Articles Posted in Uncategorized

In October 2017, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued Health Insurance Portability and Accountability Act (HIPAA) guidance regarding the use of mobile devices in the healthcare field. The guidance recognizes the risks of mobile device use while also acknowledging the central role such devices play in many businesses.

The first risk noted by the OCR is of mobile devices being lost or stolen. Since devices used to create or access protected health information (PHI) may be taken off-site, the risk of being lost or stolen is much greater. Regardless of the nature of the device, if it has unsecured PHI, a breach of that PHI could trigger breach notification obligations for covered entities and business associates.

The other risks raised by the OCR are those involving unsecure Wi-Fi and cloud storage applications, as well as the danger of having a mobile device infected with viruses or malware through email, websites or the downloading of apps. Entities that handle PHI must institute security protocols to assure that hackers cannot gain control of PHI and other private information through these methods.

The Centers for Medicare and Medicaid Services (CMS) released the details of its Medicare hospital patient-status appeals settlement (“the 2016 Settlement”), following CMS’ initial announcement of the reopening on September 28th.

The 2016 Settlement comes as the successor of CMS’ 2014 68% settlement (the 68% Settlement), where eligible hospitals were able to settle their Medicare inpatient-status appeals for 68% of the net payable amount. The 68% Settlement successfully settled 346,000 claims with 2,022 hospitals. Since then, providers and other industry advocates (including Andrew Wachler of Wachler & Associates) have been pressuring CMS to offer another comparable settlement, and CMS responded positively with the 2016 Settlement.

The 2016 Settlement has comparable terms to the 68% Settlement, but there is one major difference: the 2016 Settlement only reimburses hospitals for 66% of the net payable amount on pending eligible claims. 2% is no minor adjustment on such a large scale, and will lead to millions of dollars less being paid out to providers. To scale, if the 68% Settlement had been for only 66%, the payout would have been roughly $1.42 billion rather than $1.47 billion. Still, with the Medicare appeals backlog as substantial as ever, many hospitals welcome the opportunity for an expedient and largely favorable resolution to their pending patient-status appeals. This is especially true considering the uncertainty of whether there will be other settlements offered in the future.

In March, a federal jury convicted a Chicago-area physician on ten counts related to violations of the federal anti-kickback statute (AKS). According to a release by the United States Department of Justice (DOJ), Dr. Venkateswara Kuchipudi is the tenth defendant convicted as a result of a multi-year investigation into Sacred Heart Hospital on Chicago’s West Side. The investigation was executed by the Medicare Fraud Strike Force, a part of the Health Care Fraud Prevention & Enforcement Team (HEAT), and resulted in closure of the hospital.

The AKS prohibits healthcare providers from providing or receiving any form of remuneration in return for the referral of Medicare, Medicaid or other federal healthcare program business. The AKS is a criminal statute and interpreted broadly, and a violation of the AKS has significant implications on health care providers and suppliers. Violation of the statute constitutes a felony punishable by a maximum fine of $25,000, imprisonment up to 5 years, or both, and a conviction will also lead to exclusion from Federal health care programs, including Medicare and Medicaid.

According to the DOJ, Dr. Kuchipudi provided extensive referrals to Sacred Heart Hospital. The trial also revealed that Dr. Kuchipudi engaged in a scheme to ensure that his nursing home patients were transported to Sacred Heart Hospital for treatment even when there were better hospitals closer to the nursing homes at which Dr. Kuchipudi had privileges. In return, Sacred Heart Hospital provided physician assistants and nurse practitioners to Dr. Kuchipudi in the hospital and in Chicago-area nursing homes where Dr. Kuchipudi’s patients resided. The physician assistants and nurse practitioners were paid by the hospital, however Dr. Kuchipudi billed Medicare and Medicaid for their services as if he employed them himself.

The U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR), recently announced a settlement with St. Elizabeth’s Medical Center (SEMC) over violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). SEMC is a tertiary care hospital located in Massachusetts. OCR’s investigation began in November 2014, when OCR alleged that SEMC violated HIPAA’s Privacy, Security and Breach Notification Rules. As part of the settlement, SEMC agreed to pay $218,400 and adopt a corrective action plan to address the deficiencies in SEMC’s HIPAA compliance program.

On July 10, 2015, OCR released an HHS OCR Bulletin containing the allegations against SEMC, the parties’ settlement agreement and SEMC’s corrective action plan. OCR’s investigation stemmed from a complaint against SEMC filed on November 16, 2012. The allegations pertain to SEMC’s use of internet-based document sharing programs that contain electronic protected health information (ePHI). OCR found that SEMC used the internet-based applications without analyzing the privacy and security risks, as required by HIPAA. Further, critical to SEMC’s liability under HIPAA, OCR alleged that SEMC “failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome.” The settlement agreement also covers a separate HIPAA breach that occurred in August 2014, when SEMC notified HHS of a breach of unsecured ePHI located on a personal laptop and USB flash drive.

