HHS Launches Portal Seeking Questions from Mobile Health Application Developers

On October 5, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services launched a new platform for developers of mobile health technology, as well as others “interested in the intersection of health information technology and HIPAA privacy protection.” OCR notes that there is currently “an explosion of technology using data about the health of individuals in innovative ways to improve health outcomes.” The platform allows individuals both to submit and to review questions on the HIPAA implications of these mobile health applications.

The platform invites mobile health developers to submit questions and topics for future guidance. The portal asks:

What current provisions leave you scratching your heads? How should this guidance look in order to make it more understandable, more accessible? Use this page to submit your questions about HIPAA. Or present a use case. Look at what your peers are discussing, comment on it and vote on which topics or use cases would be the most helpful or important to your work.

As of now, the platform features questions (though no answers yet) regarding:

  • what entities are covered by HIPAA;

  • the application of HIPAA to cloud computing;

  • what aspects of the application (environment) must be HIPAA compliant;

  • the content of business associate agreements;

  • the flow of patient-generated data; and

  • the use of audit logging by developers.

Anyone can browse the site, but users who wish to submit questions must register. Registered users may also offer comments on other submissions or vote on the relevance of a topic. The portal represents that the entities and email addresses associated with posts by registered users will be anonymous to OCR. OCR also states that posting or commenting on a question on the portal will not subject anyone to enforcement action. While OCR will moderate comments posted by users, it will not vouch for the accuracy of these comments. Thus, users must pay close attention to whether guidance appearing on the portal is endorsed by OCR before taking action in reliance on this guidance.

The release of the portal comes at a time of particular uncertainty for medical application developers. HHS has acknowledged that existing HIPAA guidance has not addressed all of the questions raised by emerging technologies and has said that it plans to seek guidance from mobile application developers themselves. Depending on the timeliness of, and level of detail contained in, OCR’s responses to questions, the portal could prove a useful resource to a quickly evolving industry.

© 2015 Covington & Burling LLP

HIPAA: Disclosing Exam Results to Employers

Physicians and other providers are often paid by employers to conduct drug tests, fitness-for-duty or return-to-work exams, or employment physicals for employees. In such circumstances, the physician may mistakenly assume that they may disclose the test and exam results to the employer without the patient’s authorization, but that is not correct.

As with any other protected health information, physicians and other providers generally need the patient’s written, HIPAA-compliant authorization to disclose exam results to the employer. (45 CFR 164.508(a); see also 65 FR 82592 and 82640). However, unlike other treatment situations, a provider may condition the performance of an employee physical or test on the patient’s provision of an authorization, i.e., the provider may refuse to perform the exam unless the patient executes a valid authorization. (45 CFR 164.508(b)(4)(iii); 65 FR 82516 and 82658). In addition, the employer may condition the employee’s continued employment on the provision of the exam results (at least under HIPAA), thereby creating an incentive for the employee to execute the authorization. (65 FR 82592 and 82640). The foregoing rules also apply when the health care provider is the employer, e.g., when a hospital employee receives treatment or tests at the hospital. In those situations, the hospital/employer generally may not access or use the patient/employee’s health information for employment-related purposes without the patient’s written authorization. (67 FR 53191-92).

An employee who receives an unfavorable test or exam result may attempt to block disclosure by revoking their authorization. Although patients are generally entitled to revoke their authorization by submitting a written revocation, HIPAA contains an exception that limits revocation if and to the extent that the provider has taken action in reliance on the authorization. (45 CFR 164.508(b)(5)). That exception should apply when the provider has conditioned and provided the test or exam in reliance on the patient’s authorization.

There are very limited exceptions to the authorization requirement. As in other situations, a provider may disclose protected health information to an appropriate entity if necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public (45 CFR 164.512(j)), or if the disclosure is otherwise required by law. (Id. at 164.512(a)). HIPAA contains a specific exception that allows disclosures to employers if the exam was performed as part of a medical surveillance of the workplace and the employer needs the information to report work-related injuries as required by OSHA, MSHA, or similar state laws. (Id. at 164.512(b)(v)). Finally, HIPAA allows providers to disclose protected health information as authorized by and to the extent necessary to comply with workers compensation laws. (Id. at 164.512(l)).

