16 posts categorized "IDTF"

December 28, 2009

Health Reform: What's a Provider to Do?

What should health care providers be doing in anticipation of the likely passage of an historic health reform bill?  There are at least three possibilities: (1) Lament the passing of the good old days and oppose it; (2) Insist that it isn't good enough because it is lacking some key provision (tort reform; SGR replacement; robust public option); or (3) Embrace it, because incrementalism works, and prepare for what's coming down the pike.

As you may guess, I would recommend taking the third approach, which requires focused preparation for the road that lies ahead.  So, what is a provider to do?

In the future, there will be pilots, demonstrations and mainstream programs trying to do more with less: providing health insurance and health care services to more people, with effectively fewer dollars per capita.  Payors -- be they public sector or private sector -- will therefore be squeezing providers.  The House and Senate versions of the health reform bill are equally clear on this point.  Providers therefore need to be proactive in preparing themselves to provide high-quality health care services at competitive rates.  Instead of simply resigning themselves to negotiating percentage discounts off of current rates of payment, all providers need to be prepared to negotiate global payments, pay for performance deals, quality incentives and more -- as some forward-thinking provider organizations have been doing for some years now.

In order to be able to negotiate these terms effectively, providers must have a good handle on their own cost structure, and must begin to work at developing broader alliances of providers so as to be better positioned for negotiations with public and private payors.

In my years of experience in working with health care providers at that moment -- the point in time when folks with otherwise disparate interests realize the tremendous value of working together effectively in order to simultaneously promote better clinical outcomes for patients and better financial outcomes for providers -- I am always heartened by the epiphanies of the providers who realize that a new approach, or a new structure, can take them beyond their historical, positional, sometimes defensive attitudes, and into a future that they are able to shape and help define.

I look forward to working with more providers and provider organizations at this critical juncture so that they can be prepared for the future that will soon be upon us, and so that they can have a hand in crafting that future.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

September 25, 2009

HITECH Act security breach rules now effective; federales give a six-month pass. Now's the time to kick compliance efforts into high gear

Two key Son of HIPAA rules mandated by the HITECH Act are now effective.  Both the FTC and HHS have finalized their security breach notification requirements and have assured the regulated community that they have six months to get their collective houses in order.

Please take the time to peruse both the HHS Son of HIPAA security breach notification rule and the FTC Son of HIPAA security breach notification rule.  I discussed the impact of the breach notification rules and their enforcement when they were issued as "guidance" and draft regs in April at HealthCamp Boston and will be posting more information about them in the near future.

A few points to consider for now:

  • The HHS breach notification rule layers encryption standards -- how to render health information "unusable, unreadable or indecipherable" -- for data at rest, data in use and data in motion, on top of the HIPAA privacy and security rules.
  • Encryption is not required, but a security breach with respect to non-encrypted data triggers public notice requirements (i.e., alert the media) in addition to data subject notice requirements.
  • The FTC rules widen the net, imposing HIPAA-"covered-entity"-like obligations on business associates including, e.g., PHR vendors and other non-covered-entity repositories of health information. 
  • As an aside, greater regulation of other business associates under HIPAA will be effective in February; business associates will have to implement policies and procedures similar to those now required only of covered entities.
  • Enforcement will be ratcheted up after six months.  Greater sanctions are available for regulators to impose, and the FTC is a tougher enforcer than HHS has been on the HIPAA front to date.

With all this in mind, now is the time to examine policies and procedures, update them to comply with new rules -- Son of HIPAA rules and related/overlapping FTC Red Flag Rules (effective November 1) and state data security rules -- train staff to follow the policies and procedures consistently, and communicate commitment to these standards to your various constituencies: patients, other health care providers, business partners, etc.

The Harlow Group LLC stands ready to assist covered entities and PHR providers in assessing the regulatory landscape, conducting an audit of current policies and procedures, and moving from a gap analysis to developing a fully compliant program and staying ahead of the curve going forward.  Please be in touch to learn more about our approach.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

July 15, 2009

Red Flags Rule: The FTC piles on, because HIPAA, ARRA and overlapping state laws just weren't enough

Update 5/28/10:  Red Flags? Nah ... nothin' but blue skies.  The FTC delays implementation of the Red Flags Rule yet again, to December 31.

