in december, the office for civil rights (ocr) within the federal department of health and human services published new guidance documents related to the electronic exchange of health information. notably, ocr clarified some of the confusion surrounding the application of the health insurance portability and accountability act (hipaa) privacy standards to the development of online personal health records (phrs). if a hipaa covered entity such as a hospital or doctor's office hired a private phr company to develop phrs for their patients, the covered entity must safeguard the health information stored in the phr. ocr indicated this could be done through a hipaa business associate agreement between the covered entity and the phr company. where an individual patient rather than a covered entity elects to store their health care information directly with a phr company, hipaa basically does not apply to that company even if the company advertises that it is "hipaa-compliant." as a result, the health information stored in the phr might be subject to unregulated uses or disclosures not intended by the individual. ocr cautioned that individuals should review a phr company's privacy policies to see how their information will be protected, or not. if a covered entity receives a request from an individual to have health information sent to a phr company, ocr made it clear that the covered entity may do so with the individual's written authorization as required by hipaa. while the new ocr documents are helpful, there likely will be many legal issues associated with phrs as they become more commonplace.
12.30.08
this november, the american medical association (ama) encouraged physicians to do a check-up on the effectiveness of their claims processing with health plans. while some of the recommendations were straightforward such as "prepare and submit accurate claims," other concepts probably left many physicians wondering if the time and cost of reviewing health plan payments was a worthy effort. after all, figuring out health plan contracts can be like fumbling around inside a big black box. unfortunately, there is no magic fix. but, three basic tasks can help shed some light inside that dark box. the first task is to review and understand health plan contracts before they are signed off on. there are resources available for understanding contracts including one at the ama. sometimes, for example, health plans use negotiation tactics by saying blanketly "state law requires this" or "medicare law requires that" as a way to argue that contract language cannot be changed. the language may overreach though and is more than the law requires. in that case, be polite, and ask that the contract simply follow state or federal law. the second task, once a contract is entered into, is for a physician practice to respond to contract issues in a timely fashion. the only way to do that is to have contracts handy and to have a process in place to compare payments with actual reimbursement terms. yes, this kind of responsive administrative time does take some effort, but like anything worthwhile, it gets easier with practice. finally, if particular claims are problematic or if a more systemic issue is identified, the third task is to report on those matters either through an internal appeal process with a particular health plan or to a physician advocate such as the ama or a local trade association if matters appear broader than just one physician practice. by reviewing, responding to, and reporting on health plan contracting issues, a physician practice hopefully will improve its claims processing function.
11.30.08
"what are red flag rules?" the harried medical office manager asked her business attorney. "umm, something to do with the federal trade commission, but i will have to get back to you," he responded. and, that is pretty much what many physician offices seem to be asking these days. red flag rules are regulations created by the federal trade commission (ftc) which require financial institutions and creditors to implement written identity theft programs to detect, prevent, and mitigate instances of identity theft. obviously, the rules were intended to focus on financial institutions, but a huge gray area now exists about the application of the rules to the health care industry which already is governed by privacy and security regulations. the ftc's position seems to be that the rules would apply if a health care provider is deemed a creditor of a patient, and that could happen if the provider simply sends a bill to a patient after services are rendered. the american medical association warned the ftc about likely noncompliance given many physician practices were unaware of the rules. as a result, the ftc delayed the effective date of the rules from november 1, 2008 to may 1, 2009, but gave no indication that the rules clearly apply to health care providers. for now, all health care providers, including physicians, are cautioned to keep an eye on developments through their trade associations, and be prepared to devote some time and resources to implementing identity theft programs as an extension of their health care privacy and security obligations.
10.28.08
"i bought this new car..." someone named bob told the first year lawyer over the phone. "and, i heard i have three days to return it?" bob asked hopefully. "bob, i think you bought a car," replied the lawyer. in states like oregon, there is a law that provides a three-day rule or cooling off period for a narrow list of consumer purchases. unfortunately, for bob, new cars are not on the list. the lessons learned for bob readily can be applied to most health care contracting scenarios. once you sign a contract, you are bound by the terms of the contract. your cooling off period should take place before you actually sign the agreement. so take time to review the contract and understand its terms. if possible, obtain clarification of language that is vague or ambiguous. and, most importantly, if you have an attorney review the contract, make sure the review is done before you sign on the dotted line.
9.30.08
this month, the centers for medicare and medicaid services (cms) released a transmittal updating the medicare claims processing manual to include a new denial code for contractors to use when denying claims based on a violation of the physician self-referral statute (stark law). while the transmittal and the accompanying educational article sound benign, the legal and practical issues involved with implementation and use of a denial code by medicare claims processing contractors are unclear. the article states that contractors will use the code any time they deny a claim because a physician has a financial interest in a designated health services (dhs) provider and fails to meet a stark exception. the appearance of a new stark denial code implies two things: (1) cms is ramping up to look more closely at stark issues; and (2) cms is saying that stark violations can be analyzed at the carrier or intermediary level. simplification of stark is a nice ideal, but the actual complexity of the regulations calls into question how the code will be used. will carrier staffs begin to make judgment calls about the legality of physician referrals? if so, will there be a special appeal process for this new denial code? is the new code retroactive? cms has not provided any additional guidance other than to announce the denial code will become effective january 1, 2009. physicians and other entities such as hospitals should be asking themselves if they are stark compliant, and they should be asking their trade associations to question cms about how the code will be used.
