Perceived Risk Outweighs Actual Harm in Assessing $1.5M HIPAA Fine

The Office of Civil Rights’ recent assessment of a $1.5 million fine for HIPAA violations should be a shrill wakeup call to all health care organizations that use (or allow their physicians to use) portable devices containing patient identifiable information.  The sanction stems from a physician’s lost laptop computer containing electronic protected health information (ePHI).

Importantly, the OCR’s investigation could not establish whether ePHI was used or even accessed, partly because the device was lost in a foreign country.  However, it was not necessary to definitively conclude whether any data had been compromised; the OCR was more concerned that the offending provider had not implemented appropriate measures mandated by the HIPAA Security Rule that could have reduced, mitigated or eliminated the risk altogether.  For the OCR, the heart of the matter was the fact that the covered entity failed to fully assess and evaluate the risk to the confidentiality and security of ePHI on portable devices used by its physicians in their personal activities, and failed to have a process to address when such devices are lost.  In this case, it was the incident itself that caused the organization to formalize and take responsive measures.  The barn door was closed after the horse got out.  To the OCR, the covered entity’s reactive, rather than proactive, approach was totally at odds with HIPAA Security Rule concerns and the mandated obligations of covered entities.

The facts are fairly simple.  A research physician from a Massachusetts specialty hospital facility was traveling to South Korea to give a lecture when he misplaced his backpack in a public area.  A personal laptop, containing health information of several thousand patients, was in the backpack.  The computer was eventually “detected” a few weeks later when it was connected to the internet, and its hard drive was later remotely “wiped”; however, the device was not recovered.  The incident was then reported to the OCR in accordance with the breach notification requirements of the HIPAA Security Rule.

This is an instructive case for a number of reasons.  For one, it is important to recognize that the OCR’s investigation was prompted by the obligatory “breach notification” it received from the provider.  The OCR’s inevitable investigation in turn revealed that there was significant noncompliance with multiple aspects of the Security Rule.  Notably, the OCR determined that the covered entity had lax control over, and little knowledge concerning, its own physicians’ use of laptops issued to them by the organization.  Physicians were permitted unfettered access to the entity’s information, took their devices off-site where they were used for personal activities, and could remotely download information and install applications freely to these personal devices.  Further, while the laptop in question was password protected and had “LoJack” tracking and wiping software, encryption was not employed.  In addition, many weeks passed before a hard drive wipe was effectuated, and only after it was determined that the device had been connected to the internet.  In short, the OCR concluded that the entity had neither conducted an adequate security assessment nor established necessary policies or procedures addressing laptop use, and had not promulgated an appropriate response procedure.  Instead, it reacted to the lost laptop in a scramble of ad hoc activity and only instituted organization-wide changes as a result of this episode.

The most significant issue for the OCR in assessing a $1.5 million fine was not whether the incident caused actual harm to any patient, but the degree of risk of potential harm and whether reasonable steps and safeguards should have been in place to mitigate any data breach.  In short, the entity should have anticipated laptops would be lost and it should have addressed the attendant risks through a deliberate process and in a manner that is “situationally” appropriate for the organization.  Here, the organization abrogated such a duty, thus prompting a fine that may be disproportional to the perceived harm.  This outcome should prompt providers to seriously regard the HIPAA Security Rule, and the OCR’s enforcement efforts, and to abandon any “no harm, no foul” notions they might apply when security breaches occur and must be reported.

What’s Hot on the OIG’s Workplan for 2013


 It’s that time again, when the OIG publishes its annual Work Plan for the coming year, providing insight and a proverbial “heads up” on the areas where potential concern and program integrity efforts are being focused.  Many of the focus areas are ongoing or have been the subject of previous Work Plans, and come as no surprise.  Nevertheless, it is important for practitioners to familiarize or reacquaint themselves with the 2013 Work Plan projects in order to recognize and prioritize compliance areas currently on the OIG’s radar.

