Complying with the Affordable Care Act’s Exchange Notice Requirement

Mintz

The Patient Protection and Affordable Care Act (the “Act”) amends the Fair Labor Standards Act (“FLSA”) to require employers of all sizes to provide their employees a notice of the availability of coverage through public health insurance exchanges by March 1, 2013.[1] In January of this year, the U.S. Department of Labor, the agency charged with administering the FLSA, announced a delay in the effective date of the notice to the “late summer or fall of 2013.”[2] In Technical Release No. 2013-02 (entitled, “Guidance on the Notice to Employees of Coverage Options under Fair Labor Standards Act §18B and Updated Model Election Notice under the Consolidated Omnibus Budget Reconciliation Act of 1985”),[3] the Labor Department provided details about the FLSA exchange notice requirement. The effective date of the requirement is now October 1, 2013 for current employees or within 14 days of an employee’s start date for employees hired after that date.

Background

The FLSA exchange notice must include a description of the existence of, and services provided by, public exchanges. That Act further requires that the notice:

  • Explain how the employee may be eligible for a premium tax credit or a cost-sharing reduction if the employer’s plan does not meet certain requirements;
  • Inform employees that if they purchase a qualified health plan through the exchange, then they may lose any employer contribution toward the cost of employer-provided coverage, and that all or a portion of the employer contribution to employer-provided coverage may be excludable for federal income tax purposes;
  • Include contact information for customer service resources within the exchange, and an explanation of appeal rights;
  • Meet certain accessibility and readability requirements; and
  • Be in writing.

The Department has provided two model notices — one for employers who offer a health plan[4] to some or all employees and another for employers who do not.[5] The model notice for employers who offer a health plan includes two parts. Part A (entitled “General Information”) tracks the requirement of the statute. Part B (entitled, “Information About Health Coverage Offered by Your Employer”) solicits information about the employer’s group health plan coverage that is intended to assist employees who apply for subsidized coverage under a group health plan product offered through the exchange. Part B includes an optional section that asks the employer to disclose whether the health care coverage offered meets the minimum value standard and whether the cost of coverage is intended to be affordable. While not required, employers may decide to complete this part of the notice in order to avoid having to respond to inquiries from exchanges seeking to process an individual’s application.

The notice requirement applies to all employers who are subject to the FLSA. In general, the FLSA applies to employers that employ one or more employees who are engaged in, or produce goods for, interstate commerce. For most firms, a test of not less than $500,000 in annual dollar volume of business applies. The FLSA also specifically covers the following entities, regardless of dollar volume of business: hospitals; institutions primarily engaged in the care of the sick, the aged, mentally ill, or disabled who reside on the premises; schools for children who are mentally or physically disabled or gifted; preschools, elementary and secondary schools, and institutions of higher education; and federal, state and local government agencies. (For an explanation of the reach of the FLSA, please see http://www.dol.gov/compliance/guide/minwage.htm.)

Timing and Delivery of Notice

Under the heading “Timing and Delivery of Notice,” Technical Release No. 2013-02 provides as follows:

Employers are required to provide the notice to each new employee at the time of hiring beginning October 1, 2013. For 2014, the Department will consider a notice to be provided at the time of hiring if the notice is provided within 14 days of an employee’s start date. With respect to employees who are current employees before October 1, 2013, employers are required to provide the notice not later than October 1, 2013. The notice is required to be provided automatically, free of charge.

The notice must be provided in writing in a manner calculated to be understood by the average employee. It may be provided by first-class mail. Alternatively, it may be provided electronically if the requirements of the Department of Labor’s electronic disclosure safe harbor at 29 CFR 2520.104b-1(c) are met.

(Emphasis added).

The reference to “employees” means all employees, full-time and part-time, but there is no need to provide notices to dependents. Nor does the notice have to be provided to former employees or other individuals who are not employees but may be eligible for coverage (e.g., under COBRA).

The question of who, exactly, is an employee is an important one. The Act’s exchange notice requirement amends the FLSA. Thus, while the Internal Revenue Code and ERISA look to the “common law” standard, applicable court precedent interpreting the FLSA’s use of the term “employee” relies on the broader, “economic realities” test. Accordingly, an individual is an “employee” for FLSA purposes if he or she is economically dependent on the business for which he or she performs personal services. Thus, individuals properly classified as independent contractors for tax purposes may nevertheless be employees (to whom notice must be provided) for FLSA purposes.

Delivery can be in hand or by first class mail. Delivery may also be made electronically under the Department of Labor’s “electronic disclosure safe harbor at 29 CFR 2520.104b-1(c).” The regulations at 29 CFR 2520.104b-1 provide a safe harbor under which electronic delivery is permitted to employees who have the ability to effectively access documents furnished in electronic form at any location where the employee is reasonably expected to perform duties as an employee and with respect to whom access to the employer’s or plan sponsor’s electronic information system is an integral part of those duties. Under the safe harbor, other individuals may also opt into electronic delivery.

Enforcement

The Act does not appear to impose any separate penalty for ignoring the exchange notice requirement. The FLSA authorizes administrative actions, civil suits and criminal prosecutions for violations of pre-existing FLSA sections, but not, it seems, for this requirement. This does not mean, of course, that noncompliance is a good idea or even a viable option. The lack of penalties does not translate into a lack of consequences. Plan sponsors still have a fiduciary obligation to be forthcoming with plan participants and beneficiaries. (This situation is similar to the rules governing the distribution of summary plan descriptions — while not technically required, there are many good reasons to comply.)


U.S. Department of Labor (DOL) Clarifies Family and Medical Leave Act (FMLA) Leave Entitlement for Same-Sex Spouses

Morgan Lewis

In the wake of the Supreme Court’s Windsor decision, employers should review and, if necessary, revise their FMLA policies and procedures to ensure compliance.

