Home Healthcare Accountants
Gustavo A. Viera, Home Healthcare Accountants, stated that the Centers for Medicare and Medicaid Services announced on August 10, 2011 that it will begin sending revalidation requests by mail to nearly 1.5 million health professionals, more than half of whom are physicians. These notifications are already being sent and will continue until March 23, 2013.
CMS has implemented new screening criteria for all Home Healthcare Accountants applications in an effort to weed out individuals and institutions that shouldn’t have billing privileges, according to VieraCPA, Home Healthcare Accountants. There is, however, a great concern expressed by many physician organizations that legitimate physicians and other Healthcare Agency professionals could mistakenly get caught up in this enrollment sweep, according to VieraCPA.
We aren’t joking about checking your mail, says VieraCPA. Once you receive the request, you will have sixty days to recertify your enrollment information. CMS is playing hardball: “Failure to submit the enrollment forms as requested may result in a deactivation of your Medicare billing privileges” according to according to VieraCPA.
Note that this recertification is also required for clinics and group practices. And, as you might expect Home Healthcare Accountants anticipate that the notifications for the physicians in a large group practice might arrive in a “piece meal” manner. Diligence is required on behalf of you and your staff to avoid having your Medicare billing privileges deactivated, says VieraCPA.
New Federal poster Requirements
The notification goes into further discussions regarding what it is illegal for an employer to do, as well as what it is illegal for a union that represents an employee to do.
Experts say the background to this situation is that this is actually a rule put forth by the National Labor Relations Board. It was not passed by the Congress nor was it signed by the President.
What does this do to Your Practice?
What this does is effectively inform your employees that they do have the right to organize. It is widely understood that the Service Employees International Union (SEIU) has specifically targeted the Southeast, where there are a number of right to work states, with the intent of organizing. The healthcare industry, being obviously a significant service industry, is one of the key targets, according to VieraCPA.
This being said, understand that if an employer knowingly and willfully even fails to post the notice, the failure may be considered as evidence of unlawful motive in an unfair labor practice case. The recommendation is that you watch for any implementation delays (there are a number of legal challenges of this requirement) and, assuming no change comply by Monday, November 14th. As practices become larger and larger due to mergers and other consolidations, it may inevitable that at some point or another, unions may approach your employees, or your employees approach unions.
HIPAA Enforcement Intensifies
The implementation of the HITECH Act under the ARRA in early 2009, and the recent refining of the regulations related to the enforcement of HIPAA by the Office of Civil Rights (OCR), has increased the scrutiny that healthcare organizations may undergo. In July 2011, the Office of Civil Rights awarded $9.2 million dollars to KPMG to conduct HIPAA compliance audits under the guidance of the Department of Health and Human Services staff. Under this program, there will be 150 audits varying in size and scope.
Of note in the discussion surrounding this project is the fact that most of the significant violators of late have been major institutions.
For example, UCLA Medical Center, Massachusetts General Hospital, and Cignet Health of St. George County Maryland. Mainly because of the publicity focused around HIPAA violations in national news coverage, there appears to be an increased awareness on the part of the general public about it. From January 1, 2010 thru December 31, 2010 there were 9,158 HIPAA complaints reported to the Office of Civil Rights nationally. Of those, 54% were resolved after intake and review. Of the remaining 4,229 cases that required investigation, in 2,703 (64%) the OCR required corrective action.
It’s worth taking a look at how this process works. As to how important cooperation is, in the case of Cignet, mentioned previously, $3 million of their $4.3 million fine was related to the fact that they failed to cooperate with OCR’s investigation on a continuing daily basis. This was perceived by the OCR as a willful neglect on behalf of Cignet to comply with the Privacy Rule.
Additional guidance will be forthcoming from CMS regarding specific issues related to the enforcement of the Security Rule under the HITECH Act. Look for this information to be published by CMS in the fall of 2011.
The Office of Civil Rights is seriously taking into account the severity of any privacy or security breach. There is what is known as a “threshold risk of harm” analysis that requires four steps. These are as follows:
- What was the nature of the data elements breached?
- What is the likelihood that the information is accessible and usable?
- What is the likelihood that the breach may lead to harm?
- What is the ability of the covered entity to mitigate the risk of harm?
Some of the many breaches that have occurred have related, for example, to the theft of laptops containing protected health information (PHI). In many of these cases, the nature of the elements breached was significant in that it related to PHI. However, the likelihood that the breach could lead to harm was minimal due to the security systems that had been implemented and enforced. Simply stated, it was likely the thieves wanted the laptop and had no interest whatsoever in the PHI that it contained.
In fact, in some cases, the laptops have been recovered at pawn shops, etc. by law enforcement agencies and the covered entity has determined that the information was never accessed.
VieraCPA are always available to assist you with questions related to the enforcement of HIPAA. Over the past few years we have had a number of situations in which our clients have been involved in breaches of PHI. Many of these were simply violations of common sense, others were due to carelessness. Fortunately we can state that none of them were done in a vindictive or truly harmful manner. Nonetheless, you need to be vigilant, constantly train your staff and keep them updated on HIPAA requirements.
Also be aware that a number of government agencies are involved in HIPAA enforcement. Aside from the HHS Office of Civil Rights, the Federal Trade Commission Bureau of Consumer Protection, the Centers for Medicare and Medicaid Services, as well as the Attorney General in your state may become involved.