What Now? How To Address A HIPAA Violation At Your Practice

Before a patient or caregiver files a HIPAA complaint about your doctor’s office or hospital, they will often complain to your staff about the problem. How you handle patient complaints is crucial in helping you avoid HIPAA lawsuits or complaints. A patient can’t sue you for a HIPAA violation directly. They can file a complaint with the Office of Civil Rights, with the Department of Health in the state they live in, and with the insurance providers they use. Once the complaint is filed, it will be investigated.

Handling Patient Complaints

When a patient or caregiver complains about a HIPAA violation to your office, have a staff member sit down and talk with them personally. Don’t ask them to fill out a form immediately, since this depersonalizes the problem and sometimes makes the patient or caregiver angrier. Before they fill out a form, let them tell you in their own words what happened.

When you receive a written complaint, call the person and make an appointment to speak with them. When discussing the problem, ask them to tell you what happened. This is an open-ended question. Try to listen and realize that their complaint might be valid. In many cases people just want to be heard, and this could keep the patient from reporting the incident to an outside agency as a HIPAA violation.

Listen to the complaint and why the person is making it. What do they want from your doctor’s office or hospital?  You can ask how you can resolve the problem or make it right.  Perhaps you might want to investigate the complaint by talking with staff and finding out their side of the story as well. Give the patient or caregiver a date that you will respond to their complaint.

Review medical records and billing records and note information that supports or refutes the complaint. Try to find a resolution. Get back to the patient or caregiver in writing in a few weeks or less with your findings.

Reporting the Complaint to Your Healthcare Insurance and Attorney

If the complaint is very serious, you may be required to report the complaint to your healthcare practice attorney and malpractice insurance company. Some carriers expect all complaints to be reported. Often reporting is only necessary if there is an insurance claim. Your staff may find themselves working with the risk manager and insurance claims rep. Your office or healthcare facility will have to decide if you need help from legal counsel.

A good healthcare attorney helps your practice investigate and resolve serious HIPAA violations. If the person who has complained has an attorney, you should notify your insurance carrier and get legal advice from an attorney yourself.

Resolution of the Complaint or HIPAA Violation

When you review the complaint, think about the damage done to your patient or caregiver. If your office did violate HIPAA regulations, ask what you can do to resolve the problem. Perhaps the patient just wants an apology, or you can take some disciplinary action against the employee who violated HIPAA. A cash amount or refund for medical expenses or loss of work is another option. This is for more serious HIPAA violations.

Serious HIPAA Violations

When a serious breach has been discovered, contacting your practice’s attorney to help investigate, document the HIPAA violation, and resolve the problem is important. Contacting your malpractice insurance company and reporting the complaint or violations is required. Often an attorney and their staff can offer advice and recommend where to get HIPAA training for your medical staff in dealing with HIPAA regulations and procedures. Legal advice from an attorney about HIPAA compliance can save your practice money and damage to your reputation.

Written by: Joan Russell

The Importance Of HIPAA Training: Employer Liability

Let me count the reasons for an employer to conduct HIPAA training. While orange is in this season, nobody wants to be on the receiving end of a criminal prosecution for the misuse of PHI. The headlines can kill even a thriving business and the penalties are equally terrifying.

With the capture and sale of Protected Health Information (PHI) quickly growing, employers should take proactive measures to protect themselves from the ethical, legal and criminal misconduct repercussions that can arise from a HIPAA violation. The complexities of HIPAA and the Privacy Rule can be mind-numbing, and organizations may be tempted to gloss over the nitty gritty, not understanding exactly how the law is enforced should an unlawful disclosure occur. This lackadaisical approach is a grave mistake, as the enforcement provisions for HIPAA are actually statutes of Title 42 of the U.S. Code which require civil and/or criminal remedies for violation.

HIPAA training is a vital operational component for any Covered Entity and should be a top priority every time a new employee is onboarded. Additionally, regular trainings should occur as a refresher for employees who have already undergone their training. While the regulations do not explicitly note a timeframe requirement for continued trainings, annual refreshers are a generally accepted best practice.

In the midst of normal business operations, HIPAA training may seem like a financial drain and time-consuming inconvenience. However, ensuring that all training requirements are instituted is a necessary safeguard against both intentional and unintentional employee violations.

