Medicaid Disallows Reimbursement, Requires Reporting for Provider Preventable Conditions

Starting  July 1, 2013, the Washington Medicaid program will not pay a provider for the health care costs of treating conditions that the provider could have prevented.  The rule, WAC 182-502-0022, contains a long list of such conditions and adds a few more acronyms to health care speak, including:

(1) PPC – provider preventable conditions that include hospital and non-hospital acquired conditions;

(2) OPPC – other provider preventable conditions that are a PPC subset of conditions identified in WAC 246-302-030, and;

(3) HCAC – health care acquired conditions that are also a PPC subset occurring in an inpatient hospital setting.

Providers, including inpatient hospitals, must report any PPC to the Health Care Authority even if there is no intent to bill for services related to the PPC.  Health care professionals or designees responsible for or associated with a PPC involving a Medicaid patient must notify the Health Care Authority within forty-five (45) calendar days of confirming the PPC.

A similar reporting requirement applies to hospitals for OPPC.  And, of course, Medicaid patients are not liable for payment of an item related to a HCAC or an OPPC and must not be billed for any item or service related to a PPC.

For information about this new rule or Medicaid reimbursements please contact Greg Montgomery.

Stolen Laptop Leads to Stanford’s Fifth HIPAA Breach

Earlier this month Stanford reported its 5th HIPAA breach since 2009.  This is Stanford’s third largest breach, affecting nearly 13,000 patients.   A broken laptop containing protected health information of pediatric patients was stolen from a restricted area of the Lucile Packard Children’s Hospital at Stanford.  The laptop was un-encrypted and contained patient information including: name, medical record number, age telephone numbers, surgical procedures and treating physicians.  Though the laptop had a broken screen, there is still the possibility of extracting the data from the computer.

Stanford’s other breaches include a disclosure  of 20,000 patient records when a subcontractor of a business associate placed patient information on the web seeking assistance with using Excel, the data was left on the website for nearly a year.  This breach has resulted in a $20 Million class action law suit under California law.

Earlier this year, Stanford announced its largest breach, affecting 57,000 patient records when an unencrypted laptop with patient information was stolen from a physician’s car.  In addition, Stanford reported a breach in 2012 of 2,500 patient records following the theft of an unencrypted laptop from a physician’s office.  Lastly, in 2010, Stanford was hit with a fine after failing to notify the state of California of the theft of a laptop by an employee containing over 500 patient records.

Considering Stanford’s previous breaches, encryption of its laptops would be a good course of action to prevent future HIPAA data breaches.  Stanford has reported that it now encrypts its laptops, but the one that was most recently stolen was unencrypted because the screen was broken.

Lessons learned from Stanford’s misfortunes:  encrypt all PHI and destroy broken devices (remember though broken, the data is still valuable to thieves).

For assistance with  HIPAA and/or the breach notification rules please contact Elana Zana.

EHR Incentive Program Meaningful Use Stage 1 Updated

CMS has recently published a tip sheet consolidating for eligible professionals and hospitals the revisions made to the Stage 1 meaningful use measures that are effective in 2013.  These changes modify the following meaningful use objectives:

  • Public Health Reporting Objectives
  • Electronic Exchange of Key Clinical Information
  • Computerized Physician Order Entry (CPOE)
  • Record and Chart Changes in Vital Signs
  • Electronic Prescribing
  • Electronic Copy of and Electronic Access to Health Information (changes only applicable starting in 2014)

Some of the changes in the measures are required, while others are optional for 2013 but become required for 2014.  To view the Stage 1 changes tip sheet click here.

At the same time CMS also revised its Stage 1 Meaningful Use table of contents and tip sheets for each objective/measure for eligible professionals and hospitals/CAH.

If you have questions regarding the Medicare or Medicaid EHR Incentive Programs or meaningful use generally please contact Elana Zana.

OIG Updates its Special Advisory Bulletin on the Effect of Exclusion from Participation in Federal Health Care Programs

On May 8, 2013, the OIG issued an updated Special Advisory Bulletin on the Effect of Exclusion from Participation in Federal Health Care Programs (the “Updated Special Advisory Bulletin”).  The Updated Special Advisory Bulletin replaces and supersedes the OIG’s 1999 Special Advisory Bulletin on the Effect of Exclusion from Participation in Federal Health Care Programs.

The Updated Special Advisory Bulletin advises that the effect of an OIG exclusion is that the provider will receive no Federal Health care program payment for any items or services furnished by an excluded person or at the medical direction or on the prescription of an excluded person.  The prohibition on payment applies to all methods of Federal health care program payment.  It also extends to items or services beyond direct patient care.  Accordingly, OIG says that an excluded person is prohibited from serving in an executive or leadership role (i.e., as the CEO or CFO, general counsel, director of health information management or director of human resources) for a provider that furnishes items or services payable by Federal health care programs and is prohibited from providing other types of administrative and management services (i.e., health IT services and support, strategic planning, billing/accounting, staff training and human resources).

