Privacy Tip #335 – Health Care Sector Continues to Be Hit with Ransomware

According to the 2022 State of Ransomware Report issued recently by Sophos, it surveyed 5,600 IT professionals from 31 countries, including professionals in the health care sector. Those professionals in the health care sector shared that 66 percent of them had experienced a ransomware attack in 2021, which was an increase of 69 percent over 2020. This was the largest increase of all sectors surveyed.

If you look at the Office for Civil Rights data breach portal, you will see that a vast majority of breaches reported by health care providers and business associates are related to “Hacking/IT incident.” This confirms that the health care sector continues to be attacked by threat actors seeking to steal protected health information of patients.

If you are a patient who receives a breach notification letter from a health care provider or business associate, the letter will provide guidance on how to protect yourself following a data breach and may offer some protection guidance, including credit monitoring or fraud resolution. Such a letter has been sent to patients to comply with the breach notification requirements of HIPAA and state law. Part of those requirements includes that the patients be provided mitigation steps following the breach to protect themselves from fraud. Avail yourself of these protections in the event your information is compromised. Take the time to sign up for the mitigation offered. It is clear that these attacks will not subside any time soon.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

ERIC Files Amicus Brief Rebutting DOL Attempt to Create New Regulations in Lawsuit, Petitions US Supreme Court on Seattle Healthcare Case

Read on below for coverage of recent law firm news from McDermott Will & Emery.

ERIC Files Amicus Brief Rebutting DOL Attempt to Create New Regulations in Lawsuit

McDermott Will & Emery’s Andrew C. LiazosMichael B. Kimberly and Charlie Seidell recently filed an amicus brief in the US Court of Appeals for the 10th Circuit on behalf of the ERISA Industry Committee (ERIC). McDermott filed the brief in response to a US Department of Labor (DOL) amicus brief that advanced a novel interpretation of its regulations which, if adopted through litigation, would change longstanding procedures for benefit determinations under self-funded medical plans sponsored by large employers. The amicus brief focuses on key arguments against the DOL’s attempted regulatory reinterpretation, including that:

  • DOL may not rewrite its regulations outside of notice-and-comment rulemaking;
  • DOL’s interpretation of its own regulations is inconsistent with the plain text of the regulations;
  • There are good policy reasons underlying differential treatment of healthcare and disability benefits determinations; and
  • DOL’s interpretation of the regulations in its amicus brief is not entitled to deference under the Supreme Court decision in Kisor.

Read ERIC’s amicus brief here.

Read ERIC’s statement here.

ERIC Petitions US Supreme Court on Seattle Healthcare Case

McDermott Will & Emery’s Michael B. KimberlySarah P. Hogarth and Andrew C. Liazos, are co-counsel on a petition for certiorari before the Supreme Court of the United States on behalf of the ERISA Industry Committee (ERIC). The petition calls for review of ERIC’s legal challenge to the City of Seattle’s hotel healthcare “play or pay” ordinance. The ordinance mandates hospitality employers make specified monthly healthcare expenditures for their covered local employees if their healthcare plans do not meet certain requirements. The petition demonstrates that Seattle’s ordinance is a clear attempt to control the benefits provided under medical plans in violation of the preemption provision under the Employee Retirement Income Security Act of 1974, as amended (ERISA). This case is of significant national importance. Several other cities have proposed making similar changes, and complying with these types of ordinances will substantially constrain the ability of employers to control the terms of their medical plans on a uniform basis. ERIC’s petition is joined by several trade associations, including the US Chamber of Commerce, the American Benefits Council and the Retail Industry Leaders Association.

Read ERIC’s petition for writ of certiorari here.

Read ERIC’s statement here.

 

Article by , and .

Attorney Advertising © 2022 McDermott Will & Emery

For more legal industry news, click here to visit the National Law Review.

 

Employers Beware: Take-Home COVID Cases are on the Rise (US)

You’ve just been informed that an employee who apparently contracted COVID-19 from exposure in your workplace brought the virus home, and now his spouse, who is in a high-risk category, has contracted the virus and is in the hospital.  Do you as the employer face potential liability for the spouse’s illness?

More than two dozen so-called “take-home” COVID-19 lawsuits have been filed across the country, including against some of the largest employers in the US. This alarming pattern has prompted trade groups to warn employers of the potential for lawsuits stemming from COVID infections filed not only by workers’ family and friends but by anyone infected by that circle of people, creating a seemingly endless chain of liability for employers. Some states have enacted laws shielding employers from such suits, but where that is not the case, the legal theories and procedural paths under which these suits have proceeded vary – including some being brought in state courts, some in federal courts, and others brought under claims within the worker’s compensation system.

