HIPAA Omnibus Rule imposes new standards for handling potential breaches of health information
By Gary Siller and Kathleen Quiroz, Strasburger & Price, LLP
The HIPAA Final Omnibus Rule (“Omnibus Rule”)1 establishes new standards for evaluating and addressing potential breaches of unsecured protected health information (“PHI”). Entities subject to HIPAA, or “Covered Entities,” must comply with these standards by September 23, 2013. This means that you may encounter consequences well beyond what you ever expected if your laptop that contains unsecured PHI is lost or stolen.
The federal government -- itself victim to the periodic inability to secure its own sensitive and confidential information -- continues an unrelenting pursuit against anyone who inadvertently puts PHI at risk of disclosure. In an attempt to prevent the potential breach of unsecured PHI, the Omnibus Rule now imposes more penalties and burdensome regulations than ever before, contributing to the continual increase in the cost of healthcare.
When a Covered Entity discovers a breach of its unsecured PHI, the HITECH Act2 mandates that the Covered Entity provide notice of the breach to all individuals whose PHI was subject to the breach. Covered Entities must also provide notice to the Secretary of the Department of Health and Human Services (“HHS”) and, in some instances, to one or more prominent media outlets.
3 The term “unsecured” does not simply mean that your stolen laptop, or other electronic data, was not password-protected. PHI is unsecured anytime it is not rendered “unusable, unreadable or indecipherable to unauthorized individuals through use of a technology or methodology” specified by the Secretary of HHS. To date, the only way to secure PHI is to encrypt it or destroy it.
HHS initially issued the Interim Final Rule4 for breach notifications in August 2009. This interim rule set forth the requirements to determine when a breach of unsecured PHI occurred as well as how, when, and to whom to report such a breach. With the January 2013 publication of the Omnibus Rule, HHS implements sweeping changes to HIPAA and its privacy, security and enforcement rules, including the breach notification requirements.
The most notable change made by the Omnibus Rule to the Interim Final Rule is the change in the standard for determining what constitutes a “breach” of unsecured PHI. The HITECH Act itself defines a “breach” as the acquisition, access, use or disclosure of PHI in a manner not permitted by HIPAA that otherwise compromises the security or privacy of the PHI. The standard established by the Interim Final Rule for determining whether an individual’s PHI has been compromised (a standard which is commonly referred to as the “harm threshold”) requires a risk analysis on the potential financial, reputational or other harm to the individual.
After September 23, 2013, the “harm threshold” no longer applies. Any acquisition, access, use or disclosure of unsecured PHI in a manner not permitted by HIPAA will be presumed to be a breach. To overcome this presumption, the Covered Entity or business associate must demonstrate (and document) the low probability that the PHI was compromised. The factors to be weighed in assessing the probability of compromise must include the following four factors at a minimum:
The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
• the unauthorized person who used the PHI or to whom the disclosure was made;
• whether the PHI was actually acquired or viewed; and
• the extent to which the risk of harm to the affected individuals has been mitigated.
Another important change after September 23 involves the acquisition, access, use or disclosure of limited data sets that do not include any dates of birth or zip codes. Under the Interim Final Rule, any such acquisition, access, use or disclosure of such limited data sets would not constitute a breach that would trigger the breach notification requirements. But under the Omnibus Rule, any acquisition, access, use or disclosure of limited data sets, including those that do not involve dates of birth or zip codes, will be subject to the default presumption that a breach has occurred.
Potential sanctions for failing to provide notice required by the Omnibus Rule, or by the corresponding provisions in the Texas Business and Commerce Code, are significant. In fact, state law notification requirements could be more extensive than the HITECH breach notification requirements, so any evaluation of whether a breach has occurred and, if so, how, when and to whom such a breach must be reported, should include an analysis of all applicable state and federal laws. Moreover, Covered Entities and business associates must be proactive and institute the necessary protections to avoid a potential breach of PHI.
 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5566 (Jan. 25, 2013) (to be codified at 45 CFR pts. 160 & 164).
 The Health Information Technology for Economic and Clinical Health Act, Pub. L. 111-5 (2009), Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009.
 If a business associate becomes aware of such a breach, the HITECH Act also requires the business associate to notify the Covered Entity of the breach.
 The interim final rule with requests for comments on the Breach Notification for Unsecured Protected Health Information, 74 Fed. Reg. 42740 (Aug. 24, 2009). ▼
Dollars & Sense: Details matter in securing a loan to expand your medical practice
By Lisa Wood, MBA Senior VP, Medical Industry Specialist, Iberia Bank
The practice of medicine is an increasingly complicated and competitive process in which success can be determined by an organization’s ability to adopt and maintain skill sets more commonly associated with the boardroom than the examination room.
