Health Law Blog - Healthcare Legal Issues

Archive for the ‘Uncategorized’ Category

Faxing Patient Health Information to Wrong Number – Compliance Risk Area

Tuesday, March 13th, 2018

Physician Revises Faxing Procedures to Safeguard PHI After Faxing PHI to Employer  by Mistake

faxing phi wrong numberA medical office recently settled with OCR after it allegedly disclosed a patient’s HIV status when the office mistakenly faxed medical records to the patient’s place of employment instead of to the patient’s new health care provider.  The employee responsible for the disclosure received a written disciplinary warning, and both the employee and the physician apologized to the patient.  To resolve this matter, OCR also required the practice to revise the office’s fax cover page to underscore a confidential communication for the intended recipient. The office informed all its employees of the incident and counseled staff on proper faxing procedures.

Two things pop about about this instance.  First, this was clearly a privacy violation.  The patient’s protected health information, which incidentally revealed his or her HIV status, we sent to the employer.  Secondly, it was evident from the facts that this was a mistake.  We aren’t told exactly how this mistake was made.  Was the fax number written down in the wrong box on the patient’s records?  Did the employee who faxed the records put the incorrect number on the fax cover sheet?  We may never know.  But this does raise the importance of being precise at all stages of the patient encounter to assure that no inadvertent violations occur.  Care you should be taken when information about the patient is initially entered into the system.  Individuals at all levels who may be responsible for transmitting PHI must be deliberate about their actions.  How many people have called or faxed something to the wrong person before?  How many people have written down the wrong telephone or fax number before?  Everyone?

This OCR settlement just illustrates that sometimes these small errors can have big implications.  It does not appear to have been any significant fines or loss of employment in this situation.  But we cannot downplay the potential embarrassment or other negative consequences of mistakes like these.  It is one thing to text your friend Bob rather than your friend Bobbie, and weirdly from Bob’s perspective say how wonderful last night was and how you can’t wait to see him again.  Telling a patient’s employer about their health condition can have consequences that are much harder to laugh off.

RCS-1 Model Worksheet Gives a Glimpse of a World Without RUG

Monday, March 12th, 2018

RCS-1 Sample Worksheet

Time Is Running Out on RUG System for Skilled Nursing Facility Reimbursement

It is currently anticipated that the RUG system, which is currently used to calculate reimbursement for Medicare Part A skilled nursing services, will be changed over the next year.  CMS is currently considering a new Resident Classification System that will completely change the way SNFs are reimbursed for their services.

Providers are getting glimpses of what may be included in the new calculation system.  CMS issued a draft sample worksheet using the RCS-1 system.  The stated purpose is to give providers a description of how the new system would work.  The worksheet gives a description of how a manual calculation would take place using the RCS-I methodology.

The sample draft worksheet that was issued by CMS is available here.  RCS_I_Logic-508_Final

Patient Access to Medical Records Created by Another Provider

Wednesday, March 7th, 2018

Private Practice Provides Access to All Records, Regardless of Source

A private practice denied an individual access to his records on the basis that a portion of the individual’s record was created by a physician not associated with the practice. While the amendment provisions of the Privacy Rule permit a covered entity to deny an individual’s request for an amendment when the covered entity did not create that the portion of the record subject to the request for amendment, no similar provision limits individuals’ rights to access their protected health information. Among other steps to resolve the specific issue in this case, OCR required the private practice to revise its access policy and procedures to affirm that, consistent with the Privacy Rule standards, patients have access to their record regardless of whether another entity created information contained within it.

Medical Alerts – HIPAA Implications of Flagging Patient Records

Tuesday, February 27th, 2018

Identification of AIDS Status Through Medical Alert System

Dentist Revises Process to Safeguard Medical Alert PHI

AIDS identification external alert HIPAAA recent OCR investigation of a dental practice’s flagging of patients records highlights a potential HIPAA violation.  The OCR investigation confirmed allegations that the dental practice flagged some of its medical records with a red sticker with the word “AIDS” on the outside cover.   Records were handled so that other patients and staff without need to know could read the sticker.  A patient complaint commenced an OCR investigation into whether the practice potentially identified the AIDS status of patients within the office.