Update 11/3/09:  The FTC announced that implementation of the Red Flags Rule will be delayed once more, this time until June 1, 2010.  The announcement came on the heels of losing a court case to the American Bar Association -- the court ruled that the rule does not apply to lawyers -- and on the heels of a legislative attempt to bar its applicability to small health care, accounting and legal practices.  Stay tuned.  

Update 7/29/09:  The FTC announced today that implementation of the Red Flags Rule will be delayed once again, this time until November 1, 2009.  The agency promises to roll out additional information targeted at low-risk entities covered under the rule.  Thus far, nothing has changed with respect to the rule and its ultimate effect, so organizations subject to the rule should take the extra time to assess their compliance needs and implement their plans in advance of November 1.

After a couple of delays, the FTC Red Flags Rule will be effective August 1, 2009.  This rule requires "creditors" under certain "covered accounts" to maintain a heightened alertness to numerous categories of "red flags" that may indicate that the consumer who is the rightful account holder is the victim of identity theft.  If a red flag is triggered, the creditor must take steps to notify the consumer and correct any inappropriate information included in the creditor's records.

As you probably already know, the FTC is extending its reach with this rule (among others) into the health care sector.  (Cf. the FTC's role in enforcing certain Son of HIPAA provisions.)  The AMA has all but dropped a draft complaint on the FTC's desk, citing assorted legal precedents in its correspondence with the FTC arguing that the Red Flags Rule should not apply to physician practices.  The FTC is unmoved -- except to the extent that it has been willing to delay the effective date twice (from November 2008 to May 2009 to August 2009).

At any rate, the August 1 effective date is around the corner, and affected health care entities need to develop and implement compliance plans now, if they haven't already.  (Even the AMA says so, and has published guidance and a sample policy for members.)

A few more general comments before stepping back and examining the language of the rule and its applicability to health care providers.

The federales are taking something of a common-sense approach here, recognizing that a compliance plan needs to be tailored to the specific entity, the nature of its "covered accounts" and its operations.  Bank of America, N.A. and Springfield Medical Associates, P.C. will have very different compliance plans, because their potential red flags and the potential risks are vastly different.

Affected health care providers need to understand that the Red Flag Rule requirements overlap with HIPAA and state privacy law requirements (and looming Son of HIPAA requirements in ARRA), but will not be satisfied by implementation of existing privacy policies and compliance plans.  Review of the intersection of existing policies and procedures with the new rule's requirements is the first order of business.

As with any other new regulatory scheme, preparing a compliance plan and putting it on the shelf won't cut it.  The rule calls for regular monitoring of the plan and issues that arise by a senior manager.  Furthermore, best practices would dictate the training of staff to deal with individual issues and, most importantly, with the affected consumers.

Even if not clearly subject to the Red Flags Rule, providers should undertake to comply, for a couple of interrelated reasons:

  • Good patient PR.  Data security is top of mind these days.  Much of the effort required under the rule should be expended anyway simply to respond to market pressures calling for improved data security.
  • Potential liability.  The creative trial attorney will seek to use the Red Flags Rule as establishing a standard of care for the stewardship of personal information.  The incensed jury will go along.  The health care provider caught in the middle between thieves and victims may be the only perceived deep pocket available.

OK, so what is a "creditor" and what is a "covered account?"

Any entity that accepts payment other than payment in full at the time of service is a creditor.  Health care providers that go the cash-on-the-barrelhead route aren't creditors; all others are creditors.

The FTC Guide defines covered accounts as follows: either

  • a consumer account you offer your customers that’s primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions; or
  • “any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.” Examples include small business accounts, sole proprietorship accounts, or single transaction consumer accounts that may be vulnerable to identity theft. Unlike consumer accounts designed to permit multiple payments or transactions – they always are “covered accounts” under the Rule – other types of accounts are “covered accounts” only if the risk of identity theft is reasonably foreseeable.

Any creditor with covered accounts must have a red flags rule compliance plan in place with policies and procedures for dealing with "red flags" -- i.e., signs that personal information may have been compromised.  The World Privacy Forum suggests that the following red flags are the ones most applicable in the health care context:

• A complaint or question from a patient based on the patient’s receipt of:
   o a bill for another individual
   o a bill for a product or service that the patient denies receiving
   o a bill from a health care provider that the patient never patronized or
   o a notice of insurance benefits (or Explanation of Benefits) for health services never received.
• Records showing medical treatment that is inconsistent with a physical examination or with a medical history as reported by the patient.
• A complaint or question from a patient about the receipt of a collection notice from a bill collector.
• A patient or insurance company report that coverage for legitimate hospital stays is denied because insurance benefits have been depleted or a lifetime cap has been reached.
• A complaint or question from a patient about information added to a credit report by a health care provider or insurer.
• A dispute of a bill by a patient who claims to be the victim of any type of identity theft.
• A patient who has an insurance number but never produces an insurance card or other physical documentation of insurance.
• A notice or inquiry from an insurance fraud investigator for a private insurance company or a law enforcement agency.

