Red Flags Rule: The FTC piles on, because HIPAA, ARRA and overlapping state laws just weren't enough

After a couple of delays, the FTC Red Flags Rule will be effective August 1, 2009.  This rule requires "creditors" under certain "covered accounts" to maintain a heightened alertness to numerous categories of "red flags" that may indicate that the consumer who is the rightful account holder is the victim of identity theft.  If a red flag is triggered, the creditor must take steps to notify the consumer and correct any inappropriate information included the creditor's records.

As you probably already know, the FTC is extending its reach with this rule (among others) into the health care sector.  (Cf. the FTC's role in enforcing certain Son of HIPAA provisions.)  The AMA has all but dropped a draft complaint on the FTC's desk, citing assorted legal precedents in its correspondence with the FTC arguing that the Red Flags Rule should not apply to physician practices.  The FTC is unmoved -- except to the extent that it has been willing to delay the effective date twice (from November 2008 to May 2009 to August 2009).

At any rate, the August 1 effective date is around the corner, and affected health care entities need to develop and implement compliance plans now, if they haven't already.  (Even the AMA says so, and has published guidance and a sample policy for members.)

A few more general comments before stepping back and examining the language of the rule and its applicability to health care providers.

The federales are taking something of a common-sense approach here, recognizing that a compliance plan needs to be tailored to the specific entity, the nature of its "covered accounts" and its operations.  Bank of America, N.A. and Springfield Medical Associates, P.C. will have very different compliance plans, because their potential red flags and the potential risks are vastly different.

Affected health care providers need to understand that the Red Flag Rule requirements overlap with HIPAA and state privacy law requirements (and looming Son of HIPAA requirements in ARRA), but will not be satisfied by implementation of existing privacy policies and compliance plans.  Review of the intersection of existing policies and procedures with the new rule's requirements is the first order of business.

As with any other new regulatory scheme, preparing a compliance plan and putting it on the shelf won't cut it.  The rule calls for regular monitoring of the plan and issues that arise by a senior manager.  Furthermore, best practices would dictate the training of staff to deal with individual issues and, most importantly, with the affected consumers.

Even if not clearly subject to the Red Flags Rule, providers should undertake to comply, for a couple of interrelated reasons:

• Good patient PR.  Data security is top of mind these days.  Much of the effort required under the rule should be expended anyway simply to respond to market pressures calling for improved data security.
• Potential liability.  The creative trial attorney will seek to use the Red Flags Rule as establishing a standard of care for the stewardship of personal information.  The incensed jury will go along.  The health care provider caught in the middle between thieves and victims may be the only perceived deep pocket available.

OK, so what is a "creditor" and what is a "covered account?"

Any entity that accepts payment other than payment in full at the time of service is a creditor.  Health care providers that go the cash-on-the-barrelhead route aren't creditors; all others are creditors.

The FTC Guide defines covered accounts as follows: either

• a consumer account you offer your customers that’s primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions; or

• any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.” Examples include small business accounts, sole proprietorship accounts, or single transaction consumer accounts that may be vulnerable to identity theft. Unlike consumer accounts designed to permit multiple payments or transactions – they always are “covered accounts” under the Rule – other types of accounts are “covered accounts” only if the risk of identity theft is reasonably foreseeable.

Any creditor with covered accounts must have a red flags rule compliance plan in place with policies and procedures for dealing with "red flags" -- i.e., signs that personal information may have been compromised.  The World Privacy Forum suggests that the following red flags are the ones most applicable in the health care context:

• A complaint or question from a patient based on the patient’s receipt of:
   o a bill for another individual
   o a bill for a product or service that the patient denies receiving
   o a bill from a health care provider that the patient never patronized or
   o a notice of insurance benefits (or Explanation of Benefits) for health services never received.
• Records showing medical treatment that is inconsistent with a physical examination or with a medical history as reported by the patient.
• A complaint or question from a patient about the receipt of a collection notice from a bill collector.
• A patient or insurance company report that coverage for legitimate hospital stays is denied because insurance benefits have been depleted or a lifetime cap has been reached.
• A complaint or question from a patient about information added to a credit report by a health care provider or insurer.
• A dispute of a bill by a patient who claims to be the victim of any type of identity theft.
• A patient who has an insurance number but never produces an insurance card or other physical documentation of insurance.
• A notice or inquiry from an insurance fraud investigator for a private insurance company or a law enforcement agency.

