Tag: HHS

Recent Healthcare-Related Artificial Intelligence Developments

AI is here to stay. The development and use of artificial intelligence (“AI”) is rapidly growing in the healthcare landscape with no signs of slowing down.

From a governmental perspective, many federal agencies are embracing the possibilities of AI. The Centers for Disease Control and Prevention is exploring the ability of AI to estimate sentinel events and combat disease outbreaks and the National Institutes of Health is using AI for priority research areas. The Centers for Medicare and Medicaid Services is also assessing whether algorithms used by plans and providers to identify high risk patients and manage costs can introduce bias and restrictions. Additionally, as of December 2023, the U.S. Food & Drug Administration cleared more than 690 AI-enabled devices for market use.

From a clinical perspective, payers and providers are integrating AI into daily operations and patient care. Hospitals and payers are using AI tools to assist in billing. Physicians are using AI to take notes and a wide range of providers are grappling with which AI tools to use and how to deploy AI in the clinical setting. With the application of AI in clinical settings, the standard of patient care is evolving and no entity wants to be left behind.

From an industry perspective, the legal and business spheres are transforming as a result of new national and international regulations focused on establishing the safe and effective use of AI, as well as commercial responses to those regulations. Three such regulations are top of mind, including (i) President Biden’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of AI; (ii) the U.S. Department of Health and Human Services’ (“HHS”) Final Rule on Health Data, Technology, and Interoperability; and (iii) the World Health Organization’s (“WHO”) Guidance for Large Multi-Modal Models of Generative AI. In response to the introduction of regulations and the general advancement of AI, interested healthcare stakeholders, including many leading healthcare companies, have voluntarily committed to a shared goal of responsible AI use.

U.S. Executive Order on the Safe, Secure, and Trustworthy Development and Use of AI

On October 30, 2023, President Biden issued an Executive Order on the Safe, Secure, and Trustworthy Development and Use of AI (“Executive Order”). Though long-awaited, the Executive Order was a major development and is one of the most ambitious attempts to regulate this burgeoning technology. The Executive Order has eight guiding principles and priorities, which include (i) Safety and Security; (ii) Innovation and Competition; (iii) Commitment to U.S. Workforce; (iv) Equity and Civil Rights; (v) Consumer Protection; (vi) Privacy; (vii) Government Use of AI; and (viii) Global Leadership.

Notably for healthcare stakeholders, the Executive Order directs the National Institute of Standards and Technology to establish guidelines and best practices for the development and use of AI and directs HHS to develop an AI Task force that will engineer policies and frameworks for the responsible deployment of AI and AI-enabled tech in healthcare. In addition to those directives, the Executive Order highlights the duality of AI with the “promise” that it brings and the “peril” that it has the potential to cause. This duality is reflected in HHS directives to establish an AI safety program to prioritize the award of grants in support of AI development while ensuring standards of nondiscrimination are upheld.

U.S. Department of Health and Human Services Health Data, Technology, and Interoperability Rule

In the wake of the Executive Order, the HHS Office of the National Coordinator finalized its rule to increase algorithm transparency, widely known as HT-1, on December 13, 2023. With respect to AI, the rule promotes transparency by establishing transparency requirements for AI and other predictive algorithms that are part of certified health information technology. The rule also:

  • implements requirements to improve equity, innovation, and interoperability;
  • supports the access, exchange, and use of electronic health information;
  • addresses concerns around bias, data collection, and safety;
  • modifies the existing clinical decision support certification criteria and narrows the scope of impacted predictive decision support intervention; and
  • adopts requirements for certification of health IT through new Conditions and Maintenance of Certification requirements for developers.

Voluntary Commitments from Leading Healthcare Companies for Responsible AI Use

Immediately on the heels of the release of HT-1 came voluntary commitments from leading healthcare companies on responsible AI development and deployment. On December 14, 2023, the Biden Administration announced that 28 healthcare provider and payer organizations signed up to move toward the safe, secure, and trustworthy purchasing and use of AI technology. Specifically, the provider and payer organizations agreed to:

  • develop AI solutions to optimize healthcare delivery and payment;
  • work to ensure that the solutions are fair, appropriate, valid, effective, and safe (“F.A.V.E.S.”);
  • deploy trust mechanisms to inform users if content is largely AI-generated and not reviewed or edited by a human;
  • adhere to a risk management framework when utilizing AI; and use of AI technology. Specifically, the provider and payer organizations agreed to:
  • develop AI solutions to optimize healthcare delivery and payment;
  • work to ensure that the solutions are fair, appropriate, valid, effective, and safe (“F.A.V.E.S.”);
  • deploy trust mechanisms to inform users if content is largely AI-generated and not reviewed or edited by a human;
  • adhere to a risk management framework when utilizing AI; and
  • research, investigate, and develop AI swiftly but responsibly.

WHO Guidance for Large Multi-Modal Models of Generative AI

On January 18, 2024, the WHO released guidance for large multi-modal models (“LMM”) of generative AI, which can simultaneously process and understand multiple types of data modalities such as text, images, audio, and video. The WHO guidance contains 98 pages with over 40 recommendations for tech developers, providers and governments on LMMs, and names five potential applications of LMMs, such as (i) diagnosis and clinical care; (ii) patient-guided use; (iii) administrative tasks; (iv) medical education; and (v) scientific research. It also addresses the liability issues that may arise out of the use of LMMs.

Closely related to the WHO guidance, the European Council’s agreement to move forward with a European Union AI Act (“Act”), was a significant milestone in AI regulation in the European Union. As previewed in December 2023, the Act will inform how AI is regulated across the European Union, and other nations will likely take note of and follow suit.

Conclusion

There is no question that AI is here to stay. But how the healthcare industry will look when AI is more fully integrated still remains to be seen. The framework for regulating AI will continue to evolve as AI and the use of AI in healthcare settings changes. In the meantime, healthcare stakeholders considering or adopting AI solutions should stay abreast of developments in AI to ensure compliance with applicable laws and regulations.

Copyright © 2024, Sheppard Mullin Richter & Hampton LLP.
For more on Healthcare, visit the NLR Health Law & Managed Care section.

Cannabis Rescheduling: HHS Findings and Legal Implications

On August 29, 2023, the U.S. Department of Health and Human Services (HHS) made a groundbreaking recommendation to the Drug Enforcement Administration (DEA) – that cannabis should be rescheduled from Schedule I to Schedule III under the Controlled Substances Act (CSA). This recommendation was made pursuant to President Biden’s request that the Secretary of HHS and the Attorney General initiate a process to review how cannabis is scheduled under federal law. In recent days, the unredacted 252-page analysis supporting the August recommendation was released pursuant to a Freedom of Information Act request. While the DEA is presently reviewing HHS’s recommendation and has final authority to schedule a drug under the CSA, it is ultimately bound by HHS’s recommendations on scientific and medical matters.

Why does this matter? Cannabis1 has been a Schedule I substance since the CSA was enacted in 1971. Substances are controlled under the CSA by placement on one of five lists, Schedules I through V. Schedule I controlled substances are subject to the most stringent controls and have no current accepted medical use. As a result, it is illegal under federal law to produce, dispense, or possess cannabis except in the context of federally approved scientific studies. Violations may result in large fines and imprisonment, including mandatory minimum sentences. Comparatively, Schedule III substances are considered to have less abuse potential than Schedule I and II substances, and have a currently accepted medical use in the United States.

