Nutile Pitz & Associates News

Wednesday, July 23, 2014

The Deadline for “Grandfathered” Business Associate Agreements is Approaching

Are all of your business associate agreements updated to comply with the HIPAA Omnibus Rule? Hopefully the answer by this time is yes. Generally, the deadline for compliance with the new requirements for BA agreements under the Omnibus Rule was September 23, 2013. However, there was an exception under the Omnibus Rule for compliant BA agreements that were in writing prior to January 25, 2013 and were not subsequently modified or renewed. These so-called “grandfathered” BA agreements are not required to be updated until September 23, 2014. As is always the case, the year has passed quickly and the deadline for updating these “grandfathered” BA agreements is almost here. Now is the time to once again review all of your BA agreements to ensure they satisfy requirements under HIPAA, including those agreements that have been in place for years and may have eluded your attention until now. Nutile Pitz & Associates is here to help with this and all your HIPAA compliance needs … FOR THE HEALTH OF YOUR BUSINESS.

Wednesday, July 16, 2014

Impaired Practitioners

In 2011, both the American Medical Association (AMA) and Federation of State Medical Boards (FSMB) issued policies regarding physician health and impairment, highlighting the impact of impaired practitioners on the healthcare community. While impairment often connotes substance abuse in the minds of many both the AMA and FSMB define impairment to include mental, physical and behavioral conditions that interfere with the ability to safely practice. If you have not personally dealt with a colleague, partner or employee within the healthcare community that has been impacted by impairment, you most likely know someone who has dealt with this sensitive issue.

Whether a condition exists that could impair a practitioner’s ability to safely practice is a determination that should be made by the appropriate third party (e.g. psychiatrist, neuropsychologist, certified drug and alcohol counselor, physician). However, learning to recognize possible impairment and knowing how to respond appropriately not only helps protect patients, but may help the potentially impaired practitioner find the help they need to continue, or return, to practice. Impairment, be it substance abuse or a mental health condition, can often be addressed proactively if the impaired individual is willing to participate.

However, impairment can lead to circumstances that require a report to be made to the appropriate entity, be it a hospital, the Nevada State Board of Medical Examiners (NSBME), the Nevada State Board of Osteopathic Medicine (NSBOM), or other state licensing agency. Practitioners should be aware of their statutory duty to report suspected impairment in certain circumstances.

While hospitals and other medical facilities have bylaws or other policies that direct how possible provider impairment is to be addressed, the issue becomes less clear in a practice setting.

Proactively developing a plan to discuss how a potential impairment issue should be addressed may save you from having to make difficult decisions at a time of potential crisis.

Finally, do not ignore potential impairment issues. Not only will you help protect patients from possible harm, but the great majority of practitioners who receive the appropriate help can continue to have long, successful careers in healthcare.

If you or your practice is struggling with how to address an impaired provider situation or wish to proactively develop strategies to address such issues when they arise, the attorneys of Nutile Pitz &Associates can help you through the process.

Thursday, July 10, 2014

Is Your Compliance Program in Place and Effective?

While compliance programs have been utilized by many health care providers for years to detect and correct noncompliant activity, the importance of such programs has been recently amplified in connection with the Patient Protection and Affordable Care Act (PPACA). Previously, compliance programs were often an optional tool for organizational compliance. Under PPACA, however, all health care providers will be required to implement and maintain effective compliance programs as a condition of enrollment in Federal health care programs, including Medicare. Especially in light of PPACA, compliance programs will remain a beneficial tool for health care organizations to detect and prevent noncompliant behavior and to demonstrate compliance in the event of a government audit. In practice, compliance programs for various types and sizes of health care organizations will be different; yet, core components are found in effective compliance programs of organizations of any size. The Office of the Inspector (OIG) has identified seven components as a starting point for any organization or provider to develop an appropriate compliance program:

-Internal Monitoring and Auditing - These activities are important at the commencement of a compliance program for baseline data and as an ongoing activity to show effectiveness of the program and to identify violations or risk areas.

-Written Standards and Procedures - Written standards and procedures are crucial to a compliance program as the documents which inform organization members of the compliance requirements with which they must comply.

