Ancillary Medical Services: Stark Law and Ethical Issues

There are three ways a person can pay for health services: 1.) out of pocket; 2.) private health plans; and 3.) government health plans. Physicians normally earn a living either providing professional services for the care and treatment of patients, or through investment and/or ownership of what are termed “ancillary services.”

Physician-owned pharmacies, imaging centers, and diagnostic laboratories, for example, would be considered “ancillary services.” Although the rules relating to ancillary services are maddeningly complex, there are certain general concepts which must be understood. First, you must never accept a “finder’s fee” for referring a patient to anyone, regardless of ownership. Patients have a right to expect the referral is based upon medical necessity and to the best provider, not the “highest bidder.” That said, let’s examine rules that apply to the referral of a patient for ancillary services, where you also own some interest.

Patient out-of-pocket (where the patient is solely responsible and pays out of pocket for an ancillary service) rules are least restrictive, but they are important. Generally, the AMA Code of Medical Ethics sets the standard. Historically, the AMA took a conservative and restrictive stance on the ability of physicians to earn income from ancillary services. This view was formed in the days when physicians were paid full value for professional services. The modern reality is the government deliberately employs “cost shifting,” (underpaying with the expectation the physician will make up the losses somewhere else). In cases strictly involving patient out-of-pocket payments (no government or private insurance involvement) the potential for a conflict of interest is still present where a physician refers a patient to an outside facility which the physician also owns. AMA Ethics opinion 8.032 states:

“Physicians should disclose their investment interest to their patients when making a referral, provide a list of effective alternative facilities if they are available, inform their patients that they have free choice to obtain the medical services elsewhere, and assure their patients that they will not be treated differently if they do not choose the physician-owned facility.”

Private health plans (including “self-funded” health plans) have the second- least restrictive set of rules. These private-pay restrictions may mirror Stark Law or the Anti-kickback Statute, and will either be set forth in a provider agreement, or in a claims processing manual; compliance with which the physician may be asked to certify. It is therefore important to know the contents of any contracts or manual provisions with which you may be required to certify agreement or compliance. Private insurance companies possess a greater awareness of AMA Ethics provisions than the average patient. With increasing regularity, private insurance companies have demonstrated a willingness to resort to ethics complaints before state medical board in an effort to recoup what they consider to be overpayments. With private insurance, the greater concern of an adverse event comes where the physician has promised to behave in one manner, but experience shows, the provider did something differently.

Government regulations are the most restrictive. Stark Law and the Anti-kickback Statute provide very detailed “safe harbor” rules which must be followed. For example, Stark Law may require the physician to not only notify the patient of ownership, but provide the names of five different alternative ancillary service providers of a Designated Health Service from which the patient may choose. The five main government rules and regulations are Stark Law, the Anti-kickback Statute, the False Claims Act, the Civil Monetary Penalties Statute, and the Exclusionary Statutes. Stark Law and the Anti-kickback Statute are based loosely upon AMA Ethics Opinions 6.02-04 (fee splitting) and 8.032 (conflicts of interest.) The False Claims Act also contains “whistleblower” provisions which aid the government in finding out about secret relationships which may violate Stark Law or the Anti-kickback Statute.

Finally, a number of states have adopted statutes which must be considered. The Texas Illegal Remuneration Act mirrors the federal anti-kickback prohibition but expands it to cover items and services reimbursed by any insurance payer (including self-funded payers), rather than just state- and federally funded health plans.

Today, more than ever, physicians are being presented with opportunities to invest in ancillary service providers. Even a small, minority stake in one of these may disqualify you from the ability to refer patients to the facility, and subject you to massive fines and possible criminal prosecution. Even the best business lawyers know very little about Stark Law. Before signing any agreement, find a healthcare lawyer through your state bar association to help you.

Read Article on Physicians Practice

The Real Reason for the Medicare Crisis

The term “scapegoat” can be found as far back as Leviticus, and the Pharmakós of ancient Greece. The abuse heaped upon physicians over Medicare shortfalls calls to mind the moment in the Oscar-winning “Good Will Hunting,” when the teacher played by Robin Williams’ reassures Matt Damon’s character about years of abuse, “It’s not your fault.”

This is the one message I would like to convey to physicians: the Medicare crisis isn’t your fault. It isn’t Stark Law violations or failure to properly chart or code. It isn’t physician-owned surgery centers. The fact is, Medicare has always been unsustainable. This fact simply can’t be swept under the rug any longer.

