New Rule Allows for Electronic Transmission of Controlled Substance Prescriptions

Posted on June 29, 2010 by Adil Daudi

A new Drug Enforcement Agency (DEA) rule could substantially impact the way prescriptions for controlled substances can be transmitted from a physician to a pharmacy. As physicians and pharmacies seek to cut costs and maximize efficiency, electronic record keeping and prescription filing has become more commonplace. In response, the DEA has relaxed previous restrictions on electronically filing controlled substance prescriptions. However, recognizing the high risks posed by abusing or forging controlled substance prescriptions, the DEA has created a system of requirements which must be met before a physician is able to take advantage of the new rule.

The DEA defines controlled substances as drugs and other substances that have a potential for abuse and psychological and physical dependence; these include opioids, stimulants, depressants, hallucinogens, anabolic steroids, and drugs that are immediate precursors of these classes of substances. Once classified as a controlled substance, drugs are then broken down into one of five categories depending on the potential for abuse and risk of dependance. Today, controlled substances account for between 11% and 12% of prescriptions written in the United States.

Under the previous rule, physicians were prohibited from electronically sending prescriptions for schedule II-V controlled substances to pharmacies. However, under the current rule, which was published March 31, 2010 in the Federal Register, physicians who meet certain requirements will be permitted to e-file those prescriptions beginning June 1, 2010. To be eligible to e-file controlled substance prescriptions, physicians must meet two of three factors. The “two-factor authentication protocol,” which seek to guard against fraudulent prescription filings by confirming the prescribers true identity includes:

  1. A password or PIN number,
  2. biometric data- either a fingerprint or iris scan, or 
  3. a “hard token”- a secured device separate from a computer that can provide a password to a physician at the time of e-filing.

To be eligible to e-file controlled substance prescriptions, physicians must validate their identity with a designated agency. When applying for the proper credentials to utilize e-filing programs, physicians must supply verifiable information such as government issued identification or financial account information.

Currently, Michigan laws vaguely address the current state of e-filing prescriptions for controlled substances. MCL 333.7333(7) states that physicians may electronically transmit prescriptions as long as they do not conflict with federal law. The law does not differentiate between controlled substance and non-controlled substance prescriptions. As a result, we may see future clarification from the Michigan legislature or the Board of Pharmacy regarding this issue. Importantly, physicians and pharmacies that currently possess the technology to e-file prescriptions must ensure that their systems comply with the new DEA “two-factor authentication protocol” requirements for controlled substances. Licensed physicians who cannot afford to implement the required technology or simply wish to opt out of the program are still able to produce physical prescriptions which can be presented at a pharmacy.

Smith Haughey Rice & Roegge will continue to monitor developments in this area and distribute updated information as it becomes available.

Summer clerk Brian Shekell contributed to this post.
 

Tags: , , , , , ,

MMSEA Section 111 Alert Regarding Risk Management Write-Offs by Health Care Providers

Posted on June 16, 2010 by Adil Daudi

On May 26, 2010, CMS officials finally clarified one of the outstanding issues for insured health care providers relative to the mandatory reporting requirements contained in Section 111 of the Medicare, Medicaid, and SCHIP Extension Act of 2007. Section 111 imposes an affirmative duty on certain “reporting entities” to make reports to the Centers for Medicare & Medicaid Services (CMS) of personal injury claims settled with Medicare beneficiaries.

For some time now, insured health care providers have been in a holding pattern as they wait for promised guidance from CMS as to whether a common practice by some health care providers to offer something of value to a patient as a risk management tool triggers a Section 111 reporting obligation. Typically, in these instances, a Medicare beneficiary does not retain legal counsel, does not come in making a demand for anything per se, but will have a complaint. And occasionally a provider will attempt to resolve the complaint with the Medicare beneficiary by, for instance, giving him/her a gift certificate for the hospital cafeteria.

CMS had previously indicated that it considers at least some write-offs of charges and other offers of items of value to Medicare beneficiaries to be a form of “self-insurance” that may trigger Section 111 reporting obligations. CMS' recent Alert, which addresses risk management write-offs, clarifies that reductions in the amount due on a medical bill and other efforts at offering something of value, constitutes self-insurance for the purpose of the Medicare Secondary Payer provisions. CMS notes, however, that the specific factual scenario will determine whether reporting under Section 111 is required. According to the Alert:

• No Report Required. In instances where the entity is a physician, provider or supplier and has reduced its charges or written-off a portion of the charge to a Medicare beneficiary as a risk management tool, the provider, physician or other supplier is expected to submit a claim to CMS reflecting the unreduced permissible (e.g., limiting charge) charges and showing the amount of the reduction provided or write-off as a payment from liability insurance (including self-insurance). CMS indicates that its interests are protected through this billing procedure and no Section 111 reporting is required.

• Reporting Required. In instances where a provider, physician, or other supplier has provided property of value to a Medicare beneficiary as a risk management tool when there is evidence, or a reasonable expectation, that the individual has sought or may seek medical treatment as a consequence of the underlying incident giving rise to the risk, the entity shall report the write-off or value of the property provided as a TPOC from liability insurance (including self-insurance). Significantly, CMS states in the Alert that if the value of the property provided is less than the TPOC reporting threshold, it need not be reported under Section 111.

With respect to the first instance, providers, physicians and other suppliers should assess internal practices to determine whether claims submitted to CMS reflect the unreduced permissible charge and also show the amount of the reduction provided or write-off. Per CMS’ Alert, deductions or discounted services must be reflected in the provider's original billing and are therefore not subject to reporting.

In instances where a provider, physician or other supplier provides property of value to a beneficiary, the critical inquiry in evaluating whether a report will be required concerns whether there is a “reasonable expectation the individual has sought or may seek medical treatment as a consequence of the underlying incident giving rise to the risk.” Providers should take to care to develop plans to internally document the basis for this conclusion.

Finally, CMS officials also disclosed that they plan to issue an updated Version 4.0 of the User Guide in July 2010.

Tags: , , , , ,

CMS Updates Signature Guidelines

Posted on June 11, 2010 by Adil Daudi

On May 16, 2010, the Centers for Medicare and Medicaid Services (CMS) issued Transmittal 327 which revises the signature requirements for medical review activities of Medicare claim review contractors. Transmittal 327 has an effective date of March 1, 2010 and an implementation date of April 16, 2010, but the changes are effective retroactively to the November 2010 report period for comprehensive error testing. The transmittal updates Chapter 3, Section 3.4.1.1 of the Medicare Program Integrity Manual to require that services provided or ordered for medical review purposes are authenticated by the author. The previous version of this section only required authentication by a legible identifier. Specifically, Transmittal 327 amends Section 3.4.1.1 to:

  1. Expressly state that stamp signatures are not acceptable. The transmittal clarifies that the method of authentication for services provided or ordered for medical review purposes must be by handwritten or electronic signature.
  2. Add a new exception for clinical diagnostic tests when a treating physician, who authenticates medical documentation by handwritten or electronic signature, indicates that he or she intended the clinical diagnostic test be performed. The amended section suggests that such medical documentation could be in the form of a progress note.
  3. Provide that if handwritten signatures are illegible, reviewers should consider evidence in a signature log or attestation statement to determine the identity of the author.
  4. Finally, when providers fail to meet handwritten signature requirements of Section 3.4.1.1, reviewers should contact providers to inquire as to whether they want to submit an attestation statement or signature log within 20 calendar days.

Interestingly, Transmittal 327 appears to reconcile with similar regulations concerning signatures and authentication of orders, which are contained in the Medicare Conditions of Participation at 42 CFR 482.24(c)(1), by expressly indicating that other regulations and CMS instructions take precedence over signature guidelines set forth in Section 3.4.1.1. Thus, only when the relevant regulations, national or local coverage determinations, and CMS manuals lack specific signature requirements and/or guidelines to determine legibility or presence of signatures for medical review purposes, should Section 3.4.1.1 requirements be followed.

