Texas Supreme Court grants writ of mandamus for peer review committee records

Case summary

The Supreme Court of Texas (the "Court") recently held that a trial court failed to adequately review allegedly privileged documents to determine if they were disclosable pursuant to an exception to the state’s peer review statute before issuing an order compelling Christus Santa Rosa Health System to produce them. As a result, the Court granted a petition for writ of mandamus filed by Christus, ordering the lower court to inspect the documents in question.

The documents concerned a peer review committee convened to review an unsuccessful surgery performed by Gerald Marcus Franklin, MD, in March 2012 to remove the left lobe of a patient’s thyroid gland. Franklin instead removed thymus gland tissue, requiring the patient to undergo a second surgery.

According to Franklin’s deposition, several weeks after the failed surgery he met with a three-member medical peer review committee to provide a verbal report. He said that complications arose due to an abundance of scar tissue, which made it difficult to distinguish between thymus and thyroid tissue. The unavailability of a cryostat machine, a critical piece of equipment that Franklin would have used during the surgery to diagnose the removed tissue, led him to end the surgery. During the meeting, the committee concluded that Franklin’s actions were reasonable and the committee chose not to take action.

As a result of the failed surgery, the patient filed a malpractice lawsuit against Franklin and his medical group in March 2013. Franklin subsequently filed a motion to designate Christus as a responsible third party, alleging that the unavailability of the cryostat machine was responsible for the surgery’s failure. The patient went on to add Christus as a defendant in the suit.

In March 2014, Franklin served Christus with a request to produce documents from its medical peer review file. Christus objected, arguing that the documents were protected from discovery under the medical peer review committee privilege provided by the Texas Occupations Code section 160.007(a), which states, "[E]ach proceeding or record of a medical peer review committee is confidential, and any communication made to a medical peer review committee is privileged."

Following an in camera review, the trial court ordered Christus to produce the documents under a protective order that mandated that they be disclosed only to Franklin and his attorneys.

Christus filed a motion to reconsider, which the trial court denied. Christus then filed a petition for writ of mandamus in the court of appeals, which was also denied, leading it to file the petition with the state supreme court.

At issue was the interpretation and scope of an exception provided by Texas Occupations Code section 160.007(d), which states, "If a medical peer review committee takes action that could result in censure, suspension, restriction, limitation, revocation, or denial of membership or privileges in a healthcare entity, the affected physician shall be provided a written copy of the recommendation of the medical peer review committee and a copy of the final decision, including a statement of the basis for the decision."

Franklin argued that the documents were subject to disclosure under the exception because, even though the committee opted not to take any action, the medical peer review committee had the opportunity to recommend discipline.

The Court disagreed with Franklin’s interpretation of the privilege: "Looking to the intent of the Legislature, as we must, we conclude that the Legislature intended a medical peer review committee do more than simply convene for review for the exception to apply."

The Court found that applying this interpretation would require disclosure of a medical peer review committee’s documents every time it conducted a review, regardless of its outcome.

"Under this interpretation, it is difficult to conceive of an instance where the physician would not be entitled to the documents and the documents would remain privileged. This would in turn enfeeble confidentiality and prevent physicians from engaging in candid and uninhibited communications, which is essential for improving the standard of medical care in the state," the Court wrote.

The Court also found that the trial court did not review the documents in camera sufficiently to determine if the medical peer review committee took any actions that could result in one of the disciplinary actions listed in the exception to the medical peer review committee privilege, such as censure, suspension, or denial of privileges.

The trial court judge had stated he went through the documents page by page only to ensure that patient’s health information and social security numbers were not disclosed and didn’t look at the documents "closely enough" to determine whether the committee had taken any actions. Christus had argued that an in camera inspection of the documents would clarify if the exception applied.

The Court concluded that the trial court abused its discretion when it ordered Christus to produce the medical peer review committee documents. It ordered the trial court to vacate its order compelling production of the documents and to review the documents further to see if the exception applies.

Source: In re Christus Santa Rosa Health Sys., No. 14-1077 (Tex. May 27, 2016).

 

What does this mean for you?

J. Michael Eisner, Esq., of Eisner & Lugli in New Haven, Connecticut: The Court’s decision stands for the fundamental proposition that a court must comply with the plain meaning of the statutes that it is interpreting. While this may seem to be a "no brainer," too many courts ignore the plain meaning of statutes and act as if they were legislative bodies. Here, the statute required that disclosure only be made if the peer review committee recommended certain actions. According to the Texas Supreme Court, in spite of the clear wording in the statute, the trial court ordered disclosure without making the requisite determination(s). The Supreme Court sent the matter back to the trial court, ordering it to follow the statute.

HCPro.com – Credentialing and Peer Review Legal Insider

Credentialing & Peer Review Legal Insider, October 2016

Interstate Medical Licensure Compact Commission proposes licensure process

The medical licensing tool aimed at expediting the process through which physicians can obtain licenses to practice in multiple states is one step closer to becoming a reality as more details of the process come into focus. Once it’s up and running, the Interstate Medical Licensure Compact will allow physicians licensed in one participating state to gain licensure in other participating states without having to repeat the entire licensing process in each state.

The Interstate Medical Licensure Compact Commission, which is responsible for the compact’s governing rules and administration, recently released a proposed process for expedited licensure through the compact and opened the period for public comments. The commission will consider the proposed rule at its meeting in early October.

 

The expedited licensure process

The basic process is the same as the one outlined in model legislation released two years ago, says Ian Marquand, chair of the Interstate Medical Licensure Compact Commission. Under the newly proposed process, a physician applies for expedited licensure via the compact through the state where he or she claims principal licensure. The state of principal licensure is where the physician resides, practices, is employed, or files a federal tax return.

"The physician will have to provide some information so that we can make sure that state is legitimately the state of principal license. A physician can’t willy-nilly pick a state in the compact," Marquand says. The applying physician will also have to pay the commission a service fee and submit to a criminal background check through a law enforcement agency, including providing fingerprints or other biometric data.

"There are no heavy applications at this point. The point of this is to make it much easier for a physician to get licensed in additional states and for much less time and energy expended," he says.

The principal licensure state would then review the applicant’s qualifications to determine if he or she is eligible for expedited licensure, perform a criminal background check, and issue a letter to the applicant and the compact commission verifying or denying the physician’s eligibility. Once the applicant receives that letter, he or she can then select from which member states to request expedited licensure and pay those states’ licensure fees. The relevant member boards would then issue full and unrestricted licenses to the applicant. Those licenses would be valid for as long as any other full and unrestricted license normally issued by that state board.

 

Application turnaround time

There is not a set amount of time to process the application for licensure through the compact due to several variables, Marquand says. These variables include how quickly the physician goes to a law enforcement agency to get fingerprinted, the amount of time necessary to complete the criminal background check and deliver the results to the medical board at the state of principal licensure, and how long it takes that state of principal licensure to review the criminal background check and the applicant’s other details (e.g., board certification and medical education).

A few test runs of the process have been performed in Marquand’s home state of Montana. "We find that it only really takes a matter of hours but it’s not the only thing our people have to do. So where it falls in the queue depends on how long it’s going to take for our people to actually get to do the work. That’s a variable. The communication between a state of principal license to compact commission and then compact commission to receiving state, I don’t think those should take very long at all."

In contrast, the applicant’s responsiveness will be a factor in the turnaround time. Marquand provides a hypothetical scenario to illustrate this point: Dr. Smith, whose state of principal licensure is Montana, applies for licensure in three additional states through the commission. He is prompt about providing his fingerprints and submitting to the criminal background check, which allows the staff in Montana to process his application fairly quickly. In a matter of days Dr. Smith is certified by the commission but then puts off paying the licensure fees.

"We can’t do anything until the fees have been paid. So if the physician is slow about paying fees, that’s on them, not on us," Marquand says. "But once the fees are paid and delivered to the receiving states, we don’t expect [the states] to take very long in issuing the license."

To help motivate physicians to stay on track with their applications, the proposed rule sets a 60-day limit for the applicant to submit all requested materials.

"With every application in the professional licensing world, there’s an expiration date on the application. It doesn’t sit there forever waiting for you to finish. If you don’t get it done, it expires. Putting a 60-day limit on that seems pretty reasonable to me," he says.

Returning to the example of Dr. Smith, Marquand says if the physician applies through the compact commission and pays the initial processing fee, but then doesn’t have his fingerprints taken and is unresponsive to the commission’s requests for information for more than 60 days, the application is withdrawn.

"It put some onus on the physician to take some action. But will it take 60 days for processing? No, that’s just the time we give the physician to get any information that we need. But I can’t imagine that happening very often, if at all," Marquand says.

Once a physician is certified through the commission, that certification is valid for one year. This means that if Dr. Smith initially selects one compact state for licensure, such as Wyoming, and then decides six months later that he wants a license for Idaho as well, he will not have to reapply, Marquand says. Dr. Smith will simply need to inform his state of principal licensure, Montana, that he’d like to practice in Idaho. The board in Montana will notify the commission and then Idaho will issue the license fairly quickly.

"The only thing that would preclude that would be if Dr. Smith gets in trouble with either the Montana or the Wyoming board and his license is suspended. Then his compact eligibility goes out the window," he says.

When a physician’s license is suspended, it is the responsibility of the member state in which the disciplinary action occurred to notify the commission, which, in turn, would notify all the states in the compact. At that point, it would be up to each individual state to decide what to do.

"It’s presumed that reciprocal discipline will happen very quickly. So if Dr. Smith gets in trouble in Wyoming, Wyoming reports him to the commission and Montana would probably take very swift action to suspend his license there," Marquand says. "And if he’s licensed anywhere else in the compact, those states would have the option of doing the same. We want to at least make it possible for very swift action in all the states."

He adds that there are circumstances where reciprocal discipline is automatic, such as when a license from a state of principal licensure is revoked, suspended, or surrendered. In such cases, states can change that automatic action to something else, if they choose. So while states would have some discretion, it may come after an initial action.

Physicians who retain clean records and maintain their qualifications would be able to obtain licenses in as many compact states as they want within a year of achieving certification from the commission, as long as they’re willing to pay the fees.

 

Work to be done

Some details of this process have yet to be finalized. For example, the amount of the commission’s processing fee has yet to be determined. The commission will likely take up this issue by the end of the year.

