Are all of your business associate agreements updated to comply with the HIPAA
Omnibus Rule? Hopefully the answer by this time is yes. Generally, the deadline
for compliance with the new requirements for BA agreements under the Omnibus
Rule was September 23, 2013. However, there was an exception under the Omnibus
Rule for compliant BA agreements that were in writing prior to January 25, 2013
and were not subsequently modified or renewed. These so-called “grandfathered”
BA agreements are not required to be updated until September 23, 2014. As is
always the case, the year has passed quickly and the deadline for updating these
“grandfathered” BA agreements is almost here. Now is the time to once again
review all of your BA agreements to ensure they satisfy requirements under
HIPAA, including those agreements that have been in place for years and may
have eluded your attention until now.
Nutile Pitz & Associates is here to help with this and all your HIPAA
compliance needs … FOR THE HEALTH OF YOUR BUSINESS.
Wednesday, July 23, 2014
Wednesday, July 16, 2014
Impaired Practitioners
In 2011, both the American Medical Association (AMA) and
Federation of State Medical Boards (FSMB) issued policies regarding physician
health and impairment, highlighting the impact of impaired practitioners on the
healthcare community. While impairment often connotes substance abuse in the
minds of many, both the AMA and FSMB define impairment to include mental,
physical and behavioral conditions that interfere with the ability to safely
practice. If you have not personally dealt with a colleague, partner or
employee within the healthcare community who has been impacted by impairment,
you most likely know someone who has dealt with this sensitive issue.
Whether a condition exists that could impair a
practitioner’s ability to safely practice is a determination that should be
made by the appropriate third party (e.g. psychiatrist, neuropsychologist,
certified drug and alcohol counselor, physician). However, learning to
recognize possible impairment and knowing how to respond appropriately not only
helps protect patients, but may help the potentially impaired practitioner find
the help they need to continue, or return, to practice. Impairment, be it
substance abuse or a mental health condition, can often be addressed
proactively if the impaired individual is willing to participate.
However, impairment can lead to circumstances that require a
report to be made to the appropriate entity, be it a hospital, the Nevada State
Board of Medical Examiners (NSBME), the Nevada State Board of Osteopathic Medicine
(NSBOM), or other state licensing agency. Practitioners should be aware of
their statutory duty to report suspected impairment in certain circumstances.
While hospitals and other medical facilities have bylaws or
other policies that direct how possible provider impairment is to be addressed,
the issue becomes less clear in a practice setting.
Proactively developing a plan to discuss how a potential
impairment issue should be addressed may save you from having to make difficult
decisions at a time of potential crisis.
Finally, do not ignore potential impairment issues. Not only
will you help protect patients from possible harm, but the great majority of
practitioners who receive the appropriate help can continue to have long,
successful careers in healthcare.
If you or your practice is struggling with how to address an
impaired provider situation or wish to proactively develop strategies to
address such issues when they arise, the attorneys of Nutile Pitz & Associates
can help you through the process.
Thursday, July 10, 2014
Is Your Compliance Program in Place and Effective?
While compliance programs have been utilized by many health
care providers for years to detect and correct noncompliant activity, the
importance of such programs has been recently amplified in connection with the
Patient Protection and Affordable Care Act (PPACA). Previously, compliance
programs were often an optional tool for organizational compliance. Under
PPACA, however, all health care providers will be required to implement and
maintain effective compliance programs as a condition of enrollment in Federal
health care programs, including Medicare. Especially in light of PPACA,
compliance programs will remain a beneficial tool for health care organizations
to detect and prevent noncompliant behavior and to demonstrate compliance in
the event of a government audit. In practice, compliance programs for various
types and sizes of health care organizations will be different; yet, core
components are found in effective compliance programs of organizations of any
size. The Office of Inspector General (OIG) has identified seven components as a
starting point for any organization or provider to develop an appropriate
compliance program:
-Internal Monitoring and Auditing - These activities are
important at the commencement of a compliance program for baseline data and as
an ongoing activity to show effectiveness of the program and to identify
violations or risk areas.
-Written Standards and Procedures - Written standards and
procedures are crucial to a compliance program as the documents which inform
organization members of the compliance requirements with which they must
comply.
-Designation of a Compliance Officer or Compliance Contacts
- A compliance officer or compliance contacts oversee the compliance program to
ensure that all functions are being implemented. Such individual(s) are
identified to the members of the organization for reporting possible violations
or compliance concerns.
-Training and Education - An organization’s members must be
trained on the standards and procedures to which they will be held accountable.
