CMS Updates Medicare Conditions for Coverage for ASCs

The long-awaited Final Rule updating Medicare Conditions for Coverage (CfCs) for Ambulatory Surgery Centers (ASCs) has finally been published by the Centers for Medicare and Medicaid Services (CMS). The Final Rule represents the first major non-payment related update to the ASC CfCs since they were originally published in 1982. The requirements of the Final Rule are effective for ASCs as of May 18, 2009.

The Final Rule generally focuses on patient rights and patient outcomes.  Among other things, it:

  • Bolsters patient rights to disclosure of physician financial interest in the ASC
  • Refines the obligations to assess patient pre-operative condition and post-operative condition
  • Requires certain ASC governing body actions regarding quality assessment and performance improvement
  • Imposes certain infection control requirements
  • Requires preparation of a disaster preparedness plan coordinated with state and local authorities

In the Final Rule, CMS ended up backing away from some of the more controversial changes that it had placed in its Proposed Rule.  Among the proposals that drew the most criticism from the ASC community and that CMS either removed or modified in the Final Rule were the following:

  • CMS backed away from its proposal to require the surgeon to conduct a “thorough assessment” of all bodily systems on each patient prior to discharge. The Final Rule requires that a physician or other qualified practitioner, which includes a registered nurse with post-operative care experience, assess the patient in a manner appropriate to the procedure performed and the patient’s individual condition.
  • CMS backed away from its proposed “safe transition to home” language, which seemed to burden the ASC with responsibility for ensuring each patient not only have adequate transportation home but actually make it home safely.  The Final Rule generally requires that patients be discharged in the company of a responsible adult. 
  • CMS backed away from its proposal to require ASCs providing radiological services to meet the more burdensome coverage conditions applicable to suppliers of portable x-ray services.  The Final Rule requires that the less burdensome hospital conditions for radiology be met.
  • CMS backed away from its proposal to redefine ASCs to exclude facilities that keep patients past 11:59 p.m.  Instead, the Final Rule excludes facilities where the expected duration of services exceeds 24 hours.   

© 2009 Parsonage Vandenack Williams LLC

  For more information, contact

Congress Mandates Mental Health Parity in Insurance Coverage

Amidst the throes of the financial bailout, Congress has approved legislation requiring insurers and employers to cover mental illness, including alcohol and drug addiction, at levels on par with physical illness. 

For example, the bill requires parity in deductibles, co-pays, and out-of-pocket expenses, and it will eliminate limits insurers commonly impose for mental illness, such as 30 visits or 30 days in hospital, in the absence of similar limits for medical and surgical coverage.

The new law does not force employers or health plans to cover mental illness or alcohol or drug abuse.  And it does not apply to employers with fewer than 50 employees.  Many states already have some form of parity law, but self-insured employers have not been reached by state parity laws. 

The Paul Wellstone and Pete Domenici Mental Health Parity and Addiction Equity Act of 2008 was saved from death upon Congressional adjournment when it ended up getting tacked onto the bailout bill in the Senate, which then passed in the House.



© 2008 Parsonage Vandenack Williams LLC




Health Care Providers’ Deadline to Implement “Red Flag Rules” Identity Theft Programs Is November 1, 2008

Health care providers have until November 1, 2008, to implement programs to address the issue of identity theft, a growing problem that can have particularly disastrous results in the medical context.  This requirement is imposed by amendments — known as the “Red Flag Rules” — to the federal Fair and Accurate Credit Transactions Act.

In short, a Red Flag Rules program must be designed to identify, detect, and respond to “red flags,” namely those patterns, practices, or specific activities that could indicate identity theft.

Many health care providers are not aware of the Red Flag Rules because the implementing regulations were jointly promulgated by the Federal Trade Commission (FTC) and various federal banking regulators rather than CMS or other agencies providers are likely to monitor. 

The Red Flag Rules apply to “creditors” that have “covered accounts.”  Although the definitions of these terms are complex, and are not crystal clear, the definitions themselves and FTC guidance indicate that health care providers would fall within the relevant definitions and therefore be subject to enforcement by the FTC under the Fair Credit Reporting Act.

The five basic required elements of a Red Flag Rules program are as follows:

1.)  Identify red flags (for example, by considering billing practices and any history of suspicious patient information activity)

2.)  Detect red flags (for example, by having authentication processes to verify patient identity, changes of address, etc.)

