• Expands Round Two of competitive bidding by an additional 21 Metropolitan Statistical Areas.
• Competitive bidding pricing must be implemented in every Metropolitan Statistical Area by 2016.
• Eliminates the two percent increase for Round One competitive bidding items in 2014.
• Eliminates the first-month purchase option for standard power wheelchairs.
• Requires a mandatory compliance program for all providers including HME providers.
• Imposes a 2.3% excise tax on medical device manufactures ($20 billion over 10 years).
• Requires a face-to-face exam for all HME and home health items and services.
• Establishes a yet to be defined “productivity adjustment” that would lower future CPI-Urban updates to the DMEPOS fee schedule.  This provision is not applicable to competitive bidding sites and is applicable to all providers, not just DME.

This topic hits close to home for Ty and I as we are in Indiana.

Indiana Shocker: Bayh Not Seeking Re-Election

Bayh, a popular former governor and a son of former Sen. Birch Bayh (D-Ind.), was easily elected to the Senate in 1998 and overwhelmingly re-elected in 2004. But Republicans were gearing up to seriously challenge him this year. Former Sen. Dan Coats recently announced his candidacy and several lesser-known Republicans have been challenging Bayh for months.

Nonetheless, Bayh insisted that his decision was not influenced by political reasons. “My decision was not motivated by political concern,” Bayh said. “Even in the current challenging environment, I am confident in my prospects for re-election. Running for the sake of winning an election, just to remain in public office, is not good enough.” A Democratic aide said that Bayh had completed his candidacy paperwork, was polling well ahead of Coats and had $13 million in his campaign account.

Bayh’s decision puts Democrats in a bind because it comes just one day before Senate candidates must submit voter signatures to county election offices and four days before they must file for ballot access with state election officials in Indianapolis. To qualify for the May 4 primary ballot, a Senate candidate must collect 4,500 signatures of registered voters, including at least 500 in each of the state’s nine congressional districts.

Democratic officials in Indianapolis could choose a replacement candidate for Bayh if no Democrat can meet the deadline, as seems likely. Indiana election law provides that “a candidate vacancy for United States Senator or a state office shall be filled by the state committee of the political party.”

Potential candidates for the nomination include Reps. Brad Ellsworth, who represents the southwestern 8th district, and Baron P. Hill, who represents the southeastern 9th district and lost a 1990 Senate race to Coats. Hill spokeswoman Katie Moreau said that Hill is on a military trip overseas and unavailable for comment.

CQ Politics presently rates the Indiana Senate race as Leans Democratic, though that rating will be changed now that Bayh is not running.

Breach Prevention is Critical as HIPAA Compliance Worlds Collide

Privacy and security officers have to comply with more rules than ever. The Federal Trade Commission’s Red Flags rule, existing HIPAA laws, and the new Health Information Technology for Economic and Clinical Health (HITECH) Act require that covered entities:

• Protect patient information with technical, administrative, and physical safeguards (HIPAA)
• Lessen the negative effect of unauthorized disclosure (HIPAA)
• Notify patients within 60 days of breaches that involve unsecure personal health information (PHI) and pose a significant risk of financial, reputational, or other harm (HITECH; enforcement effective February 17)
• Inform HHS of breaches (HITECH; enforcement effective February 17)
• Establish an identity theft prevention program with policies and procedures to detect, prevent, and mitigate identity theft (Red Flags Rule; enforcement effective June 1)

How should your facility handle these added regulations? Implement a three-step process to protect all patient information that includes plans for what to do before, during, and after a security incident, says Andrew E. Blustein, Esq., partner and cochair of Garfunkel Wild & Travis, PC’s Health Information and Technology Group, in Great Neck, NY, Hackensack, NJ, and Stamford, CT.

“A medical record is chock-full of information that an identity thief can use to its advantage,” says Blustein. “It’s basically a treasure chest of credit card numbers, Social Security card numbers, and everything else someone needs to steal an identity.”

Before the breach

Mitigate harm resulting from identity theft by preventing breaches from occurring, says David A. Mebane, Esq., senior vice president for legal affairs at Saint Barnabas Health Care System in West Orange, NJ.

“You want to create the right amount of technical safeguards so your patients are protected,” says Mebane.

Safeguards include:

• Encrypting laptop computers and other portable devices
• Prohibiting the installation of unsecured software
• Creating system firewalls
• Establishing remote access roles specific to applications and business requirements
• Destroying unnecessary patient information
• Using and updating antivirus software

HHS also provides specific guidance for securing portable devices.

Establish policies and educate employees and vendors about their responsibility to protect information and report incidents, says Mebane.

“You’ll also want to perform regular audits so you have a way of detecting breaches,” says Mebane. “Once the information has been stolen and is in the wrong hands, a lot of the damage will already have been done.”

Create an incident response program, advises Blustein. Form teams and designate leaders responsible for responding to and investigating any breaches. Ensure that your policies specify:

• The type of information that must be reported
• The entities to whom information must be reported
• The deadline for reporting information
• Penalties for individuals responsible for the breach

Responding to the breach

“Installing a program to prevent loss of PHI is like putting an alarm on your house,” says Blustein. “It’s a good start and it will prevent some thieves, but it doesn’t mean you’ll never have a problem.”

If you discover a breach, alert your attorneys and consider retaining outside counsel. This serves two purposes. It provides an unbiased look at the event and helps protect your organization.

Activate the response teams you previously established, says Blustein. They should be prepared to investigate all aspects of the breach, including:

• How the theft occurred
• Who took the information
• Whether employees were at fault
• The amount of information taken
• The number and identity of affected patients
• The type of information stolen

Soon after making these determinations, decide whom you must notify and how you must do this. You’ll need to consider state law, HIPAA, and the HITECH Act, says Blustein. You also must ask yourself what the right thing to do is, he says.

“You need someone in your organization who can make these decisions quickly to avoid the bottleneck problem,” says Blustein. “The concern is that often things pile up and it takes too long to get approval and the notification letter ends up sitting on an administrator’s desk.”

Also consider offering affected individuals free credit monitoring for a specified time to help reduce the effect of the identity theft.

“You want to do everything you can to protect yourself and your patients,” says Blustein. “By monitoring credit and notifying the right people, you might be able to cut off the use of their personal information before any damage is done.”

Learning your lessons

The nature of the breach will help determine whether you want to amend your existing policies to be better prepared, educate staff members with respect to prevention, or implement more safeguards, says Blustein. Shore up any documentation pertaining to the incident in case there is an investigation, he says.

Even if you don’t experience a security incident, monitor businesses and healthcare organizations in your area that may have been affected, advises Mebane.

“You can’t just roll out policies and be done with it,” says Blustein. “The challenges are always changing, and you need to be able to keep up with them.”

Ensuring uniformity throughout your organization is important. “An organization should strive to ensure that your clinic down the street should have the same policies and protection as the computer in your main lobby,” says Blustein.

http://frwebgate1.access.gpo.gov/cgi-bin/PDFgate.cgi?WAISdocID=25988156994+0+2+0&WAISaction=retrieve