Of particular interest for practitioners are the various OIG review projects involving ancillary services.  For example, the OIG is looking at outpatient therapy services by independent therapists, and will focus on high utilization of physical therapy to determine if claims were reasonable, medically necessary and properly documented.  Similarly, high-cost diagnostic radiological tests ordered by primary care and specialty physicians are being reviewed to determine whether utilization rates match industry practices.  The OIG also will review Part B payments for imaging services with an eye towards determining if utilization rates reflect industry practices and if practice expense components within payment rates are commensurate with costs incurred.  Electrodiagnostic testing (needle electromyogram and nerve conduction) is a new area under review, particularly with respect to utilization rates by specialty, the concern being that such services are vulnerable to abuse and inappropriate financial gain.

Errors in billing and claims administration are also the subject of OIG review, with perennially recurring projects directed at incident-to services, place of service coding and E/M services.  A 2009 OIG review of prior claims found that non-physician practitioners often were not properly supervised or that unqualified non-physician practitioners performed services, in each case resulting in payments that were not compensable.  Since Medicare payment for services in a non-facility setting, like a physician’s office, is often higher than the rate that applies in other service locations, there is also concern over whether claims for Part B services performed in ASCs and hospital outpatient departments were coded with the proper place of service.  Another, more recent area of focus involves the documentation supporting E/M services and questions whether Electronic Medical Record documentation processes may result in “cloned” entries (and potentially improper claims) rather than a deliberate process of selecting proper codes based on content of actual service.  Part B payments for chiropractic services are also being reviewed; this area is the subject of ongoing OIG concern since chiropractic maintenance therapy is considered not medically necessary.

Apparently echoing a series of fairly recent OIG Advisory opinions, the 2013 Work Plan also identifies Polysomnography and Sleep Disorder Clinics as areas of potentially questionable billing patterns and possible overutilization.  High utilization rates have also raised questions regarding whether services are duplicative of diagnostic testing performed previously by attending physicians.  Another ongoing and increasing focus of OIG scrutiny is physician-owned distributors (POD) of high utilization orthopedic implant devices.  The Work Plan for 2013 specifically identifies PODs which provide hospitals with spinal fusion implant devices as being under OIG review to determine if such arrangements are associated with high utilization.

These are just some of the many areas of OIG review with which practitioners and facilities alike should become familiar in order to remain current with the health care regulatory compliance curve.

From Intervention to Prevention

“Healthcare Reform,” “PPACA” and “ACOs” all have one certain thing in common:  cost-saving change.  Though debate swirls about politics, timing and the particulars of change, it seems clear that the changing demographics of our country (aging baby boomers) in our economic climate is not sustainable as is.  And it’s no surprise that a compensation system based on how much is done and how much it costs leads to greater expense.  An economic reward system that drives costs up as more and more people are set to join the ranks of the insured (through mandated health insurance and expanded Medicaid) simply underscores the timing of the change.  What does that mean for physicians?

Physicians are asking three key questions:

  1. Is there a future for small or solo practices?
  2. Is fee for service really gonna change?
  3. What can I do right now to adapt?

The Future of the Small Practice

The only solid answer is “less.”  It really depends on complex things like the demographics of where the doctor practices and the number of competitors close by.  That said, as change happens, the hardest hit will likely be the smaller practices, since they lack the personnel and financial resources to weather the change and to invest in adaptation.  Many small practices will likely experience change in such a way that the best they can hope for is to survive, rather than thrive.  Even worse, solo practitioners already know what it’s like to handle all the duties as a physician, keep track of business operations and keep the patients flowing into the practice.  Exhausting.  Without substantial support and resources, it’s just not realistic for most solos to expect to keep up.

Even larger practices are not often run like a business.  The professionals that generate the revenue often manage as well.  Moreover, most medical practices do not market or do any serious “back office” magic (revenue cycle management).  As such, change hits small practices especially hard.  Implementing even new EHR requirements can be consuming for a small practice.  How will it be as changes are made to reduce cost and improve quality?  How will it be when practices begin to see there is opportunity in change, that they may actually make more money in a risk based compensation environment?  Rougher.  Like a herd of buffalo when attacked, circling together is a good strategy.

