Banner
Home → Compliance Update

Compliance Update
The Stark Law Self-disclosure Protocol: Apply With Care Print E-mail
Written by Chris M. Morrison, Esq.   
Saturday, 05 February 2011 15:06

On September 23, 2010, the Centers for Medicare and Medicaid Services ("CMS") posted the Voluntary Self-referral Disclosure Protocol ("Protocol") on its website.  The Protocol allows providers and suppliers ("disclosing parties") to self-disclose actual or potential violations of the federal physician self-referral statute (42 U.S.C. §1395nn, commonly known as the Stark Law) and possibly settle their financial liability for such violations for less than the full amount due.  The Secretary of HHS (the "Secretary") was required to establish a self-disclosure protocol under the Patient Protection and Affordable Care Act ("PPACA").  PPACA also authorized the Secretary of HHS to reduce the amount due and owing for Stark Law violations.   

This article discusses generally some of the main provisions of the Protocol, as well as some of the risks and drawbacks that a disclosing party should consider before deciding to use the Protocol.  This article is not exhaustive of all aspects of the Protocol.

General Disclosure Requirements

A disclosure under the Protocol must contain three things:  a description of the actual or potential violation or violations; a financial analysis setting forth the total amounts believed to be due and owing; and a certification by the disclosing party that the information provided is truthful and based on a good faith effort to resolve the matter at hand.  The disclosure must be provided electronically and in hard copy to the addresses specified in the Protocol.   

The description must contain detailed factual disclosures and legal analysis regarding the actual or potential violation.  A summary of the required content is as follows:

  • Identifying information, including organizational relationships if the disclosing party is owned, controlled, or otherwise part of a system or network, and affected corporate divisions, departments or branches.
  • A description of the matter being disclosed, including the financial relationships and parties involved; the time periods of the violation and when the conduct was cured, if at all; the type of transaction or other conduct involved; and the names of the entities and individuals believed to be implicated and an explanation of their roles.
  • A statement regarding why the disclosing party believes a violation of the Stark Law may have occurred, including a complete legal analysis of the Stark Law's application to the conduct, any Stark Law exceptions that apply and/or that the disclosing party attempted to use, and which elements of the applicable exception(s) were and were not met.  It should also describe the potential causes of the violation, such as intentional conduct, lack of internal controls, or circumvention of corporate procedures or government regulations.
  • The circumstances of discovering the violation, and the measures taken both to address it and to prevent future abuses.
  • A statement of whether the disclosing party has a history of similar conduct or has any prior criminal, civil, and regulatory enforcement actions against it.
  • A description of the existence and adequacy of a pre-existing compliance program and efforts to prevent recurrence of the incident, including measures to restructure the non-compliant arrangement or relationship.
  • A description of notices provided to other government agencies in connection with the disclosed matter.
  • An indication of whether the disclosing party has knowledge that the matter is under current investigation or inquiry by a government agency or contractor.

The disclosing party is expected to conduct a financial analysis and furnish its findings to CMS as part of its initial submission.  The analysis should provide a total amount, itemized by year, that is actually or potentially due and owing for the period during which the disclosing party may have been out of compliance with the Stark Law.  The disclosing party must also describe the methodology it used to determine these amounts.

Finally, the disclosing party must provide a signed certification stating that, to the best of the individual's knowledge, the information provided contains truthful information and is based on a good faith effort to bring the matter to CMS' attention for the purpose of resolving any potential liabilities under the Stark Law.  This certification may be provided by the disclosing party's CEO, CFO or other authorized representative.   

Coordination with Other Agencies

CMS will coordinate with the Office of the Inspector General ("OIG") and the Department of Justice ("DOJ"), and may also refer the disclosed matter to law enforcement.  CMS may use the disclosure to prepare recommendations to OIG and DOJ for resolution of False Claims Act, civil monetary penalty, or other liability.  Thus, a disclosure under the Protocol may result in contact from other government agencies. 

