Plan for the Worst, Hope for the Best: Why You Must Have a HIPAA Risk Assessment

“The single biggest and most common compliance weakness is the lack of a timely and thorough risk analysis.”

-Leon Rodriguez, former head of the U.S. Health and Human Services Office for Civil Rights

When the Office for Civil Rights (“OCR”) auditor drops by your health facility to confirm that you are complying with HIPAA, one thing is certain: the auditor will ask to see your risk assessment. Do you have one? Is it complete? Has it been used to develop and implement appropriate policies and procedures?

Audit Risks Are Real

The OCR is cracking down on covered entities’ and business associates’ compliance with HIPAA. Audits are becoming commonplace and are resulting in more and more providers being hit with fines and sanctions. You may think that even if you are subject to an audit, the penalty will be a slap on the wrist. Think again. Civil penalties for HIPAA violations now run as high as $1.5 million per calendar year for violations of a single provision. Maybe you are too small a provider to be the target of an audit? Think again, again. In January of 2013, Hospice of North Idaho agreed to pay the Department of Health and Human Services (“HHS”) $50,000 to settle potential HIPAA violations stemming from a 2010 incident involving a stolen, unencrypted laptop. It was the first HIPAA breach settlement involving fewer than 500 individuals. The hospice had not conducted a risk assessment. Two lessons follow: a single unencrypted laptop was enough to make a small provider an enforcement target, and protected health information that is encrypted in accordance with HHS guidance is not “unsecured” PHI, so its loss does not trigger breach notification. The laptop in that case was not encrypted.

Risk Assessments Are Not Optional

A HIPAA risk assessment (the Security Rule calls it a risk analysis) is a thorough investigation and analysis of the areas where there is a potential risk of violating HIPAA. It is not optional and it is not just a checklist. Covered entities, and since the 2013 Omnibus Rule business associates as well, are required to have one. Specifically, the Security Rule, at 45 C.F.R. § 164.308(a)(1)(ii)(A), requires entities to:

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

These assessments are critical to compliance with the HIPAA Security Rule. At a minimum, the assessment should identify where electronic protected health information is created, received, stored, and transmitted; the threats to and vulnerabilities of those systems; the likelihood and impact of each threat; and the administrative, physical, and technical safeguards already in place. It should also address the Breach Notification Rule. Many assessments take the form of a table that not only rates the level of each risk but also records whether a policy is in place and who is responsible for ensuring that each provision is implemented. The analysis is not a one-time event: it must be documented and revisited periodically and whenever there is a material change in your systems or operations.

Risk Assessments Are Just the First Step

Once your facility’s risk assessment is complete, it and any relevant accompanying documents should be kept in your HIPAA security files; the Security Rule requires that such documentation be retained for six years. Assessing risks is only a first step. You must use the results of the assessment to develop and implement a risk management plan with appropriate policies and procedures, and you must update the assessment as your systems and operations change. Designating a privacy officer and a security officer is required, not merely recommended, as is workforce training. Keep a sign-in sheet for each training session and issue certifications once training is complete. This kind of documentation will be very beneficial when the OCR auditor is at your door.

If you are a provider and would like help creating and implementing a HIPAA risk assessment, contact the health care attorneys at McBrayer, McGinnis, Leslie & Kirkland, PLLC. We are available to provide privacy and security training, along with a risk assessment tool that can be tailored to individual providers. It is not a question of whether there will be a breach at your facility, but when. Let us help you be prepared.

Molly Nicol Lewis is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC. Ms. Lewis concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at mlewis@mmlk.com or at (859) 231-8780.

This article is intended as a summary of federal and state law and does not constitute legal advice.

Structuring Healthcare Provider Agreements for Compliance

On June 23rd, the Healthcare Law Blog discussed the Fraud Alert recently issued by the Office of Inspector General (“OIG”) of the United States Department of Health and Human Services regarding physician compensation arrangements, which telegraphed the OIG’s intention to increase scrutiny of financial arrangements between physicians and the providers to whom they make referrals. In today’s post, we examine the steps physicians and other healthcare providers should take to ensure that any such financial relationships comply with federal statutes and regulations.

