Blog Rss Feed

Tuomey Violates Stark Law and False Claims Act through Physician Employment Agreements

Mon, 13 May 2013 20:49:58 GMT

After a retrial, a federal jury found South Carolina-based 242-bed Tuomey Healthcare System (Tuomey) guilty last week of violating the Stark Law and the False Claims Act. In addition to the jury’s $39.3 million judgment against the hospital, Tuomey faces up to $357 million in potential fines from over 20,000 violations of the False Claims Act, which allows the government to claim treble damages.

The case was initiated by a whistleblower physician, who brought a qui tam action in 2005. The whistleblower believed that Tuomey had violated the Stark Law and False Claims Act by using referral fees to create incentives for physicians to steer business to the hospital. Under the part-time employment agreements, each physician received a significant benefits package, was paid a base salary, and was eligible for two potential bonuses, one based on productivity and the other on qualitative measures. According to the government, the physicians received total compensation that exceeded fair market value for the physician’s services. The government argued that the compensation paid in excess of fair market value was evidence that the agreements took into account the volume or value of the physicians' referrals to the hospital, in violation of the Stark Law and False Claims Act.

In 2010, a jury found that the hospital had violated the Stark Law, but not the False Claims Act. The trial judge in that case had imposed a $45 million penalty, but there was a dispute on how the judge interpreted the jury’s split findings, resulting in the 4th Circuit Court of Appeals invalidating the ruling and ordering the retrial.

Previously, Stark Law cases were rarely litigated due to the complexity of the cases. Now that the government was victorious in a Stark Law case, it may now have more incentive to litigate Stark cases and be less willing to settle such cases in the future. Providers should check existing agreements with referring physicians to ensure that such agreements are fair market value and commercially reasonable.

HHS OIG Releases Updated Special Advisory Bulletin on Exclusions from Participation in Federal Health Care Programs

Wed, 08 May 2013 21:09:13 GMT

Fourteen years after the original bulletin, the Department of Health and Human Services Office of Inspector General (OIG) released an updated Special Advisory Bulletin on the Effect of Exclusion from Participation in Federal Health Care Programs.

The Bulletin details the consequences of exclusion from federal health care programs and provides guidance for employers. Since the release of the 1999 bulletin, the OIG has received several questions about exclusions, many of which they address in the 2013 update.

The updated Bulletin:

(1). Confirms guidance from the 1999 bulletin on the scope and effect of an OIG exclusion;

(2). Provides additional guidance on the scope of the payment prohibition and potential Civil Monetary Penalty liability;

(3). Provides guidance on best practices for screening against the List of Excluded Individuals and Entities to ensure that providers do not employ or contract with an excluded individual; and

(4). Directs providers to use OIG’s Self-Disclosure Protocol to self-disclose the employment of, or contract with, an excluded person.

A notice announcing the bulletin will be included in the May 9 Federal Register publication.

Bill in Congress Seeks to Overhaul Medicare Auditing

Thu, 02 May 2013 20:15:56 GMT

Audits of Medicare payments by government contractors would be subject to a host of new oversight reforms under a bill that legislators proposed in Congress in March.

In recent years, audits by contractors have become a fixture in the Medicare program as the federal government has increased its efforts to crack down on waste and tighten health care spending. At the helm of the government’s auditing policy have been recovery audit contractors (RACs), private third-party entities that contract with the government to identify and recoup improper Medicare payments. While RACs have been successful in collecting billions of dollars for the government, many health care industry stakeholders claim that these recoveries have come with other costs, bearing significant administrative burdens on providers.

The American Hospital Association, for example, released in March a survey of more than a thousand hospitals that found that RACs issued nearly 60,000 more medical record requests in the fourth quarter of 2012 than in the third quarter and that over the same period RACs rendered more than 30,000 additional complex audit claim denials, most of which were for claims for short hospital stays where the RACs deemed the hospital setting an inappropriate site of care. Hospitals reported appealing more than 40 percent of all RAC denials and experiencing a 72 percent success rate in overturning them.

In an effort to bring relief to providers, the proposed legislation, the Medicare Audit Improvement Act of 2013 (H.R. 1250), would make major changes to the contractor review process. Among other things, the bill would:

Establish a consolidated limit for RACs and other contractors to make additional documentation requests, limiting such requests to two percent of hospital claims with a maximum of 500 additional documentation requests per 45 days;

Impose financial penalties on RACs whose payment denials are overturned on appeal and require RAC audit rates, denials, and appeals outcomes to be posted online; and

Authorize payment for services on an outpatient basis where a RAC denied the claim for payment only because it deemed the inpatient site of care, but not the care itself, improper.

Whether Congress will ultimately pass the legislation remains unclear. In the last session of Congress, legislators introduced a similar bill, but it never made it past committee review. Even if the newly proposed legislation meets a similar fate, some of its reforms could nevertheless be executed at the administrative level. In March, the Centers for Medicare and Medicaid Services solicited comments on a proposed rule that would allow providers to receive outpatient payment for services for which contractors denied claims for payment only because of the inpatient setting of care. Comments are due by May 17, 2013.

Obama Administration Aims to Restrict Physician Self-Referrals for Certain In-Office Services in Proposed Budget

Fri, 26 Apr 2013 19:53:49 GMT

In its recently unveiled budget proposal for fiscal year 2014, the Obama administration has proposed saving billions in federal expenditures by tightening restrictions on certain services for which physicians can self-refer patients and receive government payment.