The U.S. Department of Labor (DOL) recently clarified that same-sex spouses are now covered by the Family and Medical Leave Act (FMLA) to the extent that an employee’s marriage is recognized in the state in which the employee resides. This clarification, which follows the U.S. Supreme Court’s decision in United States v. Windsor,[1] is consistent with the existing FMLA regulatory language defining a “spouse” for purposes of FMLA coverage.

The DOL did not issue any new formal, stand-alone guidance but instead revised several existing FMLA guidance documents to remove references to the Defense of Marriage Act (DOMA). It also affirmatively stated in a newly released Field Operations Handbook section on the FMLA that “[s]pouse means a husband or wife as defined or recognized under state law for purposes of marriage in the State where the employee resides, including common law marriage and same sex marriage.”

Moving forward, FMLA spousal leave will only be available to employees who reside in a state that recognizes same-sex marriage, given that the existing FMLA regulatory language tied spousal coverage to the place of residence prior to the Windsor decision. However, the U.S. Office of Personnel Management (OPM), which has jurisdiction over FMLA rights for federal employees, recently issued post-Windsor guidance that extends FMLA leave rights to the spouses of federal employees without regard to states of residence.[2] OPM’s approach could eventually be followed by DOL for private sector employees and those employees otherwise covered by DOL rules but likely would require regulatory changes that would involve a notice and comment period.

It is worth noting that, while DOL’s clarification reflects a general increase in federal FMLA leave rights available to same-sex couples, in some circumstances, the availability of FMLA leave rights could mean a decrease in a given employee’s overall leave entitlement. For example, same-sex spouses residing in states recognizing same-sex marriage will now be subject to the FMLA’s restrictions on the combined amount of leave that spouses working for the same employer can use in certain circumstances. Similarly, an employee might have been entitled pre-Windsor to leave pursuant to state (but not federal) law to care for a same-sex spouse, which meant that the employee’s state and federal leave entitlements could not be exhausted concurrently.

Conclusion

In light of DOL’s updated guidance, employers should make sure that their FMLA policies allow spousal leave for employees in a same-sex marriage that is lawful in the state in which the employee resides. Employers, however, will need to think carefully about how they will administer such policies to avoid both employee relations issues and sexual orientation discrimination claims. For example, if an employer does not request documentation from an employee in an opposite-sex marriage as to whether the employee’s marriage is recognized in the state in which he or she resides, issues may arise if this information was requested of an employee in a same-sex marriage. While some employers may choose simply to grant FMLA leave to all employees regardless of domicile, employers need to be aware that such time may not be recognized as statutory FMLA leave. Employers should also pay close attention to future developments in this area as more states consider recognizing same-sex marriages.


[1] United States v. Windsor, 133 S. Ct. 2675 (2013).

[2]See U.S. Office of Personnel Admin., Benefits Administration Letter No. 13-203, Coverage of Same-Sex Spouses (July 17, 2013).


Health Insurance Portability and Accountability Act/Health Information Technology for Economic and Clinical Health (HIPAA/HITECH) Compliance Strategies for Medical Device Manufacturers

Sheppard Mullin 2012

As computing power continues to become cheaper and more powerful, medical devices are increasingly capable of handling larger and larger sets of data. This provides the ability to log ever expanding amounts of information about medical device use and patient health. Whereas once the data that could be obtained from a therapeutic or diagnostic device would be limited to time and error codes, medical devices now have the potential to store personal patient health information. Interoperability between medical devices and electronic health record systems only increases the potential for medical devices to store personal information.

The concern has become so significant that the U.S. Food and Drug Administration recently issued a draft guidance and letter to industry noting concerns associated with theft or loss of medical information by cybersecurity vulnerable devices. For a more detailed discussion of this issue, see last month’s blog post.

This raises another important issue for medical device manufacturers and health care providers: medical device compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Compliance with HIPAA and HITECH has become a major concern for hospitals and health care providers, and will increasingly be an issue that medical device manufacturers will need to deal with.

A medical device manufacturer needs to answer three questions in order to determine whether the collection of patient information by a medical device is subject to HIPAA and HITECH:

  • Does the information qualify as Protected Health Information?
  • Is a Covered Entity involved?
  • Does a Business Associate relationship exist with a Covered Entity?

Protected Health Information

Protected Health Information (PHI) is individually identifiable health information transmitted or maintained in any form or medium.[1] Special treatment is given to electronic PHI, which is subject to both the HIPAA Privacy Rule and the Security Rule (the latter applies only to electronic PHI). To be “individually identifiable,” the PHI must either identify the individual outright, or there must be a reasonable basis to believe that the information can be used to identify the individual.[2]

“Health information” is any information (including genetic information) that is oral or recorded in any form or medium, and meets two conditions.[3] First, the information must be created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse.[4] Second, the information must relate to the past, present, or future physical or mental health or condition of an individual, or the provision or payment of health care to an individual.[5]

If data collected by a medical device does not meet the definition of “individually identifiable” or “health information,” it is not covered under HIPAA and HITECH. For example, if a medical device logs detailed medical diagnostic information about a patient but includes no means by which that information may be traced to the patient, the data would likely fall outside of HIPAA and HITECH. Alternatively, a medical device, such as a mobile medical app, may request that a user provide detailed medical information about himself or herself. Provided that information is requested outside of the context of a health care provider, health plan, public health authority, employer, life insurer, school or university, HIPAA and HITECH similarly would likely not apply.

Covered Entities and Business Associates

There are two types of persons regulated by HIPAA and HITECH: “Covered Entities” and “Business Associates.” A Covered Entity is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a covered transaction.[6] A Business Associate is a person who either creates, receives, maintains, or transmits PHI for a regulated activity on behalf of a covered entity, or provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to a covered entity, where the service involves the disclosure of PHI.[7]

Therefore, at a minimum, in order to be subject to HIPAA and HITECH a Covered Entity needs to be involved. For example, medical devices sold directly to consumers for personal use would generally not be subject to HIPAA and HITECH.

