Health Care Fraud 2013 – May 15-17, 2013

The National Law Review is pleased to bring you information about the upcoming ABA Health Care Fraud Conference:

May 15 – 17, 2013

Where

  • Eden Roc Renaissance Miami Beach
  • 4525 Collins Ave
  • Miami Beach, FL 33140-3226
  • United States of America

The 23rd Annual National Institute on Health Care Fraud provides a rewarding educational experience for health care attorneys, regulators, prosecutors, criminal defense attorneys, and qui tam relators’ counsel. This National Institute draws panelists, facilitators, and participants from each of these significant groups and offers unique opportunities to meet and share experiences and concerns in a non-adversarial setting.  The program planning committee is committed to creating a program that advances education, communication, professionalism, and discussion of current legal and ethical issues that arise in the health care fraud practice. These issues are addressed in panel discussions and small workshop formats designed to maximize audience participation.

New Family and Medical Leave Act (FMLA) Regulations Effective: New Notice Poster and Model Forms Available

Poyner Spruill

As of March 8, 2013, employers with 50 or more employees are required to post the Department of Labor’s (DOL) new Family and Medical Leave Act (FMLA) notice poster incorporating the recently issued final regulations, which incorporate amendments made by the National Defense Authorization Act (NDAA) and the Airline Flight Crew Technical Corrections Act (AFCTCA).  The new notice poster can be found at the DOL’s website here.  Federal law requires that all covered employers post the FMLA notice in a conspicuous place, even if no employees are eligible for FMLA leave.  The deadline for employers to begin posting the new notice poster was March 8, 2013, so any employer who has not already done so should act now.

In addition to the new poster, the DOL has issued revised model forms that reflect the final regulations.  Most notably, the DOL has issued an all-new certification form: Certification for Serious Injury or Illness of a Veteran for Military Caregiver Leave (WH-385-V).  This form reflects the FMLA’s expanded provisions that allow eligible employees to use Military Caregiver Leave to care for a veteran who was (not dishonorably) discharged from the military within the past five years.

While there are several new provisions of the FMLA that relate to job-protected leave for airline personnel and flight crews, there have been significant changes made that apply to all employees.  Specifically, there have been significant changes made to Qualifying Exigency Leave which include the following: expanding the number of days that an eligible employee may take for rest and recuperation qualifying exigency leave, revising the definition of “military member” for purposes of leave, changing the type of duty required for coverage, and granting certain employees leave rights to care for the parents of a military member.

In addition, Military Caregiver Leave under the FMLA has been expanded.  Under the new regulations, the definition of “covered servicemember” has been expanded to include covered veterans who are undergoing medical treatment, recuperation, or therapy for a serious injury or illness.  Under the final regulations, a “covered veteran” is an individual who was discharged or released under conditions other than dishonorable at any time during the five-year period prior to the first date the eligible employee takes FMLA leave to care for the covered veteran.  Moreover, the definition of a “serious injury or illness” for a current servicemember has been expanded to include injuries or illnesses that existed before the beginning of the member’s active duty that were aggravated by service in the line of duty while on active duty in the Armed Forces.

For more detailed information, the DOL’s side-by-side comparison of the 2008 and 2013 regulations can be found here.

While many of the changes relate to provisions that are seldom used by most employers (with the exception of airlines), every FMLA-covered employer must post the new notice poster and should review its forms and policies to ensure compliance with the new regulations.

© 2013 Poyner Spruill LLP

Supreme Court Clarifies Antitrust Immunity For State-Sanctioned Conduct

On February 19, 2013, the U.S. Supreme Court, in a unanimous decision, found that a merger of two Georgia hospitals was not immune from federal antitrust laws under the “state-action” exemption, reversing a decision of the Eleventh Circuit Court of Appeals. The Supreme Court’s ruling has implications for activities of local governmental entities, such as counties and municipalities, as well as private actors exercising authority delegated by a state.

In this case, Federal Trade Commission v. Phoebe Putney Health System, Inc.,1 the Hospital Authority of Albany-Dougherty County (Authority), a non-profit entity formed by the city of Albany and Dougherty County pursuant to Georgia law, owned and operated Phoebe Putney Memorial Hospital.  In 2010, the Authority authorized the purchase of the only other hospital in Dougherty County, Palmyra Medical Center. The Federal Trade Commission (FTC) sought to block the merger on the grounds that it would create a virtual monopoly and would substantially lessen competition in the market for acute-care hospital services, in violation of Section 5 of the Federal Trade Commission Act and Section 7 of the Clayton Act. Both the federal district court and the Eleventh Circuit denied the FTC’s request for an injunction, finding that the state-action doctrine immunized the merger from antitrust liability.

The state-action doctrine, which was first recognized by the U.S. Supreme Court in Parker v. Brown,2 exempts from the federal antitrust laws actions by a state acting in its sovereign capacity. The doctrine was subsequently expanded to cover subdivisions of a state, such as municipalities and other local governmental entities which, although not sovereign, are immune from federal antitrust scrutiny if their activities are undertaken pursuant to a “clearly articulated and affirmatively expressed” state policy to displace competition. Even anticompetitive actions of private parties implementing state policy may be entitled to immunity if the “clear articulation” requirement is met and the policy is “actively supervised” by the state itself.3

To pass the “clear articulation” test, a state legislature need not expressly state an intention for a delegated action to have anticompetitive effects. Rather, state-action immunity applies if the anticompetitive effect was the “foreseeable result” of what the state authorized.  The Eleventh Circuit found that, because the Authority was granted broad corporate powers, including power to acquire and lease hospitals, anticompetitive conduct by the Authority must have been reasonably anticipated by the Georgia Legislature and therefore was foreseeable.