The first fundamental task in determining whether an arrangement is compliant with applicable law is to review the written agreement between the parties and test its terms against the regulatory requirements. The following questions should be asked:

  1. What are the services to be performed under the agreement?
  2. Are the services to be performed needed, and is the arrangement commercially reasonable?
  3. Is the compensation for the services consistent with fair market value, and how was fair market value determined?
  4. Does the compensation take into account, in any manner, the volume or value of referrals made by the physician?
  5. Is the physician carefully documenting the services being performed, by keeping time sheets or similar records, and submitting that documentation to the healthcare entity in a timely manner to justify the compensation being paid?

While the Anti-Kickback Statute prohibits many types of arrangements that result in prohibited referrals, Congress created statutory exceptions to its prohibition, and the statute does not apply to certain payment practices specified by the Secretary of the United States Department of Health and Human Services. Pursuant to that authorization, the Secretary issued Safe Harbor regulations describing legitimate arrangements that are categorically protected from prosecution or sanctions under the Anti-Kickback Statute, provided that every element of the applicable Safe Harbor is satisfied. Falling outside a Safe Harbor does not by itself make an arrangement illegal; it means the arrangement will be judged on its facts under the statute’s intent standard, without the certainty the Safe Harbor provides.

The Safe Harbor that is best suited to medical directorship arrangements between a physician and another healthcare provider is the Safe Harbor for personal services and management contracts. This Safe Harbor excludes from the definition of “remuneration” under the Anti-Kickback Statute any payment made as compensation between a principal and an agent for the services of the agent, if all the elements of the Safe Harbor are met. The Safe Harbor for personal services and management contracts is set forth at 42 C.F.R. § 1001.952(d). Physicians and other healthcare providers should examine any medical directorship or similar arrangement in light of this Safe Harbor to determine whether its requirements are satisfied.

The Stark Statute prohibits a physician from referring Medicare patients for “designated health services” to an entity with which the physician (or an immediate family member) has a direct or indirect financial relationship, and prohibits the entity from filing Medicare claims for those services, unless an exception applies. The Stark Statute and its implementing regulations set forth those exceptions to the general prohibition on referrals where a financial relationship exists between the parties.

The Stark exception that is best suited to medical directorship arrangements between a physician and another healthcare provider is the regulatory exception for personal service arrangements, under which the physician provides specified services to the entity. That exception is set forth at 42 C.F.R. § 411.357(d). Because Stark is a strict liability statute, physicians and other healthcare providers should examine any medical directorship or similar arrangement against this regulation and ensure that every required element of the exception is satisfied and properly documented.

With the Office of Inspector General intending to focus its enforcement scrutiny on physician compensation arrangements, physicians and other healthcare providers would be well-advised to conduct their own self-examination of any and all existing arrangements through their compliance program or through their counsel in order to be prepared for any investigation by the Office of Inspector General and to demonstrate the legality of the arrangements.

Christopher J. Shaughnessy is an attorney at McBrayer, McGinnis, Leslie & Kirkland, PLLC. Mr. Shaughnessy concentrates his practice area in health care law and is located in the firm’s Lexington office. He can be reached at cshaughnessy@mmlk.com or at (859) 231-8780.

This article is intended as a summary of federal and state law activities and does not constitute legal advice.

ALERT – Supreme Court Upholds Affordable Care Act Insurance Subsidies

In a 6-3 decision on Thursday, June 25th, the United States Supreme Court upheld the legality of the government health insurance subsidies provided under the Patient Protection and Affordable Care Act (“ACA”) in the case of King v. Burwell. At issue was language in the ACA that granted subsidies to taxpayers enrolled in an insurance plan through “an Exchange established by the State.” 26 U.S.C. § 36B(b)(2)(A).

The opinion, written by Chief Justice John Roberts, read the ACA’s language to treat the Federal Exchange as the equivalent of a state-run exchange. The opinion reasoned that the phrase could only be understood in the context of the surrounding provisions, and that the ACA contains many other examples of what the Court called “inartful drafting.”

Justice Scalia penned a blistering dissent, joined by Justices Thomas and Alito, arguing that the majority had read into the phrase a meaning it does not carry in order to reach its result.

The decision preserves subsidies for lower-income individuals required, under the ACA, to purchase health insurance, regardless of whether that insurance is purchased through a state or federal exchange. This case was the second major challenge to the ACA with a potential to force significant changes to the law; the Supreme Court upheld the major tenets of the law in both cases.

