Biden Administration Seeks to Clarify Patient Privacy Protections Post-Dobbs, Though Questions Remain

On July 8, two weeks following the Supreme Court’s ruling in Dobbs v. Jackson that invalidated the constitutional right to abortion, President Biden signed Executive Order 14076 (E.O.). The E.O. directed federal agencies to take various actions to protect access to reproductive health care services,[1] including directing the Secretary of the U.S. Department of Health and Human Services (HHS) to “consider actions” to strengthen the protection of sensitive healthcare information, including data on reproductive healthcare services like abortion, by issuing new guidance under the Health Insurance and Accountability Act of 1996 (HIPAA).[2]

The directive bolstered efforts already underway by the Biden Administration. A week before the E.O. was signed, HHS Secretary Xavier Becerra directed the HHS Office for Civil Rights (OCR) to take steps to ensure privacy protections for patients who receive, and providers who furnish, reproductive health care services, including abortions.[3] The following day, OCR issued two guidance documents to carry out this order, which are described below.

Although the guidance issued by OCR clarifies the privacy protections as they exist under current law post-Dobbs, it does not offer patients or providers new or strengthened privacy rights. Indeed, the guidance illustrates the limitations of HIPAA regarding protection of health information of individuals related to abortion services.

A.  HHS Actions to Safeguard PHI Post-Dobbs

Following Secretary Becerra’s press announcement, OCR issued two new guidance documents outlining (1) when the HIPAA Privacy Rule may prevent the unconsented disclosure of reproductive health-related information; and (2) best practices for consumers to protect sensitive health information collected by personal cell phones, tablets, and apps.

(1) HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care

In the “Guidance to Protect Patient Privacy in Wake of Supreme Court Decision on Roe,”[4] OCR addresses three existing exceptions in the HIPAA Privacy Rule to the disclosure of PHI without an individual’s authorization and provides examples of how those exceptions may be applied post-Dobbs.

The three exceptions discussed in the OCR guidance are the exceptions for disclosures required by law,[5]  for purposes of law enforcement,[6] or to avert a serious threat to health or safety.[7]

While the OCR guidance reiterates that the Privacy Rule permits, “but does not require” disclosure of PHI in each of these exceptions,[8] this offers limited protection that relies on the choice of providers whether to disclose or not disclose the information. Although these exceptions are highlighted as “protections,” they expressly permit the disclosure of protected health information. Further, while true that the HIPAA Privacy Rule itself may not compel disclosure (but merely permits disclosure), the guidance fails to mention that in many situations in which these exceptions apply, the provider will have other legal authority (such as state law) mandating the disclosure and thus, a refusal to disclose the PHI may be unlawful based on a law other than HIPAA.

Two of the exceptions discussed in the guidance – the required by law exception and the law enforcement exception – both only apply in the first place when valid legal authority is requiring disclosure. In these situations, the fact that HIPAA does not compel disclosure is of no relevance. Certainly, when there is not valid legal authority requiring disclosure of PHI, then HIPAA prohibits disclosure, as noted as in the OCR guidance.  However, in states with restrictive abortion laws, the state legal authorities are likely to be designed to require disclosure – which HIPAA does not prevent.

For instance, if a health care provider receives a valid subpoena from a Texas court that is ordering the disclosure of PHI as part of a case against an individual suspected of aiding and abetting an abortion, in violation of Texas’ S.B. 8, then that provider could be held in contempt of court for failing to comply with the subpoena, despite the fact that HIPAA does not compel disclosure.[9] For more examples on when a covered entity may be required to disclose PHI, please see EBG’s prior blog: The Pendulum Swings Both Ways: State Responses to Protect Reproductive Health Data, Post-Roe.[10]

Notably, the OCR guidance does provide a new interpretation of the application of the exception for disclosures to avert a serious threat to health or safety. Under this exception, covered entities may disclose PHI, consistent with applicable law and standards of ethical conduct, if the covered entity, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. OCR states that it would be inconsistent with professional standards of ethical conduct to make such a disclosure of PHI to law enforcement or others regarding an individual’s interest, intent, or prior experience with reproductive health care. Thus, in the guidance, OCR takes the position that if a patient in a state where abortion is prohibited informs a health care provider of the patient’s intent to seek an abortion that would be legal in another state, this would not fall into the exception for disclosures to avert a serious threat to health or safety.  Covered entities should be aware of OCR’s position and understand that presumably OCR would view any such disclosure as a HIPAA violation.

(2) Protecting the Privacy and Security of Individuals’ Health Information When Using Personal Cell Phones or Tablets

OCR also issued guidance on how individuals can best protect their PHI on their own personal devices. HIPAA does not generally protect the privacy or security of health information when it is accessed through or stored on personal cell phones or tablets. Rather, HIPAA only applies when PHI is created, received, maintained, or transmitted by covered entities and business associates. As a result, it is not unlawful under HIPAA for information collected by devices or apps – including data pertaining to reproductive healthcare – to be disclosed without consumer’s knowledge.[11]

In an effort to clarify HIPAA’s limitation to protect such information, OCR issued guidance to protect consumer sensitive information stored in personal devices and apps.[12] This includes step-by-step guidance on how to control data collection on their location, and how to securely dispose old devices.[13]

Further, some states have taken steps to fill the legal gaps to varying degrees of success. For example, California’s Confidentiality of Medical Information Act (“CMIA”) extends to “any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information.”[14] As applied, a direct-to-consumer period tracker app provided by a technology company, for example, would fall under the CMIA’s data privacy protections, but not under HIPAA. Regardless, gaps remain as the CMIA does not protect against a Texas prosecutor subpoenaing information from the direct-to-consumer app. Conversely, Connecticut’s new reproductive health privacy law,[15] does prevent a Connecticut covered entity from disclosing reproductive health information based on a subpoena, but Connecticut’s law does not apply to non-covered entities, such as a period tracker app. Therefore, even the U.S.’s most protective state privacy laws do not fill in all of the privacy gaps.