This is especially true when a medical practice is interested in a business loan for a working capital line of credit; a loan to acquire equipment; to purchase a building or expand or remodel office space. There are many types of financial arrangements available and it is beneficial for borrowers and lenders to work together on the most appropriate choice.
In some cases a revolving line of credit is appropriate. This allows the borrower access to pre-approved funds as needed for seasonal or periodic expenses, which are then repaid in a prescribed manner. The term is usually one to two years, but can be renewed as needed based on mutual agreement.
Term loans, the most common method of borrowing, provide an amortized loan for a specific time and purpose. Repayment takes place with installments over the life of the loan – much like a car loan. Balloon loans apply similar terms for a short period of time – but require the balance to be paid off or new financing arranged at the end of the life of the loan.
Bridge or bullet loans offer short term financing in anticipation of a specific event – such as providing financing to start construction of a new house until a former residence is sold in the world of real estate.
The initial meeting with a prospective lender should allow ample time for discussion of the loan request and evaluation of financing options. It is best to schedule the initial meeting at a time when the office is closed to patient appointments and distractions can be avoided.
Your banker will want to understand your practice and how it operates as well as the purpose for the loan and how it will benefit your business. Depending on the scope of the loan arrangement, it may be appropriate for a business manager, industry consultant or financial expert participate in the discussion. Working with bankers who have knowledge and experience in the medical industry will be a benefit throughout the process and can make the process go much smoother.
The banker’s considerations in evaluating a loan request are usually simple: the purpose of the loan and how it will be repaid.
Having detailed information and an itemized schedule of anticipated expenses associated with the loan is important. Sales contracts, price quotes for equipment, written estimates from contractors and other expenses will help document the amount of the requested loan. Having an organized package ready to hand to the prospective lender during your meeting will both facilitate the process and demonstrate to the lender that you have given complete thought to your needs.
To demonstrate credit worthiness, be prepared to provide the most recent three years of business financial statements – including balance sheet and income statements – and year-to-date financials if more than three months into a new year. Personal guarantors will need to provide individual financial statements and three years of the most recent personal tax returns.
For a line of credit, be prepared to provide an accounts receivable summary report.
New business ventures or expansions will require detailed projections for the first three years of operations. For a line of credit, be prepared to provide an accounts receivable summary report.
Following the meeting between the prospective lender and borrower, the banker starts the underwriting process using the information and financial data provided. Bankers use a universal set of criteria referred to as the Five C’s of Credit.
These include character, involving credit reports, background checks on owners and personal guarantors and general reputation in the industry. Collateral is the value of assets that will serve as collateral to the loan, which can be based on appraisals or invoices and the borrowing base for an accounts receivable-based line of credit. ▼
Washington’s expanded Medicaid: not right for Texas
By Texas State Rep. Brandon Creighton, R-Conroe
In an effort to pave the way for the Affordable Care Act, President Obama’s administration is proposing a significant expansion of Medicaid. The program, as written, is bad for Texas and bad for Texans.
In March, the House Republican Caucus, which I chair, voted overwhelmingly to reject the federal health care law’s proposed expansion of Medicare. While the proposed program could generate significant healthcare dollars for the state initially, it would expand an inefficient and unfair program that would eventually overwhelm our Texas state budget, costing taxpayers more in the long run.
Rejecting Medicare expansion was not an easy decision. But faced with a short time frame and limited data about the reality of what such a program would do to our economy, the Texas Legislature was faced with one of the biggest decisions of our generation – and one that would impact generations to come.
The proposed program would add poor adults to the existing M e d i c a i d state-federal p r o g r a m. W i t h nearly 6.2 million residents or 24 percent of adult Texans having no health insurance, the goal of providing insurance coverage to those has merit. But the methodology is fiscally irresponsible for Texas.
While the federal government would provide funding for such a program initially, the proposed legislation would begin shifting a significant amount of financial responsibility back to the state after three years.
For some states with lower population and a lower percentage of uninsured residents, such a program may make sense. But a “one-size-fits-all” approach does not benefit Texas. Indeed, nearly half the states in the process of evaluating an expansion of Medicaid have serious reservations about the future implication of expanding a program already known to be a burden on taxpayers. Many are taking a “wait and see” attitude to examine how Texas deals with the Medicare expansion.
The problem is that once the state accepts an expansion of healthcare responsibility for low-income residents, it will continue to be responsible when the federal government begins to lower its level of financial support. Combine that with the fact that 70 percent of physicians have begun excluding new Medicare patients from their practice and it’s easy to see the doubts about the program are growing.