Under current federal law, a physician cannot make a referral to an entity for the furnishing of “designated health services” payable by government-funded health programs, such as Medicare, if the physician has a financial relationship with the entity. Correspondingly, this law—the “Stark Law”—also prohibits the entity receiving the referral from submitting a claim for payment for such services. Several exceptions, however, punctuate these prohibitions, including the “in-office ancillary services” exception, which shields referrals within physician practice groups for designated health services that meet specified criteria regarding the individual who furnishes the services, the location where the individual furnishes the services, and the party that bills for the services.

In an overview of the President’s 2014 budget plan for health care spending, the U.S. Department of Health and Human Services (HHS) notes that there are “many appropriate uses” for the in-office ancillary services exception, which the agency describes as designed to allow physicians to “self-refer quick turnaround services.” But, the agency cautions, some physicians have relied on the exception for certain services, such as advanced imaging and outpatient therapy that “are rarely performed on the same day as the related office visit.” Additionally, HHS claims, evidence suggests that the exception may have spurred “overutilization and rapid growth” of these services.

In light of these findings, the Obama administration has recommended excluding radiation therapy, therapy services (such as physical therapy and occupational therapy), and advanced imaging (such as CT scans and MRIs) from the in-office ancillary exception to encourage “more appropriate use of select services,” as HHS explains in the health spending overview. Notably, however, the administration would not extend this exclusion to “cases where a practice meets certain accountability standards,” which the HHS Secretary would have the authority to define, presumably before the exclusion would take effect in calendar year 2015 as the administration intends. Amending the Stark Law exception in this fashion would yield $6.1 billion in federal savings over 10 years, according to the administration.

Providers of the in-office services identified by the Obama administration should follow closely to see if the administration’s suggested change to the Stark Law makes it into the final budget and, if so, how the HHS Secretary ultimately defines the “accountability standards” that could make the difference between staying within the boundaries of the law and falling outside of them.

OIG Announces Revamped Self- Disclosure Protocol

Thu, 25 Apr 2013 20:42:02 GMT

The Office of the Inspector General (“OIG”) recently updated the 15-year-old Provider Self-Disclosure Protocol (“SDP”) in an effort to provide clearer and more concise guidance to providers. Since its inception, the SDP has recovered more than $280 million in federal funds.

According to the OIG, “the newly revised SDP supersedes and replaces the 1998 Federal Register Notice and the Open Letters [issued in 2006, 2008 and 2009]…” Notable changes include: revisions to the damages multiplier; reporting of individuals excluded from participating in federal programs; and reporting anti-kickback (“AKS”) violations.

Specifically, with respect to calculating provider penalties, the updated SDP indicates that a multiplier of 1.5 will typically be used; however, the OIG reserves the right to adjust the multiplier on a case-by-case basis. Additionally, the revised SDP clarifies how to treat information regarding individuals prohibited from involvement in federal health care programs. For instance, disclosed information must include a description of the employers’ process for identifying excluded individuals. The revised SDP also requires employers to screen all employees and contractors after one excluded employee is identified, so all excluded individuals may be disclosed simultaneously. Regarding AKS and Stark law violations, the revised SDP requires providers to include an admission that, from a reasonable assessment at the time of disclosure, “…the subject arrangement(s) constitute potential violations of the AKS and, if applicable, the Stark Law.” Additionally, the OIG provided examples of helpful information in resolving reported disclosures.

The new OIG guidance also highlights the benefits of SDP disclosures including: 1) a very low chance of permissive exclusion; 2) the application of the lower damages multiplier; and 3) suspension of the “60-day rule” requiring providers to return an overpayment within 60-days of discovery.

Meaningful Use Participants to Face Potential Audits

Thu, 25 Apr 2013 14:32:00 GMT

According to the Centers for Medicare and Medicaid Services (CMS), participants in the meaningful use program have a one in 20 chance of being subjected to a compliance audit.

Under the American Recovery and Reinvestment Act (ARRA), the 2009 federal stimulus package, eligible hospitals and health care professionals who demonstrate meaningful use of electronic health record systems (EHR) can qualify for incentive payments under Medicaid and Medicare. Participation by eligible providers has been robust, particularly by hospitals. According to a CMS factsheet, 85 percent of eligible hospitals are participating in the program and more than 75 percent of hospitals have received payments under the program as of March 2013. Of eligible health care professionals, 73 percent are participating, but only 44 percent have received payments as of last month.

CMS has stated that the majority of audits will be “desk audits” conducted by an audit contractor. However, a few on-site audits may occur. Some health care providers have already been notified by CMS of adverse audit findings. A few of these providers have started the appeals process and some providers could face fraud investigation. According to CMS, the most frequent issues arising in the audits are: (i) noncompliance with the requirement that providers perform a security risk assessment (a requirement under HIPAA as well); and (ii) a lack of proper documentation to support responses to the meaningful use requirements.

Citing HIPAA, Court Overturns Florida Law Providing for Release of Deceased Nursing Home Residents’ Medical Records

Tue, 16 Apr 2013 16:28:09 GMT

Offering a reminder that even deceased individuals’ health information is afforded privacy protection under federal law, a federal appeals court struck down a Florida law authorizing certain persons to obtain deceased nursing home residents’ medical records as in conflict with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Faced with medical record requests from deceased former nursing home residents’ spouses and other persons, several nursing homes in Opis Management Resources LLC v. Secretary Florida Agency for Health Care Administration, No. 12-12593 (11th Cir. Apr. 9 2013) pointed to HIPAA to support their refusal to release the records under the Florida law. That state law required licensed nursing homes to provide a current or former nursing home resident’s medical records to the resident’s spouse, guardian, surrogate, proxy, or attorney-in-fact. The nursing homes claimed that under provisions of HIPAA that protect the privacy of deceased individuals’ health information, the requesters did not have authority to act on behalf of the deceased residents and therefore were not their “personal representative”; thus, HIPAA prevented the nursing homes from disclosing the records. Florida regulators, on the other hand, maintained a contrary interpretation and issued citations to the nursing homes for not complying with the Florida law.

