Law Protecting Emergency Medical Care Providers from Assault While Providing Emergency Medical Care

          We write to bring your attention to a Maine criminal statute that specifically protects emergency health care providers from assault while those providers are providing emergency services.  This law, 17-A M.R.S.A. §752-C, makes it a Class C crime to intentionally, knowingly or recklessly cause bodily injury to hospital and emergency medical services personnel assisting in a medical emergency.  A Class C crime is punishable by up to five years in prison. 

            If a health care provider is assaulted while assisting a patient in an emergent medical situation, either the individual who was assaulted, the hospital where the assault occurred, or the employer who employs the emergency medical services worker, can all request that charges be pressed on behalf of the victim.  It has recently come to our attention that some law enforcement officials are not aware of this statute.  Therefore, it is incumbent for hospitals and hospital administration to be aware of this law, and to bring it to the attention of law enforcement officers responding to an alleged assault of emergency department personnel. 

            If enforced vigorously, and with increased awareness by law enforcement officials and health care administration alike, this law should be a valuable tool in helping health care facilities protect their emergency health care providers who might otherwise feel vulnerable while providing a vital public service in an often unpredictable emergency medical care environment. 

            If you have questions regarding this law or its implications for your hospital or health care facility, please do not hesitate to contact us.

Recovery Audit Contractor Program

The Centers for Medicare & Medicaid Services announced today that Diversified Collection Services, Inc. of Livermore, California (“DCS”), will be the Recovery Audit Contractor (the “RAC”) for the State of Maine.   

The RAC Program 

The awarding of the contract is significant because it represents commencement of the recovery audit program in Maine.  Providers should be aware that implementation of the recovery audit program means that they may be the subject of a RAC audit.  Audited providers may be asked to present documentation to support claims paid up to three years preceding the date that the audit commences, but in no event earlier than October 1, 2007.   

According to CMS, DCS will: (i) identify and collect Medicare claims overpayments that were not previously identified by other contractors, such as Medicare carriers and fiscal Intermediaries, and (ii) identify underpayments to providers.  DCS will be compensated by the government on a contingency fee basis, which will be measured by the amount of overpayments collected and underpayments identified.  

As of June 2008, as the result of its three-year RAC demonstration project in selected states, CMS collected from providers $992.7 Million in improper overpayments and paid $37.8 Million in underpayments, all relating to claim and Medicare Secondary Payor audits.   

Appeal Rights

Under the RAC program, Medicare providers will have the same appeal rights they would have if CMS or a Carrier or Fiscal Intermediary identified the alleged overpayment. This includes five potential stages of appeal: a redetermination by the Carrier or Fiscal Intermediary; a reconsideration submitted to a Qualified Independent Contractor; an appeal to an Administrative Law Judge; an appeal to the Medicare Appeals Council; and, finally, an appeal to the federal district court.  At each level of appeal certain guidelines must be adhered to, as failure to follow them could result in the inability to continue the appeals process.

In the demonstration project, the appeals process produced some success in reversing project determinations.  To date, a net $693.6 Million has been returned to the Medicare Trust Fund.  Notably, 85% of overpayments were recouped from inpatient providers. 

What Happens Next? 

As soon as practicable, CMS will initiate informational and educational provider outreach before audit notices are issued to hospitals throughout the State.   

We have been closely monitoring the RAC initiative and expect it to have an impact on Maine providers.  Please contact Julius Ciembroniewicz or Allana Barrington if you have any questions or if you would like assistance in anticipating or preparing for an audit.

Conflict Management Processes Required for 2009

As you may be aware, The Joint Commission has made numerous changes and additions to its performance standards effective January 1, 2009.  Among the additions is a new Leadership Standard that calls for a formal process of managing conflict between leadership groups to protect the quality and safety of care.

The rationale behind this addition is a recognition that conflict occurs even in well-functioning organizations, and while it may at times be productive, unresolved conflict at the leadership level, whether regarding practices, procedures, policies or otherwise, may adversely impact the quality of patient care.

