HEALTHCARE REFORMS & IMPACTS ON MEDICAL PRACTICES

James J. Eischen, Jr., Esq.

November 2013 Ft. Lauderdale, FL (c) 2013 James J. Eischen, Jr., Esq.

JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher & Mack, LLP 26+ years of experience as an attorney in California with planning and compliance with emphasis on private medicine, healthcare, start-ups and reimbursement planning. Several years of experience in the healthcare field. Graduated from the University of California at Davis School of Law in 1987. Professional Memberships: San Diego County Bar Association Law & Medicine Section, Attorney-Client Relations Committee, American Academy of Private Physicians corporate secretary and chair of the legal compliance and advocacy committee. (c) 2013 James J. Eischen, Jr., Esq.

Direct/Subscription Medicine Generally Defined History, Evolution, Various Models

(c) 2013 James J. Eischen, Jr., Esq.

History

(c) 2013 James J. Eischen, Jr., Esq.

MEDICINAL REGULATION •

•

•

•

•

•

(Event Driven)

1848: Drug Importation Act requires U.S. Customs Service inspection to stop entry of tainted, low quality drugs from overseas. 1906: Food and Drug Act outlaws states from buying and selling food, drinks, and drugs that have been mislabeled and tainted. http://www.fda.gov/downloads/D 1912: Sherley Amendment outlaws labeling rugs/ResourcesForYou/Consumers medicines with fake medical claims meant to trick the buyer. /BuyingUsingMedicineSafely/Unde rstandingOver-the1939: Federal Food, Drug and Cosmetic Act requires new drugs show safety before selling and CounterMedicines/ucm093550.pd safe limits be set for unavoidable poisonous f matter, and allows for factory inspections. Dangerous drugs must be given under the direction of a medical expert. 1951: Durham-Humphrey Amendment defines the kinds of drugs that cannot be used safely without supervision. 1962: Kefauver-Harris Drug Amendments require drug makers to prove drug works before FDA can (c) 2013 James J. Eischen, Jr., Esq. approve for sale.

HEALTH INSURANCE CONNECTED TO EMPLOYMENT • 1942: WWII wage + price controls = Employer-paid health insurance to increase compensation – IRS ruled health insurance a “legitimate cost of doing business” and not taxable income for employee. – Institutionalized employer-provided health care begins. Paul Starr, The Social Transformation of American Medicine, (New York: Basic Books, 1982), p. 311. (c) 2013 James J. Eischen, Jr., Esq.

HISTORY SUMMARIZED • •

• • • • • • •

Negative health events and questionable health product sales drive US health regulations, AMA formation WWII connects US health insurance with employment, leaving gaps (disabled, retired, government employees) that lead to government plans (Medicare formed 1965) Fears about abusive government plan billing lead to stringent billing laws to prevent fraud (and frustrate physician business) Fee for service with restrictions on utilization: to keep underfunded government plans afloat (and private plans follow Medicare) Plan fee for service tilts toward intervention and away from prevention, and plans do not reimburse for patient connection Health outcomes drop while healthcare spending increases US healthcare market broken and badly needs reform Some physicians seek alternatives to plan dependence and plan-driven healthcare http://www.ama-assn.org/ama/pub/about-ama/our-history/timelines-amahistory.page (c) 2013 James J. Eischen, Jr., Esq.

Insurance Vs. Private Pay Reimbursement Models What Drives Fee For Service

(c) 2013 James J. Eischen, Jr., Esq.

INSURANCE PLAN COVERAGE • • • • • •

Covered Non-covered Co-Pays and Deductibles HSA/Employment Plans HMO vs. PPO Medicare, Medigap and Medicaid

(c) 2013 James J. Eischen, Jr., Esq.

(c) 2013 James J. Eischen, Jr., Esq.

What Happens When Preventative Primary Care Lacks Sensible Reimbursement?

(c) 2013 James J. Eischen, Jr., Esq.

(c) 2013 James J. Eischen, Jr., Esq.

WHY AMERICA PERFORMS POORLY ON HEALTH MEASURES

(c) 2013 James J. Eischen, Jr., Esq.

(c) 2013 James J. Eischen, Jr., Esq.