Alongside OCR’s guidance, the Federal Trade Commission (FTC) published a blog post warning companies with access to confidential consumer information to consider FTC’s enforcement powers under Section 5 of the FTC Act, as well as the Safeguards Rule, the Health Breach Notification Rule, and the Children’s Online Privacy Protection Rule.[16] Consistent with OCR’s guidance, the FTC’s blog post reiterates the Biden Administration’s goal of protecting reproductive health data post-Dobbs, but does not go so far as to create new privacy protections relative to current law.

B.  Despite the Biden Administration’s Guidance, Questions Remain Regarding the Future of Reproductive Health Privacy Protections Post-Dobbs

Through E.O. 14076, Secretary Becerra’s press conference, OCR’s guidance, and the FTC’s blog, the Biden Administration is signaling that it intends to use the full force of its authorities – including those vested by HIPAA – to protect patient privacy in the wake of Roe.

However, it remains unclear how this messaging will translate to affirmative executive actions, and how successful such executive actions would be. How far is the executive branch willing to push reproductive rights? Would more aggressive executive actions be upheld by a Supreme Court that just struck down decades of precedent permitting access to abortion? Will the Biden Administration’s executive actions persist if the administration changes in the next Presidential election?

Attorneys at Epstein Becker & Green are well-positioned to assist covered entities, business associates, and other companies holding sensitive reproductive health data understand how to navigate HIPAA’s exemptions and interactions with emerging guidance, regulations, and statutes at both the state and Federal levels.

Ada Peters, a 2022 Summer Associate (not admitted to the practice of law) in the firm’s Washington, DC office and Jack Ferdman, a 2022 Summer Associate (not admitted to the practice of law) in the firm’s Boston office, contributed to the preparation of this post. 



[1] 87 Fed. Reg. 42053 (Jul. 8, 2022), https://bit.ly/3b4N4rp.

[2] Id.

[3] HHS, Remarks by Secretary Xavier Becerra at the Press Conference in Response to President Biden’s Directive following Overturning of Roe v. Wade (June 28, 2022), https://bit.ly/3zzGYsf.

[4] HHS, Guidance to Protect Patient Privacy in Wake of Supreme Court Decision on Roe (June 29, 2022),  https://bit.ly/3PE2rWK.

[5] 45 CFR 164.512(a)(1)

[6] 45 CFR 164.512(f)(1)

[7] 45 CFR 164.512(j)

[8] Id.

[9] See Texas S.B. 8; e.g., Fed. R. Civ. Pro. R.37 (outlining available sanctions associated with the failure to make disclosures or to cooperate in discovery in Federal courts), https://bit.ly/3BjX4I2.

[10] EBG Health Law Advisor, The Pendulum Swings Both Ways: State Responses to Protect Reproductive Health Data, Post-Roe (June 17, 2022), https://bit.ly/3oPDegl.

[11] A 2019 Kaiser Family Foundation survey concluded that almost one third of female respondents used a smartphone app to monitor their menstrual cycles and other reproductive health data. Kaiser Family Foundation, Health Apps and Information Survey (Sept. 2019), https://bit.ly/3PC9Gyt.

[12] HHS, Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone1 or Tablet (last visited Jul. 26, 2022), https://bit.ly/3S2MNWs.

[13] Id.

[14] Cal. Civ. Code § 56.10, Effective Jan. 1, 2022, https://bit.ly/3J5iDxM.

[15] 2022 Conn. Legis. Serv. P.A. 22-19 § 2 (S.B. 5414), Effective July 1, 2022, https://bit.ly/3zwn95c.

[16] FTC, Location, Health, and Other Sensitive Information: FTC Committed To Fully Enforcing the Law Against Illegal Use and Sharing of Highly Sensitive Data (July 11, 2022), https://bit.ly/3BjrzNV.

©2022 Epstein Becker & Green, P.C. All rights reserved.

Medicare CERT Audits and How to Prepare for Them

CERT audits are an unfortunate part of doing business for healthcare providers who accept Medicare. Failing the audit can mean the provider has to pay back overcharges and be subjected to increased scrutiny in the future. 

The best way to be prepared for a CERT audit is to have a compliance strategy in place and to follow it to the letter. Retaining a healthcare lawyer to craft that strategy is essential if you want to make sure that it is all-encompassing and effective. It can also help to hire independent counsel to conduct an internal review to ensure the compliance plan is doing its job.

When providers are notified of a CERT audit, hiring a Medicare lawyer is usually a good idea. Providers can fail the audit automatically if they do not comply with the document demands.

What is a CERT Audit?

The Comprehensive Error Rate Testing (CERT) program is an audit process developed by the Centers for Medicare and Medicaid Services (CMS). It is administered by private companies, called CERT Contractors, which work with the CMS. Current information about those companies is on the CMS website.