In recent years, nearly all the states within the U.S. have revised their laws to permit medical cannabis use. And 24 states, as well as the District of Columbia, have eliminated certain criminal penalties for recreational cannabis use by adults. However, under the U.S. Constitution’s Supremacy Clause, federal law takes precedence over conflicting state laws. Thus, states cannot actually legalize cannabis use without congressional or executive action, and all unauthorized activities under Schedule I involving cannabis are federal crimes anywhere in the United States.2

Notable Findings in HHS’s Recommendation

For HHS to recommend that the DEA change cannabis from Schedule I to Schedule III, HHS had to make three specific findings: 1) cannabis has a lower potential for abuse than the drugs or other substances in Schedules I and II; 2) cannabis has a currently accepted medical use in treatment in the U.S.; and 3) abuse of cannabis may lead to moderate or low physical dependence or high psychological dependence. HHS considered eight factors to make those findings, some of which include: cannabis’s actual or relative potential for abuse; the state of current scientific knowledge regarding the drug; the scope, duration, and significance of abuse; and what, if any, risk there is to public health. The unredacted analysis provides further insight into HHS’s determination to make the forementioned findings.

CANNABIS HAS A POTENTIAL FOR ABUSE LESS THAN THE DRUGS OR OTHER SUBSTANCES IN SCHEDULES I AND II.

To evaluate cannabis’s potential for abuse,3 HHS compared the harms associated with cannabis abuse to the harms associated with other substances, such as heroin (Schedule I), cocaine (Schedule II), and alcohol.4 HHS reported that evidence shows some individuals take cannabis in amounts sufficient to create a health hazard to themselves and the safety of other individuals and the community. However, HHS also reported evidence showing the vast majority of cannabis users are using cannabis in a manner that does not lead to dangerous outcomes for themselves or others. From 2015 to 2021, the utilization-adjusted rate of adverse outcomes involving cannabis was consistently lower than the respective utilization-adjusted rates of adverse outcomes involving heroin, cocaine, and other comparators. Further, cannabis was the lowest-ranking group for serious medical outcomes, including death. Overall, the data indicated that cannabis produced fewer negative outcomes than Schedule I, Schedule II drugs, and, in some cases, alcohol.

CANNABIS HAS A CURRENTLY ACCEPTED MEDICAL USE IN TREATMENT IN THE UNITED STATES

To determine whether cannabis has a currently accepted medical use (CAMU) in the U.S., HHS evaluated a two-part standard: 1) whether “[t]here exists widespread, current experience with medical use of the substance by [healthcare providers] operating in accordance with implemented jurisdiction-authorized programs, where medical use is recognized by entities that regulate the practice of medicine”; and 2) whether “[t]here exists some credible scientific support for at least one of the medical uses for which Part 1 is met.”

Under Part 1, HHS confirmed that more than 30,000 healthcare providers across 43 U.S. jurisdictions are authorized to recommend the medical use of cannabis for more than six million registered patients for at least 15 medical conditions. The Part 1 findings, therefore, supported an assessment under Part 2. Under Part 2, HHS reported that, based on the totality of the available data, there exists some credible scientific support for the medical use of cannabis. Specifically, credible scientific support described at least some therapeutic cannabis uses for anorexia related to a medical condition, nausea and vomiting (e.g., chemotherapy-induced), and pain.

Overall, while HHS reported that cannabis has a currently accepted medical use in the U.S., the Food and Drug Administration (FDA) underscored that such a finding does not mean that the FDA has approved cannabis as safe and effective for marketing as a drug in interstate commerce under the Federal Food, Drug, and Cosmetic Act.

ABUSE OF CANNABIS MAY LEAD TO MODERATE OR LOW PHYSICAL DEPENDENCE OR HIGH PSYCHOLOGICAL DEPENDENCE.

Lastly, HHS concluded that research indicated that chronic, but not acute, use of cannabis can produce both psychic and physical dependence in humans. However, while cannabis “can produce psychic dependence in some individuals,” HHS emphasized that “the likelihood of serious outcomes is low, suggesting that high psychological dependence does not occur in most individuals who use marijuana.”

Legal Ramifications of New Scheduling

Changing cannabis from Schedule I to Schedule III may potentially allow cannabis to be lawfully dispensed by prescription5 and states’ medical cannabis programs may now be able to comply with the CSA. However, it would not make state laws legalizing recreational cannabis use in compliance with federal law without other legal changes by Congress or the executive branch. Under the change, medical cannabis users may be eligible for public housing, immigrant and nonimmigrant visas, and the purchase and possession of firearms. They may also face fewer barriers to federal employment and eligibility to serve in the military. Researchers would face less regulatory controls, and the DEA would no longer set production quota limitations for cannabis. Because the prohibition on business deductions in Section 280E of the Internal Revenue Code only applies to Schedule I and II substances of the CSA, changing cannabis from Schedule I to Schedule III would allow cannabis businesses to deduct business expenses on federal tax filing.

Importantly, some criminal penalties for CSA violations depend on the schedule of the substance. Thus, if cannabis were to be reclassified as a Schedule III substance, some criminal penalties for CSA violations would no longer apply or be significantly reduced. However, CSA penalties that specifically apply to cannabis, such as quantity-based mandatory minimum sentences, would not change under a new rescheduling.

Many advocates consider HHS’s findings a step in the right direction. Specifically, supporters consider the findings further evidence that cannabis should be removed from the CSA altogether and regulated akin to tobacco and alcohol (referred to as descheduling). Given the momentum of cannabis legalization across U.S. states and breakthroughs in the medical and scientific advantages of cannabis, Congressional or Executive legalization, or – at very least – descheduling of cannabis may be on the horizon.

1 The CSA classifies the cannabis plant and its derivatives as “marijuana.” The CSA definition of marijuana excludes (1) products that meet the legal definition of hemp and (2) the mature stalks of the cannabis plant; the sterilized seeds of the plant; and fibers, oils, and other products made from the stalks and seeds.

2 Congress has granted the states some leeway in the distribution and use of medical marijuana by passing an appropriations rider preventing the Department of Justice from using taxpayer funds to prevent states from “implementing their own laws that authorize the use, distribution, possession, or cultivation of medical marijuana.” Courts have interpreted this as a prohibition on federal prosecution of state-legal activities involving medical cannabis.

3 In its report, HHS defined “abuse” to mean the “intentional, non-therapeutic use of a drug to obtain a desired psychological or physiological effect.”

4 Alcohol is not a scheduled controlled substance, but was used as a comparison because of its extensive availability and use in the U.S., which is also observed for the nonmedical use of cannabis.

5 Although the FDA has approved some drugs derived from cannabis, cannabis is not presently an FDA-approved drug.

Copyright © 2024, Sheppard Mullin Richter & Hampton LLP.
For more on Cannabis, visit the NLR Biotech, Food, Drug section.

Biden Administration Seeks to Clarify Patient Privacy Protections Post-Dobbs, Though Questions Remain

On July 8, two weeks following the Supreme Court’s ruling in Dobbs v. Jackson that invalidated the constitutional right to abortion, President Biden signed Executive Order 14076 (E.O.). The E.O. directed federal agencies to take various actions to protect access to reproductive health care services,[1] including directing the Secretary of the U.S. Department of Health and Human Services (HHS) to “consider actions” to strengthen the protection of sensitive healthcare information, including data on reproductive healthcare services like abortion, by issuing new guidance under the Health Insurance and Accountability Act of 1996 (HIPAA).[2]

The directive bolstered efforts already underway by the Biden Administration. A week before the E.O. was signed, HHS Secretary Xavier Becerra directed the HHS Office for Civil Rights (OCR) to take steps to ensure privacy protections for patients who receive, and providers who furnish, reproductive health care services, including abortions.[3] The following day, OCR issued two guidance documents to carry out this order, which are described below.

Although the guidance issued by OCR clarifies the privacy protections as they exist under current law post-Dobbs, it does not offer patients or providers new or strengthened privacy rights. Indeed, the guidance illustrates the limitations of HIPAA regarding protection of health information of individuals related to abortion services.