Training every employee with access to PHI is an important step towards ensuring HIPAA compliance. While managers and physicians are typically the first to receive training, even the newest intern should receive training to ensure compliance. Many violations occur inadvertently because an entry- or mid-level employee is not well-versed in privacy requirements and has no frame of reference for appropriate use of PHI. Proactively training and offering refresher training can help Covered Entities steer clear of violations.

Sometimes, even proper training and good faith efforts to foster a HIPAA-compliant workforce do not protect an employer from liability in court. With this liability trend in mind, employers may choose to reconsider the access that employees have to information across the organization’s computer system. Limiting access will reduce the incidences where an employee can illegally access personal patient information. As learned through the $1.33 million award in Walgreen Co. v. Abigail E. Hinchey, misguided employee activity that falls within the “normal scope of employment” can lead to employer liability. Reducing the access that an employee has within his or her “normal scope of employment” can afford greater legal protections for an employer in the instance of a violation.

All employers should take the following steps to reduce the potential for liability should an employee wrongfully use or disclose PHI in violation of HIPAA:

1. Establish corporate policies that align with HIPAA compliance standards

2. Audit employee activity

3. Pre-determine disciplinary policies should a violation occur

4. Document all HIPAA trainings

When building the privacy standards and training policies for an organization, remember that HIPAA establishes the national minimum standard. State laws can – and some do – require even greater privacy protections. All employers should be familiar with the additional requirements of the state they operate in. HIPAA compliance and appropriate training is a foundational aspect of any Covered Entity. 

Written by: Meagan Bates

Walking You Through The Stark Law: Summary, Violations, & Exceptions

What is the Stark Law? It’s a question that plagues any honest physician, surgeon, and medical staff throughout the country. To put it bluntly, it’s a complex law that applies to physicians who refer Medicare and Medicaid patients for services from which they or a family member receive financial compensation. It is a very broadly defined law that is not easy to understand. Violations of the statute can result in $15,000 fine per statute. Hospitals in several states have been heavily fined over the last few years for violations, and that’s not something that will stop soon.

The law relates largely to referrals, particularly Medicaid and Medicare ones. It was designed to keep physicians from using financial compensation agreements as an incentive to refer patients to specific practices for medical care. Stark law states that when a doctor receives financial compensation or money for a referral, this is a violation of the Stark Law. Financial compensation can come in a number of ways: whether it’s sending patients to a company that you own shares in or have a vested interest in, or simply receiving money or gifts from an organization as “thanks” for patient referrals, both are a violation of Stark law.

The fact is that referring anyone to a doctor or medical service that you receive money for may be a violation of this law. This includes laboratories for testing, radiology labs, pharmacies, or any services not part of your medical group. It doesn’t apply to patient referrals within a hospital from one service to another (i.e. a pediatric patient being sent to the same hospital’s radiology department for an x-ray), but rather is in the context of referrals from one healthcare organization to another healthcare organization in exchange for reward.

When you’re a physician entering into any medical business deal, it is advisable to consult with a lawyer if you question whether what you are doing violates the Stark law. This applies to medical practices, hospitals and small offices. When money is exchanged, it is wise to have a contract specifying the arrangement.

Any physician that refers Medicare and Medicaid patients should ask themselves if they or any member of their family are benefiting financially from the referral.  What health service is this referral for and is there a financial relationship between myself and the facility in question? Is money exchanged or do I own part of the business? Finally, is it legal or illegal?  If the answer is yes to one or more of these questions, it is wise to not make the referral.

Exceptions To The Stark Rule

The Stark law has exceptions when physicians refer a Medicare or Medicaid person to a business that is part of a group.  It is acceptable for in-office services offered for the practice, and with prepaid health plans. It is acceptable if the physician is affiliated with a hospital or group through work and does not receive money for the referral. If money is received for referrals there must be a contract between the physician and the employer. This is another exception in some cases.

The physician must allow the patient to choose another doctor or facility if they prefer to.  Referrals must not be based on volume and dominating the market for profit alone.  Often those in a group can share profits made from referrals. When referring patients for additional services, the other healthcare facility should be part of the group.  Often they will be offered in the same building or nearby.