OIG urges providers to review each job category and contractual relationship to determine whether the item or service being provided is directly or indirectly, in whole or in part, payable by a Federal health care program.  If it is, OIG advises the provider to screen everyone that performs under that contract or category.  This would include, for example, screening nurses provided by staffing agencies or physician groups that contract with hospitals to provide ER coverage, and billing or coding contractors.  OIG warns that relying on the screening conducted by the contractor may not always be sufficient to protect the provider from CMP liability.

The Updated Special Advisory Bulletin warns that providers who arrange or contract with an excluded person face potential civil monetary penalties (“CMPs”) of up to $10,000 for each item or service furnished by the excluded person for which payment is sought, in addition to an assessment of up to three times the amount claimed and program exclusion.  OIG states that CMP liability would apply to the furnishing of all of the categories of items or services that are violations of an OIG exclusion, including direct patient care, indirect patient care, administrative and management services, and items or services furnished at the direction or on the prescription of an excluded person when the person furnishing the services either knows or should know of the exclusion.  Exclusion violations may also lead to criminal prosecutions or civil actions (i.e., claims under the False Claims Act).  OIG urges providers to use OIG’s self-disclosure protocol to self-disclose the employment of or contracting with an excluded person.

To best minimize risk of overpayment and CMP liability, OIG suggests that providers check the OIG’s List of Excluded Individuals and Entities (the “LEIE”) monthly.  OIG also recommends that providers use the LEIE as the primary source of information on exclusion.

To access the Updated Special Advisory Bulletin, click here.

If you have questions regarding exclusions from federal health care programs or provider contracting generally please contact Carrie Soli.

A Window into Hospital Charges – Medicare Releases Data on Charges and Reimbursements

On Wednesday, Medicare released on extensive spreadsheet documenting the average hospital charges and associated Medicare payments for 100 most common Medicare inpatient services.  The release of this data is unprecedented and provides consumers a valuable tool in assessing the cost of treatment.  The data provides insight into the cost for these procedures on both a local and national basis; permitting users to download the data and manipulate it by hospital, region, state, or a variety of other means.  To access the Excel file released by Medicare click here.

The data highlights the discrepancies in hospital charges and reimbursements both nationally and locally.  The release of this information is aimed at providing consumers a better understanding of the cost and reimbursements associated with these procedures.  As explained by HHS Secretary Sebelius “Currently, consumers don’t know what a hospital is charging them or their insurance company for a given procedure, like a knee replacement, or how much of a price difference there is at different hospitals, even within the same city.  This data and new data centers will help fill that gap.”  This data is in addition to the hospital comparison tool previously released by Medicare.

The release of this data has made both national and local news headlines: Puget Sound Business JournalNew York TimesUS News and World Report.

Tax-Exempt Hospitals: IRS Issues Proposed Regs Under IRC 501(r) Regarding Community Health Needs Assessments

In response to Congressional concerns that there was little to distinguish a for-profit hospital from a tax-exempt nonprofit hospital, Congress enacted IRC 501(r) which mandates that tax-exempt nonprofit hospitals:

1.        Conduct community health needs assessments;

2.        Establish and disclose financial assistance policies;

3.        Limit charges to needy individuals; and

4.        Follow reasonable billing and collection practices.

Treasury has issued proposed regulations under IRC 501(r).  The proposed regulations are in addition to Notice 2011-52 which sunsets October 5, 2013.  As noted above, among the requirements of IRC 501(r) is the requirement that the hospital conduct a community health needs assessment once every three years, and to have adopted an implementation strategy to meet the community health needs identified in the assessment.  IRC 501(r) carries some serious teeth.  Failure to comply with IRC 501(r) potentially jeopardizes a hospital’s tax-exempt status.  Also, hospitals that fail to conduct and implement a community health needs assessment may be liable for a $50,000 excise tax under IRC 4959.

The proposed regulations provide a flexible facts and circumstances regulatory scheme and a good roadmap as to how a hospital conducts a community health needs assessment.   More importantly, the proposed regs may be relied upon by a tax-exempt hospital until final or temporary regs replace them.  Some of the highlights from the Regs are:

1.        Hospitals may collaborate with other facilities in conducting a community health needs assessment, and facilities that serve all the same communities may issue a joint report;

2.        Facilities that collaborate with one another may duplicate portions of their reports;

3.        Each hospital must define the community it serves.  However, there is flexibility in the definition.  A hospital may define its community by geography, target populations, and principal functions;

4.        The community health needs assessment must assess and address the needs of medically underserved, lower-income and minority populations in the area it serves;

5.        The community health needs assessment must identify significant health needs, prioritize those needs, and identify measures and resources to address those needs;

6.        The proposed regs require that the facility obtain input from state, regional or local public health departments, and members of medically underserved populations; and

7.        The community health needs assessment must be widely available to the public, e.g. posted on the hospital’s website and making printed copies available.

Once the community health needs assessment is issued, the hospital has until the end of the year in which the needs assessment is issued to issue an implementation strategy which either explains how the hospital intends to address the need, or explain why it does not intend to address the need.