A.  HHS Actions to Safeguard PHI Post-Dobbs

Following Secretary Becerra’s press announcement, OCR issued two new guidance documents outlining (1) when the HIPAA Privacy Rule may prevent the unconsented disclosure of reproductive health-related information; and (2) best practices for consumers to protect sensitive health information collected by personal cell phones, tablets, and apps.

(1) HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care

In the “Guidance to Protect Patient Privacy in Wake of Supreme Court Decision on Roe,”[4] OCR addresses three existing exceptions in the HIPAA Privacy Rule to the disclosure of PHI without an individual’s authorization and provides examples of how those exceptions may be applied post-Dobbs.

The three exceptions discussed in the OCR guidance are the exceptions for disclosures required by law,[5]  for purposes of law enforcement,[6] or to avert a serious threat to health or safety.[7]

While the OCR guidance reiterates that the Privacy Rule permits, “but does not require” disclosure of PHI in each of these exceptions,[8] this offers limited protection that relies on the choice of providers whether to disclose or not disclose the information. Although these exceptions are highlighted as “protections,” they expressly permit the disclosure of protected health information. Further, while true that the HIPAA Privacy Rule itself may not compel disclosure (but merely permits disclosure), the guidance fails to mention that in many situations in which these exceptions apply, the provider will have other legal authority (such as state law) mandating the disclosure and thus, a refusal to disclose the PHI may be unlawful based on a law other than HIPAA.

Two of the exceptions discussed in the guidance – the required by law exception and the law enforcement exception – both only apply in the first place when valid legal authority is requiring disclosure. In these situations, the fact that HIPAA does not compel disclosure is of no relevance. Certainly, when there is not valid legal authority requiring disclosure of PHI, then HIPAA prohibits disclosure, as noted as in the OCR guidance.  However, in states with restrictive abortion laws, the state legal authorities are likely to be designed to require disclosure – which HIPAA does not prevent.

For instance, if a health care provider receives a valid subpoena from a Texas court that is ordering the disclosure of PHI as part of a case against an individual suspected of aiding and abetting an abortion, in violation of Texas’ S.B. 8, then that provider could be held in contempt of court for failing to comply with the subpoena, despite the fact that HIPAA does not compel disclosure.[9] For more examples on when a covered entity may be required to disclose PHI, please see EBG’s prior blog: The Pendulum Swings Both Ways: State Responses to Protect Reproductive Health Data, Post-Roe.[10]

Notably, the OCR guidance does provide a new interpretation of the application of the exception for disclosures to avert a serious threat to health or safety. Under this exception, covered entities may disclose PHI, consistent with applicable law and standards of ethical conduct, if the covered entity, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. OCR states that it would be inconsistent with professional standards of ethical conduct to make such a disclosure of PHI to law enforcement or others regarding an individual’s interest, intent, or prior experience with reproductive health care. Thus, in the guidance, OCR takes the position that if a patient in a state where abortion is prohibited informs a health care provider of the patient’s intent to seek an abortion that would be legal in another state, this would not fall into the exception for disclosures to avert a serious threat to health or safety.  Covered entities should be aware of OCR’s position and understand that presumably OCR would view any such disclosure as a HIPAA violation.

(2) Protecting the Privacy and Security of Individuals’ Health Information When Using Personal Cell Phones or Tablets

OCR also issued guidance on how individuals can best protect their PHI on their own personal devices. HIPAA does not generally protect the privacy or security of health information when it is accessed through or stored on personal cell phones or tablets. Rather, HIPAA only applies when PHI is created, received, maintained, or transmitted by covered entities and business associates. As a result, it is not unlawful under HIPAA for information collected by devices or apps – including data pertaining to reproductive healthcare – to be disclosed without consumer’s knowledge.[11]

In an effort to clarify HIPAA’s limitation to protect such information, OCR issued guidance to protect consumer sensitive information stored in personal devices and apps.[12] This includes step-by-step guidance on how to control data collection on their location, and how to securely dispose old devices.[13]

Further, some states have taken steps to fill the legal gaps to varying degrees of success. For example, California’s Confidentiality of Medical Information Act (“CMIA”) extends to “any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information.”[14] As applied, a direct-to-consumer period tracker app provided by a technology company, for example, would fall under the CMIA’s data privacy protections, but not under HIPAA. Regardless, gaps remain as the CMIA does not protect against a Texas prosecutor subpoenaing information from the direct-to-consumer app. Conversely, Connecticut’s new reproductive health privacy law,[15] does prevent a Connecticut covered entity from disclosing reproductive health information based on a subpoena, but Connecticut’s law does not apply to non-covered entities, such as a period tracker app. Therefore, even the U.S.’s most protective state privacy laws do not fill in all of the privacy gaps.

Alongside OCR’s guidance, the Federal Trade Commission (FTC) published a blog post warning companies with access to confidential consumer information to consider FTC’s enforcement powers under Section 5 of the FTC Act, as well as the Safeguards Rule, the Health Breach Notification Rule, and the Children’s Online Privacy Protection Rule.[16] Consistent with OCR’s guidance, the FTC’s blog post reiterates the Biden Administration’s goal of protecting reproductive health data post-Dobbs, but does not go so far as to create new privacy protections relative to current law.

B.  Despite the Biden Administration’s Guidance, Questions Remain Regarding the Future of Reproductive Health Privacy Protections Post-Dobbs

Through E.O. 14076, Secretary Becerra’s press conference, OCR’s guidance, and the FTC’s blog, the Biden Administration is signaling that it intends to use the full force of its authorities – including those vested by HIPAA – to protect patient privacy in the wake of Roe.

However, it remains unclear how this messaging will translate to affirmative executive actions, and how successful such executive actions would be. How far is the executive branch willing to push reproductive rights? Would more aggressive executive actions be upheld by a Supreme Court that just struck down decades of precedent permitting access to abortion? Will the Biden Administration’s executive actions persist if the administration changes in the next Presidential election?

Attorneys at Epstein Becker & Green are well-positioned to assist covered entities, business associates, and other companies holding sensitive reproductive health data understand how to navigate HIPAA’s exemptions and interactions with emerging guidance, regulations, and statutes at both the state and Federal levels.

Ada Peters, a 2022 Summer Associate (not admitted to the practice of law) in the firm’s Washington, DC office and Jack Ferdman, a 2022 Summer Associate (not admitted to the practice of law) in the firm’s Boston office, contributed to the preparation of this post. 

[1] 87 Fed. Reg. 42053 (Jul. 8, 2022), https://bit.ly/3b4N4rp.

[2] Id.

[3] HHS, Remarks by Secretary Xavier Becerra at the Press Conference in Response to President Biden’s Directive following Overturning of Roe v. Wade (June 28, 2022), https://bit.ly/3zzGYsf.

[4] HHS, Guidance to Protect Patient Privacy in Wake of Supreme Court Decision on Roe (June 29, 2022),  https://bit.ly/3PE2rWK.

[5] 45 CFR 164.512(a)(1)

[6] 45 CFR 164.512(f)(1)

[7] 45 CFR 164.512(j)

[8] Id.

[9] See Texas S.B. 8; e.g., Fed. R. Civ. Pro. R.37 (outlining available sanctions associated with the failure to make disclosures or to cooperate in discovery in Federal courts), https://bit.ly/3BjX4I2.

[10] EBG Health Law Advisor, The Pendulum Swings Both Ways: State Responses to Protect Reproductive Health Data, Post-Roe (June 17, 2022), https://bit.ly/3oPDegl.