The Supreme Court disagreed.  Writing for the Court, Justice Sonia Sotomayor noted at the outset that “state-action immunity is disfavored.” The Court held that the Eleventh Circuit applied the concept of foreseeability too loosely and that the “clear articulation” standard is met only where anticompetitive effects are the “inherent, logical, or ordinary result of the exercise of authority delegated by the state legislature.” More specifically, the Supreme Court said that grants of general corporate power to substate governmental entities, such as the Authority, do not meet the “clear articulation” requirement for state-action immunity. The acquisition and leasing powers exercised by the Authority mirror general powers routinely conferred by state law upon private corporations and are typically used in ways that raise no antitrust concerns. As a result, a state that has delegated such general powers cannot be said to have contemplated that they will be used to displace competition, for example, by consolidating ownership of hospitals.

The Supreme Court did acknowledge that public, non-profit entities like the Authority differ materially from private corporations that offer hospital services. However, neither the Georgia Legislature’s objective of improving access to affordable health care, nor the Authority’s non-profit status, logically suggested that the State intended hospital authorities to pursue their goals through anticompetitive mergers. Even the authorization of discrete forms of anticompetitive conduct pursuant to a regulatory structure, such as the Legislature’s certificate of need requirement, did not mean the State affirmatively contemplated other forms of anticompetitive conduct that are only tangentially related.

The Supreme Court’s decision narrows the scope of state-action immunity and has implications for conduct of local governmental entities as well as private actors, not only involving mergers and acquisitions in the health care sector, but also in other contexts and other industries. This was noted by the FTC, which issued a statement praising the Court’s opinion and stating that it “will ensure competition in a variety of other industries, as well.” Entities acting under existing state legislation may need to re-evaluate whether the statutes that empower them offer immunity from federal antitrust scrutiny. Even legislation that explicitly allows some activities that might be anticompetitive may now need to be read more carefully. Parties seeking to get new legislation passed to protect certain conduct that may displace competition now have a clearer roadmap for the degree of specificity required in the statutory language.


1 568 U.S. ___ (2013).

2 317 U.S. 341 (1943).

3 Local governmental entities are not subject to the “active state supervision” requirement because they have less of an incentive to pursue their own self-interest under the guise of implementing state policies.

© 2013 Bracewell & Giuliani LLP

DOL, IRS, and HHS Put the Brakes on Stand-Alone Health Reimbursement Arrangements Used to Access Health Insurance Coverage in the Individual Market

The National Law Review recently featured an article regarding Health Reimbursement Arrangements written by Alden J. Bianchi and Gary E. Bacher of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.:

In a set of Frequently Asked Questions (FAQs) posted to the Department of Labor’s website on January 24, the Departments of Health and Human Services, Labor, and Treasury (the “Departments”) put a stop to an approach to health plan design under which employers furnish employees with a pre-determined dollar amount (a “defined contribution”) that employees can apply toward the purchase of health insurance coverage in the individual health insurance market.

An arrangement under which an employer provides an amount of money to employees to pay for unreimbursed medical expenses or for individual market premiums is itself a “group health plan.” Such an arrangement is referred to and regulated under the Internal Revenue Code as a “health reimbursement arrangement” or “HRA.”2 The HRA approach described above is referred to as a “stand-alone HRA” to distinguish it from arrangements in which the HRA is paired with an employer’s group health plan. This latter HRA design is referred to as an “integrated HRA.”

The rules governing HRAs stand in contrast to cafeteria plans and medical flexible spending arrangements, which pave the way for employee contributions to be paid with pre-tax dollars. Where employee contributions are limited to premiums, the cafeteria plan is referred to colloquially as a “premium-only” plan. Where employees can set aside their own money to pay for certain medical expenses including co-pays and co-insurance with pre-tax dollars, the arrangement is referred to as a “medical flexible spending arrangement” or “medical FSA.” Medical FSAs can include employer money (typically in the form of “flex credits”), but they cannot be used to pay health insurance premiums.

While some vendors have begun to market stand-alone HRAs, it was never clear that HRAs used to access individual market coverage could pass muster under the Patient Protection and Affordable Care Act (the “Act”) or other applicable laws. The regulatory hurdles, both before and after 2014, include the following:

  1. Before 2014, carriers issuing coverage in the individual market are free to impose all manner of underwriting conditions, which raise the specter of discrimination based on health status in violation of Title I of the Health Insurance Portability and Accountability Act (HIPAA). These concerns disappear commencing in 2014 as a consequence of the Act’s comprehensive overhaul of health insurance underwriting practices.
  2. The Act generally prohibits group health plans and health insurance carriers from imposing lifetime or annual limits on the dollar value of essential health benefits. In prior guidance, the regulators gave a “pass” to integrated HRAs, but not to stand-alone HRAs.
  3. Because individual market products are age rated, the same coverage will cost more in the hands of an older employee than in the hands of a similarly-situated younger employee. Before 2014, the variations in premium costs are a matter of state law; from and after 2014, the Act establishes a federal floor under “modified community rating” rules that permit a disparity of no more than 3:1. Under either regulatory regime, a flat dollar amount is thought to raise questions under the Age Discrimination in Employment Act (ADEA). Under the ADEA, variations in premiums are permitted only where the added cost charged to an older employee is justified by the actuarially-adjusted cost of providing the benefits to the older employee.

The FAQs cite the Act’s ban on lifetime and annual limits as the basis for their objection to stand-alone HRAs used to access individual market coverage. Specifically, the FAQs note that—

“[A]n HRA is not considered integrated with primary health coverage offered by the employer unless, under the terms of the HRA, the HRA is available only to employees who are covered by primary group health plan coverage provided by the employer. …”

The Departments state their objections unequivocally: an HRA used to purchase coverage in the individual market cannot be considered integrated with that individual market coverage. Therefore, such an arrangement does not satisfy the requirements of the Act prohibiting group health plans and health insurance carriers from imposing lifetime or annual limits on essential health benefits. The Departments also made clear that an employer-sponsored HRA may be treated as integrated with other coverage only if the employee receiving the HRA is actually enrolled in that coverage. Thus, if an HRA credits additional amounts to an individual only when he or she does not enroll in the employer’s group health plan, the HRA will not comply with the Act.

