360 likes | 701 Views
OIG Risk Areas: Reserved Bed Arrangements & HIPAA. AHCA Compliance Webinar Series August 25, 2009 Ken Burgess, Poyner Spruill Jennifer Gimler Brady, Potter Anderson Corroon LLP. Where We’ve Been. Mechanics of compliance program Compliance committee/officer Boards of Directors
E N D
OIG Risk Areas: Reserved Bed Arrangements & HIPAA AHCA Compliance Webinar Series August 25, 2009 Ken Burgess, Poyner Spruill Jennifer Gimler Brady, Potter Anderson Corroon LLP
Where We’ve Been • Mechanics of compliance program • Compliance committee/officer • Boards of Directors • Auditing and monitoring systems • Corporate philosophy statements • Compliance “risk areas” per OIG • Anti-Kickback, False Claims, resident safety • With section on auditing/monitoring sample
Today • Reserved bed arrangements • Potential for Anti-Kickback violations • And Medicare provider agreement violation • HIPAA • Privacy primarily • Focus on new HITECH provisions
Reserved Bed Arrangements • Payments or items of “in-kind” exchange to reserve beds for hospital patients • Especially with higher acuity residents • Or in areas with limited SNF beds • OIG Supplemental Guidance identifies this as potential risk area under federal Anti-Kickback statute • No items of value in exchange for referrals of federal program health care business
Reserved Bed Arrangements • Two resources / sources of reference and legal requirements • OIG 2008 Supplemental Guidance • CMS Provider Reimbursement Manual, section 2105.3 • Site: http://www.cms.hhs.gov/Manuals/PBM
Reserved Bed Arrangements • Per both, these are permitted • IF price or exchange value not based on value or volume of referrals from SNF to hospital • Potential for disguised kickback if: • Double dipping by SNF – bed already occupied • Reserve more than hospital really needs • Payments = excessive – more than costs SNF to hold bed or than SNF would lose by holding bed based on its occupancy and resident acuity mex
Reserved Bed Arrangements • Per OIG, these should be entered into only when hospital has legitimate need • Tip: records of monthly admissions by hospital, length of waits, local areas census, hospital’s difficulty with placement • May not be used based on future referrals from SNF to hospital • “I pay you X and you send me your hospital business”
Best Source for Specifics: PRM Section 2105.3 • Accepting a bed reservation payment for an occupied bed violates prohibition on accepting payment established for Medicare or Medicaid program • Violation of federal regs and your provider agreement • Doesn’t change rule in charging for “luxury items”
Specific Examples of Permitted & Impermissable BRAs • May only pay for days bed is vacant • May not also charge for difference in program payment and a higher reservation fee established by the agreement • So once bed is occupied, no further payment under agreement for that bed except “luxury items” as with any occupied bed
Specific Examples of Permitted & Impermissable BRAs • Need to establish reservation fee based on cost to SNF of holding the bed • Or amount SNF would reasonably lose by holding the bed (normal charge?) • Based occupancy rates • And resident acuity • Tip: establish as part of agreement some basis for fee that considers these and other potentially relevant factors so its objective
Specific Examples of Permitted & Impermissable BRAs • In-kind exchanges: • Permitted if offered to all residents of SNF and not just those in reserved beds or during period a reserved bed is occupied • Hospital gives RN to SNF • Must be full time and available to all residents • Not just “reserved bed” patients or when those beds are occupied
Specific Examples of Permitted & Impermisable BRAs • Free pharmacy, lab, radiology services • Free in-service education to SNF staff • Or discounted charges to SNF for these same services • Or others following these guidelines • These are only examples so you can be creative within these parameters • The PRM also addresses how these costs are reported by SNF/hospital on cost reports
Auditing & Monitoring for Reserved Bed Arrangements • Detailed sample in webinar materials • Look at: • Are we doing these agreements? • What do our contracts say vis-à-vis these guidelines in PRM / OIG Guidance? • Is legal counsel reviewing/approving? • Are we following those contracts in practice? • Is someone monitoring these periodically?
