This morning I am in Baton Rouge, at the Louisiana Hospital Association conference center, sharing my perspectives on ACOs and the broad range of innovation in health care delivery and financing being ushered in under the Affordable Care Act.
Continuing Legal Education puts on its annual two-day extravaganza
introduction to health law this week (November 4-5). I'll be
speaking on post-acute care, and there is an all-star panel of speakers
filling out the entire two days. If you are -- as they used to say --
within the sound of my voice and have an interest, please come on
down. Bring your friends and neighbors. You can find more information
on topics, speakers and registration on the MCLE Health Law Basics Plus page.
Update 7/29/09: The FTC announced today that implementation of the Red Flags Rule will be delayed once again, this time until November 1, 2009. The agency promises to roll out additional information targeted at low-risk entities covered under the rule. Thus far, nothing has changed with respect to the rule and its ultimate effect, so organizations subject to the rule should take the extra time to assess their compliance needs and implement their plans in advance of November 1.
After a couple of delays, the FTC Red Flags Rule will be effective August 1, 2009. This rule requires "creditors" under certain "covered accounts" to maintain a heightened alertness to numerous categories of "red flags" that may indicate that the consumer who is the rightful account holder is the victim of identity theft. If a red flag is triggered, the creditor must take steps to notify the consumer and correct any inappropriate information included in the creditor's records.
As you probably already know, the FTC is extending its reach with this rule (among others) into the health care sector. (Cf. the FTC's role in enforcing certain Son of HIPAA provisions.) The AMA has all but dropped a draft complaint on the FTC's desk, citing assorted legal precedents in its correspondence with the FTC arguing that the Red Flags Rule should not apply to physician practices. The FTC is unmoved -- except to the extent that it has been willing to delay the effective date twice (from November 2008 to May 2009 to August 2009).
At any rate, the August 1 effective date is around the corner, and affected health care entities need to develop and implement compliance plans now, if they haven't already. (Even the AMA says so, and has published guidance and a sample policy for members.)
A few more general comments before stepping back and examining the language of the rule and its applicability to health care providers.
The federales are taking something of a common-sense approach here, recognizing that a compliance plan needs to be tailored to the specific entity, the nature of its "covered accounts" and its operations. Bank of America, N.A. and Springfield Medical Associates, P.C. will have very different compliance plans, because their potential red flags and the potential risks are vastly different.
Affected health care providers need to understand that the Red Flags Rule requirements overlap with HIPAA and state privacy law requirements (and looming Son of HIPAA requirements in ARRA), but will not be satisfied by implementation of existing privacy policies and compliance plans. Review of the intersection of existing policies and procedures with the new rule's requirements is the first order of business.
As with any other new regulatory scheme, preparing a compliance plan and putting it on the shelf won't cut it. The rule calls for regular monitoring of the plan and issues that arise by a senior manager. Furthermore, best practices would dictate the training of staff to deal with individual issues and, most importantly, with the affected consumers.
Even if not clearly subject to the Red Flags Rule, providers should undertake to comply, for a couple of interrelated reasons:
Good patient PR. Data security is top of mind these days. Much of the effort required under the rule should be expended anyway simply to respond to market pressures calling for improved data security.
Potential liability. The creative trial attorney will seek to use the Red Flags Rule as establishing a standard of care for the stewardship of personal information. The incensed jury will go along. The health care provider caught in the middle between thieves and victims may be the only perceived deep pocket available.
OK, so what is a "creditor" and what is a "covered account?"
Any entity that accepts payment other than payment in full at the time of service is a creditor. Health care providers that go the cash-on-the-barrelhead route aren't creditors; all others are creditors.
The FTC Guide defines covered accounts as follows: either
a consumer account you offer your customers that’s primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions; or
“any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.” Examples include small business accounts, sole proprietorship accounts, or single transaction consumer accounts that may be vulnerable to identity theft. Unlike consumer accounts designed to permit multiple payments or transactions – they always are “covered accounts” under the Rule – other types of accounts are “covered accounts” only if the risk of identity theft is reasonably foreseeable.
Any creditor with covered accounts must have a red flags rule compliance plan in place with policies and procedures for dealing with "red flags" -- i.e., signs that personal information may have been compromised. The World Privacy Forum suggests that the following red flags are the ones most applicable in the health care context:
• A complaint or question from a patient based on the patient’s receipt of:
  o a bill for another individual
  o a bill for a product or service that the patient denies receiving
  o a bill from a health care provider that the patient never patronized or
  o a notice of insurance benefits (or Explanation of Benefits) for health services never received.
• Records showing medical treatment that is inconsistent with a physical examination or with a medical history as reported by the patient.
• A complaint or question from a patient about the receipt of a collection notice from a bill collector.
• A patient or insurance company report that coverage for legitimate hospital stays is denied because insurance benefits have been depleted or a lifetime cap has been reached.
• A complaint or question from a patient about information added to a credit report by a health care provider or insurer.
• A dispute of a bill by a patient who claims to be the victim of any type of identity theft.
• A patient who has an insurance number but never produces an insurance card or other physical documentation of insurance.
• A notice or inquiry from an insurance fraud investigator for a private insurance company or a law enforcement agency.
If a situation is flagged, a creditor must take steps to mitigate the risk of identity theft or continued identity theft. Again, the World Privacy Forum notes:
There need to be uniform but appropriately flexible answers to these questions:
What do we do when a patient claims fraud is in their files?
What do we do when a patient says the bills are for services she did not receive?
What do we do for patients and other impacted victims when we uncover a fraudulent operation?
