Wachler & Associates Health Law Blog

The U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR), recently announced a settlement with St. Elizabeth’s Medical Center (SEMC) over violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). SEMC is a tertiary care hospital located in Massachusetts. OCR’s investigation began in November 2014, when OCR alleged that SEMC violated HIPAA’s Privacy, Security and Breach Notification Rules. As part of the settlement, SEMC agreed to pay $218,400 and adopt a corrective action plan to address the deficiencies in SEMC’s HIPAA compliance program.

On July 10, 2015, OCR released an HHS OCR Bulletin containing the allegations against SEMC, the parties’ settlement agreement and SEMC’s corrective action plan. OCR’s investigation stemmed from a complaint against SEMC filed on November 16, 2012. The allegations pertain to SEMC’s use of internet-based document sharing programs that contain electronic protected health information (ePHI). OCR found that SEMC used the internet-based applications without analyzing the privacy and security risks, as required by HIPAA. Further, critical to SEMC’s liability under HIPAA, OCR alleged that SEMC “failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome.” The settlement agreement also covers a separate HIPAA breach that occurred in August 2014, when SEMC notified HHS of a breach of unsecured ePHI located on a personal laptop and USB flash drive.

The settlement between OCR and SEMC is predicated on SEMC’s continued compliance with the settlement agreement’s corrective action plan. As part of the plan, SEMC agreed to perform robust “self-assessment” to determine the SEMC’s workforce members’ knowledge of and compliance with SEMC policies and procedures regarding: transmitting ePHI using unauthorized networks; storing ePHI on unauthorized information systems; removal of ePHI from SEMC; prohibition on sharing accounts and passwords for ePHI access or storage; encryption of portable devices that access or store ePHI; and security incident reporting related to ePHI. The self-assessment includes unannounced site visits to various SEMC departments, randomly selected interviews of SEMC workforce members, and inspection of portable devices that can access ePHI in the departments impacted by the breach. SEMC is also required to provide a report documenting its self-assessment to HHS within 150 days of the settlement.

In June, the U.S. Court of Appeals for the District of Columbia Circuit ruled on two regulations implemented by the Centers for Medicare and Medicaid Services (CMS) under the federal Stark law (Stark) in 2008. Following a challenge by the Council for Urological Interests (the Council), a urology trade association, the court rejected CMS’ prohibition on per-click equipment rental leases but upheld CMS’ new interpretation of “entity furnishing designated health services” and thus the prohibition against “under-arrangement” transactions.

Stark prohibits physicians from referring Medicare or Medicaid patients for designated health services to an entity with which the physician has a financial relationship unless an exception applies. An exception to Stark exists for equipment leases. Under CMS’ 2008 regulation challenged by the Council, CMS barred per-click rental arrangements based on CMS’ analysis that Congress did not intend to protect arrangements where the lessor’s amount of income fluctuated based on the amount of patients referred by the lessor to the lessee. CMS claimed to base its determination to bar per-click equipment leases on a 1993 U.S. House of Representatives conference report (Conference Report).

The court reviewed CMS’ per-click equipment lease prohibition under the two-step Chevron legal test used to determine whether a court must grant deference to a government agency’s interpretation of a statute. First, the court determined that Stark did not forbid CMS from banning per-click leases, as the statute does not expressly permit per-click leases and also allows the Secretary of the U.S. Department of Health and Human Services (the Secretary) to impose, by regulation, other requirements as needed to protect against program or patient abuse. However, the court determined that the per-click ban failed under step-two of the Chevron analysis, as the agency’s statutory interpretation was not permissible or reasonable in light of Congress’s intent. The court’s decision focused on the Conference Report cited by CMS. The Conference Report explained, “in reference to the rental-charge clause for the equipment rental exception, ‘[t]he conferees intended that charges for space and equipment leases may be based on…time-based rates or rates based on units of service furnished, so long as the amount of time-based or units of service rates does not fluctuate during the contract period.'” The court’s decision highlighted how the Secretary’s interpretation of the Conference Report had changed over time, pointing out that in 2001, the Secretary explained, “given the clearly expressed congressional intent in the legislative history, we are permitting ‘per use’ payments.” The court found that the Conference Report makes clear that unit of service rates are what cannot fluctuate during the contract period, and noted that the Secretary’s new interpretation of the Conference Report ignored the word “rates” completely. In rejecting the ban on per-click leases, the court stated that the agency’s “jargon is plainly not a reasonable attempt to grapple with the Conference Report; it belongs instead to the cross-your-fingers-and-hope-it-goes-away school of statutory interpretation.”

