Articles Posted in Compliance

Published on:

On May 29, 2012 the United States District Court for the Eastern District of North Carolina overturned the Medicare Appeals Counsel’s (MAC’s) decision regarding one evaluation and management (E/M) service claim.

Six years earlier, a CMS Program Safeguard Contractor audited Dr. Ojebuoboh. It was determined that the government had overpaid Dr. Ojebuoboh approximately $179,000. Dr. Ojebuoboh contested the overpayment through the five-step Medicare appeals process. Before the matter reached federal district court, the physician had managed to reduce the overpayment amount to $12,000.

On appeal to federal district court, Dr. Ojebuoboh argued, among other things, that the MAC reached the wrong decision as to services provided for three beneficiaries: WB, MT, and OW. At this stage, Dr. Ojebuoboh had the right to judicial review of specific claims, however; in order to overturn the prior holding he had to prove that the MAC’s decision was arbitrary and capricious. This is a difficult standard to prove as it presumes that the MAC’s decision is correct. The federal district court determined that the MAC must explain its reasons for denying the claims, yet; it need not thoroughly detail every element of every component.
Continue reading

Published on:

On May 31, 2012, Department of Health and Human Services (HHS) Director of the Office of Civil Rights Leon Rodriguez issued a memo to consumers regarding those consumers’ right to access their protected health information and medical records. In this memo, Rodriguez stressed that it is important for consumers and providers to remember that the Health Insurance Portability and Accountability Act (HIPAA) not only provides protection for personal health information, but also provides consumers with the right to view and obtain copies of health records.

Many providers, when dealing with HIPAA compliance, tend to focus on safeguarding protected health information, but fail to recognize the importance of patient rights including the right to access. Under HIPAA, patients have the right to view their health records from most providers, pharmacies, and health plans. Patients also have the right to obtain copies of those records in the form they choose, be it electronic or on paper, if the provider is able to do so.

Providers can charge patients a reasonable amount for the copies of health records the patient receives, and any cost for mailing the records. This amount is statutorily regulated in most states. It is important to note that a provider cannot charge a fee for searching for and retrieving records, and providers cannot withhold access to records because a patient has not paid for services received.
Continue reading

Published on:

The Office of Civil Rights (OCR) announced yesterday that its Health Insurance Portability and Accountability Act (HIPAA) Enforcement Training tools would be available to the general public today, June 5, 2012.

Since 2009, as part of the Health Information Technology for Clinical and Economic Health (HITECH) Act, State Attorneys General (SAGs) were given the authority to bring civil suit for HIPAA violations on behalf of the aggrieved patients. To assist SAGs, the OCR developed a wide range of HIPAA Privacy and Security Rules compliance, enforcement, and training tools.

Included in the materials are computer-based modules, and videos and slides from in-person training sessions covering the following topics:

  • General Introduction to the HIPAA Privacy and Security Rules
  • Analysis of the impact of the HITECH Act on the HIPAA Privacy and Security Rules
  • Investigative techniques for identifying and prosecuting potential violations
  • A review of HIPAA and State Law
  • OCR’s role in enforcing the HIPAA Privacy and Security Rules
  • SAG roles and responsibilities under HIPAA and the HITECH Act
  • Resources for SAG in pursuing alleged HIPAA violations
  • HIPAA Enforcement Support and Results

These materials may be a helpful training tool for health care providers and privacy officers. The materials highlight to whom, what, where, when, and how HIPAA Rules will be enforced and provide basic summaries of the HIPAA Privacy and Security Rule requirements.
Continue reading

Published on:

On May 10, 2012 the United States Court of Appeals for the Ninth District decided that criminal charges under the Health Insurance Portability and Accountability Act (HIPAA) do not require that an individual have knowledge that their actions are illegal. The case, United States of America v. Zhou, is the first such case to establish that the knowledge requirements of a criminal HIPAA violation apply only to the fact that the information accessed was protected health information, and not that obtaining the information was in violation of HIPAA.

Under the statute, HIPAA provides that a criminal penalty applies to a person who knowingly and in violation of the statute, uses, obtains, or discloses protected health information. Zhou argued that the statute requires knowledge that the information obtained was protected health information, as well as knowledge that obtaining it was illegal. The court rejected the argument and determined that the language of HIPAA is plain. The court found that the word “and” unambiguously indicates that there are two elements of a violation, and that knowingly applies only to obtaining the protected health information, and not to the fact that obtaining the protected health information was illegal.

The statute at issue in the decision is 42 U.S.C §1320d-6a, which reads as follows:

(a) Offense A person who knowingly and in violation of this part–

(1) uses or causes to be used a unique health identifier;

(2) obtains individually identifiable health information relating to an individual; or

(3) discloses individually identifiable health information to another person,
shall be punished as provided in subsection (b) of this section. For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1320d-9 (b)(3) of this title) and the individual obtained or disclosed such information without authorization.