Investigation Phase

After CMS receives the disclosure it will begin verifying the information provided.  During this process, CMS expects to receive documents and information from the disclosing party without having to use "compulsory methods," and to have access to all financial statements and other supporting documents without the assertion of privileges.  Any matters discovered during this process which are not part of disclosure will be treated as being outside the Protocol.   

CMS states that in the "normal course of verification" it will not ask disclosing parties to produce written communications subject to attorney-client privilege.  CMS might more aggressively seek documentation covered by attorney work product, but is "prepared to discuss" ways to get the underlying information without a waiver of privilege.  Assertion of privilege should be made advisedly, as the disclosing party's cooperation with CMS during the investigation process is a factor considered in reducing the disclosing party's financial liability, and failing to fully cooperate may result in removal from the Protocol.

To finish article, click here.

Chris M. Morrison is Of Counsel to GrayRobinson, P.A.'s Orlando office, and is board certified in health law by The Florida Bar.  Mr. Morrison can be contacted at (407) 843-8880 or by email at chris.morrison@gray-robinson.com

Last Updated on Saturday, 05 March 2011 15:35
 
OIG Soliciting Proposals and Recommendations Print E-mail
Written by Sandra P. Greenblatt, Esq.   
Thursday, 27 January 2011 15:53

HEALTH LAW UPDATE

On December 28, 2010, the Office of Inspector General (OIG) issued a proposed rule in the Federal Register (75 FR 81556) soliciting proposals and recommendations for developing new and modifying existing Safe Harbor regulations under the Federal Anti-Kickback Statute (Soc. Sec. Act §1128(b)) and for developing new OIG Special Fraud Alerts to provide guidance to the health care industry. The proposed rule states the OIG will consider the following factors in reviewing proposals for new or modified safe harbor provisions: (1) access to health care services, (2) quality of services, (3) patient freedom of choice among health care providers, (4) competition among health care providers, (5) cost to Federal health care programs, (6) potential over-utilization of health care services, (7) ability of health care facilities to provide services in medically underserved areas or populations, and (8) other factors, including the existence of potential financial benefit to health care providers that may take into account their decisions to order a health care item or service.

In determining whether to issue additional Special Fraud Alerts, the OIG will consider whether, and to what extent, the proposed practices may result in any of the above consequences related to the proposed Safe Harbor regulations, as well as the volume and frequency of the conduct that would be identified in the Special Fraud Alert. Comments must be delivered by February 28, 2011.

Sandra P. Greenblatt is a Board Certified Health Lawyer with 25 years of experience representing health care professionals and businesses in complying with the Federal and Florida fraud and abuse laws and regulatory, contractual and transactional health law matters.  If you are interested in submitting comments on the proposed rule to the OIG, she may be reached at (305) 577-9995 or sg@flhealthlawyer.com.

Last Updated on Saturday, 12 February 2011 14:47
 
HITECH ACT DECRYPTED Print E-mail
Written by Jeffrey Segal, M.D., J.D. & Michael J. Sacopulos, J.D.   
Monday, 24 January 2011 18:20

Understanding the law before you send your patients any e-mail

Snail mail is becoming less popular as the calendar pages turn. E-mail and social media networks have changed how we communicate. Before clicking the send button in an e-mail template, healthcare professionals should better understand that HIPAA violations have also entered a new era. More cases are prosecuted with assessment of both statutory civil fines and criminal penalties.  

A little background: Even though HIPAA passed in 1996, little prosecution followed when patient privacy was violated. Since the law took effect in 2003, nearly 45,000 complaints were filed with the Health and Human Services (HHS) Office for Civil Rights. Of these complaints, only 775 cases were referred to the Department of Justice or the Centers for Medicare and Medicaid Services for investigation. None resulted in direct civil monetary penalties (1).

