Published on:

The Coronavirus is causing many changes and uncertainties about how our healthcare is treated. With the utilization of 1135 waivers, states can assist enrollees in Social Security Act programs in obtaining sufficient health care items and services. Under the Stafford Act or National Emergencies Act, the President has the authority to declare a national disaster or emergency. The Secretary of the Department of Health and Human Services (“HHS”) can then temporarily waive or modify certain Medicare, Medicaid, and Children’s Health Insurance Program (“CHIP”) requirements. Under these waivers, providers are expected to act in good faith, can be reimbursed for, and be exempted from sanctions—absent any determination of fraud and abuse.

1135 waivers last up until the termination of the emergency period, or 60 days from the date the waiver was approved, whichever comes first. The Secretary may extend the waiver for additional periods of up to 60 days if it is deemed necessary. While the 1135 waivers only apply to Federal program requirements, states should also consider altering their licensure or conditions or participation requirements.

On March 16, 2020, Florida was the first state to have an 1135 waiver approved by the Centers for Medicare and Medicaid Services (“CMS”). Florida addressed concerns of federal requirements hindering the state’s ability to continue to deliver proper health care. The 1135 waiver changed five main things. First, Florida is temporarily allowed to enroll providers who are not currently enrolled with another State Medicaid Agency (“SMA”) or Medicare if the state meets some minimum requirements. Second, CMS is temporarily waiving all pre-approval requirements. Third, pre-admission screening and annual resident reviews (“PASRR”) for both Level 1 and Level 2 can be waived for the next 30 days. Fourth, facilities are temporarily allowed to be fully reimbursed for services rendered during an emergency evacuation to an unlicensed facility. And lastly, the fifth waiver is the temporary delay of scheduling Medicaid Fair Hearings and the issuance of Fair Hearing Decisions during the emergency period.

Published on:

Beginning on March 6, 2020, the Centers for Medicare and Medicaid Services (“CMS”) has temporarily expanded telehealth services for Medicare beneficiaries and cut back on HIPAA enforcement to help combat the COVID-19. This expansion will last until the end of the public health emergency as declared by the Secretary of HHS. Telehealth, the remote delivery of healthcare services, often by video conference between patient and provider, is a growing frontier in the age of digital healthcare. However, Medicare was slow to adopt the new technology.

Until recently, Medicare only covered telehealth services provided to beneficiaries in designated rural areas and only if they received the services at a hospital, clinic, or other medical facility. Virtual check-ins and e-visits were reimbursed at a much lower rate. Virtual check-ins encompass brief communications between physicians and patients, such as text messages or emails, where a patient can send images and discuss symptoms and treatment options with their physician. E-visits are conducted through a patient portal and are not face-to-face. This temporary expansion will now reimburse physicians who perform virtual check-ins and e-visits at the rate of an in-person visit.

The expansion was made in pursuant to an 1135 waiver. The Coronavirus Preparedness and Response Supplemental Appropriations Act, as signed into law on March 6, 2020 authorized the Department of Health and Human Services (“HHS”) to waive certain traditional Medicare telehealth requirements during this national emergency. Spurred by the calls for self-quarantine and social distancing, these waivers have led to an expansion of Medicare coverage for telehealth services.

Published on:

The Centers for Medicare and Medicaid Services (“CMS”) expanded its Targeted Probe and Educate (“TPE”) program on October 1, 2017. The goal of the TPE program is to help providers be more cognizant of their billing practices so that they may provide improved services in the future.

TPE review is a process where providers who have high denial rates or unusual billing practices compared to other providers in their field are reviewed. Simple claim errors are typically why providers have high denial rates. Some examples of these errors include: missing a physician signature, encounter notes not fully supporting eligibility, documentation not meeting medical necessity, or missing/incomplete certifications or recertification.

When a provider is chosen for the program, they receive a letter from their Medicare Administrative Contractor (MAC). The TPE process involves an initial review, or “probe,” of 20-40 claims. If it is determined that the provider is non-compliant, a targeted, one-on-one education session will be offered to address errors found in the claims reviewed. Conversely, providers who are found to be compliant will not be reviewed again for at least one year. After the education session, providers have 45 days to make changes and improve. Those providers who continue to have high error rates after the first round must then proceed with a second round of reviewed claims and education. If high error rates continue, a third round will commence. After three rounds of TPE, if the provider continues to be non-compliant, they will be referred to CMS for further action. A provider can be removed from the review process at any point if they sufficiently demonstrate a significant reduction in their error rates.

Published on:

The Centers for Medicare and Medicaid Services (“CMS”) has released its Final Rule regarding the disclosure of affiliations in the provider enrollment process. This rule took effect on November 4, 2019. This rule permits the Secretary to revoke or deny enrollment based on the disclosure of any affiliations that CMS determines poses an undue risk of fraud, waste, or abuse. Although this rule will eventually be applicable to all providers, CMS is starting out with a phase-in approach, where the rule will only be applied to initially enrolling or revalidating providers that CMS has specifically determined may have one or more applicable affiliations.