The issue is currently being tested in California, where the US Court of Appeals for the Ninth Circuit recently certified questions to the California Supreme Court seeking guidance on the state’s laws. The case, Kuciemba v. Victory Woodworks, Inc., arose after Mr. Kuciemba allegedly was exposed to COVID-19 through his work at one of his employer’s job sites.  According to the Kuciembas, Victory knowingly transferred workers from an infected construction site to the job site where Mr. Kuciemba was assigned without following the safety procedures required by the San Francisco Health Order. He was forced to work in close contact with these employees, and soon developed COVID-19, which he brought back home. His wife is over 65 years old and was at high risk from COVID-19, and the family had been careful to limit their exposure to the virus, with the exception of Mr. Kuciemba going to work. Mrs. Kuciemba subsequently tested positive for the disease and was hospitalized for over a month after developing severe symptoms. The Kuciembas filed suit, alleging that Victory caused Mrs. Kuciemba’s injuries by violating the Health Orders, and negligently allowed COVID-19 to spread from its worksite into their household.

The lower court dismissed the case, which was then appealed to the federal appeals court. After hearing the argument, the court asked the California Supreme Court to answer two questions of state law. First, whether Mrs. Kuciemba’s illness was an “injury” that was “derivative” of Mr. Kuciemba’s work-related injury, and therefore, Mrs. Kuciemba’s claims would be subject to the exclusive jurisdiction of the Worker’s Compensation Act (“WCA”); and second, assuming that the WCA is not the exclusive remedy, whether the employer owed a duty to the households of its employees to exercise ordinary care to prevent the spread of COVID-19. Neither question has been squarely answered by the California Supreme Court, although, as noted by the federal appeals court, in a somewhat analogous situation, California courts have allowed suits against employers who negligently allowed their employees to carry asbestos fibers home to their families.

While the Kuciemba case was pending, a California Court of Appeal in another case, See’s Candies v. Superior Court, ruled that the derivative injury doctrine does not bar third-party COVID-related claims. Under a similar fact pattern, the court allowed the negligence case to go forward while noting that the plaintiff would still need to prove that the employer owed a duty of care to non-employees infected with COVID-19 due to an employee contracting the virus at work. Acknowledging that an analysis of this duty “appear[s] worthy of exploration,” the state appellate court said the analysis would include an assessment of “public policy concerns that might support excluding certain kinds of plaintiffs or injuries from relief.” The California Supreme Court declined to review the See’s case, meaning that it’s holding still stands.

The California Supreme Court has not yet announced whether it will use its discretion to respond to the Ninth Circuit’s certified questions in the Kuciembas’ case. In the meantime, California employers cannot automatically rely on the exclusive remedial scheme provided under the worker’s compensation system to cover these claims and are not necessarily shielded from COVID-19 lawsuits brought by employees’ family members (and perhaps others). That said, even if employers owe their employees’ families a duty of care, affected employees will still have to prove that it was the employer’s negligence that caused the illness and that the virus was not contracted from another source – a tall order for a highly transmissible virus like COVID-19. In the meantime, however, it behooves all California employers to continue maintaining health and safety measures to prevent the spread of COVID-19, and react quickly and appropriately in the event of an outbreak of COVID-19 in the workplace.

© Copyright 2022 Squire Patton Boggs (US) LLP

Monkeypox—Do Employers Need to Worry?

Several cases of monkeypox have now been found in the United States. We do not yet know whether employers will need to worry about monkeypox in the context of their workforces and workplace, but it may be wise to be informed.

Monkeypox is a viral illness that has symptoms including body aches, headaches, fatigue, and, notably, a bumpy skin rash. It is primarily found in Africa, most particularly in the Democratic Republic of the Congo. Monkeypox has an incubation period that generally lasts 7-14 days but can be as long as 5-21 days. It has now recently been found in the United States, according to the U.S. Centers for Disease Control and Prevention (CDC). The first case reported was in Massachusetts in a man who had been to Canada. The second was in New York City by another individual who had a virus similar to monkeypox. And the third was a “presumptive case” involving a Broward County, Florida, man who had traveled internationally, the CDC said.

Unlike what we have been through with COVID-19, wearing a mask will likely not be an issue with monkeypox. It is spread through infected animals, prolonged person-to-person contact, direct contact with lesion materials, or indirect contact through contaminated items, such as contaminated clothing. Avoiding these will help avoid the possibility of infection. Since frequent handwashing continues to be a good hygiene practice, continuing to make this an easy and frequent practice for employees is generally a good health practice, according to health officials.

Monkeypox has also recently been found in Australia, Belgium, Canada, France, Germany, Italy, the Netherlands, Portugal, Spain, Sweden, and the United Kingdom. According to public health officials, the risk of exposure remains low although there are expected to be more cases in the United States. Health officials believe the smallpox vaccination will offer some amount of protection from monkeypox.