Congress, who brought us the “bridge to nowhere” has always been known for stupid spending decisions. The Medicare program on the other hand, was an altogether different animal. Congress didn’t promise to fund one bridge, one time. Medicare’s promise was to provide medical care for everyone over the age of 65, funded out of the U.S. Treasury, throughout the rest of time. Medicare is failing for several of reasons:

Globalization
The rate of medical inflation is often compared to the overall rate of inflation to illustrate that fees charged by the medical profession are out of control. But there are two numbers here. In a robust economy, the cost of everything else should have increased along with medical innovation. But it didn’t.  In 1965, we earned eight times more than workers in other countries, because we were the only ones able to manufacture anything. Europe, Japan, and much of Asia during WWII had been blown back to the Stone Age. Eventually, these countries would find their footing, and this would lead to natural overall deflation. But in healthcare, we still are the only innovators.

The Moral Hazard
A “moral hazard,” in insurance parlance, exists any time the presence of insurance creates the motive for the beneficiary to use the benefits. This is a fatal defect in any insurance program. Congress figured spending would increase, but underestimated “how much.” Spending doubled, then tripled, and it simply kept going up. This is to say, how much we usedskyrocketed, as opposed to the actual price of each unit.

The Medical Arms Race
If utilization weren’t enough of a problem, costs per visit also skyrocketed. Simply put, a free market that should have controlled pricesdidn’t.  As Maggie Mahar explained in “Money Driven Medicine (Harper –Collins, 2006), when the customer isn’t paying the bill, he naturally has no incentive to choose the least expensive facility. Instead, patients are driven by amenities or the facility which most resembles a five-star hotel.  Hospitals and physicians had to buy the newest gadget, even though old one worked just fine.

Advertising

“Are you tired after working a shift? You may have work shift disorder.” “Does your back hurt after lifting things. You may have ankylosing spondylitis.” “Do you want a free scooter? They are available at little or no cost to you.” Much has been written about the efforts of Madison Avenue to convince Americans they are sick. “Ask your doctor” if there is a pill for you, hides the fact that many patients will not only ask their doctor, they will keep asking until someone gives them a prescription. See, Payer, Lynn, “Disease Mongers,” John Wiley & Sons, 1992

None of these reasons has anything to do with Stark Law violations or unethical behavior. Scapegoating occurs because it is easier to cast blame, that to explain what is really going on.

Read Article on Physicians Practice

Five Key Areas of the New HIPAA Rules for Physicians

“The most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.”

That’s how HHS Office for Civil Rights (OCR) Director Leon Rodriguez described the recent HIPAA “Omnibus” Rule. But at 163 three-column pages, reading the rule and associated commentary that was published on January 25 is a daunting task.  So I asked San Diego health lawyer, Martha Ann (Marty) Knutson to share her knowledge accumulated over two decades as a trial lawyer, general counsel and healthcare compliance officer.

MM: What are the most salient points you take out of the New HIPAA Rules ?

MK: First is the definition of “business associates.”

Figuring out who is a HIPAA “business associate” (BA) is a particularly challenging because the “rules” exist partly in the regulation text and partly in the voluminous commentaries and other materials that the OCR has produced to explain the concept – which it created in the first place. For example, this time OCR added a word – “maintains” – to the definition of who is a BA. This addition was apparently in response to an argument from record storage companies that they were not BAs but “mere conduits” of information similar to FedEx or the Postal Service; not actually “creating, receiving, or transmitting” protected health information (PHI). But the “conduit” concept is nowhere in the regulation – only in OCR interpretations of it.

The basic characteristics of BA status have survived the rule-making: (a) a non-employee; (b) performing work on “on behalf” of a covered entity; and (c) where the “function or activity” involves “creating, receiving, maintaining, or transmitting.” Potential BAs that perform a substantial part of their work within a physician office, for example a contracted physical therapist, may be treated as “workforce” and simply trained rather than signing a formal “business associate” agreement.

Typical BAs in a physician office practice include: the answering service, any vendors involved in creating or maintaining the practice’s medical records, the billing service, practice management consultants, and attorneys (if they need access to PHI). The rule imposes additional responsibilities on physicians for the missteps of their BA contractors; it’s not enough to simply have a BA contract. Physicians are expected to use “reasonable diligence” in selecting and monitoring the actions of their “agents.”  Physicians can also expect some push back from potential BAs because the rule now makes BAs and their subcontractors directly responsible for compliance.

But many other vendors and businesses still are not BAs: including the cleaning service, the copy repairperson, couriers, and banks. Physicians need to use “reasonable diligence” in limiting the PHI that any of these individuals may encounter, but do not need to enter into written BA agreements with them.

