Published on:

On September 10, 2021, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced the resolution of its twentieth investigation under its HIPAA Right of Access Initiative. In early 2019, OCR stated that they would create an initiative to enforce patients’ right of access to their own health information in a timely and reasonable manner. This concept is not novel to OCR as it has already been outlined as a stated goal of HIPAA within the Privacy Rule. This aspect of HIPAA has been enforced at various times in the past, however it has never been enforced with any regularity until the OCR initiative was established. To date, OCR has remained dedicated to ensuring that every patient is afforded access to their health information that HIPAA has long stated such patients deserve.

In OCR’s latest settlement, a hospital and medical center located in Omaha, Nebraska agreed to take corrective actions and pay $80,000 to settle a potential violation of the HIPAA Privacy Rule. The alleged violation stems from a May 2020 complaint filed by a parent alleging that the hospital had failed to provide her with timely access to her minor daughter’s medical records. The hospital provided some records, but did not provide all of the requested records to the parent’s multiple follow-up requests. OCR alleged that the hospital failed to provide timely access to the requested medical records and thus potentially violated the HIPAA right of access standard. That standard generally requires a covered entity to take action on an access request within 30 days of receipt (or within 60 days if an extension is applicable). As a result of OCR’s investigation, the parent did in fact receive all of the requested records.

Healthcare providers often afford heightened focus to preventing unauthorized access or sharing of health information, which sometimes means that less focus is given to providing quick and affordable health records to patients. In light of OCR’s initiative and dedication to enforce patients’ right of access under the Privacy Rule, healthcare providers should take care to be knowledgeable about this aspect of their operations.

Published on:

On September 30, 2021, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued guidance to help consumers, businesses, and healthcare entities understand when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule applies to disclosures and requests for information about an individual’s COVID-19 vaccination status. As a preliminary note, the guidance reminds readers that the HIPAA Privacy Rule does not apply to employers or employment records. The Privacy Rule only applies to HIPAA covered entities, which include health plans, healthcare clearinghouses, and healthcare providers that conduct standard electronic transactions and, in some cases, to their business associates.

The guidance initially answers a highly popular and controversial question in light of the COVID-19 pandemic. According to the OCR guidance, the HIPAA Privacy Rule does not prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine. Because individuals or entities such as businesses are not covered entities, the Privacy Rule generally does not apply to them. The Privacy Rule does not regulate the ability of covered entities and business associates to request information from patients or visitors. Rather, the Privacy Rule regulates how and when covered entities and business associates are permitted to use and disclose protected health information (PHI), for example COVID-19 vaccination status, that covered entities and business associates create, receive, maintain, or transmit. In the opposite direction, the Privacy Rule does not prevent customers or clients of a business from disclosing whether they have been vaccinated. The Privacy Rule does not apply to individuals’ disclosures about their own PHI.

The guidance proceeds to inform readers that employers are not prohibited under the Privacy Rule from requiring employees to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties. Generally, the Privacy Rule does not regulate what information can be requested from employees as part of the terms and conditions of employment that an employer may impose on its employees. However, other federal or state laws address terms and conditions of employment. Federal anti-discrimination laws generally do not prevent an employer from choosing to require that all employees physically entering the workplace be vaccinated against COVID-19 and provide documentation or other confirmation that they have met this requirement. Under the Americans with Disabilities Act (ADA), documentation or other confirmation of vaccination must be kept confidential and stored separately from the employee’s personnel files. Similarly, the Privacy Rule does not prohibit a covered entity or business associate from requiring its employees to disclose to their employers or other parties whether employees have received a COVID-19 vaccine. The Privacy Rule also generally does not apply to employment records, including employment records held by covered entities and business associates acting in their capacity as employers.

Published on:

In a recent court filing, the Department of Health and Human Services (HHS) reported that it has cleared approximately 79% of the Medicare appeals backlog. HHS is currently under court order to clear a backlog of hundreds of thousands of Medicare claims appeals pending before the Office of Medicare Hearings and Appeals (OMHA).

Generally, a Medicare claim denial or overpayment demand may be appealed through five successive levels of appeals. First, Redetermination by a Medicare Administrative Contractor (MAC), often the same MAC that denied the claims initially. Second, Reconsideration by a Qualified Independent Contractor (QIC). Third, appeal to an Administrative Law Judge (ALJ) employed by the Office of Medicare Hearings and Appeals (OMHA), a subdivision of HHS, where the provider may be entitled to a hearing. Fourth, review by the Medicare Appeals Counsel, also within HHS. Fifth and finally, appeal to a federal district court.

The entire appeals process can take years and create difficulties for healthcare providers or suppliers. The least efficient part of the process has long been the wait, sometimes for three to five years, for an available ALJ to hear the appeal, at which point in the appeals process the only review of a contractor’s decisions has been by other contractors. This left providers in the difficult position of having significant overpayment demands based on incorrect decisions by contractors but having to wait years for independent review of their cases. This long wait also violated the regulations that govern the appeals process, which generally entitle a provider to an ALJ hearing within 90 days of the provider’s request for a hearing. At the height of the backlog, over 400,000 cases were pending at OMHA.

Published on:

The Centers for Medicare & Medicaid Services (CMS) recently announced a proposal to repeal the Medicare Coverage of Innovative Technology (MCIT) rule that has been delayed several times. The latest news in the MCIT saga comes from a CMS announcement expressing concerns with the final rule, specifically that it will require more time for adequate implementation.

The final rule was implemented to reduce the time it takes for FDA-approved medical technology to become covered under Medicare. The MCIT would reduce these wait times by granting Medicare coverage to breakthrough devices immediately after receiving FDA approval. The FDA designates medical devices as “breakthrough devices” when they are shown to be more effective at diagnosing or treating serious diseases than the currently available devices. This designation allows these devices to have reduced development, assessment, and review timelines.

However, CMS announced reservations about the final rule and has proposed changes. CMS’s primary concern is that the final MCIT is not acting in Medicare recipients’ best interest because it could provide coverage for breakthrough devices that are not reasonable and necessary to treat Medicare recipients’ diseases or conditions. This concern stems from the current guidelines for clinical trials for medical devices. Specifically, the FDA does not require Medicare recipients to be included in clinical trials for medical devices. Since Medicare recipients generally have more comorbidities than the general population, the clinical trials may not accurately reflect Medicare patient outcomes. CMS has also expressed concern that the final rule takes away its tools to deny coverage when it becomes apparent that a particular device can be harmful to the Medicare population. If the rule goes into effect, and a device approved under it is later found to be harmful to Medicare recipients, CMS would be limited in the actions it could take to withdraw or modify coverage. Lastly, CMS believes there could be confusion and disruption stemming from devices receiving approval without a clear path for appropriate coding and payment.

Published on:

The Department of Health and Human Services (HHS) recently announced the annual expansion of the Settlement Conference Facilitation (SCF) program. SCF is an alternate dispute resolution mechanism used to resolve Medicare claims appeals. However, because SCF is meant to help reduce the appeal backlog, only appeals filed before a certain date are eligible.  With the latest expansion, appeals involving requests for Administrative Law Judge (ALJ) hearing or Medicare Appeal Council review filed on or before June 30, 2021 are now eligible for SCF.

Generally, a Medicare claim denial or overpayment demand may be appealed through five successive levels of appeals. First, Redetermination by a Medicare Administrative Contractor (MAC), often the same MAC that denied the claims initially. Second, Reconsideration by a Qualified Independent Contractor (QIC). Third, appeal to an Administrative Law Judge (ALJ) employed by the Office of Medicare Hearings and Appeals (OMHA), a subdivision of HHS, where the provider may be entitled to a hearing. Fourth, review by the Medicare Appeals Counsel, also within HHS. Fifth and finally, appeal to a federal district court.

The entire appeals process can take years and create difficulties for healthcare providers or suppliers. The least efficient part of the process has long been the wait for an available ALJ to hear the appeal, which can take three to five years, at which point the only prior review of a contractor’s decisions has been done by other contractors. This has left providers in the difficult position of having significant overpayment demands based on incorrect decisions by contractors but having to wait years for independent review of their cases. In response to this, HHS is now under court order to reduce this backlog of cases.

Published on:

The Department of Justice (DOJ) recently announced a plea agreement regarding an alleged $73 million scheme to defraud Medicare that illustrates some of the pitfalls of compliance with the Anti-Kickback Statute (AKS). DOJ alleged that the owners of a clinical laboratory, Panda Conservation Group, LLC, and a telemedicine company, 1523 Holdings LLC, conspired to pay kickbacks in exchange for work arranging telemedicine providers to order genetic testing at Panda’s laboratories. While the parties had an agreement for IT and consultation services, DOJ alleged that this contract was a “sham” to hide the kickback payments and that the telemedicine company abused temporary, pandemic-responsive amendments to telehealth restrictions to refer beneficiaries to the laboratory for expensive and medically unnecessary cancer and cardiovascular genetic testing.

The Anti-Kickback Statute (42 U.S.C. § prohibits a person from knowingly offering, paying, soliciting, or receiving anything of value to induce or reward referrals for services covered by a Federal Healthcare Program. A Federal Healthcare Program is any program that provides health benefits, whether directly or through insurance, which is funded by the United States Government or any State health care program. A violation of the Anti-Kickback statute is a criminal offence and can carry severe penalties, including fines, prison sentences, and potential exclusion from participation in Federal Healthcare Programs in the future.

Since some referrals are necessary to optimize patient care, the Statute provides exceptions called “safe harbors” that permit certain arrangements that follow specific requirements. In the event an arrangement does not meet a safe harbor requirement, the arrangement will be considered on a case-by-case basis. Special care must be taken structure arrangements to comply with the AKS and its safe harbors.

Published on:

On September 10, 2021, the U.S. Department of Health and Human Services (HHS) announced that it would make $25.5 billion in new funding available for healthcare providers affected by the COVID-19 pandemic. This funding includes allocations of $8.5 billion in funding from the American Rescue Plan (ARP) for providers who provide services to rural Medicaid, Children’s Health Insurance Program (CHIP), or Medicare patients, as well as an additional $17 billion in Provider Relief Fund (PRF) Phase 4 funding for a broad range of providers who can document expenses and lost revenue associated with the COVID-19 pandemic.

PRF Phase 4 payments are based on providers’ lost revenue and expenditures between July 1, 2020 and March 31, 2021, in conformity with the requirements of the Coronavirus Response and Relief Supplemental Appropriations Act of 2020 (CRRSAA). PRF Phase 4 is intended to reimburse smaller providers for their lost revenues and pandemic-related expenses at a higher rate compared to larger providers. This characteristic stems from the Biden Administration’s ongoing commitment to social equity, as smaller providers tend to operate on thinner margins and often serve vulnerable or isolated communities when compared to larger providers. Because Medicaid, CHIP, and Medicare patients tend to be lower income and have greater and more complex medical needs, PRF Phase 4 will also include bonus payments for providers who serve these individuals. HRSA will price these bonus payments at the generally higher Medicare rates to ensure equity amongst providers serving low-income children, pregnant women, people with disabilities, and seniors. In parallel, HRSA will make ARP payments to providers based on the amount of Medicaid, CHIP, and/or Medicare services they provide to patients who live in rural areas as defined by the HHS Federal Office of Rural Health Policy. For both programs, HRSA will use existing Medicaid, CHIP, and Medicare claims data to calculate payments.

In order to streamline the application process, providers will apply for both the PRF and ARP programs in a single application. To help ensure that provider relief funds are used for patient care, PRF recipients will be required to notify the HHS Secretary of any merger with, or acquisition of, another healthcare provider during the period in which they can use the payments. Providers who report a merger or acquisition may be more likely to be audited to confirm their funds were used for pandemic-related expenses. The application portal will open on September 29, 2021. Moreover, HHS is also releasing detailed information about the methodology utilized to calculate PRF Phase 3 payments in order to promote transparency in the PRF program. Providers who believe their PRF Phase 3 payment was not calculated correctly according to this methodology will now have an opportunity to request a reconsideration. Specific details on the PRF Phase 3 reconsideration process have yet to be announced.

Published on:

As part of the 2022 Medicare Physician Fee Schedule Proposed Rule, the Centers for Medicare & Medicaid Services (CMS) has proposed to significantly expand its authority to deny or revoke a provider’s or supplier’s Medicare billing privileges.

