Topics covered in this issue of the Health Law Update include:
The Centers for Medicare & Medicaid Services (CMS) recently released some 2,000 pages of final rules updating Medicare payment policies and rates for fiscal year 2012 for acute care hospitals under the inpatient hospital prospective payment system (IPPS), long-term care hospitals (LTCH), skilled nursing facilities (SNFs) and inpatient rehabilitation facilities (IRF). An overview and highlights of the respective final rules follow below.
Generally effective for inpatient hospital discharges occurring on or after October 1, 2011, the IPPS final rule, which applies to acute care hospitals and LTCHs, is slated for publication in the August 18 Federal Register.
IPPS Payment Rate
Payments for inpatient stays in acute care hospitals will increase by 1.0 percent in FY 2012. This compares favorably to the proposed rule’s 0.5 percent rate reduction. The increase in reimbursement, as compared to the proposed rule, is due largely to CMS’s adoption of a 1.15 percent lower documentation and coding adjustment. The adjustment is designed to offset diagnosis-related group (DRG) creep resulting from better documentation rather than from actual increases in patients’ illness severity. Hospitals not providing quality data to CMS, however, will see a rate reduction of 1.0 percent.
Wage Index
In response to comments, CMS reversed its position from the proposed rule and will extend the “imputed” wage index floor policy that creates a rural hospital wage index floor in states that do not have any rural hospitals. The final rule also changed how pension costs are reported to Medicare for wage index and cost-finding purposes.
Add-On Payments
CMS did not approve any new, temporary add-on payments for the inpatient use of new technologies, but is extending the new technology add-on payment for a focused laser interstitial thermal therapy for brain tumors.
Medicare provides an add-on payment to hospitals that provide inpatient dialysis treatment to a high proportion of end-stage renal disease (ESRD) beneficiaries. The final rule clarifies that for purposes of ascertaining ESRD add-on payments, discharges of all Medicare Part A beneficiaries, including Medicare Advantage patients, will be used to determine the proportion of beneficiaries with ESRD.
Three-Day Window
CMS “clarified” that the three-day payment window (one-day payment window for LTCHs and certain other PPS-exempt hospitals) requires the bundling of certain preadmission services furnished to a patient at physicians’ practices that are wholly owned or wholly operated by the admitting hospital, into the DRG payment.
Under Arrangements
Hospitals may bill and receive payment for certain inpatient services provided “under arrangements” with third parties. Under the final rule, routine services such as room and board, nursing services and ICU services may be provided under arrangements only on the hospital’s premises where the patient is being treated. A hospital, however, may contract with an outside entity to provide therapeutic and diagnostic services under arrangements.
In the hospital within a hospital (HwH) context, CMS permits the furnishing of certain services (e.g., food and dietetic services, housekeeping and maintenance and other physical environment services) to be provided under arrangements to an HwH by the host hospital or by an entity that controls both hospitals. Such services, however, will be disallowed by CMS if the HwH inpatient is moved to another hospital.
Disproportionate Share Hospital and Indirect Medical Education Payments
Hospice bed days will be excluded from the calculation of patient days and beds to compute disproportionate share hospital and indirect medical education payments under the final rule. CMS’s rationale for the change is that hospice patients do not receive acute care services.
Readmission Reduction Program
The final rule implements the Hospital Readmissions Reduction Program (RRP) required by the Patient Protection and Affordable Care Act (PPACA). RRP was designed to provide hospitals with an incentive to improve care coordination. Beginning with discharges on or after October 1, 2012, CMS will reduce payments to hospitals that have excessive readmissions within 30 days of discharge for selected conditions. The final rule adopts measures for rates of readmissions for acute myocardial infarction, heart failure and pneumonia.
Global Per Admission Spending Performance Measure
CMS adopts a global per admission spending performance measure for use in both the hospital inpatient quality reporting program and the hospital value-based purchasing program in the final rule. The new measure, which will affect payments beginning in October 2013, will assess Part A and Part B beneficiary spending during a period that begins three days prior to a hospital admission and ends 30 days after discharge. The final rule is an improvement for hospitals as CMS had originally proposed ending the period 90 days after discharge.
