The Centers for Medicare and Medicaid Services (CMS) hopes to start Recovery Audit Contractor (RAC) automated reviews in late June and July, with more complex reviews rolling out later, according to a May 29 Health Leaders report. CMS expects to begin certain complex reviews like coding and DRG validation this fall. Medical necessity complex reviews will not begin until early 2010.

“The automated reviews are less burdensome on the provider, because there’s no request for medical records,” said Marie Casey, deputy director of the Division of Recovery Audit Operations at CMS, in the news item. “They’re also easier for the RACs to manage.”

The delay for medical necessity auditing is due to the complexity of the reviews. “We’re delaying because it’s more difficult,” Casey said. “We are really trying to ensure that when there is a difference of opinion [on the medical necessity determination of the case], the RAC clearly documents their rationale.”

The delay will also help CMS roll out an issue review team, a group comprised of members from various agency divisions that will look at policy questions, such as whether the RACs have been correct in the interpretation of coding guidelines. These teams will look comprehensively at the questions before approving new issues for RAC review, according to Kathleen Wallace, a CMS representative who spoke at a May 28 Region D RAC training session held in Helena, MT.

When record requests do come, they will start sporadically but eventually fall into a pattern, at least in Region D, said HealthDataInsights president and CEO Andrea Denko, during the Helena training session.

“Present on admission indicators, hospital-acquired conditions, serious reportable events, and ‘wrong’ surgical events are each hot topics,” write the authors of a “Coding Notes” column in this month’s print issue. “However, they also can be a hot topic together, because a number of these reporting requirements are interrelated.”

Jane Cook, Cheryl D’Amato, Gail Garrett, Becky Ruhnau-Gee, Linda Hyde, and Natalie Novak sort out the relationship of POA, HACs, SREs, and “wrong” surgical site policies in “Understanding National Coverage Policies.”

On Friday the California Department of Public Health announced an administrative penalty of $250,000 against Kaiser Permanente Bellflower Hospital for failing to prevent unauthorized access to octuplet mom Nadya Suleman’s medical records. According to CDPH, 21 employees and two physicians improperly viewed Suleman’s medical records.

The penalty is the first under California’s strict new privacy laws, which went into effect January 1. The $250,000 fine was the maximum allowed.

Kaiser first reported the breach back in April, when it disciplined and fired employees for accessing Suleman’s records. The CDPH investigation announced Friday involved the facility only. Under a separate law, the state may seek prosecution against the individuals themselves.

If you ever wonder what progress the Office for Civil Rights is making as it works its way through HIPAA privacy rule complaints, the numbers are easy to find. Each month OCR reports top-line results of the HIPAA cases it has received and resolved.

OCR has logged approximately 43,700 complaints since the privacy rule went into effect April 14, 2003. It has resolved 86 percent of them, and as of April 30 it had nearly 6,000 cases still on its to-do list.

OCR enforces the HIPAA privacy rule only. Enforcement of the security rule falls to the Centers for Medicare and Medicaid Services. Violations of either rule that involve possible criminal violations are referred to the Department of Justice. Through April 30 of this year, OCR had referred 456 cases to the DOJ and 306 cases to CMS. (more…)

One day before the Red Flags Rule were to take effect, the Federal Trade Commission announced a three-month delay. Organizations that would have woken up out of compliance today now have until August 1 to comply.

The rule requires “creditors” and financial institutions to develop and implement written identity theft prevention programs. (For more on the rule, see articles in “Privacy & Security.”)

The FTC also announced that it would release a compliance template for entities that have a low risk of identity theft, such as businesses that know their customers personally.

Continued confusion over the terms of the provision resulted in the delay. ”Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further,” FTC Chairman Jon Leibowitz said in the statement.

This is the second delay for the Red Flags rule. The original deadline was November 2008.

The Department of Health and Human Services has published guidance related to the Genetic Information Nondiscrimination Act (GINA) and its effect on researchers.