 



 

U.S. has a large and widening "mortality gap" among adults over 50 compared with other high-income nations. Two-thirds of the difference in male life expectancy between the U.S. and other countries is due to deaths in that under-50 age category, and one-third of the gap is due to deaths among women under 50. U.S. fares worse in nine health domains: birth outcomes, injuries and homicides, teen pregnancies and sexually transmitted infections, HIV/AIDS, drug-related mortality, obesity and diabetes, heart disease, chronic lung disease, and disability. Areas in which the U.S. is not behind other wealthy countries are cancer screening and mortality, control of high blood pressure and cholesterol, smoking rates, and suicides. Part of the nation's poor ranking attributed to problems with its $2.6 trillion-a-year health care system (the world's most expensive by far). 50 million Americans without health insurance, fewer doctors per capita, less access to primary care and fragmented management of complex chronic diseases.

http://www.npr.org/blogs/health/2013/01/09/168976602/u-s-ranks-below-16-other-rich-countries-inhealth-report

(c) 2013 James J. Eischen, Jr., Esq.

“The way we pay doctors is profoundly flawed. We need to move rapidly away from fee-for- service and embrace new ways of paying doctors to encourage cost-effective, high quality care.”

http://telemedicinenews.blogspot.com/

(c) 2013 James J. Eischen, Jr., Esq.

(c) 2013 James J. Eischen, Jr., Esq.

EFFECT OF COMPETITION ON HEALTHCARE

• Toyota's management philosophy and practices adopted by the hospital as a way to deliver medicine to its patients

• Systematic approach to producing cars and trucks efficiently, with the primary goal of pleasing the customer • Attract and retain "paying customers" to survive

http://www.sfgate.com/health/article/S-F-General-following-Toyota-Way-toefficiency-4879925.php

(c) 2013 James J. Eischen, Jr., Esq.

One problem is that the current fee-for-service system makes it difficult to coordinate after-hours care with a patient's regular doctor. This is problematic considering that providers that know a patient well, or at the very least have a patient's medical record, are able to give better quality of care. • • • •

In 2010, 40.2 percent of people said their primary care clinics offered extended hours, such as at night and on weekends. One in five people found it very difficult or somewhat difficult to reach their clinician after hours. People that reported less difficulty reaching a physician after hours had fewer emergency department visits (30.4 percent compared to 37.7 percent). Furthermore, there were lower rates of unmet medical needs (6.1 percent compared to 13.7 percent).

http://www.ncpa.org/sub/dpd/index.php?Article_ID=22692

(c) 2013 James J. Eischen, Jr., Esq.

Already, one in five physicians is restricting the number of Medicare patients in their practice and one in three primary care doctors – the providers on the front lines of keeping the cost of seniors’ care low – are restricting Medicare patients, according to a 2010 AMA survey of more than 9,000 physicians who care for Medicare patients.

http://www.forbes.com/sites/brucejapsen/2013/01/30/1-in-10-doctor-practices-fleemedicare-to-concierge-medicine/

(c) 2013 James J. Eischen, Jr., Esq.

(c) 2013 James J. Eischen, Jr., Esq.

FEE FOR SERVICE FRUSTRATING NEEDED INNOVATION? • Internal medicine moving toward clinical care teams. • Fee for service reimbursement obstacles may frustrate this otherwise necessary shift. http://annals.org/article.as px?articleid=1737234

(c) 2013 James J. Eischen, Jr., Esq.

FEE FOR SERVICE (FFS)

Does FFS work? Consensus = NO

(c) 2013 James J. Eischen, Jr., Esq.

Why Private Medicine?

(c) 2013 James J. Eischen, Jr., Esq.

EVOLVING AWAY FROM FEE FOR SERVICES: Private Subscription     



Average annual fee = approximately $1,800 > 4,000 physicians practice privately in the United States in 2012 Private physician averages about 350 patients Medicare changes = doctors reimbursed less for care provided Private patients get  more face-time with doctors  more thorough annual physicals  focus on preventive medicine Private fee makes up for lost revenue from declining reimbursements

http://www.ncpa.org/sub/dpd/index.php?Article_ID=22781

(c) 2013 James J. Eischen, Jr., Esq.

WHY SUBSCRIPTION? Patient Buy-in/Investment In Health  Investing in health  Owning health outcomes  Realizing actual costs of poor health decisions

(c) 2013 James J. Eischen, Jr., Esq.

REMOVING MENU DISTORTIONS FROM HEALTH CARE DELIVERY  Subscription model is financially viable (“gym analogy”)  Subscription = payment for counseling and medical direction disconnected from plan-funded intervention  Subscription = compensation for connection/tracking/coordination

(c) 2013 James J. Eischen, Jr., Esq.

INCENTIVIZING CUSTOMER SERVICE/RETENTION  Remaining connected vs. one-off consults  Patient accountability via persistent connection

(c) 2013 James J. Eischen, Jr., Esq.

STABILIZED PRACTICE CASH FLOW TO SUBSIDIZE PATIENT CONNECTION  FFS = financial disincentive to connect with medical practice  Subscription = investment in connection, incentive to remain connected

(c) 2013 James J. Eischen, Jr., Esq.

 



Private medicine delivers excellent care in a manner that is attractive to physicians. Question: Whether it has the potential to fix many of the more serious problems that exist in our system for delivering primary care.  Affordability  Reducing the number of patients that private-practice physicians see significantly reduces the number of patients served by each primary care physician. Private medicine remains attractive to doctors and patients in many regards. But significant questions remain about whether it should be promoted as a model that can meet the needs of most patients in society even with the advent of hybrid models.

(c) 2013 James J. Eischen, Jr., Esq.

Evolution Of The Private Pay Models

(c) 2013 James J. Eischen, Jr., Esq.

(c) 2013 James J. Eischen, Jr., Esq.

DIRECT PRIMARY CARE

“Because direct primary care models will be able to adopt technology (e.g., smart phone EKGs or longer appointment times) that traditional primary care can’t prioritize, it will begin to steal away market share from the incumbents. When this begins happening, traditional primary care will have no tools at its disposal to compete on price or service. Its business model is locked in a feefor-service reimbursement world that will never be able to respond to the lower cost structure or different profit formula employed by direct primary care.” http://www.christenseninstitute.org/disrupting-thetraditional-primary-care-business-model-direct-primarycare/ (c) 2013 James J. Eischen, Jr., Esq.

RISE OF MOBILE HEALTHCARE • As of 2013, 95 million Americans are using mobile phones as health tools or to find health information. • 45% of online adults with a chronic condition reported that the internet is essential to managing that condition. http://mobihealthnews.com/26821/95m-americansused-mobile-for-health-in-2013/

(c) 2013 James J. Eischen, Jr., Esq.

 



Concierge medicine delivers excellent care in a manner that is attractive to physicians. Question: Whether it has the potential to fix many of the more serious problems that exist in our system for delivering primary care.  Affordability  Reducing the number of patients that concierge-practice physicians see significantly reduces the number of patients served by each primary care physician. Retainer-based medicine remains attractive to doctors and patients in many regards. But significant questions remain about whether it should be promoted as a model that can meet the needs of most patients in society even with the advent of hybrid models.

(c) 2013 James J. Eischen, Jr., Esq.

PRIVATE MEDICINE HAS COME A LONG WAY  Washington  Qliance  MD2  Florida  MDVIP  Expansion with confirmed FFNCS model compliance  Fee For Non-Covered Service

 Diversification    

OneMedical MedLion White Glove Health Regional & national competition (c) 2013 James J. Eischen, Jr., Esq.

PRIVATE PRACTICE MODELS A Solution?

(c) 2013 James J. Eischen, Jr., Esq.

DIVERSE SOLUTIONS FOR VARYING CARE MODELS • Cash Practice • Direct Model (monthly subscription primary care) – Qliance – MedLion

• Concierge/Retainer (annual/monthly retainer care) – MDVIP

• Health/Wellness Amenity Packages – Physician vs. Employer

• Administrative Fee Model – OneMedical (c) 2013 James J. Eischen, Jr., Esq.

Diverse Models Detailed Overview

(c) 2013 James J. Eischen, Jr., Esq.

HYBRID CONVERSION • Patients voluntarily elect to subscribe • Patients allowed to remain in practice without subscribing • Probably complies with PPO contracts • Attorney and consultant support costs • Feasibility issues – Lower conversion rates – Mixed standards of health delivery (c) 2013 James J. Eischen, Jr., Esq.

CASH/OPT-OUT PRACTICE • Opted out of Medicare • Avoids Medicare assignment compliance issues • Attorney and consultant costs • Fee for service vs. subscription--Menu • Pros and cons – Cash menu = FFS – Subscription—simplified – Opt-out negatives? (c) 2013 James J. Eischen, Jr., Esq.

MEDICARE PARTICIPATING SUBSCRIPTION • Structured to avoid Medicare Assignment violations (Fee for non-covered services follows OIG guidelines?) • Retains PPO contracts? • Attorney support is very important, plus potential consultant support • Bills Medicare and PPOs? – Plan attitude shifts – Co-pays and deductibles

• Annual vs. monthly subscription • Pros and cons – Medicare compliance complex – Benefits from combined private and plan billing – PPO plans may elect to(c) terminate plan participation 2013 James J. Eischen, Jr., Esq.