The language of Standard LD.02.04.01* is as follows:

The [organization] manages conflict between leadership groups to protect the quality and safety of care.

The related Elements of Performance are as follows:

1. Senior managers and leaders for the organized medical staff work with the governing body to develop an ongoing process for managing conflict among leadership groups. 
2. The governing body approves the process for managing conflict among leadership groups.  
3. Individuals who help the hospital implement the process are skilled in conflict management. Note: These individuals may be from either inside or outside the hospital. 
4. The conflict management process includes the following: 

- Meeting with the involved parties as early as possible to identify the conflict 

- Gathering information regarding the conflict 

- Working with the parties to manage, and, when possible, resolve the conflict 

- Protecting the safety and quality of care           

5. The hospital implements the process when a conflict arises that, if not managed, could adversely affect patient safety or quality of care. 

Given these clear Joint Commission requirements, all Joint Commission accredited hospitals must develop a process, approved by the governing body, to help manage conflict among leadership groups.   

We can help in several ways: 

*          We have assisted a number of hospitals in establishing Joint Commission Conference Committees to address issues creating conflicts between the Board, hospital administration, and/or the Medical Staff.   

*          We can provide conflict resolution training tailored to your organization’s needs. Several of our attorneys are trained in conflict management and available to assist with education, development of policies, processes, and board presentations.  

*          We can serve as neutral facilitators, mediators, or arbitrators in your dispute resolution processes. Our conflict resolution experience collectively includes mediating or facilitating business, municipal, health care, and end-of-life care matters. Our training includes successful completion of Mediation and Arbitration courses from the American Health Lawyers Association; the Certificate Program in Mediation at University of Southern Maine; coursework and experience in bioethics mediation, as well as mediation of civil litigation matters and other disputes.   

Please contact us with any questions or to set up an appointment to help your organization meet its Joint Commission leadership and patient safety accreditation standards.

* 2008 Pre-Publication Version. This Standard was previously proposed as LD.2.40 in late 2006 and open for comment through early 2007.

CMS Issues Sample Interview and Documentation Request for Onsite HIPAA Security Reviews

CMS recently posted to its website a document that give hospitals some insight into, and some guidance in preparing for, a possible HIPAA Security review. The link is attached, below.

Please contact us if we can help you prepare for a possible audit of your organization’s EPHI policies and practices.

http://www.cms.hhs.gov/Enforcement/Downloads/InformationRequestforComplianceReviews.pdf

Electronic Security Breach Leads to HIPAA Resolution Agreement and Corrective Action Plan

On July 16, 2008, the U.S. Department of Health & Human Services (“HHS”) entered into a  Resolution Agreement with Providence Health & Services, Providence Health System – Oregon, and Providence Hospice and Home Care (“Providence”) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules. Providence made no admission of liability. This is the first such “Resolution Agreement” required of a covered entity in the HIPAA context.

As a result of the cooperation of Providence with both the Office of Civil Rights (OCR) and Centers for Medicare and Medicaid Services (CMS), Providence agreed to pay a $100,000 “Resolution Amount” (not a civil monetary penalty) and to implement a robust Corrective Action Plan (“CAP”), performing certain obligations for a period of three years.

The matter arose as a result of HIPAA security breaches at two of the three Providence entities. Specifically, on several occasions in 2005 and 2006, back up tapes, optical disks and laptops, all containing unencrypted Electronic Protected Health Information  (ePHI), were removed from the premises of the covered entity and left unattended, and subsequently lost or stolen, compromising the ePHI of over 386,000 patients. Pursuant to state notification laws, patients were alerted to the losses or thefts, which led to over 30 complaints to HHS.