The settlement between OCR and SEMC is predicated on SEMC’s continued compliance with the settlement agreement’s corrective action plan. As part of the plan, SEMC agreed to perform robust “self-assessment” to determine the SEMC’s workforce members’ knowledge of and compliance with SEMC policies and procedures regarding: transmitting ePHI using unauthorized networks; storing ePHI on unauthorized information systems; removal of ePHI from SEMC; prohibition on sharing accounts and passwords for ePHI access or storage; encryption of portable devices that access or store ePHI; and security incident reporting related to ePHI. The self-assessment includes unannounced site visits to various SEMC departments, randomly selected interviews of SEMC workforce members, and inspection of portable devices that can access ePHI in the departments impacted by the breach. SEMC is also required to provide a report documenting its self-assessment to HHS within 150 days of the settlement.

In June, the U.S. Court of Appeals for the District of Columbia Circuit ruled on two regulations implemented by the Centers for Medicare and Medicaid Services (CMS) under the federal Stark law (Stark) in 2008. Following a challenge by the Council for Urological Interests (the Council), a urology trade association, the court rejected CMS’ prohibition on per-click equipment rental leases but upheld CMS’ new interpretation of “entity furnishing designated health services” and thus the prohibition against “under-arrangement” transactions.

Stark prohibits physicians from referring Medicare or Medicaid patients for designated health services to an entity with which the physician has a financial relationship unless an exception applies. An exception to Stark exists for equipment leases. Under CMS’ 2008 regulation challenged by the Council, CMS barred per-click rental arrangements based on CMS’ analysis that Congress did not intend to protect arrangements where the lessor’s amount of income fluctuated based on the amount of patients referred by the lessor to the lessee. CMS claimed to base its determination to bar per-click equipment leases on a 1993 U.S. House of Representatives conference report (Conference Report).

The court reviewed CMS’ per-click equipment lease prohibition under the two-step Chevron legal test used to determine whether a court must grant deference to a government agency’s interpretation of a statute. First, the court determined that Stark did not forbid CMS from banning per-click leases, as the statute does not expressly permit per-click leases and also allows the Secretary of the U.S. Department of Health and Human Services (the Secretary) to impose, by regulation, other requirements as needed to protect against program or patient abuse. However, the court determined that the per-click ban failed under step-two of the Chevron analysis, as the agency’s statutory interpretation was not permissible or reasonable in light of Congress’s intent. The court’s decision focused on the Conference Report cited by CMS. The Conference Report explained, “in reference to the rental-charge clause for the equipment rental exception, ‘[t]he conferees intended that charges for space and equipment leases may be based on…time-based rates or rates based on units of service furnished, so long as the amount of time-based or units of service rates does not fluctuate during the contract period.'” The court’s decision highlighted how the Secretary’s interpretation of the Conference Report had changed over time, pointing out that in 2001, the Secretary explained, “given the clearly expressed congressional intent in the legislative history, we are permitting ‘per use’ payments.” The court found that the Conference Report makes clear that unit of service rates are what cannot fluctuate during the contract period, and noted that the Secretary’s new interpretation of the Conference Report ignored the word “rates” completely. In rejecting the ban on per-click leases, the court stated that the agency’s “jargon is plainly not a reasonable attempt to grapple with the Conference Report; it belongs instead to the cross-your-fingers-and-hope-it-goes-away school of statutory interpretation.”

In June, the New York Attorney General announced a widespread settlement with Aspen Dental Management, Inc. (“Aspen Dental”) based on the Attorney General’s finding that the dental practice management company engaged in the unauthorized practice of dentistry and illegal fee splitting under New York law.

The Attorney General’s investigation evidences enforcement of the corporate practice of medicine doctrine, which exists in many states and prohibits corporations owned by non-professionals from employing or otherwise contracting with physicians to practice medicine and charging for professional services, except in limited circumstances. In New York, like many states, the corporate practice of medicine doctrine emanates from prior court decisions, laws regulating professional corporations, and laws restricting the division of fees generated from professional services. The prohibition on the corporate practice of medicine is grounded in public policy concerns based on the principle that when a lay corporation holds a financial interest in a physician’s profits, the entity has a direct interest in and ability to control medical decision-making and impact the quality of care provided to patients.

The Attorney General’s announcement highlights the regulatory challenges faced by medical practice management companies that receive percentage of revenue compensation. In this case, Aspen Dental provided business support and administrative services to several independently owned dental practices. The Attorney General, however, determined that Aspen Dental held an impermissible level of control over the clinics, which included sharing in the clinics’ profits, marketing the clinics under the Aspen Dental trade name, incentivizing or otherwise pressuring clinic staff to increase sales of dental services or products, implementing revenue-oriented scheduling systems, and the hiring and oversight of clinical staff. Additionally, the Attorney General cited Aspen Dental’s control over the practice’s bank accounts and implementation of non-competition and non-solicitation agreements that effectively prohibited the practices from competing with any other dental practice affiliated with Aspen Dental.

Recently, on June 1, the Center for Medicare & Medicaid Services (CMS) published its long anticipated Medicaid managed care proposed rules. This is the first time CMS proposed revisions to the Medicaid managed care regulations since 2002. The proposed rules includes several measures intended by CMS “to modernize the Medicaid managed care regulatory structure in order to facilitate and support delivery system reform initiatives to improve health outcomes and the beneficiary experience, while effectively managing costs.” Among other things, the proposed rule would make a number of changes designed to align Medicaid managed care operating standards with those used in other markets.