-Designation of a Compliance Officer or Compliance Contacts - A compliance officer or compliance contacts oversee the compliance program to ensure that all functions are being implemented. Such individual(s) are identified to the members of the organization for reporting possible violations or compliance concerns.

-Training and Education - An organization’s members must be trained on the standards and procedures to which they will be held accountable. An organization should determine who needs training on various compliance functions, what type of training will be most effective to meet the organization’s needs and how often training should occur.

-Investigation of Alleged Violations and Appropriate Disclosures - When compliance issues are detected, an investigation should be conducted to determine if violations of law or the compliance program have occurred and, if so, action taken to remedy such violations. Depending on the type of violation, criminal or civil disclosures or return of overpayments may be necessary, as well as internal discipline.

-Open Lines of Communication - Methods for allowing an organization’s members to communicate about compliance issues should be implemented and well-publicized and could include providing contact information for the compliance officer and an anonymous hotline or reporting tool.

-Enforcement of Disciplinary Standards - An organization should alert its members to the disciplinary actions that will be imposed for failure to adhere to the compliance program and should apply sanctions consistently.

Health care organizations are well-advised to implement a compliance program or review the effectiveness of existing compliance programs. An effective compliance program can be of great benefit in identifying and responding to risk areas and possible noncompliant behavior. Additionally, compliance programs will soon be required for participation in Federal healthcare programs.

Nutile Pitz & Associates has attorneys Certified in Healthcare Compliance through the Compliance Certification Board (CCB). Contact us today for more information on compliance programs and assistance with all stages of the development and implementation of an effective program.

Tuesday, July 8, 2014

HIPAA OMBINUS RULE

On January 17, 2013, the Department of Health and Human Services issued the long-awaited HIPAA Omnibus Rule with an effective date of March 26, 2013. The Final Rule made significant changes to HIPAA’s Privacy Rule, Security Rule and Enforcement Rule. It is expected to have lasting ramifications for covered entities (e.g., physicians and health facilities) and their business associates. In this article we will focus on two main issues arising out of the Final Rule: (1) the new liability of business associates; and (2) the changes to the rule on data breach notification.

First, as we discussed in the May 2012 issue of the Nutile Pitz newsletter, the amendments to HIPAA under the Health Information Technology for Economic and Clinical Health Act (HITECH) directly regulates business associates for the first time. The Final Rule clarified that Business Associates are required to comply with the terms of a business associate agreement, provide PHI to the Secretary upon demand, comply with minimum necessary requirements to limit the use of PHI, provide an electronic copy of PHI to an individual or covered entity upon and individual’s request and to enter into business associate agreements with subcontractors that create or receive PHI on the business associate’s behalf.

Second, one of the biggest departures of CMS from the Interim Final Rule to the Omnibus Final Rule was the treatment of reporting procedures under the Breach Notification Rule. Under the Interim Final Rule to determine whether a breach needed to be reported required an analysis of whether there was a “significant risk of financial, reputational or other harm to the individual”. Under the Final Rule an impermissible disclosure of PHI is presumed to be a breach unless there is a low probability that the PHI has been compromised. In an attempt to provide more objectivity and consistency in reporting, CMS referenced a four-part test which requires the analysis of: (i) the nature and extent of the PHI involved; (ii) the unauthorized person who used the PHI or to whom disclosure was made; (iii) whether the PHI was actually acquired or viewed; and (iv) the extent to which the risk to PHI has been mitigated. Finally, covered entities must update their HIPAA policies, including changes to the Notice of Patient Privacy and Business Associate Agreements, to meet the new requirements under the Final Rule by September 23, 013. Call NPA today if you need assistance in understanding your new responsibilities under the HIPAA Omnibus Rule, including updating necessary policies and procedures related to arrangements with business associates or breach notification.

Direct Primary Care

“Concierge” medical practices have existed for many years in various forms. Recently, due to changing healthcare models nationally, the direct primary care (DPC) practice is becoming more prevalent. Often referred to as “concierge medicine for the masses”, the DPC model typically looks different than traditional concierge practices, but shares some common traits with the more traditional concierge model. The term “concierge” medicine typically implies a “VIP” level of service and access, often including perks beyond medicalservices for a membership fee that can range up to several hundred dollars per month.

