Foster Swift - Attorneys at Law - Health Care Law Report

On January 13, 2009, the Department of Health and Human Services (“DHHS”) Office for Civil Rights ("OCR") published new HIPAA Privacy Rule frequently asked questions ("FAQs") regarding family medical history information. The new FAQs, posted on the OCR website, provide guidance to both individuals and physicians relative to family medical history information.

The first FAQ clarifies that the HIPAA Privacy Rule does not limit an individual's ability to gather and share family medical history information, and that "individuals are free to provide their doctors with a complete family medical history or communicate with their doctors about conditions that run in the family.

The second and third FAQs address physicians, cautioning that, as "covered entities" under the HIPAA Privacy Rule, they are limited in what they can do with family medical history information. Specifically, physicians are reminded in the second FAQ that the HIPAA Privacy Rule allows physicians who are covered entities to use and disclose protected health information (PHI"), including family medical history, only for treatment, payment, and health care operation purposes without obtaining the individual's authorization. Further, physicians are cautioned that family medical history gathered in the course of treating a patient becomes part of that patient's medical record and is treated as PHI about that patient. Therefore, that patient, and not the family members described in the family medical history, may exercise his or her rights under HIPAA, including the right of access, amendment, and the ability to authorize disclosure to others.

In the third FAQ, OCR advises health care providers that the Privacy Rule permits health care providers, including physicians, to disclose PHI about a patient to another provider, when such information is requested for the treatment of a family member of the patient. OCR gives the example of an individual's physician providing information to the physician of the individual's family member about the individual's adverse reactions to anesthetics prior to the family member undergoing surgery. OCR indicates that these kinds of disclosures of PHI are permitted without the individual's authorization.

These new FAQs, directed largely toward physicians, are a reminder to physicians of their ongoing obligations to comply with the HIPAA Privacy and Security Rules. A physician who conducts certain transactions electronically, such as electronic billing to Medicare or private payors, is considered a covered entity under HIPAA and is subject to HIPAA's Privacy and Security Rules. The HIPAA Privacy Rule has a multitude of administrative requirements, including that physician practices have written policies and procedures, use certain forms (including authorizations and notices of privacy practices), and conduct training in its HIPAA policies and procedures for all members of its work force. The HIPAA Security Rule requires covered entities, including physician practices, to conduct a written risk assessment and enact certain safeguards to secure PHI stored electronically. Generally, compliance with HIPAA Security likewise requires physicians to have certain written policies, procedures and forms in place in their practices that are consistent with the HIPAA rules.

Despite the fact that the deadlines for compliance with the HIPAA Privacy and Security Rules were April 15, 2003 and April 20, 2005 respectively, many physicians are not yet compliant with either aspect of HIPAA. With electronic medical records becoming more prevalent and with increased audit activity on the part of OCR, the time is now for physicians to become compliant with HIPAA. Physicians are encouraged to contact experienced health care counsel to discuss their current and ongoing obligations to comply with these complex regulations.

Michigan Law Revised to Allow Access to a Decedent's Medical Records

By: Johanna M. Novak, Esq.

In 2008, the Michigan Legislature revised Michigan's Medical Records Access Act to include "heirs at law" in the Act's definition of an authorized representative entitled to obtain copies of a deceased patient's medical records or autopsy reports. The Act, found at MCL 333.26261 – 333.26271, was previously interpreted to generally only allow a deceased patient's heirs access to medical records or autopsy reports in the event of a will contest or for certain life insurance purposes, unless those heirs had been formally appointed by the probate court as the deceased patient's personal or authorized representative. This created a great deal of confusion and expense for surviving family members who had not otherwise planned on appearing before the probate court.

While the revised Act expanded the definition of authorized representative to now allow a deceased patient's heirs at law access to his or her medical records and autopsy reports, the Act offers no definition of an heir at law, other than to state that it includes but is not limited to a spouse. It also offers no guidance to health care providers on how to determine whether the requesting party is truly an heir at law. For example, one might assume that a marriage certificate would suffice in determining whether the requesting party is the deceased patient's spouse. However, a recent divorce could impact the validity of that certificate. In addition, if a single patient with no children passes, and an apparent sibling requests that patient's records, is the sibling an heir at law? It could depend on whether the patient's parents are still living, which would require some investigation on the part of the provider.

