Docs, You’ve Been Hacked. What’s Next?

HIPAABy: Jacqueline Bain

Healthcare providers have heard the HIPAA disaster stories: a laptop containing patient information is left on the counter at the coffee shop; a thumb drive with patient files goes missing; a rogue employee accesses patient information she has no business accessing; hackers get into a practice’s server and hold the patient information for ransom.

HIPAA is a federal law designed for safe disclosure of patient’s protected health information.  The news headlines showcase giant penalties for violations.  However, Florida health care providers should also know that Florida has its own consumer protection statute, called the Florida Information Protection Act.  So while you’re busy worrying about your HIPAA exposure in any of these situations, remember that there is potential State exposure as well.

So what should a healthcare provider do if it believes there has been a hack or some other unauthorized disclosure?  Responses vary based on the situation presented, but below is a good jumping off point: Continue reading

Billing for Associates Fraught with Risk

ACO-Payment-300x225You’ve hired a new doctor to join your practice, but it will take several months to get the new doctor on your insurance plans and to add him or her to your group practice.  What do you do?  Can you bill for the new doctor’s services under your own provider name or number?  Can you hold the billing and submit it at a later date?

Billing for the new doctor’s services under the name or provider number of a physician who did not actually perform the service is fraud.  It’s as simple as that.  And it’s a serious offense, punishable as a criminal offence, regardless of the payer involved.  In other words, it’s not true to say “Well, it’s ok to do with HMOs, but not Medicare.”  It’s fraud for every payer.  And, with federal payers, it’s a federal crime!  So what do you do?

Physicians are very limited with respect to Medicare and Medicaid patients.  The new doctor must be added to the practice’s provider number, especially if the practice provides “designated health services” such as PT, rehab, clinical lab and diagnostic imaging.  Most practices time the hiring of the new doctor with adding him or her to the provider number and also ensuring that the new doctor is contracted with various payers, all of which can take several months.

There may be a little more flexibility with respect to PPOs and HMOs, though this is tricky.  These payers are usually adamant about credentialing the new doctor and about having him or her sign a participating provider agreement before providing services to their insureds.  In some very limited circumstances, a payer may expedite the process and may even suggest a billing arrangement that would otherwise constitute insurance fraud, but physicians still need to be careful with these arrangement.  When a payer suggests such an arrangement, it is absolutely essential that the proposal and agreement be in writing and review to ensure regulatory compliance.  Otherwise, the practice and the doctors involved may be subject to fraud based claims—e.g. violations of the state insurance laws and even the federal False Claims Act.

 

Closely Monitoring the 26.5% Medicare Physician Payment Threat

Via HCMA, SGR Advocacy Alert from the AMA – – – –  The negotiations between Speaker Boehner and President Obama on the Lame Duck tax and deficit reduction package are at an impasse. There is a very real threat of the 26.5 percent Medicare physician payment cut taking effect on January 1, 2013, at least temporarily.

If Congress does adjourn without addressing the payment cut being induced by the sustainable growth rate (SGR) formula, the Administration announced today that the Centers for Medicare and Medicaid Services will follow normal claims processing procedures.

That is, claims will not be held and Medicare carriers will process payments for physician services provided after December 31 under the normal 14-day cycle required by law.  Payment for these claims would be based on the new, lower fee schedule conversion factor of $25.0008, as opposed to the current rate of $34.0376.

At this time, it is impossible to predict whether the 112th Congress will find a way to pass a stop-gap measure before adjourning, how long such a measure would last, or how long payment cuts will be in effect before legislation can be passed after the 113th Congress convenes in January.  It is highly unusual for a new Congress to enact significant legislation in the first month of its session, but the circumstances facing our nation today are far from typical.

It is inexcusable that Congress is once again putting the 47 million Medicare patients and the practices of physicians who provide them needed health care at significant risk.  The Medicare program has become unreliable and its instability undermines efforts by physicians to implement new health care delivery models that stand to improve value for seniors and other beneficiaries through better care coordination, chronic disease management, and keeping patients healthy.

The AMA believes that the financial disruption this situation will cause for physicians and their practices is unacceptable, and we will continue to fervently convey this message in the strongest possible terms to Congress and the Administration, as we have for the past several weeks.  Our patient and physician grassroots networks have been activated, and we are seeking your voices to tell Congress just how deeply its inaction will affect you.

Despite these efforts, at this time we feel compelled to advise physicians to start making plans for steps they can take to mitigate this disruption and meet their own financial obligations in January, in case the 26.5 percent cut actually takes effect.  Given the potential impact on practice revenue in early January, physicians should be certain adequate arrangements are in place to sustain their practices.  For those physicians who are forced into the untenable position of limiting their involvement with the Medicare program because it threatens the viability of their practices, we urge that patients be notified promptly so that they, too, can explore other options to seek health care and medical treatment.

FTC Interim Final Red Flags Rule a Reprieve for Health Care Providers

By:  Rodger Hochman, Board Certified in Health Law

On November 30, 2012, the Federal Trade Commission (FTC) issued its interim final “Red Flags Rule” which narrowed the definition of “creditor” in such a way that essentially confirms that most health care service providers are not subject to its requirements.

The Red Flags Rule was originally promulgated in reaction to the perceived risk of identity theft in various transactions involving financial institutions and creditors, and it required them to develop and implement a written identify theft program to combat these risks, including internal processes for identifying “red flags” of identity theft.  The application of the Red Flags Rule to health care service providers was controversial since it advanced a counterintuitive notion that a provider who engaged in ordinary course business activities, such as rendering health care services where insurance or other payment would be received later, was a “creditor” by definition, thus was equated with the business of financial institutions and subject to standards more applicable to the relationship between commercial creditors or lenders and their customers.

Under the original rule, any “creditor” was required to establish an identity theft program.  The definition included “any person who regularly extends, renews, or continues credit…”  The FTC interpreted this expansively to include physicians and other providers who accept insurance as payment or who permit payment plans, where payment in full was not received at the time of service.  Thus, if a physician or hospital were to accept a patient’s insurance coverage or bill the balance not covered by insurance to the patient, that was viewed as an extension of credit to the patient which triggered regulatory compliance obligations by the provider.  Although the FTC later clarified its position in saying that it applied only to creditors that regularly and in the ordinary course of business advance funds, there was still some ambiguity.

The interim final rule now makes clear that advancing funds does not include what is routine health care services billing and collection activities (such as deferring payment of fees in connection with providing services) and that most service providers are not subject to the rule.  Nevertheless, while the interim final rule confirms that most providers are not subject to the Red Flags Rule, entities that collect consumer data should still carefully consider how they collect and use such data.   To the extent that they use or provide patient information in connection with credit reporting services, the Red Flags Rule would apply.  Further, health care providers remain subject to the HIPAA/HITECH privacy and security rules with respect to all patient identifying information regardless of whether they are subject to the Red Flags Rule.

#FHLF October 2011 Newsletter

Click Here to view our October 2011 Newsletter:
http://conta.cc/qFxblP