CMS Strengthens Enrollment Standards for DMEPOS Suppliers

Earlier today, CMS issued a final rule tightening the enrollment standards for suppliers of durable medical equipment, prosthetics, orthotics and supplies ("DMEPOS") in order to prevent fraud. Not only did CMS strengthen the existing standards that suppliers must satisfy to provide DMEPOS to Medicare patients, but the final rule also adds several new standards. The rule becomes effective on September 27, 2010.

The new standards for DMEPOS suppliers to receive payment from the Medicare program include the following:


·         Suppliers must obtain a state license for supplying oxygen if the state requires a license;

·         Suppliers must remain open to the public for at least 30 hours per week, with certain exceptions;

·         Suppliers must continue to maintain ordering and referring documentation from physicians or licensed practitioners; and

·         Supplier must not share a practice location with other Medicare providers or suppliers, with certain exceptions.


In addition, the final rule expands the existing standards that DMEPOS suppliers must meet to receive payment from the Medicare program, including a requirement that suppliers maintain a physical location on an appropriate site. The rule details several requirements as to what will qualify as an appropriate site. CMS also included in the final rule language explaining that suppliers must themselves be licensed to provide licensed services and cannot contract with another party to provide those licensed services.

Another Delay for the Red Flags Rule

In not-so-surprising news today, the FTC has delayed the enforcement date of the Red Flags Rule for the fifth time. The new forbearance deadline is December 31, 2010; however, if Congress passes legislation on this issue with an effective date before December 31, 2010, the FTC will begin enforcing the Rule on that earlier effective date. This delay follows on the heels of a lawsuit filed last Friday by the American Medical Association and others challenging the Rule's definition of "creditor" to the extent that it includes medical professionals.

IRS Begins Issuing Regulations Under PPACA

The Internal Revenue Service has begun issuing regulations implementing the Patient Protection and Affordable Care Act (PPACA), the federal health reform law. You can expect to see new regulations under the law coming out monthly for the remainder of the year. In a recent speech to the American Health Lawyers Association, a spokesperson for CMS said that HHS is presently drafting 18 sets of new regulations that have to be in effect during 2010, compared to its normal output of 2 to 3 sets.

The IRS's first rules relate to extending dependent coverage under a parent's health insurance to include children up to age 26.


OCR Still Working On HITECH Rulemaking, Delays Enforcement of Certain Provisions

On March 18, 2010, the Office for Civil Rights (OCR) published an update on its rulemaking and enforcement efforts under the HITECH Act. OCR made clear that the increased civil monetary penalties for HIPAA violations and enforcement of the breach notification rule have been effective since February 17, 2010 and February 22, 2010, respectively.

However, OCR stated that it continues to work on a Notice of Proposed Rulemaking (NPRM) regarding the following HITECH provisions: business associate liability; new limitations on the sale of protected health information, marketing and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information.

OCR noted that although the effective date for many of these provisions has passed (February 17, 2010), the NPRM and subsequent final rule will provide specific information regarding the expected date of compliance and enforcement for the new requirements.

Of particular interest in this rulemaking will be whether the OCR will require parties to affirmatively amend their business associate agreements to reflect the new privacy and security requirements with which business associates must directly comply, or whether the new provisions are already incorporated into the agreements by operation of law.

DGS will continue to monitor OCR’s HITECH rulemaking progress and will post updates as they are available.

Healthcare Professionals Call on FTC for Exemption from its Red Flags Rule

Will health care providers be the second profession to escape the Federal Trade Commission's (FTC) Red Flags Rule?  The heads of the American Dental Association, the American Medical Association, the American Osteopathic Association, and the American Veterinary Medical Association hope so, and they're asking the FTC to declare that its identity theft prevention rule (Red Flags Rule or Rule) does not apply to their licensed professionals.

