Electronic Medical Records |

North Memorial Health Care Pays $1.5M Plus HIPAA Settlement For Business Associate Agreement Deficiencies

March 16, 2016

North Memorial Health Care of Minnesota has agreed to pay $1,550,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to implement a business associate agreement with a major contractor and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information. North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities. The settlement highlights the importance for healthcare providers, health plans, healthcare clearinghouses and their business associates to comply with HIPAA’s business associate agreement and other HIPAA organizational, risk assessment, privacy and security, and other requirements.

OCR’s announcement emphasizes the importance of meeting these requirements. “Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

The settlement comes from charges filed after OCR initiated its investigation of North Memorial following receipt of a breach report on September 27, 2011, which indicated that an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the electronic protected health information (ePHI) of 9,497 individuals.

OCR’s investigation indicated that North Memorial failed to have in place a business associate agreement, as required under the HIPAA Privacy and Security Rules, so that its business associate could perform certain payment and health care operations activities on its behalf. North Memorial gave its business associate, Accretive, access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. Accretive also received access to non-electronic protected health information as it performed services on-site at North Memorial.

The investigation further determined that North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure — including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.

In addition to the $1,550,000 payment, North Memorial is required to develop an organization-wide risk analysis and risk management plan, as required under the Security Rule. North Memorial will also train appropriate workforce members on all policies and procedures newly developed or revised pursuant to this corrective action plan.

The Resolution Agreement and Corrective Action Plan can be found on the HHS website at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/north-memorial-health-care/index.html.

Settlement Latest Reminder To Manage HIPAA Risks

Following up on OCR’s imposition of its second-ever HIPAA Civil Monetary Penalty (CMP) and the latest in an ever-growing list of settlements by Covered Entities under HIPAA, the North Memorial settlement is another example of the substantial liability that Covered Entities face for violating HIPAA. To avoid these liabilities, Covered Entities must constantly be diligent to comply with the latest guidance of OCR concerning their obligations under HIPAA. As OCR continues to issue additional guidance as well as supplement this guidance through information shared in settlement agreements like the North Memorial settlement, even if Covered Entities reviewed their practices in the last 12-months, most will want to update this review in response to new OCR guidance and enforcement actions, including new guidance on obligations to provide plan members or other subjects of protected health information with access to or copies of their records and other guidance, as well as the ever expanding list of enforcement actions by OCR.

Since the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) amended HIPAA, Covered Entities face growing responsibilities and liability for maintaining the security of ePHI. In response to HITECH, OCR continues to use a carrot and stick approach to encouraging and enforcing compliance. As demonstrated by OCR’s imposition of the second-ever HIPAA Civil Monetary Penalty (CMP) of $239,000 against Lincare and the ever-growing list of Resolution Agreements OCR announces with other Covered Entities, OCR continues to step up enforcement against Covered Entities that breach the Privacy and Security Rules. See OCR’s 2nd-Ever HIPAA CMP Nails Lincare For $239,000.

On the other hand, OCR also continues to encourage voluntary compliance by Covered Entities by sharing guidance and tools to aid Covered Entities to understand fulfill their HIPAA responsibilities such as the HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework (Crosswalk) unveiled by OCR on February 24, 2016.The crosswalk that maps the HIPAA Security Rule to the standards of the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework) as well as mappings to certain other commonly used security frameworks.

While stating that the HIPAA Security Rule does not require use of the NIST Cybersecurity Framework, OCR says it hopes the Crosswalk will provide “a helpful roadmap” for HIPAA Covered Entities and their business associates to understand the overlap between the NIST Cybersecurity Framework, the HIPAA Security Rule, and other security frameworks that can help Covered Entities safeguard health data in a time of increasing risks and help them to identify potential gaps in their programs. At the same time, OCR’s announcement of its release of the Crosswalk also cautions users that “use of the Framework does not guarantee HIPAA compliance.” Rather, OCR says “the crosswalk provides an informative tool for entities to use to help them more comprehensively manage security risks in their environments.

With a USA Today report attributing more than 40 percent of data breaches to the healthcare industry over the last three years 91 percent of all health organizations having reporting breaches over the last two years, OCR has made clear that it intends to zealously investigate and enforce the Security Rules against Covered Entities that violate the Security Rules against Covered Entities that fail to take suitable steps to safeguard the security of PHI as required by the HIPAA Security Rule. To meet these requirements, the HIPAA Security Rule requires that Covered Entities conduct and be prepared to product documentation of their audit and other efforts to comply with the Security Rule Most Covered Entities will want to consider including an assessment of the adequacy of their existing practices under the Crosswalk and other requirements disclosed by OCR in these assessments to help position the Covered Entity to defend or mitigate HIPAA CMP and other liabilities in the event of a HIPAA breach or audit.

Latest Guidance Clarifies Patient Rights To Access PHI & Allowable Charges

In addition to maintaining adequate security, HIPAA also requires Covered Entities to provide individuals with the right to access and receive a copy of their health information from their providers, hospitals, and health insurance plans in accordance with the HIPAA Privacy Rule. In response to recurrent difficulties experienced by individuals in exercising these rights, OCR recently published supplemental guidance to clarify and promote better understanding and compliance with these rules by Covered Entities.

OCR started this process in January, 2015 by releasing a comprehensive fact sheet (Access fact sheet) and the first in a series of topical frequently asked questions (FAQs) addressing patients’ right to access their medical records, which set forth requirements providers must follow in sharing medical records with patients, including that they must do so in a timely manner and in a format that works for the patient.

Earlier this month, OCR followed up by publishing on March 1, 2016 a second set of FAQs addresses additional issues, including the fees individuals may be charged for copies of their health information and the right of individuals to have their health information sent directly to a third party if they so choose.

Covered entities and their business associates should move quickly to review and update their business associate agreements and other practices to comply with this new guidance as well as watch for further guidance and enforcement about these practices from OCR.

Other Key HIPAA Regulatory & Enforcement Changes Raise Responsibilities & Risks

OCR’s new guidance on access to PHI follows a host of other regulatory and enforcement activities. While the particulars of each of these new actions and guidance vary, all send a very clear message: OCR expects Covered Entities and their business associates to comply with HIPAA and is offering tools and other guidance to aid them in that process.. In the event of a breach or audit, Covered Entities and their business associates need to be prepared to demonstrate their efforts to comply. Those that cannot show adequate compliance efforts should be prepared for potentially substantial CMP or Resolution Agreement payments and other sanctions.

Register For 3/30 Webex Briefing

Solutions Law Press, Inc.™ invites to catch up on the latest guidance on the Covered Entities’ responsibility under HIPAA to provide access to patients to PHI by registering here to participate in the “HIPAA Update: The Latest On Security, Patient Access & Other HIPAA Developments” Webex briefing by attorney Cynthia Marcotte Stamer that Solutions Law Press, Inc.™ will host beginning at Noon Central Time on Wednesday, March 30, 2016. Get additional information or register here.

About The Author

Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely recognized for her extensive work and pragmatic thought leadership, experience, publications and training on HIPAA and other privacy, medical records and data and other health care and health plan concerns.

Recognized as “LEGAL LEADER™ Texas Top Rated Lawyer” in both Health Care Law and Labor and Employment Law, a “Texas Top Lawyer,” an “AV-Preeminent” and “Top Rated Lawyer” by Martindale-Hubble and as among the “Best Lawyers In Dallas” in employee benefits 2015 by D Magazine; Ms. Stamer has more than 28 years of extensive proven, pragmatic knowledge and experience representing and advising health industry clients and others on operational, regulatory and other compliance, risk management, product and process development, public policy and other key concerns.

Beyond her extensive involvement advising and defending clients on these matters, Ms. Stamer also has served for several years as the scrivener for the ABA JCEB’s meeting with OCR for many years. She returns as Chair of the Southern California ISSA Health Care Privacy & Security Summit for the third year in 2016, as well as speaks and serves on the steering committee of a multitude of other programs.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares shared her thought leadership, experience and advocacy on HIPAA and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE; Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Counsel, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clientson the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or the Stamer│Chadwick │Soefje PLLC or contact Ms. Stamer via email to here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at http://www.solutionslawpress.com such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here.

Leave a Comment » | Academic medicine, Corporate Compliance, data breach, data security, Disease Management, DME, Doctor, E-Prescribing, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, Federal Health Center, Genetic Information, Health Care, Health Care Provider, Health Care Quality, Health IT, Health Plan, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, Hospice, Hospital, Hospital, hospitals, Inpatient Rehabilitation Facility, managed care, Medical Malpractice, Medicare, Medicare Advantage, Medicare Fee Schedule, Medicare Prescription Drug Program, Mental Health, OCR, Outpatient, Pandemic, Patient Empowerment, Pharmacy, Physician, Privacy, Psychiatric, Rural Health Care, Technology, Telemarketing, Telemedicine | Tagged: business associate, covered entity, Health Care, Health Plan, HIPAA, Hospital, Medical Privacy, North Memorial, OCR, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

3/30 Webex Shares Latest On Security, Patient Access & Other HIPAA Developments

March 9, 2016

Solutions Law Press, Inc. ™ Invites You To A Special WebEx Briefing

HIPAA Update: The Latest On Security, Patient Access & Other HIPAA Developments

Wednesday, March 30, 2016

1:00 P.M.-2:00 P.M. Eastern | 12:00 P.M.-1:00 P.M. Central 11:00 A.M-12:00 P.M. Mountain | 10:00 A.M-11:00 A.M. Pacific

Health care providers, health plans, health care clearinghouses and their business associates (Covered Entities) face new imperatives to review and tighten their practices to ensure their practices comply with recently released guidance from the U.S. Department of Health & Human Services Office of Civil Rights (OCR)) emphasizing and clarifying the responsibilities of health care providers, health plans and the healthcare clearinghouses under the Health Insurance Portability & Accountability Act of 1996 (HIPAA) to provide access to individuals that are the subject of protected health information or “PHI” to access or copies of their PHI in accordance with HIPAA’s rules and other recent HIPAA guidance and enforcement. With OCR’s recent release of added guidance and OCR enforcement statistics continuing to show HIPAA access rule violations among the most common HIPAA violations and OCR stepping up HIPAA enforcement, health care providers, health plans, healthcare clearinghouses can expect heightened scrutiny and enforcement of these requirements. Additionally, Covered Entities also should evaluate the adequacy of their other practices in light of other recent OCR guidance and enforcement actions.

Solutions Law Press, Inc.™ invites to catch up on the latest guidance on HIPAA’s requirements to provide access to patients to PHI by registering here to participate in the Solutions Law Press, Inc.™ “HIPAA Update: The Latest On Security, Patient Access & Other HIPAA Developments” WebEx briefing from Cynthia Marcotte Stamer on Friday, March 18, 2016. During the Briefing, Ms. Stamer will provide participants with:

√ An update on OCR enforcement actiions and guidance over past 12 months

√ A detailed discussion of OCR’s new guidance about when Covered Entities must provide PHI access or copies to patients

√ Discuss rules and best practices for verifying the identity and credentials of an individual requesting PHI as a patient or personal representative of a patient

√ Share tips for contracting and dealing with business associates to facilitate administration of patient PHI access and security compliance activities

√ Share other practical considerations & best practices for compliance and risk management

√ Respond to participant questions on a time permitting basis

√ More

ABOUT THE SPEAKER

Recognized as “Legal Leader™ Texas Top Rated Lawyer” in both Health Care Law and Labor and Employment Law, a “Texas Top Lawyer,” and an “AV-Preeminent” and “Top Rated Lawyer” by Martindale-Hubble, singled out as among the “Best Lawyers In Dallas” in employee benefits 2015 by D Magazine;, Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely recognized for her more than 28 years extensive work and pragmatic thought leadership, experience, publications and training on HIPAA and other privacy, medical records and data and other health care, health plan and employee benefits, workforce and related regulatory and other compliance, performance management, risk management, product and process development, public policy and other key operational concerns.

As a core component of her work as the Managing Shareholder of Cynthia Marcotte Stamer, PC, the Co-Managing Member of Stamer Chadwick Soefje PLLC, Ms. Stamer has worked extensively throughout her nearly 30 year career with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, their technology and other vendors and service providers, and others on legal and operational risk management and compliance including extensive involvement with HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and concerns; prevention, investigation, response, mitigation and resolution of known or suspected data or privacy breaches or other incidents; defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys’ general and other federal or state agencies; reporting and redressing known or suspected breaches or other violations; business associate and other contracting; insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others. Ms. Stamer also has worked extensively domestically and internationally on public policy and regulatory advocacy on HIPAA and other privacy and data security risks and requirements as well as a broad range of other health, employee benefits, human resources, insurance, tax, compliance and other matters and representing clients in dealings with the US Congress, Departments of Labor, Treasury, Health & Human Services, Federal Trade Commission, HUD and Justice, as well as a state legislatures attorneys general, insurance, labor, worker’s compensation, and other agencies and regulators as well supports clients in defending litigation as lead strategy counsel, special counsel and as an expert witness.

Beyond her extensive involvement advising and defending clients on these matters, Ms. Stamer also has served as the scrivener for the ABA JCEB’s meeting with OCR on HIPAA for many years. She returns as Chair of the Southern California ISSA Health Care Privacy & Security Summit for the third year in 2016, as well as speaks and serves on the steering committee of a multitude of other programs.

Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients, serves on the faculty and planning committee of many workshops, seminars, and symposia, and on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or the Stamer│Chadwick │Soefje PLLC or contact Ms. Stamer via email to here or via telephone to (469) 767-8872.

REGISTRATION & PROGRAM DETAILS

Registration Fee per course is $75.00 per person. Registration Fee Discounts available for groups of three or more participants from the same organization. Limited opportunities for participation. Registration accommodated on a first come basis. Completed registration and payment required via website registration 48 hours in advance of the program. No checks or cash accepted. Persons not registered with completed payment at least 48 hours in advance will only participate subject to availability and completed registration and payment. Payment only accepted via website PayPal. Register Here!

The Webex will be conducted over the internet. Participants will receive access code and instructions for sign on to participate in the Webex and/or dial in to participate in the program via telephone after processing of completed registration. Participants must have access to a computer with internet access and to telephone access to dial in via telephone to participate in the program. Solutions Law Press, Inc. is not responsible for any interruption or interference in participation resulting from limitations in the internet connectivity, computer, telephone or other equipment used by the participant to access and participate in the program.

ABOUT SOLUTIONS LAW PRESS, INC.™

Solutions Law Press, Inc.™ provides business and management information, tools and solutions, training and education, services and support to help organizations and their leaders better anticipate legal and operational issues impacting their organization’s performance, regulatory compliance and risk management, data and information protection and risk management and other key management objectives. Solutions Law Press, Inc.™ also conducts and assist businesses and associations to design, present and conduct customized programs and training targeted to their specific audiences and needs. For additional information about upcoming programs, to inquire about becoming a presenting sponsor for an upcoming event, e-mail your request to info@Solutionslawpress.com. These programs, publications and other resources are provided only for general informational and educational purposes, the applicability of which to any particular circumstances may be impacted by legal changes, the specific facts and circumstances or other factors. Consequently, neither the distribution or presentation of these programs and materials to any party nor any statement or information provided in or in connection with this communication, the program or associated materials are not intended to or shall not be construed as establishing an attorney-client relationship, to constitute legal advice or a substitute for legal advice, or otherwise provide any assurance or expectation from Solutions Law Press, Inc., the presenter or any related parties that any participant or any other party can rely upon the information or any statements presented herein. If you or someone else you know would like to receive future Alerts or other information about developments, publications or programs or other updates, send your request to info@solutionslawpress.com. If you would prefer not to receive communications from Solutions Law Press, Inc. send an e-mail with “Solutions Law Press Unsubscribe” in the Subject to support@solutionslawyer.net. CIRCULAR 230 NOTICE: The following disclaimer is included to comply with and in response to U.S. Treasury Department Circular 230 Regulations. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN. If you are an individual with a disability who requires accommodation to participate, please let us know at the time of your registration so that we may consider your request. ©2016 Solutions Law Press, Inc.

Leave a Comment » | Academic medicine, Ambulatory care, ASC, Childrens Health Insurance Program, Clinical pathway, Conditions of Participation, Consumer Driven Health Care, data breach, data security, DEA, Disease Management, DME, Doctor, drug treatment, E-Prescribing, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, FACTA, Federal Health Center, Federal Sentencing Guidelines, Genetic Information, GINA, Health Care, Health Care Provider, Health Care Quality, health care reimbursement, Health IT, Health Plan, Health Plans, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, Hospice, Hospital, hospitals, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, managed care, Meaningful Use, Medicare Advantage, Mental Heatlh, OCR, Outpatient, Peer Review, Pharmacy, Physician, Privacy, Psychiatric, substance abuse treatment, Technology, Telemedicine, Wellness | Tagged: Breach Notification, Data Breech, Employer, GINA, Health Care, Health insurer, Health Plan, Health Plans, HIPAA, HIPAA Privacy, HIPAA Security, Hospital, Medical Privacy, PHI, Physician, Protected Health Information | Permalink
Posted by Cynthia Marcotte Stamer

HHS Proposes Stage 3 Meaningful Use EHR Incentive Programs & 2015 Edition Health IT Certification Criteria Rules

March 20, 2015

The U.S. Department of Health and Human Services, Centers for Medicare & Medicaid Services (CMS) and Office of the National Coordinator for Health Information Technology (ONC) on March 20, 2015 announced the release of the Stage 3 notice of proposed rulemaking for the Medicare and Medicaid Electronic Health Records (EHRs) Incentive Programs and 2015 Edition Health IT Certification Criteria which the Agencies believe will improve the way electronic health information is shared and ultimately improve the way care is delivered and experienced.

Under the Health Information Technology for Economic and Clinical Health Act, doctors, health care professionals and hospitals, including critical access hospitals, can qualify for Medicare and Medicaid incentive payments when they adopt and meaningfully use health IT technology certified by ONC. Since the programs began in 2011, more than 433,000 eligible professionals and eligible hospitals have received an incentive payment representing about 60 percent of eligible professionals in either the Medicare or Medicaid programs and about 95 percent of eligible hospitals.

The Meaningful Use Stage 3 proposed rule issued by CMS specifies new criteria that eligible professionals, eligible hospitals, and critical access hospitals must meet to qualify for Medicaid EHR incentive payments. The rule also proposes criteria that providers must meet to avoid Medicare payment adjustments (Medicaid has no payment adjustments) based on program performance beginning in payment year 2018. The rule gives more flexibility and simplifies requirements for providers by focusing on advanced use of electronic health records and eliminating requirements that are no longer relevant. The Stage 3 proposed rule’s scope is generally limited to the requirements and criteria for meaningful use in 2017 and subsequent years. CMS is considering additional changes to meaningful use beginning in 2015 through separate rulemaking. Learn more here.

The 2015 Edition Health IT Certification Criteria proposed rule aligns with the path toward interoperability – the secure, efficient, and effective sharing and use of health information –identified in ONC’s draft shared Nationwide Interoperability Roadmap. The proposed rule builds on past editions of adopted health IT certification criteria, and includes new and updated IT functionality and provisions that the Agencies believe support the EHR Incentive Programs care improvement, cost reduction, and patient safety across the health system.

“This Stage 3 proposed rule does three things: it helps simplify the meaningful use program, advances the use of health IT toward our vision for improving health delivery, and further aligns the program with other quality and value programs,” said Dr. Patrick Conway, M.D., M.Sc., CMS acting principal deputy administrator and chief medical officer. “And, in an effort to make reporting easier for health care providers, we will be proposing a new meaningful use reporting deadline soon.”

“ONC’s proposed rule will be an integral component in the shared nationwide effort to achieve an interoperable health system,” said Karen DeSalvo, M.D., M.P.H, M.Sc., national coordinator for health IT. “The certification criteria we have proposed in the 2015 Edition will help achieve that vision through provisions that consider the range of health IT users and uses across the care continuum, including those focused on interoperable standards, data portability, improved transparency, privacy and security capabilities, and increased oversight through ONC’s Health IT Certification Program.”

The Stage 3 proposed rule may be viewed here and the comment period ends on May 29, 2015. The 2015 Edition proposed rule may be viewed here and the comment period ends on May 29, 2015. The Draft 2015 Edition Certification Test Procedures may be viewed at HealthIT.gov, and the comment period ends on June 30, 2015.

For More Information Or Assistance

If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, Board Certified in Labor & Employment Law, and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 26 years experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see here.

About Solutions Law Press

Other Helpful Resources & Other Information

We hope that this information is useful to you. If you found these updates of interest, you also be interested in one or more of the following other recent articles published on the Coalition for Responsible Health Care Reform electronic publication available here, our electronic Solutions Law Press Health Care Update publication available here, or our HR & Benefits Update electronic publication available here. You also can get access to information about how you can arrange for training on “Building Your Family’s Health Care Toolkit,” using the “PlayForLife” resources to organize low-cost wellness programs in your workplace, school, church or other communities, and other process improvement, compliance and other training and other resources for health care providers, employers, health plans, community leaders and others here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail by creating or updating your profile here. You can reach other recent updates and other informative publications and resources.

Examples of some of these recent health care related publications include:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

Leave a Comment » | Academic medicine, Accreditation, Affordable Care Act, Ambulatory care, ARRA, ARRA Funding, ASC, DEA, DME, Doctor, E-Prescribing, Electronic Health Records, Electronic Medical Records, Evidence Based Medicine, FACTA, Health Care, Health IT | Tagged: Electronic Health Records, ERH, Health Care Reform, INteroperatbility, Meaningful Use | Permalink
Posted by Cynthia Marcotte Stamer

Health Care Providers, Provide ACO, Reimbursement Reform Input To HHS

March 2, 2015

Physicians, nurses, hospitals and other health care providers, patients and others concerned about health care reimbursement and other health care reforms in the United States should sign up and participate in the new Health Care Payment Learning and Action Network (“Network”) the Department of Health and Human Services (HHS) is creating to help shape ongoing reform of the US health care delivery system to promote better care, smarter spending, and healthier people through the expansion of new health care payment models and other reforms. HHS is inviting private payers, employers, providers, patients, states, consumer groups, consumers, and other partners within the health care community to register here to participate in the Network activities including kickoff event scheduled for Wednesday, March 25, 2015.

HHS hopes cooperation through the Network will help the entire U.S. health care system match and exceed the following HHS goals for Medicare:

Tying 30 percent of payments to quality or value through alternative payment models, such as Accountable Care Organizations (ACOs) or bundled payment arrangements by the end of 2016, and
Tying 50 percent of payments to alternative payment models by the end of 2018. The Network will also support the broader goal of tying the vast majority of payments in the health care system to quality or value.

As HHS moves forward to promote ACOs and other reforms, it is particularly important that providers and patients provide feedback and input about the goals and ideas HHS is promoting as solutions for “improving” health care. While HHS often touts consolidation of care into ACOs and other reimbursement strategies using government generated standards of quality as the best means of improving quality and cost-effectiveness, many patients, providers and others worry that HHS ACO and other reimbursement reforms as presently implemented or contemplated by HHS cut costs at the expense of patients by denying reimbursement or other access for effective care options based on cost or ignore other patient needs in the name of cost savings. Active, consistent participation in these and other opportunities for input is critical for those concerned about these and other issues to question and shape the goals, assumptions and actions HHS, Congress and others take to change the U.S. health care system.

HHS says most Network meetings will occur virtually by teleconference or webinar. In-person meetings will occur in the Washington D.C. area. HHS plans to hold the first live streaming of the kickoff event on Wednesday, March 25, 2015. HHS will share details through e-mails to those registered online to participate in the network. Individuals and organizations concerned about ACO and other HHS-lead health care reforms are urged to register and participate in the Network as one of the ways to help monitor and shape health care reform as lead by HHS.

About Project COPE: The Coalition On Patient Empowerment & Coalition on Responsible Health Policy

Do you have feedback or other experiences to share about medical debit, ACA or other health care challenges? Have ideas for helping improve our system, helping Americans cope with these and other health care challenges or other health care matters? Know other helpful resources or experiences that you are willing to share? Are you concerned about health care coverage or other health care and disability issues or policy concerns? Join the discussion and share your input by joining Project COPE: Coalition for Patient Empowerment here.

Sharing and promoting the use of practical practices, tools, information and ideas that patients and their families, health care providers, employers, health plans, communities and policymakers can share and offer to help patients, their families and others in their care communities to understand and work together to better help the patients, their family and their professional and private care community plan for and manage these needs is the purpose of

The Coalition and its Project COPE are founded and operate based on the belief that health care reform and policy must be patient focused, patient centric and patient empowering. The best opportunity to improve access to quality, affordable health care for all Americans is for every American, and every employer, insurer, and community organization to seize the opportunity to be good Samaritans. The government, health care providers, insurers and community organizations can help by providing education and resources to make understanding and dealing with the realities of illness, disability or aging easier for a patient and their family, the affected employers and others. At the end of the day, however, caring for people requires the human touch. Americans can best improve health care by not waiting for someone else to step up: Step up and help bridge the gap when you or your organization can. Speak up to help communicate and facilitate when you can. Building health care neighborhoods filled with good neighbors throughout the community is the key.

