HIPAA Blog

[ Friday, January 30, 2004 ]

 

(OT) Probably bad law: I don't know too much about the Florida state anti-kickback law, but a state appeals court in Florida just ruled it unconstitutional. The 3rd District Court of Appeals affirmed a Florida trial court that found the state statute unconstitutional because it goes farther than the federal anti-kickback law. As you probably know, the federal anti-kickback law makes it illegal to offer or receive remuneration (often misspelled renumeration), in cash or in kind, directly or indirectly, in exchange for the referral of patients for services that will be paid for by governmental programs. The federal law does have some "safe harbors," which outline specific arrangements that might theoretically fall into the definition but that the government has determined are not in violation of the federal law. In other words, if you have an arrangement that might be considered to result in indirect remuneration for referrals (like a services agreement where the party paying for the services is also getting referrals from the party providing the service), but that meets the safe harbor restrictions (the agreement is in writing, for a year or more, for fair market value, not dependent on referrals, etc. etc. etc.), the arrangement is deemed to not violate the federal anti-kickback law.

Apparently, the Florida anti-kickback law has a different definition of what constitutes a kickback, and does not have safe harbors. Therefore, an arrangement that does not violate the federal law (because it fits in a safe harbor) might violate Florida law. The court determined that the Florida law "criminalizes certain activity that is protected under the federal antikickback statute and stands as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress. "

Huh? First, the safe harbors come from HHS, not from Congress. Secondly, the safe harbors don't "protect" the activities listed in them, like they are defined rights; instead, the safe harbors "protect" the participants in those activities from prosecution for a federal offense, not from prosecution for a related but differently-defined state law offense. It's sort of like saying, if the federal government imposes a 55 mph speed limit, the states can't set a lower limit. Now, an argument could be made that the state shouldn't be involved in passing laws that impact Medicare, since that's a federal program; but the Florida law impacts both Medicare and Medicaid (as well as private pay patients, I think -- see caveat below), and Medicaid is at least in part a state program.

I'm no expert on the Florida law (and the Texas law is different -- and toothless) and I haven't read the full Florida decision, but this does not seem like good law. Not that I want to see lots of fraud and abuse enforcement, either. But it makes no sense that just because the federal government says "we prohibit this but not that" means that the state government can't say "we prohibit that" (unless the federal government has explicitly preempted state law interference and taken over the entire field of play, which isn't -- or shouldn't be -- the case here).

Jeff [4:45 PM]

[ Thursday, January 29, 2004 ]

 

HIPAA complaints, TCS section: You all know that HHS (US Dept. of Health and Human Services) has tasked OCR (HHS' Office of Civil Rights) to be the enforcement agency for HIPAA. Actually, OCR is the enforcement agency of the HIPAA Privacy and Security standards. And you know that the Administrative Simplification subtitle of Title II of HIPAA (sometimes shortened to AdSi or AdminSimp) -- remember, HIPAA includes health insurance portability, medical savings accounts, fraud and abuse, and a bunch of other malarky in the other titles and subtitles -- can effectively be divided into 3 parts: Privacy, Security, and Transaction and Code Sets (or TCS). [Yes, I know, what about identifiers? Those fall into TCS, which is sometimes called Transactions, Code Sets and Identifiers, but isn't usually called TCSI. Hey, I'm trying to make this simple, and it ain't easy.] Anyway, the point I'm trying to get to here is that OCR isn't tasked with enforcement of all of HIPAA, much less all of AdSi: it's only tasked with enforcement of Privacy and Security. Of course, those are the biggest slices of the pie, at least as regards the parts we non-techies talk about. The other slice, TCS, is enforced by HHS' Office of HIPAA Standards, or OHS. Actually, OHS is an office of CMS [which was originally tasked to enforce TCS, but which delegated it to OHS]. CMS, of course, stands for the Centers for Medicare and Medicaid Services (which should have been CMMS, but the second M was dropped (i) as a cost-saving measure and (ii) to comply with OTN regulations [OTN is the Office of TLA Nomenclature {TLA stands for Three Letter Acronym}]). So, to recap: Privacy and Security belong to OCR, but TCS belongs to OHS, a subsidiary of CMS.

Why do I bring this up? Because OHS now has a complaint mechanism for people in the healthcare stream of commerce to complain about other people in the healthcare stream of commerce not using the HIPAA TCS rules of the road. This AdSi enforcement tool is called ASET, which apparently stands for Administrative Simplification Enforcement Tool. You can find more information on it here. If you are a provider or a payor and someone else is not using the HIPAA TCS standards to conduct transactions, and that intransigence is preventing you from getting paid, you can file a complaint against them. OHS will check out the complaint and notify the offending party, and give them a chance to correct their systems to no longer be an offending party. To file a complaint using ASET, you have to register; they say that's so they can track the complaint, but it could be that they're just a bunch of Men In Black trying to get your information. Anyway, that means no anonymous complaints.

And remember, ASET is only for complaints about TCS. If you've got privacy complaints, you've got to go here. And if you've got security complaints, you just have to wait another year before those are final.

UPDATE: See my 3/1 post above. CMS will also oversee Security, and OCR is only tasked with Privacy. Since there won't be much action on Security for a while (we've got over a year before the rules become final, and you can't file any complaints until then), it hasn't become an issue. And since Privacy and Security are so linked in my mind in practical terms, I personally think it's a mistake to put Security under CMS instead of OCR. I understand the (good) arguments why (it's more technical, like TCS), but think the hand-in-glove nature of Security and Privacy means they should be enforced by the same folks. Anyway, I'm still glad it's not the OIG.
Jeff [10:52 AM]

[ Wednesday, January 28, 2004 ]

 

Where banking and healthcare intersect: I just read an interesting article in HealthLeaders on how HIPAA is impacting banking and setting the stage for a particular finance-industry segment: medical banking. Here's a snippet:

"Applying HIPAA equally across market sectors promises to transform healthcare financing and operations in a manner that helps multiple healthcare stakeholders. Today as national banks embrace HIPAA, medical providers insist on HIPAA-compliance and consumers demand privacy, the stage is being set for 'medical banking' to flourish as an industry model that reduces costs."
Jeff [9:02 AM]

[ Thursday, January 22, 2004 ]

 

New Provider Identifier Rule Coming Tomorrow: As you know, part of the Transactions and Code Sets rules relate to the use of standard identifiers for the various participants in the health care industry. All payors, providers, and recipients of care will get unique identifiers. CMS has sent out notices that tomorrow it will issue its final rule of provider identifiers. That means it'll be final this coming May 23, and you'll have to switch over by May 23, 2005. I'll link it when I get it.


UPDATE: Here's the link, in PDF format.

Another UPDATE: It's dawned on me, after reading a little more on the NPI rules, that it'll actually be FOUR YEARS from this May before providers have to switch over to the new numbers. First, it's two years before the feds have to start implementing the new numbers, then another two years before the providers have to start using them. So, stretch out, relax . . . you've got time.
Jeff [10:45 AM]

 

Happy New Year! Chinese new year, that is. Year of the Monkey, or so I'm told.
Jeff [10:43 AM]

[ Thursday, January 15, 2004 ]

 

Random HIPAA news:

I have subscribed to get emails from Medical News Wire, including its HIPAA Wire and Hospital Compliance wire, and often get very good information from them. You too can subscribe by going here.

Anyway, there are a few interesting articles from them over the past few days which I thought I'd share:

Understanding Security Incidents: What is a security incident, and what do you need to do when one occurs? You have obligations under HIPAA to document when they happen and your response. Three key elements to successfully doing so are (i) tracking the incidents, (ii) looking for patterns and trends to help you anticipate (and prevent) the next one or otherwise cure vulnerabilities, and (iii) creating security awareness. If you've heard me speak on HIPAA, you've probably heard me say that getting started with HIPAA compliance is the best way to make HIPAA compliance happen. In many ways, HIPAA is a corporate cultural issue, and the best way to make HIPAA awareness a part of your corporate culture is to engage in high-visibility activities that turn HIPAA compliance into a self-fulfilling prophecy. Just as you can leverage your staff into doing the HIPAA heavy lifting just by getting them to think about it (hey, an army of consultants will know less about your practice's particular HIPAA vulnerabilities than your staff does), an active security program, led by security incident reporting and analysis, will keep your staff focused on HIPAA security.