The proposed regulations also provide penalty relief where the error is inadvertent and due to reasonable cause, if it is corrected promptly upon discovery.  More serious errors  that are not willful or egregious may be excused if the facility corrects and provides disclosure.

For more information about these proposed rules or tax law generally please contact Leslie Pesterfield.

False Claims Act Recoveries Top $14.2 Billion

On May 1, 2013, the  Department of Justice announced a settlement with two Montana hospitals that added $3.95 million to its recoveries under the False Claims Act.  According to the announcement, with this additional recovery,  the Department of Justice has used the False Claims Act to recover more than $14.2 billion in federal healthcare payments since January, 2009.

Once again, allegations of hospital-physician financial relationships that violated the Stark law prohibition against self-referral were the stated basis for the allegations of False Claims Act liability.  In this case, according to the announcement, it was alleged that the hospitals paid incentive compensation to certain physicians in a manner that took into consideration the value or volume of the referrals by the physicians to the hospital by improperly including certain designated health services in the formula for calculating physician incentive compensation.

This situation was voluntarily disclosed by the hospitals.  In this regard, an OIG representative was quoted as commenting:

 “There is an expectation that corporations providing services to Medicare and Medicaid beneficiaries adhere to the provisions of the Stark Law.  I applaud St. Vincent Healthcare and Holy Rosary Healthcare for recognizing their potential liability in this matter and making a disclosure”

As part of its on-going quarterly lunch time webinar series, the Ogden Murphy Wallace Healthcare Practice Group will provide a presentation on self-disclosure options and avoidance of state and federal false claims act liability in its June 4, 2013 webinar (to register click here).  If you have questions regarding self-disclosure and overpayments in general please contact Greg Montgomery.

Sequester Payment Reductions to Medicare EHR Incentive Payments

CMS has confirmed that the mandatory reductions in federal spending aka the sequester will affect the Medicare EHR Incentive Program payments made in 2013.  Accordingly, all Medicare EHR Incentive Program payments made to hospitals and eligible professionals will have a 2% reduction.  This reduction applies to any hospital or eligible professional that participates in the program with a reporting period ending on or after April 1, 2013. 

The 2% reduction will not apply to the Medicaid EHR Incentive Program.  Therefore, those hospitals and eligible professionals expecting Medicaid EHR Incentive Program payments will receive the full amount without any sequester related reduction. 

If you have questions regarding the Medicare or Medicaid EHR Incentive Program please contact Elana Zana.

New Court of Appeals Decision Provides Guidance on Medicaid Spenddown Requirements

The recent appellate decision in Multicare v. State of Washington Department of Social and Health Services (DSHS) sheds light on how hospitals should use a patient’s “spenddown” in the billing process for the Medicaid Medically Needy (MN) program.

The MN program assists low-income families with medical costs.  A family can qualify for the MN program if its income is less than a certain amount during a specific base period.  A family that exceeds the maximum income level can still qualify for the program if it pays medical expenses in an amount equal to or over the excess income.  For example, if a family’s income is $500 over the maximum level, it can still qualify for the MN program if it spends $500 on medical expenses.  This process of using excess income is called the “spenddown.”

In the Multicare case, DSHS alleged that the hospital billed the MN program without deducting the spenddown liability of patients.  According to DSHS, this billing practice resulted in overpayments to the hospital. The hospital argued that the spenddown requirements were an enrollment qualification, not a deduction from DSHS’s payments.  The Washington State Court of Appeals, however, sided with DSHS and found that hospitals must factor in a patient’s spenddown to determine DSHS’s payment obligations.

The Court provided examples of how to use a patient’s spenddown, including the following:  A patient has a spenddown liability of $500 and total hospital charges of $450.  The total charges would apply to the spenddown liability, resulting in a new spenddown of $50.  Since a spenddown remains, the patient is not enrolled in the MN program and DSHS has no payment obligations for the services provided by the hospital.  Instead, the patient would owe the Hospital the $450.

Hospitals should review their Medicaid billing policies to ensure compliance with the Multicare decision.  You can view the decision here.  If you have questions or would like to follow-up, please contact Don Black or Casey Moriarty.

HHS Announces New HIPAA Breach Settlement

HHS has announced its first HIPAA breach settlement involving less than 500 patients.  The announcement came on January 2, 2013 following a disclosure by the provider, Hospice of North Idaho.  The facts involved the theft of an unencrypted stolen laptop that contained ePHI for 441 individuals.  HHS found that the provider did not do a sufficient analysis of the risk to confidentiality of ePHI after the new rule went into effect and did not have in place appropriate policies or security measures to ensure the confidentiality of ePHI.  To settle the matter, the provider agreed to pay HHS $50,000 and enter into a corrective action plan.  More information about the settlement, including the settlement agreement can be found at this link on the HHS website.

This settlement shows that HHS takes breach notifications seriously.  At the same time, it appears that HHS will be open to entering reasonable settlement agreements to resolve this type of breach.  Mostly this demonstrates what we all know:  don’t put ePHI on unencrypted laptops or other mobile devices.  For more information, contact Dave Schoolcraft, Lee Kuo or Casey Moriarty.