Other exceptions have to do with a physician renting office space and equipment, then referring patients to that office. In many cases this is not a violation. When there is an employment relationship or the doctor is on staff at the hospital or multiple hospitals, this is another exception.  There are also exceptions for personal service arrangements and physician recruitment.

Stark Law Violations

Violations of the Stark law for medical companies and physicians involve illegal activities. Examples include marketing a drug or treatment not approved by the FDA and receiving payment for it; submitting false claims to Medicare and Medicaid for services never performed; paying physicians or doctors kickbacks to continually refer to or use a certain company or medical facility; and admitting patients and using services for treatments that do not need to be performed, or paying physicians far more than the market value.

One hospital found guilty of breaking the Stark law paid money to nursing homes and outside services to receive government contracts or be awarded contracts that were open for bids. This violates fair competition among different medical groups. Some physicians have been paid by the pharmaceutical industry to prescribe a medication or group of medications to hundreds of Medicare and Medicaid patients. This is a violation of the Stark law.

Kickbacks and illegal compensation for services are the backbone of the Stark law. This often involves money paid by companies to physicians to prescribe only their drugs or to recommend treatments not needed, billing Medicare and Medicaid for services not performed, and the like. Since the Stark laws are complex and do involve contracts and legal arrangements, physicians should contact a lawyer to learn more about the Stark laws and how they apply to them and their circumstances.

It is crucial for hospitals, medical practices and any type of physician that refers other services to know Stark law and review it with a lawyer when in doubt concerning Medicare and Medicaid. Stark violations carry a high price in terms of money, fines, and loss of business. The Stark Law definition is confusing and may need clarification in your medical practice, doctor’s office, laboratory, nursing home, or hospital.

Written by: Joan Russell

3 Things You Didn't Know About HIPAA

HIPAA is a monumental act in American history, offering protection for patient’s health information in a constantly changing health care environment. With the multi-stakeholder payment and reimbursement processes, HIPAA serves as a protection for patients that the parties managing their information must follow. In order to be an informed consumer of health care, patients should strive to familiarize themselves with the policies that affect their personal information and relationships with care providers and payers. The questions below detail three areas that patients may not know about the HIPAA law.

What does HIPAA stand for?

HIPAA is an acronym that represents the Health Insurance Portability and Accountability Act. While knowing the full name of the policy is important, just stick with HIPAA for general conversations. The abbreviation is widely accepted and understood by most everyone working in the health care environment.

What are my rights under HIPAA?

Many patients have asked their physicians and other medical staff to clarify how HIPAA affects them, their children and the personal information associated with their medical care. Primarily, HIPAA affords patients the right to obtain a copy of their health information regardless of their payment status with the physician or hospital system. While a patient can request a paper copy of their medical information, it is also within the rights of any patient to request an electronic copy of their medical record; this includes labs and test results. Patients should also be aware that under HIPAA, a healthcare provider who initially conducted a test or other exam is not liable for the security of any information after it has been sent along to another organization such as a payer or clearinghouse.

Additionally, HIPAA provides detailed specifications governing what information family and friends are able to obtain from a patient’s physician. A patient generally has to provide permission, either written or verbal, before a health care provider can provide any details about diagnosis, treatment or payment to a friend or family member. A patient can imply consent over information sharing by bringing an additional person to a health care examination or meeting with a physician. In extreme circumstances, such as a debilitating injury or surgery, the treating physician will use his or her discretion to share medical information with family and friends involved in care decisions and payment. For instance, if a patient is unconscious from having her gallbladder removed, the physician will share her condition with a spouse; however, the physician will not share unrelated information about a past medical problem or an unrelated procedure, such as a wisdom teeth removal.

Are any organizations that hold my information exempt from HIPAA?

Yes. The Privacy Rule does not apply to employment records, which sometimes contain medical information. Differentiating an employment record from an employer-sponsored health plan is important to understanding how this exemption affects patients. The Privacy Rule ensures that any information related to your medical plan is protected. For instance, if BlueCross BlueShield is your insurance carrier, a representative from the insurance company will never share any reimbursement details with an employer, as this would be a flagrant HIPAA violation. However, if an employee needs to take medical leave for a condition, he or she may be required to submit a note from a physician or insurance provider, which would then be held in the unprotected employment record.

