Articles Posted in Compliance

Published on:

by

On February 12, 2021, the Office for Civil Rights (OCR) at the U.S Department of Health and Human Services (HHS) announced the details of its previously-announced discretion in the enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act related to privacy, security, and date breaches. OCR will not penalize covered health care providers or their business associates for non-compliance under HIPAA for the good faith use of online or web-based scheduling applications (WBSAs) for scheduling COVID-19 vaccination appointments during the COVID-19 pandemic.

During the COVID-19 public health emergency, HIPAA covered providers, such as large pharmacy chains, or business associates acting on behalf of the covered providers, may utilize WBSAs to schedule individual appointments for COVID-19 vaccinations. For the purposes of this exercise of discretion, a WBSA is an online or web-based application that only allows the intended parties to access the data and that provides individual appointment scheduling related to largescale COVID-19 vaccination. Technology that directly connects to electronic health records (EHR) systems used by covered providers is not included in this discretionary measure and does not constitute a WBSA. The HIPAA privacy rules allow business associates of a covered entity to use and disclose protected health information (PHI) for certain functions, only as dictated by a business associate contract or other agreement. However, during the COVID-19 pandemic, health care providers need to quickly schedule many appointments for COVID-19 vaccinations and often do this through WBSAs. Some of these online scheduling applications, and the way in which healthcare providers use them, may not comply with the HIPAA privacy rules.  Furthermore, vendors of the WBSAs may not know providers are using these applications to create and send PHI, potentially making the WBSA vendors business associates under HIPAA.

OCR will exercise discretion in the enforcement of HIPAA privacy rules and will not penalize covered healthcare providers, their business associates, or WBSA vendors who are technically business associates, for noncompliance as it relates to the scheduling of individual COVID-19 vaccination appointments during the COVID-19 pandemic. This enforcement discretion applies to covered healthcare providers and their business associates, which are, in good faith, using WBSAs to schedule COVID-19 vaccination appointments, as well as WBSA vendors whose platform is being used to schedule COVID-19 vaccination appointments. Discretion does not apply to covered providers or business associates for activities unrelated to the scheduling of COVID-19 vaccinations or if the covered providers or business associates fail to act in good faith. Instances where a covered provider or business associate are not acting in good faith include: the use of a WBSA that allows the sale of personal information collected, the use of a WBSA for purposes other than scheduling COVID-19 vaccination appointments, the use of a WBSA without reasonable safeguards to protect the PHI, and the use of a WBSA to screen individuals for COVID-19 before an in-person visit.

Continue reading
Published on:

by

A revocation of Medicare billing privileges can have devastating impacts on a healthcare provider. Not only does a revocation render the provider unable to bill the Medicare program for a period of time, but it can have wide-ranging impacts on a provider’s practical ability to operate or to practice in their chosen field.

Medicare billing privileges can be revoked for twenty-two enumerated reasons, including non-compliance with Medicare enrollment requirements, felony convictions, and failure to respond to requests for medical records. A recent expansion of CMS’s revocation authority also updated the ability to revoke a provider for an “abuse of billing privileges” to include a pattern or practice of submitting claims that do not meet Medicare requirements. In some cases, the Medicare Administrative Contractor (MAC) gathers the information and determines to revoke a provider. In other cases, the MAC forwards the information to the Centers for Medicare & Medicaid Services (CMS) and CMS makes the revocation determination. The revocation may be based on a prior interaction with the MAC or CMS, such as a prior audit of the provider. The provider may not necessarily be told during this interaction that it can lead to a revocation of billing privileges.

When CMS or a MAC revokes billing privileges, they will set a reenrollment bar, which dictates how long a provider must wait before it can reapply for Medicare billing privileges. CMS recently expanded its authority to set the reenrollment bar. In general, reenrollment bars may now be set between 1 and 10 years, depending on the circumstances, although certain provisions allow for longer bars. CMS may also decide to place a revoked provider on the CMS Preclusion List. The Preclusion List labels the provider a “bad actor” and cuts off their ability to bill Medicare Part C and Part D. A Medicare revocation or placement on the Preclusion List may also impact contracts outside the Medicare program. For example, commercial carriers may terminate participation agreements with a provider based on a Medicare revocation or placement on the Preclusion List.

Continue reading
Published on:

by

On February 17, 2021, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) updated its FAQ’s concerning the COVID-19 public health emergency. In the update, OIG gave guidance on its enforcement discretion regarding administrative services provided to COVID-19 vaccination sites on a per-vaccine basis. It should be noted that this guidance is not an advisory opinion, is not binding on OIG, and does not constitute a waiver of any statutory or regulatory requirement, though it may be helpful when structuring these arrangements.

