FTC Interim Final Red Flags Rule a Reprieve for Health Care Providers

By: Rodger Hochman, Board Certified in Health Law

On November 30, 2012, the Federal Trade Commission (FTC) issued its interim final “Red Flags Rule,” which narrowed the definition of “creditor” in a way that essentially confirms that most health care service providers are not subject to its requirements.

The Red Flags Rule was originally promulgated in reaction to the perceived risk of identity theft in various transactions involving financial institutions and creditors. It required them to develop and implement a written identity theft program to combat these risks, including internal processes for identifying “red flags” of identity theft.  The application of the Red Flags Rule to health care service providers was controversial because it advanced a counterintuitive notion: a provider engaged in ordinary-course business activities, such as rendering health care services for which insurance or other payment would be received later, was a “creditor” by definition. Providers were thus equated with financial institutions and subjected to standards more suited to the relationship between commercial creditors or lenders and their customers.

Under the original rule, any “creditor” was required to establish an identity theft program.  The definition included “any person who regularly extends, renews, or continues credit…”  The FTC interpreted this expansively to include physicians and other providers who accept insurance as payment or who permit payment plans, where payment in full was not received at the time of service.  Thus, if a physician or hospital were to accept a patient’s insurance coverage or bill the balance not covered by insurance to the patient, that was viewed as an extension of credit to the patient which triggered regulatory compliance obligations by the provider.  Although the FTC later clarified its position in saying that it applied only to creditors that regularly and in the ordinary course of business advance funds, there was still some ambiguity.

The interim final rule now makes clear that advancing funds does not include routine health care billing and collection activities (such as deferring payment of fees in connection with providing services), and that most service providers are not subject to the rule.  Nevertheless, while the interim final rule confirms that most providers are not subject to the Red Flags Rule, entities that collect consumer data should still carefully consider how they collect and use such data.  To the extent that they use or provide patient information in connection with credit reporting services, the Red Flags Rule would apply.  Further, health care providers remain subject to the HIPAA/HITECH privacy and security rules with respect to all patient identifying information, regardless of whether they are subject to the Red Flags Rule.

Perceived Risk Outweighs Actual Harm in Assessing $1.5M HIPAA Fine

The Office of Civil Rights’ recent assessment of a $1.5 million fine for HIPAA violations should be a shrill wakeup call to all health care organizations that use (or allow their physicians to use) portable devices containing patient identifiable information.  The sanction stems from a physician’s lost laptop computer containing electronic protected health information (ePHI).

Importantly, the OCR’s investigation could not establish whether the ePHI was used or even accessed, partly because the device was lost in a foreign country.  However, it was not necessary to conclude definitively whether any data had been compromised; the OCR was more concerned that the offending provider had not implemented measures mandated by the HIPAA Security Rule which could have reduced, mitigated or eliminated the risk altogether.  For the OCR, the heart of the matter was that the covered entity failed to fully assess and evaluate the risk to the confidentiality and security of ePHI on portable devices used by its physicians in their personal activities, and had no process for responding when such devices are lost.  In this case, it was the incident itself that caused the organization to formalize and take responsive measures.  The barn door was closed after the horse got out.  To the OCR, the covered entity’s reactive, rather than proactive, approach was totally at odds with the concerns of the HIPAA Security Rule and the mandated obligations of covered entities.

The facts are fairly simple.  A research physician from a Massachusetts specialty hospital facility was traveling to South Korea to give a lecture when he misplaced his backpack in a public area.  A personal laptop, containing health information of several thousand patients, was in the backpack.  The computer was eventually “detected” a few weeks later when it was connected to the internet, and its hard drive was later remotely “wiped”; however, the device was not recovered.  The incident was then reported to the OCR in accordance with the breach notification requirements of the HIPAA Security Rule.

