Published on:

by

Recently, the Department of Health and Human Services Office for Civil Rights (OCR), released its annual report on breaches of protected health information (PHI). Under the Breach Notification Rule, covered entities are required to issue notifications following breaches of unsecured PHI. Examples of covered entities include health care providers and health plans, such as HMOs. Covered entities must notify affected individuals of a breach without unreasonable delay and no later than 60 calendar days following discovery of the breach. Notification to the individuals affected by the breach must include:

  • Covered entity’s contact information for individuals to ask questions and learn additional information;
  • A brief description of the breach, including the date of the breach and discovery of the breach, if known;
  • A description of the types of unsecured PHI involved in the breach;
  • Any steps individuals should take to protect themselves from potential harm resulting from the breach; and
  • A brief description of what the covered entity is doing to investigate the breach, mitigate harm to individuals, and to protect against future breaches.

In addition, for breaches implicating fewer than 500 individuals, covered entities must submit a report to OCR no later than 60 days after the end of the calendar year in which the breach was discovered. Breaches involving 500 or more individuals require the covered entity to provide notice to OCR at the same time the affected individuals are notified. Covered entities must notify OCR by filling out and electronically submitting a form available on OCR’s website.

In its annual report to Congress on breaches of unsecured PHI, OCR reported 236 breaches of PHI which affected over 500 people in 2011 and 222 in 2012. The 236 breaches in 2011 affected in total 11,415,185 individuals, while 3,273,735 were affected in 2012. Per department policy, OCR conducted investigations of each breach that affected over 500 individuals.

Following their investigations, OCR found that the primary reason for breaches affecting over 500 people in 2011 and 2012 was theft of portable electronics or paper containing PHI. The second leading cause of breaches was unauthorized access of records containing PHI. For example, in 2011 the largest breach occurred because of a loss of backup tapes, affecting 4.9 million people. Similarly, in 2012, 116,506 individuals were affected when an unencrypted laptop containing PHI was stolen.

Continue reading
Published on:

by

The results of an audit conducted by the state of Michigan were released on Tuesday, June 17, 2014. The audit found that the state Medicaid program improperly spent $160 million over a three-year period – from October 2010 through August 2013 – on home care services under the Medicaid Home Help Program.

Home care services provide assistance to those residents with disabilities or cognitive impairments who wish to remain in their own homes instead of a care facility. Some services provided include assistance with eating, bathing, and dressing. The overpayments were the result of state administrators of the Medicaid Home Help program failing to obtain invoices and other required documents from service providers. Home care services differ from home health services in that home health services provide continuous medical treatment that a beneficiary would normally receive in an outpatient or inpatient setting, in the home, over extended periods of time. In order to be reimbursed for home health services, home health providers must also meet numerous requirements that home care providers are not subject to (e.g., the face-to-face requirements under the Affordable Care Act).

The Medicaid Home Help Program serves about 67,000 people per year and expenditures from the program account for about 18 percent of all joint federal-state Medicare spending in the state of Michigan. What is particularly important that providers should take note of – and keep a watchful eye out for – is that the state of Michigan may be required to pay back nearly $100 million to the Federal government under regulations governing the matching of state Medicaid expenditures with Federal dollars. If such a repayment is required, the state will likely seek to recoup part, if not all, of the funds from providers who were improperly paid. In fact, the director of the Department of Human Services (DHS) – one of the state agencies responsible for administering the program – says it has already begun the process of recouping payments from some providers. However, DHS notes that it does question the estimated amount of improper payments, challenging it on the basis that it was extrapolated from a small sample size.

Continue reading
Published on:

by

In May of 2014, the Office of the Inspector General (OIG) released a report detailing its findings regarding Medicare payments for evaluation and management (E/M) services. E/M services are performed by physicians in order to assess and manage a beneficiary’s health. The OIG found that coding errors in documents for routine patient E/M services have resulted in the Medicare program paying out billions of dollars in improper payments each year. Earlier in 2014, the OIG reported that the overall Medicare program lost about $50 billion during 2013. In conducting this study, 63 percent of the claims sampled by the OIG were for established patient office/outpatient visits. Only 4 percent of the visits the OIG analyzed were for initial or subsequent skilled nursing care.

The OIG reports that for the 2010 fiscal year, Medicare payments for E/M services totaled $32.3 billion, which accounted for almost 30 percent of all Part B payments. The OIG also noted that in 2012, physicians began to increase their billing of higher level codes, which resulted in higher payment amounts. In its report, the OIG found that 55 percent of E/M services were incorrectly coded and/or lacked sufficient documentation, including: 26 percent of E/M claims were up-coded; 15 percent of E/M claims were down-coded; 12 percent of E/M claims were insufficiently documented; and 7 percent of E/M claims were undocumented altogether. In order to ensure that payments for E/M services are properly coded and supported by sufficient documentation, the OIG made the following recommendations to CMS: (1) educate physicians on coding and documentation requirements for E/M services; (2) continue to encourage contractors to review E/M services billed for by high-coding physicians; and (3) follow up on claims for E/M services that were paid for in error.