“DIRECT” LOWER FEE SUBSCRIPTION • Structurally one of the prior models—same considerations • Tends to be: Opted out for lower monthly fee subscription (but not always) • National and solo models – Using a national or regional model may not avoid attorney and consultant needs!

• Pros and cons – – – –

Affordability Large patient pools avoid some policy negatives Compliance issues with state insurance laws Simplicity (c) 2013 James J. Eischen, Jr., Esq.

NATIONAL/REGIONAL MODELS • Business entity handles conversion and billing (and other?) administrative services • Practice/Physician contract with entity • Still recommend legal support, may avoid consultant costs? • Pros and cons – – – –

Less physician business execution, and no consulting fee obligation Less retention of gross revenue (varies) Significant benefits with conversion vs. over time Standardized administrative functions?

(c) 2013 James J. Eischen, Jr., Esq.

What Does Your Private Medicine Model Look Like?

(c) 2013 James J. Eischen, Jr., Esq.

THINGS TO THINK ABOUT • What is your vision of ideal healthcare? • What do you want to change in your practice and why? • What is your tolerance for (and interest in) business ownership vs. employment stability? • How does reimbursement requirements currently affect your practice?

(c) 2013 James J. Eischen, Jr., Esq.

BALANCING YOUR QUALITY OF LIFE WITH YOUR PRACTICE  BENEFITS

 DRAWBACKS

• Longer appointment times to get to know patients • Less people that you are responsible for • More flexibility in scheduling

• Less control over daily schedule • Uncertainty of number of patients at start-up • Being available all the time can be draining

(c) 2013 James J. Eischen, Jr., Esq.

AMA POLICY E-8.055: ETHICAL GUIDELINES FOR PRIVATE PHYSICIAN PRACTICES • Be clear about the financial terms and do not pressure patients to agree to the arrangement. • Do not promote your private practice as providing better diagnostic care and therapeutic services. • If you have both private and non-private patients, meet the same diagnostic and therapeutic standards for each. • Continuity of care requirements apply. • Within your private practice, you may still provide services that can be billed to health insurers. Clearly define what is and is not covered under the private practice fee. Continue to comply with all relevant laws, rules and contractual requirements. • All physicians professionally obliged to care for those in need regardless of the ability to pay, especially when the need is urgent. (c) 2013 James J. Eischen, Jr., Esq.

Conversion And Practice Formation

(c) 2013 James J. Eischen, Jr., Esq.

CONSULTANT VS. FRANCHISE CONVERSION OPTIONS  Concierge consulting firm • • •

Tailor their services to your specific needs Work with you for as long as necessary to the process so you can continue to practice Cost is significantly less than the expense of using a concierge franchise

 Concierge franchise • • • •

Use a proven model (you do not have to make a lot of decisions) Internal marketing, legal and support staff Have read-made package and tools necessary to establish your concierge practice Expensive

 Get information and knowledge from other sources • •

Camaraderie Access to experts of this evolving sector of medicine

 GET LEGAL ASSISTANCE! (c) 2013 James J. Eischen, Jr., Esq.

Structuring Your Private Medicine Model Know The Rules

(c) 2013 James J. Eischen, Jr., Esq.

Medicare Rules

(c) 2013 James J. Eischen, Jr., Esq.

 A Roadmap for New Physicians: Avoiding Medicare and Medicaid Fraud and Abuse, U.S. Department of Health & Human Services and Office of Inspector General  http://oig.hhs.gov/compliance/ physician-education/index.asp  Private reimbursement compliance issues

(c) 2013 James J. Eischen, Jr., Esq.

(c) 2013 James J. Eischen, Jr., Esq.

https://oig.hhs.gov/complia nce/physicianeducation/index.asp

(c) 2013 James J. Eischen, Jr., Esq.

OIG: NO “DOUBLE BILLING”  If you are a participating or non-participating physician, you may not ask Medicare patients to pay a second time for services for which Medicare has already paid  Charging an “access fee” or “administrative fee” that allows patients to obtain Medicare-covered services from your practice constitutes double billing  It is legal to charge patients for services that are not covered by Medicare

 If you have opted-out of Medicare  May charge for “access” and “care coordination”  Must comply with opt-out contract rules

(c) 2013 James J. Eischen, Jr., Esq.

