CMS Publishes Medicare Provider Charge Data

The Centers for Medicare & Medicaid Services has finally made  publicly available  hospital-specific charges for the more than 3,000 U.S. hospitals that receive Medicare Inpatient Prospective Payment System (IPPS) payments. The data represents almost 7 million discharges or 60 percent of total Medicare IPPS discharges. Hospitals have protected their price lists or “charge masters”  from public disclosure and by means of contractual confidentiality restrictions. CMS’s disclosure of this data were inspired in part by a March 2013 Time magazine investigative report on hospital charges authored by Steven Brill, which attracted extensive media attention and discussion.

CMS hopes that users of the data will be able to make comparisons between the amount charged by individual hospitals within local markets, and nationwide, for services that might be furnished in connection with a particular inpatient stay. CMS shared the data in advance with media outlets such as The Huffington Post, The New York Times and The Washington Post. Each of these outlets have published stories based on their analysis.   Entities such as ACO’s may find this data useful as they seek to deliver better patient care on limited budgets in order to produce shared savings.

Links:

https://www.cms.gov/Research-Statistics-Data-and-Systems/Statistics-Trends-and-Reports/Medicare-Provider-Charge-Data/index.html

Shared Savings Program Application- Notice of Intent Filing Starts May 1, 2013

Downtown Tampa

The filing period for the Notice of Intent (NOI) to Apply for participation in the Medicare Shared Savings Program 2014 program starts today May 1, 2013 and expires on May 30, 2013. The completed NOI  must be submitted no later than 5 p.m. EST May 31, 2013.  CMS only accepts NOIs submitted electronically and advises that processing time may vary, so applicants are instructed to plan to submit their NOI as early as possible.  Those submitting a completed NOI will get NOI Receipt Notice by e-mail that includes the ACO identification number (ACO ID) and detailed instructions on how to get a CMS User ID. CMS states that an applicant must have an ACO ID to apply to participate in the Shared Savings Program and • You must have a CMS User ID and password to submit your application using the online Health Plan Management System (HPMS.) Additional instructions on acquiring a CMS User ID and related due dates are set forth on the web site.

In June 2013, CMS will post the application for the 2014 program start date on its web site. Applicants may use the on-line application to begin compiling their responses; however, applicants must submit their actual application electronically when the system is available July 1 through July 31, 2013.

This blog will have regular updates and summaries on  the Medicare Shared Savings Program 2014 program and Accountable Care Organizations.

Link:

http://www.cms.gov/Medicare/Medicare-Fee-for-Service-Payment/sharedsavingsprogram/index.html

 

Adoption of a Standard for a Unique Health Plan Identifier; Addition to the National Provider Identifier Requirements; and a Change to the Compliance Date for the International Classification of Diseases, 10th Edition (ICD-10-CM and ICD-10-PCS) Medical Data Code Sets

Department of Health and Human Services and Centers for Medicare & Medicaid Services have published the final rule adopting the standard for a national unique health plan identifier (HPID) and establishing requirements for the implementation of the HPID. In addition, it adopts a data element that will serve as an other entity identifier (OEID), or an identifier for entities that are not health plans, health care providers, or individuals, but that need to be identified in standard transactions. The final rule also specifies the circumstances under which an organization covered health care provider must require certain noncovered individual health care providers who are prescribers to obtain and disclose a National Provider Identifier (NPI). Lastly, the final rule changes the compliance date for the International Classification of Diseases, 10th Revision, Clinical Modification (ICD-10-CM) for diagnosis coding, including the Official ICD-10-CM Guidelines for Coding and Reporting, and the International Classification of Diseases, 10th Revision, Procedure Coding System (ICD-10-PCS) for inpatient hospital procedure coding, including the Official ICD-10-PCS Guidelines for Coding and Reporting, from October 1, 2013 to October 1, 2014.
Link to the Final Rule: https://federalregister.gov/a/2012-21238

Jumpstart Our Business Startups Act: Eliminating the Prohibition Against General Solicitation and General Advertising in Rule 506 and Rule 144A Offerings

The Jumpstart Our Business Startups Act (the “JOBS Act”) was enacted on April 5, 2012. Section 201(a)(1) of the JOBS Act directs Securities and Exchange Commission (the Commission), not later than 90 days after the date of enactment, to amend Rule 506 of Regulation D under the Securities Act of 1933 (the “Securities Act”) to permit general solicitation or general advertising in offerings made under Rule 506, provided that all purchasers of the securities are accredited investors. Section 201(a)(1) also states that “[s]uch rules shall require the issuer to take reasonable steps to verify that purchasers of the securities are accredited investors, using such methods as determined by the Commission.” Section 201(a)(2) of the JOBS Act directs the Commission, not later than 90 days after the date of enactment, to revise Rule 144A(d)(1) under the Securities Act to permit offers of securities pursuant to Rule 144A to persons other than qualified institutional buyers (“QIBs”), including by means of general solicitation or general advertising, provided that the securities are sold only to persons that the seller and any person acting on behalf of the seller reasonably believe are QIBs.