This is an instructive case for a number of reasons.  For one, it is important to recognize that the OCR’s investigation was prompted by the obligatory “breach notification” it received from the provider.  The OCR’s inevitable investigation in turn revealed significant noncompliance with multiple aspects of the Security Rule.  Notably, the OCR determined that the covered entity had lax control over, and little knowledge of, its own physicians’ use of laptops issued to them by the organization.  Physicians were permitted unfettered access to the entity’s information, took their devices off-site where they were used for personal activities, and could freely download information remotely and install applications on these personal devices.  Further, while the laptop in question was password protected and had “LoJack” tracking and wiping software, encryption was not employed.  Moreover, many weeks passed before a hard drive wipe was effectuated, and only after it was determined that the device had been connected to the internet.  In short, the OCR concluded that the entity had neither conducted an adequate security assessment nor established the necessary policies or procedures addressing laptop use, and had not promulgated an appropriate response procedure.  Instead, it reacted to the lost laptop in a scramble of ad hoc activity and only instituted organization-wide changes as a result of this episode.

The most significant issue for the OCR in assessing a $1.5 million fine was not whether the incident caused actual harm to any patient, but the degree of risk of potential harm and whether reasonable steps and safeguards should have been in place to mitigate any data breach.  In short, the entity should have anticipated that laptops would be lost, and it should have addressed the attendant risks through a deliberate process and in a manner that is “situationally” appropriate for the organization.  Here, the organization failed to meet that duty, thus prompting a fine that may be disproportionate to the perceived harm.  This outcome should prompt providers to take the HIPAA Security Rule, and the OCR’s enforcement efforts, seriously, and to abandon any “no harm, no foul” notions they might apply when security breaches occur and must be reported.

HHS PROPOSES ONE-YEAR DELAY OF ICD-10 COMPLIANCE DATE

Via CMS Online 4-9-2012

Action:

The Department of Health and Human Services (HHS) today announced a proposed rule that would delay, from October 1, 2013 to October 1, 2014, the compliance date for the International Classification of Diseases, 10th Edition diagnosis and procedure codes (ICD-10).

The ICD-10 compliance date change is part of a proposed rule that would adopt a standard for a unique health plan identifier (HPID), adopt a data element that would serve as an “other entity” identifier (OEID), and add a National Provider Identifier (NPI) requirement. The proposed rule was developed by the Office of E-Health Standards and Services (OESS) as part of its ongoing role, delegated by HHS, to establish and adopt standards for electronic health care transactions under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). OESS is part of the Centers for Medicare & Medicaid Services (CMS).

Background

On January 16, 2009, HHS published a final rule to adopt ICD-10 as the HIPAA standard code sets to replace the previously adopted ICD–9–codes for diagnosis and procedure codes (see HIPAA Administrative Simplification; Modifications to Medical Data Code Set Standards to Adopt ICD-10-CM and ICD-10-PCS, 74 FR 3328). The compliance date set by the final rule was October 1, 2013.

Implementation of ICD-10 will accommodate new procedures and diagnoses unaccounted for in the ICD-9 code set and allow for greater specificity of diagnosis-related groups and preventive services. This transition will lead to improved accuracy in reimbursement for medical services, fraud detection, and historical claims and diagnoses analysis for the health care system. Many researchers have published articles on the far-reaching positive effects of ICD-10 on quality issues, including use of specific reasons for patient non-compliance and detailed procedure information by degree of difficulty, among other benefits.

Some provider groups have expressed serious concerns about their ability to meet the October 1, 2013 compliance date. Their concerns about the ICD-10 compliance date are based, in part, on implementation issues they have experienced meeting HHS’ compliance deadline for the Associated Standard Committee’s (ASC) X12 Version 5010 standards (Version 5010) for electronic health care transactions. Compliance with Version 5010 is necessary prior to implementation of ICD-10.

All covered entities must transition to ICD-10 at the same time to ensure a smooth transition to the updated medical data code sets. Failure of any one industry segment to achieve compliance with ICD-10 would negatively impact all other industry segments and result in rejected claims and provider payment delays. HHS believes the change in the compliance date for ICD-10, as proposed in this rule, would give providers and other covered entities more time to prepare and fully test their systems to ensure a smooth and coordinated transition among all industry segments.

Provisions of the proposed rule announced today

HHS is proposing to change the ICD-10 compliance date to October 1, 2014.