OIG ALERT – MARCH 31, 2004 Alert from Office of Inspector General, March 31, 2004  http://oig.hhs.gov/fraud/docs/alertsa ndbulletins/2004/FA033104AssignVio lationI.pdf •

(c) 2013 James J. Eischen, Jr., Esq.

OIG ALERT 03-31-04 • While the physician characterized the services to be provided under the contract as “not covered” by Medicare, the OIG alleged that at least some of these contracted services were already covered and reimbursable by Medicare. Among other services offered under this contract were the “coordination of care with other providers,” “a comprehensive assessment and plan for optimum health,” and “extra time” spent on patient care. OIG alleged some of these contracted services were already covered and reimbursable by Medicare. (c) 2013 James J. Eischen, Jr., Esq.

CHECK FOR MEDICARE COVERAGE

http://www.medicare.gov/pubs/pdf/10050.pdf

(c) 2013 James J. Eischen, Jr., Esq.

MEDICARE ASSIGNMENT COMPLIANCE  Unless you have opted out of Medicare  Avoid billing for covered services  Avoid billing for “buzz words”  Watch out for these common and problematic phrases:  Access  Care coordination  Membership (?)  24/7 communications (?)  Electronic records access

(c) 2013 James J. Eischen, Jr., Esq.

LIABILITY AND PENALTIES FOR ADDED PAYMENT FOR COVERED SERVICES

http://www.cms.gov/Outreach-and-Education/Medicare-LearningNetwork-MLN/MLNMattersArticles/downloads/SE0421.pdf

(c) 2013 James J. Eischen, Jr., Esq.

OPTING-OUT OF MEDICARE • Physician-Patient Agreement Requirements – Every 2 years

• Insurance Plan Participation Restrictions/Benefits • Renewal & PECOS Registration – Don’t fall asleep at the wheel!

• Urgent Care & unexpected Medicare coverage • Consequences of failing to comply with optout requirements (c) 2013 James J. Eischen, Jr., Esq.

OPT-OUT COMPLIANCE The physician/practitioner has filed an affidavit in accordance with §40.9 and has signed private contracts in accordance with §40.8 but, the physician/practitioner knowingly and willfully submits a claim for Medicare payment (except as provided in §40.28) or the physician/practitioner receives Medicare payment directly or indirectly for Medicare-covered services furnished to a Medicare beneficiary (except as provided in §40.28); (For specific information about Chapter 15, sections 8 and 28, refer to http://www.cms.hhs.gov/Manuals/downloads/bp102 c15.pdf on the CMS website. The sections of Chapter 15 that are revised by CR6081 are attached to CR6081.) • The physician/practitioner fails to enter into private contracts with Medicare beneficiaries for the purpose of furnishing items and services that would otherwise be covered by Medicare, or enters into private contracts that fail to meet the specifications of §40.8; or • The physician/practitioner fails to comply with the provisions of §40.28 regarding billing for emergency care services or urgent care services; or • The physician/practitioner fails to retain a copy of each private contract that the physician/practitioner has entered into for the duration of the opt-out period for which the contracts are applicable or fails to permit CMS to inspect them upon request. (c) 2013 James J. Eischen, Jr., Esq. •

OPT-OUT NONCOMPLIANCE CONSEQUENCES All of the private contracts between the physician/practitioner and Medicare beneficiaries are deemed null and void. • The physician’s or practitioner’s opt-out of Medicare is nullified. • The physician or practitioner must submit claims to Medicare for all Medicare covered items and services furnished to Medicare beneficiaries. • The physician or practitioner or beneficiary will not receive Medicare payment on Medicare claims for the remainder of the opt-out period, except as stated above. • The physician or practitioner is subject to the limiting charge provisions as stated in §40.10. • The practitioner may not reassign any claim except as provided in the Medicare Claims Processing Manual, Chapter 1, “General Billing Requirements,” §30.2.13. (For more information about the General Billing Requirements refer to http://www.cms.hhs.gov/manuals/downloads/clm104 c01.pdf on the CMS website). • The practitioner may neither bill nor collect any amount from the beneficiary except for applicable deductible and coinsurance amounts. • The physician or practitioner may not attempt to once more meet the criteria for properly opting out until the 2-year opt-out period expires. (c) 2013 James J. Eischen, Jr., Esq. •

PAR VS. NON-PAR MEDICARE • PAR

• NON-PAR

– Fee for non-covered services vs. Medicare reimbursement

– 113% of Medicare assignment

THERE IS NO ONE SIZE FITS ALL FOR MEDICARE ASSIGNMENT COMPLIANCE AND THE PHYSICIANPATIENT AGREEMENT

(c) 2013 James J. Eischen, Jr., Esq.

http://www.medpac.gov/chapters/Ju n12_Ch02.pdf

BE CAREFUL

(c) 2013 James J. Eischen, Jr., Esq.