8.29.08
in the midst of the political posturing over undoing physician medicare fee cuts this july, the centers for medicare and medicaid services (cms) released a report about the results of an aggressive pilot program to outsource audits of medicare claims to private audit firms. the recovery audit contractor (rac) program was created by the same federal law that implemented the medicare prescription drug program back in 2003. in short, cms stated that during the initial three year demonstration, $1.03 billion in medicare improper payments were detected. of that amount, cms reported that 96% of the payments (or $993 million) represented overpayments and only 4% (or $38 million) were underpayments. at first glance, those percentages are difficult to believe, and may be explained by the fact the private audit firms were paid roughly 20% (or $187 million) of what they recovered in overpayments due to their fees being calculated on a contingent basis. hence, there was little incentive for a rac auditor to locate or report underpayments. cms announced that the program will be expanded from the initial six to all fifty states. practically, there may be little an average provider can do to challenge an audit. there are appeal rights, but cms reported very few audits have been challenged (although some of the data indicated providers such as physicians initiated appeals more frequently than hospitals). presumably, the bulk of providers are cutting their losses if the legal costs of an appeal are determined to outweigh paying what was demanded to settle a dispute over alleged overpayments. providers should consider reporting rac audit activity to their local and state trade associations for informational purposes, and consult with counsel if rac audit techniques or results appear questionable. short of cutting back on medicare business to lower legal and financial risk, a provider will want to remain as up to date as possible on reimbursement guidelines from their regional carrier or intermediary and document any gray area issues. the rac process likely will not be finely tuned, but broad and difficult to challenge. rac work in oregon and washington is slated to start january 2009 or later.
7.28.08
"do you really have to document extra training for pain management?" the physician grumped. "yes," the office manager sighed. "why?" quipped the physician again. "because oregon law requires it." and so, the dialogue continues around the state of oregon for many health care professionals surprised to find out they have a pain management training requirement tied to their licensure. in 2007, the oregon legislature updated an existing law that mandates physicians, physician assistants, nurses, psychologists, chiropractors, naturopaths, acupuncturists, and pharmacists complete a one-time requirement of pain management education. the updated law added dentists, occupational therapists, and physical therapists to the list. pain management education includes one online course developed by the oregon department of human services (dhs) plus another six additional continuing education hours. licensing boards such as the oregon medical board (formerly the board of medical examiners) have put the requirement into an administrative rule. each licensed professional covered by the law should review their licensing board websites or administrative rules about the pain management requirement. the key issues for professionals are to watch out for deadlines (some may have passed) and maintain proper documentation in their own files about completing the online course and additional education. for example, currently licensed physicians have until january 2, 2009 to complete their education and the board instructs licensees to keep documentation in a safe place. dhs maintains a short list (and by no means the only list) of ongoing continuing education opportunities in addition to the online course.
6.25.08
on may 21, 2008, president bush signed into law a federal bill that starts to address the issue of genetic discrimination. the genetic information nondiscrimination act (gina) contains two basic parts. first, one set of standards seeks to regulate the use of genetic information by health insurers in the underwriting process. and, second, another set of standards attempts to prevent employers from using genetic information to discriminate against employees. much like the health insurance portability and accountability act (hipaa) from over a decade ago, gina likely will be followed by far more detailed agency regulations compared to the basic language of the statute. the issues of genetic discrimination and genetic privacy (which are different issues) are complex because of their deeply scientific roots and the fact it is unclear what some special interest groups want to do with knowledge or ownership of information about each individual's unique genetic code. in states, like oregon, which have both genetic discrimination and privacy protections, state legislators should be mindful of those interest groups that claim the state must align its own standards with federal standards (possibly lowering the state standard). remember, both hipaa and gina are highly negotiated baselines, not the best we can do. notably, there are many unanswered questions about the potential permitted uses of genetic information under gina. such as, why do health insurers need access to genetic information for research purposes? or, why are health insurers permitted to use genetic information for payment purposes? also, will the health insurance aspects of gina preempt similar or perhaps more protective state laws? to be clear, gina is a positive step toward creating an awareness about genetics and the law. but, genetic information is unlike other health information because it is uniquely personal and we are terribly uneducated about the potential uses of that information. as always with complex federal legislation, a significant amount of time likely will pass before we truly grasp the effect of gina.
