HIPAA Blog

[ Friday, January 30, 2004 ]

 

(OT) Probably bad law: I don't know too much about the Florida state anti-kickback law, but a state appeals court in Florida just ruled it unconstitutional. The 3rd District Court of Appeals affirmed a Florida trial court that found the state statute unconstitutional because it goes farther than the federal anti-kickback law. As you probably know, the federal anti-kickback law makes it illegal to offer or receive remuneration (often misspelled renumeration), in cash or in kind, directly or indirectly, in exchange for the referral of patients for services that will be paid for by governmental programs. The federal law does have some "safe harbors," which outline specific arrangements that might theoretically fall into the definition but that the government has determined are not in violation of the federal law. In other words, if you have an arrangement that might be considered to result in indirect remuneration for referrals (like a services agreement where the party paying for the services is also getting referrals from the party providing the service), but that meets the safe harbor restrictions (the agreement is in writing, for a year or more, for fair market value, not dependent on referrals, etc. etc. etc.), the arrangement is deemed to not violate the federal anti-kickback law.

Apparently, the Florida anti-kickback law has a different definition of what constitutes a kickback, and does not have safe harbors. Therefore, an arrangement that does not violate the federal law (because it fits in a safe harbor) might violate Florida law. The court determined that the Florida law "criminalizes certain activity that is protected under the federal antikickback statute and stands as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress."

Huh? First, the safe harbors come from HHS, not from Congress. Secondly, the safe harbors don't "protect" the activities listed in them, like they are defined rights; instead, the safe harbors "protect" the participants in those activities from prosecution for a federal offense, not from prosecution for a related but differently-defined state law offense. It's sort of like saying, if the federal government imposes a 55 mph speed limit, the states can't set a lower limit. Now, an argument could be made that the state shouldn't be involved in passing laws that impact Medicare, since that's a federal program; but the Florida law impacts both Medicare and Medicaid (as well as private pay patients, I think -- see caveat below), and Medicaid is at least in part a state program.

I'm no expert on the Florida law (and the Texas law is different -- and toothless) and I haven't read the full Florida decision, but this does not seem like good law. Not that I want to see lots of fraud and abuse enforcement, either. But it makes no sense that just because the federal government says "we prohibit this but not that" means that the state government can't say "we prohibit that" (unless the federal government has explicitly preempted state law interference and taken over the entire field of play, which isn't -- or shouldn't be -- the case here).

Jeff [4:45 PM]

[ Thursday, January 29, 2004 ]

 

HIPAA complaints, TCS section: You all know that HHS (US Dept. of Health and Human Services) has tasked OCR (HHS' Office of Civil Rights) to be the enforcement agency for HIPAA. Actually, OCR is the enforcement agency of the HIPAA Privacy and Security standards. And you know that the Administrative Simplification subtitle of Title II of HIPAA (sometimes shortened to AdSi or AdminSimp) -- remember, HIPAA includes health insurance portability, medical savings accounts, fraud and abuse, and a bunch of other malarky in the other titles and subtitles -- can effectively be divided into 3 parts: Privacy, Security, and Transaction and Code Sets (or TCS). [Yes, I know, what about identifiers? Those fall into TCS, which is sometimes called Transactions, Code Sets and Identifiers, but isn't usually called TCSI. Hey, I'm trying to make this simple, and it ain't easy.] Anyway, the point I'm trying to get to here is that OCR isn't tasked with enforcement of all of HIPAA, much less all of AdSi: it's only tasked with enforcement of Privacy and Security. Of course, those are the biggest slices of the pie, at least as regards the parts we non-techies talk about. The other slice, TCS, is enforced by HHS' Office of HIPAA Standards, or OHS. Actually, OHS is an office of CMS [which was originally tasked to enforce TCS, but which delegated it to OHS]. CMS, of course, stands for the Centers for Medicare and Medicaid Services (which should have been CMMS, but the second M was dropped (i) as a cost-saving measure and (ii) to comply with OTN regulations [OTN is the Office of TLA Nomenclature {TLA stands for Three Letter Acronym}]). So, to recap: Privacy and Security belong to OCR, but TCS belongs to OHS, a subsidiary of CMS.

Why do I bring this up? Because OHS now has a complaint mechanism for people in the healthcare stream of commerce to complain about other people in the healthcare stream of commerce not using the HIPAA TCS rules of the road. This AdSi enforcement tool is called ASET, which apparently stands for Administrative Simplification Enforcement Tool. You can find more information on it here. If you are a provider or a payor and someone else is not using the HIPAA TCS standards to conduct transactions, and that intransigence is preventing you from getting paid, you can file a complaint against them. OHS will check out the complaint and notify the offending party, and give them a chance to correct their systems to no longer be an offending party. To file a complaint using ASET, you have to register; they say that's so they can track the complaint, but it could be that they're just a bunch of Men In Black trying to get your information. Anyway, that means no anonymous complaints.

And remember, ASET is only for complaints about TCS. If you've got privacy complaints, you've got to go here. And if you've got security complaints, you just have to wait another year before those are final.

UPDATE: See my 3/1 post above. CMS will also oversee Security, and OCR is only tasked with Privacy. Since there won't be much action on Security for a while (we've got over a year before the rules become final, and you can't file any complaints until then), it hasn't become an issue. And since Privacy and Security are so linked in my mind in practical terms, I personally think it's a mistake to put Security under CMS instead of OCR. I understand the (good) arguments why (it's more technical, like TCS), but think the hand-in-glove nature of Security and Privacy means they should be enforced by the same folks. Anyway, I'm still glad it's not the OIG.

Jeff [10:52 AM]

[ Wednesday, January 28, 2004 ]

 

Where banking and healthcare intersect: I just read an interesting article in HealthLeaders on how HIPAA is impacting banking and setting the stage for a particular finance-industry segment: medical banking. Here's a snippet:

"Applying HIPAA equally across market sectors promises to transform healthcare financing and operations in a manner that helps multiple healthcare stakeholders. Today as national banks embrace HIPAA, medical providers insist on HIPAA-compliance and consumers demand privacy, the stage is being set for 'medical banking' to flourish as an industry model that reduces costs."

Jeff [9:02 AM]

[ Thursday, January 22, 2004 ]

 

New Provider Identifier Rule Coming Tomorrow: As you know, part of the Transactions and Code Sets rules relate to the use of standard identifiers for the various participants in the health care industry. All payors, providers, and recipients of care will get unique identifiers. CMS has sent out notices that tomorrow it will issue its final rule on provider identifiers. That means it'll be final this coming May 23, and you'll have to switch over by May 23, 2005. I'll link it when I get it.


UPDATE: Here's the link, in PDF format.

Another UPDATE: It's dawned on me, after reading a little more on the NPI rules, that it'll actually be FOUR YEARS from this May before providers have to switch over to the new numbers. First, it's two years before the feds have to start implementing the new numbers, then another two years before the providers have to start using them. So, stretch out, relax . . . you've got time.

Jeff [10:45 AM]

 

Happy New Year! Chinese new year, that is. Year of the Monkey, or so I'm told.

Jeff [10:43 AM]

[ Thursday, January 15, 2004 ]

 

Random HIPAA news:

I have subscribed to get emails from Medical News Wire, including its HIPAA Wire and Hospital Compliance wire, and often get very good information from them. You too can subscribe by going here.

Anyway, there are a few interesting articles from them over the past few days which I thought I'd share:

Understanding Security Incidents: What is a security incident, and what do you need to do when one occurs? You have obligations under HIPAA to document when they happen and your response. Three key elements to successfully doing so are (i) tracking the incidents, (ii) looking for patterns and trends to help you anticipate (and prevent) the next one or otherwise cure vulnerabilities, and (iii) creating security awareness. If you've heard me speak on HIPAA, you've probably heard me say that getting started with HIPAA compliance is the best way to make HIPAA compliance happen. In many ways, HIPAA is a corporate cultural issue, and the best way to make HIPAA awareness a part of your corporate culture is to engage in high-visibility activities that turn HIPAA compliance into a self-fulfilling prophecy. Just as you can leverage your staff into doing the HIPAA heavy lifting just by getting them to think about it (hey, an army of consultants will know less about your practice's particular HIPAA vulnerabilities than your staff does), an active security program, led by security incident reporting and analysis, will keep your staff focused on HIPAA security.

Speedbumps, not Roadblocks. Most providers view HIPAA hassles as temporary aggravations that, once overcome, will result in better, safer care, rather than as permanent problems that will prevent the delivery of care. That's good, since delivering care is what providers do. According to the Long Island Business News, the biggest problem for providers facing HIPAA compliance issues is interpreting the regulations and finding out what is reasonable. You don't need to buy a $50,000 shredder, but you also can't just throw records in the trash. Balance is the key, and once providers (and other covered entities) get a handle on that, they'll be able to navigate the HIPAA speedbumps better.

Lack of Information in Data Fields Leads to Denied Claims: According to physician consulting firm MedSynergies, physician practices are seeing a growing number of claims rejected by payors for failure to include information in all required data fields. Often, it is hard for the practice to determine what information is missing and what is needed, which makes it difficult for practices to meet filing timeframes. Should this be happening, since HIPAA should have standardized all fields? Perhaps, but HIPAA did allow payors to ask for additional information in particular fields, and not all payors are using strict X-12 formats. Of course, even understanding the X-12 form 837 (the standard claims submission form) is almost impossible if you don't understand computer code (which I, as a proud liberal arts major, don't, at all).

One thing is clear, whether under HIPAA requirements, managed care or payor contracts, Medicare/Medicaid, or state Prompt Claims laws: providers need to keep on top of their billing and coding processes to make sure that they are providing the right information to get paid and doing so in a timely fashion. Failure to provide the right information, OR failure to provide it within the required time frames, can result in rejected claims which just might be lost forever (or at least fall outside the "prompt pay" law requirements that give providers some leverage over payors).

Jeff [12:06 PM]

[ Thursday, January 08, 2004 ]

 

More OT (but with a HIPAA angle): You've probably heard of the Tenet Redding Hospital case, where unnecessary heart surgery procedures were being performed by cardiologists at a Tenet hospital in California, and Tenet paid a big ($54 million) settlement, since it was accused of buying those referrals from the cardiologists. Well, the case came about because of a couple of whistleblowers, who have just been awarded $8.1 million of the settlement amount. Ready for the "movie of the week" angle? The whistleblowers were two Catholic priests, Fr. John Corapi and Fr. Joseph Zerga.

The HIPAA angle: this can serve as a cautionary tale to covered entities who don't think they need to worry too much about their HIPAA compliance. There is a definite incentive for people who you think are your friends to turn you in to the Feds if there are fines and penalties involved. If you're violating HIPAA to such an extent that you might get hit with monetary penalties, you should consider yourself to have a bounty on your head. Additionally, note that HIPAA prevents a covered entity employer from retaliating against an employee that reports a HIPAA violation. If you're not 100% all square on your HIPAA compliance, expect that any disgruntled, about-to-be-fired employee will report you in an attempt to save their own job.

Jeff [10:54 AM]

 

Non-Profit corporations and excess benefits: This is off the HIPAA topic, but is big news for big nonprofit healthcare corporations. The IRS has issued guidance to its field/auditing staff in the Exempt Organizations arena outlining what the IRS thinks are automatically excess benefit transactions. If you deal with nonprofits much, you know that if a nonprofit pays an excess benefit to an insider (for example, it pays its CEO an overinflated salary), it is "private inurement" and an "excess benefit." In the old days, the IRS' only option was to yank the tax-exempt status of the nonprofit. About 10 years ago, the IRS initiated the concept of the "intermediate sanction" for excess benefit transactions, where both the organization paying the benefit and the recipient of the benefit were taxed on the excessive portion of the benefit at such a level that would basically confiscate it. Instead of the "death penalty" for the tax-exempt organization, it was a confiscatory tax on the recipient of the excess benefit.

The problem with excess benefit transactions (as well as with private inurement and "private benefit" -- transactions that would be inurement but the recipient is not an "insider" with the nonprofit organization -- and other types of improper uses of funds) is that a compensation arrangement that may look outrageous when compared to one analog might look rational compared with another. Take, for instance, the money paid to Richard Grasso of the NYSE. While compared to the money paid to the CEOs of the AMEX and the NASDAQ, he was highly overpaid, but compared to the compensation of the heads of the Dow Industrial companies, he was a little underpaid. How does the IRS make a determination whether the money paid to a nonprofit's executive is too much? Basically, it's left to the field agents who audit the nonprofits to make the initial call, but how do they decide if it's money wasted (we're talking about nonprofit organizations here; executives shouldn't expect to make a lot of money working for a nonprofit) or money well spent (you have to pay competitive salaries to the private sector to get in the big names, and the big names will run the organization better and get bigger contributors as well)?

The IRS has now provided guidance to its auditors to use as a guideline for the auditors to determine what is an excess benefit transaction. The IRS usually provides this type of written guidance for two reasons: to keep its auditors all on the same page and consistent in their reviews, and to give the affected industries a "heads-up" on what the IRS is thinking and how it will review things, so the industries can make sure their ducks are in a row.

The guidance here is pretty useful if you're a nonprofit with highly-compensated officers and/or directors. Even if you don't think the compensation is particularly high, it would be a good idea to check out this guidance and make sure you've got a paper trail to justify what you're spending (cash, wages, compensation, etc.) and making available (gifts, benefits, perks, etc.) to your officers, directors, physicians, benefactors, etc.

Now, back to your regularly scheduled HIPAA junk.

Jeff [10:38 AM]

[ Wednesday, January 07, 2004 ]

 

Survey says . . . again:

Phoenix Health Systems again is asking for input for their quarterly HIPAA survey. You can start here, and follow the prompts to give your input.

Jeff [5:33 PM]

[ Monday, January 05, 2004 ]

 

2003 in Review: Here's an interesting article from the San Francisco Chronicle outlining the top 10 health stories from 2003. One local reference issue and a gratuitous slam of President Bush included to make sure you know it's coming from the Left Coast.

Jeff [12:20 PM]

[ Friday, January 02, 2004 ]

 

What's going on with your privacy program now?

Medical Newswire recently published some helpful hints on what you should be doing with your privacy program. Even though you got everything in place back in April, things change, you encounter new challenges, and you should adjust, adapt, and fine tune your privacy program to account for it. Five strategies outlined by Medical Newswire that make a lot of sense:

Review your forms. Make sure your NoPP and BAA say what they should. If you didn't develop authorizations or other forms, you might want to do that now. Do you have any new business associates? Perhaps your staff or patients have asked questions about your NoPP that would lead you to think some area or another is unclear and could use better wording. Perhaps they've been filling in the forms incorrectly; if so, see if you can determine why they're making mistakes, and fix the problem. Keep in mind, however, that if you materially change your NoPP, you can't use PHI from prior patients until they've signed the new NoPP.

Update your policies and procedures. This is something you should always be working on, but it is especially important with your privacy plan. Make sure your policies and procedures really reflect the way you run your office (or change the way you run your office). Incorporate changes that your staff recommends, based on issues they've encountered that result in conflicts.

Keep up with state and federal law changes. Make sure you have changed anything you need to change based on the Security Rule. What is your local bar association doing to coordinate subpoenas for medical records? If you get lots of incorrect subpoenas, see if you can coordinate with the requesting attorneys to make sure they know to use the right forms.

Request feedback. From your staff, your patients, your vendors, your business associates, your referring/referrant physicians, and hospitals and other providers that you deal with. This will help you fine tune where you need it, and will also let you know if your practice is "culturally attuned" to HIPAA (if you needed a big change in corporate culture to implement HIPAA, seek out feedback that will let you know if those changes have been made and are adopted by your workforce).

Training never ends. Don't let HIPAA awareness fade, especially if it was hard to establish in the first place.

Jeff [5:26 PM]

 

Some clean-up items:

CMS recently announced the top 9 problems in TCS usage, noting that half of all electronic claims for Medicare have some defect from the pure X12 standard. The top problems:

Errors in the provider's SS# or Tax ID number (data element NM109);
Enveloping issues with ISA and GS segments;
Invalid taxonomy codes;
Invalid characters in the data stream (software problems?);
Missing subscriber data elements, such as date of birth or gender;
Missing or incorrectly coded address information (data elements N3 and N4);
Missing contact phone number of person submitting claim;
Sending billing provider and rendering provider loops when they are the same entity; and
Invalid date formats.

I don't know what several of those are, but it looks like billing software hasn't kept pace with where it needs to be for HIPAA TCS compliance.
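Added example, not code from the original post or from CMS: a small Python checker that parses a constructed, simplified X12 837 claim and flags several of the defects on the CMS list (ISA/GS enveloping control numbers, NM109 identifiers, N3/N4 address segments, DMG date of birth and gender, D8 date formats, and a rendering provider loop that duplicates the billing provider). It assumes '*' and '~' as the element and segment separators and only the handful of segments shown; both sample claims are constructed, and a real 837 is far larger with a fixed-width ISA segment.

```python
# Added illustration, not code from the original post or from CMS: a checker for a
# constructed, simplified X12 837 claim that flags several defects from the CMS list.
# Assumes '*' element and '~' segment separators and only the segments it uses.
from datetime import datetime

def parse(x12):  # split a '~'-terminated X12 stream into one list of elements per segment
    return [seg.split("*") for seg in x12.strip().split("~") if seg]

def valid_d8(value):
    """True if value is a well-formed CCYYMMDD date (the D8 format used in DTP/DMG)."""
    try:
        return len(value) == 8 and bool(datetime.strptime(value, "%Y%m%d"))
    except ValueError:
        return False

def check_claim(x12):
    """Return a list of problem descriptions; an empty list means no defect was found."""
    segs, problems, loops, ids, current = parse(x12), [], {}, {}, None
    one = lambda seg_id: next((s for s in segs if s[0] == seg_id), [])
    isa, iea, gs, ge = one("ISA"), one("IEA"), one("GS"), one("GE")
    # Enveloping: interchange (ISA/IEA) and group (GS/GE) control numbers must agree.
    if len(isa) < 14 or len(iea) < 3 or isa[13] != iea[2]:
        problems.append("enveloping: ISA13 and IEA02 control numbers differ")
    if len(gs) < 7 or len(ge) < 3 or gs[6] != ge[2]:
        problems.append("enveloping: GS06 and GE02 control numbers differ")
    for s in segs:
        if s[0] == "NM1":  # new entity loop keyed by NM101 (85 billing, IL subscriber, 82 rendering)
            qual, ident = (s[8] if len(s) > 8 else ""), (s[9] if len(s) > 9 else "")
            current, loops[s[1]], ids[s[1]] = s[1], [], (qual, ident)
            if not ident:
                problems.append(f"NM1*{current}: missing identifier in NM109")
            elif qual == "XX" and not (ident.isdigit() and len(ident) == 10):
                problems.append(f"NM1*{current}: NPI in NM109 must be 10 digits")
            elif qual in ("24", "34") and not (ident.isdigit() and len(ident) == 9):
                problems.append(f"NM1*{current}: Tax ID/SSN in NM109 must be 9 digits")
        elif current is not None:
            loops[current].append(s)
        pos = {"DTP": 2, "DMG": 1}.get(s[0])  # element holding the date-format qualifier
        if pos and len(s) > pos + 1 and s[pos] == "D8" and not valid_d8(s[pos + 1]):
            problems.append(f"{s[0]}: invalid D8 date {s[pos + 1]!r}")
    for seg_id in ("N3", "N4"):
        if not any(t[0] == seg_id for t in loops.get("85", [])):
            problems.append(f"billing provider loop (NM1*85) is missing {seg_id}")
    dmg = next((t for t in loops.get("IL", []) if t[0] == "DMG"), None)
    if dmg is None or len(dmg) < 4 or not dmg[2] or not dmg[3]:
        problems.append("subscriber loop (NM1*IL): DMG lacks date of birth or gender")
    if "82" in ids and ids["82"] == ids.get("85"):
        problems.append("rendering provider loop (NM1*82) duplicates the billing provider")
    return problems

GOOD = [  # constructed sample claim, one segment per item; not a real submission
    "ISA*00*          *00*          *ZZ*SENDER         *ZZ*RECEIVER       *040102*1200*U*00401*000000001*0*P*:",
    "GS*HC*SENDER*RECEIVER*20040102*1200*1*X*004010X096A1", "ST*837*0001",
    "NM1*85*2*CLINIC BILLING*****XX*1234567890", "N3*1 MAIN ST", "N4*ANYTOWN*TX*75001",
    "NM1*IL*1*PATIENT*PAT****MI*ABC123", "DMG*D8*19700101*M",
    "NM1*82*1*DOCTOR*DEE****XX*9876543210", "DTP*472*D8*20040102",
    "SE*9*0001", "GE*1*1", "IEA*1*000000001"]
BAD = [s for s in GOOD if not s.startswith("N4")]  # drop the N4 city/state/zip segment
BAD[3] = "NM1*85*2*CLINIC BILLING*****24*12345"  # Tax ID with only 5 digits
BAD[7] = BAD[3].replace("NM1*85", "NM1*82")  # rendering provider identical to billing
BAD[6], BAD[8], BAD[10] = "DMG*D8*19700101", "DTP*472*D8*20040132", "GE*1*2"  # no gender, bad date, GS/GE mismatch
GOOD_CLAIM, BAD_CLAIM = "~".join(GOOD) + "~", "~".join(BAD) + "~"

if __name__ == "__main__":
    print(check_claim(GOOD_CLAIM), check_claim(BAD_CLAIM), sep="\n")
```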

Jeff [5:10 PM]
