530 likes | 784 Views
Identity Theft Concerns. Background. FACTA of 2003FTC regulationsMay 1st deadline was suspendedAugust 1st new deadline. August 1st new deadline. Does it Apply to Health Care Providers?. Red Flag Rule ID Theft Program. Step 1: Identify Relevant Red Flags by Considering Risk Factors. Step 2: Examine Sources and Categories of Red Flags.
E N D
1. TORCH Critical Access Hospital Conference
Kevin Reed
512.482.0614
512.482.0342 Fax
kreed@dwlaw.com
2. Identity Theft Concerns
3. Background FACTA of 2003
FTC regulations
May 1st deadline was suspended
August 1st new deadline
4. Does it Apply toHealth Care Providers? You are a “creditor” because you allow for the deferred payment for goods or services, which the FTC considers “credit.”
You maintain “accounts” (relationships established by residents to obtain services from you), and the accounts are “covered” because the accounts allow for multiple payments and/or there is a reasonably foreseeable risk of harm from identity theft.
You are a “creditor” because you allow for the deferred payment for goods or services, which the FTC considers “credit.”
You maintain “accounts” (relationships established by residents to obtain services from you), and the accounts are “covered” because the accounts allow for multiple payments and/or there is a reasonably foreseeable risk of harm from identity theft.
5. Red Flag Rule ID Theft Program Because you are a creditor that maintains covered accounts, you are required to develop and implement a written Identification Theft Prevention Program (“Program”).
A “red flag” is a pattern, practice or specific activity that indicates the possible existence of identity theft.
“Identity theft” means fraud committed or attempted using the identifying information of another person without authority.
Because you are a creditor that maintains covered accounts, you are required to develop and implement a written Identification Theft Prevention Program (“Program”).
A “red flag” is a pattern, practice or specific activity that indicates the possible existence of identity theft.
“Identity theft” means fraud committed or attempted using the identifying information of another person without authority.
6. Step 1:Identify Relevant Red Flags by Considering Risk Factors What types of covered accounts do we offer or maintain?
How are covered accounts opened?
How are our covered accounts accessed?
Have we had previous experience with identity theft?
What types of covered accounts do we offer or maintain?
How are covered accounts opened?
How are our covered accounts accessed?
Have we had previous experience with identity theft?
7. Step 2:Examine Sources and Categories of Red Flags Sources:
In our previous experience with identity theft, how did we learn that the theft had taken place?
How else could identity theft come to our attention?
Categories:
Examples from Guidance.
Alerts…from consumer reporting agencies or fraud detection services;
Presentation of suspicious documents (forged…photo doesn’t match);
Presentation of suspicious personal identifying information (SSN doesn’t correlate with DOB);
Suspicious activity related to a covered account; and
Notice from ID theft victims or others.
Sources:
In our previous experience with identity theft, how did we learn that the theft had taken place?
How else could identity theft come to our attention?
Categories:
Examples from Guidance.
Alerts…from consumer reporting agencies or fraud detection services;
Presentation of suspicious documents (forged…photo doesn’t match);
Presentation of suspicious personal identifying information (SSN doesn’t correlate with DOB);
Suspicious activity related to a covered account; and
Notice from ID theft victims or others.
8. Step Three:Determine how you will identify Red Flags Examples:
We will ask for more identifying information at the time of admission.
Upon any change of billing address, we will verify that the change of address was actually made by the resident’s responsible party before sending a bill to the new address.
Examples:
We will ask for more identifying information at the time of admission.
Upon any change of billing address, we will verify that the change of address was actually made by the resident’s responsible party before sending a bill to the new address.
9. Step Four:Determine how you will prevent and mitigateID Theft Take one or more of these steps, as appropriate:
Monitor accounts for evidence of identity theft;
Contact the resident/responsible party;
Change any passwords or other security devices that permit access to accounts;
Not open a new account;
Close an existing account;
Reopen an account with a new number;
Notify law enforcement; or
Determine that no response is warranted under the particular circumstances.