Dr. Kyle Janek, Texas Health & Human Services Commissioner, has pointed out that Medicaid is a jointly funded federalstate program that accounted for 18-19 percent of the state’s budget in 1990. The current existing Medicare accounts for nearly 27 percent of the state budget and is projected to increase to 33 percent in a few years.
An expanded Medicare program would take away money from transportation, education and law enforcement. Allocating a diminishing about of funding and maintaining – or expanding – services is increasingly challenging.
Texas has the twelfth largest economy in the world, but unfunded mandates by the federal government can weaken our state.
This is simply not acceptable, but there are viable alternatives.
The idea of expanding healthcare to low-income families has merits, it’s the universal approach proposed by the Obama administration with which the Texas Legislature has concerns. We would rather see the federal government work with the states individually to determine viable programs for increasing healthcare.
The state of Arkansas has recommended such a program and many in the Republican Caucus see benefits for a similar approach in Texas. There is precedent for the federal government in providing waivers to states based on unique characteristics. The state was given an 1115 waiver allowing Texas to set different rule regarding how hospitals are paid under Medicare. We want some similar flexibility with creating healthcare programs for low-income Texans.
Nearly 80 percent of low-income Texans have indicated an ability and a willingness to contribute to their healthcare. It’s equally important to realize that in the current economy, a significant number of people who could afford insurance have chosen to do without – especially young adults who are willing to gamble on the benefits of youth.
State Senate Finance Committee Chairman Tommy Williams, R-The Woodlands, has suggested a Texas-style Medicaid program that includes co-pays and deductibles, managed-care expansion and requirements that individuals enroll in available private or employer insurance plans.
Every state is different and should have the ability to develop a program that fits the particular needs of its citizens. The current Medicaid expansion proposals from the federal government are not the best solution for Texas.
A better solution is to allow state government flexibility in creating a viable program with the support and backing of the federal government – not financially irresponsible mandates to expand a system that is flawed, inefficient fiscally unsustainable.
That, like the proposed Medicare expansion proposal being pushed by the Obama administration, would be unfair. ▼
Emil J Freireich Cancer Center/Apollo Hospital plans November opening
By FAWN CREIGHTON, M.Ed., LPC, CEO, APOLLO HOSPITAL
A specialty hospital dedicated to treating cancer patients in North Houston with professional medical expertise, state-of-the-art technology and personalized service is finishing construction and preparing for its official opening this fall.
The Emil J Freireich Cancer Center/Apollo Hospital System is scheduled to open at 9201 Pinecroft in Shenandoah Nov. 15. Apollo will offer patients exceptional medical treatment and oncology-rated services in a relaxed, more convenient setting,” said hospital CEO Fawn Creighton. “Our goal is to make treatment more accessible and less stressful – without compromising quality of care.”
Patient services at the 30,000-squarefoot facility include chemotherapy, bioimmunotherapy, 24-hour infusion therapy and radiation therapy as well as imaging, laboratory and on-site pharmacy services.
The Emil J Freireich Cancer Center/ Apollo Hospital System boasts the latest in technology with the availability of a 128-Slice Computed Tomography (CT) scanner. The unit is capable of scanning the entire body in seconds, providing detailed 3D images of organs and structures inside the human body.
“This technology enables physicians to spot small tumors that would otherwise go undetected by CT-64 scanners and older technology. Apollo will be the only hospital in North Houston to have it available,” said Asit Choksi, founder and majority owner of Apollo.
The Emil J Freireich Cancer Center/Apollo Hospital System will offer a comprehensive Breast Center that will include: Tomosynthesis Mammography with a new State of the Art Hologic System Stereotactic and Ultrasound-Guided Biopsies 3Tesla Breast MRI Technology Medical and Radiation Oncology Consultations Bone Density Scans Genetic Testing On-site Breast Radiologists The Emil J Freireich Cancer Center/Apollo Hospital System is named for a pioneer in cancer research and a professor of medicine at the University of Texas MD Anderson Cancer Center.
“We are honored that Dr. Freireich is allowing his name to be associated with our cancer treatment and hospital facility,” said Choksi. “He’s a highly respected member of the medical community who has done much for cancer research.”
Metzger Construction Co. of Houston is performing $3.3 million in renovations to the building – set for a November opening, Creighton said – in which the Emil J Freireich Cancer Center/Apollo Hospital System will operate.
Upon completion, the Apollo Hospital will offer inpatient beds, a VIP suite, an emergency department, observation unit, two operating rooms and a procedure room.