Recognizing the potential hardship to existing stand-alone HRAs, the FAQs include a special rule for amounts credited or made available under HRAs in effect prior to January 1, 2014. Whether or not an HRA is integrated with other group health plan coverage, unused amounts credited before January 1, 2014 may be used after December 31, 2013 to reimburse medical expenses without running afoul of the Act. If the HRA did not prescribe a set amount or amounts to be credited during 2013, then the amounts credited cannot exceed the amount credited for 2012.

©1994-2013 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

HIPAA Final Omnibus Rule Brings “Sweeping Change” to Health Care Industry

On January 17, 2013, the U.S. Department of Health and Human Services (HHS) announced the release of the HIPAA final omnibus rule, which was years in the making. The final rule makes sweeping changes to the HIPAA compliance obligations of covered entities and business associates and comprises four final rules wrapped into one:

  1. Modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and certain other modifications to improve the rules, which were issued as a proposed rule on July 14, 2010;
  2. Changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act and to adopt the additional HITECH Act enhancements to the Enforcement Rule that were not previously adopted in the October 30, 2009 interim final rule, including provisions to address enforcement where there is HIPAA non-compliance due to willful neglect;
  3. A final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which eliminates the breach notification rule’s “harm” threshold and supplants an interim final rule published on Aug. 24, 2009; and
  4. A final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on Oct. 7, 2009.

HHS estimates a total cost of compliance with the final omnibus rule’s provisions to be between $114 million and $225.4 million in the first year of implementation and approximately $14.5 million each year thereafter. Among the costs HHS associates with the final rule are: (i) costs to covered entities of revising and distributing new notices of privacy practices; (ii) costs to covered entities related to compliance with new breach notification requirements; (iii) costs to business associates to bring their subcontracts into compliance with business associate agreement requirements; and (iv) costs to business associates to come into full compliance with the Security Rule. HHS attributes between $43.6 million and $155 million of its first year estimates to business associate compliance efforts. It is predicted that the true compliance costs for both covered entities and business associates will be far in excess of these HHS estimates.

Some of the key provisions of the final omnibus rule include:

  • Expanded definition of “business associate.” The definition of “business associate” has been expanded to include subcontractors of business associates, any person who “creates, receives, maintains, or transmits” protected health information on behalf of a covered entity, and certain identified categories of data transmission services that require routine access to protected health information, among others. A covered entity is not required to enter into a business associate agreement with a business associate that is a subcontractor; that obligation flows down to the business associate, who is required to obtain the proper written agreement from its subcontractors.
  • Direct compliance obligations and liability of business associates. Business associates are now directly liable for compliance with many of the same standards and implementation specifications, and the same penalties now apply to business associates that apply to covered entities, under the Security Rule. Additionally, the rule requires business associates to comply with many of the same requirements, and applies the same penalties to business associates that apply to covered entities, under the Privacy Rule. Business associates must also obtain satisfactory assurances in the form of a business associate agreement from subcontractors that the subcontractors will safeguard any protected health information in their possession. Finally, business associates must furnish any information the Secretary requires to investigate whether the business associate is in compliance with the regulations.
  • Modified definition of “marketing.” The definition of “marketing” has been modified to encompass treatment and health care operations communications to individuals about health-related products or services if the covered entity receives financial remuneration in exchange for making the communication from or on behalf of the third party whose product or service is being described. A covered entity must obtain an individual’s written authorization prior to sending marketing communications to the individual.
  • Prohibition on sale of PHI without authorization. An individual’s authorization is required before a covered entity may disclose protected health information in exchange for remuneration (i.e., “sell” protected health information), even if the disclosure is for an otherwise permitted disclosure under the Privacy Rule. The final rule includes several exceptions to this authorization requirement.
  • Clear and conspicuous fundraising opt-outs. Covered entities are required to give individuals the opportunity to opt-out of receiving future fundraising communications. The final rule strengthens the opt-out by requiring that it be clear and conspicuous and that an individual’s choice to opt-out should be treated as a revocation of authorization. However, the final rule leaves the scope of the opt-out to the discretion of covered entities. In addition to demographic information, health insurance status, and dates of health care provided to the individual, the final rule also allows covered entities to use and disclose: department of service information, treating physician information, and outcome information for fundraising purposes. Covered entities are prohibited from conditioning treatment or payment on an individual’s choice with respect to the receipt of fundraising communications. In addition, the NPP must inform individuals that the covered entity may contact them to raise funds and that they have a right to opt-out of receiving such communications.
  • Right to electronic copy of PHI. If an individual requests an electronic copy of protected health information that is maintained electronically in one or more designated record sets, the covered entity must provide the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual.
  • Right to restrict disclosures to health plans. When an individual requests a restriction on disclosure of his or her protected health information, the covered entity must agree to the requested restriction (unless the disclosure is otherwise required by law), if the request for restriction is on disclosures to a health plan for the purpose of carrying out payment or health care operations and if the restriction applies to protected health information for which the health care provider has been paid out of pocket in full. Covered health care providers will need to employ some method to flag or make a notation in the record with respect to the protected health information that has been restricted to ensure that such information is not inadvertently sent to or made accessible to the health plan for payment or health care operations purposes, such as audits by the health plan.
  • GINA changes for some health plans. Health plans that are HIPAA covered entities, except issuers of long term care policies, are prohibited from using or disclosing an individual’s protected health information that is genetic information for underwriting purposes. The rule does not affect health plans that do not currently use or disclose protected health information for underwriting purposes.
  • Provision for compound authorizations for research. A covered entity may combine conditioned and unconditioned authorizations for research, provided that the authorization clearly differentiates between the conditioned and unconditioned research components, clearly allows the individual the option to opt in to the unconditioned research activities, and the research does not involve the use or disclosure of psychotherapy notes. For research that involves the use or disclosure of psychotherapy notes, an authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for a use or disclosure of psychotherapy notes.
  • Required changes to Notice of Privacy Practices (NPP). NPPs must be modified and distributed to individuals to advise them of the following: (1) for health plans that underwrite, the prohibition against health plans using or disclosing PHI that is genetic information about an individual for underwriting purposes; (2) the prohibition on the sale of protected health information without the express written authorization of the individual, as well as the other uses and disclosures for which the rule expressly requires the individual’s authorization (i.e., marketing and disclosure of psychotherapy notes, as appropriate); (3) the duty of a covered entity to notify affected individuals of a breach of unsecured protected health information; (4) for entities that have stated their intent to fundraise in their notice of privacy practices, the individual’s right to opt out of receiving fundraising communications from the covered entity; and (5) the right of the individual to restrict disclosures of protected health information to a health plan with respect to health care for which the individual has paid out of pocket in full.
  • Broader disclosure of decedents’ PHI. Covered entities are permitted to disclose a decedent’s protected health information to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.
  • Disclosure of proof of immunizations to schools. A covered entity is permitted to disclose proof of immunization to a school where State or other law requires the school to have such information prior to admitting the student. While written authorization will no longer be required to permit this disclosure, covered entities will still be required to obtain agreement, which may be oral, from a parent, guardian or other person acting in loco parentis for the individual, or from the individual himself or herself, if the individual is an adult or emancipated minor.
  • Tiered and enhanced enforcement provisions. The final rule conforms the regulatory language of the rule to the enhanced enforcement provisions of the HITECH Act. Penalties for non-compliance are based on the level of culpability with a maximum penalty of $1.5 million for uncorrected willful neglect.