An organization should determine who needs training on various compliance
functions, what type of training will be most effective to meet the
organization’s needs and how often training should occur.
-Investigation of Alleged Violations and Appropriate
Disclosures - When compliance issues are detected, an investigation should be
conducted to determine if violations of law or the compliance program have occurred
and, if so, action taken to remedy such violations. Depending on the type of
violation, criminal or civil disclosures or return of overpayments may be
necessary, as well as internal discipline.
-Open Lines of Communication - Methods for allowing an
organization’s members to communicate about compliance issues should be
implemented and well-publicized and could include providing contact information
for the compliance officer and an anonymous hotline or reporting tool.
-Enforcement of Disciplinary Standards - An organization
should alert its members to the disciplinary actions that will be imposed for
failure to adhere to the compliance program and should apply sanctions
consistently.
Health care organizations are well-advised to implement a
compliance program or review the effectiveness of existing compliance programs.
An effective compliance program can be of great benefit in identifying and
responding to risk areas and possible noncompliant behavior. Additionally,
compliance programs will soon be required for participation in Federal
healthcare programs.
Nutile Pitz & Associates has attorneys Certified in
Healthcare Compliance through the Compliance Certification Board (CCB). Contact
us today for more information on compliance programs and assistance with all
stages of the development and implementation of an effective program.
Tuesday, July 8, 2014
HIPAA OMNIBUS RULE
On January 17, 2013, the Department of Health and Human
Services issued the long-awaited HIPAA Omnibus Rule with an effective date of March
26, 2013. The Final Rule made significant changes to HIPAA’s Privacy Rule,
Security Rule and Enforcement Rule. It is expected to have lasting
ramifications for covered entities (e.g., physicians and health facilities) and
their business associates. In this article we will focus on two main issues
arising out of the Final Rule: (1) the new liability of business associates;
and (2) the changes to the rule on data breach notification.
First, as we discussed in the May 2012 issue of the Nutile Pitz
newsletter, the amendments to HIPAA under the Health Information Technology for
Economic and Clinical Health Act (HITECH) directly regulate business
associates for the first time. The Final Rule clarified that business
associates are required to comply with the terms of a business associate agreement,
provide PHI to the Secretary upon demand, comply with minimum necessary requirements
to limit the use of PHI, provide an electronic copy of PHI to an individual or
covered entity upon an individual’s request, and enter into business
associate agreements with subcontractors that create or receive PHI on the
business associate’s behalf.
Second, one of the biggest departures of CMS from the
Interim Final Rule to the Omnibus Final Rule was the treatment of reporting
procedures under the Breach Notification Rule. Under the Interim Final Rule,
determining whether a breach needed to be reported required an analysis of whether
there was a “significant risk of financial, reputational or other harm to the
individual”. Under the Final Rule, an impermissible disclosure of PHI is
presumed to be a breach unless there is a low probability that the PHI has been
compromised. In an attempt to provide more objectivity and consistency in
reporting, CMS referenced a four-part test which requires the analysis of: (i)
the nature and extent of the PHI involved; (ii) the unauthorized person who
used the PHI or to whom disclosure was made; (iii) whether the PHI was actually
acquired or viewed; and (iv) the extent to which the risk to PHI has been
mitigated. Finally, covered entities must update their HIPAA policies, including
changes to the Notice of Patient Privacy and Business Associate Agreements, to meet
the new requirements under the Final Rule by September 23, 2013. Call NPA today
if you need assistance in understanding your new responsibilities under the HIPAA
Omnibus Rule, including updating necessary policies and procedures related to
arrangements with business associates or breach notification.
Direct Primary Care
“Concierge” medical practices have existed for many years in
various forms. Recently, due to changing healthcare models nationally, the
direct primary care (DPC) practice is becoming more prevalent. Often referred
to as “concierge medicine for the masses”, the DPC model typically looks
different than traditional concierge practices, but shares some common traits
with the more traditional concierge model. The term “concierge” medicine
typically implies a “VIP” level of service and access, often including perks
beyond medical services for a membership fee that can range up to several
hundred dollars per month.
In contrast, DPC practices typically charge a much lower
monthly fee and include basic primary care medical services and physician
access in that fee. In both instances, the concierge or DPC practice charges
the patient directly. Specific to most DPC practices, insurance companies are
not billed for any services; rather, the relationship is directly between the provider
and the patient. This factor is important for proponents of the DPC model
because they contend this allows for a more meaningful physician-patient
relationship and alleviates reimbursement issues.