Employers that have employees who are soon to travel internationally, either for personal or business reasons, may want to consider educating them on the symptoms, how the virus is transmitted, and the fact that they may wish to consult with their own healthcare practitioners about the smallpox vaccination. There is no indication that travel should be avoided or prohibited.

© 2022, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.

Medicare Advantage: OIG Report Finds Improper Denials

On April 27,2022, the Office of Inspector General of the Department of Health and Human Services (OIG), Office of Evaluations and Inspections, issued a report on the performance of Medicare Advantage Organizations (MAOs) in approving care and payment consistently with Medicare coverage rules. In its review, OIG found that 13% of MAO denials of prior authorization requests should have been approved and that 18% of payment requests from providers were improperly denied. OIG also made a number of recommendations to the Center of Medicare and Medicaid Services (CMS) with respect to its oversight of MAOs.

Purpose and Method of the Study

OIG undertook the study to assess whether MAOs are appropriately providing access to medically necessary services and making payment to providers consistently with Medicare coverage rules. Since CMS pays MAOs principally by capitation, MAOs have a potential incentive to increase their profits by denying access to care of beneficiaries or by denying payments to providers. CMS’s annual audits of MAOs have indicated some persistent problems related to inappropriate denials of service and payment. As enrollment in Medicare Advantage continues to grow, OIG viewed it as important to ensure that medically necessary care is provided and that providers are paid appropriately.

OIG conducted the review by randomly selecting 250 denials of prior authorization requests and 250 payment request denials by 15 of the largest MAOs during a week in June of 2019. OIG had coding experts review the cases and had physician reviewers examine the medical records. Based on these reviews, OIG estimated the rates at which MAOs issued denials of services or payment that met Medicare coverage rules and MAO billing rules. OIG also examined the reasons for the inappropriate denials and the types of services involved.

Standards

MAOs must cover items and services included in fee-for-service Medicare, and may also elect to include additional items and services. MAOs are required to follow Medicare coverage rules that define what items and services are covered and under what circumstances. As the OIG states in the Report, MAOs “may not impose limitations – such as waiting periods or exclusions from coverage due to pre-existing conditions — that are not present in original Medicare.” In following Medicare coverage rules, MAOs are permitted to use additional denial criteria that were not developed by Medicare when they are deciding to authorize or pay for a service, provided the clinical criteria are “no more restrictive than original Medicare national and local coverage policies.” MAOs may also have their own billing and payment procedures, provided all providers are paid accurately, timely, and with an audit trial.

MAOs utilize prior authorization requests before care is furnished to manage care and payment requests from providers to approve payment for services provided. Beneficiaries and providers may appeal such decisions, and beneficiaries and providers are successful in many of the appeals (for a one-time period, as many as 75% of the appeals were granted).

Findings

Prior Authorization Denials

In the study, OIG found that 13% of prior authorization denials were for services that met Medicare coverage rules, thus delaying or denying care that likely should have been approved. MAOs made many of the denials by applying MAO clinical criteria that are not part of Medicare coverage rules. As an example, a follow-up MRI was denied for a beneficiary who had an adrenal lesion that was 1.5 cm in size, because the MAO required the beneficiary to wait one year for such lesions that are under 2 cm in size. OIG’s experts found such a requirement was not contained in Medicare coverage rules and was therefore inappropriate. Rather, the MRI was medically necessary to determine if the lesion was malignant.

OIG also found instances where MAOs requested further documentation that led to a denial of care when it was not furnished, as such additional documentation was not required to determine medical necessity. OIG’s reviewers found that either sufficient clinical information was in the medical record to authorize the care or the documentation requested was already contained in the medical record.

Payment Denials

OIG found in the study that 18% of payment denials fully met Medicare coverage rules and MAO payment policies. As a result of these denials, payment was delayed or precluded for services that should have been paid.

OIG found that common reasons for these inappropriate payment denials were human error in conducting manual reviews (for example, the reviewer not recognizing that a skilled nursing facility (SNF) was an in-network provider), and inaccurate programming.

OIG also found that advanced imaging services (including MRIs and CT scans), stays in post-acute facilities (including SNFs and inpatient rehabilitation facilities), and injections were the services that were most prominent in the inappropriate denials that should have been authorized for care and payment in accordance with Medicare coverage rules.

OIG Recommendations

Based on the study, OIG recommended that:

  • CMS should issue new guidance on both the appropriate and inappropriate use of MAO clinical criteria that are not contained in Medicare coverage rules. In particular, OIG recommended that CMS should more clearly define what it means when it states that MAO clinical criteria may not be “more restrictive” than Medicare coverage rules.

  • CMS should update its audit protocols to address issues identified in the report such as MAO use of clinical criteria and/or examine particular service types that led to more denials. OIG suggests CMS should consider enforcement actions for MAOs that demonstrate a pattern of inappropriate payment denials.

  • CMS should direct MAOs to identify and address the reasons that led to human errors.

