Presentation on theme: "1 OIG Risk Areas: Reserved Bed Arrangements & HIPAA AHCA Compliance Webinar Series August 25, 2009 Ken Burgess, Poyner Spruill Jennifer Gimler Brady, Potter."— Presentation transcript:
1 OIG Risk Areas: Reserved Bed Arrangements & HIPAA AHCA Compliance Webinar Series August 25, 2009 Ken Burgess, Poyner Spruill Jennifer Gimler Brady, Potter Anderson Corroon LLP
2 Where We’ve Been Mechanics of compliance program –Compliance committee/officer –Boards of Directors –Auditing and monitoring systems –Corporate philosophy statements Compliance “risk areas” per OIG Anti-Kickback, False Claims, resident safety With section on auditing/monitoring sample
3 Today Reserved bed arrangements –Potential for Anti-Kickback violations –And Medicare provider agreement violation HIPAA –Privacy primarily –Focus on new HITECH provisions
4 Reserved Bed Arrangements Payments or items of “in-kind” exchange to reserve beds for hospital patients –Especially with higher acuity residents –Or in areas with limited SNF beds OIG Supplemental Guidance identifies this as potential risk area under federal Anti-Kickback statute No items of value in exchange for referrals of federal program health care business
5 Reserved Bed Arrangements Two resources / sources of reference and legal requirements OIG 2008 Supplemental Guidance CMS Provider Reimbursement Manual, section 2105.3 Site: http://www.cms.hhs.gov/Manuals/PBM
6 Reserved Bed Arrangements Per both, these are permitted IF price or exchange value not based on value or volume of referrals from SNF to hospital –Potential for disguised kickback if: Double dipping by SNF – bed already occupied Reserve more than hospital really needs Payments = excessive – more than costs SNF to hold bed or than SNF would lose by holding bed based on its occupancy and resident acuity mex
7 Reserved Bed Arrangements Per OIG, these should be entered into only when hospital has legitimate need –Tip: records of monthly admissions by hospital, length of waits, local areas census, hospital’s difficulty with placement –May not be used based on future referrals from SNF to hospital “I pay you X and you send me your hospital business”
8 Best Source for Specifics: PRM Section 2105.3 Accepting a bed reservation payment for an occupied bed violates prohibition on accepting payment established for Medicare or Medicaid program –Violation of federal regs and your provider agreement –Doesn’t change rule in charging for “luxury items”
9 Specific Examples of Permitted & Impermissable BRAs May only pay for days bed is vacant –May not also charge for difference in program payment and a higher reservation fee established by the agreement –So once bed is occupied, no further payment under agreement for that bed except “luxury items” as with any occupied bed
10 Specific Examples of Permitted & Impermissable BRAs Need to establish reservation fee based on cost to SNF of holding the bed Or amount SNF would reasonably lose by holding the bed (normal charge?) –Based occupancy rates –And resident acuity –Tip: establish as part of agreement some basis for fee that considers these and other potentially relevant factors so its objective
11 Specific Examples of Permitted & Impermissable BRAs In-kind exchanges: –Permitted if offered to all residents of SNF and not just those in reserved beds or during period a reserved bed is occupied Hospital gives RN to SNF –Must be full time and available to all residents –Not just “reserved bed” patients or when those beds are occupied
12 Specific Examples of Permitted & Impermisable BRAs Free pharmacy, lab, radiology services Free in-service education to SNF staff Or discounted charges to SNF for these same services –Or others following these guidelines –These are only examples so you can be creative within these parameters The PRM also addresses how these costs are reported by SNF/hospital on cost reports
13 Auditing & Monitoring for Reserved Bed Arrangements Detailed sample in webinar materials Look at: –Are we doing these agreements? –What do our contracts say vis-à-vis these guidelines in PRM / OIG Guidance? –Is legal counsel reviewing/approving? –Are we following those contracts in practice? –Is someone monitoring these periodically?
14 Auditing & Monitoring for Reserved Bed Arrangements Who, by title, is responsible for executing and monitoring these agreements? Are we interviewing SNF and hospital staff to ensure we are following, in practice, what our contracts say? Are our billing/cost reporting folks properly recording or not recording these costs per the PRM’s guidelines?
