HIPAA Omnibus Final Rules and Penalties

On Friday January 25, 2013, the Department of Health and Human Services published the Final Rule modifying the HIPAA privacy, security, enforcement, and breach notification rules under the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Genetic Information Non-Discrimination Act (“GINA”) as well as other modifications to the HIPAA rules. (See 45 CFR Parts 160 and 164, Federal Register Volume 78 Number 17.)

The omnibus rule actually contains four final rules. The first of these, the final modifications to HIPAA mandated by “HITECH”, was issued as a proposed rule on July 14, 2010 and contains six modifications intended to improve the Rules.

The first omnibus final rule includes the following six modifications:

  • direct liability for business associates of covered entities for compliance with certain HIPAA Privacy and Security Rule requirements;
  • strengthened limitations on the use and disclosure of protected health information;
  • expanded rights for individuals to receive electronic copies of their health information;
  • modification and redistribution of entities’ privacy practices protocols;
  • modification of individual authorization forms and other requirements to facilitate research, to permit disclosure of proof of child immunization to schools, and to enable access to decedent information; and
  • modification of the enforcement rules to address violations such as non-compliance with HIPAA rules due to willful neglect.

The second omnibus final rule adopts changes to the HIPAA enforcement rule that increase the civil monetary penalties in a tiered manner.

The third omnibus final rule involves the breach notification for unsecured protected health information under the “HITECH” act. This rule replaces the prior rules “harm” threshold with a more objective standard.

Finally, the fourth rule prohibits most health plans from using or disclosing genetic information for underwriting purposes.

These final rules take effect this month on March 26, 2013. Covered entities and business associates must comply with the applicable requirements by September 23, 2013. The penalties for violating the final rules are now as follows:

TABLE 2 – CATEGORIES OF VIOLATIONS AND RESPECTIVE PENALTY AMOUNTS AVAILABLE

Violation Category – Section 1176(a)(1)        Each Violation        All such violations of an identical provision in a calendar year
(A) Did Not Know                               $100 - $50,000        $1,500,000
(B) Reasonable Cause                           $1,000 - $50,000      $1,500,000
(C)(i) Willful Neglect-Corrected               $10,000 - $50,000     $1,500,000
(C)(ii) Willful Neglect-Not Corrected          $50,000               $1,500,000

Providers need to be aware of the penalties for violating the rules. As we most recently reported to you, the Office of Civil Rights will not hesitate to sanction providers for violating the Act in amounts in excess of $1.5 million.

Portal not “Port-All”

By: David Hirshfeld

Whether as a means of satisfying the Stage 2 “meaningful use” requirements of the HITECH Act, or in an effort simply to enhance the efficiency of their practices, many of our clients have been implementing electronic medical records software that includes patient portals.  A “patient portal” is an electronic doorway between patient and practice.  Portals often allow patients to check and download their own treatment records, and to use digital messages as a means of communicating with clinicians.  Portals can be awesome tools with which to enhance your practice, but they need to be implemented thoughtfully.

A portal is often an excellent way in which to add operational efficiencies that reduce costs, increase patient satisfaction, and increase positive outcomes; BUT, if not carefully monitored, it can become an inadvertent point of entry for information whose meaning can only be appreciated when delivered in a face-to-face office visit, where other aspects of the patient’s condition would be evident (e.g. pallor, swelling, confusion).

Portals should be limited to more benign encounters, such as: patient registration, financial clearance, medical history, appointment scheduling / confirmation, specialty referrals, notification of test results, online bill payment, non-narcotic prescription renewals, follow-up of specific conditions for which there has been a course of in-person treatment that included an agreement as to the use of the portal for follow-up.

I recommend that practitioners train their patients how and to what extent they should use the portal by presenting patients with a “Terms of Use” agreement (that they must sign); and by reminding patients of the Terms of Use if and when they use the portal for an encounter that should have been handled by an in-office visit.