Auditing & Monitoring for Reserved Bed Arrangements • Who, by title, is responsible for executing and monitoring these agreements? • Are we interviewing SNF and hospital staff to ensure we are following, in practice, what our contracts say? • Are our billing/cost reporting folks properly recording or not recording these costs per the PRM’s guidelines?
Auditing & Monitoring for Reserved Bed Arrangements If these “audits” find problems, are we revising policy/procedure, sharing with compliance officer & committee and reporting this, via compliance officer, to Board of Directors along with any corrective actions and monitoring of those periodically? Are we then making sure these changes are passed back to operations for implementation?
HIPAA Privacy Rule Requirements General principle for uses and disclosures Permitted uses and disclosures To the individual Treatment, payment, health care operations Opportunity to agree or object Public interest and benefit Required by law Public health activities Victims of abuse, neglect or domestic violence Judicial and administrative proceedings
HIPAA Administrative Requirements Privacy policies and procedures Workforce training and management Mitigation Data safeguards Retaliation and waiver Documentation and record retention
HIPAA Authorized Uses and Disclosures Authorization required unless specifically exempted Psychotherapy notes – release requires authorization except Originator may use in treatment, training, certain legal proceedings, and to avert serious and imminent threat to public health or safety
HIPAA Notice and Other Individual Rights Privacy practices notice Access Amendment Disclosure accounting Restriction request
HIPAA Business Associates Definition: a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of protected health information Contract: the Privacy Rule requires that the covered entity include certain protections for the information in a business associate agreement
HIPAA Security Rule Requirements General principle – protect confidentiality of electronic PHI Required specifications Addressable specifications Compliance process Assess Evaluate Implement Document Review Enforcement by Office of Civil Rights, as of August 2009
HITECH Act Health Information Technology for Economic and Clinical Health Act Passed February 2009 Enhances privacy and security requirements Changes enforcement structure Increased sanctions for violations Explicit authority for state AGs to pursue private claims on behalf of individuals Creates new obligations for breach notification, information sharing and business associate relationships
HITECH Notification Requirements Expands obligation to contact individuals affected by a breach Applies only to unsecured protected health information Any breach must be reported to individuals where information is reasonably believed to have been accessed, acquired or disclosed Must be made within 60 days of breach discovery
HITECH Notification Requirements Notice should include as much of the following information as possible Description of what happened Dates of breach and discovery Types of information involved Steps to take to protect against improper use Actions taken in response to breach Contact information for individuals to follow up
HITECH Notification Requirements New methods of notice required First class mail unless individual specified email If contact information unavailable for 10 or more individuals, must post publicly Home page of Web site Notice in print or broadcast media Breaches must be documented and submitted annually to Secretary of HHS Breaches impacting 500 or more individuals requires immediate notification to HHS If within the same state or jurisdiction, must notify major media outlets
HITECH Notification Requirements: Secured Health Information Does not apply to secured health information Encrypted so as to be unusable, unreadable or indecipherable Subject to existing HIPAA rules Encryption must be developed or endorsed by organization accredited by American National Standards Institute Switching to encryption should be considered
HITECH Business Associates All privacy requirements also apply to business associates that obtain or create protected health information Requirements must be incorporated into contracts Violations will be subject to civil and criminal penalties under the Social Security Act Effective no later than February 17, 2010 Must notify covered entity of information breaches within 60 days of discovering breach
Restrictions on Data Use If payment is out-of-pocket, individual has right to request that no information be disclosed Disclosure should be as limited data set – minimal identifying information or only what is necessary Accessing electronic health records must be tracked – individual can request up to three years of history Authorization required for use of any information for which entity receives direct or indirect payment
HITECH Penalties Penalties significantly enhanced Four-tiered liability system Inadvertent violation – $100-$50,000 Willful neglect that goes uncorrected – up to $50,000 for each case with an annual cap per entity of $1.5 million State AGs can bring actions on behalf of residents – $100 per violation, up to $25,000 annually, plus attorneys’ fees Penalties already in effect
To reach us: Jennifer Gimler Brady Direct dial: (302) 984-6042jbrady@potteranderson.com Potter Anderson & Corroon LLP1313 North Market StreetPO Box 951Wilmington, DE 19899-0951www.potteranderson.com