated data analysis and investigative intelligence to move quickly against violators of fraud and abuse laws such as the False Claims Act.

There is no doubt that the OIG’s accomplishments in FY 2013 will motivate investigators to root out more health care fraud and overpayment schemes in FY 2014.  To avoid a costly investigation and potential prosecution, providers should take extra care that they are following Medicare and Medicaid laws and properly billing for services rendered to patients.

You can read the entire OIG Semiannual Report here.

For more information about health care fraud and abuse laws, please contact Casey Moriarty.

OIG Okays Provision of Free Services to Uninsured and Underinsured Patients

On October 15, 2013, the Office of Inspector General (OIG) released an Advisory Opinion concerning a community health services organization’s provision of free dental care to financially needy uninsured and underinsured patients that are not covered by Medicaid.

The organization was concerned that the free services violated two aspects of the Medicaid law: (1) the Social Security Act prohibits providers from billing Medicaid charges for items or services substantially in excess of the provider’s “usual charges,” and (2) the Anti-Kickback Statute prohibits providers from offering remuneration to Medicaid patients to induce them to receive services from the provider.

In the Advisory Opinion, the OIG stated that when a provider calculates its “usual charges,” it need not consider free or substantially reduced charges to uninsured or underinsured patients with financial need.  Therefore, the OIG would not seek to exclude a provider from the Medicaid program for providing discounts to financially needy uninsured and underinsured patients.

The OIG also stated that the organization’s provision of free services to financially needy uninsured or underinsured patients does not violate the Anti-Kickback Statute because the free services will not be provided to Medicaid patients.  The Anti-Kickback Statute would only be implicated if a provider used the free services as a means to induce Medicaid patients to order additional services that could be billed to the Medicaid program.

The bottom line is that providers may offer free services to uninsured or underinsured patients with financial hardship.  With that said, it is critical that providers have uniform eligibility criteria to determine whether such patients actually are financially needy.  In separate guidance released in 2004  the OIG outlined factors that providers should consider in determining financial need, including:

  • The local cost of living;
  • A patient’s income, assets, and expenses;
  • A patient’s family size; and
  • The scope and extent of a patient’s medical bills.

By applying these factors uniformly at all times, providers can ensure that their provision of free or discounted services meets OIG requirements.

If you would like more information please contact Casey Moriarty.

Reducing the Risks of Third-Party Access to EHR Systems

UnityPoint Health, a health system located in Iowa, recently informed 1,800 patients of a breach of their health information.  UnityPoint learned of the breach after an audit discovered that a third party contractor’s employee had improperly gained access to the UnityPoint electronic health record (EHR) system and viewed the records of the 1,800 patients.

The UnityPoint breach shows the risks of allowing a third party contractors, known as “business associates,” to access health information in an EHR system  While such access may be required for certain activities, including billing, claims management, or utilization review, providers must be certain that the business associate agreements with such contractors include strong protections for the provider.

For example, business associate agreements should include requirements for the business associate to indemnify the provider for expenses resulting from HIPAA breaches, pay all notification costs associated with such breaches, and maintain insurance policies that provide coverage for a large breach.

Although strong language in a business associate agreement provides legal protection for a provider, it will do nothing to counteract the public relations fallout that results from notifying patients of a breach.  Therefore, providers should make every effort to contract with legitimate entities that understand HIPAA compliance.

If you would like more information about HIPAA compliance, please contact Casey Moriarty.

Want to Get Paid for Inpatient Admissions? Follow CMS Certification Requirements.

In its final regulations for the 2014 Inpatient Prospective Patient System, the Centers for Medicare and Medicaid Services emphasized the importance of physician certifications. Under the regulations, Medicare will only pay for an inpatient admission if a physician certifies the medical necessity for the stay. The first piece of such certification is for the physician to complete an inpatient order when he or she expects that the patient will require a stay that crosses at least two midnights.

