Topics covered in this issue of the Health Law Update include:
In a move that resembles action successfully taken by the American Bar Association last year, three prominent professional physician associations have filed suit in federal court in the District of Columbia, challenging the applicability of the Federal Trade Commission’s (FTC) Identity Theft Prevention Program, or Red Flags Rule, to their members. After numerous administrative delays, enforcement of the FTC Red Flags Rule is set to commence June 1, 2010. Physicians, hospitals and other types of healthcare providers have been characterized by the FTC as “creditors” subject to the Rule’s requirement that covered persons undertake an identity theft risk assessment and implement policies and procedures designed to detect, prevent and mitigate potential and actual identity theft occurrences. Most hospitals and other institutional providers that regularly extend deferred payment and similar personal financial transactions, have already implemented Identity Theft Prevention policies and procedures to comply with the Red Flags Rules. The current lawsuit, filed by the American Medical Association, the American Osteopathic Association and the Medical Society for the District of Columbia, seeks declaratory and injunctive relief, arguing that the FTC exceeded its statutory authority under FACTA (the Fair and Accurate Credit Transactions Act) and failed to follow proper administrative rulemaking procedures. The suit, referencing the same court’s decision which blocked enforcement of the Red Flags Rule against lawyers, argues that regulation of professions is traditionally left to the states and Congress clearly would have indicated if it had intended physicians to be considered “creditors” under the Red Flags Rule statutory mandate.
For more information, please contact John S. Mulhollan,
Hidden hard drives in ordinary office and clinical equipment, if not carefully managed, can create patient privacy violations that may subject providers and their business associates to fines and penalties. Digital copiers, fax machines and multifunction printers, copiers and scanners built since 2002 contain hard drives much like those in a computer. These hard drives automatically store images of all of the documents copied, scanned or faxed by a provider. Additionally, in some cases, the activity of one of these machines linked to an unsecured network may be downloaded easily from the Internet. As a result, stored images on the hard drives of office and clinical equipment can create significant privacy compliance concerns for the healthcare industry. For example, Affinity Health Plan recently notified the media and more than 400,000 employees, providers and members that their personal information may have been breached as a result of information contained on a copier hard drive returned to an equipment lessor. A recent CBS station’s investigative reporter also found medical records on an old copier hard drive that a recycler was dismantling in the San Francisco area.
The information contained on the hard drives and other media buried in office and clinical equipment poses security and privacy risks under HIPAA, state medical privacy laws and state computer data security laws. The HIPAA Privacy Rule, as well as other state and federal laws, require providers to protect an individual’s personal health and identity information from unauthorized disclosure and access. These laws also require that providers institute safeguards to preclude the disclosure of this information without proper authorization.
The HIPAA Security Rule requires providers to implement policies and procedures to control the receipt and removal of hardware and electronic media that contain electronic protected health information from a facility, and to control the movement of these items within the facility. It also necessitates that policies and procedures be implemented to address the final disposition of electronic protected health information and/or the hardware or electronic media on which it is stored.
Should a breach of unsecured protected health information occur, the HITECH Act regulations, in most cases, require a covered entity to notify the affected individuals and the Secretary of the U.S. Department of Health and Human Services (HHS) following the discovery of a breach. If more than 500 residents of a state are affected, the news media also must be notified. To assist in preparing digital media for final disposition, the HHS Office for Civil Rights (OCR) has issued guidance specifying which technologies and methodologies OCR deems appropriate for rendering protected health information unusable, unreadable or indecipherable. Consequently, care must be taken to assure data privacy when office and clinical equipment are removed from a provider’s facility, either for servicing or final disposition. With regard to leased office machines not within the provider’s control, staff must be notified and trained not to copy sensitive information on such equipment unless adequate precautions are taken to assure that sensitive information is not retained on the hard drive. Similarly, agreements entered into by providers with service companies and equipment lessors need to assure that such vendors will train their representatives on the provider’s privacy obligations and will take precautions to avoid a privacy breach.
For more information, please contact Robert M. Wolin,
The Centers for Medicare and Medicaid Services (CMS) recently advised providers that, pursuant to the Patient Protection and Affordable Care Act (PPACA), Medicare fee-for-service (FFS) claims with dates of service on or after January 1, 2010 that are received later than one calendar year beyond the date of service will be denied by Medicare.
Prior to PPACA, providers were permitted to submit claims for services furnished during the first nine months of the calendar year on or before December 31st of the following calendar year. For services furnished during the final three months of the calendar year, the provider could submit claims on or before December 31st of the second following year. PPACA reduces the maximum time for submission of all FFS claims to one calendar year after the date of service.
Furthermore, in accordance with section 6404 of PPACA, claims with dates of service before January 1, 2010 must be filed with Medicare contractors no later than December 31, 2010. Although CMS states that claims with dates of service prior to October 1, 2009 are subject to pre-PPACA filing rules, the December 31st deadline effectively applies to these claims because the dates of service fall within the first nine months of 2009. Thus, they must be submitted by December 31st of the following calendar year, or December 31, 2010.
