Georgia's Trusted Healthcare
& Medical Provider Attorneys

Healthcare Providers: Your Business Associates Could Cost You Millions

Healthcare providers must ensure business associates adequately safeguard private health information

The Department of Health and Human Services (HHS) recently entered into a HIPAA settlement with a Minnesota hospital for $1.5 million because the hospital failed to have a written business associate agreement with one of its contractors.

Business associates are entities not themselves covered by HIPAA, often contractors or subcontractors, that require access to protected health information (PHI) to perform services for covered entities. The hospital’s policies failed to ensure the business associate adequately protected consumers’ PHI.

While HIPAA applies to certain covered entities, those entities must also ensure that any business associates adequately secure PHI. HHS found that the Minnesota hospital overlooked two important aspects of the HIPAA rules.

  1. The hospital did not have a written, compliant business associate agreement with one of its IT contractors, and
  2. The hospital failed to have an accurate and thorough risk analysis of its entire IT infrastructure.

HHS investigated after the hospital reported that a laptop was stolen from an employee of the business associate. The laptop contained password-protected but unencrypted PHI for almost 10,000 individuals.

The $1.5 million settlement underscores the importance of HIPAA compliance. Healthcare providers must ensure they have compliance agreements with anyone who has access to protected health information. One example of this is when a healthcare provider contracts IT services. Without compliance agreements, companies can be responsible for hefty fines even if a business associate actually causes the PHI security breach.

If you need help creating policies or contracts to safeguard private healthcare information, we can help. Please contact Jonathan Anderson at Janderson@JeyLaw.com or 678.325.3872.

DCH’s “Engagement Process” Now Official

As of July 2015, the Department of Community Health’s “Engagement Process” became an official part of its Policy and Manual, section 402.5(b).

The “Engagement Process” offers providers an opportunity to discuss findings of an audit or other proposed adverse action and to possibly resolve the matter prior to any request for an Administrative Review during an Engagement Conference.

However, we strongly advise you to contact an attorney prior to requesting an Engagement Conference to help ensure the best possible outcome. 

Here is what you need to know:

  • PURPOSE: The purpose of the Engagement Conference is to discuss a proposed adverse action “with the goal of informally resolving the matter.”
  • WHO INITIATES: You. A provider may request an Engagement Conference following receipt of Initial Findings of Notice of Proposed Adverse Action letter.
  • PROVIDER TIME DEADLINE: This request must be made in writing within seven (7) calendar days of receipt and submitted to Engagement@dch.ga.gov.
  • DCH TIME DEADLINE: The Engagement Conference must be held within twenty-one (21) calendar days of the receipt of the Request.
  • WAIVER: If you do not participate in the Engagement Conference and fail to provide the Department prior written notice of your absence, you waive your right to an Engagement Conference. Notice should be submitted to Engagement@dch.ga.gov. This waiver does not preclude you from requesting an Administrative Review.
  • SETTLEMENT: “The Engagement Conference is considered settlement talks, and therefore, is not admissible in any pending or future proceeding, including Administrative Review or Administrative Hearing.” This includes conduct during conferences, notes, and correspondence.
  • ACCEPTANCE/REJECTION: You have seven (7) calendar days from the date of the Conference to accept or reject the offer in writing.
    • Acceptance must be in writing and waives your right to an administrative review.
    • If you reject the offer, you have the Right to Request an Administrative Review pursuant to Policy and Procedures Manual Sections 402.6 and 505.

Remember to print a copy of any communication you have with DCH and always ask for a “read receipt” when you send an email to DCH.

If you have received a Proposed Adverse Action from the Department, please contact Kimberly Sheridan at ksheridan@jeylaw.com or 678-708-4703 for assistance.

ICD-10 Deadline Less Than 3 Months Away – Need Help?

CMS Announces Measures To Help Ease Transition

The countdown to ICD-10 has begun in earnest, and the Centers for Medicare & Medicaid Services (CMS) has made it clear that it will not back down on the deadline of October 1, 2015. However, CMS announced on July 6 that it is adopting policies to help ease the transition to ICD-10.

The ICD-9 code sets used to report medical diagnoses and inpatient procedures will be replaced by ICD-10 code sets. ICD-10 will affect diagnosis and inpatient procedure coding for everyone covered by the Health Insurance Portability and Accountability Act (HIPAA), not just those who submit Medicare or Medicaid claims.

Although the American Medical Association (AMA) has long opposed the ICD-10 conversion, it issued a joint press release with CMS on July 6. The press release addresses some of the AMA’s concerns and offers some concessions by CMS. To assuage concerns from healthcare providers about inadvertent coding errors that could lead to audits and penalties, CMS has named a CMS ICD-10 Ombudsman to triage and answer questions about the submission of claims. The ICD-10 Ombudsman will be located at CMS’s ICD-10 Coordination Center. CMS has also released provider training videos and an outline of its implementation plan.

Additionally, CMS has announced that for one year past the Oct. 1, 2015, deadline, it will reimburse for incorrectly coded claims as long as that erroneous code is in the same broad family as the right one.

Providers should note that claims for services provided on or after the compliance date will need to be submitted with ICD-10 diagnosis codes; but claims for services provided prior to the compliance date should be submitted with ICD-9 diagnosis codes.

It is important for providers to have their practices ready to implement ICD-10 on October 1, 2015. If you need help with the ICD-10 transition and implementation, call Jeyaram & Associates’ Kimberly Sheridan at 678-708-4703.

Physicians’ Compensation For Certain Referrals Could Violate Anti-Kickback Statute

OIG Reminds Physicians That They Will Be Held Liable For Illegal Payments Under The Anti-kickback Statute

On June 9, the Department of Health and Human Services Office of Inspector General (OIG) issued a Special Fraud Alert warning against potential liability for physicians who enter into certain financial arrangements with healthcare institutions.

The Fraud Alert states that “if even one purpose of the arrangement is to compensate a physician for his or her past or future referrals” the compensation arrangement would violate the federal Anti-kickback statute.

The Fraud Alert discussed a recent settlement regarding an arrangement between several physicians and a healthcare institution. It emphasized that the following factors resulted in an OIG determination that there was improper remuneration:

  • Payments to physicians took into account the physician’s volume or value of referrals and did not reflect fair market value for the services performed
  • Physicians did not actually provide the services called for under the arrangement
  • The arrangement relieved the physician of a financial burden that such physician would have otherwise incurred, e.g., a healthcare institution paid for the physician’s office staff at his or her practice

Although the Fraud Alert does not change any existing laws, it is a reminder that physicians (not just the hospitals) will be held liable for illegal payments. Physicians should heed OIG’s warning and ensure that arrangements with healthcare institutions do not violate any laws. All arrangements must comply not only with the federal Anti-kickback statute, but also with other fraud and abuse laws such as the Stark Law, the Civil Money Penalties Law (CMP Law), and the state law Stark and Anti-kickback counterparts.

The Special Fraud Alert can be found here.

If you are a physician with questions about a current or proposed arrangement with a healthcare institution, please call Danielle Hildebrand or DJ Jeyaram at 678-325-3872 for legal counsel.