When notified of the complaint filed with OCR, the dental practice immediately removed the red AIDS sticker from the complainant’s file. To resolve this matter, OCR also required the practice to revise its policies and operating procedures and to move medical alert stickers to the inside cover of the records. Further, the covered entity’s Privacy Officer and other representatives met with the patient and apologized, and followed the meeting with a written apology.

The lesson here is not to place special medical alerts on the outside of physical patient records.  This is a particularly bad practice in a dental office where the typical office setup can result in visual identification by other patients.  If a patient is being escorted by staff and is seen by other patients, the identification on the outside of the patient’s chart can easily be connected to the patient.  This creates a very sensitive potential violation of HIPAA and other laws protecting against disclosure of the AIDS status of individuals.

Providing Protected Health Information in Response to Subpoena

Thursday, February 22nd, 2018

OCR Citation for Improper Disclosure of PHI in Response to a Subpoena

unauthorized release phi subpoenaA health care provider or other covered entity under HIPAA is permitted to disclose protected health information if it receives a lawful order from a court or administrative tribunal.  this does not mean that a provider can simply release everything it has in a patient record when it receives a court order.  Some records, such as mental health or substance abuse records might have special protections or limitations that apply.  Additionally a provider should closely review the relevant order and only disclose the information that is specifically required by the order.

The ability to release information in response to a subpoena, as opposed to an order of a court, is subject to different rules.  Patient information can only be provided under subpoena if certain notification requirements of the Privacy Rule are met. The notification requirements require the provider who received the subpoena to obtain evidence that there were reasonable efforts to notify the person who is the subject of the information about the request.  This is intended to give the individual an opportunity to object to the disclosure, or obtain a protective order from the court.

The application of these rules are illustrated by a relatively recent OCR settlement involving a hospital that was accused of improperly disclosing PHI in response to a subpoena.  The hospital apparently failed to determine that reasonable efforts had been made to notify that individual whose PHI was being sought under the subpoena.  This had the effect of denying the individual the right to object or seek a protective order.

As part of the settlement with the Hospital, OCR required the hospital to revise its subpoena processing procedures. The new policies adopted by the offending hospital hold a lesson for all covered entities.  If a subpoena does not meet the requirements of the Privacy Rule, policy should require the covered entity to reach out to the party who issued the subpoena to explain the notification requirements.  Until those requirements are complied with, the information cannot be released.

Court Orders and Subpoenas – Release of Protected Health Information

Physician Orders : Why Are They So Important?

Wednesday, January 24th, 2018

The Importance of Physician Orders in Health Care

importance of physician ordersIn my last article on physician orders, I more or less ranted about the lack of a clear regulatory definition of physician orders. Yet, physician orders serve a variety of important purposes including communicating the physician’s direction for ancillary services and required diagnostic tests and securing the ability to receive reimbursement for services that flow from the physician’s encounter with the patient. The systematic use of physician orders also serves as proof that the physician is directing services to the patient and that conditions of participation of the facility, which require a physician driven process, are being complied with on a systematic basis.

Physician Orders as Conditions of Participation

Medicare law draws a distinction between conditions of participation and conditions of payment. Conditions of participation are compliance items, failure of which can result in corrective action and citations on survey. Failure of physician orders can result in survey deficiencies. The good news here is that a facility will normally be able to take action to correct a cited deficiency. If the failure of physician orders is systematic, other sanctions can attach; even including exclusion from governmental health program. But the garden variety, relatively isolated failure of a physician to timely sign an order can normally be corrected without devastating consequences.

Physician Orders As Condition of Payment

Physician orders can also be conditions of payment for specific services flowing from the physician’s encounter with the patient. This is where the real, serious regulatory exposure for failure to document physician orders occurs. Where an order is a condition of payment, claiming and accepting reimbursement results in an overpayment that should be repaid to Medicare. Failing to repay within 60 days of identification of the overpayment results in significant False Claims Act penalties that can far outweigh the original overpayment amount. Identification occurs when a provider “should know” that an overpayment exists which is why health care providers need to proactively look for missing physician orders as an identified risk as part of their compliance programs.

Physician Order Documentation Requirements

Health care providers will be familiar with the adage that “if it is not documented, it didn’t happen.” The same is true with respect to physician orders. A physician order that is not properly documented will be treated by payors as if the order does not exist. Even failure of seemingly technical failures to sign orders on a timely basis can result in payment denial or overpayment claims. In these cases, the provider is not entitled to reimbursement. If reimbursement is received, an overpayment will exist and I describe above the consequences of not repaying overpayments.