The CERT audit compares a sampling of bills for Medicare fee-for-service (FFS) payments, which were sent by the healthcare provider to its Medicare Administrative Contractor (MAC), against medical records for the patient. The audit looks at whether there is sufficient documentation to back up the claim against Medicare, whether the procedure was medically necessary, whether it was correctly coded, and whether the care was eligible for reimbursement through the Medicare program.

Every year, the CERT program audits enough of these FFS payments – generally around 50,000 per year – to create a statistically significant snapshot of inaccuracies in the Medicare program.

The results from those audits are reported to CMS. After appropriately weighing the results, CMS publishes the estimated improper payments or payment errors from the entire Medicare program in its annual report. In 2021, the CMS estimated that, based on data from the CERT audits, 6.26 percent of Medicare funding was incorrectly paid out, totaling $25.03 billion.

The vast majority of those incorrect payments, 64.1 percent, were marked as incorrect because they had insufficient documentation to support the Medicare claim. Another 13.6 percent were flagged as medically unnecessary. 10.6 percent was labeled as incorrectly paid out due to improper coding. 4.8 percent had no supporting documentation, at all. 6.9 percent was flagged as incorrectly paid for some other reason.

The CERT Audit Process

Healthcare providers who accept Medicare will receive a notice from a CERT Contractor. The notice informs the provider that it is being CERT audited and requests medical records from a random sampling of Medicare claims made by the provider to its MAC.

It is important to note that, at this point, there is no suspicion of wrongdoing. CERT audits examine Medicare claims at random.

Healthcare providers have 75 days to provide these medical records. Failing to provide the requested records is treated as an audit failure. In 2021, nearly 5 percent of failed CERT audits happened because no documentation was provided to support a Medicare claim.

Once the CERT Contractor has the documents, its team of reviewers – which consists of doctors, nurses, and certified medical coders – compares the Medicare claim against the patient’s medical records and looks for errors. According to the CMS, there are five major error categories:

  • No documentation

  • Insufficient documentation

  • Medical necessity

  • Incorrect coding

  • Other

Errors found during the CERT audit are reported to the healthcare provider’s MAC. The MAC can then make adjustments to the payments it sent to the provider.

Potential Repercussions from Errors Found in a CERT Audit

CERT audits that uncover errors in a healthcare provider’s Medicare billings lead to recoupments of overpayments, future scrutiny, and potentially even an investigation for Medicare fraud.

When the CERT audit results are brought to the MAC’s attention, the MAC will adjust the payments that it made to the provider. If the claims led to an overpayment, the MAC will demand that money back.

But Medicare Administrative Contractors (MACs) can go further than just demanding restitution for overpayments. They can also require prepayment reviews of all of the provider’s future Medicare claims, and can even suspend the provider from the program, entirely.

Worse still, CERT audits that uncover indications of Medicare fraud may be reported to a law enforcement agency for further review. This can lead to a criminal investigation and potentially even criminal charges.

Appealing a CERT Audit’s Results

With penalties so significant, healthcare providers should seriously consider hiring a lawyer to appeal the results of a CERT audit.

Appeals are first made to the MAC, requesting a redetermination of the audit results. The request for redetermination has to be made within 120 days of receiving notice of the audit results. However, if the provider wants to stop the MAC from recouping an overpayment in the meantime, it has to lodge the request within 30 days.

Providers can appeal the results of the redetermination, as well. They can request a reconsideration by a Qualified Independent Contractor within 180 of the redetermination, or within 60 days to stop the MAC’s recoupment process.

Providers who are still dissatisfied can appeal the case to an administrative law judge, then to the Medicare Appeals Council, and finally to a federal district court for review.

How to Handle a CERT Audit

The best way to handle and to prepare for a CERT audit is to hire Medicare audit attorneys to guide you through the process. It would also help to start internal audits within the company.

For providers who have been notified that they are under an audit, getting a lawyer on board immediately is essential. An experienced healthcare attorney can conduct a thorough internal investigation of the claims being audited. This can uncover potential problems before the audit points them out, giving the healthcare provider the time it needs to prepare its next steps.

Providers who are not currently being audited can still benefit from an attorney’s guidance. Whether by drafting a compliance plan that will prepare the provider for an inevitable CERT audit or by conducting an internal investigation to see how well a current compliance plan is performing, a lawyer can make sure that the provider is ready for an audit at a moment’s notice.

Taking these preventative steps soon is important. CMS put the CERT audit program on halt for the coronavirus pandemic, but that temporary hold was rescinded on August 11, 2020. While the CMS has reduced the sample sizes that will be used for its 2021 and 2022 reports, it will likely go back to the original numbers after that. Healthcare providers should prepare for this increased regulatory oversight appropriately.

Oberheiden P.C. © 2022

Supreme Court Signals Move Away from Judicial Deference to Administrative Agencies

KEY TAKEAWAYS

In a unanimous decision on June 15, 2022, the Court in American Hospital Association v. Becerra[2] examined a Medicare reimbursement formula reduction that affected certain hospitals. While rejecting the DHHS agency interpretation of the reimbursement statute, the Court made no mention of Chevron deference even though the parties extensively briefed this doctrine. Instead, the Court focused solely on the relevant language of the statute. In particular, the Court held that the “text and structure” of the statute demonstrated that the Medicare reimbursement cut was not consistent with the statute.