The bottom line: if you are a physician or other provider who conducts employment physicals, tests, or exams, be sure you obtain the patient’s written, HIPAA-compliant authorization before conducting the exam and/or disclosing test or exam results to the employer.

Copyright Holland & Hart LLP 1995-2015.

UK Government Launches Cybersecurity Service For Healthcare Organizations

The UK government has announced a new national service providing expert cybersecurity advice to entities within the National Health Service (NHS) and the UK’s broader healthcare system.  The project, called CareCERT (Care Computing Emergency Response Team), is aiming for a full go-live in January 2016.

According to recent press releases, CareCERT will:

  • “Provide incident response expertise for the management of cyber security incidents and threats across health and care system”;

  • “Broadcast potential cyber threats and necessary actions to take across the sector, to ensure cyber threats are safely dealt with”;

  • “Be a central source of security intelligence for health and care by working with cross government monitoring partners such as GovCertUK and CERT-UK”;

  • “Support the analysis of emerging and future threats through unique analysis tools and reporting”; and

  • “Be a trusted source of security best practice and guidance”.

CareCERT will be run by the Health and Social Care Information Centre (HSCIC).  The HSCIC is an important offshoot of the UK Department of Health, overseeing information assurance and patient privacy within the NHS as part of its broader role in setting health IT standards, assisting IT rollout throughout the NHS, and managing the release of healthcare statistics for the NHS.

CareCERT is expected to be a natural evolution of HSCIC’s existing function and expertise.  In particular, under the HSCIC/Department of Health’s data breach reporting policy (imposed on NHS bodies and their suppliers through contract), HSCIC is already one of the bodies notified and involved in the event of serious data breaches in the public healthcare sector.  The creation of CareCERT will enhance the HSCIC’s incident response capabilities, and will give NHS suppliers an increased opportunity to engage with HSCIC proactively (for guidance and threat alerts), rather than only after serious incidents take place.

Article by Mark Young & Philippe Bradley-Schmieg of Covington & Burling

© 2015 Covington & Burling LLP

Medical Record Retention

I am often asked how long a practice must maintain medical records. The answer depends on the type of provider you are and your risk tolerance. Providers should generally consider the following in establishing their record retention policies:

1. Patient care. The primary consideration should be patient care. Some practices (e.g., oncology) may want to retain medical records longer than the relevant regulatory requirement or statute of limitations period because the records may be important to future patient care. If your electronic records program allows, you may want to retain the records permanently.

2. Statutory or Regulatory Requirements. State and federal regulations require hospitals and certain other institutional providers to maintain medical records for specified periods, but those laws usually do not apply directly to physicians or physician groups. There are numerous guides online. For example, HealthIT.gov published a 50-state survey of record retention requirements. The Idaho Department of Health and Welfare published a helpful but incomplete summary of federal record retention regulations. CMS published a MedLearn article on record retention. AHIMA is usually a good source for online guidance about record retention laws and regulations.

3. Accreditation, payer or other contract requirements. Some provider contracts, payer requirements, or accreditation standards may require providers to keep records for a certain time. For example, Idaho’s Medicaid Provider Handbook requires providers to maintain records to support claims for five years. Check your relevant contracts to ensure your record retention policies comply with any such requirements. You may also want to check with your liability insurer to determine if they have any record retention requirements or suggestions.

4. Statute of limitations. If there are no more paramount concerns, physicians should generally retain medical records for at least the applicable statute of limitations period to ensure the practice has the records necessary to defend its care or charges if challenged. In most cases, maintaining the records for ten (10) years should get you past relevant state or federal limitations periods, including those for malpractice, contract, or fraud and abuse claims. Beware that many states toll the statute of limitations period for claims by minors; if so, you may want to keep records of minors until the later of either (i) six years after the date of treatment, or (ii) three years after the minor reaches the age of majority, depending on your applicable state statute of limitations for malpractice claims.

If your records are subject to a pending claim or investigation, you should retain the records through the resolution of the claim or investigation. Destroying records that are subject to pending claims or investigations may result in liability under state or federal laws; common law claims for destruction of evidence; or adverse judgments because you lack the evidence to defend yourself.

Copyright Holland & Hart LLP 1995-2015.

False Claims Act: Do You Really Have Just 60 Days to Repay?

One of your employees informs you of a potential overpayment from Medicare. Do you really only have 60 days from that point to determine if it is indeed an overpayment and repay it?

