350 likes | 566 Views
Regulatory Issues Facing Community Providers IACP Webinar – March 11, 2015. Rebecca A. Brommel: brommel@brownwinick.com Michael E. Jenkins: jenkins@brownwinick.com Catherine C. Cownie: cownie@brownwinick.com Adam J. Freed: freed@brownwinick.com Website: www.brownwinick.com
E N D
Regulatory Issues Facing Community ProvidersIACP Webinar – March 11, 2015 Rebecca A. Brommel: brommel@brownwinick.com Michael E. Jenkins: jenkins@brownwinick.com Catherine C. Cownie: cownie@brownwinick.com Adam J. Freed: freed@brownwinick.com Website: www.brownwinick.com BLOG: www.brownwinick.com/BLOGHealthLaw
Department of Inspections & AppealsInvestigations and Procedures
Citations Generally • Where do citations come from? • Surveys • Complaint Investigations • Self-Reporting • Who investigates? • DIA – Health Facilities Division
Types of Violations • Class I – imminent danger or substantial probability of resultant death or physical harm • Class II – direct or immediate relationship to health, safety or security but no imminent danger nor substantial probability of resultant death or physical harm • Class III – not classified as I or II
Penalties • Class I - $2,000 to $10,000; double if intentional act by facility • Class II - $100 to $500; may be waived upon request if corrected within time specified in citation and if specified criteria are met • Class III – no penalty unless not corrected within the time specified; $50 per day • Fines can be trebled for repeated violations of Class I or II occurring within 12 month period • No citation if self-identify and correct a Class II or III violation, except for those involving abuse, personnel histories, failure to implement physician’s orders, failure to notify physician of accident, injury, or adverse change, failure to administer medications as ordered, failure to meet fire safety rules • Fines reduced by 35% if do not request formal hearing or if withdraw request for hearing within 30 days after penalty assessed and it’s paid within 30 days of receipt and notice
Step 1: Respond to Citation • Within 20 days • Notify that you seek informal conference or to contest citation • Or, if not contesting, remit fine amount • If Class II or III – written response acknowledging receipt and providing statement or plan of correction
Step 2: Informal Conference • Notify in writing – certain content requirements; ask for investigation materials • Held concurrently with “informal dispute resolution” (if Medicare or Medicaid certified) • “Independent Reviewer” • Results usually issued within 10 business days of conference • Reviewer may affirm, modify or dismiss • If the citation is changed, DIA issues an amended citation and then a new plan of correction must be issued for the amended citation
Step 3: After the Informal Conference • If no further dispute with Reviewer’s decision – pay fine OR • Within 5 days of Reviewer decision, notify DIA in writing of formal contest of citation
Step 4: Contested Case Proceeding • Discovery • Create record • Hearing in front of ALJ • Proposed decision
Step 5: Appeal to Director of DIA • Within 30 days of Proposed Decision • No new evidence unless material and good reasons for failure to present • Obtain Final Decision • Option: Request for Rehearing – specific reasons
Step 6: Appeal to District Court • Within 15 days of Final Decision • Briefing based upon record • No new evidence • Possibly oral argument • Ruling from Judge that can be appealed to state Supreme Court/Court of Appeals
Federal Proceedings • May be a separate proceeding • State proceedings stayed upon request • If successful at federal level, state follows decision
What Is A “Credible Allegation of Fraud” and Why Does It Matter to Me?