Take one or more of these steps, as appropriate:
Monitor accounts for evidence of identity theft;
Contact the resident/responsible party;
Change any passwords or other security devices that permit access to accounts;
Not open a new account;
Close an existing account;
Reopen an account with a new number;
Notify law enforcement; or
Determine that no response is warranted under the particular circumstances.
10. Step 5: Administer the Program Decide whether the Board of Directors, a Board committee or an employee at the senior management will administrator of the Program.
Basis for selection:
Involvement in HIPAA compliance and steps currently taken to protect against identity theft.
Knowledge of billing procedures.
Appoint staff to implement Program and oversee, at some level, implementation and training.
Review staff reports (annually, in response to breach) and propose changes to Program if necessary.Decide whether the Board of Directors, a Board committee or an employee at the senior management will administrator of the Program.
Basis for selection:
Involvement in HIPAA compliance and steps currently taken to protect against identity theft.
Knowledge of billing procedures.
Appoint staff to implement Program and oversee, at some level, implementation and training.
Review staff reports (annually, in response to breach) and propose changes to Program if necessary.
11. Service Providers Must ensure that service providers that perform activities in connection with covered accounts do so in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.
Solutions:
Contract addendum requiring adoption/compliance with your Program.
Must ensure that service providers that perform activities in connection with covered accounts do so in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.
Solutions:
Contract addendum requiring adoption/compliance with your Program.
12. Step Six:Board Approval
13. Areas of Concern Does a provider system need individual facilities to adopt a Program?
When the government or insurance pays, are these covered accounts?
Do the rules apply to covered accounts that pre-date the effective date?
14. Enforcement The FTC can sue for up to $2,500 for each violation. State Attorneys General can sue for up to $1,000 per violation.
15. Conclusion Use of credit reports for residents/employees.
Address verification.
New Era: Strengthened HIPAA, electronic medical records, ID theft lawsuits. Compliance:
Benefits you by reducing liability exposure;
Protects residents from exploitation.
16. THE WHITE HOUSEOffice of the Press Secretary-------------------------------------------For Immediate Release April 8, 2009 EXECUTIVE ORDERESTABLISHMENT OF THE WHITE HOUSE OFFICE OF HEALTH REFORMBy the authority vested in me as President by the Constitution and the laws of the United States of America, and in the interest of providing all Americans access to affordable and high-quality health care, it is hereby ordered as follows:
17. The Stimulus Package
18. ARRA - American Recovery and Reinvestment Act of 2009
HITECH – Health Information Technology for Economic and Clinical Health Act
19. Signed February 17, 2009
Invest in infrastructure for nationwide Health Information Network
Medicare and Medicaid incentives to hospitals and physicians to adopt EHR
Expands HIPAA
Imposes national security breach notice
www.recovery.gov
Total funding: Texas will receive $15.5B - $1.5B to Medicaid
Signed February 17, 2009
Invest in infrastructure for nationwide Health Information Network
Medicare and Medicaid incentives to hospitals and physicians to adopt EHR
Expands HIPAA
Imposes national security breach notice
www.recovery.gov
Total funding: Texas will receive $15.5B - $1.5B to Medicaid
20. 2009 – 2/3 of Recovery Act funds spent by the states will be health-related – primarily as a result of the increase in Medicaid funding
By 2012 – health spending decreases to 1% - more to be spent on transportation, education, community development, energy and environment
HHS funding – Example of specific project: $200M in loan repayments for clinicians who join National Health Services Corps and work at least 2 years in facilities serving uninsured and underserved
In Texas, 229 Medical, 66 Dental, 33 Mental health
2009 – 2/3 of Recovery Act funds spent by the states will be health-related – primarily as a result of the increase in Medicaid funding
By 2012 – health spending decreases to 1% - more to be spent on transportation, education, community development, energy and environment
HHS funding – Example of specific project: $200M in loan repayments for clinicians who join National Health Services Corps and work at least 2 years in facilities serving uninsured and underserved
In Texas, 229 Medical, 66 Dental, 33 Mental health
21. Applies to employer who sponsors a group health plan and terminates/terminated an employee between 9/1/08 and 12/31/09
Existing COBRA rules
COBRA provides the right to purchase continuing group health coverage through previous employer’s group health plan.