The provisions of the ACA are now likely to remain in place, and healthcare providers will continue to experience the effects of the law. The attorneys of McBrayer can assist healthcare providers in complying with the regulatory features of the ACA and other healthcare laws, and can counsel them on how best to capitalize on the incentives and programs the law offers.

OIG Fraud Alert Targets Physician Compensation Arrangements

It bears repeating so much that even the Office of Inspector General (“OIG”) of the Department of Health and Human Services just issued a Fraud Alert on it: physician compensation arrangements are fraught with potential violations of the Anti-Kickback Statute (“AKS”) and of the Stark Statute and regulations. The AKS is an intent-based criminal statute whose net is wide enough to catch even seemingly above-board agreements, and physicians should be wary of its implications. The Stark Statute and regulations, by contrast, impose strict liability: if an arrangement does not meet a Stark exception, the referral and the resulting claim are tainted, and the money received on the tainted claim must be repaid to the government.

The OIG alert announced that the office had reached settlements with 12 physicians over questionable medical directorship or office staff arrangements. Under these directorships, the payments took into account the volume of referrals, and the physicians did not perform the services that the agreements contemplated. In some of the arrangements an affiliated health care entity paid for the physicians’ front office staff, which relieved the physicians of the cost of those staff and therefore qualified as a form of remuneration. The important takeaway from this particular alert is that the arrangements in question did not reflect fair market value for bona fide services actually provided by the physicians. If even one purpose of an arrangement is to compensate the physician for past or future referrals, the agreement runs afoul of the AKS. These fraud alerts do not have the force of law, but they do show how the OIG views provider agreements, a “heads-up” as to where the OIG sees the signs of fraud. In the wake of the recent Fraud Alert, Modern Healthcare has reported that officials have announced that the OIG will be hiring additional attorneys to examine these relationships and pursue actions against physicians where warranted.

In its most basic form, the AKS prohibits knowingly and willfully offering, paying, soliciting, or receiving anything of value to induce or reward referrals of business reimbursable by a federal healthcare program. The AKS is not the only prohibition on such arrangements, though. The Stark law also prohibits physicians from referring Medicare or Medicaid patients to an entity with which the physician has any kind of financial relationship, unless the relationship fits within an exception set forth in the statute or regulations. Even more troubling, some federal courts have given the term “referral” an expansive reading, casting the net still wider.

Both laws can snare even basic, boilerplate arrangements between physicians and others. As healthcare laws and regulations evolve to encourage new forms of provider arrangements and clinical integration, providers should become increasingly aware of how these arrangements may interact with or trigger the antifraud laws, and should draft agreements and structure arrangements with those laws in mind.

For more information on how to create physician agreements that don’t violate federal antifraud laws, please come back for Thursday’s post.

Christopher J. Shaughnessy is an attorney at McBrayer, McGinnis, Leslie & Kirkland, PLLC. Mr. Shaughnessy concentrates his practice area in health care law and is located in the firm’s Lexington office. He can be reached at cshaughnessy@mmlk.com or at (859) 231-8780.

This article is intended as a summary of federal and state law activities and does not constitute legal advice.

The False Claims Act – the Basics Every Provider Should Know, Part Two

On Tuesday, we discussed the history and basic elements of a violation of the False Claims Act. Today’s post will explore the penalties and enforcement of the Act.

FCA penalties are harsh, because they are designed to deter attempts to defraud the federal government. The penalty for an FCA violation begins with treble damages, requiring the offender to pay back three times the amount of the government’s loss on the false claim. Each false claim also incurs a civil penalty, which currently ranges from $5,500 to $11,000 and is periodically adjusted for inflation. Because the statute of limitations for FCA violations can extend to ten years after the violation, and because the penalty attaches to each claim rather than to each course of conduct, per-claim civil penalties can really add up.

Importantly, the FCA offers a limited break for self-disclosure. If an offender furnishes the government with all known information about the violation within 30 days of first obtaining it, does so before any criminal prosecution, civil action, or administrative action has commenced and without knowledge of any investigation, and fully cooperates with the subsequent investigation, the court may reduce treble damages to not less than double damages. The per-claim civil penalties still apply, and such potential relief is no substitute for scrupulous billing practices.