Inpatient Quality Reporting
The agency also has made a number of changes to the Hospital Inpatient Quality Reporting Program in the final rule. CMS (1) retired four measures beginning with January 1, 2012, discharges (three adult smoking cessation counseling measures and a measure related to the timing of receipt of the initial antibiotic dose following arrival at the hospital); (2) suspended data collection for four measures, starting with January 1, 2012, discharges (aspirin upon arrival, ACEI/ARB for left ventricular systolic dysfunction, beta-blocker prescribed at discharge and appropriate hair removal); (3) added four healthcare-associated infection measures, one for FY 2014 and three for FY 2015 (catheter-associated urinary tract infection for 2014 and influenza vaccination coverage among healthcare personnel, methicillin-resistant Staphylococcus aureus (MRSA) bacteremia and C. difficile standardized infection ratio for 2015); (4) added a measure for participation in a registry for general surgery for FY 2014; and (5) added a series of stroke and venous thromboembolism measures for FY 2015.
Hospital-Acquired Conditions
CMS decided not to follow its proposal to add a new hospital-acquired condition (HAC) in FY 2012 for contrast-induced acute kidney injury. The agency also added two new ICD-9-CM diagnosis codes to the falls and trauma HAC category, two new codes to the surgical site infection following certain bariatric procedures HAC category and one new code to the deep vein thrombosis and pulmonary embolism following certain orthopedic procedures HAC category.
LTCH Payment Rate
For FY 2012, LTCH payments will be updated by a net increase of 2.5 percent due to a 1.8 percent payment rate increase and other policy changes. The final rule also implements a LTCH pay-for-reporting program beginning in October 2012 and a 2.0 percent payment penalty for nonreporting beginning in October 2013 for three quality measures: catheter-associated urinary tract infection, central line catheter-associated bloodstream infections and new or worsening pressure ulcers.
Under the final SNF rule, scheduled for publication in the August 8 Federal Register, SNFs will sustain a 12 percent payment reduction. Largely due to a recalibration of case-mix levels, the decrease in SNF payments for FY 2012 is specifically comprised of an 11.1 percent reduction for the recalibration, a 2.7 percent market-basket increase and a 1.0 percent productivity cut required under PPACA. The therapy reporting rules also were enhanced by CMS in the final SNF rule to more accurately link therapy and payment levels. Finally, group therapy payment now will be allocated based on the number of patients in the group, with group size limited to four patients.
Due for publication in the August 5 Federal Register, the IRF final rule includes a net payment increase of 2.2 percent above FY 2011 levels. A quality reporting system that requires IRFs to submit data on catheter-associated urinary tract infections and new or worsening pressure ulcers also will be implemented by the final IRF rule. Beginning in FY 2014, IRFs that do not submit the quality measure data will receive a 2.0 percent payment reduction. In a change from the proposed IRF rule, CMS froze the facility-level adjustments at FY 2011 levels for one additional year to study the current methodologies.
For more information about the final rules or for assistance in drafting and submitting your comments to CMS, please contact Robert M. Wolin at 713.646.1327.
The U.S. Department of Labor (DOL) recently conducted a public forum to address questions and concerns about how to implement changes made by PPACA to the Fair Labor Standards Act. PPACA requires that employers with more than 200 full-time employees automatically enroll new full-time employees in one of the employer’s health plans, provide notice of enrollment and allow employees to opt out of coverage. The automatic enrollment requirement will significantly impact the way many employers provide healthcare to their employees and will undoubtedly increase participation in employer-sponsored plans.
Forum panelists discussed a number of approaches to defining a “full-time employee,” agreeing that employer flexibility will be essential, while also recognizing a need to coordinate the definition of full-time employee with other PPACA provisions that rely on a 30-hour benchmark. Panelists considered a “look-back” approach (allowing employers to enroll employees not initially expected to qualify as full-time on the date of hire), a “reasonably-expects” standard (based on the number of hours an employee is expected to work at the time of hire) and a “maximum flexibility” standard (permitting employers to define full-time employee based on the unique circumstances of their workforce).