Conversely, even if a medical device manufacturer is not a “Covered Entity,” HIPAA and HITECH may still apply through a Business Associate relationship. Business Associates include Health Information Organizations, E-prescribing Gateways, and others that provide data transmission services with respect to PHI to a covered entity, and that require access on a routine basis to PHI.[8] Business Associates also include persons that offer PHI to others on the behalf of a covered entity, or that subcontract with a Business Associate to create, receive, maintain, or transmit PHI.[9]


[1] 45 C.F.R. § 160.103 “Protected health information”.

[2] 45 C.F.R. § 160.103 “Individually identifiable health information” (2)(i) and (ii).

[3] 45 C.F.R. § 160.103 “Health information”.

[4] 45 C.F.R. § 160.103 “Health information” (1).

[5] 45 C.F.R. § 160.103 “Health information” (2).

[6] 45 C.F.R. § 160.103 “Covered entity”.

[7] 45 C.F.R. § 160.103 “Business associate” (1).

[8] 45 C.F.R. § 160.103 “Business associate” (3)(i).

[9] 45 C.F.R. § 160.103 “Business associate” (3)(ii) and (iii).


A Review of Centers for Medicare & Medicaid Services' (CMS) Approach to $125 Million Recoupment of Payments to Providers for Services to Incarcerated / Unlawfully Present Beneficiaries

Sheppard Mullin 2012

CMS seeks to recover from providers $125 million in alleged overpayments for services to beneficiaries who are belatedly identified as ineligible (incarcerated/unlawfully present). This post examines the recovery process CMS has put in place, noting CMS procedural shortcomings and reviewing some substantive defenses available to providers facing such demands.

In January 2013, CMS’ Office of Inspector General released two parallel reports, criticizing CMS for making improper payments to providers for services rendered to beneficiaries who, according to updated Social Security Administration records, were either incarcerated or unlawfully present in the United States at the time of such service.[1]

OIG concluded that between 2010 and 2012, CMS made more than $125 million in improper payments to providers (including hospitals, outpatient facilities, physicians, skilled nurses, DME suppliers, home health, and hospice). OIG recommended that CMS take steps to recover such funds and avoid such payments in future.

In response, CMS noted that it already had in place a system that checks, at the time a claim is submitted, the eligibility status of each beneficiary. If data indicates that a patient is not eligible, the claim is rejected. As a result, all overpayments identified by OIG resulted from changes to SSA data after claims were processed.

Apparently anticipating these OIG reports, in November 2012, CMS published two change requests[2] to implement an Informational Unsolicited Response Process (IUR). Through an IUR, the Common Working File system would automatically flag and report to the MACs any previously paid claims where subsequent data updates indicated that the beneficiary was not eligible at time of service due to incarceration or unlawfully present status. In Spring 2013, CMS began implementing the incarcerated patient IUR.

Although CMS has Regional Audit Contractors (RACs) in place to perform post payment technical bill review, CMS has bypassed the RAC process; instead, using the IUR, CMS has instructed the MACs to “initiate recoupment procedures” upon receipt of an IUR to recover these funds. MACs, acting upon this instruction, immediately initiated recoupment through remittance advice[3] based simply upon the subsequent SSA data change. By acting in this way, CMS:

  • Failed to provide any explanation of the reason for the overpayment redetermination;
  • Failed to provide the required 15 day opportunity for rebuttal;
  • Failed to defer recoupment pending the 15 day rebuttal period and through reconsideration;
  • Failed to address whether provider liability should be waived under section 1870 of the Social Security Act (no fault waiver); and
  • Failed to advise providers of their appeal rights.[4]

Providers reacted with surprise, placing many calls to the MACs and SSA (to address mistakes in data). In many cases, SSA data indicating incarceration of a patient was simply erroneous; even where the data was valid, it appears that, like CMS, providers were generally unaware of ineligibility at the time of service.

CMS initially took the position that notice letters were not required and there would be no appeal rights; CMS at first indicated that any erroneous findings would be addressed by “data revisions” (presumably through a discretionary reopening by the MAC).

CMS has modified some of its positions based upon provider objection.

In recent FAQs,[5] CMS now concedes that providers do have appeal rights.

But CMS says most errors won’t be fixed until October 2013.

Critically, CMS has not yet addressed its failure to give providers proper notice, explanation of findings, and rebuttal rights, or its failure to consider no fault waiver. CMS also has so far failed to honor the post payment restrictions on recoupment pending rebuttal and appeal.

The SSA database is not perfect. In one case, a hospice was put on recoupment for months of service to a female beneficiary in 2010-2011 who was mistakenly identified in the SSA database with an unrelated incarcerated male patient. Notice and thoughtful consideration of rebuttal evidence would have prevented this error.

Perhaps more importantly for the general provider community, at the time each provider filed claims for services previously rendered, SSA data showed that the patient was eligible (or the claim would not have been paid). This fact presents a strong case for waiver of provider overpayment liability under the no fault provisions of section 1870 of the Social Security Act.


[1] http://oig.hhs.gov/oas/reports/region7/70203008.htm and https://oig.hhs.gov/oas/reports/region7/71201116.asp

[2] CR 8007 and CR 8009; e.g., http://www.cms.gov/Regulations-and-Guidance/Guidance/Transmittals/Downloads/R1134OTN.pdf

[3] Incarcerated Patient shows ANSI Code 81G.

[4] Key Authorities Include: 42 USC §§ 1395ff, 1395gg, 1395ddd(f); 42 CFR §§ 405.373, 405.379, 405.982; and the Medicare Financial Management Manual, Ch. 34, § 90.