OIG addressed the question of whether a non-provider philanthropic entity could contract to provide administrative services to a healthcare provider relating to the operation of COVID-19 vaccination sites and be compensated on a per-vaccine basis. The entity would provide administrative services including arranging for the physical vaccination sites, data systems, online and web-based scheduling, site development and training, and reporting to state agencies. The healthcare provider would provide clinical staff, oversee administration of the vaccine, and bill third-party payors, including federal healthcare programs.

After billing for the vaccine administration, the healthcare provider would retain a certain amount per hour for compensation and to cover staffing costs. The remainder of the compensation would flow to the entity providing the administrative services. OIG specified that there would be no other arrangements between the entity, the healthcare provider, any beneficiary, or other person capable of arranging for referrals for items or services payable by a federal healthcare program.

Continue reading
Published on:

by

Many Medicare practitioners, providers, and suppliers do not directly bill for the services they supply and similarly do not directly receive reimbursement. Billing and reimbursement may occur through an employment or independent contractor relationship, through a billing company, or through another arrangement. However, each of these arrangements must comply with the Medicare assignment of payment rules that dictate how and to whom the practitioner, provider, or supplier may assign their right to receive reimbursement from Medicare.

The general rule is that Medicare will pay assigned benefits only to the physician, practitioner, or supplier who furnished the service, and not to another person or entity. To reassign payment to another person or entity, an arrangement must meet one of several enumerated exceptions. The most common exceptions are:

Payment to Agent: Medicare may make payment, in the name of the provider, to an agent who furnishes billing or collection services. In general, the agent or billing company may not have a financial interest in the dollar amount billed or the actual collection of payment, and the agent must act under payment disposition instructions which the provider may modify or revoke at any time. Different provisions may apply if the agent merely prepares bills and does not receive payment for the provider or supplier.

Continue reading
Published on:

by

Targeted Probe and Educate (TPE) reviews are a popular audit tool for Medicare Administrative Contractors (MACs) to assess a healthcare provider or supplier’s compliance with Medicare billing requirements. A TPE review consists of up to three rounds of claims review, with education to the provider after each round. A provider or supplier navigating a TPE review should take care to comply with the program’s requirements and timelines and should be aware of the potential consequences of a review.

The Centers for Medicare & Medicaid Services (CMS) initially introduced TPE reviews as a pilot program in only a few jurisdictions. In 2017, CMS expanded the program nationwide and has continued to update and refine the program since its introduction.

A provider who is placed on a TPE review will first receive a Notice of Review letter. This letter will describe the reason that the provider has been placed on TPE review and will provide a brief outline of the process. This letter will not request medical records but will generally indicate that medical records requests will be forthcoming. This letter will likely warn that, if a provider/supplier fails to improve the accuracy of its claims after three rounds, the MAC will refer the provider/supplier to CMS for additional action, such as prepayment review, extrapolation of overpayments, referral to a RAC, or other disciplinary action. Providers should be aware that a TPE can lead to revocation of Medicare billing privileges and placement on the CMS Preclusion List.

Continue reading
Published on:

by

On January 14, 2021, the Centers for Medicare & Medicaid Services (CMS) issued a final rule codifying a definition for “reasonable and necessary” coverage under Medicare Part A and Part B. CMS hopes codifying the meaning of “reasonable and necessary” will provide clarity and consistency to the current process of coverage determination for items and services under Part A and Part B. The final rule takes effect on March 15, 2021.

The definition of “reasonable and necessary” has three components: an item or service is required to be 1) safe and effective, 2) not experimental or investigational, and 3) appropriate for Medicare patients. Whether an item or service is appropriate for Medicare patients will be based on the duration and frequency deemed appropriate for the item or service and whether the item or service:

  • Is provided in accordance with accepted standards of medical practice
Continue reading
Published on:

by

On January 15, 2021, the Centers for Medicare & Medicaid Services (CMS) finalized the agency’s “CMS Interoperability and Prior Authorization” rule to improve the prior authorization process and give patients more control in accessing and understanding their health data. Under the rule, certain payers, such as Medicaid and CHIP managed care plans, state Medicaid and CHIP fee-for-service programs (FFS) and those that issue individual market Qualified Health Plans (QHPs) on the federally-facilitated exchanges (FFEs)) must create and utilize technology known as application programing interfaces (APIs). APIs are commonly used in smartphone applications, and when incorporated into electronic health records (EHR), can enable simple and immediate access to health data for providers.