CMS asserts the following system edits will apply:
Date of Service of Claim
Claims Denial Deadlines
One exception currently exists for the timely filing limitations: an “error or misrepresentation” of an employee, Medicare contractor or agent. CMS intends to issue further instructions if additional exceptions are adopted.
For more information, please contact Gregory N. Etzel,
Implementing Medicare hospital payment changes required by PPACA for FY 2011, CMS recently posted a display copy of a proposed supplemental rulemaking (Supplemental Rule) to its annual update issued April 19, 2010, for inpatient prospective payment system (IPPS) hospitals and long-term care hospitals (LTCHs). (For more information, please see the April 29, 2010, issue of the Health Law Update.)
According to CMS, PPACA payment changes contained in the Supplemental Rule will result in (1) a reduction of $820 million in aggregate payments across all IPPS hospitals; (2) a $13 million increase in payments to LTCH hospitals; (3) a slight increase in the proposed outlier thresholds for both; and (4) $400 million in payments for FY 2011 and 2012 for qualifying hospitals located in counties that rank, based on adjusted Medicare spending per beneficiary, among the lowest quartile in the country.
Other PPACA changes in the Supplemental Rule include improvements to the low-volume hospital adjustment and the wage index related to geographic reclassification. Programs extended under the Supplemental Rule include: (1) the Rural Community Hospital Demonstration Program (five years); (2) the Medicare Dependent Hospitals (MDHs) program (through October 1, 2012); and (3) certain requirements under the Medicare, Medicaid and SCHIP Extension Act of 2007 (MMSEA) affecting LTCH satellite facilities and co-located LTCHs (two years). The application of a specific payment adjustment for short stay outlier discharges from LTCHs and a one-time adjustment to the LTCH PPS rates also were given a two-year extension.
The proposed Supplemental Rule is slated for publication in the June 2, 2010 issue of the Federal Register. The deadline for comments is June 21, 2010. According to the agency, CMS will review these comments along with comments received on the April 19, 2010, IPPS/LTCH PPS proposed annual rulemaking and respond to all comments in its final rule.
Also scheduled for publication in the June 2, 2010, Federal Register is a CMS notice implementing PPACA-mandated payment reductions for IPPS hospitals and LTCHs for FY 2009, effective for discharges on or after April 1, 2010.
Houston partner Susan Feigin Harris will speak on “Health Care Reform—What’s Next” at the State Bar of Texas Annual Meeting in Fort Worth, Texas.
Baker & Hostetler LLP publications are intended to inform our clients and other friends of the Firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience. © 2010 Baker & Hostetler LLP
Subscribe to Baker Hostetler’s Health Law Update
EDITORPolicy AnalystKathleen P. Rubinstein, MPAkrubinstein@bakerlaw.com713.276.1650
NATIONAL CO-LEADERSThomas W. Kahletkahle@bakerlaw.com513.929.3414
Christopher J. Swiftcswift@bakerlaw.com216.861.7461
CHICAGORonald S. Okadarokada@bakerlaw.com312.416.6210
CLEVELANDSteven A. Eisenbergseisenberg@bakerlaw.com216.861.7903
John S. Mulhollanjmulhollan@bakerlaw.com216.861.7484
Emily E. Williamseewilliams@bakerlaw.com216.861.7373
Thomas S. Campanellatcampanella@bakerlaw.com216.861.6551
Susan Whittaker Hughesshughes@bakerlaw.com216.861.7841
COLUMBUSRichard W. Siehlrsiehl@bakerlaw.com614.462.2639
COSTA MESAGeorge T. Mooradiangmooradian@bakerlaw.com714.966.8800
DENVERDavid B. Wallerdwaller@bakerlaw.com303.764.4093
HOUSTONRobert M. Wolinrwolin@bakerlaw.com713.646.1327
Susan Feigin Harrissharris@bakerlaw.com713.646.1307
Donna S. Clarkdclark@bakerlaw.com713.646.1302
B. Scott McBridesmcbride@bakerlaw.com713.646.1390
Gregory N. Etzelgetzel@bakerlaw.com713.646.1316
Krista M. Barneskbarnes@bakerlaw.com713.646.1352
Sameer V. Mohansmohan@bakerlaw.com713.646.1309
Summer D. Swallowsswallow@bakerlaw.com713.646.1306
Tiffany D. Reyestdreyes@bakerlaw.com713.646.1357
LOS ANGELESNeil Carreyncarrey@bakerlaw.com310.442.8835
James D. Figurajfigura@bakerlaw.com310.979.8462
NEW YORKJohn J. Carneyjcarney@bakerlaw.com212.589.4255
ORLANDOG. Thomas Balltball@bakerlaw.com407.649.4004
Richard W. Siehlrsiehl@bakerlaw.com407.649.4076
WASHINGTON, DCTerry Connertontconnerton@bakerlaw.com202.861.1613