Long Term Care, Home Health and DME

Under the Privacy Rule, HIPAA covered entities (health care providers and health plans) are required to provide individuals, upon request, with access to their protected health information (PHI) in one or more “designated record sets” maintained by or for the covered entity.

Covered entities are also required to protect the individual’s PHI from unauthorized disclosure. How must a covered entity verify the identity of the individual requesting the PHI so as to comply with the Privacy Rule without at the same time violating it?

Recent guidance from the Office of Civil Rights (OCR) is somewhat helpful.

According to the guidance, the Privacy Rule requires a covered entity to take “reasonable steps” to verify the identity of an individual requesting access (citing 45 CFR 164.514(h)). OCR confirms the Privacy Rule does not mandate the form of verification, but rather leaves the manner of verification to the professional judgment of the covered entity, provided the verification processes and measures “do not create barriers to or unreasonably delay the individual from obtaining access to her PHI”. OCR explains that verification may be oral or in writing and states that the type of verification depends on how the individual is requesting or receiving access. For instance, a person may request access in person, by phone, by fax or e-mail, or through a web portal hosted by the covered entity.

OCR suggests that standard request forms ask for basic information about the individual to enable the covered entity to verify the individual is the subject of the information requested.  For those covered entities providing individuals with access to their PHI through web portals, the portals should be set up with appropriate authentication controls, as required by the HIPAA Security Rule (for instance password protection and required periodic password updates).

For individuals who may call requesting access to their PHI, good policy might require verification of the requestor’s date of birth, address, and perhaps the condition the individual was treated for.

Verifying the authority of an individual’s personal representative is determined under State law. In the next blog post, we will look at the law in New York on who is a qualified person for purposes of access to an individual’s medical records.

An interesting SDNY settlement agreement resolves some False Claims Act allegations, but leaves others for another day.  Visiting Nurse Service of New York (VNS) paid just under $35 million to the United States and New York State to settle allegations that VNS improperly billed Medicaid for 1,740 members whose needs did not qualify for a managed care plan.  The government alleged that these members were improperly referred by social adult day care centers (SADCC), or received services primarily from SADCCs, many of which provided substandard and minimal care.   

In the settlement agreement, VNS admitted that 1,740 Medicaid long term care  program members were referred by SADCCs or used SADCC services, and were not eligible to be members of the plan; and that various SADCCs in the provider network did not provide services that qualified as “personal care services” under the long term care program contract with New York’s Department of Health. 

The settlement agreement has a unique “Remaining Investigation” provision.  Most FCA settlement agreements are designed to settle all claims against the defendants.  The VNS settlement agreement, however, provides that it resolves only part of the United States investigation. Examples of allegations that are part of the “Remaining Investigation” are redacted in the publicly-filed document.  In a provision that could lead to interesting questions of interpretation, VNS agrees  “to cooperate with the Remaining Investigation,” but without waiving attorney-client or joint defense privileges, work product protections, or factual or legal defenses covering claims the government may bring against VNS.  The issue of whether VNS is satisfying its duty of cooperation under the agreement while maintaining assertions of privilege and factual and legal defenses will be difficult to sort out if it is ever litigated.  The settlement agreement carves out any potential claims against the president of the corporation that administered the managed health care plan, so that individual could be the focus of the “Remaining Investigation.”  In addition, the Court approved keeping the relator’s complaint and the government’s complaint-in-intervention under seal.

During the pendency of the “Remaining Investigation,” VNS agrees to monitor and further revise standards for credentialing SADCCs; only credential SADCCs that have necessary certificates; monitor SADCCs to ensure compliance with credentialing; ensure that SADCCs provide proper personal care services; and prohibit marketing practices directed at enrolling members through SADCCs.

Earlier this month, a bill to amend the False Claims Act (“FCA”), the “Fairness in Health Care Claims, Guidance and Investigations Act,” was introduced in the House of Representatives.  According to one of the bill’s sponsors, Rep. Howard Coble (R-NC), the bill’s purpose is to ensure that unintentional billing disputes are not penalized as fraud.

