1. TORCH Critical Access Hospital Conference
Kevin Reed
512.482.0614
512.482.0342 Fax
kreed@dwlaw.com
2. Identity Theft Concerns
3. Background FACTA of 2003
FTC regulations
May 1st deadline was suspended
August 1st new deadline
4. Does it Apply to Health Care Providers? You are a “creditor” because you allow for the deferred payment for goods or services, which the FTC considers “credit.”
You maintain “accounts” (relationships established by residents to obtain services from you), and the accounts are “covered” because the accounts allow for multiple payments and/or there is a reasonably foreseeable risk of harm from identity theft.
5. Red Flag Rule ID Theft Program Because you are a creditor that maintains covered accounts, you are required to develop and implement a written Identification Theft Prevention Program (“Program”).
A “red flag” is a pattern, practice or specific activity that indicates the possible existence of identity theft.
“Identity theft” means fraud committed or attempted using the identifying information of another person without authority.
6. Step 1: Identify Relevant Red Flags by Considering Risk Factors What types of covered accounts do we offer or maintain?
How are covered accounts opened?
How are our covered accounts accessed?
Have we had previous experience with identity theft?
7. Step 2: Examine Sources and Categories of Red Flags Sources:
In our previous experience with identity theft, how did we learn that the theft had taken place?
How else could identity theft come to our attention?
Categories:
Examples from Guidance.
Alerts…from consumer reporting agencies or fraud detection services;
Presentation of suspicious documents (forged…photo doesn’t match);
Presentation of suspicious personal identifying information (SSN doesn’t correlate with DOB);
Suspicious activity related to a covered account; and
Notice from ID theft victims or others.
8. Step Three: Determine how you will identify Red Flags Examples:
We will ask for more identifying information at the time of admission.
Upon any change of billing address, we will verify that the change of address was actually made by the resident’s responsible party before sending a bill to the new address.
9. Step Four: Determine how you will prevent and mitigate ID Theft Take one or more of these steps, as appropriate:
Monitor accounts for evidence of identity theft;
Contact the resident/responsible party;
Change any passwords or other security devices that permit access to accounts;
Not open a new account;
Close an existing account;
Reopen an account with a new number;
Notify law enforcement; or
Determine that no response is warranted under the particular circumstances.
10. Step 5: Administer the Program Decide whether the Board of Directors, a Board committee or an employee at the senior management level will be the administrator of the Program.
Basis for selection:
Involvement in HIPAA compliance and steps currently taken to protect against identity theft.
Knowledge of billing procedures.
Appoint staff to implement Program and oversee, at some level, implementation and training.
Review staff reports (annually, in response to breach) and propose changes to Program if necessary.
11. Service Providers Must ensure that service providers that perform activities in connection with covered accounts do so in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.
Solutions:
Contract addendum requiring adoption/compliance with your Program.
12. Step Six: Board Approval
13. Areas of Concern Does a provider system need individual facilities to adopt a Program?
When the government or insurance pays, are these covered accounts?
Do the rules apply to covered accounts that pre-date the effective date?
14. Enforcement The FTC can sue for up to $2,500 for each violation. State Attorneys General can sue for up to $1,000 per violation.
15. Conclusion Use of credit reports for residents/employees.
Address verification.
New Era: Strengthened HIPAA, electronic medical records, ID theft lawsuits. Compliance:
Benefits you by reducing liability exposure;
Protects residents from exploitation.
16. THE WHITE HOUSE
Office of the Press Secretary
For Immediate Release April 8, 2009
EXECUTIVE ORDER
ESTABLISHMENT OF THE WHITE HOUSE OFFICE OF HEALTH REFORM
By the authority vested in me as President by the Constitution and the laws of the United States of America, and in the interest of providing all Americans access to affordable and high-quality health care, it is hereby ordered as follows:
17. The Stimulus Package
18. ARRA - American Recovery and Reinvestment Act of 2009
HITECH – Health Information Technology for Economic and Clinical Health Act
19. Signed February 17, 2009
Invest in infrastructure for nationwide Health Information Network
Medicare and Medicaid incentives to hospitals and physicians to adopt EHR
Expands HIPAA
Imposes national security breach notice
www.recovery.gov
Total funding: Texas will receive $15.5B - $1.5B to Medicaid
20. 2009 – 2/3 of Recovery Act funds spent by the states will be health-related – primarily as a result of the increase in Medicaid funding
By 2012 – health spending decreases to 1% - more to be spent on transportation, education, community development, energy and environment
HHS funding – Example of specific project: $200M in loan repayments for clinicians who join National Health Services Corps and work at least 2 years in facilities serving uninsured and underserved
In Texas, 229 Medical, 66 Dental, 33 Mental health
21. Applies to employer who sponsors a group health plan and terminates/terminated an employee between 9/1/08 and 12/31/09
Existing COBRA rules
COBRA provides the right to purchase continuing group health coverage through previous employer’s group health plan.
