HIPAA Compliance: Two Things to do Going Forward

Written By Joanne Ceballos 

Since the publication over 20 months ago of the HIPAA Final Omnibus Rule, there has been no shortage of recommendations and advice to health care providers from trade organizations, industry consultants, attorneys and the Office of Civil Rights of the U.S. Department of Health & Human Services (“OCR”) about the steps providers should take in order to achieve HIPAA compliance.  Last week marked a final deadline for Omnibus Rule compliance—September 23, 2014, was the date by which covered entities were required to update their agreements with business associates to include certain provisions required under the Rule.  

Despite the volume of available guidance, health care providers may not appreciate that the process they went through over the past year should be repeated on a regular basis. In particular, covered entities are required to review and modify their HIPAA security measures “as needed to continue provision of reasonable and appropriate protection of electronic protected health information [ePHI].”  45 CFR 164.306(e).  In other words, providers who create, store or transmit ePHI should conduct another HIPAA Security Risk Assessment when they make changes to their information systems, or when they are apprised of new potential external threats to existing systems.  The failure of providers to reassess their HIPAA security measures following changes in IT infrastructure and applications was a recurring deficiency discovered during OCR’s Pilot HIPAA Audit program, and will be a focus of the new round of audits OCR is beginning this fall.  Providers can minimize the possibility of having an outdated Security Risk Assessment by simply planning to conduct one on a regular basis, perhaps annually or biannually depending on the size of the covered entity’s operations.    

Another aspect of HIPAA compliance that providers should repeat on a regular basis is training regarding the requirements of the HIPAA Privacy and Security Rules.  While HIPAA regulations do not expressly require training to be conducted at prescribed intervals, another focus of the OCR’s audits this fall will be whether covered entities have provided training on the HIPAA standards that are necessary or appropriate for a workforce member to perform his/her job duties.  As with any type of training, in order for HIPAA training to be effective in facilitating employees’ understanding of the regulatory requirements in the context of their job duties, it should be conducted with some regularity, and at least on an annual basis.  Employees who handle medical records requests should receive more in depth training about the patient rights’ provisions of the HIPAA Privacy Rule.

If you are a provider who has invested time and effort over the past year reinvigorating your HIPAA compliance program, preserve the value of your investment by conducting risk assessments and training on an ongoing basis.

Physician Supervision Requirements under CMS Regulations - False Claims Act Cases on the Rise

Written By Melony Anderson
In 2013, the Department of Justice collected over $3.8 billion in qui tam and non-qui tam settlements and judgments under the False Claims Act (“FCA”).  Of the total amount collected, $2.7 billion, or 70% were in cases in which the Department of Health and Human Services (“HHS”) was the primary client agency.  In comparison, cases from the Department of Defense represented just 1% of the total collections.  Surprisingly, the total numbers for 2013 were actually slightly lower than 2012 numbers.  In 2012, total collections were $4.9 billion, with HHS cases representing $3.1 billion, or 63%. 

Notwithstanding the slight decrease in total judgments and settlements, it is clear that one type of case under the FCA is beginning to account for an increasing portion of the total:  cases where the government has alleged that the services were not properly supervised by a physician or a qualified non-physician provider (“NPP”), such as a licensed physical therapist.  

CMS regulations define three types of physician supervision: 

·        General supervision:  the physician or NPP must be available by telephone. 

·        Direct supervision:  the physician or NPP must be “immediately available” and “interruptible” throughout the performance of the procedure.  The physician or NPP does not need to be present in the room.  CMS will not explicitly define “immediate” but has said that the requirement is not met where the physician or NPP is “so physically far away…from the location where…outpatient services are being furnished that he or she could not intervene right away.” 

·        Personal supervision:  the physician or NPP must be in the room during the procedure.    

In order to bill Medicare or Medicaid for certain services, the service must have been appropriately supervised under these definitions.  The government takes the position that services billed but not properly supervised are not “reasonable and necessary” and are, therefore, false claims.  For example, MRIs with contrast require direct supervision.  Although the supervising physician need not be in the room during the treatment, the physician must be “immediately available” somewhere on the premises.  What is more, it is not enough that any physician or NPP is immediately available – the supervising physician or NPP must have within his or her State scope of practice and hospital privileges the ability to perform the service or procedure.   