Panelists agreed that employees should be auto-enrolled in an employer’s lowest premium, self-coverage option. Further, an initial election to opt out should be continued or “rolled over” each year, unless an affirmative change is made, in order to prevent the need for employees to opt out each year. The automatic enrollment notice should be easy to understand and should detail the premium amount, the payroll deduction process, additional coverage options and the available opt-out procedures, among other items. Finally, the opt-out period should provide sufficient time for employees to determine their coverage needs, but not create unwieldy administrative burdens for employers due to refunds or ongoing enrollments and disenrollments.
Although no guidance has yet been released on the PPACA requirement, the forum’s questions and discussion offered employers an insight into the issues the DOL is considering and areas for which guidance may be forthcoming. Employers are not required to institute the auto-enrollment features until the implementing regulations are issued.
For more information, please contact Jennifer A. Mills at 216.861.7874, Leigh Ann Wilson at 614.462.2603 or Tasia E. McIntyre at 614.462.4736.
According to a recently released opinion letter by the DOL’s Equal Employment Opportunity Commission (EEOC), employers must ensure that strict confidentiality and separation are provided for personnel records containing personal medical information, and that occupational health information must not be intermingled in an electronic health record (EHR) of an individual patient. Given that the Health Insurance Portability and Accountability Act (HIPAA) normally exempts employment records from the scope of its privacy and security requirements, why should healthcare providers and health plans be concerned by this EEOC opinion?
There are two important reasons. First, healthcare providers and health plans are themselves employers and should be concerned with maintaining strict confidentiality of medical information maintained in their employees’ personnel files. Second, while HIPAA exempts “employment records” from application of the HIPAA Privacy and Security Standards applied to protected health information (PHI), the EEOC states that personal health information maintained for medical purposes (e.g., PHI) and occupational (or work-related) medical information should not be maintained in a single EHR, and the latter information clearly is subject to strict confidentiality requirements under both the Americans with Disabilities Act (ADA), and the Genetic Information Nondiscrimination Act (GINA). Therefore, providers, health plans and employers should adopt appropriate restrictions and separation with respect to EHRs that contain both types of health information.
The question often is asked by employers, “do HIPAA’s privacy and security regulations apply to the medical information in our Human Resources Department personnel files?” As far as it goes, the answer under HIPAA is “no.” Employment records held by a covered entity (or by an employer) are excluded from the definition of PHI under 45 C.F.R. § 164.103. (Note, however, that enrollment, treatment, payment and related records of an employer-sponsored health plan are deemed to be PHI under HIPAA, if individually identifiable.) However, as the recent EEOC opinion letter states, the prohibitions under ADA and GINA with respect to asking or inquiring about certain aspects of the health status of an employee or potential hire apply equally to paper and electronic health records as they do to verbal questions asked in an interview.
The opinion letter, written by the EEOC Office of Legal Counsel, states, “[a]ccessing an individual’s medical records directly is no different from asking an individual for information about current health status, which the Commission considers a request for [disability or] genetic information where it is likely to result in the acquisition of such information, particularly family medical history.” Therefore, employers must respect the confidentiality of all medical information maintained for employment purposes, whether an EHR or paper medical record, and be careful when seeking authorization from employees to access their EHR or other medical records for work-related purposes. If done in an inappropriate way related to obtaining disability or genetic information regarding a job applicant or current employee, such access can run afoul of the confidentiality and nondiscrimination provisions under ADA and GINA. The EEOC opinion letter makes clear that employers must ensure that personal health information about applicants or employees cannot be accessed, except under the circumstances and to the extent permitted under ADA and GINA.
The result of the EEOC opinion effectively requires that employers should, if not already doing so, take steps to ensure that: (1) various types of medical information about employees sought or maintained for purposes of disability determinations, work-related functions or accommodations, FMLA and other types of medical leave, are obtained lawfully in compliance with ADA, GINA and state confidentiality and nondiscrimination laws, and (2) medical information contained in employment files is segregated into confidential areas (whether paper or electronic) with access rights restricted only to such lawful purposes, as opposed to general access rights typically afforded to a wider range of management and human resources personnel.