A good “Terms of Use” agreement ought to convey the following information to patients before they use the portal:

  • Identify the proper subject matter to be communicated through the portal and, just as important, the types of communications that should NOT be made through the portal.
  • In addition to communication, what other functions the portal will make available to the patient (e.g. what records can patients view, can they download, can they transmit to other providers, refill prescriptions, help practice to monitor an ongoing condition, etc.).
  • The portal is highly secure, more secure than conventional email, and should be the only way that patients convey information to the practice other than in person or, perhaps, on the telephone.
  • Everything conveyed to the practice through the portal will become part of the patient’s medical record.
  • Not only the physician, but other clinicians and practice staff may read communications made through the portal.
  • How quickly, and in what format, will the practice respond to patient communications made through the portal.
  • Whether and on what terms the practice will allow access to records of its minor patients.
  • How modifications to the “Terms of Use” and portal functionality will be conveyed to patients.
  • A primer, as simple as possible, on how to effectively use your practice’s portal.

Portals can be awesome tools with which to enhance your practice; but they need to be implemented thoughtfully, and in conjunction with patient training.

ACO Challenges Are Formidable

Hanging this nation’s cost cutting/quality enhancing hopes on Accountable Care Organizations (ACOs) is bound to be frustrating and disappointing.  The ACO model seriously lacks sufficient real world grounding and is no magic pill.  Things like resources, operational capability and alignment (of financial incentives and direction) seem to have been overlooked or undervalued.

The ACO model is based on one fundamental assumption:  an expanded role of primary care physicians can slow cost increases and ensure better coordination of care.  That assumption is flawed for two reasons:  first, there is a large and growing primary care shortage; and second, the financial incentives in healthcare have driven a system based on acute, episodic interactions, leading to enormously fragmented clinical training and care.

Not only do we have inadequate resources to drive change away from acute, fee-for-service based care; we also lack resources that drive wellness. As one physician with a large hospital system recently said:  “We physicians are not trained to provide healthcare.  We’re trained to intervene when things go bad.”  Asking healthcare professionals and facilities to drive a model based on outcomes and resource consumption is theoretically possible, but a remarkable leap of faith (and training) is required, given they have made their livings off of sick people for so long.  That’s not to say that changing financial incentives from acuity to wellness and outcomes won’t work.  It’s just going to require training and proof that the players can make money with the new mandates.

As far as operations go, those with the greatest access to management, capital, IT and such are also the most expensive—hospitals.  It makes sense that the core objective of healthcare reform is to “squeeze the toothpaste tube” backwards from hospital to specialist to primary care physicians, but it’s a great leap of faith to expect that hospitals will or even can control costs.  In a healthcare system where providers admittedly are rewarded for doing more with more expensive things, the sharp turn required by the new law will require more than just a new law.  With all the current hospital-driven physician acquisitions, the increasing role of hospitals on the ACO issue looks at times more like turf guarding than any real cost-saving, quality enhancing move.

At the end of the day, all players have to answer the question “Did they reduce cost and enhance quality?”  It seems convincing that moving away from the fee for service model will change behavior.  We just need to make sure (1) there are sufficient resources to implement the change, and (2) financial and clinical issues are well balanced.  Time will tell, but meanwhile the current irony is that the most expensive link in the chain is best situated to actually operationalize the ACO concept.

Alignment is critical.  Financial alignment will require the players to believe they can all thrive in the new ACO model, yet physicians are historically leery of any hospital driven system.  In fact, given that hospitals are driving the ACO bus at the moment, the biggest fear among physicians is that they will be left out.  Even among physician-driven ACOs, the tension between primary care physicians and specialists is intense.  How much of any savings will go to primaries vs. specialists is no less divisive than the issue of the hospital/physician split of the shared savings.