5.27.08
on april 15, 2008, the department of health and human services enforcement arm, known as the office of inspector general (oig), posted another in a series of open letters to providers who do business with the federal health care programs. this latest letter addressed the issue of making voluntary self-disclosures to the government about potential health care fraud. in short, oig tried to assure providers that if they file their disclosure correctly, they likely will receive credit for voluntarily coming forward. as always, the devil will be in the details. unfortunately, there is so little public information available about the inner workings of the oig's disclosure protocol and process, that it is difficult to know if the open letter signals any major change for oig. jumping at the disclosure protocol as a way to shield a provider organization from fraud allegations can be a trap for the unwary. why? well, even oig acknowledges that settlement negotiations with entities filing under the protocol will start at some multiple of the alleged damages to the health care programs. so for matters involving overpayments or erroneous billing errors (versus outright fraud or false claims), a filing under the protocol could box a disclosing entity into admitting it may have violated federal law when it did not really do so. what does appear to be a new offering, however, is the statement that oig generally will not require a disclosing provider to enter into a corporate integrity agreement (cia) or certification of compliance agreement (cca) as part of a settlement with oig (assuming the provider has adopted effective compliance measures). a cia and cca basically are contracts between the provider and oig that mandate audits and reports for a number of years. presumably, the beneficiaries of such a change in practice under the protocol will be limited to larger health care organizations with sophisticated compliance plans. new lessons? perhaps, but as always with compliance issues, providers should correctly identify the problem and appropriately develop a corrective action plan. whether that plan involves a protocol filing will still need to be carefully considered.
4.25.08
"is it legal for my doctor to prescribe me a new medicine for an off-label use?" the panicky patient asked the doctor's nice nurse. the nurse simply said "we do it all the time so it must be okay." the patient wondered if the nurse was right. in general, there seems to be some confusion about off-label drug use in the medical community. off-label basically means that a drug is being prescribed for a medical purpose that is not indicated on the labeling for the drug approved by the federal food and drug administration (fda). from a legal perspective, the issue distills down to the difference between off-label "use" versus off-label "marketing." this month, a former ceo of a drug company was indicted on criminal charges for off-label marketing of a drug. under the ceo's watch, the company apparently promoted a drug for a use that was not approved by the fda and relied on sketchy medical information to develop its promotional campaign. typically, drugs regulated by the fda, only may be marketed for approved purposes listed on the labeling for the drug. sounds logical. but, if a physician learns that a drug may be effective in treating another disease, could the physician prescribe the drug for a non-approved use? given the potential for confusion about prescribing drugs, the american medical association developed a policy that clarifies physicians may use an fda-approved drug for an unlabeled indication when such use is based upon both sound scientific evidence and sound medical opinion (see policy h-120.988). in sum, marketing for off-label use, bad, prescribing for off-label use, okay, if it is consistent with the practice of good medicine.
3.27.08
"are my online medical records protected by privacy laws?" asked the savvy client of his stately lawyer. "it depends," was the lawyerly lawyer response. but, what a good question. typically, only "covered entities" such as a doctor's office are required to follow the federal privacy and security protections for medical record information. those protections are part of the health insurance portability and accountability act (hipaa) and its accompanying regulations. hipaa protections may not apply, however, to private online database companies that simply store medical record information for the convenience of patients. in all likelihood, a doctor's office would want some written assurance from the database company (i.e., through a business associate agreement) that if they forward medical record information at the patient's request, the company will follow hipaa's protections. state privacy laws may apply too, but each state is different. further, enforcing privacy violations against a national online company may be difficult especially if there is a user agreement containing clauses that permit use of information for marketing or other purposes. notably, congress introduced legislation in response to the legal dilemma, but the bill, as they say, is stuck in committee. should congress fail to address the legal issues and patients sign up to put more information directly online themselves, the rule of thumb will remain: buyer beware.
2.28.08
in oregon last month, the state supreme court erased a statutory damages cap in malpractice lawsuits brought against employees of the state's public teaching hospital. in clarke v. oregon health sciences university, the court reasoned that while a $200,000 cap on tort damages was okay with respect to the public hospital itself, the cap was not okay when applied to negligent employees. in other words, when the oregon legislature passed a law in 1991 that shielded health care providers employed at the hospital from any tort liability, it unconstitutionally eliminated a remedy that should have been available to negligently injured patients. because this case was predictable in the wake of earlier oregon tort cap challenges, the court sent the strongest message possible to the state legislature to restore a more appropriate cap immediately. in the short term, eliminating the cap probably will make medical treatment at the hospital more conservative and less cutting edge. that would be unfortunate. no, the sky is not falling, and business solutions exist to manage the new risk. but, the fact that health care providers at one institution will be exposed to substantially greater damages seems like a pretty darn good reason to start a renewed debate about that dreaded phrase: "tort reform." can one state legislature use the momentum of a tort case to create a fairer, more accessible, and balanced compensation system for medical injuries not just for one institution but the entire health care system statewide? perhaps that is a pipe dream. the debate, however, is worth thinking about and undertaking if conducted appropriately.
1.31.08
Copyright 2000-2008 healthlawoffice.com