The Patient Protection and Affordable Care Act of 2010 requires that a person who receives an overpayment of Medicare or Medicaid funds report and return the overpayment within 60 days of the “date on which the overpayment was identified,” and makes the failure to do so a violation of the False Claims Act. 42 U.S.C. 1320a-7k(d)(2)-(3) (emphasis added). However, Congress didn’t define what it means to identify a false claim.

On August 3, 2015, the United States District Court for the Southern District of New York issued the first federal court decision addressing when an overpayment should be considered to be “identified” for purposes of determining whether there has been a False Claims Act violation.

The ruling came in the case of Kane v. Healthfirst, et al. and U.S. v. Continuum Health Partners Inc. et al., in which Continuum Health Partners Inc., which operated and coordinated a network of non-profit hospitals, was accused of failing to make timely repayment of identified overpayments.

The potential false claim was first brought to the defendants’ attention in September, 2010 by New York State auditors. An employee of Continuum subsequently provided a preliminary list of potential overpayments to management in February, 2011. He was fired four days later and subsequently filed a whistle-blower action. It wasn’t until the government issued a Civil Investigative Demand in June, 2012 that Continuum reimbursed the government for a large number of claims. Continuum did not return all of the overpayments to the government until May, 2013, approximately two years after the initial internal email.

According to the ruling, approximately half of the February, 2011 preliminary list of overpayments did, in fact, constitute overpayments. The Continuum defendants had argued that the 60-day period began only after the overpayment was “classified with certainty.” The court, however, sided with the government and found that the 60-day clock starts when a person is “put on notice” that a claim may be overpaid.

The court tempered its ruling, though, by stating that a false claims violation occurs only when the “obligation is knowingly concealed or knowingly and improperly avoided or decreased.” Further, the court stated that “prosecutorial discretion would counsel against” an enforcement action in a situation involving “well intentioned” providers working with “reasonable haste” to rectify the issue. In such a case, the healthcare provider wouldn’t have acted with the “reckless disregard, deliberate ignorance, or actual knowledge” required to support a false claims case.

While the decision didn’t provide bright lines and identify exactly when that 60-day clock starts, one of the key takeaways is that once a potential overpayment is identified, a health care provider must take prompt action and follow through with a thorough internal review process to determine whether an overpayment truly exists. Then, it must make repayments to the extent required.

© Copyright 2015 Armstrong Teasdale LLP. All rights reserved

Four Ways Medicare and Medicaid Have Changed the Health Care Industry

It’s a bizarre program that is absolutely essential to American healthcare.

That is the opinion of Theodore Marmor, professor of public policy at Yale and author of the book, The Politics of Medicare. Whether you agree with him or not, it is difficult to deny the influence of Medicare and Medicaid on the health care industry. To mark the 50th anniversary of Medicare and Medicaid, signed into law by President Lyndon Johnson on July 30, 1965, we have identified four ways these programs have shaped the health care industry.

  1. There is no stopping the health care juggernaut. In a March 2014 presentation during the conference of National Health Care Journalists, Rosemary Gibson (senior advisor with The Hastings Center) brought the point home with this statistic: In 1965, there were no health care companies listed in the Fortune 100. By 2013, there were 15. 

  2. The federal government is now the largest purchaser of health care in the United States. In its Primer on Medicare, The Kaiser Family Foundation estimates that 14% of the $3.5 trillion spent by the federal government in 2014 was spent on Medicare (approximately $505 billion total), making it the largest purchaser of health care in the United States. Its spending power means CMS and Medicare will continue to hold sway in the industry.

  3. Medicare and Medicaid are driving innovation, but have they run out of gas? US News & World Report estimates that today, one in three Americans is covered by Medicare or Medicaid, and it is that extension of coverage to a larger population that is driving innovation. In the article, “America’s Health Care Elixir,” Kimberly Leonard states, “Because the government covered more people, and eventually extended that coverage to include drugs and medical devices, industries knew they could invest in research because they would eventually recoup the costs of their work through sales of new products.” However, innovation is beginning to outstrip the programs’ ability to keep pace. For example, Leonard states, “Pharmaceuticals also are moving toward developing more expensive biologic drugs, which could be a challenge for Medicare and Medicaid to afford.” More important, the programs’ outdated structure, developed during a different business environment, serving a different population, is making it difficult for them to keep pace with technology.