First, CMS proposed to modify the conditions that it considers when determining whether to revoke a provider for an “abuse of billing privileges.” CMS currently has the authority to revoke a provider’s or supplier’s enrollment for an “abuse of billing privileges,” defined as a pattern or practice of submitting claims that do not meet Medicare requirements. CMS has previously asserted that as few as three non-compliance claims can constitute such a pattern, However, in the current proposal, CMS expressed concern that the existing factors it uses to make such a determination may prevent it from acting against providers or suppliers who enroll in Medicare and engage in short-term periods of high-volume, non-compliant billing. CMS proposed to revise one factor, the percentage of submitted claims that were denied, to instead focus on the percentage of claim denials out of claim submissions during a limited period, such as a single month. CMS also proposed to remove three factors the agency deems largely irrelevant to determining the existence of a pattern or practice of improper billing. Specifically, the agency proposed to remove factors that focus on the reason for the claim denial, the length of time over which the pattern has continued, and the length of time a provider or supplier has been enrolled in Medicare. CMS proposed one new factor that considers the type of improper billing along with any aggravating or mitigating conditions in each case.

CMS also proposed to expand its authority to deny or revoke a provider’s or supplier’s enrollment if any healthcare, administrative, or management services personnel furnishing services payable by any federal health care program is excluded by the OIG, such as a billing specialist, accountant, or human resources specialist. CMS asserted that this proposal would align its authority with a 2013 OIG Special Advisory Bulletin prohibiting a provider or supplier from employing excluded individuals to furnish management or administrative services payable by any federal health care program.

Published on:

Significant changes could be coming to dentistry if dental benefits are added to Medicare. A proposal, currently before Congress as part of a large budget bill, would do just that. If this proposal becomes law and Medicare begins to cover dental benefits, it would likely have major implications on the practice of dentistry, both administratively and financially.

While some Medicare Part C (Medicare Advantage) plans cover dental benefits, original Medicare, which is administered in a very different manner, does not. While Medicare Part C plans are administered by private insurers, original Medicare is administered by a myriad of federal contractors that are overseen by the Centers for Medicare & Medicaid Services (CMS). For dental providers accustomed to dealing with private insurers and Part C plans, interacting with Medicare may present new challenges. An experienced healthcare attorney can be key to navigating the regulatory and business challenges of Medicare compliance.

First, dental practices would likely come under the purview of the Medicare contractors. These contractors handle Medicare enrollments, claims processing, data analysis, audit and claims review, program integrity, and a myriad of other functions. Some decisions regarding Medicare-enrolled providers are made by contractors and some by CMS, although it is not always clear. Most decisions, including enrollment decisions and claims denials, are subject to a multi-level appeal process. Dental practices familiar with the business motivations of private insurers may be surprised by the sometimes-uncompromising nature of decisions made by CMS and its contractors. For example, unlike an overpayment demand by a private insurer, a Medicare overpayment demand can rarely be negotiated.

Published on:

Demonstrating its commitment to audit Provider Relief Fund (PRF) recipients, the Department of Health and Human Services (HHS) has hired several outside contractors to provide audit or program integrity services relating to the PRF. The PRF is a $175 billion fund created by Congress through the CARES Act and administered by HHS (and its sub-agency the Health Resources and Services Administration or HRSA) to provide financial relief to healthcare providers during the COVID-19 pandemic. HHS has subdivided the PRF into various general and targeted distributions. These distributions were paid to providers in several waves between April 2020 and the present.

Publicly available contracts provide a glimpse into HHS’s actions regarding the PRF. Over the last year, HHS has contracted with KPMG to provide “program integrity support,” Kearney & Company to provide “PRF Audit support services,” and Creative Solutions Consulting to provide “audit and financial review services.” Combined, HHS has committed approximately $5.5 million to these contracts. Reports indicate HHS has hired PricewaterhouseCoopers and Grant Thornton, as well.

Although HHS’s retention of contractors is nothing new, these agreements signal to providers that HHS is not taking PRF reporting lightly. Providers who received and retained payments through the PRF are required to file reports justifying their use of the funds and documenting their compliance with the terms and conditions of the payments. Providers must report information on healthcare-related expenses attributable to coronavirus, lost revenue attributable to coronavirus, other pandemic assistance received, and administrative data. Providers who received more than $500,000 in aggregate payments are required to report some data elements in greater detail, including specific information regarding operations, personnel, supplies, equipment, facilities, and several other categories. Thus, some providers will be required to report significant amounts of financial information in considerable detail.

Contact Information