The HITECH Act, which amended HIPAA, requires the Office for Civil Rights (“OCR”) to audit physician practices and other “covered entities” for compliance with HIPAA requirements. The OCR performed a pilot phase of 115 audits conducted between November 2011 and October 2012. The OCR will target all types of covered entities, including “small providers,” which include most physician practices.
The OCR’s audit assesses compliance against 77 security standards, or “protocols,” and 88 protocols relating to privacy and breach notification standards. In its initial 20 audits, the OCR found that 77% of the privacy audit issues, and 61% of the security audit issues, occurred in the small providers. The protocols emphasize extensive documentation, including written policies and risk assessments, compliance activities, training programs, and even documentation of decisions not to take certain compliance or security steps.
The OCR will review practices’ “processes, controls, and policies” to assess whether the practices are complying with the Privacy, Security, and the Breach Notification Rules. The audit mandate requires the OCR to review Privacy Rule requirements including (1) notice of privacy practices for “protected health information” (“PHI”), (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures. For the Security Rule, the OCR will review a practice’s administrative, physical, and technical safeguards. The OCR will assess a practice’s compliance with the Breach Notification Rule, including a practice’s assessment of the chances of experiencing a breach; what to do in the event of a breach; and the ongoing obligations in the event of a breach. Deficiencies found in audits of “business associates” of practices, which will be performed in a later audit wave, may lead to an audit of the practice.
The OCR’s discovery of a violation of HIPAA requirements may result in significant fines and potential exclusion from the Medicare program.
Medicare and AHCCCS have requirements that may affect a provider’s policy for assessing missed appointment fees to the beneficiaries of those programs.
Medicare policy prohibits charging Medicare beneficiaries for covered services other than the applicable deductible and coinsurance amounts. CMS took the position that missed appointment fees are not charges for covered services but are instead charges for missed business opportunities. CMS nevertheless requires that a missed appointment fee charged to beneficiaries by Part B suppliers, including physicians, be assessed equally against all patients, including non-Medicare beneficiaries. There is no restriction on the amount that may be assessed.
AHCCCS is a different story. The Federal government has placed significant restrictions on a provider’s ability to assess fees for missed appointments, notwithstanding A.R.S. § 36-2930.01, which permits providers to assess a $25 fee for missed appointments. As part of the Section 1115 Waiver, under which AHCCCS operates, the Federal government permits a missed appointment fee to be charged subject to several restrictions, including the following:
1. The fee is no greater than $3;
2. The provider must submit a policy to AHCCCS for approval prior to assessing the fee;
3. The provider must notify the beneficiary of the policy on an annual basis;
4. The provider must have a policy of notifying the beneficiary of upcoming appointments;
5. The fee may be assessed only against beneficiaries that live outside of Maricopa and Pima counties;
6. Providers must notify AHCCCS beneficiaries, on an annual basis, of the fee-related policies; and
7. The provider must keep an accounting of occasions the fee is assessed.
The government could argue that failure to comply with these restrictions is a violation of the Provider Agreement with AHCCCS. The Federal government’s approval for assessing the fee must be renewed again prior to January 1, 2013. If the policy is not renewed, then the assessment of a fee for late appointments would be a violation of Medicaid regulations.
The Office of Inspector General of the Department of Health and Human Services (“OIG”) published a report in May 2012 finding that physicians “steadily increased” the code levels billed for evaluation and management (E/M) services between 2001 and 2010. The OIG used claims data to analyze and identify physicians who consistently billed higher level E/M codes during that time period. The OIG concluded that the use of higher level codes resulted in Part B Medicare payments increasing by 43 percent over those years.
The report indicates that, although the average billing level increased across the board, nearly 1,700 identified physicians consistently billed at the two highest levels for E/M services within a specific visit type at least 95 percent of the time. These higher-billing level physicians practice in nearly all states, and treat patients within the same practice specialties as the broader percentage of physicians providing E/M services.
The OIG did not determine whether the physicians actually billed appropriately, but recommended that CMS review physicians who bill higher level E/M codes for “appropriate action.” Increased scrutiny into claims data and sophisticated technology could lead to focused reviews of provider data by carriers, Medicare program integrity auditors, and the OIG.