The outcome of this latest health care reform push is only a small part of a continuing process. Whether or not the Affordable Care Act makes financing care better or worse, the same challenges exist. The real meaning of the enacted reforms will be determined largely by the shaping and implementation of regulations and enforcement actions which generally are conducted outside the public eye. Americans individually and collectively clearly should monitor and continue to provide input through this critical time to help shape constructive rather than obstructive policy. Regardless of how the policy ultimately evolves, however, Americans, American businesses, and American communities still will need to roll up their sleeves and work to deal with the realities of dealing with ill, aging and disabled people and their families. While the reimbursement and coverage map will change and new government mandates will confine providers, payers and patients, the practical needs and challenges of patients and families will be the same and confusion about the new configuration will create new challenges as patients, providers and payers work through the changes.

We also encourage you and others to help develop real meaningful improvements by joining Project COPE: Coalition for Patient Empowerment here by sharing ideas, tools and other solutions and other resources. The Coalition For Responsible Health Care Policy provides a resource that concerned Americans can use to share, monitor and discuss the Health Care Reform law and other health care, insurance and related laws, regulations, policies and practices and options for promoting access to quality, affordable healthcare through the design, administration and enforcement of these regulations.

Other Helpful Resources & Other Information

Examples of some of these recent health care related publications include:

For More Information Or Assistance

If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 26 years experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see here.

About Solutions Law Press

Leave a Comment » | Academic medicine, Affordable Care Act, Ambulatory care, Anti-KickBack, ASC, Border Health, Centers For Disease Control, Conditions of Participation, Consumer Driven Health Care, Disease Management, DME, Doctor, Durable Medical Equipment, Electronic Medical Records, Employer, Evidence Based Medicine, false claims act, FDA, Federal Health Center, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Reform, Health Insurance Exchange, Health IT, Health Plan, Health Policy, Home Health, Hospital, Hospital, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Meaningful Use, Medicaid, Medical Licensure, Medical Malpractice, Medicare, Medicare Advantage, Medicare Fee Schedule, Medicare Fee Schedule, Medicare Prescription Drug Program, OIG, Outcomes Data, Patient Empowerment, Pharmacy, Physician, Prospective Payment, Public Policy, Rural Health Care, Stark, Telemedicine | Permalink
Posted by Cynthia Marcotte Stamer

Parkview Hospital To Pay $800K To Settle HIPAA Charges After Retiring Physician Blows The Whistle

July 6, 2014

Health care providers, health plans, heath care clearinghouses and their business associates heed both the lesson about properly protecting protected health information and the more subtle lesson about the role of employees and other whistleblowers in bringing these violations to the attention of regulators contained in the latest Health Insurance Portability & Accountability Act (HIPAA) resolution agreement.

Late last month, the Department of Health & Human Services Office of Civil Rights (HHS) announced that complaints of a retiring physician over the mishandling of her patient records by Parkview Health System, Inc. (Parkview) prompted the investigation that lead Parkview to agree to pay $800,000 to settle charges that it violated HIPAA’s Privacy Rule.

The resolution agreement settles charges lodged by HHS based on an OCR investigation into the retiring physician’s allegations that Parkview violated the HIPAA Privacy Rule by failing to properly safeguard the records when it returned them to the physician following her retirement.

As a covered entity under the HIPAA Privacy Rule, HIPAA requires that Parkview appropriately and reasonably safeguard all protected health information in its possession, from the time it is acquired through its disposition.

In an investigation prompted by the physician’s complaint, OCR found that Parkview breached this responsibility in its handling of certain physician patient records in helping the physician to transition to retirement.

According to OCR, in September 2008, Parkview took custody of medical records pertaining to approximately 5,000 to 8,000 patients while assisting the retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physician’s practice.

Subsequently on June 4, 2009, Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue. OCR concluded this conduct violated the Privacy Rule.

To settle OCR’s charges that these actions violated HIPAA, OCR has agreed to pay the $800,000 resolution amount and to adopt and implement a corrective action plan requiring Parkview to revise their policies and procedures, train staff, and provide an implementation report to OCR.

The resolution agreement highlights the role that current or former physicians, employees or others can play in helping OCR to identify HIPAA violations. Health care providers and other covered entities and their business associates should take into account the likelihood that physicians on their own or other facility medical staffs, their employees and other participants in the care delivery system often may have and be motivated to report to government sensitive information about violations of HIPAA or other laws. Since HIPAA and most other laws prohibited covered entities from forbidding or retaliating against a person for objectiving to or reporting the concern and offer whistleblowers potential participation in the reporting and prosecution of violations, employees or other workforce members increasingly make the complaints bring violations to OCR and other regulators.

Whether from an internal employee complaint, a patient or competitor complaint or other source, HIPAA violations carry significant liability risks. The HITECH Act tightened certain rules applicable to the use, access or disclosure of protected health information by covered entities and their business associates. In addition, the HITECH Act added breach notification rules, extended direct responsibility for compliance with HIPAA to business associates, increased penalties for noncompliance with HIPAA and made other refinements to HIPAA’s medical privacy rules and made certain other changes. Furthermore, enforcement of HIPAA and the resulting penalties have increased since the HITECH Act took effect.

With OCR stepping up both audits and enforcement and penalties for violations higher than ever since the HITECH Act amended HIPAA, Covered Entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.

When conducting these efforts, Covered Entities and business associates not only carefully watch for and react promptly to new OCR guidance and enforcement actions, but also document their commitment and ongoing compliance and risk management activities to help support their ability to show their organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation and take well-documented, reasonable steps to encourage their business associates to do the same. When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws like the privacy and data security requirements that often apply to personal financial information, trade secrets or other sensitive data under applicable federal and state laws and judicial precedent.

For Help With Investigations, Policy Review & Updates Or Other Needs

If you need assistance in auditing or assessing, updating or defending your HIPAA, or other health or other employee benefit, labor and employment, compensation, privacy and data security, or other internal controls and practices, please contact the author of this update, attorney Cynthia Marcotte Stamer at cstamer@solutionslawyer.net or at (469)767-8872.

The Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Committee, a Council Representative on the ABA Joint Committee on Employee Benefits, Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer works, publishes and speaks extensively on HIPAA and other privacy and data security, health plan, health care and other human resources and workforce, employee benefits, compensation, internal controls and related matters.

For more than 23 years, Ms. Stamer has counseled, represented and trained employers and other employee benefit plan sponsors, plan administrators and fiduciaries, insurers and financial services providers, third party administrators, human resources and employee benefit information technology vendors and others privacy and data security, fiduciary responsibility, plan design and administration and other compliance, risk management and operations matters. She also is recognized for her publications, industry leadership, workshops and presentations on privacy and data security and other human resources, employee benefits and health care concerns. Her many highly regarded publications on privacy and data security concerns include “Privacy Invasions of Medical Care-An Emerging Perspective.” ERISA Litigation Manual. BNA, 2003-2009; “Privacy & Securities Standards-A Brief Nutshell.” BNA Tax Management and Compliance Journal. February 4, 2005; “Cybercrime and Identity Theft: Health Information Security beyond HIPAA.” ABA Health eSource. May, 2005 and many others. She also regularly conducts training on HIPAA and other privacy and data security compliance and other risk management matters for a broad range of organizations including the Association of State and Territorial Healthcare Organizations (ASTHO), the Los Angeles County Health Department, a multitude of health plans and their sponsors, health care providers, the American Bar Association, SHRM, the Society for Professional Benefits Administrators and many others. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see www.CynthiaStamer.com or contact Ms. Stamer directly.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested reviewing some of our other Solutions Law Press resources available at http://www.solutionslawpress.com including:

Leave a Comment » | Academic medicine, ASC, Childrens Health Insurance Program, Doctor, Electronic Medical Records, Employment, Federal Health Center, Federal Sentencing Guidelines, Genetic Information, GINA, Health Care, Health Care Provider, Health Plan, Health Plans, HIPAA, HITECH Act, Hospital, Hospital, Indian Health, Medicare Advantage, Mental Heatlh, OCR, Pharmacy, Physician, Privacy, Rural Health Care | Tagged: Civil Monetary Penalties, HIPAA, Mass General, OCR, PHI, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

Health Care & Other HIPAA Covered Entities Should Review New Reports As Part of HIPAA Risk Management Efforts

June 11, 2014

Health care providers, health plans and insurers, health care clearinghouses (collectively “Covered Entities”), their business associates, and others concerned about medical privacy regulations or protections should check out two new reports to Congress about breach notifications reported and other compliance data under the Health Insurance Portability & Accountability Act (HIPAA) by the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). Reviewing this data can help Covered Entities and their business associates identify potential areas of exposures and enforcement that can be helpful to minimize their HIPAA liability as well as to expect OCR enforcement and audit inquiries.

Required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, the two new reports discuss various details about HIPAA compliance for calendar years 2011 and 2012. They include the following:

Report to Congress on Breach Notifications, discussing the breach notification requirements and reports OCR received as a result of these breach notification requirements; and
Report to Congress on Compliance with the HIPAA Privacy and Security Rules, summarizing complaints received by OCR of alleged violations of the provisions of Subtitle D of the HITECH Act, as well as of the HIPAA Privacy and Security Rules at 45 CFR Parts 160 and 164 .
Covered entities and their business associates should review the finding reported as part of their compliance practices. Others concerned about medical or other privacy or data security regulations or events also may find the information in the reports of interest.

Under HIPAA, covered entities generally are prohibited from using, accessing or disclosing protected health information about individuals except as specifically allowed by HIPAA, In addition, HIPAA also requires Covered Entities to establish safeguards to protect protected health information against improper access, use or destruction, to afford certain rights to individuals who are the subjects of protected information, to obtain certain written assurances from service providers who are business associates before allowing those service providers to use, access or disclose protected health information when carrying out covered functions for the Covered Entity, and meet other requirements.

The HITECH Act tightened certain rules applicable to the use, access or disclosure of protected health information by covered entities and their business associates. In addition, the HITECH Act added breach notification rules, extended direct responsibility for compliance with HIPAA to business associates, increased penalties for noncompliance with HIPAA and made other refinements to HIPAA’s medical privacy rules and made certain other changes.

Enforcement of HIPAA and the resulting penalties have increased since the HITECH Act took effect.

Covered Entities generally have been required to comply with most requirements the Omnibus Final Rule’s restated regulations restating OCR’s regulations implementing the Health Insurance Portability & Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules to reflect HIPAA amendments enacted by the HITECH Act since March 26, 2013 and to have updated business associate agreements in place since September 23, 2013. Although these deadlines are long past, many Covered Entities and business associates have yet to complete the policy, process and training updates required to comply with the rule changes implemented in the Omnibus Final Rule.

Even if a Covered Entity or business associate completed the updates required to comply with the Omnibus Final Rule, however, recent supplemental guidance published by OCR means that most organizations now have even more work to do on HIPAA compliance. This includes the following supplemental guidance on its interpretation and enforcement of HIPAA against Covered Entities and business associates published by OCR since January 1, 2014 alone:

HIPAA Privacy Rule and Sharing Information Related to Mental Health published on
Spanish Language Model Notices of Privacy Practices published on 2/13/14
CLIA Program and HIPAA Privacy Rule; Patients’ Access to Test Reports published on 2/3/14; and
Proposed Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the National Instant Criminal Background Check System (NICS) published on 1/7/14.

Beyond this 2014 guidance, Covered Entities and their business associates also should look at enforcement actions and data as well as other guidance OCR issued during 2013 after publishing the Omnibus Final Rule such as:

For Help With Investigations, Policy Review & Updates Or Other Needs

About Solutions Law Press

55 Hospitals To Pay $35M+ To Settle FCA Claims Charges On Kyphoplasty Procedures

July 6, 2013

Whistleblowers Played A Big Role, Collectively Will Receive $5.5 Million From Settlement Proceeds

Fifty-five hospitals in 21 states will pay a total of more than $34 million to settle Justice Department allegations that the health care facilities submitted false claims to Medicare for a minimally-invasive procedure used to treat certain spinal fractures that often are due to osteoporosis known as “kyphoplasty.”

The settlement stems from charges by the Justice Department and Department of Health & Human Services (HHS) Office of Inspector General (OIG) that the settling hospitals frequently billed Medicare for performing kyphoplasty procedures on the more costly inpatient basis, rather than an outpatient basis, in order to increase their Medicare billings when the kyphoplasty could have been performed safely and effectively as an outpatient procedure without any need for a more costly hospital admission.

With the settlements announced July 1, the Justice Department says it has now reached settlements with more than 100 hospitals totaling approximately $75 million to resolve allegations that they mischarged Medicare for kyphoplasty procedures. Justice Department officials credited whistleblowers with helping it to identify the charged misconduct in virtually all of the cases. They collectively will receive an estimated $5.5 million of the total of $34 million to be paid under the settlements.

55 Settlements Impact Systems & Providers Across The Nation

According to the Justice Department’s July 1 announcement of the settlements, the settling facilities, and the amounts they have agreed to pay, include 23 hospitals affiliated with HCA Inc., Nashville, TN, who have agreed to pay a total of $7,145,842.72. These include:

Aventura Hospital & Medical Center, Aventura, FL
Capital Regional Medical Center, Tallahassee, FL
Coliseum Medical Center, Macon, GA
Coliseum Northside Hospital, Macon, GA
Conroe Regional Medical Center, Conroe, TX
Denton Regional Medical Center, Denton, TX
Doctors Hospital of Sarasota, Sarasota, FL
Edmond Regional Medical Center, Edmond, OK
Fawcett Memorial Hospital, Port Charlotte, FL
Fort Walton Beach Medical Center, Fort Walton Beach, FL
Garden Park Medical Center, Gulf Port, MS
JFK Medical Center, Atlantis, FL
Los Robles Regional Medical Center, Thousand Oaks, CA
North Florida Regional Medical Center, Gainesville, FL
Northlake Medical Center, Tucker, GA
Oklahoma University Medical Center, Oklahoma City, OK
Palmyra Medical Center, Albany, GA
Redmond Regional Medical Center, Rome, GA
Southwest Florida Regional Medical Center, Fort Myers, FL
St. Lucie Medical Center, Port Saint Lucie, FL
Summit Medical Center, Hermitage, TN
Sunrise Hospital & Medical Center, Las Vegas, NV
Wesley Medical Center, Wichita, KS

Also 6 hospitals affiliated with Lifepoint Hospitals, Inc., Brentwood, TN, have agreed to pay a total of $2,522,502.69. These include:

Andalusia Regional Hospital, Andalusia, AL
Jackson Purchase Medical Center, Mayfield, KY
Lake Cumberland Regional Hospital, Somerset, KY
Minden Medical Center, Minden, LA
Russellville Hospital, Russellville, AL
Western Plains Medical Complex, Dodge City, KS

Also, 5 hospitals affiliated with Trinity Health, Livonia, MI, have agreed to pay a total of $3,910,017.53. These include:

Mercy Medical Center, – Dubuque, Dubuque, IA
Mercy Medical Center – Sioux City, Sioux City, IA
St. Joseph Mercy Hospital, Pontiac, MI
Mercy Health Partners, Muskegon, MI
Mount Carmel New Albany Surgical Hospital, New Albany, OH

Justice Department officials also report that 4hospitals affiliated with Morton Plant Mease BayCare Health System, Clearwater, FL, have agreed to pay a total of $2,378,325.45. These include:

Morton Plant Hospital, Clearwater, FL
Morton Plant North Bay Hospital, New Port Richey, FL
Mease Dunedin Hospital, Dunedin, FL
Mease Countryside Hospital, Safety Harbor, FL

Justice Department officials also say 3 hospitals affiliated with Baptist Memorial Health Care Corporation, Memphis, TN, have agreed to pay a total of $691,168. These are:

Baptist Memorial Hospital-Golden Triangle, North Columbus, MS
Baptist Memorial Hospital-Collierville, Collierville, TN
Baptist Memorial Hospital-Memphis, Memphis, TN

In addition, Justice Department officials say 2 hospitals affiliated with Covenant Health, Knoxville, TN, have agreed to pay a total of $1,845,641.74. These are Parkwest Medical Center in Knoxville, TN and Methodist Medical Center of Oak Ridge in Oak Ridge, TN.

Meanwhile, 2 hospitals affiliated with Bayhealth Medical Center, Newark, DE, also reportedly have agreed to pay a total of $1,115,306.37. These are Bayhealth Kent General Hospital, Dover, DE and Bayhealth Milford Memorial Hospital, Milford, DE.

In addition to these hospitals, the following facilities have agreed to pay the following settlements:

Atrium Medical Center, Middletown, OH, has agreed to pay $4,232,992.50
Altru Health System, Grand Forks, ND, has agreed to pay $1,492,690
Cedars Sinai Medical Center, Los Angeles, CA, has agreed to pay $1,485,846
Des Peres Hospital, St. Louis, MO, has agreed to pay $900,000
Mount Sinai Medical Center, Miami, FL, has agreed to pay $1,846,194.00
New England Baptist Hospital, Boston, MA, has agreed to pay $374,814.48
St. Anne’s Hospital, Fall River, MA, has agreed to pay $552,745
The Queen’s Medical Center, Honolulu, HI, has agreed to pay $1,055,249.57
Trover Health System, Madisonville, KY, has agreed to pay $1,162,837
Wayne Memorial Hospital, Goldsboro, NC, has agreed to pay $1,250,000.

In addition to today’s settlement, the government previously settled with Medtronic Spine LLC, the corporate successor to Kyphon Inc., for $75 million to settle allegations that the company defrauded Medicare by counseling hospital providers to perform kyphoplasty procedures as inpatient rather than outpatient procedures.

According to Tom O’Donnell, Special Agent in Charge of the Office of Investigations of the HHS-OIG New York Regional Office, “The settlements related to kyphoplasty billing that have been reached with over 100 hospitals represent one of the largest and most successful multi-party health care investigations in the nation.”

While these settlements relate specifically to kyphoplasty procedures, they send a message impacting all procedures and practice areas that they risk OIG and/or Justice Department prosecution if procedures are performed in a most costly manner to increase reimbursement which is not medically necessary. Justice Department officials warned health care providers that Justice and OIG will act “Whenever hospitals knowingly overcharge Medicare, critically needed resources are wasted and health costs are driven up.”

Whistleblower Involvement Played Big Role

As in other recently announced settlement agreements, see e.g., Whistleblower Collects $2.7 M of $14.5M Sound Inpatient Physicians Overbilling Settlement, whistleblower involvement played a key role in helping OIG and Justice to identify and prosecute the alleged misconduct.

According to the Justice Department, all but four of the settling facilities announced today were named as defendants in a qui tam, or whistleblower, lawsuit brought under the False Claims Act, which permits private citizens to bring lawsuits on behalf of the United States and receive a portion of the proceeds of any settlement or judgment awarded against a defendant. The lawsuit was filed in federal district court in Buffalo, N.Y., by Craig Patrick and Charles Bates. Mr. Patrick is a former reimbursement manager for Kyphon, and Mr. Bates was formerly a regional sales manager for Kyphon in Birmingham, Ala. The whistleblowers will receive a total of approximately $5.5 million from the settlements.

Mitigate Risks With Effective Oversight of Both Documentation & Operations

As Acting Assistant Attorney General for the Civil Division Stuart F. Delery noted in the settlement announcement. “Physicians who participate in Medicare and other federal health care programs must document and bill for their services accurately and honestly.” With qui tam and other whistleblower participation, the Justice Department, HHS and other federal and state fraud investigators go beyond merely challenging whether the medical record documentation supports the charges billed to question whether the medical record itself accurately reflects the care in fact delivered by relying upon testimony of employees or other “insiders” often with an axe to grind against the provider.

To mitigate these exposures, health care providers clearly should work diligently both to ensure that their billing and other compliance programs accurately, honestly and completely document the care provided and code and bill for those services in accordance with the currently applicable federal program rules. While these compliance and risk management programs are indispensable components of any effective health care fraud compliance program, health care providers also should recognize that the effectiveness of their health care fraud and other compliance program also may depend on the effectiveness of their operational and workforce oversight and management. Along with effective billing and other fraud detection and compliance programs, providers also need effective medical quality and records documentation, provider and workforce performance and management, investigations and other management programs.

As a key element of these activities, providers should constantly be on watch for evidence of gaps between the medical and billing documentation and the factual realities looking at broad range of sources. Providers should target these activities to cover both specific medical documentation, coding and care, and other operational indicators that could show a problem. With qui tam and other whistleblower claims rising, however, providers should keep in mind that mere auditing of records and billing patterns alone often fails to uncover key evidence of potential concerns.

To help identify potential areas of scrutiny, providers should carefully monitor and examine the adequacy of their compliance and risk management agreements against corporate integrity agreements with other providers who have reached settlements with the Department of Justice, HHS Office of Inspector General or other agencies like the TranS1 Inc. Corporate Integrity Agreement .

Health care providers also should take into account a plethora of other potential indicators including but not limited to peer review and quality assurance data, deficient as well as inexplicably exceptional medical record or other record keeping documentation, hotline, exist interview and other workforce feedback, disagreements among providers in patterns of care, political and interpersonal differences, and a host of other indicators that could show a valid compliance concern or a developing hostility that could become the incentive for a whistleblower or other complaint. Providers should document these and other efforts to investigate, monitor and redress potential concerns In addition, providers also should guard against qui tam, retaliation and other claims by ensuring that their human resources, peer review, credentialing, background and other investigations, privacy and other operational activities are designed, documented to be both legally compliant and defensible.

For More Information Or Assistance

Ms. Stamer has extensive experience advising and assisting health care providers and other health industry clients to establish and administer compliance and risk management policies and to respond to DEA and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns including a number of programs and publications on OCR Civil Rights rules and enforcement actions. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to ask about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN. ©2013 Cynthia Marcotte Stamer, P.C. Non-exclusive license to republish granted to Solutions Law Press, Inc.. All other rights reserved.

Leave a Comment » | Academic medicine, Affordable Care Act, Anti-KickBack, ASC, Childrens Health Insurance Program, Conditions of Participation, Corporate Compliance, DME, Doctor, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, false claims act, Federal Health Center, Federal Sentencing Guidelines, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Reform, Health IT, Health Plan, Health Plans, HIPAA, Hospital, Laws, Medicaid, Medicare, Medicare Advantage, Medicare Fee Schedule, Medicare Prescription Drug Program, Mental Heatlh, Money Laundering, OIG, Outpatient, Patient Protection and Affordable Care Act, Pharmacy, Physician, Prescription Drugs, Public Policy, Reimbursement, Rural Health Care, Stark, Substance Abuse | Tagged: false claims act, HEAT, Hospitals, Medicaid Fraud, Medicare Fraud, Overbillng, Physicians, qui tam, Upcoding | Permalink
Posted by Cynthia Marcotte Stamer

Whistleblower Collects $2.7 M of $14.5M Sound Inpatient Physicians Overbilling Settlement

July 6, 2013

Former employee-turned Whistleblower Craig Thomas will collect $2.7 million out of the $14.5 million settlement that Sound Inpatient Physicians Inc. (SIP) will pay $14.5 million to settle allegations that it overbilled Medicare and other federal health care programs under a settlement announced by the Justice Department on July 3, 2013. The SIP announcement comes the same day the Justice Department announced medical device manufacturer TranS1 Inc., now known as Baxano Surgical Inc., will pay $6 million to resolve whistleblower-prompted FCA allegations that TranS1 Inc. caused health care providers to submit false claims to Medicare and other federal health care programs for minimally-invasive spine surgeries.

Both the SIP and TranS1 Inc. charges and settlement clearly show the ever-growing risk of Justice Department prosecution that providers face when billing Medicare or other government programs for care beyond the level delivered and documented in the medical record. The litigation and resulting settlement also show the too-often underappreciated rule that employees, vendors and other whistleblowing insiders increasingly play in the initiation and success of these prosecutions and how they impact the ability of providers charged with fraud to prove they have billed Medicare or other federal health plans accurately and honestly for services actually delivered in the manner documented in the record and in accordance with applicable Federal program rules.

To mitigate these exposures, health care providers both should strengthen their health care medical record documentation, billing and other fraud and compliance programs and their employee, vendor and other workforce relations and management processes.

Former SIP Employee’s Qui Tam Claim Prompted Suit

The settlement resolves charges that SIP fraudulently inflated billings to government programs brought in U.S. ex rel. Craig Thomas v. Sound Inpatient Physicians, Inc. and Robert A. Bessler, Civil Action No. C09-5301RBL (W.D. Wash.) that initially came to the government’s attention through a lawsuit filed by former SIP employee, Craig Thomas, under the qui tam, or whistleblower, provisions of the False Claims Act (FCA). The FCA allows private citizens to bring civil actions on behalf of the government and share in any recovery. Thomas will receive $2.7 million of the $14.5 million settlement for exposing Sound Physicians’ inflated claims.

In the lawsuit, the Justice Department alleged that SIP, a Tacoma, Washington-based employer of more than 700 hospitalists and post-acute physicians at 70 hospitals and a growing network of post-acute facilities in 22 states, between 2004 and 2012, knowingly submitted inflated claims to federal health benefits programs for its hospitalist employees for higher and more expensive levels of service than documented by hospitalists in patient medical records.

The SIP civil settlement illustrates the growing reliance on whistleblowers and other FCA tools by the Federal government in its rising campaign against false claims and other health care fraud by physicians, hospitals and other health care providers under the Health Care Fraud Prevention and Enforcement Action Team (HEAT) initiative announced in May 2009 by Attorney General Eric Holder and Health and Human Services (HHS) Secretary Kathleen Sebelius. Since January 2009, the Justice Department claims to have recovered a total of more than $14.7 billion through FCA cases, with more than $10.7 billion of that amount recovered in cases involving fraud against federal health care programs.

