Avoiding Legal Pitfalls in Sleep Center Operations


Vol. 15 • Issue 5 • Page 54

Knowing the nuances of patient privacy, fraud, and abuse laws can protect your staff.

The delivery of health care services is subject to pervasive state and federal regulations, and the operation of a sleep disorders center is no exception.

The state in which a center operates may require licensure, operational standards, credentialing, protection of patient information privacy, and more. Centers in certain states may find themselves exposed to potential liability for their sleep-deprived patients who engage in occupations such as truck driving, where falling asleep at the wheel can lead to highway tragedy.

At the federal level, sleep disorders centers must comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and, if they bill Medicare, Medicaid, or other federal health care programs, they must comply with federal fraud and abuse laws. Let’s review these federal requirements.

HIPAA’s transaction rule

HIPAA brought the health care industry federal regulation of patient information privacy, security, and electronic transactions. Any sleep disorders center that has conducted electronic transactions regulated by HIPAA — called the “standard transactions” — is a covered entity and must be in compliance.

The standard transactions include claims, remittance advice, eligibility for a health plan, referral certification, claims status, and coordination of benefits. Any of these transactions, conducted electronically with Medicare, Medicaid, and any other health plan, must be transmitted in the standard formats set by the transactions rule. That requirement applies whether a sleep disorders center conducts those transactions itself or through a billing service or other third party.

The Centers for Medicare and Medicaid Services, which enforce the transactions rule, allow health plans to have contingency plans under which they may accept noncompliant electronic standard transactions as long as they make good faith efforts to encourage their provider trading partners to achieve transactions rule compliance. But health plans may also require providers to submit electronic transactions only in compliance with the transactions rule.

Medicare abandoned its contingency plan in July 2005. Since then, Medicare won’t pay claims unless they’re submitted electronically as standard transactions, except from small suppliers.

A sleep disorders center qualifies as a small supplier only if it has fewer than 10 full-time equivalent employees. For more information on transactions rule compliance, look at www.cms.hhs.gov/TransactionCodeSetsStands.

In addition, before May 23, 2007, centers that conduct standard transactions will need to obtain a unique “National Provider Identifier” (NPI) for use in those transactions. Check www.cms.hhs.gov/NationalProvIdentStand for details about obtaining and using the NPI.

Privacy and security rules

The privacy and security rules impose stringent requirements on how covered entities may use and disclose patient medical information, called protected health information. The privacy rule applies to protected health information in any format and no matter how communicated, whether on paper, by computers, or orally. The security rule applies only to protected health information in electronic form as transmitted and maintained by computers.

Both rules require a sleep disorders center that’s a covered entity to have written policies and procedures addressing how it protects the confidentiality, security, and integrity of protected health information, to train its employees on these policies and procedures, and to enforce compliance with them.

The center also must have a notice of its privacy practices that’s consistent with privacy rule requirements and its policies and procedures. This notice must be given to each patient at the first visit, and the patient must be requested to sign an acknowledgement of its receipt.

For detailed information on privacy rule compliance, look at the Web site of the Office for Civil Rights of the Department of Health and Human Services (HHS) at www.hhs.gov/ocr/hipaa. For detailed information on security rule compliance, visit www.cms.hhs.gov/SecurityStandard.

Business associates

A key requirement of the privacy and security rules is that a sleep disorders center that’s a covered entity must have written “business associate” contracts with each person or organization that performs a function or activity on the center’s behalf involving the center’s protected health information. For example, an independent physician that a center engages to serve as its medical director is usually the center’s “business associate.” So is a billing service that a center hires to manage its claims submissions.

Similarly, a sleep disorders center that decides to outsource its polysomnographic data for off-site, and perhaps off-shore, analysis is engaging a business associate. Whether the business associate is in Indiana or India, the center must have a written business associate contract with the outsourced vendor.

The privacy and security rules require that specific terms be included in these business associate contracts to ensure that the business associates maintain the privacy and security of the center’s protected health information.