It is later than 90 days, however the Commission has finally come around to proposing amendments to Rule 506 of Regulation D and Rule 144A under the Securities Act of 1933 to implement Section 201(a) of the JOBS Act. The proposed amendment to Rule 506 would provide that the prohibition against general solicitation and general advertising contained in Rule 502(c) of Regulation D would not apply to offers and sales of securities made pursuant to Rule 506, provided that all purchasers of the securities are accredited investors. The proposed amendment to Rule 506 would also require that, in Rule 506 offerings that use general solicitation or general advertising, the issuer take reasonable steps to verify that purchasers of the securities are accredited investors. The proposed amendment to Rule 144A(d)(1) would provide that securities may be offered pursuant to Rule 144A to persons other than qualified institutional buyers, provided that the securities are sold only to persons that the seller and any person acting on behalf of the seller reasonably believe are qualified institutional buyers. We are also proposing to revise Form D to add a separate check box for issuers to indicate whether they are using general solicitation or general advertising in a Rule 506 offering. The comment period ends on October 5, 2012.

The Commission is adopting revisions to the Electronic Data Gathering, Analysis, and Retrieval System (EDGAR) Filer Manual and related rules to reflect updates to the EDGAR system. The revisions are being made primarily to support submission of Confidential Registration Statements; require Form ID authentication documents in PDF format; automate LTID generation for Large Trader registrations; support minor updates to Form D; remove superseded XBRL Taxonomies; remove the OMB expiration date from Form TA-1, TA-2, TA-W, 25-NSE; and request of unused funds. The EDGAR system is scheduled to be upgraded to support this functionality on July 2, 2012.

Link to proposed rule under the JOBS Act: https://federalregister.gov/a/2012-21681

Link to final revisions to EDGAR Filer Manual: https://federalregister.gov/a/2012-21805

Revisions to Payment Policies Under the Physician Fee Schedule for CY 2013

On July 30, 2012 CMS will publish a major proposed rule addressing changes to the physician fee schedule, payments for Part B drugs, and other Medicare Part B payment policies to ensure that the payment systems are updated to reflect changes in medical practice and the relative value of services. The proposed rule would also implement provisions of the Affordable Care Act by establishing a faceto-face encounter as a condition of payment for certain durable medical equipment (DME) items. In addition, it would implement statutory changes regarding the termination of non-random prepayment review under the Medicare Prescription Drug, Improvement, and Modernization Act of 2003. Finally, this proposed rule also includes a discussion regarding the Chiropractic Services Demonstration program.

The proposed rule also addresses new claims-based data reporting requirements for therapy services to implement a provision in the Middle Class Tax Relief and Jobs Creation Act (MCTRCA). In addition, this rule proposes:

● Potentially Misvalued Codes to be Evaluated.

● Additional Multiple Procedure Payment Reductions (MPPR).

● Expanding Medicare Telehealth Services.

● Regulatory Changes regarding Payment for Technical Component of Certain Physician Pathology Services to Conform to Statute.

● Primary Care and Care Coordination Service.

● Payment rates for Newly Covered Preventive Services.

● Definition of Anesthesia and Related Care in the Certified Registered Nurse Anesthetists Benefit.

● Ordering Requirements for Portable X-ray Services.

● Updates to the Ambulance Fee Schedule.

● Part B Drug Payment Rates.

● Ambulance Coverage-Physician Certification Statement.

●Updating the–

  • Physician Compare Website.
  • Physician Quality Reporting System.
  • Electronic Prescribing (eRx) Incentive Program.
  • Medicare Shared Savings Program.

● Providing Budget Neutrality Discussion on the Chiropractic Demonstration.

● Physician Value-Based Payment Modifier and the Physician Feedback Reporting Program.

● Medicare Coverage of Hepatitis B Vaccine.

● Updating Existing Standards for e-prescribing under Medicare Part D and Lifting the LTC Exemption.

Several proposed changes would affect the specialty distribution of Medicare expenditures. This proposed rule reflects the priority on improving payment for primary care services. Overall, payments for primary care specialties would increase and payments to select other specialties would decrease due to several changes in how CMS proposes to calculate payments for CY 2013.