Some parts of the bill are unlikely to gain wide support.  First, the bill requires that before the Department of Justice (“DOJ”) requests information from a health care provider as part of an investigation, it would have to certify that the responsible agency had examined all regulations, guidelines and billing instructions, all communications with the alleged perpetrator, and each of the allegedly false claims, and certify that the allegations are viable and that the regulations, guidelines and billing instructions were unambiguous at the time of the violation.  Without such a certification, the Court would be required to dismiss a qui tam complaint based on those allegations.

When DOJ receives a qui tam complaint, however, it is mandated by law to investigate, and the bill would seem to require that the government undertake a full investigation based on its own records alone, and on all of the involved claims, before seeking any information from a provider.  The bill would also apply to federal investigations that do not arise from qui tam complaints.  Legislators are unlikely to so severely restrict the ability of federal agencies to investigate health care fraud in light of the massive resources being poured into enforcement.  Similarly, passage of the provision to raise the FCA standard of proof from “preponderance of the evidence” to “clear and convincing evidence” is a long-shot.

Sections Likely to Gain Support

Nevertheless, some parts of the bill could garner support because they go directly to the concept of “fairness” in the bill’s title, and the widespread concern that billing errors or confusion about compliance are routinely characterized by investigators and qui tam relators as fraud.  The bill provides that an FCA case could not be brought based on a claim submitted in good faith reliance on: (1) erroneous information supplied by an agency; (2) written statements of Federal policy provided by an agency; or (3) an audit or review by the agency of the person submitting the claim where there was no finding that the claim was a violation.  The bill would also bar FCA cases where a claim was submitted in substantial compliance with a model compliance program issued by HHS.  Some form of these provisions would add a measure of fairness for providers who are attempting to comply in good faith but do not succeed in meeting all the requirements of extremely complex regulations, guidelines and billing instructions.  Another bill provision would limit FCA claims to those involving an amount of damages that is material to the government.

Providing a safe harbor for providers attempting good faith compliance would be a very appealing change to the FCA.  While the DOJ certification provision has a limited chance of success, a restriction on excessive or disproportionate use of subpoenas and civil investigative demands may have broader support.  In any event, this bill highlights the problems providers face when billing errors or confusion are treated as fraud, and they are subjected to the staggering costs of responding to a federal investigation and the crippling risks of fighting the treble damages and penalties of an FCA case.

Farrell Fritz health care attorneys know the False Claims Act, and can help health care providers deal with government investigations, audits, and compliance issues.

Is your office photocopy machine a HIPAA time-bomb?  Affinity Health Plan recently learned that the answer is yes, to the tune of a $1.2 million settlement with the US Department of Health and Human Services Office for Civil Rights (OCR).  Affinity is a not-for-profit managed care organization which includes one of the New York metropolitan area’s largest Medicaid managed care programs.  In 2010, Affinity made a mandatory breach report to OCR when it learned that the protected health information (PHI) of over 300,000 individuals was found on the hard drives of multiple photocopiers that Affinity had leased.  Affinity failed to have the hard drives wiped or destroyed prior to the return of the copiers at the end of the leases.

As HIPAA Covered Entities, healthcare organizations from hospitals and inpatient facilities to physician practices and health plans should take note of this matter.   For Covered Entities, this may mean new policies covering copiers and other hard drives containing PHI, revised risk analyses and safeguards, and revised Business Associate Agreements (BAAs).

Additionally, Business Associates of healthcare organizations, including consultants, lawyers, accountants, and billing companies, who may possess protected health information should also pay close attention. Under the Omnibus Rule, finalized earlier this year and taking effect on September 23, 2013, business associates will be directly responsible for compliance with the privacy and security provisions of HIPAA, HITECH and the Omnibus Rule. This means developing their own policies and procedures, conducting internal risk assessments and audits, and implementing physical and electronic safeguards to protect PHI. Business Associates should carefully read new or revised BAAs they receive from Covered Entities to better understand their obligations.

