In the last few months, settlements related to potential violations of HIPAA and the Security Rule have ranged from $31,000 to $5.5 million. The smallest settlement, $31,000, was for potential HIPAA violations related to a single missing Business Associate Agreement (“BAA”) between a pediatric group and an ePHI records storage company that had come under scrutiny from HHS’ Office for Civil Rights (“OCR”). The pediatric group had used the ePHI records storage company since 2003, yet could not locate or provide to the OCR any BAA signed prior to 2015. The outcome of the OCR’s compliance review indicates that internal risk analysis and risk management were not thoroughly undertaken.
The largest settlement reached was $5.5 million, to be paid by Memorial Healthcare Systems (“MHS”), located in south Florida. MHS operates 6 hospitals, an urgent care center, a nursing home, and numerous ancillary healthcare facilities. Additionally, MHS is affiliated with physician offices through an Organized Health Care Arrangement. MHS experienced a breach that potentially compromised the ePHI of over 115,000 individuals when its employees gained impermissible access, and impermissible disclosures to affiliated physicians occurred, through the use of the login credentials of an affiliated physician’s former employee. Although MHS reported the breach and had policies and procedures in place related to HIPAA and the Security Rule, it had not implemented procedures for reviewing, modifying, and/or terminating users’ rights of access as required by HIPAA. Further, MHS failed to regularly review records of information system activity in applications that maintain ePHI, whether that activity came from its own employees and workforce users or from users at affiliated physician practices, even though MHS had identified that very risk in risk analyses conducted from 2007 to 2012.
As healthcare professionals, we take pride in the care and attention to detail with which we maintain our employee files. Certain items must be kept separate from the others, and files must be securely locked and out of co-workers’ reach. Employees’ personal information must be protected. We all know these things and probably already have a procedure in place for compliance.
Whether your facility is already accredited or just starting up, employee files must be maintained, reviewed, audited, and kept according to retention requirements. Knowing which laws apply helps keep your business compliant. For example, under ERISA there is no specific time period for maintaining records that reflect age, marital status and/or service records. The Social Security Act states that employees’ social security numbers must be kept four years from the tax due date or the payment of the tax, whichever is later. So, there’s a lot of tracking going on.
Medical web-based businesses have been on the rise, and the number of HIPAA enforcement actions by the US Department of Health and Human Services (HHS) has risen exponentially as well. Since the beginning of this year, HHS has announced several large settlements with companies that failed to comply with HIPAA’s requirements. For example, in January, HHS announced a $2.2 million settlement with a health insurance company after a breach that resulted from a stolen portable USB device containing PHI. Also, in February, HHS announced a penalty of $3.2 million against a medical center for a breach that arose from the theft of an unencrypted laptop containing PHI. This enforcement activity is becoming the norm, so it is best to ensure that your medical website is legally compliant.
If you are handling any PHI on or through your website, you must ensure that your website is HIPAA compliant. Here are some recommendations to address the security and privacy of PHI that your website may manage (please note that this is not a comprehensive list):
One of the biggest challenges faced by addiction treatment providers today, especially in Palm Beach County, Florida, arises in the context of unprecedented pressure from law enforcement, newspapers and insurers. The threat of being targeted by law enforcement is daunting in itself. Add to that the mainstream media’s insatiable appetite for readers, the industry’s slide into insurer red-flagging and recoupment, and the political-football nature of addiction and addiction treatment, and treatment providers can lapse into a state of paralyzed tunnel vision, a sort of mass hypnosis. Here’s the problem: providers dealing with the current crisis environment have a lot to lose if they take their eye off the bigger picture. The more absorbed they become in “crisis mode,” the more likely they are to miss important details in an increasingly regulated and changing industry. Losing the ability to see the entire picture (and its trends) and to adapt to it quickly can have costly (and even deadly) consequences.
The addiction treatment industry is like any other healthcare provider—enormously and increasingly regulated, highly scrutinized and always dynamic. The moment it took on features of traditional healthcare (e.g. lab and physician services), it left the relatively warm and fuzzy comfort of behavioral health providers, sorta. “Sorta” because medical behavioral health (e.g. psychology and counseling) has not had it easy in the past 10 years, as it came under crushing price compression from managed-care-driven networks and other price-cutting middlemen that have often been owned or controlled by insurance companies. Addiction treatment providers in the pure behavioral health space were “saved” from all this until about three years ago because they were out of network and not the focus of insurer-driven price cuts. As payors (and their price-cut-incentivized middlemen) looked for more ways to drive up profits, the competitive and disorganized addiction treatment sector became a natural (and unprepared) sector to hit. And they hit it hard! Clearly, the Perfect Storm. Addiction treatment providers now have no option but to learn to swim hard and fast in the ever-changing river of the healthcare business industry.
Concepts like the Anti-Kickback Statute, the Patient Brokering Act and Safe Harbors have become ingrained in the thought process of nearly every addiction treatment provider, especially in Florida. Providers now seem to fully embrace ideas like:
There’s a federal law (the Anti-Kickback Statute, the “AKS”) that can bring criminal liability for marketing done incorrectly;
There’s a state law, the Florida Patient Brokering Act (“PBA”), that can do the same;
Complying with the federal safe harbors and the bona fide employee exception is important, even when there are no state or federal healthcare program dollars involved;
Paying anyone for marketing, not just on a commission-based sales model, without fully appreciating the applicable laws is dangerous, costly and invites criminal inquiries and liability; and
Achieving compliance with applicable federal law should be part of any recovery business’ overall compliance plan.