Understanding patient rights under HIPAA is an important component of being able to advocate for the best health care possible. When patients have a strong understanding of how policies impact their relationship with a physician, insurance carrier and employer, they can make more informed decisions about care and personal information disclosures. 

Written by: Meagan Bates

HIPAA: The Who's, What's, When's, and Why's of Disclosure

In 1996, President Bill Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) into effect. The Standards for Privacy of Individually Identifiable Health Information, or the Privacy Rule, was established by the U.S. Department of Health and Human Services to actually implement requirements. Fundamentally, HIPAA and the Privacy Rule exist to limit the frequency where a person’s protected health information (PHI) could be used or disclosed. The Privacy Rule is the first time in U.S. history that a comprehensive health policy came into effect requiring organizations to augment their standard operating procedures to demonstrate HIPAA compliance.

Disclosures must follow the strict policies of the privacy rule. In accordance with the violation and penalty structures, organizations should strive to always demonstrate positive intent and take all steps necessary to create an environment that prevents incidental or inadvertent disclosures. The Four W’s of HIPAA disclosure provide a framework for who should be cognizant of the privacy rule stipulations during the course of health care business. 

WHO: Any group that houses or transmits PHI is affected by HIPAA; this includes a whole host of potential parties, including health care providers, laboratories, pharmacies, insurance companies and clearing houses, known as covered entities. Additionally, any consultants or tangentially associated representatives such as lawyers and accountants are indirectly affected.

WHAT: A HIPAA disclosure, either intentional or incidental, is the sharing of PHI with another individual or entity. The Privacy Rule dictates that organizations protect patient information from being disclosed unless under direct compliance with the Privacy Rule stipulations or as the patient who owns the PHI authorizes in writing.

WHEN: Permitted uses and disclosures exclusively apply to the business of healthcare and are usually limited to other organizations or individuals who need the information to complete a component of the care or payment process. According to the Privacy Rule, several overarching themes dictate the legality of disclosures. Most commonly, information may be disclosed to an organization that is involved in the treatment or payment of a health care event; this usually includes a physician, pharmacy or payer. Secondarily, cursory details about an individual’s care or payment for care may be disclosed to family or friends upon the patient’s verbal agreement; this stipulation is largely at the discretion of the health care entity caring for the patient. In the course of business operations, minor incidental disclosures may occur without penalty if all reasonable safeguards are in place; such occurrences may include a patient in an adjoining room overhearing a diagnosis. Finally, PHI may be shared for public interest activities in circumstances such as abuse, law enforcement need or donation of tissue, and limited data sets may be provided with redacted identifying information for research purposes.

WHY: Disclosure policies establish safeguards to ensure that patient information is not released to organizations or individuals when it is not pertinent to the administration or payment of health care.

HIPAA violations, or the disclosure of PHI in any manner not consistent with the Privacy Rule, can result in civil and criminal penalties in adherence with the American Recovery and Reinvestments Act of 2008 which built a penalty structure for HIPAA violations. Violation penalties increase in direct correlation with the level of neglect associated with the violation. For instance, if a violation occurs but the violator was not aware, the penalty is $100 per violation; however, if a violation occurs out of willful neglect and is not corrected, the penalty is $50,000 for each violation. Intentional disclosures with the intent to sell the information can result in up to ten years of jail time and substantially increased fines. 

When dealing with HIPAA rules and regulations, organizations should regularly train staff and consult with third-party experts to ensure that all components of the business are aligned with the Privacy Rule. In an ever-evolving health care environment, the circumstances of disclosure are often left to the judgment of the health care professional involved in the interaction. Demonstrating good intent through adherence to best practices will serve an organization well should an incidental violation ever occur.

Written by: Meagan Bates

Understanding HIPAA: Acceptable Uses Of Private Healthcare Information

What is HIPAA Compliance? The Healthcare Insurance Portability and Accountability Act is designed to protect a patient’s privacy. It protects the patient’s name and address, social security number, insurance information, medications, and medical records. Employees and healthcare providers can access this information when they need to treat, receive payment, or manage healthcare operations.

When it comes to HIPAA at the workplace, it’s crucial for your practice’s employees to know how to properly handle this confidential information, otherwise you may find yourself neck deep in HIPAA malpractice suits.

