the patient and the driver’s license
1.11.12
“We need to make a copy of your driver’s license,” insisted the young front desk assistant at the doctor’s office. “Why?” asked the reluctant gray-haired patient. “Well, this is just something we are required to do for HIPAA,” responded the assistant. “Really? What if I do not let you?” the patient huffed.
Who is right? All too often today, we hear responses in health care settings that “we must do this,” or “we are required to do that,” or the dreaded “HIPAA makes us do this.” Unfortunately, quite a few of these seemingly mandated legal requirements are merely myths, HIPAA myths, if you will. (HIPAA refers to the federal Health Insurance Portability and Accountability Act.) Laws like HIPAA were well-meant, but given the complexity of the regulations that make up HIPAA, there can be quite a bit of confusion about what to do and what not to do. So, what to do?
Well, the first rule of thumb is to review the actual statute or regulation that supposedly calls for the required action. An example of required action would be posting a notice of your office’s privacy practices (see, e.g., 45 Code of Federal Regulations, Section 164.520). Do not simply implement a policy in your office because someone else is doing it that way. If you have a difficult time, however, locating what is called primary legal authority, call your trade association and ask them to help you (you could call your legal advisor, we love to hear from clients, but your association may have that information handy without ticking time on a legal clock).
The next thing to do is inject a healthy dose of common sense into your policies especially when a patient may be asked to do something. And, notably, consider the patient’s perspective when you are about to require them to help you comply with a law. Here, let’s use the driver’s license as an example. A driver’s license contains a fair amount of personal information along with the usually unflattering photograph. There is the patient’s home address, the license number, a rough approximation of height and weight (most of us fudge a little, right?), and even more intimate details like date of birth, medical restrictions such as use of eyeglasses, organ donor status, and your signature. Personal stuff. So, you probably should have a better sense now that the seemingly innocuous request to photocopy that personal document may be met with the huffing and some puffing by the now disgruntled patient.
Okay, back to the first rule of thumb, are you required by a statute or regulation to photocopy a driver’s license? Short answer says, no. What? No? But, what about HIPAA? This scenario actually may not be a real HIPAA myth but an identity theft protection myth (obviously not as quotable, in a legal literature sense, as the term “HIPAA myth”). A few years back, the Federal Trade Commission (FTC) threatened that physicians would have to develop identity theft protection compliance plans under a regulatory program known as the Red Flags Rule. One of the requirements there would have been for a doctor’s office to verify the identity of the person presenting in the office. How do you do that? Check a driver’s license or other photo identification. The regulations did not require making a photocopy of the identification, but many folks probably assumed that was a simple way to check off compliance with verifying the patient was who they said they were. Is the Red Flags Rule law for physician practices? No, not at this time, and likely not any time too soon, if ever. The FTC backed off its decision to require physicians to comply with the rule largely due to legal action by the American Medical Association and the passage of clarifying legislation by Congress. Many doctor offices, however, did start implementing pieces of an identity theft protection program. For offices that have been duped by misuse or outright fraud of health insurance cards, having a procedure in place to verify the patient’s identity made sense. That process still makes sense today.
Legally, though, putting a photocopy of a driver’s license in a file could create more issues in the long run. Why? In addition to federal laws regarding the privacy and security of protected health information (i.e., HIPAA), there may be state legal requirements about privacy and identity protection issues too. For example, in Oregon, there is a law that addresses protection of personal information (see, Oregon Revised Statutes 646A.600). Both a driver’s license number and the identification card are included in the definition of “personal information” that must be safeguarded by a business that maintains that information in its files. There is a legal requirement to notify the person regarding any breach of that information, and there could be penalties assessed up to $1,000 for each violation of the state law.
So what about the request to photocopy a driver’s license? While there is no legal prohibition against photocopying a license and most patients probably do not think about the request too deeply, the decision about how to proceed does come down to a legal risk assessment along with some common sense and public relations consideration.
