Category Archive for ‘Medical Privacy & Security’
The New Managed Care Bill
by Scott Einiger, Esq.
How Is Your Medical Office Affected by the New Managed Care Bill?
A significant piece of legislation changing the method by which carriers could seek overpayment demands and audits was signed into law by Governor George Pataki on August 18, 2006. This new legislation changes how carriers process claims for reimbursement and expedites the application process for in-network physicians and providers.
The law’s most significant change is shortening carriers’ overpayment recovery time to two years from the original payment, as opposed to the current six-year contract statute of limitations, unless a reasonable belief of fraud and several other procedural conditions exist.
Effective as of January 1, 2007, the following procedural changes will be implemented:
Time Limitation on Recovery Demands:
Under the Prompt Payment Law (Insurance Law, Section 3224-a), health insurance plans must pay undisputed claims within 45 days after submission of the claim by a physician. Prior to this new legislation, the carriers circumvented this requirement by seeking a refund of claims subsequent to payment, and sought recovery of overpayments of claims made during the past six years prior to the demand. The new legislation limits the time period available for overpayment recovery efforts, as they may no longer be initiated against a physician more than two years after the original payment was received by the physician. The legislation has the following noteworthy exceptions to the two-year rule:
• a reasonable belief of fraud or other intentional misconduct, or abusive billing;
• required by, or initiated at the request of, a self-insured plan; or
• required by a state or federal government program.
Certainly, as seen from the recent Class Action Settlement proceedings against certain carriers, these exceptions may encourage carriers to allege fraud in order to take advantage of the longer statute of limitations. However, if the carriers do allege a reasonable suspicion of fraud, it seems they will be required to demonstrate that the belief is reasonable and that they undertook other actions regarding this reasonable suspicion of fraud, i.e., reporting to the Office of Professional Medical Conduct (OPMC).
Coding Standards and Processing:
Whereas previously, it was required that health insurance plans follow the American Medical Association Current Procedural Terminology (AMA-CPT), this legislation requires that all health plans now accept or will initiate the processing of claims consistent with the current version of the AMA-CPT codes. This conformity with the AMA-CPT guidelines will more likely ensure that reviews and overpayment demands will have some guidelines. Some carriers now just make routine reference to Medicare standards or some other standard outside the CPT guidelines, as it suits them.
As many physicians are aware, many carriers unilaterally offset monies they believe that they are owed against future payments to the provider on completely unrelated services performed in good faith to different patients. Oftentimes, carriers bury this offset of monies within the Explanation of Benefits and simply deduct the amounts so that it appears as if the carrier is owed no monies, or has a negative balance (i.e., the physician owes monies to the carrier).
The new managed care law requires that before a health plan may seek recovery of an alleged overpayment by an offset, the health plan must provide 30-days written notice to the doctor providing the patient’s name, service date, and payment amount allegedly overpaid. This practice should alleviate random unilateral withdrawals of monies by the carrier from services rendered to different patients when those services are not at issue. The carrier must also inform the doctor of the proposed adjustment amount and include a reasonably specific explanation of the proposed adjustment.
The new managed care law amends current Insurance Law, setting a 90-day time limit on health plans’ credentialing process for physicians seeking to participate in the insurer’s network. Additionally, the law prescribes several limited circumstances under which the time will be extended beyond the 90-day time frame, i.e., the insurer must have tried and been unable to complete the process despite best efforts.
The abbreviated “statute of limitations” under this new law is extremely significant, as carriers will not be able to capitalize on the six-year time frame to make an enormous refund demand. Additionally, if the carrier does attempt to go beyond the two-year period, it must set forth a reasonable suspicion of fraud. Certainly carriers may use the word “fraud” to their own advantage, but they had better have the substance behind it, including a “reasonable belief;” otherwise there may be legal recourse for providers wrongly accused of fraud.
By requiring acceptance of the AMA’s CPT codes, the implementation of a time limit for health plans to demand refunds, and requiring health plans to act within 90 days to complete credentialing applications by physicians, the practical significance of this legislation is clear and will have a positive impact. Chances are, your medical office will see some of the benefits of dealing with the carriers once the new law is implemented.
The New York County Medical Society, the Medical Society of the State of New York and its partners have worked for years for the passage of this legislation on behalf of New York’s doctors. Members can look at their own circumstances and bring questions to the Society’s legal services.
To be referred, call the Society at (212) 684-4670, ext. 212 or 214, or the Regulatory Division at Abrams, Fensterman, Fensterman, Eisman, Formato, Ferrara, & Einiger, LLP, (212) 279-9200.
Medical Privacy and Security
by Scott Einiger, Esq.
Medical Privacy and Security: Is Your Medical Office Ready for HIPAA?
Protecting confidential medical information has historically been addressed on a local level with each state setting its own rules and regulations. In New York State, the legal protections afforded individuals concerning their confidential medical information are delineated by statute in the Civil Practice Law and Rules (CPLR), Public Health Law and Mental Hygiene Law.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was originally enacted to enhance (not guarantee) certain health care insurance coverage for Americans. HIPAA also creates a national, standardized set of rules for maintaining (security) and protecting (confidential) patient medical information known as PHI (Protected Health Information). The privacy component of the HIPAA law will go into effect on the first medical service delivery on April 14, 2003. The law has recently undergone significant amendments since the “Final Rule” was originally enacted. While the Federal Law will not pre-empt more restrictive state law, HIPAA does create certain mandatory procedures that must be implemented by all covered entities to avoid potential monetary fines and, for intentional acts, even possible criminal penalties.
While the HIPAA regulations may continue to undergo further fine tuning to address various practical concerns, it is imperative that physicians and their administrative office staff not wait to educate themselves about the federal law’s purpose and the actual legal requirements. Undertaking to educate the office staff is one of the key requirements of the law. Implementing a written compliance plan is another. Waiting until the effective date could prove costly. The failure to institute a good faith and reasonable office compliance program, to provide privacy notice to patients concerning their rights, to protect against the unauthorized release of confidential records and to implement security safeguards for data in transit and maintained in the office could potentially place physician owners, their employees (including administrative office staff) and even business associates at grave risk for potential monetary fines and even criminal penalties for the unauthorized disclosure of PHI. The Office for Civil Rights (OCR) is responsible for implementing and enforcing the privacy regulation.
II. Covered Entities and Covered Services
Covered entities within HIPAA’s jurisdictional reach would include those that either provide, pay for or submit electronically information concerning health care services or billing information, including hospitals, health plans, group and solo medical offices. Virtually every individual physician practitioner and group medical practice is a covered entity under the jurisdiction of the HIPAA federal law, as submission of their claims to managed care entities and/or governmental programs (Medicaid/Medicare) will all be done electronically. This includes the services (i.e., tests, procedures) provided directly to the patients by primary care physicians and also includes medical services indirectly performed or tests or procedures ordered by medical consultants at the direction or order of another physician (i.e., consultants such as radiologists).
III. Protected Health Information
Once an entity falls under the jurisdiction of HIPAA, Protected Health Information (PHI) under the federal law is broadly defined and includes all information, whether recorded or oral, that relates to past, present or future health conditions, medical care or payment for said conditions or care. Creating an effective confidentiality and security compliance program will help avoid the penalties and sanctions that apply for noncompliant programs. Such penalties and sanctions could include civil penalties and fines for each violation ($100 per violation with a maximum penalty of $25,000/year for identical penalties) and, for intentional violations of the law, could even include criminal penalties (i.e., fines between $50,000 – $250,000 and imprisonment terms between 1 to 10 years).
HIPAA is a complex and extensive national initiative which includes at its core rules that govern: notice to patients of their rights, protection of confidential medical information and rules for medical professionals to implement reasonable precautions and safeguards to protect the privacy and security of confidential Protected Health Information (PHI). It behooves all medical offices, which include the physician owners, employees and administrative staffs, to learn HIPAA’s rules, as there are serious monetary fines and even criminal (if intentional) penalties for unauthorized disclosures of PHI as of April 14, 2003.
 (CPLR 4504, Public Health Law 18, Article 27-F of the Public Health Law and MHL 2205).