Liles Parker PLLC
(202) 298-8750 (800) 475-1906
Washington, DC | Houston, TX
San Antonio, TX | Baton Rouge, LA

We Defend Healthcare Providers Nationwide in Audits & Investigations

Home Health Agency Alert: The Review Choice Demonstration Project is Moving Forward in Illinois Effective June 1, 2019

April 9, 2019 by  
Filed under Home Health & Hospice

Review Choice Demonstration Project in Illinois (April 9, 2019): This article updates our article of February 19 on the lifting by the Centers for Medicare and Medicaid Services (“CMS”) of the moratorium on the enrollment of new home health agencies in Florida, Illinois, Michigan and Texas, and the announcement by CMS of the implementation of a new five-year “Review Choice Demonstration Project” in three of those four states (Florida, Illinois, and Texas) as well as Ohio and North Carolina (with a possible extension to other states within the Palmetto/JM jurisdiction).

At the time of that article, CMS had announced that the project would begin in Illinois, with implementation in the other four states in the near future thereafter.  However, CMS had not specified a “start date” for Illinois because it was awaiting approval by the Office of Management and Budget (“OMB”) at that time.  CMS has now received that approval and has announced implementation in Illinois to begin on June 1, 2019.  All episodes of care beginning on or after that date during the period of the demonstration will be subject to the requirements of the project.

I.  Background of the Review Choice Demonstration Project:

As background, under the Review Choice Demonstration Project, home health agencies in the affected states will initially select from three options to have their claims reviewed:

  • Pre-claim review
  • Post-payment review, or
  • Minimal post-payment review with a 25% reduction.

After each six-month period, agencies with a 90% affirmation or approval rate under one of the first two options, above, will also be able to choose between two additional options.  Each of these options is described in our February 19 article.

II.  Illinois Home Health Agencies are Under the Microscope:

Home health agencies located in Illinois must choose and register for one of the three options, above, between the dates of April 17 and May 16 on a portal established by Palmetto GBA.  Any agency that fails to make a choice during that period will be assigned to the third option and will not be able to change that option during the entire five-year period, and thus will receive a 25% payment reduction during this entire time.

As discussed in our February 19 article, the Review Choice Demonstration is an outgrowth of the Pre-claim Review Demonstration for Home Health Services that had been initially implemented in Illinois and then “paused” and never “restarted.”  However, Illinois agencies that had met the 90% full provisional affirmation rate under that project (based on a minimal 10 request submission between August 2016 and March 2017) will be permitted to begin the Review Choice Demonstration by selecting from any of the options including the additional ones available to agencies with a 90% affirmation or approval rate during a 6-month period.

CMS has established links to both the Palmetto GBA portal described, above, and to an operational guide and Special Open Door Forum Presentation that describes the program at https://www.cms.gov/Research-Statistics-Data-and-Systems/Monitoring-Programs/Medicare-FFS-Compliance-Programs/Review-Choice-Demonstration/Review-Choice-Demonstration-for-Home-Health-Services.html.

III.  Is Your Home Health Agency Ready for an Audit?

Our earlier article goes into greater depth in describing the various options.  That article also emphasizes the critical nature of the choice that each agency makes in selecting an option.

Each of the options presents a separate set of risks and benefits as opposed to the others – the one exception being that the third option of a 25% payment denial does not appear to be a viable one for any agency.  Our earlier article also sets out several examples of these risks.  We thus recommend that every agency take the necessary time to consult with knowledgeable individuals, both internal and external, in making this selection during each 6-month period.

Additionally, as stated in that article, we cannot recommend strongly enough that agencies in the affected states have procedures in place to properly document coverage for all the cases that they handle, and also a process to prepare and move documentation through the system quickly and comprehensively.  They also should be updating their compliance and quality assurance programs to respond to these changes.

Liles Parker attorneys have substantial experience working with home health agencies in preparing them for the audit process which is similar to the processes that they will need to follow in responding to the Review Choice Demonstration Project, and in identifying the risks of choosing one option in relation to the others.  A number of our attorneys are also certified coders who have substantial experience in developing a format to justify coverage.  Finally, we have substantial experience working with agencies in developing and updating their compliance plans.

Any person wishing a free consultation in the area should contact Michael Cook, the author and Co-chair of our Health Care Group. Michael can be reached at (202) 298-8750 or mcook@lilesparker.com.

Are HIPAA Whistleblower Provisions Around the Corner?

(January 25, 2012): Historically, home health agencies, physicians, clinics and other health care providers have associated the term “whistleblower” with the filing of a False Claims Act case by an insider, former employee or other individual alleging to have direct knowledge of fraudulent billing conduct by a provider. As health care providers will soon find, individuals harmed by the wrongful breach of their Protected Health Information (PHI) will soon have an opportunity to share in any penalties assessed by the Department of Health and Human Services (HHS), Office of Civil Rights (OCR). While not technically a “whistleblower” award program, the quasi-HIPAA whistleblower provisions included in recently-passed legislation may ultimately present many of the same incentives to individuals who are allegedly harmed as a result of a breach of their PHI.

I.   Background of HIPAA Whistleblower Provisions:

Over the last few years, a number of health care providers and other “covered entities” (both large and small) have been audited and penalized by the government for improper breaches of protected health information. Enforcement actions taken have varied, ranging from mere warnings to criminal prosecution.