Penalties for violations of the statute can include fines of up to $250,000, imprisonment for up to 10 years, or both.
Continue reading

Published on:

As part of healthcare reform, Section 6401(a) of the Affordable Care Act requires all providers and suppliers who enrolled in the Medicare program prior to March 25, 2011 to revalidate their provider enrollment under the new screening criteria. Providers and suppliers who enrolled after March 25, 2011 do not need to revalidate at this time as they have already been screened.

Medicare Administrative Contractors (MACs) will be sending revalidation notices to individual providers and suppliers between now and March 23, 2015. Providers and suppliers must complete the enrollment forms within 60 days of receiving the request from the MACs. If a provider fails to submit the provider enrollment forms after receiving the request, it may lead to a suspension of the provider’s Medicare billing privileges.

Providers and suppliers may not revalidate their provider enrollment until they have received a revalidation notice from their MAC. The CMS website provides a list of all the providers and suppliers to whom revalidation notices have been sent (See “download” section). The notices are listed according to the month in which the revalidation notice has been sent, and CMS updates these lists on a bimonthly basis. In case a revalidation notice has been sent but never received, every provider is encouraged to check the list to determine whether or not they are currently expected to revalidate. If you are listed, but have not received the request, you should contact your Medicare contractor.
Continue reading

Published on:

On May 3, 2012, the Centers for Medicare and Medicaid Services (CMS) announced, via the CMS blog, that CMS will not require data collection by applicable manufacturers and group purchasing organizations under the Physician Payments Sunshine Act (PPSA) before January 1, 2013. The announcement indicates that the final rule will be released later this year and that the additional time will allow CMS to address operational and implementation issues and provide time for organizations to prepare for data submission.

The PPSA was a section of the Affordable Care Act of 2010 intended to provide transparency in requiring reporting of payments or gifts to physicians, and physician ownership and investment interests. The proposed rule implementing the PPSA was released December 19, 2011, and the announced delay is partly a result of the comments received from stakeholders during the 60 day comment period. The final rule was originally scheduled to be released for implementation on January 1, 2012.

The proposed rule requires that applicable manufacturers that sell or distribute a covered drug, device, biological, or medical supply disclose certain payments or other transfers of value to covered recipients. A covered recipient is a physician, other than a physician who is an employee of the applicable manufacturer, or a teaching hospital. The rule also requires the disclosure of payments or transfers of value to the immediate families of covered recipients.
Continue reading

Published on:

On April 27, 2012 the Centers for Medicare and Medicaid Services (CMS) published a final rule that states new provider and supplier requirements. The final rule requires all providers and suppliers that qualify for a National Provider Identifier (NPI) to include their NPI on all enrollment applications for Medicare or Medicaid, and on all claims submitted for payment. The rule further states that any claim submitted without the appropriate NPIs will be denied. The final rule also requires that all prescriptions under Medicare Part D include an NPI for the prescribing physician. The rule is intended to help more efficiently and accurately detect fraud, and is estimated to save taxpayers an estimated $1.59 billion over ten years.

In a press release, CMS announced that the rule “ensures that only qualified, identifiable providers and suppliers can order or certify certain medical services, equipment, and supplies for people with Medicare.”

Additionally, the rule also requires that physicians and other professionals who are permitted to order and certify covered items and services for Medicare beneficiaries be enrolled in Medicare. In an effort to further track and monitor claims, Part B items and services ordered or referred by a physician or eligible professional can only be submitted if the physician or eligible professional has an approved enrollment record, or a valid opt out record in the Medicare Provider Enrollment, Chain, and Ownership System (PECOS).

Finally, the rule mandates document retention requirements for providers and suppliers that order and certify items and services for Medicare beneficiaries. Under the final rule providers and suppliers must maintain ordering and referring documentation, including the NPI, received from a physician or eligible non physician practitioner for seven years from the date of service. Further, failure to comply with the documentation retention requirements is reason for revocation.
Continue reading

Published on:

From July 2011 to February 2012 the Government Accountability Office (GAO) conducted a performance audit of the Centers for Medicare and Medicaid Services (CMS) efforts to strengthen the screening of providers and suppliers applying to take part in, and currently taking part in, the Medicare and Medicaid programs. On April 10, 2012 the GAO released its report to the Chairman of the Senate Finance Committee.

The purpose of the study was to determine weaknesses in the CMS enrollment procedures that leave the Medicare and Medicaid programs open to fraud and abuse. CMS currently has some procedures in place for screening applicants, and the GAO study reveals that there are planned procedures that will be proposed and implemented in 2012 to further improve the applicant screening process.

The Patient Protection and Affordable Care Act of 2010 (PPACA) provided CMS with increased authority to combat fraud and abuse in Medicare. Under this authority, CMS currently uses front end automated edits to check a provider’s National Provider Identifier to make sure it is active before processing a claim. PPACA also requires providers and suppliers be subject to licensure checks, and gives CMS the authority to require criminal background checks.

The GAO report addresses the extent to which CMS has implemented new provider and supplier enrollment screening procedures since the enactment of PPACA. On February 2, 2011 CMS published a final rule implementing a screening procedure based on a provider or supplier’s risk of fraud, waste, and abuse. These risk categories are limited, moderate, and high. Each risk category comes with varying degrees of application screening. High risk providers and suppliers could undergo unscheduled site visits and fingerprint based criminal background checks.