“Guidance on the Genetic Information Nondiscrimination Act: Implications for Investigators and Institutional Review Boards” provides background on protections provided by GINA and discusses GINA’s impact on investigators who conduct genetic research and the institutional review boards that review it, particularly on criteria for IRB approval of research and the requirements for obtaining informed consent under the HHS regulations for the protection of human subjects (45 CFR part 46).

Final GINA regulations are expected in May.

To review GINA’s provisions, see the July 2008 “Word from Washington” column “Getting to Know GINA.”

Capping off our Health Information Privacy and Security Week series, Federal Trade Commission attorney Steven Toporoff offers tips on complying with the Red Flags Rule, which goes into effect May 1. Toporoff works in the FTC’s Division of Privacy and Identity Protection, Bureau of Consumer Protection.

Millions of Americans each year fall victim to identity theft.  When identity theft involves healthcare, the consequences can be severe. It can result in losses to the healthcare provider from unpaid bills, the exhaustion of the victim’s benefits, or even potentially life-threatening corruption of a patient’s medical records. 

The crime also can play havoc with an innocent consumer’s credit rating.  Medical identity theft may arise when a person seeks healthcare services or prescription pharmaceuticals using someone else’s name or insurance information.  A recent nationwide survey conducted for the FTC found that 4.5 percent of the 8.3 million identity theft victims have experienced some form of medical identity theft.

The Red Flags Rule is designed to help protect patients and providers from suffering the consequences of medical identity theft.  Briefly put, this new law requires “creditors” and “financial institutions” to determine if they have either consumer accounts that permit multiple payments or other accounts for which there is a reasonable risk of identity theft.  If they do, these covered entities must develop and implement a written identity theft prevention program. Each provider has the flexibility to implement a program that best suits its size, complexity, and actual risk of identity theft.    (more…)

Continuing our Health Information Privacy and Security Week series, today Chris Apgar, CISSP, president of Apgar & Associates LLC, takes a look at medical identity theft within the context of the Red Flags Rule.

Much is reported in the news about identity theft including new catchy commercials that are intended to prompt consumers to pay attention to their credit record. What isn’t mentioned is the threat of medical identity theft. Identity theft is primarily a financial crime while medical identity theft can directly impact an individual’s ability to seek healthcare and health insurance coverage. (more…)

A 19-year-old college student uses her university clinic for gynecological visits. Her parents contact the clinic and ask to see her health record in order to find out if she is using birth control. The clinic shares the record with the parents. Did the clinic staff do wrong?

Maybe not.

The behavior would seem to fly in the face of the HIPAA privacy rule, but virtually all public schools and most private and public postsecondary institutions are covered by a different federal law.

The Family Educational Rights and Privacy Act, or FERPA, regulates the privacy of students’ education records. These can include student health records if the institution chooses to classify them as such. The HIPAA privacy rule does not apply to records covered by FERPA.

It’s a complicated intersection of federal law, and the Department of Health and Human Services and the Department of Education have issued guidance to help schools navigate it. See “When FERPA and HIPAA Collide” in the Winter 2009 issue of AHIMA’s Academic Advisor e-newsletter.

Last week, the Centers for Medicare and Medicaid Services (CMS) announced that the parties involved in the protest over the award of Recovery Audit Contractor (RAC) contracts had come to a settlement. This means that the stop work order has been lifted, and CMS will continue with the implementation of the RAC program.

PRG-Shultz will serve as a subcontractor to HealthDataInsights, Diversified Collection Services, and CGI Technologies and Solutions. Viant Payment Systems will serve as a subcontractor to Connolly Consulting. According to CMS, “the four RACs will contract with subcontractors to supplement their efforts.”

The program had been suspended last November when PRG-Shulz and Viant protested the contracts that had been awarded to four others. CMS plans to have four RACs in place by 2010. Each RAC will be responsible for identifying overpayment and underpayments in approximately a quarter of the country.