Employers with 20 or more employees
Employee keeps group health coverage for up to 18 months
New ARRA rules
Government will subsidize 65% of the cost of the COBRA premium for “assistance eligible individuals,”
“Assistance eligible individual” is an employee whose employment was terminated between September 1, 2008 and December 31, 2009
Eligible individuals involuntarily terminated since September 2008 will have a second chance to elect COBRA coverage.
Continuation applies to most health insurance plans. Premium reduction also available to small employers below the 20 threshold in states with “continuation coverage” plans.
Employees making less than $125,000 adjusted gross income ($250,000 if married/filing jointly) fully eligible for the subsidy for 9 months.
Subsidy phased over $125,000
Over $145,000 ($290,000 if married/filing jointly) not eligible
Subsidy eligibility ends if employee becomes eligible for Medicare or qualifies for other group health coverage.
Employee pays 35% of premium; Employer pays the other 65%.
Employer will be reimbursed for the 65% through a reduction in payroll taxes and/or federal income tax withholding, or a direct reimbursement from the U.S. Treasury Department.
If employee was terminated between September 1, 2008 and February 17, 2009 (the date of enactment of ARRA) and did not elect COBRA, a second special enrollment period is provided to elect the subsidized COBRA coverage.
By April 18, 2009, employers must notify employees of their new rights to elect COBRA
22. ARRA: Changes to HIPAA Here we go again . . .
25. Financial incentives through Medicare to encourage hospitals and non-hospital based physicians to purchase and implement electronic health record (EHR) technology
26. To be a meaningful EHR user, must:
demonstrate use of EHR technology in meaningful manner - includes use of electronic prescribing
demonstrate EHR technology improves the quality of care
submit information to HHS on clinical quality measures and other measures as specified by HHS.
In 2011, meaningful EHR users will receive incentive payments for demonstrating meaningful use and demonstrated performance
27. What is “Meaningful Use”? Very confusing; nobody knows
The preliminary definition, based on the National Priorities Partnership’s report, identified a set of national priorities to help focus performance improvement efforts
It is linked to the following goals:
28. “Meaningful Use” Goals Improve quality, safety, efficiency and reduce health disparities
Engage patients and families
Improve care coordination
Improve population and public health
Ensure adequate privacy and security protections for personal health information
EXAMPLES:
Hospitals will be required to report certain quality measures (such as use of high-risk medications in the elderly, % of smokers offered smoking cessation counseling) and submit quality reports stratified by race, ethnicity, gender, insurance type
Hospitals will be required to report certain quality measures such as % of patients w/ electronic access to personal health information
Hospitals must report data such as 30-day readmission rate and % of encounters where medication reconciliation is performed
Hospitals must report % of reportable lab results submitted electronically
Full compliance with HIPAA Privacy and Security Rules
29. Reporting Quality Measures It is unclear how hospitals will report the quality measures
By the end of 2009, CMS will issue a proposed rule to clarify the definition, which hospitals and physicians must meet to be eligible for the health IT stimulus funds
31. Initial Amounts $2 million plus discharge-related amount
Discharge-related amount:
1 - 1149 $0
1150 – 23,000 $200
23,000+ $0
32. Medicare Share Medicare Days (Part A & Medicare Advantage) ÷ [Inpatient Bed Days × (Charges – Charity Care) ÷ Total Charges]
33. Transition Factor 1st year 1.00
2nd year .75
3rd year .50
4th year .25
5th year no transition factor
34. Different calculation based on costs
Contact CPA
Medicare share + 20 percentage points but not more than 100%
35. 2016
hospitals that fail to adopt EHR technology will be subject to penalties
Hospitals failing to submit quality data
25% reduction in annual inpatient pps update
Hospitals that are not “meaningful EHR users” will lose 25% of the update in 2016, an additional 50% in 2017, and 75% in 2018
36. HITECH requires HHS to:
Establish a program to expand health information technology
Issue grants to states and non-profits
Enhance broad participation
Provide technical assistance
Promote EHR and quality
Beginning January 1, 2010, ONC will issue grants to states to set up loan programs
Facilitate purchase of EHR
Enhance utilization of EHR
Train personnel
Improve security
States to add to grants in 2011
37. Quality Efforts
38. Stark and Hospital/Physician Relations
39. Employment of Physicians by Hospitals
40. RACs and Other Program Integrity Contractors
41. Recovery Audit Contractors The goal of the Recovery Audit Contractors program is to identify improper payments — both overpayments and underpayments — made on claims for health care services provided to Medicare beneficiaries.
