Regulatory Issues Facing
Community Providers
IACP Webinar – March 11, 2015
Rebecca A. Brommel: brommel@brownwinick.com
Michael E. Jenkins: jenkins@brownwinick.com
Catherine C. Cownie: cownie@brownwinick.com
Adam J. Freed: freed@brownwinick.com
Website: www.brownwinick.com
BLOG: www.brownwinick.com/BLOGHealthLaw
Department of Inspections & Appeals
Investigations and Procedures
Citations Generally
 Where do citations come from?
• Surveys
• Complaint Investigations
• Self-Reporting
 Who investigates?
• DIA – Health Facilities Division
Types of Violations



Class I – imminent danger or substantial
probability of resultant death or physical
harm
Class II – direct or immediate relationship to
health, safety or security but no imminent
danger nor substantial probability of resultant
death or physical harm
Class III – not classified as I or II
Penalties
•
•
•
•
•
•
Class I - $2,000 to $10,000; double if intentional act by facility
Class II - $100 to $500; may be waived upon request if corrected within time
specified in citation and if specified criteria are met
Class III – no penalty unless not corrected within the time specified; $50 per
day
Fines can be trebled for repeated violations of Class I or II occurring within 12
month period
No citation if self-identify and correct a Class II or III violation, except for those
involving abuse, personnel histories, failure to implement physician’s orders,
failure to notify physician of accident, injury, or adverse change, failure to
administer medications as ordered, failure to meet fire safety rules
Fines reduced by 35% if do not request formal hearing or if withdraw request
for hearing within 30 days after penalty assessed and it’s paid within 30 days of
receipt and notice
Step 1: Respond to Citation




Within 20 days
Notify that you seek informal conference
or to contest citation
Or, if not contesting, remit fine amount
If Class II or III – written response
acknowledging receipt and providing
statement or plan of correction
Step 2: Informal Conference






Notify in writing – certain content requirements; ask for
investigation materials
Held concurrently with “informal dispute resolution” (if Medicare
or Medicaid certified)
“Independent Reviewer”
Results usually issued within 10 business days of conference
Reviewer may affirm, modify or dismiss
If the citation is changed, DIA issues an amended citation and
then a new plan of correction must be issued for the amended
citation
Step 3: After the Informal Conference
If no further dispute with Reviewer’s
decision – pay fine
OR
 Within 5 days of Reviewer decision,
notify DIA in writing of formal contest of
citation

Step 4: Contested Case Proceeding




Discovery
Create record
Hearing in front of ALJ
Proposed decision
Step 5: Appeal to Director of DIA




Within 30 days of Proposed Decision
No new evidence unless material and
good reasons for failure to present
Obtain Final Decision
Option: Request for Rehearing – specific
reasons
Step 6: Appeal to District Court





Within 15 days of Final Decision
Briefing based upon record
No new evidence
Possibly oral argument
Ruling from Judge that can be appealed
to state Supreme Court/Court of Appeals
Federal Proceedings



May be a separate proceeding
State proceedings stayed upon request
If successful at federal level, state
follows decision
What Is A “Credible Allegation of
Fraud” and Why Does It Matter to Me?
What’s A “Credible Allegation of
Fraud”?
It’s a trigger that requires Medicaid suspend
payment to providers:
42 U.S.C. § 1396b(i)(2)(C) forbids federal
spending on any provider or person “to whom
the State has failed to suspend payments . . .
when there is pending an investigation of a
credible allegation of fraud” absent “good
cause”
What’s A “Credible Allegation of
Fraud”?



An “allegation, which has been verified by the State, from
any source.”
Sources of these allegations may include:
•
•
•
1) fraud hotline complaints,
2) claims data mining,
3) patterns identified through provider audits, civil false claims
cases, and law enforcement investigations.
Allegations are considered credible when they have
indicia of reliability and the State Medicaid Agency has
reviewed all allegations, facts, and evidence carefully and
acts judiciously on a case-by-case basis
What Are Some of the Sources of
Credible Allegations of Fraud?





Audits by private insurers
Patient grievances filed with state inspectors
State surveys or investigations
Current and former employee tips
Analysis of payer datasets
What Are Some Examples of
Credible Allegations of Fraud?
Allegations of:
 Upcoding and/or double billing
 Investigations by the OIG and FBI
 Inclusion of improper costs on cost reports
 Billing for services not rendered
 Submitting false claims
 Falsifying documentation
Where Did This “Credible
Allegation of Fraud” Come From?



PPACA/Obamacare
Shifted oversight focus from “pay and chase” model
to “shut off the tap” model
Prior to PPACA, federal regulations granted State
agencies discretion to suspend payments in whole
or in part upon “reliable evidence” of fraud
New regulations require suspension in whole when
there is a “credible allegation of fraud” absent “good
cause” not to suspend
When and How Will I Find Out About A
Credible Allegation of Fraud?


