Prm Risk Management Notes

					    OIG Risk Areas: Reserved Bed
    Arrangements & HIPAA

             AHCA Compliance Webinar Series
                      August 25, 2009
                Ken Burgess, Poyner Spruill
    Jennifer Gimler Brady, Potter Anderson Corroon LLP

    Where We’ve Been

     ▪ Mechanics of compliance program
       –   Compliance committee/officer
       –   Boards of Directors
       –   Auditing and monitoring systems
       –   Corporate philosophy statements
     ▪ Compliance “risk areas” per OIG
     ▪ Anti-Kickback, False Claims, resident safety
     ▪ With section on auditing/monitoring sample


     ▪ Reserved bed arrangements
       – Potential for Anti-Kickback violations
       – And Medicare provider agreement violation
     ▪ HIPAA
       – Privacy primarily
       – Focus on new HITECH provisions

    Reserved Bed Arrangements

     ▪ Payments or items of “in-kind” exchange to
       reserve beds for hospital patients
       – Especially with higher acuity residents
       – Or in areas with limited SNF beds
     ▪ OIG Supplemental Guidance identifies this as
       potential risk area under federal Anti-Kickback
     ▪ No items of value in exchange for referrals of
       federal program health care business

    Reserved Bed Arrangements

     ▪ Two resources / sources of reference and legal
     ▪ OIG 2008 Supplemental Guidance
     ▪ CMS Provider Reimbursement Manual, section
     ▪ Site:

    Reserved Bed Arrangements

     ▪ Per both, these are permitted
     ▪ IF price or exchange value not based on value or
       volume of referrals from SNF to hospital
       – Potential for disguised kickback if:
          • Double dipping by SNF – bed already occupied
          • Reserve more than hospital really needs
          • Payments = excessive – more than costs SNF to
            hold bed or than SNF would lose by holding bed
            based on its occupancy and resident acuity mix

    Reserved Bed Arrangements

     ▪ Per OIG, these should be entered into only when
       hospital has legitimate need
       – Tip: records of monthly admissions by hospital, length
         of waits, local areas census, hospital’s difficulty with
       – May not be used based on future referrals from SNF to
          • “I pay you X and you send me your hospital

    Best Source for Specifics: PRM Section

     ▪ Accepting a bed reservation payment for an
       occupied bed violates prohibition on accepting
       payment established for Medicare or Medicaid
       – Violation of federal regs and your provider agreement
       – Doesn’t change rule in charging for “luxury items”

    Specific Examples of Permitted &
    Impermissible BRAs

     ▪ May only pay for days bed is vacant
       – May not also charge for difference in program payment
         and a higher reservation fee established by the
       – So once bed is occupied, no further payment under
         agreement for that bed except “luxury items” as with
         any occupied bed

     Specific Examples of Permitted &
     Impermissible BRAs

      ▪ Need to establish reservation fee based on cost
        to SNF of holding the bed
      ▪ Or amount SNF would reasonably lose by
        holding the bed (normal charge?)
        – Based on occupancy rates
        – And resident acuity
        – Tip: establish as part of agreement some basis for fee
          that considers these and other potentially relevant
          factors so it’s objective

     Specific Examples of Permitted &
     Impermissible BRAs

      ▪ In-kind exchanges:
        – Permitted if offered to all residents of SNF and not just
          those in reserved beds or during period a reserved bed
          is occupied
      ▪ Hospital gives RN to SNF
        – Must be full time and available to all residents
        – Not just “reserved bed” patients or when those beds are

     Specific Examples of Permitted &
     Impermissible BRAs

      ▪ Free pharmacy, lab, radiology services
      ▪ Free in-service education to SNF staff
      ▪ Or discounted charges to SNF for these same services
        – Or others following these guidelines
        – These are only examples so you can be creative within these
      ▪ The PRM also addresses how these costs are reported by
        SNF/hospital on cost reports

     Auditing & Monitoring for Reserved Bed

      ▪ Detailed sample in webinar materials
      ▪ Look at:
        – Are we doing these agreements?
        – What do our contracts say vis-à-vis these guidelines in
          PRM / OIG Guidance?
        – Is legal counsel reviewing/approving?
        – Are we following those contracts in practice?
        – Is someone monitoring these periodically?

     Auditing & Monitoring for Reserved Bed

      ▪ Who, by title, is responsible for executing and
        monitoring these agreements?
      ▪ Are we interviewing SNF and hospital staff to
        ensure we are following, in practice, what our
        contracts say?
      ▪ Are our billing/cost reporting folks properly
        recording or not recording these costs per the
        PRM’s guidelines?

     Auditing & Monitoring for Reserved Bed

     ▪ If these “audits” find problems, are we revising
        policy/procedure, sharing with compliance officer
        & committee and reporting this, via compliance
        officer, to Board of Directors along with any
        corrective actions and monitoring of those
     ▪ Are we then making sure these changes are
        passed back to operations for implementation?