TranS1 Inc. Whistleblower Gets $1M+ Out of $6M Settlement

Whistleblower claims also prompted the charges and settlement announced against medical device manufacturer TranS1 Inc. The Justice Department announced July 3 that TranS1 Inc. has agreed to pay the United States $6 million to resolve allegations under the FCA. Whistleblower Kevin Ryan, whose qui tam claim prompted the investigation that lead to the settlement will collect $1,020,000 from the settlement.

The settlement resolves Justice Department charges developed out of the qui tam action of a former employee that TranS1 knowingly caused health care providers to submit claims with incorrect diagnosis or procedure codes for minimally-invasive spine fusion surgeries using Trans1’s AxiaLIF System. That device was developed as alternative to invasive spine fusion surgeries. The United States alleges that TranS1 improperly counseled physicians and hospitals to bill for the AxiaLIF System by using incorrect and inaccurate codes intended for more invasive spine fusion surgeries. The Justice Department alleged that, as a result, health care providers received greater reimbursement than they were entitled to for performing the minimally-invasive AxiaLIF procedures.

The Justice Department also claimed TranS1 knowingly paid illegal remuneration to certain physicians for participating in speaker programs and consultant meetings intended to induce them to use TranS1 products, in violation of the Federal Anti-Kickback Statute, 42 U.S.C. § 1320a-7b(b), and thereby caused false claims to be submitted to federal health care programs. The Anti-Kickback Statute prohibits offering or paying remuneration to induce referrals of items or services covered by federally-funded programs and is intended to ensure that a physician’s medical judgments are not compromised by improper financial incentives and are based solely on the best interests of the patient.

In addition, the Justice Department alleged that TranS1 promoted the sale and use of its AxiaLIF System for uses that were not approved or cleared by the U.S. Food and Drug Administration, including use in certain procedures to treat complex spine deformity, and which were thus not covered by federal health care programs.

“A medical device manufacturer violates the law when it advises physicians and hospitals to report the wrong codes to federal health insurance programs in order to increase reimbursement rates,” said Rod J. Rosenstein, U.S. Attorney for the District of Maryland. “Health care providers are required to bill federal health care programs truthfully for the work they perform.”

As part of the settlement, TranS1 has agreed to enter into a corporate integrity agreement with the Office of Inspector General of the Department of Health and Human Services. That agreement provides for procedures and reviews to be put in place to avoid and promptly detect conduct similar to that which gave rise to this matter.

Mitigate Risks With Effective Oversight of Both Documentation & Operations

For More Information Or Assistance

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

OIG Urges CMS To Step Up Efforts To Recover “Overpayments”

July 2, 2013

The Department of Health & Human Services (HHS) Office of Inspector General (OIG) is recommending that the Centers for Medicare & Medicaid Services (CMS) step-up efforts to collect Medicare overpayments to providers currently considered uncollectable because the provider has failed to repay overpayments identified and demanded by CMS six or more months after CMS demands repayment. The recommendations made in OIG’s Medicare’s Currently Not Collectible Overpayments Report (Report) reflect the ever-growing emphasis of HHS on reducing Medicare and other federal program costs by aggressive enforcement of Medicare and other federal regulations against providers. While CMS has not concurred with all of OIG’s recommendations in the Report, providers can expect CMS to further tighten its overpayment processes in response to these and other OIG recommendations.

According to the Report, CMS identifies billions of dollars in alleged Medicare overpayments to health care providers each year. In fiscal year (FY) 2010, overpayments totaled $9.6 billion. While CMS identifies these amounts, the Report notes that CMS does not recover all overpayments. Under CMS current accounting policies, CMS classifies overpayments for which the provider has not repaid at least 6 months after the due date on the Medicare demand letter as “currently not collectible” (CNC). CMS does not report these CNC amounts in CMS’s annual financial statements because it considers these amounts unlikely to be recovered.

The Report summaries the results of an OIG study of these CNC amounts. In the study, OIG requested details from CMS about CNC overpayments in FY 2010 and summary financial data for FYs 2007 to 2010. CMS provided most of the data from its Healthcare Integrated General Ledger Accounting System (HIGLAS). OIG also surveyed CMS and all its claims processing contractors to identify (1) hindrances to debt collection and (2) strategies to reduce the number and dollar amount of overpayments that become CNC.

According to the Report, CMS reported $543 million in new CNC overpayments across all contractors in FY 2010. However, CMS provided detailed information on $69 million in CNC overpayments for only seven contractors. Citing contractor transitions, CMS did not provide detailed data for the remaining 32 contractors. For 54 percent of CNC overpayments associated with the seven contractors, the provider type was missing in HIGLAS. For the seven contractors, 97 percent of FY 2010 CNC overpayments were not recovered. According to contractors, inaccurate provider contact information delays or prevents some overpayment demand letters from reaching providers. In addition, CMS and contractors reported that expanding the types of provider identifiers used to recover payments could improve debt collection efforts.

Based on these findings, OIG recommended that CMS should:

Ensure the HIGLAS variable for provider type is populated for all overpayments,
Ensure that demand letters are mailed to the contacts and addresses identified by the provider, and
Use tax identification numbers and provider transaction access numbers in addition to national provider numbers for the collection of overpayments.

According to OIG, CMS partially concurred with the first recommendation, did not agree with our second recommendation, and concurred with our third recommendation. Accordingly, at minimum, providers should expect that CMS will step up use of tax identification and provider transaction access numbers in tracking down and collecting overpayments demanded by OIG.

The Report is just one of a plethora of activities that OIG, CMS and other HHS agencies, alone or in conjunction with the Department of Justice and other federal and state agencies are conducting in their campaign to control Medicare and other federal program costs by targeting provider reimbursements.With health care fraud and other billing audits and enforcement rising, hospitals and other health care providers should heed these reports as continuing reminders to tighten their billing practices to ensure defensibility in the event of an audit or other enforcement action.

For More Information Or Assistance

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

OCR Makes Technical Corrections To HIPAA Omnibus Final Rule; September 2013 Enforcement Deadline Looming

June 7, 2013

The Department of Health & Human Services Office of Civil Rights (OCR) is publishing Technical Corrections (Technical Corrections) to the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notifications Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule (Omnibus Rule) previously published on January 25, 2013. The Technical Corrections will appear in the June 7, 2013 Federal Register. Physicians, hospitals, clinics and other health care providers, health plans, health care clearinghouses (Covered Entities) and their business associates should take into account the Technical Corrections as they rush to update business associate agreements, policies, practices, training and other HIPAA compliance to comply with the Omnibus Rule changes by the September 2013 deadline.

Technical Corrections To Omnibus Rule Released

OCR published the Omnibus Rule to implement changes to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (“the HIPAA Rules”) enacted by the Health Information Technology for Economic and Clinical Health Act (“the HITECH Act”) and section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008, as well as to address public comment received on the interim final Breach Notification Rule and to other changes to the HIPAA Rules. The Technical Corrections are scheduled for publication in the Federal Register on June 7, 2013.

The Technical Corrections correct various typographical errors and other oversights in the Omnibus Regulations as originally published. While many of these corrections have limited material impact, certain corrections do have substantive implications. For instance, by correcting errors in references to other provisions of the Omnibus Regulations, the Technical Corrections clarify that the authority of OCR to extend the time pursuant to § 160.508(c)(5) for violations before February 18, 2009 also applies to violations occurring on or after February 18, 2009, as there is for violations occurring prior to February 18, 2009.

Covered Entities and their business associates will need to review and take into account the Technical Corrections as they work to review and update their policies and practices for handling and disclosing personally identifiable health care information (“PHI”) in response to the Omnibus Rule.

Get Moving To Update HIPAA Compliance For New Omnibus Rule Requirements As Amended By Technical Corrections

Covered Entities and their business associates have a lot to accomplish between now and September to update their business associates and comply with other changes made by the Omnibus Rule by its September 2013 deadline. Among other things, the Omnibus Regulations:

Revise OCR’s HIPAA regulations to reflect the HITECH Act’s amendment of HIPAA to add the contractors and subcontractors of health plans, health care providers and health care clearinghouses that qualify as business associates to the parties directly responsible for complying with and subject to HIPAA’s civil and criminal penalties for violating HIPAA’s Privacy, Security, and Breach Notification rules;
Update previous interim regulations implementing HITECH Act breach notification rules that require Covered Entities including business associates to give specific notifications to individuals whose PHI is breached, HHS and in some cases, the media when a breach of unsecured information happens;
Update interim enforcement guidance OCR previously published to implement increased penalties and other changes to HIPAA’s civil and criminal sanctions enacted by the HITECH Act;
Implement HITECH Act amendments to HIPAA that tighten the conditions under which Covered Entities are allowed to use or disclose PHI for marketing and fundraising purposes and prohibit Covered Entities from selling an individual’s health information without getting the individual’s authorization in the way required by the Omnibus Regulations;
Update OCR’s rules about the individual rights that HIPAA requires that Covered Entities to afford to individuals who are the subject of PHI used or possessed by a Covered Entity to reflect tightened requirements enacted by the HITECH Act that allow individuals to order their health care provider not to share information about their treatment with health plans when the individual pays cash for the care and to clarify that individuals can require Covered Entities to provide electronic PHI in electronic form;
Revise the regulations to reflect amendments to HIPAA made as part of the Genetic Information Nondiscrimination Act of 2008 (GINA) which added genetic information to the definition of PHI protected under the HIPAA Privacy Rule and prohibits health plans from using or disclosing genetic information for underwriting purposes; and
Clarifies and revises other provisions to reflect other interpretations and information guidance that OCR has issued since HIPAA was passed and to make certain other changes that OCR found appropriate based on its experience administering and enforcing the rules.

Liability & Enforcement Risks Heighten Need To Act To Review & Update Policies & Practices

The restated rules in the Omnibus Rule make it imperative that Covered Entities review the revised rules carefully and updated their policies, practices, business associate agreements, training and documentation to comply with the updated requirements and other enforcement and liability risks. OCR even prior to the regulations has aggressively investigated and enforced the HIPAA requirements. See, e.g., OCR Hits Alaska Medicaid For $1.7M+ For HIPAA Security Breach; OCR Audit Program Kickoff Further Heats HIPAA Privacy Risks; $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website; Providence To Pay $100000 & Implement Other Safeguards.

Coupled with statements by OCR about its intolerance, the HONI and other settlements provide a strong warning to covered entities of the need to carefully and appropriately manage their HIPAA encryption and other Privacy and Security responsibilities. Covered entities are urged to heed these warning by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures.

All Covered Entities should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses; and other developments to decide if additional steps are necessary or advisable. In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to decide if tightening their policies, practices, documentation or training is necessary or advisable.

For More Information Or Assistance

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experience with health plan privacy and data security matters, Ms. Stamer serves as the scribe for the ABA JCEB Annual Technical Session meeting with OCR each May and has worked, spoken and published extensively on these and other privacy and data security concerns and controls. Extensively published and a popular speaker on HIPAA and other data security matters, Ms. Stamer works extensively with health care providers, health plans, employers, insurance and financial services, technology and other clients on privacy, data seurity and other privacy and cybercrime concerns. She also serves as the Scribe for the ABA JCEB Agency Techical Sessions Meetings with the Office of Civil Rights which occur each May in Washington, D.C.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

Leave a Comment » | Academic medicine, Affordable Care Act, Anti-KickBack, ASC, Childrens Health Insurance Program, Corporate Compliance, DME, Doctor, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Federal Health Center, Federal Sentencing Guidelines, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Reform, Health IT, Health Plan, Health Plans, HIPAA, Hospital, Laws, Medicaid, Medicare, Medicare Advantage, Medicare Fee Schedule, Medicare Prescription Drug Program, Mental Heatlh, Money Laundering, OIG, Outpatient, Patient Protection and Affordable Care Act, Pharmacy, Physician, Prescription Drugs, Public Policy, Reimbursement, Rural Health Care, Stark, Substance Abuse | Tagged: Acute Care, CMS, Hospital, Medicare, PPS, Prospective Payment, Skilled Nursing, SNF | Permalink
Posted by Cynthia Marcotte Stamer

National Provider Calls: Medicare Shared Savings Program Application Process — Register Now

May 24, 2013

Medicare Fee For Service (FFS) providers and others interested in participating in Accountable Care Organizations (ACOs) should consider participating in the two National Provider Calls that the Centers for Medicare & Medicaid Services (CMS) plans to host on the Medicare Shared Savings Program (Shared Savings Program) outlined in final regulations published October 20, 2011 of the Affordable Care Act.

On Thursday, June 20, CMS subject matter experts will provide an overview and updates to the Shared Savings Program application process for the January 1, 2014 start date. A question and answer session will follow the presentations.
On Thursday, July 18, CMS subject matter experts will be available to answer questions about the Shared Savings Program and application process for the January 1, 2014 start date.

The Shared Savings Program Application web page has important information, dates, and materials on the application process. CMS encourages call participants to review the application and materials before the call.

To receive call-in information, interested participants must register for the call on the CMS Upcoming National Provider Calls registration website. Registration will close at 12pm on the day of the call or when available space has been filled. Since CMS says it will make no exceptions, interested persons should plan to register as soon as possible.

Following the conference calls, CMS plans to post the presentation on the FFS National Provider Calls web page. In addition, a link to the slide presentation will be emailed to all registrants on the day of the call.

CMS says certain continuing education credit may be awarded for participation in certain CMS National Provider Calls. Visit the Continuing Education Credit Information web page to learn more.

For More Information Or Assistance

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

Former White House Cybersecurity Coordinator Schmidt, Stamer & Others Share Key HIPAA & Other Privacy & Data Security Insights 5/21 In LA

May 3, 2013

SLP Readers Get Discount: Go to
blocked::http://securitysummitla.eventbrite.com/” href=”http://securitysummitla.eventbrite.com/” data-mce-href=”http://securitysummitla.eventbrite.com/”://securitysummitla.eventbrite.com/ and enter Promotional Code: Health_Summit_125

Former White House Cybersecurity Coordinator Howard Schmidt and Solutions Law Press, Inc. editor attorney Cynthia Marcotte Stamer are two of an impressive lineup of leaders scheduled to share key HIPAA & other privacy and data security compliance and risk management strategies at the Healthcare HITECH Privacy and Security Summit at the Fifth Annual Information Security Summit on May 21 in Los Angeles. The program offers essential insights for hospitals, physicians, and other health care providers, health plans and insurers, employers and other health plan sponsors, fiduciaries and administrators, their business associates and other business partners and others on what their organizations should do to cope with the rapidly changing and expanding privacy and data security obligations of HIPAA and other federal and state laws.

With the rapidly approaching and privacy and data breach penalties and enforcement rising, health care providers, health plans, health care clearinghouses and their business associates must get moving to update business associate contracts, policies and notices and processes to meet changing HIPAA rules while managing ongoing compliance and risks.

Former Cybersecurity Coordinator Schmidt Keynotes

The Healthcare HITECH Privacy and Security Summit will bring together leaders in Privacy and Security within government and private industry for a day of collaboration, networking and presentations by leading Privacy and Security professionals sharing who HIPAA covered entities and business associates need to know to comply with new HITECH rules and OCR investigations.

Stamer Speaks On Latest HIPAA Rules & Developments

Solutions Law Press, Inc. editor attorney Cynthia Marcotte Stamer will help lay the foundation for the workshop by briefing participants on changes made to HIPAA rules by the new Omnibus HIPAA Rulemaking changes that the Office of Civil Rights (OCR) plans to start enforcing in September, 2013.

Armed with the latest insights from serving as the scribe for the ABA JCEB annual agency meeting with the Office of Civil Rights (OCR), Ms. Stamer, a practicing attorney and widely published author and speaker, will discuss required changes and other recommended steps and strategies that covered entities and their business associates should take to maintain HIPAA compliance and manage HIPAA and other related risks in light of the Omnibus HIPAA Rulemaking changes, new OCR guidance for health care providers about disclosures to avert threats to health or safety, recent audit and enforcement activities and other changing risks and responsibilities including:

The latest on OCR’s regulatory guidance, audit and investigation and enforcement rules, actions and strategies and their implications on covered entities and business associates;
Changes to breach notification rules and their implications on covered entities and their business associates;
Practical implications of new rules on who is covered and their responsibilities;
Required and recommended updates to policies, business associate and other agreements, privacy notices and other HIPAA compliance arrangements;
Effective training and other risk management strategies;
Planning for, investigating and mitigating PHI privacy breaches and other compliance concerns under new rules other selected events; and
Other selected strategies for coordinating HIPAA and other privacy and data breach responsibilities and risk management; and
Participant questions.

For a complete agenda, to register, to get details on sponsorship or for other information, see here.

For More Information Or Assistance

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

Leave a Comment » | Academic medicine, Affordable Care Act, Anti-KickBack, ASC, Border Health, Childrens Health Insurance Program, Consumer Driven Health Care, Corporate Compliance, DME, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Federal Health Center, Federal Sentencing Guidelines, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Reform, Health IT, Health Plan, Health Plans, HIPAA, Hospital, Laws, Medicaid, Medicare, Medicare Advantage, Medicare Fee Schedule, Medicare Prescription Drug Program, Mental Heatlh, Money Laundering, OIG, Outpatient, Patient Protection and Affordable Care Act, Pharmacy, Physician, Prescription Drugs, Public Policy, Reimbursement, Rural Health Care, Stark, Substance Abuse | Tagged: Breach Notification, Data Breach, Data Security PHI, HIPAA, personal financial information, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

CMS Proposes To Further Tighten Medicare Provider Enrollment Rules

May 1, 2013

The proposed rule would also strengthen certain provider enrollment provisions including allowing HHS to deny enrollment of providers affiliated with an entity that has unpaid Medicare debt, deny or revoke billing privileges for individuals with felony convictions, and revoke privileges for providers and suppliers who are abusing their billing privileges.

Since provider enrollment is the gateway to Medicare, CMS routinely evaluates its provider enrollment policies, and has implemented new safeguards as a result of the Affordable Care Act. In the February 2011 final screening rule (72 FR 5862). CMS identified additional changes in enrollment policy that would increase the integrity of the Medicare program. Now, CMS is proposing include the following provisions:

Add the ability to deny the enrollment of providers, suppliers and owners affiliated with an entity that has unpaid Medicare debt. This proposal would prevent individuals and entities from being able to incur substantial debt to Medicare, leave the Medicare program and then re-enroll as a new business to avoid repayment of the outstanding Medicare debt. We are proposing that CMS would only enroll individuals or entities if they repay the debt or enter into a repayment plan, if they are otherwise eligible for the program.
Deny enrollment or revoke the billing privileges of a provider or supplier if a managing employee has been convicted of certain felony offenses. This provision ensures that CMS can block or remove bad actors from the Medicare program to protect beneficiaries and safeguard the Medicare Trust Fund.
Permit CMS to revoke billing privileges of providers and suppliers that have a pattern or practice of billing for services that do not meet Medicare requirements. This proposal is intended to address providers and suppliers that regularly submit inaccurate claims in such a way that it poses a risk to the Medicare program.
Make the effective date of billing privileges consistent across certain provider and supplier types. Most practitioners and practitioner groups may only submit bills as of the filing date of their enrollment application. CMS is proposing to eliminate ambulance suppliers’ current ability to bill for up to a year prior to enrollment in the Medicare program. CMS is also proposing to require that ambulance providers and other provider and supplier types submit any claims within 60 days of revocation of billing privileges, consistent with the requirements for practitioners and practitioner groups.

For More Information Or Assistance

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

HHS Proposes Increasing Health Care Fraud Reporting Rewards To Up To $9.9 Million

May 1, 2013

The Department of Health and Human Services (HHS) Centers for Medicare & Medicaid Services (CMS) plans to increase rewards paid to Medicare beneficiaries and others whose tips about suspected fraud lead to the successful recovery of funds to as high as $9.9 million. Secretary Kathleen Sebelius announced proposed regulations that would increase the penalties on April 24. In addition, a new funding opportunity released this month supports the expansion of Senior Medicare Patrol (SMP) activities to educate Medicare beneficiaries on how to prevent, detect and report Medicare fraud, waste and abuse.

The Obama Administration has made health care fraud prosecutions and settlement a key element of its health care cost containment plan. Over the last three years, the administration claims its enforcement efforts have recovered over $14.9 billion in fraud, some of which resulted from fraud reporting by individuals.

Summary Of The SMP Incentive Reward Program Proposals

The SMP is a national, volunteer-based program that empowers Medicare beneficiaries to prevent and report Medicare fraud, waste, and abuse. Since 1997, HHS reports more than 7,000 referrals have been made to CMS and the Office of the Inspector General (OIG) for investigation since 1998.

Under the proposed changes, CMS is proposing to increase the potential reward amount for information that leads to a recovery of Medicare funds from 10 percent to 15 percent of the final amount collected. HHS currently offers a reward of 10 percent up to $1,000 under the current incentive reward program. In changes are modeled on an IRS program that has returned $2 billion in fraud since 2003, HHS proposes to increase the portion of the recovery on which CMS will pay a reward up to the first $66 million recovered – this means an individual could receive a reward of $9.9 million if CMS recovers $66 million or more.

HHS began paying rewards to individuals who reported tips that led to the recovery of funds in 1998. According to HHS, to date, HHS has recovered approximately $3.5 million as a result of this program and paid just $16,000 for 18 rewards. The proposed changes are similar to the IRS whistleblower program that has resulted in recoveries of over $2 billion since 2003.

To expand the SMP program’s capacity to reach more Medicare beneficiaries, the Administration for Community Living issued a new funding opportunity. Each of the current 54 SMP projects is eligible for varying funding levels, up to a total of $7.3 million across the program.

HHS says thhese proposed changes will support the administration’s comprehensive approach to program integrity, including the work being done with the Health Care Fraud Prevention and Enforcement Action Team, a joint effort between HHS and the Department of Justice to fight health care fraud. The Obama Administration credits this joint effort with recovering a record $4.2 billion in taxpayer dollars in fiscal year 2012.

The proposed increase in the reward for blowing the whistle on health care fraud is intended to fuel further reports by beneficiaries, workers and others of suspected health care fraud. Health care providers should share any concerns about the proposed increase in the rewards as well as review and tighten their health care fraud prevention and risk management to defend against rising exposures.

For more details, read a fact sheet on the proposed rule available here for more details.

For More Information Or Assistance

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

CMS Proposes Changes To Accute Care Hospital & Skilled Nursing Facility Propective Payment Rules

May 1, 2013

Acute care hospitals and skilled nursing facilities participating in Medicare should review proposed changes to key Medicare reimbursement rules and act quickly to share feedback on any provisions of significant concern.

The Centers For Medicare & Medicaid Services (CMS) is proposing changes to its Prospective Payment Systems and other reimbursement key reimbursement rules for Hospitals and Skilled Nursing Facilities for Fiscal Year (FY) 2014. Advance copies of the proposed rules were made available May 1.

CMS’ proposed rules on Prospective Payment System and Consolidated Billing for Skilled Nursing Facilities for FY 2014 are scheduled for official publication on May 1, 2013.

CMS’ proposed rules on Hospital Inpatient Prospective Payment Systems for Acute Care Hospitals and Long Term Care Hospital Prospective Payment System, etc. are scheduled for official publication on May 10, 2013.

Acute care hospitals and skilled nursing facilities should evaluate the implications of the proposed changes and provide relevant feedback as necessary to CMS.

For More Information Or Assistance

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

OCR Shares New Tools to Educate Consumers and Providers about HIPAA Privacy and Security

April 30, 2013

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has developed an array of new tools to educate consumers and health care providers about the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

Many consumers are unfamiliar with their rights under the HIPAA Privacy Rule. With that in mind, OCR has posted a series of factsheets, also available in eight languages, to inform consumers about their rights under the HIPAA Privacy Rule. These materials are available on OCR’s website here.

The fact sheets compliment a set of seven consumer-facing videos released earlier this year on OCR’s YouTube channel. An additional video, The HIPAA Security Rule, has been designed for providers in small practices and offers an overview of how to establish basic safeguards to protect patient information and comply with the Security Rule’s requirements. The videos are available on the HHS OCR YouTube Channel at here.

OCR has also launched three modules for health care providers on compliance with various aspects of the HIPAA Privacy and Security Rules, available at Medscape.org:

Patient Privacy: A Guide for Providers at here;
HIPAA and You: Building a Culture of Compliance here; and
Examining Compliance with the HIPAA Privacy Rule here.

The Medscape modules offer free Continuing Medical Education (CME) credits for physicians and Continuing Education (CE) credits for health care professionals.