Regulations require State to provide written notification within 5
days after the suspension’s effective date. (May delay for up to
30 days upon the request of law enforcement)
Notice must contain statements that :
•
•
•
•
•
•
Payments are being suspended in accordance with 45 CFR §
455.23
To the general allegations as to the suspension action
The suspension is for a temporary period and describe the
circumstances under which the suspension will be terminated
The types of Medicaid claims or business units to which the
suspension is being applied
Inform the provider of its right to submit written evidence
Set forth the applicable state administrative appeals process
What Can My Organization Do When It
Receives Notice of A Credible
Allegation of Fraud?


Proceed with an administrative appeal
Submit information to IME
• May submit information to prove that “good
cause” exception exists to requirement of full
suspension of payments

Negotiate a Settlement Agreement with Iowa
Medicaid
•
Settlement Agreement will often turn back on partial
payments to provider pending outcome of
investigation
How Does Suspension End?



Notice of end of investigation
Resolution of issue via settlement agreement
Judicial resolution of issues
HIPAA
Overview
•
•
HIPAA and HITECH
Laws Applicable to Specific Categories
of Medical Information
•
•
•
•
Substance Abuse
Mental Health
AIDS
Employment
Who is Required to Comply with
HIPAA?
•
“Covered Entities”
•
•
•
•
•
Health plans
Health care clearinghouses
Health care providers who transmit health information in
electronic form in connection with a covered transaction
“Business Associates”
Other Entity Types:
•
•
•
Hybrid
Affiliated Covered Entities
Organized Health Care Arrangement
Who is a “Business Associate”?
A “business associate” is a person who:
1. “On behalf of [a] covered entity . . . but other than in the capacity of a member
of the workforce of such covered entity . . . creates, receives, maintains, or
transmits protected health information for a function or activity regulated by
this subchapter, including claims processing or administration, data analysis,
processing or administration, utilization review, quality assurance, patient
safety activities listed at 42 CFR 3.20, billing, benefit management, practice
management, and repricing; or”
2.
“Provides, other than in the capacity of a member of the workforce of such
covered entity, legal, actuarial, accounting, consulting, data aggregation (as
defined in § 164.501 of this subchapter), management, administrative,
accreditation, or financial services to or for such covered entity, or to or for
an organized health care arrangement in which the covered entity
participates, where the provision of the service involves the disclosure of
protected health information from such covered entity or arrangement, or
from another business associate of such covered entity or arrangement, to
the person.”
Source: 45 C.F.R. § 160.103
A “Business Associate” includes
Subcontractors.
A “business associate” includes:
•
“a subcontractor that creates, receives,
maintains, or transmits protected health
information on behalf of the business
associate.”
Source: 45 CFR § 160.103
What is “Protected Health
Information”?
“Individually identifiable health information”
that is:
• Transmitted by electronic media;
• Maintained in electronic media; or
• Transmitted or maintained in any other
form or medium.
Are Community Providers
Subject to HIPAA?
Community
Provider
Health
Information
Billing
Company
Are Community Providers
Subject to HIPAA?
Community
Provider
Health
Information
Law
Firm
Are Community Providers
Subject to HIPAA?
Community
Provider
Health
Information
Community
Provider
What is a Business Associate
Required to Do?
A business associate must provide
“satisfactory assurances” that it will
appropriately safeguard the information.
The Business Associate provides the
satisfactory assurances in a “Business
Associate Agreement.”
What are the Penalties for Failure to
Comply with HIPAA and HITECH?
Civil Penalties:

CE or BA did not know and by exercising reasonable
diligence would not have known of the violation:
•
•

$100 to $50,000 per violation.
Not to exceed $1,500,000 for identical violations
during a year.
Violation due to reasonable cause and not willful
neglect:
•
•
45 C.F.R. § 160.404
$1,000 to $50,000 per violation.
Not to exceed $1,500,000 for identical violations
during a year.
What are the Penalties for Failure to
Comply with HIPAA and HITECH?
Civil Penalties (cont.):

Violation due to willful neglect but corrected within
required time period (30 days):
•
•

$10,000 to $50,000 per violation.
Not to exceed $1,500,000 for identical violations
during a year.
Violation due to willful neglect and not corrected:
•
•
45 C.F.R. § 160.404
$50,000 per violation.
Not to exceed $1,500,000 for identical violations
during a year.
What are the Penalties for Failure to
Comply with HIPAA and HITECH?
Criminal Penalties:

Knowingly obtain or disclose PHI in violation:
•


Up to 1 year in prison
Offenses committed under false pretenses:
•
Up to 5 years in prison
Offenses committed for personal gain or
malicious harm:
•
Up to 10 years in prison
Famous Breaches of PHI
Website: www.brownwinick.com
Toll Free Phone Number: 1-888-282-3515
OFFICE LOCATIONS:
666 Grand Avenue, Suite 2000
Des Moines, Iowa 50309-2510
Telephone: (515) 242-2400
Facsimile: (515) 283-0231
616 Franklin Place
Pella, Iowa 50219
Telephone: (641) 628-4513
Facsimile: (641) 628-8494
DISCLAIMER: No oral or written statement made by BrownWinick attorneys should
be interpreted by the recipient as suggesting a need to obtain legal counsel from
BrownWinick or any other firm, nor as suggesting a need to take legal action. Do not
attempt to solve individual problems upon the basis of general information provided
by any BrownWinick attorney, as slight changes in fact situations may cause a
material change in legal result.