Then, in 2009 the HITECH Act ("HIPAA on steroids") was enacted (2). This act intended to increase HIPAA confidentiality protections of Electronic Protected Heath Information (ePHI), instill tough civil and criminal penalties for violations, mandate notification of breaches of HIPAA protected heath information, and extend the definition of covered entities to include business associates (3). A tall order indeed.

For example under the tougher HITECH Act, in April 2010 a former employee of a hospital was sentenced to four months in prison for accessing the medical records of his coworkers and various celebrities. He had no "valid" reason for accessing these records (4).

According to the Health and Human Services (HHS), penalties have increased. Prior to the HITECH Act, the HHS Secretary could not impose a penalty of more than $100 for each violation or $25,000 for all identical violations of the same provision. Section 13410(d) of the HITECH Act strengthened the civil money penalty scheme by establishing tiered ranges of increasing penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision.

Just how "high tech" are physicians when it comes to communicating with patients?

A survey by the health information firm Manhattan Research in 2009 found that 42 percent of physicians had some online communication with patients. The American Academy of Family Physicians reported in a 2009 survey that just 6 percent of responding members had performed a Web-based consultation - that number was more than double the 2.6 percent who had done so in 2008 (5).

But is all of this electronic communication legal?

The HITECH Act requires that all communications involving ePHI be encrypted. HHS recently adopted National Institute of Standards and Technology guidelines for encryption. This means that if a physician wants to consult, refer, or prescribe for a patient by e-mail, the e-mail had better be encrypted. Of course most patients do not have software to decrypt. So what alternatives do healthcare providers have? And, more importantly, how can this be made easy and pragmatic? Email was designed to simplify, not complicate.

Healthcare providers may seek their patient's consent to communicating via unencrypted e-mail. While HHS does not provide a standard form for securing patient consent, basic "informed consent" strategies should apply. First, get the patient's consent in writing. The patient should not be given just a binary choice - but a menu of choices. For example, a patient may wish to electronically receive information on appointment dates but not test results. The consent document - as is standard with most routine HIPAA forms -should also note that the patient may withdraw his or her consent at a later time. This can be part of an expanded HIPAA form the patient signs when first seeing you in the office.

Here are some more recommendations when communicating with patients electronically:

1. A physician may be held responsible for a delay when responding to a patient's e-mail. Solution: A physician that wishes to accept e-mail from patients should use an auto response feature that informs the patient that a) the physician typically responds to e-mail within XXX number of hours/days; b) if the patient requires immediate attention, the patient should telephone the physician's office or contact an emergency healthcare provider.

2. If a patient initiates an e-mail with a physician, Rachel Seeger of HHS Office for Civil Rights says that it is assumed that the patient consents to unencrypted communication. "If this situation occurs, the healthcare provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual (6)."

3. If a physician does end up sending a patient an e-mail, double check the recipients' e-mail address before clicking the send button. This is to prevent the e-mail from being sent to the wrong person, therefore sharing private information to an unintended party. Good advice also in the non-healthcare world.

4. Add any e-mail a patient sends (and any response) to the patient's chart.

5. In the HITECH Act code 170.210 section B states that the date, time, patient identification and user identification must be recorded when electronic health information is created, modified, deleted, or printed; and an indication of which actions occurred must also be recorded. This means if you send an email to a patient with protected health information - and delete it - you will need a record of what was deleted and when. This is not dissimilar to crossing out a line in a paper medical record- updating the record - with a date of the update.

6. Since communicating with patients via e-mail is becoming stricter, more physician offices and hospitals are using portals as a means of communication. This allows the patient to sign in with a secure username and password to view their records and communicate with their physicians. The security rule allows for Electronic Protected Heath Information (e-PHI) to be sent over an electronics open network, as long as it is adequately protected (7). Of course, this is more complicated than using Outlook or gmail.

The HITECH Act has ushered in a new era of technology requirements and standards that must be met by physicians. Given HHS's recent enforcement efforts, physicians should use caution when electronically communicating with patients. By working within the boundaries of the six points above, physicians should comply with the HITECH Act.