The Final Rule requires providers and suppliers to disclose any current or previous direct or indirect affiliation with a provider or supplier that has a “disclosable event.” The Final Rule defined a disclosable event as: (1) when the provider or supplier has an uncollected debt; (2) the provider or supplier has been or is currently subject to a payment suspension under a federal health care program; (3) the provider or supplier has been or is currently excluded by the Office of Inspector General (“OIG”) from Medicare, Medicaid, or CHIP; or (4) the provider or supplier has had its Medicare, Medicaid, or CHIP billing privileges denied or revoked.

If an entity or individual is affiliated with a provider or supplier with any of the above-mentioned disclosable events, the Secretary is authorized to deny enrollment when it is determined that this affiliation poses an undue risk of fraud, waste, or abuse. To determine the existence of undue risk, CMS will consider: (1) the length and period of the affiliation; (2) the nature and extent of the affiliation; and (3) the type of disclosable event and when it occurred.

Published on:

The Office for Civil Rights (“OCR”), a division of the Department of Health and Human Services (“HHS”), is responsible for investigating complaints and reports that covered entities (i.e., health plans, health care clearinghouses, or health care providers that conduct certain electronic transactions) or business associates have violated either the HIPAA Privacy or Security Rule. The HIPAA Privacy and Security Rules exist to safeguard Protected Health Information (“PHI”) that is held, used, or disclosed by covered entities and their business associates. Generally, any individually identifiable health information held by or that is within a covered entity’s or its business associates’ control is considered PHI, and any non-permitted release of PHI is considered a HIPAA violation.

Historically, the OCR has investigated and sanctioned larger covered entities and business associates in connection with HIPAA violations that affect the PHI of 500 or more individuals. OCR’s recent settlement agreement with Anthem, which corresponded to the much-publicized 2015 cyber-attack on Anthem’s information systems compromising the PHI of over 79 million individuals, is a good example of OCR’s normal enforcement activity (with the exception of the $16 million fine, the largest to date for a HIPAA violation). However, since 2015, the OCR has placed emphasis on investigating and at times fining smaller covered entities for breaches affecting less than 500 individuals (after a report issued by the HHS Office of Inspector General found that the OCR had typically not investigated the same). Two recent fines issued by the OCR illustrate this emphasis.

The first was issued against Allergy Associates of Hartford, P.C. (“Allergy Associates”), which is comprised of four physicians and two mid-level providers. The settlement agreement, announced on November 26, 2018, requires Allergy Associates to pay a $125,000 fine and enter into a two-year corrective action plan (“CAP”) with the OCR. The incident leading to the alleged violation involved a patient who tried to enter Allergy Associates for treatment while accompanied by her service dog. Upon seeing the dog, an Allergy Associate’s physician turned the patient away, advising the patient that he and many of his patients were allergic to dogs. The patient thereafter contacted a local media outlet about what happened, and also filed a complaint to the Department of Justice alleging that Allergy Associates violated her civil rights under the Americans with Disabilities Act. A physician from Allergy Associates later spoke with a reporter from the media outlet (off-the-record) regarding the incident and disclosed the patient’s PHI. Despite the fact that the reporter was already familiar with the incident, the physician’s statements to the reporter concerning the patient violated HIPAA, as he did not have her prior written authorization to disclose the information. Moreover, and despite an obligation under HIPAA to do so, Allergy Associates made no attempt to sanction the doctor internally.

Published on:

The Office of Medicare Hearings and Appeals (“OMHA”) has been updating the OMHA Case Processing Manual (“OCPM”) since the Medicare appeals final rule became effective on March 20, 2017. As an effort to regulate and codify procedures for adjudicative functions through statutes, regulations, and OMHA directives, the OCPM is regularly revised to stay up-to-date with the Medicare appeals process.

The first major recent revision to the OCPM was eliminating the four divisions: Part A/B Claim Determinations, Part C Organization Determinations, Part D Organization Determinations, and SSA Determinations. The revised OCPM is no longer divided and consists of twenty consecutive chapters. In May 2018, the OCPM added new chapters 1 and 20, and revised chapter 19. In July 2018, the OCPM revised chapters 5, 6, and 7.  Most recently, on November 30, 2018, OMHA published new chapters 17 and 18.

Chapter 17 is entitled “Dismissals.” It addresses reasons why an ALJ or attorney adjudicator may dismiss requests for hearings or a review of reconsideration dismissal. For example, the reasons an ALJ may dismiss a case include, without limitation, an untimely filing, failure to cure a defect in the request for hearing, or failure to appeal.  On the other hand, an attorney adjudicator may dismiss a request for hearing only when the appellant withdraws the request for hearing.  The chapter also outlines the information that must be contained within a dismissal order, the impact of a dismissal on a case, and the circumstances in which an adjudicator may vacate his or her dismissal. Lastly, the chapter addresses the right to appeal an ALJ’s or attorney adjudicator’s dismissal order.

