Health Law News and Notes

On August 3 the HHS Secretary Kathleen Sebelius announced that authority for the administration and enforcement of the HIPAA Security rule will now be delegated to the Office for Civil Rights (OCR). The Security Rule was previously administered and enforced by CMS.  According to a press release issued by HHS, the delegation of both rules to the OCR will avoid duplication and improve efficiencies.  As Ms. Sebelius explained, “[P]rivacy and security are naturally intertwined, because they both address protected health information.  Combining the enforcement authority in one agency within HHS will facilitate improvements by eliminating duplication and increasing efficiency.” 

The HIPAA Privacy Rule issues federal protections for ”protected health information” held by covered entities, and the OCR has been in charge of the enforcement of this rule since 2003.  The Security Rule requires similar administrative, technical, and physical security safeguards that are specific to protected health information that is in electronic form. 

The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA) mandated improved enforcement of the Privacy Rule and Security Rule.  

The news release can be accessed here.

Wachler & Associates was featured in today’s edition of the Detroit Legal News for our work  defending RAC audits.   

To read the article, click here.

For more information and updates about RAC audits, please see our special RAC website at www.RACattorneys.com.

The Federal Trade Commission (FTC) announced today that it will delay the enforcement date of the Red Flags Rule until November 1, 2009.  This is the third delay prompted, in part, by concerns expressed by the health care community.  The FTC announced that this most recent delay will give those subject to the rule more time to develop and implement written identity theft prevention programs.

The FTC originally announced the Red Flags Rule last summer.  As previously blogged here, a health care provider who regularly bills patients after completion of services, allows patients to set up payment plans, or helps patients get credit from other services will fall under the rule’s broad definition of creditor.  Providers who are subject to the rule are required to develop and implement a written Identity Theft Prevention Program.  The policy must deal with the identification, detection and response to specific “red flags.”

At Wachler & Associates, P.C. we have been working with health care providers to develop reasonable and practical Red Flags Rule compliance policies that satisfy the legal requirements of the rule.  If you need asssistance, please contact us.

On July 8, Michigan Attorney General Mike Cox announced a proposal to create a new state office that would audit the state’s Medicaid program.  Cox stated that the new program would save the state $100 million per year in fraudulent claims. 

The new agency, the Michigan Office of Medicaid Inspector General, would oversee state Medicaid contracts, inspect health care records and investigate complaints of waste or abuse. 

Currently, the Medicaid Fraud Control Unit is in charge of inspecting the state’s Medicaid program.  This Unit is to supplement the Michigan Department of Community Health’s Office of Audit.  However, Cox in his July 8th announcement criticized the MDCH audit office for not being aggressive enough.  The new Michigan Office of Medicaid Inspector General, according to Cox, will be an innovative plan to “save millions of tax dollars and ensure care is available to those who need it.”

This announcement comes at a time when the Federal government is also ramping up its Medicaid Fraud enforcement efforts through the Medicaid Integrity Program (MIP) which involves the use of private contractors to audit providers and identify overpayments.

On June 24, CMS released its most updated RAC Review Phase-In strategy.  CMS has divided the states into three categories: Yellow States, Green States and Blue States. 

For the yellow/green states, the earliest possible dates for reviews are:

-         June 2009: Automated Review - Black & White Issues.

-         Aug/Sept 2009: DRG Validation - complex review & Complex Review for coding errors.

-         Fiscal year 2010: DME Medical Necessity Reviews - complex review.

-         Calendar year 2010: Medical Necessity Reviews - complex review.

For the blue states, the earliest possible dates for reviews are:

-         August 2009: Automated Review - Black & White Issues.

-         Oct/Nov 2009: DRG Validation - complex review & Complex Review for coding errors.

-         Fiscal year 2010: DME Medical Necessity Reviews - complex review.

-         Calendar year 2010: Medical Necessity reviews - complex review.

 The yellow and green states are: Montana, Wyoming, North Dakota, South Dakota, Minnesota, Michigan, Indiana, Utah, New Mexico, California, Nevada, Colorado, Arizona, Texas, Oklahoma, Florida, South Carolina, Maine, New York, New Hampshire, Vermont, Massachusetts, Rhode Island, and Hawaii. 

 The blue states are: Washington, Oregon, Idaho, Nebraska, Kansas, Iowa, Missouri, Illinois, Wisconsin, Arkansas, Louisiana, Alabama, Mississippi, Georgia, Tennessee, North Carolina, Virginia, West Virginia, Kentucky, Ohio, Pennsylvania, Maryland, Connecticut, New Jersey, Delaware, and Alaska. 