If a situation is flagged, a creditor must take steps to mitigate the risk of identity theft or continued identity theft.  Again, the World Privacy Forum notes:

There need to be uniform but appropriately flexible answers to these questions:

  • What do we do when a patient claims fraud is in their files?
  • What do we do when a patient says the bills are for services she did not receive?
  • What do we do for patients and other impacted victims when we uncover a fraudulent operation?
  • When we have a real case of medical identity theft, how can we work with patients to fix the records and limit future damages?
  • What do we do when a provider has altered the patient records?
  • How do we handle police reports and requests for investigation from victims?

The answers to these questions need to be viewed not just from the provider’s perspective, but also from the victim’s perspective, which can differ substantially.

There are a number of useful resources available for health care providers seeking to take stock of their situation, establish Red Flags Rule compliance policies and procedures, and undertake staff training on the subject.  For example, the FTC, the AMA and the World Privacy Forum have all released valuable guidance documents (all linked to above) that would assist any organization with coming into compliance. 

As with any effort of this sort, it is often valuable to have someone outside the organization come in to review existing policies, procedures and workflow in order to highlight potential risks and opportunities for improvement.  The HealthBlawger and members of the HealthBlawger's virtual consulting network are available to come in and assess, plan and help implement compliance strategies for organizations large and small touched by the Red Flags Rule.

Whatever the size or nature of your business, please take a moment to consider how the Red Flags Rule may apply to its operations, and how it may relate to other regulatory schemes such as HIPAA and state laws.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

October 31, 2008

2009 MPFS final regulations

The 2009 Medicare Physician Fee Schedule regulation was released in final form yesterday (on display), and will be published in the Federal Register on November 19.  It is chock full of payment and policy changes, detailed in three CMS fact sheets: (1) payment policies and rates; (2) MIPPA-related changes; and (3) e-prescribing incentives and PQRI updates.

A few highlights:

  • MIPPA's 1.1 % MPFS rate increase in lieu of the previously-scheduled SGR pay cut
  • Deferral of the proposed incentive payment and shared savings (gainsharing) Stark exception, together with a call for further comment
  • Revision of the anti-markup rule
  • Roll-out of IDTF standards and enrollment requirements to all physician-based and non-physician-practitioner-(NPP)-based IDTF-like services (with accommodation made for mobile IDTFs that operate "under arrangements" with hospitals)
  • Imaging accreditation and appropriateness criteria under MIPPA (follow link to earlier HealthBlawg post on the subject)
  • E-prescribing incentives -- available under MIPPA -- phase down from a bonus in the first five years for early adopters (2% in year 1, less as time goes by) to a penalty thereafter (ramps up over time to a 2% penalty) to drag the last holdouts, kicking and screaming, into the system
  • 52 more PQRI measures -- 153 and counting -- for the CMS pay-for-reporting system, with a bump up in the potential bonus from 1.5% to 2% (also thanks to MIPPA)

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Updated 11/3/08

July 16, 2008

Yes Virginia, the GAO points a finger at diagnostic imaging providers

"Round up the usual suspects!"

Once again, diagnostic imaging providers are singled out by the federales. This time the GAO says controls on diagnostic imaging utilization are needed -- including (yikes!) prior authorization requirements -- because diagnostic imaging costs have doubled between 2000 and 2006.  Sounds serious. Well, guess what?  While some advanced imaging costs have increased at a faster rate, the cost of employment-based health insurance has also doubled in the same time frame.  (In addition, this rampant growth story is half of an unintended consequences story -- service settings have changed: less hospital, more physician office.  Also, imaging, while expensive, is cheaper -- and easier on the patient -- than exploratory surgery . . . . )

My inbox has been graced with a couple of press releases on this topic from, yes, the usual suspects -- MITA and AMIC -- decrying the government's heavy-handedness. MITA referred to an interesting report on diagnostic imaging released last week by Avalere Health, which MITA had commissioned.  (Coincidentally, I met Avalere's founder, Dan Mendelson, last weekend -- but that's another story entirely.) 