Link: https://federalregister.gov/a/2012-16814

How the use of Medicare Data to generate Performance Measurements affects Physicians?

Centers for Medicare & Medicaid Services (CMS), HHS recently issued final rules pursuant to the Patient Protection and Affordable Care Act, (Pub. L. 111-148), enacted on March 23, 2010, and the Health Care and Education Reconciliation Act of 2010, (Pub. L. 111-152), enacted on March 30, 2010 (collectively the “Affordable Care Act.”) Effective January 1, 2012, the Affordable Care Act would amend the Social Security Act (the “Act”) to require standardized extracts of Medicare claims data under parts A, B, and D to be made available to “qualified entities” for the evaluation of the performance of providers and suppliers. Qualified entities may use the information obtained the Act for the purpose of evaluating the performance of providers and suppliers, and to generate public reports regarding such performance (the “Performance Reports”). Qualified entities may receive data for one or more specified geographic areas. Congress also required that qualified entities combine claims data from sources other than Medicare with the Medicare data when evaluating the performance of providers and suppliers.

A.     What will be published in the Performance Reports?

Performance Reports generated by the qualified entities may only include information on individual providers and suppliers in aggregate form, that is, at the provider or supplier level, and may not be released to the public until the providers and suppliers have had an opportunity to review them and, if necessary, ask for corrections.

B.     How can the qualified entity use of the Medicare Claims Data?

The statute bars the re-use of the Medicare claims data provided to qualified entities under the Act. The qualified entity “shall only use such data, and information derived from such evaluation” for Performance Reports on providers and suppliers. Additionally, the Data Use Agreement between the qualified entity and CMS (the “DUA”), bars re-use of the data for other purposes. The Act does not address the use of the published Performance Report. Subject to any limitations imposed by other applicable laws, the Performance Reports could be used by any party, including the qualified entity, for activities such as internal analyses, pay-for-performance initiatives, or provider tiering.

C.     What can Physicians do to correct issues with Performance Reports?

The Act requires the Performance Reports to be made available to the public after they are made available to providers and suppliers for review and requests for corrections. Each provider or supplier will confidentially receive any Performance Report where they are identified. It is the responsibility of the qualified entity to ensure that the data is delivered using a secure method to the appropriate provider or supplier.

D.     How long do physicians have to review and provide comments before the Performance Report is published?

CMS requires that qualified entities publicly report measure results on the date specified to the provider or supplier when the report is sent for review (at least 60 days after the date on which the confidential reports are sent to a provider or supplier), regardless of the status of a request for error correction.

E.     How many Performance Reports will Physicians have to deal with?

CMS does not intend to limit the number of qualified entities accepted for participation into the program, and therefore, it is possible that there will be more than one qualified entity working in the same geographic area and publish Performance Reports for that geographic area.

F.     How much will it cost a Physician to review a Performance Report and provide comments?

Physicians who receive the Performance Reports have no obligation to review them. CMS assumes that those who do review the Performance Reports would devote and average of five hours to reviewing them at an average cost of $214.00 for physician offices. For those who appeal CMS assumes that preparing the appeal would involve an average of ten hours of effort on the part of a physician at an average cost of $429 for physician offices. The latter amount includes CMS’ assumption that 50 percent of the providers and suppliers who decide to appeal would hire consultants to assist with the appeals process.

G.     Will the Performance Reports be published in standard formats?

 CMS does not intend to standardize the Performance Reports, so each qualified entity will be able to publish Performance Reports in different formats.

 H.     Must the Performance Reports be published? How frequently will the reports be published?

Qualified entities are not allowed to produce Performance Reports for confidential use only, thus the reports must be published. There is no requirement in the Act on the frequency of public reporting, so CMS adopted a rule of once per year. Reporting once per year is the minimum requirement. A qualified entity may choose to report more frequently than once per year, as long as it is still able to meet the requirement of allowing providers and suppliers the opportunity to review and request error correction in the Performance Reports.

I.     How fresh will be the Medicare claims data that CMS provides?

CMS will provide qualified entities with the most recent available historical data, which, for qualified entities approved at the beginning of the program, CMS expects to include data for CY2009, CY2010, and the first two quarters of 2011. Then, CMS would provide quarterly data updates on a rolling basis.

J.     Will the qualified entity have all of the claims for a physician?

CMS will release claims based on the location of the beneficiary residence, not the location of the provider or supplier rendering the services. This will mean the qualified entity might not receive all of the Medicare claims for a given provider or supplier.

