Prm Risk Management Notes

					    OIG Risk Areas: Reserved Bed
    Arrangements & HIPAA

             AHCA Compliance Webinar Series
                      August 25, 2009
                Ken Burgess, Poyner Spruill
    Jennifer Gimler Brady, Potter Anderson Corroon LLP




    Where We’ve Been

     Mechanics of compliance program
       –   Compliance committee/officer
       –   Boards of Directors
       –   Auditing and monitoring systems
       –   Corporate philosophy statements
     Compliance “risk areas” per OIG
     Anti-Kickback, False Claims, resident safety
     With section on auditing/monitoring sample




    Today

     Reserved bed arrangements
      – Potential for Anti-Kickback violations
      – And Medicare provider agreement violation
     HIPAA
      – Privacy primarily
      – Focus on new HITECH provisions




    Reserved Bed Arrangements

     Payments or items of “in-kind” exchange to
      reserve beds for hospital patients
      – Especially with higher acuity residents
      – Or in areas with limited SNF beds
     OIG Supplemental Guidance identifies this as
      potential risk area under federal Anti-Kickback
      statute
     No items of value in exchange for referrals of
      federal program health care business




    Reserved Bed Arrangements

     Two resources / sources of reference and legal
      requirements
     OIG 2008 Supplemental Guidance
     CMS Provider Reimbursement Manual, section
      2105.3
     Site: http://www.cms.hhs.gov/Manuals/PBM




    Reserved Bed Arrangements

     Per both, these are permitted
     IF price or exchange value not based on value or
      volume of referrals from SNF to hospital
      – Potential for disguised kickback if:
         • Double dipping by SNF – bed already occupied
         • Reserve more than hospital really needs
         • Payments = excessive – more than costs SNF to
           hold bed or than SNF would lose by holding bed
           based on its occupancy and resident acuity mix




    Reserved Bed Arrangements

     Per OIG, these should be entered into only when
      hospital has legitimate need
      – Tip: records of monthly admissions by hospital, length
        of waits, local areas census, hospital’s difficulty with
        placement
      – May not be used based on future referrals from SNF to
        hospital
         • “I pay you X and you send me your hospital
           business”




    Best Source for Specifics: PRM Section
    2105.3

     Accepting a bed reservation payment for an
      occupied bed violates prohibition on accepting
      payment established for Medicare or Medicaid
      program
      – Violation of federal regs and your provider agreement
      – Doesn’t change rule in charging for “luxury items”




    Specific Examples of Permitted &
    Impermissible BRAs

     May only pay for days bed is vacant
      – May not also charge for difference in program payment
        and a higher reservation fee established by the
        agreement
      – So once bed is occupied, no further payment under
        agreement for that bed except “luxury items” as with
        any occupied bed




     Specific Examples of Permitted &
     Impermissible BRAs

      Need to establish reservation fee based on cost
       to SNF of holding the bed
      Or amount SNF would reasonably lose by
       holding the bed (normal charge?)
       – Based on occupancy rates
       – And resident acuity
       – Tip: establish as part of agreement some basis for fee
         that considers these and other potentially relevant
         factors so it’s objective




     Specific Examples of Permitted &
     Impermissible BRAs

      In-kind exchanges:
       – Permitted if offered to all residents of SNF and not just
         those in reserved beds or during period a reserved bed
         is occupied
      Hospital gives RN to SNF
       – Must be full time and available to all residents
       – Not just “reserved bed” patients or when those beds are
         occupied




     Specific Examples of Permitted &
     Impermissible BRAs

      Free pharmacy, lab, radiology services
      Free in-service education to SNF staff
      Or discounted charges to SNF for these same services
       – Or others following these guidelines
       – These are only examples so you can be creative within these
         parameters
      The PRM also addresses how these costs are reported by
       SNF/hospital on cost reports




     Auditing & Monitoring for Reserved Bed
     Arrangements

      Detailed sample in webinar materials
      Look at:
       – Are we doing these agreements?
       – What do our contracts say vis-à-vis these guidelines in
         PRM / OIG Guidance?
       – Is legal counsel reviewing/approving?
       – Are we following those contracts in practice?
       – Is someone monitoring these periodically?




     Auditing & Monitoring for Reserved Bed
     Arrangements

      Who, by title, is responsible for executing and
       monitoring these agreements?
      Are we interviewing SNF and hospital staff to
       ensure we are following, in practice, what our
       contracts say?
      Are our billing/cost reporting folks properly
       recording or not recording these costs per the
       PRM’s guidelines?




     Auditing & Monitoring for Reserved Bed
     Arrangements

     If these “audits” find problems, are we revising
        policy/procedure, sharing with compliance officer
        & committee and reporting this, via compliance
        officer, to Board of Directors along with any
        corrective actions and monitoring of those
        periodically?
     Are we then making sure these changes are
        passed back to operations for implementation?