For example, the proposed rule includes modifications to the current regulations governing the grievance and appeals systems for Medicaid managed care. The goal is to further align and increase uniformity in the grievance and appeals systems with Medicare Advantage managed care plans and private health insurance and group health plans in order to make the process more consistent across markets. Of particular note, most capitated, risk-bearing forms of Medicaid managed care–whether full or partial risk–would be expected to offer an internal appeals process with specified time frames, with external appeal to the state Medicaid fair hearing process in the event of an adverse determination. The rule would introduce new appeals timeframes, timeframes for plan compliance with favorable beneficiary rulings, and would clarify the right of beneficiaries to introduce new evidence at each stage of appeal.

In addition, the proposed rule would require all states to offer a 60-day time period to request external review through a fair hearing (some states now allow a far shorter time period) and would clarify members’ right to their case file, medical records, and other documents such as the plan documents used to conduct coverage determinations. The expedited appeal time frame would be tightened, as would notice and recordkeeping requirements. Simultaneously, the proposed rule would also require beneficiaries to exhaust internal appeals procedures before seeking a state fair hearing. This is a significant change since some states now allow beneficiaries to bypass the internal process.

On February 9, 2015, the U.S. Department of Health and Human Services Office of Inspector General (OIG) delivered an advisory opinion finding that a physician or provider previously excluded from participating in Medicare, Medicaid, and all other federal health care programs was permitted to share in federal payments with his former medical practice when the payments were based on services furnished prior to the individual’s exclusion even though payment was received by the practice after the exclusion. The Petitioner sought guidance from the OIG as to whether sharing in these payments with the practice would violate the terms of the Petitioner’s exclusion from federal health care programs and would potentially subject the Petitioner to additional administrative sanctions or other liability.

The Petitioner was a physician who was prohibited from participating in all federal health care programs for 20 years under the terms of a criminal plea and civil False Claims Act settlement (Settlement). The Settlement resolved various allegations of fraud against the Petitioner and required the Petitioner to divest all his ownership in the medical practice. The divestiture was ultimately accomplished through an asset purchase agreement between the Petitioner and specified buyers. The asset purchase agreement was executed shortly after the effective date that Petitioner became an excluded provider under the terms of the Settlement, which prohibited his or her participation in federal health care programs. Under the terms of the purchase agreement, the Petitioner was permitted to share in a portion of the Practice’s returns after the Petitioner divested his or her ownership in the Practice as long as those payments were for services that the Petitioner or Practice provided to patients and billed to federal health care programs before the Petitioner became an excluded provider.

The OIG’s February 9th, 2015, advisory opinion began its analysis by citing federal statutes that prohibit payment by all federal health care programs for items or services furnished: (1) by an excluded provider; or (2) at the medical direction or under the prescription of an excluded person. The effects of becoming an excluded provider was not elaborated upon in the February 9th advisory opinion, however the OIG more fully addressed and explained the effect of provider exclusions in its May 8, 2013, Special Advisory Bulletin titled “Effect of Exclusion from Participation in Federal Health Care Programs.”

On October 6, 2014, the Improving Medicare Post-Acute Care Transformation Act of 2014 (IMPACT Act) was signed into law. The bill moved swiftly through both houses due to its joint development by the House Ways and Means Committee and the Senate Finance Committee. The Post-Acute Care (PAC) community also voiced strong support for the IMPACT Act.

Currently, PAC payments to Medicare are typically based on the setting of care. This payment system often results in PAC providers supplying comparable services, but receiving dramatically different reimbursement amounts due to their setting of care. Under the IMPACT Act, the US Department of Health and Human Services (HHS) is tasked with promulgating a reporting system for PAC providers, which includes long-term care hospitals, skilled nursing facilities, inpatient rehabilitation facilities, and home health agencies. PAC providers will be required to report standardized data regarding patient care assessment, resource use, and quality measures. This data collection will allow providers and policymakers to analyze and compare the cost, quality, and type of services offered across a range of PAC providers. It is important to note that the IMPACT Act does not apply to critical access hospitals.

Specifically with regards to quality measures, PAC providers will be required to report on the following issues:

The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced that it will be initiating Phase 2 of the compliance audits mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH). The first phase of audits was carried out in 2011 and 2012, and targeted covered entities. While Phase 2 will expand the targeted entities to include business associates, it will utilize information gathered during Phase 1 to narrow the scope of audits in order to review the areas of greatest risk to protected health information (PHI).

Following Phase 1, OCR’s findings noted that, generally, the smaller the covered entity, the more compliance issues it had with all 3 Health Insurance Portability and Accountability Act (HIPAA) Standards: privacy, security, and electronic transactions. Furthermore, OCR observed that over 60% of the violations related to security standards. Additionally, nearly 40% of the findings related to privacy standards occurred simply due to lack of knowledge regarding the privacy standards.

Applying this information, OCR will narrow the focus of their compliance audits in Phase 2. The audits will occur between October 2014 and June 2015, and will address: