Small, Rural Hospital

Big News for Small and Rural Hospitals – CMS Notice Outlines Requirements to Obtain Increased Medicare

Reimbursement for FY 2013

The Department of Health and Human Services, Centers for Medicare and Medicaid Services  issued a notice on March 7, 2013 regarding its implementation of two provisions of the American Taxpayer Relief Act of 2012 (“ATRA”) that may significantly affect the reimbursement of smaller and rural hospitals for fiscal year 2013. (78 FR 14689) Specifically, this notice addresses actions that facilities qualifying for the low-volume hospitals payment adjustment or the Medicare Dependent Small Rural Hospital Program may have to take to receive increased reimbursement for FY 2013.

The Affordable Care Act provided for increased reimbursement of smaller and rural facilities under these two programs for FY 2011 and 2012.  With the end of FY 2012 on September 30, 2012, the increased reimbursement to these facilities expired.  However, with the enactment of ATRA on January 2, 2013 Congress retroactively funded a one year extension of these programs beginning October 1, 2012.

Low Volume Hospital Payment Adjustment

The low volume hospital payment adjustment may be very significant for smaller providers.  Under this program, a facility may receive a percentage increase of reimbursement based on a sliding scale  ranging from 25% for hospitals with fewer than 200 discharges to zero percent for facilities with greater than 1600 annual discharges.

To qualify for the Low Volume Hospital Payment  Adjustment program, a facility must have fewer than 1,600 discharges of individuals  entitled to or enrolled in benefits under Medicare Part A during the fiscal year, and be located more than 15 miles from another subsection (d) hospital.   A hospital that qualified for the low volume hospital status in FY 2012 may continue to receive the adjusted payment on FY 2013 without reapplying to the program, if it continues to meet the criterion based on the March 2012 update to the FY 2011 MedPAR data.  However, the hospital must verify in writing to its fiscal intermediary or MAC no later than March 22, 2013, that it continues to be more than 15 miles from any other subsection (d) hospital. Furthermore, hospitals that wish to participate in this program must also apply by March 22, 2013.

Medicare Dependent, Small Rural Hospital Program

ATRA also provides a one year extension to the Medicare Dependent Small Rural Hospital program (MDH).  As with the low volume hospital payment adjustment, this program was also set to expire at the end of FY 2012.  Hospitals that previously qualified for MDH status will be automatically reinstated as an MDH retroactively to October 1, 2012. However, since this program was set to expire on September 30, 2012 many facilities elected to apply for alternative programs. If a facility applied for the sole community program by August 31, 2012 and was approved, it will receive a SCH designation effective October 1, 2012, and will not receive an MDH designation unless the facility reapplies for this program. Additionally, if a facility missed the August 31, 2012 and subsequently applied for the SCH status with an effective date after October 1, 2012, the facility must  reapply for their MDH status, and such status will be effective 30 days from the date of approval.

Some facilities also requested to cancel their rural classification after the expiration of the MDH program.  For these facilities to re-qualify for the MDH program, they will be required to again request a rural designation and reapply for the MDH program. Therefore, any provider that that was reclassified as a SCH or canceled its rural designation status effective October 1, 2012 will not have its MDH status retroactively reinstated to October 1, 2012.

If you have any question regarding these Medicare programs or any other healthcare care regulation, please contact Clark Hill’s Health Care Practice Group at the information located on this page.

HIPAA Regulations - Healthcare Industry

Final HIPAA Regulations Issued: Provisions Regarding Business Associates, Penalties, Breach Notification Amended

On January 17, the Office of Civil Rights posted its omnibus Final Breach Notification Rule (the “Final Rule”), which modified many provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Final Rule, set to be published in the Federal Register on January 25, sets forth new responsibilities for business associates and subcontractors, amends the Breach Notification Rule, adds to the notifications required to be included in the Notice of Privacy Practices, and adopts the tiered penalty provisions of the Interim Final Rule (released on August 24, 2009), among many other provisions.

The Final Rule is effective March 26, 2013 with compliance required by covered entities and business associates by September 23, 2013, unless otherwise provided in the Final Rule.

This blog entry summarizes some pertinent provisions of the Final Rule.

Liability of Business Associates and Subcontractors

Under the Final Rule, subcontractors and business associates may be directly liable for certain Privacy and Security Rule violations.  A “business associate” is a third party that a covered entity may engage to assist it in performing its covered services.  To be considered a business associate, the third party must create, receive, maintain or transmit Protected Health Information (“PHI”).  A “subcontractor” is a person to whom a business associate delegates a function, activity or service, other than in the capacity of a member of the workforce of such business associate, and also creates, receives, maintains or transmits PHI.  Consistent with the previous rule, covered entities must have written business associate agreements with their business associates.  Pursuant to the Final Rule, the definition of “business associate” has been extended to include subcontractors. Therefore, the requirements of business associates has extended to subcontractors.  Business associates must ensure that they have agreements with all subcontractors that comply with the new regulations.

Compliance Date for Revised Business Associate Agreements

The compliance date for revising business associate agreements (“BAAs”) to comply with the Final Rule is September 23, 2013.  However, an opportunity to grandfather in existing BAAs exists if the BAA complied with the HIPAA regulations and is not set to be renewed between January 25 and September 23 of this year.  If a BAA renews after September 23, 2013, the BAA must comply by the earlier of (a) the date of the BAA’s renewal, or (b) September 22, 2014.  Those BAAs renewing between January 25 and September 23, 2013 must be revised to comply with the Final Rule by September 23.

Notice of Privacy Practices

The Final Rule requires certain amendments to Notices of Privacy Practices (the “Notice”) and requires certain statements regarding uses and disclosures that require authorization.  For instance, one of the changes requires a statement indicating that most uses and disclosures of psychotherapy notes (where appropriate), uses and disclosures of PHI for marketing purposes, and disclosure that constitute a sale of PHI require authorization.

Individual’s Access to His/Her Own PHI

Upon an individual’s request to obtain an electronic copy of his/her own PHI, the covered entity must furnish the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or in a format as agreed to by the covered entity and the individual.

Breach Notification

The most significant changes in the Final Rule fall appear in the revisions to the Breach Notification Rule.  Most considerable is the revision within the Breach Notification Rule was to the definition of “breach”.  Whereas, prior to the Final Rule, a use or disclosure of PHI was presumed to be a breach if it posed a significant risk of financial, reputation or other harm to the individual, a use or disclosure of PHI is now presumed unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised.  In other words, the Final Rule demonstrates a shift from the subjective risk-of-harm standard to the objective low-probability-of-compromise standard.  The Final Rule sets forth a number of factors that must be considered in determining when performing a risk assessment and determining the probability that PHI has been compromised:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification of the information;
  • The unauthorized person who impermissibly used the PHI or to whom the disclosure was made;
    Whether the PHI was actually acquired or viewed or, alternatively, if only the opportunity existed for the information to be acquired or viewed; and
  • The Final Rule has also made a number of revisions to the notification obligations which arise upon discovery of the breach.

Tiered Penalties

The Final Rule adopted the tiered and increased civil monetary penalty structure to conform with HITECH.  The new penalty provisions are summarized in the following table:

While the foregoing is merely a summary of some of the major changes and provisions of the Final Rule, it is a reminder to all healthcare industry stakeholders that the healthcare regulatory environment continues to be dynamic and attention must be paid to new developments.  Since its release and during the next six months in which the industry has to comply with the Final Rule, Clark Hill’s healthcare attorneys have been, and will be, at the forefront of any new developments and will be available to assist new and existing clients with ensuring compliance with the new requirements.