From a legal perspective, putting more personal information in your files such as a photocopy of a driver’s license does increase legal risk especially if that information falls into the wrong hands. Be mindful of federal and state reporting requirements too if there is a breach of that information. Providers accept that risk anyway with protected health information under HIPAA, so adding more information may not be a burdensome risk to accept. From a common sense and public relations perspective though, a patient should not be made to feel like their privacy is being invaded any more than is necessary. Yes, they are consenting to treatment and to telling their health care provider intimate details about their medical history. As for other private information like a driver’s license, think about whether you want to absolutely require a copy versus just spot checking the ID, and noting that it was checked. Also, if a picture of a patient is desired for recordkeeping, rather than maintaining the driver’s license copy in the file, consider taking your own picture without all that other personal information.
In closing, as with all HIPAA myths, the law could change. Someday perhaps a definitive identification process will be legally mandated in the health care setting. If you hear about that, what will you do? If your response is to ask to see the statute or regulation, well done, and class dismissed.
Fall In Review
12.27.11
“What has happened in health care since the end of summer?” asked the wayfaring senior partner. “Seriously?” responded the frustrated junior associate.
A. Health reform plods along.
Much of what dominates the health care industry these days is preparing and planning for federal health reform set forth in the Patient Protection and Affordable Care Act (“PPACA”) enacted in March 2010. While most reform efforts were targeted at the insurance side of health care, a lot of smaller programs and initiatives were included in the legislation. The practical effect of those initiatives will trickle out over the next few years. For example, Section 6402(d) of the law provided that Medicare and Medicaid overpayments must be reported and returned within 60 days after the date on which the overpayment was identified. Just what “identified” means in practice and how far the scope of potential new provider liability will stretch back in time for unreturned overpayments is open to debate. Apparently, the Centers for Medicare and Medicaid Services (CMS) is engaged in rulemaking to clarify what is being dubbed the “60 day rule,” but there has been no indication of when rules, if any, will be forthcoming. Given the potential for new and significant liability associated with delays in returning overpayments, the industry waits patiently to learn the type of implementing regulations CMS will have in mind (i.e., Draconian or a more balanced approach). At the very least, providers will need to be cautious when engaged in retrospective audits of claims during any compliance program activity.
B. Supreme Court to hear a narrow issue.
While many think the Supreme Court might overturn PPACA, that probably will not be the case. Five Circuit Courts have ruled to date on PPACA challenges. The Third and Fourth Circuits respectively dismissed challenges there due to court rules that the party bringing the lawsuit really could not do so (i.e., the party lacked standing) or the subject matter was not appropriate for that court (i.e., the court had no legal authority to hear the case). Both the Sixth Circuit and DC Circuit upheld the controversial mandate that all individuals purchase health insurance. The Eleventh Circuit, however, said the mandate was unconstitutional. In November 2011, the Supremes granted certiorari for (i.e., agreed to review) the Eleventh Circuit decision. Notably, the Court restricted the questions presented to narrow legal issues. The first and most controversial issue is whether the individual mandate to purchase health insurance is constitutional. A second and less publicized issue is whether the proposed Medicaid expansion exceeds the enumerated powers of the federal government. A yes or no answer to either issue in all likelihood means little legally to the rest of the 2010 federal legislation (even though it might mean a lot practically and financially). There is an outside chance the Supremes could strike down the entire act, but that result would be very remote. Will there be more confusion to come? Sure, especially since oral argument, and maybe an opinion, will not occur until next year in the midst of Presidential election campaigns.
C. To be, or not to be, an ACO.
A five-page section of PPACA, Section 3022, included a pilot program called the Medicare Shared Savings Program. The gist of the program was to allow providers to form entities called Accountable Care Organizations (“ACOs”) that would attempt to deliver cost-effective care to Medicare fee for service beneficiaries. In return, the ACO would be eligible for extra payments based upon savings related to the care of those patients. Initial rules proposed for the program were so onerous that most health care providers showed little interest. The rules were relaxed somewhat this past October.