[11] A 2019 Kaiser Family Foundation survey concluded that almost one third of female respondents used a smartphone app to monitor their menstrual cycles and other reproductive health data. Kaiser Family Foundation, Health Apps and Information Survey (Sept. 2019), https://bit.ly/3PC9Gyt.

[12] HHS, Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone1 or Tablet (last visited Jul. 26, 2022), https://bit.ly/3S2MNWs.

[13] Id.

[14] Cal. Civ. Code § 56.10, Effective Jan. 1, 2022, https://bit.ly/3J5iDxM.

[15] 2022 Conn. Legis. Serv. P.A. 22-19 § 2 (S.B. 5414), Effective July 1, 2022, https://bit.ly/3zwn95c.

[16] FTC, Location, Health, and Other Sensitive Information: FTC Committed To Fully Enforcing the Law Against Illegal Use and Sharing of Highly Sensitive Data (July 11, 2022), https://bit.ly/3BjrzNV.

Article By Alaap B. Shah, Allen R. Killworth, Marylana Saadeh Helou, and Devon Minnick of Epstein Becker & Green, P.C.

For more privacy-related legal news, click here to visit the National Law Review.

©2022 Epstein Becker & Green, P.C. All rights reserved.

U.S. Supreme Court Agrees with HHS Payment Methodology for Disproportionate Share Hospitals

The fight about how Medicare compensates disproportionate share hospitals (“DSH”) is one of the longest-running reimbursement disputes of recent years, and it has generated copious work for judges around the country.  In a 5-4 decision, the U.S. Supreme Court settled one piece of the conflict:  the counting of “Medicare-entitled” patients in the Medicare fraction of the “disproportionate-patient percentage.”  Becerra v. Empire Health Found., 597 U.S. ___ (2022) (slip op.).  The Supreme Court concluded that the proper calculation, under the statute, counts “individuals ‘entitled to [Medicare] benefits[,]’ . . . regardless of whether they are receiving Medicare payments” for certain services.  Id. (slip op., at 18) (emphasis added).

DSH payments are made to hospitals with a large low-income patient mix.  “The mark-up reflects that low-income individuals are often more expensive to treat than higher income ones, even for the same medical conditions.”  Id. (slip op., at 3).  The federal government thus gives hospitals a financial boost for treating a “disproportionate share” of the indigent population.

The DHS payment depends on a hospital’s “disproportionate-patient percentage,” which is basically the sum of two fractions: the Medicare fraction, which reflects what portion of the Medicare patients were low-income; and the Medicaid fraction, which reflects what portion of the non-Medicare patients were on Medicaid.  Historically, HHS calculated the Medicare fraction by including only patients actually receiving certain Medicare benefits for their care.  In 2004, however, HHS changed course and issued a new rule.  It counted, in the Medicare fraction, all patients who were eligible for Medicare benefits generally (essentially, over 65 or disabled), even if particular benefits were not actually being paid.  For most providers, that change resulted in a pay cut.

The new rule sparked several lawsuits.  Hospitals challenged HHS’s policy based on the authorizing statutory language.  These hospitals essentially argued in favor of the old methodology.  Appeals led to a circuit split, with the Sixth and D.C. Circuits agreeing with HHS, and the Ninth Circuit ruling that HHS had misread the statute.

The Supreme Court has now resolved the issue.  The majority opinion, authored by Justice Kagan, sided with HHS.  The majority concluded that, based on the statutory language, “individuals ‘entitled to [Medicare] benefits’ are all those qualifying for the program, regardless of whether they are receiving Medicare payments for part or all of a hospital stay.”  Id. (slip op., at 18).  The majority also explained that if “entitlement to benefits” bore the meaning suggested by the hospital, “Medicare beneficiaries would lose important rights and protections . . . [and a] patient could lose his ability to enroll in other Medicare programs whenever he lacked a right to [certain] payments for hospital care.”  Id. (slip op., at 11).

Justice Kavanaugh dissented, joined by Chief Justice Roberts and Justices Gorsuch and Alito.  The dissent argued that those lacking certain Medicare coverage should be excluded from HHS’s formula, based on “the most fundamental principle of statutory interpretation: Read the statute.”  Id. (Kavanaugh, J., dissenting) (slip op., at 2).  According to the dissent, the majority’s ruling will also restrict hospitals’ ability to provide care to underprivileged communities.  “HHS’s misreading of the statute has significant real-world effects: It financially harms hospitals that serve low-income patients, thereby hamstringing those hospitals’ ability to provide needed care to low-income communities.”  Id. (slip op., at 4).

There was one point of agreement among the majority and dissenting justices: the complexity of the statutory language for DSH payments.  Echoing the thoughts often held by healthcare advisors, Justice Kagan found the statutory formula to be “a mouthful” and “a lot to digest.”  Id. (majority opinion) (slip op., at 4).  And in his dissent, Justice Kavanaugh called the statute “mind-numbingly complex,” and resorted to an interpretation that he found “straightforward and commonsensical”: that patients cannot be “simultaneously entitled and disentitled” to Medicare benefits.  Id. (Kavanaugh, J., dissenting) (slip op., at 1, 3).

Article By Jeffrey DeBeer and Keith Bradley of Squire Patton Boggs (US) LLP

For more Supreme Court and litigation legal news, click here to visit the National Law Review.

© Copyright 2022 Squire Patton Boggs (US) LLP

Senate Bill to Revise and Reassess GRAS Program

  • On May 27, Senator Edward J. Markey (D-Mass.), alongside Senators Richard Blumenthal (D-Conn.) and Elizabeth Warren (D-Mass)., introduced the Ensuring Safe and Toxic-Free Foods Act, which is described as “comprehensive legislation that ensures the Department of Health and Human Services (HHS) fulfills its responsibility to promote the health and well-being of American families by directing the Food and Drug Administration (FDA) to strengthen the Substances Generally Recognized as Safe (GRAS) Rule, which exempts companies from seeking pre-market approval for food chemicals.” A summary of the legislation is available here.
  • The legislation would prohibit manufacturers from independently designating substances as GRAS (or manufacturing or selling food containing those substances) without supplying notice and supporting information to the Secretary of HHS. Substances that are carcinogenic or that have evidence of reproductive or developmental toxicity would be prohibited from receiving a GRAS designation. Further, the legislation would require that a GRAS Notice and all supporting information be publicly available online and subject to a 90-day review period.
  • The legislation would also direct the Secretary to create an Office of Food Chemical Safety Reassessment within FDA’s CFSAN. The new office would be responsible for reassessing the safety of existing food additives, food contact substances, color additives, and substances that had already received GRAS status. The office would be required to reassess at least 10 substances (or class of substances) once every three years. As included in the bill, the first 10 substances to be reviewed would be:
    • Perfluoroalkyl substances and polyfluoroalkyl substances
    • Ortho-phthalates
    • The class of bisphenols
    • Titanium dioxide
    • Potassium bromate
    • Perchlorate
    • Butylated hydroxyanisole (BHA)
    • Butylated hydroxytoluene (BHT)
    • Brominated vegetable oil (BVO)
    • Propyl paraben
  • With regard to the legislation, Senator Markey has said “The FDA too often falls short on their responsibility to promote food safety, highlighted recently by the baby formula crisis where FDA’s deputy commissioner for food policy did not learn about the whistleblower complaint for four months. It is long past time we revise existing food safety measures and close the loophole allowing manufacturers to self-regulate what new substances can enter our food supply.”

Article By Food and Drug Law at Keller and Heckman of Keller and Heckman LLP

For more biotechnology, life sciences, food and drug law news, click here to visit the National Law Review.
© 2022 Keller and Heckman LLP

Medicare Advantage: OIG Report Finds Improper Denials

On April 27,2022, the Office of Inspector General of the Department of Health and Human Services (OIG), Office of Evaluations and Inspections, issued a report on the performance of Medicare Advantage Organizations (MAOs) in approving care and payment consistently with Medicare coverage rules. In its review, OIG found that 13% of MAO denials of prior authorization requests should have been approved and that 18% of payment requests from providers were improperly denied. OIG also made a number of recommendations to the Center of Medicare and Medicaid Services (CMS) with respect to its oversight of MAOs.

Purpose and Method of the Study

OIG undertook the study to assess whether MAOs are appropriately providing access to medically necessary services and making payment to providers consistently with Medicare coverage rules. Since CMS pays MAOs principally by capitation, MAOs have a potential incentive to increase their profits by denying access to care of beneficiaries or by denying payments to providers. CMS’s annual audits of MAOs have indicated some persistent problems related to inappropriate denials of service and payment. As enrollment in Medicare Advantage continues to grow, OIG viewed it as important to ensure that medically necessary care is provided and that providers are paid appropriately.

OIG conducted the review by randomly selecting 250 denials of prior authorization requests and 250 payment request denials by 15 of the largest MAOs during a week in June of 2019. OIG had coding experts review the cases and had physician reviewers examine the medical records. Based on these reviews, OIG estimated the rates at which MAOs issued denials of services or payment that met Medicare coverage rules and MAO billing rules. OIG also examined the reasons for the inappropriate denials and the types of services involved.

Standards

MAOs must cover items and services included in fee-for-service Medicare, and may also elect to include additional items and services. MAOs are required to follow Medicare coverage rules that define what items and services are covered and under what circumstances. As the OIG states in the Report, MAOs “may not impose limitations – such as waiting periods or exclusions from coverage due to pre-existing conditions — that are not present in original Medicare.” In following Medicare coverage rules, MAOs are permitted to use additional denial criteria that were not developed by Medicare when they are deciding to authorize or pay for a service, provided the clinical criteria are “no more restrictive than original Medicare national and local coverage policies.” MAOs may also have their own billing and payment procedures, provided all providers are paid accurately, timely, and with an audit trial.

MAOs utilize prior authorization requests before care is furnished to manage care and payment requests from providers to approve payment for services provided. Beneficiaries and providers may appeal such decisions, and beneficiaries and providers are successful in many of the appeals (for a one-time period, as many as 75% of the appeals were granted).

Findings

Prior Authorization Denials

In the study, OIG found that 13% of prior authorization denials were for services that met Medicare coverage rules, thus delaying or denying care that likely should have been approved. MAOs made many of the denials by applying MAO clinical criteria that are not part of Medicare coverage rules. As an example, a follow-up MRI was denied for a beneficiary who had an adrenal lesion that was 1.5 cm in size, because the MAO required the beneficiary to wait one year for such lesions that are under 2 cm in size. OIG’s experts found such a requirement was not contained in Medicare coverage rules and was therefore inappropriate. Rather, the MRI was medically necessary to determine if the lesion was malignant.

OIG also found instances where MAOs requested further documentation that led to a denial of care when it was not furnished, as such additional documentation was not required to determine medical necessity. OIG’s reviewers found that either sufficient clinical information was in the medical record to authorize the care or the documentation requested was already contained in the medical record.

Payment Denials

OIG found in the study that 18% of payment denials fully met Medicare coverage rules and MAO payment policies. As a result of these denials, payment was delayed or precluded for services that should have been paid.

OIG found that common reasons for these inappropriate payment denials were human error in conducting manual reviews (for example, the reviewer not recognizing that a skilled nursing facility (SNF) was an in-network provider), and inaccurate programming.

OIG also found that advanced imaging services (including MRIs and CT scans), stays in post-acute facilities (including SNFs and inpatient rehabilitation facilities), and injections were the services that were most prominent in the inappropriate denials that should have been authorized for care and payment in accordance with Medicare coverage rules.

OIG Recommendations

Based on the study, OIG recommended that:

  • CMS should issue new guidance on both the appropriate and inappropriate use of MAO clinical criteria that are not contained in Medicare coverage rules. In particular, OIG recommended that CMS should more clearly define what it means when it states that MAO clinical criteria may not be “more restrictive” than Medicare coverage rules.

  • CMS should update its audit protocols to address issues identified in the report such as MAO use of clinical criteria and/or examine particular service types that led to more denials. OIG suggests CMS should consider enforcement actions for MAOs that demonstrate a pattern of inappropriate payment denials.

  • CMS should direct MAOs to identify and address the reasons that led to human errors.

CMS reviewed the OIG report and concurred with each of OIG’s recommendations. Those recommendations can affect future coverage decisions as well as utilization of prior authorization tools. AHIP, a national association of health care insurers, challenged the OIG’s sample size as inappropriate to support the agency’s conclusions, and defended prior authorization tools.

Takeaways

Given CMS’s concurrence with the report’s findings, we recommend that MAOs track these issues over the next several months in advance of CMS’s Final Rate Announcement for CY 2024.

MAOs should also be aware of potential False Claims Act (FCA) exposure in this area. FCA exposure can arise when a company seeks and receives payments despite being out of compliance with the basic terms for its participation. If an MAO knew it was denying claims that should be paid because they would be covered under traditional Medicare, but the MAO was still collecting full capitation, it is possible that a whistleblower or the government may pursue FCA liability. This risk warrants attention because whistleblowers can bring qui tam suits under the FCA, with resulting high costs for defense and potentially high penalties if a violation is proven (or settled to avoid further litigation). That said, an FCA suit based on this theory would raise serious questions, including whether any non-payment actually met the FCA’s “knowingly” standard (which includes reckless disregard), or whether any non-payment met the materiality threshold necessary to demonstrate a violation of the FCA.

Article By Alexis Finkelberg Bortniker, C. Frederick Geilfuss II, Matthew D. Krueger, Maureen F. Kwiecinski, and Kinal M. Patel at Foley & Lardner LLP

For more health law and managed care news, click here to visit the National Law Review.

© 2022 Foley & Lardner LLP

NCLC Tells FCC “Callers can easily avoid making calls to telephone numbers that have been reassigned….” – But Is it That Simple?

The National Consumer Law Center is at it again.

In response to the Department of Health and Human Services’ recent letter to the FCC seeking clarity on whether the TCPA applies to texts it would like to make to alert Americans of certain medical benefits, the NCLC–an organization that nominally represents consumers, but really seems to represent the interests of the plaintiff’s bar–has filed a comment.

Unsurprisingly, the NCLC takes the position that HHS needs no relief. Government contractors are covered by the TCPA–it says–but the texts at issue in HHS’ letter are consented, so they’re fine. (Although it later clarifies that only “many” but not “all” of the enrollees whom HHS wishes to call have “probably” given their telephone numbers as part of written enrollment agreements–so perhaps not.)

Hmmmm. Feels like a trap. But we’ll ignore that for now.

The critical piece here though is what the NCLC–very powerful voice, for better or (often) worse–is telling the FCC about the effectiveness of the new Reassigned Number Database:

3. Callers can easily avoid making calls to telephone numbers that have been reassigned to someone other than the enrollee

A primary source of TCPA litigation risk has been calls inadvertently made to numbers that are no longer assigned to the person who provided consent. Courts have held the caller liable for making automated calls to a cell phone number that has been reassigned to someone other than the person who provided consent to be called.29

The Commission has implemented the Reassigned Number Database specifically to address that risk of liability, as well as to limit the number of unwanted robocalls:

The FCC’s Reassigned Numbers Database (RND) is designed to prevent a consumer from getting unwanted calls intended for someone who previously held their phone number. Callers can use the database to determine whether a telephone number may have been reassigned so they can avoid calling consumers who do not want to receive the calls. Callers that use the database can also reduce their potential Telephone Consumer Protection Act (TCPA) liability by avoiding inadvertent calls to consumers who have not given consent for the call.31

The database has been fully operational since November 1, 2021. It provides a means for callers to find out before making a call if the phone number has been reassigned. If the database wrongly indicates that the number has not been reassigned, so long as the caller has used the database correctly, no TCPA liability will apply for reaching the wrong party. 32 Thus, as long as HHS’s callers make use of this simple, readily available database, they can be confident that they will not be held liable for making calls to reassigned numbers.