A great rule of thumb is to give out as little information about patients as possible when it is requested. Only release what is needed to get the patient treated, and when in doubt employees should ask their supervisor or compliance officer. HIPAA compliance rules refer primarily to electronic medical information. Employees should ask the question “do I need to see the medical information to perform my job?” When the answer is yes, then it is acceptable. When the answer is no, refrain from using the information.

Acceptable Uses of Private Healthcare Information  


·       Sending information from one healthcare department to another to make sure a procedure is performed.

·       Two physicians sharing information so a patient can be treated. 

·       Referring a patient to a specialist.

·       Information can be discussed and coordinated at nursing stations

·       Discussing lab tests in joint treatment areas

·       Healthcare professionals can discuss information during training or rounds in healthcare facilities

·       Pharmacists can discuss a prescription over the phone or in person with a doctor or patient

Payment and Healthcare Operations      

·       Determining eligibility of a patient under an insurance plan.

·        Billing and collection purposes and reviewing medical services and their necessity.

·       Conducting assessments for improvement of services in healthcare settings

·       Reviewing the qualifications of healthcare professionals

·       Conducting or arranging a medical review of physician or healthcare facilities.

HIPAA violations are much more common in the workplace than we like to think, and it’s likely that you’ll run into a compliance issue with one of your employees at some point. Don’t panic. Dealing with a HIPAA violation isn’t the end of the world, and if you know what to look out for, you’ll be able to minimize the number of violations that take place at your center. Familiarize yourself with common HIPAA violations and make sure to set a standard HIPAA training protocol in place for your staff. 

Common HIPAA Violations And How To Avoid Them

HIPAA violations are much more common in the workplace than we like to think, and it’s likely that you’ll run into a compliance issue with one of your employees at some point. Don’t panic. Dealing with a HIPAA violation isn’t the end of the world, and if you know what to look out for, you’ll be able to minimize the number of violations that take place at your center.

Common HIPAA violations include:

·       Accessing the healthcare information of family members or friends when you are not on the healthcare team to treat them.

·       Giving a prescription or health information to the wrong person. 

·       Calling a family member or friend about someone you know being admitted to the hospital or clinic, or revealing their medical condition.

·       Sharing your password for PHI medical information with other people.

·       Emailing medical information about a patient to friends for gossiping purposes or accidentally sending the information to the wrong person.

·       Talking about patients and their treatment in a cafeteria, elevator, or other public place.

·       Leaving a PHI work station without logging off.

·       Improper disposal of paper documents and sign in sheets that reveal patient diagnoses.

·       Posting photos of patients to social media or discussing PHI on social media.

HIPAA violations happen in healthcare, but it’s important for you to do everything you can to prevent them at your practice. Providing new and current employees with HIPAA training and refreshers will go a long way towards minimizing your risk of violations. Here are some additional areas you should cover with employees.

Proper Disposal of PHI Information

Sometimes a HIPAA violation can come from something as simple as what’s in the company trash bin. Make sure to warn staff to properly shred or cut any paperwork with PHI information on it before throwing it away. Labels and patient IDs should be shredded and put in a locked confidential shred box. When that is not possible, cut or shred plastic IDs so they are not readable. Electronic patient information should be disposed of correctly.

Computer Compliance

All computers should have their own password and software that limits employee access to PHI information. Records should be backed up and stored in a secure place. Computers should be positioned so that others cannot read information as they walk by. Use screen savers when computers aren’t in use, and make sure that sessions expire quickly when not being used. When sending out any emails with PHI information, those emails should be encrypted.

Files and Papers and Communications

When displaying charts in the doctor’s exam room, tape a piece of paper in the holder so no one can read the charts.  Leave patient information out of public areas. Do not use patient names in newsletters, articles or blogs without their explicit permission. Always remember to put away folders and paperwork.

Lower your voice when discussing patients in the office and with others.  Check the waiting area to make sure patients cannot overhear the office telephone calls. When you leave a message on a phone, keep it brief and professional. Ask patients the best way to contact them about test results or doctor appointments, and familiarize yourself with any other third parties this patient’s information is allowed to be released to.

