
Friday, July 6, 2012

HIPAA Audit Protocol Released by OCR

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

The Office for Civil Rights (OCR) has released, on its website, an audit protocol for audits of Health Insurance Portability and Accountability Act (HIPAA) covered entities. The audit protocol covers audit procedures and requirements for assessing compliance with HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule. This information is extremely valuable for covered entities. Covered entities can use the audit protocol to prepare for HIPAA audits and focus compliance efforts.

The audit protocol is available as a searchable database on the OCR's website. Click here to view the OCR's audit protocol in its entirety.

First Round of HIPAA Audits Completed; Audits Continue Through December 2012.

The OCR recently announced that the first round of HIPAA audits has been completed. Official details concerning the audits were announced at an OCR and National Institute of Standards and Technology (NIST) conference held June 6, 2012. HIPAA audits will continue through December 2012. Click here to see our blog on the OCR's HIPAA audit report and preparing for HIPAA audits.

Contact Health Law Attorneys Experienced in Audits of Health Providers.

The Health Law Firm represents physicians, medical practices, hospitals, and other health providers and covered entities in audits, including Medicare audits, Medicaid audits, and HIPAA audits. The Health Law Firm also assists health providers in establishing compliance with HIPAA regulations. If you have received notification of an impending audit, contact The Health Law Firm immediately.
To contact The Health Law Firm, please call (407) 331-6620 or (850) 439-1001 and visit our website at http://www.thehealthlawfirm.com/.

Sources Include:
Office of Civil Rights. "Audit Protocol." Office of Civil Rights. (2012). From:
http://ocrnotifications.hhs.gov/hipaa.html

About the Author:  George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law.  He is the President and Managing Partner of The Health Law Firm, which has a national practice.  Its main office is in the Orlando, Florida, area.  http://www.thehealthlawfirm.com/  The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone:  (407) 331-6620.

Monday, May 14, 2012

Internet Calendar Postings at the Center of Alleged HIPAA Privacy Violation Settlement

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

A physician group has reached a settlement with the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) over alleged Health Insurance Portability and Accountability Act of 1996 (HIPAA) violations. The settlement was reached on April 17, 2012. It requires Phoenix Cardiac Surgery (PCS) to pay OCR $100,000. PCS is also required to enter into a one-year corrective action plan (CAP). The Resolution Agreement and Corrective Action Plan can be viewed here.

HIPAA Complaint Resulted from Internet Calendar Postings.
OCR's investigation of PCS was launched after a complaint was received in 2009. Click here to view a HIPAA complaint that you can file online. The complaint alleged that PCS disclosed patients' protected health information (PHI) on the Internet. After investigating the complaint, the OCR alleged that PCS violated the HIPAA privacy and security rules.

According to the OCR, PCS posted clinical and surgical appointments on a publicly accessible Internet calendar. The OCR also alleged that PCS employees e-mailed protected health information to their personal e-mail accounts. Furthermore, PCS allegedly did not have adequate administrative, physical and technical safeguards in place to protect patient data. The OCR alleged that PCS did not appoint a security officer as required by HIPAA or perform an accurate and thorough risk assessment, also required by HIPAA. The CAP required by the settlement will require PCS to implement policies to ensure full compliance with HIPAA's privacy and security rules.

Are You In Compliance with HIPAA?


The Health Insurance Portability and Accountability Act of 1996, sometimes referred to as the Kennedy-Kassebaum Act, was enacted into law as Public Law (P.L.) 104-191, 110 Stat. 1936. Among its many different provisions, it included basic minimums to ensure the privacy of personal medical information. Its main privacy provisions are codified in federal law in different sections of the U.S. Code.

Health Providers Must be Cautious When Working With Electronic Health Information.
This case provides a good example of the downside of information technology (IT). While electronic health information assists in increasing accessibility and efficiency, it can also increase a practice's risk of violating HIPAA's Privacy Rule and Security Rule. All medical practices that utilize electronic health information need to ensure that they have effective IT security, education, policies and procedures in place to protect themselves from HIPAA violations.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs), please visit our website at http://www.thehealthlawfirm.com/ or call (407) 331-6620 or (850) 439-1001.