[5] http://www.cms.gov/Medicare/Medicare-Contracting/FFSProvCustSvcGen/Downloads/Incarcerated-Beneficiary-FAQs-8-1-13.pdf


U.S. Medical Oncology Practice Sentenced for Use and Medicare Billing of Cancer Drugs Intended for Foreign Markets

GT Law

In a June 28, 2013 news release by the Office of the United States Attorney for the Southern District of California in San Diego, it was reported that a La Jolla, California medical oncology practice pleaded guilty and was sentenced to pay a $500,000 fine, forfeit $1.2 million in gross proceeds received from the Medicare program, and make restitution to Medicare in the amount of $1.7 million for purchasing unapproved foreign cancer drugs and billing the Medicare program as if the drugs were legitimate. Although the drugs contained the same active ingredients as drugs sold in the U.S. under the brand names Abraxane®, Alimta®, Aloxi®, Boniva®, Eloxatin®, Gemzar®, Neulasta®, Rituxan®, Taxotere®, Venofer® and Zometa®, the drugs purchased by the corporation were meant for markets outside the United States, and were not drugs approved by the FDA for use in the United States. Medicare provides reimbursement only for drugs approved by the Food and Drug Administration (FDA) for use in the United States. To conceal the scheme, the oncology practice fraudulently used and billed the Medicare program using reimbursement codes for FDA approved cancer drugs.

In pleading guilty, the practice admitted that from 2007 to 2011 it had purchased $3.4 million of foreign cancer drugs, knowing they had not been approved by the U.S. Food and Drug Administration for use in the United States. The practice admitted that it was aware that the drugs were intended for markets other than the United States and were not the drugs approved by the FDA for use in the United States because: (a) the packaging and shipping documents indicated that drugs were shipped to the office from outside the United States; (b) many of the invoices identified the origin of the drugs and intended markets for the drugs as countries other than the United States; (c) the labels did not bear the “Rx Only” language required by the FDA; (d) the labels did not bear the National Drug Code (NDC) numbers found on the versions of the drugs intended for the U.S. market; (e) many of the labels had information in foreign languages; (f) the drugs were purchased at a substantial discount; (g) the packing slips indicated that the drugs came from the United Kingdom; and (h) in October 2008 the practice had received a notice from the FDA that a shipment of drugs had been detained because the drugs were unapproved.

In a related False Claims Act lawsuit filed by the United States, the physician and his medical practice corporation paid in excess of $2.2 million to settle allegations that they submitted false claims to the Medicare program. The corporation was allowed to apply that sum toward the amount owed in the criminal restitution to Medicare. The physician pleaded guilty to a misdemeanor charge of introducing unapproved drugs into interstate commerce, admitting that on July 8, 2010, he purchased the prescription drug MabThera (intended for market in Turkey and shipped from a source in Canada) and administered it to patients. Rituxan®, a product with the same active ingredient, is approved by the Food and Drug Administration for use in the United States.


Breach Notification Rules under Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule

DrinkerBiddle

This is the fourth in our series of bulletins on the Department of Health and Human Services’ (HHS) HIPAA Omnibus Final Rule. In our bulletins issued on February 28, 2013 and March 18, 2013, available here, we described the major provisions of this rule and explained how the provisions of the rule that strengthen the privacy and security of protected health information (PHI) impact employer sponsored group health plans, which are covered entities under the HIPAA privacy rules. In our bulletin issued on April 4, 2013, available here, we focused on changes that will need to be made to business associate agreements under the Omnibus Final Rule. In this bulletin, we discuss the modifications to the breach notification rules made by the Omnibus Final Rule and provide health plan sponsors with information regarding the actions they must take to meet their breach notification obligations in the event of a breach of unsecured PHI.

Key Considerations for Health Plan Sponsors

  • Health plan sponsors must be able to identify when a breach occurs and when breach notification is required.
  • Health plan sponsors should review their procedures for evaluating potential breaches and should revise those procedures to incorporate the new “risk assessment” required under the Omnibus Final Rule.
  • Health plan sponsors should review their procedures for notifying individuals, HHS, and the media (to the extent required) when a breach of unsecured PHI occurs.
  • Health plan sponsors should make training workforce members about the breach notification rules a priority. Workforce members should be prepared to respond to breaches and potential breaches of unsecured PHI. A breach is treated as discovered by the covered entity on the first day a breach is known, or, by exercising reasonable diligence would have been known, to the covered entity. This standard is met if even one workforce member knows of the breach or would know of it by exercising reasonable diligence, and even if the breach is not immediately reported to the privacy officer. Discovery of the breach starts the clock ticking on the notification obligation and deadlines, which are described below.
  • Health plan sponsors should review each existing business associate agreement to make sure that responsibility for breach notification is allocated between the business associate and the health plan in a manner that is appropriate based on the business associate’s role with respect to PHI and the plan sponsor’s preferences for communicating with employees.

Health plan sponsors will want to review and revise, as necessary, the following to comply with the new rules described below:

Compliance Checklist

  • Business Associate Relationships and Agreements
  • Policies and Procedures
  • Security Assessment and Breach Notification Plan
  • Risk Analysis — Security
  • Plan Document and SPD
  • Notice of Privacy Practices
  • Individual Authorization for Use and Disclosure of PHI
  • Workforce Training

What is a Breach?

Background

In general terms, a breach is any improper use or disclosure of PHI. While HIPAA requires mitigation of any harmful effects resulting from an improper use or disclosure of PHI, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 added a notification requirement. HITECH requires covered entities to notify affected individuals, HHS and, in some cases, the media following a breach of unsecured PHI. HITECH defined “breach” as an acquisition, access, use, or disclosure of an individual’s PHI in violation of the HIPAA privacy rules, to the extent that the acquisition, access, use or disclosure compromised the security or privacy of the PHI. The HHS interim final regulations further specified that PHI was compromised if the improper use or disclosure posed a significant risk of financial, reputational, or other harm. The interim final regulations also contained four exceptions to the definition of breach, adding a regulatory exception to the three statutory exceptions.