What’s A “Credible Allegation of Fraud”? It’s a trigger that requires Medicaid suspend payment to providers: 42 U.S.C. § 1396b(i)(2)(C) forbids federal spending on any provider or person “to whom the State has failed to suspend payments . . . when there is pending an investigation of a credible allegation of fraud” absent “good cause”
What’s A “Credible Allegation of Fraud”? • An “allegation, which has been verified by the State, from any source.” • Sources of these allegations may include: • 1) fraud hotline complaints, • 2) claims data mining, • 3) patterns identified through provider audits, civil false claims cases, and law enforcement investigations. • Allegations are considered credible when they have indicia of reliability and the State Medicaid Agency has reviewed all allegations, facts, and evidence carefully and acts judiciously on a case-by-case basis
What Are Some of the Sources of Credible Allegations of Fraud? • Audits by private insurers • Patient grievances filed with state inspectors • State surveys or investigations • Current and former employee tips • Analysis of payer datasets
What Are Some Examples of Credible Allegations of Fraud? Allegations of: • Upcoding and/or double billing • Investigations by the OIG and FBI • Inclusion of improper costs on cost reports • Billing for services not rendered • Submitting false claims • Falsifying documentation
Where Did This “Credible Allegation of Fraud” Come From? PPACA/Obamacare • Shifted oversight focus from “pay and chase” model to “shut off the tap” model • Prior to PPACA, federal regulations granted State agencies discretion to suspend payments in whole or in part upon “reliable evidence” of fraud • New regulations require suspension in whole when there is a “credible allegation of fraud” absent “good cause” not to suspend
When and How Will I Find Out About A Credible Allegation of Fraud? • Regulations require State to provide written notification within 5 days after the suspension’s effective date. (May delay for up to 30 days upon the request of law enforcement) • Notice must contain statements that : • Payments are being suspended in accordance with 45 CFR § 455.23 • To the general allegations as to the suspension action • The suspension is for a temporary period and describe the circumstances under which the suspension will be terminated • The types of Medicaid claims or business units to which the suspension is being applied • Inform the provider of its right to submit written evidence • Set forth the applicable state administrative appeals process
What Can My Organization Do When It Receives Notice of A Credible Allegation of Fraud? • Proceed with an administrative appeal • Submit information to IME • May submit information to prove that “good cause” exception exists to requirement of full suspension of payments • Negotiate a Settlement Agreement with Iowa Medicaid • Settlement Agreement will often turn back on partial payments to provider pending outcome of investigation
How Does Suspension End? • Notice of end of investigation • Resolution of issue via settlement agreement • Judicial resolution of issues
Overview HIPAA and HITECH Laws Applicable to Specific Categories of Medical Information Substance Abuse Mental Health AIDS Employment
Who is Required to Comply with HIPAA? • “Covered Entities” • Health plans • Health care clearinghouses • Health care providers who transmit health information in electronic form in connection with a covered transaction • “Business Associates” • Other Entity Types: • Hybrid • Affiliated Covered Entities • Organized Health Care Arrangement
Who is a “Business Associate”? A “business associate” is a person who: 1. “On behalf of [a] covered entity . . . but other than in the capacity of a member of the workforce of such covered entity . . . creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or” • “Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.” Source: 45 C.F.R. § 160.103
A “Business Associate” includes Subcontractors. A “business associate” includes: • “a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.” Source: 45 CFR § 160.103
What is “Protected Health Information”? “Individually identifiable health information” that is: • Transmitted by electronic media; • Maintained in electronic media; or • Transmitted or maintained in any other form or medium.
Health Information Are Community Providers Subject to HIPAA? Business Associate PHI Community Provider Billing Company
Health Information Are Community Providers Subject to HIPAA? Business Associate PHI Community Provider Law Firm
Health Information Are Community Providers Subject to HIPAA? Community Provider PHI Community Provider
What is a Business Associate Required to Do? A business associate must provide “satisfactory assurances” that it will appropriately safeguard the information. The Business Associate provides the satisfactory assurances in a “Business Associate Agreement.”
What are the Penalties for Failure to Comply with HIPAA and HITECH? Civil Penalties: • CE or BA did not know and by exercising reasonable diligence would not have known of the violation: • $100 to $50,000 per violation. • Not to exceed $1,500,000 for identical violations during a year. • Violation due to reasonable cause and not willful neglect: • $1,000 to $50,000 per violation. • Not to exceed $1,500,000 for identical violations during a year. 45 C.F.R. § 160.404
What are the Penalties for Failure to Comply with HIPAA and HITECH? Civil Penalties (cont.): • Violation due to willful neglect but corrected within required time period (30 days): • $10,000 to $50,000 per violation. • Not to exceed $1,500,000 for identical violations during a year. • Violation due to willful neglect and not corrected: • $50,000 per violation. • Not to exceed $1,500,000 for identical violations during a year. 45 C.F.R. § 160.404
What are the Penalties for Failure to Comply with HIPAA and HITECH? Criminal Penalties: • Knowingly obtain or disclose PHI in violation: • Up to 1 year in prison • Offenses committed under false pretenses: • Up to 5 years in prison • Offenses committed for personal gain or malicious harm: • Up to 10 years in prison
Website: www.brownwinick.com Toll Free Phone Number: 1-888-282-3515 OFFICE LOCATIONS: 666 Grand Avenue, Suite 2000 Des Moines, Iowa 50309-2510 Telephone: (515) 242-2400 Facsimile: (515) 283-0231 616 Franklin Place Pella, Iowa 50219 Telephone: (641) 628-4513 Facsimile: (641) 628-8494 DISCLAIMER: No oral or written statement made by BrownWinick attorneys should be interpreted by the recipient as suggesting a need to obtain legal counsel from BrownWinick or any other firm, nor as suggesting a need to take legal action. Do not attempt to solve individual problems upon the basis of general information provided by any BrownWinick attorney, as slight changes in fact situations may cause a material change in legal result.