Employers with 20 or more employees
Employee keeps group health coverage for up to 18 months
New ARRA rules
Government will subsidize 65% of the cost of the COBRA premium for “assistance eligible individuals,”
“Assistance eligible individual” is an employee whose employment was terminated between September 1, 2008 and December 31, 2009
Eligible individuals involuntarily terminated since September 2008 will have a second chance to elect COBRA coverage.
Continuation applies to most health insurance plans. Premium reduction also available to small employers below the 20 threshold in states with “continuation coverage” plans.
Employees making less that $125,000 adjusted gross income ($250,000 if married/filing jointly) fully eligible for the subsidy for 9 months.
Subsidy phased over $125,000
Over $145,000 ($290,000 if married/filing jointly) not eligible
Subsidy eligibility ends if employee becomes eligible for Medicare or qualifies for other group health coverage.
Employee pays 35% of premium; Employer pays the other 65%.
Employer will be reimbursed for the 65% through a reduction in payroll taxes and/or federal income tax withholding, or a direct reimbursement from the U.S. Treasury Department.
If employee was terminated between September 1, 2008 and February 17, 2009 (the date of enactment of ARRA) and did not elect COBRA, a second special enrollment period is provided to elect the subsidized COBRA coverage.
By April 18, 2009, employers must notify employees of their new rights to elect COBRA
Applies to employer who sponsors a group health plan and terminates/terminated an employee between 9/1/08 and 12/31/09
Existing COBRA rules
COBRA provides the right to purchase continuing group health coverage through previous employer’s group health plan.
Employers with 20 or more employees
Employee keeps group health coverage for up to 18 months
New ARRA rules
Government will subsidize 65% of the cost of the COBRA premium for “assistance eligible individuals,”
“Assistance eligible individual” is an employee whose employment was terminated between September 1, 2008 and December 31, 2009
Eligible individuals involuntarily terminated since September 2008 will have a second chance to elect COBRA coverage.
Continuation applies to most health insurance plans. Premium reduction also available to small employers below the 20 threshold in states with “continuation coverage” plans.
Employees making less that $125,000 adjusted gross income ($250,000 if married/filing jointly) fully eligible for the subsidy for 9 months.
Subsidy phased over $125,000
Over $145,000 ($290,000 if married/filing jointly) not eligible
Subsidy eligibility ends if employee becomes eligible for Medicare or qualifies for other group health coverage.
Employee pays 35% of premium; Employer pays the other 65%.
Employer will be reimbursed for the 65% through a reduction in payroll taxes and/or federal income tax withholding, or a direct reimbursement from the U.S. Treasury Department.
If employee was terminated between September 1, 2008 and February 17, 2009 (the date of enactment of ARRA) and did not elect COBRA, a second special enrollment period is provided to elect the subsidized COBRA coverage.
By April 18, 2009, employers must notify employees of their new rights to elect COBRA
22. ARRA: Changes to HIPAA Here we go again . . .
25. Financial incentives through Medicare to encourage hospitals and non-hospital based physicians to purchase and implement electronic health record (EHR) technologyFinancial incentives through Medicare to encourage hospitals and non-hospital based physicians to purchase and implement electronic health record (EHR) technology
26. To be a meaningful EHR user, must:
demonstrate use of EHR technology in meaningful manner - includes use of electronic prescribing
demonstrate EHR technology improves the quality of care
submit information to HHS on clinical quality measures and other measures as specified by HHS.