For more information about RAC audits, including links to resources such as the phase-in plan, please visit www.racattorneys.com

The U.S. Department of Health and Human Services announced today that fifty-three people have been indicted for more than $50 million in alleged Medicare false claims. The individuals were accused of various Medicare fraud offenses, criminal false claims and violations of anti-kickback statutes.  The two main areas of Medicare fraud were infusion therapy and physical/occupational therapy providers. The indictments are a result of the Medicare Fraud Strike Force in Detroit.

The Strike Force team is a joint effort between the Department of Justice and Health & Human Services (HHS) to collaborate the efforts of federal, state and local investigators to fight Medicare fraud through the use of Medicare data analysis and community policing.  Since its inception, the Strike Force team has obtained indictments of more than 250 individuals and organizations that had billed the Medicare program for more than $600 million.

The team stems from the Health Care Fraud Prevention & Action Team (HEAT).  HEAT focuses on preventing fraud and enforcing current anti-fraud laws throughout the country.  The expansion of the Strike Force in Detroit was an effort to build upon existing partnerships between law enforcement agents, prosecutors and staff from the Justice Department and HHS.

To read the full press release, click here.

Andrew Wachler was featured in a recent Michigan Medical Law Report article discussing RAC Medicare Audits.

Important points made by Wachler include:

-         Even though there is a great emphasis on health care reform and containing costs, the RAC program is aggressive to the point of being abusive as it should not allow incentives to auditors to find alleged overpayments to providers.

-         RAC auditors, paid on a contingency fee, have recovered $1 billion in overpayments, but have only found only $37.8 million in underpayments to providers.

-         He encourages providers to not be low-hanging fruit and to appeal RAC audits assertively.

-         Wachler has defended providers in California, Massachusetts and New York with a 90% success rate.

-         To learn more about RAC audits visit: www.racattorneys.com

Beginning in 2011,  as part of the American Recovery and Reinvestment Act of 2009 (ARRA), health care providers may begin receiving incentives for adoption and “meaningful use” of Electronic Health Record (EHR) technology.  Incentives will be largest for early adopters and will phase down until 2015, after which penalties may be imposed for non-adoption of “meaningful use” of EHR technology.

The Health IT Policy Committee met today, June 16, 2009 to discuss the definition of  “meaningful use” and the types of goals, outcomes and reports that should be used to measure “meaningful use”.  The committee has created a process by which providers and other interested parties can submit comments on the proposed measures for “meaningful use”.  To see the committee’s notes as well as a matrix setting forth criteria and outcomes discussed, and for the comment submission instructions, please click here.

Despite objections by the American Medical Association and other health care provider organizations, the FTC has steadfastly maintained that most health care providers will need to comply with the “Red Flags Rules” which are set to go into effect August 1, 2009.

The “Red Flags Rules” are regulations jointly developed by the FTC, the Federal bank regulatory agencies, and the National Credit Union Administration to curb the incidence of identity theft, and in the case of health care providers, medical identity theft.

Health care providers are required to comply with the regulatory requirements if they meet the rule’s definition of a “creditor.”  A “creditor” for the purposes of the “Red Flags Rules” includes “any person who regularly extends, renews, or continues credit” or “any person who regularly arranges for the extension, renewal or continuation of credit.”

The FTC has broadly interpreted this language to include any health care provider who regularly bills patients after completion of services, allows patients to set up payment plans, or helps patients get credit from other sources.

The Rules apply to “covered accounts” which includes any account for which there is a “reasonable risk” of identity theft.  The FTC has specifically stated that it considers patient accounts to bear a “reasonable risk of identity theft” because of increasing concerns about identity fraud in the context of medical care.

Providers who are subject to the Red Flags Rules are required to implement a written Identity Theft Prevention program that is designed to detect, prevent and mitigate identity theft.

Providers who have effective policies in place for compliance with HIPAA Privacy and Security will already meet many of the requirements for the Red Flags Rules with regard to prevention of identity theft.  However, in order to be compliant with the Red Flags Rules, providers also need a policy specifically dealing with identification, detection and response to “Red Flags” which are defined as “a pattern, practice or specific activity that indicates the possible existence of identity theft.”

Violation of the Red Flags Rules can result in civil penalties of up to $2,500 per violation and can also damage a provider’s reputation and expose them to additional theories of liability.

If you have questions or need assistance with drafting a Red Flags Rule Compliance policy, or if you have not yet implemented a HIPAA Security Compliance plan, please contact us at www.wachler.com

I will be presenting a webinar through CBI on HIPAA changes resulting from the Stimulus Bill.  For more information including registration information, please click here.