"Each individual state within the compact also needs to have its own discussion of whether it wants to charge an application fee to cover the cost of reviewing the physician’s qualifications," Marquand says. In Montana there is a proposal put forth for a $100 fee. That proposal still needs to go through a public comment period and receive final approval from the state medical board.

After considering the provisions of the proposed rule, the commission will have several options: Adopt the rule as-is, adopt it with amendments, send it back to the committee for more work, or scrap it completely.

"I’m certainly optimistic that the commission will adopt these. And whether there are any changes suggested to them through comments, we’ll deal with them. I think the commission is anxious to get these rules in place and move on to the next topic," Marquand says.

If the commission decides that the proposal requires significant changes, the rule could be brought back to the commission as early as December.

Work on the application portal for expedited licensure is also underway but an open date has not been announced, Marquand says. However, the commission has set January 2017 as the target date for the first licenses to be issued by a member state using the compact process.

To assist with all the work that remains to be done, the U.S. Health Resources and Services Administration (HRSA) recently announced a $250,000 annual grant for three years to help the commission get up and running. The grant, which was requested by the Federation of State Medical Boards, underwrites the cost of the commission.

"That takes a huge load off on us as commissioners. We know that through that grant there will be money available to cover technical costs, meeting costs, and maybe even staff costs for the next three years," Marquand says. He forecasts that after the three years, the commission should be able to stand on its own financially and operate on the service fees it collects.

 

Telemedicine

Often the Interstate Medical Licensure Compact is discussed in the same breath as telemedicine but Marquand emphasizes the distinction between the two. The compact relates exclusively to licensing and therefore does not provide any rules, regulations, or even any guidelines on the use of telemedicine. Although physicians or health organizations may want to use it to allow their own practice or corporate practice to expand into more states, they will still need to follow the regulations of those states once licensed.

"I understand that there may be benefits of the compact for physicians who want to do telemedicine in more places, but that’s not specifically why the compact exists. The compact exists for licensed physicians to get licenses in other states quickly and efficiently, regardless of what kind of practice they want to do," Marquand says.

He recalls this topic came up at a press event in Washington, D.C., designed to promote the compact to members of Congress and major healthcare organizations. When the question was posed of who would be the major user of the compact (large healthcare organizations that want to use telemedicine, or individual physicians who want to expand a practice across state lines either in person or by telemedicine), the answer that came back was it would likely be both.

"Here’s how I look at this: Think of two parallel highways. On one, there are physicians using telemedicine. The compact is on the other, with ramps between them," he explains. "The folks on the telemedicine highway may take a ramp over to the compact highway to get additional licensure, but then they’ll get back on the telemedicine highway."

 

Moving forward

As this issue of CPRLI went to print, 17 states have enacted compact legislation and nine others have introduced it. Marquand is optimistic more will adopt legislation.

"There are a couple that haven’t quite got to the finish line and we understand there are going to be states that are on the sidelines, waiting to see what the commission does and see how the compact really works," he says.

That’s why Marquand says the work the commission is doing to get the compact up and running is so important. The successful operation of the compact will be the commission’s biggest promotional tool for convincing additional states to participate. The hope is to bolster the case for joining once the commission has concrete figures on time frames and the number of licenses issued.

Protecting your facility from successful plaintiff litigation

Identifying red flags within credentialing applications can be the first step to protecting yourself and your facility from a successful plaintiff litigation. In the on-demand webcast, Negligent Credentialing: Best Practices to Prevent Successful Plaintiff Litigation, expert Mark A. Smith, MD, MBA, FACS, discusses ways to recognize issues within a credentialing application that require immediate action or additional questioning. Smith also provides best practices an organization should adopt to prevent credentialing-based lawsuits.

At the end of this on-demand program, participants will be able to:

Identify at least three red flags in credentialing applications that require action or explanation

Know what a negligent credentialing claim entails

Assemble the necessary documentation to help combat negligent credentialing

 

For more information or to order this webcast on demand, visit http://hcmarketplace.com/negligent-credentialing-best-practices-to-prevent-successful-plaintiff-litigation.

 

 

OCR ramps up HIPAA enforcement efforts

The Office for Civil Rights (OCR) stepped up HIPAA enforcement in a big way this year. The agency handed down more than $5 million in HIPAA settlement fines in one week in March, and in July reached a HIPAA violation settlement with Advocate Health Care in Illinois that carried a $5.55 million payment. OCR kicked off phase two of its HIPAA Audit Program and will likely complete desk audits of covered entities (CE) and business associates (BA) by the end of the year. Comprehensive on-site audits may occur early in 2017.

However, breaches continue to come at a relentless pace and questions have arisen about OCR’s handling of HIPAA violations, particularly repeat HIPAA offenders. And a truly permanent HIPAA audit program may not yet be in sight: OCR states that phase two audits will help the agency plan for a permanent audit program but doesn’t state when that might launch.

In a September 2015 report (https://oig.hhs.gov/oei/reports/oei-09-10-00510.pdf), the Office of Inspector General (OIG) said OCR, and the U.S. Department of Health and Human Services (HHS) as a whole, should strengthen its oversight of CEs and be proactive rather than reactive in its approach to HIPAA enforcement. The report found that in 26% of closed privacy cases, OCR did not have complete documentation of corrective actions taken by CEs. In addition, OCR’s case tracking system has significant limitations and makes it difficult for the agency’s staff to check if a CE under investigation has been the subject of previous investigations.

All of this may make some CEs and BAs feel that HIPAA compliance is merely optional, and that leads to a weaker privacy and security culture throughout the industry. Although OCR does take action to make its presence felt, it could do more, Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Arizona, says.

"I do believe that OCR is trying to let people know that it considers HIPAA compliance an important objective," he says. "With its guidance and ongoing alerts about the occasional enforcement actions here and there, I see OCR’s enforcement a small step above being a paper tiger in terms of how seriously people take it."

The waiting game

The OIG’s September 2015 report wasn’t the first time that agency has found fault with HHS and OCR’s methods, Kate Borten, CISSP, CISM, HCISSP, founder of The Marblehead Group in Marblehead, Massachusetts, says.

"OIG has published a number of reports over the years, identifying problems with HHS’ oversight and enforcement of these HIPAA rules," she says. "I know of no one in the profession who reads the OIG reports and disagrees."

But HHS and OCR have been slow to take action. More than five years passed between the end of phase one of the HIPAA Audit Program and the announcement of phase two, and OCR still has obligations it’s failed to fulfill. The agency’s slow pace may lead some to take it, and HIPAA, less seriously.

"Since the latest round of rule changes back in 2010, over six years ago, there are still outstanding rules and unmet commitments by HHS and OCR," Ruelas says. "In the end, it not only erodes credibility but also questions just how seriously is OCR taking its enforcement duties."

 

Another day, another fine

HHS and OCR regularly announce breach settlements, but 2016 saw a flurry of high-profile and costly settlements. OCR took the opportunity to make examples of a number of CEs and BAs in its statements, calling attention to the particular violations that tipped the settlements into the hundreds of thousands, or even millions, of dollars.

Although the settlements grab attention and headlines, it may be difficult to determine their positive impact. Some of the HIPAA violations in question date back years. Staff who worked at the organization, and may have been involved in the breach, are likely gone. Even administrators, executive leaders, and owners may change in that time. Some organizations may see OCR’s enforcement actions as too little, too late, Mac McMillan, FHIMSS, CISSM, cofounder and CEO of CynergisTek, Inc., in Austin, Texas, says.

"We all want the same thing: to see our industry do better," he says. "This is just more of the same old, same old. Same issues, different players."

A HIPAA settlement fine might be a crushing blow to a physician practice or small home health or physical therapy organization, but even the largest fines might not make an appreciable impact on larger organizations, McMillan says.

"To be really impactful, there will probably need to be more, they will need to happen closer to the actual event they’re related to, and possibly the fines will need to be bigger," he says. "The fines levied were really not substantial fiscally, and there was no accountability for those responsible for making security decisions, so they pay and move on."

Borten agrees that the long period of time between when a breach is reported and when OCR takes action lessens the impact. "The response or punishment must rapidly follow the event to have a significant impact on future behavior," she says.

Although some find California’s short breach notification timelines and black and white faxing rules burdensome, these measures have caused CEs and BAs to change their behavior and improved privacy and security, McMillan says.

Some CEs and BAs may be willing to take the chance they won’t be caught, Ruelas says. "I truly think that people see enforcement a lot like getting hit by lightning. However, if it does occur, it tends to be a game changer and does make for an interesting day."

But whether the change is meaningful or widespread may be difficult to determine, and any alteration to OCR’s HIPAA enforcement practices would likely be an improvement, he adds.

 

Learning from others’ mistakes

However, CEs and BAs can get something out of HIPAA settlements. Conscientious entities will fulfill the terms of the corrective action plan and even improve on it. And other CEs and BAs can take valuable lessons from OCR’s breach announcements. The agency often draws attention to specific issues that led to the breach, levies a pricey fine, and points out how the organization could have avoided the problem in the first place.

"HIPAA enforcement actions are important teaching tools," Borten says. "Workforce members can be asked if the same problem could arise in their organization, and how individuals can avoid the same fate."

Many privacy or security failures that lead to breaches are the result of human error and are still relevant regardless of when the breach occurred, she adds.

Although the security landscape has expanded beyond missing laptops and smartphones, Ruelas says there’s still a lot CEs and BAs can learn from these enforcement actions. Organizations may see ransomware, phishing, and privacy and security breaches on social media as the biggest threats, and rightly so. Yet many breaches still come down to 10-year-old HIPAA basics: misdirected faxes, incorrectly addressed emails, or handing the wrong documents to a patient.

 

While human error is still a concern, McMillan is most worried about the increasing number of breaches due to hacking, particularly the greater loss of data due to hacking and the effects such breaches have on the industry. "Human errors are still an issue, but the relative impact of those incidents compared to the impacts we see from hacking recently pales in comparison. Many of those attacks were the result of misconfigured or poor administration of systems resulting in serious outages and millions of lost records," McMillan says. "This is where OCR needs to focus attention."