In 2011, meaningful EHR users will receive incentive payments for demonstrating meaningful use and demonstrated performance
To be a meaningful EHR user, must:
demonstrate use of EHR technology in meaningful manner - includes use of electronic prescribing
demonstrate EHR technology improves the quality of care
submit information to HHS on clinical quality measures and other measures as specified by HHS.
In 2011, meaningful EHR users will receive incentive payments for demonstrating meaningful use and demonstrated performance
27. What is “Meaningful Use”? Very confusing; nobody knows
The preliminary definition, based on the National Priorities Partnership’s report, identified a set of national priorities to help focus performance improvement efforts
It is linked to the following goals:
28. “Meaningful Use” Goals Improve quality, safety, efficiency and reduce health disparities
Engage patients and families
Improve care coordination
Improve population and public health
Ensure adequate privacy and security protections for personal health information EXAMPLES:
Hospitals will be required to report certain quality measures (such as use of high-risk medications in the elderly, % of smokers offered smoking cessation counseling) and submit quality reports stratified by race, ethnicity, gender, insurance type
Hospitals will be required to report certain quality measures such as % of patients w/ electronic access to personal health information
Hospitals must report data such as 30-day readmission rate and % of encounters where medication reconciliation is performed
Hospitals must report % of reportable lab results submitted electronically
Full compliance with HIPAA Privacy and Security RulesEXAMPLES:
Hospitals will be required to report certain quality measures (such as use of high-risk medications in the elderly, % of smokers offered smoking cessation counseling) and submit quality reports stratified by race, ethnicity, gender, insurance type
Hospitals will be required to report certain quality measures such as % of patients w/ electronic access to personal health information
Hospitals must report data such as 30-day readmission rate and % of encounters where medication reconciliation is performed
Hospitals must report % of reportable lab results submitted electronically
Full compliance with HIPAA Privacy and Security Rules
29. Reporting Quality Measures It is unclear how hospitals will report the quality measures
By the end of 2009, CMS will issue a proposed rule to clarify the definition, which hospitals and physicians must meet to be eligible for the health IT stimulus funds
31. Initial Amounts $2 million plus discharge-related amount
Discharge-related amount:
1 - 1149 $0
1150 – 23,000 $200
23,000+ $0
32. Medicare Share Medicare Days (Part A & Medicare Advantage)
÷ Inpatient Bed Days x Charges – Charity Care
÷ Total Charges
33. Transition Factor 1st year 1.00
2nd year .75
3rd year .50
4th year .25
5th year no transition factor
34. Different calculation based on costs
Contact CPA
Medicare share + 20 percentage points but not more than 100%Different calculation based on costs
Contact CPA
Medicare share + 20 percentage points but not more than 100%
35. 2016
hospitals that fail to adopt EHR technology will be subject to penalties
Hospitals failing to submit quality data
25% reduction in annual inpatient pps update
Hospitals that are not “meaningful EHR users” will lose 25% of the update in 2016, an additional 50% in 2017, and 75% in 2018
2016
hospitals that fail to adopt EHR technology will be subject to penalties
Hospitals failing to submit quality data
25% reduction in annual inpatient pps update
Hospitals that are not “meaningful EHR users” will lose 25% of the update in 2016, an additional 50% in 2017, and 75% in 2018
36. HITECH requires HHS to:
Establish a program to expand health information technology
Issue grants to states and non-profits
Enhance broad participation
Provide technical assistance
Promote EHR and quality
Beginning January 1, 2010, ONC will issue grants to states to set up loan programs
Facilitate purchase of EHR
Enhance utilization of EHR
Train personnel
Improve security
States to add to grants in 2011
HITECH requires HHS to:
Establish a program to expand health information technology
Issue grants to states and non-profits
Enhance broad participation
Provide technical assistance
Promote EHR and quality
Beginning January 1, 2010, ONC will issue grants to states to set up loan programs
Facilitate purchase of EHR
Enhance utilization of EHR
Train personnel
Improve security
States to add to grants in 2011
37. Quality Efforts
38. Stark and Hospital/Physician Relations
39. Employment of Physicians by Hospitals
40. RACs and Other Program Integrity Contractors
41. Recovery Audit Contractors The goal of the Recovery Audit Contractors program is to identify improper payments — both overpayments and underpayments — made on claims for health care services provided to Medicare beneficiaries.