Therefore, based on the new information from CMS in Transmittal 327, acceptable methods for handwritten signatures are:

  • a legible full signature;
  • a legible first initial and last name
  • an illegible signature accompanied by signature log or attestation statement;
  • initials over a printed or typed name; and
  • initials accompanied by a signature log or attestation statement.

On the other hand, unacceptable signature methods are as follows:

  • Rubber stamp signatures, except for clinical diagnostic tests when a treating physician who authenticates medical documentation by handwritten or electronic signature, indicates that he or she intended the clinical diagnostic test be performed;
  • illegible signatures with no additional documentation to identify the signature;
  • initials with no additional documentation identifying them;
  • an unsigned note; and
  • a note with the statement “signature on file.”

Smith Haughey Rice & Roegge will continue to monitor developments in this area and distribute updated information as it becomes available.

Summer clerk Charissa Huang contributed to this post.

Tags: , , , ,

New Compliance Rules Stemming from the Medicare, Medicaid, SCHIP Extension Act Delayed, But Compliance Efforts Continue...

Posted on March 10, 2010 by Adil Daudi

For over a year now, the health care team at Smith Haughey Rice & Roegge has been busy assisting insurers and third-party administrators as they develop plans and procedures to comply with Section 111 of the Medicare, Medicaid, SCHIP Extension Act (MMSEA). On February 25, 2010 CMS posted new information on its Web site informing liability insurers, workers’ compensation insurers and self-insured entities (defined as “NGHPs”) that reporting of live claim input files is moved from the original deadline of April 1, 2010 to January 1, 2011. The immediate impact of this change is that entities subject to the reporting requirements now have additional time to register and test their processes for reporting claims to CMS. Additionally, CMS indicates that in February they will publish the next version of the “NGHP Section 111 User Guide” and alerts related to particular policy issues.

By way of background, Section 111 of the MMSEA amended the Medicare Secondary Payer Statute to impose mandatory data reporting requirements on liability insurers, no-fault insurers and workers’ compensation insurers. MMSEA Section 111 now places an affirmative obligation on insurers to: (a) determine if a claimant is entitled to Medicare; and (b) notify CMS of said entitlement and report specific information regarding the claim directly to CMS.

MMSEA builds off of a separate federal statute called the Medicare Secondary Payer (MSP) Statute. Under the MSP Statute, Medicare is designated as the secondary payer for Medicare beneficiaries who also have group health plan (GHP) coverage, as well as for Medicare beneficiaries who receive settlements, judgments, awards or other payment from liability insurance (including self-insurance), no-fault insurance, or workers’ compensation (non-group health plans or NGHPs). The purpose of the Section 111 mandatory reporting requirement is to notify CMS of instances when Medicare beneficiaries receive payments that relieve CMS of its obligation to cover medical costs.

Continue Reading...
Tags: , , , ,

Health Care Employers feel the Pain of H1N1 Vaccination Policies

Posted on November 13, 2009 by Rachel Brochert Roe

Many Hospitals and other employers in the health care industry are discussing the benefit of H1N1 vaccinations for their employees. Some are even considering mandating that employees receive the vaccination. After all, if your employees are “at will,” then you can impose new conditions of employment on them at any time.

On many levels, mandating the vaccine for health care workers makes sense. After all, OSHA mandates that employers provide their employees with a safe place to work. Doesn’t a mandatory vaccination ensure a safer place for employees to work? A healthy workforce also means less absenteeism. And, the idea of mandatory vaccinations isn’t totally foreign to health care: think TB vaccinations. I also compare a mandated vaccination to drug testing: somewhat invasive, but for the common good.

On the other hand, mandatory vaccinations raise many legal issues. For instance, if your workforce is unionized, then this would require negotiations with the union before implementation, as it affects the terms and conditions of employment. If you are non-unionized and have many employees opposed to the mandatory vaccination, a mandate may be what pushes employees to organize. Another consideration is that some have asserted that the vaccination is untested and potentially dangerous. If an employee is vaccinated over his/her objection, that may create liability for the employer if the employee experiences an injury or serious side effects from the vaccine.