 

Phase two

The launch of phase two of the HIPAA Audit Program may promise some positive change. The audits are intended to help the agency improve HIPAA guidance and tools and pinpoint common problems and challenges CEs and BAs face. Desk audits of CEs began in July, with BAs scheduled to follow in the fall. However, it may take 90 days after submitting documents for CEs to receive a draft audit report. Until then, it will be difficult to predict what OCR’s response to the audits might be.

The audit reports will not be made public, although OCR representatives indicated they will likely be available through a Freedom of Information Act request. Sharing some data might help CEs and BAs.

"I do think that if audit results can somehow be summarized and shared, just by their detailed nature, the audits can be wonderful sources of information for the HIPAA community," Ruelas says.

It took three years for the agency to update the audit protocols to reflect changes made by the HIPAA omnibus rule, he adds. It’s too soon to tell how long it might take the agency to revise or refocus its guidance based on the results of the phase two audits, but it would no doubt be beneficial for all CEs and BAs to see results sooner rather than later.

Establishing a permanent audit program is one of OCR’s responsibilities under HIPAA, and the agency’s failure to develop one has drawn criticism from the industry and from other regulatory agencies such as the OIG. OCR agreed with the OIG’s latest call for a permanent audit program. Phase two is an encouraging step in that direction, but still not quite enough.

"It has been very vocal on its commitment to establishing an effective and permanent auditing program," Ruelas says. "Let’s see if it really is going to walk the talk."

 

Legal and regulatory news roundup

Find out what’s happening in the world of federal healthcare regulations by reviewing some recent headlines from across the country.

 

EMTALA violations declining

The number of U.S. hospitals cited for violating the Emergency Medical Treatment and Active Labor Act (EMTALA) has decreased over a 10-year period, according to a study published in the Annals of Emergency Medicine. Researchers analyzed a list from CMS of EMTALA investigations conducted from 2005 to 2014 and found that the percentage of U.S. hospitals cited for violations decreased from 5.3% to 3.2%. The percentage of hospitals investigated also declined during this period from 10.8% to 7.2%.

EMTALA aims to prevent the practice of discharging or transferring patients to other hospitals before stabilizing treatment is provided for emergency medical conditions. It requires hospital emergency departments to provide medical screening examinations to patients seeking medical treatment regardless of their ability to pay, citizenship, or legal status.

 

Stark Law, EMTALA violation penalty amounts increase

Due to several years of inflation, the U.S. Department of Health and Human Services recently issued an interim final rule that calls for steeper maximum penalties for violating federal regulations, including EMTALA and the Stark Law.

For hospitals with more than 100 beds, the maximum penalty for an EMTALA violation is $103,139, up from the previous maximum of $50,000 set in 1987. For hospitals with less than 100 beds, the maximum penalty is $51,570, up from $25,000.

Circumventing the Stark Law’s self-referral restriction can now result in a maximum penalty of more than $159,000, up from the previous maximum of $100,000 set in 1994. Submitting claims in violation of the Stark Law can result in a penalty of nearly $24,000, up from $15,000.

 

Home health agency owner sentenced for healthcare fraud, kickbacks

Khaled Elbeblawy, the former owner and manager of three home health agencies in the Miami area, will spend 20 years in prison for his role in a scheme that fraudulently billed Medicare for millions of dollars.

Elbeblawy was sentenced to prison and ordered to pay more than $36 million in restitution following his conviction in January of one count of conspiracy to commit healthcare fraud and wire fraud and one count of conspiracy to defraud the United States and pay healthcare kickbacks. According to evidence presented at trial, from 2006 to 2013, Elbeblawy and his co-conspirators claimed to have provided medically necessary home health services to Medicare beneficiaries through the three agencies: Willsand Home Health Agency Inc., JEM Home Health Care LLC, and Healthy Choice Home Services Inc. In reality, those services were either medically unnecessary or never provided. The conspirators also paid kickbacks to physicians, patient recruiters, and staffing groups for referrals of beneficiaries.

In all, Elbeblawy and his co-conspirators submitted $57 million in false or fraudulent claims and received approximately $40 million in payments. In 2012, Eulises Escalona, a former owner of Willsand and JEM, pled guilty to one count of conspiracy to commit healthcare fraud and was sentenced to 10 years in prison. Cynthia Vilches, former co-owner of Healthy Choice, also pled guilty to one count of conspiracy to commit healthcare fraud and is awaiting sentencing.

Healthcare system calls for dismissal of antitrust lawsuit

Carolinas HealthCare System (CHS) has argued that the joint antitrust lawsuit filed against it by the U.S. Justice Department and the North Carolina Attorney General’s office has no basis. According to the Charlotte Observer, the lawsuit alleges CHS uses its size to drive up prices to prevent competition. CHS operates 10 hospitals in the Charlotte area. Its closest competitor, Novant Health, operates five.

The lawsuit alleges CHS uses its clout to encourage health insurers to steer patients away from other lower-priced hospitals and toward CHS hospitals.

In asking for a dismissal, CHS has said the lawsuit has failed to allege any actual competitive harm to the marketplace.

Exciting updates: More content, tools, and news at your fingertips!

The challenges healthcare professionals tackle each day don’t wait for solutions, and neither should you. That’s why Credentialing & Peer Review Legal Insider (CPRLI) is transitioning to a more frequent and robust publishing model this fall by combining with the Credentialing Resource Center (CRC)’s flagship publication, Credentialing Resource Center Journal (CRCJ), to create a single source for all your credentialing, privileging, peer review, and legal news, tools, and best practice strategies.

Your updated member benefits gain you access to expanded content and tools on CRC, with new resources added weekly to the website (www.credentialingresourcecenter.com). Plus, as a CRC member you gain instant access to over 300 clinical privilege white papers, core privileging forms, Medical Staff Talk, and Credentialing Resource Center Daily (CRCD), CRC’s daily e-newsletter for medical staff leaders and MSPs. If you are already a CRC member, you will continue to receive the news and analysis you’ve come to rely on, plus expanded member benefits this fall.

To help readers keep tabs on available content, we will announce new articles in CRCD. At the end of each month, we’ll roll the corresponding weekly articles into a digital issue of the newly expanded 16-page CRCJ that mirrors the current digital format.

As a member of CRC, you can continue to download and print high-quality PDFs of the current issue, as well as several years of back issues of CRCJ and CPRLI, directly from CRC’s website. We’re looking forward to delivering your peer review and credentialing guidance in a timelier, efficient, and more convenient manner.

Stay tuned for additional details as we near implementation. In the meantime, feel free to contact Editor Son Hoang at [email protected] with any questions.

 

HCPro.com – Credentialing and Peer Review Legal Insider

Credentialing & Peer Review Legal Insider, September 2016

Avoid HIPAA breaches from ransomware attacks

Although ransomware is not a new phenomenon, a recent increase in reported attacks along with several well-publicized cases have raised the public’s awareness of the threat it poses. Ransomware, a variety of malware, can be incredibly damaging because it is designed to infect a system, find and encrypt the system’s data, and lock out users until they pay a ransom–typically in an anonymous electronic currency like bitcoin–to regain access through a decryption key.

According to a U.S. government interagency report, there have been approximately 4,000 ransomware attacks each day since the beginning of the year, up from the 1,000 daily attacks reported last year. Further, a recent analysis by managed security services provider Solutionary found that 88% of ransomware attacks during the second quarter of this year targeted healthcare entities.

"Hospitals rely on data systems not only for the survival of their business, but the survival of their patients. Because of this, the perceived value of the data becomes much greater, meaning the criminals can charge premium ransoms against their victims," says Travis Smith, senior security research engineer at Tripwire, a Portland, Oregon-based cybersecurity firm.

The variants of ransomware that exist can complicate a hospital or other healthcare provider’s response, says Doron S. Goldstein, partner and co-head of privacy, data, and cybersecurity practice at Katten Muchin Rosenman, LLP, in New York City. In addition to the typical form of ransomware that infiltrates systems and locks users out of their data unless they make some form of payment, some types can also exfiltrate a copy of the locked data to the hacker, or delete the data but make it seem as though it’s encrypted and still present, tricking the user into paying for data that is actually gone.

"In each scenario, you don’t know if there is intention to release the data if you pay or not. You may pay and still get nothing. Or you may get it back. There is no certainty to it. Some victims have gotten access back; others have not," says Goldstein, a former software developer and network administrator. "The general guidance from law enforcement, such as the FBI, is not to pay ransom. But if everything you have is locked out, you may not feel like you have a choice."

HHS guidance

In light of the increased prevalence of ransomware threats, the U.S. Department of Health and Human Services (HHS) recently released guidance to help covered entities understand the risks associated with these types of attacks and how complying with HIPAA can help identify, prevent, and recover from ransomware.

"The HHS is just reacting to what is happening in the marketplace. The sustained increase in the number of successful ransomware attacks is proof that the ransomware problem is going to get worse before it gets better. Issuing guidance is raising awareness of the issue at hand," Smith says.

The HHS guidance states that healthcare entities can better protect against ransomware by implementing security measures required by the HIPAA Security Rule. According to the guidance, these measures include limiting access to electronic protected health information (PHI) to personnel and software that require it, and conducting risk analyses to identify threats and vulnerabilities to PHI.

"You have to do the risk analysis. Ransomware is just another form of malware; it’s particularly insidious, but they all require doing the risk analysis," says Goldstein.

A big takeaway from the HHS guidance is the importance of taking appropriate actions beforehand to mitigate the potential of damage caused by ransomware, he adds. Unlike malware that simply transfers PHI without authorization, ransomware makes the PHI unavailable or destroys it altogether.

"For a healthcare provider in particular, having data exfiltrated means there’s damage to the patients, but likely not to their immediate health. Being locked out of your health data or your patients’ health data is a potential threat to the life and health of patients," he says.

 

HIPAA breaches

The guidance provides clarification on whether a ransomware infection constitutes a HIPAA breach. A breach under HIPAA is any acquisition, access, use, or disclosure of PHI in a manner that is not permitted under the HIPAA Privacy Rule and that compromises the PHI’s security or privacy.

Prior to the release of the HHS guidance, instances of data exposure that revealed individuals’ PHI would be considered a HIPAA breach, says Justin Jett, director of compliance and auditing at Plixer International, a Kennebunk, Maine-based security analytics company. However, at that point, one could have made the argument that ransomware wouldn’t technically be considered a breach since it encrypts data rather than exposing it.