MM: What about changes to Notices of Privacy Practices (NPP)?

MK:  The rule requires that certain statements be added into the practice NPP related to, as applicable, marketing, fundraising, psychotherapy notes, a new right to limit disclosures related to services that the patient pays for in full, and notifications of privacy breaches. Physicians must post the revised NPP in their office and make copies available there, but need not mail a copy of the revised notice to each patient.

MM: I understand there are new marketing limitations?

MK: Third-party funded marketing for products and services can no longer be directed to patients without their prior written authorization. This prohibition does not include face-to-face communications / recommendations or distribution of promotional gifts (even if subsidized) of “nominal” value. Physicians can market their own facilities and services – without prior authorization – to their patients, even when the communication is funded by a third party, but acknowledging that assistance would be prohibited without a prior authorization from the patient.

MM: What about copies of the EHR?

MK: One challenging part of the rule is its creation of a patient right to receive a “machine readable” copy of portions of the EHR related to him / her. Although physicians can charge the actual costs of responding to such a request, standard “retrieval” costs are prohibited. Now would be a good time to figure out practically how to do this, because the response time has been narrowed to 30 days (and some state laws require even faster responses.)

MM: When do the new rules take effect?

MK:  The “effective date” of the rule is March 26, 2013 but OCR has also granted a six-month period for physicians to get into compliance with the new requirements, so the “compliance date” is September 22, 2013.  Some existing BA agreements may also qualify for a “grandfathering” period for up to 12 months past that.

Read Article on Physicians Practice

Code Correctly to Avoid RAC Audits at Your Practice

On December 17, 2012 CMS published “Medicare Fee-For-Service Recovery Audit Myths.”  Try as I might, more eloquent words cannot better describe my thoughts, than the two-word colloquium preferred by my 13-year-old: “Defensive much?”

The “myths” sought to be debunked are (in no particular order):

1. RACs deny every claim that they review.

2. Every RAC denial is overturned on appeal

3. RACs have non-clinicians conduct review of medical records

4. RACs create their own policies and are not bound by CMS regulations

5. RACs can review as many claims as they want from a provider

6. RACs don’t have physicians on staff

7. RACs do not tell anyone what they are reviewing

8. RACs outsource all the medical review to staff in India and the Philippines.

Twenty-five years of trial experience have taught me many lessons about the art of persuasion. Chief among these is a simple rule: “Hostile” audiences will usually disregard the “negation” of any declarative statement. (“We are [not] out to get you,” will generally only serve to validate an unreceptive audience’s suspicion.)  I could only ponder what might motivate CMS to produce this “RAC Apologist’s Manifesto.” Unlike John Adams’ explanation for his defense of the British soldiers accused of the Boston Massacre (“somebody had to do it,”) I can’t begin to imagine what CMS hoped to accomplish. 

CMS’ argument, (RAC auditors aren’t incompetent buffoons,) not only begs to mind the obverse inference, acceptance of the premise ignores Office of the Inspector General’s (OIG’s) Regional Inspector General Ann Maxwell’s congressional testimony six months prior which directly criticized Medicaid Auditors misidentification in all but 25 of 113,378 files reviewed (auditors were wrong in 113,353 out of 113,378 cases)-because the auditors don’t know what they are doing.

The years have also taught me an additional lesson: It is a good idea to spend less time marveling how clumsily an overwhelming enemy wields its sword, when time could be better spent “getting out of the way of the strike’s thrust.”  

So I called my friend, Mary Pat Whaley, a coding expert with Manage My Practice, LLC, based in Durham, N.C., who agreed to share some of her insights.

MM: What can physicians do to minimize the chances of an unfavorable audit?

MW: There are a number of things physicians can do immediately to reduce risk of adverse audits:

First:Clear up the confusion over midlevel providers (MLPs)

Most practices use nurse practitioners or physician assistants to provide care to patients.
Few are sure, however, of the rules surrounding billing for MLPs. There’s a good reason for this; most payers, including Medicare, have individual guidelines for reimbursing MLPs.

Second:At least annually, internally audit your coding/billing department,
your billing service or third-party vendor.

Maybe you’ve had turnover in your coding or billing department, or maybe you wonder if your billing service is doing everything exactly right. If you have coders (in-house or third-party) assigning/abstracting codes from your medical records, they should be audited annually to make sure you are protected. Top-notch coders and billers will welcome an opportunity to have their work audited, and if your coders, billers, billing service, or third-party vendors are defensive about an audit, it should make you wonder why. The good news is that one of the best risk management strategies you can have is a solid coding and billing compliance plan, and an important part of the plan is the annual audit. You will find it difficult to protect yourself against compliance issues if you do not perform annual monitoring and auditing as required by the OIG.