Even more critical is the apparent lack of consideration given to the need for patient participation.  Where is the financial incentive for healthy patient choices and the disincentive for unhealthy patient choices?  Moreover, in a culture where more is more, why would anyone want to receive care from an organization that gets more by giving less?  Given further the ability of patients to wander in and out of ACOs and yet charge their ACO with the costs of non-ACO providers (who arguably have no stake at all in reducing expenses), the forecast for patient alignment is gloomy, but their buy in is critical.  It is difficult to see where patients have any stake in this change and would even be inclined to choose to be served by an ACO.  Many noted theorists have drilled on the glaring lack of patient alignment.  Rama Juturu and recent Wall Street Journal editorialists/economist Clayton Christensen have been outspoken about the need to enlist patients in the drive from intervention to prevention.  Patients that flock to ACOs (or whatever) will only do so if they see what’s in it for them.  The only thing an ACO can sell is results, outcomes.  And that’s gonna take time to measure and to sell.

At the end of the day, the threat of ACOs (and any vehicle to control healthcare costs more effectively) isn’t that they won’t work.  It’s that cost concerns will outstrip clinical ones.  While it can be argued that the employment of physicians by traditionally adverse players (like hospitals) will likely reduce the tension between them, it is precisely that tension that has always held the threat of “money over quality” at bay.  What will happen as hospitals and other healthcare players employ more and more physicians?  One can only hope that it is not silence and that, as found in some well established systems in the Midwest and West, respect for the different and necessary roles of ensuring both quality and economic survival will balance out, regardless of the healthcare delivery model that emerges.

Final Privacy Rule Affects Clinical Research Organizations

The final HITECH Act rule was published on January 25th, and it includes revisions to HIPAA.  The two things affected by the new rule are (1) compound authorizations, and (2) authorizations for future research.

Compound authorizations are basically authorizations for two separate uses of protected health information (PHI).  The new rule allows combining an authorization for a research study with any other written permission for the same study, such as authorization to participate in the research.  The core elements of a valid authorization remain in place.  The intent is just to provide some flexibility in clinical research settings.

Traditionally, authorizations had to be study specific.  The new rule allows authorizations not to be study specific, but they have to describe future uses or disclosures in a way that patients will understand that their PHI could be used in future research.

What You Need to Know About the Physician Feedback/Value-Based Payment Modifier Program

Via CMS.gov

What?
The Physician Feedback/Value-Based Payment Modifier Program provides comparative performance information to physicians and medical practice groups, as part of Medicare’s efforts to improve the quality and efficiency of medical care.  By providing meaningful and actionable information to physicians so they can improve the care they deliver, CMS is moving toward physician reimbursement that rewards value rather than volume.

The Program (which is specific to Fee-For-Service Medicare—not Medicare Advantage) contains two primary components:

  • The Physician Quality and Resource Use Reports (QRURs, sometimes referred to as “the Reports”)
  • Development and implementation of a Value-based Payment Modifier (value modifier)

Why? 
This program supports the transformation of Medicare from a passive payer to an active purchaser of higher quality, more efficient health care through the value-based purchasing (VBP) initiative.  Physician feedback reporting was initiated under Section 131 of the Medicare Improvements for Patients and Providers Act of 2008 (MIPPA), and was expanded by section 3003 of the Affordable Care Act of 2010. The Affordable Care Act directed CMS to provide information to physicians and medical practice groups about the resources used and quality of care provided to their Medicare Fee-For-Service patients, including quantification and comparisons of patterns of resource use/cost among physicians and medical practice groups. Most resource use and quality information in the QRURs is displayed as relative comparisons of performance among similar physicians or groups.  Section 3007 of the Affordable Care Act mandated that, by 2015, CMS begin applying a value modifier under the Medicare Physician Fee Schedule (MPFS).  Both cost and quality data are to be included in calculating payments for physicians. By 2017, the Value-based Payment Modifier is to be applied to all physicians who bill Medicare for services provided under the physician fee schedule.

Closely Monitoring the 26.5% Medicare Physician Payment Threat

Via HCMA, SGR Advocacy Alert from the AMA:  The negotiations between Speaker Boehner and President Obama on the Lame Duck tax and deficit reduction package are at an impasse. There is a very real threat of the 26.5 percent Medicare physician payment cut taking effect on January 1, 2013, at least temporarily.