So it is important for physicians and other providers to understand the requirements for physician orders as they pertain to the services that they provide. Not getting it right can have very serious consequences. False Claims Act penalties are triple the original overpayment, plus up to $22,000 per claim. A systematic failure to properly use physician’s orders can result in draconian levels of damages under the False Claims Act.

Physician Orders Legal and Regulatory Article Series

Physician Order Reimbursement Issues

Physician Orders – Why Are They So Important?

The Verbal Order Minefield

Authenticating Verbal Orders : Compliance Requirements

Third Party Authentication of Verbal Orders

Physician Order – CMS Guidelines on Texting Physician Orders

Excessive Use of Multiple Removal Codes – Dermatology Fraud and Abuse

Tuesday, June 27th, 2017

Criminal Conviction of Dermatologist Excessive Use of Multiple Removal Codes – 2015

dermatology false claimsA Chicago area dermatologist was convicted of committing Medicare fraud by submitting false claims for more than 800 patients that led to payment of reimbursement of approximately $2.6 million.  The doctor was accused of falsely diagnosing patients and submitting bills without proper documentation of the necessary condition.  Most of the claims appear to have involved diagnosis of actinic keratosis, or sun-induced skin lesions that have potential to become cancerous.   The doctor was found guilty of criminal charges arising from this matter in 2015.

The dermatologist was alleged to have falsely documented hundreds of cases of medically unnecessary cosmetic treatments he reported as involving the removal of lesions (CPT 17004).  According to court records, the physician billed under the CPT code applicable to the removal of 15 or more lesions on a more or less routine basis.  These treatments were allegedly performed on hundreds of repeat patients over a number of years.  Many of the patients received this treatment on 10 or more visits.  Medicare reimbursed this treatment by paying up to $352.40 per treatment.  When these numbers are summarized, it becomes difficult to deny that abuse was going on in this case.  Evidence presented suggested the dermatologist falsely claimed to have removed more than 150 pre-cancerous lesions from approximately 350 Medicare patients, more than 450 patients covered by Blue Cross and Blue Shield, and additional patients covered by Aetna and Humana health insurance.

This case appears to have been a relatively clear case of actual fraud rather than failure to properly document the nature of the service.  Even though the case represents an extreme situation, it still holds some lessons for providers who are not attempting to commit fraud.  A few lessons that can be extracted from this case include:

  • Care should be taken when using multiple removal codes such as 17004.  These types of codes should not be used systematically.  Over time, the removal numbers add up to indicate potential fraud.
  • The record should be accurately and completely documented to support use of multiple removal codes.
  • Care should be taken not to bill codes relating to time increments or work units that, in the aggregate, result in an unrealistic amount of time in a given day.  Granted, some providers are more efficient than others, but at some point multiple procedure time units become excessive and can be statistically sampled to determine whether the individual doctor is within a standard range of services.

Differential Valuations and the Anti-kickback Statute

Monday, April 3rd, 2017

Ambulatory Surgery Case Demonstrates Differential Value Theory of Renumeration

ASC Fraud and Abuse RemunerationA relatively recent case involving buy-in terms in an ambulatory surgery center demonstrates how different valuations for referral sources and non-referral sources can be evidence of remuneration under the Medicare Anti-Kickback Statute (42 U.S.C. § 1320a-7b(a)-(b)).  The case also demonstrates how the initial investment terms that favor referral sources can foreclose reliance on safe harbor regulations.

The case involved an ambulatory surgery center management company what purchased an interest in an ambulatory surgery center.  The company then offered shares of the company for investment to physicians who were in a position to refer surgical cases to the surgery center.  The physician investment was structured to meet the terms of the safe harbor regulations for ambulatory surgery center investments (“ASC Safe Harbors”).  The ASC Safe Harbors provide protection from remuneration that is received by a referring physician as a return on investment as long as the physician meets certain minimum practice revenue and surgical volume requirements. Physician investors must generally receive at least 1/3 of their practice income from the provision of surgical procedures and perform at least 1/3 of their surgical procedures in the center in which they hold an investment interest.