The EEOC opinion letter also states that when personal health information (read: PHI) is maintained together with occupational health information in a single EHR or paper medical record, particularly one that allows someone with access to the EHR or paper record to view any information therein without restriction, a real possibility of a violation of ADA or GINA exists if the purpose of such access is prohibited under such laws. Thus, healthcare providers and health plans, both in their capacity as HIPAA-covered entities and in their capacity as employers, need to ensure appropriate separation and access controls exist with respect to both PHI and employment/occupational health information maintained in paper or electronic form. Failure to do so could result in potential liability under ADA and GINA, as well as the more typical risk of a “breach” under HIPAA’s requirement to notify patients when their medical records have been accessed or acquired in an unauthorized, or illegal, manner.
For more information, please contact John S. Mulhollan at 216.861.7484.
Residents of the state of Texas recently received additional protections when Governor Rick Perry signed a measure into law protecting patients’ data in EHRs and increasing penalties for violation of the healthcare privacy laws. The new law is effective September 1, 2012.
Since the passage of the Health Information Technology for Economic and Clinical Health Act (HITECH) in September 2009, healthcare providers and other covered entities have reported thousands of privacy breaches pursuant to HITECH to the Office of Civil Rights (OCR). HITECH defines a healthcare data breach in the electronic age and specifies requirements that covered entities must follow in response to a breach, including investigation, notification and reporting. Once a breach is identified, HITECH requires a covered entity to conduct an investigation and a risk of harm analysis, determine to whom and how a breach notification should be made, and report to the OCR either at the time of the breach or in an annual report. The federal government recently has trained the states’ attorneys general in HITECH specifics, increasing the states’ enforcement activity. In response, many states have adopted HIPAA and HITECH outright or stricter privacy and data breach laws. The Texas legislation follows this trend of states enacting state-level privacy laws that generally follow HITECH, for the protection of consumers’ electronic PHI and breach notification following unauthorized access.
The Texas law expands privacy rights contained in HIPAA, mandates stricter training requirements for covered entities, enacts harsher penalties for the wrongful disclosure of PHI and develops additional state level agencies to address and enforce healthcare privacy laws in Texas. Under the new Texas statute, covered entities, such as hospitals, physicians, health plans, healthcare clearinghouses and their business associates, are required to comply with the federal HIPAA privacy standards. According to the preemption provision in HIPAA, this stricter Texas law will apply to all covered entities in the state. Adopting HIPAA, the new law states that an individual’s PHI may not be disclosed without the patient’s authorization, except for purposes of treatment, payment, healthcare operations, insurance purposes, and as otherwise authorized by state or federal law. Covered entities must provide notice to patients of their policies on their website or other prominent place where patients will see it. The law also requires that a covered entity provide an ongoing training program to its workforce covering state and federal law on PHI as it relates to their scope of employment. Such training is to be customized to each employee’s scope and duties at the covered entity. Each employee shall receive training once every two years, and each new employee must complete privacy training within 60 days of hire. The covered entity is to maintain signed documentation of the employees’ attendance at training.
The legislation increases the penalties for the wrongful disclosure of PHI, including monetary penalties, criminal penalties and potential loss of professional and institutional licenses. The civil penalties have been increased to $5,000 per negligent violation, $25,000 per knowing or intentional violation and $250,000, if knowing or intentional and the disclosure is for financial gain. The law allows a safe harbor capping the penalties at $250,000, if the disclosure was made to another covered entity, was encrypted, the recipient did not use or release the PHI, and the covered entity has developed and implemented security policies, including training of employees. While this may not seem like much of a safe harbor, the maximum penalty for repeat offenders is increased to $1.5 million. Further, a healthcare provider’s professional or institutional license may be revoked for repeated violations under the new law, and the covered entity also may be excluded from state-funded healthcare programs, such as Medicaid and the Children’s Health Insurance Program. The following are considered when assessing penalties: (1) the seriousness of the violation, (2) the covered entity’s compliance history, (3) significant risk of harm to the individuals, (4) certification of the covered entity, (5) the amount necessary to deter further violations, and (6) efforts to correct the problem. The law also strengthens penalties when a person or entity fails to appropriately notify affected individuals of unauthorized access of their personal information to $100 per each consecutive day for each affected individual, not to exceed $250,000, and creates a felony for theft of PHI taken electronically.
