2015 ACEP Reimbursement, Las Vegas, January 14, 2015.
Hot Topics in ED Coding and Billing: The Heat is On
Ed Gaines, JD, CCP, Chief Compliance Officer
Zotec-MMP [email protected]
The Caveats . . . from my legal advisors…Do-we, Cheat-em and Howe, in honor of Tom Magliozzi
1st: these are my opinions—not organizations that I’m a part of.
2d: seek and obtain experienced professional advice in legal and/or accounting matters—and I will try to flag areas that such advice is warranted.
3d: “Information contained within this document is for general information only and should not be construed as legal advice. It is neither an offer to represent you, nor is it intended to create an attorney-client relationship. Please consult with an attorney for specific legal advice pertaining to your circumstances.”
And you may have been expecting one of my favorite lawyer caricatures ….
“Judge: Mr. Cirroc, are you ready to give your summation? Cirroc: [ stepping out] It's just "Cirroc", your Honor.. and, yes, I'm ready. [ approaches the jury box ] Ladies and gentlemen of the jury, I'm just a caveman. I fell on some ice and later got thawed out by some of your scientists. Your world frightens and confuses me! Sometimes the honking horns of your traffic make me want to get out of my BMW.. and run off into the hills, or wherever.. Sometimes when I get a message on my fax machine, I wonder: "Did little demons get inside and type it?" I don't know! My primitive mind can't grasp these concepts. But there is one thing I do know - when a man like my client slips and falls on a sidewalk in front of a public library, then he is entitled to no less than two million in compensatory damages, and two million in punitive damages. Thank you.”
Goals and Objectives:
Describe the basics of an effective compliance program, “compliance folklore” and hidden traps for the unwary
Identify pre-billing (e.g. coding) and post billing (e.g. refunds) risks and pitfalls
HIPAA “Omnibus Rule” implications
Analyze compliance risk management strategies
[Chart: ED volume was up pre-ACA; impact.]
Why would gov’t and private payors care that much about the EDs from a compliance & regulatory standpoint?
Used to be that you could have a list of acronyms and a glossary, but that was then and this is now…
http://www.cms.gov/apps/acronyms/
Key Terms and Concepts in Compliance talk to be addressed:
Forward looking risk assessment.
Pre-billing, e.g. coding including modifiers.
Post-billing, e.g. refunds, credit balances.
Upcoding/undercoding, e.g. both can be issues.
Unbundling, e.g. abuse of the -25 or -59 modifiers
Corrective action plans/programs (CAPs).
Compliance—with what or whom?
Key Agencies/Players in compliance and fraud and abuse (F&A)
Executive Branch:
Secretary of Health and Human Services (HHS)
The Centers for Medicare & Medicaid Services (CMS)
HHS Office of the Inspector General (OIG)
US Attorney General
The US Attorney’s Office (USA)
Medicare Administrative Contractors (MACs)
F&A recovers $7 for every $1
Fraud and Abuse defined in the context of healthcare: not what you may think
In general, fraud is defined as “knowingly” making false statements or representations of material facts to obtain some benefit or payment for which no entitlement would otherwise exist.
In healthcare, “knowing” includes intentional acts but also deliberate ignorance or reckless disregard of the truth or falsity of the claim.
Examples could include:
1. Knowingly billing a higher level of service than the documentation supports, or billing when the documentation does not support the claim submitted.
2. Knowingly adding modifiers to claims without supporting documentation for the modifier in order to obtain payment.
3. Knowingly failing to repay refunds or overpayments that are identified as such, and retaining government funds.
Fraud and Abuse defined:
Abuse is defined as practices that are inconsistent with sound medical, business or fiscal practices; actions when there is no legal entitlement to payment; or acts in which the intent to submit false information cannot be proven. Examples:
Unknowingly billing a charge for a service that was recently bundled into the primary procedure.
Re-billing claims w/out legitimate basis.
The Physician’s Obligations Under Medicare (MCA):
http://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/Avoiding_Medicare_FandA_Physicians_FactSheet_905645.pdf
CMS reminds us of the ACA’s mandate for compliance programs—subject to final regs.
https://oig.hhs.gov/compliance/provider-compliance-training/files/Provider-Compliance-Training-Presentationv2.pdf
http://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/Avoiding_Medicare_FandA_Physicians_FactSheet_905645.pdf
OIG’s 2015 Work Plan Highlights:
Provider-Based Svs: OIG is reviewing CMS’ current criteria. 2015 CMS Final Physician Fee Schedule Rule changes to POS 22.
Physician Place of Service (POS) coding errors.
“New vs. Established” E/M Svs.—Urgent Care Clinic issue and office-based POS, e.g. “moonlighters” (Part B News 9/15/14).
Medicaid credit balances (C/Bs) & refunds.
OIG Report on Improper Payments for E/M, June 2014
Random sample of 657 records from a universe of 369 Million Part B claims for 2010.
21% E/M error rate, or $6.7 Billion paid in error. 42% of E/Ms were incorrectly coded; a further 19% had insufficient documentation.
OIG excluded important documentation issues.
Top 1% (“high coding physicians”): 56% errors; 99% of E/M errors for this cohort were over-coding.
https://oig.hhs.gov/oei/reports/oei-04-10-00181.asp
CMS has new Medicare billing revocation authority per final rule published 12/5/14.
Medicare privileges may be revoked for a pattern or practice of non-compliant billing (as opposed to sporadic or occasional denials).
Factors include:
1. % of claims submitted that were denied.
2. Total # of denials.
3. Reasons for denials.
4. Time period for the pattern of denials.
5. Provider’s Hx of “final adverse actions”.
6. Length of time the provider has been enrolled.
https://s3.amazonaws.com/public-inspection.federalregister.gov/2014-28505.pdf
Stat sampling & extrapolation to prove FCA liability vs. FCA damages: Life Care Centers of America (USDC ED Tenn. 9/29/14).
Extrapolation defined.
Here: feds used 400 inpatient records to extrapolate FCA liability to the universe of 54,396 Pt. admissions/154,621 claims.
Hypothetical: say 1% of the 400 records were found to be coded and billed w/ > “mere negligence”.
If 1% of the universe meets the “deliberate ignorance” or “reckless disregard” stds., then FCA penalties are $8.5 Million ($5,500 per claim min.) to $17 Million ($11,000 per claim max.).
http://www.beckershospitalreview.com/legal-regulatory-issues/sampling-extrapolation-to-prove-fca-liability-approved-by-district-court.html
Strategy for CCP requirement for compliance policies: pre-billing controversial issues.
Examples of areas for policy/procedure development:
1. CC charts—request for time statement or not?
2. Deficient hx, ex or MDM documentation—request add’l information or not?
3. What is “additional work up planned”?
4. What is “prescription drug management”?
5. How does the individual EDP’s acuity analysis look versus Medicare data, his/her group or similar practices?
“So what? Why do I need a culture of compliance and ethics in my group/company?”
The Federal False Claims Act (FCA): sources of liability, whistleblowers and Qui Tam Relators.
FCA: All Federal Payors: Medicare (MCA), Medicaid (MCD), Tricare and FEHBP. Governmental payors defined: MCA, MCD, Tricare and the Federal Employees Health Benefit Plan (FEHBP). Exchange plans??? DHHS says no.
FCA liability may be found in any one of the following as “knowing” or “knowingly” submitting false claims:
Knowingly allows or encourages falsity.
Deliberate ignorance of the truth or falsity.
Reckless disregard of truth or falsity.
The FCA does not require specific intent to defraud.
FCA (cont.)
$5,500 minimum/$11,000 max federal penalty per CMS 1500 claim form. Plus treble damages (overpayment). State False Claims Acts may be in addition to the federal liability.
Relators = Qui Tam provisions of the FCA: 15-30% of the FCA recovery + attorney’s fees.
FCA Penalties v. Overpayment Liabilities—who’s liable and for what? FCA penalties ($5,500 min. per claim) apply if 1 or more of the 3 standards are met:
“knowingly presents, or causes to be presented, a false or fraudulent claim for payment or approval” 31 USC Section 3729.
So FCA penalties apply jointly/severally to the Physician Group AND to the Billing Company (B/C).
Distinguish the “overpayment” liability (damages), e.g. over-coded Level IV to Level V:
Remittance of MCA reimbursement goes to the group’s lock box.
Phys. Group is liable for the difference between Level V and Level IV: $57.00 (2015 RVUs).
Mitigation Strategy: ED Groups
Request billing company or hospital errors and omissions insurance information.
Understand the scope and limitations of coverage, e.g. no B/C coverage for overpayments?
“Fraud” & “Intentional Acts” exclusions.
Deductibles and AM Best Rating of the E&O Carrier: A++, A+ (Superior); A, A- (Excellent); B++, B+ (Good).
Hot Topics Round 1: Electronic medical (health) records (EMR/EHRs), OIG Studies and Strategies to Address Issues.
CMS Transmittal 438 Introduces a new concept: “Limited Space Templates” (Nov. 2012):
Templates are ok, but . . .
“Limited Space Templates” are “discouraged”
http://www.cms.gov/Regulations-and-Guidance/Guidance/Transmittals/Downloads/R455PI.pdf
http://oig.hhs.gov/oei/reports/oei-01-11-00571.pdf
The January 2014 OIG Report: Study #2
Report cites two documentation practices that can be used to commit fraud: Copy and paste or cloning, and Over-documentation.
Tips and Strategies re: EMR risks, from the physician perspective:
“CUT AND PASTE: can be considered fraudulent misrepresentation if importing into YOUR medical record information generated by OTHERS without appropriate attribution.
MACROS: may be compliant if the information they shortcut into the medical record is tailored to specifically reflect the PATIENT-SPECIFIC findings, and that all the QUESTIONS/FINDINGS that the macro incorporates were, in fact, ASKED/FOUND by the provider.”
EMR/EHR: 5 Strategies for risk mitigation:
1st: Track the problematic functionality, e.g. cut & paste or pre-population of notes w/ default narratives.
2d: Look for similarities in structured fields, e.g. whether the same pain scales were found across diags. (Report on Medicare Compliance 11/17/14)
3d: Prohibit pre-population of notes w/ default narratives, e.g. particularly w/ the HPI for Medicare.
What to do? Strategies re: EMR compliance issues from the legal perspective.
4th: Conduct independent coding audits re: cut/paste and overdocumentation: check the actual chart output/printed against Medicare MAC guidance for TP/residents and NPPs.
5th: Establish & audit clearly defined “electronic signatures” for orders at shift change and “standing orders” w/ hospital and staff. Palmetto GBA Medicare MAC: the physician’s name and date appearing in the chart w/ log-in and password is an electronic signature. (MPIM Chapter 3)
Hot Topics Round 2: Issues in Short Stay Admissions v. Observation and the Emergency Dept. Physician (EDP); Newly Announced Qui Tam settlements & cases
Two ED physicians file a Qui Tam against HMA alleging kickbacks offered for admissions.
http://www.beckershospitalreview.com/legal-regulatory-issues/former-ed-directors-claim-hma-offered-kickbacks-to-admit-medicare-patients.html
Two separate sets of allegations against two separate HMA hospitals and HMA corp.
Allegation that HMA required “50% admit rate for MCA pts.”
DOJ has joined the case.
HMA denies allegations.
According to the Charlotte Observer Jan. 3, 2014:
http://www.charlotteobserver.com/2014/01/02/4583725/doctors-allege-for-proft-owner.html#.VI9BrDHF-4I
Short-stay Admissions vs. Observation continues to be a hot topic
Allegations and outstanding litigation remains against HMA on related issues.
CMS announced in Jan. 2011 that Interqual or Milliman criteria are no guarantee that the admission will pass audit review.
http://www.cms.gov/MLNMattersArticles/Downloads/SE1037.pdf
Highly unlikely that the Feds will endorse “software driven” decision making for admit criteria—yet a role to be played for objective criteria.
http://www.modernhealthcare.com/article/20140804/NEWS/308049939/
MedPac is intent on addressing multi-layered issues w/ Obs and short stay IPs
Options:
1. Qualify Obs. toward SNF coverage;
2. Reduce $ differences for 1 day IP vs. Obs
3. Permit hospitals to waive charges for self administered drugs for Pts in Obs.
CMS Signature Requirements (CMS MLN MM6698, March 16, 2010)
Requirements Met:
• Legible full signature
• Legible first initial & last name
• Illegible signature over typed/printed name
• Initials over typed or printed name
Requirements NOT Met:
• Initials alone
• Unsigned typed note with provider’s typed name
• Unsigned handwritten note
• “Signature on file”
• Illegible full or partial signature
• Stamp signatures
“If the sig. requirements are not met, the reviewer will conduct the review without considering the documentation with the missing signature.”
WPS Medicare MAC, J5 Part B: Definition of electronic signatures for EMRs and Orders.
http://www.wpsmedicare.com/j5macpartb/departments/cert/signature-guidance.shtml
http://www.wpsmedicare.com/j8macpartb/departments/medical_review/2010_0510_mrchecklist.shtml
Risk Areas: Teaching Physicians (TP), Residents and Students
CMS Transmittal 1780: TP linkage statement and key portion note.
CMS Transmittal 811: EMR “macro” statements may not be sufficient.
Students – MD, PA or NP – are not licensed practitioners!
Students CANNOT document the Chief Complaint or HPI, perform the Exam or participate in the Decision-Making = NONBILLABLE.
Consult with coding and billing gurus on specific areas of risk in the TP settings:
Critical care documentation by the resident and critical care time for the TP.
Major and minor procedure requirements for TP presence and documentation.
Check for specific MAC guidance on the specificity of the TP statement.
Errors and Omissions Insurance required of your coding and billing company.
Definition of Shared Service
"A split/shared E/M visit is defined by Medicare Part B payment policy as a medically necessary encounter with a patient where the physician and a qualified NPP each personally perform a substantive portion of an E/M visit face-to-face with the same patient on the same date of service. A substantive portion of an E/M visit involves all or some portion of the history, exam or medical decision making key components of an E/M service." CMS Transmittal 1776 (emphasis added)
Limitations of “shared visit billing” for NPPs
The physician/NPP shared service concept applies ONLY to E/Ms—not procedures performed by NPPs.
NPPs must be enrolled with Medicare and procedures billed under their NPIs, not the EDP’s. Check practice mgmt. systems for separate NPP tracking and enrollment.
Health plans are increasingly trying to adopt Medicare’s 85% reimbursement.
Shared Visit or “Face to Face” Concepts
From CMS IOM Publication 100-04, Chapter 12, Section 30.6.1(B) and Section 30.6.13 (H) and CMS Transmittal 1776:
Physician and NPP must be from same group practice.
Both must personally perform “face to face” encounter of the E/M.
Both must document the part(s) they perform
“Leased employment” structures for NPPs
General Hospital EIN/Tax ID: NPPs are W2 employees of General Hospital. MDs are W2s of XYZ ED Group or Faculty Practice Plan.
1. Hospital permits XYZ to bill for NPPs—effectively a subsidy.
2. Three-way leased employment contract w/ hospital, NPPs and XYZ.
3. ED NPPs are supervised by ED MDs.
4. NPPs retain hospital benefits & stability.
Documentation requirements for shared visits—CGS Part B MAC (OH & KY)
“In all cases documentation must substantiate the medical necessity of the shared/split visit … & the medical record should contain enough detail to allow a reviewer to:
• Identify both providers
• Link the physician notes to those of the NPP
• Include legible signatures from both providers
• Confirm that the physician and the NPP both saw the Pt face-to-face
• Include legible/electronic signature”
CGS—what is a “face to face encounter”? CGS provides 2 examples.
Example #1: “I have personally performed a face to face diagnostic evaluation on this Pt. My findings are as follows: Pt presents w/ abscess, onset 3 days ago. Has tried warm compress & hot shower for relief. Exam shows right gluteal abscess 3cm warm, tender and fluctuant. Incision & drainage not indicated, started on MRSA antibiotic coverage.” /s/ by supervising physician
http://www.cgsmedicare.com/partb/pubs/news/2013/1113/cope23908.html
CGS’ acceptable “face-to-face” documentation.
Example #2: “I have personally performed a face to face diagnostic evaluation on this Pt. I have reviewed and agree w/ the care plan. Hx and Ex by me shows: abdomen was tender to touch, no rebound. Labs/CT scan negative. IM Toradol given for pain. Pt discharged home.” Signed by supervising physician
WPS, J8 MAC (MI & IN): Examples of Unacceptable Documentation for Shared E/M Visits.
“‘I have personally seen and examined the patient independently, reviewed the PA’s Hx, exam and MDM and agree with the assessment and plan as written’ signed by the physician.”
“Documentation by the NPP stating ‘The patient was seen and examined by myself and Dr. X., who agrees with the plan’ with a co-sign of the note by Dr. X.”
http://www.wpsmedicare.com/j8macpartb/resources/provider_types/inpatientsplitem.shtml
Hidden Traps for the Unwary in Pursuing Self Pay (Self Responsible) Balances: Waiving Cost Sharing, TCPA & FDCPA
Definitions:
“Guarantor”: one responsible for payment (which may be the Pt. or not).
Co-insurance and/or deductibles that are the Pt.’s responsibility have been renamed “cost sharing”.
Distinguish Pt. Self-Responsible vs. Pt. self-responsible after insurance.
What is Balance Billing?
In-network Provider: Healthcare provider has negotiated a rate with the insurance plan and agreed to accept that rate as payment in full (there is no “balance”). Guarantor is responsible for the deductible, co-pay, co-insurance, and non-covered charges (“cost sharing”). This is not balance billing.
Out-of-network Provider: Insurance company and provider have not agreed to a rate; thus, no contract has been signed. Guarantor is responsible for the difference between full billed charges and what insurance pays. In other words, there is usually a balance. If the Guarantor gets a bill for the balance, it’s balance billing.
What is “balance billing” in the OON context?
The difference between: 1. the out-of-network provider’s charge and 2. the amount paid by the insurance plan for the out-of-network service.
Example: Billed Charge $500; Insurance “Allowable” $300; Balance (difference between Allowable & Charge) $200, billed to the “guarantor”.
Medical debt is skyrocketing and shows no signs of lessening: nearly 4-fold increase in Pts. w/ deductibles of $1K or > since 2006, per the Kaiser Family Foundation. http://www.cnbc.com/id/102070499
Bronze plans (60% of actuarial value [AV]) are high deductible health plans (HDHPs)—little to no first dollar coverage for physician services. Some limits to cost sharing up to 250% of federal poverty levels (FPL).
Silver plans (70% of AV) may have better 1st $ coverage but similar limits on cost sharing up to 250% of FPL.
20 yrs. ago: 2 Pt statements + “pre-collect” letter.
Today’s challenge: software, systems and process in place to repeatedly and lawfully contact the patient regarding payment. Telephone Consumer Protection Act (TCPA) and Fair Debt Collection Practices Act (FDCPA).
“Insurance only” & discounting based on financial need: OIG
1st: OIG Fraud Alert: Routine Waiver of Co-payments or Deductibles, 12/19/94. Waivers may implicate the federal anti-kickback statute if one purpose is to generate more patient volume.
2d: OIG Guidance Feb. 2, 2004: there is no prohibition on discounting services based on financial need. Factors: 1. local cost of living, 2. patient income and expenses, 3. family size and 4. extent of patient’s bill.
BCBS of Alabama’s Provision: waivers are ok for professional courtesy or financial need; otherwise, waiver=breach of contract.
Tips for “prompt pay discount” plans:
Written plan w/ counsel input as state law may control.
Offered to both Pts. & health plans that pay w/in X days, consistent application & communication.
Apply the discount to “usual and customary charges” on the front end.
Discount amount tied to savings of billing/collection costs, e.g. 20-30%
http://www.texmed.org/template.aspx?id=25341
Health plans are watching Pt. cost sharing discount programs carefully
TJ Kennedy v. CIGNA, 924 F. 2d 698 (7th Cir. 1991) is one of the leading cases re: waivers of Pt cost sharing.
http://www.law360.com/articles/459700/cigna-knocks-40m-hospital-reimbursement-suit-in-5th-circ
http://www.americanbar.org/publications/aba_health_esource/2014-2015/september/out_of_network.html
Strategies for Avoiding Traps and Enhancing Pt. Responsible Balances:
Telephone Consumer Protection Act (TCPA) 1991.
Federal law prohibits automated dialer calls to cell phones (any # where the called party is charged a fee) w/out the Pt’s prior express consent.
Purpose: to regulate overly aggressive telemarketing/automated “robo-calls” & permit consumers to “opt out”, e.g. “Do Not Call List”.
Today: an estimated > 1 of 3 households are mobile-only.
Hidden Trap #3: be careful w/ language in Pt. statements, “pre-collect letters” & phone calls:
Fair Debt Collection Practices Act (FDCPA) strictly regulates collection agencies as to when/where/how Pts are contacted.
Intent: prohibit abusive debt collection practices, and false, deceptive or misleading representations to collect a debt.
Mandatory notification statements to debtors (known as the “mini-Miranda” statements).
Strict liability statute w/ Attorney Fees and Class Action potential.
Be careful in Pt. statement language & phone calls
FDCPA: the definition of “debt collector” excludes creditors (physician groups) and those who act for creditors (B/Cs), AND the FDCPA applies only to debts that are “in default” (15 USC Section 1692a(6)(F)(iii)).
Exception: one federal circuit court of appeals has held that a mortgage servicer who treated a mortgage loan as if it was in default (when it was not actually in default) will be considered a debt collector; see Bridge v. Ocwen Federal Bank, FSB, __ F.3d __, 1470148 (6th Cir. 2012). (MI, OH, KY and TN are all in the 6th Circuit.)
Refunds and credit balances and unclaimed property—areas of compliance that have nothing to do with coding and billing.
CREDIT BALANCES
Definitions:
Credit balance – a balance on a patient account or encounter that is less than $0.00.
Small credit balance – a non-governmental credit balance less than a maximum of -$10.00.
Recoupment – the process of a payor recovering a claim overpayment from a future remittance. This is often referred to as a “take-back”, set-off or voucher deduction.
Governmental payors include Medicare (including Medicare Advantage/HMO), Medicaid FFS and HMOs, Tricare/CHAMPUS and the Federal Employees Health Benefit Program (FEHBP) (administered by Blue Shield [Federal Blue] and several other health plans).
Unclaimed property: small credit balances or returned refund checks that remain unclaimed for an extended period of time.
Fraud Enforcement and Recovery Act of 2009 (FERA), Enacted 5/20/09
FERA removed any doubt that the failure to refund gov’t payor credit balances is a potential False Claims Act issue
Whistleblowers, attorney’s fees and potentially the US DOJ
FERA created the so-called “reverse” False Claims.
Post billing Issues: New obligations for provider overpayment refunds under PPACA.
PPACA now requires that “overpayments” identified after “reconciliation” must be repaid within 60 days. Gov’t payors = Medicare (MCA), Medicaid (MCD), TriCare (TC) and Fed. Employees Health Benefit Plan (FEHBP). A “written explanation” must be provided, per section 6402. CMS’ proposed rule is that the look-back period should be 10 years.
http://www.hbma.org/news/public-news/n_a-look-at-cms-proposed-rule-on-reporting-and-returning-overpayments
REGULATIONS AND STATUTES
CMS issued Proposed Rules 2/13/12. The 60 day clock runs when the overpayment is identified; “identified” means that the person has had the opportunity to undertake “reasonable inquiry” AND that the person has actual knowledge of the overpayment OR is deliberately ignorant of the overpayment.
CMS’ Examples of “identification” of overpayments:
Examples per CMS where the “identification” standard has been met even though the exact amount of the overpayment may not be known:
A provider or supplier reviews billing or payment records and learns that it incorrectly coded and/or billed certain services, resulting in increased reimbursement.
A provider or supplier learns that services were provided by an unlicensed or excluded individual on its behalf.
A provider or supplier performs an internal audit and discovers that overpayments exist.
Through these examples, CMS suggests that “actual knowledge” is present if the provider knows of an overpayment issue, even if the provider has not determined the amount of the overpayment.
Recoupments And Credit Balance Procedures
W/ governmental payers, B/Cs should refund governmental payers and not defer to the recoupment process.
The only time the recoupment process should be relied on for governmental payers is if it is known they will not accept and/or return refund checks.
Relying on the recoupment process can lead to unanticipated risk if recoupment does not occur: no recoupment taken w/in the 60 day period, and additional monitoring of the accounts by staff.
Pre-billing and post-billing risk areas: HIPAA on steroids, a/k/a The HITECH Act and the Omnibus Final Rule.
The HITECH Act of 2009 took HIPAA to the next level.
PHI is individually identifiable health information maintained or transmitted in any form: electronic, paper-based, verbal, other formats (PHI elements are listed in the appendix).
Health Information Technology for Economic and Clinical Health (HITECH) Act, Feb. 2009. HHS Guidance Issued April 2009: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechrfi.pdf
Omnibus HITECH Final Rule effective 9/23/2013.
The HITECH Act of 2009: Congress and DHHS are Raising the Bar on ePHI.
Section 13402 of HITECH requires “notification” by the covered entity following a “breach” of “unsecured PHI.”
“Unsecured PHI” = paper that is not “unusable, unreadable or indecipherable.”
PHI “at rest” (paper or electronic).
PHI “in motion”: electronic demographic SSLs and/or transfers via email of ePHI, e.g. Excel or PDF files of patient-specific ePHI.
The HITECH Act of 2009 (cont.)
PHI is not “unsecured” if the ePHI has been “encrypted”.
The encryption standard is a technical standard—you need to understand the standard.
ePHI “in motion” (e.g. emailed files) must be protected per the VPN standards in the guidance.
So what? If an unencrypted laptop is stolen or ePHI files on a USB drive are lost, there may be a “notification event” for the physician group.
The HITECH Act of 2009 (cont.): what if ePHI is “unsecured” and “breached”?
“Breach” = unauthorized acquisition, access, or use + compromises information. The Omnibus rule of Sept. 2013 had a major impact on “breach”.
Covered entity (CE) must notify patients within 60 calendar days of discovery of the breach:
Notice to patients via US Mail and posting on the website of the CE;
Notice to “prominent media outlets” if ≥ 500 patients;
Notice on the DHHS website required if ≥ 500 patients.
If this doesn’t keep your HIPAA security officer up at night, nothing will.
http://www.modernhealthcare.com/article/20140818/NEWS/308189946
Omnibus Final Security Rule, general compliance effective date of Sept. 23, 2013
Expansion of HIPAA security obligations & potential liabilities from the prior Interim Final Rule in ’09.
Business associates (BAs), e.g. billing and collection companies and IT vendors, who create, receive, maintain or transmit PHI in order to perform a function on behalf of a Covered Entity (CE), e.g. physician group and/or hospital, are regulated directly by HIPAA & directly liable for HIPAA violations.
Each BAA sub-contractor in the chain is also potentially liable.
Omnibus Rule expands HIPAA security obligations and potential liabilities for CEs/BAs.
Rule creates the “presumption” of HIPAA “breach”:
An acquisition, access, use, or disclosure of unsecured PHI that is not permitted under the Privacy Rule is presumed to be a breach, unless a CE or BA demonstrates a low probability that the PHI has been compromised based on a risk assessment considering at least 4 factors:
1. The nature and extent of PHI involved, including types of identifiers and likelihood of re-identification.
2. The unauthorized person who used the PHI or to whom disclosure was made.
3. Whether the PHI was actually acquired or viewed.
4. The extent to which the risk to the PHI has been mitigated.
HHS Bulletin: HIPAA Privacy in Emergency Situations, Nov. 2014, after Ebola Cases:
PHI may be shared w/out Pt. authorization:
1. For “treatment”, e.g. care coordination, management of Pt., consults & referrals, and w/ family/care givers;
2. To public health authorities to prevent or control disease, injury or disability, and sharing Ebola info. w/ CDC is specifically cited; and
3. To prevent or reduce a serious or imminent threat to the health or safety of the public.
HIPAA Privacy & Security apply to CEs (hospital/group/EM Doc) and BAs (B/C). http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/hipaa-privacy-emergency-situations.pdf
Tips and strategies to mitigate HITECH risks:
“We love encryption, and those who use encryption love it, too,” Leon Rodriguez, Director of the Office for Civil Rights, 1/5/2013.
Encryption assures that the information is unreadable, unusable or undecipherable, and qualifies the entity for the “safe harbor” under the breach notification rule.
Encryption should cover any stationary data in your environment: desktops and laptops, backup tapes, USB drives (thumb and portable), servers, mobile devices.
All laptops and desktops that contain ePHI should be encrypted. Flash drives that hold ePHI should be encrypted. All mobile devices (iOS and Android) should have secure transmission software/appliance.
Encryption must be in line with NIST standards.
Cyber Liability Policies or Rider to existing Errors & Omissions Policy.
Compliance Summary:
Effective programs constantly perform risk assessment and analysis, perform vigorous Q/A, provide training and education and take corrective action.
Zero tolerance for retaliation or hostile environments to questioning.
“Worry about the questions that you are not asking—not about the ones that you are asking.”
Contact information:
Ed Gaines, JD, CCP
Chief Compliance Officer
Zotec Partners
Greensboro, NC
877-271-2506
Follow me on Twitter: @EdGainesIII
http://twitter.com/EdGainesIII
Appendix: Distinctions between professional courtesy and waiving cost sharing:
http://www.thehealthlawfirm.com/blog/posts/no-good-deed-goes-unpunished-for-physicians-who-extend-professional-courtesy-or-waive-co-pays-medicare-prohibits-waiver-of-co-pays-and-deductibles.html
Appendix: Gaining Consent for TCPA
“[I/patient/other identifier] acknowledge and agree that [insert company name], or any of [your/its] affiliates, including any bill collection or debt collection companies may contact me by telephone or by text message to any telephone number I provide to you, or at any other telephone number associated with my account, including wireless telephone numbers, which I understand could result in charges. I further agree that you may use any method of contact to any of these telephone numbers, including prerecorded or artificial voice messages, text messages and automatic dialing devices. You may also contact me via electronic mail using any email address I have provided to you for use. I acknowledge the contact information provided to you is private to me and I take sole responsibility for maintaining the privacy of any of the information I provide to you. I further understand that in order to revoke my consent to be contacted, I must send a written revocation of my consent to [insert company name] or to the affiliate contacting me on behalf of [insert company name].” (emphasis added)
© Frost-Arnett Company, All Rights Reserved
The HHS “Wall of Shame” lists breaches affecting ≥ 500 individuals. Direct costs of notification and offering credit monitoring may exceed $30/patient.
Legal fees related to federal and state privacy + costs of litigation in state court w/ possible class action status.
Indirect costs w/ loss of reputation w/ patients and providers.
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
Appendix: What is PHI?
Data are “individually identifiable” if they include any of the 18 types of identifiers for an individual or for the individual’s employer or family member, or if the provider or researcher is aware that the information could be used, either alone or in combination with other information, to identify an individual:
The 18 types of identifiers:
1. Name
2. Address (all geographic subdivisions smaller than state, including street address, city, county, zip code)
3. All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death and exact age if over 89)
4. Telephone numbers
5. Fax number
6. Email address
7. Social Security number
8. Medical record number
9. Health plan beneficiary number
10. Account number
11. Certificate/license number
12. Any vehicle or other device serial number
13. Device identifiers or serial numbers
14. Web URL
15. Internet Protocol (IP) address numbers
16. Finger or voice prints
17. Photographic images
18. Any other characteristic that could uniquely identify the individual
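As an added example that is not part of the presentation, the scanner below checks a record against several of the Safe Harbor identifier categories listed above (contact numbers, email, IP, URL, dates finer than a year, age over 89, and identifier-bearing field names). The regular expressions and the two sample records are constructed for illustration; a production scanner needs patterns tuned to its own data source.

```python
import re

# Constructed regexes for a subset of the 18 Safe Harbor identifier categories.
PATTERNS = {
    "Social Security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Telephone/fax number": re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "Email address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Web URL": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    # Full dates (month/day present) are identifiers; a bare year is not.
    "Date element finer than year": re.compile(
        r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b"),
}

# Field names that carry an identifier by definition, whatever the value looks like.
FIELD_CATEGORIES = {
    "name": "Name", "ssn": "Social Security number",
    "mrn": "Medical record number", "account_number": "Account number",
}


def scan_record(record: dict) -> dict:
    """Return {field: [identifier categories found]} for one record.

    Only fields that contain at least one Safe Harbor identifier are reported.
    """
    findings = {}
    for field, value in record.items():
        hits = [name for name, rx in PATTERNS.items() if rx.search(str(value))]
        if field in FIELD_CATEGORIES:
            hits.append(FIELD_CATEGORIES[field])
        # Exact age over 89 is itself an identifier (item 3 of the list above).
        if field == "age" and isinstance(value, int) and value > 89:
            hits.append("Age over 89")
        if hits:
            findings[field] = hits
    return findings


def is_individually_identifiable(record: dict) -> bool:
    """True when any field of the record carries a Safe Harbor identifier."""
    return bool(scan_record(record))


# Constructed sample records; no real patient data.
SAMPLE_RECORD = {
    "note": "Pt called from 336-555-0142, email j.doe@example.org, seen 03/14/2014",
    "age": 92,
    "mrn": "00481516",
}
DEIDENTIFIED_RECORD = {"note": "Pt called, seen 2014", "age": 45}
```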
Appendix: The HITECH Act: can you say “nuclear winter?”
Featured Health Business Daily Story, Nov. 15, 2011
When Protecting PHI, Don’t Forget Ubiquitous But Risky Back-up Tapes
Reprinted from REPORT ON PATIENT PRIVACY, the industry's #1 source of timely news and business strategies for safeguarding patient privacy and data security.
(November 2011, Volume 11, Issue 11)
“It wasn’t a sophisticated hacker from a rogue nation or a failure of fancy technology that caused the largest health care data breach on record. The recent loss of data on 4.9 million TRICARE patients happened when a thief made off with back-up tapes left in a worker’s car.
Tapes that were not encrypted but were apparently en route to be encrypted. Tapes that, despite advances in data storage over the last decade, are still in use in perhaps a majority of hospitals today.
Until now, back-up tapes haven’t gotten much attention. That should change given they are at the center of this unprecedented breach, now the focus of a $4.9 billion proposed class-action lawsuit and investigation by the Office for Civil Rights.”
Appendix: The full text of the Palmetto Statement regarding teaching physician documentation and EMRs.
Appendix: Resources, References and Links:
HHS Office of Inspector General (OIG): http://oig.hhs.gov/compliance/compliance-guidance/index.asp
OIG’s compliance guidance to third-party billing agencies (Dec. 1998)
OIG’s compliance guidance to individual physicians and small group practices (Sept. 2000)
ACEP’s Fraud, Compliance, and Emergency Medicine (Aug. 2004), on the ACEP Practice Resources Website at www.acep.org
Scribe Article: http://aishealth.com/archive/rmc050911-01
Appendix: Additional Physician Compliance Resources
OIG Advisory Opinions & training slides: http://oig.hhs.gov/fraud/advisoryopinions.asp
http://oig.hhs.gov/compliance/provider-compliance-training/files/Provider-Compliance-Training-Presentationv2.pdf