As stated, the ICD-10 compliance date change is part of a proposed rule that would adopt a standard for a unique health plan identifier (HPID), adopt a data element that would serve as an “other entity” identifier (OEID), and add a National Provider Identifier (NPI) requirement.

Standards compliance date

HHS proposes that covered entities must be in compliance with ICD-10 on October 1, 2014.

The proposed rule, CMS-0040-P, may be viewed at www.ofr.gov/inspection.aspx.

A news release on the proposed rule may be viewed at http://www.hhs.gov/news.

ACOs are S.T.U.P.I.D

We have probably never seen so much enthusiasm and spending on anything in our history as we are seeing on healthcare reform. The point is to slow spending and improve quality by incentivizing cost-saving, quality-enhancing behavior. And the Accountable Care Organization is the new healthcare delivery model designed to save us from our greedy, over-utilizing selves. Here’s how it works:

First, you take a lot of primary care physicians and tell them they will get more money by (1) taking an expanded role in taking care of patients, and (2) reducing the expenses associated with that care. Then you tell them two really special things: first, you tell them “Uh, since we’re afraid that you will improperly reduce the amount of care the patients need, we won’t tell you which patients are in an ACO and which are not.” Second, you tell them “We really mean it when we tell you that we intend for you to make more money, but we won’t tell you exactly how we’re gonna do that. Trust us, ok?”

Second, you empower physicians to lead the charge. After all, they’re the only participants in ACOs that smart people think can control costs and quality. And you do this by telling them to (1) shell out about $26 Million to form an ACO, (2) go to Wharton and get an MBA, (3) educate themselves about all the intricacies of information technology and work out the kinks involved in implementing electronic medical records, and (4) keep taking care of those patients while you do all this. Finally, you keep the identity of patients secret from the physicians so there is no way to prepare care plans that take into account the diseases faced by the patients. No problem.

Third, you let patients run amok. They can go into an ACO…or not. They can go in and out of ACOs. They’re like kids that way, but they’re responsible for reading the 397 pages of ACO regs and then deciding whether they like the idea or not. Oh, and they have absolutely no incentive to sign up for ACO care. And why would they? “Hey, how about you go with this ACO, which will get more money if they spend less on you. How’s that sound?” How could this possibly be sold to Medicare patients? “This ACO will get paid for getting you well! Your primary care doctor that you’ve trusted for 20 years and who helps you get and stay healthy…that person doesn’t have the same incentive to get you well.” NOT.

Simplicity. There is none. Never before in our history have we seen something so simple (patient rationing) become so complicated (rationing = less expensive care). And so many acronyms and governmental departments and positions too! There are one sided models, two sided models and now a Pioneer model, for those who are especially adventurous. And did I mention that the basis for healthcare reform, the one that only the state of Washington has the courage to articulate, is really just rationing?

Troubling to pretty much everyone. Yes. Except for policy makers, there has yet to be any significant support for anything other than the IDEA that healthcare should cost less and be more outcome oriented. Even the Mayo, Geisinger and Cleveland systems have all politely declined at this point.

Unlimited flexibility. Yes, this is true, especially as it relates to patients. See, patients can be in a cost saving ACO or not. They can go in and out of them and the ACO will bear the cost. That’s right: patients can go in and out of them—ACO, non-ACO, and yet only the ACO will be penalized for cost increases. Let’s see, the ACO model is the cost saving model. And the plan is to allow patients to choose for society to save money or not. And the patients have zero incentives for participating in an ACO. And who is responsible for the behavior of these patients? Uh, well, we all are.

Patient accountability. This is completely lacking in the ACO model. There is absolutely nothing to incentivize patients for making healthy decisions or to punish them for making unhealthy ones. Also primary care driven. Not really. There aren’t enough to go around, but some guy who knows a doctor is free to see you now. Oh, also pro-competitive, meaning everyone will wanna be an ACO, so that will create competition in the market and a tremendous push to drive costs down and quality up. Ok, not really, but wouldn’t it be nice if that COULD happen. In fact, healthcare reform is functioning to do one sure thing—reduce competition, since only the biggest, strongest organizations can afford to compete or to be one.