Speedbumps, not Roadblocks. Most providers view HIPAA hassles as temporary aggravations that, once overcome, will result in better, safer care, rather than as permanent problems that will prevent the delivery of care. That's good, since delivering care is what providers do. According to the Long Island Business News, the biggest problem for providers facing HIPAA compliance issues is interpreting the regulations and finding out what is reasonable. You don't need to buy a $50,000 shredder, but you also can't just throw records in the trash. Balance is the key, and once providers (and other covered entities) get a handle on that, they'll be able to navigate the HIPAA speedbumps better.

Lack of Information in Data Fields Leads to Denied Claims: According to physician consulting firm MedSynergies, physician practices are seeing a growing number of claims rejected by payors for failure to include information in all required data fields. Often, it is hard for the practice to determine what information is missing and what is needed, which makes it difficult for practices to meet filing timeframes. Should this be happening, since HIPAA should have standardized all fields? Perhaps, but HIPAA did allow payors to ask for additional information in particular fields, and not all payors are using strict X-12 formats. Of course, even understanding the X-12 form 837 (the standard claims submission form) is almost impossible if you don't understand computer code (which I, as a proud liberal arts major, don't, at all).

One thing is clear, whether under HIPAA requirements, managed care or payor contracts, Medicare/Medicaid, or state Prompt Claims laws: providers need to keep on top of their billing and coding processes to make sure that they are providing the right information to get paid and doing so in a timely fashion. Failure to provide the right information, OR failure to provide it within the required time frames, can result in rejected claims which just might be lost forever (or at least fall outside the "prompt pay" law requirements that give providers some leverage over payors).
Jeff [12:06 PM]

[ Thursday, January 08, 2004 ]

 

More OT (but with a HIPAA angle): You've probably heard of the Tenet Redding Hospital case, where unnecessary heart surgery procedures were being performed by cardiologists at a Tenet hospital in California, and Tenet paid a big ($54 million) settlement, since it was accused of buying those referrals from the cardiologists. Well, the case came about because of a couple of whistleblowers, who have just been awarded $8.1 million of the settlement amount. Ready for the "movie of the week" angle? The whistleblowers were two Catholic priests, Fr. John Corapi and Fr. Joseph Zerga.

The HIPAA angle: this can serve as a cautionary tale to covered entities who don't think they need to worry too much about their HIPAA compliance. There is a definite incentive for people who you think are your friends to turn you in to the Feds if there are fines and penalties involved. If you're violating HIPAA to such an extent that you might get hit with monetary penalties, you should consider yourself to have a bounty on your head. Additionally, note that HIPAA prevents a covered entity employer from retaliating against an employee that reports a HIPAA violation. If you're not 100% all square on your HIPAA compliance, expect that any disgruntled, about-to-be-fired employee will report you in an attempt to save their own job.
Jeff [10:54 AM]

 

Non-Profit corporations and excess benefits: This is off the HIPAA topic, but is big news for big nonprofit healthcare corporations. The IRS has issued guidance to its field/auditing staff in the Exempt Organizations arena outlining what the IRS thinks are automatically excess benefit transactions. If you deal with nonprofits much, you know that if a nonprofit pays an excess benefit to an insider (for example, it pays its CEO an overinflated salary), it is "private inurement" and an "excess benefit." In the old days, the IRS' only option was to yank the tax-exempt status of the nonprofit. About 10 years ago, the IRS initiated the concept of the "intermediate sanction" for excess benefit transactions, where both the organization paying the benefit and the recipient of the benefit were taxed on the excessive portion of the benefit at such a level that would basically confiscate it. Instead of the "death penalty" for the tax-exempt organization, it was a confiscatory tax on the recipient of the excess benefit.

The problem with excess benefit transactions (as well as with private inurement and "private benefit" -- transactions that would be inurement but the recipient is not an "insider" with the nonprofit organization -- and other types of improper uses of funds) is that a compensation arrangement that may look outrageous when compared to one analog might look rational compared with another. Take, for instance, the money paid to Richard Grasso of the NYSE. While compared to the money paid to the CEOs of the AMEX and the NASDAQ, he was highly overpaid, but compared to the compensation of the heads of the Dow Industrial companies, he was a little underpaid. How does the IRS make a determination whether the money paid to a nonprofit's executive is too much? Basically, it's left to the field agents who audit the nonprofits to make the initial call, but how do they decide if it's money wasted (we're talking about nonprofit organizations here; executives shouldn't expect to make a lot of money working for a nonprofit) or money well spent (you have to pay competitive salaries to the private sector to get in the big names, and the big names will run the organization better and get bigger contributors as well)?