(c) 2013 James J. Eischen, Jr., Esq.

State Laws on Insurance

(c) 2013 James J. Eischen, Jr., Esq.

STATE LAW INSURANCE ISSUES (REGARDLESS OF OPT-OUT STATUS)  Avoid appearance (or reality) of insurance  Why?  Lack of adequate capitalization  Lack of registration  State law violation of insurance regulations

(c) 2013 James J. Eischen, Jr., Esq.

Insurance Contracts

(c) 2013 James J. Eischen, Jr., Esq.

• HMO = NO • PPO = Maybe? – Discrimination – Hybrid

(c) 2013 James J. Eischen, Jr., Esq.

Incentives

(c) 2013 James J. Eischen, Jr., Esq.

DISCOUNTING, REBATES, INSURANCE PLAN CO— PAYS/DEDUCTIBLES: AVOIDING IMPROPER INCENTIVIZING UNDER STATE/FEDERAL LAWS  May not “incentivize”  No free toaster oven  Do not routinely waive co-pays and deductibles—WATCH OUT!  May not induce utilization

(c) 2013 James J. Eischen, Jr., Esq.

Private Practice Contracts And Documentation

(c) 2013 James J. Eischen, Jr., Esq.

PHYSICIAN-PATIENT CONTRACT DRAFTING RECOMMENDATIONS • Easy to read contract – Simplify

• Clarity, particularly on key issues • Use FAQs and brochures to express details, use the contract to craft the compliance posture • Fee structure must avoid state insurance issues • Amenities allocated to private fees to avoid Medicare compliance issues (Q: Does your staff know how to properly explain your retainer/subscription model?) – Or comply with opt-out requirements – http://www.cms.hhs.gov/Manuals/downloads/bp102c15.pdf

• Avoid inducements/discounting (i.e. no toaster ovens) • AVOID PROMISES YOU CAN’T KEEP

(c) 2013 James J. Eischen, Jr., Esq.

PHYSICIAN-PATIENT AGREEMENT DEALING WITH ELECTRONIC COMMUNICATIONS  Need separate ePHI agreement for risk management/HIPAA compliance  HIPAA Final Rule: Non-compound ePHI consent

(c) 2013 James J. Eischen, Jr., Esq.

EPHI/ELECTRONIC RECORDS AND COMMUNICATIONS RISK MANAGEMENT

 Privacy Rule  Security Rule  Documented permissions

(c) 2013 James J. Eischen, Jr., Esq.

UPDATING YOUR PHYSICIAN-PATIENT CONTRACT  Laws governing coverage often change  Physician-patient agreement should be prepared by an attorney experienced in physician legal issues and reviewed annually • Every concierge/direct/private practice is different so every retainer agreement is different. There is no one right way to structure a physician-patient agreement. There is no one version of private medicine.

(c) 2013 James J. Eischen, Jr., Esq.

CAN I CHARGE FOR PATIENTS’ ACCESS TO ELECTRONIC HEALTH RECORDS? • Patients can ask for a copy of their electronic medical record in an electronic form. • When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan. • New limits on how information is used and disclosed for marketing and fundraising purposes. • Prohibits the sale of an individuals’ health information without explicit permission. • MUST ONLY CHARGE ACTUAL COSTS

www.hhs.gov/news/press/2013pres/01/ 20130117b.html

(c) 2013 James J. Eischen, Jr., Esq.

MUST CHECK MARKETING/PRACTICE COMMUNICATIONS FOR COMPLIANCE    

Website FAQs Patient letters Staff training!!!

(c) 2013 James J. Eischen, Jr., Esq.

BOTTOM LINE • Subscription for – Non-covered services (Par/Non-Par) – All services (Opt-out, with compliant contract) – Limited or finite services (avoid insurance issues)

• Exclude mandated services – Electronic records access – Watch out for preventative care

• Deal with HIPAA! (i.e., you can’t avoid the federal government) (c) 2013 James J. Eischen, Jr., Esq.

NEW FINAL RULE HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS

(c) 2013 James J. Eischen, Jr., Esq.

HIPAA/PRIVACY COMPLIANCE (PARTICULARLY WITH ELECTRONIC COMMUNICATIONS)  Final/Omnibus Rule updated  Electronic data storage of any kind = HIPAA  Basic rules:  Privacy  Security  Add: Accounting (for cash paid services)

(c) 2013 James J. Eischen, Jr., Esq.