Now, according to the new guidance, if a ransomware infection encrypts electronic PHI that was not encrypted prior to the incident, a breach has occurred. The guidance reasons that the PHI has been "acquired" because hackers have taken control or possession of it. In these cases, the hospital must then undertake a risk analysis and, when applicable, comply with the breach notification requirements and notify individuals affected, HHS, and the media.

However, if the hospital had previously (prior to the ransomware attack) encrypted the PHI in a manner that would render it unusable, unreadable, or undecipherable to an unauthorized individual, there is a possibility the ransomware attack wouldn’t be considered a breach.

"I interpret this guidance as removing the loophole of ransomware not actually looking at the data. Since malware changes over time, it’s within the realm of possibility that ransomware will target [PHI] and exfiltrate the data once found. The new guidance states that if the ransomware is unable to actually see the protected healthcare information in cleartext (not encrypted), then it is not a reportable breach," Smith says.

Even in these cases, the guidance says additional analysis would be required to determine if the PHI was sufficiently encrypted prior to the attack. Goldstein says this emphasizes the need for a risk analysis whenever there is a security incident. He further noted that HHS may have included this guidance so covered entities could not view the ransomware’s own encryption of the data as protection against that data being compromised.

"In those cases, the data is technically encrypted by virtue of the ransomware, but it’s not encrypted by the covered entity; it’s encrypted by someone else who controls that encryption. It shouldn’t be viewed as encryption for the purposes of your risk analysis," Goldstein says.

 

Prevention and recovery

To better prevent ransomware, Jett says all staff should be appropriately trained on email and web security as most malware and ransomware comes from those sources. Additionally, companies should invest in heightened email security solutions, like anti-spam firewalls, which will help prevent the most obvious attacks from getting to employees’ inboxes.

The HHS guidance suggests that since HIPAA requires the workforces of covered entities to receive security training on detecting and reporting malware, employees can assist with early detection of ransomware by spotting indicators of an attack. These warning signs could include unusually high activity in a computer’s CPU as the ransomware encrypts and removes files, or an inability to access files that have been encrypted, deleted, or relocated.

Even if hospitals are vigilant, ransomware attacks may still occur. Again, the guidance suggests that HIPAA compliance may help hospitals recover from ransomware attacks due to HIPAA’s mandate for frequent backups of data.

Goldstein warns, however, that some variants of ransomware can lie dormant for a period of time in order to migrate across systems, including into data backups. Many hospitals and companies keep hot backups as part of their disaster recovery plan. These backups can be automatically or manually switched on if a system goes down. If ransomware has infiltrated a backup, the backup’s data could also become compromised and encrypted by the ransomware as soon as it’s activated.

"The important thing about dealing with the impact of ransomware is that it may require additional or different protections compared to what other malware requires to avoid or mitigate its ill effects," he says.

 

Recent ransomware attacks

All types of malicious software attacks are on the rise, but ransomware has recently received more high-profile media coverage, says Doron S. Goldstein, partner and co-head of privacy, data, and cybersecurity practice at Katten Muchin Rosenman, LLP, in New York City. "Ransomware has certainly gotten more coverage lately because of the potential damage, and the sophistication of some of these attacks has increased," he says.

The following are a few of the recent ransomware attacks that made headlines:

Hollywood Presbyterian Medical Center: In February, this Los Angeles hospital paid hackers the equivalent of $17,000 in bitcoins to regain access to its computer system, according to the Los Angeles Times. The malware prevented hospital staff from accessing their system for 10 days by encrypting its files; once the hospital paid the ransom, it was given a decryption key to unlock the files. In a statement, CEO Allen Stefanek said paying the ransom was the quickest way to restore the hospital’s systems.

Chino Valley Medical Center and Desert Valley Hospital: In March, hackers targeted these southern California hospitals by infiltrating their computer systems with ransomware. A spokesman for the two hospitals, which are part of Prime Healthcare Services, Inc., said technology specialists were able to limit the attacks so both hospitals remained operational, no data was compromised, and no ransom was paid.

MedStar Health: Also in March, this Columbia, Maryland-based system was targeted with ransomware that encrypted the system’s data. According to the Baltimore Sun, the hackers demanded that MedStar pay three bitcoins, worth approximately $1,250, to unlock a single computer, or 45 bitcoins, the equivalent of about $18,500, to unlock all of its computers. MedStar refused to pay the ransom, and staff at its 10 hospitals and more than 250 outpatient centers resorted to using paper records while system access was restored.

Kansas Heart Hospital: In May, hackers infected the network system of this Wichita hospital with ransomware. According to local CBS affiliate KWCH12, the hospital paid an undisclosed portion of the ransom demanded but the hackers refused to return full access and demanded a second payment. The hospital announced that it had refused to make the second payment and would work with its IT team and external security experts to restore access to the rest of the system.

 


Case summary

Maine supreme court upholds immunity for CVO questionnaire

The Supreme Judicial Court of Maine (the "Court") upheld a superior court’s ruling granting immunity to two physicians who provided negative comments regarding a third physician when they responded to a questionnaire from a credentials verification organization (CVO).

The decision stems from a dispute where Kevin F. Strong, MD, sought damages from Rebecca M. Brakeley, MD, and Jonathan M. Bausman, MD, alleging defamation and tortious interference with his business relationship with St. Mary’s Regional Medical Center in Lewiston, Maine.

In 2013, Strong applied for staff privileges at St. Mary’s, which reached out to its contracted CVO, Synernet, to collect, verify, and dispense Strong’s credentialing information. Synernet sent professional reference questionnaires to Brakeley and Bausman, who completed and returned them. Synernet forwarded the responses to St. Mary’s, which ultimately chose to deny staff privileges to Strong. Strong subsequently filed his complaint in the superior court against Brakeley and Bausman, claiming the denial was a result of negative comments in their questionnaires.

In court, Brakeley and Bausman argued that their statements were entitled to absolute immunity pursuant to Section 2511 of the Maine Health Security Act and filed a motion for summary judgment. The superior court granted the motion, and Strong appealed.

Strong made several arguments for why Brakeley and Bausman’s statements didn’t meet the criteria for immunity, but the Court rejected his interpretation of the statute.

In its decision to affirm the superior court’s summary judgment, the Court discussed the language of Section 2511 and its three subsections, which outline the circumstances when a physician is afforded immunity from civil liability, and why Strong’s interpretation was incorrect.

Central to Strong’s argument was Subsection 3 of the statute, which states that physicians "assisting the board, authority, or committee in carrying out any of its duties or functions provided by the law" are afforded immunity. Strong argued that Synernet was not a board, authority, or committee and therefore Brakeley and Bausman were not immune. However, the Court interpreted that subsection to include professional competence committees, which the Maine Health Security Act defines to include "[e]ntities and persons, including contractors, consultants, attorneys and staff, who assist in performing professional competence review activities."

Since St. Mary’s contracted with Synernet to collect, verify, and dispense credentialing information for its competence review process, the Court concluded Synernet qualified as a professional competence committee and therefore was a board, authority, or committee pursuant to the statute.

Strong also interpreted the language of Subsection 3 to mean that it only provided protection to a physician if he or she was a member of the board, authority, or committee. The Court found this interpretation illogical as it twisted the meaning of the subsection from protecting the acts of the physician providing assistance to instead protecting the committee receiving the assistance.

 

Source:

Strong v. Brakeley, Docket No. And-15-260 (Me. Apr. 21, 2016).

 

HCPro.com – Credentialing and Peer Review Legal Insider

peer to peer review during the authorization process

Hey Everyone,

I am trying to get black and white paper evidence about this topic. My Dr is wanting to bill for the peer to peer review that is needed when getting a prior authorization. It was my understanding that this is not possible and is included in the surgical package. If anyone can give me any information I would be most grateful. Please let me know if you have a link that I am able to research and print out. Also, please let me know if I am incorrect.

thanks in advance

Medical Billing and Coding Forum

Credentialing & Peer Review Legal Insider, August 2016

New PSO guidance raises questions over patient safety work product privilege

In May, the U.S. Department of Health and Human Services (HHS) published Guidance Regarding Patient Safety Work Product and Providers’ External Obligations in the hopes of clarifying what documents are considered patient safety work product (PSWP) and thus protected from discovery during litigation. Because the guidance has far-reaching implications for the scope of the privilege and confidentiality protection, providers should consider reexamining their process for collecting information in the pursuit of improving patient safety.

Under the Patient Safety and Quality Improvement Act (PSQIA), providers collect and manage information through a patient safety evaluation system (PSES), which is then sent to a patient safety organization (PSO) for analysis and feedback. To motivate providers to participate in PSOs, PSQIA entitles the submitted information to broad privilege and confidentiality protections.

According to Michael R. Callahan, Esq., partner at Katten Muchin Rosenman, LLP, in Chicago, the guidance may impact how discoverability disputes are handled in courts. To understand why, consider the three primary buckets of patient safety information:

  • Bucket one: All mandated reports. For example, some states like New York and Florida require mandated adverse reporting if a wrong site surgery is performed. For these incidents, hospitals are required to prepare and submit a report to the state. Reports that fall within this bucket shouldn’t be treated as PSWP.
  • Bucket two: All reports that hospitals are required to collect and maintain pursuant to state and federal law, such as the Medicare Conditions of Participation (CoP).
  • Bucket three: All other information collected and maintained in a hospital’s PSES to improve quality, safety, and patient outcomes. This information is PSWP.

Disputes will arise from reports that fall into bucket two, Callahan says. HHS’s guidance stated that this type of information isn’t PSWP, but not all state and federal laws have crystal clear language defining what information hospitals need to collect and maintain.

"You will seldom find in the state and federal laws a specific list of documents which identifies the kinds of records and reports a provider is required to maintain and collect and to make available for inspection by a governmental authority. It is not that clear cut and hospitals use different terminology," he says.

For example, Callahan points out that in the case Tibbs v. Bunnell, discussed later in this article, the dispute was over the question of whether an incident report collected and reported to a PSO by a defendant hospital was a bucket two document. "The language under Kentucky law obligated the hospital to maintain and collect ‘incident investigation reports’ but does this refer to the incident report, a resulting root cause analysis report or a peer review investigation report? Is it all or none of the above?"