Third: Do not assume either newly hired physicians, or seasoned veterans understand and are properly trained as to CMS’ current expectations.

Many physicians come out of residency with little or no coding or documentation experience. Often, veteran physicians with a great deal of practical experience are not current on CMS’ ever-expanding expectations. New physicians and all new hires, regardless of practical experience, should have initial education on coding and documentation and should be audited when they have been seeing patients for four to six weeks.

Fourth: Proper training and regular outside auditing is an excellent defense against the dual hazards of over- and undercoding.

I find that many of my clients are so fearful of the consequences of “overcoding,” they needlessly sell themselves short. The truth is, “overcoding” and “undercoding”  are like navigating between “Scylla and Charybdis.” Overcoding certainly carries the danger of a devastating audit, but conversely, your practice cannot survive if you are not charging appropriately for what you do. This is where an outside coding consultant can help.

…While no amount of diligence or experience can guarantee a clean bill of health, it is important to realize the RAC audit program is so new, many RAC auditors are learning as they go. An experienced independent coding consultant with years of experience may be able to explain with greater certainty and conviction exactly what CMS manuals require.

Read Article on Physicians Practice

HIPAA Highlights: Interpreting the New Rule Modifications

Editor’s Note: This is the first in a five-part series on modifications to HIPAA recently unveiled by HHS on January 17, 2013.

For non-lawyers and lawyers alike, scrolling through over 500 pages of regulations can be daunting to say the least (See the most recent modifications to HIPAA rules by the federal government, released on January 17, 2012). Because of the sheer magnitude, subtleties may easily be overlooked. One must approach the reading and possible interpretation like that of a contract. Reading the HITECH Act/HIPAA Final Rules requires physicians to consider not only a single item, but also other items in the same text, court opinions, and related laws to get the full picture.

Typically, courts look to the “four corners” of the document when determining the meaning of a particular provision. Depending on the state law, extrinsic evidence may be considered. Crucially, when a court, attorney, or sophisticated business person reads a contract, they look for internal definitions, as well as to other portions of the document to determine a meaning. Hence, merely looking at one segment of the entire document may not give the full picture. As a result, the parties to the contract may end up litigating over the particular terms.

Likewise, the reading of the recent HITECH Act/HIPAA Final Rules [78 Fed. Reg. 5566 (Jan. 25, 2013)], which include the application of various provisions set forth in the HITECH Act, should be approached in a similar manner. When reading laws and regulations for their meaning, one should always consider the doctrine of in pari materia.

Literally translated, the Latin phrase in pari materia means “on the same subject.” Black’s Law Dictionary 807 (8th ed. 2004). The doctrine of in pari materia is a rule of statutory construction providing “that statutes that are in pari materia may be construed together, so that inconsistencies in one statute may be resolved by looking at another statute on the same subject.” Id. The Texas Court of Criminal Appeals has recently described the doctrine of in pari materia:

It is a settled rule of statutory interpretation that statutes that deal with the same general subject, have the same general purpose, or relate to the same person or thing or class of persons or things, are considered to be in pari materia though they contain no reference to one another, and though they were passed at different times or at different sessions of the legislature.
(Azeez v. State, 248 S.W.3d 182, 191 (Tex. Crim. App. 2008)).

The doctrine of in pari materia, unlike the “four-corners” approach to reviewing a contract, should be considered in two ways: 1.) reading different parts of the same law or regulation to determine a meaning; and 2.) reading two separate but related laws or regulations. A common example would be reading the Stark Laws in tandem with the Antikickback Laws. (Martin Merritt, Compliance Tips for Your Medical Practice ). But, there is one caveat. In contract law, a person may argue that the contract is a “contract of adhesion” — that is, a contract is so imbalanced in favor of one party over the other that it was not fairly bargained for. A common example is provisions that are buried, slanted, or print that is so small that a reasonable person would not consider it. Often, the opposing party is not in a position to bargain. In relation to the HITECH Act/HIPAA Final Rules, the government and the making of laws and regulations diverges. In reality, the government did consult those potentially impacted when it called for comments in accordance with the Administrative Procedure Act (P.L. 79-404, 60 Stat. 237).

Let’s apply an example from the HITECH Act/HIPAA Final Rules. Section 164.308 has been interpreted to mean that both the interim final rule and final rule imposed administrative safeguards compliance on business associates and their subcontractors. And, business associates and not covered entities are responsible for business associate subcontractor compliance. Reading this alone can be interpreted to mean that the actions of a business associate’s subcontractor will have no impact on the covered entities liability.