Michigan's Estates and Protected Individuals Code ("EPIC") defines an heir as the person who is entitled to the decedent's property under the laws of intestate succession. Although the Act does not refer readers to EPIC to determine whether the requesting party is an heir at law, EPIC is an obvious place to look. EPIC basically creates a priority list to determine how a decedent's property will be distributed if he or she has no will. However, it seems unreasonable to expect a health care provider to review EPIC and research family history to identify a true heir at law to avoid a possible privacy law violation.

To alleviate some uncertainty in identifying whether the person requesting the records is truly an heir, consider developing an affidavit for the requesting party to sign. By signing the affidavit in front of a notary, the requesting party is essentially testifying under oath that he or she is an heir according to the terms of the Act. If, down the road, it is determined that the requesting party was not being truthful, at least you can produce that affidavit and explain that you relied on that testimony and provided the records in good faith.

If you have any questions about the Medical Records Access Act, please contact attorney Johanna M. Novak at (517) 371-8231.

RACS ARE READY - ARE YOU?

By: Gary J. McRay, Esq.

Overview

Medicare oversees a variety of payment systems and a network of contractors that process over 1.2 billion claims each year. CMS Acting Administrator, Kerry Weems, has reported that CMS paid approximately $675 billion in 2008 to over one million providers. When there is this much money involved, there are going to be honest mistakes and, worse, intentional cheating. Recovery audit contractors ("RACs") were used in a three-year demonstration program that identified Medicare overpayments and underpayments to health care providers and suppliers in California, Florida, New York, Massachusetts, South Carolina and Arizona. This was so successful that it resulted in $1.03 billion being identified as improper payments, with only $37.8 million as underpayments. The cost to CMS was reportedly less than twenty cents for every dollar recovered.

The Tax Relief and Health Care Act of 2006 mandated a permanent national RAC program to be in place by January 1, 2010. In October of 2008, CMS announced the following four audit contractors for the permanent program: (1) Diversified Collection Services, Inc. of Livermore, California in Region A (initially Maine, New Hampshire, Vermont, Massachusetts, Rhode Island and New York); (2) CGI Technologies and Solutions, Inc. of Fairfax, Virginia ("CGI") in Region B (initially Michigan, Indiana and Minnesota); (3) Connolly Consulting Associates, Inc. of Wilton, Connecticut in Region C (initially South Carolina, Florida, Colorado and New Mexico); and (4) HealthDataInsights, Inc. of Las Vegas, Nevada in Region D (initially Montana, Wyoming, North Dakota, South Dakota, Utah and Arizona). Additional states will be added to each RAC region in 2009. The new RACs were selected based upon a competitive process, that reviewed (i) the level and quality of claim analysis, (ii) detail to customer service, (iii) conflict of interest reviews and (iv) competitive and low contingency fees. Before the RAC audits actually begin, the RACs propose to hold town hall type meetings with health care providers and CMS staff and representatives to discuss the program.

CMS originally imposed an automatic stay in the work of the RACs due to protests filed by two unsuccessful bidders. These protests were settled on February 4, 2009, with the four RACs subcontracting with the two unsuccessful bidders. PRG-Schultz, Inc. will serve as a subcontractor to CGI here in Michigan. In addition to the four audit contractors, CMS announced its contract with Provider Resources, Inc. of Erie, Pennsylvania to work as the RAC Validation Contractor. The RAC Validation Contractor will work with CMS and the RACs to approve any new issues the RACs want to pursue for improper payments and will perform accuracy reviews on a sample of randomly selected claims on which the RACs have already collected overpayments. CMS expects the RAC program to be as successful in returning monies to the Medicare Trust Fund as was true with the demonstration program.

Scope of the RAC Review

There are two types of review: automated review and complex review. An automated review is a review of claims data at the system level without a person actually reviewing the medical record and there is certainty that service is (i) not covered, (ii) incorrectly coded, (iii) a duplicate payment or (iv) some other claims-related overpayment. A complex review consists of an individual review of medical records and it is used in situations where there is a high probability that a claim includes an overpayment. Pursuant to the RAC Statement of Work, RACs are prohibited from selecting cases by a random review or sample. Instead, their charge is to make a targeted review using proprietary data analysis techniques in order to determine claims that are likely to contain overpayments.

Limitations on the Audit

With the RAC demonstration program, RACs were permitted to reopen claims up to four years following the date of the initial payment. Now RACs will be prohibited from reviewing claims more than three years past the date of initial payment and, more importantly, may only review claims on or after October 1, 2007.