 

The PSO guidance

The guidance, which was published in the Federal Register in May, clarifies what information can and cannot be called PSWP. Information can be PSWP if:

  • A provider prepares it for reporting to a PSO and follows through in the reporting
  • A PSO develops it for the conduct of patient safety activities
  • A provider places it in a PSES to be reported to a PSO

 

Information that can’t be PSWP includes:

  • Patient medical records, billing and discharge information, or any other original patient or provider information
  • Materials collected and maintained separately from a PSES
  • Records mandated by federal and state law
  • Information prepared to satisfy external obligations

 

One criticism of the guidance is its expansion of the concept of original patient and provider records, Callahan says. PSQIA states these records, such as medical records and billing information, can never be privileged. The guidance further clarified the scope of what these records include:

  • Original records required of a provider to meet any federal, state, or local public health or health oversight requirements regardless of whether they are maintained inside or outside of the PSES
  • Copies of records that reside within a provider’s PSES that were prepared to satisfy a federal, state, or local public health or health oversight record maintenance requirement if the records are maintained only within the PSES and any original records are either not maintained outside of the PSES or were lost or destroyed

Callahan takes issue with HHS’ expansion of the definition of an original patient and provider record to include bucket one and bucket two documents, especially since it was put forth in guidance and not a final rule.

The Administrative Procedure Act requires a notice and comment period before a final rule is adopted. However, HHS chose to issue the guidance without following this procedure, and therefore it should only be viewed as an interpretative rule, Callahan says. The U.S. Supreme Court decision earlier this year in the case of Perez v. Mortgage Bankers Association found that interpretive rules "do not have the force and effect of law."

"The guidance is simply an interpretation provided by HHS. While it certainly expresses the position of HHS, the Office of Civil Rights and the Agency for Healthcare Research and Quality (AHRQ) from a regulatory enforcement standpoint, it is not binding on state or federal courts," he says.

As a result, different interpretations of PSQIA will likely lead to continued challenges to court orders to turn over documents hospitals believe to be PSWP. Some of these discoverability disputes have made their way to state supreme courts.

 

Southern Baptist Hospital of Florida v. Charles

In a case that will go before the Florida Supreme Court later this year, Southern Baptist Hospital of Florida v. Charles, the PSO guidance may play a role in determining whether occurrence reports (reports that a hospital collects and maintains for events that are inconsistent with its routine operations or care of patients, or that could result in an injury) are PSWP.

The plaintiff sued Southern Baptist Hospital of Florida, claiming his sister suffered a catastrophic neurological injury due to negligence. During discovery, the plaintiff requested documents related to adverse medical incidents and the conduct of physicians who worked at the hospital. This request was made pursuant to Amendment 7 of the Florida Constitution, which provides patients with the right to access "any records made or received in the course of business by a healthcare facility or provider relating to any adverse medical incident."

Although the hospital produced some of the requested documents, it declined to turn over occurrence reports that were collected within its PSES and reported to its PSO, claiming they were PSWP and therefore privileged and confidential under PSQIA.

The plaintiff argued that PSQIA only protects documents generated exclusively for submission to a PSO, so anything collected to also satisfy a state law is not PSWP. The circuit court agreed, finding that information collected for dual purposes was not PSWP and ordered the hospital to produce the documents.

This order was later reversed by an appellate court, which said the documents were PSWP because they were collected in the hospital’s PSES and reported to a PSO. Further, documents can simultaneously be PSWP and meet a state reporting requirement. The plaintiff appealed to the state supreme court, which will hear the case in October.

Since the documents in question fall into bucket two, the plaintiff will likely cite the guidance to support a position that the reports can’t be treated as PSWP and therefore are discoverable, says Callahan. However, the argument can be made that the guidance is not legally binding on the courts.

 

Tibbs v. Bunnell

The release of the PSO guidance likely contributed to the U.S. Supreme Court’s denial to hear Tibbs v. Bunnell. The case would have provided a nationwide interpretation of the scope of privilege and confidentiality protections under PSQIA for reports submitted to a PSO, as well as whether PSQIA preempted state laws.

In Tibbs, a patient’s estate brought a wrongful death and medical malpractice suit against three surgeons employed by University of Kentucky Hospital. The plaintiffs sought to discover a post-incident event report generated by a surgical nurse through the hospital’s PSES and subsequently sent to its PSO.

At trial, the hospital argued that the report was protected under PSQIA and therefore not subject to discovery. However, the trial court ruled that the report was not protected under PSQIA. The hospital appealed.

Although the appellate court found that the privilege provided by the PSQIA did preempt the Kentucky state law, it stipulated that protections afforded by PSQIA only apply to documents that contain "self-examining analysis," meaning those in which the provider analyzes his or her own actions. The court then sent the matter back to the trial court for evaluation of whether the report contained self-examining analysis.

The hospital appealed to the Kentucky Supreme Court, arguing that the appellate court erroneously limited the scope of privilege protections under PSQIA. The Supreme Court reversed the Court of Appeals’ interpretation of PSQIA, finding it too narrow. However, it also ruled that the incident report was not protected under PSQIA because its creation, maintenance, and utilization was required in the regular course of the hospital’s business, as well as under Kentucky state law. Therefore it cannot be collected within the hospital’s PSES and treated as PSWP.

In response, the hospital filed a petition for the U.S. Supreme Court to review the Kentucky Supreme Court’s decision. The petition had the support of more than 50 PSOs, hospitals, and health systems from across the country, as well as the American Hospital Association, AMA, and The Joint Commission. Last October, the court asked the U.S. solicitor general to file a brief on his views of the case and whether the petition should be granted or denied.

Just as the guidance was published, the solicitor general filed his brief to the court. The brief recommended that the court deny the petition in light of the guidance issued by HHS and because hearing the case would be premature until it is seen how the lower courts interpret and apply the guidance.

In June, the U.S. Supreme Court denied the petition without comment and without remanding the case back to the Kentucky Supreme Court to take the guidance into consideration. This leaves the Kentucky Supreme Court’s ruling in place, although the decision is only binding on Kentucky courts.

 

Carron v. Rosenthal

Regardless of the U.S. Supreme Court’s denial to hear Tibbs, discovery disputes are still playing out in other courts. The Rhode Island Supreme Court will be hearing an appeal of an order for a hospital to produce incident reports in Carron v. Rosenthal. In this case, the plaintiff is suing her obstetrician and Newport Hospital for medical malpractice after her newborn baby suffered irreversible brain damage following a failed labor induction and died days later.

Two nurses prepared incident reports known as Medical Event Reporting System (MERS) reports, which were submitted to the hospital’s PSO. The hospital also produced separate state-mandated adverse event reports.

Later during discovery, the nurses were deposed but had difficulty remembering what had happened, so the plaintiffs asked that the hospital produce the MERS reports. The hospital objected, citing PSQIA and the Rhode Island Patient Safety Act.

According to Callahan, much of the plaintiff’s argument was based on the Kentucky Supreme Court’s decision in Tibbs that reports required by state statutes can’t be treated as PSWP. However, Newport Hospital argued that in Tibbs, the University of Kentucky Hospital collected state-mandated reports in its PSES. At Newport Hospital, state-mandated reports are collected separately. The MERS reports were separate reports distinguishable from the mandated reports and therefore were PSWP, according to the hospital.

Despite this argument, the trial court ruled in favor of the plaintiff and ordered the hospital to show the MERS reports to the nurses – but not the plaintiff – to refresh their memories before they were to be deposed again. The hospital appealed and, because Rhode Island does not have an appellate court, the state supreme court exercised its discretion to hear the hospital’s appeal. A decision is expected later this year.

 

What can providers do?

With the U.S. Supreme Court declining to hear Tibbs, and ongoing confusion regarding the guidance, providers that participate in a PSO have a few options for how to proceed.

Providers can choose not to do anything and simply maintain the status quo as they wait for further regulatory or judicial developments, says Callahan. "We have these other cases before state supreme courts and it’s conceivable one of those will be appealed. It doesn’t mean the U.S. Supreme Court is going to accept one of these other ones, but that’s a development that providers may want to wait on."

PSOs will also likely have questions about the guidance and will reach out to AHRQ for additional guidance, so providers will want to wait to see if there is any further clarification, he says.

Providers that choose to comply with the guidance will need to determine if any information they were previously collecting in their PSES for reporting to their PSO is no longer considered PSWP. These providers will need to review state and federal laws, including the Quality Assurance and Performance Improvement standards set forth in the Medicare CoP, to ensure the information doesn’t fall into buckets one or two, Callahan says. Anything that’s determined to fall into those two buckets will require modifications to the provider’s PSES policy.

Since the guidance is an interpretive rule, some providers may choose to fight requests to turn over disputed documents, Callahan says. Providers would choose this path if they believed a court would be more likely to side with their interpretation of PSQIA.

More drastically, providers could simply decide to abandon their PSOs altogether. However, there are several factors to consider before making that move, says Callahan.

The Affordable Care Act requires hospitals with more than 50 beds that want to provide healthcare services to patients enrolled in a state insurance exchange to be enrolled in a PSO. This was modified to allow hospitals to meet the requirement by contracting with a hospital engagement network (HEN) or quality improvement organization (QIO).

However, contracting with a HEN or QIO doesn’t offer providers the same privilege protection received from participating in a PSO. Those providers would still have their state law protections, but those vary and some states may not have any protections at all or limited protections, Callahan says.

Providers considering leaving their PSO will need to evaluate their state protections, including the scope of protected activities and entities.

"Using Illinois as an example, [state law protections] only generally apply to hospitals, surgery centers, and managed-care entities. The statutes do not apply to physicians, physician groups, labs, pharmacies, home health, or other licensed providers. So if you have formed a clinically integrated network with all these different provider boxes, only the hospital – for all practical purposes – will be protected," Callahan says.

Providers should also check to see if it’s possible under state law to inadvertently waive the privilege if protected information is not handled correctly (e.g., information is disclosed improperly). Under PSQIA, the protections afforded to PSWP can never be waived.

Callahan also notes it’s important for providers to know that state privilege protections only apply in state courts or state claims. So, for example, if a physician is terminated but falls under a protected class (race, age, sex, religion, etc.), he or she can file a federal claim. The physician can then request access to protected peer review documents. Although the hospital may try to argue that they are privileged and confidential under the state peer review statute, state privilege statutes cannot be asserted to preempt federal claims. However, if the documents were collected in a PSES and reported to a PSO, they would not be discoverable.

