Health Care Employers feel the Pain of H1N1 Vaccination Policies

Posted on November 13, 2009 by Rachel Brochert Roe

Many Hospitals and other employers in the health care industry are discussing the benefit of H1N1 vaccinations for their employees. Some are even considering mandating that employees receive the vaccination. After all, if your employees are “at will,” then you can impose new conditions of employment on them at any time.

On many levels, mandating the vaccine for health care workers makes sense. After all, OSHA mandates that employers provide their employees with a safe place to work. Doesn’t a mandatory vaccination ensure a safer place for employees to work? A healthy workforce also means less absenteeism. And, the idea of mandatory vaccinations isn’t totally foreign to health care: think TB vaccinations. I also compare a mandated vaccination to drug testing: somewhat invasive, but for the common good.

On the other hand, mandatory vaccinations raise many legal issues. For instance, if your workforce is unionized, then this would require negotiations with the union before implementation, as it affects the terms and conditions of employment. If you are non-unionized and have many employees opposed to the mandatory vaccination, a mandate may be what pushes employees to organize. Another consideration is that some have asserted that the vaccination is untested and potentially dangerous. If an employee is vaccinated over his/her objection, that may create liability for the employer if the employee experiences an injury or serious side effects from the vaccine.

While there are many good reasons to mandate the H1N1 vaccine, an employer who moves in this direction is definitely treading onto unsettled legal grounds.
 

Tags: , , , ,

HHS Publishes HITCH Breach Notification Interim Final Rule

Posted on October 9, 2009 by Adil Daudi

On August 24th, 2009 we finally saw the publication of interim final regulations implementing the security breach notification provisions of the Health Information Technology for Economic and Clinical Health Act ("HITECH").

While the regulations appear to parallel the statutory provisions of HITECH, the process covered entities must follow before notifying a patient of certain breaches of their protected health information (PHI) is not as strict as initially feared. For instance, under the new regulations, covered entities will still engage in a very subjective and fact specific risk assessment before determining when to notify a patient of a breach. The regulations also provide guidance to covered entities and their business associates (BAs) relative to their mutual obligations under the new rules.

Summarized below are some key points and issues we perceive to be relevant to covered entities and business associates under the new regulations.

The breach rules only apply to “unsecured” PHI.

Unsecured PHI is defined as PHI that has not been secured through the use of a technology or methodology specified by HHS. According to HHS guidance released in April 2009, encryption and destruction are the only two ways to secure PHI and avoid breach notification under the Act.  

Click here for a link to HHS’ April 2009 “Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements”.

Fact specific risk assessment.

The Regulations define a "breach" as the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that "compromises the security or privacy" of the PHI." A use or disclosure compromises privacy or security only if it creates "a significant risk harm to the individual as a result of the impermissible use or disclosure." The regulations identify a number of factors covered entities or business associates may consider during this assessment, including:

  1. who impermissibly used or to whom the information was impermissibly disclosed;
  2. steps taken to mitigate an impermissible use or disclosure (i.e. lost or stolen laptop is returned and forensic analysis reveals that its information was not opened, altered, transferred or otherwise compromised);
  3. the type and amount of PHI involved.

In the event a notification is deemed necessary based on the facts all notification to individuals and HHS and must be given without “unreasonable delay,” but no later than 60 days after discovery.”

Exceptions to Breach Rule.

There are also key exceptions relative to the breach rule in situations where there is:

  1. an unintentional acquisition, access or use of PHI;
  2. inadvertent disclosure; or
  3. disclosure of PHI to person not reasonably able to retain such information.

Business Associates.

Under the new regulations, BAs must comply with the privacy and security regulations, just like covered entities. BAs must have policies and procedures documenting compliance with the privacy rule’s use and disclosure provisions and the security rule’s administrative, physical and technical safeguards requirements.

An interesting issue is raised relative to when BAs acting as “agents” of a covered entity versus BAs acting as “independent contractors” and the breach notification time frames requirements under both scenarios. If a business associate is acting as an agent of a covered entity then the business associate’s discovery of the breach will be imputed to the covered entity. Accordingly, the covered entity will have to provide notifications to the patient and HHS based on the time the business associate discovers the breach, not from the time the business associate notifies the covered entity. Conversely, if the business associate is an independent contractor of the covered entity (i.e., not an agent), then the covered entity must provide notification based on the time the business associate notifies the covered entity of the breach.