The Avalere imaging report (an interesting read, by the way) points to the utility of a number of strategies worthy of wider consideration, rather than focusing like GAO on layering prior authorization requirements on top of retrospective utilization review.  These are,   

primarily [, ] three sets of approaches – updated and more comprehensive appropriateness guidelines; enhanced accreditation and certification programs; and expanded education and training – [which are] programs [that] can influence provider behavior, imaging quality, and patient care.

The first of these really caught my interest.  To the extent such a system can be implemented without adding significantly to the ordering clinician's administrative burden, I'm all in favor.  In fact, that's the sort of thing that should be propagated across the entire medical-industrial complex, not just imaging: expert EHR systems incorporating evidence-based medicine (EBM) into computerized physician order entry (CPOE). 

-- David Harlow

July 08, 2008

Medicare Physician Fee Schedule (2009 MPFS): Yes, there's a 5.7% cut, but it's packed with goodies like telehealth and gainsharing

Congress couldn't be bothered to stop grandstanding before July 4th long enough to undo the latest SGR-driven physician pay cut (over 10%). 

This week, CMS rolled out its 2009 MPFS with an SGR-mandated 5.7% cut in place, while at the same time advising physicians not to submit bills until Congress comes to its senses and undoes this year's 10% cut. 

If the proposed rule contained only this doom and gloom, there wouldn't be much to say about it.  However, CMS loves to stuff all sorts of goodies into these fee schedule rules, and the current proposed rule is no exception.  There are more measures to be added to the PQRI, but several other pieces are of greater interest:

First, physician practices will now be subject to IDTF rules.  The idea is to bring some standards to physician-office-based diagnostic testing.  This may bring a bit of dislocation as practices implement some new policies and procedures to assure compliance with standards, as well as work their way through the IDTF enrollment process.

Second, Medicare is proposing to cover telehealth -- telephone or email encounters for established patients (with payments on par with in-person visits).  A smattering of commercial insurers already do this, but this step, if finalized, will promote more efficient use of scarce primary care provider resources and will likely pave the way for further adoption in the private sector.

Third, CMS has issued its first generally applicable proposed gainsharing rule, presented as the new "Incentive Payment and Shared Savings Programs" subsection of the Stark rules. (See the commentary at 73 FR 38548-58 (7/7/08) and the regs at 8604-06; pages 48-58 and 104-06, respectively, of the 2009 MPFS rule.) 

Interestingly, there is no anti-kickback safe harbor promulgated to go along with the Stark exception, so any gainsharing program would still have to comply with AKS.  Since the OIG has issued about a dozen advisory rulings on the AKS issues raised by gainsharing, the CMS suggestion that one may now go out and gainshare so long as one complies with AKS appears, at first blush, to be less than thrilling. The fact that the federales saw the need to amend the Stark rules to allow for gainsharing also raises an interesting question about prosecutorial discretion with respect to gainsharing programs implemented under OIG advisories . . . .  In any event, the criteria set forth in this proposed reg dovetail with criteria set forth in the OIG gainsharing advisories.  Two differences of note: (1) the requirement that an outside clinical expert bless the plan (parallel to the specialty society blessings of best practices obtained by Goodroe for the gainsharing plans approved through the OIG process) and (2) the ability to run a gainsharing program for up to 3 years (vs. the 1-year limit in the OIG advisories).

I suppose we'll have to wait for a parallel amendment to the AKS regulations before providers can engage in gainsharing behavior willy-nilly.  CMS demonstrations such as the PHCD specifically waived both Stark and AKS.  CMS noted repeatedly in its commentary, however, that the new Stark exception covers a broader range of P4P initiatives than just gainsharing, and some of them could fit within existing AKS safe harbors.  This is where the action will be, assuming final promulgation of the reg this fall.

Finally, CMS noted in the commentary that this draft was admittedly narrow, since it was difficult to draft a gainsharing rule of general applicability that could encompass all the sorts of things that providers might wish to do, and it is soliciting comments on a variety of specific points. 

The comment period is open through August 29 and a final regulation is expected by November 1, effective January 1, 2009.

