Articles Posted in Uncategorized

On March 9, 2021 the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced a 45-day extension of the public comment period for the proposed modifications to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy rule. The public comment period has been extended from March 22, 2021, to May 6, 2021 in order to give the public more time to fully consider the proposed changes.

OCR first announced the proposed rule making on December 10, 2020. The proposed changes to HIPAA are part of the larger transition to a value-based health care system in which providers are compensated based on patient health outcomes. The modifications propose to address standards that may impede the transition to a value-based health care system and other unnecessary burdens by increasing individuals’ rights to access their health information, enhancing information sharing for care coordination and case management, improving family and caregiver involvement for individuals experiencing health emergencies, reducing the administrative burden on HIPAA-covered providers, and facilitating the disclosure of certain health information during emergencies such as the opioid crisis and COVID-19 pandemic. Other major provisions include:

• Defining the terms electronic health record (EHR) and personal health application

In January 2021, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) added several new items to its work plan. The OIG work plan sets forth various projects including OIG audits and evaluations that are underway or planned to be addressed during the fiscal year and beyond by OIG. These are some of the highlights of the new additions to the work plan of which providers and suppliers should be aware.

First, due to increased use of telehealth during the COVID-19 public health emergency, OIG will conduct a series of audits of Medicare Part B telehealth services in two phases. Phase one audits will focus on making an early assessment of whether services such as evaluation and management, opioid use order, end-stage renal disease, and psychotherapy meet Medicare requirements. Phase two audits will include additional audits of Medicare Part B telehealth services related to distant and originating site locations, virtual check-in services, electronic visits, remote patient monitoring, use of telehealth technology, and annual wellness visits to determine whether Medicare requirements are met.

OIG will also evaluate home health services provided during the COVID-19 public health emergency to determine which types of skilled services were furnished via telehealth, and whether those services were administered and billed in accordance with Medicare requirements. OIG has indicated that it will report as overpayments any services that were improperly billed and will make appropriate recommendations to CMS based on the results of our review.

On February 3, 2021, the Michigan Department of Health and Human Services (MDHHS) announced it will  expand mobile COVID-19 testing and other public health services in partnership with Wayne State University (WSU) and Wayne Health (WH). The partnership between MDHHS, WSU, and WH began in September 2020 and is an extension of a pilot program between WSU, WH, Ford Motor Company, and The Arab Community Center for Economic and Social Services (ACCESS). According to MDHHS, the mobile health units will provide critical health services, COVID-19 testing to high-risk communities, and reduce barriers to healthcare during the COVID-19 pandemic.

The pilot program, which began in April 2020, was an extension of drive-through COVID-19 testing sites in Detroit and Dearborn, with financial support from WSU. Ford Motor Company provides vehicles, drivers, tents, sanitation, power, and Wi-Fi for mobile testing. Each mobile unit will be equipped for COVID-19 testing with medical staff and tools provided by WSU and ACCESS.

The new program will allow three mobile units to travel between sites and provide COVID-19 testing and other healthcare services to communities at the highest risk. MDHHS, WSU, and WH have expanded the pilot program to offer flu vaccinations, cardiometabolic risk factor screenings, and social determinant assessments, in addition to the already offered services such as blood pressure screening, HIV testing, and on-site referrals for public benefits including Medicaid, unemployment assistance, as well as food and shelter programs. The mobile unit program has also partnered with Detroit Parent Network (DPN) to supply community navigation services to patients who utilize the mobile health units. DPN family health advocates ensure patients are connected to the proper resource providers, such as utility assistance, child enrichment, food assistance, referrals to primary care physicians, and ensure the mobile health unit patients are available to follow-up. The services are available to all individuals who walk or drive to the mobile units, and no appointments or prescriptions are required.

In response to the COVID-19 pandemic, Congress has attempted to make COVID-19 testing free to individuals by requiring commercial insurers to cover testing. However, federal guidance and action by commercial insurers have muddied the waters and left clinical laboratories in an unenviable position.

The Families First Coronavirus Response Act (FFCRA), passed by Congress on March 18, 2020, required commercial insurers to provide coverage of FDA-approved tests for the “detection of SARS–CoV–2 or the diagnosis of the virus that causes COVID–19,” as well as items and services relating to a visit that results in such a test, at no cost to the beneficiary. Shortly thereafter, on March 27, 2020, Congress passed the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). The CARES Act expanded the types of approved tests that were covered by the FFCRA and set the reimbursement rate for COVID-19 testing by out-of-network laboratories. Pursuant to the CARES Act, clinical laboratories must post their “cash price” for COVID-19 testing on their public website and insurers must reimburse out-of-network laboratories for COVID-19 testing at this “cash price.”

However, in June 2020, three government agencies, Department of Health and Human Services, Department of Transportation, and Department of Labor, released guidance that created several points of confusion regarding these requirements. For example, because the FFCRA and CARES Act only require coverage for testing for the “detection or diagnosis” of COVID-19, the June 2020 guidance excluded testing for employment, travel, and monitoring purposes from that which insurers were required to cover. Instead, the guidance required that the testing be done for the “individualized diagnosis or treatment” of COVID-19. Further, despite the FFCRA’s mandate that insurers cover items and services for visits that result in a COVID-19 test, the June 2020 guidance limited coverage to the testing itself and excluded from coverage “any other items and services.”