Among other issues, BA agreements may need to be amended to:

  1. clearly address the agent versus independent contractor status of the BA; and
  2. the timing of BA notification to a covered entity following a breach.

Grace Period, Enforcement and Penalties.

Finally, the regulations account for a grace period allowance before HHS expects to begin enforcement. The regulations took effect on September 23, 2009, but HHS has delayed seeking sanctions until February 22, 2010.

The caveat to this allowance period, however, is that the regulations significantly broaden the enforcement and penalties associated with a violation. Under the new system, HHS will employ a tiered penalty system based on the mental state of the offender. Additionally, HHS has also delegated some of the enforcement mechanisms to state Attorney General offices. Effective February 18, 2009, the Michigan Attorney General can bring actions under HIPAA independently of HHS. Finally, the regulations allow for penalties to be shared with those harmed by the disclosure (though, we have not seen regulations or guidance from HHS on the definition of the “harm” necessary to share in penalties).

Tags: , , , ,

RAC Audit Update

Posted on August 14, 2009 by Veronica Marsich

We have been waiting all summer for something to happen with the RAC audits.  Finally, as of August 4th, it looks like the action may beginning to break.  Connolly Consulting, the Recovery Audit Contractor for Region C, has just released a list of seven issues that have been approved by CMS for its initial automated reviews.  These seven "issues" are:

1. Blood Transfusions.
2. Untimed Codes.
3. IV Hydration Therapy.
4. Bronchoscopy Services.
5. Once in a lifetime procedures.
6. Pediatric codes exceeding age parameters.
7. J2505: Injection, Pegfilgrastim, 6 mg.
 

While is it not clear whether these issues are specific only to Connolly and Region C or whether the other RAC auditors will be using this same list to begin their automated reviews, health care providers would be wise to take this list and begin to run some internal data to assess accuracy in coding and billing as it relates to these topics.  Problems should be corrected immediately and over-payments refunded.

For those located in Region B (including Michigan), it is probably a good idea to get in the habit of checking the CGI website on a regular basis going forward to make sure that you have as much advance notice as possible, in the event CGI posts its own list of approved issues for automated review.

Tags: , , , ,

Medicare Secondary Payer - No Qui Tam Action

Posted on August 9, 2009 by Veronica Marsich

In the face of Section 111 and the industry's effort to comply with same, some good news for a change!

On July 29, 2009, the Second Circuit ruled that the Medicare Secondary Payer Statue does not permit a private individual to file a qui tam action on behalf of the federal government.  In this case, the plaintiff tried to file suit against an insurance company alleging that the company had failed to meet its obligations to ensure that it, and not the Medicare program, paid for certain claims for medical care from its insureds or others it was obligated to cover.  See Woods v. Empire Health Choice, Inc.  No. 07-4208-cv (2d Cir. July 29, 2009).

While this is a great result for health care insurers and self-insured providers who have more than enough to worry about right now, it is also a good reminder of something to be mindful of as more and more individuals are becoming aware of the new lottery game that is the qui tam lawsuit.  For those outside the jurisdiction of the Second Circuit, remember that this decision is something to hope for but not binding on your federal courts.  Good faith efforts to comply with the MSP (and Section 111) reporting obligations is very important both in the context of your interaction with the Medicare program but also in your interaction with your employees and other individuals who may be watching and questioning your conduct and your commitment to do what is right. 