The IRS has now provided guidance to its auditors to use as a guideline for the auditors to determine what is an excess benefit transaction. The IRS usually provides this type of written guidance for two reasons: to keep its auditors all on the same page and consistent in their reviews, and to give the affected industries a "heads-up" on what the IRS is thinking and how it will review things, so the industries can make sure their ducks are in a row.

The guidance here is pretty useful if you're a nonprofit with highly-compensated officers and/or directors. Even if you don't think the compensation is particularly high, it would be a good idea to check out this guidance and make sure you've got a paper trail to justify what you're spending (cash, wages, compensation, etc.) and making available (gifts, benefits, perks, etc.) to your officers, directors, physicians, benefactors, etc.

Now, back to your regularly scheduled HIPAA junk.
Jeff [10:38 AM]

[ Wednesday, January 07, 2004 ]

 

Survey says . . . again:

Phoenix Health Systems again is asking for input for their quarterly HIPAA survey. You can start here, and follow the prompts to give your input.
Jeff [5:33 PM]

[ Monday, January 05, 2004 ]

 

2003 in Review: Here's an interesting article from the San Francisco Chronicle outlining the top 10 health stories from 2003. One local reference issue and a gratuitous slam of President Bush included to make sure you know it's coming from the Left Coast.
Jeff [12:20 PM]

[ Friday, January 02, 2004 ]

 

What's going on with your privacy program now?

Medical Newswire recently published some helpful hints on what you should be doing with your privacy program. Even though you got everything in place back in April, things change, you encounter new challenges, and you should adjust, adapt, and fine tune your privacy program to account for it. Five strategies outlined by Medical Newswire that make a lot of sense:

Review your forms. Make sure your NoPP and BAA say what they should. If you didn't develop authorizations or other forms, you might want to do that now. Do you have any new business associates? Perhaps your staff or patients have asked questions about your NoPP that would lead you to think some area or another is unclear and could use better wording. Perhaps they've been filling in the forms incorrectly; if so, see if you can determine why they're making mistakes, and fix the problem. Keep in mind, however, that if you materially change your NoPP, you can't use PHI from prior patients until they've signed the new NoPP.

Update your policies and procedures. This is something you should always be working on, but it is especially important with your privacy plan. Make sure your policies and procedures really reflect the way you run your office (or change the way you run your office). Incorporate changes that your staff recommends, based on issues they've encountered that result in conflicts.

Keep up with state and federal law changes. Make sure you have changed anything you need to change based on the Security Rule. What is your local bar association doing to coordinate subpoenas for medical records? If you get lots of incorrect subpoenas, see if you can coordinate with the requesting attorneys to make sure they know to use the right forms.

Requet feedback. From your staff, your patients, your vendors, your business associates, your referring/referrant physicians, and hospitals and other providers that you deal with. This will help you fine tune where you need it, and will also let you know if your practice is "culturally attuned" to HIPAA (if you needed a big change in corporate culture to implement HIPAA, seek out feedback that will let you know if those changes have been made and are adopted by your workforce.

Training never ends. Don't let HIPAA awareness fade, especially if it was hard to establish in the first place.
Jeff [5:26 PM]

 

Some clean-up items:

CMS recently announced the top 9 problems in TCS usage, noting that half of all electronic claims for Medicare have some defect from the pure X12 standard. The top problems:

Errors in the provider's SS# or Tax ID number (data element NM109);
Enveloping isues with ISA and GS segments;
Invalid taxonomy codes;
Invalid characters in the data stream (software problems?);
Missing subscriber data elements, such as date of birth or gender;
Missing or incorrectly coded address information (data elements N3 and N4);
Missing contact phone number of person submitting claim;
Sending billing provider and rendering provider loops when they are the same entity; and
Invalid date formats.