Put An Employee In Charge of HIPAA Compliance

Putting someone in the office in charge of HIPAA compliance will help with developing and enforcing a checklist. In small offices this can be the office manager, office worker, nurse, or even doctor. Giving all employees training on HIPAA compliance is another job for the compliance officer. Be sure to train them on how to release information to the right sources, inappropriate ways to handle information, and how to handle computer information.

Sometimes you can arrange for a compliance officer from the outside. They can train your staff and monitor your performance on a part time basis. This is often a good option for larger offices or even hospitals.

At the end of the day, some basic training can help you avoid major HIPAA violations in your healthcare practice with employees. This is an important part of training your employees properly.

7 Different Types of HIPAA Violations

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is legislation that provides for the privacy and security of patients’ medical information. Under HIPAA, protected health information (PHI), which is defined as individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium, must be kept confidential. Violations of HIPAA can result in civil and/or criminal penalties, so it is important to understand the different ways (whether negligent or intentional) HIPAA can be violated so you can take preventative action.

What is a HIPAA violation? The best way to understand what constitutes a HIPAA violation is to look at examples, so I’ve compiled a list of 7 different types of common HIPAA violations. This is by no means an exhaustive list, but it does illustrate just how easy it is for HIPAA violations to occur.

Lost or stolen devices—if there is not proper encryption and password protection on electronic devices such as laptops and smart phones, unauthorized people can gain access to PHI if one of these devices falls into the wrong hands.

Improper disposal of information—all paperwork containing PHI needs to be shredded, because if it is simply thrown away, anyone could walk by the trash can and pluck confidential patient information out of the garbage. Similarly, data stored in digital form needs to be properly wiped from devices and old hard drives or flash drives should be physically destroyed.

Third-party disclosure—most practices have subcontractors and business associates, and if these associates violate HIPAA then YOU are legally responsible for their non-compliance! Businesses must ensure any third-party associates have policies in place regarding HIPAA compliance.

Unauthorized release of information—unless the patient is a dependent or Power of Attorney has been granted, PHI cannot be released to anyone other than the patient, including family members, without their signed consent.

Using or selling PHI for personal gain—employees with access to PHI aren’t always honest, and whether they simply snoop to satisfy personal curiosity or actually use or sell patients’ PHI for personal gain, this is a serious infraction.

Unsecured records—under HIPAA, electronic and paper files containing PHI must be secured. This includes making sure electronic devices are password protected and paper files are stored in secure, locked areas. This also applies to leaving paperwork with PHI out in the open (such as on a desk) where it can be seen by prying eyes.

Overheard information—discussing PHI, even with co-workers or other authorized parties, in public places or anywhere it can be overheard by others is asking for trouble. This is tantamount to discussing PHI with your significant other, best friend, or posting about it on social media.

Ensuring all personnel are properly trained and have a good understanding of HIPAA is vital to preventing violations. Employers can take precautions such as encrypting data, password protecting electronic devices, and securing records; however, employees are personally responsible for exercising integrity with regard to PHI and not releasing confidential information in person, via the telephone, electronically, or on social media.

Additionally, the HIPAA Breach Notification Rule “requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.” A breach is an improper disclosure of PHI which compromises the information’s security, privacy, or both, and there are breach notification guidelines that include notification of the affected individuals, the Secretary of the U.S. Department of Health and Human Services, and possibly the media.

It is in the best interest of professionals and patients alike to abide by HIPAA—not only that, but it’s the law. As U.S. citizens we have a right to the privacy and security of our personal information, and in the digital age we all must be especially vigilant in preserving this right. 

Written by: Margaret Durkovic

Things Every Healthcare Practice Needs To Know About The Anti-Kickback Statute: Part 1


If you’re in healthcare, chances are you’re quite familiar with the Anti-Kickback Statute. It’s that federal regulation that’s got your practice’s physician liaisons sweating with every delivered gift basket. Technically speaking, the AKS prohibits “the offering, solicitation, or acceptance of any type of gift or remuneration in exchange for rewarding referrals for federal healthcare program business.” Sounds intense, right?

One of the biggest issues with the Anti-Kickback Statute is that it’s so broad. It’s been around for over 40 years, and physicians today are still struggling to understand exactly what it is and how it affects their practice. There’s not enough time in the world for me to go over all the different nuances, but here are 7 things every healthcare provider should know about the Anti-Kickback Statute, split into two separate posts so you’re not overwhelmed at once. In this first post, we’ll be covering the basics.

1. Understand its origins.

The Anti-Kickback Statute isn’t exactly new to the market. It was enacted by Congress in 1972 as an amendment to the Social Security Act.

2. Familiarize yourself with why the regulation was originally put in place.

The AKS was put in place primarily to address the many loopholes in the Social Security Act. These loopholes made it easier for organizations to defraud healthcare programs through the use of kickbacks, and also made it incredibly tough to prosecute offenders.

The primary goal of the AKS was to “close the SSA loopholes by providing clearer standards through which to prosecute fraudulent healthcare organizations”. Their way of accomplishing this? Spelling out offences relating to healthcare referrals and putting clear penalties in place for those who violated the law.

3. Be able to recite the basics.

The AKS is a complicated and fairly wordy document, but at the end of the day there are a few general concepts everyone in healthcare needs to be aware of. Long story short, the AKS makes the following three things illegal:

· A physician or health service provider claiming reimbursements from Medicare or Medicaid for payments made in kickbacks

· A physician/health service provider asking for compensation in return for referring patients who are on Medicaid or Medicare

· A health service provider compensating a physician or service provider for referring Medicare or Medicaid patients to them

The AKS can be confusing, but understanding the basics of this statute will go a long way towards keeping yourself protected. Next time we’ll dive a little deeper into four more AKS basics you should familiarize yourself with. 

Jeffrey P. Greenberg, LLC Listed As One Of 2017's Best Lawyers In America For Health Care Law

We're incredibly excited to share some news that we've been keeping a secret for quite a few weeks now. Jeffrey P. Greenberg, our very own lawyer, was selected by the Best Lawyers In America group as one of 2017's Best Lawyers In America. Jeff was selected specifically for his excellence of work in health care law, a service he's been providing to clients in Tampa and the surrounding communities for almost 20 years now. 


The Best Lawyers In America is an annual list put together by Best Lawyers that's been published since 1983. It ranks the top lawyers country-wide in a number of practice areas, and has long been regarded as the definitive guide to legal excellence. The lawyers selected for recognition are ranked by their peers through a peer-review survey, which surveys over 50,000 attorneys in a number of different practice areas.

It's an incredibly prestigious honor, and we couldn't be more proud of Jeff for the work he's done. Excited for Jeff? You can congratulate him on LinkedIn.

Impact of Supreme Court Decision on Obamacare With Jeff Greenberg, Lead Health Care Counsel for Atlantic Health Solutions

After hearing about the Supreme Court’s decision to uphold President Obama’s Affordable Care Act, we were interested to learn what the historical decision means for healthcare professionals from a legal sense. We spoke with Atlantic Health Solutions’ in-house legal counsel Jeff Greenberg, to hear his predictions for what’s to come.

What does the Supreme Court's decision to uphold the ACA mean for patients and their quality of care?

There will be a lot more patients in the health care system, as more will be covered with some type of health insurance. Some people have said that the quality of health care provided will suffer, because there will be so many more people with access to care and no increase in providers. Patients will likely see longer wait times and a difference in how quickly they can get appointments. It has been predicted that with more patients gaining access to care, patients could see the same scheduling issues typical of Canadian health care. Also, as lower reimbursement is expected, physicians might be led to be less motivated due to lack of revenue, leading to lower quality care. Fortunately, others say that providers have planned for this influx of volume, so the quality should remain the same. 

What does the decision mean for Physicians from a stability and care standpoint?

For physicians, this decision is a double-edged sword. While they will see greater patient volume, at the end of the day, physicians’ reimbursement is going to be lowered even more. Because someone is going to end up paying for these patients’ care, they will be forced to examine other options such as being pushed into the ACO model and bundled payments. Unfortunately, these options do not benefit specialists as much as primary care health care providers.  Many hope that while they will be getting paid less, they might make up for it with volume; the question will be if they can truly make a profit off of patients with government supplied insurance. Physicians’ main priority is to provide care to those in need, so many will accept lower paying insurance work, especially if their schedule needs to be filled, but many high quality providers will not be required to accept these patients, and if their schedule is full with high-revenue patients, there might not be room for others.