If Congress does adjourn without addressing the payment cut being induced by the sustainable growth rate (SGR) formula, the Administration announced today that the Centers for Medicare and Medicaid Services will follow normal claims processing procedures.

That is, claims will not be held and Medicare carriers will process payments for physician services provided after December 31 under the normal 14-day cycle required by law.  Payment for these claims would be based on the new, lower fee schedule conversion factor of $25.0008, as opposed to the current rate of $34.0376.

At this time, it is impossible to predict whether the 112th Congress will find a way to pass a stop-gap measure before adjourning, how long such a measure would last, or how long payment cuts will be in effect before legislation can be passed after the 113th Congress convenes in January.  It is highly unusual for a new Congress to enact significant legislation in the first month of its session, but the circumstances facing our nation today are far from typical.

It is inexcusable that Congress is once again putting the 47 million Medicare patients and the practices of physicians who provide them needed health care at significant risk.  The Medicare program has become unreliable and its instability undermines efforts by physicians to implement new health care delivery models that stand to improve value for seniors and other beneficiaries through better care coordination, chronic disease management, and keeping patients healthy.

The AMA believes that the financial disruption this situation will cause for physicians and their practices is unacceptable, and we will continue to fervently convey this message in the strongest possible terms to Congress and the Administration, as we have for the past several weeks.  Our patient and physician grassroots networks have been activated, and we are seeking your voices to tell Congress just how deeply its inaction will affect you.

Despite these efforts, at this time we feel compelled to advise physicians to start making plans for steps they can take to mitigate this disruption and meet their own financial obligations in January, in case the 26.5 percent cut actually takes effect.  Given the potential impact on practice revenue in early January, physicians should be certain adequate arrangements are in place to sustain their practices.  For those physicians who are forced into the untenable position of limiting their involvement with the Medicare program because it threatens the viability of their practices, we urge that patients be notified promptly so that they, too, can explore other options to seek health care and medical treatment.

FTC Interim Final Red Flags Rule a Reprieve for Health Care Providers

By:  Rodger Hochman, Board Certified in Health Law

On November 30, 2012, the Federal Trade Commission (FTC) issued its interim final “Red Flags Rule” which narrowed the definition of “creditor” in such a way that essentially confirms that most health care service providers are not subject to its requirements.

The Red Flags Rule was originally promulgated in reaction to the perceived risk of identity theft in various transactions involving financial institutions and creditors, and it required them to develop and implement a written identity theft program to combat these risks, including internal processes for identifying “red flags” of identity theft.  The application of the Red Flags Rule to health care service providers was controversial since it advanced a counterintuitive notion that a provider who engaged in ordinary course business activities, such as rendering health care services where insurance or other payment would be received later, was a “creditor” by definition, and thus was equated with the business of financial institutions and subject to standards more applicable to the relationship between commercial creditors or lenders and their customers.

Under the original rule, any “creditor” was required to establish an identity theft program.  The definition included “any person who regularly extends, renews, or continues credit…”  The FTC interpreted this expansively to include physicians and other providers who accept insurance as payment or who permit payment plans, where payment in full was not received at the time of service.  Thus, if a physician or hospital were to accept a patient’s insurance coverage or bill the balance not covered by insurance to the patient, that was viewed as an extension of credit to the patient which triggered regulatory compliance obligations by the provider.  Although the FTC later clarified its position in saying that it applied only to creditors that regularly and in the ordinary course of business advance funds, there was still some ambiguity.

The interim final rule now makes clear that advancing funds does not include what is routine health care services billing and collection activities (such as deferring payment of fees in connection with providing services) and that most service providers are not subject to the rule.  Nevertheless, while the interim final rule confirms that most providers are not subject to the Red Flags Rule, entities that collect consumer data should still carefully consider how they collect and use such data.   To the extent that they use or provide patient information in connection with credit reporting services, the Red Flags Rule would apply.  Further, health care providers remain subject to the HIPAA/HITECH privacy and security rules with respect to all patient identifying information regardless of whether they are subject to the Red Flags Rule.