"The PSQIA has many advantages to offer. Part of the problem, however, is that there are not many appellate court interpretations of the law and most of those decisions have only involved medical malpractice cases," Callahan says. "Unfortunately, because the U.S. Supreme Court denied the petition in Tibbs, these disputes will have to be decided on a state-by-state basis. This is great for the attorneys but not helpful for PSOs and participating providers."

 

Case summary

Texas Supreme Court grants writ of mandamus for peer review committee records

The Supreme Court of Texas (the "Court") recently held that a trial court failed to adequately review allegedly privileged documents – to determine if they were disclosable pursuant to an exception to the state’s peer review statute – before issuing an order compelling Christus Santa Rosa Health System to produce them. As a result, the Court granted a petition for writ of mandamus filed by Christus, ordering the lower court to inspect the documents in question.

The documents concerned a peer review committee convened to review an unsuccessful surgery performed by Gerald Marcus Franklin, MD, in March 2012 to remove the left lobe of a patient’s thyroid gland. Franklin instead removed thymus gland tissue, requiring the patient to undergo a second surgery.

According to Franklin’s deposition, several weeks after the failed surgery he met with a three-member medical peer review committee to provide a verbal report. He said that complications arose due to an abundance of scar tissue, which made it difficult to distinguish between thymus and thyroid tissue. The unavailability of a cryostat machine, a critical piece of equipment that Franklin would have used during the surgery to diagnose the removed tissue, led him to end the surgery. During the meeting, the committee concluded that Franklin’s actions were reasonable and the committee chose not to take action.

As a result of the failed surgery, the patient filed a malpractice lawsuit against Franklin and his medical group in March 2013. Franklin subsequently filed a motion to designate Christus as a responsible third party, alleging that the unavailability of the cryostat machine was responsible for the surgery’s failure. The patient went on to add Christus as a defendant in the suit.

In March 2014, Franklin served Christus with a request to produce documents from its medical peer review file. Christus objected, arguing that the documents were protected from discovery under the medical peer review committee privilege provided by the Texas Occupations Code section 160.007(a), which states, "[E]ach proceeding or record of a medical peer review committee is confidential, and any communication made to a medical peer review committee is privileged."

Following an in camera review, the trial court ordered Christus to produce the documents under a protective order that mandated that they be disclosed only to Franklin and his attorneys.

Christus filed a motion to reconsider, which the trial court denied. Christus then filed a petition for writ of mandamus in the court of appeals, which was also denied, leading to it filing the petition with the state supreme court.

At issue was the interpretation and scope of an exception provided by Texas Occupations Code section 160.007(d), which states, "If a medical peer review committee takes action that could result in censure, suspension, restriction, limitation, revocation, or denial of membership or privileges in a healthcare entity, the affected physician shall be provided a written copy of the recommendation of the medical peer review committee and a copy of the final decision, including a statement of the basis for the decision."

Franklin argued that the documents were subject to disclosure under the exception because, even though the committee opted not to take any action, the medical peer review committee had the opportunity to recommend discipline.

The Court disagreed with Franklin’s interpretation of the privilege: "Looking to the intent of the Legislature, as we must, we conclude that the Legislature intended a medical peer review committee do more than simply convene for review for the exception to apply."

The Court found that applying this interpretation would require disclosure of a medical peer review committee’s documents every time it conducted a review, regardless of its outcome.

"Under this interpretation, it is difficult to conceive of an instance where the physician would not be entitled to the documents and the documents would remain privileged. This would in turn enfeeble confidentiality and prevent physicians from engaging in candid and uninhibited communications, which is essential for improving the standard of medical care in the state," the Court wrote.

The Court also found that the trial court did not review the documents in camera sufficiently to determine if the medical peer review committee took any actions that could result in one of the disciplinary actions listed in the exception to the medical peer review committee privilege, such as censure, suspension, or denial of privileges.

The trial court judge had stated he went through the documents page by page only to ensure that patient’s health information and social security numbers were not disclosed and didn’t look at the documents "closely enough" to determine whether the committee had taken any actions. Christus had argued that an in camera inspection of the documents would clarify if the exception applied.

The Court concluded that the trial court abused its discretion when it ordered Christus to produce the medical peer review committee documents; and ordered the trial court to vacate its order compelling production of the documents and to review the documents further to see if the exception applies.

Source: In re Christus Santa Rosa Health Sys., No. 14-1077 (Tex. May 27, 2016).

 

What does this mean for you?

J. Michael Eisner, Esq., of Eisner & Lugli in New Haven, Connecticut: The Court’s decision stands for the fundamental proposition that a court must comply with the plain meaning of the statutes that it is interpreting. While this may seem to be a "no brainer," too many courts ignore the plain meaning of statutes and act as if they were legislative bodies. Here, the statute required that disclosure only be made if the peer review committee recommended certain actions. According to the Texas Supreme Court, in spite of the clear wording in the statute, the trial court ordered disclosure without making the requisite determination(s). The Supreme Court sent the matter back to the trial court, ordering it to follow the statute.

 

Legal and regulatory news roundup

Find out what’s happening in the world of federal healthcare regulations by reviewing some recent headlines from across the country.

 

Senate Finance Committee aims to reform Stark Law

The Senate Finance Committee hopes to introduce legislation to reform the federal physician self-referral law, commonly referred to as the Stark Law. During a recent hearing, Chairman Orrin Hatch (R-Utah) said the committee would take some action by the end of 2016 but did not elaborate on what that might be.

In June, Hatch released a white paper discussing potential reforms to the Stark Law. Several commenters suggested repealing the law in its entirety. Others suggested changes to the law that would allow providers to implement new payment models.

In a statement released with the white paper, Hatch said the Stark Law is "a real burden for hospitals and doctors trying to find new ways to provide high quality care while reducing costs as they work to implement recent healthcare reforms."

 

Hundreds charged with healthcare fraud in nationwide sweep

More than 300 physicians, nurses, and other medical professionals across the country allegedly involved in healthcare fraud schemes face criminal and civil charges following what the U.S. Department of Justice called the largest coordinated takedown in history. The Medicare Fraud Strike Force in 36 federal districts led the sweep, which also involved 23 state Medicaid Fraud Control Units and 26 U.S. Attorney’s Offices.

The individuals charged are suspected of collectively submitting approximately $900 million in fraudulent billing to Medicare and Medicaid. They face multiple healthcare fraud-related charges, including conspiracy to commit healthcare fraud, aggravated identity theft, money laundering, and violations of the anti-kickback laws for schemes in which they submitted claims for medically unnecessary treatments. Often the treatments were never provided. In some cases kickbacks were paid to Medicare beneficiaries, patient recruiters, and other co-conspirators in return for providing beneficiary information to providers to use in submitting fraudulent billing.

Some of the highlights of the sweep include:

  • One hundred defendants from southern Florida were charged for their alleged involvement in schemes that resulted in $220 million in fraudulent billings for home healthcare, mental health services, and pharmacy fraud.
  • Eleven defendants in southern Texas were allegedly responsible for $47 million in fraudulent billing, including one physician who allowed unlicensed individuals to perform services and then billed Medicare as if he had performed them.
  • Twenty-two defendants in central California allegedly defrauded Medicare of $162 million. One physician is believed to be responsible for nearly $12 million through fraudulently billing for medically necessary vein ablation procedures.

 

In an announcement of the arrests, Attorney General Loretta E. Lynch said, "The wrongdoers that we pursue in these operations seek to use public funds for private enrichment. They target real people – many of them in need of significant medical care. They promise effective cures and therapies, but they provide none. Above all, they abuse basic bonds of trust – between doctor and patient; between pharmacist and doctor; between taxpayer and government – and pervert them to their own ends."

 

Cardiologist agrees to pay $2 million to settle kickback, false billing lawsuit

Asad Qamar, MD, of the Institute of Cardiovascular Excellence (ICE) of Ocala, Florida, has agreed to pay $2 million to resolve a lawsuit alleging he paid kickbacks to patients and improperly billed Medicare, Medicaid, and TRICARE – a healthcare program of the U.S. Department of Defense Military Health System. Qamar will also release any claim to $5.3 million in suspended Medicare funds and agreed to a three-year exclusion from participating in any federal healthcare program. This will be followed by a three-year integrity agreement with the Department of Health and Human Services Office of the Inspector General.

According to the U.S. Department of Justice, the lawsuit against Qamar claimed that he and ICE billed for peripheral artery interventional services and other related procedures, many of which were medically unnecessary according to the patients’ medical histories or records, or by the severity of their symptoms.

The lawsuit also alleged that Qamar and ICE persuaded patients to agree to the unnecessary procedures by routinely and indiscriminately waiving the 20% Medicare copayment. The copayment is typically used to help patients be smarter healthcare consumers and deter them from unnecessary procedures.

According to The Wall Street Journal, following a legal effort by the paper, CMS made public Medicare payment data which showed that Qamar had collected more than $18 million from Medicare in 2012. That ranked him second highest paid among all physicians in the country and four times more than the third highest paid cardiologist.

The settlement resolves two consolidated lawsuits originally filed under the whistleblower provision of the False Claims Act. The two individuals who originally brought the suit will receive about $1.3 million for their share of the settlement.

 

Former Warner Chilcott president acquitted on anti-kickback charge

W. Carl Reichel, former president of Warner Chilcott, was found not guilty of conspiring to pay kickbacks to physicians to induce them to prescribe its drugs.

The government’s case against Reichel alleged that he encouraged members of the sales force to provide physicians with payments, meals, and other rewards. According to court documents, Reichel was acquitted on grounds that there was insufficient evidence to suggest that he had ever given the sales team any such direction.

HCPro.com – Credentialing and Peer Review Legal Insider

Credentialing & Peer Review Legal Insider, July 2016

CMS proposes rolling back 2-midnight rule

The controversial 2-midnight rule may be no more following CMS’ release of its latest proposed rule for the hospital inpatient prospective payment system (IPPS). When it was first put in place for fiscal year 2014, the 2-midnight rule established a benchmark for inpatient admissions where a Medicare Part A payment would be considered reasonable and necessary for patient stays that lasted at least two midnights. Stays that didn’t reach that benchmark would be billed as outpatient services, which are covered by Medicare Part B and tend to result in lower hospital reimbursements.

Under the new proposed rule, CMS would no longer impose a 0.2% payment cut for inpatient stays under the 2-midnight rule. Hospitals would also receive a one-time 0.6% payment in fiscal year 2017 to offset the reduction in inpatient payments over the previous three years.

In the proposed rule, CMS wrote, "We still believe the assumptions underlying the 0.2[%] reduction to the rates put in place beginning in FY 2014 were reasonable at the time we made them in 2013. Nevertheless … in the context of this case, we believe it would be appropriate to use our authority … to prospectively remove, beginning in FY 2017, the 0.2[%] reduction to the rates put in place beginning in FY 2014."

The proposed rule, which would affect about 3,330 acute care hospitals and 430 long-term care hospitals, would apply to patient discharges from October 1, 2016 and later.

Under the proposed rule, acute care hospitals that are meaningful use electronic health record (EHR) users and that successfully participate in the Hospital Inpatient Quality Reporting Program would receive a 0.9% payment increase.

Overall, CMS estimates that the elimination of the payment cut and proposed payment increases will result in an additional $539 million in payments in fiscal year 2017.

CMS held a comment period for the proposed rule, which ended in June. A final rule will be issued August 1.

The proposed rule comes as welcome news to some. Following the announcement of the proposed rule, the American Hospital Association (AHA) released a statement from President and CEO Rick Pollack that said, "[The] rule includes a very important outcome because it reverses the inappropriate and unfair 0.2[%] payment reduction for inpatient services that was implemented as part of the original ‘two-midnight’ policy. The AHA successfully challenged [CMS’] interpretation through the courts to convince them to restore the resources that hospitals are lawfully due."

 

Background

Two years ago, CMS enacted the payment cuts for inpatient stays to offset an anticipated increase in inpatient admissions as a result of the 2014 IPPS 2-midnight rule. The increase in admissions was predicted to cost $220 million.

Following the rule’s introduction, there was vocal opposition to the rule from hospitals that argued it arbitrarily complicated care for Medicare beneficiaries, and legal challenges were subsequently launched over the 0.2% cut.

In the case Shands Jacksonville Medical Center v. Burwell, several hospitals and hospital associations, including the AHA, questioned whether Sylvia Burwell, secretary of the Department of Health and Human Services (HHS), had the authority to make the proposed across-the-board reductions, and whether her prediction of the $220 million increase was valid.

In September, the U.S. District Court for the District of Columbia found that HHS did have the authority to reduce the reimbursement rates, but that the justification for the 0.2% cut was lacking.

In his ruling, District Judge Randolph Moss wrote, "The Court is unable to evaluate whether the [s]ecretary’s decision was reasonable because her omission prevented the public from offering meaningful comments. The [p]laintiffs never had the opportunity to explain where, in their view, she went wrong, and, thus, the [s]ecretary never had to provide a reasoned justification of her position."

Moss ordered Burwell to provide additional justification for the reimbursement cut and allow a public comment period. CMS issued a request for comments in December.

The following month, 55 additional hospitals filed a similar lawsuit over the 2-midnight rule’s 0.2% inpatient payment cut and the estimated increase in inpatient admissions the cut was based on.

 

CMS pauses reviews of short-stay claims

On a related note, in May, CMS put a temporary pause on reviews performed by Beneficiary and Family Centered Care Quality Improvement Organizations (BFCC-QIO) to determine if payments under Medicare Part A are appropriate for claims for inpatient stays that span less than two midnights.

In a message posted June 6, CMS explained it "became aware of inconsistencies in the BFCC-QIOs’ application of the two-midnight policy for short hospital stay reviews, and … we temporarily paused short stay patient status reviews to give us time to improve standardization in the BFCC-QIOs’ review process."

BFCC-QIOs will use the temporary pause to complete retraining on the two-midnight policy and to review all claims that were denied since last October. BFCC-QIOs began conducting the short-stay claim reviews in October, which were previously conducted by Medicare Administrative Contractors.

CMS believes audit activities will resume in 60–90 days, according to the update it posted in June. In the meantime, hospitals that previously had a claim denied should check with their BFCC-QIO to see if the claim has been denied before filing an appeal. Hospitals that have already filed appeals will have the findings of the re-review performed by the BFCC-QIO shared with the appeals adjudicators.

 

Five simple tips to help healthcare organizations prevent fraud

by Elizabeth Stepp, senior counsel at Oberheiden Law Group, in Dallas

It’s impossible to calculate the amount of healthcare fraud that exists, as much of it slips under the radar. However, healthcare fraud poses a serious problem, putting the health and welfare of beneficiaries at risk while costing taxpayers billions of dollars.

Preventing healthcare fraud and abuse is challenging, especially for hospitals, hospices, and other similar organizations. While there are a lot of honest and well-intentioned healthcare providers, there are quite a few perpetrators – ranging from street criminals to large companies. As such, owners of healthcare organizations need to be on their guard at all times. After all, allegations of fraud and abuse against low-level or top brass employees can affect the reputation of any healthcare organization.

But if you’re the owner of a small or large healthcare organization, don’t let this worry you. The following are some tips to help you prevent your organization’s reputation from taking a hit, and to avoid costly lawsuits.

 

Perform background checks before hiring

Pre-employment screening for employees, as well as contingent or temporary workers, is a common best practice for healthcare organizations. That being said, not all organizations have the time and resources to perform thorough background checks. Add to this a shortage of quality caregivers plus an increase in the number of patients, and employers find it easy to rely on trust instead of facts.

Since a single scam artist can taint your organization’s reputation, avoid employing or hiring individuals just because they appear to be trustworthy. Make sure pre-employment background checks include the following:

  • Education verification: Verify training and accreditation.
  • Employment verification: Crosscheck length of employment, position, and performance with previous companies. Note reasons for leaving and analyze gaps in employment history.
  • Record verification: Ensure that civil records are clean and confirm that there are no criminal records.

 

Additionally, check personal references, verify Social Security numbers, and have individuals undergo drug tests.

 

Have policies and procedures in place

Formalized policies and procedures promote regulatory compliance and workplace safety, and above all guarantee safe and quality patient care. Healthcare organizations also need to have policies and procedures in place to safeguard protected information. Start with defining access and authorization controls, and separate duties in order to reduce opportunities for fraud.

Make sure that policies and procedures are up-to-date and well written, so as to reduce practice variability. Practice that varies from one person to another can lead to sub-standard care and reliance on memory, which in turn can cause errors and oversights. Apart from this, organizations should have a defined set of internal controls to produce accurate financial reports, help comply with laws and regulations, oversee asset protection, and so on.

If you’re not sure about which policies to implement, getting in touch with a healthcare fraud defense attorney will be helpful. These lawyers can defend your case, and they know what it takes to prevent becoming a victim of fraud.

 

Perform audits regularly

Accurate and complete clinical documentation is important if you want to provide quality healthcare. The best way to improve documentation, and the care that your organization provides, is to conduct regular medical audits. Medical audits can also improve the financial health of your organization, and determine areas that need corrections and improvements.

Ensure that medical auditing and monitoring in your healthcare organization is:

  • A regular and ongoing process
  • Conducted by qualified professionals who lay emphasis on government enforcement actions and ensure compliance with internal, state, and federal rules and regulations
  • Performed by keeping senior officials and board members in the loop

 

Protect data

For healthcare organizations, protecting data can mean reducing the number of emergent care cases, improving patient outcomes, providing better oversight and care, and increasing revenue. This makes it necessary for all healthcare organizations – big and small – to protect data. That being said, a lot of small- and mid-sized healthcare organizations think spending on data protection is pointless, as even organizations that take the appropriate steps are attacked by fraudsters.

Sure, data breaches keep happening. But, if you do what’s right, you can definitely protect your organization from being an easy target – and healthcare abusers like easy targets.

Here are some things to keep in mind:

  • Dumping data in the trash can gives dumpster divers an opportunity to steal and sell private data. Make a point to shred all data before it is discarded.
  • Conduct a risk assessment in accordance with government regulations to help you review security policies, identify threats posed to your organization, and expose system vulnerabilities.
  • Remind employees to keep a watchful eye on data and to never leave electronic devices or records unattended.
  • Encryption technology known as SSL (Secure Sockets Layer), now superseded by TLS (Transport Layer Security), protects data in transit and can help prevent data breaches.
  • Keep a note of who can access records and manage user identities. Also, allow employees access only to information that is pertinent to their position.
  • Use complex passwords and two-factor authentication where possible.
  • Have a guest wireless network that’s separate from the main corporate network to offer additional protection.
  • Get in touch with a cloud vendor or a local security firm to host information systems. Clarify if you’ll be paying for a suite of services or just certain parts, such as encryption or threat management.
  • If you can’t afford to spend on data protection, turn to free open-source tools.

 

Make it easy to report fraud

Reporting fraud and abuse – or any suspicious activity – should be an easy process. You’ll also have to set up a system so that vendors, employees, and patients and their family members can report abuse anonymously.

Most importantly, take required action on all complaints received. By addressing issues promptly, you’ll instill confidence among your employees and patients.

 

Protect your healthcare organization today

As an honest healthcare provider, you’d certainly want your healthcare organization to be free of fraud and abuse. Having the right intentions alone won’t be able to help you achieve your goals; you’ll have to take the necessary steps too.

With the information given here, you now know what you need to do to ensure that your healthcare organization is safe. Implement these tips right away, and say goodbye to fraud and abuse!

 

What can be done about bias in peer review?

by Kym Morrissey, BA, CPHQ, CNMT, RT(N), peer review coordinator at St. Anthony Hospital in Lakewood, Colorado

A number of articles have been written about bias in peer review – what it is, how it affects the overall peer review process, and types of bias, to name a few. Bias is understandably the stumbling block to effective peer review. It is the one factor that can take a well-meaning committee that is truly focused on improvement and make it appear as if it is practicing sham peer review.

At St. Anthony Hospital, our professional review committee is a multidisciplinary committee that represents the most active specialties of the medical staff; it also has representation from internal medicine and primary care. Over the years, changes to committee scoring have been implemented to help score more fairly and with less bias.