The health care attorneys at Farrell Fritz understand HIPAA, can help your organization move toward compliance with new and old requirements, and minimize your risk of substantial fines.


Senator Kemp Hannon, Chair of the New York State Senate Committee on Health (and counsel at Farrell Fritz), will be hosting a health care forum featuring a presentation by State Medicaid Director Jason Helgerson.  The event will take place on Monday, August 5 from 10:00 am to noon at the Hofstra University Student Center Theatre.

Helgerson, also Executive Director of the Medicaid Redesign Team (MRT), will speak on the topic “An Update on Medicaid Redesign and the Medicaid Budget in New York.”  He will give an overview of the State’s $53 Billion a year Medicaid program, the deep changes effected in the program by the MRT, and the progress of the changes.

Seating is extremely limited.  Parties interested in attending should call Senator Hannon’s office at (516) 739-1700, or email hannon@nysenate.gov with their name, title, address, organization and telephone number.


The Office for Civil Rights of the US Department of Health and Human Services, in conjunction with the Workgroup for Electronic Data Interchange (“WEDI”), has announced a series of four free webinars on compliance with the latest Omnibus HIPAA/HITECH final rule, which implements significant changes in the requirements imposed upon health care organizations, providers, and their business associates.  Final compliance with the new rule is required by September 23, 2013.

Aimed at smaller clinical practices, the webinars will  address topics  including the new breach notification requirements, new Business Associate liability, and enforcement.  The first webinar will be held on June 14, 2013.

While we advise clients to review these matters with their legal counsel, it can be quite informative to hear the requirements and compliance expectations directly from the agency responsible for enforcement. Providers should be prepared to revise their policies and documents, including Business Associate Agreements, well before the September deadline.

Note that the webinars are free, but attendees must first register with WEDI in order to sign up.

On January 2, 2013, the US Department of Health and Human Services announced a $50,000 settlement with Hospice of North Idaho for a data breach involving the theft of a lost, unencrypted laptop computer containing the health information of 441 patients.

This settlement is the first for a reported breach affecting fewer than 500 individuals.   HHS Office of Civil Rights Director Leon Rodriguez stated that “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”

A few takeaways from this settlement:

  • All HIPAA covered entities should conduct initial and ongoing risk assessments regarding use of electronic PHI;
  • Providers should develop and adopt policies and procedures regarding the use of mobile devices such as laptops, tablets, and smart phones containing electronic PHI, and appropriate safeguards to implement;
  • Think about who should have access to the devices, how they are protected or encrypted, where they are stored;
  • Providers should carefully investigate all data breaches, no matter how small;
  • After an investigation, review the provisions of the HITECH Act regarding breach notification; must the provider notify HHS immediately, notify the affected individuals, or take other measures?
  • Consult with counsel familiar with HIPAA, HITECH and data breaches to ensure that all Federal and State obligations are being met with an appropriate investigation, response, remedial assessments and policies and procedures.


Just a reminder to New York State Medicaid providers that certifications under the NYS Social Services Law and the Federal Deficit Reduction Act are due no later than December 31.

All New York State Medicaid providers who are required to have a compliance program under Social Services Law Section 363-d must certify that their compliance programs are effective.  The certification must be completed during the month of December each year.  The Social Services Law certification is an online certification that may be accessed through the New York State Office of the Medicaid Inspector General website under the Compliance tab. 

Medicaid providers subject to the Federal Deficit Reduction Act of 2005 (DRA) must also provide a certification that they are meeting the DRA’s requirements.  The certification must be completed each year prior to January 1st.  The DRA certification may also be accessed on OMIG’s website under the Compliance tab.

There can be significant consequences both for failing to certify and for certifying compliance when not in compliance with the regulatory requirements.  Parties who are unsure whether they need to certify their programs, or who may have questions regarding their compliance programs or certifications, are advised to consult with their attorneys to review their options.