For More Information Or Assistance

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

Leave a Comment » | Academic medicine, Affordable Care Act, Anti-KickBack, ASC, Childrens Health Insurance Program, Corporate Compliance, DME, Doctor, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Federal Health Center, Federal Sentencing Guidelines, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Reform, Health IT, Health Plan, Health Plans, HIPAA, Hospital, Laws, Medicaid, Medicare, Medicare Advantage, Medicare Fee Schedule, Medicare Prescription Drug Program, Mental Heatlh, Money Laundering, OIG, Outpatient, Patient Protection and Affordable Care Act, Pharmacy, Physician, Prescription Drugs, Public Policy, Reimbursement, Rural Health Care, Stark, Substance Abuse | Tagged: Covered Entities, Data, Health Care, Health Plans, HIPAA, HIPAA Audits, OCR, Privacy, Security | Permalink
Posted by Cynthia Marcotte Stamer

HHS Publishes Medicaid Expansion Final Regs, Invites Public Comment

April 1, 2013

The Department of Health & Human Services (HHS) has published its final rule with a request for comments that provides, effective January 1, 2014, the federal government will pay 100 percent of the cost of certain newly eligible adult Medicaid beneficiaries. These payments will be in effect through 2016, phasing down to a permanent 90 percent matching rate by 2020. The Affordable Care Act authorizes states to expand Medicaid to adult Americans under age 65 with income of up to 133 percent of the federal poverty level (approximately $15,000 for a single adult in 2012) and provides unprecedented federal funding for these states.

Under the Affordable Care Act, states that cover the new adult group in Medicaid will have 100 percent of the costs of newly eligible Americans paid for by the federal government in 2014, 2015, and 2016. The federal government’s contribution is then phased-down gradually to 90 percent by 2020, and remains there permanently. For states that had coverage expansions in effect prior to enactment of the Affordable Care Act, the rule also provides information about the availability of an increased FMAP for certain adults who are not newly eligible.

For the full text of the final rule, see http://www.ofr.gov/inspection.aspx.

For More Information Or Assistance

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

Leave a Comment » | Academic medicine, Affordable Care Act, Anti-KickBack, ASC, Childrens Health Insurance Program, Corporate Compliance, DME, Doctor, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Federal Health Center, Federal Sentencing Guidelines, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Reform, Health IT, Health Plan, Health Plans, HIPAA, Hospital, Laws, Medicaid, Medicare, Medicare Advantage, Medicare Fee Schedule, Medicare Prescription Drug Program, Mental Heatlh, Money Laundering, OIG, Outpatient, Patient Protection and Affordable Care Act, Pharmacy, Physician, Prescription Drugs, Public Policy, Reimbursement, Rural Health Care, Stark, Substance Abuse | Tagged: Covered Entities, Data, Health Care, Health Plans, HIPAA, HIPAA Audits, OCR, Privacy, Security | Permalink
Posted by Cynthia Marcotte Stamer

Hospitals with 2012 CMS Adverse Complaint Inspection Reports in AHCJ Data Bank Should Prepare Response

March 27, 2013

Acute-care and critical access hospitals that had adverse complaint inspections in 2012 by the Centers for Medicare & Medicaid Services (CMS) may want to prepare to respond to press and public inquiries. The Association of Health Care Journalists (AHCJ) updated its website, healthcareinspectionreports.com, to include details about deficiencies cited during complaint inspections at acute-care and critical access hospitals throughout the United States since January 1, 2011 obtained from CMS.

Although AHCJ cautions in its website that the posted data should not be used to rank hospitals because of omissions and limitations in the data, hospitals with posted reports in the data bank should expect that the reports on their hospital may draw the attention of the media, patients, health plans and others.

AHCJ publishes the reports, which historically have not been easily accessible to the general public. AHCJ cautions that the data is not necessarily complete and should not be used to rank hospitals within a state. AHCJ says data on acute-care and critical hospital access hospitals is incomplete because CMS has just begun gathering this data and releasing it in electronic format. AHCJ also says some reports are missing narrative details. Beyond that, CMS acknowledges that other reports that should appear may not. It does not include results of routine inspections or those of psychiatric hospitals or long-term care hospitals. It also does not include hospital responses to deficiencies cited during inspections. Those can be obtained by filing a request with a hospital or the U.S. Centers for Medicare and Medicaid Services (CMS).AHCJ to make future iterations of this data more complete. At this time, this data should not be used to rank hospitals within a state or between states. It can be used to review issues identified at hospitals during recent inspections.

Subject to these limitations, an individual wishing to review the available data can click on a state on the map will retrieve a list of all hospitals with their violations grouped together.

In anticipation of potential media or public review and reaction to the AHCJ website posting, hospitals with adverse reports posted on the website should consider acting proactively. Hospitals should consult with counsel and their public relations team to plan and prepare a factually accurate response to the shared reports and other suitable mitigation activities.

For More Information Or Assistance

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

Leave a Comment » | Academic medicine, Affordable Care Act, Anti-KickBack, ASC, Childrens Health Insurance Program, Corporate Compliance, DME, Doctor, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Federal Health Center, Federal Sentencing Guidelines, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Reform, Health IT, Health Plan, Health Plans, HIPAA, Hospital, Laws, Medicaid, Medicare, Medicare Advantage, Medicare Fee Schedule, Medicare Prescription Drug Program, Mental Heatlh, Money Laundering, OIG, Outpatient, Patient Protection and Affordable Care Act, Pharmacy, Physician, Prescription Drugs, Public Policy, Reimbursement, Rural Health Care, Stark, Substance Abuse | Tagged: health care quality, Health Plans, Hospitals, Public Relations | Permalink
Posted by Cynthia Marcotte Stamer

OCR Invites Comments On Plans to Survey HIPAA Covered Entities Audited Under 2012 HIPAA Audit Program

March 25, 2013

The Department of Health & Human Services (HHS) Office of Civil Rights (OCR) wants to ask the 115 health plans, health care clearinghouses, and health care providers (covered entities) that OCR audited in 2012 for compliance with Privacy and Security Rules of the Health Insurance Portability & Accountability Act (HIPAA) under its HIPAA Audit Program to share feedback about their experience. The planned survey announcement follows OCR’s recent released of restated HIPAA Privacy & Security Rules scheduled to take effect in September, 2013 and as OCR continues and expanding its HIPAA Audit Program in 2013. All together, the signs are clear that covered entities should update and strengthen their HIPAA compliance and risk management practices to withstand the tightened rules and enforcement.

OCR initiated the HIPAA Audit Program in 2012 to comply with Section 13411 of the Health Information Technology for Economic and Clinical Health Act’s requirement that it audit covered entity and business associate compliance with the HIPAA privacy, security, and breach notification rules. While it continues its HIPAA Audit Program in 2013, OCR also is evaluating the effectiveness of the HIPAA Audit Program audits in 2012.

To this end, OCR currently is conducting a review of the HIPAA Audit program to determine its efficacy in assessing the HIPAA compliance efforts of covered entities. As part of that review, OCR plans to ask covered entities audited under the HIPAA Audit Program in 2012 to complete an online survey about their experience. In anticipation of its conduct of the proposed surveys, OCR is inviting public comment on the burden to Covered Entities to complete the planned online survey, which OCR estimates will take two hours to complete through May 20, 2013. According to OCR, the survey will gather information on the effect of the audits on the audited entities and the entities’ opinions about the audit process. The online survey will be used to:

Measure the effect of the HIPAA Audit program on covered entities;
Gauge their attitudes towards the audit overall and in regards to major audit program features, such as the document request, communications received, the on-site visit, the audit report findings and recommendations;
Obtain estimates of costs incurred by covered entities, in time and money, spent responding to audit-related requests;
Seek feedback on the effect of the HIPAA Audit program on the day-to-day business operations; and
Assess whether improvements in HIPAA compliance were achieved as a result of the Audit program.

OCR says it will use the information, opinions, and comments collected using the online survey to produce recommendations for improving the HIPAA Audit program.

For instructions to comment or more details, see here.

For More Information Or Assistance

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

Leave a Comment » | Academic medicine, Affordable Care Act, Anti-KickBack, ASC, Childrens Health Insurance Program, Corporate Compliance, DME, Doctor, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Federal Health Center, Federal Sentencing Guidelines, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Reform, Health IT, Health Plan, Health Plans, HIPAA, Hospital, Laws, Medicaid, Medicare, Medicare Advantage, Medicare Fee Schedule, Medicare Prescription Drug Program, Mental Heatlh, Money Laundering, OIG, Outpatient, Patient Protection and Affordable Care Act, Pharmacy, Physician, Prescription Drugs, Public Policy, Reimbursement, Rural Health Care, Stark, Substance Abuse | Tagged: Covered Entities, Data, Health Care, Health Plans, HIPAA, HIPAA Audits, OCR, Privacy, Security | Permalink
Posted by Cynthia Marcotte Stamer

ONC-Authorized Certification Bodies & Accredited Testing Labs Scope Expansion for 2014 Edition Testing & Certification

January 12, 2013

The Office of the National Coordinator for Health Information Technology (ONC) is pleased to announce that ONC-Authorized Certification Bodies (ACBs) in the ONC HIT Certification Program are now authorized to test and certify EHR products in accordance with the 2014 Edition Standards and Certification Criteria, as outlined in the Health Information Technology: Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, 2014 Edition; Revisions to the Permanent Certification Program for Health Information Technology Final Rule. For additional information on the Accredited Testing Laboratories (ATLs) scope expansion, see www.nist.gov/nvlap. For more information on the ONC HIT Certification Program, see http://www.healthit.gov/certification.

For Representation, Training & Other Resources

If you need help monitoring HIPAA and other health and health plan related regulatory policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Scheduled to serve as the scribe for the ABA Joint Committee on Employee Benefits agency meeting with OCR, Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others. You can get more information about her HIPAA and other experience here.

If you need help with these or other compliance concerns, wish to ask about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

You can review other recent publications and resources and additional information about the other experience of Ms. Stamer here. Examples of some recent publications that may be of interest include:

If you need help investigating or responding to a known or suspected compliance, litigation or enforcement or other risk management concern, assistance with reviewing, updating, administering or defending a current or proposed employment, employee benefit, compensation or other management practice, wish to inquire about federal or state regulatory compliance audits, risk management or training, or need legal representation on other matters please contact Ms Stamer here or at (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides business and management information, tools and solutions, training and education, services and support to help organizations and their leaders promote effective management of legal and operational performance, regulatory compliance and risk management, data and information protection and risk management and other key management objectives. Solutions Law Press, Inc.™ also conducts and assist businesses and associations to design, present and conduct customized programs and training targeted to their specific audiences and needs. For additional information about upcoming programs, to explore becoming a presenting sponsor for an upcoming event, e-mail your request to info@Solutionslawpress.com These programs, publications and other resources are provided only for general informational and educational purposes. Neither the distribution or presentation of these programs and materials to any party nor any statement or information provided in or in connection with this communication, the program or associated materials are intended to or shall be construed as establishing an attorney-client relationship, to constitute legal advice or provide any assurance or expectation from Solutions Law Press, Inc., the presenter or any related parties. If you or someone else you know would like to receive future Alerts or other information about developments, publications or programs or other updates, send your request to info@solutionslawpress.com. CIRCULAR 230 NOTICE: The following disclaimer is included to comply with and in response to U.S. Treasury Department Circular 230 Regulations. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN. If you are an individual with a disability who requires accommodation to participate, please let us know at the time of your registration so that we may consider your request.

Leave a Comment » | Academic medicine, DEA, DME, Doctor, Electronic Health Records, Electronic Medical Records, Health Care, Health Care Provider, Health Care Quality, Health IT, HIPAA, HITECH Act, Hospital, Meaningful Use, OCR, Physician | Tagged: Health Care, HIPAA, OCR, Physician, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

Medical Device Excise Tax Rules Supplemented

December 9, 2012

Medical device manufacturers heads up! The Internal Revenue Service (IRS) has adopted interim rules for relating to the excise tax on medical devices imposed by § 4191 (the “medical device excise tax”) of the Internal Revenue Code (the “Code”).

Section 4191, enacted by section 1405 of the Health Care and Education Reconciliation Act of 2010 in conjunction with the Patient Protection and Affordable Care Act (the Affordable Care Act) enacted a new excise tax on the sale of certain medical devices. The excise tax imposed by Code section 4191 is 2.3% of the price for which the taxable medical device is sold. The medical device excise tax is codified in chapter 32, subtitle D of the Code (“chapter 32”), which pertains to excise taxes imposed on the sale or use of taxable articles by manufacturers, producers, and importers (commonly referred to as “manufacturers excise taxes”). See § 48.0-2(a)(4)(i) of the Manufacturers and Retailers Excise Tax Regulations (Regulations). The Code defines the term “manufacturer” to include a “producer” and an “importer”.

On December 7, 2012, the Internal Revenue Service (IRS) and the Treasury Department issued TD 9604, containing final regulations under § 4191. The final regulations did not address certain issues that the IRS and the Treasury Department continue to study. These issues included the determination of price under § 4216(b); the tax treatment of medical software licenses; the taxability of donated medical devices; and the taxability of medical convenience kits.

The IRS recently followed up by issuing Notice 2012-77. Notice 2012-77 available here contains the IRS’ rules about:

How to determine price for purposes of the medical device excised tax under Code section 4216(b);
Donated taxable medical devices;
Licensing of taxable medical devices;
The tax treatment of medical convenience kits;
Transition relief to medical device manufacturers from the failure to deposit penalties imposed by § 6656; and
Invites comments from taxpayers about its rules.

As these rules take effect January 1, 2013, device manufacturers should review the new guidance and update their procedures to provide for timely determination and payment of any required device taxes. In addition, device manufacturers also will need to kep an eye out for potential changes in the rules. The IRS and the Treasury Department have said they may issue additional published guidance on these issues in the future.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

If you need help reviewing or commenting on the Tests Procedures or monitoring or responding to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, can help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, and A Fellow in the American Bar Association, State Bar of Texas and other prominent organizations, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to set up and administer medical privacy, EHR and other technology and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

You can get more information about her experience here.

Other Recent Updates & Resources

If you found this information of interest, you also may be interested in the following recent updates on health care, health plan and employee benefits, human resources and other risk management and compliance matters. Recent examples on health care compliance and risk management matters include:

Congress Sends Bill Amending Lab Testing Rule Violation Sanctions

Learn Latest On OCR New HIPAA De-Identification Guidance & Other HIPAA Developments In 12/12 HIPAA Update Workshop!

$12M+ Settlement Recoveries In 2 Health Care Fraud Whistleblower Claims Shows Providers, Owners, Management & Staff Must Manage Compliance & Risks

Feds Health Fraud Suit Against Psychiatrists Shows Risks Providers Run From Aggressive Referral or Billing Activities

ONC Releases Next Wave of 2014 Draft Test Methods For Public Review and Comment; Plans 11/13 Virtual Workshop

Recent OIG Audit Reports Provide Insights Where Fraud Audits Likely To Look Next

Hospital Chain HCA Inc. Pays $16.5 Million to Settle False Claims Act Allegations That Hospital

Detroit-Area Doctor Charged for Role in Alleged $40 Million Medicare Fraud Scheme

Five More Individuals Charged in Detroit for Alleged Roles in $24.7 Million Medicare Fraud Scheme

Massachusetts Ear Group To Pay $1.5 Million To Resolve HIPAA Charges

Personal Consumer Information Protection In Health Care Operations Topic of Stamer’s 11/1 Speech

ONC Releases First Wave of EHR Test Procedures; More To Come

OCR Releases HIPAA Compliance Training Tool As Enforcement Risks Rise

Health Care Orgs Disability Exposure High As $475K Paid To Settle Justice Department Charges Medical Fitness Screenings of EMTs, Others Violated ADA

HHS/DOJ Partner With Private Health Plans To Further Ramp Up Health Care Fraud Heat!

AHRQ Issues New Guide for Use of Interactive Preventive Care Record

Nextcare Inc. $10 Million False Claims Act Settlement Shows Qui Tam Role In False Claims Act Prosecutions

For more resources and publications training materials by Ms. Stamer, see here.

Leave a Comment » | Academic medicine, ARRA, Disease Management, DME, Doctor, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, Health Care, Health Care Provider, Health Insurance Exchange, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Home Health, Hospital, Hospital, Indian Health, Meaningful Use, Mental Heatlh, Pharmacy, Physician, Privacy | Tagged: Affordable Care Act, DME, medical device, medical device excise tax, Tax | Permalink
Posted by Cynthia Marcotte Stamer

Updated 2013 ACA Prescription Drug Fee Calculation & Payment Rules Released; 12/18 Deadline To File Form 8947

December 4, 2012

December 17, 2012 is the deadline for covered entities to file a Form 8947 as part if its reporting and payment of the Form 8947The Internal Revenue Service (IRS) Notice 2012-74 sets forth the instructions for calculation and reporting branded prescription drug fee for the 2013 fee year under Section 9008 of the Patient Protection and Affordable Care Act, as amended by section 1404 of the Health Care and Education Reconciliation Act of 2010 (Affordable Care Act).

The Act imposes an annual fee on covered entities engaged in the business of manufacturing or importing branded prescription drugs. The Branded Prescription Drug Fee Regulations in 26 C.F.R. Part 51 published on August 18, 2011 provide the method for calculating each covered entity’s annual fee and the fee year for purposes of these rules and how the fee must be reported and paid. See 76 Fed. Reg. 51245. These regulations also define terms for the administration of the fee.

Notice 2012-74/s instructions on the 2013 prescription drug fee discusses:

The submission of Form 8947, “Report of Branded Prescription Drug Information,”
The time and manner for notifying covered entities of their preliminary fee calculation;
the time and manner for covered entities to submit error reports for the dispute resolution; process; and
The time for the IRS to notify covered entities of their final fee calculation.

12/18/12 Deadline to File Form 8947

One of the deadlines for this process is rapidly approaching. Section 51.3T provides that annually, each covered entity may submit a completed Form 8947, “Report of Branded Prescription Drug Information,” in accordance with the instructions for the form. Generally, the form solicits information from covered entities on National Drug Codes, orphan drugs, designated entities, rebates, and other information specified by the form or its instructions. The form is to be filed by the date prescribed in guidance published in the Internal Revenue Bulletin.

Notice 2012-74 sets the deadline for a covered entity that chooses to submit Form 8947 for 2013 at December 17, 2012.

Preliminary Fee Calculation

For the 2013 fee year, the IRS will mail each covered entity a paper notice of its preliminary fee calculation by April 1, 2013. This mailing will include a National Drug Code (NDC) attachment (NDC attachment) that lists the covered entity’s NDCs and the sales data reported to the IRS by each government program pursuant to § 51.4T.

A covered entity may request that the IRS send a CD-ROM with the NDC attachment in Microsoft Excel format. The covered entity must make this request by March 15, 2013. This request must be made either by telephone to Ingrid Taylor at (908) 301-2118 or Mi Lim at (312) 292-3775 (not toll-free calls) or by email to it.bpd.fee@irs.gov. If a covered entity makes this request timely, the IRS will mail the covered entity its notice of preliminary fee calculation on paper and the NDC attachment on paper and CD-ROM by April 1, 2013.

Submitting Error Reports For The Dispute Resolution Process

For the 2013 fee year, a covered entity that chooses to submit an error report regarding its preliminary fee calculation must mail the error report by May 16, 2013. When the IRS mails each covered entity a notice of its preliminary fee calculation by April 1, 2013, the IRS will also send each covered entity a template on a CD-ROM that the covered entity must use to prepare its error report. All completed templates and the supporting documentation must be submitted on a CD-ROM to the IRS in a timely fashion.

Final Fee Calculation & Payment

The IRS will notify each covered entity of its final fee calculation for 2013 by August 31, 2013. In accordance with § 51.8T(c), each covered entity must pay this fee by September 30, 2013.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

You can get more information about her experience here.

Other Recent Updates & Resources

OIG Recommends CMS, ONC Tighten EMR Incentive Program Rules To Improve Oversight

Congress Sends Bill Amending Lab Testing Rule Violation Sanctions

Learn Latest On OCR New HIPAA De-Identification Guidance & Other HIPAA Developments In 12/12 HIPAA Update Workshop!

$12M+ Settlement Recoveries In 2 Health Care Fraud Whistleblower Claims Shows Providers, Owners, Management & Staff Must Manage Compliance & Risks

Feds Health Fraud Suit Against Psychiatrists Shows Risks Providers Run From Aggressive Referral or Billing Activities

ONC Releases Next Wave of 2014 Draft Test Methods For Public Review and Comment; Plans 11/13 Virtual Workshop

Recent OIG Audit Reports Provide Insights Where Fraud Audits Likely To Look Next

Hospital Chain HCA Inc. Pays $16.5 Million to Settle False Claims Act Allegations That Hospital

Detroit-Area Doctor Charged for Role in Alleged $40 Million Medicare Fraud Scheme

Five More Individuals Charged in Detroit for Alleged Roles in $24.7 Million Medicare Fraud Scheme

Massachusetts Ear Group To Pay $1.5 Million To Resolve HIPAA Charges

Personal Consumer Information Protection In Health Care Operations Topic of Stamer’s 11/1 Speech

ONC Releases First Wave of EHR Test Procedures; More To Come

OCR Releases HIPAA Compliance Training Tool As Enforcement Risks Rise

Health Care Orgs Disability Exposure High As $475K Paid To Settle Justice Department Charges Medical Fitness Screenings of EMTs, Others Violated ADA

HHS/DOJ Partner With Private Health Plans To Further Ramp Up Health Care Fraud Heat!

AHRQ Issues New Guide for Use of Interactive Preventive Care Record

Nextcare Inc. $10 Million False Claims Act Settlement Shows Qui Tam Role In False Claims Act Prosecutions

For more resources and publications training materials by Ms. Stamer, see here.

Leave a Comment » | Academic medicine, ARRA, Disease Management, DME, Doctor, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, Health Care, Health Care Provider, Health Insurance Exchange, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Home Health, Hospital, Hospital, Indian Health, Meaningful Use, Mental Heatlh, Pharmacy, Physician, Privacy | Tagged: CMS, Health Care Fraud, Health Care Fraud Task Force, Health Care Reimbursement, HHS, Hospitals, Inpatient, Medicare, OIG, outpatient, Physicians | Permalink
Posted by Cynthia Marcotte Stamer

Hospitals Urged To Tighten Inpatient & Outpatient Admission Records As OIG Audits Hospitals for New vs. Established Patients,

November 29, 2012

Hospitals should act quickly to adopt appropriate compliance policies and tighten outpatient and inpatient admissions recordkeeping and associated billing activities to minimize exposures signaled by audits announced by the Department of Health & Human Services (HHS) Office of Inspector General (OIG).

OIG reportedly is auditing inpatient and outpatient hospital claims for new and established patients to identify potential overcharges by some hospital-based outpatient clinics that may have resulted from treating established patients as if they were new patients. OIG’s Office of Audit Services reportedly sent letters to some hospitals in October, asking about a handful of claims for new patient visits that OIG suspects the hospital should have billed as established patient visits. In addition to requesting specific information about line items on the claims and their internal controls for billing new versus established patients and provide descriptions of written policies and procedures governing the facilities classification of new versus established patients and internal controls for detecting errors.

Medicare typically pays more for new versus established patients since CMS implemented the outpatient prospective payment system in 2000. Since 2008, CMS rules have specified that patients who visit the hospital outpatient clinic within three years are established patients, and after that they are new, with Medicare paying more for the latter. See(73 Fed. Reg. 68502, 68679 (November 18, 2009). Data mining technology increasingly used by CMS and other federal fraud investigators facilities the ability of Medicare and others to identify errors in coding and billing resulting from misclassication of existing patients as new.

Many hospitals may be exposed under this requirement for a variety of reasons including failure to appropriately track and coordinate inpatient and outpatient admission data, defaults built into recordkeeping systems and omissions to timely update practices or training. In contrast to the risk of overbilling from incorrectly treating patients as new, hospitals that bill all patients as established to overcome inadequacies in their ability to track new versus established patients often leave money on the table unnecessarily by foregoing added reimbursement that the facility otherwise would qualify for it could reliably identify new patients.

While strengthening coding and billing to ward of risks, may debate the appropriateness of CMS’ new versus existing patient distinction outside the physician office context. Critics contend that unlike in the physician office context, the level of care or resources delivered for a new patient compared to a patient who previously visited the hospital doesn’t generally differ. Parties with these concerns should continue to ensure appropriate compliance with existing rules while providing input and feedback to CMS and other regulators about their concerns with the policy’s suitability.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

You can get more information about her experience here.

Other Recent Updates & Resources

OIG Recommends CMS, ONC Tighten EMR Incentive Program Rules To Improve Oversight

Congress Sends Bill Amending Lab Testing Rule Violation Sanctions

Learn Latest On OCR New HIPAA De-Identification Guidance & Other HIPAA Developments In 12/12 HIPAA Update Workshop!

$12M+ Settlement Recoveries In 2 Health Care Fraud Whistleblower Claims Shows Providers, Owners, Management & Staff Must Manage Compliance & Risks

Feds Health Fraud Suit Against Psychiatrists Shows Risks Providers Run From Aggressive Referral or Billing Activities

ONC Releases Next Wave of 2014 Draft Test Methods For Public Review and Comment; Plans 11/13 Virtual Workshop

Recent OIG Audit Reports Provide Insights Where Fraud Audits Likely To Look Next

Hospital Chain HCA Inc. Pays $16.5 Million to Settle False Claims Act Allegations That Hospital

Detroit-Area Doctor Charged for Role in Alleged $40 Million Medicare Fraud Scheme

Five More Individuals Charged in Detroit for Alleged Roles in $24.7 Million Medicare Fraud Scheme

Massachusetts Ear Group To Pay $1.5 Million To Resolve HIPAA Charges

Personal Consumer Information Protection In Health Care Operations Topic of Stamer’s 11/1 Speech

ONC Releases First Wave of EHR Test Procedures; More To Come

OCR Releases HIPAA Compliance Training Tool As Enforcement Risks Rise

Health Care Orgs Disability Exposure High As $475K Paid To Settle Justice Department Charges Medical Fitness Screenings of EMTs, Others Violated ADA

HHS/DOJ Partner With Private Health Plans To Further Ramp Up Health Care Fraud Heat!