While there are many good reasons to mandate the H1N1 vaccine, an employer who moves in this direction is definitely treading onto unsettled legal grounds.
 

Tags: , , , ,

HHS Publishes HITCH Breach Notification Interim Final Rule

Posted on October 9, 2009 by Adil Daudi

On August 24th, 2009 we finally saw the publication of interim final regulations implementing the security breach notification provisions of the Health Information Technology for Economic and Clinical Health Act ("HITECH").

While the regulations appear to parallel the statutory provisions of HITECH, the process covered entities must follow before notifying a patient of certain breaches of their protected health information (PHI) is not as strict as initially feared. For instance, under the new regulations, covered entities will still engage in a very subjective and fact specific risk assessment before determining when to notify a patient of a breach. The regulations also provide guidance to covered entities and their business associates (BAs) relative to their mutual obligations under the new rules.

Summarized below are some key points and issues we perceive to be relevant to covered entities and business associates under the new regulations.

The breach rules only apply to “unsecured” PHI.

Unsecured PHI is defined as PHI that has not been secured through the use of a technology or methodology specified by HHS. According to HHS guidance released in April 2009, encryption and destruction are the only two ways to secure PHI and avoid breach notification under the Act.  

Click here for a link to HHS’ April 2009 “Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements”.

Fact specific risk assessment.

The Regulations define a "breach" as the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that "compromises the security or privacy" of the PHI." A use or disclosure compromises privacy or security only if it creates "a significant risk harm to the individual as a result of the impermissible use or disclosure." The regulations identify a number of factors covered entities or business associates may consider during this assessment, including:

  1. who impermissibly used or to whom the information was impermissibly disclosed;
  2. steps taken to mitigate an impermissible use or disclosure (i.e. lost or stolen laptop is returned and forensic analysis reveals that its information was not opened, altered, transferred or otherwise compromised);
  3. the type and amount of PHI involved.

In the event a notification is deemed necessary based on the facts all notification to individuals and HHS and must be given without “unreasonable delay,” but no later than 60 days after discovery.”

Exceptions to Breach Rule.

There are also key exceptions relative to the breach rule in situations where there is:

  1. an unintentional acquisition, access or use of PHI;
  2. inadvertent disclosure; or
  3. disclosure of PHI to person not reasonably able to retain such information.

Business Associates.

Under the new regulations, BAs must comply with the privacy and security regulations, just like covered entities. BAs must have policies and procedures documenting compliance with the privacy rule’s use and disclosure provisions and the security rule’s administrative, physical and technical safeguards requirements.

An interesting issue is raised relative to when BAs acting as “agents” of a covered entity versus BAs acting as “independent contractors” and the breach notification time frames requirements under both scenarios. If a business associate is acting as an agent of a covered entity then the business associate’s discovery of the breach will be imputed to the covered entity. Accordingly, the covered entity will have to provide notifications to the patient and HHS based on the time the business associate discovers the breach, not from the time the business associate notifies the covered entity. Conversely, if the business associate is an independent contractor of the covered entity (i.e., not an agent), then the covered entity must provide notification based on the time the business associate notifies the covered entity of the breach.

Among other issues, BA agreements may need to be amended to:

  1. clearly address the agent versus independent contractor status of the BA; and
  2. the timing of BA notification to a covered entity following a breach.

Grace Period, Enforcement and Penalties.

Finally, the regulations account for a grace period allowance before HHS expects to begin enforcement. The regulations took effect on September 23, 2009, but HHS has delayed seeking sanctions until February 22, 2010.