In June, the New York Attorney General announced a widespread settlement with Aspen Dental Management, Inc. (“Aspen Dental”) based on the Attorney General’s finding that the dental practice management company engaged in the unauthorized practice of dentistry and illegal fee splitting under New York law.

The Attorney General’s investigation evidences enforcement of the corporate practice of medicine doctrine, which exists in many states and prohibits corporations owned by non-professionals from employing or otherwise contracting with physicians to practice medicine and charging for professional services, except in limited circumstances. In New York, like many states, the corporate practice of medicine doctrine emanates from prior court decisions, laws regulating professional corporations, and laws restricting the division of fees generated from professional services. The prohibition on the corporate practice of medicine is grounded in public policy concerns based on the principle that when a lay corporation holds a financial interest in a physician’s profits, the entity has a direct interest in and ability to control medical decision-making and impact the quality of care provided to patients.

The Attorney General’s announcement highlights the regulatory challenges faced by medical practice management companies that receive percentage of revenue compensation. In this case, Aspen Dental provided business support and administrative services to several independently owned dental practices. The Attorney General, however, determined that Aspen Dental held an impermissible level of control over the clinics, which included sharing in the clinics’ profits, marketing the clinics under the Aspen Dental trade name, incentivizing or otherwise pressuring clinic staff to increase sales of dental services or products, implementing revenue-oriented scheduling systems, and the hiring and oversight of clinical staff. Additionally, the Attorney General cited Aspen Dental’s control over the practice’s bank accounts and implementation of non-competition and non-solicitation agreements that effectively prohibited the practices from competing with any other dental practice affiliated with Aspen Dental.

Recently, on June 1, the Center for Medicare & Medicaid Services (CMS) published its long anticipated Medicaid managed care proposed rules. This is the first time CMS proposed revisions to the Medicaid managed care regulations since 2002. The proposed rules includes several measures intended by CMS “to modernize the Medicaid managed care regulatory structure in order to facilitate and support delivery system reform initiatives to improve health outcomes and the beneficiary experience, while effectively managing costs.” Among other things, the proposed rule would make a number of changes designed to align Medicaid managed care operating standards with those used in other markets.

For example, the proposed rule includes modifications to the current regulations governing the grievance and appeals systems for Medicaid managed care. The goal is to further align and increase uniformity in the grievance and appeals systems with Medicare Advantage managed care plans and private health insurance and group health plans in order to make the process more consistent across markets. Of particular note, most capitated, risk-bearing forms of Medicaid managed care–whether full or partial risk–would be expected to offer an internal appeals process with specified time frames, with external appeal to the state Medicaid fair hearing process in the event of an adverse determination. The rule would introduce new appeals timeframes, timeframes for plan compliance with favorable beneficiary rulings, and would clarify the right of beneficiaries to introduce new evidence at each stage of appeal.

In addition, the proposed rule would require all states to offer a 60-day time period to request external review through a fair hearing (some states now allow a far shorter time period) and would clarify members’ right to their case file, medical records, and other documents such as the plan documents used to conduct coverage determinations. The expedited appeal time frame would be tightened, as would notice and recordkeeping requirements. Simultaneously, the proposed rule would also require beneficiaries to exhaust internal appeals procedures before seeking a state fair hearing. This is a significant change since some states now allow beneficiaries to bypass the internal process.