According to the U.S. Court of Appeals for the Eleventh Circuit, HIPAA and the Florida law “[could not] be reconciled” because the Florida law stood “as an obstacle to the accomplishment and execution of the full purposes and objectives of HIPAA in keeping an individual’s protected health information strictly confidential.” The court emphasized that while HIPAA sanctions the disclosure of deceased individuals’ protected health information to a “personal representative” and other identified persons “who were involved in the individual’s care or payment for health care prior to the individual’s death” to the extent the disclosed information is “relevant to such person’s involvement,” the law otherwise ensures the privacy protection of deceased individuals’ health information by generally prohibiting its use and disclosure except in certain circumstances or with authorization. In contrast, the court explained, the Florida law allowed for “sweeping disclosures, making a deceased resident’s protected health information available to a spouse or other enumerated party upon request, without any need for authorization, for any conceivable reason, and without regard to the authority of the individual making the request to act in a deceased resident’s stead.” In light of this apparent conflict, the court concluded, HIPAA preempted the Florida law.

For nursing homes in Florida and other HIPAA-covered entities subject to potentially broad state medical record disclosure laws like Florida’s, OPIS Management provides a defense in refusing to release deceased individuals’ medical records for litigation or other purposes. Curiously, the court’s ruling arrives just as the U.S. Department of Health and Human Services recently relaxed the HIPAA regulations governing deceased individuals’ health information to protect the privacy of such information only for 50 years (previously, protection was indefinite) and to authorize disclosure of such information to family members and other identified persons who were involved in the individual’s health care or payment for care. As this case demonstrates, however, these provisions are not limitless. HIPAA-covered entities should take care to scrutinize the qualifiers in these HIPAA rules as they navigate the intricacies of HIPAA and similar state laws, particularly where these laws conflict or diverge.

Proposed Extension of EHR Waiver under Stark and Anti-kickback

Mon, 15 Apr 2013 13:28:00 GMT

Last week, the Centers for Medicare and Medicaid Services (CMS) and the Office of Inspector General (OIG) of the Department of Health Human Services (HHS) issued proposed rules to extend waivers that relaxed federal Stark and anti-kickback laws with regard to the donation of electronic health-record (EHR) items and services. The waiver was intended to promote the use of EHR systems.

Under the proposed rule, the Dec. 31, 2013 sunset provisions in the original rules would be extended until Dec. 31, 2016. CMS and OIG have indicated that they are considering a further extension, allowing the waiver to continue through Dec. 31, 2021. Additionally, the proposed rules make two other significant changes. Firstly, the rules update the provision under which EHR software is deemed interoperable. Donated EHR technology must be “interoperable” as of the date it is donated. EHR technology will be deemed to be interoperable if it has been certified through an authorization process established by the Office of the National Coordinator for Health Information Technology (ONC) to any edition of the electronic health record certification criteria under the then applicable definition of “Certified EHR.” Secondly, CMS and OIG are considering the elimination of a requirement in the original rule that EHR is required to have electronic prescribing capabilities to qualify for the waiver.

CMS and OIG are soliciting public comments on other possible amendments to the exception, including limiting the scope of protected donors, and adding or modifying conditions to limit the risk of data and referral lock-in. CMS and OIG have indicated that they are contemplating specifically excluding the following from the list of permissible donors: laboratories, DME suppliers and independent home health agencies. Once the rules have been published in the Federal Register, there will be a 60-day comment period.

Teaching Hospitals May Adjust Number of Residents and Interns for Medicare Payment Past Three-Year Review Period, Appeals Court Rules

Mon, 11 Mar 2013 19:01:10 GMT

Teaching hospitals may adjust the number of full-time equivalent (FTE) residents and intern physicians that they submit to the Medicare program for reimbursement of the costs of the FTEs’ graduate medical education (GME) past the three-year regulatory window for review of reimbursement determinations, a federal appeals court ruled in Kaiser Foundation Hospitals v. Sebelius, No. 12-5037 (D.C. Cir. Mar. 5, 2013).

An accurate GME FTE number is critical to teaching hospitals because in 1997 Congress capped the number of GME FTEs teaching hospitals may include in their annual Medicare cost reports to the number of GME FTEs they had in 1996. Fiscal intermediaries that contract with the federal government in turn weigh this capped number when reviewing a hospital’s cost reports to determine the reimbursement that it is due. Under federal regulations, a party may reopen an intermediary’s reimbursement determination if it so requests within three years of the determination.

In Kaiser Foundation Hospitals, an intermediary used an inaccurate GME FTE number from 1996 and 1998 cost reports that excluded clinic-based residents to generate artificially low GME FTE caps for a consortium of teaching hospitals. The hospitals sought to adjust this number through a timely appeal of their reimbursement determinations from 1999 through 2003, but this adjustment hinged on them challenging their GME FTE count as it appeared in their 1996 and 1998 cost reports, the reimbursement determinations for which they conceded could not be reopened under the three-year review restriction. Thus, the issue arose whether the regulations governing review precluded modification of the data underlying the GME FTE caps, even if such modification only affected reimbursement determinations that the hospitals had timely contested. The hospitals argued that the regulations did not bar such modification, but the government disagreed.