Even where no claim was false when it was submitted, the Affordable Care Act requires that any overpayment received under a federal healthcare program be reported and returned within 60 days of the date the overpayment is identified (or the due date of any corresponding cost report, if later).[1] An overpayment retained past that deadline becomes an “obligation” owed to the government, and knowingly retaining it is a reverse false claim under the FCA.

Finally, it is important to understand that the FCA is enforced through qui tam lawsuits as well as direct governmental action. Qui tam lawsuits are better known as whistleblower suits, and virtually any person can bring one. These suits are not brought merely out of a sense of civic duty: when the government intervenes, the qui tam plaintiff (the “relator”) receives between 15 and 25 percent of the government’s proceeds from the claim, and if the government declines to intervene, the relator’s share increases to between 25 and 30 percent. This reward gives potential whistleblowers, including a provider’s own billing staff, a real incentive to seek out billing fraud and abuse.

The key to avoiding FCA liability is an effective compliance program. Billing staff should be thoroughly trained in all billing practices. Thorough and meticulous records should support every aspect of billing and be retained for an extended period. Internal audits should review regulatory compliance, and any issues discovered should be corrected immediately, with any resulting overpayments reported and returned within the 60-day window.

For more information on the False Claims Act and how it relates to healthcare providers, contact your McBrayer healthcare attorney today.

Anne-Tyler Morgan is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC. Ms. Morgan concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at atmorgan@mmlk.com or at (859) 231-8780.

This article is intended as a summary of federal and state law and does not constitute legal advice.

[1] 42 U.S.C. § 1320a-7k(d)

The False Claims Act – the Basics Every Provider Should Know, Part One

The federal False Claims Act (“FCA”)[1] casts an incredibly long shadow, covering every transaction between the federal government and a private party seeking payment from it. Enacted at the height of the Civil War in 1863, the law was designed to keep military suppliers honest in their dealings with a government already strapped by the cost of fighting a war. Since then, the FCA has served as an almost nuclear deterrent to those who would defraud the government when requesting payment for goods or services. In fiscal year 2014, the Department of Justice recovered $5.69 billion under the law, $2.3 billion of it from false claims in federal healthcare programs. That makes the FCA, and its interaction with other laws such as the Affordable Care Act, fraught with difficulty for the unwary healthcare provider.

FCA liability accrues when a person knowingly submits a false claim to the government, causes another to submit a false claim, or knowingly makes a false record or statement material to a false claim. The law also imposes liability on those who conspire to violate it, and its “reverse false claims” provision attaches liability to a person who knowingly conceals, or improperly avoids or decreases, an obligation to pay money to the government.

The most important element of FCA liability for a healthcare practitioner is knowledge. A false claim filed with the government is not, in and of itself, a violation of the FCA. A violation occurs only when the claimant acts “knowingly,” which the statute defines to include actual knowledge, deliberate ignorance, and reckless disregard of the truth or falsity of the claim.[2] No specific intent to defraud the government is required.[3] Mere negligence is not enough, but courts have found reckless disregard where a provider submits claims without making any reasonable inquiry into their accuracy, so careless filing practices can cross the line. For Medicare- and Medicaid-enrolled practitioners who file claims with governmental entities on a daily basis, this potential liability should sound a strong warning.

Please come back Thursday for our discussion of the penalties and enforcement of the FCA.

Anne-Tyler Morgan is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC. Ms. Morgan concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at atmorgan@mmlk.com or at (859) 231-8780.

This article is intended as a summary of federal and state law and does not constitute legal advice.

[1] 31 U.S.C. §§ 3729-3733

[2] 31 U.S.C. § 3729(b)(1)(A)

[3] 31 U.S.C. § 3729(b)(1)(B)

What changes are in store with the new CMS Proposed Rule for Medicaid managed care?

On June 1, 2015, the Centers for Medicare & Medicaid Services (“CMS”) issued a proposed rule revising the provisions of the Medicaid managed care (“MMC”) program for the first time in over twelve years.[1] The effects of these regulations, if adopted, will be far-reaching, because the vast majority of Medicaid beneficiaries, especially in Kentucky, receive services through managed care plans, and Medicaid expansion under the Patient Protection and Affordable Care Act (“ACA”) has increased the number of people eligible for Medicaid managed care. The 201-page proposed regulation attempts to modernize Medicaid managed care and the Children’s Health Insurance Program (“CHIP”) so that they align with the rules for other payers, including Medicare Advantage (“MA”) and qualified health plans (“QHPs”).