While those required terms are the same whether the business associate is located within or without the United States, a center should carefully consider the enforceability of the contract and, hence, its ability to prevent misuse of its protected health information in foreign jurisdictions.

Federal fraud and abuse controls

Sleep disorders centers that bill Medicare, Medicaid, or other federal health care programs such as CHAMPUS, TRICARE, SCHIPs, or Veterans’ Health face an array of federal fraud and abuse control laws. Violation of these laws carries breathtaking penalties: criminal fines, prison terms, civil monetary penalties, exclusion from Medicare, Medicaid, and other federal health care programs, and even exposure to whistle-blower lawsuits. It’s prudent to stay on the legal side of these laws, which include the anti-kickback law and Stark Law.

The anti-kickback law reaches just about every arrangement that involves the exchange of anything of value — no matter how small — intended to induce or influence referrals or the generation of business for which Medicare, Medicaid, or another federal health care program may pay.

Specifically, anyone who knowingly and willfully offers, pays, solicits, or receives any remuneration, at least one purpose of which is to induce or to pay for referrals or business for which a federal health care program may pay, commits a federal felony. Both sides of an illegal referral arrangement violate the anti-kickback law.

The anti-kickback law allows for several safe harbors to give health care organizations protection from its expansive reach. There are safe harbors for investments by referral sources, for space and equipment rentals, for personal services and management contracts, employment, discounts, and more.

For example, the safe harbor for management contracts is useful for a sleep disorders center that engages a physician who’s a referral source to act as its medical director. The safe harbors are highly technical and complicated and must be carefully examined to ensure that every one of a safe harbor’s elements is satisfied.

While it’s wise to try to fit potentially suspect arrangements within a safe harbor, an arrangement that doesn’t satisfy a safe harbor isn’t necessarily illegal. Rather, it must be examined on its particular facts to determine if at least one purpose of the arrangement is to induce referrals of Medicare, Medicaid, or other federal health care program business.

An alternative for arrangements that don’t meet a safe harbor, but seem benign, is to obtain an advisory opinion from the HHS Office of Inspector General (OIG). If the opinion clears the arrangement, the parties to it are protected from an OIG enforcement action on that arrangement under the anti-kickback law.

For detailed information on the safe harbors, OIG’s fraud alerts, compliance program guidance, and other useful information regarding federal fraud and abuse enforcement, examine the OIG’s Web site at www.oig.hhs.gov.

Stark law

Few laws are as complicated as the Stark physician self-referral prohibitions. Stark prohibits a physician with a direct or indirect “financial relationship” with an entity from making referrals to that entity for “designated health services” (DHS) payable by Medicare or Medicaid, unless an exception applies.

Stark prohibits the entity furnishing the DHS from billing any payer for DHS furnished to a Medicare or Medicaid beneficiary as a result of a tainted referral.

There are 10 DHS. Sleep medicine and sleep disorder testing aren’t among them. Hence, Stark doesn’t apply to referrals to a sleep disorders center from physicians with financial relationships with the center.

Durable medical equipment is a DHS. Hence, Stark applies to referrals to a sleep disorders center dispensing continuous positive airway pressure devices and other DME from physicians with financial relationships with the center. Of particular note, physicians who own a sleep disorders center can’t dispense CPAP or other DME to Medicare or Medicaid beneficiaries and legally bill anyone for that service.

A physician has a financial relationship with an entity furnishing DHS if the physician or an immediate family member has either an ownership or other investment interest in or a compensation arrangement with the entity.

Many complex and technical exceptions to Stark exist, and every element must be satisfied to enjoy the insulation of the exception. For guidance on Stark compliance, examine the CMS Web site at www.cms.hhs.gov/MedlearnProducts/40_PhysSelfReferral.asp.

Jack Rovner is senior partner and co-chair of the Health Law Practice Group at the law firm of Neal, Gerber & Eisenberg LLP, Chicago. Contact jrovner@ngelaw.com or (312) 269-8014.