Sources Include:

HHS Press Office. "HHS Settles Case with Phoenix Cardiac Surgery for Lack of HIPAA Safeguards." U.S. Department of Health and Human Services. (Apr. 17, 2012). Press Release. From http://www.hhs.gov/news/press/2012pres/04/20120417a.html

Lewis, Nicole. "Online Calendar Mistakes Cost Doctors Group $100,000." Information Week. (Apr. 23, 2012). From http://www.informationweek.com/news/healthcare/security-privacy/232900727

Sterling, Robyn. "HHS Settlement for Lack of HIPAA Safeguards." Proskauer Privacy Law Blog. (Apr. 25, 2012). From http://www.jdsupra.com/post/documentViewer.aspx?fid=e548966a-d7eb-4f47-a0af-de15db487dbb/

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. http://www.thehealthlawfirm.com/ The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

Friday, April 13, 2012

Medicare Prohibits Waiver of Co-pays and Deductibles; Professional Courtesy Deemed 'Unlawful'

The heavily regulated health care environment of today makes it difficult to practice the time-honored tradition of professional courtesy. Professional courtesy originally referred to the provision of health care to physician colleagues or their families free of charge or at a reduced rate. Many argue, rightfully so, that the Hippocratic Oath even requires this for the patient who is a physician and his or her family. More recently the scope of professional courtesy has been extended to include patients who may face financial hardship, and physicians commonly forgive or waive co-payments to facilitate patient access to necessary medical care.

Because of the government's aggressive approach to ensure that all claims are billed correctly, the once common practice of professional courtesy is now considered illegal. According to the Department of Health and Human Services (HHS), Office of Inspector General (OIG), "It is unlawful to routinely waive co-payments, deductibles, coinsurances or other patient responsibility payments." (67 Fed. Reg. 72,896 (Dec. 9, 2002)). This applies to health care and services paid by Medicare, TRICARE/CHAMPUS, and any other program paid partially or in full with federal funds. It also includes professional courtesy, as well as "take what insurance pays" (TWIP) policies.

Although we know of no prior instance of the OIG or Department of Justice prosecuting a physician’s extension of professional courtesy, arrangements for free or discounted care implicate fraud and abuse laws, including the Federal False Claims Act, and the Federal Anti-Kickback Statute. There have also been private insurance fraud actions based on illegally waiving co-pays and providing discounts that were not extended to the insurer, as well as Federal actions for these violations and using waivers and discounts to induce Medicare patients to use other health care services.

Physicians must be extra cautious in bestowing professional courtesy, including discounts and waivers, so that they are not punished for genuinely good deeds. While there may be situations where it is defensible to not charge for services to health care professionals, the physician should assure that this professional courtesy is not linked to referrals, either in reality or in appearance.

Waiving Co-Pays
Some physicians commonly reduce the cost of care for patients by waiving the co-pay. However, waiving a co-payment has been interpreted as a fraudulent misrepresentation of physician charges against all types of payers. For example, under traditional Medicare, physicians are paid eighty percent (80%) of the "allowable amount" or the "actual charge," whichever is less. In the instance where Medicare allows $100, the program pays $80 and the co-payment amount is $20. When the physician accepts "what insurance pays" as the only payment, this is viewed as the physician's having an actual charge of $80, so the resulting payment from Medicare should be only $64. Therefore, by Medicare's rules, the physician has overcharged Medicare.

Discounts
In the health care industry, a discount is a reduction in the normal charge based on a specific amount of money or a percentage of the charge. To comply with government and insurance policies, the discount must apply to the total bill, not just the part that is paid by the patient. For example, if a patient owes a 20% co-pay on a $25 charge ($5) and the physician applies a discount of $5, then the patient must pay $4 and the insurance company will pay $16.
In addition, private insurance plans and some federal programs have a "most favored nation" clause in their contracts with physicians. This entitles the plan to pay the lowest charge the physician bills to anyone. Any pattern of discounts could result in a reduction in the physician’s allowable reimbursement schedule to the discounted amount.

"Kickbacks" and Inducements to Refer Patients
The federal government and some states have specific laws governing financial transactions between health care providers, including the Medicare Fraud and Abuse laws and the Stark I and Stark II laws. These laws prohibit any incentives that influence physicians to refer patients. For example, a physician who extended professional courtesy only to other health care providers who referred patients to him or her would violate the law.

These laws have been interpreted very broadly by the courts. Any payment or inducement that might have a tendency to affect referral decisions is prohibited, even if it has other valid purposes. Professional courtesy based on being on the same hospital staff would raise the same issues, although the link to referrals is more tenuous. Giving professional courtesy to all physicians without conditions would be more defensible, but if the government could show that a disproportionate number of physicians receiving the courtesy were also referring physicians, the court would probably rule that this was a prohibited inducement.

Penalties
In the past, if physicians violated the terms of their contracts with private insurers, the insurer could refuse to pay the claim and/or deselect the physician from the plan. The insurer could also sue the physician for fraud. However, under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), it is now a federal crime to defraud private insurance companies. Violations can result in fines and criminal prosecution.

The federal government can also refuse to pay the claim and can ban the physician from participation in Medicare and Medicaid. In addition, when the physician files a claim for services that were provided in ways that violate the federal regulations, that claim violates the False Claims Act (FCA). Violations of the FCA are punishable by a $5000 per claim fine and imprisonment.

For more information on waiving co-pays and deductibles, health care discounts, professional courtesy and other billing issues, please visit our website at www.TheHealthLawFirm.com.