The U.S. Court of Appeals for the D.C. Circuit sided with the hospitals, holding that “the reopening regulation allows for modification of predicate facts in closed years provided the change will only impact the total reimbursement determination in open years.” This result, the court reasoned, was compelled by the plain language of the regulations, which made clear that the three-year review limitation applied only to reopening an actual reimbursement determination. Alternatively, the court held, the government “acted arbitrarily in treating similarly situated parties differently,” given that it “routinely championed a permissive interpretation of the reopening regulation when correction of the predicate facts would have resulted in a windfall for the agency, but adopted a contrary view here, where the benefits would inure to the provider.” Similarly, the court explained, the government’s conflicting position in previous cases undermined its additional argument that “even if the modification of predicate facts in a closed year does not itself amount to a reopening, the change will necessitate an adjustment of that year’s reimbursement, which all parties agree constitutes an impermissible reopening.”

As a victory for teaching hospitals, Kaiser Foundation Hospitals incentivizes hospitals to review their GME FTE numbers. If they can identify undercounted GME FTE numbers, as the hospitals did in that case, they may have ground to challenge, within the three-year review period, reimbursement determinations that were based on such undercounting and may be able to claim greater reimbursements on a forward-looking basis.

Sacrificing the ACA, the Cost of Avoiding Perpetual Calamity?

Thu, 07 Mar 2013 20:21:00 GMT

Once again, the Affordable Care Act (ACA) has a target on its back. Yesterday, the House passed a bill to stave off “sequestration” and the looming specter of a government shut-down on March 27. The bill slashed funding to the ACA’s health insurance exchanges along with other domestic programs.

The bill proposed cuts to domestic programs including health insurance exchanges of up to 11 percent but spared defense spending and veterans programs. The bill will now be considered by the Senate where Republicans, led by Senator Cruz (R-TX), will offer an amendment that would strip all funding from the ACA. This measure is unlikely to pass the Democrat controlled Senate; however, it sends a strong message that the battle over Obamacare wages on. This proposed cut would not be the first that health care exchanges have faced. As part of the fiscal cliff deal, 90 percent of the funding for health insurance exchange start-up loans was slashed.

The Republican controlled House is using its “purse string power” to continue the fight against the ACA, and is sending a strong message to the Obama Administration and the Democrat led Senate that they cannot retire their boxing gloves yet.

Licensing Fee Rate Hike in the Future for Illinois Physicians?

Mon, 25 Feb 2013 20:32:35 GMT

Last week, the Illinois Senate approved a proposal to more than double fees from $300 to $700 for a three-year physician license. The Illinois House must now vote on the measure. Currently, the House has separate legislation similar to the Senate measure, but the House version would permanently raise fees to $750, while the rate increase under the Senate version would be temporary, with fees decreasing to $500 in July 2018.

The measure is in response to the severe financial deficit in the medical unit of the Department of Financial and Professional Regulation, which has been forced to lay off more than half its staff members last month. As a result of these layoffs, physicians and medical resident license processing waiting periods have increased from 16 business days to six months. The Illinois medical community is pushing for a solution to restore staff members to the medical unit soon as this processing delay could jeopardize the licensure of medical residents who are set to begin practicing in Illinois hospitals this summer.

Both the Senate and House measures include a provision allowing for the borrowing of $6.6 million from a tax fund to rehire staff. However, the Illinois State Medical Society (ISMA) has opposed these borrowing provisions, stating that the State should pay the medical unit for money that previous administrations have taken from the unit for other purposes. Additionally, ISMA has said that it would agree to a rate hike of only $500.

If the House measure is approved, it would land in the Senate. If both measures are passed, the governor would then decide which version to sign. Generally, though, approved competing measures become part of a House-Senate compromise.

Appeals Court Upholds Individual Insurance Mandate Amid Mandate Implementation Efforts

Tue, 12 Feb 2013 19:25:50 GMT

As the Obama Administration works toward implementing the contentious individual insurance mandate in the Affordable Care Act (ACA), a federal appeals court on Feb. 1, 2013 upheld the constitutionality of the key provision in the 2010 health reform law, which requires most Americans to maintain health insurance or pay a penalty beginning in 2014.

Leading the suit in U.S. Citizens Association v. Sebelius, Nos. 11-3327/3798 (6th Cir. Feb. 1, 2013) were a nonprofit association and several of its members who were among the early challengers to the mandate. The Supreme Court ultimately ruled in National Federation of Independent Business v. Sebelius, 132 S. Ct. 2566 (2012) that Congress possessed the authority under its constitutional taxing power to enact the mandate and its accompanying penalty, but it left unresolved questions regarding whether the mandate violated the individual rights protected by the Constitution’s Bill of Rights. According to the plaintiffs in U.S. Citizens Association, the mandate did infringe these rights—specifically, their rights to expressive and intimate association under the First Amendment, right to liberty under the Fifth Amendment, and right to privacy under various amendments, including the First and Fifth Amendments.

The U.S. Court of Appeals for the Sixth Circuit, however, disagreed. In each strand of its analysis, the court emphasized that the mandate only requires individuals to maintain a minimum level of health insurance or pay a penalty. Contrary to the plaintiffs’ assertions, the court held, the mandate did not intrude upon their selection of care providers or their ability to express disapproval of the ACA or health insurance generally in violation of their respective rights to intimate association and expressive association. Nor, according to the court, did the mandate dictate the terms of the plaintiffs’ medical care or compel them to disclose their personal medical information to insurance companies in violation of their respective rights to liberty or privacy.

The Sixth Circuit’s ruling marks one less obstacle for the Obama Administration as it moves forward in implementing the mandate. On the same day that the court released its opinion, the Internal Revenue Service published a proposed rule that provides guidance on liability for and computation of penalty payments under the mandate, the minimum health insurance that individuals must maintain, exemptions from the mandate, and procedures to ensure compliance. The rule is open to public comments until May 2, 2013.

As Goes Ohio Medicaid Expansion, So Goes the Nation?