In light of the November 2009 United States District Court decision in American Bar Association v. FTC, which held that the Red Flags Rule did not apply to legal professionals, the healthcare organizations issued a joint letter to the FTC requesting the same treatment.

The healthcare organizations specifically requested that the FTC:  (1) Announce that the Rule will not be applied to licensed health care professionals until at least ninety days after the final resolution of the ABA litigation and (2) Commit that if the result of the final ABA litigation is that the Red Flags Rule will not be applied to lawyers, the FTC will not apply the Rule to licensed health care professionals either.

The letter noted the substantial cost and burden on healthcare professionals of complying with the Rule and stated that if lawyers were exempt from the Rule, it would be "manifestly unfair" to subject healthcare professionals to it.

D.C. Court Holds that the FTC Cannot Enforce its Red Flags Rule Against Attorneys

On December 1, 2009, the U.S. District Court for the District of Columbia issued a written opinion siding with the American Bar Association's (ABA) challenge to the Federal Trade Commission's (FTC) Red Flags Rule and prohibiting the FTC from enforcing the Rule against attorneys.

Among its reasons for so holding, the court declined to classify attorneys as "creditors" under the Rule. The court stated that "credit is a specific subset of activity…which does not logically or commonly apply to attorney billing practices." The court went on to note that attorneys are not granting clients the right to postpone payment simply because they do not demand immediate payment from clients. Rather, attorneys invoice clients for their own convenience, because ethical rules prohibit payment for services not yet rendered, and because the unpredictable nature of the practice of law would make it unreasonable for attorneys to immediately calculate and collect their fees.

The court’s ruling could well have a significant impact beyond the legal arena, as several professions, including health care providers, have made similar arguments as to why they should not be subjected to the FTC’s Red Flags Rule.


And Yet Another Delay....Red Flags Rule Enforcement Date Pushed Back Until June 2010

The Federal Trade Commission (FTC) announced that it will delay enforcement of its Red Flags Rule for a fourth time, extending the start date to June 1, 2010. The FTC had previously delayed enforcement until November 1, 2009, but decided on the further extension in response to a request from members of Congress.

The Red Flags Rule addresses identity theft and requires certain "creditors" to develop identity theft prevention programs.  You can learn about the specific requirements of the Red Flags Rule in a prior DGS post.

Bill Introduced in the House Would Exclude Some Healthcare Providers from FTC Red Flags Rule

On October 8, 2009, Representative John Adler (D-NJ) introduced House Bill 3763, which would exclude certain small businesses, including health care practices with 20 or fewer employees, from the FTC's Red Flags Rule. The bill has been referred to the House Committee on Financial Services. DGS will continue to track and report any noteworthy progress.

In July 2009, the FTC delayed enforcement of the Red Flags Rule for a third time, until November 1, 2009. A prior DGS post provides more information on the requirements of the Red Flags Rule.

A lighthearted look at HITECH

Take a couple of minutes and enjoy one physician's musical look at HITECH.

Congress Calls on HHS to Strengthen Breach Notification Rules

In a letter issued on October 1st, the House leaders of the Energy and Commerce and Ways and Means committees opposed "the high bar" that the Department of Health and Human Services (HHS) has set for breach notification.

The breach notification regulations were enacted pursuant to the American Recovery and Reinvestment Act of 2009 (ARRA). Published as interim final regulations in the Federal Register on August 24, 2009, they require health care entities to notify individuals and HHS if there has been an unauthorized use or disclosure ("breach") of electronic personal health data.

These regulations, however, include a "substantial harm" standard, which does not require breach notification to individuals or HHS if the breaching entity believes there is no significant risk of financial, reputational or other harm to the individual.

According to the letter, the substantial harm standard is not consistent with Congressional intent. “In drafting [the enacting statute], Committee members specifically considered and rejected such a standard due to concerns over the breadth of discretion that would be given to breaching entities, particularly with regard to determining something as subjective as harm from the release of sensitive and personal health information.”