As detailed above, the changes announced by HHS expand many of the requirements to business associates and subcontractors. Fortunately, the final rule provides a slight reprieve in one respect. It allows covered entities and business associates up to one year after the 180-day compliance date to modify business associate agreements and contracts to come into compliance with the rule.

Perhaps the most highly anticipated change found in the final omnibus rule relates to what constitutes a “breach” under the Breach Notification Rule. The final rule added language to the definition of breach to clarify that an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity (or business associate) demonstrates that there is a low probability that the PHI has been compromised. Stated differently, the rule removes the subjective harm standard and modifies the risk assessment to focus instead on the risk that the PHI has been compromised. The final rule also identifies four objective factors covered entities and business associates are to consider when performing a risk assessment to determine if the protected health information has been compromised and breach notification is necessary: (1) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the protected health information or to whom the disclosure was made; (3) whether the protected health information was actually acquired or viewed; and (4) the extent to which the risk to the protected health information has been mitigated.

The final omnibus rule does not address the accounting for disclosures requirements, which is the subject of a separate proposed rule published on May 31, 2011, or the penalty distribution methodology requirement, which HHS has stated will both be the subject of future rulemaking.

The Office of Civil Rights has characterized the new rules as “the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.” Leon Rodriguez, the Director of the Office of Civil Rights, stated, “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

The HIPAA final omnibus rule is scheduled to be published in the Federal Register on January 25, 2013 and will go into effect on March 26, 2013. Covered entities and business associates must comply with the applicable requirements of the final rule by September 23, 2013. Entities affected by this final rule are strongly urged to begin an analysis of their existing HIPAA compliance policies and procedures and take steps to comply with the final rule.

The HHS Press Release announcing the final rule is available at:
http://www.hhs.gov/news/press/2013pres/01/20130117b.html

The full text of the rule is currently available at:
https://www.federalregister.gov/articles/2013/01/25/2013-01073/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules

© 2013 Dinsmore & Shohl LLP

Brace for Impact – Final HITECH Rules Will Require Substantially More Breach Reporting

The National Law Review recently published an article, Brace for Impact – Final HITECH Rules Will Require Substantially More Breach Reporting, written by Elizabeth H. Johnson with Poyner Spruill LLP:

The U.S. Department of Health and Human Services (HHS) has finally issued its omnibus HITECH Rules.  Our firm will issue a comprehensive summary of the rules shortly (sign up here), but of immediate import is the change to the breach reporting harm threshold.  The modification will make it much more difficult for covered entities and business associates to justify a decision not to notify when an incident occurs.

Under the interim rule, which remains in effect until September 23, 2013, a breach must be reported if it “poses a significant risk of financial, reputational, or other harm to the individual.” The final rule, released yesterday, eliminates that threshold and instead states:

“[A]n acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E [the Privacy Rule] is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;

(iii) Whether the protected health information was actually acquired or viewed; and

(iv) The extent to which the risk to the protected health information has been mitigated.”
(Emphasis added).

In other words, if a use or disclosure of information is not permitted by the Privacy Rule (and is not subject to one of only three very narrow exceptions), that use or disclosure will be presumed to be a breach.  Breaches must be reported to affected individuals, HHS and, in some cases, the media.  To rebut the presumption that the incident constitutes a reportable breach, covered entities and business associates must conduct the above-described risk analysis and demonstrate that there is only a low probability the data will be compromised.  If the probability is higher, breach notification is required regardless of whether harm to the individuals affected is likely.  (Interestingly, this analysis means that if there is a low probability of compromise notice may not be required even if the potential harm is very high.)

What is the effect of this change?  First, there will be many more breaches reported, resulting in even greater costs and churn than the already staggering figures published by Ponemon, which reports that 96% of health care entities have experienced a breach, with average annual costs of $6.5 billion since 2010.

Second, enforcement will increase.  Under the new rules, the agency is required (no discretion) to conduct compliance reviews when “a preliminary review of the facts” suggests a violation due to willful neglect.  Any reported breach that suggests willful neglect would then appear to require agency follow-up.  And it is of course free to investigate any breach reported to it.  HHS reports that it already receives an average of 19,000 notifications per year under the current, more favorable breach reporting requirements, so where will it find the time and money to engage in all these reviews?  Well, the agency’s increased fining authority, up to an annual maximum of $1.5 million per type of violation, ought to be some help.

Third, covered entities and business associates can expect to spend a lot of time performing risk analyses.  Every single incident that violates the Privacy Rule and does not fit into one of three narrow exceptions must be the subject of a risk analysis in order to defeat the presumption that it is a reportable breach.  The agency requires that those risk analyses be documented, and they must include at least the factors listed above.