General Definition of Breach under the Omnibus Final Rule

Under the Omnibus Final Rule, “breach” continues to be defined as an acquisition, access, use, or disclosure of PHI that both violates the HIPAA privacy rules and compromises the security or privacy of the PHI. However, the Omnibus Final Rule modifies the interim final regulations in two important ways:

  • The interim final regulatory exception for an unauthorized acquisition, access, use, or disclosure of PHI contained in a limited data set from which birth dates and zip codes have been removed is eliminated.
  • The risk of harm standard is eliminated and replaced with a presumption that any acquisition, access, use, or disclosure of PHI in violation of the HIPAA privacy rules constitutes a breach. However, a covered entity (such as a health plan) can overcome this presumption if it concludes following a risk assessment that there was a low risk that PHI was compromised (see “Presumption that a Breach Occurred” below).

Statutory Exceptions to “Breach”

HITECH provided three statutory exceptions to the definition of breach that are also set forth in the Omnibus Final Rule. If an improper acquisition, access, use, or disclosure of PHI falls within one of the following three exceptions, there is no breach of PHI:

  • The acquisition, access, or use is unintentional and is made in good faith by a person acting under a covered entity’s (or business associate’s) authority, as long as the person was acting within the scope of his or her authority and the acquisition, access, or use does not result in a further impermissible use or disclosure of the PHI.
  • The disclosure of PHI is inadvertent and is made by a person who is authorized to access PHI at a covered entity (or business associate), as long as the disclosure was made to another person within the same covered entity (or business associate) who is also authorized to access PHI, and there is no further impermissible use or disclosure of the PHI.
  • The disclosure of PHI is to an unauthorized person, but the covered entity (or business associate) has a good faith belief that the unauthorized person would not reasonably have been able to retain the PHI.

The interim final regulations added a fourth exception for impermissible uses or disclosures of PHI involving only PHI in a limited data set, which is PHI from which certain identifiers are removed, provided birth dates and zip codes are also removed. The Omnibus Final Rule eliminates this exception so an impermissible use or disclosure of PHI in a limited data set will be presumed to be a breach of PHI as described below.

Presumption that a Breach Occurred

Under the Omnibus Final Rule, a breach is presumed to have occurred any time there is an acquisition, access, use, or disclosure of PHI that violates the HIPAA privacy rules (subject to the statutory exceptions outlined above).

However, a covered entity may overcome this presumption by performing a risk assessment to demonstrate that there is a low probability that the PHI has been compromised. If the covered entity chooses to conduct a risk assessment, the assessment must take into account at least the following four factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
  • The unauthorized person who used the PHI or to whom the disclosure was made.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk to the PHI has been mitigated.

The covered entity may consider additional factors as appropriate, depending on the facts and circumstances surrounding the improper use or disclosure. After performing its risk assessment, if the covered entity determines that there is a low probability that the PHI has been compromised, there is no breach and notice is not required. If the covered entity cannot reach this conclusion and if no statutory exception applies, then the covered entity must conclude that a breach has occurred.

The Omnibus Final Rule also makes clear that a covered entity may decide not to conduct a risk assessment and may instead treat every impermissible acquisition, access, use, or disclosure of PHI as a breach.

Drinker Biddle Note: Covered entities have the burden of proof to demonstrate either that an impermissible acquisition, access, use, or disclosure of PHI did not constitute a breach, or that all required notifications (as discussed below) were provided. Covered entities should review and update their internal HIPAA privacy and security policies to include procedures for performing risk assessments, as well as procedures for documenting all risk assessments and determinations regarding whether a breach has occurred and whether notification is required.

Providing Breach Notification

Covered entities are required to notify all affected individuals when a breach of unsecured PHI is discovered (unless an exception applies or it is demonstrated through a risk assessment that there is a low probability that the PHI has been or will be compromised). Notification to HHS is also required, but the time limits for providing this notification vary depending on the number of individuals affected by the breach. In addition, covered entities may be required to report the breach to local media outlets. The Omnibus Final Rule describes in detail the specific content that is required to be included in notifications to affected individuals, HHS, and the media.

Drinker Biddle Note: Although the Omnibus Final Rule defines when a “breach” has occurred, notification is required only when the breach involves unsecured PHI. PHI is considered “unsecured” when it has not been rendered unusable, unreadable, or indecipherable to unauthorized persons. HHS has issued extensive guidance on steps that can be taken to render PHI unusable, unreadable, and indecipherable.

Notification to Affected Individuals

Covered entities must notify affected individuals in writing without unreasonable delay, but in no event later than 60 calendar days, after discovery of a breach of unsecured PHI. The notice may be sent by mail or email (if the affected individual has consented to receive notices electronically). The Omnibus Final Rule also provides additional delivery methods that apply when an affected individual is deceased, and when a covered entity does not have up-to-date contact information for an affected individual.

Drinker Biddle Note: Again, a breach is deemed discovered on the first day such breach is known or by exercising reasonable diligence would have been known by any person who is a workforce member or agent of a covered entity or business associate.

Drinker Biddle Note: Please note that 60 days is an outer limit for providing the notice and is not a safe harbor. The operative standard is that the notice must be provided without unreasonable delay. Thus, based on the circumstances, a notice may be unreasonably delayed even though provided within the 60-day period.

Notification to HHS

Covered entities must notify HHS of breaches of unsecured PHI by electronically submitting a breach report form through the HHS website. If a breach of unsecured PHI affects 500 or more individuals, HHS must be notified at the same time that notice is provided to the affected individuals. For breaches of unsecured PHI that affect fewer than 500 individuals, the covered entity may keep a log of all such breaches that occur in a given year and submit a breach report form through the HHS website on an annual basis, but not later than 60 days after the end of each calendar year.

Notification to the Media

When there is a breach of unsecured PHI involving more than 500 residents of a state or jurisdiction, a covered entity must notify prominent media outlets serving the state or jurisdiction. This media notification must be provided without unreasonable delay, and in no case later than 60 days after the breach is discovered.

State Law Requirements

Separate breach notification requirements may apply to a covered entity under state law. HIPAA’s breach notification laws preempt “contrary” state laws. “Contrary” in this context generally means that it is impossible to comply with both federal and state laws. As state breach notification laws are not typically contrary to the HIPAA breach notification rules, covered entities may have to comply with both laws.

Drinker Biddle Note: Covered entities should review applicable state breach notification laws and consider to what extent those laws should be incorporated into their HIPAA privacy policies and procedures.

Implications for Business Associate Agreements

If a covered entity’s business associate discovers that a breach of unsecured PHI has occurred, the Omnibus Final Rule requires the business associate to notify the covered entity without unreasonable delay, but in no event later than 60 days following the discovery of the breach. The notice must include, to the extent possible, the identification of each affected individual as well as any other information the covered entity is required to provide in its notice to individuals.

Although a covered entity is ultimately responsible for notifying affected individuals, HHS and the media (as applicable) when a breach of unsecured PHI occurs, the covered entity may want to delegate some or all of the notification responsibilities to its business associate. If a covered entity and its business associate agree that the business associate will be responsible for certain breach notification obligations, the scope of the arrangement should be clearly memorialized in the business associate agreement. In negotiating its business associate agreements, a covered entity should consider provisions such as:

  • Which party determines whether a breach occurred?
  • Who is responsible for sending required notices, and the related cost?
  • Indemnification in the event a business associate incorrectly determines that a breach did not occur, or a business associate otherwise fails to act appropriately.

Drinker Biddle Note: Covered entities that choose to delegate breach notification responsibilities to business associates should pay close attention to how such delegation provisions are drafted to minimize the possibility that the business associate will be considered an “agent” of the covered entity. Under the Omnibus Final Rule, when a business associate acts as an agent of the covered entity, the business associate’s discovery of a breach is imputed to the covered entity, and, therefore, a covered entity could be liable for civil monetary penalties related to the business associate’s act or omission. More information about issues related to drafting business associate agreements can be found in our bulletin issued on April 4, 2013, available here.

Compliance Deadline

Group health plans have until September 23, 2013 to comply with the new requirements of the Omnibus Final Rule. During the period before compliance is required, group health plans are still required to comply with the breach notification requirements of the HITECH Act and the interim final regulations.

Of course, the best course of action is to maintain adequate safeguards to prevent any breach. A recent settlement of HIPAA violations resulting in a $1.7 million payment to HHS is discussed in a separate publication, available here.


Will Obesity Claims Be the Next Wave of Americans with Disabilities Act (ADA) Litigation?

In a new federal lawsuit in the U.S. District Court for the Eastern District of Missouri, Whittaker v. America’s Car-Mart, Inc., the plaintiff is alleging his former employer violated the Americans with Disabilities Act (ADA) when it fired him for being obese. Plaintiff Joseph Whittaker claims the company, a car dealership chain, fired him from his job as a general manager last November after seven years of employment even though he was able to perform all essential functions of his job, with or without accommodations. He alleges “severe obesity … is a physical impairment within the meaning of the ADA,” and that the company regarded him as being substantially limited in the major life activity of walking.

The EEOC has also alleged morbid obesity is a disability protected under the ADA.  In a 2011 lawsuit filed on behalf of Ronald Katz, II against BAE Systems Tactical Vehicle Systems, LP (BAE Systems), the EEOC alleged the company regarded Mr. Katz as disabled because of his size and terminated Katz because he weighed over 600 lbs.  The suit alleged Mr. Katz was able to perform the essential functions of his job and had received good performance reviews.  The case was settled after BAE Systems agreed to pay $55,000 to Mr. Katz, provide him six months of outplacement services, and train its managers and human resources professionals on the ADA.  In a press release announcing the settlement, the EEOC said, “the law protects morbidly obese employees and applicants from being subjected to discrimination because of their obesity.”

Similarly, in 2010, the EEOC sued Resources for Human Development, Inc. (RHD) in the U.S. District Court for the Eastern District of Louisiana, for firing an employee because of her obesity in violation of the ADA. According to the suit, RHD fired Harrison in September of 2007 because of her severe obesity.  The EEOC alleged that, as a result of her obesity, RHD perceived Harrison as being substantially limited in a number of major life activities, including walking.  Ms. Harrison died of complications related to her morbid obesity before the case could proceed.

RHD moved for summary judgment, arguing obesity is not an impairment.  The court, having reviewed the EEOC’s Interpretive Guidance on obesity, ruled severe obesity (body weight more than 100% over normal) is an impairment.  The court held that if a plaintiff is severely obese, there is no requirement that the obesity be caused by some underlying physiological impairment to qualify as a disability under the ADA.  The parties settled the case before trial for $125,000, which was paid to Ms. Harrison’s estate.

In June 2013, the American Medical Association (AMA) declared that obesity is a disease.  Although the AMA’s decision does not, by itself, create any new legal claims for obese employees or applicants under the ADA, potential plaintiffs are likely to cite the new definition in support of ADA claims they bring.  In light of these recent developments, obesity related ADA claims will likely become more common.


Centers for Medicare and Medicaid Services (CMS) Issues Revised Process for Making National Coverage Determinations


Yesterday, the U.S. Department of Health and Human Services Centers for Medicare and Medicaid Services (CMS) published its revised process for external requests and internal reviews for new national coverage determinations (NCDs) or for reconsideration of existing NCDs.  Today’s guidance supersedes CMS’s previous process issued in 2003.