The report found that there are currently new screening procedures, the implementation of which remain in progress. CMS is in the process of drafting a proposed rule which will extend surety bond requirements for home health agencies, independent diagnostic testing facilities, and potentially outpatient rehabilitation facilities. Currently, surety bonds are only required for DMEPOS suppliers.

CMS is also planning to contract with Federal Bureau of Investigation-approved contractors to handle fingerprinting of providers and suppliers, and do criminal background checks of high risk applicants. CMS expects to have contracts in place for these screening procedures by the end of 2012.

PPACA has a requirement that Medicare providers establish compliance programs that contain core elements of compliance and ethics as established by CMS and the HHS OIG. A compliance program is a set of policies and procedures that a provider organization implements to help it act ethically and within the parameters of the law. CMS is working on developing a compliance program intended to help provider organizations prevent and detect violations of Medicare regulations, but there is no current target date for the implementation of this program.
Continue reading

Published on:

On April 12, 2012, the Office of Inspector General (OIG) for the Department of Health and Human Services (HHS) published an updated list of excluded providers, persons and entities from Medicare, Medicaid and other Federal health care programs, known as the List of Excluded Individuals and Entities (LEIE).

HHS is authorized by Section 1128 of the Social Security Act to exclude persons from participating in Federal health care programs. HHS has delegated this authority to the OIG. This delegation grants the OIG the authority to exclude individuals and entities from participating in Medicare, Medicaid and other Federal health care programs, as well as the authority to impose civil money penalties (CMP) for program-related misconduct. In addition, the Balanced Budget Act (BBA) of 1997 authorizes the OIG to impose additional CMP against any health care entity or provider that employs or enters into contracts with an excluded individual or entity if such an agreement involves providing any item or service to Federal program beneficiaries.

If an individual or entity is excluded from Federal health care programs, no federal payment may be made for any items or services. These items or services not only include those furnished by an excluded individual or entity, but also include any item or service that was directed or prescribed by an excluded physician when the furnishing entity knew or should have known of the exclusion and whether or not the payment is made to the non-excluded provider.

Section 1128 of the Social Security Act establishes which individuals and entities are excluded from Federal health care programs. The Act includes both mandatory and permissive exclusions. As the phrase implies, a mandatory exclusion is that in which the OIG must exclude from Federal health care programs (e.g. felony conviction relating to health care fraud). On the other hand, a permissive exclusion enables the OIG to use its discretion in determining whether exclusion is the correct remedial action to enforce (e.g. individuals controlling a sanctioned entity).

An excluded party may be subject to CMP if it violates its exclusion. A violation will be found if the excluded party submits, or causes to be submitted, a claim for Federal reimbursement for providing an item or service to a Federal program beneficiary. Furthermore, since program reinstatement is not automatic, a violation of an exclusion may severely diminish any possibility of being reinstated into Federal health care programs in the future. In addition, further CMP may be sought for any health care provider who employs or contracts with an excluded individual or entity when such agreement involves rendering any item or service that is to be reimbursed, directly or indirectly, by a Federal health care program.

The OIG advises health care providers to check the OIG List of Excluded Individuals/Entities prior to engaging in any agreement with another provider. The OIG website is updated regularly and provides up-to-date lists of all exclusions and reinstatements to the Federal health care programs. The lists for March of 2012 have recently been added to the database.
Continue reading

Published on:

Yesterday, the Department of Health and Human Services (HHS) announced a proposed rule that would simplify the administrative processes for health care providers by establishing a unique health plan identifier (HPID) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHS estimates that the HPID would save the entire health care industry up to $4.6 billion over the next ten years.

Currently, multiple identifiers are used to identify health plans in standard transactions. These identifiers differ in length and format, which has created frustration among health care providers. Due to the current lack of a standard identifier, health care providers are faced with onerous burdens that lead to an inefficient use of their time. HHS has highlighted several of the problems associated with the lack of a standard identifier, which include: misrouting of transactions, rejected transactions due to insurance identification errors, and difficulty determining patient eligibility.

The proposed rule has been designed to eliminate the above mentioned problems by simplifying the administrative process for providers. The rule proposes that health plans have a unique identifier of a standard length and format in order to increase standardization within the HIPAA standard transactions. The standardization will enhance the automation and simplification in the provider’s administrative process. HHS believes that these enhancements will enable providers to avoid greater administrative costs by decreasing the amount of time providers will need to spend interacting with health plans, as well as decrease unnecessary material costs because the automated process will shift the currently-used manual transactions to an electronic transaction.

In addition to establishing a unique HPID, the proposed rule also adopts the use of an “other provider” identifier (OEID) for entities that are not health plans, health care providers, or individuals, but still need to be identified in HIPAA standard transactions. Finally, the proposed rule would also delay the required compliance date in which covered entities must comply with the International Classification of Diseases, 10th Edition (ICD-10), which are the new codes used to classify diseases. The compliance date for ICD-10, originally set for October 1, 2013, will be pushed back to October 1, 2014.
Continue reading

Contact Information