In contrast, DPC practices typically charge a much lower monthly fee and include basic primary care medical services and physician access in that fee. In both instances, the concierge or DPC practice charges the patient directly. Specific to most DPC practices, insurance companies are not billed for any services; rather, the relationship is directly between the provider and the patient. This factor is important for proponents of the DPC model because they contend this allows for a more meaningful physician-patient relationship and alleviates reimbursement issues.

The Patient Protection and Affordable Care Act1 (ACA) contains a specific provision related to DPC providers that is likely to further increase the prevalence of such practices. Specifically, insurers may provide coverage to patients through a “wraparound” relationship with a DPC that meets requirements established by the Secretary of the Department of Health and Human Services. Primary care is provided to patients through their relationship with a DPC and the insurer “wraps around” non-primary care services such as hospital care. The requirements for a DPC as contemplated by the ACA are not yet issued but discussion of this practice type is increasing and many companies are beginning to implement DPC models on a national level.

On a state level, DPC practices should be careful to consider potential implications regarding insurance regulation. Some states have specifically addressed DPC practices through legislation (sometimes also referred to as “retainer” practices) and have explicitly excluded DPC practices from, or included them in, insurance regulation. To date, Nevada has not addressed DPC practices in statute and regulation, but overarching laws regarding health insurance in Nevada can provide some guidance. DPC practices need to be mindful of how they structure their relationship with patients so as not to run afoul of insurance or other business laws. Specifically, examining if a DPC practice will assume risk or the type of that risk and carefully crafting the agreement between the practice and patients will help a DPC practice get off to a good start. A health care attorney familiar with the DPC practice model can help providers navigate the state and Federal legal maze. Our attorneys at Nutile Pitz & Associates would be happy to help you navigate the complex issues facing this latest primary care model.

Wednesday, July 2, 2014

PPACA FRAUD PREVENTION AND ENFORCEMENT – HOW YOUR PRACTICE MAY BE IMPACTED

The Patient Protection and Affordable Care Act of 2010 (“PPACA”) has dramatically changed the landscape of healthcare for providers. PPACA includes an increased focus on fraud prevention and enforcement. Healthcare providers should be familiar with the fraud prevention and enforcement provisions that may impact their practices, such as those discussed below.

MANDATORY COMPLIANCE PROGRAMS: While compliance programs have been voluntary for practitioners in the past, section 6401 of PPACA mandates that all providers of healthcare who participate in federal healthcare programs must implement a compliance program which must contain certain core elements. While the Secretary of HHS is directed to establish the core elements in consultation with the OIG and to establish the date by which such programs are to be implemented, to date, neither implementation dates or core elements have been forthcoming. However, some guidance already exists regarding what the essentials of a compliance program should include both from the OIG and through the Federal Sentencing Guidelines as amended in 2010. For more information on the elements of an effective compliance plan, please look to the Nutile Pitz & Associates June 2012 newsletter. Practitioners are encouraged to begin development of compliance plans as soon as possible.

ANTI-KICKBACK STATUTE (“AKS”): Section 6402(f)(1) of PPACA provides that the filing of a claim that includes items or services resulting from an violation of the AKS constitutes a false or fraudulent claim under the False Claims Act, exposing the offending practitioner to possible civil penalties. Of perhaps even greater concern to practitioners is Section 6402(f)(2) which provides that the person submitting the claim need not have any actual knowledge or specific intent to violate the False Claims Act as previously required to establish liability under the statute. These modifications make the need for an effective compliance program of even greater importance for practitioners.

IN-OFFICE ANCILLARY SERVICES EXCEPTION. Under Section 6003 of PPACA (and the Final Rule promulgated by CMS) practitioners who refer for MRIs, CTs, or PETs under the in-office ancillary services exception to Stark must now provide patients with written notice of a minimum of five other suppliers of the service within a twenty-five mile radius at the time the referral is made. Practitioners must document that they have provided such notice to the patient.