Prior to formally requesting an NCD or reconsideration, CMS encourages requesters to contact CMS staff in the Coverage and Analysis Group (CAG).  The CAG staff may identify additional needed information and supporting documentation.  The requester may also find that a formal request is not needed.  For example, CAG staff could determine that coverage of the item or service is already available or that the item or service falls outside the scope of an NCD.

If the requester decides to move forward with requesting an NCD review, the requester must provide the following, which would constitute a “complete, formal request”:

  1. A final letter of request that is clearly identified as “A Formal Request for A National Coverage Determination.”
  2. A full and complete description of the item or service in the request.
  3. The scientific evidence supporting the clinical indications for the item or service, including the proposed use of the item or service, the target Medicare population, the medical indication(s) for which the item or service can be used, and whether the item or service is used by health care providers or beneficiaries.
  4. The Medicare Part A or B benefit category or categories in which the item or service falls.
  5. Additional information if the item or service is currently under FDA review.

Once CMS receives the complete formal request, it will add the request to its tracking sheet on the CMS website and permit public comments on the request. CMS will also initiate a formal evidence review and will generally issue a proposed decision within six months of opening the NCD review. CMS will accept public comments for 30 days after issuing the proposed decision. CMS will then issue a final NCD within 60 days of the end of the public comment period. These timeframes could be extended, however, if CMS commissions a third-party technology assessment, convenes the Medicare Evidence Development and Coverage Advisory Committee, or requests a clinical trial.

Today’s guidance also provides the process for requesting reconsideration of an NCD.  The reconsideration must be in writing and clearly identified.  The requester must also provide documentation meeting one of the following:

  1. Additional scientific evidence not considered at the most recent review and a “sound premise” that the evidence may change the NCD decision.
  2. Arguments that CMS’s conclusion materially misinterpreted the existing evidence at the time the NCD was decided.

CMS will generally accept or reject an external NCD reconsideration request within 60 days of receiving the request.

In certain circumstances, CMS may internally initiate review of an NCD. CMS will also periodically review NCDs that have not been reviewed in the past 10 years. CMS will publish a list of NCDs proposed for removal, together with the rationale for removal, and provide a 30-day public comment period. CMS anticipates that this process will reduce the timeframe for removal or amendment of an NCD. Currently, removal or amendment takes 9 to 12 months.

For more information, please see the guidance at this link.


Health Care Reform Update – Week of August 5th, 2013


Leading the News

Office of Personnel Management Addresses Premiums for Congressional Staffers

On August 1st, the U.S. Office of Personnel Management (OPM) announced it will release proposed regulations within the next week to allow the federal government to contribute to the health care premiums of members of Congress and their staffs. Earlier in the week, President Obama said he was working with Congress to address the issue, which had prompted concerns about a brain drain from Capitol Hill. Senator Tom Coburn (R-OK) said he intended to place a hold on Katherine Archuleta, the nominee to be the chief at OPM, until the issue was resolved.

House Energy and Commerce Committee Unanimously Approves SGR Bill

On July 31st, by a unanimous 51-0 vote, the House Energy and Commerce Committee passed legislation that would repeal the sustainable growth rate (SGR) Medicare physician payment method and shift payment to quality-based measures.

Implementation of the Affordable Care Act

On July 29th, CMS issued a release that indicates the ACA and its gradual closure of the donut hole coverage gap has saved 6.6 million Americans over $7 million, an average savings of $1,061 per beneficiary.

On July 29th, the White House issued a blog post noting nationwide health care costs grew just 1.1% from May 2012 – May 2013. The 1.1% growth is the slowest in 50 years.

On July 30th, House Republicans released a playbook for the August recess that encourages members to hold “emergency town halls” in response to ACA implementation.

August 5, 2013

On July 30th, the CMS released an application that allows organizations to become “Champions for Coverage” under the ACA.

On July 30th, CMS released an application for community health centers and other health providers that want to become certified application counselor organizations and help people searching for insurance coverage on the ACA exchanges.

On July 30th, the Congressional Budget Office (CBO) and the Joint Committee on Taxation (JCT) issued an estimate that the employer mandate delay of the ACA will cost about $12 billion.

On July 31st, HHS issued a request for information from stakeholders regarding section 1557 of the ACA, which prohibits discrimination based on race, color, national origin, sex, age, or disability in health care programs.

On July 31st, the Kaiser Family Foundation (KFF) released a report and interactive map on how insurance coverage would be expanded as a result of the ACA.

On July 31st, House Speaker John Boehner (R-OH) said he is still unsure if House Republicans will use the threat of a government shutdown in an effort to defund the ACA.

On July 30th, EHealthInsurance reached a deal to sell its products on the ACA insurance exchanges. EHealth CEO Gary Lauer says his company’s involvement on the exchanges will lead to increased enrollment and improved competition in the insurance marketplace.

On August 1st, California announced six insurers that will offer coverage on the state’s Small Business Health Options Program (SHOP). A summary of the Covered California plan indicates the premium prices and coverage options for hypothetical business operations.

On August 1st, 38 Republican Senators sent a letter to White House Counsel Kathryn Ruemmler with a request for information on the government agencies involved in ACA implementation.

On August 1st, the House Ways and Means Committee held a hearing on the role of the IRS in ACA implementation. Gary Cohen of the CMS Center for Consumer Information and Insurance Oversight (CCIIO) and Daniel Werfel of the IRS testified before the committee.

On August 1st, the House Energy and Commerce Committee conducted a hearing with CMS Administrator Marilyn Tavenner to discuss the current state of ACA implementation.

On August 2nd, the House voted, 232-185, to prohibit the IRS from being involved in enforcement of the ACA. The vote was the 40th time the House has attempted to repeal components of the ACA.