In a 5-4 decision a few weeks later, the Court in Becerra v. Empire Health Foundation[3] again made no mention of Chevron deference even though the majority noted that the underlying statute’s “ordinary meaning … [did] not exactly leap off the page.” Despite its initial conclusion that the ordinary meaning of the statutory language was unclear, the Court continued its recent pattern of (a) choosing to not apply Chevron deference directly and (b) instead performing textural and structural analysis of its own. Based on this statutory analysis, the Court in Empire Health concluded that the statute was “surprisingly clear” if read as technical provisions for specialists and that the language of the statute supported the agency’s implementing regulation.

Finally, in West Virginia v. EPA,[4] the Supreme Court in a 6-3 decision again refused to give any deference to the EPA’s interpretation of a Clean Air Act provision which the EPA claimed as the statutory basis to regulate greenhouse gas emissions by power plants. The Court concluded that the EPA had violated the “Major Questions” Doctrine when the EPA used this provision to regulate carbon emissions. Under the “Major Questions” Doctrine, an agency cannot make decisions of vast economic and political significance without Congress expressly giving the agency the power to do so. Since the EPA’s effort to regulate greenhouse gases by making industry-wide changes was a decision of “vast economic and political significance,” the Court concluded that the EPA lacked the authority to do so in light of the overall nature and structure of the statute. Thus, even though there was some textual support for the EPA’s position, the Court again refused to defer to the agency and its interpretation of a statute.

Read together, these three decisions show an increased skepticism by the Court of agency interpretations of statutes and signal that going forward, the federal courts will more closely scrutinize administrative agency decisions in general. Businesses that have, to date, relied on an administrative agency interpretation may need to reassess their reliance if the interpretation relies on a broad or strained reading of a statute. Conversely, businesses currently restrained by agency interpretations which were shown deference by courts may now have an opening to challenge those interpretations.


FOOTNOTES

[1] Chevron, U.S.A., Inc. v. Nat. Res. Def. Council, Inc., 467 U.S. 837 (1984).

[2] Am. Hosp. Ass’n v. Becerra, 142 S. Ct. 1896 (2022).

[3] Becerra v. Empire Health Found., for Valley Hosp. Med. Ctr., 142 S. Ct. 2354 (2022).

[4] W. Virginia v. Env’t Prot. Agency, 142 S. Ct. 2587 (2022).

© 2022 Miller, Canfield, Paddock and Stone PLC

U.S. Supreme Court Agrees with HHS Payment Methodology for Disproportionate Share Hospitals

The fight about how Medicare compensates disproportionate share hospitals (“DSH”) is one of the longest-running reimbursement disputes of recent years, and it has generated copious work for judges around the country.  In a 5-4 decision, the U.S. Supreme Court settled one piece of the conflict:  the counting of “Medicare-entitled” patients in the Medicare fraction of the “disproportionate-patient percentage.”  Becerra v. Empire Health Found., 597 U.S. ___ (2022) (slip op.).  The Supreme Court concluded that the proper calculation, under the statute, counts “individuals ‘entitled to [Medicare] benefits[,]’ . . . regardless of whether they are receiving Medicare payments” for certain services.  Id. (slip op., at 18) (emphasis added).

DSH payments are made to hospitals with a large low-income patient mix.  “The mark-up reflects that low-income individuals are often more expensive to treat than higher income ones, even for the same medical conditions.”  Id. (slip op., at 3).  The federal government thus gives hospitals a financial boost for treating a “disproportionate share” of the indigent population.

The DHS payment depends on a hospital’s “disproportionate-patient percentage,” which is basically the sum of two fractions: the Medicare fraction, which reflects what portion of the Medicare patients were low-income; and the Medicaid fraction, which reflects what portion of the non-Medicare patients were on Medicaid.  Historically, HHS calculated the Medicare fraction by including only patients actually receiving certain Medicare benefits for their care.  In 2004, however, HHS changed course and issued a new rule.  It counted, in the Medicare fraction, all patients who were eligible for Medicare benefits generally (essentially, over 65 or disabled), even if particular benefits were not actually being paid.  For most providers, that change resulted in a pay cut.

The new rule sparked several lawsuits.  Hospitals challenged HHS’s policy based on the authorizing statutory language.  These hospitals essentially argued in favor of the old methodology.  Appeals led to a circuit split, with the Sixth and D.C. Circuits agreeing with HHS, and the Ninth Circuit ruling that HHS had misread the statute.

The Supreme Court has now resolved the issue.  The majority opinion, authored by Justice Kagan, sided with HHS.  The majority concluded that, based on the statutory language, “individuals ‘entitled to [Medicare] benefits’ are all those qualifying for the program, regardless of whether they are receiving Medicare payments for part or all of a hospital stay.”  Id. (slip op., at 18).  The majority also explained that if “entitlement to benefits” bore the meaning suggested by the hospital, “Medicare beneficiaries would lose important rights and protections . . . [and a] patient could lose his ability to enroll in other Medicare programs whenever he lacked a right to [certain] payments for hospital care.”  Id. (slip op., at 11).

Justice Kavanaugh dissented, joined by Chief Justice Roberts and Justices Gorsuch and Alito.  The dissent argued that those lacking certain Medicare coverage should be excluded from HHS’s formula, based on “the most fundamental principle of statutory interpretation: Read the statute.”  Id. (Kavanaugh, J., dissenting) (slip op., at 2).  According to the dissent, the majority’s ruling will also restrict hospitals’ ability to provide care to underprivileged communities.  “HHS’s misreading of the statute has significant real-world effects: It financially harms hospitals that serve low-income patients, thereby hamstringing those hospitals’ ability to provide needed care to low-income communities.”  Id. (slip op., at 4).

There was one point of agreement among the majority and dissenting justices: the complexity of the statutory language for DSH payments.  Echoing the thoughts often held by healthcare advisors, Justice Kagan found the statutory formula to be “a mouthful” and “a lot to digest.”  Id. (majority opinion) (slip op., at 4).  And in his dissent, Justice Kavanaugh called the statute “mind-numbingly complex,” and resorted to an interpretation that he found “straightforward and commonsensical”: that patients cannot be “simultaneously entitled and disentitled” to Medicare benefits.  Id. (Kavanaugh, J., dissenting) (slip op., at 1, 3).

© Copyright 2022 Squire Patton Boggs (US) LLP

Abortion-Related Travel Benefits Post-Dobbs

Immediately following the Supreme Court decision in Dobbs v. Jackson returning the power to regulate abortion to the states, a number of large employers announced that they would offer out-of-state travel benefits for employees living in states where abortion-related medical care is unavailable. Employers considering offering abortion-related travel benefits have several key considerations to keep in mind. The law currently allows health plans to provide reimbursement for travel primarily for and essential to medical care. Although this area of the law is evolving, employers with self-funded medical plans may amend their existing medical plans to provide abortion-related travel benefits while those with fully insured medical plans may face more obstacles in providing such benefits.

In Dobbs v. Jackson, an abortion clinic challenged a Mississippi law that would ban abortion after 15 weeks of pregnancy, with limited exceptions. In establishing the constitutional right to abortion in Roe v. Wade, the Supreme Court restricted states in their ability to limit or ban abortions before viability of the fetus, or 24 weeks from the time of conception. In upholding the Mississippi law, the Supreme Court overturned Roe and held that the protection or regulation of abortion is a decision for each state.

Alabama, Arkansas, Kentucky, Missouri, Oklahoma and South Dakota have already banned or made abortion illegal pursuant to trigger laws which went into effect as of the Supreme Court decision on June 24, 2022.  Also, a number of additional states are expected to soon have similar legislation in effect, either by virtue of expected legislative action or trigger laws with slightly delayed effective dates.  In response, a number of employers have announced that they will reimburse all or a portion of abortion-related travel expenses for employees in states where abortions are banned or otherwise not available.

Under Section 213(d) of the Internal Revenue Code, the definition of “medical care” includes transportation that is both “primarily for and essential to” the medical care sought by an individual. These types of travel benefits have historically been utilized in connection with certain specialized medical treatments, such as organ transplants.  However, Section 213(d) is not limited to particular types of procedures, and thus forms the framework for providing abortion-related travel benefits through existing medical plans.

Although Code Section 213(d) applies to both self-insured and insured medical plans, the substantive coverage provisions of insured medical plans will generally be governed by the state insurance code of the state in which the insurance policy is issued.  Coverage for abortion services or any related travel benefits may not be permitted under the insurance code of the state in which the policy is issued, or an insurer may not offer a travel benefit for such services even if permitted to do so.  Self-insured plans, by contrast, provide employers more flexibility in plan design, including control, consistent with existing federal requirements, over the types and levels of benefits covered under the plan. As noted above, existing plans may already cover travel-related benefits for certain types of medical procedures.

Employers with high-deductible health plans tied to health savings accounts (HSAs) will need to consider the impact of adding abortion-related travel benefits to such plans.  Travel-related benefits of any type would not appear to be eligible for first dollar coverage, and thus may be of minimal benefit to participants enrolled in high-deductible health plans.

Employers with fully insured medical plans that do not cover abortion-related travel benefits may be able to offer a medical travel reimbursement program through an integrated health reimbursement arrangement (HRA).  An integrated HRA is an employer-funded group health plan from which employees enrolled in the employer’s traditional group medical insurance plan are reimbursed for qualifying expenses not paid by the traditional plan.

Another potential option for employers with fully insured medical plans may be to offer a stipend entirely outside of any established group health plan. Such reimbursement programs may result in taxable compensation for employees who receive such reimbursements. Also, employers would need to be sensitive to privacy and confidentiality considerations of such a policy, which should generally be minimized if offered in accordance with the existing protections of HIPAA through a medical plan and under which claims are processed by an insurer or third-party administrator rather than by the employer itself.

Additionally, some state laws may attempt to criminalize or otherwise sanction so-called aiding and abetting actions related to the procurement of abortion services in another state.  This is an untested area of the law, and it is unclear whether any actions brought under such statutes would be legally viable.  In this regard, Justice Kavanaugh stated as follows in his concurring opinion in Dobbs:  “For example, may a State bar a resident of that State from traveling to another State to obtain an abortion? In my view, the answer is no based on the constitutional right to interstate travel.” (Kavanaugh Concurring Opinion, page 10.)  This is an area that will require continual monitoring by employers who offer abortion-related travel benefits.

© 2022 Vedder Price

Update: In Opioid Liability Ruling for Doctors, SCOTUS Deals Blow to DOJ

On June 27, 2022, the United States Supreme Court ruled that doctors who act in subjective good faith in prescribing controlled substances to their patients cannot be convicted under the Controlled Substance Act (“CSA”).  The Court’s decision will have broad implications for physicians and patients alike.  Practitioners who sincerely and honestly believe – even if mistakenly – that their prescriptions are within the usual course of professional practice will be shielded from criminal liability.

The ruling stemmed from the convictions of Dr. Xiulu Ruan and Dr. Shakeel Kahn for unlawfully prescribing opioid painkillers.  At their trials, the district courts rejected any consideration of good faith and instructed the members of the jury that the doctors could be convicted if they prescribed opioids outside the recognized standards of medical practice. The Tenth and Eleventh Circuits affirmed the instructions.  Drs. Ruan and Kahn were sentenced to 21 and 25 years in prison, respectively.

The Court vacated the decisions of the courts of appeals and sent the cases back for further review.

The question before the court concerned the state of mind that the Government must prove to convict a doctor of violating the CSA.  Justice Breyer framed the issue: “To prove that a doctor’s dispensation of drugs via prescription falls within the statute’s prohibition and outside the authorization exception, is it sufficient for the Government to prove that a prescription was in fact not authorized, or must the Government prove that the doctor knew or intended that the prescription was unauthorized?”

The doctors urged the Court to adopt a subjective good-faith standard that would protect practitioners from criminal prosecution if they sincerely and honestly believed their prescriptions were within the usual course of professional practice.  The Government argued for an objective, good-faith standard based on the hypothetical “reasonable” doctor.  The Court took it one step further.

Justice Breyer delivered the opinion of the Court.  He said that for purposes of a criminal conviction under the CSA, “the Government must prove beyond a reasonable doubt that the defendant knowingly or intentionally acted in an unauthorized manner.”  To hold otherwise “would turn a defendant’s criminal liability on the mental state of a hypothetical ‘reasonable’ doctor” and “reduce culpability on the all-important element of the crime to negligence,” he explained.  The Court has “long been reluctant to infer that a negligence standard was intended in criminal statutes,” wrote Justice Breyer.

Justice Samuel Alito wrote a concurring opinion, which Justice Clarence Thomas joined and Justice Amy Coney Barrett joined in part.  Although Justice Alito would vacate the judgments below and remand for further proceedings, he would hold that the “except as authorized” clause of the CSA creates an affirmative defense that defendant doctors must prove by a preponderance of the evidence.

The Court’s decision will protect patient access to prescriptions written in good faith.  However, for the government, the Court’s decision means prosecutors face an uphill battle in charging, much less convicting, physicians under the CSA.  Indeed, the Court’s decision may have a chilling effect on the recent surge in DOJ prosecutions of medical practitioners and pain clinics.

© 2022 Dinsmore & Shohl LLP. All rights reserved.

Preparing Corporate Messaging in the Wake of Dobbs

The United States Supreme Court (“SCOTUS”), in Dobbs v. Jackson Women’s Health Organization, has held that there is no constitutional right to abortion, overruling Roe v. Wade and Casey v. Planned Parenthood.

Employers, who increasingly are finding themselves on the front lines of many societal issues, will need to decide quickly whether and how they might address the Dobbs decision, as public reaction has been and is likely to remain strong. Board members, employees, and shareholders may advocate for corporations to take a visible stand on the issue of abortion and reproductive rights. And employees may want to speak up themselves (possibly via employer social media accounts).

It is important to remember that company communication decisions and actions regarding the Dobbs ruling, as well as other political and social issues, can have practical and legal implications.

The first question is whether your company will comment on Dobbs. If you decide to comment, there are many factors to consider. Your message is an important starting point. Who is your intended audience? Will your employees consider it an opportunity to join in the conversation? What will you say? Even if your message is internal, keep in mind that it may not stay that way, given the nature of social media. And before you think, “I’ll just stay out of it,” remember that some will view silence or neutrality as a statement in and of itself. If you choose not to speak, are you prepared to deal with any potential reaction from customers, employees, or shareholders?

Internally, employees may have questions about health benefits or other terms and conditions of employment because of Dobbs. It will be important to arm all key stakeholders, including leadership, corporate communications, and human resources, with tools to consistently manage these communications and responses.

Whether it’s internal or external communications, expect feedback! How that feedback is handled is as important as the initial communication (or lack thereof).

Certain industries, like healthcare and insurance, may also feel compelled to make an affirmative statement if the Dobbs decision has a direct impact on services and/or products. In those cases, the need to consider all implications is even more pressing.

In thinking through these decisions, employers should also consider who may need to approve any messaging. The board of directors, senior executives, legal, and marketing and communications teams are among the key stakeholders who may need to be consulted. And don’t forget that your public-facing employees may bear the brunt of your response. Are they prepared?

Employers should also keep in mind various laws that may govern their reaction, including those they might otherwise not consider. For example, the National Labor Relations Act protects employees’ rights to collectively discuss terms and conditions of employment at work and off duty – and that applies to employers with and without a unionized workforce. The current Biden-appointed General Counsel of the National Labor Relations Board has taken an expanded view of topics that are connected to the workplace. Moreover, some states, including California and New York, have enacted off-duty conduct laws that prohibit employers from disciplining employees for lawful conduct outside of work, which may include political advocacy. There may also be anti-discrimination laws and potential civil and criminal liability associated with your statements, depending on their wording.

Reactions to the Dobbs decision may vary. Some reaction may be comparable to what we’ve seen with respect to other recent political and/or social justice movements, such as Black Lives Matter and #MeToo; others may react differently, or not at all. In these rapidly changing times, companies — particularly publicly traded and consumer-facing ones — need to be make informed decisions. Clear, consistent messaging is key to establishing confident and consistent responses to potential concerns by employees and other stakeholders.