Now, read Sections164.314 (breach reporting requirements), 160.300 (imposition of direct monetary penalties on business associates), and 160.402 (explanation of the agency relationship between covered entities, business associates and subcontractors) in relation to 164.308. Moreover, when a recent United States District Court opinion (United States ex rel. Spray v. CVS Caremark Corp., 2:09-cv-04672 (E.D.PA Dec. 20, 2012)) is considered that upheld the nexus in liability between a covered entity and a subcontractor in relation to Medicare Part D claims submissions and the False Claims Act, covered entities can suffer consequences for not doing adequate due diligence and requesting substantiated assurances on a business associate’s subcontractor compliance.

Therefore, physicians should pay close attention not only to the correlation between the various provisions contained within the HITECH Act/HIPAA Final Rules but, also, current case law and other law. In doing so, along with coordinating with counsel, physicians may mitigate both their immediate and long-term liability risk.

Read Article on Physicians Practice

The New Sunshine Act Regulations for Physicians

The long-awaited “Sunshine Act” regulations for physicians are out.  Included in Section 6002 of the Affordable Care Act, the Sunshine Act has been a part of federal law since March 23, 2010. It took three years for CMS to formulate a final 285-page rule, effective 60 days from publication in the Federal Register, currently set for publication February 8, 2013.

This final rule will require applicable manufacturers of drugs, devices, biologicals, or medical supplies covered by Medicare, Medicaid, or the Children’s Health Insurance Program (CHIP) to report annually to the HHS secretary certain payments or transfers of value provided to physicians or teaching hospitals (“covered recipients”).

Although “transparency” is the stated purpose, the title implies something more. “Sunlight (not simple transparency) is the “best disinfectant.” The phrase was made famous by U.S. Supreme Court Justice Louis Brandeis in a 1913 Harper’s Weekly article, “What Publicity Can Do.” Congress intended to put an end to a rotten practice, not merely make it more transparent.

“Disclosure brings about accountability, and accountability will strengthen the credibility of medical research, the marketing of ideas and, ultimately, the practice of medicine,” Sen. Chuck Grassley (R-Iowa), who co-authored the legislation, said in a statement. “The lack of transparency regarding payments made by the pharmaceutical and medical device community to physicians has created a culture that this law should begin to change substantially.”

This “culture” has to do with the way pharmaceutical and device manufacturers went about their business, which was detailed earlier this year in Practice Notes:

Stark Law and Gifts Sent to Your Medical Practice

Stark Law and Pharmaceutical Company Kickbacks

Stark Law, the AKS, and AMA Ethical Opinions on Drugs and Devices

When It is Legally Acceptable to Accept Gifts at Your Medical Practice

Agency rules have the same force as statutes, but because federal agencies do not hold hearings; the public is permitted to comment on the first draft. An agency will respond to public comments in the final rule (explaining why the comments, if any, were either included or rejected.) This public participation adds a considerable amount of length to the 285-page final Sunshine Act rule. Distilled to its bare bones:

1. Starting Aug. 1, 2013, drug and device companies will be required to gather data about payments, gifts, and other transfers of value given to physicians and teaching hospitals, including shares or ownership in a company. 

2. Manufacturers and group purchasing organizations will be responsible to report the data including physician ownership and investment interests to CMS by March 31, 2014. 

3. Payments to a “covered recipient” means: 1.) a physician, other than a physician who is an employee of an applicable manufacturer; or 2.) a teaching hospital.

4. Payment includes: consulting fees, compensation for services other than consulting, honoraria, gifts, entertainment, food, travel (including the specified destinations), education, research, charitable contribution, royalty or license, current or prospective ownership or investment interest, direct compensation for serving as faculty or as a speaker for a medical education program, grants, any other nature of the payment, or other transfer of value.

5. There is a de minimis provision of $10 per gift, or annual aggregate of $100 which do not need to be reported.

6. Discounts and rebates need not be reported.

7. Product samples are excluded from reporting.

8. Penalties for failure to report are $1,000 to $10,000 per payment which is not reported with an annual limit of $150,000, unless the payment is “knowingly” omitted, in which case the penalty shall be at least $10,000 with an annual limit of $1,000,000.

The over-all effect of the Sunshine Act on physician practices is simple. Under Stark Law a physician may not refer patients for designated health services (DHSs) including prescription drugs and devices, where the physician or a close family member has an ownership, or financial relationship. Under the Anti-Kickback Statute, a physician may not prescribe drugs or devices if the physician has been paid in cash or in kind, if one purpose of the payment was to influence referrals.

