Health Care Provider's Legal Requirements for 2012


On January 1, people ponder the past and resolve to make the most of the coming year. This article provides ten resolutions for health care providers. These resolutions are designed to remind providers of various legal requirements and to help providers make the most of 2012.

1. Providers should verify that their HIPAA policies are applicable to modern technology, such as smart phones, texting, and other forms of electronic devices and social media. Under the HIPAA Security Rule, covered entities, such as hospitals and provider offices, must implement administrative, physical, and technical safeguards for protected health information (PHI) that is in an electronic format. With the continuous development in technology, covered entities should routinely conduct risk assessments and adjust policies and procedures so that the integrity, confidentiality, and availability of electronic PHI remain protected.

2. A similar goal for 2012 should be to ensure that agreements with business associates (BAs) reflect changes required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, including requiring the BA to comply with the HIPAA Security Rule. Since HITECH, the HIPAA Privacy and Security Rules apply directly to BAs. BAs include all persons and entities to which a provider discloses PHI for the business purposes of the provider. Thus, claims processors, data analysts, billing and collection agencies, attorneys, accountants, and consultants can all qualify as business associates under HIPAA. In addition to compliance with the Privacy and Security Rules, HIPAA mandates that agreements with BAs obligate the BA to meet other requirements as well. BAs may agree to meet these requirements in the main body of the contract with the provider, in an addendum to the contract, or in a separate agreement.

3. Providers should expand their review of contractual arrangements to meet a third goal for 2012—that is, to reassess arrangements implicating the federal proscription on physician self-referrals (commonly known as the “Stark Law”) to ensure they fully comply with a Stark exception. Providers are now required to self-disclose violations of Stark Law requirements or face possible false claims liability. The Stark regulations allow for a limited “grace period” for correction of technical non-compliance, such as inadvertent failure to obtain a signature. Now is a good time to ensure that all physician contracts are signed and current. Where appropriate, consider adding automatic renewal language to contracts, to avoid accidental non-compliance when a contract expires. In addition, providers should verify that any remuneration is consistent with fair market valuations for 2012.

4. The Stark Law provides an exception for non-monetary compensation up to a certain dollar limit that is adjusted for inflation. In 2012, the dollar limit will increase to $373. Providers should, therefore, adjust their tracking systems to reflect the change. Additionally, hospitals providing such compensation should check for any inadvertent overages and ensure that physicians repay excess amounts in the time allotted under the law.

5. Providers should ensure that they adhere to policies and procedures for initial and ongoing checks of the exclusions database maintained by the Office of Inspector General (OIG). The OIG has the authority to impose civil monetary penalties (CMPs) on providers that employ or contract with individuals or entities excluded from participation in a federal health care program. The longer a provider employs or contracts with an excluded individual or entity, the greater the CMP will be. According to reports on the OIG website, numerous entities have paid CMPs because of an excluded employee. Nothing can ruin a good year like an unwelcome visit from the OIG; therefore, providers should routinely check the exclusions database during 2012.

6. No New Year resolution plan is complete without a goal to lose some excess weight. To meet this goal, providers should clean out record archives and shed the weight of any records retained longer than the period specified in the record retention policy. For hospitals, the policy should require retention of medical records for a minimum of ten years for adult patients. Hospitals should retain records of patients younger than 18 until either the patient’s 20th birthday or the 10th anniversary of the last treatment, whichever date occurs later. It is important to destroy documents in the normal course of business, in accordance with the retention policy. No documents relevant to ongoing or threatened litigation or investigations should be destroyed, however.

7. No resolution plan is complete without a review of last year’s account statements. Under the Deficit Reduction Act, a provider receiving at least $5 million annually from Medicaid must have policies and procedures concerning federal and state false claims acts and whistleblower protections. Also, such providers must educate their employees on these policies and procedures. In 2012, therefore, providers should review their account statements from 2011 and implement any needed policies and procedures. A policy regarding whistleblower protections will also help tax-exempt organizations present a good case on IRS form 990 in 2012. IRS form 990 requires tax-exempt hospitals to indicate whether they have policies and procedures regarding not only whistleblower protections but also conflicts of interests applicable to board members, officers, and high-ranking employees.

8. Providers other than tax-exempt organizations can also benefit from policies and procedures that effectively address conflicts of interests. When providers make decisions tainted by a personal or economic conflict of interest, the conflict may hinder the achievement of the provider’s ultimate goal—that is, an unwavering focus on providing quality health care. As the eighth goal for 2012, hospitals and medical staffs should implement workable policies and procedures that address conflicts of interests that may arise during the decisionmaking process.

9. Providers should ensure that their procedures regarding consent forms and disclosures of risks are consistent with the requirements promulgated by the Texas Medical Disclosure Panel (TMDP). In the Texas Administrative Code, the TMDP has identified certain procedures that require full disclosure of specified risks. Also, the TMDP provides a model consent form for most procedures along with specialized consent forms for radiation therapy and hysterectomies.

10. As a final resolution for 2012, providers should update the information they provided to Medicare on their enrollment applications. To notify Medicare of changes, providers may submit the pertinent information on the applicable CMS-855 paper form. Hospitals may report on the CMS-855B form, while physicians and non-physician practitioners can utilize the CMS-855I form. Providers may also update their enrollment information electronically through the Provider Enrollment, Chain and Ownership System.

By pursuing the ten goals identified in this article, providers will have a solid start in 2012.