That said, the vision has to be clear.  Why circle together?  Most medical practices are combining and growing to guard market share, not to manage costs or measure and demonstrate quality.  This is probably the biggest reason why we see larger practices in single specialties, not multi-specialty or primary/specialty based practices.  Most physicians that are adapting by joining larger practices are doing so for the same reason why buffalos circle together—the threat of change.  Though size alone is no panacea, larger practices are definitely in a better position to adapt.

Let’s face it:  few are running after change in healthcare right now.  Few see the opportunity and are leading the charge.  Most are waiting or are just setting the stage.  And most large practices are, at best, a good platform where change can be implemented and costs can be shared and spread among a larger pool.

Will There be a Change to Fee for Service Payment?

Yep.  Simple as that.  It’s already happening.  Bundled payments are in place, even in Florida.  Capitation is old hat for many now.

When?  Over time…  Not right away.  Even ACO aspirants are selecting just one sided risk, testing the water as they see how well they do to reduce costs, improve quality and “earn” their right to bonus money.  Physicians that think fee for service will thrive for decades are kidding themselves, at least in the insured market.  Is there a basis for it in a “second tier” or concierge sort of environment?  Probably.

What Can I Do Right Now?

First, accept that we are approaching a new paradigm of healthcare delivery.  The current model of disease/injury crisis management has prepared no one for the move from intervention to prevention.  And yet, systems that are solidly based in wellness and prevention stand to profit most from the change we all face.

Second, look to shore up your business model.  That means:

  1. Look to join a larger practice that is committed to thriving in the future risk-based compensation scenario.  If the practice is there just to thrive in a fee for service environment and has no commitment to thriving in a risk based compensation model, keep looking;
  2. Market.  Most practices do not market at all, and yet consumers are selecting medical care in the most unlikely environment—the internet;
  3. Look at anything concierge-like.  Most of the public conversation centers around the insured market, mostly the Medicare Shared Savings Program (which has spawned the ACO concept).  What about the rest of the consumers?  As the insured market gets squeezed (remember that consumers are feeling the pressure too with heightened copays, deductibles and benefit limits), you can expect growth of the “second tier,” those who want more and are willing to pay for it;
  4. Build in wellness and prevention.  Not all practices lend themselves to wellness related services that can reduce healthcare costs, but those that do must look at ways to offer cost-saving, wellness and prevention-oriented services;
  5. Enlist the patients.  The concept of “partnering” with patients is strange, but consider the amount of savings and the enhancement of outcomes if physicians could incentivize healthy patient behavior.  Though absent from the public policy conversation, health care businesses that build in patient accountability stand to win big in a payment system that rewards clinical outcomes and cost savings.

Change is frightening.  Even “good” change is frightening.  Just look at all the upset stomach meds sold at airport kiosk counters.  Physicians have a terrific burden at this time.  They not only hold our health in their hands.  They are expected to have skills and time to help create a new environment in which care will be delivered.  Denying change in the healthcare sector is a waste of time and energy.  Looking for ways to thrive in it and even drive it is wise.

Doctors: Beware Signing ACO Documents

There continues to be terrific interest in accountable care organizations (ACOs), which are of course a financially risk-based model of providing healthcare to patients who choose to enroll in the Medicare Shared Risk Program.  ACO organizations are often led by hospitals and hospital systems, though occasionally by physician organizations.  One of the key common threads among these provider led ACOs is the fear of being left out of “the game,” the fear of losing out financially.  This fear, however, can lead physicians to run headlong into danger if and when they sign ACO documents.

 

One of the key ways ACOs get formed involves a stack of contracts being created, then shoved under physicians’ noses.  Doctors afraid to lose out tend to just sign.  The organizations are really to blame here, when the documents fail to contain material terms to deal with things like:  credentialing criteria, disciplinary procedures, financial provisions, how the financial up side or down side can affect physician compensation.  The documents are simply slid under their noses and, in fear of being left out, they get signed!  Or, as my buddy Rodger says “Ready, shoot, aim.”

