Articles

OIG’s Special Fraud Alert: Laboratory Payments to Referring Physicians

The Department of Health and Human Services, Office of Inspector General issued a Special Fraud Alert on June 25, 2014 addressing compensation paid by laboratories to referring physicians and physician group practices (collectively, physicians) under the Anti-Kickback Statute (AKS) for specimen processing and registry arrangements. The Alert calls attention to the OIG’s concerns about remuneration to physicians in excess of fair market value from laboratories or the value of referrals for Federal health care program business to laboratories. Concerns raised by arrangements that violate the AKS, cited by the OIG, include:

  1. Corruption of medical judgment

  2. Overutilization

  3. Increased costs to the Federal health care programs and beneficiaries

  4. Unfair competition

The OIG notes that “because the anti-kickback statute ascribes criminal liability to parties on both sides of an impermissible “kickback” arrangement, physicians who enter into Specimen Processing or Registry Arrangements with laboratories may also be at risk under the statute.” Limiting these arrangements to non-Federal health care programs does not protect either party from the AKS.

The following are descriptions of these types of arrangements and characteristics, as noted by the OIG, which may point towards a potential unlawful arrangement.

Specimen Processing Arrangements

When physicians collect specimens in their office, rather than a clinical laboratory draw station, the specimen needs to be maintained under specified conditions to remain viable for transport to the clinical laboratory. This typically includes maintaining the specimen at a specified temperature and collection in a specific type of vacuum tube or container. Medicare allows for the physician to bill Medicare for a venipuncture blood specimen collection (CPT Code 36415) when:

  1. “It is the accepted and prevailing practice among physicians in the locality to make separate charges for the drawing or collection of a specimen and

  2. It is the customary practice of the physician performing such services to bill separate charges for the drawing or collection of the specimen.”

Costs associated with specimen processing (including centrifuging, separating serum, labeling, completing forms, supplying necessary insurance information and other documentation) and packaging for transport to a clinical laboratory are captured through CPT code 99000 (handling and/or conveyance of specimen for transfer from the office to a laboratory). Physicians are not directly reimbursed for CPT code 99000 as it is listed as a “Bundled Code” in the Medicare Physician Fee Schedule, but may report this CPT code, allowing CMS to take into account the costs associated with the services in calculating the practice expense component of a procedure’s relative value unit. Characteristics of a potentially problematic Specimen Processing Arrangement pointed out by the OIG include, but are not limited to:

  1. “Payment exceeds fair market value for services actually rendered by the party receiving the payment.

  2. Payment is for services for which payment is also made by a third party, such as Medicare.

  3. Payment is made directly to the ordering physician rather than to the ordering physician’s group practice, which may bear the cost of collecting and processing the specimen.

  4. Payment is made on a per-specimen basis for more than one specimen collected during a single patient encounter or on a per-test, per-patient, or other basis that takes into account the volume or value of referrals.

  5. Payment is offered on the condition that the physician order either a specified volume or type of tests or test panel, especially if the panel includes duplicative tests (e.g., two or more tests performed using different methodologies that are intended to provide the same clinical information), or tests that otherwise are not reasonable and necessary or reimbursable.

  6. Payment is made to the physician or the physician’s group practice, despite the fact that the specimen processing is actually being performed by a phlebotomist placed in the physician’s office by the laboratory or a third party.”

Registry Arrangements

In efforts to “advance clinical research to promote treatment”, “provide physicians with valuable clinical knowledge for patients with similar disease profiles” or “provide other benefits to physicians or the health care industry generally”, some clinical laboratories have engaged in “Registry Arrangements”. These typically involve payments to physicians for specified duties such as submitting patient data to be incorporated into the Registry, answering patient questions about the Registry, and reviewing Registry reports, and they may induce physicians to order duplicative tests for comparative data. The OIG acknowledges that physician compensation from a laboratory related to data collection and reporting may be reasonable under limited circumstances. Characteristics of a potentially problematic Registry Arrangement pointed out by the OIG include, but are not limited to:

  1. “The laboratory requires, encourages, or recommends that physicians who enter into Registry Arrangements perform the tests with a stated frequency (e.g., four times per year) to be eligible to receive, or to not receive a reduction in, compensation.

  2. The laboratory collects comparative data for the Registry from, and bills for, multiple tests that may be duplicative (e.g., two or more tests performed using different methodologies that are intended to provide the same clinical information) or that otherwise are not reasonable and necessary.

  3. Compensation paid to physicians pursuant to Registry Arrangements is on a per-patient or other basis that takes into account the value or volume of referrals.