What can we expect to see happen in regards to hospitals purchasing IDTFs?

A lot more physicians may go work for hospitals as surviving as an outpatient facility is not necessarily easy or secure. Hospitals are also required to take all patients and they always have, so until now they have missed collecting from patients without means. Now they will collect from the government entities and be able to feed revenue to their hospital-owned providers.  This is good for those physicians comfortable with being an extension of the hospital, and fewer will see the benefits of being an IDTF (independent diagnostic testing facility) as opposed to being purchased to some.

What are the implications for patients who opt not to purchase insurance and continue to be uninsured?

If patients don’t purchase insurance, they can continue to be uninsured. Patients that cannot afford care and prefer to remain uninsured will not be penalized, however if you can afford insurance and decide to remain uninsured, you will pay a penalty each year. As for employers who are now required to provide insurance plans to their employees, many are determining whether purchasing the insurance or simply accepting the penalty is more affordable. Many believe that the penalty will be less expensive.  Businesses with less than 50 employees are not required to provide insurance and are presently unaffected by the Affordable Care Act.

So, is this the end of cash-pay?

This is absolutely not the end of self-pay and cash-pay patients will still demand concierge services and other cash-pay procedures. It is predicted that even after the decision to uphold the ACA, 20 million Americans will remain uninsured and will continue to utilize cash pay options.  It is also important to remember that the mandate is still subject to being repealed.

How do you think this will affect our nation's healthcare system long term?

Long term, it is too early to tell. If Romney gets elected, he will likely try to overturn the decision immediately and some states will still opt out of Medicaid Expansion, which could cause huge issues.  The conversation about Medicaid Expansion for states is still going on and the end result is still not clear. However, if everything remains as it is I would speculate cost and payment challenges, physicians being forced to work for hospitals/ACO’s, a larger patient population and some limited access to providers, with quality care and price transparency attempted to be driven.

CMS Transmittal 1104

CMS recently issued Transmittal 1104, effective January 1, 2013 (with an implementation date of January 7, 2013) dealing with the application of the Multiple Procedure Payment Reduction (“MPPR”) on the Professional Component (“PC”) and Technical Component (“TC”) of Certain Diagnostic Imaging Procedures to physicians in the same group practice.

Prior to this transmittal, the MPPR was applicable only when the same physician (not physicians in the same group practice) furnished multiple services to the same patient on the same day (in the same session). Now it applies to the physicians in the group practice in the same manner.

The transmittal states the policy as follows:

The MPPR on diagnostic imaging applies when multiple services are furnished by the same physician to the same patient in the same session on the same day.  The MPPR on certain diagnostic imaging services applies to PC and TC services.  It applies to both PC-only services, TC-only services, and to the PC and TC of global services.  Full payment is made for each PC and TC service with the highest payment under the MPFS.  Payment is made at 75 percent for subsequent PC services furnished by the same physician to the same patient in the same session on the same day.  Payment is made at 50 percent for subsequent TC services furnished by the same physician to the same patient in the same session on the same day.  The individual PC and TC services with the highest payments under the MPFS of globally billed services must be determined in order to calculate the reduction.

As stated, previously the MPPR applied only when an individual physician furnished multiple services to the same patient, in the same session, on the same day.  CMS therefore expanded the MPPR on the PC and TC of imaging services by applying it to physicians in the same group practice (same Group National Provider Identifier (NPI)) who furnish multiple services to the same patient, in the same session, on the same day.

The complete list of codes subject to the MPPR on diagnostic imaging is in the attachment to the transmittal. CMS will assume procedures furnished on the same date of service were furnished in the same session unless a modifier is used to indicate multiple sessions; in that case, the reduction will not apply.

Physicians and physician practices had fought hard in Congress and with CMS to prevent the foregoing from happening, arguing that, unlike the TC, the PC of diagnostic services was different even if multiple services were provided to the same patient in the same session (i.e., there are no economies of scale in professional services). They argued further that such was even truer with respect to different physicians in the same practice as different skills/intellectual activities were being performed by the different physicians, even to the same patient in the same session.

These arguments were to no avail, as imaging had a bull’s eye on its back again, and CMS found another way to cut reimbursement, this time with physician groups.