SGR Revisited

Congress reconvenes next week for a lame duck session.  While most observers seem to feel nothing will get done due to the upcoming changes in the composition of both the House and Senate, it is hard to believe they won't tackle the impending SGR problem.

As all physicians know, under the decade-old law that adjusts Medicare rates paid to physicians, if actual utilization and costs exceed what is deemed the appropriate rate of growth, physician reimbursement rates are to be reduced for the following year.  In past years, Congress has continually postponed the effective date of such reductions, which then accumulate annually.

CMS, in its final Medicare Physician Fee Schedule for 2011, has made it clear that these accumulated SGR adjustments, the postponement of which ends this month, will take effect in December (with a 23% cut in payment rates December 1) and will continue in 2011 (with an additional 1.9% cut January 1).

Congress is between a rock and a hard place, as it certainly doesn't want to have to deal with the uproar of the physician community and the potential refusal to treat more Medicare patients.  On the other hand, the financial structure of the PPACA changes is premised on letting the SGR adjustments take effect.  The additional cost of the health care reform without applying the SGR reductions has been estimated at between $250 and $350 billion.  With the public screaming that reform is too expensive as now planned, what will the reaction be to another $250 billion?

I see only one politically expedient solution for Congress:  allow a slight SGR reduction each year for the next couple of years, but continue to postpone a major fix until the new independent payment board takes over the annual responsibility for setting rates to address increasing Medicare costs.  That Board can make SGR cuts and will not be directly subject to the physicians' or voters' wrath, or better yet, devise a better way to pay physicians and other providers.

At this point, let's hope the lame duck session of Congress is willing to at least take on this looming crisis before December.


HHS issues final regulations on "meaningful use"

Final regulations on "meaningful use" of electronic health records were released today by HHS. The 863-page rule specifies the initial criteria that hospitals and physicians hoping to obtain incentive support payments under the ARRA for their use of EHRs must meet.  The regulations will be published in the Federal Register on July 28, 2010.

State Medical Board Disciplinary Actions Against Physicians Rise 6% in 2009

In its annual report, the Federation of State Medical Boards reported a 6% jump in disciplinary actions taken against physicians in 2009, compared to only a 1% increase in 2008.  The 75-page report provides a summary of the 5,721 disciplinary actions instituted by 70 medical and osteopathic boards--an increase of 342 actions from the prior year.

The medical boards of Nebraska, New Hampshire and South Dakota more than doubled their disciplinary actions, while the Florida Board of Osteopathic Medicine and the South Carolina Board of Medical Examiners had the greatest reduction in disciplinary actions, reducing their number by 38 and 36, respectively.

D.C. Court Holds that the FTC Cannot Enforce its Red Flags Rule Against Attorneys

On December 1, 2009, the U.S. District Court for the District of Columbia issued a written opinion siding with the American Bar Association’s (ABA) challenge against the Federal Trade Commission’s (FTC) Red Flags Rule and prohibiting the FTC from enforcing its Rule against attorneys.

Among its reasons for so holding, the court declined to classify attorneys as “creditors” under the Rule.  The court stated that “credit is a specific subset of activity…which does not logically or commonly apply to attorney billing practices.”  The court went on to note that attorneys are not granting clients the right to postpone payment simply because they do not demand immediate payment from clients.  Rather, attorneys invoice clients for their own convenience, because of ethical rules which prohibit payment for services not yet rendered, and because of the unpredictable nature of the practice of law, which would make it unreasonable for attorneys to immediately calculate and collect their fees.

The court’s ruling could well have a significant impact beyond the legal arena, as several professions, including health care providers, have made similar arguments as to why they should not be subjected to the FTC’s Red Flags Rule.


And Yet Another Delay....Red Flags Rule Enforcement Date Pushed Back Until June 2010

The Federal Trade Commission (FTC) announced that it will delay the enforcement of its Red Flags Rule for a fourth time, extending the start date to June 1, 2010.  The FTC previously delayed enforcement until November 1, 2009, but decided on the further extension due to a request from members of Congress.

The Red Flags Rule addresses identity theft and requires certain "creditors" to develop identity theft prevention programs.  You can learn about the specific requirements of the Red Flags Rule in a prior DGS post.

Bill Introduced in the House Would Exclude Some Healthcare Providers from FTC Red Flags Rule

On October 8, 2009, Representative John Adler (D-NJ) introduced House Bill 3763 (PDF), which would exclude certain small businesses, including health care practices with 20 or fewer employees, from the FTC's Red Flags Rule.  The bill has been referred to the House Committee on Financial Services.  DGS will continue to track and report any noteworthy progress.

In July 2009, the FTC delayed enforcement of the Red Flags Rule for a third time, until November 1, 2009.  A prior DGS post provides more information on the requirements of the Red Flags Rule.

Congress Calls on HHS to Strengthen Breach Notification Rules

In a letter issued on October 1st, Congressional House leaders of the Energy and Commerce and Ways and Means committees oppose “the high bar” that the Department of Health and Human Services (HHS) has set for breach notification.

The breach notification regulations were enacted pursuant to the American Recovery and Reinvestment Act of 2009 (ARRA).  Published as interim final regulations in the Federal Register on August 24, 2009, they require health care entities to notify individuals and HHS if there has been an unauthorized use or disclosure (“breach”) of electronic personal health data.
These regulations, however, include a “substantial harm” standard, which does not require breach notification to individuals or HHS if the breaching entity believes there is no significant risk of financial, reputational or other harm to the individual.

According to the letter, the substantial harm standard is not consistent with Congressional intent. “In drafting [the enacting statute], Committee members specifically considered and rejected such a standard due to concerns over the breadth of discretion that would be given to breaching entities, particularly with regard to determining something as subjective as harm from the release of sensitive and personal health information.”

The letter urges HHS to revise or repeal the harm standard provision and calls for greater transparency through a “black and white standard,” which would allow individuals to assess the level of harm caused by a breach of their health information, and permit them to judge the quality of an entity’s privacy protection based on the true number of breach occurrences.

Negotiating Medical Office Building Leases

Entering into a Medical Office Building (MOB) Lease can often implicate Anti-Kickback and Stark law issues.  In Beware, Negotiating Medical Office Building Leases, which was recently published in the Colorado Real Estate Journal, I discuss how MOB leases can potentially violate Anti-Kickback and Stark laws and provide guidance on how to structure these leases to comply with federal and state law.

FTC and HHS Issue Breach Notification Rules for Electronic Health Information

As part of the American Recovery and Reinvestment Act of 2009 (the “Recovery Act”), Congress directed the Federal Trade Commission (“FTC”) and the Department of Health and Human Services (“HHS”) to issue rules requiring certain entities to notify consumers if there has been a breach in the security of their personal health information. 

The FTC rule applies to vendors of personal health records, which provide online repositories for storage and tracking of health information, and entities that offer third-party applications for personal health records. These applications could include, for example, a blood pressure cuff whose readings consumers can upload to their personal health record. 

The HHS rule, developed by the Office for Civil Rights (OCR), applies to healthcare providers and other HIPAA covered entities.

Under the rules, those entities subject to either rule must notify consumers if there is a “breach” involving their “unsecured” health information. Additionally, if a service provider or business associate of one of the entities has a breach of its own, it must notify the entity, which in turn must notify consumers.

A “breach” is defined as the unauthorized acquisition, access, use, or disclosure of protected health information, which results in the compromise of the security or privacy of such information.

Entities that secure their electronic health records through encryption or destruction are not required to provide notification in the event of a breach, as long as they follow HHS guidance on the proper methods of securing information. As an accompaniment to its rule, HHS issued an update to its current guidance (PDF) on acceptable encryption and destruction methodologies, which would render sensitive information unusable to unauthorized individuals. The policy on encryption is technical in nature and entities would be well-advised to have their IT consultants carefully review, and as deemed necessary, implement the HHS guidance.

OIG Finds That Unqualified Nonphysicians Are Performing "Incident To" Services and Calls on CMS to Revise its Rule

Medicare Part B permits physicians to bill for services that were provided by nonphysicians “incident to” the physicians’ services.  However, in a report issued on August 6th, the Office of Inspector General (OIG) concluded that 21% of the time these “incident to” services were being performed by unqualified nonphysicians.

Nonphysicians were deemed to be unqualified when either (1) they were not properly licensed or certified under State laws, regulations, or Medicare rules, or (2) they provided rehabilitation therapy even though they had not been trained accordingly.

In conducting its research, the OIG analyzed Medicare Part B claims made during the first quarter of 2007.  By randomly selecting 250 days in which physicians billed for more than 24 hours of services during a single day, it was able to identify services not provided by the physicians themselves.

When physicians’ billed hours exceeded 24 hours/day, the OIG found that half of the services were performed by nonphysicians, and that 21% of these “incident to” services were performed by nonphysicians who were not qualified to do so.  During that three-month period in 2007, Medicare paid out $12.6 million for services provided by unqualified nonphysicians.

Based on these findings, the OIG recommended that the Centers for Medicare and Medicaid Services (CMS) revise its “incident to” rule in the following ways:


1.      CMS should require physicians who bill for services they did not personally perform to ensure that the nonphysicians performing these services possess the appropriate training, certification and/or licensure pursuant to Medicare regulations and State law.

2.      CMS should require physicians who bill Medicare for services not personally performed by them to use a service code modifier in order to identify those services on their Medicare claims.

3.      CMS should address and take appropriate action in regard to those service claims that were identified as having been billed by physicians and performed by nonphysicians that were not, by definition, “incident to” services (e.g., initial patient visits).  In addition, CMS should address those claims for rehabilitation services where it was found that the nonphysician did not have adequate training as a therapist.


In its response, CMS agreed with #1 and #3 of the OIG recommendations, but stated that it needed to further examine the feasibility of creating a service code modifier, as recommended in #2.

Read the full OIG report as well as CMS' response--Prevalence and Qualifications of Nonphysicians Who Performed Medicare Physician Services.

"Red Flags" Rule: New FTC Regulations Require Healthcare Providers to Combat Identity Theft.


On August 1, 2009, the Federal Trade Commission (“FTC”) will begin enforcement of its "Red Flags" Rule, which is aimed at reducing identity theft.  The Rule requires creditors to look for "red flags" that signal possible identity theft, and applies to any “creditor” that maintains “covered accounts.” 

While most healthcare providers wouldn't usually think of themselves as traditional creditors, the Rule's definitions are broad enough to bring them into that realm.

Under the Rule, creditor is defined as any person or organization that “regularly extends, renews, or continues credit.” 

  • When a healthcare provider allows a patient to pay for medical services after they are rendered or accepts payments over a period of time, that provider is acting as a creditor. 

Covered accounts include:

  1. Accounts maintained by a creditor which are primarily for personal, family, or household purposes and are designed to permit multiple payments or transactions, or
  2. Any other account for which there is a “reasonably foreseeable risk to consumers” of identity theft.
  • Patient accounts likely fit within both of these categories.

Given the above, most healthcare providers will indeed need to comply with the "Red Flags" Rule.

View this "Red Flags" Rule PowerPoint presentation for a quick overview of the Rule's requirements and the consequences of noncompliance.

You can also consult the FTC's simplified "How-To Guide", which provides the basics for complying with the Red Flags Rule.