The Sunshine Act will make it much more difficult to conceal such payments by an industry which has had a storied history of such payments.

Read Article on Physicians Practice

Avoiding Obstruction of Justice in Healthcare Cases

This week I was having lunch with Sarah Wirskye, my friend and “go-to” white-collar defense lawyer, when the topic came up of “obstruction of Justice” in healthcare cases. Sarah agreed to share her experience with us in the following interview (Turns out, it’s not what you think.):

Merritt: “Obstruction of justice” is what cops threaten on Law & Order to get the witness to talk – right?

Wirskye: No. “Obstruction” in healthcare investigations usually means interfering with a government agency’s work in one of three categories: 1.) statements and actions toward the government; 2.) statements and actions toward third parties; and 3.) deleting, altering, or failing to produce documents. We are seeing a sharp rise in cases where the healthcare provider really didn’t think he or she was doing anything wrong.

Merritt: How can a person accidentally “obstruct justice?”

Wirskye: In the healthcare context, the offense does not involve what all of us would view as “obstruction” – for example, bribing a juror – but rather more obscure obstructive conduct. For example, an innocent misstatement, adding or removing helpful information in documents, or inadvertently failing to produce a responsive document may be viewed as obstruction by the government. Obstruction is usually easier for the government to prove than explaining complex healthcare fraud schemes to the jury. Martha Stewart’s trial is a great example of the force of the obstruction statutes. She was criminally convicted of obstruction for covering up actions, not the underlying crime.

Merritt: Are there special rules in the healthcare context?

Wirskye: In 1996, as a part of HIPAA, Congress added a new criminal statute which provides “[w]hoever willfully prevents, obstructs, misleads, delays or attempts to prevent, obstruct, mislead, or delay the communication of information or records relating to a violation of a federal health care offense to a criminal investigator shall be fined under this title or imprisoned not more than 5 years, or both.”

However prosecutors often use other obstruction statues which may be easier to prove. For example, section 1519, part of the Sarbanes-Oxley act, was highly controversial when enacted because it removes certain key proof burdens. Significantly, the government does not have to prove which specific “pending proceeding” the accused attempted to obstruct. Prosecutors must however, still establish the following: 1.) the accused knowingly directed the obstructive act to affect an issue or matter within the jurisdiction of any United States department or agency; and 2.) the accused acted at least “in relation to” or “in contemplation” of such issue or matter.

Merritt: Can you give us some examples?

Wirskye: There are three primary areas in which healthcare providers potentially violate the obstruction statutes:

Government Interviews of the Provider: While an intentional or blatant lie to an investigator is likely an easy obstruction case for the government to prove (if the other elements of the statute are satisfied), even an innocent misstatement may be construed as obstruction of justice.

Government Interviews of Third Parties: This sometimes occurs when a healthcare provider is under investigation, and he or she tells the employees not to talk about certain topics or not to talk to the government. I have seen cases in which the instruction to not speak to the government may be for the “protection of the employee” so the employee does not become “scared.” Again, these actions were characterized as obstruction by the government.

Documents: Destroying, failing to produce, or altering incriminating information in documents is a fairly easy obstruction case for the government to prove if the other elements of the statute are satisfied. However, merely “cleaning up the files” before production may be construed as obstruction of justice. You should never do this. In the event that any additional notes must be made (which I do not recommend), those notes should be dated with the present date so that it is clear this information was added after the document request. Finally, something as simple as deleting an e-mail may also be construed as obstruction.

Merritt: Any final thoughts?

Wirskye: Overall, if you are under administrative, civil, and certainly a criminal investigation, it is helpful to have counsel to guide you through the process of interacting with the government and potential witnesses so there are no allegations of obstruction.

Sarah Wirskye is a partner with the Dallas law firm of Meadows, Collier, Reed, Cousins, Crouch & Ungerman, L.L.P.

Read Article on Physicians Practice

Your Medical Practice Photocopier Could Be a HIPAA Liability Time Bomb

Digital photocopiers, scanners, and telefax machines are essential to modern medical office. They are also potential HIPAA liability time bombs. An investigative report by CBS News reveals that nearly every printer, copier, scanner and telefax machine built since 2002 contain hard drives which capture images of every document processed.

In order to see how widespread the problem might be, CBS followed John Juntunen, COO and founder of Digital Copier Security, in Sacramento, Calif., as he purchased four copiers based upon price and number of copies printed. In less than two hours, he bought four machines for about $300 each.