 

Tags: , , , , ,

MMSEA Section 111 - Medicare Secondary Payer Mandatory Reporting

Posted on May 27, 2009 by Veronica Marsich

I have read Section 111 and all of the guidance put out by the Centers for Medicare and Medicaid Services ("CMS"), listened to most of the the teleconferences sponsored by CMS on the subject and had the opportunity to talk to different clients and stakeholders about the new requirements and what they are hearing from various consultants and legal advisers about the new reporting requirements.  And, what I have concluded from all of this reading, listening and talking is the following:

  • There are lots of attorneys and consultants out there scaring and confusing hospitals and hospital insurers about Section 111 and what CMS is going to do with this new reporting system;
  • The Medicare Secondary Payer system and these new reporting requirements are a much greater burden for workers' comp and no fault carriers than other NGHP liability insurers (and I never appreciated that until recently);
  • CMS keeps saying that this new reporting system is, for them, at least for now ... about collecting data and NOT about trying to find liability insurers who they can make "pay twice" for a Medicare beneficiary's medical expenses;
  • As it relates to what goes on in health care, with respect to patient complaints and disputes and the settlement of those disputes, there is A LOT that CMS is still trying to understand and figure out so, there is A LOT we don't know yet about what does and does not have to be reported;
  • If you are a self-insured hospital ... if you are "first dollar" self-insured ... unless your excess carrier is telling you that they will act as your reporting agent, it is probably a good idea to register with CMS some time over the next month or two and test your system so that you can report if you have to;
  • CMS has said on numerous occasions that you don't have to register if you don't think you will have anything to report so, for now, if you are an insured hospital that doesn't expect to "settle" a dispute with a Medicare beneficiary outside of your insurance policy, for more than $5,000, you can relax a bit ... let's wait and see what CMS does;
  • If you are an insured hospital and you have a "deductible" your insurer can and probably will work with you to establish a system so that you don't have to report anything ... talk to them and if they say there is nothing they can do ... might be time to shop for insurance; 
  • CMS is still learning and thinking about health care providers and the little patient related settlements you enter into from time to time with your patients when they are unhappy ... they understand that they don't need to know about all of those, despite the way the current guidance reads and there will likely be better guidance in the future to carve some of that out of the reporting requirements; and
  • CMS is not, in this particular instance, looking for the "gotcha" moments ... i.e. this is not about CMS looking for opportunities to slap $1,000 per day fines on insurers and self-insured providers.  If you make a good faith effort to understand what you have to report and if you try to report correctly, you will get a chance to learn how to do it right.

Bottom line, if you are a liability insurer or a TPA for a self-insured health care provider, you have to register and you should get working on that right away ... developing the appropriate procedures and working through the IT issues will take time so don't delay.  If you are a self-insured hospital or other health care provider, you have two options: (1) register and set up the internal systems to begin reporting, or (2) hire a Section 111 reporting agent (a new cottage industry ... part of the federal stimulus plan!!!).  If you are an insured health care provider, take a breath and sit tight, there is more to come on what if anything you might have to report and since the registration deadline has been extended to September 1 and you don't have to report any settlements that occur before January 1, 2010, lets just wait and see what CMS does.   CMS may clarify some of the confusion over the next few months and things might not be so bad after all.

 

 

Tags: , , , , , , ,

Paying for On-Call Coverage - Here we go again!

Posted on May 25, 2009 by Veronica Marsich

On Wednesday, May 21st, the OIG posted a new Advisory Opinion, 09-05 evaluating a poposed on-call compensation arrangement between a hospital and the specialists on its medical staff.   The Hospital proposed an arrangements where members of its medical staff who agreed to provide on-call coverage to the Hospital's emergency department on a schedule established by the Hospital would be compensated on a per encounter basis for encounters with those patients who came to the Hospital ED who were otherwise indigent and uninsured.

What makes this Advisory Opinion interesting is not the Hospital's proposed methodof paying the on-call physicians although it is creative and will be something I will propose to clients who struggle with how to do this.  Its not the fact the OIG felt that any on-call compensation arrangement would pass muster under an Anti-Kickback analysis, OIG has recognized that such arrangements can be necessary and appropriate in certain circumstances.  

It is the fact that the OIG seems to have given up on the idea of trying requiring that such arrangements be limited to areas where there are physician/specialist shortages.  OIG acknowledges that, "on-call coverage compensation potentially creates considerable risk that physicians may demand such compensatiion a s a condition of doing business at a hospital, even when neither the services provided nor any external market factor (e.g., a physician shortage) support such compensation."  But, despite this acknowledgement, OIG required nothing in the proposed on-call compensation arrangement to ensure that this was not a situation where the physician specialists were merely holding the Hospital hostage.