The following recent settlements provide some insight into the types of services where the government is paying close attention: 

·        A Florida hospital and doctor group settled with the government for $3.5 million.  The allegations in that case were that the group billed Medicare, Medicaid and TRICARE for radiation oncology services (which require direct supervision) that were performed without the necessary supervision.  In particular, the government alleged that the services were often performed while the defendant doctors were on vacation or were working at another radiation oncology clinic.  

·        In April 2013, a North Carolina neurologist and his practice paid $2 million to resolve allegations under the False Claims Act that the neurologist had improperly billed for intravenous immunoglobulin therapy services, which require direct supervision.  The government alleged that the services had been performed by registered nurses when the neurologist was not present in the office suite.  There were no allegations that any patients had been harmed; what is more, in many instances there were other physicians on site and the neurologist himself was, in his words, “no more than 8 seconds away” from the office suite. 

·        A Georgia-based collection of companies settled a False Claims Act case for $1.2 million in April 2013.  The allegations in that case were that the companies had billed for contrast MRI procedures where only clerical staff and technicians were onsite.   

It is worth noting that most, if not all, of the major settlements involved physician supervision over services that require direct supervision, rather than general or personal.  This is perhaps not surprising:  general and personal supervision are clearly and understandably defined, whereas CMS has declined to provide specific time or distance limits that would meet the definition of “immediate” and “interruptible” for direct supervision.  

Direct supervision is required for most outpatient services.  The following is a non-exclusive list of services that require direct supervision:  

·        Diagnostic services furnished to outpatients, including drugs and biologicals required in the performance of those services (for example, MRIs with contrast);

·        IV therapy services, such as chemotherapy

·        Physical and occupational therapy (a licensed therapist must provide direct supervision)

·        Pulmonary, cardiac and intensive cardiac rehabilitation;

·        Glaucoma screening examinations; and

·        Services and supplies provided “incident to” a physician’s services in a non-institutional setting (such as a physician’s office)     

Understanding the level of supervision that a particular service or treatment requires is extremely important, particularly for health care providers who bill for services that they do not perform themselves.  The consequences for billing for services where the requisite level of supervision was not present could be dire and could include not only significant financial liability, but exclusion from federally funded healthcare programs. 

The Medicare Appeal Conundrum

Written By Nate Trexler

We have previously discussed in a number of forums the success achieved by providers in appealing Medicare claim audits and denials to the Administrative Law Judge (“ALJ”) level of the statutory appeal process.  Because of the success in overturning claim decisions, more and more providers have exercised their rights to appeal claim determinations or audits resulting in alleged overpayments.  The number of appeal requests submitted to the Office of Medicare Hearings and Appeals (“OMHA”) increased from approximately 1,250 per week in 2012 to 15,000 per week in 2014.  This incredible increase has caused a log jam, where the average processing time for an appeal request is now 464 days and providers are awaiting ALJ hearings in over 1 million appeals.

The OMHA simply cannot keep up.  This backlog resulted in a Center for Medicare Advocacy class action suit filed in August, seeking declaratory, injunctive, and mandamus relief to compel the federal Department of Health and Human Services to meet the 90-day statutory deadline for reviewing appeals of claim denials.  The American Hospital Association filed a similar lawsuit.

At the end of last year, faced with a backlog of pending appeals involving over 460,000 claims for services and entitlement, the OMHA suspended the assignment of new provider appeals to ALJs for at least 24 months.  Many in the healthcare industry point to increasing RAC audit denials as the reason for the strain on the appeal system.  The American Hospital Association reported that there was a 30-fold increase in RAC denials since 2010.  Hospital appeals have seen a corresponding increase from around 17 per hospital in 2010 to more than 300 per hospital in 2013.  According to the American Hospital Association, hospitals won nearly 70% of the claims for which the appeals process was completed.

In an effort to reduce the pending appeals, CMS has offered an “administrative agreement” to acute care hospitals and critical access hospitals that agree to waive their right to an appeal in exchange for a partial payment of 68% of the net payment amount.

CMS also announced two new initiatives it hopes will reduce the backlog: the Settlement Conference Facilitation Pilot and the Statistical Sampling Initiative.

The Settlement Conference Facilitation Pilot adopts an alternative dispute resolution process in order to negotiate settlements, rather than litigate the claims dispute through the administrative appeal process.  There are a number of criteria that must be met to be eligible, including the fact that it is only available to Part B claims and appeals filed in 2013 but not currently assigned to an ALJ.  This may be a viable alternative for physicians with Part B claims currently stalled in the process.