Under the demonstration program, RACs did not need to employ a physician medical director or coding expert. Now RACs are required to have a medical director and (i) registered nurses or therapists to determine medical necessity and (ii) certified coders to make coding decisions. The credentials of reviewers must be presented upon request by the provider. If an audit results in a denial of a claim, the medical director must be available to discuss the denial if requested to do so. If the denial is overturned at any level of appeal, the RAC must pay back the contingency fee. When conducting reviews, RACs are bound to follow all National Coverage Decisions ("NCDs"), coverage provisions in Interpretive Manuals, national coverage, coding articles and Local Coverage Decisions ("LCDs").

What Subject Areas Will the RACs Focus Upon?

One piece of guidance might be the Work Plan published annually by the Office of Inspector General ("OIG") setting forth various projects and issues to be addressed during the upcoming fiscal year. Also, CMS periodically makes announcements or its representatives give speeches highlighting where they will focus their resources. For example, CMS Acting Administrator, Kerry Weems, in a recent presentation, mentioned rampant fraud in the home health and DME industries as areas of CMS concern.

In addition, the demonstration program focused on (i) incorrect coding, (ii) the failure to meet medical necessity, (iii) no or insufficient documentation and (iv) a variety of other reasons, such as duplicate claims and outdated fee schedules.

The Appeal of RAC Denials

Claim denials or claims of overpayments will be subject to the normal Medicare Part A and Part B appeals process found at 42 C.F.R. § 405.900 et seq. In a complex review where there is a RAC medical record request, the provider must respond within 45 days (unless there is an extension). The claim is automatically denied if the provider does not respond timely. Then the RAC has 60 days to make its determination. Where there is a claim denial, either in a complex review or an automated review, there should be a demand letter and a request for repayment, which triggers the appeal process.

The first level in the appeal process is the request for a redetermination, and this must be done in writing within 120 days of receiving the demand letter. § 405.942. There is a process for a party to request an extension of time for filing a redetermination with the RAC.

Any provider dissatisfied with the redetermination decision may then file a request to be reconsidered by a Qualified Independent Contractor ("QIC"). This second level of appeal must be filed within 180 days of receiving notice of the redetermination. § 405.962. Any request for reconsideration must be in writing and made on standard CMS forms with certain elements therein dictated by the regulations. A reconsideration consists of an independent, on-the-record review of the initial determination. The QIC will review the evidence and findings upon which the initial determination was based and any additional evidence the parties submit, or that the QIC obtains on its own. § 405.968. The QIC basically has 60 days upon receiving the request for reconsideration, plus any additional time provided for under the applicable regulations, to notify all the parties of its reconsideration or its inability to complete the reconsideration. § 405.970.

The reconsideration is final and binding unless a provider requests an Administrative Law Judge ("ALJ") hearing (or expedited access to judicial review is allowed or there is a reopening) which is the third level of review. § 405.978. This request must be filed within 60 days following receipt of the QIC's reconsideration decision. See § 405.1014. ALJ hearings may be conducted by video-teleconference, telephone or in person. The regulations favor hearings conducted by video-teleconference ("VTC"). If VTC is unavailable or if there are special or extraordinary circumstances, then the ALJ may conduct an in-person hearing. §405.1020. The regulations require that parties submit all written evidence they wish to have considered at the hearing with the request of the hearing or within ten days of receiving the notice of the hearing. § 405.1018. Within 90 days, beginning on the date when the request for a hearing is received (and unless the 90-day period is extended in accordance with the regulations), the ALJ will issue a written decision providing findings of fact, conclusions of law and the reasons for the decision. The decision is based on the evidence offered at the hearing or otherwise admitted into the record. § 405.1046.

The fourth level of appeal is the Medicare Appeals Council ("MAC") Review. The request for a MAC Review must be filed within 60 days following receipt of the ALJ's decision. See § 405.1102. The MAC will review the ALJ's decision de novo. The party requesting the appeal does not have the right to a hearing before the MAC. The MAC will consider all the evidence in the administrative record. Upon completion of its review, the MAC may adopt, modify or reverse the ALJ's decision or remand the case to an ALJ for further proceedings. § 405.1108.