D. Medicaid, how many, how much?
2014 looms as a confusing and potentially dark year for the state-managed Medicaid program. At that time, Section 2001 of PPACA will become effective and will change the eligibility requirement for the program. Nationally, Medicaid is expected to expand by at least 16 million recipients. States like Oregon and Washington have little public information available about how many new recipients will be added to their programs and how much such an expansion will cost. In the initial years of program expansion, the federal government picks up most of the tab for the added cost even though it is a joint federal and state funded program. Over time, however, states will have to bear more and more of the cost. Oregon itself currently covers about one in every six residents in its Medicaid program. Does 2014 mean the number could be closer to one in five, one in four? New York is projecting one in three will be Medicaid eligible. This is one of the critical unknowns associated with federal health reform, and will be of particular concern to states because of recession-induced budget issues.
health reform: aco game on?
5.2.11
“Should we form an ACO?” questioned the primary care physician at a presentation by legal counsel at a business meeting of her medical group. “Do you mean an ACO or Medicare ACO?” replied the group’s general counsel. “What’s the difference?” quizzed the physician. “Well, quite a bit,” replied the lawyer.
The term ACO, short for accountable care organization, became the latest and greatest acronym to come out of federal health reform efforts from March 2010. ACO as a generic term means an organization of health care providers that agrees through some sort of clinical management to be accountable to its population of patients for improving their care within the health system and hopefully doing so by using fewer health care dollars. The policy concepts related to ACOs largely are based upon another clinical model known formally as the Triple Aim. That is generic ACO lingo.
ACO as a new Medicare term, however, has a wholly different meaning and a legal meaning at that. A Medicare ACO means an entity that has applied and has been approved to participate in the demonstration project labeled the Medicare Shared Savings Program. As a participating Medicare ACO, fee-for-service Medicare beneficiaries will be assigned to entities of providers around the country that organize themselves into an ACO. Beneficiaries serviced in the Medicare managed care program, that is, Medicare Advantage, will not be part of the project.
In early April 2011, the Centers for Medicare and Medicaid Services (CMS) published proposed regulations that outlined the type of entities that are eligible to serve as Medicare ACOs and what those entities must do to be eligible to receive a portion of the shared savings they realize in reducing health care expenditures for assigned fee-for-service beneficiaries. In addition to the CMS proposed regulations, the Office of Inspector General, the Federal Trade Commission, the Department of Justice, and the Internal Revenue Service issued statements regarding the application of existing federal law to Medicare ACOs and explained the need for possible waivers or exceptions for ACO activity. The initial dust up generated by proposed regulations and agency statements has subsided, but now consultants, lawyers, business managers, and clinical leaders for health care providers around the country are grappling with the concept of “do we apply?”
As an April 7, 2011 New England Journal of Medicine article reported, in an earlier but similar Medicare demonstration project, the participating organizations spent an average of $1.7 million to ramp up for the project and did not realize any reward for their effort in the first year of the project and only minimal return in later years. There was no information about how much of the costs of ramping up were related to complying with regulatory oversight versus investments in the organization’s infrastructure and patient care resources.
The proposed regulations clearly indicate that Medicare ACOs will be highly regulated, monitored, and audited. CMS will be motivated to demonstrate success in the program, and likely will triage applicants to make certain that only organizations with a chance of succeeding will make it through. Given the looming threat of fraud and abuse violations and antitrust risk, multiple federal agencies will be peering into the operations of every participating organization. That clearly presents added legal risk for any organization.
So what to do? Study, study, study. Study the proposed regulations and agency commentary. Study prior Medicare fee-for-service demonstration projects. Study whatever actual numbers exist that can help shed light on the cost-benefit of spending significant financial resources chasing a piece of shared savings in your organization’s Medicare fee-for-service line of business.