Florida Board of Medicine Set to Tackle Telemedicine Issue

Florida laws that pertain to telemedicine are precious few.  In fact, there is really only one regulation dead on target, and that requires face to face physician contact with a patient in order to write a prescription.  The impact on hormone replacement therapy (HRT) providers was pretty immediate, but the legal issues related to telemedicine are just not currently addressed in Florida law.  Does providing a telemedicine consult create a physician-patient relationship?  What are the requirements related to the medical records arising out of the consult, and who owns the records?  These issues and many more are simply not handled.  And yet, if it is true that telemedicine will be an important tool in the effort to both broaden the availability of care while reducing associated costs, we can be sure that Florida law will evolve on these issues.

Perceived Risk Outweighs Actual Harm in Assessing $1.5M HIPAA Fine

The Office of Civil Rights’ recent assessment of a $1.5 million fine for HIPAA violations should be a shrill wakeup call to all health care organizations that use (or allow their physicians to use) portable devices containing patient identifiable information.  The sanction stems from a physician’s lost laptop computer containing electronic protected health information (ePHI).

Importantly, the OCR’s investigation could not establish whether ePHI was used or even accessed, partly because the device was lost in a foreign country.  However, it was not necessary to definitively conclude if any data had been compromised; the OCR was more concerned that the offending provider had not implemented appropriate measures mandated by the HIPAA Security Rule which could have reduced, mitigated or eliminated the risk altogether.  For the OCR, the heart of the matter was the fact that the covered entity failed to fully assess and evaluate the risk to the confidentiality and security of ePHI on portable devices used by its physicians in their personal activities, and failed to have a process to address when such devices are lost.  In this case, it was the incident itself that caused the organization to formalize and take responsive measures.  The barn door was closed after the horse got out.  To the OCR, the covered entity’s reactive, rather than proactive approach, was totally at odds with HIPAA Security Rule concerns and the mandated obligations of covered entities.

The facts are fairly simple.  A research physician from a Massachusetts specialty hospital facility was traveling to South Korea to give a lecture when he misplaced his backpack in a public area.  A personal laptop, containing health information of several thousand patients, was in the backpack.  The computer was eventually “detected” a few weeks later when it was connected to the internet, and its hard drive was later remotely “wiped”; however, the device was not recovered.  The incident was then reported to the OCR in accordance with the breach notification requirements of the HIPAA Security Rule.

This is an instructive case for a number of reasons.  For one, it is important to recognize that the OCR’s investigation was prompted by the obligatory “breach notification” it received from the provider.  The OCR’s inevitable investigation in turn revealed that there was significant noncompliance with multiple aspects of the Security Rule.  Notably, the OCR determined that the covered entity had lax control over, and little knowledge concerning, its own physicians’ use of laptops issued to them by the organization.  Physicians were permitted unfettered access to the entity’s information, took their devices off-site where they were used for personal activities, and could remotely download information and install applications freely on these personal devices.  Further, while the laptop in question was password protected and had “LoJack” tracking and wiping software, encryption was not employed.  Moreover, many weeks passed before a hard drive wipe was effectuated, and only after it was determined that the device had been connected to the internet.  In short, the OCR concluded that the entity had neither conducted an adequate security assessment nor established necessary policies or procedures addressing laptop use, and had not promulgated an appropriate response procedure.  Instead, it reacted to the lost laptop in a scramble of ad hoc activity and only instituted organization-wide changes as a result of this episode.

The most significant issue for the OCR in assessing a $1.5 million fine was not whether the incident caused actual harm to any patient, but the degree of risk of potential harm and whether reasonable steps and safeguards should have been in place to mitigate any data breach.  In short, the entity should have anticipated that laptops would be lost, and it should have addressed the attendant risks through a deliberate process and in a manner that is “situationally” appropriate for the organization.  Here, the organization abrogated such a duty, thus prompting a fine that may be disproportionate to the perceived harm.  This outcome should prompt providers to seriously regard the HIPAA Security Rule and the OCR’s enforcement efforts, and to abandon any “no harm, no foul” notions they might apply when security breaches occur and must be reported.