The letter urges HHS to revise or repeal the harm standard provision and calls for greater transparency through a “black and white standard,” which would allow individuals to assess the level of harm caused by a breach of their health information, and permit them to judge the quality of an entity’s privacy protection based on the true number of breach occurrences.

Negotiating Medical Office Building Leases

Entering into a Medical Office Building (MOB) Lease can often implicate Anti-Kickback and Stark law issues.  In Beware, Negotiating Medical Office Building Leases, which was recently published in the Colorado Real Estate Journal, I discuss how MOB leases can potentially violate Anti-Kickback and Stark laws and provide guidance on how to structure these leases to comply with federal and state law.

FTC and HHS Issue Breach Notification Rules for Electronic Health Information

As part of the American Recovery and Reinvestment Act of 2009 (the “Recovery Act”), Congress directed the Federal Trade Commission (“FTC”) and the Department of Health and Human Services (“HHS”) to issue rules requiring certain entities to notify consumers if there has been a breach in the security of their personal health information. 

The FTC rule applies to vendors of personal health records, which provide online repositories for storage and tracking of health information, and entities that offer third-party applications for personal health records. These applications could include, for example, a blood pressure cuff whose readings consumers can upload to their personal health record. 

The HHS rule, developed by the Office for Civil Rights (OCR), applies to healthcare providers and other HIPAA covered entities.

Under the rules, those entities subject to either rule must notify consumers if there is a “breach” involving their “unsecured” health information. Additionally, if a service provider or business associate of one of the entities has a breach of its own, it must notify the entity, which in turn must notify consumers.

A “breach” is defined as the unauthorized acquisition, access, use, or disclosure of protected health information, which results in the compromise of the security or privacy of such information.

Entities that secure their electronic health records through encryption or destruction are not required to provide notification in the event of a breach, as long as they follow HHS guidance on the proper methods of securing information. As an accompaniment to its rule, HHS issued an update to its current guidance on acceptable encryption and destruction methodologies, which render sensitive information unusable to unauthorized individuals. The guidance on encryption is technical in nature, and entities would be well advised to have their IT consultants carefully review, and as deemed necessary implement, the HHS guidance.


OIG Finds That Unqualified Nonphysicians Are Performing "Incident To" Services and Calls on CMS to Revise its Rule

Medicare Part B permits physicians to bill for services that were provided by nonphysicians "incident to" the physicians' services. However, in a report issued on August 6th, the Office of Inspector General (OIG) concluded that 21% of the time these "incident to" services were being performed by unqualified nonphysicians.

Nonphysicians were deemed to be unqualified when either (1) they were not properly licensed or certified under State laws, regulations, or Medicare rules, or (2) they provided rehabilitation therapy even though they had not been trained accordingly.

In conducting its research, the OIG analyzed Medicare Part B claims made during the first quarter of 2007. By randomly selecting 250 days on which individual physicians had billed for more than 24 hours of services in a single day, it was able to identify services that could not have been provided by the physicians themselves.

When physicians' billed hours exceeded 24 hours per day, the OIG found that half of the services were performed by nonphysicians, and that 21% of these "incident to" services were performed by nonphysicians who were not qualified to do so. During that three-month period in 2007, Medicare paid out $12.6 million for services provided by unqualified nonphysicians.

Based on these findings, the OIG recommended that the Centers for Medicare and Medicaid Services (CMS) revise its "incident to" rule in the following ways:

  1. CMS should require physicians who bill for services they did not personally perform to ensure that the nonphysicians performing these services possess the appropriate training, certification and/or licensure pursuant to Medicare regulations and State law.

  2. CMS should require physicians who bill Medicare for services not personally performed by them to use a service code modifier in order to identify those services on their Medicare claims.

  3. CMS should address and take appropriate action with regard to those service claims that were billed by physicians and performed by nonphysicians but that were not, by definition, "incident to" services (e.g., initial patient visits). In addition, CMS should address those claims for rehabilitation services where it was found that the nonphysician did not have adequate training as a therapist.

In its response, CMS agreed with recommendations #1 and #3, but stated that it needed to further examine the feasibility of creating a service code modifier, as recommended in #2.

Read the full OIG report as well as CMS' response--Prevalence and Qualifications of Nonphysicians Who Performed Medicare Physician Services.

FTC Again Delays Enforcement of its Red Flags Rule

The Federal Trade Commission (FTC) issued a press release on July 29, 2009, announcing another three-month delay in its enforcement of the Red Flags Rule. The enforcement date, which had been scheduled for August 1, 2009, will now be postponed until November 1, 2009.

The Red Flags Rule is an anti-fraud regulation aimed at reducing identity theft by requiring "creditors" to develop programs to identify, detect and respond to "red flags" that might indicate an act of identity theft. (You can learn more specifics about the Red Flags Rule in a prior DGS post.)

This delay was issued in response to the House Appropriations Committee’s recent request that the FTC defer enforcement in order to minimize the impact of the Rule on health care providers and other small businesses.

In its press release, the FTC announced that it will increase its efforts to educate small businesses about compliance requirements and that it intends to provide additional materials and guidance to do so. A specific link for small and low-risk entities will be set up on the FTC's Red Flags Rule website to enable these entities to easily access materials that are relevant to their compliance needs.

The FTC already offers a Red Flags Rule FAQs section, which addresses many compliance and enforcement issues.

Summary of Colorado Fraud & Abuse Statutes and Regulations

Davis Graham & Stubbs originally compiled this summary of Colorado fraud & abuse statutes and regulations for the American Health Lawyers Association (AHLA). These state laws generally complement and enhance the federal Stark and Anti-Kickback statutes.

With the Obama administration's increased efforts to combat health care fraud, it's important for all healthcare providers to be apprised of what the fraud and abuse laws prohibit, as well as the legal exceptions to these laws.

(The summary is reprinted with permission from the AHLA. Copyright 2009 American Health Lawyers Association, Washington, D.C.)

"Red Flags" Rule: New FTC Regulations Require Healthcare Providers to Combat Identity Theft

On August 1, 2009, the Federal Trade Commission ("FTC") will begin enforcement of its "Red Flags" Rule, which is aimed at reducing identity theft. The Rule requires creditors to look for "red flags" that signal possible identity theft, and applies to any "creditor" that maintains "covered accounts."

While most healthcare providers wouldn't usually think of themselves as traditional creditors, the Rule's definitions are broad enough to bring them into that realm.

Under the Rule, creditor is defined as any person or organization that “regularly extends, renews, or continues credit.” 

  • When a healthcare provider allows a patient to pay for medical services after they are rendered or accepts payments over a period of time, that provider is acting as a creditor. 

Covered accounts include:

  1. Accounts maintained by a creditor which are primarily for personal, family, or household purposes and are designed to permit multiple payments or transactions, or
  2. Any other account for which there is a "reasonably foreseeable risk to consumers" of identity theft.

  • Patient accounts likely fit within both of these categories.

Given the above, most healthcare providers will indeed need to comply with the "Red Flags" Rule.

View this "Red Flags" Rule PowerPoint presentation for a quick overview of the Rule's requirements and the consequences of noncompliance.

You can also consult the FTC's simplified "How-To Guide", which provides the basics for complying with the Red Flags Rule.

Significant HIPAA Modifications in the American Recovery and Reinvestment Act

The American Recovery and Reinvestment Act of 2009 (commonly called the "Stimulus Bill") contains sweeping changes to HIPAA. HIPAA has been expanded to reach entities not previously governed by it, and the penalties for violating HIPAA have increased dramatically. The devil is in the details, however, and those details remain unknown until the implementing regulations are issued. For a more detailed summary of the Stimulus Bill's changes to HIPAA, please see our DGS client alert on this issue.