Each payer obligated under this rule must build a documentation search program driven by an API, and make the program public, allowing providers to access health documentation and prior authorization requirements from various EHR platforms. Once a provider determines what each prior authorization requires, the authorization can then be submitted electronically. Moreover, the payers are required to implement, under the already established Patient Access API, laboratory results and other claims and encounter data, as well as information regarding a patient’s pending and active prior authorizations.

Payers must also communicate this data with a patient’s provider if asked, and with other payers, should a patient’s coverage or provider change. This will allow patients, providers, and payers to have all the necessary data when needed, automating the process and reducing the administrative burden on providers. As a result, providers will be less likely to work with incomplete health information and the likelihood of repeat prior authorization requests will decrease, resulting in more time the provider has to spend with the patient. Notably, Medicare Advantage plans are not included in this new rule and not subject to its requirements; however, CMS is continuing to consider whether Medicare Advantage plans should be included.

Continue reading
Published on:

by

On January 12, 2021, the Department of Health and Human Services (HHS) issued sweeping new directives regarding the procedures the Department will follow when relying on guidance documents, initiating enforcement actions, making jurisdictional determinations, and allowing prior notice and opportunity to be heard on agency determinations. These directives apply to civil and administrative enforcement proceedings and adjudications and take effect immediately.

First, HHS directed that the Department may not use guidance documents to impose binding requirements or prohibitions on persons outside of the executive branch except as authorized by law or expressly incorporated into a contract. That is, noncompliance with a standard or practice found only in a guidance document will not constitute a violation of the applicable statute or regulation. Further, the Department may refer to a guidance document in a civil enforcement action only if it has notified the public of the guidance in advance.

Second, HHS directed that the Department will only apply standards and practices, including in initiating a civil enforcement action or making an agency decision, that have been publicly stated in a way that would not cause unfair surprise. Of note, HHS defined “unfair surprise” to include when the Department initiates litigation following a lengthy period of conspicuous inaction.

Continue reading
Published on:

by

On December 18, 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued new guidance on the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The guidance addresses important questions related to the definition of a health information exchange (HIE), when covered entities can disclose protected health information (PHI) to an HIE without the individual’s authorization, whether covered entities need a direct request from the public health authority (PHA) to disclose PHI, and whether a covered entity must provide notice to individuals regarding disclosures of PHI for public health purposes. In addition, the guidance provides examples for providers and entities relevant to HIPAA and the COVID-19 pandemic.

Questions addressed in the guidance include:

What is a health information exchange (HIE)?

Continue reading
Published on:

by

On December 16, 2020, the Department of Health and Human Services (“HHS”) announced that it would begin Phase 3 of general distributions under the Provider Relief Fund (“PRF”) and that Phase 3 would be larger than initially planned. The PRF is a $175 billion fund created Congress through the CARES Act and administered by HHS to provide financial relief to healthcare providers during the COVID-19 pandemic. The PRF is administered by HHS through the Health Resource Services Administration (“HRSA”). HHS has subdivided the PRF into various general and targeted distributions.

Earlier in 2020, HHS had made two general distributions under the PRF. The Phase 1 general distribution consisted of $50 billion in financial payments, released in two successive tranches of $30 billion and $20 billion, to healthcare providers based to providers who billed Medicare. The Phase 2 general distribution consisted of an additional $18 billion in financial payments to providers that billed Medicaid, dentists, assisted living facilities, and providers that were not eligible under the terms of Phase 1 due to a change in ownership.

On October 1, 2020, HHS announced the Phase 3 general distribution. The Phase 3 general distribution was initially planned to consist of $20 billion on financial payments to providers who were either excluded from the initial two phases, or who were eligible under the first two phases but required additional funding to cover ongoing financial losses accrued during the pandemic. The following providers are eligible for Phase 3 General Distribution funding: (1) Providers who have previously received, rejected, or accepted a General Distribution PRF payment; (2) behavioral health providers, including those that have previously received funding; and (3) healthcare providers that began practicing January 1, 2020 through March 31, 2020. All providers who receive payments must attest to receiving the payment and accept the associated Terms and Conditions.

Continue reading
Contact Information
210 E 3rd St #204
Royal Oak, MI 48067
Phone: 248-544-0888
Fax: 248-544-3111

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Please do not include any confidential or sensitive information in a contact form, text message, or voicemail. The contact form sends information by non-encrypted email, which is not secure. Submitting a contact form, sending a text message, making a phone call, or leaving a voicemail does not create an attorney-client relationship.

Copyright © 2016 – 2025, Wachler & Associates, P.C.
JUSTIA Law Firm Blog Design