  4. Medicare and Medicaid helped end segregation in health care facilities. One lesser-known positive effect on the industry is that these programs helped end segregation, at least at health care facilities. The programs required that health care facilities could not be racially segregated if they wanted to receive Medicare and Medicaid payments, which meant facilities had to start accepting African-American patients.

With the changes introduced with the Affordable Care Act, it is clear that the government is keen on keeping these programs going for another 50 years or more, and their legacy of influence in the health care industry continues to evolve. Where they will be in 50 years remains to be seen.

© 2015 Foley & Lardner LLP

Affordable Care Act Reporting Penalties Significantly Increased

On June 29, 2015, President Barack Obama signed the Trade Preferences Extension Act (the Act) into law. In addition to containing several revenue offsets, the Act significantly increased penalties for incorrect information returns, including those required by the Affordable Care Act (ACA).

The Internal Revenue Service (IRS) may impose penalties for both failing to file and filing incorrect or incomplete information returns and/or payee statements after the due dates for such forms pursuant to Internal Revenue Code Section 6721 and 6722. These penalty provisions apply to a variety of information reporting requirements including Forms W-2 and 1099, and now more recently to Forms 1094-B, 1095-B, 1094-C, and 1095-C relating to compliance with the ACA.

Below we have summarized a few of the notable penalty changes made by the Act.

| Description | Old Penalty Amount | New Penalty Amount |
| --- | --- | --- |
| Penalty for filing incorrect returns (per return) | $100 | $250 |
| Penalty for incorrect returns if corrected within 30 days (per return) | $30 | $50 |
| Penalty for incorrect returns if corrected by August 1 (per return) | $60 | $100 |
| Penalty for intentionally disregarding to file timely and correct returns | $250 | $500 |
| Maximum penalty per calendar year | $1,500,000 | $3,000,000 |
| Maximum penalty per calendar year if corrected within 30 days | $250,000 | $500,000 |
| Maximum penalty per calendar year if corrected by August 1 | $500,000 | $1,500,000 |

Keep in mind that the final ACA regulations provide that penalties will not be imposed on entities that show they made good faith efforts to comply with the reporting requirements for 2015. The IRS has indicated that an untimely filed form will not meet the good faith requirement. Should the requirements regarding ACA reporting not be met due to good faith requirements, the penalties may still be waived if the failure was due to reasonable cause.

Because the penalties for incorrect forms are applied with respect to each incorrect form, it may be advisable, where possible, to take advantage of the combined form reporting where authorized. For example, an employer may use one Form 1094-C to transmit all Forms 1095-C rather than multiple Forms 1094-C.

In summary, employers should be aware that larger fines now exist for failures in reporting and the penalties apply to each incomplete or incorrect form. For example, intentionally incorrect information with respect to one employee could result in a penalty of $500 for both the Form 1095-C filed with the IRS and the Form 1095-C provided to the employee, for a total of $1,000 for that one employee. Furthermore, it is important to file all forms in a timely manner to show good faith under the ACA transition rule for 2015 Forms.

© 2015 McDermott Will & Emery

How Does the King v. Burwell Decision Affect the Affordable Care Act?

The Supreme Court handed the Obama administration a key victory, upholding the tax credits that allow many low-income Americans to purchase health care insurance in states where the federal government is running the insurance marketplace. These tax credits, available to Americans with household incomes between 100% and 400% of the federal poverty line, operate as a form of premium assistance that subsidizes the purchase of health insurance.

The petitioners in King v. Burwell, No. 14-114 (U.S. June 25, 2015), challenged a ruling from the Internal Revenue Service (IRS) and claimed that a phrase in the Affordable Care Act (ACA) indicating that the subsidies are only available to consumers buying insurance in a state-run exchange prohibited the federal government from providing tax credits where states have not established their own exchanges. Arguing that the text of the law should be read literally, they challenged an IRS regulation that makes these tax credits available regardless of whether the exchange is run by a state or the federal government.

