Showing posts with label Health IT. Show all posts

Thursday, September 10, 2009

Red Flag Rules Enforcement Pushed Back Again

Red Flag Rules
By Brant Couch and Jason Lavender

We've all heard a horror story about identity theft - or perhaps you have been a victim yourself. But did you know that you (individually) and your hospital could be found guilty of stealing someone else's identity without even knowing that you did it? You read correctly. Any institution or individual who HANDLES personal non-public information is at risk of breaking new Federal and State Identity Theft Legislation. Non-compliance carries strong consequences such as fines, criminal and civil litigation and up to 10 years in prison.

This article focuses on one particular area known as the Red Flag Regulations. Enforcement has been delayed until May 1, 2009. In late 2007, the Federal Trade Commission ("FTC") issued sweeping regulations aimed at deterring, detecting and preventing identity theft. Under these rules, known as the Red Flag Regulations, 16 C.F.R. § 681.1 et seq. and Final Rule ("Red Flag Regulations"), financial institutions and creditors of covered accounts must establish a program to detect, prevent and mitigate identity theft. For more information go to http://www.ftc.gov/bcp/edu/pubs/articles/art11.shtm.

Most health care providers fall under the regulation due to its definition of Creditor. It applies to personal accounts that are paid after the service is rendered or if the service is intended to be paid in installments. Most health care accounts or charges are not paid in advance of service. However, even if a provider generally provides care on a pre-paid basis, accepting patient payments plus insurance payments amounts to a multiple-payment account, which would make the provider subject to the Red Flag regulations. It's important to note that the American Medical Association (AMA) and several other healthcare associations are making efforts to get the FTC to remove health care providers from the definition of Creditor. However, it appears that the FTC will continue to broaden the scope of who will need to comply rather than narrow it. In a February 4, 2009 response to the AMA, the FTC specifically addressed this issue by reinforcing that providers will not be excluded and cited several reasons why. To obtain a copy of this letter or more information you may email the authors of this article.

So what can health care providers do to get into compliance as quickly and cost-effectively as possible? Much of what needs to be done to comply can be done internally using your own staff. Many compliance plan templates are available for free and some at a nominal cost. However, the multiple steps required to comply fully with the regulation involve employee training for ALL staff, third party vendor notification, and possibly more heavy lifting. One option is to utilize an outside resource to assist in providing the employee training. TPHAC has a resource available to all members that provides these services at no cost.

Many medical facilities around the country have taken pro-active measures to ensure that they protect and educate their own staff and the public they serve by enforcing a solid privacy policy as one way to minimize internal risks. One CEO said, "We take pride in the fact that we are taking the reasonable steps necessary to protect our staff, patients and private records. Our employees have found significant value in the Identity Theft awareness training and related employee benefits we now provide."

One of the leading publications for business legal issues, Business & Legal Reports, writes:

"One solution that provides an affirmative defense against potential fines, fees, and lawsuits is to offer some sort of identity theft protection as an employee benefit. An employer can choose whether or not to pay for this benefit. The key is to make the protection available, and have a mandatory employee meeting on identity theft and the protection you are making available, similar to what most employers do for health insurance."

John Gardner, a former member of the South Carolina House of Representatives and 23-year veteran attorney, explains that, "The government says that an institution must have four things: a written privacy policy, someone to oversee that policy, training for your employees on the true problem of identity theft, and a mitigation plan in place."

Many health care providers either don't know about these laws or falsely believe that they are exempt from them. Some state governments like Texas have taken the aggressive approach of sending investigators out to businesses to look for violations.

"Identity theft is one of the fastest growing crimes in the United States," Attorney General Greg Abbott said. "Texans expect their personal information to be protected. The Office of the Attorney General will take all necessary steps to ensure that consumers are protected from identity thieves." And they have, making examples of many companies, from large ones like Radio Shack and EZ Corp to smaller businesses like modeling agencies and beauty colleges.

While there's no doubt that health care providers simply do not need any more government compliance headaches, it's clear that when it comes to identity theft there will be no letting up. The AMA will continue to contest this issue with the FTC. In the meantime, it is important to take immediate steps regarding compliance, and providing identity theft protection to your patients and employees might be the best way to address these challenges.

Brant Couch, CPA and Vice President with HealthSure, Inc., is located in Austin, Texas. He can be reached at 512-292-3315 or brantc@healthsure.com.

Jason Lavender, Managing Partner & Certified Identity Theft Risk Management Specialist with ID Theft Solutions of America, is located in Austin, Texas. He can be reached at 512-514-6598 or jlavender@idtsoa.com.

Thursday, August 27, 2009

New HIPAA Rules Coming Soon

In addition to moving HIPAA enforcement over to the Office of Civil Rights (OCR), HHS proposed new rules regarding HIPAA. The "breach notification" regulations, as part of the economic stimulus package, will require health providers, health plans and other entities covered by HIPAA to notify impacted individuals, HHS and the media of breaches impacting more than 500 individuals. Those entities that properly secure information through encryption or destruction will not be required to give notification.

These regulations will now cover business associates of covered entities. This is a big change to HIPAA.

Friday, August 14, 2009

Latest health IT regulations from the federal government for practices and health care facilities

"As the web continues its torrid growth, we simply have too many web sites to sort through, too many places to buy products from, too many software providers to pick from." - Anonymous Blogger


Health Care Information Technology Update

The health care industry is not immune to the vast array of information technology (IT) choices to sort through in the "Web 2.0" era. The following is an attempt by CAB Strategies to sort through the latest health IT laws and regulations that will impact Texas medical practices and health facilities in the near future. Please note that the following is for information purposes only and does not serve as legal advice.

American Recovery and Reinvestment Act of 2009 (HR 1/P.L. 111-5)

Signed into law by the president in February 2009 (also known as the Stimulus Act), this law incorporated the Health Information Technology for Economic and Clinical Health (HITECH) Act.

What does HR 1 do?

Beginning in January 2011, HR 1 provides Medicare reimbursement incentives to physicians (eligible professionals) and hospitals who are "meaningful users" of electronic health records (EHRs). (More about meaningful users down below.) Beginning in 2015, payment penalties will begin for physicians and facilities who are not meaningful users of EHRs.

Medicare incentive payments for hospitals

Incentive payments for eligible hospitals that are meaningful EHR users will begin in October 2010. Reduced payments for hospitals that fail to become meaningful EHR users will begin in FY 2015.

The incentive process for determining hospital incentive payments is a little complicated. According to CMS, the incentive payment for each eligible hospital would be based on the product of (1) an initial amount, (2) the Medicare share, and (3) a transition factor.

The initial amount

It is the sum of a $2 million base year amount plus a dollar amount based on the number of discharges for each eligible hospital.

The Medicare share

It is a fraction based on estimated Medicare fee-for-service and managed care inpatient bed-days and modified by charges for charity care.

The transition factor

It phases down the incentive payments over the four-year period. The factor equals 1 for the first year, ¾ for the second payment year, ½ for the third payment year, and ¼ for the fourth payment year. The transition factor is modified for hospitals that wait until 2014 to become a meaningful EHR user (their first year transition factor would be ¾ instead of 1).

What does this mean for ASCs?

The law does not provide incentives for ASCs to adopt EHRs. Only eligible professionals (physicians) and hospitals can take advantage of the incentives. However, many ASCs will want to adopt the EHRs in order to connect to the medical office.

Payments for eligible professionals

The incentives for eligible professionals, such as physicians, will begin in January 2011. Hospital-based physicians who furnish their services in a hospital setting will not be eligible. Eligible providers who furnish most of their services in a health professional shortage area would see their incentive payments increased by 10 percent.

The incentive payment formula is a little complicated. Key highlights of the payment formula:

· You must take advantage of the incentive payments during the time window of 2011 - 2016 (penalties set in after that).

· The payment is equal to 75 percent of Medicare allowable charges for the covered services (or maximum amounts on the sliding scale). We'll focus on the maximum amounts.

· Note that eligible professionals who utilize EHRs in 2011 or 2012 will have a maximum payment of $18,000 for the first year (instead of $15,000).

Incentive disbursements (top row is the year that the EHR is implemented):

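| Payment year | 2011 | 2012 | 2013 | 2014 | 2015 |
|---|---|---|---|---|---|
| 2011 | $18,000 | $0 | $0 | $0 | $0 |
| 2012 | $12,000 | $18,000 | $0 | $0 | $0 |
| 2013 | $8,000 | $12,000 | $15,000 | $0 | $0 |
| 2014 | $4,000 | $8,000 | $12,000 | $12,000 | $0 |
| 2015 | $2,000 | $4,000 | $8,000 | $8,000 | $0 |
| 2016 | $0 | $2,000 | $4,000 | $4,000 | $0 |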


Payment penalties for eligible professionals

A physician who does not utilize a meaningful EHR by 2015 would start seeing Medicare payment reductions in 2015. They include:

· 1 percent reduction in 2015

· 2 percent reduction in 2016

· 3 percent reduction in 2017

· 3 to 5 percent reduction in subsequent years.

The Secretary of Health & Human Services would then re-visit the issue in 2018.

What must the EHR look like and what is a meaningful user?

Unfortunately, the federal government often waits until the last minute to release necessary regulations for implementing a law (it will be late 2009 when HHS releases the final EHR guidelines). However, there are three key factors to look for when determining if your system could qualify for the EHR incentives: meaningful user, qualifying EHR technology and certified EHR technology.

Meaningful user

The law sets out three basic standards for defining a meaningful user of EHR technology for purposes of meeting the incentive requirements:

· Certified or qualified EHR technology use.

· Electronic exchange of health information.

· Using the EHR to report clinical data and other quality measures.

HHS will release the final meaningful user guidelines in late 2009.

Qualifying EHR technology

You must have qualifying EHR technology in place in order to receive the incentive payments. In addition, qualifying technology is the first step to take in order to reach certification.

HR 1 provides an outline of what functionality will be required for qualifying EHR technology:

· Provide clinical decision support.

· Support provider order entry.

· Capture and query information relevant to health care quality.

· Exchange electronic health information with and integrate it with other sources.

All EHR systems must meet the qualifying standards.

Certified EHR technology

Certified EHR technology will be a qualified health record that is certified as meeting the standards adopted by the Office of the National Coordinator for Health Information Technology (ONCHIT). The Certification Commission for Health Information Technology (CCHIT) will certify products. There is a possibility that EHRs currently certified by CCHIT may not meet the new incentive standards. However, that remains to be seen and will be addressed in late 2009.

Currently, CCHIT does not certify products specific to ASCs. It is mostly focused on the physician practice environment.

Medicaid programs will determine their own requirements (closely following the Medicaid measures set out in HR 1).

What grants are available?

HR 1 authorizes $19 billion in grants and incentives to help providers purchase health IT systems. Much of the money will likely flow to the state agencies and provide them with the ability to provide the grants. Of the $19 billion, $2 billion will be used to develop infrastructure to increase health IT adoption (ASCs will be eligible for these funds). The other $17 billion will be used for low-cost loans for the meaningful use of certified EHRs (ASCs will not be eligible for this).

Keep in mind that it is very difficult to obtain a state or federal grant. It is a very long process in which you compete with a large number of sophisticated competitors for a relatively small pot of money. It is not like a congressional earmark in which a member of Congress directs the money to a certain entity.

Does it create health care "best practices" endorsed by the federal government?

HR 1 gives the Office of the National Coordinator for Health Information Technology (ONCHIT) within the U.S. Department of Health and Human Services more authority.

This new authority includes:

· Developing vocabulary, messaging and functional standards for interoperability.

· Criteria to make sure that the IT systems meet those needs.

· Privacy and safety criteria.

· "Helping facilitate the creation of prototype health information networks."

E-Prescribing (As Part of the Medicare Modernization Act of 2003)

The Medicare Modernization Act of 2003 required the Centers for Medicare and Medicaid Services (CMS) to develop a set of standards for electronic-prescribing (e-prescribing). The Medicare Improvement for Patients and Providers Act of 2008 took e-prescribing one step further by authorizing incentive bonus payments (and eventual penalties for failing to do so) under Medicare.

What are the bonuses and penalties?

Physicians who use e-prescribing will be provided Medicare bonuses between the years 2009 and 2013. Physicians who fail to do so (beginning in 2012) would witness reductions in the Medicare payments.

The e-prescribing incentives:

· 2 percent bonus in 2009 and 2010

· 1 percent bonus in 2011 and 2012

The e-prescribing penalties:

· 1 percent reduction in 2012

· 1.5 percent reduction in 2013

· 2 percent reduction in 2014

Physician Quality Reporting Initiative (PQRI)

A 2006 law established the first physician quality reporting system for CMS (including an incentive payment). A 2008 law made the PQRI permanent. However, Congress only authorized incentive payments through 2010. (Congress will likely add new incentive payments in the future.)

Eligible providers who meet the requirements and submit the necessary information will receive a 2.0 percent bonus from CMS for the reporting period of January 1, 2009 through December 31, 2009.