As a result,  we need to expect that more and more and more physician specialists will now demand that their hospitals pay them to take call coverage in the ED and will point to this Advisory Opinion as the basis for asserting that there are no compliance justifications or market force elements that might exist in the particular hospital's market to justify a hospital's refusal to make those payments.   At a time when more and more hospitals are operating at a net loss and without any extra income to cover such expenses, hospitals will be increasingly asked by physicians to find the money somewhere. 

Tags: , , , , , , ,

Last Minute Reprieve from FTC Red Flag Rules Enforcement

Posted on May 1, 2009 by Maria Saez

The Federal Trade Commission ("FTC") announced yesterday that it will delay enforcement of the Red Flag Rules until August 1, 2009 (enforcement was scheduled to begin today).  The Red Flag Rules require creditors and financial institutions with covered accounts to implement programs to identify, detect and respond to patterns, practices, or specific activities that would indicate identity theft.  The definition of "creditor" includes any entity that regularly extends or renews credit and all entities that regularly permit deferred payments for goods or services.  This definition also includes professionals, such as physicians and lawyers, who provide services and bill later. 

There is also some good news for entities that have a low risk of identity theft - the FTC will soon release a template to help them comply with the Red Flag Rules.  This is in response to feedback from low risk entities that they were having difficulty determining how to tailor the Rules to fit their businesses. 

Although this is the second time the FTC has delayed enforcement of the Red Flag Rules, the November 1, 2008 deadline by which creditors should have been in compliance has always remained the same. 

Tags: , ,

Swine Flu Information for Michigan Health Care Providers

Posted on April 29, 2009 by Maria Saez

Two probable cases of swine flu have now been identified in Michigan.  The first suspected case was identified in Livingston County.  The second is an Ottawa County resident who was released from a Kent County hospital last week.

More suspected cases in Michigan are likely.  Both the Michigan Department of Community Health and the Centers for Disease Control and Prevention have set up informational websites to assist health care providers with identifying and treating suspected cases of swine flu and to disseminate the latest information on the disease in the U.S.

MDCH:  www.michigan.gov/swineflu

CDC:  www.cdc.gov/swineflu

 

Tags: , ,

Recent Court Decision on EMTALA is Problematic for Hospitals

Posted on April 16, 2009 by Maria Saez

Do EMTALA’s requirements extend beyond the emergency department? Does a hospital’s obligations under EMTALA end when a patient presenting to the emergency department is admitted to the hospital as an inpatient? Until this week, most health law experts would have answered “yes” to both of these questions. But in the recent case of Moses v. Providence Hospital, the 6th Circuit Court of Appeals says “no” and, in doing so, adds quite a bit of ambiguity to EMTALA compliance efforts.

EMTALA’s (Emergency Medical Treatment and Active Labor Act) is a federal statute that imposes specific obligations on Medicare-participating hospitals that offer emergency services to provide a medical screening examination (MSE) when a request is made for examination or treatment for an emergency medical condition (EMC), including active labor, regardless of an individual’s ability to pay. Hospitals are then required to provide stabilizing treatment for patients with EMCs. If a hospital is unable to stabilize a patient within its capability, or if the patient requests a transfer, an appropriate transfer should be implemented.

In Moses, the plaintiff was the estate of Marie Moses Irons, whose husband was taken to the emergency department of Providence Hospital with various physical symptoms such as high blood pressure and severe headaches, as well as slurred speech, disorientation, hallucinations and delusions. He had also demonstrated threatening behavior towards his wife. The patient was evaluated by hospital staff and admitted as an inpatient for further testing and treatment. After approximately six days, the patient was deemed stable and discharged. Ten days later, the patient murdered his wife.

The first issue considered by the Court was whether a non-patient has standing to sue under EMTALA. The Court found that the plain language of the statute (namely that “any individual” who suffers harm due to a hospital’s violation of EMTALA may bring suit) clearly allowed for standing by a non-patient. This holding is troubling because it is contrary to the legislative history of the statute and the intent of the statute as a whole.