The Texas law puts into place a regulatory framework with the Texas Health and Human Services Commission, Texas Health Care Authority, Texas Department of Insurance and the Texas Attorney General’s office having audit authority to ensure privacy compliance. The Attorney General is charged with setting up a compliance system and privacy information website, already seen in several other states. The Texas Health Care Authority is charged with developing standards for electronic sharing of PHI in compliance with HIPAA/HITECH, to ensure security maintenance and disclosure of records. The legislation also establishes infrastructure to allow covered entities to be certified by the state as compliant with HIPAA and the new state privacy and security standards.
Much of the Texas law tracks HIPAA/HITECH requirements verbatim. In some instances, the Texas law goes further and is stricter than HIPAA/HITECH in scope and in enforcement. Taken in conjunction with existing Texas law, the HIPAA/HITECH risk of harm analysis is not included as part of the breach determination, instead requiring notification “as quickly as possible” when electronic data is breached, regardless of the potential harm. The breach notification requirements under the Texas law apply to any business in Texas that wrongfully discloses PHI, not just HIPAA Covered Entities and Business Associates. Further, the employee training requirements expand HIPAA, which does not require ongoing training of employees but only training within a reasonable time after hire and when any material change in privacy policies and procedures is made. The Texas training requirement also must be tailored to the employee’s role in the organization, which is more burdensome than the HIPAA requirement.
Overall, the new Texas healthcare privacy law adopts the standards enacted under HIPAA/HITECH and expands the law in key areas. The law mandates stricter training requirements for covered entities, enacts harsher penalties for the wrongful disclosure of PHI and develops additional state infrastructure to address and enforce healthcare privacy laws in Texas. Covered entities in Texas and those doing business with Texas residents face stricter privacy and data breach requirements with state and federal regulatory agencies working in concert.
If you need assistance with HIPAA/HITECH or state privacy law compliance, please contact Lynn Sessions at 713.646.1352 or John S. Mulhollan at 216.861.7484.
Join us for a Webinar on Wednesday, August 10, 2011, 1:00 - 2:00 PM EST
With multimillion-dollar penalties assessed against healthcare institutions and the exponential increase in the use of mobile technology within the healthcare industry, HIPAA/HITECH regulations have created a minefield of compliance issues. This informative webinar, which highlights insights from data breach experts Jerry Ferguson, Lynn Sessions, John Mulhollan and Craig Hoffman, will assist in-house counsel, compliance, risk management and IT officers in forming a strong response to a data breach incident. In addition, our speakers will offer timely, practical tips and processes that can help covered entities and business associates prevent a data breach in the first place.
Baker & Hostetler LLP publications are intended to inform our clients and other friends of the Firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience. © 2011 Baker & Hostetler LLP
Editor: Policy Analyst Kathleen P. Rubinstein, MPA, 713.276.1650
ABOUT BAKER HOSTETLER’S NATIONAL HEALTHCARE TEAM
Baker Hostetler is at the forefront of national law firms providing clients involved in every facet of healthcare delivery across the country with comprehensive legal counsel of remarkable responsiveness, creativity, quality and value. We understand the unique needs of the industry, and are dedicated to helping clients achieve their strategic and operational goals and resolve day-to-day operating issues through our experience, knowledge and national perspective. Supported by more than 700 attorneys and professionals in 11 cities coast to coast, our multi-disciplinary Healthcare Team offers clients nationwide strength across a diverse array of practice areas including Medicare and Medicaid reimbursement, regulatory compliance, fraud and abuse counseling, government investigations, subpoenas and audits, FDA, pharmaceuticals and biotechnology, tax and exempt organization laws, export controls, ERISA, management labor and employment, finance and business transactions, antitrust, lobbying, commercial litigation, healthcare operations, HIPAA/HITECH and data breaches, among others.