On January 15, 2021, the Department of Health and Human Services (HHS) released further updates on the reporting requirements for entities that received payments from the Provider Relief Fund (PRF). HHS also pushed back the opening of the PRF reporting portal. The PRF is a $175 billion fund created by Congress through the CARES Act and administered by HHS to provide financial relief to healthcare providers during the COVID-19 pandemic. HHS has subdivided the PRF into various general and targeted distributions.

Acceptance of a PRF payment is conditioned on, among other things, the provider agreeing to use the funds only for healthcare related expenses and lost revenue attributable to coronavirus, and to file reports demonstrating compliance with the conditions of the payment. Through previous guidance, HHS established that, when reviewing a recipient’s use of the PRF payment, it would first apply the payment to healthcare related expenses, then apply any remainder to lost revenue. The new guidance outlines three ways that recipients may calculate their “lost revenue attributable to coronavirus.”

First, a recipient may report the difference between 2019 and 2020 actual patient care revenue. Recipients who choose this method must submit to HHS their 2019 revenue from patient care payer mix, broken down quarterly. Second, a recipient may report the difference between 2020 budgeted and 2020 actual patient care revenue. Recipients who choose this method must submit their 2020 budget, which must have been in place prior to March 27, 2020. Third, a recipient may use “any reasonable method of estimating revenue.” Recipients who choose an alternate methodology must submit to HHS a description of the methodology and an explanation of why it is reasonable. HHS may reject the recipient’s methodology and require them to utilize one of the two pre-approved methodologies. Recipients should also be aware that HHS has warned that recipients who use alternative methodologies are more likely to face an audit of their use of the PRF payment.

In October 2017, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued Health Insurance Portability and Accountability Act (HIPAA) guidance regarding the use of mobile devices in the healthcare field. The guidance recognizes the risks of mobile device use while also acknowledging the central role such devices play in many businesses.

The first risk noted by the OCR is of mobile devices being lost or stolen. Since devices used to create or access protected health information (PHI) may be taken off-site, the risk of being lost or stolen is much greater. Regardless of the nature of the device, if it has unsecured PHI, a breach of that PHI could trigger breach notification obligations for covered entities and business associates.

The other risks raised by the OCR are those involving unsecure Wi-Fi and cloud storage applications, as well as the danger of having a mobile device infected with viruses or malware through email, websites or the downloading of apps. Entities that handle PHI must institute security protocols to assure that hackers cannot gain control of PHI and other private information through these methods.

The Centers for Medicare and Medicaid Services (CMS) released the details of its Medicare hospital patient-status appeals settlement (“the 2016 Settlement”), following CMS’ initial announcement of the reopening on September 28th.

The 2016 Settlement comes as the successor of CMS’ 2014 68% settlement (the 68% Settlement), where eligible hospitals were able to settle their Medicare inpatient-status appeals for 68% of the net payable amount. The 68% Settlement successfully settled 346,000 claims with 2,022 hospitals. Since then, providers and other industry advocates (including Andrew Wachler of Wachler & Associates) have been pressuring CMS to offer another comparable settlement, and CMS responded positively with the 2016 Settlement.

The 2016 Settlement has comparable terms to the 68% Settlement, but there is one major difference: the 2016 Settlement only reimburses hospitals for 66% of the net payable amount on pending eligible claims. 2% is no minor adjustment on such a large scale, and will lead to millions of dollars less being paid out to providers. To scale, if the 68% Settlement had been for only 66%, the payout would have been roughly $1.42 billion rather than $1.47 billion. Still, with the Medicare appeals backlog as substantial as ever, many hospitals welcome the opportunity for an expedient and largely favorable resolution to their pending patient-status appeals. This is especially true considering the uncertainty of whether there will be other settlements offered in the future.

In March, a federal jury convicted a Chicago-area physician on ten counts related to violations of the federal anti-kickback statute (AKS). According to a release by the United States Department of Justice (DOJ), Dr. Venkateswara Kuchipudi is the tenth defendant convicted as a result of a multi-year investigation into Sacred Heart Hospital on Chicago’s West Side. The investigation was executed by the Medicare Fraud Strike Force, a part of the Health Care Fraud Prevention & Enforcement Team (HEAT), and resulted in closure of the hospital.

The AKS prohibits healthcare providers from providing or receiving any form of remuneration in return for the referral of Medicare, Medicaid or other federal healthcare program business. The AKS is a criminal statute and interpreted broadly, and a violation of the AKS has significant implications on health care providers and suppliers. Violation of the statute constitutes a felony punishable by a maximum fine of $25,000, imprisonment up to 5 years, or both, and a conviction will also lead to exclusion from Federal health care programs, including Medicare and Medicaid.