So why did the agency change the reporting standard?  As it says in the rule issuance, “We recognize that some persons may have interpreted the risk of harm standard in the interim final rule as setting a much higher threshold for breach notification than we intended to set. As a result, we have clarified our position that breach notification is necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised. . . .”

The agency may also have changed the standard because it was criticized for having initially included a harm threshold in the rule, with critics claiming that the HITECH Act did not provide the authority to insert such a standard.  Although the new standard does, in essence, permit covered entities and business associates to engage in a risk-based analysis to determine whether notice is required, the agency takes the position that the new standard is not a “harm threshold.”  As they put it, “[W]e have removed the harm standard and modified the risk assessment to focus more objectively on the risk that the protected health information has been compromised.”  So, the agency got their way in that they will not have to receive notice of every single event that violates the Privacy Rule and they have made a passable argument to satisfy critics that the “harm threshold” was removed.

The new rules are effective March 26, 2013 with a compliance deadline of September 23, 2013.  Until then, the current breach notification rule with its “significant risk of harm” threshold is in effect.  To prepare for compliance with this new rule, covered entities and business associates need to do the following:

  • Create a risk analysis procedure to facilitate the types of analyses HHS now requires and prepare to apply it in virtually every situation where a use or disclosure of PHI violates the Privacy Rule.
  • Revisit security incident response and breach notification procedures and modify them to adjust notification standards and the need to conduct the risk analysis.
  • Revisit contracts with business associates and subcontractors to ensure that they are reporting appropriate incidents (the definition of a “breach” has now changed and may no longer be correct in your contracts, among other things).
  • If you have not already, consider strong breach mitigation, cost coverage, and indemnification provisions in those contracts.
  • Revisit your data security and breach insurance policies to evaluate coverage, or lack thereof, if applicable.
  • Consider strengthening and reissuing training.  With every Privacy Rule violation now a potentially reportable breach, it’s more important than ever to avoid mistakes by your workforce.  And if they happen anyway, during a subsequent compliance review, it will be important to be able to show that your staff was appropriately trained.
  • Update your policies to address in full these new HIPAA rules.  The rules require it, and it will improve your compliance posture if HHS does conduct a review following a reported breach.

As noted above, our firm will issue a more comprehensive summary of these new HIPAA rules in coming days.

© 2013 Poyner Spruill LLP

Gun Violence Prompts HHS to Release Letter on Disclosures of Protected Health Information to Avert Threats to Health or Safety

vonBriesen

The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) issued a letter to health care providers clarifying the providers’ ability under the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule to disclose necessary information about patients to avert threats to health or safety. OCR explained that providers may take action, consistent with ethical standards and other legal obligations, to disclose necessary information about a patient to law enforcement, family members of the patient, or other persons when providers believe the patient presents a serious danger to himself or other people.

OCR Secretary Leon Rodriguez issued the letter in response to recent mass shootings in Newtown, Connecticut and Aurora, Colorado. The letter does not introduce a new requirement or standard for providers. Rather, the letter serves as a reminder that when considering whether to disclose protected health information to avert threats, providers are required to balance safety with patient privacy and that in some instances, safety will be paramount to privacy. HIPAA is not a barrier to making disclosures under these circumstances.

OCR Guidance

In its letter, OCR explains that the Privacy Rule balances the privacy of patient protected health information with the need to ensure that information may be appropriately used or disclosed when necessary for the patient’s treatment, to protect the nation’s public health, and for other critical purposes. According to OCR, one such critical purpose is the disclosure of otherwise confidential information when providers warn law enforcement or others that individuals may be at risk of harm because of a patient. In such circumstances, providers are presumed to act in good faith based on the provider’s interaction with the patient or based on a credible report from a person with apparent knowledge of the patient or other individual. Such provider warnings must be made consistent with other applicable law, including state law (see below for more on Wisconsin state law).

OCR’s letter emphasizes that in order to avert threats to health or safety, information from mental health records may be disclosed, as necessary, to certain individuals who may reasonably be able to prevent or lessen the risk of harm. Consequently, if a patient makes a credible threat, a mental health provider may alert police, a parent or family member of a patient, school administrators, campus police and others who may be able to intervene without violating HIPAA. However, OCR cautions that providers should abide by state law in addition to federal law governing alcohol and drug abuse (“AODA”) treatment records (42 C.F.R. Part 2).

Wisconsin Law

The OCR letter is generally consistent with Wisconsin law which has established that mental health professionals have a duty to exercise reasonable care in the treatment of their patients by warning others of threats of harm by the patient. In Schuster v. Altenberg (Wisconsin’s version of the Tarasoff case), the Wisconsin Supreme Court held that the duty to warn extends to whatever steps are reasonably necessary under the circumstances, including contacting the police, recommending or requiring hospitalization, or notifying a family member or friend who can help ensure safety.

Despite a provider’s duty to warn, Wisconsin’s privacy statutes do not expressly permit the disclosure of mental health records for this purpose. As a result, Wisconsin providers may disclose otherwise confidential information to avert threats, but providers should limit the information to be disclosed to only that information which is essential to avert or lessen the threat.

We are aware that the legislature will make efforts during this legislative session to amend Section 51.30 of the Wisconsin Statutes, which protects the privacy of mental health records. A goal of the effort is to align the privacy provisions of Wisconsin law with HIPAA. This legislative effort may present an opportunity to amend Section 51.30 to expressly permit disclosure of mental health information and records to avert threats.

What Does This Mean For Wisconsin Providers – A Balancing Test

If a health care provider has reason to believe that a patient poses a threat to self or others, the provider may disclose otherwise confidential information about the patient in order to warn law enforcement, intended targets of the harm, or members of the patient’s family. However, the provider should not disclose a patient’s complete treatment record.