Fri, 08 Feb 2013 16:05:19 GMT

This week, Republican governors in both Ohio and Michigan have come out in support of expanding their state’s Medicaid programs under the Affordable Care Act (ACA). Without state participation in Medicaid expansion, the ACA’s goal of insuring the uninsured faces grave risk of failure. Despite this recent progress, there remains a great deal of uncertainty surrounding whether or not Republican governors in holdout states will support the President’s plan. Time will tell if Ohio will serve as a predictor of state participation.

With the addition of Ohio and Michigan, 19 states and D.C. will have expanded Medicaid under the ACA, and six Republican governors have spoken out publicly in support of program expansion. In defending his decision, Ohio Governor John Kasich (R) cited that the Obama Administration was willing to compromise on certain aspects of the expansion. The Administration has been in talks with Ohio to allow Medicaid-eligible individuals, with income between 100 percent and 138 percent of the poverty line, to have the option of participating in private health exchanges.

Some holdout states remain reluctant to follow Ohio’s lead despite the Administration’s willingness to bargain. Yesterday, Pennsylvania’s Republican Governor Tom Corbett (R) expressed his unwillingness to support Medicaid expansion, citing primarily concerns about the future costs to taxpayers. Ohio is a well established bellwether in presidential elections. The success of Medicaid expansion will tell whether or not Ohio’s powers of prediction extend beyond presidential elections to presidential policies.

Mark Your Calendars For Our Feb. 21, 2013 HIPAA-HITECH Webinar

Thu, 07 Feb 2013 15:15:07 GMT

Mark your calendars, because on Feb. 21, 2013 we're hosting a complimentary webinar entitled, "HIPAA-HITECH Is Really Here: Preparing Covered Entities, Business Associates and Subcontractors for Compliance With the New Final HIPAA/HITECH Rule."

Designed for healthcare providers, health plans and business associates, this presentation will provide insight and practical guidance on a variety of topics. The webinar will be hosted by Stacy Cook, a partner in Barnes & Thornburg's Healthcare Department.

For more information and to register for this webinar, visit the Barnes & Thornburg website by clicking on the following link: HIPAA-HITECH Is Really Here. And for more information on the HIPAA final rule, check out our series of articles on the subject here - BT Currents: HIPAA final rule.

Finally, Final Rule on the Physician Payments Sunshine Act Released

Wed, 06 Feb 2013 15:43:48 GMT

Initially intended for release before the end of 2012, the Centers for Medicare & Medicaid Services (CMS) released the long-awaited final rule on the Physician Payments Sunshine Act (the Sunshine Act) on Feb. 1, 2013, with publication to follow on Feb. 8. The Final Rule will become effective 60 days after the publication date.

Established under the Affordable Care Act (ACA), the Sunshine Act requires medical industry companies, including pharmaceutical and device manufacturers, to disclose all consulting fees, travel reimbursements, research grants, and other gifts to physician and teaching hospitals with values over $10. Additionally, the Sunshine Act requires manufacturers and group purchasing organizations (each a GPO) to report certain information regarding ownership or investment interests held by a physician in the manufacturer or GPO. Aiming to foster transparency for both consumers and the federal government, the Department of Health and Human Services (HHS) will publish this data on a public website and send annual reports to Congress.

The delay of this highly anticipated final rule follows the delayed release of the proposed rule late last year, and the postponement of several other key ACA implementation deadlines. Under the statute, data collection was to begin January 2012. However, under the Final Rule, CMS requires manufactures and applicable GPOs to begin collecting required data by Aug. 1, 2013, and begin reporting this data to CMS beginning March 31, 2014. CMS will release the data to the public by Sept. 30, 2014.

Continue to visit www.bthealthlaw.com for updates and an upcoming Client Alert providing an in-depth analysis of the Sunshine Act Final Rule.

Data Breach Analysis Changes Under New HIPAA Rule

Thu, 31 Jan 2013 16:37:17 GMT

According to the final rule published by the U.S. Department of Health and Human Services (HHS) on Jan. 25, 2013 that overhauls the Health Insurance Portability and Accountability Act of 1996 (HIPAA), “covered entities” and their business associates will have to conduct more thorough risk assessments following breaches of “unsecured protected health information.”

Since the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, covered entities have had to provide notification of discovered breaches—defined for HIPAA purposes as the impermissible acquisition, access, use, or disclosure of “protected health information” (PHI) that compromises the security or privacy of the PHI—to affected individuals, the federal government, and even the media in some cases. To this end, under an interim rule released by HHS later that year, covered entities and their business associates had to determine if a breach occurred by performing a risk assessment of whether there was a “significant risk of harm to the individual as a result of the impermissible use or disclosure.” As HHS concluded in the new rule, however, this “harm standard” was often interpreted as setting a much higher threshold for breach notification than the agency intended and frequently resulted in subjective, inconsistent determinations as to what amounted to “harm.”

In an attempt to address these concerns, HHS modified the breach analysis in several ways in the new rule, with which covered entities and business associates must comply by Sept. 23, 2013. First, it adds a presumption that an impermissible use or disclosure of PHI is a breach. Second, it replaces the harm standard with a new standard that requires covered entities and business associates to demonstrate that there is a “low probability that the protected health information has been compromised . . . .” This standard, in turn, incorporates several factors that were previously weighed under the harm standard:

· The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;

· The unauthorized person who used the PHI or to whom the disclosure was made;

· Whether the PHI was actually acquired and viewed; and

· The extent to which the risk to the PHI has been mitigated.

In light of these changes, covered entities and business associates should examine their risk-assessment policies to ensure that they conform to the new breach standard. In doing so, they should bear in mind that HHS requires all of the above factors to be considered in a breach analysis, in addition to other factors that may be warranted depending on the circumstances of an impermissible use or disclosure.

This entry is part of an ongoing series on the Barnes & Thornburg Healthcare Blog regarding the HIPAA final rule released on Jan. 17, 2013. Continue to visit www.bthealthlaw.com for new updates and analysis.

Direct Liability and Responsibilities Under the HIPAA Final Rule: What Should Business Associates Know?

Tue, 29 Jan 2013 20:55:52 GMT

Under the recently released HIPAA final rule, business associates are now directly liable for both the use and disclosure of protected health information (PHI) in violation of the Privacy Rule or the Security Rule. Business associates should be aware of the consequences of this significant change in their accountability for HIPAA breaches. Direct liability means that, just as with covered entities, business associates in violation of HIPAA will now be subject to civil and criminal penalties for their actions.

In addition to considering the penalties of a HIPAA violation, business associates should also be aware of the new obligations arising under the HIPAA final rule. While HIPAA requirements previously focused on covered entities, under the final rule, business associates will have to prepare for a new set of obligations. Specifically, business associates must:

(1) Maintain records and submit compliance reports as Department of Health and Human Services (HHS) may deem necessary to determine whether the business associate has complied with applicable HIPAA provisions and has cooperated with compliance investigations and reviews;

(2) Notify the covered entity following the discovery of a breach of unsecured PHI;

(3) Make reasonable efforts to limit use and disclosure of PHI, or requests for PHI, to the minimum extent necessary to accomplish the intended purpose;

(4) Enter into HIPAA compliant business associate agreements (BAA) with subcontractors that handle PHI;

(5) Provide an accounting of disclosures, and;

(6) Disclose PHI needed by a covered entity to respond to an individual’s request for an electronic copy of his/her PHI.

As we discussed last week, subcontractors should also pay close attention to changing requirements for business associates. Subcontractors who create, receive, or transmit PHI on behalf of business associates will now be considered business associates themselves, and will thus also be subject to direct liability under HIPAA.

Covered Entities Required to Modify Notice of Privacy Practices Under New HIPAA Rule

Fri, 25 Jan 2013 20:12:41 GMT

With the release on Jan. 17, 2013 of the U.S. Department of Health and Human Services’ (HHS) much-anticipated final rules implementing changes to the Health Insurance Portability and Accountability Act (HIPAA) of 1996, health plans, health care clearinghouses, and health care providers—or “covered entities” under HIPAA—must modify the notices they provide to individuals regarding their health information privacy practices.

Under the current HIPAA framework, covered entities must provide a “notice of privacy practices” (NPP) that describes permissible uses and disclosures of individuals’ “protected health information” (PHI) by covered entities, covered entities’ legal duties regarding PHI, and individuals’ rights concerning their PHI. The final rule builds on this framework by incorporating changes to HIPAA made by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 to strengthen privacy and security protections for PHI. Among these changes, covered entities’ NPP now must contain a statement indicating that uses and disclosures of PHI for marketing purposes, and disclosures that constitute a sale of PHI require an individual’s written authorization. Additionally, the NPP must inform individuals of their right to restrict certain disclosures of their PHI to a health plan where an individual pays out of pocket in full for a health care item or service, and their right to be notified of a breach of unsecured PHI where an individual is affected by such breach.

HHS concluded that these changes represented a “material change,” thus requiring covered entities to promptly revise and distribute their NPP. Ordinarily, health plans must provide a revised NPP to individuals within 60 days of a material revision, but in an effort to increase flexibility, HHS suspended this requirement for health plans that post their NPP on their website. Now, these health plans may post the change or their revised NPP on their website by the effective date of the material change (in this instance, Sept. 23, 2013) and provide the revised NPP, or information about the material change and how to obtain the revised NPP, in their next annual mailing to individuals then covered by the plan. By contrast, the requirements for health care providers regarding distribution of a revised NPP remain the same: They must provide their revised NPP after the compliance date of a material change (again, Sept. 23, 2013 in this instance). Nevertheless, in response to concerns about printing costs for revised NPPs, HHS clarified that health care providers may satisfy their legal obligations simply by posting their revised NPP or a summary thereof in a clear and prominent location at the care delivery site, and by having copies of the full NPP there for individuals to take with them.

HIPAA Final Omnibus Rule & Business Associate Agreements

Fri, 25 Jan 2013 16:10:05 GMT

This week, Barnes & Thornburg’s Health Law Blog is examining the impact of the recently released Health Insurance Portability and Accountability Act Omnibus final rule (HIPAA Final Rule) on business associates. The HIPAA Final Rule has retooled the definition and responsibilities of business associates. The Department of Health and Human Services (HHS) has made sweeping changes to: who is considered a business associate; the obligations of business associates and subcontractors; and potential business associate and subcontractor liability. This blog entry specifically examines the impact of HIPAA Final Rule on business associate agreements (BAAs).

In order to comply with the HIPAA Final Rule, BAAs between covered entities and business associates will require modification. A BAA must now: (1) establish the permitted and required uses and disclosure of protected health information (PHI) by the business associate; (2) require the business associate to report any breaches of unsecured PHI to the covered entity; (3) ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate; and (4) require the business associate to comply with any and all other HIPAA rules and regulations with which the covered entity would have to comply to the extent that the business associate performs related obligations. Specifically, the business associate will need to agree that it has technical, physical and administrative safeguards in place, and that it meets certain security standards. Essentially, business associates will need to take administrative actions and physical measures to protect PHI, which will also involve having appropriate policies and procedures in place. Business associates, like covered entities, will now be directly accountable for following many provisions of HIPAA. Due to increased HIPAA enforcement and the expansion of liability to business associates and subcontractors, covered entities and business associates should consider the role of indemnification provisions.