If a situation is flagged, a creditor must take steps to mitigate the risk of identity theft or continued identity theft.  Again, the World Privacy Forum notes:

There need to be uniform but appropriately flexible answers to these questions:

• What do we do when a patient claims fraud is in their files?
• What do we do when a patient says the bills are for services she did not receive?
• What do we do for patients and other impacted victims when we uncover a fraudulent operation?
• When we have a real case of medical identity theft, how can we work with patients to fix the records and limit future damages?
• What do we do when a provider has altered the patient records?
• How do we handle police reports and requests for investigation from victims?

The answers to these questions need to viewed not just from the provider’s perspective, but also from the victim’s perspective, which can differ substantially.

There are a number of useful resources available for health care providers seeking to take stock of their situation, establish Red Flags Rule compliance policies and procedures, and undertake staff training on the subject.  For example, the FTC, the AMA and the World Privacy Forum have all released valuable guidance documents (all linked to above) that would assist any organization with coming into compliance. 

As with any effort of this sort, it is often valuable to have someone outside the organization come in to review existing policies, procedures and workflow in order to highlight potential risks and opportunities for improvement.  The HealthBlawger and members of the HealthBlawger's virtual consulting network are available to come in and assess, plan and help implement compliance strategies for organizations large and small touched by the Red Flags Rule.

Whatever the size or nature of your business, please take a moment to consider how the Red Flags Rule may apply to its operations, and how it may relate to other regulatory schemes such as HIPAA and state laws.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

David Harlow and John Moore talk with Gregg Masters about HITECH Act, Certified EHRs and Meaningful Use on Blog Talk Radio

John Moore and I spoke with Gregg Masters on Blog Talk Radio today about the HITECH Act provisions in ARRA, certification of electronic health records systems, and the meaning of "meaningful use."

The Meaningful Use "matrix" laying out the five-year plan, laying out care goals, objectives and measures across five health outcomes policy priorities is available on the Health IT at HHS website. Those policy priorities:

1. Improve quality, safety, efficiency and reduce health disparities
2. Engage patients and families
3. Improve care coordination
4. Improve population and public health
5. Ensure adequate privacy and security protections for personal health information

The alphabet soup of government workgroups is working fast to firm up these and other definitions, which will help break up the logjam in EHR investment and implementation.

Have a listen and let us know what you think.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

#hcsm means Healthcare Communications and Social Media: Last night's legal edition was fast and furious

Tom Stitt and Dana Lewis host a weekly "tweetchat" on healthcare communications and social media, known as healthsocmed or hcsm.  Last night, Daniel Goldman, legal counsel at The Mayo Clinic, aka @danielg280, and I, aka @healthblawg, were lawyers-on-the-spot for a special legal edition.  There were interesting questions raised regarding social media, patients, providers, privacy, HIPAA, and lots more.  There were innumerable cross-conversations going on.  One participant noted later that over 900 tweets had been posted in the #hcsm tweetstream in the hour or so allotted (about twice the usual volume), which made it impossible to follow all of them in real time, unfortunately.  I had the chance to look over the stream afterwards, and offer some follow-up responses to questions not fully answered during the session. 

@HITshrink posted some organized excerpts from the stream on his blog; check them out for a more orderly taste of the experience.

Kudos to Tom and Dana for making this happen.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Blog Talk Radio: David Harlow featured in health care reform discussion on Gregg Masters' Net Health Reform

I had the pleasure of discussing the current crop of health care reform policy options with Gregg Masters and a number of callers today on Blog Talk Radio.  The hour-long show is available for your listening pleasure here (streaming or download).  Please let me know if you like the content and/or format.  Gregg (aka @2healthguru on twitter, where we first met) and I plan to produce future shows and are interested in your comments and suggestions on focused topics for discussion.

Thanks for listening and for your feedback.

For further reading, some of the materials we discussed include the three Senate Finance Committee policy options reports and related materials, Obama's letter to Senate Democrats, his radio/internet address from last weekend, Senator Kennedy's draft Affordable Health Choices Act, and the Tri-Committee draft released by the House Committees on Ways and Means, Energy and Commerce and Education and Labor.  There are a number of milestones on the march through committees and to the floors of both chambers, and on to the President's desk in October/November.  And finally, a useful tool for those of you keeping score at home is the Kaiser Family Foundation health reform proposal comparison.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Physician recruitment and contracting column published in ACHE Journal of Healthcare Management

The American College of Healthcare Executives' bimonthly journal has a column I wrote with my colleague, Ken Cohn, in the current issue: Field-Tested Strategies for Physician Recruitment and Contracting.  Please let us know what you think.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Retail Health Clinic Summit: Can we get there from here?

At one of the pre-summit workshops yesterday, Tom Charland (ex-MinuteClinic exec and now consultant) channeled Clay Christensen (Mr. Disruptive Innovation) for a while and laid it on the line: unless retail clinics find a way to beef up off-season volume for at least 5-6 years, they may be dead in the water.  In that time, if Christiansen is right, HSA/HDHPs will become much more prevalent than they are today -- prevalent enough so that retail clinics could safely opt out of health insurance plan provider networks and have a sufficient patient base to draw from.

In the interim, Tom and I agree that retail health clinics need to break out of current operating modes, particularly into chronic care / disease management.  In fact, I was quoted on this point towards the end of a thoughtful piece on retail health clinics in BNA's Health Care Policy Report last month.  Retail clinic providers (including one from Spain), other consultants, payor representatives, drug and device reps, urgent care center operators, and even the US Armed Forces (planning a pilot project foray into retail health clinics) all showed up for the Summit, which provided a mix of perspectives on challenges and opportunities facing this nascent industry.

Slides from my talk at the summit on the Massachusetts experience, and lessons for the future  -- especially the need to move into chronic care and to partner more effectively with health care systems -- are provided here for your viewing pleasure.  My work with all components of health care systems -- including physicians -- makes clear that these combinations have the potential to be very powerful, and makes equally clear that the groundwork must be laid carefully with physician partners and champions in order to ensure the success of such an undertaking.

Retail Health Clinic Summit 2009 - The Massachusetts Experience and Lessons Learned

View more OpenOffice presentations from DavidHarlow.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

FY 2010 IPPS: Federales sucker punch the hospital industry

CMS published the FY 2010 IPPS (hospital inpatient prospective payment system) rule and rates on Friday May 22.  I'll offer just some highlights of the 608-page monstrosity here, focusing on the short-term acute care portion; the long term acute care hospital (LTACH) rates are in here, too.

First and foremost: Acute care hospitals will enjoy just a 0.2% increase in DRG payments for the year beginning October 1, 2009.  The rule provides for a 2.1% adjustment for all hospitals reporting RHQPAPU measures (which is virtually everyone); 0.5% if not reporting.  The sucker punch: a 1.9% negative adjustment to adjust for the shift to the severity-adjusted MS-DRG system in FY 2008-09 and the concomitant attention to reporting, which the federales say resulted in higher reimbursements without a change in acuity.  There is a total 8.5% negative adjustment to be made which CMS is deferring so as not to whack the industry excessively just now.  Congress has come to the rescue once, reducing the cuts and deferring the day of reckoning, but that day has now come.  It remains to be seen whether Congress will seek to defeat or defer these cuts again (and again) a la the SGR.  Comments are invited; the AHA and others are already steamed.

One bright spot: orthopedic MS-DRG codes are bucking the trend and see a more significant increase.

A note of caution for hospitals: Even though complete documentation and coding led to the negative adjustment, folks need to continue to do a good job of documentation and coding, since that's what the MS-DRG system is all about.

On the RHQDAPU front: the federales are taking baby steps towards automating the reporting process, testing the transmission system direct from hospital records to a central repository with three measures not currently used for payment incentives.

This year the proposal is to add two new measures to the 44 currently in use (for FY 2011) (see chart in linked Federal Register document, 74 FR 24171-72, pp. 93-94 of pdf) , and 69 additional measures are identified that might be used in the future (74 FR 24172-73, pdf pp. 94-95).  Also interesting is the fact that one measure is being taken off the list based on research tying IV beta blockers to elevated mortality risk in certain populations, and related practice guidelines evolution.  In addition, other measures may come off the list if they've "topped out" with near-universal compliance -- like a pneumonia oxygenation assessment measure.  Comments are invited on determining when to retire criteria and also on the criteria for establishing new criteria.  These criteria are significant, so I quote this section of the commentary in full:

In the FY 2009 IPPS proposed rule, we solicited comments on several considerations related to expanding and updating quality measures, including how to reduce the burden on the hospitals participating in the RHQDAPU program and which approaches to measurement and collection would be most useful while minimizing burden (73 FR 23653 through 23654). In the FY 2009 IPPS final rule, we responded to public comments we received on these issues (73 FR 48613 through 48616). We also stated that in future expansions and updates to the RHQDAPU program measure set, we would be taking into consideration several important goals. These goals include: (a) Expanding the types of measures beyond process of care measures to include an increased number of outcome measures, efficiency measures, and patients’ experience-of-care measures; (b) expanding the scope of hospital services to which the measures apply; (c) considering the burden on hospitals in collecting chart-abstracted data; (d) harmonizing the measures used in the RHQDAPU program with other CMS quality programs to align incentives and promote coordinated efforts to improve quality; (e) seeking to use measures based on alternative sources of data that do not require chart abstraction or that utilize data already being reported by many hospitals, such as data that hospitals report to clinical data registries, or all-payer claims data bases; and (f) weighing the relevance and utility of the measures compared to the burden on hospitals in submitting data under the RHQDAPU program. Specifically, we give priority to quality measures that assess performance on: (a) Conditions that result in the greatest mortality and morbidity in the Medicare population; (b) conditions that are high volume and high cost for the Medicare program; and (c) conditions for which wide cost and treatment variations have been reported, despite established clinical guidelines. We have used and continue to use these criteria to guide our decisions regarding what measures to add to the RHQDAPU program measure set.

The goals of the RHQDAPU articulated here bear close reading.  These are core values that CMS is seeking to refine further -- comments are welcome -- and it seems to me that these core values will continue to inform quality measurement and value based purchasing initiatives of the agency in the future.  The main problem I have with the approach taken to date (and I've been saying this for quite a while) is that the federales -- and other payors -- are asking providers to track too many indicators.  It is possible to track a small number of indicators that are predictive of other quality performance measures.  (Two key people who agree with this perspective are Don Berwick of the Institute for Healthcare Improvement and Leah Binder of the Leapfrog Group, each of whom I've had the opportunity to talk with about this issue, among other things.)  My other problems with the approach are that too little of the total payment is at stake (2%), and that the system is set up as a pay-for-reporting system, not a pay-for-performance system.     

No new hospital-acquired conditions (HACs) are being added to the no pay for never events rule this year.  A very significant fact was tucked away near the very end of the publication (74 FR 24669; pdf p. 591): The no pay for never events rule is only expected to save the federales $21-22 million a year, because most cases with HACs have other comorbidities that result in higher MS-DRG payments anyway.  Sounds to me like this is a rule crying out to be rewritten:  All the hoo-ha over hospital-acquired conditions and no pay for never events and the federales are saving just a measly $21 million a year???  Either tighten it up so that real savings can be achieved or toss it.

Update May 26, 2009: And while the hospitals are down, CMS is cutting indirect GME capital reimbursement to nil.  At least one state hospital association sees these changes as leading to layoffs and closures.

There are many more proposed changes and updates in this reg, but the last I'll touch on here is the EMTALA sanction waiver, which would essentially provide a 72-hour waiver of EMTALA (except for patient dumping based on source of payment) in case of implementation of a hospital disaster protocol.  There is, of course, a pandemic infectious disease exception (for all you swine flu eschatologists out there) extending the 72-hour waiver til the end of a declared public health emergency.

The comment period is open through June 30; a final rule is expected by the end of July, and new rules and rates will be effective October 1.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

HealthCamp Boston / SocialPharmer Boston Twitterstream via Cover It Live

HealthCamp Boston and SocialPharmer Boston are taking place today.  For those of you on site, please live tweet using hashtags #hcbos or #socpharm.  For those of you following along at home, please follow those hashtags in your reader of choice, or right here.  Separate windows are provided for #hcbos and #socpharm (each will have more than one thread, so mashing them together seemed too unwieldy).  The twitterstream will be archived here for future reference.  Information on audio and video archives will be available via the event website at some point in the future.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

HealthCamp Boston April 21 - Come join in the fun, or follow along at home

HealthCamp Boston and SocialPharmer Boston are happening tomorrow, April 21.  If you can't make it in person and would like to follow the events of the day, check back here at HealthBlawg for CoverItLive windows: one will be set to follow the #hcbos twitterstream, the other, the #socpharm stream.  If you are on twitter, use your reader of choice.  The tweets will be archived here for future reference.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

MGH pediatric heart surgery: Volume, volume, volume, or, How low can you go?

Today's Boston Globe reports that Massachusetts General Hospital has voluntarily suspended operation of its pediatric cardiac surgery program, following two significant negative outcomes.  MGH is conducting an internal investigation, much as UMass Memorial suspended its heart surgery program while investigating higher-than-average CABG mortality rates a while back (see HealthBlawg interview with UMMMC general counsel Doug Brown on its cardiac surgery program).  David Torchiana and MGH will certainly be able to identify opportunities for improvement, as did UMMMC, by going through this exercise.  UMass Memorial restarted its program after implementing quality improvements it identified through the review process.  The question on many minds today is whether it makes sense for MGH to continue to run such a program, with the relatively low volume that it has, given the resources and existing programs of Boston's nearby Children's Hospital.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting