HEALTHCARE LAW NEWS - VOLUME 56
SPEAKING OF EXTRAPOLATION
Courts normally allow audit findings, particularly those by governmental agencies, to be used as a basis for determining damages or overpayments. When extrapolation is used, the sample determined in the audit is used as a basis, with or without adjustments, to estimate the total damages or overpayments.
Medicare contractors, such as RAC contractors, may not use extrapolation to determine overpayment amounts unless the Secretary of HHS determines that there is a “sustained or high level of payment error”, or that educational intervention has failed to correct the payment error. This is important to keep in mind in dealing with various contract auditors (the same rules appear not to apply to OIG). You may wish to keep this in mind in determining who exactly the auditor is, and in filing any initial appeals. Since certain contract auditors appear to have used technical bases for denying claims, and then extrapolated those with a subset sample audit, it is only fair to point out that such contract auditors are not allowed to use that method.
However, as I noted below, if the appeal period continues to extend over several years, you may need to seek judicial intervention where such recoupment amounts are based upon an extrapolated subsample audit which is prohibited under federal law.
TODAY – NEXT HIPAA DEADLINE
Business associate agreements must be revised and in full compliance by September 23, 2014. The Omnibus Rule effective March 26, 2013, set this deadline. If your business associate agreements do not have updated contractor provisions, breach identification reporting obligation language, limitations on the use of PHI for marketing, PHI definition updates and updated sub-contractor provisions, they are likely not in compliance.
Also, unless you have completed your HIPAA Security Risk Assessment, I strongly recommend you do so by the end of 2014. The lack of a HIPAA Security Risk Assessment, much less one in proper form, is likely to result in additional fines and penalties in the event of a breach. You are welcome to ask me to assist you with the Security Risk Assessment, or you are welcome to use the HHS online Security Risk Assessment tools available at:
http:/www.healthit.gov/providers-professionals/security-risk-assessment-tool
I am also experienced in preparing HIPAA compliant business associate agreements, and in helping you identify other entities, whether subcontractors or your own vendors, who should also have business associate agreements.
INDIANA COUNTY HOSPITALS, DOCTOR PAY RELEASE
A battle is continuing between a state law which requires that public employees’ salaries be disclosed, and hospital officials who want to keep that information secret. Even though the Attorney General has opined that county hospitals must comply with the state law, county hospitals are seeking some way around disclosing this information, claiming that it puts them at a disadvantage somehow with private hospitals. This disadvantage to the public or to the doctors has not yet been explained.
Also, all twelve county hospitals haven’t complied, and there are questions about what methods can be used to force compliance. Expect this matter to be taken up by the 2015 Indiana legislature.
COMMUNITY HEALTH SYSTEMS DATA BREACH LAWSUIT
Tennessee based Community Health Systems had previously admitted that the personal information of 4.5 million patients had been breached. To date, Community Health Systems claims that it was non-medical data that was breached.
A lawsuit filed in the Northern District of Alabama claims that Community delayed in confirming the attack from April and June, and not reporting it until August, which impacted the former patients by denying them the ability to immediately respond to protect themselves. The complaint apparently alleges inadequate encryption.
This is another interesting case in that, if Community’s claim is true that no PHI was breached, what are the obligations under these circumstances, what is a reasonable time to wait to notify governmental agencies and those affected by the breach and, as discussed before, the impact of actual losses to the close potential loss to the class?
APPEALS ARE SOOOOO SLOW
Some Medicare beneficiaries have had it with delays over Medicaid appeals. A lawsuit was announced in Connecticut regarding the failure of HHS and CMS to comply with the statutory 90 day limit to resolve appeals. The suit claims that current law requires decisions in Medicare appeal cases within 90 days after a request for a hearing. The lawsuit claims that the current average wait time is currently 489 days, which would appear to be a clear violation of law. This may be the case that finally cracks open the question of whether not only providers have to comply with the law, but whether our government must comply with its own laws.
This newsletter is edited by Paul Wallace of Jones ∙ Wallace, LLC, a member of the American Bar Association Healthcare Law Section and the American Health Lawyers Association who has been representing physicians and healthcare practices for over 25 years. Mr. Wallace assists physicians in health practices in contract items, federal legal compliance, creation of practice entities, estate and wealth planning and similar issues. Please feel free to call if you have any questions on this newsletter or legal matters at (812) 402-1600 or pwallace@joneswallace.com.