Also troubling is the Court’s decision that a hospital’s obligations under EMTALA does not end upon inpatient admission of the patient. The Court, by ignoring CMS guidance on this issue stating that admitting an individual as an inpatient satisfies the hospital’s EMTALA’s obligations, held that a hospital’s decision to admit a patient for further testing does not satisfy EMTALA’s requirement that the hospital treat the patient so as to stabilize him. The Court disregarded the CMS guidance as “contrary to EMTALA’s plain language” and as not having any retroactive effect on this case since the patient’s stay ended prior to the regulation’s creation. The Court held that EMTALA forbids a patient’s release unless his condition is stabilized to the point where no further deterioration of the condition is likely. Therefore, because EMTALA requires a hospital to treat the patient to stabilize the condition, simply admitting a patient is not enough. As the Court stated, EMTALA “requires more than the admission and further testing of a patient; it requires that actual care, or treatment, be provided as well.”

The lower court in Moses, like many courts in other circuits, found that EMTALA is not intended to be a federal malpractice statute and that under EMTALA, a court should only be concerned with whether the patient was diagnosed with an emergency medical condition and whether he was discharged when he was not stable. EMTALA does not guarantee that a hospital will correctly diagnose a patient’s condition. Interpreting EMTALA to require stabilization treatment after diagnosis of an EMC and during an inpatient admission raises questions not answered by Congress such as when the duty to treat terminates, for how long treatment must be provided and when a temporal delay in treatment constitutes a violation of the duty to provide stabilization treatment. To require this would make EMTALA a malpractice statute. The lower court believed that issues about how well a patient is treated are dealt with under state malpractice law, not EMTALA.

Given these prior EMTALA holdings, it is difficult to understand how the 6th Circuit could have gotten it so wrong. One explanation is that the Court’s decision is less “wrong” than it is poorly drafted. In reading the opinion, it seems that the Court had serious doubts as to whether the hospital and the physicians really discharged the patient because they thought he was stable or because his insurance had denied coverage for the care he might have required. Questions of fact on these issues would have justified denying the hospital’s motion for summary disposition. Unfortunately, instead of directly challenging the veracity of the hospital’s position, the Court published an opinion which leaves hospitals and future courts in this jurisdiction with a terribly confusing opinion and considerable risk when treating the next patient admitted through the emergency department who is determined stable for discharge. The Court could have reached such a conclusion without disregarding CMS regulations and without taking a position contrary to all other circuits.

Unless and until Moses is overturned or reconsidered, the lessons to be learned might come down to these:

  • Clearly document whether the patient is found to have an emergency medical condition.
  • Clearly document when the patient is found to be “stable” and what clinical observations led to that conclusion.
  • Where recommendations for treatment are made and ultimately not followed, document the reasons why the recommendations were not followed.
  • Where inconsistencies exist in a medical record regarding a patient’s stability for discharge or need for further inpatient services, resolve those inconsistencies BEFORE discharging the patient.
  • In the 6th Circuit… don’t take anything for granted!
Tags: ,

Time is Almost Up for FTC Red Flag Rule Compliance

Posted on April 10, 2009 by Maria Saez

The deadline by which health care providers must have their FTC Red Flag Rules compliance program in place is fast approaching. Although the deadline for compliance was November 1, 2008, the FTC postponed enforcement of the Red Flag Rules until May 1, 2009.  Health care providers, along with financial institutions and other creditors, must be in compliance with the FTC’s Red Flag Rules by then.  As we explained in a posting in October 2008, health care providers who periodically allow patients to pay for medical services over time through a series of payments should have written policies that identify the “red flags” or indicators of possible identity theft they may come across in the course of business, establish procedures to detect those red flags and to respond appropriately to mitigate and prevent harm, and develop procedures for training staff and keeping applicable policies current.  Health care providers should also have procedures in place to ensure that their vendors are in compliance with the Red Flag Rules. This could mean amending existing business associate agreements or asking for copies of the vendors’ Red Flag policies.

For those health care providers who are still unsure about what the Red Flag Rules mean, the FTC has issued a “How-to Guide” that gives an easy-to-understand overview of the Rules.

In addition, a sample Red Flag Policy for health care providers developed by the American Hospital Association can be found here. Your compliance counsel should also be able to assist with developing a Red Flag Rules compliance program.
 

Tags: , ,