Providers must balance safety and patient privacy to assess what confidential information is reasonably necessary to provide notice to officials or individuals so that they may appropriately intervene to prevent or lessen a threat to health or safety. This balancing test takes into account the who, what, when, and how of disclosure – what individuals, officers, or organizations should receive the warning and disclosure; what confidential information should be disclosed; when should appropriate individuals be notified; and how should notice be provided?

For example, pursuant to a provider’s duty to warn, if a patient has made credible threats, the provider could share the patient’s name and contact information, the specific threats made by the patient, and a list of persons who may be at risk. However, it is unlikely that disclosure of the patient’s treatment plan, complete list of prescriptions, and childhood history would be necessary to avert the threat. Law enforcement may be able to obtain a court order for more complete records, should they determine such disclosure is necessary. Providers are well advised to consult legal counsel when conducting this delicate balancing test.

Providers take on risk for over-disclosure of confidential patient information. OCR’s letter and the provider’s duty to warn do not provide providers with a blanket protection to disclose confidential patient information. Instead, providers should conduct the requisite balancing test and disclose only that confidential information reasonably necessary to avert or lessen a threat.

©2013 von Briesen & Roper, s.c.

The Wrap-Around Slap-Around for Primary Care Centers

For Kentucky Primary Care Centers (“PCCs”), Rural Health Centers (“RHCs”), and Federally Qualified Health Centers (“FQHCs”), getting the run-around from Medicaid on wrap-around payments is not so unusual.  Frequently, these providers complain that supplemental payments distributed by the Kentucky Department for Medicaid Services (“Medicaid”) are too low, too late or both.

Last week the situation got worse for PCCs, who received a slap in the face from Medicaid in the form of a letter declaring that PCCs who do not carry a federal designation as a rural health care provider will no longer receive Medicaid wrap-around payments as of February 1, 2013.

  • The History

The establishment of FQHCs and RHCs was precipitated by the need for primary health care services in rural areas.  In addition to other requirements, these providers must be located in an area that has been designated as medically underserved (“MUA”) or having a shortage of health care professionals (“HPSA”).  To encourage providers to serve patients in these areas, federal law provides that these services are reimbursed using a prospective payment system (“PPS”), which is determined separately for each individual FQHC or RHC, calculated on a per-visit cost basis, and does not include any adjustment factors other than a growth rate to account for inflation and a change in the scope of services furnished during that fiscal year.

Years ago, Kentucky established an additional type of licensed health provider, the PCC, which often looks like a RHC in its service delivery model but is not located in a MUA or HPSA and therefore not eligible for certification as a RHC or FQHC.  For payment purposes, Medicaid has always treated PCCs like RHCs and FQHCs—using a PPS rate.  State Plan Amendments filed by Medicaid and approved by CMS clearly document Kentucky’s decision to reimburse PCCs using the same methodology that is used for FQHCs and RHCs.  Importantly, PCCs have always been a creature of Kentucky, not federal, law.

  • The Wrap-Around

In November 2011, Medicaid began contracting with Managed Care Organizations (“MCOs”) to provide coverage to Kentucky’s Medicaid population. These MCOs reimburse FQHCs and RHCs for their services not on a PPS rate basis but in accordance with their individual fee schedules.  The wrap-around payment was introduced by The Balanced Budget Act of 1997 when the law: (1) relieved MCOs of the responsibility to pay FQHCs and RHCs their cost-based rate and instead required the MCOs to pay these providers “not less” than they would pay non-PPS reimbursed providers for the same medical services, and (2) required that PPS-reimbursed providers were compensated by Medicaid the difference between the amount paid by the MCO and the facility’s PPS rate.  As a result, State Medicaid Programs are required to make  “wrap-around payments” at least every four months.

Because Medicaid pays wrap-around payments for PPS reimbursed providers, and PCCs are paid using the same PPS methodology as FQHCs and RHCs, Medicaid distributes wrap-around payments to FQHCs, RHCs, and PCCs.

  • The Slap-Around

Medicaid is funded with state and federal dollars and apparently, as stated in last week’s letter to providers, which can be accessed via this link (20130109152243687), CMS has drawn a line and is requiring Kentucky’s Medicaid to cut off wrap-around payments for Kentucky PCCs.  This means that unless a PPS-reimbursed primary care provider has a federal designation as a MUA or HPSA and is certified as a RHC or FQHC, it will only receive reimbursement from the MCOs.  In other words, as of February 1, 2013, PCCs’ PPS rates will no longer be recognized as a basis for supplemental payments from Medicaid.

  • What Next?

This blow leaves the owner/operators of PCCs shaking their heads—especially in light of the astounding costs expended to establish and defend a viable PPS rate that is soon to be meaningless.  What’s more, Medicaid’s helping hand is nowhere to be found.

This conundrum requires fast and creative action which could include: seeking an injunction in Franklin Circuit Court to stop Medicaid from acting in violation of Kentucky law and basic due process; collaborating with another provider that is located in an area designated as a MUA or HPSA or is already certified as a RHC; or corporate restructuring to become a non-profit with a community-board that is eligible to become a FQHC, to name a few.   There is no simple solution.  For PCCs, this is much more than the usual wrap-around run-around.

© 2013 by McBrayer, McGinnis, Leslie & Kirkland, PLLC

Late Action to Avert “Fiscal Cliff” Includes Several Health Policy Changes

As was widely expected over the month of December, the Obama Administration and Congress scrambled in the late hours of 2012 and on New Year’s Day devising a legislative package to prevent the United States from going over the “Fiscal Cliff,” a series of across-the-board tax increases and spending cuts that would have been automatically implemented without intervening legislative action. Although the compromise they reached was far from the “Grand Bargain” that President Obama and many members of Congress were seeking, Vice President Biden and Senate leadership came to an agreement to avoid the cliff for the early part of 2013. The Senate approved the package, the American Taxpayer Relief Act (H.R. 8), by an overwhelmingly bipartisan vote of 89-8 in the early morning hours of New Year’s Day. Later that day, shortly before midnight, the House voted to approve the Senate package by a vote of 257-167, with 85 Republicans joining 172 Democrats in support.