According to the DOJ, Dr. Kuchipudi provided extensive referrals to Sacred Heart Hospital. The trial also revealed that Dr. Kuchipudi engaged in a scheme to ensure that his nursing home patients were transported to Sacred Heart Hospital for treatment even when there were better hospitals closer to the nursing homes at which Dr. Kuchipudi had privileges. In return, Sacred Heart Hospital provided physician assistants and nurse practitioners to Dr. Kuchipudi in the hospital and in Chicago-area nursing homes where Dr. Kuchipudi’s patients resided. The physician assistants and nurse practitioners were paid by the hospital, however Dr. Kuchipudi billed Medicare and Medicaid for their services as if he employed them himself.

The U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR), recently announced a settlement with St. Elizabeth’s Medical Center (SEMC) over violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). SEMC is a tertiary care hospital located in Massachusetts. OCR’s investigation began in November 2014, when OCR alleged that SEMC violated HIPAA’s Privacy, Security and Breach Notification Rules. As part of the settlement, SEMC agreed to pay $218,400 and adopt a corrective action plan to address the deficiencies in SEMC’s HIPAA compliance program.

On July 10, 2015, OCR released an HHS OCR Bulletin containing the allegations against SEMC, the parties’ settlement agreement and SEMC’s corrective action plan. OCR’s investigation stemmed from a complaint against SEMC filed on November 16, 2012. The allegations pertain to SEMC’s use of internet-based document sharing programs that contain electronic protected health information (ePHI). OCR found that SEMC used the internet-based applications without analyzing the privacy and security risks, as required by HIPAA. Further, critical to SEMC’s liability under HIPAA, OCR alleged that SEMC “failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome.” The settlement agreement also covers a separate HIPAA breach that occurred in August 2014, when SEMC notified HHS of a breach of unsecured ePHI located on a personal laptop and USB flash drive.

The settlement between OCR and SEMC is predicated on SEMC’s continued compliance with the settlement agreement’s corrective action plan. As part of the plan, SEMC agreed to perform robust “self-assessment” to determine the SEMC’s workforce members’ knowledge of and compliance with SEMC policies and procedures regarding: transmitting ePHI using unauthorized networks; storing ePHI on unauthorized information systems; removal of ePHI from SEMC; prohibition on sharing accounts and passwords for ePHI access or storage; encryption of portable devices that access or store ePHI; and security incident reporting related to ePHI. The self-assessment includes unannounced site visits to various SEMC departments, randomly selected interviews of SEMC workforce members, and inspection of portable devices that can access ePHI in the departments impacted by the breach. SEMC is also required to provide a report documenting its self-assessment to HHS within 150 days of the settlement.

In June, the U.S. Court of Appeals for the District of Columbia Circuit ruled on two regulations implemented by the Centers for Medicare and Medicaid Services (CMS) under the federal Stark law (Stark) in 2008. Following a challenge by the Council for Urological Interests (the Council), a urology trade association, the court rejected CMS’ prohibition on per-click equipment rental leases but upheld CMS’ new interpretation of “entity furnishing designated health services” and thus the prohibition against “under-arrangement” transactions.

Stark prohibits physicians from referring Medicare or Medicaid patients for designated health services to an entity with which the physician has a financial relationship unless an exception applies. An exception to Stark exists for equipment leases. Under CMS’ 2008 regulation challenged by the Council, CMS barred per-click rental arrangements based on CMS’ analysis that Congress did not intend to protect arrangements where the lessor’s amount of income fluctuated based on the amount of patients referred by the lessor to the lessee. CMS claimed to base its determination to bar per-click equipment leases on a 1993 U.S. House of Representatives conference report (Conference Report).

The court reviewed CMS’ per-click equipment lease prohibition under the two-step Chevron legal test used to determine whether a court must grant deference to a government agency’s interpretation of a statute. First, the court determined that Stark did not forbid CMS from banning per-click leases, as the statute does not expressly permit per-click leases and also allows the Secretary of the U.S. Department of Health and Human Services (the Secretary) to impose, by regulation, other requirements as needed to protect against program or patient abuse. However, the court determined that the per-click ban failed under step-two of the Chevron analysis, as the agency’s statutory interpretation was not permissible or reasonable in light of Congress’s intent. The court’s decision focused on the Conference Report cited by CMS. The Conference Report explained, “in reference to the rental-charge clause for the equipment rental exception, ‘[t]he conferees intended that charges for space and equipment leases may be based on…time-based rates or rates based on units of service furnished, so long as the amount of time-based or units of service rates does not fluctuate during the contract period.'” The court’s decision highlighted how the Secretary’s interpretation of the Conference Report had changed over time, pointing out that in 2001, the Secretary explained, “given the clearly expressed congressional intent in the legislative history, we are permitting ‘per use’ payments.” The court found that the Conference Report makes clear that unit of service rates are what cannot fluctuate during the contract period, and noted that the Secretary’s new interpretation of the Conference Report ignored the word “rates” completely. In rejecting the ban on per-click leases, the court stated that the agency’s “jargon is plainly not a reasonable attempt to grapple with the Conference Report; it belongs instead to the cross-your-fingers-and-hope-it-goes-away school of statutory interpretation.”