II.   HITECH Raises the Bar for Providers:

The “Health Information Technology for Economic and Clinical Health Act” (HITECH) contains a number of significant privacy provisions impacting health care providers. Two of these provisions include: (1) The initiation of privacy audits by contractors working for the Department of Health and Human Services (HHS), Office of Civil Rights (OCR); and (2) The sharing of Civil Monetary Penalties assessed in response to an improper breach with the affected patients.

  • Privacy Audits

As OCR has announced, the agency has initiated an audit program intended to help ensure that health care providers are complying with the various medical records privacy provisions laid out in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  To do so, OCR has contracted with several nationally-recognized audit firms for the purpose of auditing health care provider compliance with HIPAA’s privacy provisions.

When will audits begin? According to OCR, the initial audits of provider compliance with HIPAA / HITECH requirements began in November 2011. Once these initial audits are completed, OCR intends to focus the remaining audits on the issues and concerns identified in the contractors’ first preliminary audits. At this time, all audits are anticipated to be completed by December 2012.

If prior “pilot” programs are any indication of how these audits will be handled, we anticipate that OCR will ultimately adopt an ongoing HIPAA / HITECH audit process, tasked with assessing the compliance of health care providers, covered entities and business associates. It is essential that you critically review your current practices – after you have been audited, it will likely be too late to avoid the imposition of penalties.

How will HIPAA / HITECH audits be conducted? According to OCR, organizations selected for audit will be notified by the agency of their selection. At that time, they will be asked to provide “documentation of their privacy and security compliance efforts.” During this pilot period, each of the covered entities audited will receive a site visit. During the site visit, contractor representatives will be required to interview key personnel. The contractors will also review the covered entity’s practices and determine whether their operations fully comply with HIPAA’s / HITECH’s privacy requirements. After completing the site visit, a draft report will be prepared which outlines how the audit was handled, the conclusions that were reached by the contractor and the remedial actions that were taken by the covered entity. The draft report will be shared with the covered entity prior to finalization and the covered entity will have a chance to respond to the contractor’s findings.

  • Sharing of Civil Monetary Penalties

In addition to the HIPAA audit protocol discussed above, HITECH includes a seemingly-innocuous section which commands the Secretary of HHS to establish a methodology to distribute a percentage of Civil Monetary Penalties to individuals harmed by an improper breach of protected health information or another HIPAA violation. For instance, if a patient’s medical records or other protected health information is inappropriately accessed or divulged to unauthorized persons and the OCR ultimately investigates the violation and assesses Civil Monetary Penalties against a provider or other covered entity in connection with the breach, the harmed patient may be eligible to receive a portion of the penalties collected by the government.

On its surface, such a clause seems reasonable – after all, why not compensate those who have been hurt by a wrongful disclosure or breach? However, this law (and its soon-to-be-created implementing regulations) will likely have extensive repercussions in reporting and enforcement of HIPAA violations. Giving patients a financial incentive to report wrongful disclosures and breaches of their protected health information will likely lead to increased reporting of incidents since harmed patients may now be eligible to share in any penalties collected.  Similar laws which allow private individuals to receive a portion of penalties and other funds recovered, such as the False Claims Act (FCA), have been extremely successful in detecting and deterring fraudulent activity. While HITECH does not create a “private right of action” for HIPAA violations and is substantially different from the FCA, it is important to note that their basic principles are the same. By giving private citizens, with perhaps greater and more immediate knowledge of an issue than the government, a real reason to report a problem, these problems can be more quickly and effectively remedied.

In 1986, when the FCA was overhauled with new provisions that gave private citizens more power and a greater likelihood of collecting money, the FCA’s usage skyrocketed. In what could be a very similar situation, affected individuals with the chance to receive a portion of fines and penalties will be far more likely to aggressively report and pursue these violations. For covered entities (comprising virtually all providers, billers and business associates), this means that implementing effective HIPAA privacy policies should be at the top of your compliance “to-do” list.

III.   How Health Care Providers Should Respond:

Among their first steps, health care providers and other covered entities should:

  • Ensure that patient protected health information is fully secured and protected.
  • Take steps to prevent improper access by authorized parties.
  • Ensure that anyone accessing protected health information is properly logged so that patients can readily obtain an accounting or listing of anyone who has reviewed all or part of their records. This log should also document the purpose for accessing the record.
  • Take steps to prevent the access of protected health information by authorized personnel for unauthorized reasons.
  • Take steps to better ensure that no protected health information is inappropriately disclosed to third parties.

While the points outlined are essential, they are far from all-inclusive.  It is imperative that you identify qualified counsel to assist you in meeting your HIPAA / HITECH obligations.

Further, when handling protected health information, health care providers must remain mindful of the “minimum necessary” rule. Health care providers, other covered entities and business associates who handle protected health information must only disclose the minimum information necessary for a requesting entity to properly do its job.

Ultimately, all health care providers, covered entities and business associates should take reasonable steps to help ensure that applicable HIPAA / HITECH provisions are fully met.

Robert W. Liles and other health law attorneys at Liles Parker PLLC are skilled in counseling health care providers, billers and other covered entities in HIPAA compliance and other compliance-related issues. We can help you implement an effective Compliance Plan, conduct gap analyses and internal audits. Furthermore, we can train your staff on staying compliant with federal regulations, including but not limited to, HIPAA / HITECH mandates, OSHA requirements, coding / billing regulations and more. For a free consultation, please call Robert at 1 (800) 475-1906.