Texas implementation begins in summer 2009. Connolly Consulting is the contractor for Texas.
42. Did You Know? Medicare receives over 1.2 billion claims per year! That's 4.5 million claims per work day, 574,000 claims per hour and 9,579 claims per minute.
The Claim RACs identified and corrected improper payments on only 0.3 percent ($1.03 billion) of the claims received.
The RAC demonstration cost only 20¢ for each dollar collected.
The 3-year pilot in 3 states collected over $1 billion.
43. Background: RAC Legislation Medicare Modernization Act Section 306: Required RAC demonstration
Tax Relief and Healthcare Act of 2006, Section 302: Requires permanent and nationwide RAC program by no later than January 1, 2010
44. Background: Demonstration Findings Demo RACs were given $317 Billion in claims paid
Demo RACs found $1 Billion in improper payments
Demo RACs repaid $37 Million to providers
6.8% of determinations made by the demo RACs were overturned on appeal (as of 6/30/08)
45. Assigned to NY in the Pilot (ended 3/08)
Established in 1979 as “recovery audit pioneer”
“Introduced medical claim data mining audits to the healthcare industry in 1998” and is now a recognized “recovery audit expert”
Viant Payment Systems is subcontractor
47. RAC Review Process RACs choose issues to review based on data mining techniques, OIG and GAO reports, CERT reports and the experience and knowledge of staff
Two types of review
Automated (no medical records)
Complex (medical records)
New issues for review will be posted to RACs’ websites
RACs will be able to look back 3 years from the date the claim was paid
RACs will NOT be able to review claims paid prior to October 1, 2007
RACs use same Medicare policies as FIs, Carriers and MACs: NCDs, LCDs and CMS manuals
RACs are required to use nurses, therapists, certified coders and physician CMD
48. Requesting Medical Records RACs will send letters requesting medical records like Carrier/FI/MAC and CERT
RACs must pay for inpatient hospital records
Failure to submit requested record in 45 days = denial
CMS has established medical record limits
Providers are encouraged to have a point of contact
Providers can submit medical records via:
Mailed paper copy; or
Fax; or
Mailed CD/DVD
49. Reimbursement RACs are required to reimburse PPS providers
The reimbursement is 12¢ per page for reproduction of medical records. No vouchers requesting payment.
RACs will automatically issue payments to the hospitals for photocopying charges.
RACs pay for copying monthly within 45 days of receiving the record.
50. FAQs There is not a specific rollout plan for Texas since RAC reviews are done by a service-specific issue and not by individual provider
Connolly has not established a date when its website will be available to post claim status
The Discussion period begins when notification is made about an improper payment and applies to both automated and complex reviews.
Connolly anticipates beginning automated reviews for Texas in late June 2009.
Connolly will be unable to verify the accuracy of a provider’s choice in their point-of-contact.
51. Summary of Medical Record Limits (for FY 2009) Inpatient Hospital, IRF, SNF, Hospice
10% of average monthly Medicare claims (max of 200) per 45 days per NPI
52. What Can I Do to Get Prepared? Know where previous improper payments have been found (OIG, CERT, Demo RAC Reports)
Know if you are submitting claims with improper payments
Get ready to respond to RAC medical record requests fully and promptly
Appeal when necessary
53. CMS/THA Provider Outreach Training Available Online through PowerPoint http://www.tha.org/HealthCareProviders/Advocacy/FederalIssues/RAC/RAC%20Orientation_combined%20presentation_042909.ppt
54. Thank you! Kevin A. Reed
kreed@dwlaw.com