Inexpensive. Nah. While the initial cost projections suggested about a $2 Million price tag for forming one, they are now up in the $12 to 26 Million range.

Direct and demonstrative. NOT. The entire healthcare reform delivery plan is like pushing a mouse through a maze by its tail.

Healthcare reform is like Alice in Wonderland at its best. It only makes sense on mind-altering drugs. Moreover, the schizo message from our policymakers on the whole issue is dumbfounding. “We are committed to lowering healthcare costs. ACOs will do this. Patients can be in them…or not.” Some legislators think they’ve created a panacea with ACOs, but then don’t want to compel them. It’s just political nonsense.

Look, slowing healthcare cost creep and quality enhancement are good things. We all (patients included) ought to be outcome driven and focused so that the end result is actually healthcare. ACOs just don’t and won’t do that, which may have something to do with the recent announcement by Mayo, Cleveland and Geisinger that they’re really not that interested in playing with them.


Ever Wanted to Know How Long Medicare Has to Recoup Medicare Overpayments?

Healthcare providers who participate in Medicare are sometimes surprised when the government later decides that an overpayment was made.  As a healthcare provider who accepts federally funded reimbursement, you may wonder how long the government has to make a claim against you for alleged overpayments.

For Medicare overpayments, the federal government and its carriers and intermediaries have 3 calendar years from the date of issuance of payment to recoup the overpayment.  This statute of limitations begins to run from the date the reimbursement payment was made, not the date the service was actually performed.  CMS has instructed carriers not to recover payments that have not been reopened (where no attempts have previously been made to collect) within 4 years from the date of payment, unless the case involves fraud or similar fault.  CMS instructs carriers not to recover overpayments discovered later than 3 full calendar years after the year of payment, unless there is evidence that the physician or beneficiary was at fault with respect to the overpayment.  Liability of the physician for refunding an overpayment is based on fault: if the overpayment was a result of a lack of disclosure or information from the Medicare beneficiary, the liability may shift to the beneficiary.  See Medicare Carrier Manual §7100.

Healthcare providers should be aware that the 3 year statute of limitations does not apply to recovering overpayments made as a result of false pretenses or fraud.  In bringing a civil action against an alleged perpetrator of fraud for civil penalties, the Federal False Claims Act[i] grants the government and qui tam whistleblowers either (i) 6 years from the date of violation or (ii) 3 years from the date the facts material to the right of action are known or reasonably should have been known by the government, but not to exceed 10 years from the date of violation[ii].  When a “violation” has occurred is arguable. The statute of limitations under the Federal False Claims Act could potentially begin to run on the date the false claim is submitted, but the government has argued that it does not begin to run until the date of payment on the claim by the government, or even final settlement of a cost report with the government.  Also important to note is that failure to promptly refund an overpayment previously discovered by a healthcare provider has been construed as a violation of the Federal False Claims Act.  In other words, if you discover an overpayment and wait for CMS to make an official refund request, you may still be subject to penalties and fines.

Furthermore, aside from civil monetary penalties, there are numerous criminal statutes under which the federal government could impose criminal penalties for health care fraud, including obstruction of a federal audit, mail fraud, conspiracy to defraud the government, RICO, the criminal False Claims Act, the False Statements Act, the Social Security Act (under which it is a felony to make any false statement or representation of material fact), the federal anti-kickback statutes, and HIPAA.


[i] The Federal False Claims Act can be found at 31 U.S.C. §§ 3729-3733.

[ii] 31 U.S.C. §3731(b).

_____________________________________________________________________________________________

With over 20 years of healthcare law experience following his service as legal counsel for the Florida Medical Association, Mr. Cohen is board certified by The Florida Bar as a specialist in healthcare law.  With a strong background and expertise in transactional healthcare and corporate matters, particularly as they relate to physicians, Mr. Cohen’s practice immerses him in regulatory, contract, corporate, compliance and employment related matters.  As Founder of The Florida Healthcare Law Firm, he has distinguished himself and his firm by providing exceptional legal services with the right pricing, responsiveness and ethics. He can be reached at (888)455-7702 and www.floridahealthcarelawfirm.com.