As indicated by this report, providers can expect greater scrutiny of their E/M claims by CMS audit contractors. In our experience, CMS audit contractors routinely down-code the level of E/M service billed by providers. Often times, these services are down-coded because CMS determined that the level of E/M service billed is not supported by the accompanying medical records (e.g., the visit note did not support the level of medical decision making component required by the code that was billed). With the increased audit attention relating to E/M services, providers must ensure that they are thoroughly documenting the services provided, and that each component of the E/M service is supported by the medical record. Failure to do so could leave providers vulnerable to audit contractors.

Continue reading
Published on:

by

In the past year, thousands of health care providers across the country have been excluded without cause from their insurance plan’s provider networks. The proliferation of narrow networks – defined as health insurance plans that limit the doctors and hospitals available to their subscribers – has caused a backlash amongst providers, who claim the insurers’ terminations will squeeze beneficiaries on access to care, and disrupt longstanding patient-physician relationship, emergency department care, and referral networks.

Although the Affordable Care Act did not create narrow networks, the reform law accelerated the trend by limiting insurer’s ability to continually lower benefits and exclude unhealthy individuals. Without other ways to compete, controlling providers and limiting choice is the insurers’ best way to lower premiums and thus compete on the exchanges. Insurers claim that narrow networks control costs and allow for higher quality, better coordinated care.

In most cases, however, patients choose insurance plans based on the plan’s access to a specific provider network. Patients subscribe and re-subscribe to one-year commitments with the primary intent to access their long-term primary care physicians or other regularly seen providers. Patients often build relationships with these providers over several years, even decades. Now, without notice or the ability to switch their plan, the patients’ physician is suddenly out-of-network and cost-prohibitive.

Continue reading
Published on:

by

On May 28, 2014, the U.S. Department of Justice (DOJ) settled a whistleblower lawsuit against Medtronic, Inc. for $9.9 million. Medtronic, the fourth largest medical device supplier in the world, was accused of violating the Anti-Kickback Statute and False Claims Act by paying kickbacks to physicians for using Medtronic’s defibrillators and pacemakers.

The allegations came to light after former Medtronic employee-whistleblower notified authorities of the illicit payments, which occurred between 2001 and 2009. In addition to tying kickbacks to the usage of Medtronic products, the complaint details that Medtronic allegedly produced business development and marketing plans for the doctors at no cost, paid doctors to speak at events with the goal of increasing referrals, and gave doctors tickets to sporting events. The complaint further outlines that Medtronic’s sales staff provided doctors with lavish trips and gifts, and even offered cash payments for the utilization of Medtronic devices. Also, business plans were in place in which sales representatives were allegedly instructed to visit doctors’ offices to review patient charts and flag those who they thought should receive an implant despite patients not meeting the criteria for an implantable device.

This settlement should encourage providers to ensure their physician arrangements do not violate provisions of the Anti-Kickback Statute, False Claims Act, or any other fraud and abuse laws. Wachler & Associates healthcare attorneys regularly counsel providers in proactively addressing potential kickback violations and defending providers against government allegations. If you or your healthcare entity have any questions regarding the Anti-Kickback or Statute Stark Law, or wish to have your arrangement reviewed by our attorneys please contact an experienced health care attorney at Wachler & Associates at 248-544-0888.

Published on:

by

On May 12, 2014, the U.S. Department of Health and Human Services (HHS) issued a Proposed Rule to increase the Office of Inspector General’s (OIG) authority to combat fraud and abuse under the Civil Monetary Penalty (CMP) Regulations. The Proposed Rule implements changes enacted by the Patient Protection and Affordable Care Act of 2010 (ACA), which expanded OIG’s ability to assess CMP fines against individuals or entities that defraud Federal healthcare programs. Under the proposed rule, OIG may assess CMPs against individuals or entities for:

  1. Failure to grant OIG timely access to documents, as determined on a case-by-case basis;
  2. Ordering or prescribing medicine or services that the person knows or should know may be paid for by a federal health care program while excluded;
Continue reading
Published on:

by

A Centers for Medicare and Medicaid Services (CMS) rule implemented in October of 2012, as the result of the Affordable Care Act, has some doctors very nervous. The rule, commonly dubbed the “grace period rule”, provides that individuals who purchased a government subsidized health insurance plan from the marketplace will have their medical bills covered for 30 days by their insurer if the patient falls behind on their payments for premiums. However, the rule provides that for the following 60 days, insurers may place a “stay” or even ultimately deny payments to the treating physician if the patient does not pay his or her premium. Under the rule, even if insurers cover claims during the last 60 days of the grace period, they may seek to recoup those funds if the insurance coverage is ultimately canceled. Prior to the rule’s implementation, insurers generally cancel a policy if a member falls behind more than 30 days and the insurer is usually on the hook for bills incurred before that cancellation.

The rule makes it so that physicians would have to seek payment for services rendered directly from the patient, which can be a long and uncertain process. The rule could impact solo physicians and small physicians groups, in addition to specialists, on a much greater scale due to their inability to absorb the costs of lost payments. For specialists, the high costs of their services could have an extremely negative impact on their bottom lines if they end up having to absorb the costs of lost payments for services rendered.

The American Medical Association (AMA) has publicly expressed concerns about the rule, fearing that it “could pose a significant financial risk for medical practices” and would leave doctors on the hook for unpaid patient bills after the insurer cancels the patient’s policy. The AMA has also urged the Obama administration to provide further guidance on how and when insurers must notify physicians on when their patients fall behind on premiums. The state of Washington, for example, passed a “prompt notification” law earlier in May. The Washington law would require insurance companies to provide information about whether a member is in the 90 day grace period, if a doctor or hospital requests such information. Other states are debating whether to pass legislation substantially similar to Washington’s “prompt notification” law.

Continue reading
Published on:

by

Last week, the Office of the Inspector General (OIG) released a Proposed Rule that changes its provider exclusion authority and significantly alters certain provider exclusion procedures and the substantive bases for exclusion from a Federal healthcare program. The Proposed Rule was released in conjunction with another Proposed Rule on the same date regarding Civil Monetary Penalties (CMPs). Comments regarding the rules are due on July 8.

§ 1128 of the Social Security Act grants the OIG authority to exclude certain individuals and entities from participation in Federal healthcare programs. If the OIG determines that an individual or entity has engaged in certain prohibited conduct, it must ban such a person or entity from participation in Federal healthcare programs for a statutorily mandated five year minimum period. However, many bases for exclusion are merely “permissive”, where the OIG retains discretion in deciding whether to exclude an individual or entity.

The Proposed Rule provides the OIG with three new bases upon which they may permissively exclude a provider or entity: the failure of ordering, referring, or prescribing providers to furnish payment information under Section 1128(b)(11); knowingly making, or causing to be made, false statements, omissions, or misstatements of material fact on a federal health care program application under Section 1128(b)(16); or convictions in connection with obstruction of a healthcare audit under Section 1128(b)(2).

Continue reading
Published on:

by

On May 1, Recovery Audit Contractor (“RAC”) for Region B, CGI Federal, Inc., (“CGI”) filed a lawsuit against the United States Department Health and Human Services (“HHS”) in the United States Court for Federal Claims.

In the lawsuit, CGI seeks an injunction against the HHS’s award of new RAC contracts and to eliminate the new payment terms that prohibit RACs from being paid until after the second level of appeal. The lawsuit comes after CGI’s pre-award bid protests, where CGI asked for a change to the new payment terms, were denied by the Government Accountability Office (“GAO”).

Towards the end of 2013 and the beginning of 2014, CMS sent out a request for quotes (RFQ) for new RAC contracts. The Statement of Work, which accompanied the RFQ, contained most of the changes to which CGI objects. CGI’s main objection is to the changes in the payment terms. Under the current system, RACs bill and receive their contingency fees after the first level of appeal of a claim determination, which takes roughly 120 days. Under the new model, RACs would not receive their contingency fees until after the second level of appeal, which could span anywhere from 120 to over 400 days.

Continue reading
Published on:

by

On Wednesday, New York Presbyterian Hospital and Columbia University agreed to settle claims with the Department of Health and Human Services (HHS) Office for Civil Rights for a collective $4.8 million stemming from a data breach in 2010. This matter, along with other similar cases, should serve as an important warning to healthcare providers and other HIPAA covered entities that personal health information (PHI) of patients must be protected, especially in the electronic age. If a data network is breached and PHI is made available, HHS will use its enforcement powers to assess punitive penalties and institute corrective actions in order to achieve compliance.

Under the terms of the settlement, New York Presbyterian will pay $3.3 million while Columbia University will pay $1.5 million. Both entities must also institute corrective action plans. The settlement represents the highest combined total financial penalty issued to an entity covered by HIPPA. As part of the settlement, the entities must undergo a risk analysis, develop a risk management plan, revise policies and procedures, train staff and provide progress reports.

The investigation and subsequent settlement were brought on by a data breach incident in 2010 where the shared data system for New York Presbyterian and Columbia University was breached and the records of 6,800 patients were made available on the internet. The data breach occurred when a physician attempted to deactivate a personally owned computer server on the network. The Office for Civil Rights alleged that that due to a lack of technical safeguards, deactivation of the server resulted in PHI being accessible via internet search engines.

Continue reading
Contact Information
210 E 3rd St #204
Royal Oak, MI 48067
Phone: 248-544-0888
Fax: 248-544-3111

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Please do not include any confidential or sensitive information in a contact form, text message, or voicemail. The contact form sends information by non-encrypted email, which is not secure. Submitting a contact form, sending a text message, making a phone call, or leaving a voicemail does not create an attorney-client relationship.

Copyright © 2016 – 2025, Wachler & Associates, P.C.
JUSTIA Law Firm Blog Design