The problem with the way that the investment interest was structured was the different valuation that applied to the purchase that was made by the management company and the investment offer made to the referring physicians.  The management company purchased its investment at a much higher price than was offered to the physicians.  The differential valuation violated a threshold requirement of the safe harbor regulations that prohibits the initial investment interest to be based, in whole or in part, on the volume or value of referrals that the investor might make to the entity.  It was very difficult for the parties to justify the different value applied to physician investment.  The only apparent difference appeared to be that the physician investors were the referral sources for the surgery center.

This case specifically involved an ambulatory surgery center investment but the concept of differential valuation could apply in other situations involving the Anti-Kickback Statute.  Different values paid to or received from referral sources and non-referral sources can suggest that at least one of the reasons for the differential is the volume or value of potential referrals.  This points out a general area of risk assessment for all health care providers.  Areas where different pricing is applied to referral sources and non-referral sources could signify a potential violation of the Anti-Kickback Statute.

Anti-Discrimination Plans/Part D Sponsors

Monday, January 30th, 2017

Anti-Discrimination Rules in Medicare Advantage Plans

42 CFR 422.110, 422.2268(c), 423.2268(c)

Plans/Part D Sponsors may not discriminate based on race, ethnicity, national origin, religion, gender, sex, age, mental or physical disability, health status, claims experience, medical history, genetic information, evidence of insurability or geographic location. Plans/Part D Sponsors may not target beneficiaries from higher income areas or state/ imply that plans are only available to seniors rather than to all Medicare beneficiaries. Only Special Needs Plans (SNPs) and MMPs may limit enrollments to individuals meeting eligibility requirements based on health and/or other status. Basic services and information must be made available to individuals with disabilities, upon request.

Requirements Pertaining to Non-English Speaking Populations Medicare Health Plans

Sunday, January 29th, 2017

Requirements Pertaining to Non-English Speaking Populations

42 CFR 422.111(h)(1), 422.112(a)(8), 423.128(d)(1)(iii), 422.2264(e), 423.2264(e)

All Plans’/Part D Sponsors’ call centers must have interpreter services available to call center personnel to answer questions from non-English speaking or limited English proficient (LEP) beneficiaries. Call centers are those centers that receive calls from current and prospective enrollees. This requirement is in place regardless of the percentage of non-English speaking or LEP beneficiaries in a plan benefit package (PBP) service area. Plans/Part D Sponsors must make the marketing materials identified in sections 30.6, 30.7, 30.9, and the Part D Transition Letter(s) available in any language that is the primary language of at least five (5) percent of a Plan’s/Part D Sponsor’s PBP service area. Final populated translations of all marketing materials must be submitted in HPMS (see section 90.2 for material submission process).

Historically, regardless of the five (5) percent service area threshold, CMS required that all Plans/Part D Sponsors communicated the availability of language assistance services in the fifteen most common non-English languages spoken in the US via the Multi-Language Insert (MLI). The MLI was required to accompany the Summary of Benefits (SB), Annual Notice of Change (ANOC)/Evidence of Coverage (EOC), and the enrollment form. Because Section 1557 of the Patient Protection and Affordable Care Act contains a similar yet more robust requirement, CMS will now defer to the requirements under Section 1557 when it comes to communicating the availability of language assistance services. Plans/Part D Sponsors should consult with the Office for Civil Rights (OCR), the Federal Agency responsible for Section 1557, for questions pertaining to Section 1557 Compliance. In addition, OCR has a Section 1557 resource website that can be accessed at: https://www.hhs.gov/civil-rights/for-individuals/section-1557/index.html

 

John H. Fisher

Health Care Counsel
Ruder Ware, L.L.S.C.
500 First Street, Suite 8000
P.O. Box 8050
Wausau, WI 54402-8050

Tel 715.845.4336
Fax 715.845.2718

Ruder Ware is a member of Meritas Law Firms Worldwide

Search
Disclaimer
The Health Care Law Blog is made available by Ruder Ware for educational purposes and to provide a general understanding of some of the legal issues relating to the health care industry. This site does not provide specific legal advice and you should not use the information contained on this site to address your specific situation without consulting with legal counsel that is well versed in health care law and regulation. By using the Health Care Law Blog site you understand that there is no attorney client relationship between you and Ruder Ware or any individual attorney. Postings on this site do not represent the views of our clients. This site links to other information resources on the Internet; these sites are not endorsed or supported by Ruder Ware, and Ruder Ware does not vouch for the accuracy or reliability of any information provided therein. For further information regarding the articles on this blog, contact Ruder Ware through our primary website.