In addition to the order, physician certification for the inpatient stay also must include the following information:

  • Certification that the inpatient services were ordered in accordance with the Medicare regulations governing the order;
  • The reasons for either: (1) hospitalization of the patient for inpatient medical treatment or medically required inpatient diagnostic study; or (2) special or unusual services for cost outlier cases under the inpatient prospective payment system;
  • The estimated time the beneficiary requires or required in the hospital;
  • The plans for post hospital care, if appropriate, and as provided in the Medicare regulations; and
  • For Critical Access Hospitals (CAHs), the physician must certify that the patient will reasonably be expected to be discharged or transferred to a hospital within 96 hours after admission to the CAH.

Physicians must complete all certification for the inpatient stay prior to patient discharge. In order to help ensure Medicare payment for inpatient admissions, hospitals should educate physicians on the importance of certifications, and provide assistance to physicians in gathering necessary documentation.

CMS has prepared a guidance document about hospital inpatient admission orders and certification. For more information about inpatient admission certification, please contact Casey Moriarty.

Critical Access Hospital Reimbursement May Be In Trouble if CMS Changes Rules

The Centers for Medicare and Medicaid Services (CMS) has signaled its intent to increase enforcement of the location requirements for critical access hospitals (CAHs).  CMS created the CAH certification program to provide additional reimbursement for hospitals in rural areas that are located more than 35 miles from another hospital, or more than 15 miles from another hospital if the area has mountainous terrain.

Prior to 2006, states could designate certain hospitals as “necessary providers” that did not have to meet the location requirements.  Many of these “necessary provider” CAHs would not meet the current locations standards for the CAH designation.

A recent report from the Department of Health and Human Services (HHS) found that CMS would have saved $449 million in 2011 if it had decertified all CAHs that were 15 or fewer miles from their nearest hospitals.   In order to take advantage of these potential savings, CMS has stated that it will seek legislative authority to remove the “necessary provider” exemption, and require all CAHs to meet the location requirements.

In addition to removing the exemption, CMS has also agreed to pursue other changes to the CAH program, including:  (1) periodically reassess CAHs for compliance with all location-related requirements; and (2) apply a uniform definition of “mountainous terrain” to all CAHs.

It is important to note that these changes would require legislative action by Congress and currently there is no such legislation to take action on these recommendations.  Nevertheless, CAHs should keep a close eye on these potential changes as they could have a huge impact on the reimbursement levels of CAHs that do not currently meet the location requirements.  Please contact Don Black or Casey Moriarty for more information.

Private Payors Attempt to Apply 2% Sequester to Providers – CMS Says “No” (Mostly)

The recent sequester of federal spending triggered automatic, across the board cuts in the federal budget.  Included in these cuts is a 2% reduction in Medicare reimbursement to providers.  The cuts went into effect on April 1, 2013.

In the aftermath of sequestration, many private health insurance companies have attempted to reduce their reimbursement to providers for services provided to non-Medicare patients by the same 2% amount.  These insurers argue that the reimbursement rates in their contracts with providers are based on Medicare payment methodologies; therefore, they are entitled to implement the 2% cuts.  The truth is a bit more complicated.

According to Medicaid Administrative Contractors like Noridian the 2% payment reduction under sequestration is applied to claims only after determining the final  Medicare payment.   All fee schedules, prices, etc., are unchanged by sequestration – it is only the final payment amount that is reduced.

Therefore, if an insurer’s contract with a provider states that the insurer’s reimbursement is based on Medicare fee schedules, the insurer may have a difficult time arguing that it has a contractual right to reduce reimbursement by 2% based on sequestration.

Additionally, in a memo dated May 1, 2013, the Centers for Medicare and Medicaid Services addressed the impact of the sequestration cuts on Medicare Advantage Organizations (“MAOs”) and Medicare Part D sponsors.  According to CMS, the 2% cuts apply to reimbursement received by MAOs and Part D Sponsors, but such organizations can not pass on the cuts to contracted providers.   One exception to this rule is if the contract between the provider and the MAO or Part D sponsor has a specific provision that allows the organization to pass on sequestration cuts to providers.

Providers should carefully track their reimbursement rates to determine if private insurers are improperly taking advantage of sequestration’s Medicare cuts to lower their contractually required payments to providers.  If you would like assistance in protesting any private payor sequester related cuts please contact Casey Moriarty or Don Black.