The Statistical Sampling Initiative is available to claim appeals currently assigned to one or more ALJs or filed during a specific time period.  The Initiative is designed to streamline the appeal process for providers with a large number of claims.  A statistician will select a sample and the ALJ will make a decision based on the sample.  After a decision is reached, a CMS contractor will extrapolate the result of the sample to all of the claims at issue.

These programs will not work immediately, and the 24-month delay remains until OMHA can handle the backlog.  This delay can have a noticeable impact on providers with solid defenses that claims were payable under the Medicare program.  While we strongly encourage an appeal through all levels of the statutory process, providers may face waiting years from when CMS recoups alleged overpayments to when an appeal is fully adjudicated and any potential funds are returned to the provider.  There is no doubt that the audit appeal process should be overhauled.  Likewise, the RAC program should be modified to avoid erroneous denials that tie up providers’ funds for long periods of time. 

In the meantime, providers should focus on internal compliance efforts to prepare for that next audit.

Delaware Facilities that Perform Invasive Medical Procedures: Prepare for Enforcement

Written by Nathan Trexler

Back in February, the Delaware Department of Health and Social Services published a final rule setting forth standards for never before regulated Delaware health care facilities: medical and dental offices.

Pain management physicians, podiatrists, and dentists that perform “invasive medical procedures” in their respective offices are now required to comply with new patient care, medical record, infection control, patient rights, and physical/environmental standards never before applicable to medical or dental offices.  Many Delaware providers may not realize that these regulations could apply to their practices.

An “invasive medical procedure” is defined as any medical procedure, including dental or podiatric procedures, in which the accepted standard of care requires anesthesia, major conduction anesthesia or sedation.  As you can see, whether the procedure is actually “invasive” does not factor into the meaning of the term at all.  For example, manipulation under anesthesia is not “invasive” in any sense, but the standard of care does require anesthesia.  Finally, “anesthesia” is defined broadly to include anxiolysis, conscious sedation, deep sedation, major conduction anesthesia, minimal sedation, moderate sedation or general anesthesia.  The definition of “anesthesia” explicitly excludes (1) local anesthesia, (2) the administration of less than 50% nitrous oxide in oxygen with no sedative or analgesic medications by any route, or (3) a single, oral sedative or analgesic medication administration in doses appropriate for the unsupervised treatment of insomnia, anxiety, or pain.

One of the more strenuous requirements for these offices is accreditation.  The regulations, per statutory direction, require any medical or dental office where invasive medical procedures are performed to be accredited by one of five different accrediting organizations.  The accreditation process can be lengthy and can pose considerable costs.  One accreditation organization that has been contacted reported that the minimum survey fee is roughly $4,300, with an application fee of $775.  This of course does not take into account the costs on a medical or dental practice for the staff time and effort necessary to help complete the accreditation process.  One accreditation organization reported that the accreditation process can take 4-6 months from the submission of an application. 

More problematic, however, is that accreditation organizations are not simply certifying Delaware facilities’ compliance with the Delaware regulations; they impose their own requirements.  For example, one accreditation organization requires a facility to have a governing body that is fully and legally responsible for the performance of the organization, which must satisfy a long list of specific governance requirements.  One such governance requirement is to establish a system of financial management and accountability and formulate long-range plans in accordance with the goals of the organization.  Other requirements govern the actual administration of the organization.  Many of the additional requirements not contemplated by Delaware law are entirely foreign to small medical and dental practices that are not accustomed to being treated like larger, formalized entities.

What is clear from correspondence with the Delaware Office of Health Facilities Licensing and Certification is that the standards, including accreditation, are ready to be enforced.  There are formalized complaint procedures contained in the regulations, and facilities are subject to sanctions, up to an order of closure or order to cease invasive medical procedures, for violations of the regulations.

All such facilities in operation as of July 5, 2011 were required to submit proof of accreditation or the application for accreditation by August 14, 2014.  The deadline has passed, so immediate steps must be taken to achieve compliance.  As for facilities that become operational after July 5, 2011, proof of accreditation must be submitted within 12 months of the first day of operation.  Compliance with the remaining requirements of the regulations must be achieved immediately.