Jeffrey Segal, MD, JD, a neurosurgeon, is the founder and CEO of Medical Justice Services. Mike Sacopulos serves as general counsel for Medical Justice.  For more information email info@medicaljustice.com or visit www.MedicalJustice.com.

___________________________________________________

Sources:

(1) Elizabeth S. Roop, Pulling It Together- The HITECH Act and HIPPA, For The Record Vol.21, No. 17 at 10 (Sept. 14, 2009), URL: http:// Click here to view source.

 

(2)Click here to view source 

 

(3) Click here to view source

(4) DOJ Press Release (Jan. 8, 2010), URL: Click here to view source 

 

(5) Article (Dec 10, 2010) URL Click here to view source

 

 (6) Personal correspondence between author and Rachel Seeger, Senior Health Information Privacy Outreach Specialist, HHS Office of Civil Rights, December 28, 2010.

 

(7) Click here to view source

Last Updated on Thursday, 27 January 2011 15:56
 
The good, the bad, and the ugly - 2011 Final Policy and Payment Changes for Medicare Print E-mail
Written by Joe L. Miller   
Thursday, 09 December 2010 15:04

The Good

Believe it or not, there are some good things, particularly for primary care physicians, coming out of the 2011 Medicare Policy and Payment changes:

  • Elimination of Deductible and Coinsurance for most preventative services
  • Addition of reimbursement for an Annual Wellness visit
  • Incentive payments - 10% paid quarterly - to primary care physicians for primary care services - applies to all physicians with a primary care designation as well as nurse practitioners, clinical nurse specialists or physician assistants (primary care services must account for at least 60% of their Part B allowable charges)
  • Incentive payments - 10% paid quarterly - to general surgeons for Major Surgical Procedures in Health Professional Shortage Areas (HPSAs)

Not So Good to Downright Bad

  • Advanced imaging services (CT and MRI) will be paid less due to an adjustment in the equipment utilization rate assumption
  • Therapy services will be reimbursed 25% less for the second and subsequent services provided in the same visit
  • Medicare claims must be submitted in twelve (12) months or less from the date of service

Just Plain Ugly

"...the rule calls for Medicare physician payments to be slashed by 23% -- 25% on Dec. 1, 2010 and 2% on Jan. 1, 2011." (from AMA)

Click here to view the CMS Fact Sheet. 

About the author - Mr. Miller is a Principal at PYA and concentrates his practice on healthcare; providing tax planning, consulting and compliance services.  In September, PYA was listed by Modern Healthcare as a top 20 consulting firm.   

For more information, please visit www.PYAPC.com

Last Updated on Thursday, 23 December 2010 06:57
 
House passes Red Flags Program Clarification Act Print E-mail
Written by Sandra Greenblatt, Esq.   
Thursday, 09 December 2010 00:00

Is it time to celebrate the New Year?  On 12/8, the U.S. House of Representatives passed S. 3987, the "Red Flag Program Clarification Act of 2010"-legislation that limits the type of creditor that must comply with the "red flags" rule and  appears to permanently exempt physicians. Because the U.S. Senate unanimously passed the bill on Nov. 30, it is being sent to the White House where President Obama is expected to sign it into law before the Jan. 1, 2011, deadline.   Assuming the President signs the legislation, providers would still have to wait for the FTC's blessing before uncorking the bubbly.  For more information click here:  

A Red Flag Reprieve for Health Care Providers? The Door Remains Open Pending Federal Agency Action

Update 12.22.10 - The President has signed the legislation. We await the FTC's interpretation.

About the author:  Ms. Greenblatt is a Board Certified Health Law Attorney practicing in Miami.

Last Updated on Sunday, 02 January 2011 17:44
 
<< Start < Prev 41 42 43 Next > End >>

Page 42 of 43


Banner
Website design, development, and hosting provided by
Netphiles