  4. Compensation paid to physicians pursuant to Registry Arrangements is not fair market value for the physicians’ efforts in collecting and reporting patient data.

  5. Compensation paid to physicians pursuant to Registry Arrangements is not supported by documentation, submitted by the physicians in a timely manner, memorializing the physicians’ efforts.

  6. The laboratory offers Registry Arrangements only for tests (or disease states associated with tests) for which it has obtained patents or that it exclusively performs.

  7. When a test is performed by multiple laboratories, the laboratory collects data only from the tests it performs.

  8. The tests associated with the Registry Arrangement are presented on the offering laboratory’s requisition in a manner that makes it more difficult for the ordering physician to make an independent medical necessity decision with regard to each test for which the laboratory will bill (e.g., disease-related panels).”

When entering into Specimen Collection or Registry Arrangements, take these characteristics into consideration. Arrangements involving payments to physicians in excess of the fair market value of the physicians’ services or that reflect the volume or value of referrals of Federal health care program business should raise red flags. Trusent Solutions has the expertise to analyze these types of arrangements. For more information on the services offered by Trusent Solutions, contact us at 717.399.1562.


THE REAL RI$K$ OF DATA BREACHE$
and a few ways to prevent them

by Katherine B. Kravitz, J.D.
Trusent Solutions, LLC

We are now a decade into the HIPAA experience. Today, hundreds of pages of security and privacy regulations provide a compliance framework. The experience of the last decade, indeed, the experience of the last year, tells us that there is a method to what may appear as bureaucratic madness; that the age of technology we are now wading through creates challenges to security and privacy well beyond the occasional misdirected fax. If you believe that the public trust is among the most valuable assets of any healthcare provider, that it is an essential core building block for any successful healthcare business, then you should believe this truth: we need HIPAA.

According to one recent study, healthcare entities accounted for the largest percentage of data breaches across all industries last year. Additionally, according to the Ponemon Institute’s Second Annual Benchmark Study on Patient Privacy and Data Security, the incidence of data breaches in the health care setting increased by a whopping 32% over the prior year. The Ponemon study estimated the economic impact of a data breach to be $2.2 million per entity. On average, the surveyed entities paid nearly $250,000 in legal fees alone in 2011 to resolve data breaches and other privacy violations. 2011 was also a year when DHHS levied fines of $1 Million, $4.3 Million and $1.7 Million upon Covered Entities for HIPAA violations. The message is loud and clear: pay attention to HIPAA, or be prepared to pay. With the pilot program of HIPAA audits authorized under the health care reform law set to conclude in December, now is the time for covered entities to revisit, revise and reenergize HIPAA compliance efforts if they have not already done so. Some areas to focus on are highlighted below.

Pay attention to the protection of mobile devices. A recent report found that 81% of physicians are using smartphones, up more than 10% over the prior year. DHHS Secretary Kathleen Sebelius recently noted that a large number of HIPAA violations related to unencrypted devices being lost or stolen. Yet, nearly half of the providers in the Ponemon study did nothing to protect their mobile devices. Not surprisingly, the study showed that nearly half of all breaches did indeed involve lost or stolen computing devices. One solution, encryption, solves a number of potential problems.

Pay attention to employees. The Ponemon study found a slight decrease in the incidence of intentional unauthorized employee access, which was felt to be the result of employee training. However, intentional insider/employee access, both malicious and nonmalicious, still accounted for 1/4 of all data breaches. It is apparent that Privacy and Security must constantly and repeatedly be emphasized and reinforced with employees through education, training and awareness campaigns.

Revisit and review your HIPAA policies. Are they user friendly? Are they understandable? Are they followed? Are they common knowledge among your workforce? Are they accessible to the workforce? Policies that are too technical to be understood are less likely to be followed. If your facility or practice undergoes a HIPAA audit, members of your workforce will likely be questioned about policies, and should have more than a superficial understanding of what they say.

Reinforce HIPAA principles through ramped up education. Has your institution or practice gotten complacent about educating the workforce about HIPAA? Does your staff take it seriously? Are compliance essentials reinforced on a regular basis? Now is a good time to work on coming up with creative new ways to drive the HIPAA message home.

Are your security systems and access controls up to date and consistent with what is being utilized by similarly situated covered entities? Given the high incidence of improper access by employees, scrutiny of access controls should be ongoing.

Data breaches affect many industries. However, consumers have a much higher expectation of privacy in their medical data. As health care providers pour millions and millions of dollars into new health information technologies, it is essential that they remember to give proper attention and resources to protecting that most valuable asset: the public trust in the information they will create, share and maintain with that technology.

 