Understand The Purpose Of HIPAA

(c) 2013 James J. Eischen, Jr., Esq.

WHAT IS HIPAA? • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. – The Privacy Rule (Standards for Privacy of Individually Identifiable Health Information) establishes national standards for the protection of certain health information. – The Security Rule (Security Standards for the Protection of Electronic Protected Health Information) establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). – Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.

(c) 2013 James J. Eischen, Jr., Esq.

KEY TERMS • “Unsecured” PHI – PHI that is not rendered unusable, unreadable or indecipherable to unauthorized persons specified by HHS • Encryption and destruction

• ePHI – Electronic PHI

• Breach – Acquisition, access, use or disclosure of PHI – PHI security or privacy is compromised (c) 2013 James J. Eischen, Jr., Esq.

Look At Basic HIPAA Compliance (Privacy And Security Rules)

(c) 2013 James J. Eischen, Jr., Esq.

SECURITY RULE • Prior to HIPAA, no generally accepted federal security standards or general requirements for protecting health information. • New technologies evolving. Health care industry moves away from paper processes to electronic information systems to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based functions. • Providers use clinical applications such as computerized physician order entry (COPE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems. • Security Rule: Protects the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. • Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ ePHI. (c) 2013 James J. Eischen, Jr., Esq.

SECURITY RULE APPLIED • Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI. • Specifically, covered entities must: – Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit; – Identify and protect against reasonably anticipated threats to the security or integrity of the information; – Protect against reasonably anticipated, impermissible uses or disclosures; and – Ensure compliance by their workforce.

(c) 2013 James J. Eischen, Jr., Esq.

PRIVACY RULE: CONFIDENTIALITY The Privacy Rule defines “confidentiality” to mean that ePHI is not available or disclosed to unauthorized persons. The Privacy Rule prohibits improper uses and disclosures of ePHI.

(c) 2013 James J. Eischen, Jr., Esq.

SO, WHAT SECURITY MEASURES MUST BE IMPLEMENTED? • Security Rule does not dictate measures, but requires the covered entity to consider: – – – –

Its size, complexity, and capabilities, Its technical, hardware, and software infrastructure, The costs of security measures, and The likelihood and possible impact of potential risks to e-PHI.

 Covered entities must review and modify their security measures to continue protecting e-PHI in a changing environment.

(c) 2013 James J. Eischen, Jr., Esq.

http://www.ama-assn.org/resources/doc/washington/hipaa-phi-encryption.pdf

(c) 2013 James J. Eischen, Jr., Esq.

Evaluate What Changed With The Omnibus/Final Rule

(c) 2013 James J. Eischen, Jr., Esq.

BEFORE AND AFTER OMNIBUS RULE • Before – BA regulated through BAAs

• After – BAs and subcontractors regulated directly under HIPAA

BAs are CEs, and must comply with Security Rule

(c) 2013 James J. Eischen, Jr., Esq.

EXPANDED DEFINITION OF CE • CE: On behalf of a covered entity (CE), creates, receives, maintains or transmits PHI • Subcontractor of a BA Role + responsibilities of BA = CE BA requirements/exposure not defined simply because it is a party to a BAA

(c) 2013 James J. Eischen, Jr., Esq.

NOT A BA • Those who simply provide “transmission services” – Digital couriers or “mere conduits”

But if you store personalized ePHI, even if you do not view it, you are a BA/CE

(c) 2013 James J. Eischen, Jr., Esq.

SUBCONTRACTORS • Contract between the CE’s BA and the BA’s subcontractor must satisfy the BAA requirements • Subcontractor of a subcontractor of a subcontractor of a subcontractor ALL BAS HIPAA/HITECH obligations apply to subcontractors

(c) 2013 James J. Eischen, Jr., Esq.

OMNIBUS/FINAL RULE • All covered entities must review documentation including business associate agreements, notice of privacy practices, and their policies and procedures to ensure compliance with the Final Rule • BAA and NPP MUST BE UPDATED

(c) 2013 James J. Eischen, Jr., Esq.

PRESUMPTION OF BREACH • Interim Final Rule – Risk assessment to determine if unauthorized ePHI access, use or disclosure caused harm – No presumption of a breach

• Final Rule – Unauthorized access, use or disclosure presumed to be a breach unless CE determines low probability ePHI was compromised

(c) 2013 James J. Eischen, Jr., Esq.