While I steadfastly support both the creation and use of the RND, it also must be observed that there are myriad problems with the RND as it currently exists. Most importantly, the data sets in the RND are only comprehensive through October 1, 2021 and spotty back to February, 2021 (beyond which there are no records!)

So for folks like HHS–and servicers of mortgages, and retailers, and credit card companies–who want to reach customers who provided their contact information before 10/2021 or 2/2021 the RND is simply not helpful.

The NCLC’s over simplification of a critical issue is not surprising. They once told Congress that the TCPA is “Straightforward and Clear” after all.

Full comment here: NCLC Comments-c3

We’ll keep an eye on developments on HHS’ letter and all the FCC goings ons.

Article By Eric J. Troutman of Troutman Firm

For more TCPA and communications legal news, click here to visit the National Law Review.

© 2022 Troutman Firm

COVID-19 Healthcare Enforcement Actions to Increase in 2022 and Beyond

The Department remains committed to using every available federal tool—including criminal, civil, and administrative actions—to combat and prevent COVID-19 related fraud. We will continue to hold accountable those who seek to exploit the pandemic for personal gain, to protect vulnerable populations, and to safeguard the integrity of taxpayer-funded programs”

US Attorney General Merrick Garland – March 10, 2022, Remarks

The Biden Administration, US Department of Justice (DOJ), US Department of Health and Human Services Office of Inspector General (HHS-OIG), and other federal agencies have prioritized prosecuting COVID-19-related fraud since the pandemic began. Although the United States appears to be finally emerging from the pandemic, the government’s pandemic-related enforcement actions are here to stay for the foreseeable future. DOJ has made clear that the government’s COVID-19 enforcement efforts will accelerate, with a more significant focus on complex healthcare fraud cases and civil actions under the False Claims Act (FCA). As the federal government continues to devote additional resources towards its pandemic-related enforcement efforts, healthcare companies, hospital systems and providers should prepare for increased scrutiny.

Additional Resources Devoted to COVID-19 Fraud Enforcement Efforts

DOJ and other federal agencies have already devoted an unprecedented amount of resources to investigating and prosecuting pandemic-related fraud cases. These extensive efforts have led to immediate results. To date, DOJ has brought pandemic-related criminal charges against more than 1,000 individuals with the total alleged fraud losses exceeding $1 billion, and has seized more than $1.2 billion in fraudulently obtained relief funds.

DOJ’s pandemic-enforcement efforts show no sign of slowing down anytime soon. Less than a year after US Attorney General (AG) Merrick Garland established the COVID-19 Fraud Enforcement Task Force, the Biden administration announced that DOJ would appoint a chief prosecutor to expand on the Task Force’s “already robust efforts,” to focus on “most egregious forms of pandemic fraud” and to target particularly complex fraud schemes.

On March 10, 2022, DOJ announced that Kevin Chambers has been appointed as DOJ’s director for COVID-19 fraud enforcement. During his introductory remarks, Chambers said that DOJ would be “redoubling [its] efforts to identify pandemic fraud, to charge and prosecute those individuals responsible for it and whenever possible, to recover funds stolen from the American people.” He also indicated that DOJ would use “new tools” it has developed since the start of the pandemic to investigate such fraud.

In a March 2, 2022, speech before the American Bar Association’s Annual National Institute on White Collar Crime, AG Garland also announced that the Biden Administration will seek an additional $36.5 million in the 2022 budget for DOJ to “bolster efforts to combat pandemic-related fraud.” As evidence of this point, DOJ plans to hire 120 new prosecutors and 900 new Federal Bureau of Investigation agents who will focus on white-collar crime.

DOJ and HHS-OIG to Increasingly Focus on FCA Cases

For the past two years, officials from DOJ and HHS-OIG have identified civil and criminal healthcare fraud relating to COVID-19 as a high priority. As the effects of the pandemic subside, COVID-19-related civil enforcement actions targeting healthcare providers and healthcare companies seem set to increase.

During remarks at the Federal Bar Association’s annual Qui Tam Conference in February 2022, Gregory Demske, chief counsel to the inspector general for HHS-OIG, emphasized that COVID-19 remains a key enforcement priority. Demske indicated that HHS-OIG is focused on the use of COVID-19 to bill for medically unnecessary services, and fraud in connection with HHS’s Provider Relief Fund (PRF) and Uninsured Relief Fund. Demske also confirmed that HHS-OIG remains intensely focused on fraud in connection with telehealth services, the use of which increased exponentially during the pandemic. And, in March 2022, AG Garland reiterated that DOJ will use “every available federal tool—including criminal, civil, and administrative actions—to combat and prevent COVID-19 related fraud.”

The majority of pandemic-related healthcare enforcement actions to date have been criminal prosecutions involving truly blatant instances of fraud and abuse. Going forward, civil and administrative actions likely will be used to pursue cases that turn on lower mens rea requirements or involve more complex regulatory issues. These civil actions will include qui tam actions filed by whistleblowers, as well as FCA cases initiated directly by the DOJ.

In 2021, DOJ recovered more than $5 billion in connection with FCA cases involving the healthcare industry. Given the unprecedented amount of government funds expended to combat the COVID-19 pandemic, DOJ and HHS-OIG will undoubtedly rely on the FCA to maximize the government’s financial recovery. DOJ has already reached FCA settlements in several Paycheck Protection Program cases. It is only a matter of time before we see similar FCA investigations, complaints and settlements focused on relief funding to healthcare providers.

Pandemic-Related Healthcare Priorities

HHS’s PRF

The PRF was created as part of the Coronavirus Aid, Relief and Economic Security (CARES) Act to provide direct payments to “eligible health care providers for health care-related expenses [and] lost revenues that are attributable to coronavirus.” More than $140 billion has been disbursed to hospitals and healthcare providers under the PRF, which is administered by the Health Resources & Services Administration (HRSA).

Payments under the PRF are subject to specific terms and conditions. To retain PRF disbursements, providers must attest to “ongoing compliance” with these requirements and acknowledge that their “full compliance with all Terms and Conditions is material to the Secretary’s decision to disburse funds.” Notwithstanding ongoing concerns and confusion regarding the PRF program requirements, any noncompliance with the terms and conditions could result in criminal, civil and administrative enforcement actions. As recently as March 3, 2022, AG Garland identified fraud in connection with the PRF as a key DOJ enforcement priority.

To date, the Healthcare Fraud Unit of DOJ’s Criminal Division has already brought criminal charges against nine individuals for fraud relating to the PRF. These criminal cases, however, have almost exclusively focused on egregious allegations of fraud and abuses, such as misappropriating PRF disbursements and using the money for personal expenses. For example, in September 2021, DOJ charged five individuals with using PRF payments to gamble at Las Vegas casinos and purchase luxury cars.

DOJ, however, has long indicated that the FCA will also play a “significant role” in DOJ’s PRF enforcement efforts. It is now just a matter of time before such civil investigations and settlements emerge.

HRSA’s stated oversight plan includes post-payment analysis and review to determine whether HHS distributed PRF payments to eligible providers in the correct amounts; audits to assess whether recipients used the funds in accordance with laws, guidance, and terms and conditions; and the recovery of overpayments and unused or improperly used payments. Among other things, HRSA and HHS-OIG likely will evaluate ownership changes, double counting reimbursed expenses and losses, and compliance with the balanced billing requirements.

PRF oversight and enforcement actions have been delayed partly because of program complexities and extended reporting timelines. For example, the first report from PRF recipients on use of funds was not due until the end of 2021. Depending on the date funds were received, PRF recipients may have no reporting obligations through 2023. Entities that expended more than $750,000 in federal awards, including PRF payments, also must obtain an independent audit examining their financial statements; internal controls; and compliance with applicable statutes, regulations and program requirements. These independent audits of PRF payments must be submitted to the Federal Audit Clearinghouse, for nonprofit organizations, or the HRSA Division of Financial Integrity, for for-profit “commercial” organizations. Recipients also may be subject to separate audits by HHS, HHS-OIG or the Pandemic Response Accountability Committee to review copies of records and cost documentation and to ensure compliance with the applicable terms and conditions.

Finally, DOJ and HHS-OIG have increasingly relied on sophisticated data analytics to drive their healthcare enforcement efforts generally. Now that the first round of reports containing specific PRF data certifications are available to HRSA and HHS-OIG, we expect to see the use of such analytics, in conjunction with all the other available information, in connection with PRF enforcement.

Telehealth

Telehealth use expanded exponentially during the pandemic. A March 2022 HHS-OIG report showed that during the first year of the pandemic, more than 28 million Medicare beneficiaries (approximately 43% of all Medicare beneficiaries) used telehealth services—a “dramatic increase from the prior year” in which only 341,000 beneficiaries used telehealth. This increase was largely the result of HHS temporarily waiving statutory and regulatory requirements related to telehealth to allow Medicare beneficiaries to obtain expanded telehealth services.

Telehealth has been at the forefront of DOJ’s healthcare enforcement efforts for years now. For example, DOJ’s 2021 nationwide healthcare enforcement action included criminal charges against dozens of individuals for telehealth fraud schemes involving more than $1.1 billion in alleged loses. The majority of these telehealth enforcement actions to date have involved the use of telehealth to engage in traditional fraud healthcare schemes, such as illegal kickbacks and billing for medically unnecessary services and equipment.

DOJ, however, has increasingly pursued criminal enforcement actions directly related to the telehealth waivers HHS issued in response to the pandemic. For example, in November 2021, a defendant was sentenced to 82 months in prison for participating in a $73 million telehealth fraud scheme. The defendant owned laboratories that provided genetic testing and had paid his coconspirators to arrange for telehealth providers to order medically unnecessary genetic tests. The telehealth providers were not actually treating the beneficiaries, did not use the test results and often never even conducted the telemedicine consultation. Although this was primarily a traditional Anti-Kickback Statute/medical necessity case, DOJ also charged the defendant with using the COVID-19-related telehealth waivers to submit more than $1 million in false claims for sham telemedicine visits.

Similar criminal prosecutions and civil actions relating to the expanded telehealth waivers and sham telehealth encounters can be expected in the future. DOJ and HHS-OIG will likely focus on telehealth visits that resulted in claims for services and equipment with particularly high reimbursement rates, such as genetic testing and durable medical equipment. DOJ and HHS-OIG likely will use data analytics to focus on instances in which telehealth services were billed by providers with whom the beneficiary did not previously have a relationship.

Improper Billing Schemes

DOJ has also pursued criminal cases involving traditional healthcare fraud schemes that sought to take advantage of the COVID-19 pandemic. For example, in May 2021, DOJ announced criminal charges against numerous individuals who were improperly bundling COVID-19 tests with other more expensive laboratory tests, such as genetic testing, allergy testing and respiratory pathogen panel testing. DOJ has likewise pursued criminal cases in which defendants improperly used COVID-19 “emergency override” billing codes to circumvent preauthorization requirements and bill Medicare for expensive medications and treatments. Any improper billing schemes that relate to the pandemic will continue to be a focus of criminal and civil enforcement efforts going forward.

Key Takeaways and Recommendations

DOJ, HHS-OIG and other federal agencies remain focused on pursuing healthcare fraud relating to the COVID-19 pandemic. The best way for hospitals, health systems and other healthcare companies and providers to prepare for this increased enforcement activity and scrutiny is to ensure that they have a robust compliance program in place.

There is no one-size-fits-all approach to compliance, but companies can take several proactive and practical steps to minimize their enforcement risk:

  • Monitor federal and state regulatory and statutory changes. The rules, regulations and guidance relating to the COVID-19 pandemic, including for the PRF and expanded telehealth waivers, have repeatedly changed over the past two years and continue to evolve. Monitoring such changes will not only help prevent enforcement actions, but a company’s reasonable and good faith efforts to interpret and follow such rules and regulations can be a powerful defense should an investigation arise, as discussed in connection with the Allergan case, above. Further to that point, where regulatory requirements and associated guidance is ambiguous, a good documentary record of the basis for your entity’s interpretation of the rules is critical.
  • Incorporate data analytics into your compliance program. DOJ and HHS-OIG continue to rely heavily on sophisticated data analytics, including artificial intelligence, to identify and prosecute fraud. In March 2022, AG Garland emphasized DOJ’s use of “big data” to identify payment anomalies that are indicative of fraud. Healthcare companies already have access to vast amounts of data that they can and should use to proactively identify errors, monitor risk areas and address any potential misconduct.
  • Adapt your compliance program and internal controls, as appropriate, to support PRF compliance, reports and audits. Recipients should continue to practice good compliance hygiene and maintain contemporaneous records regarding the receipt and spending of federal funds. Doing so may involve implementing additional systems to track spending, recovery and relief to avoid overlapping use of funds among relief programs, or consulting with grant accounting and compliance advisors to augment existing infrastructure. Recipients also should periodically review policies, procedures and controls, particularly following major updates to program requirements and interpretations.
  • Ensure the accuracy of required PRF reports, certifications and submissions. Particularly in light of ongoing political pressure, HRSA and HHS-OIG likely will conduct extensive oversight of the PRF to identify potential errors, overpayments and improper use of funds. Recipients should carefully review guidance and instructions to avoid inadvertent errors and misstatements on all submissions. Recipients may consider revisiting prior submissions underlying significant disbursements to identify interpretative issues or compliance concerns that warrant additional supporting documentation or disclosure.
  • Carefully consider the implications before entering into arrangements with other parties. The biggest risk to healthcare companies often comes from those with whom they do business. Compliance programs should focus heavily on reducing the risk of entanglement with bad actors.
  • Be diligent in the design and oversight of marketing strategies. Healthcare companies and providers should regularly review their marketing strategies to ensure total transparency and compliance (both historic and prospective) with applicable state and federal anti-kickback statutes. Companies should confirm that patients are reached through appropriate channels. Although issues relating to COVID-19 may be the impetus for a government investigation, violations of the Anti-Kickback Statute frequently result in larger recoveries for the government.
  • Proactively examine coding and billing practices. Providers should immediately review and revisit their coding and billing practices to determine if their practices involved bundling COVID-19 testing with other claims, the use emergency override billing codes or billing for other COVID-19 related services with high reimbursement rates. There is a strong likelihood that the DOJ will review the claims data for any providers with statistically significant use of these billing and coding practices, particularly when the providers are located in geographical areas where the DOJ’s Healthcare Fraud Strike Force and HHS-OIG’s Medicare Fraud Strike Force operate.

Article By Julian L. André, Benton Curtis, and Dawn R. Helak of McDermott Will & Emery

For more health law legal news, click here to visit the National Law Review.

© 2022 McDermott Will & Emery

HIPAA Enforcement Continues Under Right of Access Initiative

On March 28, 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of two additional cases as part of OCR’s HIPAA Right of Access Initiative.

The Right of Access Initiative was launched by OCR in 2019 “to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule” as explained by OCR. In the March 28 announcement, OCR indicated its continuing commitment to enforce compliance with the HIPAA Rules, including the “foundational” Right of Access provision. With the two most recent cases, there have now been 27 investigations and settlements under the Right of Access Initiative (see full chart below).

Nearly all of the investigations in the Right of Access Initiative involve a single individual unable to obtain a copy of some or all of their protected health information from a health care provider or to do so within the timeframe required or in accordance with fees permitted by the HIPAA Privacy Rule. In some cases, additional issues found during the investigation, such as failure to have conducted a HIPAA risk assessment or lack of HIPAA policies, are part of the settlement.  In all cases, in addition to the monetary penalty, the settlement has included a Corrective Action Plan imposing various obligations, such as policy development, training, and mandatory reporting to OCR.

The Right of Access Initiative remains one of the most active areas of HIPAA enforcement. In its most recent Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance, OCR noted that right of access was the third most common issue of complaints resolved. Moreover, the Right of Access Initiative coordinates with the ONC 2020-2025 Federal HIT Strategic Plan and the goal of “Providing patients and caregivers with more robust health information.” It is a core tenant of the Federal HIT Strategic Plan that access to health information will “better support person-centered care and patient empowerment.”

Article By Allen R. Killworth and Zeina Abu-Hijleh of Epstein Becker & Green, P.C.

For more health law legal news, click here to visit the National Law Review.

©2022 Epstein Becker & Green, P.C. All rights reserved.

HHS OIG Signs Off on Substance Use Recovery Incentive Program

On March 2, 2022, the Department of Health and Human Services (“HHS”) Office of the Inspector General (the “OIG”) issued a new advisory opinion (“AO 22-04”) related to a program through which the Requestor would provide certain individuals access to digital contingency management (“CM”) and related tools to treat substance use disorders (“Program”).  The OIG advised that it would not impose administrative sanctions under the Anti-Kickback Statute (“AKS”) or the Beneficiary Inducements Civil Monetary Penalty Law (“CMPL”).

The Requestor, a digital health company, offers a Program that uses smartphone and smart debit card technology to implement CM for individuals with substance use disorders, addressing aspects of these disorders “in ways that conventional counseling and medications often cannot.” The Requestor makes this technology available to individuals who meet certain requirements through contracts with a variety of entities, such as health plans, addiction treatment providers, employee assistance programs, research institutions, and other treatment providers (“Customers”).

Individuals (‘Members”) are Customer- or self-referred, and are subject to a structured interview using the American Society of Addiction Medicine Continuum Triage tool before participation in the Program. The Requestor’s enrollment specialist, under the guidance of a licensed clinical supervisor, determines the type of services and frequency of recovery coaching using an evidence-based, automated algorithm. The Program technology establishes the schedule of expected target behavioral health events, objectively validates whether each expected event has occurred, and, if it has, promptly disburses the exact, protocol-specified incentive to the Member, using (where appropriate) a progressive reinforcement schedule.

The Program is not limited to treatments or federally reimbursable services; it also includes, among other features, support groups, medication reminders, and appointment attendance verification. For those that do include federally reimbursable services, the Requestor advised that such services may be furnished by a Customer. Incentives from the Program are provided to Members via a “smart debit card.” The card includes “abuse and anti-relapse protections (e.g., it cannot be used at bars, liquor stores, casinos, or certain other locations nor can it be used to convert credit to cash at ATMs or gas stations)”, and allows the Requestor to monitor use. Incentives are capped at $200/month and $599/year; individual incentives are typically relatively small, at $1-$3.

The Requestor receives fees from Customers on either a flat monthly basis, per eligible, active Member, or a pay-for-performance model, in which Requestor is paid upon a Member achieving certain agreed-upon targets for abstinence. The Requestor certified that the aggregate fees are consistent with fair market value and do not vary based on the volume or value of business generated under federal health care programs. Instead, fees are based on the service configurations being purchased and the intensity of behavioral targets that are planned for each Member, as well as whether a member is low- or high-risk, and in or out of treatment.

OIG concluded that two stream of remuneration potentially implicate the AKS and CMPL.  First, Customers pay Requestor a fee to provide services, some of which could incentivize a Member to receive a federally billable service. Second, some of the fees Customers pay to Requestor get passed on to Members as CM Incentives for achieving certain behavioral health goals, some of which may involve services that could be billable to Federal health care programs (e.g., a counseling session) by a particular provider or supplier, which could be a Customer. OIG noted its longstanding concerns relating to the offer of incentives intended to induce beneficiaries to obtain federally reimbursable items and services, as such incentives could present significant risks of fraud and abuse.

The OIG concluded that the Program presents a minimal risk of fraud and abuse and declined to impose sanctions, providing four justifications –

  1. The Requestor certified that the Program is based in research, and provided evidence that CM is a “highly effective, cost-efficient treatment for individuals with substance use disorders.” Therefore, the OIG decided that, taken together with the other safeguards present in the Arrangement, the incentives in the Requestor’s Program serve as “part of a protocol-driven, evidence-based treatment program rather than an inducement to seek, or a reward for having sought, a particular federally reimbursable treatment.”
  2. The incentives offered through the Program have a relatively low value and a cap, and largely are unrelated to any federally payable services, especially as the Requestor is not enrolled in and does not bill to federal health care programs for Program services. Therefore, the OIG determined that the risk of the incentives “encouraging overutilization of federally reimbursable services is low.”
  3. The Requestor’s Customer base is not limited to entities that have an incentive to induce receipt of federally reimbursable services. While the OIG acknowledged that there may be instances where an incentive may be given for receiving a federally billable service, the fees do not vary based on volume or value of any federally reimbursable services, and the Customers do not have control of the Program. Therefore, the OIG determined that the risk is low an entity would become a Customer to “generate business or reward referrals.”
  4. Although the incentives loaded onto a smart debit card function as cash equivalents, the OIG found the safeguards included in the Arrangement sufficient to mitigate fraud and abuse concerns. The Requestor, which does not bill federal health care programs or have an incentive to induce overutilization, determines what services an individual needs and what incentives are attached. Additionally, the smart debit card has “anti-relapse protections”, which can signal possible need for intervention. Therefore, the OIG concluded that the remuneration in the form the smart debit card is sufficiently low risk.

AO 22-04 reflects HHS’s continued aims to increase flexibility around substance use disorder treatments.  Just two weeks before, HHS announced two grant programs, totaling $25.6 million, to expand access to medication-assisted treatment for opioid use disorder and prevent the misuse of prescription drugs. In a press release, HHS Secretary Xavier Becerra is quoted as saying, “At HHS we are committed to addressing the overdose crisis, and one of the ways we’re doing this is by expanding access to medication-assisted treatment and other effective, evidenced-based prevention and intervention strategies.” HHS’ “National Tour to Strengthen Mental Health” is intended to “hear directly from Americans across the country about the challenges they’re facing, and engage with local leaders to strength the mental health and crisis care in our communities”, focused on three aspects: mental health, suicide, and substance use. Further flexibilities should be anticipated in these areas as the Tour continues.

Anyone seeking treatment options for substance misuse should call SAMHSA’s National Helpline at 800-662-HELP (4357) or visit findtreatment.gov. If you or anyone you know is struggling with thoughts of suicide, please call the National Suicide Prevention Lifeline at 800-273-TALK (8255), or text the Crisis Text Line (text HELLO to 741741).

Article By Christine M. Clements and Theresa E. Thompson of Sheppard, Mullin, Richter & Hampton LLP

For more health law legal news, click here to visit the National Law Review.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.