Along with the monies paid to HHS, Providence agreed to numerous obligations under the CAP, including:

*   Conducting a risk assessment regarding potential vulnerabilities to confidentiality, integrity, and availability of ePHI when created, received, maintained, or used off-site;

*   Implementation of a risk assessment plan to reduce identified risks and vulnerabilities;

*  Revision or development (subject to HHS approval) of policies and procedures regarding physical and technical safeguards and encryption of back-up electronic media transported or stored off-site containing ePHI, as well as the same regarding portable electronic devices;

*  Signed written or electronic compliance certification from each member of the workforce that receives the Policies and Procedures including a statement that the workforce member has read, understands, and shall abide by the requirements therein;

*  Implementation of other technical safeguards regarding back-up electronic media and portable devices that contain ePHI (such as password protection);

*  Agreement to report violations by Providence workforce members to HHS;

*  Training workforce members, within 90 days of HHS Policy and Procedure approval by HHS (or within 30 days for new hires), and agreement to review training annually, with proof of attendance;

*  Quarterly monitoring and documentation of monitoring reviews to ensure compliance with policies, including assurance that all portable devices, including laptop, Blackberry, personal digital assistant, etc., satisfy HHS-approved Policy and Procedure requirements;

*  Development of a written Implementation Report within 120 days of receiving approval by HHS of Policies and Procedures that includes attestations attesting to, among other things, the distribution of such Policies and Procedures, the training of the workforce together with training materials, and the truth of the contents of the report itself;

*  Submission of annual reports reflecting compliance with the CAP.

What does this mean for your organization? Kozak & Gayer recommends developing or reviewing your risk assessment regarding electronic security for all ePHI, to ensure compliance with HIPAA’s physical, technical and administrative requirements.  Ensure that workforce members are trained on your ePHI security policies and practices, and monitor regularly for effectiveness. Make sure that all the right stakeholders are involved in your ePHI compliance efforts, and consider how your organization would respond to a breach of patient privacy both during business hours and off-hours. Develop processes for complying with Maine’s Notice of Risk to Personal Data Act (applicable to health care entities), which requires holders of personal information to alert individuals of any risk to their information that could even potentially lead to identity theft.

Hospital Implications of Newly Revised PhRMA Code - July 2008

The Pharmaceutical Research and Manufacturers of America ("PhRMA") Board of Directors has adopted measures to enhance the PhRMA Code on Interactions with Healthcare Professionals ("the Code"). Because the Code was originally developed by PhRMA to avoid government regulation of gifts to prescribing physicians and practitioners, it may be prudent for hospitals to be familiar with the Code's provisions when drafting vendor policies. The revised Code:

1. Prohibits distribution of non-educational items to healthcare providers and their staff. Examples include pens, mugs and other objects with a company or product logo.

2. Prohibits sales representatives from providing restaurant meals to healthcare professionals, but allows them to provide occasional meals in healthcare professionals' offices in conjunction with informational presentations. Similarly, the Code reaffirms and strengthens previous statements that drug companies should not provide any entertainment or recreational benefits to healthcare professionals.

3. Includes new provisions that require companies to ensure that their representatives are sufficiently trained about applicable laws, regulations and industry codes and to take appropriate action if they fail to comply with relevant standards of conduct.

4. Provides that each drug company must state its intentions to abide by the Code and that company CEOs and Compliance Officers will certify each year that they have processes in place to comply.

The new Code is available at:

http://www.phrma.org/files/PhRMA%20Marketing%20Code%202008.pdf

If you have any questions, please give us a call and we would be happy to assist you.

Mandatory Posting of Compensation of Certain Officers and Directors

The Maine legislature enacted at its recent session 13-B M.R.S.A. § 713-A(2-A), which requires nonprofit corporations to post on their websites the total compensation paid by the corporation to any director or officer if the total compensation exceeds $250,000 in any 12-month period. The statute states:

"A public benefit corporation that receives at least 25% of its total funding from one or more municipal, county, state or federal sources shall provide to the public information about the total compensation paid by the corporation to any director or officer of the corporation if the compensation exceeds $250,000 in any 12-month period. The corporation shall make the information available by posting the information on its publicly accessible website or through other comparable means. "Compensation" includes all remuneration and benefits."

The statutory mandate applies, of course, to all Maine hospitals. By way of reminder, hospitals must comply with the statute by July 18, 2008.

If you have any questions regarding application of the statute, please let us know.