The caveat to this allowance period, however, is that the regulations significantly broaden the enforcement and penalties associated with a violation. Under the new system, HHS will employ a tiered penalty system based on the mental state of the offender. Additionally, HHS has also delegated some of the enforcement mechanisms to state Attorney General offices. Effective February 18, 2009, the Michigan Attorney General can bring actions under HIPAA independently of HHS. Finally, the regulations allow for penalties to be shared with those harmed by the disclosure (though, we have not seen regulations or guidance from HHS on the definition of the “harm” necessary to share in penalties).

Tags: , , , ,

RAC Audit Update

Posted on August 14, 2009 by Veronica Marsich

We have been waiting all summer for something to happen with the RAC audits.  Finally, as of August 4th, it looks like the action may beginning to break.  Connolly Consulting, the Recovery Audit Contractor for Region C, has just released a list of seven issues that have been approved by CMS for its initial automated reviews.  These seven "issues" are:

1. Blood Transfusions.
2. Untimed Codes.
3. IV Hydration Therapy.
4. Bronchoscopy Services.
5. Once in a lifetime procedures.
6. Pediatric codes exceeding age parameters.
7. J2505: Injection, Pegfilgrastim, 6 mg.
 

While is it not clear whether these issues are specific only to Connolly and Region C or whether the other RAC auditors will be using this same list to begin their automated reviews, health care providers would be wise to take this list and begin to run some internal data to assess accuracy in coding and billing as it relates to these topics.  Problems should be corrected immediately and over-payments refunded.

For those located in Region B (including Michigan), it is probably a good idea to get in the habit of checking the CGI website on a regular basis going forward to make sure that you have as much advance notice as possible, in the event CGI posts its own list of approved issues for automated review.

Tags: , , , ,

Medicare Secondary Payer - No Qui Tam Action

Posted on August 9, 2009 by Veronica Marsich

In the face of Section 111 and the industry's effort to comply with same, some good news for a change!

On July 29, 2009, the Second Circuit ruled that the Medicare Secondary Payer Statue does not permit a private individual to file a qui tam action on behalf of the federal government.  In this case, the plaintiff tried to file suit against an insurance company alleging that the company had failed to meet its obligations to ensure that it, and not the Medicare program, paid for certain claims for medical care from its insureds or others it was obligated to cover.  See Woods v. Empire Health Choice, Inc.  No. 07-4208-cv (2d Cir. July 29, 2009).

While this is a great result for health care insurers and self-insured providers who have more than enough to worry about right now, it is also a good reminder of something to be mindful of as more and more individuals are becoming aware of the new lottery game that is the qui tam lawsuit.  For those outside the jurisdiction of the Second Circuit, remember that this decision is something to hope for but not binding on your federal courts.  Good faith efforts to comply with the MSP (and Section 111) reporting obligations is very important both in the context of your interaction with the Medicare program but also in your interaction with your employees and other individuals who may be watching and questioning your conduct and your commitment to do what is right. 

 

Tags: , , , , ,

MMSEA Section 111 - Medicare Secondary Payer Mandatory Reporting

Posted on May 27, 2009 by Veronica Marsich

I have read Section 111 and all of the guidance put out by the Centers for Medicare and Medicaid Services ("CMS"), listened to most of the the teleconferences sponsored by CMS on the subject and had the opportunity to talk to different clients and stakeholders about the new requirements and what they are hearing from various consultants and legal advisers about the new reporting requirements.  And, what I have concluded from all of this reading, listening and talking is the following:

  • There are lots of attorneys and consultants out there scaring and confusing hospitals and hospital insurers about Section 111 and what CMS is going to do with this new reporting system;
  • The Medicare Secondary Payer system and these new reporting requirements are a much greater burden for workers' comp and no fault carriers than other NGHP liability insurers (and I never appreciated that until recently);
  • CMS keeps saying that this new reporting system is, for them, at least for now ... about collecting data and NOT about trying to find liability insurers who they can make "pay twice" for a Medicare beneficiary's medical expenses;
  • As it relates to what goes on in health care, with respect to patient complaints and disputes and the settlement of those disputes, there is A LOT that CMS is still trying to understand and figure out so, there is A LOT we don't know yet about what does and does not have to be reported;
  • If you are a self-insured hospital ... if you are "first dollar" self-insured ... unless your excess carrier is telling you that they will act as your reporting agent, it is probably a good idea to register with CMS some time over the next month or two and test your system so that you can report if you have to;
  • CMS has said on numerous occasions that you don't have to register if you don't think you will have anything to report so, for now, if you are an insured hospital that doesn't expect to "settle" a dispute with a Medicare beneficiary outside of your insurance policy, for more than $5,000, you can relax a bit ... let's wait and see what CMS does;
  • If you are an insured hospital and you have a "deductible" your insurer can and probably will work with you to establish a system so that you don't have to report anything ... talk to them and if they say there is nothing they can do ... might be time to shop for insurance; 
  • CMS is still learning and thinking about health care providers and the little patient related settlements you enter into from time to time with your patients when they are unhappy ... they understand that they don't need to know about all of those, despite the way the current guidance reads and there will likely be better guidance in the future to carve some of that out of the reporting requirements; and
  • CMS is not, in this particular instance, looking for the "gotcha" moments ... i.e. this is not about CMS looking for opportunities to slap $1,000 per day fines on insurers and self-insured providers.  If you make a good faith effort to understand what you have to report and if you try to report correctly, you will get a chance to learn how to do it right.

Bottom line, if you are a liability insurer or a TPA for a self-insured health care provider, you have to register and you should get working on that right away ... developing the appropriate procedures and working through the IT issues will take time so don't delay.  If you are a self-insured hospital or other health care provider, you have two options: (1) register and set up the internal systems to begin reporting, or (2) hire a Section 111 reporting agent (a new cottage industry ... part of the federal stimulus plan!!!).  If you are an insured health care provider, take a breath and sit tight, there is more to come on what if anything you might have to report and since the registration deadline has been extended to September 1 and you don't have to report any settlements that occur before January 1, 2010, lets just wait and see what CMS does.   CMS may clarify some of the confusion over the next few months and things might not be so bad after all.

 

 

Tags: , , , , , , ,

Paying for On-Call Coverage - Here we go again!

Posted on May 25, 2009 by Veronica Marsich

On Wednesday, May 21st, the OIG posted a new Advisory Opinion, 09-05 evaluating a poposed on-call compensation arrangement between a hospital and the specialists on its medical staff.   The Hospital proposed an arrangements where members of its medical staff who agreed to provide on-call coverage to the Hospital's emergency department on a schedule established by the Hospital would be compensated on a per encounter basis for encounters with those patients who came to the Hospital ED who were otherwise indigent and uninsured.

What makes this Advisory Opinion interesting is not the Hospital's proposed methodof paying the on-call physicians although it is creative and will be something I will propose to clients who struggle with how to do this.  Its not the fact the OIG felt that any on-call compensation arrangement would pass muster under an Anti-Kickback analysis, OIG has recognized that such arrangements can be necessary and appropriate in certain circumstances.  

It is the fact that the OIG seems to have given up on the idea of trying requiring that such arrangements be limited to areas where there are physician/specialist shortages.  OIG acknowledges that, "on-call coverage compensation potentially creates considerable risk that physicians may demand such compensatiion a s a condition of doing business at a hospital, even when neither the services provided nor any external market factor (e.g., a physician shortage) support such compensation."  But, despite this acknowledgement, OIG required nothing in the proposed on-call compensation arrangement to ensure that this was not a situation where the physician specialists were merely holding the Hospital hostage.

As a result,  we need to expect that more and more and more physician specialists will now demand that their hospitals pay them to take call coverage in the ED and will point to this Advisory Opinion as the basis for asserting that there are no compliance justifications or market force elements that might exist in the particular hospital's market to justify a hospital's refusal to make those payments.   At a time when more and more hospitals are operating at a net loss and without any extra income to cover such expenses, hospitals will be increasingly asked by physicians to find the money somewhere. 

Tags: , , , , , , ,