For an organization willing to accept significant federal oversight, being deemed a Medicare ACO would grant the organization superior bragging rights especially when negotiating with commercial payors outside of the federal health care programs. For organizations, however, just starting out with concepts such as clinical integration or shared savings, moving toward making ideals such as the Triple Aim operational, well, that should make both business and legal sense.
If an organization can demonstrate to payors, federal or otherwise, that it can not only care for a group of patients but also effectively improve the overall health status of those patients, and save health care dollars to boot, that basically is a new product in the health care marketplace. Creating those efficiencies should be rewarded, and that can be done as an ACO, in a generic sense, or a Medicare ACO, in a highly regulated sense.
hipaa: enforcement begins
3.5.11
In rather dramatic fashion like the tornado in the Wizard of Oz, enforcement of the Health Insurance Portability and Accountability Act (“HIPAA”) privacy law twirled into action. Two publicized cases telegraphed clearly that the federal government’s enforcement arm for HIPAA, the Office for Civil Rights, within the Department of Health and Human Services, will begin assessing significant monetary penalties against health care providers who fail to comply with HIPAA.
The first OCR case resulted in a $4.3 million penalty against a Maryland health clinic that failed to respond to patient requests for copies of medical records. The clinic later failed to respond to OCR’s investigation and subpoena (and that conduct ended up representing a large portion of the penalty). The second case drew a $1 million penalty against a teaching hospital in Massachusetts that lost medical records when an employee left them on a subway. Obviously, these are significant penalties and likely intended to draw attention to OCR’s new enforcement work.
HIPAA privacy standards have been contemplated since 1996 and in play legally since 2003 so why all the brouhaha now? Well, tucked in the American Recovery and Reinvestment Act of 2009 (also known as the “Stimulus Bill”) were two developments (among many others) that changed HIPAA from a feel-good standards-based privacy law to an aggressive reporting and penalty-driven law. Simply put, what the Stimulus Bill did was: (a) grant OCR the ability to assess significant monetary penalties against providers who fail to comply with HIPAA; and (b) create new standards and reporting requirements for breaches of HIPAA’s security standards. This latter change was significant because it focused on breaches related to unsecured information such as paper medical charts.
What to do? Well, if you detect issues related to HIPAA, stop and think: Am I in compliance? If not, or if you have no clue, it may be time to work on some compliance planning. If you have a breach situation, take it seriously and get someone in to evaluate the breach and take corrective action. As Dorothy once said: “We are not in Kansas anymore.”
health reform: a federal summit on acos
10.1.10
On Tuesday, October 5, 2010, the federal government will host a workshop on legal issues related to the development of accountable care organizations (“ACOs”).
ACO became a buzzword in the wake of health insurance reform this past March 2010. Two sections of the Patient Protection and Affordable Care Act (Public Law 111-148) created pilot programs in the Medicare and Medicaid programs to test out the concept of using an ACO to deliver cost-effective medical care (see sections 2706 and 3022). Although these were minor sections of the reform law, ACO development has received a tremendous amount of attention in medical and legal communities.
There has been so much attention that the federal government is bringing together panels of speakers from the Federal Trade Commission (“FTC”) and the Department of Health and Human Services (“HHS”) to talk about the two main risk areas for ACO development: antitrust and antifraud laws.
The collaboration between independent health care providers usually presents some risk of anti-competitive conduct in a particular geographic market as well as some risk of Medicare or Medicaid violations if patient referrals are inappropriately paid for. Hopefully, the summit will explain those issues clearly and provide listeners some insight on whether there will be changes made to the legal playing field or if providers are left to figure all this out with the laws remaining as is.
For those who cannot attend the workshop in person, there will be options to listen in via a webcast (morning and afternoon sessions) or teleconference (afternoon session only). The reason to listen in will be to figure out what the FTC and HHS are concerned about and what industry leaders may be pushing for. If there are gaps in representation of industry stakeholders at the workshop, that should become evident too.