When we have a real case of medical identity theft, how can we work with patients to fix the records and limit future damages?
What do we do when a provider has altered the patient records?
How do we handle police reports and requests for investigation from victims?
The answers to these questions need to be viewed not just from the provider’s perspective, but also from the victim’s perspective, which can differ substantially.
There are a number of useful resources available for health care providers seeking to take stock of their situation, establish Red Flags Rule compliance policies and procedures, and undertake staff training on the subject. For example, the FTC, the AMA and the World Privacy Forum have all released valuable guidance documents (all linked to above) that would assist any organization with coming into compliance.
As with any effort of this sort, it is often valuable to have someone outside the organization come in to review existing policies, procedures and workflow in order to highlight potential risks and opportunities for improvement. The HealthBlawger and members of the HealthBlawger's virtual consulting network are available to come in and assess, plan and help implement compliance strategies for organizations large and small touched by the Red Flags Rule.
Whatever the size or nature of your business, please take a moment to consider how the Red Flags Rule may apply to its operations, and how it may relate to other regulatory schemes such as HIPAA and state laws.
Take some advice from the HealthBlawger in screening new employees. Check out some specifics in the current edition of DecisionHealth's Medicare Compliance Alert, offered in point-counterpoint format with tips from my friend Bill Mandell.
Last year, Massachusetts amended its Medicaid laws to require that beneficiaries headed to nursing facilities be screened to see if they could be placed instead in less restrictive settings. The Commonwealth then applied for a so-called Section 1115 waiver from Medicaid rules in order to reallocate federal funds ordinarily devoted to health care facility based care to community based care. The Massachusetts program is called Community First.
This sort of thing is clearly better for beneficiaries, and easier on the public fisc. It also echoes a longstanding effort to keep seniors in community settings, where they can be more active, and to resist medicalizing the normal aging process. The PACE program (aka the Program for All-inclusive Care for the Elderly, begun at the On Lok community health center in San Francisco a couple decades ago) graduated a few years ago from a waiver/demonstration program to a regularly recognized program for federal funding purposes. PACE keeps seniors who are eligible for nursing facility placement out of nursing facilities, arranging for all needed services through community health centers (adult day health, home health, etc.).
Assisted living facilities also sprang up over the past couple of decades as an alternative, or in some cases way-station to, nursing facilities.
There are also programs designed to keep health care facilities from being too much like health care facilities: viz. the Green House model of homelike nursing facilities.
Services cost another $3,600 to $4,000 per person a month at West Peabody, covered through the Medicaid and Medicare programs, because the residents have medical and physical conditions that would otherwise qualify them for government-paid nursing home care. The total cost per day is less than the $187 average state payment for nursing home care, but more than the state pays for the least-ill nursing home residents.
The story continues:
Because the houses are not subject to state regulation like nursing homes, some question whether residents would be adequately protected. There have been occasional abuses in state-funded homes for the mentally ill.
Organizers say there are multiple checks and balances in the way the houses are run. One of the regular duties of the elder service agencies is to investigate abuse and neglect for the state. The agencies' staff monitors the care provided in the houses. And other professionals, obligated to report abuse, are regular visitors.
The market for these services is likely robust and it will be interesting to follow the growth of this initiative in Massachusetts and elsewhere.
From the AHLA website, a valuable resource for health care providers, patients and families:
AHLA has released A Guide to Legal Issues in Life-Limiting Conditions. The document was produced as part of AHLA's public interest commitment to serve as a public resource on selected healthcare legal issues. Read or download the Guide online. The Guide has been summarized into six, easy to read one-pagers that will provide a general overview of the issues covered in each chapter of the Guidebook.
A Legal Guide to Life-Limiting Conditions provides an overview of the key legal and practical issues that arise in the care of individuals who face a life-limiting condition or who care for a loved one with a life-limiting condition. As an aid to the planning process, the Guide is organized around the continuum of care, beginning with healthy individuals who are able to live at home and following the continuum to independent retirement communities, assisted living, long term care, and an eventual return to the home with the aid of hospice services.
Following the recommendations of a commission established by the legislature in 2004, the Massachusetts Department of Elder Affairs adopted final revised assisted living regulations in August. The new regulations may be viewed here. A redline against the prior version is available here. Certified assisted living facilities have until December 10 to come into compliance with the new regulations. Some operational changes may be required, and facilities' residency agreements and operating plans will have to be revised.
While some of the revisions are limited to improved wordsmithing and correctives to situations that have arisen in the past, a number of changes appear to medicalize some services provided by ALFs. At first blush, this is puzzling. After all, with the adoption of the assisted living statute in Massachusetts in 1994, the Commonwealth took the position that assisted living services are not health care services; now, the changes to the regulations are a tacit recognition that assisted living facilities house care that encompasses health care services. The policy and fiscal question raised by this admission is whether the Commonwealth -- and other states -- should assume once more the financial responsibility for services provided to some assisted living residents (beyond the limited avenues currently open to such funding, such as Massachusetts' group adult foster care program) as they do for care provided to some nursing facility residents, through the Medicaid program.
Leaving the policy question aside, it is clear that the industry welcomes at least some of these higher standards. In fact, the industry supported legislation in the last session that would have done some of the same things (see this old press release) as it helps high-quality providers, and providers of specialized services (e.g., dementia units) differentiate themselves from others in the industry.
Stay tuned as ALFs learn more about the new regulations at Elder Affairs training sessions next month, and as they work on revisions to operating plans, residency agreements, and facility staffing and operations.