In this election season, both presidential candidates offer plans to deal with the rising cost of providing health care services: the President’s “Obamacare” by increasing the number of insured individuals through Health Insurance Exchanges and reducing costs for a continuum of services through Accountable Care Organizations, and Governor Romney’s consumer-driven approach through Medicare vouchers, tax credits, and Health Savings Accounts.

A recent article on the website Salon written by Michael Lind of the centrist New America Foundation poses the provocative thesis that the immense and ever-increasing cost of providing health care services in the United States could be remedied by aggressive, mandatory price controls by the US government on all health care services – hospitals, nursing homes, physicians, prescription drugs, etc.

Now this already occurs in part.  The government sets prices to be paid by Medicare and Medicaid to providers of care.  However, this has little effect on the majority of the population with private insurance or no insurance.  Each insurance company or managed care entity negotiates fees with providers, but none have the market strength necessary to effect national changes in pricing.

 What if tomorrow the US government set out a mandatory fee schedule for every procedure and prescription drug, so that no provider or manufacturer could charge more than this schedule?  Lind suggests instant cost savings, with no rationing, no limiting access to care, and no “death panels.”

This proposal is similar to the Japanese health system, which is largely fee-for-service and private provider based, with easy access to hospitals and physicians.  The government sets the price for every medical procedure, profitability of categories of providers is monitored, and fees are reduced if a sector becomes too profitable (not that much different from US requirements regarding insurance company medical loss ratios; many insurers recently paid out refunds).  Japan boasts a long-lived and healthy population, with health care spending as a percentage of GDP increasing at a fraction of the increase in the United States.

Of course, such a bold proposal brings to mind dozens of questions regarding the impact of price controls.  In the short term, would acute care hospitals be forced to shut down?  Would older physicians simply close their practices?  Would aspiring physicians choose another profession?  With lower prices, would patients demand even more testing and prescription drugs, reducing or eliminating savings?  Would physicians and hospitals increase volume of services, perhaps with unnecessary procedures, to make up for lost revenue?  Would this be a windfall for health insurers?  Would premiums drop to the point that more Americans could afford health insurance? Would reduced costs translate into greater access to employer sponsored health insurance? Would it spur economic growth and jobs, allowing more people to access employer sponsored health insurance?

Let’s hear your thoughts.


 The New York State Office of the Medicaid Inspector General (“OMIG”) recently finalized regulatory changes to New York State law which relate to the withholding of payments to Medicaid providers when there is a “credible allegation of fraud.”  A credible allegation of fraud is defined as an “allegation that has indicia of reliability and has been verified by the [OMIG], or the Medicaid fraud control unit, or another State agency, or law enforcement organization.”

The changes, which will modify portions of 18 NYCRR 518.7 and 18 NYCRR 518.9, were required as a result of New York’s participation in the Medicaid program under the Affordable Care Act.

Mirror of Federal Requirements

 The changes finalized by the OMIG will mirror federal requirements and will now state that the OMIG “must withhold payments under the program, in whole or in part, when it has determined or has been notified that a provider is the subject of a pending investigation of a credible allegation of fraud unless the [OMIG] finds good cause not to withhold payments” in accordance with applicable federal regulations.

Prior to the finalization of these changes, the determination by the OMIG to implement a withhold was discretionary, and the OMIG could withhold amounts where it had “reliable information that a provider is involved in fraud or willful misrepresentation involving claims…or has abused the program or has committed an unacceptable practice.”

A Provider’s Rights to Appeal Withholds

The changes also provide a method for providers that are the subject of the withholding to appeal the OMIG’s decision.  Although not entitled to an administrative hearing, the affected provider may, within 30 days of the notice, submit written arguments and documentation that the withhold should be removed.  The OMIG will provide a response to the provider no later than 60 days after receiving such written arguments or documentation.  The OMIG will, in its response, inform the provider of its determination to either affirm, reverse or modify the withhold, either in whole or in part.

Any provider that is affected by the withholding of Medicaid payments by the OMIG should consult with its counsel to determine an appropriate response to the OMIG.