FTC and HHS Issue Breach Notification Rules for Electronic Health Information

As part of the American Recovery and Reinvestment Act of 2009 (the “Recovery Act”), Congress directed the Federal Trade Commission (“FTC”) and the Department of Health and Human Services (“HHS”) to issue rules requiring certain entities to notify consumers if there has been a breach in the security of their personal health information. 

The FTC rule applies to vendors of personal health records, which provide online repositories for storage and tracking of health information, and entities that offer third-party applications for personal health records. These applications could include, for example, a blood pressure cuff whose readings consumers can upload to their personal health record. 

The HHS rule, developed by the Office for Civil Rights (OCR), applies to healthcare providers and other HIPAA covered entities.

Under both rules, a covered entity must notify consumers if there is a “breach” involving their “unsecured” health information. If a service provider or business associate of such an entity suffers a breach of its own, it must notify the entity, which in turn must notify the affected consumers.

A “breach” is defined as the unauthorized acquisition, access, use, or disclosure of protected health information that compromises the security or privacy of that information.

The notification duty attaches only to “unsecured” health information. Entities that render their electronic health records unusable, unreadable, or indecipherable to unauthorized individuals through encryption or destruction, following the methods specified in HHS guidance, are not required to provide notification if that secured information is breached. As an accompaniment to its rule, HHS issued an update to its current guidance on acceptable encryption and destruction methodologies. The encryption guidance is technical in nature (it points to NIST standards for protecting data at rest and in transit and for media sanitization), and the safe harbor depends on the decryption keys remaining protected: encrypted data whose key is also exposed is still unsecured. Entities would be well advised to have their IT staff or consultants carefully review, and as deemed necessary, implement the HHS guidance.

OIG Finds That Unqualified Nonphysicians Are Performing "Incident To" Services and Calls on CMS to Revise its Rule

Medicare Part B permits physicians to bill for services that were provided by nonphysicians “incident to” the physicians’ services. However, in a report issued on August 6th, the Office of Inspector General (OIG) concluded that 21% of these “incident to” services were being performed by unqualified nonphysicians.

Nonphysicians were deemed to be unqualified when either (1) they were not properly licensed or certified under State laws, regulations, or Medicare rules, or (2) they provided rehabilitation therapy even though they had not been trained accordingly.

In conducting its research, the OIG analyzed Medicare Part B claims from the first quarter of 2007. By randomly selecting 250 physician-days on which a physician billed for more than 24 hours of services in a single day, it was able to identify services that could not have been provided by the physicians themselves.

On those days, the OIG found that half of the billed services were performed by nonphysicians, and that 21% of these “incident to” services were performed by nonphysicians who were not qualified to do so. During that three-month period in 2007, Medicare paid out $12.6 million for services provided by unqualified nonphysicians.

Based on these findings, the OIG recommended that the Centers for Medicare and Medicaid Services (CMS) revise its “incident to” rule in the following ways:

1. CMS should require physicians who bill for services they did not personally perform to ensure that the nonphysicians performing these services possess the appropriate training, certification and/or licensure pursuant to Medicare regulations and State law.

2. CMS should require physicians who bill Medicare for services not personally performed by them to use a service code modifier in order to identify those services on their Medicare claims.

3. CMS should address and take appropriate action regarding service claims that were billed by physicians and performed by nonphysicians but that were not, by definition, “incident to” services (e.g., initial patient visits). In addition, CMS should address those claims for rehabilitation services where the nonphysician was found to lack adequate training as a therapist.

In its response, CMS agreed with recommendations #1 and #3, but stated that it needed to further examine the feasibility of creating a service code modifier, as recommended in #2.

Read the full OIG report, which includes CMS' response: Prevalence and Qualifications of Nonphysicians Who Performed Medicare Physician Services.

OCR Will Now Enforce the HIPAA Security Rule

In an effort to consolidate HIPAA administration and enforcement within the Office for Civil Rights ("OCR"), the Secretary of the Department of Health and Human Services ("HHS"), Kathleen Sebelius, has moved administration and enforcement of the HIPAA Security Rule away from the Centers for Medicare & Medicaid Services and delegated that authority to OCR, the office that already administers and enforces the Privacy Rule. According to Secretary Sebelius, “Privacy and security are naturally intertwined, because they both address protected health information. Combining the enforcement authority in one agency within HHS will facilitate improvements by eliminating duplication and increasing efficiency.” This reorganization is further evidence that HHS is gearing up to increase HIPAA enforcement in light of the changes set forth in the HITECH Act.