The Patient Protection and Affordable Care Act (ACA)
contains a specific provision related to DPC providers that is likely to
further increase the prevalence of such practices. Specifically, insurers may
provide coverage to patients through a “wraparound” relationship with a DPC
that meets requirements established by the Secretary of the Department of
Health and Human Services. Primary care is provided to patients through their
relationship with a DPC and the insurer “wraps around” non-primary care
services such as hospital care. The requirements for a DPC as contemplated by
the ACA are not yet issued but discussion of this practice type is increasing
and many companies are beginning to implement DPC models on a national level.
On a state level, DPC practices should be careful to
consider potential implications regarding insurance regulation. Some states
have specifically addressed DPC practices through legislation (sometimes also
referred to as “retainer” practices) and have explicitly excluded DPC practices
from, or included them in, insurance regulation. To date, Nevada has not
addressed DPC practices in statute and regulation, but overarching laws
regarding health insurance in Nevada can provide some guidance. DPC practices
need to be mindful of how they structure their relationship with patients so as
not to run afoul of insurance or other business laws. Specifically, examining
if a DPC practice will assume risk or the type of that risk and carefully
crafting the agreement between the practice and patients will help a DPC
practice get off to a good start. A health care attorney familiar with the DPC
practice model can help providers navigate the state and Federal legal maze.
Our attorneys at Nutile Pitz & Associates would be happy to help you
navigate the complex issues facing this latest primary care model.
Wednesday, July 2, 2014
PPACA FRAUD PREVENTION AND ENFORCEMENT – HOW YOUR PRACTICE MAY BE IMPACTED
The Patient Protection and Affordable Care Act of 2010
(“PPACA”) has dramatically changed the landscape of healthcare for providers.
PPACA includes an increased focus on fraud prevention and enforcement.
Healthcare providers should be familiar with the fraud prevention and
enforcement provisions that may impact their practices, such as those discussed
below.
MANDATORY COMPLIANCE PROGRAMS: While compliance programs
have been voluntary for practitioners in the past, section 6401 of PPACA mandates
that all providers of healthcare who participate in federal healthcare programs
must implement a compliance program which must contain certain core elements.
While the Secretary of HHS is directed to establish the core elements in consultation
with the OIG and to establish the date by which such programs are to be
implemented, to date, neither implementation dates nor core elements have been
forthcoming. However, some guidance already exists regarding what the
essentials of a compliance program should include both from the OIG and through
the Federal Sentencing Guidelines as amended in 2010. For more information on
the elements of an effective compliance plan, please look to the Nutile Pitz
& Associates June 2012 newsletter. Practitioners are encouraged to begin
development of compliance plans as soon as possible.
ANTI-KICKBACK STATUTE (“AKS”): Section 6402(f)(1) of PPACA
provides that the filing of a claim that includes items or services resulting
from a violation of the AKS constitutes a false or fraudulent claim under the
False Claims Act, exposing the offending practitioner to possible civil
penalties. Of perhaps even greater concern to practitioners is Section 6402(f)(2)
which provides that the person submitting the claim need not have any actual
knowledge or specific intent to violate the False Claims Act as previously
required to establish liability under the statute. These modifications make the
need for an effective compliance program of even greater importance for
practitioners.
IN-OFFICE ANCILLARY SERVICES EXCEPTION. Under Section 6003
of PPACA (and the Final Rule promulgated by CMS) practitioners who refer for
MRIs, CTs, or PETs under the in-office ancillary services exception to Stark
must now provide patients with written notice of a minimum of five other
suppliers of the service within a twenty-five mile radius at the time the referral
is made. Practitioners must document that they have provided such notice to the
patient.
STARK SELF-REFERRAL DISCLOSURES. Section 6409 of PPACA
provides for the establishment of a voluntary
DISCLOSURES OF OVERPAYMENT. Section 6402(d) of PPACA
establishes that overpayments must be reported and returned within 60 days
after the date on which overpayment was identified or by the date any
corresponding cost report is due. Retaining overpayments after the deadline for
reporting and returning them may subject the provider to liability under the
False Claims Act. It should be noted that the SRDP promulgated by CMS does
provide that submission of a disclosure under the SRDP suspends the 60-day
requirement until a settlement agreement is entered between the provider and
CMS or the provider withdraws from the SRDP or CMS removes the provider from
the SRDP.