15 Auditing & Monitoring for Reserved Bed Arrangements If these “audits” find problems, are we revising policy/procedure, sharing with compliance officer & committee and reporting this, via compliance officer, to Board of Directors along with any corrective actions and monitoring of those periodically? Are we then making sure these changes are passed back to operations for implementation?
16 HIPAA Privacy Rule Requirements General principle for uses and disclosures Permitted uses and disclosures –To the individual –Treatment, payment, health care operations –Opportunity to agree or object –Public interest and benefit Required by law Public health activities Victims of abuse, neglect or domestic violence Judicial and administrative proceedings
17 HIPAA Administrative Requirements Privacy policies and procedures Workforce training and management Mitigation Data safeguards Retaliation and waiver Documentation and record retention
18 HIPAA Authorized Uses and Disclosures Authorization required unless specifically exempted Psychotherapy notes – release requires authorization except –Originator may use in treatment, training, certain legal proceedings, and to avert serious and imminent threat to public health or safety
19 HIPAA Notice and Other Individual Rights Privacy practices notice Access Amendment Disclosure accounting Restriction request
20 HIPAA Business Associates Definition: a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of protected health information Contract: the Privacy Rule requires that the covered entity include certain protections for the information in a business associate agreement
21 HIPAA Security Rule Requirements General principle – protect confidentiality of electronic PHI Required specifications Addressable specifications Compliance process –Assess –Evaluate –Implement –Document –Review Enforcement by Office of Civil Rights, as of August 2009
22 HITECH Act Health Information Technology for Economic and Clinical Health Act Passed February 2009 Enhances privacy and security requirements Changes enforcement structure –Increased sanctions for violations –Explicit authority for state AGs to pursue private claims on behalf of individuals Creates new obligations for breach notification, information sharing and business associate relationships
23 HITECH Notification Requirements Expands obligation to contact individuals affected by a breach Applies only to unsecured protected health information Any breach must be reported to individuals where information is reasonably believed to have been accessed, acquired or disclosed Must be made within 60 days of breach discovery
24 HITECH Notification Requirements Notice should include as much of the following information as possible –Description of what happened –Dates of breach and discovery –Types of information involved –Steps to take to protect against improper use –Actions taken in response to breach –Contact information for individuals to follow up
25 HITECH Notification Requirements New methods of notice required –First class mail unless individual specified email –If contact information unavailable for 10 or more individuals, must post publicly Home page of Web site Notice in print or broadcast media Breaches must be documented and submitted annually to Secretary of HHS Breaches impacting 500 or more individuals requires immediate notification to HHS –If within the same state or jurisdiction, must notify major media outlets
26 HITECH Notification Requirements: Secured Health Information Does not apply to secured health information Encrypted so as to be unusable, unreadable or indecipherable Subject to existing HIPAA rules Encryption must be developed or endorsed by organization accredited by American National Standards Institute Switching to encryption should be considered
27 HITECH Business Associates All privacy requirements also apply to business associates that obtain or create protected health information Requirements must be incorporated into contracts Violations will be subject to civil and criminal penalties under the Social Security Act Effective no later than February 17, 2010 Must notify covered entity of information breaches within 60 days of discovering breach
28 Restrictions on Data Use If payment is out-of-pocket, individual has right to request that no information be disclosed Disclosure should be as limited data set – minimal identifying information or only what is necessary Accessing electronic health records must be tracked – individual can request up to three years of history Authorization required for use of any information for which entity receives direct or indirect payment
29 HITECH Penalties Penalties significantly enhanced Four-tiered liability system –Inadvertent violation – $100-$50,000 –Willful neglect that goes uncorrected – up to $50,000 for each case with an annual cap per entity of $1.5 million –State AGs can bring actions on behalf of residents – $100 per violation, up to $25,000 annually, plus attorneys’ fees Penalties already in effect
30 To reach us: Jennifer Gimler Brady Direct dial: (302) 984-6042 firstname.lastname@example.org Potter Anderson & Corroon LLP 1313 North Market Street PO Box 951 Wilmington, DE 19899-0951 www.potteranderson.com
Your consent to our cookies if you continue to use this website.