The new HIPAA Final Rule also expands compliance and potential liability to subcontractors. Therefore, business associates should examine their subcontractor relationships to ensure compliance with the HIPAA Final Rule, and specifically to consider whether a BAA is necessary.

HHS has provided a transition period for existing BAAs, if prior to Jan. 25, 2013, the BAA complied with HIPAA and the BAA is not renewed or modified between March 26, 2013 and Sept. 23, 2013. If a BAA meets these requirements, it will be considered compliant until the earlier of: the date the BAA is renewed or modified after Sept. 23, 2013 or Sept. 22, 2014. Due to increased enforcement, covered entities and business associates should review their current BAAs and ensure that they are in compliance with HIPAA immediately prior to Jan. 25, 2013 if they wish to take advantage of this transition period.

Subcontractors under the HIPAA Final Rule

Thu, 24 Jan 2013 15:33:17 GMT

Released last week, the Health Insurance Portability and Accountability Act (HIPAA) final omnibus rule (available here) not only finalized proposed changes, but also included changes that the Department of Health and Human Services (HHS) says will expand HIPAA requirements to business associates of healthcare providers and any entity with which they subcontract.

With this final rule, HIPAA now covers the processors of health insurance plans and other service providers that handle protected healthcare information (PHI), including both contractors and subcontractors. PHI is protected health information as such term is defined in 45 C.F.R. 160.202.

The final rule defines “subcontractor” as “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.” 45 C.F.R. 160.202. The discussion of the final rule clarifies that a subcontractor is a business associate where that function, activity, or service involves the creation, receipt, maintenance, or transmission of PHI. According to the definition of "business associate" under the final rule, if a business associate subcontracts part of its function requiring access or use of PHI to another organization, that subcontractor is also subject to HIPAA." 45 C.F.R. 160.202. There must be an agreement between the business associate and its subcontractor that contains the elements required to be included in business associate agreements and describes the subcontractor's permitted uses and disclosures of PHI (which may not include uses and disclosures not permitted to the business associate).” An example of this subcontractor relationship would be a third party administrator business associate that contracts with another party to shred and destroy documents containing PHI.

Previously, the focus of HIPAA has been on covered entities themselves. A "covered entity" is defined as a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction subject to HIPAA. 45 C.F.R. 160.202. Under the final rule, covered entities must ensure that business associates, which now include subcontractors, protect "electronic protected health information they create, receive, maintain, or transmit on behalf of the covered entities." 45 C.F.R. 164. 308. Thus, every connected contractor and subcontractor must be responsible for each other and subcontractors are now directly liable to HHS for breaches. It is important to note that a covered entity is not liable for the actions of a subcontractor as there is no direct relationship between the entities.

Business associates (and therefore subcontractors as well) have until the Sept. 23, 2013 compliance date to comply with these new provisions. Keep checking the Barnes & Thornburg Healthcare blog in the upcoming weeks for more information on what subcontractors, and other business associates, can expect under these new regulations.

HIPAA Final Rule Released: What to Expect

Fri, 18 Jan 2013 20:34:36 GMT

After a long-wait and growing anticipation, the Department of Health and Human Services Office for Civil Rights released the final rule updating several provisions of the Health Insurance Portability and Accountability Act (HIPAA) on Jan. 17, 2013. While the rule becomes effective March 26, covered entities and their business associates have until September 23 to comply with its requirements.

The final rule provides for the following:

1. changes to the HIPAA Privacy and Security rules as required by the Health Information and Clinical Health Act (HITECH);

2. changes to the HIPAA enforcement rule;

3. final regulations concerning data breach reporting requirements; and

4. changes to the Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA)

The Barnes & Thornburg Healthcare Department will be providing an in-depth analysis of the final rule through blog entries and webinars in the upcoming weeks. Keep checking the blog for more information on what covered entities and business associations can expect under these new regulations.

What Can Healthcare Entities Learn from the First Settlement for a HIPAA Breach Involving Fewer than 500 Patients?

Fri, 04 Jan 2013 22:31:29 GMT

A breach of the Heath Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule in 2010 by the Hospice of North Idaho (HONI) resulted in a recent settlement payment of $50,000 to the U.S. Department of Health and Human Services (HHS). While settlements for large HIPAA violations are becoming increasingly common in recent years, this particular settlement is the first for a breach affecting fewer than 500 individuals.

The investigation by the HHS Office of Civil Rights (OCR) began after HONI reported the theft of an unencrypted laptop containing electronic patient health information (ePHI). While the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires breaches affecting 500 or more individuals to be reported to HHS within 60 days after discovery, those breaches affecting fewer than 500 individuals need only be reported to HHS on an annual basis. During the investigation, OCR determined that HONI had neither conducted a risk analysis to safeguard ePHI nor implemented procedures or policies to address mobile device security, as required under HIPAA.

In the HONI case and a recent case involving the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates (MEEI) (which resulted in a $1.5 Million settlement payment to HHS), OCR focused not only on the breach itself, but also whether the breaching entity had sufficient written HIPAA policies and had conducted the risk assessment required under the HIPAA Security Rule. Healthcare entities, particularly smaller entities that may have previously thought that their size provided protection from HHS investigations and penalties, may want to consider the HONI settlement, along with recent settlements for larger breaches such as MEEI, as a "wake-up call" to develop or evaluate their own HIPAA Privacy and Security policies and procedures. Entities subject to HIPAA that do not have such policies and procedures in place may be prudent to adopt and maintain those addressing its specific HIPAA needs and concerns to reduce the chance of a breach. Furthermore, even those entities that have HIPAA policies in place may want to consider re-evaluating their policies and procedures to ensure that they are both up-to-date and effective.

