The Scope E-NewsletterJune 2010 Compliance Update: Reimbursement and Privacy

With the passage of sweeping healthcare reform legislation over the past year, there is no doubt many faculty, residents, fellows and staff are wondering what it means and how it will affect operations in the Compliance Office. To ease the transition, Will Wallace, JD, Compliance Officer, has started a "Compliance Update" column to provide monthly updates.

Medicare and Medicaid Reimbursement

Pursuant to §6402(d) of the Patient Protection and Affordable Care Act of 2010 (PPACA) and effective March 23, 2010, all identified overpayments are to be returned to Centers for Medicare and Medicaid Services within 60 days or the date any corresponding cost report is due. There is no minimum amount, and the refund is to be accompanied by a written explanation for the overpayment. Refunds should be made to Cahaba, which is the Medicare Area Contractor for our region. Cahaba staff have advised that overpayment refunds are to be accompanied by Cahaba's refund form, which includes a section for explaining the reason for the overpayment. If they change their view as to the written explanation, a notification will be made to GSM faculty and staff. Retention of overpayments past the 60 day period will bring exposure to civil and criminal False Claim Act liability.

Pursuant to §6404 of PPACA and effective January 1, 2010, the timely filing requirements for Medicare Fee for Service claims have been amended. Faculty and staff now have one calendar year after the date of service to file a claim. Claims with dates of service prior to October 1, 2009, will be subject to pre-PPACA timely filing rules and associated edits. Claims with dates of service October 1, 2009, through December 31, 2009, received after December 31, 2010, will be denied as being past the timely filing deadline. Claims with dates of service January 1, 2010, and later received more than one calendar year beyond the date of service will be denied as being past the timely filing deadline. This topic is specifically addressed in Medicare Learning Network Matters #MM6960 and can be found on the CMS website.

HIPAA and HITECH

With the fast approaching deadlines for adoption of electronic medical records, significant changes have been made to the Health Insurance Portability and Accountability Act (HIPAA) via the Health Information Technology for Economic and Clinical Health (HITECH) Act. These changes pertain to notification of breaches of Protected Health Information (PHI). These changes have been outlined on the Office of Compliance HIPAA Privacy page on The Pulse under "Breach Notification." This policy defines a breach of PHI and the necessary steps to be taken to notify patients and the Secretary of Health and Human Services.

The HIPAA Privacy and Security provisions now apply directly to Business Associates (BA) that you contract with to perform functions or activities on your behalf where PHI is used or shared. In the past you were only required to get assurance from BAs that they would keep the PHI confidential. Now the BA agreement must reflect that the BA has HIPAA Privacy and Security policies in place. Many companies do not want to be considered a BA any longer and are balking at signing new BA agreements. However, if PHI is shared with them, then it is a requirement that they have the policies in place before you can use their services.

For questions and further information, contact Will Wallace, JD.