     HIPAA Privacy Rule Requirements

      General principle for uses and disclosures
      Permitted uses and disclosures
       –   To the individual
       –   Treatment, payment, health care operations
       –   Opportunity to agree or object
       –   Public interest and benefit
            • Required by law
            • Public health activities
            • Victims of abuse, neglect or domestic violence
            • Judicial and administrative proceedings



     HIPAA Administrative Requirements

      Privacy policies and procedures
      Workforce training and management
      Mitigation
      Data safeguards
      Retaliation and waiver
      Documentation and record retention




     HIPAA Authorized Uses and
     Disclosures
      Authorization required unless specifically
       exempted
      Psychotherapy notes – release requires
       authorization except
       – Originator may use in treatment, training, certain legal
         proceedings, and to avert serious and imminent threat
         to public health or safety




     HIPAA Notice and Other Individual
     Rights
      Privacy practices notice
      Access
      Amendment
      Disclosure accounting
      Restriction request




     HIPAA Business Associates

      Definition: a person or organization, other than a
       member of a covered entity’s workforce, that
       performs certain functions or activities on behalf
       of, or provides certain services to, a covered
       entity that involve the use or disclosure of
       protected health information
      Contract: the Privacy Rule requires that the
       covered entity include certain protections for the
       information in a business associate agreement




     HIPAA Security Rule Requirements
      General principle – protect confidentiality of
       electronic PHI
      Required specifications
      Addressable specifications
      Compliance process
       –   Assess
       –   Evaluate
       –   Implement
       –   Document
       –   Review
      Enforcement by Office of Civil Rights, as of
       August 2009

     HITECH Act

      Health Information Technology for Economic and
       Clinical Health Act
      Passed February 2009
      Enhances privacy and security requirements
      Changes enforcement structure
       – Increased sanctions for violations
       – Explicit authority for state AGs to pursue private claims
         on behalf of individuals
      Creates new obligations for breach notification,
       information sharing and business associate
       relationships

     HITECH Notification Requirements

      Expands obligation to contact individuals
       affected by a breach
      Applies only to unsecured protected health
       information
      Any breach must be reported to individuals
       where information is reasonably believed to have
       been accessed, acquired or disclosed
      Must be made within 60 days of breach
       discovery



     HITECH Notification Requirements

      Notice should include as much of the following
       information as possible
        – Description of what happened
        – Dates of breach and discovery
        – Types of information involved
        – Steps to take to protect against improper use
        – Actions taken in response to breach
        – Contact information for individuals to follow up




     HITECH Notification Requirements
      New methods of notice required
       – First class mail unless individual specified email
       – If contact information unavailable for 10 or more
         individuals, must post publicly
           • Home page of Web site
           • Notice in print or broadcast media
      Breaches must be documented and submitted
       annually to Secretary of HHS
      Breaches impacting 500 or more individuals
       require immediate notification to HHS
       – If within the same state or jurisdiction, must notify major
         media outlets

     HITECH Notification Requirements:
     Secured Health Information
      Does not apply to secured health information
      Encrypted so as to be unusable, unreadable or
       indecipherable
      Subject to existing HIPAA rules
      Encryption must be developed or endorsed by
       organization accredited by American National
       Standards Institute
      Switching to encryption should be considered




     HITECH Business Associates

      All privacy requirements also apply to business
       associates that obtain or create protected health
       information
      Requirements must be incorporated into
       contracts
      Violations will be subject to civil and criminal
       penalties under the Social Security Act
      Effective no later than February 17, 2010
      Must notify covered entity of information
       breaches within 60 days of discovering breach


     Restrictions on Data Use

      If payment is out-of-pocket, individual has right to
       request that no information be disclosed
      Disclosure should be as limited data set –
       minimal identifying information or only what is
       necessary
      Accessing electronic health records must be
       tracked – individual can request up to three
       years of history
      Authorization required for use of any information
       for which entity receives direct or indirect
       payment

     HITECH Penalties

      Penalties significantly enhanced
      Four-tiered liability system
       – Inadvertent violation – $100-$50,000
       – Willful neglect that goes uncorrected – up to $50,000 for
         each case with an annual cap per entity of $1.5 million
       – State AGs can bring actions on behalf of residents –
         $100 per violation, up to $25,000 annually, plus
         attorneys’ fees
      Penalties already in effect




     To reach us:

     Jennifer Gimler Brady
     Direct dial: (302) 984-6042
     jbrady@potteranderson.com



     Potter Anderson & Corroon LLP
     1313 North Market Street
     PO Box 951
     Wilmington, DE 19899-0951
     www.potteranderson.com