This is the the link to the release of the final rule by CMS:  http://www.ofr.gov/OFRUpload/OFRData/2011-31232_PI.pdf

HITECH Act, Personal Health Record Vendors, And The FTC

The HITECH Act expands the legal obligations and liabilities related to safeguarding health records to entities which are neither covered entities nor business associates under HIPAA. The affected entities are personal health record vendors (PHR Vendors) and entities that: (i) offer products and services through the website of a PHR Vendor, (ii) are not covered by HIPAA and offer products or services through the websites of covered entities that offer individuals PHR; and (iii) are not covered entities and that access information in a PHR or send information to a PHR (each a “PHR Management Service”). A third party service provider which provides services to PHR Vendors and PHR Management Services in connection with PHR Records and “accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses, or discloses unsecured PHR identifiable health information in such a record as a result of such services.”

The new obligations created by the HITECH Act require such entities to provide notification in the event of a breach of security resulting in the acquisition of unsecured PHR identifiable health information without the authorization of the affected individuals. The PHR Vendor, PHR Management Services and their respective third party servicers are required to provide notifications to each affected individual and the FTC. The FTC is then required to provide notice to the HHS. The third party servicers must also provide notice to PHR Vendors and PHR Management Services of any breach that it discovers and such notice must identify each affected individual.

Each breach is considered to be a violation of Federal Trade Commission Act on unfair and deceptive acts or practices and subject to civil penalties of up to $16,000 per breach. Pursuant to the HITECH Act, the FTC has adopted the Health Breach Notification Rule and stated that an unauthorized acquisition will be presumed to include unauthorized access to unsecured PHR identifiable health information (the FTC Rule). However, the presumption is a rebuttable one, provided the PHR Vendor, PHR Management Service or respective third party servicer that experienced the breach has reliable evidence showing there has not been, or could not reasonably have been, any unauthorized acquisition of such information. The FTC has decided that the FTC Rule ‘‘does not apply to HIPAA-covered entities, or to any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.’’

The notification requirements for breaches set forth in the FTC Rule are similar to the requirements of the HITECH Act. The FTC Rule essentially places the same notification obligations on PHR Vendors, PHR Management Services and their third party servicers that the HITECH Act places on covered entities and business associates. The enforcement of the FTC Rule commenced on February 22, 2010 and the FTC has already posted incidents of breaches and the names of the entities involved.

The HITECH Act and the FTC Rule have upped the ante for entities not subject to HIPAA and require any businesses which deal with PHR to evaluate their operations to ensure compliance. The HITECH Act and the FTC Rule also create additional complexity for entities which may be covered by HIPAA and then alternatively may be subject to the FTC Rule.

 

Penalties Under The HITECH Act

Initially it was unclear whether the criminal penalties for breaches of HIPAA were applicable to persons other than covered entities and business associates. In fact, the Department of Justice adopted the position that only covered entities and directors, officers and employees are subject to prosecution. Under the HITECH Act, Congress dealt with this ambiguity by stating that criminal penalties are applicable to persons other than covered entities.

The HITECH Act added that civil money penalties could be imposed for willful neglect along with knowing violations of HIPAA. The HITECH Act also implemented tiered civil penalties the severity of which depended on the nature of the violation. Violations due to willful neglect are now subject to civil money penalties and the Secretary of the Department of Health and Human Resources will be required to investigate such violations based on a complaint starting in 2011. There are four tiers of violations under the HITECH Act amendments.

 

 Tier Nature of Violation Range of Penalties
A Breach of HIPAA that is not known by the covered entity or could not have been known by exercising reasonable diligence Each violation = $100

Total amount of $25,000 for all violations of an identical requirement or prohibition in a calendar year

 

B Breach of HIPAA due to reasonable cause and not due to willful neglect Each violation= $1,000

Total amount of $100,000 for all violations of an identical requirement or prohibition in a calendar year

 

C Breach of HIPAA due to willful neglect which is corrected during the 30-day period beginning on the first date the person liable for the penalty or damages knew Each violation= $10,000

Total amount of $250,000 for all violations of an identical requirement or prohibition in a calendar year

 

D Breach of HIPAA due to willful neglect which is not corrected during the 30-day period beginning on the first date the person liable for the penalty or damages knew Each violation= $50,000

Total amount of $1,500,000 for all violations of an identical requirement or prohibition in a calendar year

 

All of the penalties imposed on any violator for any tier shall be limited to $1,500,000.