 

Regardless of a doctor’s view of ACOs, no document ought to be signed unless all the questions raised by them are addressed, very clearly and in writing.  Be at the table with ACO organizers and do your best to design a good system, but don’t be so naïve as to think that the unaddressed portions will magically get filled in somehow in a way that benefits you or that even makes sense.  At the very least, wait until the document is complete, then consider if you want to sign it.

DME Leads: When is a Lead a Referral?

By: David W. Hirshfeld, Esq.

Durable medical equipment is commonly sold through sales leads generated through telephone and/or internet contact.  These leads often begin with a seemingly innocuous internet survey or an application for something unrelated to DME.  This “raw” lead may be as basic as a person’s name, telephone number or email address, and age.  The lead is then further developed and “qualified” by obtaining more details about the subject, such as whether and by whom the subject is insured, what (if any) medical issues the subject suffers from, and the name of the subject’s physician.  Ultimately, the lead is sold to a DME vendor who uses the lead to accomplish the sale of medical equipment or supplies.  In the course of a lead’s birth and life, it is handled by a chain of companies, some of whom purchase the lead, add a level of detail to it, and sell it for a higher price.  In the past year or so, several lead generation companies from the “middle of the chain” have come to me asking me whether their business model gives rise to an illegal kickback.  After a bit of research, I gave the lawyerly answer: “It depends.”

The Federal anti-kickback statute provides that it is a felony for a person or entity to knowingly and willfully offer or pay any remuneration to induce a person to refer an individual for the furnishing or arranging for the furnishing of any item for which payment may be made under a Federal health care program, or the purchase or lease or the recommendation of the purchase or lease of any item for which payment may be made under a Federal health care program.[1]  Florida’s corollary to this Federal law is the Florida Patient Brokering Act, but the Florida statute applies to all health care services, regardless of whether paid for by a Federal program.[2]  The Federal law creates criminal liability, and includes a knowledge requirement.  Congress recognized that business models exist that may appear as willfully paying remuneration in exchange for a referral, but which have more innocent motivations, and are less likely to result in abuse to the health care program at issue.  In order to give the health care industry a measure of comfort, Congress created several “safe harbors.”  If a business model fits within a safe harbor, then it is deemed to not be an illegal kickback under Federal and Florida law.

The Department of Health and Human Services Office of the Inspector General (“OIG”) is the agency charged with enforcing the Federal anti-kickback statute.  In November 2008 the OIG considered a situation in which an advertising company created a website that would give prospective patients contact information for a list of chiropractors in their area, in response to a zip code entered by the prospect.  The prospect paid nothing for the service, but the chiropractors paid the advertiser a fee for each call or contact from the website that lasted over thirty seconds, regardless of whether the contact resulted in a prospect becoming a patient.  This scenario is as close as the OIG has come to opining on a typical DME lead generation.

The OIG found that the chiropractors’ advertising service was not a prohibited kickback, and cited four factors as convincing: (i) the advertising company is not a health care provider or supplier, and is only affiliated with the health care industry through the arrangement at issue; (ii) the advertising program did not target Federal health care program beneficiaries; (iii) the fees paid by the health care practitioners did not depend upon whether the prospect actually became a patient; and (iv) the advertising program did not steer patients to a particular chiropractor.

When applied to the DME context, the OIG opinion and the anti-kickback statutes suggest that leads can be sold for a per-lead fee as long as the leads are not priced, and do not contain information so detailed, such that the purchaser can cherry-pick those leads it wants to purchase based on the likelihood that the lead will result in an actual sale of covered DME.  For example, a “raw” lead comprised simply of a prospect’s name, contact information, and interest in speaking with a DME supplier is probably the sort of lead that could be sold for a per-lead fee without running afoul of the anti-kickback prohibitions.  As more and more information is added to the lead, such as the type of DME products of interest to the prospect or information regarding the prospect’s insurer and plan coverage, the purchaser will be better able to determine whether the lead is likely to result in a sale of DME (a “qualified” lead).  At a certain level of detail, a lead morphs from a lead that can be sold on a per-lead basis to a referral that cannot.