©2022 Epstein Becker & Green, P.C. All rights reserved.

U.S. Supreme Court Overturns Roe and Casey: What This Decision Means for Employers

As many expected based on the draft opinion that was leaked months ago, the U.S. Supreme Court has held the U.S. Constitution does not protect the right to obtain an abortion. Dobbs v. Jackson Women’s Health Organization, No. 19-1392 (June 24, 2022).

Dobbs overturns nearly 50 years of precedent from the Court’s decision in Roe v. Wade and Planned Parenthood Pennsylvania v. Casey on the issue.

The impact of Dobbs will vary, as states are now at liberty to enforce and create abortion legislation without restrictions arising out of constitutional protections.

What does this mean for employers?

As pressure mounts on this issue, some employers may be considering what, if anything, they can or should do. Many states have enacted legislation that restricts individual abortion rights and potentially third parties who assist individuals who seek abortions. To the extent any state laws were not enforced because of the Court’s holding in Roe or Casey, states can move forward now to implement and enforce those laws.

Laws often referred to as “trigger laws,” those that are in place but unenforceable due to overriding federal restrictions, become enforceable once those federal restrictions are lifted. As a result of Dobbs, abortion-related “trigger laws” previously unenforceable can take effect, creating new standards for individuals and others that will redefine the national abortion law landscape.

Some existing state laws and trigger laws may affect employers and put employers at risk of violating state law if they implement policies to assist employees seeking an abortion or even continue to cover abortions under group health plans. For example, a state law may create liability for anyone who “aids or abets” a person who obtains an abortion. Employers also must be cognizant of how they apply their leave policies, who may seek accommodations based on a sincerely held religious belief, and whether certain provisions of the Pregnancy Discrimination Act apply to women who are seeking or who have had an abortion.

In addition, the Court’s ruling may affect employee benefit plans. Many employers are considering additional benefits for their employees, and their covered dependents, such as travel reimbursement for seeking an abortion outside of the local jurisdiction due to state law restrictions. There are many legal issues to consider in connection with the coverage of abortion-related services under employee benefit plans. (For additional guidance on the issue, see our article, Group Health Plan Considerations in the Face of (Potentially) Changing Abortion Laws.) Depending on how the state laws are enacted, there also may be issues with relying on ERISA preemption provisions to avoid these obligations.

Corporate management and directors should plan for changes and be aware of policies and fiduciary responsibilities. This can include preparing for public and employee reactions (for and against), legislative and law enforcement threats, social media posts, and other employee demonstrations. Pressure from a variety of groups to take a corporate public opinion also may occur.

Whether changes to leave policies, employee benefits, travel reimbursement, or handling accommodation requests, employers considering policies or benefit offerings in response to Dobbs must carefully review and consider federal and state laws, including state abortion-related legislation to evaluate the risk of potential liability.

Jackson Lewis P.C. © 2022

CMS Reduces COVID-19 Vaccine Mandate Surveys and Rescinds Surveyor Vaccination Requirements

In two recent memoranda, the Centers for Medicare and Medicaid Services (CMS) made changes to previously issued survey guidance related to COVID-19 vaccination issues.

In QSO-22-17-ALL, CMS modified the frequency by which State Agencies and Accreditation Organizations will survey for compliance with the federal staff vaccine mandate applicable to health care providers and suppliers (discussed in a prior post).  Noting that 95% of providers and suppliers surveyed have been found in substantial compliance with the rule, CMS is eliminating the previous requirement that State Agencies and Accreditation Organizations survey for compliance with the vaccine mandate during every survey.  Review of compliance with vaccine mandate is still required, however, during initial surveys, recertification surveys, and in response to specific complaint allegations that allege non-compliance with the staff vaccination requirement.  This means that a State Agency or Accreditation Organization is not required to review compliance with the staff vaccination requirement during, for example, a validation survey or a complaint survey unrelated to compliance with the staff vaccination requirement.  A State Agency or Accreditation Organization may still choose to expand any survey to include review of vaccine mandate compliance; however, the new guidance should result in a reduction in survey frequency of this issue for providers and suppliers.

In QSO-22-18-ALL, CMS rescinded, in its entirety, the previously issued QSO-22-10-ALL memorandum, which had mandated that surveyors of State Agencies and Accreditation Organizations be vaccinated for COVID-19.  However, CMS noted that the State Agencies and Accreditation Organizations were responsible for compliance and prohibited providers and suppliers from asking surveyors for proof of vaccination.  While CMS is now encouraging vaccination of surveyors performing federal oversight surveys, the mandate for vaccination is no longer in effect.

Article By Allen R. Killworth of Epstein Becker & Green, P.C.

For more coronavirus legal news, click here to visit the National Law Review.

©2022 Epstein Becker & Green, P.C. All rights reserved.

Health Care Providers on Alert: Two Hospitals Penalized for Continuous Noncompliance with the Hospital Price Transparency Rule

We previously discussed the requirements of the Hospital Price Transparency Rule (“Rule”) on health care providers and health plans, as well as CMS’s proposal to increase penalties for a hospital’s failure to comply with the Rule.  About a year and a half after the Rule became effective, CMS has now imposed its first set of civil monetary penalties (“CMPs”) on Northside Hospital Atlanta and Northside Hospital Cherokee, which have been fined $883,180 and $214,320, respectively.