Written Notification Under The HITECH Act

In the event that a breach requiring notification under the HITECH Act occurs the covered entity or business associate must provide notification to the individuals affected by the breach. The outline below sets forth the requirements on such notices.
A. Timing of Notification:
i. Notification must be provided without unreasonable delay
ii. No later than 60 days after discovery of the breach
iii. A breach is discovered when it is first known to the covered entity or business associate
iv. “Known” means to the knowledge of an employee, officer or agent, other than the person committing the breach
v. Since the business associate must inform the covered entity of its breach, the clock does not start for the covered entity until it is informed by the business associate
vi. Notice may be delayed if a law enforcement official determines that it will adversely affect a criminal investigation or national security
B. Method of Notification
i. Notice must be provided in writing
ii. Notice must be sent by first class mail to the last known address or the next of kin
1) Electronic mail may be used if the individual expressed a preference
iii. If the contact information is out of date then a substitute method is required
1) If 10 or more individuals require this alternative method then the notice must conspicuous and for a length of time set by the Secretary of HHS
I. Alternative methods can be
a. On the home page of the website of the covered entity or business associate, or
b. In prominent media outlets (print or broadcast), including media outlets where affected individuals reside
c. These alternative methods must include a toll free number
iv. In addition to the above methods, a telephone call to affected individuals is permitted if there is high risk of “possible imminent misuse of unsecured” PHI
v. If a breach involves 500 or more residents of a defined geographic area, in addition to the above methods
1) Prominent media outlets shall be used to provide notification
2) HHS must also be notified immediately if unsecured PHI of 500 or more individuals is acquired or disclosed
I. Otherwise only a log has to be maintained which is submitted to HHS annually
II. HHS will publicly identify each reporting covered entity on its website and report them to Congress annually
C. Content of Notification
i. Regardless of the form all notifications must set forth:
1) Description of the breach and timing
2) Nature of the unsecured PHI subject to the breach
3) What affected individuals can do to protect themselves
4) Description of the efforts to investigate the breach, mitigate the harm and limit future breaches
5) How affected individuals may contact the covered entity or business associate to get assistance and access more information

HITECH Act Ups The Ante Under HIPAA

Passed on February 17, 2009, the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) requires entities covered by HIPAA and their business associates to notify each individual “whose unsecured PHI (protected health information) has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed” due to a breach. Protected health information is deemed to be secured when it has been encrypted or destroyed in accordance with the standards of the National Institute of Standards and Technology.

A breach is defined under the HITECH Act as “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.” The HITECH Act also sets forth two exceptions to reporting a breach when (1) an employee or authorized individual of a covered entity or a business associate has unauthorized acquisition, access, or use made in good faith within the course and scope of employment or other professional relationship and no further acquisition, access, use, or disclosure of the PHI takes place; or (2) an individual authorized to access the PHI at a facility operated by a covered entity or business associate inadvertently discloses the PHI to a similarly situated individual at the same facility and no further acquisition, access, use, or disclosure of the PHI takes place.

Written notification of a breach must take place without unreasonable delay i.e., no later than 60 calendar days after the circumstances of the breach is known by the covered entity or business associate’s employee, officer, or other agent, exclusive of the individual causing the breach. Notifications can be provided in electronic format if that preference is expressed and if the contact information is out of date or nonexistent then alternative notice must be provided via the website or major media outlets. The alternative notice methods must include a toll free number. If a large number of individuals in a state or jurisdiction are affected by the breach (i.e. 500 or more) then in addition to the usual notification methods, then notice must be provided via prominent media outlets. The notices must set forth the nature of the breach, the description of the PHI disclosed, the steps individuals have to take to protect themselves, the actions taken by the covered entity or business associate and contact procedures.

HITECH Act clarified an ambiguity under HIPAA and stated that the criminal penalties of HIPAA apply to persons other than covered entities. Thus business associates and other third parties which obtain or disclose PHI without authorization are subject to criminal penalties for disclosure of PHI. The civil penalties for failure to comply with HIPAA have been increased under the HITECH Act. HITECH Act implemented tiered penalties the severity of which depended on the nature of the violation. Violations due to willful neglect are now subject to civil money penalties and the Secretary of the Department of Health and Human Resources will be required to investigate such violations based on a complaint starting in 2011. There are four tiers of violations under the HITECH Act amendments. The penalties are escalated from $100 per violation at the lowest level to $50,000.00 per violation at the highest and the overall penalties for a calendar year can range from $25,000 to $1,500,000.

This summary only covers the salient points of the HITECH Act for the lay person. The details of
other provisions will be covered in other postings in this series.