-- David Harlow

(Updated 7/9/08)

May 28, 2008

CMS contractors seek to bring evidence-based medicine to diagnostic imaging

In last week's mail bag:

L&M Policy Research, LLC, and its partners, the National Imaging Associates and the Lewin Group, have been contracted by the Centers for Medicare & Medicaid Services to develop imaging efficiency measures. In preparation for additional work on this project, L&M would like to take the opportunity to ask the public for suggestions for imaging efficiency measures that could potentially be considered for development. For this project, the development of the efficiency measures is focused on applying evidence-based medicine to improve the efficient use of imaging technologies based on clinical practice guidelines and tied to health care quality outcomes.

The form for responses is on line.  This work is a continuation of a project initiated last year and discussed in an earlier HealthBlawg post on the imaging efficiency study.

While the imaging provider community goes under the microscope, the Medicare FFS plans, sold (at least in part) through some unsavory marketing practices and getting at least 12% more than what it costs traditional Medicare for a beneficiary's care, march forward, with some plans to regulate marketing, but no plans to limit spending (and a presidential promise to veto any such limit).  The Health Affairs blog reported on this problem a couple months ago and served up one potential solution from the journal -- an alternative approach to setting Medicare FFS plan rates.

Here's hoping that the federales don't shy away from some potentially enormous savings as a result of the political clout of the managed care lobby and the home district politics of rural-state Senators.  (By the way, would you like to buy a bridge?)

-- David Harlow

December 31, 2007

Anti-markup rule delay for some . . . Happy New Year from CMS

CMS is pushing out the effective date of the anti-markup rule for some.  The rule, to be published in the January 3, 2008 Federal Register,

delays until January 1, 2009 the applicability of the anti‑markup provisions in §414.50, as revised at 72 FR 66222, except with respect to the technical component of a purchased diagnostic test and with respect to any anatomic pathology diagnostic testing services furnished in space that:  is utilized by a physician group practice as a "centralized building" (as defined at §411.351 of this chapter) for purposes of complying with the physician self-referral rules; and does not qualify as a "same building" under §411.355(b)(2)(i) of this chapter.

Happy New Year.

Update 1/3/08: Find the rule here.

-- David Harlow

July 12, 2007

IDTF rule changes proposed as part of 2008 Medicare physician fee schedule

The 2008 MPFS includes proposed changes to IDTF enrollment requirements, clarifying and amending some of the changes made last year (see the IDTF-related excerpt from the rulemaking discussion): 

1.  An IDTF must name its Medicare contractor as certificate holder on its liability insurance policy (provision is made for the self-insured).

2.  Most reportable changes (e.g. staff changes) must be reported within 90 days rather than 30 days.  Key changes -- ownership, location, general supervision and adverse legal actions -- must still be reported within 30 days.

3.  Specific requirements will be imposed regarding documentation of complaints and complaint investigations, parallel to those already in place for other provider types.

4.  CMS will eliminate the requirement that supervising physicians must be responsible for overall operation and administration of an IDTF, including employment of personnel and assuring regulatory compliance.  (It was all a misunderstanding, they say.)

5.  No retroactive effective date of enrollment earlier than the filing date of a complete enrollment application that is later approved.

6.  No sharing of space, equipment or staff with another provider organization; no subleasing of operations to another individual or organization.  (Intended to apply to fixed-site IDTFs; CMS is soliciting comments regarding applicability to mobile IDTFs.)

A few quick comments: 

Some of these proposed changes will be welcomed by IDTFs (OK, just #2 and #4).  The others would create new burdens.  The insurance certificate requirement represents new heights of meddlesomeness.  The complaint investigation requirements are not unreasonable.  The enrollment effective date change may pose cash flow issues for new IDTFs.

The resource sharing restriction will be the most disruptive change.  If it is finalized as currently written, this new requirement may force the revisiting of many existing contractual relationships, and could prove to be rather disruptive to numerous established IDTFs and their business partners.

-- David Harlow 

June 27, 2007

News of first HIPAA security audit trickles out

While neither the federales nor the hospital in question has confirmed the story, an Atlanta hospital has reportedly been the target of a HIPAA security rule audit.  This month, Computerworld reproduced the laundry list of inquiries and document requests presented by the feds.  An instructive list, and worth the attention of other covered entities.

HIPAA enforcement continues to gather steam.

Based on a recent government-funded study, it appears that many covered entities have been experiencing some confusion about the precise nature of their obligations under HIPAA.  In the face of heightened scrutiny and enforcement, compliance becomes an even more important priority.

The Harlow Group LLC, together with its affiliated experts in complementary disciplines, stands ready to assist covered entities with compliance audits, planning and implementation of their HIPAA compliance strategies.

-- David Harlow