But the Supreme Court sided with the Obama administration in its 6-3 decision, emphasizing that language allowing tax credits for health insurance purchased on “an Exchange established by the State” must be interpreted in context and within the larger statutory scheme. Chief Justice Roberts, who authored the majority opinion, wrote that the phrase “an Exchange established by the State” was ambiguous, and therefore required the Court to look to the broader structure of the law. He wrote that the larger statutory scheme required the Court to reject the petitioners’ interpretation, which would have destabilized the individual insurance market and would create the exact same “death spirals” of rising premiums and declining availability of insurance that the law was crafted to avoid. In passing the law, he added, Congress sought “to improve health insurance markets, not to destroy them.”

The Supreme Court’s analysis went a step beyond the traditional framework used by courts to review agency actions. This two-step analysis, first announced in Chevron U.S.A. v. Natural Resources Defense Council, Inc., 467 U.S. 837 (1984) and widely known as the Chevron two-step, first considers whether the statutory language is clear—and if it is, the inquiry ends there. But if the language of the law is silent or ambiguous, a court next considers whether the agency’s interpretation of the statute is reasonable, granting considerable deference to the agency’s interpretation. Because the tax credits under the ACA are central to the reforms created by the law, Chief Justice Roberts explained, Congress would not have delegated such an important question to any agency, and especially not to the IRS, which lacks expertise in crafting health insurance policy. He wrote that in this case, the task of determining the correct reading of the statute belonged to the Court.

For most providers and companies involved in the health care system, the result of this decision means business as usual. But the decisive victory for the law today means that the ACA is here to stay, and will have a permanent effect on how patients access care. Insurers and providers still must overcome hurdles to achieve affordable premiums and provide improved care for patients across the country. And as more laws are sorted out in the courts, the Supreme Court’s reliance on context in interpreting the statute today could set an important precedent of emphasizing the purpose of major legislation when analyzing its trickier provisions.

© 2015 Foley & Lardner LLP

Obamacare Survives in 6-3 Vote – Supreme Court Issues Opinion on King v. Burwell

This morning, the Supreme Court of the United States issued its final decision on King v. Burwell regarding the survival of Obamacare. The decision, issued by Chief Justice Roberts and joined by Justices Anthony Kennedy, Ruth Bader Ginsburg, Stephen Breyer, Sonia Sotomayor and Elena Kagan, effectively allows millions of people to keep the tax subsidies provided so they can afford health insurance.

The Affordable Care Act (ACA) explicitly states that the tax subsidies were provided for individuals to purchase insurance through state-based exchanges. The Court was charged with determining whether they could be used to purchase insurance through the federally run Healthcare.gov marketplace as well. The creators of the law contend that the law’s intent is to make affordable care available to people across the country through both channels by providing a federal exchange where states did not establish one.

The Court agreed: the federal government can subsidize health insurance premiums for residents of states that did not establish a state health insurance exchange. In the Court’s opinion, Chief Justice Roberts wrote, “The combination of no tax credits and an ineffective coverage requirement could well push a State’s individual insurance market into a death spiral… It is implausible that Congress meant the Act to operate in this manner.”

Chief Justice Roberts reinforces the role of the Court – as an interpreter of the law, not its creator:

[I]n every case we must respect the role of the Legislature, and take care not to undo what it has done. A fair reading of legislation demands a fair understanding of the legislative plan. Congress passed the Affordable Care Act to improve health insurance markets, not to destroy them. If at all possible, we must interpret the Act in a way that is consistent with the former, and avoids the latter. (emphasis added)

This is a developing story. Please stay tuned for more updates and legal commentary.

Copyright ©2015 National Law Forum, LLC

June 24th – Healthcare Quarterly Update: Cybersecurity and Health Data Privacy by Bloomberg BNA

Washington, DC

Join Bloomberg BNA for this essential event that explores concerns relating to cyber-security and health data privacy. Healthcare industry experts Kirk Nahra and David Holtzman will join HHS’s Iliana Peters for a comprehensive examination of:
• Big data in the healthcare sector and how to protect information
• Protecting patient and organization information
• Federal enforcement of HIPAA Privacy, Security, Data Breach rules
• Practical, up-to-date information on current issues
• And so much more.

Identify actionable issues, secure your organization, and earn CLE credits.

A breakfast panel with accomplished scholars and an HHS representative. This conversation will address practical considerations for ensuring that patients’ data is being properly handled in full compliance with all regulations and ethical responsibilities. Healthcare practitioners are increasingly required to address concerns of data privacy and cyber-security; attending this panel will assist you in identifying actionable points in the law common to many legal practices.