AHRQ Issues New Guide for Use of Interactive Preventive Care Record

Nextcare Inc. $10 Million False Claims Act Settlement Shows Qui Tam Role In False Claims Act Prosecutions

For more resources and publications training materials by Ms. Stamer, see here.

Leave a Comment » | Academic medicine, ARRA, Disease Management, DME, Doctor, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, Health Care, Health Care Provider, Health Insurance Exchange, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Home Health, Hospital, Hospital, Indian Health, Meaningful Use, Mental Heatlh, Pharmacy, Physician, Privacy | Tagged: CMS, Health Care Fraud, Health Care Fraud Task Force, Health Care Reimbursement, HHS, Hospitals, Inpatient, Medicare, OIG, outpatient, Physicians | Permalink
Posted by Cynthia Marcotte Stamer

OIG Recommends CMS, ONC Tighten EMR Incentive Program Rules To Improve Oversight

November 29, 2012

The Department of Health & Human Services Office of Inspector General is recommending the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC) act to improve the effectiveness of its oversight and management of the Medicare electronic health record (EHR) incentive program. The recommendations are likely to impact on the requirements that hospitals and other professionals will be required to meet to get and keep EHR program incentive payments. Consequently, hospitals, physicians and other providers and their technology and other systems advisors and vendors should carefully watch and respond to changes that these two agencies implement in response to the OIG feedback.

According to an OIG study reported here, the CMS estimates that it will pay $6.6 billion in EHR incentive payments to providers under the program between 2011 and 2016. Many hospitals, physician organizations and other providers are making substantial investments in EHR and related technologies in reliance of expectation of receiving program incentive payments. Accordingly, parties hoping to qualify for incentive programs need to watch closely the actions that the agencies take in response to this OIG input or otherwise that impacts on qualification and audits.

OIG Study & Findings

OIG’s early assessment of CMS’s oversight of the Program found that because professionals and hospitals self-report data to prove fulfillment of program requirements, CMS’s efforts to verify these data will help make sure the integrity of Medicare EHR incentive payments.

The recommendation comes from an OIG study reviewing CMS’s oversight of professionals’ and hospitals’ self-reported meaningful use of certified EHR technology in 2011, the first year of the program. OIG evaluated self-reported information against program requirements. It also looked at CMS’s audit planning documents, regulations and guidance for the program and conducted structured interviews with CMS staff on CMS’s oversight.

Based on this evaluation, OIG foundCMS faces obstacles to overseeing the Medicare EHR incentive program that leave the program vulnerable to paying incentives to professionals and hospitals that do not fully meet the meaningful use requirements. OIG says CMS has not yet implemented strong prepayment safeguards, and has limited ability to safeguard incentive payments postpayment. OIG also reports that the ONC requirements for EHR reports may contribute to CMS’s oversight obstacles.

OIG Recommended Corrective Action

Based on its study, OIG is recommending that CMS take the following actions.

Obtain and review supporting documentation from selected professionals and hospitals prior to payment to verify the accuracy of their self‑reported information and
Issue guidance with specific examples of documentation that professionals and hospitals should maintain to support their compliance.

CMS did not agree with our first recommendation, stating that prepayment reviews would increase the burden on practitioners and hospitals and could delay incentive payments. Despite this CMS feedback, OIG nevertheless is continuing to recommend that CMS conduct prepayment reviews to improve program oversight. CMS concurred with our second recommendation.

OIG also recommended that ONC take the following actions:

Require that certified EHR technology be capable of producing reports for yes/no meaningful use measures where possible and
Improve the certification process for EHR technology to make sure applicants provide accurate EHR reports.

ONC concurred with both recommendations.

Recommended Provider Action

Hospitals and providers looking to take advantage of the HER incentive payments should carefully monitor the developments resulting from these recommendations and take proper actions to stay compliant with evolving requirements as they move forward.

Along with monitoring these responses, providers participating in the incentive program also need to stay abreast of other developments. For instance, last month, ONC announced the release of the Wave 7 2014 Edition Draft Test Methods (test procedures, tools, and applicable test data and files). See 2014 Edition Draft Test Procedures webpage. Additional waves of test methods are impending. ONC says it expects the final set of Test Methods to be available for use in early 2013.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

You can get more information about her experience here.

Other Recent Updates & Resources

Congress Sends Bill Amending Lab Testing Rule Violation Sanctions

Learn Latest On OCR New HIPAA De-Identification Guidance & Other HIPAA Developments In 12/12 HIPAA Update Workshop!

$12M+ Settlement Recoveries In 2 Health Care Fraud Whistleblower Claims Shows Providers, Owners, Management & Staff Must Manage Compliance & Risks

Feds Health Fraud Suit Against Psychiatrists Shows Risks Providers Run From Aggressive Referral or Billing Activities

ONC Releases Next Wave of 2014 Draft Test Methods For Public Review and Comment; Plans 11/13 Virtual Workshop

Recent OIG Audit Reports Provide Insights Where Fraud Audits Likely To Look Next

Hospital Chain HCA Inc. Pays $16.5 Million to Settle False Claims Act Allegations That Hospital

Detroit-Area Doctor Charged for Role in Alleged $40 Million Medicare Fraud Scheme

Five More Individuals Charged in Detroit for Alleged Roles in $24.7 Million Medicare Fraud Scheme

Massachusetts Ear Group To Pay $1.5 Million To Resolve HIPAA Charges

Personal Consumer Information Protection In Health Care Operations Topic of Stamer’s 11/1 Speech

ONC Releases First Wave of EHR Test Procedures; More To Come

OCR Releases HIPAA Compliance Training Tool As Enforcement Risks Rise

Health Care Orgs Disability Exposure High As $475K Paid To Settle Justice Department Charges Medical Fitness Screenings of EMTs, Others Violated ADA

HHS/DOJ Partner With Private Health Plans To Further Ramp Up Health Care Fraud Heat!

AHRQ Issues New Guide for Use of Interactive Preventive Care Record

Nextcare Inc. $10 Million False Claims Act Settlement Shows Qui Tam Role In False Claims Act Prosecutions

For more resources and publications training materials by Ms. Stamer, see here.

Leave a Comment » | Academic medicine, ARRA, Disease Management, DME, Doctor, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, Health Care, Health Care Provider, Health Insurance Exchange, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Home Health, Hospital, Hospital, Indian Health, Meaningful Use, Mental Heatlh, Pharmacy, Physician, Privacy | Tagged: Affordable Care Act, CMS, EHR, Electronic Health Records, Health Care, health care IT, Health Care Provider, Health Plans, HIPAA, OIG, ONC, PHI, Physicians, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

ONC Changes Start Time, Releases Agenda For 11/13 Virtual Workshop On Health IT Test Standards

November 9, 2012

The Office of the National Coordinator for Health IT (ONC) today (November 9, 2012) announced a preliminary agenda of topics and the procedures that health care providers and other interested parties wishing to participate in a public virtual workshop on the ONC Health Information Technology (IT) Certification Program and 2014 Edition Test Methods that ONC plans to host on Tuesday, November 13, 2012 from 8:15 AM-4:30PM EST.

The announced commencement time is 45 minutes earlier than the originally announced 9:00 AM start time that ONC had announced as the start time for the workshop in November 8 announcements.

To review the preliminary agenda for the workshop, see http://www.healthit.gov/policy-researchers-implementers/2014-edition-draft-test-methods.

According to today’s ONC announcement, parties wishing to participate in the virtual workshop should register for ONC Certification Technical Workshop on Nov 13, 2012 8:15 AM EST at https://attendee.gotowebinar.com/register/2114316126469925632 . ONC says that successful registrants will receive a confirmation email containing information about joining the webinar.

The planned workshop follows ONC’s anno0uncement of the release for review of the latest in a series of electronic medical records Test Standards that ONC has issued recently in its march to implement its mandate. ONC says all Test Methods will undergo public review and comment before being finalized and approved by ONC for use in testing and certification. ONC typically allows a two week period of public review and comment from the date posted for public review and comment on each Wave.

In keeping with this process, ONC is inviting interested persons to submit comments and suggestions to ONC.Certification@hhs.gov. All submissions should include “2014 Test Methods” in the subject line. ONC asks that parties submitting input to be as specific as possible in their comment submissions.

ONC says it expects the final set of Test Methods to be available for use in early 2013.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

If you need help reviewing or commenting on the Tests Procedures or monitoring or responding to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, can help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

You can get more information about her HIPAA and other experience here.

Other Recent Updates & Resources

For additional resources and publications training materials by Ms. Stamer, see here.

Leave a Comment » | Academic medicine, ARRA, Disease Management, DME, Doctor, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, Health Care, Health Care Provider, Health Insurance Exchange, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Home Health, Hospital, Hospital, Indian Health, Meaningful Use, Mental Heatlh, Pharmacy, Physician, Privacy | Tagged: Affordable Care Act, EHR, Electronic Health Records, Health Care, health care IT, Health Care Provider, Health Plans, HIPAA, ONC, PHI, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

ONC Releases Next Wave of 2014 Draft Test Methods For Public Review and Comment; Plans 11/13 Virtual Workshop

November 8, 2012

The Office of the National Coordinator for Health IT (ONC) today (November 8, 2012) announced the release of the Wave 7 2014 Edition Draft Test Methods (test procedures, tools, and applicable test data and files). To review the 2014 Edition draft Test Methods, visit the 2014 Edition Draft Test Procedures webpage. As a follow up to this announcement, ONC is inviting interested parties to participate in a public workshop on the ONC HIT Certification Program and 2014 Edition Test Methods on Tuesday, November 13^th, 9AM-4:30PM EST.

The Test Procedures announced today are the latest in a series ONC has issued recently. ONC says all Test Methods will undergo public review and comment before being finalized and approved by ONC for use in testing and certification. ONC typically allows a two week period of public review and comment from the date posted for public review and comment on each Wave.

ONC says it expects the final set of Test Methods to be available for use in early 2013.

To help interested parties stay informed about the Test Messages, ONC also announced today it will host a virtual public workshop on the ONC HIT Certification Program and 2014 Edition Test Methods on Tuesday, November 13^th, 9AM-4:30PM EST. According to ONC, the topics to be covered include 2014 Test Procedures, Test Tools, Test Data, ONC Timeline, and the Certified Health IT Product List (CHPL). ONC says additional details regarding access and agenda will be forthcoming. Watch the ONC website.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

If you need help reviewing or commenting on the Tests Procedures or monitoring or responding to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, can help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

You can get more information about her HIPAA and other experience here.

Other Recent Updates & Resources

For additional resources and publications training materials by Ms. Stamer, see here.

Leave a Comment » | Academic medicine, ARRA, Disease Management, DME, Doctor, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, Health Care, Health Care Provider, Health Insurance Exchange, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Home Health, Hospital, Hospital, Indian Health, Meaningful Use, Mental Heatlh, Pharmacy, Physician, Privacy | Tagged: Affordable Care Act, EHR, Electronic Health Records, Health Care, health care IT, Health Care Provider, Health Plans, HIPAA, ONC, PHI, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

Massachusetts Ear Group To Pay $1.5 Million To Resolve HIPAA Charges

September 17, 2012

Physician practices and other health care providers, health plans, health care clearinghouses and their business associates have yet another $1 million plus reminder of the importance of taking proper steps to secure electronic protected health information and take other steps required to comply with the Health Insurance Portability & Accountability Act of 1996 (HIPAA).

Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively referred to as “MEEI”) will pay the U.S. Department of Health and Human Services’ (HHS) $1.5 million and take a series of corrective actions to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule under the resolution agreement available here (“Resolution Agreement”) announced by the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) on September 17, 2012.

MEEI Resolution Agreement

The Resolution Agreement settles charges that resulted from an OCR investigation commenced in response to a HIPAA breach report submitted by MEEI reporting the theft of an unencrypted personal laptop containing the electronic protected health information (ePHI) of MEEI patients and research subjects. The laptop information included patient prescriptions and clinical information.

OCR’s investigation indicated that MEEI failed to take necessary steps to comply with certain requirements of the HIPAA Security Rule, such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices, implementing security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices, adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices , and adopting and implementing policies and procedures to address security incident identification, reporting, and response. OCR’s investigation indicated that these failures continued over an extended period of time, demonstrating a long-term organizational disregard for the requirements of the Security Rule.

To settle the charges, MEEI will pay a $1.5 million settlement to OCR. In addition, the Resolution Agreement also requires MEEI to adhere to a corrective action plan which includes reviewing, revising and maintaining policies and procedures to ensure compliance with the Security Rule, and retaining an independent monitor who will conduct assessments of MEEI’s compliance with the corrective action plan and render semi-annual reports to HHS for a 3-year period.

High Dollar Resolution Agreements Increasingly Common

The MEEI Resolution Agreement follows on the resolution agreement previously announced this year with Arizona-based Phoenix Cardiac Surgery, P.C. (PCS). That resolution agreement required PCS to pay $100,000 and take corrective action to implement policies and procedures to safeguard the protected health information of its patients to settle OCR charges PCS violated HIPAA.

Health care providers and other HIPAA-covered entities should heed the MEEI, PSC and other recent settlements as the latest signal of the risks that health care providers and other covered entities run by failing to adequately implement and administer appropriate HIPAA compliance practices.

Following the announcement by OCR last month that Blue Cross Blue Shield of Tennessee (BCBST) would pay $1,500,000 to resolve HIPAA violations charges, and the latest in a series of Resolution Agreements announced by OCR in recent years, the PCS highlights the willingness to sanction health care providers and other covered entities of all sizes. “The case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, director of OCR. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities

Like the PCS, BCBST and other announced resolution agreements, the MEEI Resolution Agreement provides more evidence of the growing exposures that health care providers, health plans, health care clearinghouses and their business associates need to carefully and appropriately manage their HIPAA responsibilities. See HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website. Covered entities are urged to heed these warning by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures. For tips, see here.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

You can get more information about her HIPAA and other experience here or contact Ms Stamer here or at (469) 767-8872.

[1] The Breach Notification Rule also requires that covered entities report smaller breaches annually to OCR as part of a consolidated disclosure.

For more tips, see here.

Other Recent Updates & Resources

For additional resources and publications training materials by Ms. Stamer, see here.

[*] The Breach Notification Rule also requires that covered entities report smaller breaches annually to OCR as part of a consolidated disclosure.

Leave a Comment » | Academic medicine, ARRA, Disease Management, DME, Doctor, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, Health Care, Health Care Provider, Health Insurance Exchange, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Home Health, Hospital, Hospital, Indian Health, Meaningful Use, Mental Heatlh, Pharmacy, Physician, Privacy | Tagged: Breach Notification, Health Care, Health Insurance Portability & Accountability Act, HIPAA, OCR, Office of Civil Rights, PHI, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

ONC Releases First Wave of EHR Test Procedures; More To Come

September 14, 2012

On September 7th the ONC published the first wave of draft Test Procedures and applicable test data files for the 2014 Edition Elelctronic Health Record (EHR) certification criteria for public review and comment. ONC will release additional Test Procedures in waves on a weekly or bi-weekly basis. Each set of draft test procedures will undergo a two week period of public review and comment from the date posted. You can now provide input on Wave One 2014 draft Test Procedures. Visit the site for detailed information on the 2014 Test Procedure development process at http://www.healthit.gov/policy-researchers-implementers/2014-edition-draft-test-procedures.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

If you need help monitoring federal health reform, policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, can help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

You can get more information about her HIPAA and other experience here.

Other Recent Updates & Resources

For additional resources and publications training materials by Ms. Stamer, see here.

Leave a Comment » | Academic medicine, ARRA, Disease Management, DME, Doctor, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, Health Care, Health Care Provider, Health Insurance Exchange, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Home Health, Hospital, Hospital, Indian Health, Meaningful Use, Mental Heatlh, Pharmacy, Physician, Privacy | Tagged: Affordable Care Act, EHR, Electronic Health Records, Health Care, health care IT, Health Care Provider, Health Plans, HIPAA, ONC, PHI, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

OCR Releases HIPAA Compliance Training Tool As Enforcement Risks Rise

September 14, 2012

Along with its stepped up enforcement and new audit programs, the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) is working to promote and encourage better voluntary compliance by physician and other health care providers by releasing a new interactive security and privacy training game to help educate healthcare providers and their staffs to make more informed decisions regarding privacy and security of health information. Using a game format, the game asks users to respond to privacy and security challenges often faced in a typical medical practice.

With the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) stepping up enforcement and sanctions for health care providers, health plans, health care providers and their businesses associates (covered entities) that violate the Health Insurance Portability & Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules and OCR now auditing HIPAA compliance, covered entities should self-audit within the scope of attorney-client privilege and tighten as necessary existing policies, practices and documentation to comply with evolving requirements of HIPAA and other laws requiring the protection of protected health information (PHI), personal financial information and sensitive data.

As the HIPAA Privacy, Security and Breach Rules include mandates that covered entities train members of their workforce, the new game could be a helpful component for health care providers as part of their organization’s training efforts.

The mounting list of settlement agreements – most of which have required settlement payments of more than $1 million – that OCR has announced show the growing exposures that covered entities face when violating HIPAA. See HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website. These settlements and sanctions prove the importance of covered entities strengthening their HIPAA compliance and adopting other suitable safeguards to keep up HIPAA compliance and minimize HIPAA and other exposures that can arise if PHI, personal financial information and other sensitive data. For tips, see here.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

You can get more information about her HIPAA and other experience here.

Other Recent Updates & Resources

For additional resources and publications training materials by Ms. Stamer, see here.

Leave a Comment » | Academic medicine, ARRA, Disease Management, DME, Doctor, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, Health Care, Health Care Provider, Health Insurance Exchange, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Home Health, Hospital, Hospital, Indian Health, Meaningful Use, Mental Heatlh, Pharmacy, Physician, Privacy | Tagged: Health Care, Health Plans, HIPAA, PHI, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

HHS/DOJ Partner With Private Health Plans To Further Ramp Up Health Care Fraud Heat!

July 30, 2012

Health care providers and payers should ensure that practices for billing private payers can withstand the scrutiny of federal and state health care fraud enforcers after the July 26, 2012 announcement of a ground-breaking new public-private antifraud initiative between federal and state health care fraud fighters and a private insurers under which private insurers will share an unprecedented amount of private health claims data, fraud detection practices, and other coöperation with federal and state official fraud prevention and prosecution efforts.

Government Health Care Fraud Fighters Partner With Private Insurers

The Federal health care fraud fighting departmental duo of the Departments of Health and Human Services (HHS) Justice (DOJ) last week expanded their network of fraud fighting resources by launching a “ground-breaking” partnership among the federal government, State officials, several leading private health insurance organizations, and other health care anti-fraud groups to prevent health care fraud. HHS and DOJ say the following organizations and government agencies are among the first to join this partnership:

America’s Health Insurance Plans
Amerigroup Corporation
Blue Cross and Blue Shield Association
Blue Cross and Blue Shield of Louisiana
Centers for Medicare & Medicaid Services
Coalition Against Insurance Fraud
Federal Bureau of Investigations
Health and Human Services Office of Inspector General
Humana Inc.
Independence Blue Cross
National Association of Insurance Commissioners
National Association of Medicaid Fraud Control Units
National Health Care Anti-Fraud Association
National Insurance Crime Bureau
New York Office of Medicaid Inspector General
Travelers
Tufts Health Plan
UnitedHealth Group
U.S. Department of Health and Human Services
U.S. Department of Justice
WellPoint, Inc.

HHS & DOJ Say Partnering With Private Insurers Will Give Ongoing Anti-Fraud Efforts Even More Punch

In announcing the new partnership on July 26, 2012, HHS Secretary Kathleen Sebelius and Attorney General Eric Holder touted this new voluntary, collaborative public-private arrangement as the “next step” in the Obama administration’s efforts to combat health care fraud.

“This partnership is a critical step forward in strengthening our nation’s fight against health care fraud,” said Attorney General Holder. “This Administration has established a record of success in combating devastating fraud crimes, but there is more we can and must do to protect patients, consumers, essential health care programs, and precious taxpayer dollars. Bringing additional health care industry leaders and experts into this work will allow us to act more quickly and effectively in identifying and stopping fraud schemes, seeking justice for victims, and safeguarding our health care system.”

“This partnership puts criminals on notice that we will find them and stop them before they steal health care dollars,” Secretary Sebelius said. “Thanks to this initiative today and the anti-fraud tools that were made available by the health care law, we are working to stamp out these crimes and abuse in our health care system.”

Partnership Allows Feds To Use Private Payer Claims Data, Knowledge & Other Fraud Detection Resources

According to HHS and DOJ, the new partnership is designed to share information and best practices in order to improve detection and prevent payment of fraudulent health care billings. Its goal is to reveal and halt scams that cut across a number of public and private payers. HHS and DOJ say the partnership will private insurers to share their anti-fraud insights more easily with investigators, prosecutors, policymakers and other stakeholders and law enforcement officials more effectively to identify and prevent suspicious activities, better protect patients’ confidential information and use the full range of tools and authorities provided by the Patient Protection & Affordable Care Act (Affordable Care Act) and other statutes to combat and prosecute illegal actions.

One unprecedented element of this partnership will involve the sharing of information on specific schemes, utilized billing codes and geographical fraud hotspots between the public and private partners. The partners say the planned sharing of claims data and other information will help partners prevent, detect and respond to potential health care billing fraud by:

Helping partners to take action, to prevent losses to both government and private health plans before they occur;
Improving their ability to spot and stop payments billed to different insurers for care delivered to the same patient on the same day in two different cities;
In the future to use sophisticated technology and analytics on industry-wide healthcare data to predict and detect health care fraud schemes.

Presumably, this will involve the extension of the use of state-of-the-art technology and data mining practices like those the Centers for Medicare & Medicaid Services (CMS) already uses to review claims, to track suspected fraud trends and flag suspected fraudulent activity.

Partnership Expands Use & Reach of New Affordable Care Act & Other Health Care Fraud Detection & Enforcement Tools & Collaboration

The partnership builds upon and extends the reach and use of expanded legal tools created by the Affordable Care Act and other laws that Federal and state officials are using in their highly publicized war against health care fraud, waste and abuse in Medicare, Medicaid, the Children’s Health Insurance Program (CHIP) and, increasingly, private insurance plans. Using these and other new tools, convictions under the Health Care Fraud and Abuse Control Program increased by over 27% (583 to 743) between 2009 and 2011, and the number of defendants facing criminal charges filed by federal prosecutors in 2011 increased by 74% compared with 2008 (1,430 vs. 821).

The Affordable Care Act and other legislative changes and related programs have significantly strengthened the powers of HHS, DOJ and other federal and state agencies to investigate and prosecute health care fraud. Among other things, these amendments and programs included :

Qui tam and other whistleblower incentives and programs that encourage employees, patients, competitors and others to report suspicious behavior;
Require providers, plans to self-identify, self-report and self-correct false claims and certain other non-compliance;
Increase the federal sentencing guidelines for health care fraud offenses by 20-50% for crimes that involve more than $1 million in losses;
Create penalties for obstructing a fraud investigation or audit;
Make it easier for the government to recapture any funds acquired through fraudulent practices;
Make it easier for the Department of Justice (DOJ) to investigate potential fraud or wrongdoing at facilities like nursing homes;
Under the risk-based provider enrollment rules, providers and suppliers wishing to take part in Medicare, Medicaid, and CHIP who federal officials view as posing a higher risk of fraud or abuse now must undergo licensure checks, site visits and other heightened scrutiny including ongoing monitoring as part of the new Automated Provider Screening (APS) system CMS implemented in December 2011. The APS uses existing information from public and private sources to automatically and continuously verify information submitted on a provider’s Medicare enrollment application including licensure status Secretary to impose a temporary moratorium on newly enrolling providers or suppliers of a particular type or in certain geographic areas if necessary to prevent or combat fraud, waste, and abuse.
Increased information sharing and coördination of investigations and enforcement among states, CMS, and its law enforcement partners at the Office of the Inspector General (OIG) and DOJ including the highly publicized activities of the Health Care Fraud Prevention and Enforcement Action Team (HEAT), a joint effort between HHS and DOJ to fight health care fraud.
The power of CMS, in consultation with OIG, to suspend Medicare payments and require States to suspend Medicaid and SCHIP payments to providers or suppliers during the investigation of a credible allegation of fraud;
The deployment and use of the sophisticated data collection and mining technologies of CMS’ new Fraud Prevention System, which since June 30, 2011 has used advanced predictive modeling technology to screen all Medicare fee-for-service claims before payment and target investigative resources on areas that this profile identifies as reflecting heightened risks of health care fraud vulnerability to allow regulators and prosecutors to more efficiently identify and respond to suspected fraudulent claims and emerging trends;
Focused fraud prevention, detection and enforcement activities on Home Health agencies, Durable Medical Equipment, Prosthetics, Orthotics, and Supplies (DMEPOS) suppliers and certain other categories of providers and suppliers that federal officials view as historically presenting heightened concerns;
Expansion of the overpayment detection and recovery activities ofthe Recovery Audit Contractor (RAC) program to Medicaid, Medicare Advantage, and Medicare Part D programs; and
Various other tools.

Health Plan Partnership Latest Wrinkle In Fed’s Efforts To Use Private Whistleblower & Other Resources To Find Fraud

The partnership with the health plans is the latest wrinkle in a growing network of private relationships and outreach that HHS and DOJ use to discover health care fraud. By partnering with health plans, HHS and DOJ have recruited the health plans to help federal officials find and redress potential fraud in public and private health plans.

HHS and DOJ already know the value of getting private citizens to watch for and report suspected illegal behavior. Indeed, expended qui tam and other whistleblower activities already are paying off big for federal officials. For example, a former executive’s qui tam claim helped bring about the settlement announced in June, 2012 under which Christus Spohn Health System Corporation recently paid more than $5 million to settle Justice Departmentclaims that it profited from violations of the False Claims Act by inappropriately admitted patients to inpatient status for outpatient procedures. The investigation leading to the settlement began in March 2008 after Christus – Shoreline’s former director of case management filed a lawsuit under seal under the qui tam provisions of the False Claims Act alleging the six hospitals were submitting false claims to the Medicare program by billing for services that should have been performed on an outpatient basis as if they were more expensive inpatient services. The allegations stated that these hospitals were routinely billing outpatient surgical procedures as if they required an inpatient level of care even though the patients often were discharged from the hospital in less than 24 hours. The federal False Claims Act empowers private citizens with knowledge of fraud against the United States to present those allegations to the United States by bringing a lawsuit on behalf of the United States under seal. If the government’s investigation substantiates those allegations, then the private citizen is entitled to share in any recovery. In this case, that person will receive 20% of the $5,100,481.74 recovery.

With qui tam and other reports of suspected fraud an increasingly frequent and valuable tool in the federal and state wars on health care fraud, officials have added a wide range of programs encouraging and in some cases financially rewarding individuals and businesses that report circumstances leading to fraud convictions. The partnership with health plans reflects the latest wrinkle in these efforts.

Health Care Providers & Health Plans Must Act To Manage Risks

In response to the growing emphasis and effectiveness of Federal officials in investigating and taking action against health care providers and organizations, health care providers covered by federal false claims, referral, kickback and other health care fraud laws should consider auditing the adequacy of existing practices, tightening training, oversight and controls on billing and other regulated conduct, reaffirming their commitment to compliance to workforce members and constituents and taking other appropriate steps to help prevent, detect and timely redress health care fraud exposures within their organization and to position their organization to respond and defend against potential investigations or charges. In light of the growing qui tam risks, health care providers also should tighten internal investigation, exit interview and other human resources and business partner oversight, reporting and investigation policies and practices to help find and redress potential fraud or other qui tam, retaliation and similar exposures early and more effectively.

For More Information Or Assistance

If you need help reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. You can get more information about her health industry experience here. If you need help responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

Leave a Comment » | Academic medicine, Anti-KickBack, ASC, DME, Doctor, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Employee Benefits, false claims act, Federal Sentencing Guidelines, Grants, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health IT, Medicaid, Medical Malpractice, Medicare, Medicare Advantage, Mental Heatlh, Money Laundering, OIG, Outpatient, Physician, Prescription Drugs, Rural Health Care, Stark, Uncategorized | Tagged: CMS, DOJ, false claims act, Health Care, health care feraud, Health claims, Health Plans, HHS, Hospitals, Justice Department, OIG, qui tam, Whistleblower | Permalink
Posted by Cynthia Marcotte Stamer

Director of Texas Office of e-Health Coodination To Discuss Texas HIE Strategy in 3/14 HHS Sponsored Teleconference

March 14, 2012

On Wednesday, March 14, 2012 at 1 p.m. EDT, National eHealth Collaborative’s NeHC University will host Stephen Palmer, Director of the Office of e-Health Coordination at the Texas Health and Human Services Commission, to describe the HIE strategy being pursued by the state of Texas. Palmer will be joined by Kem McClelland of the Integrated Care Collaboration, Tony Gilman of the Texas Health Services Authority, and Bryan White of the North Texas Accountable Healthcare Partnership to showcase the Texas strategy in action and detail the progress that has been made on the ground.

To participate register and join NeHC University’s Spotlight on the Texas Statewide HIE Strategy.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

You can get more information about her HIPAA and other experience here.

If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

[1] The Breach Notification Rule also requires that covered entities report smaller breaches annually to OCR as part of a consolidated disclosure.

For more tips, see here.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

You can get more information about her HIPAA and other experience here.

Other Recent Updates & Resources

For additional resources and publications training materials by Ms. Stamer, see here.

[*] The Breach Notification Rule also requires that covered entities report smaller breaches annually to OCR as part of a consolidated disclosure.

Leave a Comment » | Academic medicine, ARRA, Disease Management, DME, Doctor, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, Health Care, Health Care Provider, Health Insurance Exchange, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Home Health, Hospital, Hospital, Indian Health, Meaningful Use, Mental Heatlh, Pharmacy, Physician, Privacy | Tagged: Breach Notification, business associate, Health Care, Health Plan, HIPAA, HITECH Act, OCR | Permalink
Posted by Cynthia Marcotte Stamer

$1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report

March 13, 2012

Resolution Agreement Also 1^st Announced With Health Plan

Health care providers, health plans and other covered entities beware and prepare! Reporting a large breach under the HITECH Act breach notification rules will trigger a Department of Health & Human Services (HHS) Office of Civil Rights (OCR) investigation into whether OCR should impose civil monetary penalties against the reporting covered entity under the Privacy and Security Rules of the Health Insurance Portability & Accountability Act of 1996 (HIPAA).

Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay OCR $1,500,000 and to take certain other actions specified in a corrective action plan to avoid civil monetary penalties for charges of HIPAA violations. The BCBST Resolution Agreement is particularly significant, both as:

The first reported enforcement action directly resulting from the filing by a covered entity of a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule; and
The first reported resolution agreement reached with a covered entity that is a health plan.

These notable enforcement firsts show the HITECH Breach Notification Rule’s significance as an OCR HIPAA enforcement tool, the heightened exposure to an OCR opening a HIPAA civil monetary penalty (CMP) investigation following a report, as well as the willingness of OCR to sanction health plans as well as other covered entities that breach HIPAA’s Privacy or Security Rules.

BCBST Investigation Began In Response to HITECH Act Breach Notification Rule Report

The OCR investigation that lead to the BCBST settlement began in response to BCBST making a report required under the Breach Notification Rule of the theft of 57 unencrypted computer hard drives from a leased facility in Tennessee, which contained the protected health information (PHI) of over 1 million individuals. Read more details here.

The Breach Notification Rule enacted as part of amendments to HIPAA under the HITECH Act requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more to HHS and the media as well as an annual consolidated report of smaller breaches to HHS.[1] Along with the Breach Notification Rules, the HITECH Act also increased the civil monetary penalties (CMPs) that covered entities like BCBST can incur for HIPAA violations. When it imposed its first ever CMP last year, OCR imposed a $4.3 million CMP against Cignet Health of Prince George’s County, Md. (Cignet).

In an apparent effort to impose a potentially larger CMP assessment arising from the investigation of its breach report, BCBST greed to pay $1,500,000 and adopt other corrective actions detailed in a corrective action plan.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities

The BCBST Resolution Agreements, like the Cignet CMP and other high dollar Resolution Agreements OCR has announced against various health care providers highlight the significance of the HITECH Act amendments to HIPAA’s enforcement and CMP rules, as well as the significance of its Breach Notification Rule as a tool in OCR’s investigation and enforcement efforts.

“This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program,” said OCR Director Leon Rodriguez. “The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.”

The BCBST Resolution Agreement provides yet another reminder to covered entities and their business associates of the need to carefully and appropriately manage their HIPAA responsibilities. See HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website. Covered entities are urged to heed these warning by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures. Fortips, see here.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

You can get more information about her HIPAA and other experience here.

[1] The Breach Notification Rule also requires that covered entities report smaller breaches annually to OCR as part of a consolidated disclosure.

For more tips, see here.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

You can get more information about her HIPAA and other experience here.

Other Recent Updates & Resources

For additional resources and publications training materials by Ms. Stamer, see here.

[*] The Breach Notification Rule also requires that covered entities report smaller breaches annually to OCR as part of a consolidated disclosure.

Leave a Comment » | Academic medicine, ARRA, Disease Management, DME, Doctor, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, Health Care, Health Care Provider, Health Insurance Exchange, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Home Health, Hospital, Hospital, Indian Health, Meaningful Use, Mental Heatlh, Pharmacy, Physician, Privacy | Tagged: Breach Notification, business associate, Health Care, Health Plan, HIPAA, HITECH Act, OCR | Permalink
Posted by Cynthia Marcotte Stamer

ONC Releases Proposed Rules For Meaningful Use Stage 2

February 23, 2012

The Office of the National Coordinator for Health Information Technology (ONC) published its Notice of Proposed Rulemaking for Stage 2 Meaningful Use (Proposed Rule) in the Federal Register today (February 23).

The Proposed Rule available here outlines the next stage of meaningful use for the Electronic Health Record (EHR) Incentive Programs administered by CMS.

CMS has developed a fact sheet to give providers an overview of the rule and how Stage 2 expands upon Stage 1 of meaningful use. The fact sheet can be found here.

For More Information Or Assistance

If you need assistance reviewing or responding to these or other health care related technology, risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers, health care technology and other health industry clients to set up and administer privacy and technology; workforce and staffing; operations; compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

Leave a Comment » | Academic medicine, Affordable Care Act, ASC, Corporate Compliance, Doctor, E-Prescribing, Electronic Health Records, Electronic Medical Records, FDA, Federal Health Center, Grants, Health Care, Health Care Provider, Health Care Quality, Health Care Reform, Health IT, HIPAA, HITECH Act, Home Health, Hospital, Hospital, Licensing, Meaningful Use, Medicaid, Medicare Fee Schedule, OCR, OIG, Outcomes Data, Physician, Physician Licensing, Public Policy, Reimbursement, Rural Health Care, Substance Abuse | Tagged: EMR, Health Care, health care IT, health care technology, HIPAA, HITECH Act, Hospitals, Meaningful Use, Physicians, Privacy, Technology | Permalink
Posted by Cynthia Marcotte Stamer

Medical Identity Theft/Fraud Convictions Highlight Need For Health Care Providers To Safeguard Health Information, Guard Against Fraud Schemes

November 27, 2011

Convictions Highlight Health Care Data Bases Attractive, Vulnerable Target For Medicare Fraud Schemers

A Federal judge sentenced 25 year old Miami resident Yenky Sanchez, 25 to serve more than 5 years in Federal prison for his role in the theft of Medicare numbers and other information of elderly and disabled Florida residents as part of a plan to defraud Medicare, Medicaid and other federal programs. Coming on the heels of a November 3 conviction in West Virginia of Sargis Tadevosyan in a separate identity theft for Medicare fraud scheme, the convictions highlight the growing commitment and effectiveness of Federal and state investigators in investigating and prosecuting individuals who seek to use identity theft schemes to defraud Medicare or other federal programs.

Sanchez Conviction & Sentencing

The sentence arises from criminal charges brought by the U.S. Department of Justice (DOJ) in conjunction with other federal and state agencies, which charged Sanchez considered to commit health care fraud, authentication feature fraud and aggravated identity theft. According to DOJ documents, Sanchez, participated in a scheme with Raul Diaz-Perera, to steal and sell Medicare numbers and other data about clients of their employer, the Florida Department of Children and Families’ (DCF). Diaz-Perera previously was employed with DCF. According to the evidence at trial against Sanchez and a factual proffer filed with the court during the plea hearing for co-defendant Diaz-Perera, Sanchez used his position as employees at a DCF call center in downtown Miami to steal Medicare numbers and other personal information for purposes of committing health care fraud and identity theft. The intent of Sanchez and his co-conspirator was for those numbers to be used to fraudulently bill Medicare for services that were never provided to the DCF beneficiaries. Sanchez was convicted of conspiring to commit health care fraud, in violation of Title 18, United States Code, Section 1349; conspiring to commit authentication feature fraud, in violation of Title 18, United States Code, Sections 1028(a)(3) and (f); and aggravated identity theft, in violation of Title 18, United States Code, Section 1028A(a)(1). Based on these convictions, U.S. District Judge Cecilia M. Altonaga sentenced Sanchez on November 21, 2011 to 65 months in prison, followed by three years of supervised release. Judge Altonaga also imposed a $5,000.00 fine on Sanchez.

Tadevosyan Conviction

Federal officials previously also had scored another Medicare fraud/identity theft prosecution victory just a few short weeks earlier in West Virginia. On November 3, 2011, a federal jury convicted Armenia citizen Sargis Tadevosyan in connection with a health care fraud scheme that intended to defraud millions of dollars from Medicare. Tadevosyan was found guilty of two felony counts: conspiracy to commit health care fraud and wire fraud and aggravated identity theft. Tadevosyan faces up to 20 years in prison for the conspiracy conviction and a mandatory consecutive sentence of two years for aggravated identity theft and a $250,000 fine when he is sentenced on January 26, 2012.

In contrast to the small scale conspiracy that apparently occurred in the Sanchez case, the Tadovosyn scheme apparently was orchestrated by organized crime. Department of Health and Human Resources Office of Inspector General (HHS-OIG) uncovered the activities of Tadovosyn as part of its investigation of fraud schemes involving false front providers, whereby a company posed as a Medicare health care provider, and unlawfully billed Medicare as if they were providing legitimate services. Ultimately, investigators discovered that Tadevosyn and others were involved in defrauding Medicare and other health care payers as part of a scheme that used false front provider companies. In total, more than $4 million in Medicare claims were submitted by the false front providers. To co-conspirators of Tadevosyn pleaded guilty in September to aiding and abetting aggravated identity theft in connection to the health care fraud plot. Those two co-defendants are scheduled to be sentenced on December 1, 2011.

In announcing the Tadevosyan conviction, federal officials affirmed their commitment to finding and prosecuting identity theft targeting Medicare and other health insurance programs. “This investigation revealed that organized criminal groups are still brazenly attempting to steal taxpayer money from our national health insurance programs,” said Nicholas DiGiulio, Special Agent in Charge for the Inspector General’s Office of the United States Department of Health and Human Services. “Today’s results demonstrate that we will do whatever it takes to catch these individuals in the act before they receive a penny of taxpayers’ money.”

Federal Laws, Investigations & Prosecutions of Medical Identity Theft Schemes Tightening

Whether from deliberate schemes to misappropriate data or other less sinister compromises of personal health information or other sensitive data, health care providers, health plans and other businesses face rising responsibilities to protect data and increasing exposures for failing to do so.

Federal law imposes stiff sanctions against organizations and individuals that engage in theft of personal or other sensitive information, health or other federal program fraud or both. In an effort to stem the tide of health care and identity theft fraud, federal and state legislators and regulators have tightened federal and state laws to strengthen laws prohibiting health care fraud and identity theft, to require that health care providers, health plans, federal and state agencies and others that collect, possess or access sensitive personal health information, personal financial information or other sensitive date safeguard and protect sensitive information against improper access or misuse, to increase the penalties for violation of these federal and state laws and to provide law enforcement with expanded tools to investigate and prosecute violations of these laws. See e.g., Cybercrime and Identity Theft: Health Information Security Beyond HIPAA.

As a result of these new and expanded mandates, health care providers, health plans, financial organizations and a broad range of other businesses and governmental agencies face a host of complicated mandates to protect personal health information, personal financial information and other sensitive data under laws such as the Health Information Portability & Accountability Act (HIPAA), the Fair & Accurate Credit Transactions Act (FACTA), state and federal identity theft and data security and other laws and significant liability for failing to fulfill these responsibilities.

Health care providers, health insurers and others handling protected health information are particularly at risk when their data is compromised. Recent amendments to HIPAA require these entities and their business associates to tighten their data privacy and security safeguards and to monitor and timely report data breaches, as well as significantly expand their potential liability exposure for failing to comply with HIPAA’s requirements. See e.g., UCLA Health Systems Payment of $865,500 To Settle HIPAA Charges Shows Rising HIPAA Risk; CVS Settles Privacy Charges; Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case As Office of Civil Rights Proposes Tighter HIPAA Privacy & Security Regulations; 2 New HIPAA Criminal Actions Highlight Risks From Wrongful Use/Access of Health Information; President Signs Long-Sought Red Flag Rule Exemption Into Law. As part of its ongoing implementation of stepped up enforcement responsibility and powers enacted as part of these recent amendments, the HHS Office of Civil Rights (OCR) announced on November 8, 2011 its kickoff of a new compliance audit effort. These developments send a forceful message that all businesses generally and health care providers, health plans, healthcare clearinghouses and their business associates specifically must get serious about compliance with the privacy, security and data breach requirements of HIPAA and other applicable law by implementing and administering the policies, procedures, training and oversight necessary to comply with these and other federal and state mandates regarding the protection of personal health information and other sensitive data. Learn more about the recent convictions and related data breach exposures here.

For Help With Compliance, Investigations Or Other Needs

If you need assistance providing compliance or other training, reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns/ She also regularly designs and presents risk management, compliance and other training for health care providers, professional associations and others. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

Leave a Comment » | ARRA, Childrens Health Insurance Program, Doctor, Durable Medical Equipment, E-Prescribing, Electronic Health Records, Electronic Medical Records, Employer, FACTA, false claims act, Federal Sentencing Guidelines, Genetic Information, GINA, Health Care, Health Care Fraud, Health Care Provider, Health Care Quality, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Home Health, Hospital, Hospital, Indian Health, Meaningful Use, Medicaid, Medicare, Medicare Advantage, Mental Heatlh, Money Laundering, OCR, Reimbursement, Technology, Telemarketing, Telemedicine, Veterans Health Administration | Tagged: Data Security, FACTA, Health Care Fraud, HIPAA, Identity Theft, Justice Department, Medicaid, Medicare, OCR, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

OCR Audit Program Kickoff Further Heats HIPAA Privacy Risks

November 9, 2011

The kickoff of a new compliance audit pilot program provides another reason for health care providers, health plans, healthcare clearinghouses and their business associates to get serious about compliance with the privacy, security and data breach requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

OCR Pilot Audit Program Begins

On November 8, 2011, the Office of Civil Rights (OCR) of the Department of Health & Human Services (HHS) announced that it will begin auditing HIPAA compliance this month under a new pilot program.

As amended by the American Recovery and Reinvestment Act of 2009 in Section 13411 of the HITECH Act, requires HHS to provide for periodic audits to make sure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. To carry out this mandate, OCR is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance between November 2011 and December 2012.

The commencement of OCR HIPAA compliance audits is yet another sign that covered entities and their business associates should get serious about HIPAA compliance. The audit program serves as a new part of OCR’s health information privacy and security compliance program. While OCR says that it presently views the pilot audits as primarily a compliance improvement tool, this does not mean violators should expect a free walk.

Even before the impending audits, HIPAA Privacy exposures of covered entities for failing to comply with HIPAA already had risen significantly. Earlier this year, OCR imposed a $4.3 Million Civil Money Penalty (CMP) against Cignet Health of Prince George’s County (Cignet) for violating HIPAA. Meanwhile, the Department of Justice has secured several criminal convictions or pleas under HIPAA’s criminal provisions. Under amendments made by the HITECH Act, state attorneys general also now are empowered to bring civil lawsuits against covered entities and business associates that commit HIPAA violations that injure citizens in their state under certain circumstances. Eventually, individuals injured by HIPAA violations also will get the right to share in a portion of certain HIPAA recoveries.

These and other audit and enforcement activities send a strong message that covered entities and their business associates need to get serious about HIPAA compliance. As stated by OCR Director Georgina Verdugo when announcing the Mass General Resolution Agreement, “To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules,” Verdugo added, “A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.” Learn more here.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

Vice President of the North Texas Health Care Compliance Professionals Association, a member of the American College of Employee Benefit Counsel, Past Chair of the ABA RPTE Employee Benefits & Other Compensation Arrangements Group, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies. Ms. Stamer also regularly helps clients deal with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. Her insights on the required “culture of compliance” with HIPAA are frequently included in medical privacy related publications of the Atlantic Information Service, Modern Health Care, HealthLeaders and many others. Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, employee benefit and other clients, trade and professional associations and others. You can get more information about her HIPAA and other experience here or may contact her at (469) 767-8872 or via e-mail here.

You can review other selected publications and resources and additional information about the employment, employee benefits and other experience of Ms. Stamer here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources available at www.solutionslawpress.com.

Leave a Comment » | Academic medicine, ASC, Centers For Disease Control, Childrens Health Insurance Program, DEA, Disease Management, DME, Doctor, Durable Medical Equipment, E-Prescribing, Electronic Medical Records, Employee Benefits, Employer, FACTA, Genetic Information, GINA, Health Care, Health Care Provider, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Home Health, Hospital, Hospital, Indian Health, Inpatient Rehabilitation Facility, Medicaid, Medicare, Mental Heatlh, OCR, Outpatient, Pharmacy, Physician, Prescription Drugs, Privacy, Rural Health Care | Tagged: Data Security, Doctor, Health Care Provider, HIPAA, HITECH, home health, Hospital, Physician, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

UCLA Health Systems Payment of $865,500 To Settle HIPAA Charges Shows Rising HIPAA Risk

September 15, 2011

Health care providers, health plans, health care clearinghouses and their business associates got another wake up call about the growing importance of strengthening their policies, practices and safeguards of medical information and records that are “protected health information” under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the announcement on July 7 that the University of California at Los Angeles Health System (UCLAHS) has reached an agreement with the U.S. Department of Health & Human Services Office of Civil Rights (OCR) to pay $865,500 and act to strengthen its health information privacy and security practices to settle charges of HIPAA violations.

The latest in a series of recently announced high-dollar Resolution Agreements, the UCLAHS Resolution Agreement highlights the growing risks that covered entities and their business associates run by failing to adequately adopt and administer the policies, systems and other management controls and training necessary to ensure that their organizations and their employees and other members of their workforce actually operationally comply with HIPAA.

Increased penalties, tighter rules and recent enforcement actions by OCR make it more important than ever that covered entities tighten their compliance and risk management policies and procedures.

As a result of amendments enacted as part of the HITECH Act, Congress modified and expanded the HIPAA audit and enforcement obligations of OCR, amended and expanded the potential penalties, made business associates liable for violation of the privacy rules like covered entities, added an obligation for covered entities and business associates to provide notification of breaches of unsecured PHI and tightened other HIPAA obligations. The HITECH Act also gave state attorneys general to bring civil lawsuits against covered entities and business associates that commit HIPAA violations that injure citizens in their state under certain circumstances. Eventually, individuals injured by HIPAA violations will get the right to share in a portion of certain HIPAA recoveries. See HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On　Website.

OCR enforcement actions and statistics make clear that OCR is serious about investigation and enforcement of HIPAA violations. This Spring, OCR assessed its first civil monetary penalty (CMP) under HIPAA – a $4.3 million against Cignet Health of Prince George’s County, Md. (Cignet) and entered into a series of Resolution Agreements under which CVS Pharmacy, Inc., General Hospital Corporation and Massachusetts General Physicians Organization Inc., Rite Aid and others paid a million or more dollars as part of the required terms of settlement. See e.g., Rite Aid Pays $1 Million HIPAA Privacy Settlement As OCR Tightens HIPAA Regulations; HIPAA Risks Soar As CVS Agrees To Pay $2.25 Million To Resolve HIPAA Charges & Stimulus Bill Amends HIPAA; Providence To Pay $100,000 & Implement Other Safeguards To Settle HIPAA Penalty Exposures Under HIPAA. Meanwhile, as of January 1, 2011, OCR reported that it had referred more than 484 Privacy Rule breach investigations to the Department of Justice for consideration for potential criminal prosecution and required changes in privacy practices and other corrective actions as part of the requirements for resolution of an additional 12,781 of cases investigated. In addition to these civil enforcement actions by OCR, the Department of Justice has secured several criminal convictions or pleas under HIPAA’s criminal provisions. OCR data confirms that the covered entities involved in these actions included health care providers, health plans, and others. See, e.g., 2 New HIPAA Criminal Actions Highlight Risks From Wrongful Use/Access of Health　Information

Lax HIPAA and other practices for protection of medical and other confidential personal information also increasingly exposes covered entities and other organizations to liability under state laws. State courts allow individual plaintiffs to rely on violations of HIPAA as the basis for bringing state privacy, retaliation or other actions. See, e.g. Sorensen v. Barbuto, 143 P.3d 295 (Utah Ct. App. 2006), Acosta v. Byrum, 638 S.E. 2d 246 (N.C. Ct. App. 2006). Private plaintiffs employed by covered entities also claim HIPAA related misconduct as the basis for their retaliation claims. See, e.g.,　 Retaliation For Filing HIPAA Complaint Recognized As Basis For State Retaliatory Discharge Claim.

HIPAA-specific exposures, wrongful use, access or disclosure of medical information also can expose covered entities, members of their workforce and others improperly using, accessing or disclosing protected health information to liability under other federal or state laws. See, Cybercrime & Identity Theft: Health Information Security Beyond HIPAA; NY AG Cuomo Announcement of 1st Settlement For Violation of NY Security Breach Notification Law; Woman Who Revealed AIDs Info Gets A Year.

These and other developments make clear that covered entities and their business associates must get serious about HIPAA compliance and risk management. These organizations should review and tighten privacy policies, breach and other monitoring, training and other practices to mitigate against exposures in light of recently tightened requirements and new enforcement risks.

For More Details Or Help With HIPAA & Other Risk Management & Compliance Needs

To learn more about the UCLAHS Resolution Agreement and other risk management tips, see UCLA Health Systems Payment of $865,000 To Settle HIPAA Charges Shows Rising HIPAA Risk.

Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.　 For instance, On May 3, 2011, Ms. Stamer served as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR and will moderate a teleconference featuring comments by OCR’s Susan McAndrew for the Joint Committee on Employee Benefits scheduled for May 16. Her insights on the required “culture of compliance” with HIPAA also recently were quoted in medical privacy related publications of the Atlantic Information Service. Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, employee benefit and other clients, trade and professional associations and others. You can get more information about her HIPAA and other experience here. To ask for legal help with these or other compliance concerns, inquire about arranging for compliance audit or training, or matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here. You can review other publications and resources and additional information about the employment, employee benefits and other experience of Ms. Stamer here and register to receive future updates about developments on these and other concerns from Ms. Stamer here. For important information concerning this communication click here.Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources available at www.solutionslawpress.com.

Leave a Comment » | Academic medicine, ASC, Disease Management, DME, Doctor, Durable Medical Equipment, E-Prescribing, Electronic Medical Records, Employee Benefits, Genetic Information, GINA, Health Care, Health Care Provider, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Home Health, Hospital, Indian Health, Medicare Advantage, Mental Heatlh, OCR, Outpatient, Patient Empowerment, Pharmacy, Prescription Drugs, Rural Health Care | Tagged: business associate, Doctor, Health Care, Health Care Provider, Health Plans, HIPAA, Hospital, Physician | Permalink
Posted by Cynthia Marcotte Stamer

5/18 Deadline to Register For 5/19 CMS Provider Call on Medicare and Medicaid EHR Meaningful Use Incentive Programs

May 17, 2011

Wish you knew more about how to use electronic health records (EHRs) to earn incentive payments from the Centers for Medicare & Medicaid Services (CMS)? CMS plans to host a national provider education call to help you learn more about meaningful use on Thursday, May 19 at 2:30 p.m. EDT. During the call, CMS plans to discuss:

The definition of meaningful use
The requirements for Stage 1 of meaningful use (2011 and 2012)
How to attest to having met meaningful use
Overview of the meaningful use objectives specification sheets
- Stage 1 EHR Meaningful Use Specification Sheets for Eligible Professionals
- Stage 1 EHR Meaningful Use Specification Sheets for Eligible Hospitals
Q&A about meaningful use

In order to receive the call-in information, you must register for the call. It is important to note that if you are planning to sit in with a group, only one person needs to register to receive the call-in data. This registration is solely to reserve a phone line, NOT to allow participation. Registration will close at 2:30 p.m. EDT on May 18, 2011, or when available space has been filled. No exceptions will be made, so please be sure to register prior to this time. In order to register, you should:

Visit the registration page.
Fill in all required information and click “Register.”
You will be taken to the “Thank you for registering” page and will receive a confirmation email shortly thereafter. Please save this page in case your server blocks the confirmation emails. (If you do not receive the confirmation email, check your spam/junk mail filter as it may have been directed there.)
If assistance for hearing impaired services is needed, please email medicare.ttt@palmettogba.com no later than three business days before the call.

Prior to the call, presentation materials will be made available in the “Upcoming Events” section of the Spotlight page on the CMS EHR website.

Want more information about the EHR Incentive Programs?
Make sure to visit the EHR Incentive Programs website for the latest news and updates on the EHR Incentive Programs.

Sixty-two Regional Extension Centers (RECs) across the nation are prepared to offer customized, on-the-ground assistance for eligible professionals and hospitals registering for the CMS EHR Incentive Programs. To locate an REC near you, visit http://www.healthit.

In addition to the May 10 call, recordings of various other recent health information privacy and data security training offered by agencies within the Department of Health and Human Services also now is avaialble on the web. For instance, the National Institute of Standards and Technology (NIST) and the Office for Civil Rights (OCR) are making presentations from the 4th annual conference on “Safeguarding Health Information: Building Assurance through HIPAA Security” co-hosted in Washington, D.C. on May 10 & 11, 2011 available on line for review. The training is part of a series of continuing efforts by the agencies to outreach to various parties on the Privacy and Security Rules of the Health Insurance Portability & Accountability Act of 1996, as amended (HIPAA). Meanwhile, OCR’s Susan McAndrew on Monday shared insights on OCR’s HIPAA regulatory and enforcement agenda at a teleconference to be hosted by the American Bar Association Joint Committee on Employee Benefits at Noon Central on May 16, 2011. Recordings of these presentations are or will be accessible on the sponsoring organizations from their websites. For details about reviewing the May 10-11 presentations, see the 2011 HIPAA Conference website here. For details about the May 16 teleconference, see here.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

If you need assistance monitoring federal health reform, policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. On May 3, 2011, Ms. Stamer served as the appointed scribe for the ABA Joint Commitee on Employee Benefits Agency meeting with OCR and will moderate a teleconference featuring comments by OCR’s Susan McAndrew for the Joint Committee on Employee Benefits scheduled for May 16. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns/ She also regularly designs and presents risk management, compliance and other training for health care providers, professional associations and others including highly popular programs on “Sex Drugs & Rock ‘N Role: Managing Personal Misconduct in Health Care,” “Managing Physician Performance” and others.. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

Leave a Comment » | Academic medicine, ASC, DEA, Disease Management, DME, Doctor, Electronic Health Records, Electronic Medical Records, Employer, Genetic Information, GINA, Health Care Provider, Health IT, Health Plan, HIPAA, HITECH Act, Hospital, Medicaid, Medicare, Medicare Advantage, Medicare Fee Schedule, Mental Heatlh, OCR, Physician | Tagged: Health Care, HIPAA, Medical Confidentiality, OCR< Privacy, Security | Permalink
Posted by Cynthia Marcotte Stamer

OCR/NIST Share Training Online, OCR’s McAndrew To Speak On May 16 Teleconference

May 10, 2011

The National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) are making presentations from the 4th annual conference on “Safeguarding Health Information: Building Assurance through HIPAA Security” co-hosted in Washington, D.C. on May 10 & 11, 2011 available on line for review. The training is part of a series of continuing efforts by the agencies to outreach to various parties on the Privacy and Security Rules of the Health Insurance Portability & Accountability Act of 1996, as amended (HIPAA). Meanwhile, OCR’s Susan McAndrew is scheduled to share insights on OCR’s HIPAA regulatory and enforcement agenda at a teleconference to be hosted by the American Bar Association Joint Committee on Employee Benefits at Noon Central on May 16, 2011.

The Security Rule sets federal standards to protect the confidentiality, integrity and availability of electronic protected health information by requiring HIPAA covered entities and their business associates to implement and maintain administrative, physical and technical safeguards. Presentations cover a variety of current topics including updates on HHS health information privacy and security initiatives, OCR’s enforcement of health information privacy and security activities, integrating security safeguards into health IT and security automation, insider threat trends and safeguards, and more.

The conference is designed to explore the current health information technology security landscape and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, the agencies share their practical strategies, tips and techniques for implementing the HIPAA Security Rule.

For details about reviewing the May 10-11 presentations, see the 2011 HIPAA Conference website here. For details about the May 16 teleconference, see here.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

ONC Touts Research On Health IT Benefits In Health Affairs Article

March 20, 2011

Researchers from the Office of the National Coordinator for Health Information Technology (ONC) and other Department of Health & Human Services (HHS) leaders are touting new studies they say show the benefits of investing in health information technology (health IT).

Under the Health Information Technology for Economic and Clinical Health Act (HITECH), part of the American Recovery and Reinvestment Act of 2009, as much as $27 billion Medicare and Medicaid incentive payments will be available to eligible professionals, eligible hospitals, and critical access hospitals when they adopt certified EHR technology and successfully demonstrate “meaningful use” of the technology in ways that improve quality, safety, and effectiveness of patient-centered care.

On March 8, 2011, ONC researches reported results of a comprehensive review of recent studies it says show the effects of health IT on key aspects of health care on the ONC website and in Health Affairs.

According to Donald Berwick, M.D., administrator of the Centers for Medicare & Medicaid Services, the study supports the investments that the HITECH Act makes in health IT. “These new findings are very significant in helping to confirm that our Nation has made the right choice in moving aggressively toward adoption of health information technology,” said Dr. Berwick. “These new findings are very significant in helping to confirm that our Nation has made the right choice in moving aggressively toward adoption of health information technology.”

The review included articles published from July 2007 up to February 2010, following up on earlier reviews of articles from 1995 to 2004 and from 2004 to 2007. This latest review initially surveyed more than 4,000 peer-reviewed articles, of which 154 were found qualified for the parameters of the study, a number similar to the previous efforts. In addition to quality and efficiency of care, the authors categorized additional outcomes including access to care, preventive care, care process, patient safety, and provider or patient satisfaction.

According to the authors, a current review of 154 peer-reviewed studies from July 2007 to February 2010 found:

More than 92 percent reached positive overall conclusions on the effects of health IT;
30 percent found mixed but predominantly positive results; and
Ten articles were found to have negative or mixed-negative results.

ONC reports that the review also reflected a new balance of evidence between HIT “leader” organizations and other entities, especially smaller medical practices. In previous years, much evidence has come from the “leaders.” The current review shows increased evidence of benefits for others as well.

Examples of positive results highlighted by ONC in its reports include:

One study found that at three New York City dialysis centers, patient mortality decreased by as much as 48 percent while nurse staffing decreased by 25 percent in the three years following implementation of electronic health records (EHRs).
In an inpatient study, a clinical decision support tool designed to decrease unnecessary red blood cell transfusions reduced both transfusions and costs, with no increase in patient length-of-stay or mortality.
Another study addressing HIT in 41 Texas hospitals found that hospitals with more advanced HIT had fewer complications, lower mortality and lower costs than hospitals with less advanced HIT.

ONC researchers report that negative findings in the study were most often associated with provider or staff satisfaction related to difficulties in the process of transitioning from paper-based to electronic-based records and care. The researchers conclude these findings “highlight the need for studies that document the challenging aspects of implementing HIT more specifically and how these challenges might be addressed,” such as through strong leadership or staff participation when adopting and implementing HIT.

Reflecting on the findings, Surgeon General Regina Benjamin, M.D., said, “My own personal experience in switching my practice from paper to EHRs showed that the change requires some initial effort; however, it did not interrupt work flow in the clinic. The results are better care for patients and new opportunities for the physician and staff to improve quality outcomes.” Dr. Benjamin switched to EHRs in her Gulf Coast Alabama family practice after two hurricanes and a fire destroyed the clinic’s paper records.

At the Agency for Healthcare Research and Quality, where research into health informatics has been supported since 1968, agency Director Carolyn Clancy, M.D., called attention to the importance of rapid information feedback and current evidence as the Nation pursues HIT implementation. “As we have known, and this new review of the available literature shows, HIT holds tremendous potential to improve health care quality. It is important that we continue to use experience from the field and scientific evidence to guide our efforts to improve the quality and safety of health care for all Americans.”

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

If you need assistance monitoring federal health reform, policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns/ She also regularly designs and presents risk management, compliance and other training for health care providers, professional associations and others including highly popular programs on “Sex Drugs & Rock ‘N Role: Managing Personal Misconduct in Health Care,” “Managing Physician Performance” and others.. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

Leave a Comment » | DME, Doctor, E-Prescribing, Electronic Health Records, Electronic Medical Records, Federal Health Center, Health Care, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Reform, Health IT, Health Plan, Health Plans, HITECH Act, Hospital, Hospital, Laws, Meaningful Use, Medicaid, Medicare, Medicare Advantage, Physician, Public Policy, Reimbursement | Tagged: EHR, Electronic Health Records, Electronic Medical Records, EMR, Health Care, Health IT, Health Technology, Heatlh Care Reform, HITECH Act, ONC | Permalink
Posted by Cynthia Marcotte Stamer

Health Care Providers Brace For New HIPAA Enforcement As OCR Announces Hospital Resolution Agreement Requiring $1 Million Settlement Payment

February 25, 2011

Announcement Made 2 Days After OCR Announces $4.3 Million HIPAA Civil Penalty Against Cignet

General Hospital Corporation and Massachusetts General Physicians Organization Inc. (Mass General) has agreed to pay the U.S. government $1,000,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The incident giving rise to the agreement involved the loss of protected health information (PHI) of 192 patients of Mass General’s Infectious Disease Associates outpatient practice The U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) announced the Resolution Agreement two days after announcing that its first official assessment of a civil monetary penalty CMP under HIPAA – a $4.3 million against Cignet Health of Prince George’s County, Md., (Cignet). Read more details here

HIPAA Privacy Rule restricts the use, access and disclosure by covered entities of PHI and other individually identifiable health care information to those outlined within the Rules. Under HIPAA covered entities also are responsible for establishing and enforcing policies and procedures that safeguard PHI against improper use, access or disclosure by employees, business associates, and other third parties. Noncompliance with the Privacy and Security Rules exposes a covered entity to criminal prosecution and penalties, civil penalties or both. The Privacy Rule requires health plans, health care clearinghouses and most health care providers (covered entities) to safeguard the privacy of patient information, including such information during its disposal. Under amendments to HIPAA enacted under the HITECH Act, business associates now also are accountable and subject to direct liability for failing to comply with HIPAA’s requirements. Amendments to HIPAA under the HITECH Act, further expand the risks and responsibilities of health care providers and other covered entities.

Announced just two days before the Mass General Resolution Agreement, the Cignet CMP announced February 22, 2011 is the first CMP ever assessed by OCR under the HIPAA Privacy Rule. The assessment resulted after OCR found Cignet violated 41 patients’ HIPAA rights and committed other HIPAA violations. The $4.3 million CMP against Cignet applies the expanded HIPAA violation categories and increased HIPAA civil monetary penalty amounts authorized by HIPAA amendments made by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Read more details.

Even before the Mass General Resolution Agreement and Cignet CMP announcements, HIPAA Privacy exposures of covered entities for failing to comply with HIPAA already had risen significantly. While OCR had not assessed any civil monetary penalties against any covered entity for violation of HIPAA before Cignet, OCR’s collection of $1 Million from Rite Aid in a 2010 Resolution Agreement, $2.25 million from CVS Pharmacy, Inc. under a 2009 Resolution Agreement and $100,000 from Providence Health & Services under a 2008 Resolution Agreement demonstrated that covered entities could face significant civil liability for willful violations of the Privacy Rules. In addition to these civil enforcement actions by OCR, the Department of Justice has secured several criminal convictions or pleas under HIPAA’s criminal provisions. OCR data confirms that the covered entities involved in these actions included health care providers, health plans, and others. Coupled with the HITECH Act changes, these and other enforcement actions signal growing potential hazards for covered entities and their business associates that fail to properly manage their HIPAA compliance obligations and risks.

The Mass General and Cignet announcements and other enforcement actions demonstrate that OCR is moving forward on its announced plans to hold health plans, health care providers, health care clearinghouses (covered entities) and their business associates that violate HIPAA accountable. Added to other recent developments, the Mass General and Cignet enforcement actions demonstrate that OCR’s commitment to enforcing HIPAA and illustrate the significant exposures that covered entities and business associates risk by disregarding their HIPAA obligations.

As stated by OCR Director Georgina Verdugo when announcing the Mass General Resolution Agreement, stating, “We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information.”

“To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules,” Verdugo added, “A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.”

Covered entities are urged to heed these warning by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures. Health plans and other covered entities as well as their business associates should tighten privacy policies, breach and other monitoring, training and other practices to mitigate against exposures in light of recently tightened requirements and new enforcement risks. To minimize the potential that the health plan’s sharing of information with the employer will create or spread HIPAA or other privacy risks to the employer or members of its workforce, employers and other plan sponsors and members of their workforce also should take steps to ensure not only that their health plan documents, policies and procedures, as well as those policies and practices applicable to the employer, its human resources, and benefits advisors when accessing or handling health plan or other medical information on behalf of the employer, rather than the plan, are appropriately designed and administered.

Act To Manage HIPAA Exposures

In response to these expanding exposures, covered entities and their business associates should review the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration the Cignet, Rite Aid, Provident and CVS enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable. As part of these compliance and risk management efforts, most covered entities and their business associates will find it advisable to devote significant attention to the business associate relationship and its associated business associate agreements.

For Help With Investigations, Policy Review & Updates Or Other Needs

About Solutions Law Press

HHS Imposes 1st HIPAA Privacy Civil Penalty of $4.3 million

February 22, 2011

Health Care Providers Should Strengthen HIPAA Compliance & Defenses As Risks Rise

$4.3 million is the amount of the civil monetary penalty (CMP) that the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has ordered Cignet Health of Prince George’s County, Md., (Cignet) to pay for violating the Health Insurance Portability & Accountability Act (HIPAA) Privacy Rule.

The first CMP ever assessed by OCR under the HIPAA Privacy Rule, the Cignet CMP assessment is the latest in a series of developments documenting the rising risks that health care providers, health plans, health care clearinghouses and their business associates (“covered entities”) face for violations of HIPAA. Covered entities and their business associates should tighten privacy policies, breach and other monitoring, training and other practices to mitigate against exposures in light of recently tightened requirements and new enforcement risks. Read more details.

Even before the announcement of the Cignet CMP, the HIPAA Privacy exposures of covered entities for failing to comply with HIPAA already had risen significantly. As of January 1, 2011, OCR reports that 12,781 of the cases it has investigated have been resolved by requiring changes in privacy practices and other corrective actions by the covered entities and has referred more than 484 Privacy Rule breach investigations to the Department of Justice for consideration for potential criminal prosecution.

While OCR had not assessed any civil monetary penalties against any covered entity for violation of HIPAA before Cignet, OCR’s collection of $2.25 million from CVS Pharmacy, Inc. under a 2009 Resolution Agreement and $100,000 from Providence Health & Services under a 2008 Resolution Agreement demonstrated the willingness of OCR to pursue significant civil remedies against covered entities that it determined willfully violated the Privacy Rules.

For Help With Compliance, Investigations Or Other Needs

If you need assistance auditing or tightening your existing HIPAA and other confidentiality practices or addressing other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers and other health industry clients to establish and administer medical privacy and other compliance and risk management policies and to respond to OCR, FTC, medical board and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns including a number of programs and publications on Medicare quality and other compliance concerns. Her publications and insights on HIPAA and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

Leave a Comment » | Academic medicine, ARRA, ASC, Centers For Disease Control, Disease Management, DME, Doctor, E-Prescribing, Electronic Health Records, Electronic Medical Records, Federal Health Center, Genetic Information, Health Care, Health Care Provider, Health Care Quality, Health IT, Health Plans, HIPAA, HITECH Act, Hospital, Hospital, Indian Health, Medicaid, Medical Licensure, Medicare, Medicare Advantage, Medicare Fee Schedule, Mental Heatlh, OCR, Peer Review, Pharmacy, Physician, Privacy, Reimbursement, Telemedicine | Tagged: covered entity, Health Care, HIPAA, Hospital, Medical Confidentiality, OCR, Physician, Privacy Rule, Security Rule | Permalink
Posted by Cynthia Marcotte Stamer

Red Flag Rule Relief For Health Care Providers, Lawyers & Other Service Providers Awaits President’s Signature

December 8, 2010

Congress has approved and sent to the President for signature legislation exempting doctors, dentists, hospitals, veterinarians, and other health care providers, lawyers, accountants, consultants and other service providers that allow customers to pay for their services and supplies over time from the burdensome “Red Flag Rules” of the Fair and Accurate Credit Transactions Act of 2003 (FACTA).

FACTA’s Red Flag Rules generally require “creditors” to comply with burdensome identity theft prevention and monitoring rules issued by the Federal Trade Commission (FTC). Under current FTC regulations set to take effect December 31, 2010, health care providers, attorneys, consultants or other service providers become covered creditors simply by allowing customers finance and pay charges to the service provider over time.

Yesterday (December 7, 2010), the House of Representatives by voice vote passed H.R. 6420, the “Red Flag Program Clarification Act of 2010.: Like the Senate version of the Bill, S. 3987, passed by the Senate on November 30, 2010, the Red Flag Program Clarification Act (“Act”) is intended by Congress to make clear that doctors, dentists, orthodontists, pharmacists, veterinarians, accountants, nurse practitioners, social workers, other types of health care providers, lawyers and other service providers will no longer be classified as ‘creditors’’ for the purposes of the Red Flags Rules just because they do not receive payment in full from their clients when they provide their services, when they don’t offer or maintain accounts that pose a reasonably foreseeable risk of identity theft.

Assuming the President signs the Act into law, the Red Flag Rule’s definition of “creditor” generally would continue to apply to a person who obtains or uses consumer reports in connection with a credit transaction, furnishes information to consumer reporting agencies in connection with credit transactions, or advances funds based on the recipients obligation to repay (or permit the funds to be repaid through specific property of the recipient), or otherwise is a creditor that the Federal Trade Commission (FTC) by rule determines should be covered as a creditor that offers or maintains accounts subject to a reasonably foreseeable risk of identity theft. However, a person that only “advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person” will be expressly excluded from the definition of “creditor” for purposes of the Red Flag Rules.

The Act’s passage follows a multi-year battle by health care providers and other professional services providers to reverse the FTC’s interpretation of the Red Flag Rules as applicable to service providers that allow customers and clients to pay for services and supplies over time. The outcry about the FTC’s interpretation of the scope of the rules and the perceived cost and complexity of their provisions lead the FTC to delay implementation several times. See e.g., Health Care Red Flag Rule Compliance Deadline Extended To August 1; Prompt Action Still Required. The relief provided under the Act is particularly welcomed by health care providers, who already face significant civil and criminal liability exposures under the health-industry specific privacy and data security requirements of the Health Insurance Portability & Accountability Act (HIPAA). See CVS Settles Privacy Charges; Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case As Office of Civil Rights Proposes Tighter HIPAA Privacy & Security Regulations; 2 New HIPAA Criminal Actions Highlight Risks From Wrongful Use/Access of Health Information.

While when signed into law the Act will the technical burdens that health care providers and other service industry businesses by exempting them from FACTA’s Red Flag Rules, these and other businesses generally face significant responsibilities and risk under other federal electronic crimes, and other federal and state data security, identity theft and other laws and precedent, as well as pursuant to contractual commitments incorporated into a broad range of agreements in response to FACTA, HIPAA and other risk management concerns. Even after the President signs the Act into law, however, health industry and other businesses still may face contractual obligations to continue to comply with many of its mandates under contractual commitments incorporated into various agreements in anticipation of the effective date of the Red Flag Rule requirements. Health industry and other businesses expecting to enjoy relief from the Red Flag Rules as a result the Act should review contractual and other obligations to properly understand their continuing legal responsibilities and, where warranted, consider seeking the removal of contract amendments to remove provisions incorporated into contracts solely in anticipation of Red Flag Rules mandates to the extent this limited relief permits. Since the relief granted under the terms of the statute is quite narrow and limited, however, organizations should review carefully their operations to verify that their operations do not encompass other activities that would cause them to continue to qualify as creditors for purposes of the Red Flag Rules to avoid compliance exposures from over-estimating the scope of relief.

For More Information or Assistance

If you need assistance evaluating or responding the health industry or other privacy and data security concerns or other technology and process, compliance, risk management, transactional, operational, enforcement or public policy concerns, please contact the author of this update, Cynthia Marcotte Stamer, at (469) 767-8872, cstamer@solutionslawyer.net.

Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years experience advising physicians, hospitals and other health industry clients about quality assurance, peer review, licensing and discipline, and other medical staff performance matters. She continuously advises health industry clients about the use of technology, process and other mechanisms to promote compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational needs. As part of this experience, she has worked extensively with health care providers, payers, health care technology and consulting and other health industry clients, as well as other businesses, on privacy, data security, trade secret and related matters. A popular lecturer and widely published author on health industry concerns, Ms. Stamer also publishes and speaks extensively on health care staffing and human resources, compensation and benefits, technology, medical staff, public policy, reimbursement, privacy, technology, and other health and managed care industry regulatory, and other operations and risk management concerns for medical societies and staffs, hospitals, the HCCA, American Bar Association, American Health Lawyers Association and many other health industry groups and symposia. Her highly popular and information packed programs include many highly regarded publications on HIPAA, FACTA, medical confidentiality, state identity theft and privacy and other many other related matters. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. To review some of her many publications and presentations, or for additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.

For More Information

We hope that this information is useful to you. You can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources. If you or someone else you know would like to receive future updates and notices about other upcoming Solutions Law Press events, please be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. For important information concerning this communication click here. .

Leave a Comment » | Corporate Compliance, Electronic Health Records, Electronic Medical Records, FACTA, Federal Sentencing Guidelines, Health Care, Health IT, HIPAA, HITECH Act | Tagged: FACTA, H.R. 6420, Health Care, HIPAA, Red Flag Program Clarification Act, Red Flag Rules, S. 3987 | Permalink
Posted by Cynthia Marcotte Stamer

DEA Cautions Practitioners Must Restrict Delegation of Controlled Substance Prescribing Functions, Urges Adoption of Written Policies & Agreements

November 2, 2010

Physicians, dentists, veterinarians, hospitals, and other persons prescribing or managing practitioners that prescribe controlled substances should require written agreements with staff and others communicating controlled substance prescriptions on their behalf and implement other suitable controls to ensure compliance with Drug Enforcement Administration requirements for prescribing controlled substances according to a new DEA Statement of Policy On Role of Authorized Agents in Communicating Controlled Substance Prescriptions To Pharmacies (Statement) published by the Department of Justice Drug Enforcement Administration (DEA) on October 6, 2010.

The Statement reflects that the DEA is concerned that about practitioners improperly delegating medical need determinations and other responsibilities for prescribing controlled substances. The Statement indicates that practitioners using agents to communicate controlled substance prescriptions should ensure that their delegations are appropriately documented by written agreements with the agents detailing the scope of their authority and implement background checks, monitoring, written and operational policies and procedures governing delegations and other controlled substance prescribing and other controls to appropriately comply with DEA controlled substance prescription mandates.

Under the Comprehensive Drug Abuse Prevention and Control Act of 1970 (CSA) and the Controlled Substances Import and Export Act (CSIEA) (21 U.S.C. 801-971), a valid prescription issued by a DEA-registered practitioner is required for dispensing a controlled substance. Existing rules prohibit DEA-registered practitioners from delegating their authority to prescribe controlled substances. To be effective (i.e., valid), a DEA-registered practitioner must issue the required prescription for a controlled substance for a legitimate medical purpose as determined by the practitioner acting in the usual course of professional practice. The registered practitioner actually must make the required determination of legitimate medical purpose underlying a controlled substance prescription. He cannot delegate responsibility for determining the legitimacy of the medical purpose for a controlled substance prescription or other core responsibilities.

While DEA rules prohibit a registered practitioner from delegating his core responsibilities pertaining to prescribing controlled substances to anyone else, DEA rules allow an individual practitioner to authorize an agent to perform a limited role in communicating controlled substance prescriptions to a pharmacy in order to make the prescription process more efficient. The ability to delegate these communication responsibilities is very restricted and requires that the practitioners apply appropriate controls to prevent delegation of core prescribing responsibilities.

In the Statement, the DEA cautions that DEA requires that DEA registered practitioners must be prepared to demonstrate that the registered practitioner alone makes all required medical determinations to prescribe the communicated controlled substances when delegating responsibility to communicate controlled substance prescriptions to pharmacies on their behalf to nurse or other person acting as the practitioner’s agent. The Statement warns that delegation must be limited to participation in the communication of the prescription in accordance with DEA requirements. The Statement urges practitioners allowing agents to participate in the communication of controlled substance prescriptions to make those delegations pursuant to written agreements with t he agent and to adopt other safeguards to maintain compliance with DEA rules. To learn more, see here

For More Information Or Assistance

If you need assistance reviewing or responding to the DEA prescribing guidance contained in the Statement or addressing other health care related risk management or compliance concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers and other health industry clients to establish and administer compliance and risk management policies and to respond to DEA and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here

Other Recent Developments

If you found this information of interest, you also may be interested in reviewing some of the following recent Updates available online by clicking on the article title:

For More Information

We hope that this information is useful to you. If you need assistance evaluating or responding to the Health Care Reform Law or health care compliance, risk management, transactional, operational, reimbursement, or public policy concerns, please contact the author of this update, Cynthia Marcotte Stamer, at (469) 767-8872, cstamer@Solutionslawyer.net.

You can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information here. To unsubscribe, e-mail here.

Leave a Comment » | Controlled Substances, Corporate Compliance, DEA, Doctor, Electronic Medical Records, Health Care, Health Care Provider, Health Care Quality, Hospital, Licensing, Medical Licensure, Medical Malpractice, Physician, Physician Licensing, Prescription Drugs, Substance Abuse | Tagged: Controlled Substances, DEA, Health Care, Physicians, practitioners, prescribing, prescriptions | Permalink
Posted by Cynthia Marcotte Stamer

HHS to Host Regional 11/18 Meeting in LA as Part of HITECH Act Psychotherapy Notes &Testing Data Study

October 19, 2010

The Substance Abuse and Mental Health Services Administration (SAMHSA) in cooperation with the Office for Civil Rights (OCR) is conducting a Confidentiality and Privacy Issues Related to Psychological Testing Data study pursuant to section 13424 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, a component of the American Recovery and Reinvestment Act (ARRA) (P.L. 111-5) to assess whether the HIPAA Privacy Rule’s special protections relating to the use and disclosure of psychotherapy notes should also be applied to “test data that is related to direct responses, scores, items, forms, protocols, manuals or other materials that are part of a mental health evaluation.”

As part of this study, SAMHSA is hosting public meetings to bring together professionals in the areas of mental health and privacy protection to discuss current practices and the policy implications surrounding this very important issue. The next regional public meeting will be held at the Sheraton Los Angeles Gateway Hotel in Los Angeles, California on November 18, 2010. The details of this meeting, as well as the project staff contact information, are contained in the embedded brochure below.

You can register for this meeting directly: here , or via the same announcement on OCR’s website here.

Other Recent Developments

If you found this information of interest, you also may be interested in reviewing some of the following recent Updates available online by clicking on the article title:

For More Information

Leave a Comment » | Doctor, Electronic Health Records, Electronic Medical Records, Health Care, Health IT, Health Plan, HIPAA, HITECH Act, Hospital, Hospital | Tagged: HIPAA, HITECH Act, Medical Confidentiality, Psychotheraphy Notes | Permalink
Posted by Cynthia Marcotte Stamer

Monday 9/13 Deadline To Comment Proposed HITECH Act HIPAA Privacy Rules; 9/14 Meeting Studies Proposed Changes

September 10, 2010

9/14 NTHCPA Meeting on Strategies for Managing HIPAA Privacy Compliance After The HITECH Act

Health care providers, payers, healthcare clearinghouses and their businesses associates (Covered Entities) face a Monday, September 13, 2010 deadline to comment on proposed changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Enforcement Rules proposed by the U.S. Department of Health & Human Services Office for Civil Rights (OCR) on July 8, 2010 in response to amendments enacted under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. If adopted as proposed, the more than 220 page Notice of Proposed Rulemaking (NPRM) will significantly tighten the requirements that existing Standards for Privacy of Individually Identifiable Health Information (Privacy Rule); the Security Standards for the Protection of Electronic Protected Health Information (Security Rule); and the rules pertaining to Compliance and Investigations, Imposition of Civil Money Penalties, and Procedures for Hearings (Enforcement Rule) applicable to Covered Entities under HIPAA. With the risks of HIPAA noncompliance highlighted by OCR’s August announcement that drugstore giant RiteAid would pay $1 million to settle OCR charges that it violated the existing HIPAA’s Privacy & Security Rules and considering , Covered Entities Learn more about Rite Aid Resolution Agreement here. Learn more about Breach Notification Rules here.

The North Texas Health Care Compliance Professionals Association invites health industry compliance professionals share and learn Strategies for Managing HIPAA Privacy Compliance After the HITECH Act by participating in its September 14, 2010 meeting from 11:30 a.m. – 1:30 p.m. hosted by Cynthia Marcotte Stamer, P.C., at One Hanover Park, 16633 North Dallas Parkway, 6^th Floor, Addison Room, Addison, Texas 75001.

The author of this update, attorney Cynthia Marcotte Stamer, has extensive experience advising and assisting health care providers and other health industry clients with HIPAA and other privacy and data security, reimbursement, compliance, public policy, regulatory, staffing, and other operations and risk management matters. Ms. Stamer also regularly conducts training on HIPAA and other health industry compliance, management and operations matters. You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

Other Recent Developments

If you found this information of interest, you also may be interested in reviewing some of the following recent Updates available online by clicking on the article title:

For More Information

Leave a Comment » | Doctor, Electronic Health Records, Electronic Medical Records, Federal Sentencing Guidelines, Genetic Information, GINA, Health Care, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Hospital, Physician, Privacy, Technology, Telemedicine | Tagged: Breach Notification, EPHI, Health Care, HIPAA, HIPAA Security, HITECH, PHI, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

Initial EHR Certification Bodies Named

August 30, 2010

The Office of the National Coordinator for Health Information Technology (ONC) today (August 30, 2010) named Certification Commission for Health Information Technology (CCHIT), Chicago, Ill. and the Drummond Group Inc. (DGI), Austin, Texas as the first technology review bodies authorized to test and certify electronic health record (EHR) systems for compliance with the standards and certification criteria that were issued by the U.S. Department of Health and Human Services earlier this year. The announcement comes less than two months after issuance of final meaningful use rules. Read more here.

For More Information or Assistance

If you need assistance responding to the EHR meaningful use, HITECH and other privacy, or other health industry regulatory, reimbursement or other operational or compliance concerns, please contact the author of this update, attorney Cynthia Marcotte Stamer. Ms. Stamer has extensive experience advising and assisting health care providers and other health industry clients with licensure, contracting, reimbursement, compliance, public policy, regulatory, staffing, and other operations and risk management matters. Ms. Stamer also regularly publishes and conducts training on these and other compliance, management and operations matters. You can contact Ms. Stamer to inquire about engaging her services or for information about training or other resources that she provides at (469) 767-8872 or via e-mail here. To get more information about Ms. Stamer and her health industry experience, see here.

Other Recent Developments

If you found this information of interest, you also may be interested in reviewing some of the following recent Updates available online by clicking on the article title:

About Solutions Law Press

Solutions Law Press™ provides health industry and other risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources available for review here. If you or someone else you know would like to receive future updates and notices about other upcoming Solutions Law Press events, please be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile at here. For important information concerning this communication click here.

Leave a Comment » | ARRA Funding, Doctor, Electronic Health Records, Electronic Medical Records, Evidence Based Medicine, Health Care, Health Care Finance, Health Care Quality, Health IT, Hospital, Meaningful Use, Medicaid, Medicare, Medicare Advantage, Physician | Permalink
Posted by Cynthia Marcotte Stamer

Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case As OCR Moves To Tighten Privacy Rules

August 3, 2010

One of the nation’s largest drug store chains, Rite Aid Corporation and its 40 affiliated entities (Rite Aid) will pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The U.S. Department of Health and Human Services (HHS) Office of Civil Rights announcement of the HIPAA resolution agreement with Rite Aid and the concurrent negotiation of a separate consent order of potential FTC Act violations between Rite Aid and the Federal Trade Commission (FTC) follows HHS’ announcement of proposed changes to its HIPAA Privacy Rules and associated penalties in response to changes enacted under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). The Rite Aid settlement and the proposed Privacy Rule changes illustrate the growing penalty risks that health care providers, health plans, healthcare clearinghouses and their business associates (Covered Entities) face for violating the Privacy Rules.

Rite Aid Resolution Agreement

The Rite Aid resolution agreements settle charges that Rite Aid failed to appropriately safeguard the privacy of its customers when disposing of identifying information on pill bottle labels and other health information. The settlements apply to all of Rite Aid’s nearly 4,800 retail pharmacies and follow an extensive joint investigation by the HHS Office for Civil Rights (OCR) and the FTC.

OCR opened its investigation of Rite Aid after television media videotaped incidents in which pharmacies were shown to have disposed of prescriptions and labeled pill bottles containing individuals’ identifiable information in industrial trash containers that were accessible to the public in a variety of Rite Aid locations in cities across the United States. OCR and FTC previously settled a similar case involving the national drug store chain CVS in February 2009.

The HIPAA Privacy Rule requires covered entities to safeguard the privacy of patient information and other “protected health information” including during its disposal. In addition to the detailed requirements for protection and safeguarding of protected health information and electronic protected health information under the Privacy Rules, breach notification rules added to HIPAA under the HITECH Act also generally require that Covered Entities investigate and provide timely notification of breach to patients, OCR and in some cases the media when “unsecured protected heath information” is breached. Meanwhile, the FTC Act and associated regulations require those retailers and certain other parties receiving personal financial information to comply with certain requirements for the protection and use of that information and to provide certain notifications of their privacy polices for protecting personal financial information.

The joint OCR and the FTC investigations raised concerns that:

Rite Aid failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process;
Rite Aid failed to adequately train employees on how to dispose of such information properly; and
Rite Aid did not maintain a sanctions policy for members of its workforce who failed to properly dispose of patient information.

Under the HHS resolution agreement, Rite Aid agreed to pay a $1 million resolution amount to HHS and must implement a strong corrective action program under which Rite Aid agreed to:

Revise and distribute its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;
Train workforce members on these new requirements;
Conduct internal monitoring; and
Engage a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.

In addition, under its FTC consent order, Rite Aid separately agreed to external, independent assessments of its pharmacy stores’ compliance with the FTC consent order.

The HHS corrective action plan will be in place for three years; the FTC order will be in place for 20 years.

Proposed Privacy Rule Changes

The Rite Aid resolution agreement and consent order follows the July 8, 2010 publication by OCR of proposed changes to its existing HIPAA Privacy, Security, and Enforcement Rules in response to amendments enacted under the HITECH Act. Because of the lead time required to implement needed changes in policies, technology and training, Covered Entities need to begin preparations to adjust their health information privacy and data security policies and practices in anticipation of the finalization and implementation of these rules as well as to act quickly to submit their comments about the proposed changes. .

The more than 220 page Notice of Proposed Rulemaking (NPRM) proposes to revise the existing Standards for Privacy of Individually Identifiable Health Information (Privacy Rule); the Security Standards for the Protection of Electronic Protected Health Information (Security Rule); and the rules pertaining to Compliance and Investigations, Imposition of Civil Money Penalties, and Procedures for Hearings (Enforcement Rule) issued under HIPAA.

The author of this update, attorney Cynthia Marcotte Stamer, has extensive experience advising and assisting health care providers and other health industry clients with HIPAA and other privacy and data security, reimbursement, compliance, public policy, regulatory, staffing, and other operations and risk management matters. Ms. Stamer also is regularly conducts training on HIPAA and other health industry compliance, management and operations matters. You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

Other Recent Developments

If you found this information of interest, you also may be interested in reviewing some of the following recent Updates available online by clicking on the article title:

For More Information

Leave a Comment » | Affordable Care Act, American's Affordable Health Choices Act, Doctor, E-Prescribing, Electronic Medical Records, Employer, FACTA, Health Care, Health Care Reform, Health Plan, Health Plans, HIPAA, HITECH Act, Hospital, Hospital, Indian Health, Inpatient Rehabilitation Facility, Laws, Meaningful Use, Medicare, Medicare Advantage, Medicare Prescription Drug Program, OCR, Pharmacy, Prescription Drugs, Technology, Telemedicine | Tagged: Breach Notification, Data Security, FACTA, FTC, HIPAA, HITECH, Privacy, Security | Permalink
Posted by Cynthia Marcotte Stamer

Office of Civil Rights Proposes Changes To HIPAA Privacy, Security & Civil Sanctions Rules

July 9, 2010

Stay Tuned To Solutions Law Press For More Details

Get ready for even tighter privacy and security rules and more enforcement! The U.S. Department of Health & Human Services Office for Civil Rights (OCR) on July 8, 2010 proposed changes to its existing Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Enforcement Rules in response to amendments enacted under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. Because of the lead time required to implement needed changes in policies, technology and training, health care providers, health plans, healthcare clearinghouses and their business associates should evaluate and begin preparations to adjust their health information privacy and data security policies and practices in anticipation of the finalization and implementation of these rules.

Solutions Law Press is finalizing arrangements to host a briefing on the proposed changes in August and planning more detailed updates on these developments. Stay tuned to Solutions Law Press for additional updates and details about a future briefing on these proposed HIPAA changes and other developments affecting HIPAA and other health plan and human resources matters. In the meanwhile, you may want to check out other existing Solutions Law Press updates and resources about HITECH Act and other HIPAA developments such as HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website.

The author of this update, attorney Cynthia Marcotte Stamer, has extensive experience advising and assisting health care providers and other health industry clients with HIPAA and other privacy and data security, reimbursement, compliance, public policy, regulatory, staffing, and other operations and risk management matters. You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

Other Recent Developments

If you found this information of interest, you also may be interested in reviewing some of the following recent Updates available online by clicking on the article title:

For More Information

Leave a Comment » | Corporate Compliance, Doctor, Electronic Health Records, Electronic Medical Records, Employer, FACTA, Federal Sentencing Guidelines, Genetic Information, GINA, Health Care, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Hospital, Hospital, Indian Health, OCR, Physician, Technology | Tagged: Data Breach, Data Securty, Health Care Provider, Health Plans, Healthcare Clearinghouse, HIPAA, OCR, Protected Health Information | Permalink
Posted by Cynthia Marcotte Stamer

NCPDP SCRIPT 10.6 Approved As Medicare Part D/Advantage E-Prescribing Option

July 1, 2010

The Centers for Medicare & Medicaid Services (CMS) today (July 1, 2010) issued an interim final rule (Rule) that permits the voluntary use of the National Council for the Prescription Drug Programs (NCPDP) Prescriber/Pharmacist Interface SCRIPT standard, Implementation Guide, Version 10, Release 6 (Version 10.6) (NCPDP SCRIPT 10.6) for conducting certain e-prescribing transactions for the Medicare Part D electronic prescription drug program. Review the Rule here.

Prior to the adoption the Rule, only NCPDP SCRIPT 8.1 was authorized for use in communicating Medicare Part D medication history among sponsors, prescribers and dispensers. The Rule revises Regulation §423.160(b)(4) to specify that entities now may use either NCPDP SCRIPT 10.6 or 8.1 for the communication of Medicare Part D medication history among sponsors, prescribers, and dispensers.

Along with the rule, CMS issued a request for comments on the Rule. The deadline for interested parties to comment is 5 p.m. Eastern Daylight Time on August 30, 2010.

Section 101 of the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) (Pub. L. 108-173) requires that Prescription Drug Plan (PDP) sponsors, Medicare Advantage (MA) organizations offering Medicare Advantage-Prescription Drug Plans and other Medicare Part D sponsors (Plans) provide for electronic transmittal the prescribing provider, dispensing pharmacy and the dispenser of information about:

Eligibility,
Benefits (including drugs included in the applicable formulary, any tiered formulary structure and any requirements for prior authorization),
The drug being prescribed or dispensed and other drugs listed in the medication history,
The availability of lower cost, therapeutically appropriate alternatives (if any) for the drug prescribed, and
Certain other information.

Before the Rule, CMS had approved NCPDP SCRIPT 8.1 for conducting these electronic transmittals.

As a consequence of the Rule, Plans, prescribers and dispensers now may use either NCPDP SCRIPT 10.6 or 8.1 when conducting e-Prescribing to conduct:

Get message transaction.
Status response transaction.
Error response transaction.
New prescription transaction.
Prescription change request transaction.
Prescription change response transaction.
Refill prescription request transaction.
Refill prescription response transaction.
Verification transaction.
Password change transaction.
Cancel prescription request transaction.
Cancel prescription response transaction.
Fill status notification transaction.
For the communication of Medicare Part D medication history among sponsors, prescribers, and dispensers.

The MMD does not require that prescribers or dispensers implement e-Prescribing, prescribers and dispensers who electronically transmit prescription and certain other prescription-related information for Medicare Part D covered drugs prescribed for Medicare Part D eligible individuals, directly or through an intermediary, must comply with any applicable final standards that are in effect. The Rule provides new choices on how to accomplish this.

The author of this update, attorney Cynthia Marcotte Stamer, has extensive experience advising and assisting health care providers and other health industry clients with reimbursement, compliance, public policy, regulatory, staffing, and other operations and risk management matters. You can get more information about her health industry experience here. If you need help with these or other compliance concerns, wish to ask about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

Other Recent Developments

If you found this information of interest, you also may be interested in reviewing some of the following recent Updates available online by clicking on the article title:

For More Information

Leave a Comment » | Controlled Substances, DEA, Doctor, Electronic Health Records, Electronic Medical Records, Health Care, Health Care Provider, Health IT, Health Plan, Health Plans, Hospital, Hospital, Meaningful Use, Medicare, Medicare Advantage, Pharmacy, Physician, Prescription Drugs, Privacy, Reimbursement, Telemedicine | Tagged: E-Prescribing, Health Care, Health Plans, Medicare Advantage, Medicare Part D NCPDP SCRIPTI, Payers, Physicians, Providers | Permalink
Posted by Cynthia Marcotte Stamer

DEA/DOJ Release Interim Final E-Prescribing Rules

March 25, 2010

Health care providers wishing to electronically prescribe controlled substance should begin reviewing and updating their practices and technology to comply with requirements of the Interim Final Regulations scheduled for publication in the Federal Register on March 31, 2010. Read details at http://wp.me/ptOGJ-94

An advance copy of the new Interim Final Regulation with Request for Comments released March 24, 2010 by the Drug Enforcement Administration (DEA) and Department of Justice on Electronic Prescribing of Controlled Substance on is posted for review here.

Concurrent with publication of the Interim Final Rule, the DEA is inviting comment on DEA is seeking additional comments on the following issues: identity proofing, access control, authentication, biometric subsystems and testing of those subsystems, internal audit trails for electronic prescription applications, and third-party auditors and certification organizations.

About The Author

If you need assistance with health industry human resources or other management, concerns, wish to inquire about compliance, risk management or training, or need legal representation on other matters please contact Cynthia Marcotte Stamer at cstamer@solutionslawyer.net or (469) 767-8872.

Nationally and internationally recognized for more than 22 years of work with health industry technology, privacy and data security, regulatory compliance, reimbursement, workforce and staffing, licensure and accreditation, and other quality, risk management, operations and public policy matters organizations, publications, workshops and presentations and leadership Cynthia Marcotte Stamer has worked extensively with physicians, health systems, specialty and other pharmacy, telemedicine and other health technology, and other health industry clients on a diverse range of operational, product and process development, regulatory, licensure, public policy and risk management protections relating to e-prescribing, telemedicine, interoperable and other electronic health and medicine arrangements and other health care internal controls, process and privacy and technology matters. The publisher of the Solutions Law Press Health Care Update, and Solutions Law Press Health Care Privacy & Technology Update, Ms. Stamer also is a popular speaker and author of these and other health industry topics. She regularly publishes, speaks and conducts training for health industry and other organizations, the ABA, American Health Lawyers Association (AHLA), Health Care Compliance Association, Institute of Internal Auditors, various medical society and other professional organizations, the Medical Group Management Association, and many other organizations. Her many publications and programs include“Changing Regulations Will Ease Way for E-Prescribing, But Physicians Shouldn’t Jump the Gun,” “Telemedicine, E-Prescribing & Electronic Health Records: Opportunities & Exposures,” “Telemedicine & E-Prescribing: Evolving Ethical, Licensing & Reimbursement Rules & Realities,” the “Tort & Other Liability” Chapter of the ABA Health Law Section/BNA E-Health & Technology Treatise, “Protecting & Using Patient Data in Disease Management Opportunities, Liabilities and Prescriptions,” Chapter 1: Privacy.” The Quest for Interoperable Electronic Health Records: A Guide to Legal Issues in Establishing Health Information Networks (AHLA 2005) (Contributing Author), “Cybercrime and Identity Theft: Health Information Security beyond HIPAA,” “Privacy & Securities Standards-A Brief Nutshell” and numerous other programs and publications on telemedicine and e-prescribing, HIPAA and other privacy and data security, and other related internal controls and operational matters. Publishers of her many highly regarded writings on health industry and human resources matters include the Bureau of National Affairs, Aspen Publishers, ABA, AHLA, Spencer Publications, World At Work, SHRM, Business Insurance, James Publishing and many others. You can review other highlights of Ms. Stamer’s health care experience here, and employment experience here. Her insights on these and other matters appear in Managed Care Executive, Modern Health Care, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, MDNews, Kentucky Physician, and many other national and local publications.

Other Resources

If you found this information of interest, you also may be interested in reviewing other updates and publications by Ms. Stamer including:

For More Information

We hope that this information is useful to you. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information here. To unsubscribe, e-mail here.

Leave a Comment » | Centers For Disease Control, Controlled Substances, Corporate Compliance, DEA, Doctor, E-Prescribing, Electronic Health Records, Electronic Medical Records, false claims act, FDA, Federal Sentencing Guidelines, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Reform, Health IT, HIPAA, HITECH Act, Hospital, Licensing, Meaningful Use, Medicaid, Medical Licensure, Medicare, Medicare Advantage, Medicare Prescription Drug Program, Pharmacy, Physician, Physician Licensing, Prescription Drugs, Privacy, Reimbursement, Telemedicine | Tagged: Controlled Substances, DEA, E-Prescribing, Health IT, Health Technology, HIPAA, HITECH Act, Meaningful Use, Telemedicine | Permalink
Posted by Cynthia Marcotte Stamer

Share this:

HIPAA Update: The Latest On Security, Patient Access & Other HIPAA Developments

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Partnership Expands Use & Reach of New Affordable Care Act & Other Health Care Fraud Detection & Enforcement Tools & Collaboration

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Health Care Providers Should Strengthen HIPAA Compliance & Defenses As Risks Rise

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Recent Posts

Archives

About Cynthia Marcotte Stamer

Share this blog

Archives

Solutions Law Press Health Care Update