The last step in the appeals process involving a RAC decision is judicial review in federal district court. A party has to file the action in federal district court within 60 days after the date it receives notice of the MAC decision. See § 405.1130. One notes that in federal court any findings of fact by HHS, if supported by substantial evidence, are conclusive. § 450.1136. If a federal district court remands a case to HHS for further consideration, the MAC, acting on behalf of the Secretary, may make a decision, or the MAC may remand the case to an ALJ with instructions to take action and either issue a decision, take other action or return the case to the MAC with a recommended decision.

Conclusion

There is no doubt that Medicare providers will receive additional audit activity because of the RAC Program. Providers will need to follow the issues being identified by CMS and by the RAC contractors, and will need to engage in self-auditing and monitoring to improve the accuracy of their claim submissions to CMS, especially in targeted audit areas. Many hospitals and other providers have done this assessment and are actively preparing for potential RAC audits. In addition, providers will need to timely and comprehensively respond to any audit requests from an Audit Contractor. It will be important to document each claim, proving the coding accuracy and the medical necessity for the services, plus keeping a photocopy for its own records. Never change any chart or record. If a handwritten note is illegible, a transcript may be typed but it has to be exact and any spelling mistakes and other errors have to stay. Providers need to be especially careful when responding to medical record requests. Failure to timely respond within 45 days of the request may trigger an automatic denial. RAC audits will be similar to other CMS audits, with the exception that the Audit Contractor will be highly motivated since it is making money at the expense of the provider. Unfortunately, hospitals and physicians are entering into a new, and less friendly, audit environment.

NEW REVISIONS TO MENTAL HEALTH PARITY ACT

By: Johanna M. Novak, Esq.

New revisions to the Mental Health Parity Act of 1996 ("Act") take effect on January 1, 2010, for most group health plans. Historically the Act prohibited group health plans from applying lower lifetime dollar limits to mental health benefits than were applied to medical and surgical benefits. For example, if a group health plan did not impose lifetime limits on substantially all medical and surgical benefits, then it could not impose any limits on mental health benefits offered under the plan.

The new revisions expand on these protections. If a plan provides mental health benefits, the financial requirements and treatment limitations for mental health coverage and substance abuse disorder benefits may not be more restrictive than the most frequent financial requirements and treatment limitations applied to substantially all medical and surgical benefits covered under the plan. Financial requirements include deductibles, co-payments, co-insurance, and out-of-pocket expenses. Treatment limitations include limits on the frequency of treatment, number of visits, and days of coverage.

In addition, if a group health plan provides out-of-network coverage for medical and surgical benefits, then the group health plan must also provide out-of-network coverage for mental health and substance abuse disorders.

The Act applies to group health plans with 51 or more employees in the prior calendar year. Small employers (those with 50 or fewer employees) are exempt. There is also a limited exemption for plans that experience an increase of at least 2% in actual total costs in the first plan year that the revisions take effect (or an increase of 1% annually thereafter). This rise in costs must be documented by an actuary and the exemption request filed with the Secretary of Labor.

Foster, Swift, Collins & Smith, P.C. is a 107-year old law firm with nearly 100 attorneys in five Michigan offices. The firm’s legal solutions are the result of experience, hard work, sound judgment and first rate professionals working cooperatively for the benefit of Foster Swift clients. The firm’s attorneys are members of the following client-centered practice groups: Administrative & Municipal • Banking, Finance & Real Estate • Business & Corporate • Commercial Litigation • General Litigation • Health Care • Employment, Labor & Benefits • Trusts & Estates • Workers’ Compensation.

Foster, Swift, Collins & Smith, P.C. Health Care Law Report is intended for general information for our clients and friends. This report highlights specific areas of law. This communication is not legal advice. The reader should consult an attorney to determine how the information applies to any specific situation.

IRS Circular 230 Notice: To ensure compliance with requirements imposed by the IRS, we inform you that any U.S. tax advice contained in this communication is not intended to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code, or (ii) promoting, marketing, or recommending to another party any transaction or matter addressed in this communication.

This e-mail is a Foster, Swift, Collins & Smith, P.C. electronic newsletter. If you no longer wish to receive the Health Care Law Report, please click UNSUBSCRIBE and place "Unsubscribe" in the subject line. You may also call 517.371.8100 or send a letter to Marketing, 313 South Washington Square, Lansing, MI 48933.

Lansing | Farmington Hills | Grand Rapids | Detroit | Marquette