The legislation contains some significant health policy changes, described in more detail below, although its primary purpose is to prevent steep tax increases for 99% of Americans and to delay the automatic “sequestration” spending cuts that were scheduled to go into effect due to an earlier agreement to raise the debt ceiling. In H.R. 8, which the Congressional Budget Office (CBO) estimates will cost around $4 trillion, the sequester is turned off for two months, allowing Congress more time to focus on a comprehensive deficit reduction solution. In addition, current tax rates are permanently extended for all Americans earning up to $400,000 for individuals and $450,000 for married couples. Several other major tax modifications, including some related to the estate tax and capital gains, were also included. Discussion about other aspects of the legislation, including changes to renewable energy programs, may be found here.

The health policy provisions included in the bill fall into two main categories: (1) extension of various health care programs and reimbursement streams under Medicare and other government initiatives, and (2) “offsets” and changes in other programs and payment methodologies to glean savings to cover the costs of the package. A summary of the major health care provisions is as follows.

Summary of Extensions of Health Care Programs/Reimbursement

The most sought-after extender provision in the Act is the so-called “Doc Fix” or physician payment adjustment for Medicare providers. If Congress had failed to act, as of January 1, 2013, reimbursement rates for physicians under the Medicare program would have dropped by about 26.5% based on the application of the sustainable growth rate (SGR) formula that adjusts Medicare physician reimbursement annually. The effect of the SGR formula, if it is actually implemented, is to decrease, not increase, physician reimbursement. Although there is widespread support for a “permanent fix” to the SGR, the steep costs of not implementing its cumulative reductions lead Congress every year to seek a short-term solution. H.R. 8 freezes the Medicare physician reimbursement rate at its 2012 level until December 31, 2013 with a price tag of about $25 billion over ten years. (A more permanent, albeit expensive, solution for the Doc Fix may be considered in Congress as part of the upcoming debates starting this spring over the debt ceiling increase and continuing resolution.)

In addition to the Doc Fix, several other payment and program extensions were part of the legislative agreement. Some of the more notable provisions include:

  • Ambulance Add-On Payments: This provision continues the base rate payment add-ons for ground ambulance transports through December 31, 2013. Ambulance transports will receive a 2% add-on in urban areas, a 3% add-on for rural areas, and a 22.6% add-on for super-rural areas (a “super-rural area” is defined as a rural county that is among the lowest quartile of all rural counties by population density).
  • Payments for Outpatient Therapy Services: Payments for these services will be capped at $1,880 for any therapy services provided by non-hospital providers. The Act continues to use this limit, but also extends the “exceptions case process” by which providers can receive additional reimbursements if more therapy services are deemed to be medically necessary. The extension lasts until December 31, 2013.
  • Medicare-Dependent Hospital (MDH) Program: H.R. 8 extends the MDH program, which delivers increased reimbursements to small rural hospitals that depend on Medicare payments for a large share of their revenue. The MDH program also supports the development of rural health infrastructure. The extension lasts through the beginning of the next federal fiscal year on October 1, 2013. The Act also extends a payment add-on for low-volume hospitals, which are defined as having fewer than 1,600 Medicare discharges and being at least 15 miles away from the nearest “like-hospital.”
  • Work Geographic Adjustment: Under this provision the existing 1.0 floor on the “physician work” index continues through December 31, 2013, to reflect the geographic differences in cost of resources to provide physician services to Medicare beneficiaries.
  • Medicare Advantage Plans for Special Needs Beneficiaries: The Act extends through 2014 the authority of specialized Medicare Advantage plans to target the enrollment of special needs individuals.
  • Medicare Reasonable Cost Contracts: H.R. 8 allows Medicare Reasonable Cost Contracts to exist through 2014 in areas in which at least two Medicare Advantage coordinated care plans currently operate.
  • Performance Improvement under Medicare: The Act extends funding through 2013 for the Medicare Improvements and Providers Act of 2008 and for outreach and assistance for low-income programs.

Outside of the Medicare program, the Act also has a number of other extensions, including: extending the Qualifying Individual Program, which allows Medicaid to pay Medicare Part B premiums for beneficiaries with incomes between 120% and 135% of the poverty line, until December 31, 2013; extending the Transitional Medical Assistance program, which allows low-income residents to maintain their Medicaid coverage when they start new employment, through December 31, 2013; continuing the Medicaid and CHIP Express Lane option through September 30, 2014; and extending funding for Family-to-Family Health Information Centers and diabetes research, treatment, and prevention programs for American Indians and Alaska Natives.

Summary of Health Care Offsets

In order to offset the projected costs of the extender provisions in the bill, the Act implements cost reductions in Medicare and other government health programs. Most significantly, a provision adjusting the Documentation and Coding of Medicare payments will allow CMS to recoup overpayments that it determines had been made to hospitals, and not yet recovered, as a result of the transition to Medicare Severity Diagnosis Related Groups (DRGs). CMS had been concerned that providers were “over-coding” (providing better documentation and coding of medical records to achieve a higher-weighted DRG) to increase their reimbursements and had instituted a prospective recoupment program covering certain years. This program is now extended. Congress estimates savings of $10.5 billion over ten years. In a separate provision, the Act increases the statute of limitations for recovering overpayments from 3 to 5 years.