To assess whether these changes have made an impact, we conduct a biannual survey to assess the perception of the peer review committee members. This has been done since 2009. For the past seven years, we have asked the same questions to allow for comparison across time as new members join, old members step down, and efforts toward improvement are implemented. Two questions specifically designed to assess bias have consistently been included in the survey:

  • Do you feel that the cases are reviewed in a fair and impartial manner by the committee members?
  • Do you feel that the action taken at the meeting is appropriate?

 

The results of those two questions reflect improvements that have been made and the impact of those improvements on our survey results. (See the chart at bottom-left.)

In 2010, multi-level scoring was implemented but included patient outcome, which inherently biases the case review, particularly if the outcome isn’t good. In 2012, the committee moved to a multilevel scoring system where overall practitioner care, issue identification, and documentation comprised the final case assessment. The perception of bias is slowly improving with the change to the multi-level scoring.

In 2013, one of the committee members suggested blind voting to increase members’ ability to vote with their conscience without the pressure of a show of hands. Initially this was done with a voting sheet, and the scores were tallied and reported during the meeting, but this method proved too onerous. The committee then started utilizing an audience response system to allow the members to vote privately. The voting results are displayed immediately so that the members are aware of the case level assessment.

It has been interesting to watch the voting reflect the opinions of the members. Previously a show of hands would be unanimous; it would be difficult to say that members were voting according to their conscience. Group pressure would prevail, and hands would go up as members looked around the table. With an audience response system, the results are more telling; rarely is there a unanimous vote. A simple majority determines the level assigned. In the case of a tie, the committee may discuss a few of the salient points again and then revote the question. The voting results are displayed immediately so that the members are aware of the case level assessment.

In reviewing the survey, the 2014 results marked the first time a unanimous response was registered to the question of whether the actions taken by the committee were appropriate. From a low of 41% in 2011 to 100% in 2014, we may say that anonymous voting has given the committee the freedom to vote truthfully and the peace of mind that actions are appropriate. The verbatim comments from the most recent survey of peer review committee members bear this out:

  • "The electronic voting has made final determinations more consistent and fair."
  • "I feel like I can express my opinion without risk of comment during the meeting because of electronic voting."
  • "Originally thought the voting took too long; now I appreciate the anonymity."

 

In summary, from much of the literature that exists on professional peer review, there is a general opinion that bias is one of its inherent enemies. Even small attempts to reduce bias can add value. Will we ever be able to overcome all bias? In all honesty, no, but we should not give up the battle to reduce it.

 

Legal and regulatory news roundup

Find out what’s happening in the world of federal healthcare regulations by reviewing some recent headlines from across the country.

 

Hospital’s EMTALA violations threaten its federal funding

CMS has threatened to cut Medicare and Medicaid funding for Indian Health Service’s (IHS) Sioux San Hospital in Rapid City, South Dakota, after an unannounced inspection in May found deficiencies in the emergency department.

According to the CMS report, the hospital failed to provide patients with timely medical screening examinations to determine whether they had an emergency medical condition, which is a violation of the Emergency Medical Treatment and Active Labor Act of 1986 (EMTALA). CMS based its findings on a review of medical records and interviews with patients, patient representatives, and hospital staff.

A case cited in the CMS report recounts how a mother brought her 6-month-old baby to the emergency department at Sioux San complaining of congestion, cough, runny nose, and watery eyes. The attending provider diagnosed the baby with a viral respiratory infection without taking a patient history, which would have revealed that the baby was born premature and had a history of respiratory distress. The baby later had a seizure and spent time in the ICU at another facility.

Shortly after the inspection, CMS informed IHS that it had until June 15 to address the deficiencies or risk losing Medicare and Medicaid reimbursements. IHS has submitted a 31-point corrective action plan, which CMS has accepted.

The corrective plan includes:

  • A review and revision of the existing EMTALA policies and staff training on any updates.
  • 24-hour coverage of the emergency department by an MD or DO every day. During high-volume periods, a second provider will be added.
  • Pediatric assessment training for all emergency department physicians and nurses.
  • A pediatrician on call 24/7 for consultations.
  • Timely medical screening examinations provided for all patients in the emergency department.
  • FPPE performed on the last 10 pediatric patients of all emergency department providers and medical staff.
  • Daily situation reports for IHS area directors, prepared by the hospital’s CEO.

Three defendants plead guilty in $580 million fraud, kickback case

The U.S. government’s ongoing investigation into kickbacks paid for patient referrals and fraudulent billing at Pacific Hospital in Long Beach, California, has led to three more defendants pleading guilty to federal charges. They join six other individuals who have already pleaded guilty to charges of participating in a 15-year-long scheme that illegally referred thousands of patients to the hospital and generated hundreds of millions in fraudulent billings.

The investigation is looking into allegations that dozens of surgeons and other medical professionals participated in a scheme with Pacific Hospital in which they were paid kickbacks for referring patients to the hospital for spinal surgeries. Members of the conspiracy were paid $15,000 for every lumbar fusion surgery and $10,000 for every cervical fusion surgery referred to Pacific Hospital. During the last eight years of the scheme, Pacific Hospital submitted more than $580 million in bills for spinal surgeries, many of which were paid by the federal workers’ compensation system and the California workers’ compensation system.

The latest defendants to plead guilty are Michael Drobot Jr., Linda Martin, and Michael Barri.

Drobot Jr. pleaded guilty to conspiracy and illegal kickback charges and faces up to 10 years in prison. He is the son of Michael Drobot Sr., the owner of Pacific Hospital who previously pleaded guilty to orchestrating the scheme in April 2014. Drobot Jr. solicited physicians and chiropractors to enter into the kickback arrangements with the hospital and served as a liaison with medical professionals.

Martin, a marketer for Pacific Hospital, also pleaded guilty to a conspiracy charge for recruiting medical professionals to refer patients to the hospital in exchange for kickbacks. She could be sentenced to up to five years in prison for her charge.

Barri, a chiropractor, pleaded guilty to a conspiracy count and admitted he received more than $158,000 in kickbacks during a nine-month period for referring dozens of patients to Pacific Hospital. Pacific Hospital used Barri’s referrals to bill insurance carriers $3.9 million for spinal surgeries. He faces up to five years in prison.

Drobot Jr., Martin, and Barri, along with the previous six defendants, have agreed to cooperate with the ongoing investigation being conducted by the FBI, the U.S. Postal Service Office of Inspector General, IRS Criminal Investigation, and the California Department of Insurance.

 

Healthcare providers responding to online reviews may violate HIPAA

A report from ProPublica has found that some healthcare providers apparently violate HIPAA when replying to reviews on the rating website Yelp. After analyzing more than 1.7 million reviews on the website, ProPublica found that some physicians, dentists, and chiropractors shared patient health information when responding to online criticism from patients.

ProPublica identified more than 3,500 one-star reviews on Yelp that mentioned privacy and HIPAA. The report further details several instances of HIPAA violations, which have resulted in warnings from the U.S. Department of Health and Human Services’ Office for Civil Rights as well as ongoing investigations after the patients filed complaints. The Office for Civil Rights, however, does not track how many complaints it has received regarding HIPAA violations on Yelp.

ProPublica was able to speak to some patients who claim their personal information was disclosed by providers on Yelp. They said the violation of their medical privacy only compounded the damage they received from poor care.

 

Physician indicted on kickback charges

A federal grand jury has indicted Hailu T. Kabtimer, MD, of Henderson, Tennessee, on five counts of violating the federal anti-kickback act.

According to the U.S. Attorney’s Office for the Middle District of Tennessee, from 2013 to 2014, Kabtimer allegedly accepted cash payments in exchange for referring patients to a particular medical equipment supplier.

The indictment alleges that, during that time, Kabtimer accepted kickback payments on eight occasions, totaling $3,400. Additionally, Kabtimer allegedly accepted $200 for every patient he referred for a continuous positive airway pressure ventilator and $300 for every patient he referred for an oxygen unit.

In a statement, U.S. Attorney David Rivera said, "Medical providers who break the law to enrich themselves will be caught and prosecuted … This office and our law enforcement partners will continue our vigorous efforts to enforce the anti-kickback law and to hold accountable medical professionals who accept illegal cash kickbacks."

If found guilty, Kabtimer faces up to five years in prison for each count. He would also face forfeiture of any proceeds traced back to offenses.

 

Data breach compromises 4,000 patients’ protected health information

More than 4,000 patients of Complete Chiropractic & Bodywork Therapies (CCBT) of Ann Arbor, Michigan, were recently notified of a breach that may have exposed their treatment and billing information. This includes patients’ encrypted electronic medical record data, such as their names, dates of birth, addresses, Social Security numbers, and health/diagnosis information.

CCBT reported the breach after discovering a server infected with malware. The server was immediately secured and disconnected from the internet; all workstation and vendor passwords were changed, and additional IT security safeguards were put in place, according to a statement released by CCBT.

An investigation determined that the malware was likely scanning for login and password information and that the first unauthorized access occurred four months prior to the breach’s discovery. However, CCBT noted that there was no indication that any patient information had been taken or inappropriately used.

CCBT has offered all affected patients a free year of identity theft protection.

Patient recruiter sentenced for Medicare fraud, kickback scheme

Carlos Rodriguez Nerey, owner and president of Nerey Professional Services, Inc., a Miami-based consulting and staffing company, will spend five years in prison for his role in a $2.3 million Medicare fraud scheme.

In April, following a one-week jury trial, Nerey was convicted of one count of conspiracy to defraud the United States and pay and receive healthcare kickbacks, and one count of receiving healthcare kickbacks. At Nerey’s recent sentencing, U.S. District Judge Darrin P. Gayles of the Southern District of Florida imposed the prison term and ordered that Nerey pay $2.3 million in restitution.

From October 2014 to September 2015, Nerey would accept kickbacks from Miami-based healthcare agencies Mercy Home Care, Inc., and D&D&D Home Health Care, Inc., in exchange for referring Medicare beneficiaries to serve as patients. Some patients didn’t actually qualify for home healthcare services based on Medicare’s rules and regulations. Nerey’s actions contributed to the submission and subsequent payment of millions of dollars in fraudulent claims to Medicare.

According to evidence presented at trial, Nerey created a shell company to accept approximately $250,000 in kickbacks from the two home healthcare agencies. He had also previously worked for several other fraudulent home healthcare agencies in the area.

 

HCPro.com – Credentialing and Peer Review Legal Insider