Using forensic software available for free on the Internet, he was able to download images captured from all four machines. Shockingly, one was from a New York insurance company and contained copies of medical records, including a diagnosis of cancer, blood test results and drug prescriptions.

The Federal Trade Commission, Bureau of Consumer Protection Business Center offers a publication, “Copier Data Security: A Guide for Businesses.” According to the FTC, when you buy or lease a copier, evaluate your options for securing the data on the device. Most manufacturers offer data security features with their copiers, either as standard equipment or as optional add-on kits. Typically, these features involve encryption and overwriting.

Encryption is the scrambling of data using a secret code that can be read only by particular software. Digital copiers that offer encryption encode the data stored on the hard drive so that it cannot be retrieved even if the hard drive is removed from the machine.

Overwriting – also known as file wiping or shredding – changes the values of the bits on the disk that make up a file by overwriting existing data with random characters. By overwriting the disk space that the file occupied, its traces are removed, and the file can’t be reconstructed as easily.

Depending on the copier, the overwriting feature may allow a user to overwrite after every job run, periodically to clean out the memory, or on a preset schedule. Users may be able to set the number of times data is overwritten. Generally, the more times the data is overwritten, the safer it is from being retrieved. However, for speed and convenience, some printers let you save documents (for example, a personnel leave slip) and print them straight from the printer hard drive without having to retrieve the file from your computer. For copiers that offer this feature, the memory is not overwritten with the rest of the memory. Users should be aware that these documents are still available.

Overwriting is different from deleting or reformatting. Deleting data or reformatting the hard drive doesn’t actually alter or remove the data, but rather alters how the hard drive finds the data and combines it to make files: The data remains and may be recovered through a variety of utility software programs.

Yet another layer of security that can be added involves the ability to lock the hard drives using a passcode; this means that the data is protected, even if the drive is removed from the machine.

While the website for HHS’ Office of Civil Rights, (which is responsible for HIPAA enforcement) does not contain a specific publication on the use of photocopiers in the medical setting, the site does provide a link to the above FTC publication under the reference title: “Safeguarding Electronic Protected Health Information on Digital Copiers.”  This indicates the OCR expects medical offices to educate themselves about the potential hazards and risks posed by modern photocopier hard drives.

Read Article on Physicians Practice

Compliance Tips for Your Medical Practice

“Spring cleaning” is the perfect time to clean up your act at home. Professionally, in an era where healthcare compliance liability lurks around every corner and lax billing practices can cost you thousands, why not make a commitment to review your medical practice policies as the New Year begins?

It all starts with a list, and to help with this, I caught up with Angela Miller, CHC, CMC, president of Dallas-based, Medical Auditing Solutions LLC for some pointers.

“The start of the new year is time for a fresh start   – to be proactive and stay in compliance,” Miller says.  “Here are a few proactive tips I advise my clients follow, to prevent ‘headaches’ and ‘wallet aches’ later.”

1. A compliance program is required as of March 2013 by any provider including dental that bills Medicare, Medicaid, and/or programs funded by federal or state governments. “Compliance program” in these terms relates to HHS’ Office of the Inspector General’s (OIG) compliance guidance on billing, coding, contracts, and relationships which is now required under the Affordable Care Act. There are approximately 40 policies, that include screening all employees monthly against state and federal exclusion databases.

2. Ensure a healthcare attorney reviews any joint venture, employment work contracts, and possibly leases for potential Stark and Anti-Kickback violations. OIG will be reviewing contractual relationships as part of the compliance work plan.

3. HIPAA is more than the privacy notice provided to patients. All providers – no matter the insurance – must comply with HIPAA and the HITECH Act. The days of using the family member who dabbles in IT/computer work are over, unfortunately. HIPAA and HITECH cover the security of all protected health information (PHI) both paper and electronic, so you must have policies and procedures , a responsible party, and an external IT security audit at least annually.

4. The external audit company should have experience in healthcare or banking because the banks have had these security requirements for years. The penalties are too steep to risk this audit to just any IT company.