The Rule requires, in part, hospitals to make public a machine-readable file containing a list of all standard charges for all items and services, such as, e.g., supplies, room and board, and use of the facility, among other items.  See 45 C.F.R. § 180.40(a); id. at § 180.20.  The Rule also requires hospitals to display shoppable services in a consumer-friendly manner.  See id. at § 180.60(d)(2); id. at § 180.60(b).  The goal of these specific requirements, in addition to those set forth in the remainder of the Rule, is to provide consumers with sufficient information about the charges for certain items and services by requiring health care providers and health plans to be publicly transparent about such charges.

Based on CMS’s CMP letters, dated June 7, 2022, Northside Hospital Atlanta and Northside Hospital Cherokee were non-compliant with the aforementioned specific requirements of the Rule.  The chronology of events is important to understand how CMS ended up issuing its CMP letters.

Northside Hospital Atlanta

For Northside Hospital Atlanta:

  • CMS documented the hospital’s non-compliance since March 24, 2021.
  • CMS issued a Warning Letter, dated April 19, 2021, to the hospital and provided it the opportunity to respond and to provide supporting documentation to CMS.
  • Northside Hospital Atlanta did not respond.
  • On September 2, 2021, CMS reviewed the hospital’s website and determined that the non-compliance persisted.
  • On September 30, 2021, CMS issued a Request for Corrective Action Plan (CAP) to the hospital, stating that it was non-compliant with the aforementioned specific requirements of the Rule.
  • On November 15, 2021, in response to the Request for CAP, the hospital stated that patients could request specific price estimate quotes by calling or emailing Northside Hospital Atlanta, which CMS determined was insufficient in response to its Request for CAP and to comply with the Rule.
  • On December 20, 2021, CMS requested a revised CAP from the hospital.
  • Northside Hospital Atlanta did not respond.
  • On January 11, 2022, CMS conducted a technical assistance call with the hospital, during which the hospital confirmed that it was non-compliant with the Rule and explained that it had intentionally removed all previously posted pricing files.
  • On January 24, 2022, CMS, again, requested a revised CAP from the hospital.
  • Northside Hospital Atlanta did not respond.

Based on the foregoing, CMS imposed an $883,180 CMP on Northside Hospital Atlanta, calculated as follows, pursuant to 45 C.F.R. § 180.90:

  • $36,300
    • $300 per day of non-compliance times 121 days.
    • 121 days represents the number of calendar days during 2021 that Northside Hospital Atlanta was non-compliant with the Rule (September 2, 2021 through December 31, 2021), pursuant to 45 C.F.R. § 180.90(2)(i).

 plus

  • $846,880
    • $10 per bed per day times 536 beds times 158 days.
    • 158 days represents the number of calendar days during 2022 that Northside Hospital Atlanta was non-compliant with the Rule (January 1, 2022 through the date of CMS’s CMP letter, June 7, 2022), pursuant to 45 C.F.R. § 180.90(2)(ii).

Northside Hospital Atlanta has until 60 calendar days from the date of CMS’s CMP letter to pay.  Until the hospital notifies CMS that all non-compliance has been corrected, CMPs will continue to accrue.

Northside Hospital Cherokee

For similar reasons as Northside Hospital Atlanta, Northside Hospital Cherokee was fined $214,320.  CMS noted that Northside Hospital Cherokee was non-compliant since April 16, 2021, and notified the hospital by Warning Letter, dated May 18, 2021.  CMS reviewed the hospital’s website on September 9, 2021, and issued a Request for CAP on October 27, 2021—to which the hospital did not respond.  Similar to Northside Hospital Atlanta, CMS held a technical assistance call on January 11, 2022, during which Northside Hospital Cherokee notified CMS that it had intentionally removed all previously posted pricing files.  CMS requested a Request for CAP on January 24, 2022—to which the hospital did not respond.

Similar to Northside Hospital Atlanta, Northside Hospital Cherokee was penalized $214,320, calculated as follows:

  • $34,200
    • $300 per day of non-compliance times 114 days.
    • 114 days represents the number of calendar days during 2021 that Northside Hospital Cherokee was non-compliant with the Rule (September 9, 2021 through December 31, 2021), pursuant to 45 C.F.R. § 180.90(2)(i).

plus

  • $180,120
    • $10 per bed per day times 114 beds times 158 days.
    • 158 days represents the number of calendar days during 2022 that Northside Hospital Cherokee was non-compliant with the Rule (January 1, 2022 through the date of CMS’s CMP letter, June 7, 2022), pursuant to 45 C.F.R. § 180.90(2)(ii).

Similar to Northside Hospital Atlanta, CMS noted that Northside Hospital Cherokee continues to be non-compliant and, thus, CMPs will continue to accrue.

Takeaways

These fines reflect CMS’s willingness to take material enforcement action where the Rule’s regulatory requirements are largely ignored and CMS’s subsequent efforts to obtain compliance are rejected.  Non-compliance carries heavy fines that are calculated, in part, by the number of days of non-compliance and by bed count.  Health care providers should take notice and ensure that they are compliant or, at least, making efforts towards compliance with the Rule’s requirements.  Critically, CMS will not accept a refusal to comply, as reflected in CMS’s responses to Northside Hospital Atlanta’s and Northside Hospital Cherokee’s refusals to submit CAPs.  As noted in CMS’s CMP letters to these providers, CMS is scanning websites and subsequently notifying providers that appear to be non-compliant with the Rule—which are ignored at the provider’s peril.

© 2022 Proskauer Rose LLP.