Some of the other more notable offsets include the following:

  • End Stage Renal Disease (ESRD) Payments: H.R. 8 makes several changes related to payments for ESRD. It is projected to save $4.9 billion by altering the bundled payment to account for behavioral and utilization changes of dialysis drugs. It also is projected to save $300 million by reducing reimbursement rates by 10% for ambulance services to ESRD individuals receiving non-emergency basic life support services.
  • Medicare Disproportionate Share Hospitals: To save an estimated $4.2 billion, the Act maintains the 75% reduction in the reimbursement rate for Medicare Disproportionate Share Hospitals contained in the Affordable Care Act, and will determine future allotments from this rebased level.
  • Coding Intensity Adjustment: Under current law, Medicare Advantage plans receive a coding intensity adjustment of 3.41%, which reduces those plans’ reimbursement rates so that they more closely match the reimbursement to Medicare fee-for-service plans. This rate factor, determined by the CMS, will be increased to save an estimated $2 billion.
  • Consumer Operated and Oriented Plans (CO-OPs): The Act rescinds all unobligated funds for the CO-OP Program and its plans, which are nonprofit health insurance providers, established by section 1332(g) of the Affordable Care Act. The provision does not take away any obligated CO-OP funds, but it does create a contingency fund consisting of 10% of the current unobligated funds. The contingency fund will be used to help currently approved and created co-ops and will result in an estimated savings of $2.3 billion.
  • CLASS Repeal: The Act repeals the Community Living Assistance Services and Supports (CLASS) program established by the ACA and championed by the late Sen. Ted Kennedy (D-MA). Although in October 2011 the Obama administration suspended the long-term care insurance program in which workers would have paid monthly premiums during their careers to create a cash-bank in case of disability later in life, many Democrats had hoped to revive the program someday. H.R. 8 repeals the CLASS Act, although doing so provided no savings. In its place, the Act creates a Commission on Long-Term Care to develop a plan for the establishment, implementation and financing of a system to make long-term care services and support available for individuals. The Commission has no scoring effect.
  • Medicare Improvement Fund: The Act eliminates the Medicare Improvement Fund for an estimated savings of $1.7 billion.
  • Multiple Therapy Procedure Payment Reduction: The Act reduces payments for physical and other therapy services when they are provided in the same day for an estimated savings of $1.8 billion.
  • Advanced Imaging Services Adjustment: The Act increases the utilization factor used in the setting of payment for imaging services in Medicare from 75% to 90%, which is projected to save $800 million.
  • Competitive Bidding Rates Applicable for all Diabetic Supplies: The Act applies competitive bidding payment rates to diabetic test strips purchased at retail pharmacies for an estimated savings of $600 million.
  • Radiology Services Adjustment: The Act reduces payments for stereotactic radiosurgery services paid for under the Medicare hospital outpatient system, which is expected to save $300 million.

Although the American Taxpayer Relief Act has prevented the country from going over the “fiscal cliff,” the 113th Congress will almost certainly continue to focus on health care cost containment and entitlement reform in the coming weeks and months. Mintz Levin and ML Strategies will continue to closely monitor the effect of fiscal policy on health care.

©1994-2012 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

2013 Notice to Employees Concerning the American Health Benefit Exchanges

Fowler White Boggs P.A.’s Lawrence M. Ploucha, Barbara L. Sanchez-Salazar, and Kathy J. Tayon recently had an article, 2013 Notice to Employees Concerning the American Health Benefit Exchanges, featured in The National Law Review:

Under the Patient Protection and Affordable Care Act of 2010 (“PPACA”) each state is required to establish an American Health Benefit Exchange (“Exchange”) that:

  • facilitates the purchase of qualified health plans;
  • provides for the establishment of a small business health program that is designed to assist qualified small employers in the state with facilitating the enrollment of their employees into qualified health plans offered in the small group market in their state; and
  • meets certain organizational and operational requirements.

Although the Exchanges are not set to come on line until January 1, 2014, employers have an obligation in 2013 to inform current employees and new hires of the availability of the Exchange and of the employees’ ability to shop for coverage and, if eligible, to obtain coverage from the Exchange.

The employer’s notice must be in writing and must be issued by the following deadlines:

  • Information to new hires: March 1st and
  • Information to current employees: March 13th

The notice should explain:

  • General information concerning the employer’s health plan;
  • The employee’s right to purchase health insurance coverage through a state Exchange;
  • The services provided by the Exchange;
  • How to contact the Exchange;
  • The employee’s possible eligibility for government subsidies under the Exchange if the employer’s share of the aggregate cost of benefits is less than 60%; and
  • The employee’s possible loss of an employer subsidy, if any, (in the form of a tax-free contribution to the employer-provided health coverage) if the employee purchases health insurance coverage through the Exchange.

PPACA guidance on the “aggregate cost of benefits” defines it as the aggregate cost of applicable employer-sponsored coverage. Thus the aggregate cost for an individual employee is the total cost of coverage under all applicable employer-sponsored health coverage provided to the individual employee. The amount reported may differ among a company’s employees depending on each employee’s specific election of coverage (i.e. PPO, HMO, single, family, etc.). The cost of coverage under a particular group health plan is referred to as the “reportable cost,” and the aggregate cost of applicable employer-sponsored coverage is referred to as the “aggregate reportable cost.” The aggregate reportable cost generally includes both the portion of the cost paid by the employer and the portion of the cost paid by the employee, regardless of whether the employee paid for that cost through pretax or after-tax contributions. In addition, the aggregate reportable cost also includes any portion of an employer-sponsored group health plan’s cost of coverage that is includable in the employee’s gross income.

For the purposes of the notice requirement, “applicable employer-sponsored coverage” means coverage under any group health plan (including onsite primary-care medical clinics) made available to the employee by an employer that is excludable from the employee’s gross income under Section 106 or would be excludable if it were employer-provided coverage. (Thus, employee-pay-all group health coverage is included.) However, when calculating the applicable employer-sponsored coverage do not include the following coverage:

  • Long-term care
  • Accident or disability income insurance, or any combination of the two
  • Supplement to liability insurance
  • Liability insurance, including general liability insurance and automobile liability insurance
  • Workers compensation or similar insurance
  • Automobile medical payment insurance
  • Credit-only insurance
  • Other similar insurance coverage, specified in regulations, under which benefits for medical care are secondary or incidental to other insurance benefits
  • Any coverage under a separate policy, certificate or contract of insurance that provides benefits substantially for treatment of the mouth (including any organ or structure within the mouth) or for treatment of the eye
  • Coverage only for a specified disease or illness
  • Hospital indemnity or other fixed indemnity insurance

©2002-2012 Fowler White Boggs P.A.