SUSPENSION OF PAYMENTS PENDING INVESTIGATION. Section
6402(h) has expanded the power of the Secretary of HHS to allow suspension of
payments under Medicare and Medicaid pending the investigation of “credible”
allegations of fraud. The final rule provides that a “credible allegation of
fraud” includes fraud hotline complaints; claims data mining or pattern
identified through provider audits, civil false claims cases and law
enforcement. Allegations are considered to be credible when they “have indicia of
reliability.”
Fraud prevention and enforcement measures have significantly
increased under PPACA. The list of fraud prevention and enforcement measures
provided here does not encompass all fraud and abuse measures of PPACA and
practitioners must be extremely vigilant to avoid potentially running afoul of
the provisions of PPACA. The first step in doing so is to begin the development
and implementation of a compliance plan. Nutile Pitz and Associates has
attorneys who are able to assist you in the development of such programs and
can help you with any questions you may have regarding PPACA and the impact it
may have on healthcare providers.
Wednesday, June 25, 2014
Thinking of Becoming a Medi-Spa Medical Director? Proceed with Caution!
Frequently, physicians agree to act as the medical director
for “medi-spas” without giving much thought to what responsibilities go along
with the position. Jumping into a medical directorship without doing your due
diligence and making an informed decision can find you facing investigations
from state or federal regulatory boards or agencies.
If you are contemplating becoming a medi-spa medical director,
remember these facts:
-While the administration of cosmetic substances and
performance of treatments with medical grade lasers may be delegated to medical
assistants or licensed nurses, a licensed physician, PA or APN MUST see a
patient prior to ordering/prescribing the administration or dispensing of a
cosmetic substance or the performance of a procedure.
-You are responsible for the supervision and training of
individuals providing care to patients. Unlicensed individuals are considered
medical assistants; the terms medical aesthetician and laser technician do not exist
in Nevada law. If a PA or APN is on staff, you should ideally be acting as
their supervising/collaborating physician.
-You may not practice outside the scope of your training or
experience or supervise others who are performing acts outside that scope. If
you do not have the proper experience and training, you may not be involved with
a medical spa.
-Ensure that only drugs that you have approved are ordered
and are properly stored. Be aware of how drugs are ordered and how much is ordered.
A Nevada dispensing registration for the location is required if any drug is
dispensed.
-Purely aesthetic treatments must be provided by licensed aestheticians.
Be aware that the Nevada State Board of Cosmetology has specific requirements
for locations providing aesthetic treatments.
-All agreements to act as a medical director of a medical
spa should be in writing and should be reviewed by a health care attorney prior
to execution.
State licensing and regulatory boards have taken
disciplinary action against physicians for their involvement in medi-spas;
disciplinary action that can have far reaching consequences for you and your
practice.
If you are contemplating becoming involved with a medical
spa, we highly suggest talking with an attorney well versed in health care law.
Nutile Pitz & Associates has attorneys who are experienced in the pitfalls
of medical spas and can assist you in making informed and careful decisions
about medical spa involvement.
Dealing with a Licensing Board
Most licensed professionals do not give much thought to
their professional licensing board, except perhaps briefly during licensure renewal.
However, licensees should understand that boards not only have an impact on the
regulation of the industry, but a formal board action can have a profound
effect on a licensee’s practice. Below are some brief tips for licensees with
respect to dealing with a licensing board:
-Respond promptly to board correspondence. If your licensing
board is contacting you, typically it requires some action or response on your
part in a limited period of time. Failure
to respond appropriately and timely may result in adverse consequences to your
license. Do not panic if your licensing board informs you that you are under
investigation. Most boards are legally required to investigate some or all
complaints filed against their licensees. Seeking
legal advice immediately upon such notification can help the process go much
more smoothly. While the majority of cases will resolve quickly, working
cooperatively with the board through your attorney can help you avoid delays
and potential pitfalls during the investigative process. It will also help you
during the disciplinary process should a complaint proceed to a more formal
level.
-Read your board’s newsletter or e-mails. Professional licensing
boards often have regular newsletters and/or e-mail blasts to keep their
licensees informed of important information – e.g., changes in regulations or
practice decisions. Failure to give these at least a cursory review may result
in you missing important information for your practice.
-Personally verify all information for license applications/renewals.
While office managers or credentialing organizations may assist in the
processing of your licensure renewal, you bear the ultimate responsibility of
ensuring that your initial or renewal application is complete and accurate.
Omissions or misrepresentations, regardless of whether they are intentional, may
result in an investigation and in some cases, discipline against your license.
-Always remember that your board is ultimately there for the
purpose of protecting the public and not to protect you, the licensee.