POTENTIAL BREACH EVALUATION • CE must evaluate – Nature and extent of ePHI – Unauthorized person who used ePHI – Whom disclosure was made – ePHI actually viewed or acquired – How risk was mitigated

DOCUMENT, DOCUMENT, DOCUMENT AND THEN DOCUMENT SOME MORE (c) 2013 James J. Eischen, Jr., Esq.

BREACH NOTIFICATION • BA must provide notice of breach – To CE – Breach treated as discovered as of 1st day when known or would have been known • When by exercising reasonable diligence would have breach been known?

• Subcontractor BA gives notice to BA

(c) 2013 James J. Eischen, Jr., Esq.

ELECTRONIC ACCESS • “Reasonable” safeguards • If PHI owner wants PHI sent unencrypted, CE needs to let individual know of risks – DOCUMENT ePHI OWNER’S CONSENT

• Secure mechanism • Electronic “machine readable copy” – Can be used on a computer – PDFs

• If a PHI owner asks for specific format, CE needs to accommodate when possible

(c) 2013 James J. Eischen, Jr., Esq.

FEES CHARGED FOR ELECTRONIC RECORDS? • Labor costs only – Retrieval costs or capital costs not allowed to be charged

• Supplies upon request can be charged Best practice is to list fees on authorization/consent form itself

(c) 2013 James J. Eischen, Jr., Esq.

ACCESS TO THIRD PARTIES • Individual can request CE to send ePHI to another individual – In writing • Electronic OK but verification needed

– Identify who is the receiver

• PHI must still be protected when sent to third party

(c) 2013 James J. Eischen, Jr., Esq.

RESTRICTIONS/ACCOUNTING RULE • Individual can restrict ePHI to health plan when paying out of pocket in full for a service (Accounting Rule) • CE need to develop how to track restrictions • CEs submit restricted ePHI for required audits when “required by law”

(c) 2013 James J. Eischen, Jr., Esq.

Identify Necessary HIPAA Compliance Steps

(c) 2013 James J. Eischen, Jr., Esq.

Update Your Documentation!

(c) 2013 James J. Eischen, Jr., Esq.

HIPAA COMPLIANCE: BASIC DOCUMENTATION • Notice of Privacy Practices (NPP) • Business Associate Agreement (BAA) • Internal risk analysis memo • Practice’s written office procedures and processes must be examined thoroughly • Evaluate risks and decide how to address those risks

(c) 2013 James J. Eischen, Jr., Esq.

SO, WHAT DO I DO? • • • •

Update BAA Update NPP Update internal risk assessment memo Ensure electronic records access not subject to unlawful charges

(c) 2013 James J. Eischen, Jr., Esq.

Electronic Communications, Scheduling & Records Management

(c) 2013 James J. Eischen, Jr., Esq.

HIPAA/PRIVACY COMPLIANCE WITH ELECTRONIC COMMUNICATIONS

Electronic data storage of any kind = HIPAA

(c) 2013 James J. Eischen, Jr., Esq.

SHOULD MY PHYSICIAN-PATIENT AGREEMENT DEAL WITH ELECTRONIC COMMUNICATIONS • Not recommended! • Need separate ePHI agreement for risk management/HIPAA compliance • HIPAA Final Rule: Non-compound ePHI consent

(c) 2013 James J. Eischen, Jr., Esq.

CHECK MARKETING/PRACTICE COMMUNICATION PLATFORMS FOR COMPLIANCE • • • • • •

Website Calendar/Scheduling FAQs Patient letters Staff training!!! Is this all really necessary? (Hint—The correct answer is not “no”)

(c) 2013 James J. Eischen, Jr., Esq.

So What Can Go Wrong Anyway? Case Study: Arizona Cardiologist Fined $100,000 and ordered to take corrective action to implement policies and procedures to safeguard the protected health information of its patients. (c) 2013 James J. Eischen, Jr., Esq.

WHAT WENT WRONG? • Inadequate internal risk analysis • Lack of staff training • No BAA with outside IT vendor for web calendar • Bottom Line: an internal risk analysis memo and awareness of patient privacy rights can avoid fines/penalties http://www.healthcareitnews.com/news/phoenix-practice-pay-100000settle-hipaa-case (c) 2013 James J. Eischen, Jr., Esq.

THANK YOU James J. Eischen, Jr., Esq. Office: (619) 819-9655 Email: [email protected] Skype: jeischenjr http://www.assessmentandplan.com http://www.higgslaw.com

(c) 2013 James J. Eischen, Jr., Esq.