Other HHS and Federal Regulatory Initiatives

On July 30th, the Department of Justice (DOJ) announced Wyeth Pharmaceuticals agreed to pay over $490 million to resolve criminal and liability issues arising from the company’s unlawful marketing of Rapamune, a drug only approved by the Food and Drug Administration (FDA) for kidney transplants.

On July 31st, CMS issued final payment rules to increase payments to skilled nursing facilities by 1.3%, at a cost of $470 million, and increase payments to inpatient rehabilitation facilities by 2.3%, a $170 million cost.

On August 1st, the FDA released 2014 user fee rates for biosimilars, brand name prescription drugs, generic prescription drugs, and medical devices.

On August 2nd, the FDA issued a rule addressing ‘gluten-free’ food labeling. The rule states foods that claim to be gluten-free but contain more than 20 parts per million of gluten will be considered misbranded products.

On August 2nd, CMS released a final rule relating to payments for acute care and long-term care hospitals in 2014. The rule increases payment to the nation’s 3,400 acute care hospitals by $1.2 billion. Payment to 440 long-term care facilities is set to increase $72 million.

Other Congressional and State Initiatives

On July 31st, Rep. Daniel Lipinski (D-IL) introduced legislation to require hospitals to publicly disclose the prices charged for the most common medical procedures.

On August 1st, Democratic Senators sent a letter to President Obama urging the White House to establish set targets for Medicare and Medicaid cost savings.

On August 1st, Senators Mark Warner (D-VA) and Johnny Isakson (R-GA) introduced The Care Planning Act of 2013, a bill to improve palliative care and provide seriously ill patients with greater control of their own care.

On August 2nd, Michigan and Illinois announced a partnership to share Medicaid information systems, a plan expected to save millions of dollars for both states.

On August 2nd, Senators Mike Crapo (R-ID), Ben Cardin (D-MD), and Angus King (I-ME) introduced a bill, S. 1422, to require the CBO to more completely address the cost-savings of preventive healthcare.

Other Health Care News

On July 29th, doctors from the National Cancer Institute published a report suggesting the word ‘cancer’ is overused. The report argues the overuse of the term leads to unnecessary and potentially harmful treatment in many patients.

On July 29th, Gallup released a poll indicating Americans have exercised less each month in 2013 than during the same months in 2012. About half of Americans say they exercise at least 30 minutes three or more days each week.

On August 2nd, the Institute of Medicine released a report on the efforts needed to tackle obesity in the United States.

Hearings and Mark-Ups Scheduled

The Senate and the House of Representatives are in recess until the week of September 9th.

David Shirbroun also contributed to this article.


Recent Data Breach Reports: And the Hits Keep on Coming….


The “hits” to databases, in any event. Here is a rundown of some of the most recent data breach reports:

Oregon Health & Science University Data Breach Compromises 3,000 Patients’ Records in the Cloud.

Modern Healthcare (subscription may be required) reports that the Oregon Health & Science University announced it is “notifying more than 3,000 of its patients of a breach of their personally identifiable information after their data were placed by OHSU resident physicians on a pair of Google’s cloud-based information-sharing services.” The data breach, which involves “patients’ names, medical record numbers, dates of service, ages, diagnoses and prognoses and their providers’ names” posted to Gmail or Google Drive, was discovered in May by an OHSU faculty member. According to Healthcare IT News, this is OHSU’s “fourth big HIPAA breach since 2009 and third big breach just in the past two years, according to data from the Department of Health and Human Services.”

Citigroup Reports Breach of Personal Data in Unredacted Court Filings; Settles with Justice Department

American Banker reports that Citigroup recently admitted having failed to safeguard the personal data (including birthdates and Social Security numbers) of approximately 146,000 customers who filed for bankruptcy between 2007 and 2011. Citi apparently failed to fully redact court records placed on the Public Access to Court Electronic Records (PACER) system. “The redaction issues primarily resulted from a limitation in the technology Citi had used to redact personally identifiable information in the filings,” Citi said in a statement. “As a result of this limitation in technology, personally identifiable information could be exposed and read if electronic versions of the court records were accessed and downloaded from the courts’ online docket system and if the person downloading the information had the technical knowledge and software to restore the redacted information.”

In a settlement with the Justice Department’s U.S. Trustee Program, Citi has agreed to redact the customer information, notify all affected debtors and third parties, and offer all those affected a year of free credit monitoring.

University of Delaware Reports Cyberattack – 72,000 Records Affected

The University of Delaware is notifying the campus community that it has experienced a cyberattack in which files were taken that included confidential personal information of more than 72,000 current and past employees, including student employees. The confidential personal information includes names, addresses, UD IDs (employee identification numbers) and Social Security numbers.

Stanford University Reports Hack – Investigating Scope

Stanford University has announced that its information technology infrastructure has been breached, “similar to incidents reported in recent months by a range of companies and large organizations in the United States,” according to a Stanford press release. Though the school does not yet “know the scope of the intrusion,” an investigation is underway. “We are not aware of any protected health information, personal financial information or Social Security numbers being compromised, and Stanford does not conduct classified research.”

Japan’s Railway Company Apologizes for Unauthorized “Sharing”

The Wall Street Journal reported yesterday (registration may be required) that Japan’s national railway system has apologized for sharing its passengers’ travel habits and other personal information with a pre-paid fare card system without user consent. East Japan Railway admitted to selling the data to Suica—one of the pre-paid card businesses. The data included card holders’ ID numbers, ages, genders and where and when passengers got on and off the train. A transportation ministry official, however, said they will not investigate the issue for privacy violations because the railway company “told us that it wasn’t personal information, as it didn’t include names and addresses of users.” The Ministry of Internal Affairs and Communications is looking into the issue and has set up a team to research the matter, the report states.