3.)  Respond to red flags (for example, by seeking verification or monitoring patient accounts when suspicious activity occurs, and involving law enforcement when warranted)

4.)  Update the program (for example, by responding to changes in methods of identity theft, incorporating new developments in identity theft prevention, and responding to alerts from law enforcement) 

5.)  Approval and Oversight (the program must have the initial approval of the entity’s board of directors or similar governing body, it must be overseen by an employee of at least senior management level status, it must include staff training, and it must include oversight of service provider arrangements)

The Red Flag Rules afford entities flexibility in designing programs appropriate to their size and complexity and the nature and scope of their operations.



© 2008 Parsonage Vandenack Williams LLC



What Is the Shelf Life of a Patient’s Disclosure Authorization in Nebraska?

Under HIPAA, a patient’s written authorization for a health care provider to disclose the patient’s protected health information to a third party must, by its terms, expire either upon a) the occurrence of a specified event or b) a date certain. HIPAA puts no limit on how long these time periods can be.

Therefore, when creating a HIPAA-compliant authorization form, a provider can select as long a time period as desired.  However, under Nebraska law, an authorization to release a patient’s medical records must expire no more than 180 days after the patient signs it.  This particular Nebraska statute is not preempted by HIPAA.

Although some Nebraska providers use authorization forms that limit the period for all disclosures to 180 days from execution, Nebraska law only limits authorizations to disclose medical records to 180 days. Therefore, a single authorization form can be drafted in such a way as to provide that it will expire in 180 days only for purposes of authorizing medical records releases, but have a much longer shelf life for purposes of disclosures other than releases of medical records.

The main reason many providers (wisely) require all patients to sign a disclosure authorization is to cover the frequent and ongoing verbal discussions they have with others who accompany patients to their appointments and/or assist them with paying their bills (such as the adult children of elderly patients or the parents of college students).  Rather than having patients re-execute authorizations every 180 days to cover these types of discussions, providers may wish to consider using an authorization form with a 180 day expiration that is limited to the authorization to release medical records.  Then, after 180 days, the provider can have the patient execute a new authorization if medical records need to be released.  Otherwise, the authorization will remain good for the type of day-to-day disclosures it is mainly intended to cover.


© 2008 Parsonage Vandenack Williams LLC



Group Practice DHS Revenue Allocation under the Stark Law

The latest phase of the Stark Law, known as Stark III, does not alter the basic premise that a group practice can pay a physician a share of overall profits or a productivity bonus provided that such share or bonus is not based on the volume or value of Designated Health Services (DHS) referrals by the physician.


Under Stark III, allocation of DHS revenue is deemed not to be based on the volume or value of DHS referrals, i.e. is permissible, only on certain limited bases, including per capita (i.e., in equal shares), or in accordance with production if DHS revenues are less than 5% of the group’s total revenue and less than 5% of each physician’s total compensation.   Special rules apply for productivity bonuses.


It is also vital to note that Stark III retains the requirement that allocation be done according to a methodology set down in advance.  Compensation methodology can always be changed prospectively, but not retroactively under Stark.


© 2008 Parsonage Vandenack Williams LLC


HIPAA Beyond the Office: Laptops, PDAs, and Home Computers

For all the complexity of HIPAA, the greatest provider liability often arises from easily correctable security lapses, such as the failure to password protect a physician’s BlackBerry.  The failure of physicians to password protect PDAs used to store or transmit patient information is a glaring HIPAA violation, but, lamentably, one that still frequently occurs.

HIPAA Security Rule requirements for protected health information in electronic format apply not just with regard to computers in the office, but also personal laptops, home-based personal computers, PDAs and smart phones.     

Remote access and use of ePHI should be strictly limited to legitimate business or medical purposes, and procedures should be put in place to mitigate identified risks.  For example, to mitigate the risk of unauthorized access via portable devices, which are highly susceptible to theft due to their size, two-factor authentication is an advisable condition of access.  To mitigate the risk of unauthorized viewing of what appears on the screen of a physician’s home desktop computer, which is susceptible to being viewed by other residents or visitors to the physician’s home, a session time-out should be set.


© 2008 Parsonage Vandenack Williams LLC