A lead generation company can sell highly detailed qualified leads if that sales relationship fits within the safe harbor for “Personal Services and Management Contracts.”[3]  That safe harbor requires that: (a) the aggregate compensation to be paid under the contract must be fixed in advance; (b) the compensation must be consistent with fair market value in an arm’s-length transaction; and (c) the compensation must not be determined in a manner that takes into account the volume or value of any referrals or business otherwise generated between the parties for which payment may be made by a Federal health care program.  The requirement that the compensation be fixed in advance does not tolerate a per-lead fee.  Fixed in advance would be a weekly, hourly or annual fee.

So, if you are in the lead generation business, your liability for buying or selling health care referrals probably depends upon how detailed and “qualified” the lead is at the time of your transaction.  The safe tack is to structure your transactions so that they fit within the safe harbor for Personal Services and Management Contracts, just in case your leads are qualified enough to constitute “referrals.”

This article focuses on anti-kickback liability associated with DME leads, but there is also liability attached to how the lead is originated, and how the prospect is contacted.  Lead generation companies are often well-served by committing their relationships to written agreements with advice from appropriate counsel.


[1] 42 U.S.C. §1320a-7b(b)

[2] FL Statutes §456.054 and §817.505

[3] 42 C.F.R. §1001.952(d)

2012 Florida Legislature Impacts Healthcare


When Florida’s legislators meet each year, change is sure to follow.  Some of the changes this year include:

Therapeutic Spa Services are now defined under the nursing home law (Chapter 400) as “bathing, nail and hair care services and other similar services related to personal hygiene.”  The new law will likely trigger the development of regulations that will affect how such services can be provided to residents of nursing homes and related facilities.

The Florida Health Care Clinic Law (400.990) has been changed to exempt “big businesses” from the licensure requirements.  Those include entities that have $250 Million or more in annual sales (if one of the owners is a Florida licensed healthcare professional who is responsible for compliance) and those which employ 50 or more Florida licensed M.D.s or D.O.s who provide services under a single tax ID number.  These changes may help physician integration moves but also benefit large corporate healthcare providers.

The state anti kickback law (483.245) was expanded to clarify that it is illegal for a clinical lab to provide (in any way at all) personnel to perform “any functions or duties” in a doctor’s office unless the lab and the doctor’s office are owned by the same legal entity.  Clinical labs may not, for instance, lease space in doctor’s offices to collect specimens.

 

Perhaps the most hotly regulated aspect of healthcare lately has been in the area of controlled substance prescription and dispensing.  A new law expands the exemption from the controlled substance prescribing standards to certain board eligible doctors (not just board certified ones), to rheumatologists and to doctors who prescribe medically necessary controlled substances to a patient during an inpatient hospital stay.  As such, the exemption from the controlled substance prescribing standards covers: board eligible or certified anesthesiologists, physiatrists, rheumatologists, neurologists or medical specialists who have completed a fellowship in pain medicine; board certified doctors with privileges at a hospital or ASC; and doctors who prescribe medically necessary controlled substances to patients during inpatient stays at hospitals.

 

The Florida Healthcare Law Firm Goes National


Followers & Friends – BIG Announcement coming out today! If you haven’t seen our new NATIONAL platform, check it out here at www.nationalhealthcarelawfirm.com and stay tuned for our #healthcare #legal news at 2pm EST !!!

Supreme Court upholds Obama health care law

Via @USAToday

The Supreme Court upheld President Obama’s health care law today in a splintered, complex opinion that gives Obama a major election-year victory.

Basically, the justices said that the individual mandate — the requirement that most Americans buy health insurance or pay a fine — is constitutional as a tax.

Chief Justice John Roberts — a conservative appointed by President George W. Bush — provided the key vote to preserve the landmark health care law, which figures to be a major issue in Obama’s re-election bid against Republican opponent Mitt Romney.

The government had argued that Congress had the authority to pass the individual mandate as part of its power to regulate interstate commerce; the court disagreed with that analysis, but preserved the mandate because the fine amounts to a tax that is within Congress’ constitutional taxing powers.

The announcement will have a major impact on the nation’s health care system, the actions of both federal and state governments, and the course of the November presidential and congressional elections.

A key question for the high court: The law’s individual mandate, the requirement that nearly all Americans buy health insurance, or pay a penalty.

Critics call the requirement an unconstitutional overreach by Congress and the Obama administration; supporters say it is necessary to finance the health care plan, and well within the government’s powers under the Commerce Clause of the U.S. Constitution.

While the individual mandate remained 18 months away from implementation, many other provisions already have gone into effect, such as free wellness exams for seniors and allowing children up to age 26 to remain on their parents’ health insurance policies. Some of those provisions are likely to be retained by some insurance companies.

Other impacts will sort themselves out, once the court rules:

— Health care for millions of Americans will be affected – coverage for some, premiums for others. Doctors, hospitals, drug makers, insurers, and employers large and small all will feel the impact.

— States — some of which have moved ahead with the health care overhaul while others have held back — now have decisions to make. A deeply divided Congress could decide to re-enter the debate with legislation.

— The presidential race between Obama and Republican challenger Mitt Romney is sure to feel the repercussions. Obama’s health care law has proven to be slightly more unpopular than popular among Americans.

Full Story Here: http://content.usatoday.com/communities/theoval/post/2012/06/Supreme-Court-rules-on-Obama-health-care-plan-718037/1#.T-xqPhd5F9E

June 30th Deadline to e-Prescribe to Avoid Medicare Adjustment Penalty

June 30, 2012 is the deadline for submitting ten (10) Part B Fee for Service (FFS) claims to Medicare to avoid the 2013 Adjustment (penalty) of 1.5% against 2013 reimbursements.

Exception: if a provider submitted 25 e-prescribing events successfully in 2011, they have already met the reporting requirement to avoid the 2013 penalty. Otherwise, this upcoming June 30, 2012 deadline will apply. If you’ve started e-prescribing and are continuing to do so, do not stop at just 10 for this year to avoid the reduced reimbursement for 2013. E-prescribing should continue to be noted on all Medicare claims regardless, to avoid future penalties in the coming years: the requirement will continue, and there will be a 2% reduction for year 2014 as well.

The Florida Healthcare Law Firm Announces National Expansion

(Delray Beach, FL) June 21st, 2012 – The Florida Healthcare Law Firm, one of Florida’s leading healthcare law firms, today announced a major increase in their legal practice capabilities with the official launch of the National Healthcare Law Firm, a d/b/a and new portal of the firm. The expansion to a national platform providing healthcare legal services to physicians and healthcare businesses is one that significantly increases resources for clients who lack qualified local healthcare counsel. While the Florida Healthcare Law Firm has for years assisted clients outside the state of Florida*, this new development further cements the firm’s commitment to providing ethical legal counsel in the healthcare industry.

“We are very excited about it. The fact that we serve clients all over the country has been a small secret for a while but we realized there’s a huge demand and decided to just go for it,” said Jeffrey L. Cohen, Esq. Founder and President of Florida Healthcare Law Firm.

According to Cohen, “It’s just a strange area of the law.  Nearly everything in healthcare business is regulated; leases, employment agreements, compensation.  Things you wouldn’t think are regulated are strongly regulated.  And there are large fines and criminal penalties for getting it wrong!  Our clients understand that healthcare business of any kind has serious legal risks and that they need uniquely qualified help.”

To request a service list or for any other firm information, call Autumn Piccolo at 888-455-7702 or visit the firm’s website at www.nationalhealthcarelawfirm.com or www.floridahealthcarelawfirm.com

*     *     *

Acknowledged throughout the country for its service and excellence, Florida Healthcare Law Firm is one of the nation’s leading providers of healthcare legal services. Founded by Jeffrey L. Cohen, Esq. and headquartered in South Florida, FHLF provides legal services to physicians and healthcare businesses with the right pricing, responsiveness and ethics. From healthcare clinic regulation, home health agency representation and physician contracting to medical practice formation/representation and federal and state compliance matters, the Florida Healthcare Law Firm is committed to bringing knowledge and experience to a diverse group of clients.