1

OIG Risk Areas: Reserved Bed Arrangements & HIPAA

AHCA Compliance Webinar SeriesAugust 25, 2009

Ken Burgess, Poyner SpruillJennifer Gimler Brady, Potter Anderson Corroon LLP

2

Where We’ve Been

Mechanics of compliance program– Compliance committee/officer

– Boards of Directors

– Auditing and monitoring systems

– Corporate philosophy statements

Compliance “risk areas” per OIG Anti-Kickback, False Claims, resident safety With section on auditing/monitoring sample

3

Today

Reserved bed arrangements– Potential for Anti-Kickback violations– And Medicare provider agreement violation

HIPAA– Privacy primarily– Focus on new HITECH provisions

4

Reserved Bed Arrangements

Payments or items of “in-kind” exchange to reserve beds for hospital patients– Especially with higher acuity residents– Or in areas with limited SNF beds

OIG Supplemental Guidance identifies this as potential risk area under federal Anti-Kickback statute

No items of value in exchange for referrals of federal program health care business

5

Reserved Bed Arrangements

Two resources / sources of reference and legal requirements

OIG 2008 Supplemental Guidance CMS Provider Reimbursement Manual, section

2105.3 Site: http://www.cms.hhs.gov/Manuals/PBM

6

Reserved Bed Arrangements

Per both, these are permitted IF price or exchange value not based on value or

volume of referrals from SNF to hospital– Potential for disguised kickback if:

• Double dipping by SNF – bed already occupied• Reserve more than hospital really needs• Payments = excessive – more than costs SNF to

hold bed or than SNF would lose by holding bed based on its occupancy and resident acuity mex

7

Reserved Bed Arrangements

Per OIG, these should be entered into only when hospital has legitimate need– Tip: records of monthly admissions by hospital, length

of waits, local areas census, hospital’s difficulty with placement

– May not be used based on future referrals from SNF to hospital• “I pay you X and you send me your hospital

business”

8

Best Source for Specifics: PRM Section 2105.3

Accepting a bed reservation payment for an occupied bed violates prohibition on accepting payment established for Medicare or Medicaid program– Violation of federal regs and your provider agreement– Doesn’t change rule in charging for “luxury items”

9

Specific Examples of Permitted & Impermissable BRAs

May only pay for days bed is vacant– May not also charge for difference in program payment

and a higher reservation fee established by the agreement

– So once bed is occupied, no further payment under agreement for that bed except “luxury items” as with any occupied bed

10

Specific Examples of Permitted & Impermissable BRAs

Need to establish reservation fee based on cost to SNF of holding the bed

Or amount SNF would reasonably lose by holding the bed (normal charge?)– Based occupancy rates– And resident acuity– Tip: establish as part of agreement some basis for fee

that considers these and other potentially relevant factors so its objective

11

Specific Examples of Permitted & Impermissable BRAs

In-kind exchanges:– Permitted if offered to all residents of SNF and not just

those in reserved beds or during period a reserved bed is occupied

Hospital gives RN to SNF– Must be full time and available to all residents– Not just “reserved bed” patients or when those beds are

occupied

12

Specific Examples of Permitted & Impermisable BRAs

Free pharmacy, lab, radiology services Free in-service education to SNF staff Or discounted charges to SNF for these same services

– Or others following these guidelines

– These are only examples so you can be creative within these parameters

The PRM also addresses how these costs are reported by SNF/hospital on cost reports

13

Auditing & Monitoring for Reserved Bed Arrangements

Detailed sample in webinar materials Look at:

– Are we doing these agreements?– What do our contracts say vis-à-vis these guidelines in

PRM / OIG Guidance?– Is legal counsel reviewing/approving?– Are we following those contracts in practice?– Is someone monitoring these periodically?

14

Auditing & Monitoring for Reserved Bed Arrangements

Who, by title, is responsible for executing and monitoring these agreements?

Are we interviewing SNF and hospital staff to ensure we are following, in practice, what our contracts say?

Are our billing/cost reporting folks properly recording or not recording these costs per the PRM’s guidelines?

15

Auditing & Monitoring for Reserved Bed Arrangements

If these “audits” find problems, are we revising policy/procedure, sharing with compliance officer & committee and reporting this, via compliance officer, to Board of Directors along with any corrective actions and monitoring of those periodically?

Are we then making sure these changes are passed back to operations for implementation?

16

HIPAA Privacy Rule Requirements

General principle for uses and disclosures Permitted uses and disclosures

– To the individual– Treatment, payment, health care operations– Opportunity to agree or object– Public interest and benefit

• Required by law• Public health activities• Victims of abuse, neglect or domestic violence• Judicial and administrative proceedings

17

HIPAA Administrative Requirements

Privacy policies and procedures Workforce training and management Mitigation Data safeguards Retaliation and waiver Documentation and record retention

18

HIPAA Authorized Uses and Disclosures

Authorization required unless specifically exempted

Psychotherapy notes – release requires authorization except– Originator may use in treatment, training, certain legal

proceedings, and to avert serious and imminent threat to public health or safety

19

HIPAA Notice and Other Individual Rights

Privacy practices notice Access Amendment Disclosure accounting Restriction request

20

HIPAA Business Associates

Definition: a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of protected health information

Contract: the Privacy Rule requires that the covered entity include certain protections for the information in a business associate agreement

21

HIPAA Security Rule Requirements

General principle – protect confidentiality of electronic PHI

Required specifications Addressable specifications Compliance process

– Assess– Evaluate– Implement– Document– Review

Enforcement by Office of Civil Rights, as of August 2009

22

HITECH Act

Health Information Technology for Economic and Clinical Health Act

Passed February 2009 Enhances privacy and security requirements Changes enforcement structure

– Increased sanctions for violations– Explicit authority for state AGs to pursue private claims

on behalf of individuals

Creates new obligations for breach notification, information sharing and business associate relationships

23

HITECH Notification Requirements

Expands obligation to contact individuals affected by a breach

Applies only to unsecured protected health information

Any breach must be reported to individuals where information is reasonably believed to have been accessed, acquired or disclosed

Must be made within 60 days of breach discovery

24

HITECH Notification Requirements

Notice should include as much of the following information as possible– Description of what happened– Dates of breach and discovery– Types of information involved– Steps to take to protect against improper use– Actions taken in response to breach– Contact information for individuals to follow up

25

HITECH Notification Requirements

New methods of notice required– First class mail unless individual specified email– If contact information unavailable for 10 or more

individuals, must post publicly• Home page of Web site• Notice in print or broadcast media

Breaches must be documented and submitted annually to Secretary of HHS

Breaches impacting 500 or more individuals requires immediate notification to HHS– If within the same state or jurisdiction, must notify major

media outlets

26

HITECH Notification Requirements: Secured Health Information

Does not apply to secured health information Encrypted so as to be unusable, unreadable or

indecipherable Subject to existing HIPAA rules Encryption must be developed or endorsed by

organization accredited by American National Standards Institute

Switching to encryption should be considered

27

HITECH Business Associates

All privacy requirements also apply to business associates that obtain or create protected health information

Requirements must be incorporated into contracts

Violations will be subject to civil and criminal penalties under the Social Security Act

Effective no later than February 17, 2010 Must notify covered entity of information

breaches within 60 days of discovering breach

28

Restrictions on Data Use

If payment is out-of-pocket, individual has right to request that no information be disclosed

Disclosure should be as limited data set – minimal identifying information or only what is necessary

Accessing electronic health records must be tracked – individual can request up to three years of history

Authorization required for use of any information for which entity receives direct or indirect payment

29

HITECH Penalties

Penalties significantly enhanced Four-tiered liability system

– Inadvertent violation – $100-$50,000– Willful neglect that goes uncorrected – up to $50,000

for each case with an annual cap per entity of $1.5 million

– State AGs can bring actions on behalf of residents – $100 per violation, up to $25,000 annually, plus attorneys’ fees

Penalties already in effect

30

To reach us:

Jennifer Gimler Brady

Direct dial: (302) 984-6042jbrady@potteranderson.com

Potter Anderson & Corroon LLP1313 North Market StreetPO Box 951Wilmington, DE 19899-0951www.potteranderson.com