Recovery providers must become familiar not only with the AKS and state restrictions like the PBA, but also with the law’s permitted examples, the so-called “Safe Harbors,” which describe specifically permitted arrangements (42 CFR 1001.952). The “personal services arrangement and management contract” Safe Harbor, for instance, has particular application in the area of marketing, as does the AKS exception for “bona fide employment arrangements,” which applies to “bona fide” W-2 employees (entailing direction, supervision and control), but not to independent contractor relationships.
So, you’ve received a letter from the Zone Program Integrity Contractor or “ZPIC” to review for the accuracy and justification of services reimbursed by the Medicare program. Now What?!
First, remain calm. Chances are a ZPIC audit will go well if you have been diligent in completing patients’ medical records, justifying medical necessity, and keeping your billing accurate and well supported by the patients’ medical records. Even if errors are discovered, most errors do not represent fraud; that is, the errors were not committed knowingly, willfully and intentionally. Still, a ZPIC audit can be daunting, and if Medicare has noticed a pattern of billing that it considers suspect, or there has been a complaint against you, the ZPIC audit will be rigorous, and often adversarial. The ZPIC’s job is to protect the program from potential fraud. It will conduct data analysis, including identifying statistical outliers within a well-defined group, or other analysis to detect patterns within claims or groups of claims that might suggest improper billing. Data analysis can be undertaken as part of a general review of claims before or after submission, or in response to information about specific problems arising from complaints, provider or beneficiary input, fraud alerts, CMS reports, Medicare Area Contractors, or independent governmental or nongovernmental agencies.
Most of the commercial payors are paying PHP (Partial Hospitalization Plan) and IOP (Intensive Treatment Plan) at a bundled daily rate. Many of the plans are now adding urine drug screens to the bundled daily rate and imposing a cap on the number of screens that can be done during an admission. Plans are paying rates that are much nearer to Medicare rates. Payments based on a reasonable percentage of a provider’s charge are becoming harder to find, as the calculation of what constitutes a usual and customary rate of payment continues to decline.
Yet a great portion of substance abuse facilities are operating with more clinical staff, at higher levels of licensure, with better Electronic Medical Systems, with more programs to combat some of the symptoms of addiction, and with a greater awareness of compliance with state and federal guidelines. Even with these necessary improvements, reimbursements continue to decline.
Did you know that, as a residential treatment provider, your facility must know what is, and what is not, above your ceiling tiles? Does your facility have a “No Smoking” sign at the main entrance? Do you know which way the doors are supposed to close? Want to grow your business? Plan on expanding? You will need an ILSM (Interim Life Safety Measure) completed, and the ILSM must include an infection control acknowledgment.
Put simply, buildings serving patients must comply with the NFPA 101 (2012 edition) Life Safety Code. Has your organization identified a Safety Officer? Has the Safety Officer identified Life Safety Code problems? If your answer is “No” to these two basic questions, it may be time for your practice to implement a Life Safety program.
Known as “Minimum Fire Safety Standards for Residential Alcohol and Drug Abuse Treatment and Prevention Programs, Mental Health Residential Treatment Facilities and Crisis Stabilization Units”, this rule chapter must be applied and adhered to in all 24-hour, 7-day-per-week healthcare facilities, just like a traditional hospital.
There has been a growing trend in the substance abuse rehabilitation industry to provide services through a non-profit, tax-exempt organization. Unfortunately, there is also a growing trend of IRS audits of non-profits. An audit by the IRS can yield many negative outcomes, including the revocation of a treatment center’s tax-exempt status and fines imposed on the organization and/or its Directors when the non-profit fails to operate within the rules applicable to 501(c)(3) non-profit organizations.
A non-profit may be able to fly under the IRS’s radar for a few years, but as the years pass, the chance that its non-compliance will be caught by the IRS grows exponentially. To protect your non-profit, please follow some of these basic rules:
Just under a year ago, medical device developer Olympus Corp agreed to pay a $646 million settlement to resolve claims of illegal kickbacks to physicians and hospitals. This is considered to be the largest settlement amount in the history of violations of the Anti-Kickback Statute. The federal Anti-Kickback Statute (“Anti-Kickback Statute”) is a criminal statute that prohibits the exchange (or offer to exchange) of anything of value in an effort to induce or reward the referral of federal health care program business. Conviction for a single violation under the Anti-Kickback Statute may result in a fine of up to $25,000 and imprisonment for up to five (5) years. In addition, a conviction will result in mandatory exclusion from participation in federal health care programs. The government may also assess civil money penalties, which could result in treble damages plus $50,000 for each violation of the Anti-Kickback Statute.
Between 2006 and 2011, Olympus offered consulting deals, among many other bribes, to influence physicians to order and prescribe Olympus medical devices. These consulting agreements provided for large up-front payments to physicians under the guise of medical device development. Olympus failed to focus on compliance and didn’t have policies and procedures in place to prevent illegal arrangements such as these. These physicians were retained as consultants, but most provided very few consulting services; they were used as device promoters. Physicians have a duty to order medical devices solely on the traditional standards of quality, price, and appropriateness for the medical conditions treated. Moreover, a physician’s ordering of medical devices must never be influenced by personal financial gain.