STARK SELF-REFERRAL DISCLOSURES. Section 6409 of PPACA provides for the establishment of a voluntary ANTI-KICKBACK STATUTE (“AKS”): Section 6402(f)(1) of PPACA provides that the filing of a claim that includes items or services resulting from an violation of the AKS constitutes a false or fraudulent claim under the False Claims Act, exposing the offending practitioner to possible civil penalties. Of perhaps even greater concern to practitioners is Section 6402(f)(2) which provides that the person submitting the claim need not have any actual knowledge or specific intent to violate the False Claims Act as previously required to establish liability under the statute. These modifications make the need for an effective compliance program of even greater importance for practitioners.

DISCLOSURES OF OVERPAYMENT. Section 6402(d) of PPACA establishes that overpayments must be reported and returned within 60 days after the date on which overpayment was identified or by the date any corresponding cost report is due. Retaining overpayments after the deadline for reporting and returning them may subject the provider to liability under the False Claims Act. It should be noted that the SRDP promulgated by CMS does provide that submission of a disclosure under the SRDP suspends the 60-day requirement until a settlement agreement is entered between the provider and CMS or the provider withdraws from the SRDP or CMS removes the provider from the SRDP.

SUSPENSION OF PAYMENTS PENDING INVESTIGATION. Section 6402(h) has expanded the power of the Secretary of HHS to allow suspension of payments under Medicare and Medicaid pending the investigation of “credible” allegations of fraud. The final rule provides that a credible allegation of fraud” includes fraud hotline complaints; claims data mining or pattern identified through provider audits, civil false claims cases and law enforcement. Allegations are considered to be credible when they “have indicia of reliability.”

Fraud prevention and enforcement measures have significantly increased under PPACA. The list of fraud prevention and enforcement measures provided here does not encompass all fraud and abuse measures of PPACA and practitioners must be extremely vigilant to avoid potentially running afoul of the provisions of PPACA. The first step in doing so is to begin the development and implementation of a compliance plan. Nutile Pitz and Associates has attorneys who are able to assist you in the development of such programs and can help you with any questions you may have regarding PPACA and the impact it may have on healthcare providers.

Wednesday, June 25, 2014

Thinking of Becoming a Medi-Spa Medical Director? Proceed with Caution!

Frequently, physicians agree to act as the medical director for “medi-spas” without giving much thought to what responsibilities go along with the position. Jumping into a medical -directorship without doing your due diligence and making an informed decision can find you facing investigations from state or federal regulatory boards of agencies.

If you are contemplating becoming a medi-spa medical director, remember these facts:

-While, the administration of cosmetic substances and performance of treatments with medical grade lasers may be delegated to medical assistants or licensed nurses, a licensed physician, PA or APN MUST see a patient prior to ordering/prescribing the administration or dispensing of a cosmetic substance or the performance of a procedure.

-You are responsible for the supervision and training of individuals providing care to patients. Unlicensed individuals are considered medical assistants; the terms medical aesthetician and laser technician do not exist in Nevada law. If a PA or APN is on staff, you should ideally be acting as their supervising/collaborating physician.

-You may not practice outside the scope of your training or experience or supervise others who are performing acts outside that scope. It you do not have the proper experience and training, you may not be involved with a medical –spa.

-Ensure that only drugs that you have approved are ordered and are properly stored. Be aware of how drugs are ordered and how much is ordered. A Nevada dispensing registration for the location is required if any drug is dispensed.

-Purely aesthetic treatments must be provided by licensed aestheticians. Be aware that the Nevada State Board of Cosmetology has specific requirements for locations providing aesthetic treatments.

-All agreements to act as a medical director of a medical spa should be in writing and should be reviewed by a health care attorney prior to execution.

State licensing and regulatory boards have taken disciplinary action against physicians for their involvement in medi-spas; disciplinary action that can have far reaching consequences for you and your practice.

If you are contemplating becoming involved with a medical spa, we highly suggest talking with an attorney well versed in health care law. Nutile Pitz & Associates has attorneys who are experience in the pitfalls of medical spas and can assist you in making informed and careful decisions about medical spa involvement.