Texas implementation begins in summer 2009. Connolly Consulting is the contractor for Texas.
42. Medicare receives over 1.2 billion claims per year! That's 4.5 million claims per work day, 574,000 claims per hour and 9,579 claims per minute.
The Claim RACs identified and corrected improper payments on only 0.3 percent ($1.03 billion) of the claims received.
The RAC demonstration cost only 20˘ for each dollar collected.
The 3-year pilot in 3 states collected over $1 billion. Did You Know?
43. Background:RAC Legislation Medicare Modernization Act Section 306: Required RAC demonstration
Tax Relief and Healthcare Act of 2006, Section 302: Requires permanent and nationwide RAC program by no later than January 1, 2010
44. Background:Demonstration Findings Demo RACs were given $317 Billion in claims paid
Demo RACs found $1 Billion in improper payments
Demo RACs repaid $37 Million to providers
6.8% of determinations made by the demo RACs were overturned on appeal (as of 6/30/08)
45. Assigned to NY in the Pilot (ended 3/08)
Established in 1979 as “recovery audit pioneer”
“Introduced medical claim data mining audits to the healthcare industry in 1998” and is now a recognized “recovery audit expert”
Viant Payment Systems is subcontractor
47. RAC Review Process RACs choose issues to review based on data mining techniques, OIG and GAO reports, CERT reports and the experience and knowledge of staff
Two types of review
Automated (no medical records)
Complex (medical records)
New issues for review will be posted to RACs’ websites
RACs will be able to look back 3 years from the date the claim was paid
RACS will NOT be able to review claims paid prior to October 1, 2007
RACs use same Medicare policies as FIs, Carriers and MACs: NCDs, LCDs and CMS manuals
RACS are required to use nurses, therapists, certified coders and physician CMD
48. Requesting Medical Records RACs will send letters requesting medical records like Carrier/FI/MAC and CERT
RACs must pay for inpatient hospital records
Failure to submit requested record in 45 days = denial
CMS has established medical record limits
Providers are encouraged to have a point of contact
Providers can submit medical records via:
Mailed paper copy; or
Fax; or
Mailed CD/DVD
49. RACs are required to reimburse PPS providers
The reimbursement is 12˘ per page for reproduction of medical records. No vouchers requesting payment.
RACs will automatically issue payments to the hospitals for photocopying charges.
RACs pay for copying monthly within 45 days of receiving the record. Reimbursement
50. FAQs There is not a specific rollout plan for Texas since RAC reviews are done by a service-specific issue and not by individual provider
Connolly has not established a date when its website will be available to post claim status
The Discussion period begins when notification is made about an improper payment and applies to both automated and complex reviews.
Connolly anticipates beginning automated reviews for Texas in late June 2009.
Connolly will be unable to verify the accuracy of a provider’s choice in their point-of-contact.
51. Summary of Medical Record Limits (for FY 2009) Inpatient Hospital, IRF, SNF, Hospice
10% of average monthly Medicare claims (max of 200) per 45 days per NPI
52. What Can I Do to Get Prepared? Know where previous improper payments have been found (OIG, CERT, Demo RAC Reports)
Know if you are submitting claims with improper payments
Get ready to respond to RAC medical record requests fully and promptly
Appeal when necessary
53. CMS/THA Provider Outreach Training Available Online through PowerPoint http://www.tha.org/HealthCareProviders/Advocacy/FederalIssues/RAC/RAC%20Orientation_combined%20presentation_042909.ppt
54. Thank you! Kevin A. Reed
kreed@dwlaw.com