     HIPAA Privacy Rule Requirements

      ▪ General principle for uses and disclosures
      ▪ Permitted uses and disclosures
        –   To the individual
        –   Treatment, payment, health care operations
        –   Opportunity to agree or object
        –   Public interest and benefit
            • Required by law
            • Public health activities
            • Victims of abuse, neglect or domestic violence
            • Judicial and administrative proceedings

     HIPAA Administrative Requirements

      ▪ Privacy policies and procedures
      ▪ Workforce training and management
      ▪ Mitigation
      ▪ Data safeguards
      ▪ Retaliation and waiver
      ▪ Documentation and record retention

     HIPAA Authorized Uses and
      ▪ Authorization required unless specifically
      ▪ Psychotherapy notes – release requires
        authorization except
        – Originator may use in treatment, training, certain legal
          proceedings, and to avert serious and imminent threat
          to public health or safety

     HIPAA Notice and Other Individual
      ▪ Privacy practices notice
      ▪ Access
      ▪ Amendment
      ▪ Disclosure accounting
      ▪ Restriction request

     HIPAA Business Associates

      ▪ Definition: a person or organization, other than a
        member of a covered entity’s workforce, that
        performs certain functions or activities on behalf
        of, or provides certain services to, a covered
        entity that involve the use or disclosure of
        protected health information
      ▪ Contract: the Privacy Rule requires that the
        covered entity include certain protections for the
        information in a business associate agreement

     HIPAA Security Rule Requirements
      ▪ General principle – protect confidentiality of
        electronic PHI
      ▪ Required specifications
      ▪ Addressable specifications
      ▪ Compliance process
        –   Assess
        –   Evaluate
        –   Implement
        –   Document
        –   Review
      ▪ Enforcement by Office of Civil Rights, as of
        August 2009

     HITECH Act

      ▪ Health Information Technology for Economic and
        Clinical Health Act
      ▪ Passed February 2009
      ▪ Enhances privacy and security requirements
      ▪ Changes enforcement structure
        – Increased sanctions for violations
        – Explicit authority for state AGs to pursue private claims
          on behalf of individuals
      ▪ Creates new obligations for breach notification,
        information sharing and business associate

     HITECH Notification Requirements

      ▪ Expands obligation to contact individuals
        affected by a breach
      ▪ Applies only to unsecured protected health
      ▪ Any breach must be reported to individuals
        where information is reasonably believed to have
        been accessed, acquired or disclosed
      ▪ Must be made within 60 days of breach

     HITECH Notification Requirements

      ▪ Notice should include as much of the following
        information as possible
        – Description of what happened
        – Dates of breach and discovery
        – Types of information involved
        – Steps to take to protect against improper use
        – Actions taken in response to breach
        – Contact information for individuals to follow up

     HITECH Notification Requirements
      ▪ New methods of notice required
        – First class mail unless individual specified email
        – If contact information unavailable for 10 or more
          individuals, must post publicly
            • Home page of Web site
            • Notice in print or broadcast media
      ▪ Breaches must be documented and submitted
        annually to Secretary of HHS
      ▪ Breaches impacting 500 or more individuals
        require immediate notification to HHS
        – If within the same state or jurisdiction, must notify major
          media outlets

     HITECH Notification Requirements:
     Secured Health Information
      ▪ Does not apply to secured health information
      ▪ Encrypted so as to be unusable, unreadable or
      ▪ Subject to existing HIPAA rules
      ▪ Encryption must be developed or endorsed by
        organization accredited by American National
        Standards Institute
      ▪ Switching to encryption should be considered

     HITECH Business Associates

      ▪ All privacy requirements also apply to business
        associates that obtain or create protected health
      ▪ Requirements must be incorporated into
      ▪ Violations will be subject to civil and criminal
        penalties under the Social Security Act
      ▪ Effective no later than February 17, 2010
      ▪ Must notify covered entity of information
        breaches within 60 days of discovering breach

     Restrictions on Data Use

      ▪ If payment is out-of-pocket, individual has right to
        request that no information be disclosed
      ▪ Disclosure should be as limited data set –
        minimal identifying information or only what is
      ▪ Accessing electronic health records must be
        tracked – individual can request up to three
        years of history
      ▪ Authorization required for use of any information
        for which entity receives direct or indirect

     HITECH Penalties

      ▪ Penalties significantly enhanced
      ▪ Four-tiered liability system
        – Inadvertent violation – $100-$50,000
        – Willful neglect that goes uncorrected – up to $50,000 for
          each case with an annual cap per entity of $1.5 million
        – State AGs can bring actions on behalf of residents –
          $100 per violation, up to $25,000 annually, plus
          attorneys’ fees
      ▪ Penalties already in effect

     To reach us:

     Jennifer Gimler Brady
     Direct dial: (302) 984-6042

     Potter Anderson & Corroon LLP
     1313 North Market Street
     PO Box 951
     Wilmington, DE 19899-0951