Multi-State Plan Proposed Rule Released

Wed, 05 Dec 2012 17:14:56 GMT

On Nov. 30, 2012, a few weeks after the announcement of government sponsorship of multi-state plans took existing insurers and CO-OP developers by surprise, the Office of Personnel Management (OPM) published the proposed rule on these plans. Under these multi-state plans, health insurance operated under contract with the federal government will be available to consumers in every state through state insurance exchanges. The impetus behind these plans is the belief that a government sponsored multi-state plan will increase competition and lead to more competitive pricing in health insurance markets.

According to OPM, there are five primary objectives of the proposed rule:

1.      Ensure the choice of at least two high-quality products to consumers participating in each exchange

2.      Promote competition in the health insurance market

3.      Offer plans from the same issuer to families or small business that may reside or operate in more than one state

4.      Provide strong, effective contractual oversight of the multi-state plans

5.      Work cooperatively with states and the Department of Health and Human Services to ensure a “level playing field.”

This last objective is of particular concern to private insurers. The Affordable Care Act (ACA) provisions pertaining to multi-state plans do not specify how these plans will comply, if at all, with requirements under various state laws. Private insurers worry that if state laws do not apply, these multi-state plans may have an unfair competitive advantage over other insurers who are subject to state-specific requirements. While the proposed rule includes the ACA directive that the multi-state plans be governed by all state and federal laws that apply to qualified health plans, it also carves out an exception “to the extent any such laws are inconsistent with these regulations, OPM guidance, or OPM’s contracts.”

The comment period for this rule will be open from Dec. 5, 2012 through Jan. 4, 2013, and OPM has stated that the final rule will be released next year.

Federal Agencies Release Key Health Reform Rules

Mon, 03 Dec 2012 19:48:15 GMT

As anticipation about the Obama Administration’s regulatory policy has swelled in the wake of President Obama’s reelection, the federal Departments of Health and Human Services, Labor, and Treasury on Nov. 20, 2012 released rules that propose to implement critical provisions of the Affordable Care Act (ACA), the 2010 federal health reform law. Issued in three separate rules that respectively address health insurance plan benefit requirements, insurance market reforms, and employer-provided wellness programs, the rules promise to have a significant impact on insurers, providers, state governments, and consumers, all of whom are likely to influence the development of the rules from proposed to final form.

Intended to aid consumers as they look for non-grandfathered private health insurance options in the individual and small group markets, the rule on essential health benefits, actuarial value, and accreditation standards seeks to promote consistency across health plans by requiring that health insurance plans include certain categories of essential health benefits (EHB), such as ambulatory patient services and prescription drugs. As insurance regulation generally falls under the jurisdiction of state governments, the rule provides states with significant flexibility in defining EHB. Under the rule, states are to select a benchmark plan from various listed options (e.g., the largest plan by enrollment in any of the three largest products in the state’s small group market), and all plans including EHB must offer benefits that are substantially similar to the benefits offered by the benchmark plan. If a state does not select a benchmark, HHS will set the default benchmark plan. The rule also contains a number of provisions to prevent discrimination against consumers.

Additionally, the rule outlines standards related to the determination of actuarial value (AV), which refers to the percentage of total average costs for covered benefits that a plan will cover, and proposes a timeline for when insurers offering coverage in a federal or state partnership exchange must become accredited. In 2014, non-grandfathered health plans in individual and small group markets must meet certain AV levels.

The rule on health insurance market requirements aims to complement these requirements by implementing major structural reforms. Among other things, the rule would generally require insurers to accept every individual or employer who applies for coverage in the individual or group market, and require insurers to renew all coverage in such markets. Additionally, the rule would allow insurers in the individual and small group markets to vary premiums based only on limited factors, such as age and tobacco use, and within restricted ratio limits.

Finally, the rule on incentives for nondiscriminatory wellness programs in group health plans endeavors to promote employer-sponsored wellness programs designed to incentivize employees to develop healthy behaviors while protecting against consumer discrimination in such programs. For programs that require individuals to meet a specific standard related to their health to obtain a reward—for example, programs that reward individuals who do not use or stop using tobacco products—the rule specifies requirements governing program design, participation, and reward size.

Long-Delayed Sunshine Rule One Step Closer to Release

Mon, 03 Dec 2012 19:23:15 GMT

Despite growing pressure from both consumer groups and industry groups, the Physician Payments Sunshine Act (the Act) final rule has not yet been published. However, the rule is one step closer to final release, as it is now in the hands of the Office of Management and Budget for review.

Requiring annual reporting of payments between applicable drug or device manufacturers and physicians or teaching hospitals, the Act is intended to shed light on these financial relationships. The Department of Health and Human Services will foster transparency for both consumers and the federal government by publishing this data on a public website and sending annual reports to Congress.

The delay of the highly anticipated final rule follows the delayed release of the proposed rule late last year, and the postponement of several other key Act implementation deadlines. Under the statute, data collection was to begin January 2012. However, due to the modified timeline, the Centers for Medicare and Medicaid Services announced earlier this year that collection would not begin until January 2013. Applicable manufacturers must begin disclosing required physician payment data 90 days after the release of the final rule.

The final rule has been long-awaited by interested parties. Consumer groups have criticized the publication timeline for placing implementation of the Act over a year behind schedule. Drug and medical device groups likewise have criticized this delay, as they worry they will not have adequate time to prepare for what many view as the burdensome requirements under the Act.

More information on the Sunshine Rule is available via the Bloomberg BNA article below.

Bloomberg BNA – “Long-Awaited Final ‘Sunshine’ Rule Lands at OMB for Regulatory Review”