I don't know what several of those are, but it looks like billing software hasn't kept pace with where it needs to be for HIPAA TCS compliance.
Jeff [5:10 PM]

http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template

A discussion of medical privacy issues buried in political arcana

E-mail me at jdrummond-at-jw.com

- Archives - March 2002 April 2002 May 2002 June 2002 July 2002 August 2002 September 2002 October 2002 November 2002 December 2002 January 2003 February 2003 March 2003 April 2003 May 2003 June 2003 July 2003 August 2003 September 2003 October 2003 November 2003 December 2003 January 2004 February 2004 March 2004 April 2004 May 2004 June 2004 July 2004 August 2004 September 2004 October 2004 November 2004 December 2004 January 2005 February 2005 March 2005 April 2005 May 2005 June 2005 July 2005 August 2005 September 2005 October 2005 November 2005 December 2005 January 2006 February 2006 March 2006 April 2006 May 2006 June 2006 July 2006 August 2006 September 2006 October 2006 November 2006 December 2006 January 2007 February 2007 March 2007 April 2007 May 2007 June 2007 July 2007 August 2007 September 2007 October 2007 November 2007 December 2007 January 2008 February 2008 March 2008 April 2008 May 2008 June 2008 July 2008 August 2008 September 2008 October 2008 November 2008 December 2008 January 2009 February 2009 March 2009 April 2009 May 2009 June 2009 July 2009 August 2009 September 2009 October 2009 November 2009 December 2009 January 2010 February 2010 March 2010 April 2010 May 2010 June 2010 July 2010 August 2010 September 2010 October 2010 November 2010 December 2010 January 2011 February 2011 March 2011 April 2011 May 2011 June 2011 July 2011 August 2011 September 2011 October 2011 November 2011 December 2011 January 2012 February 2012 March 2012 April 2012 May 2012 June 2012 July 2012 August 2012 September 2012 October 2012 November 2012 December 2012 January 2013 February 2013 March 2013 April 2013 May 2013 June 2013 July 2013 August 2013 September 2013 October 2013 November 2013 December 2013 January 2014 February 2014 March 2014 April 2014 May 2014 June 2014 July 2014 August 2014 September 2014 October 2014 November 2014 December 2014 January 2015 February 2015 March 2015 April 2015 May 2015 June 2015 July 2015 August 2015 September 2015 October 2015 November 2015 December 2015 January 2016 February 2016 March 2016 April 2016 May 2016 June 2016 July 2016 August 2016 September 2016 October 2016 November 2016 December 2016 January 2017 February 2017 March 2017 April 2017 May 2017 June 2017 July 2017 August 2017 September 2017 October 2017 November 2017 December 2017 January 2018 February 2018 March 2018 April 2018 May 2018 July 2018 August 2018 September 2018 October 2018 November 2018 December 2018 January 2019 February 2019 March 2019 April 2019 May 2019 June 2019 July 2019 August 2019 September 2019 October 2019 November 2019 December 2019 January 2020 February 2020 March 2020 April 2020 May 2020 June 2020 July 2020 August 2020 September 2020 October 2020 November 2020 December 2020 January 2021 February 2021 March 2021 April 2021 May 2021 June 2021 August 2021 September 2021 October 2021 November 2021 December 2021 January 2022 February 2022 March 2022 April 2022 May 2022 June 2022 July 2022 August 2022 September 2022 October 2022 November 2022 December 2022 February 2023 March 2023 April 2023 June 2023 July 2023 August 2023 September 2023 October 2023 November 2023 December 2023 January 2024 February 2024 March 2024 April 2024

[ Advertisers ]

[ Links ]
Jackson Walker home page
My (official Jackson Walker) Bio
HHS' Administrative Simplification page
OCR's HIPAA Privacy page
ICD-10 Codes
NIST's HIPAA Security Implementation page
HIPAA.org page
TCS standard-setting
HIPAA Summit's page
Harvard's HIPAA colloquium
Workgroup for EDI
Siemen's HIPAA page
Beacon Partner's HIPAAcomply
FindLaw's HIPAA law page
HIPAAComplete
HIPAADocs
AMA's HIPAA page
AHA's semi-HIPAA page
American Health Lawyers Assn
SHARP (the Southern SNIP)
Boundary Information Group's HIPAAinfo.net
HIPAA academy
MedAbiliti's Health Innovation Daily News
Thompson-West's Privacy Litigation Reporter
HIPAAnswers (HIPAA compliance solutions)
Healthcare Intelligence Network Blog
Prescription Drug Encyclopedia
Compliance Home Portal
HIPAA Training (Supremus Group)
PracticeSuite Practice Management Blog
DMEPOS Surety Bonds
Hospital.com
Human Resources Daily Advisor

[ WebRings ]
< ? law blogs # >

[ Syndicated RSS Feed ]
Click Here