5. Now for the fun topic: cash flow management. Providers are concerned with getting business, but rarely inspect billing and collections until it is a crisis.

a. The mail must be opened daily. Medicare has response requirements and if you miss those, you can have your number revoked and might not get it back for two years.

b. Do not have the same person open mail, post cash, and make deposits.

c. Do not hire the cheapest billing person. Check references. Do not hire someone without physician billing experience. Ask them to code scenarios for you or quiz them on their knowledge. Too many medical practices end up in a cash crunch or in trouble because the billing person does not bill correctly. If the person bills incorrectly, because she is told to do so by the provider, take a cautionary note this will eventually come back to haunt the practice.

d. Ensure that your billing person keeps up with the billing rules/changes.

e. Ensure your staff known when it is appropriate to bill “incident-to” the physician and when to bill under the mid-level. This has been a huge audit item for Medicare and commercial plans.

f. Chart documentation will either help you or kill you. It must be legible by three people to be considered valid. The documentation must warrant the billable services submitted. Every office visit is not a level 3-4-5 service. If you have high-risk cases, then use appropriate diagnosis coding to indicate previous or history of miscarriage, abortion, hypertension, etc.

g. Meet at least monthly with your biller or billing/practice management company to review summary reports of revenue, accounts receivable aging by payer, write offs, and denials.

Thanks to Angela for these important tips for a safe and successful 2013.

Read Article on Physicians Practice

Healthcare Providers Fight Back vs. Recoupment Audits, Slow Payments

As dollars became scarcer in the 1990s, health insurance companies increasingly employed “post-claims underwriting” as a basis for denying claims or rescinding policies. Some relief is expected from the Affordable Care Act’s elimination of “pre-existing conditions” as a basis for denial of claims.

But the reform law does not put an end to denials based upon medical necessity, or a refusal to pay because the service or DME is “experimental.” Equally alarming is the practice of “pay-then-pull-back” recoupment audits, which can devastate the finances of providers of all sizes. Now, providers are fighting back.

In Tri3 Enterprises v. Aetna, the U.S. Department of Labor (DOL) has filed a November 30, 2012, amicus brief in the Third Circuit Court of Appeals in the appeal of a New Jersey federal district court ruling against a provider who filed a federal case against Aetna. In cases where only a provider agreement governs, (the policy is not an employee benefit) it is easier for insurers to cease payments and demand overpayment refunds, because such actions are often sanctioned by state anti-fraud laws. But when an ERISA plan also exists, (the plan is an employee benefit) adopting such an aggressive stance might not be so simple. In this case, Aetna authorized and paid Tri3 for non-segmented pneumatic compressors, i.e., medical devices, but then retroactively sought to recoup the payments after and audit by the ominously named Special Investigations Unit (SIU) determined the equipment to be “experimental.”

Aetna allegedly refused to treat its decision as a “claims denial” and refused to provide the procedural protections accorded under ERISA and its regulations to such decisions. Tri3 argues that under authority of ERISA, the DOL adopted rules protecting both insured individuals as well as providers who have accepted assignment of the claim from the insured. Tri3 claims in addition to the fact that the medical devices had been previously approved in other cases, and approved for payment in the instant case, it has a right to challenge the reversal and demand for recoupment under ERISA’s administrative claims review process. The trial court disagreed, dismissing the case for failure to state a claim ruling, “it is clear from the complaint that the central issue of the dispute is Aetna’s allegation that Tri3 had misrepresented to Aetna the nature of the medical device that had been supplied to insureds.” The DOL has filed a brief on appeal favoring the provider’s position and arguing for a reversal of the trial court. The outcome will likely hinge upon whether the Third Circuit views Aetna’s action as an attempt to recover from fraud and abuse, (i.e., Tri3 misrepresented the nature or use of the devices) or whether the matter is more accurately characterized as a coverage dispute which might fall within ERISA appeals process.

As to slow payments, medical providers are using technology to fight back in a different way: enlisting the aid of former foes in the plaintiff’s bar to go after carriers who delay payments for covered treatment. Texas powerhouse lawyer Mikal Watts of Watts Guerra Craft LLP says his firm has “built up a solid docket of over 500 medical providers, representing hospitals, large doctor groups, and pharmacies seeking to enforce Texas’ Medical Provider Prompt Pay laws.” According to Watts, “the problem in the past for medical providers is that there was no efficient way to enforce prompt pay laws for small claims.” Watts uses sophisticated computer models from medically knowledgeable data analysis companies to identify patterns and initiate legal proceedings on a cost-effective contingency fee basis. “In total, we have identified hundreds of millions of dollars due our clients,” says Watts.

Historically, ERISA had been an impediment for individuals whose claims have been denied. ERISA preempts state law remedies, including an award of attorney’s fees to the successful party. Most employees could not afford to pay out of pocket for an attorney to pursue the claim under their group plan. Watts points out that Texas, and many other states, carefully drafted “slow pay” statutes with an eye toward avoiding ERISA’s limiting provisions.

As with any legal issue, you should consult an experienced health attorney if you have specific questions about your rights under assignment of benefits agreements or “slow pay” laws in your state or jurisdiction.

Read Article on Physicians Practice