“Apollo will consolidate quality medical treatment services in a more convenient ‘one-stop’ location in The Woodlands,” said Creighton. “We want to reduce the stress caused by driving all over Houston for doctor visits, treatments and filling of prescriptions.”
Boutique, specialty hospitals offer patients the benefit of more personalized treatment, added Creighton.
“Many hospitals offer excellent care, but you’re treated like a number throughout your treatment,” she said. “At Emil J Freireich Cancer Center/Apollo Hospital System, we’re committed to personal service as well as the best possible medical care available.” ▼
How to improve your medical practice’s cash flow forecasting and collections performance
By Reed Tinsley, CPA, CVA, CFP, CHBC
The ability to forecast cash flow and collections performance is vital to any medical practice. Yet many practices don’t realize they have valuable data at their disposal to improve these processes and increase revenue. Much as Dorothy in The Wizard of Oz realized that happiness lies in her own backyard, the key to success for
many practices is to understand how to target and mine their own data and use it to their best advantage. That is why new and dramatically effective collections and performance models are helping to lift the industry out of its “the way we’ve alwaysdone it” mindset.
Start with three essentials
At the highest level, forecasting and performance improvements require data about three essential elements of your practice’s billing landscape: 1) your historic Net Collection Ratios (NCRs), 2) the lag time between billing and payment, and 3) the percentage of collections that are insurance vs. private pay. Yet these “buckets” of information are just the beginning to effective collections forecasting and performance. Within each
of these three essentials, you should also go from macro-view to a more detailed picture by extracting information about:
• Facility mix—e.g., hospitals vs. imaging centers
• Payer mix
• Place of service mix—inpatient,outpatient, ER
• Demographic zip code analysis
Once you have this data extracted to determine your practice’s unique profile, you can then apply the information to help you to better project cash flows and budget estimates based on growth and collection trends. The information can also go a long way to help you build more effective marketing strategies. Let’s take a look at two ways you can “slice and dice” your data and the applications that are delivering value to successful medical practices today.
View #1: Payment differential by zip code Examining your NCRs, your lag times and your insurance/private pay ratios by zip code can reveal much about your practice and impact your strategies to enhance collections performance. For example, you may find particular insurance carriers are more prevalent in one zip code than another—carriers that historically have performed better for you than others. Or you may find a carrier behaves differently in a certain zip code because the employers in that area have better contracts with it. Or maybe a certain zip code houses a major
retirement community whose residents are more likely to need your services and more likely to be Medicare patients. The results of your zip code data analysis might look like this:
• ER Self-Pay Patient in Zip Code XXXX1 – NCR = 6.5%
• ER Self-Pay Patient in Zip Code XXXX2 – NCR = 10.4%
• ER Self-Pay Patient in Zip Code XXXX3 – NCR = 26.1%
• BCBS Inpatient - Patient Portion – in Zip Code XXXX1 – NCR = 23.7%
• BCBS Inpatient - Patient Portion – in Zip Code XXXX2 – NCR = 31.2%
• BCBS Inpatient - Patient Portion – in Zip Code XXXX3 – NCR = 45.9%
A zip code footprint analysis can make all the difference in how you forecast and how you build strategies and methods to improve collections performance in every area of your practice—and that includes your marketing efforts. For example, where do you put your next billboard for the optimum effect? Where do you build a new imaging center? What local businesses do you market your services to? How do you draw more patients from the zip codes that historically have performed better for you?
View #2: Place of service mix Your place of service mix is also an important area to examine for improving your forecasting and collections processes. For example, if you find a high percentage of your business is in the ER, then you can utilize your data to work with hospitals in educating ER physicians on what types of tests are appropriate to order and for what reason. Denials by CPT code and referring physician is a particularly useful analysis in communicating possible problem “areas.” This can go a long way to decrease your denial rates and ensure your payment rates
for ER services are as high as the inpatient and outpatient areas of your practice. The same thought processes would apply toinpatient work and office work.
Knowing what all of your practice mixes are, and how they are changing is critical in reconciling performance variations from period to period to identify areas of strength and of course, areas that need improvement.Your profile is constantly changing Through the ongoing use of data mining approaches like those described here, your practice can gain a better understanding of specific payers and specific markets— and how those payers and markets keep changing. For example, payer and patient lag times and NCRs evolve over time with new technology and changes in
economic conditions. As insurance and patient responsibility ratios shift, your own forecasting models will need to evolve, as well.
The industry will continue to change, but one thing will remain constant: Data will always be of the utmost importance. By leveraging the latest data mining andanalysis capabilities, your practice can stayahead of the curve.