Published on:

On September 26, 2018, the Centers for Medicare & Medicaid Services (“CMS”) announced plans to commence a review demonstration of Home Health Agencies (“HHAs”) in Illinois, Ohio, North Carolina, Florida, and Texas, with the option to expand to other states in the JM jurisdiction. CMS invited public comment on CMS’ new proposal in the Federal Register by October 29, 2018. The Pre-Claim Review Demonstration (“PCRD”) was re-named the Review Choice Demonstration (“RCD”) and began in Illinois on December 10, 2018.

The RCD is a revised version of the PCRD. The PCRD went into effect in August 2016 but was short-lived, as it was halted in April 2017 due to wide backlash among Home Health Industry providers. Thus, the new RCD should be more welcomed HHAs, as it is much more flexible than the previously rigid PCRD.

The Secretary is authorized to “develop or demonstrate improved methods for the investigation and prosecution of fraud in the provision of care or services under the health programs established under [the Act].” Based on this authority, CMS implemented the RCD to help identify, investigate, and prosecute potential fraud occurring within HHAs who are providing services to Medicare beneficiaries. The RCD is intended to ease the burden on CMS by reducing the number of audits while protecting the Medicare Trust Fund by ensuring that payments for home health services are appropriate.

Published on:

On November 1, 2018, a U.S. District Court ordered the United States Department of Health and Human Services (“HHS”) to eliminate the Medicare appeals backlog by the end of fiscal year 2022.  There are currently 426,594 backlogged appeals. The recent ruling imposes a timetable for reducing the backlog of appeals. Specifically, 19% of the appeals must be cleared by the end of fiscal year 2019; 49% of the appeals must be cleared by the end of fiscal year 2020; 75% by the end of fiscal year 2021; and the backlog must be eliminated entirely by 2022. To demonstrate its progress, HHS must file quarterly status reports beginning on December 31, 2018.

The Court’s order arises from a lawsuit that was filed by the AHA in 2014. AHA alleged that HHS was violating federal law by failing to process appeals within 90 days from the date of the Office of Medicare Hearings and Appeals’ receipt of the request for hearing.  In 2016, the District Court entered summary judgment in favor of the AHA and ordered HHS to comply with a timetable to eliminate the backlog of appeals by 2020.  In 2017, the D.C. Circuit reversed the District Court and ordered the District Court to evaluate HHS’ claim that compliance with the timetable would be impossible.

HHS has implemented some backlog-reduction efforts to try complying with the previous ruling to eliminate the backlog by fiscal year 2020. Settlement Conference Facilitations (“SCF”) are an example of one of these initiatives. Medicare Part A and Part B providers and suppliers who have appeals pending before an ALJ are encouraged to participate in SCF. SCF uses a facilitator to help the appellant and CMS find a mutually agreeable resolution. Initiatives like SCF are a step forward in reducing the backlog, as it takes people out of the long waiting period and resolves cases in a simpler matter.

Published on:

In 2015, Anthem, Inc. (“Anthem”) discovered that criminal hackers had breached its electronic database and gained access to over 79 million records, including the records of at least 12 million minors.  The protected health information obtained by the hackers included, among other information, names, addresses, dates of birth, medical IDs, and Social Security numbers. The hackers were able to gain access to the information by using a “spear phishing” email technique. At least one employee received a phishing email and responded to it, allowing the hackers to gain remote access to the employee’s computer and at least 90 other systems, including Anthem’s data warehouse.

Although the massive data breach was first discovered in January 2015, the breach actually began on February 18, 2014 – meaning the breach went undetected for almost a whole year.   “Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who gained access to their system to harvest passwords and steal people’s private information,” said Office of Civil Rights (“OCR”) Director Roger Severino.

Anthem has agreed to pay $16 million to the Department of Health and Human Services’ (“HHS”) OCR and take corrective action to prevent potential violations of HIPAA rules in the future.  While other breaches like this have occurred in the past, this was the largest health data breach in U.S. history, and the $16 million settlement is now the largest HIPAA settlement in history.

Published on:

The Centers for Medicare & Medicaid Services (“CMS”) recently announced a review of Inpatient Rehabilitation Facilities (“IRFs”) that will focus on the “reasonable and necessary” requirement that IRFs are required to meet. An IRF provides rehabilitation services to patients who have suffered an injury, illness, or surgery that has left them in need of intensive rehabilitation.  Services provided by IRFs include physical therapy, occupational therapy, rehabilitative nursing, speech-language pathology, and the procurement of prosthetic and orthotic devices.

IRF services are considered “reasonable and necessary” if: (1) the patient requires therapeutic intervention in multiple therapy disciplines, (2) the patient actively participates in and benefits from the therapy program, (3) the patient is sufficiently stable at the onset of the program, (4) the patient is supervised by a physician, (5) the patient’s chart has the correct documentation within it, and (6) the patient requires an interdisciplinary team approach to care and the team has weekly meetings.

IRFs are not meant to be used as an alternative to a full course of treatment.  Patients who are still completing their treatment in the hospital and cannot fully participate in intensive rehabilitation therapy will not have their IRF service determined to be reasonable or necessary. Furthermore, IRF is not appropriate for patients who have finished their hospital treatment and no longer need intensive rehabilitation.