Nutile Pitz & Associates has attorneys who can help you
through any interaction with your professional licensing board. Contact us
today for more information on how to deal with any current Board issues, or how
to best avoid potential future issues.
Thursday, May 29, 2014
Changing Rules Under HIPAA/HITECH
Just when everyone began to feel more comfortable with the
rules governing patient privacy and medical record security, the rules are
changing. The Health Insurance Portability and Accountability Act of 1996, or
HIPAA, and its resulting regulations have largely been in effect since April
15, 2003. However, the stakes were raised with the passage of the Health
Information Technology for Economic and Clinical Health Act, commonly referred
to as HITECH, which was part of the American Recovery and Reinvestment Act of
2009. In the past, much criticism was leveled against HIPAA because of the
appearance that it did not go far enough in its enforcement efforts and its
regulation over thousands of people and entities that have access to or
maintain patients’ private medical information. That is now changing, and
practitioners, health care facilities and, specifically, those businesses and
persons in arrangements with practitioners and facilities must take note.
Below are several of the key changes arising out of HITECH:
-HITECH directly regulates business associates for the first time. While not
subjecting business associates to all of the obligations of covered entities
(such as providing privacy notices), the statute requires business associates to
comply with the HIPAA provisions mandating administrative, physical and
technical safeguards.
-HITECH establishes the first national data security breach
notification law. It requires Covered Entities to provide notice of a breach of
unsecured protected health information (PHI) to each individual without
unreasonable delay, but in no event later than sixty (60) days from discovery
of the breach. There are additional notification requirements when more than
500 individuals are involved.
-Enforcement is strengthened under HITECH. Greater civil
money penalty amounts apply to the HIPAA Privacy and Security Rule violations
occurring after February 18, 2009.
-For the first time patient victims of HIPAA violations will
have the opportunity to share in any penalties imposed against a Covered
Entity. HHS is required to adopt such a methodology within three years of
HITECH’s enactment, which is now upon us in 2012.
So why should you care about the changing rules? Again, one
of the biggest reasons relates back to the criticism that HIPAA was not going
far enough to deter unpermitted disclosures of patients’ private medical
information. To address this issue under HITECH, the Office for Civil Rights is
charged with arranging for the performance of mandatory HIPAA audits. HHS is
required to implement periodic audits of compliance with the HIPAA Privacy and
Security Rules, and up to 150 random HIPAA compliance audits will be performed
by the end of 2012. While in the past, audits had been performed only at
entities which had been the subject of a complaint, the new rule calls for
audits whether or not there is a complaint. Entities selected for an audit will
be informed by OCR of their selection and asked to provide documentation of
their privacy and security compliance efforts. Additionally, every audit will
include a site visit and result in an audit report. Call NPA today to discuss
updating your HIPAA policies and procedures.
Thursday, May 22, 2014
A BRIEF HISTORY OF NUTILE PITZ & ASSOCIATES
Maria Nutile, after 14 years of
practicing law, took her aspirations, dreams and ambitions into her own hands
and left the “large-firm” world to open what would become a highly successful
boutique law firm focusing on business and health care law. In addition to
maintaining her commitment to being accessible to her clients, it is also
wildly apparent that the other values the firm was founded on still ring true
today – customer service, building relationships with each client and constant
study and education to always be on top of shifts in the law. So, while the
values remain the same, the makeup and address of the firm have changed over
time. In 2002 Maria set the wheels in motion; a year later she was joined by
now-partner Susan Pitz, a recent graduate of UNLV’s William S. Boyd School of
Law. Within two years, they had outgrown their original “homey” setting and
looked to Henderson for a change – in 2005 the doors opened on the location
they still call home today.
After being in Las Vegas for just
1 year, Maria Nutile saw this was a totally unique city, especially for
businesses... 10 years later the firm helps business people both new to the
valley and locals alike to navigate this unique climate.
As quickly as Las Vegas changes
it seems ever steady compared to the world of health care law. Healthcare
reform is upon us and with it a new set of rules is facing the industry.
Furthermore, with the implication and modifications of existing healthcare
regulations (e.g., Stark law, HIPAA and anti-trust laws), the team at Nutile
Pitz & Associates is constantly studying the law and how it applies to
their clients here in Nevada, the west and throughout the nation. You will
often see one of the attorneys speaking at universities, legal and medical seminars
and other educational venues sharing this knowledge.
As they celebrate their 10th year
here in Southern Nevada, Nutile Pitz & Associates pride themselves in
providing just that to their clients – stability.