On November 1, 2011, Kentucky Medicaid moved to a statewide managed care model to control the cost of a growing Medicaid population, adding three new managed care organizations so that managed care plans now serve every area of Kentucky.[2][3] By 2011, 90% of Kentucky’s Medicaid beneficiaries were enrolled in managed care plans, and Medicaid expansion under the ACA, which took effect in Kentucky in January 2014, has since added substantially to that population. Because Kentucky runs a statewide Medicaid managed care model, CMS’ proposed changes will have a significant impact on Kentucky’s Medicaid program as a whole.

The proposed regulations would remove discrepancies between the MMC program and other programs, such as MA. For instance, Medicaid and CHIP are currently the only health benefit programs without a minimum medical loss ratio (“MLR”) for managed care. The proposed rule removes that exemption and requires that managed care organizations (“MCOs”), prepaid inpatient health plans (“PIHPs”), and prepaid ambulatory health plans (“PAHPs”) meet a minimum MLR of 85 percent. Because the MLR requires a plan to spend a set portion of its premium revenue on patient care and quality improvement, CMS expects the new MLR to act as a fiscal check on MCOs by preventing them from retaining excessive revenue for administration or profit. The proposed regulation allows States to adjust capitation payments and collect remittances from MCOs that do not meet the MLR standard.

In addition, the proposed rule requires a statewide Medicaid quality strategy with a quality rating system similar to the MA and QHPs rating system.

Some of the key provisions of the proposed rule seek to improve the Medicaid beneficiary experience. The rule would protect enrollees during the MCO selection process by setting standards for managed care enrollment. Under the rule, States would have to provide potential enrollees with fee-for-service coverage for at least fourteen (14) calendar days while they select a managed care plan, and would also have to provide potential enrollees with counseling and assistance in making that selection.

In addition, CMS proposes network adequacy and access standards similar to those that apply to Medicare Advantage plans and to QHPs sold on the Health Insurance Exchanges, in order to increase patient access to care. To ensure that Medicaid patients have timely access to necessary care, CMS’ proposal requires States to adopt quantitative time and distance standards for primary care, obstetrics and gynecology, behavioral health, hospitals, and pharmacies. Kentucky would therefore have to create quantitative standards that measure patient access in terms of time and distance. CMS would also require States to monitor network adequacy and to make it transparent through data reporting.

According to CMS’ press release, the goals of the new Medicaid managed care policy are to:

  • Support States’ efforts to encourage delivery system reform initiatives within managed care programs that aim to improve health care outcomes and beneficiary experience while controlling costs;
  • Strengthen the quality of care provided to beneficiaries by strengthening transparency and measurement, establishing a quality rating system, and broadening state quality strategies and consumer and stakeholder engagement;
  • Improve consumer experience in the areas of enrollment, communications, care coordination, and the availability and accessibility of covered services;
  • Implement best practices identified in existing managed long term services and supports programs;
  • Align Medicaid managed care policies to a much greater extent with those of Medicare Advantage and the private market;
  • Strengthen the fiscal and programmatic integrity of Medicaid managed care programs and rate setting; and
  • Align the CHIP managed care regulations with many of the proposed revisions to the Medicaid managed care rules to strengthen quality and access in CHIP managed care programs.

The Proposed Rule is published in the Federal Register at the citation given below. Comments on the Proposed Rule will be accepted until July 27, 2015. For help in interpreting the Proposed Rule or in preparing a formal comment on it, contact the attorneys at McBrayer.

Emily M. Hord is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC. Ms. Hord concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at ehord@mmlk.com or at (859) 231-8780.

This article is intended as a summary of federal and state law and does not constitute legal advice.

[1] Medicaid and Children’s Health Insurance Program (CHIP) Programs; Medicaid Managed Care, CHIP Delivered in Managed Care, Medicaid and CHIP Comprehensive Quality Strategies, and Revisions Related to Third Party Liability, 80 Fed. Reg. 31097 (June 1, 2015) (to be codified at 42 C.F.R. pts. 431, 433, 438, 440, 457, 495)

[2] http://medicaidmc.ky.gov/Pages/faq.aspx?fc=010#34

[3] http://medicaidmc.ky.gov/Pages/index.aspx