CMS reviewed the OIG report and concurred with each of OIG’s recommendations. Those recommendations can affect future coverage decisions as well as utilization of prior authorization tools. AHIP, a national association of health care insurers, challenged the OIG’s sample size as inappropriate to support the agency’s conclusions, and defended prior authorization tools.

Takeaways

Given CMS’s concurrence with the report’s findings, we recommend that MAOs track these issues over the next several months in advance of CMS’s Final Rate Announcement for CY 2024.

MAOs should also be aware of potential False Claims Act (FCA) exposure in this area. FCA exposure can arise when a company seeks and receives payments despite being out of compliance with the basic terms for its participation. If an MAO knew it was denying claims that should be paid because they would be covered under traditional Medicare, but the MAO was still collecting full capitation, it is possible that a whistleblower or the government may pursue FCA liability. This risk warrants attention because whistleblowers can bring qui tam suits under the FCA, with resulting high costs for defense and potentially high penalties if a violation is proven (or settled to avoid further litigation). That said, an FCA suit based on this theory would raise serious questions, including whether any non-payment actually met the FCA’s “knowingly” standard (which includes reckless disregard), or whether any non-payment met the materiality threshold necessary to demonstrate a violation of the FCA.

© 2022 Foley & Lardner LLP

Alabama Enacts New Telemedicine Law

Alabama Governor Kay Ivey recently signed SB 272 into law, setting forth telemedicine practice standards and abolishing Alabama’s previous “special purpose license” that allowed physicians licensed in other states to practice across state lines into Alabama. The law is effective July 11, 2022.

The law creates a new article in the Code of Alabama (Sections 34-24-701 through 34-24-707 of Chapter 24, Title 34). The statutory language is lengthy, but the key provisions are summarized below.

Medical License

Unless the physician meets an exception to licensure (e.g., peer-to-peer consultations, irregular or infrequent services), a physician must obtain either a full Alabama medical license or a license via the Interstate Medical Licensure Compact in order to provide “telehealth medical services” to a patient located in Alabama.

  • Telehealth medical services means “[d]igital health, telehealth, telemedicine, and the applicable technologies and devices used in the delivery of telehealth. The term does not include incidental communications between a patient and a physician.
  • The term “irregular or infrequent” services refers to “telehealth medical services” occurring less than 10 days in a calendar year or involving fewer than 10 patients in a calendar year.

Defined Terms and Allowable Modalities

  • Telehealth is defined as “[t]he use of electronic and telecommunications technologies, including devices used for digital health, asynchronous and synchronous communications, or other methods, to support a range of medical care and public health services.”
  • Telemedicine is defined as “[a] form of telehealth referring to the provision of medical services by a physician at a distant site to a patient at an originating site via asynchronous or synchronous communications, or other devices that may adequately facilitate and support the appropriate delivery of care.” The term includes digital health, but does not include incidental communications between a patient and a physician.
  • Digital Health is defined as “[t]he delivery of health care services, patient education communications, or public health information via software applications, consumer devices, or other digital media.”
  • Asynchronous is defined as “[t]he electronic exchange of health care documents, images, and information that does not occur in real time, including, but not limited to, the collection and transmission of medical records, clinical data, or laboratory results.”
  • Synchronous is defined as “[t]he real-time exchange of medical information or provision of care between a patient and a physician via audio/visual technologies, audio only technologies, or other means.”

Physician-Patient Relationship

A physician-patient relationship may be formed via telehealth without a prior in-person exam.

Telemedicine Prescribing of Medications and Controlled Substances

A practitioner may prescribe a legend drug, medical supplies, or a controlled substance to a patient via telehealth. However, a prescription for a controlled substance may only be issued if:

  1. The telehealth visit includes synchronous audio or audio-visual communication using HIPAA compliant equipment;
  2. The practitioner has had at least one in-person encounter with the patient within the preceding 12 months; and
  3. The practitioner has established a legitimate medical purpose for issuing the prescription within the preceding 12 months.

In-Person Visit for Unresolved Medical Condition

If a physician or practice group provides telehealth medical services more than 4 times in a 12-month period to the same patient for the same medical condition without resolution, the physician must either see the patient in-person within 12 months or refer the patient to a physician who can provide the in-person care within 12 months. This in-person visit requirement does not apply to the provision of mental health services.

The Alabama Board of Medical Examiners and the Alabama Medical Licensure Commission are currently developing administrative rules in accordance with the new law.

© 2022 Foley & Lardner LLP

Antitrust Enforcers’ “Second Listening” Forum On Merger Reform Highlights Issues In The Healthcare Industry

In March of this year the Antitrust Division of the U.S. Department of Justice (“DOJ”) and the Federal Trade Commission (“FTC”) jointly announced a series of “listening forums” that would help gather real world input from participants in key industry segments on possible reforms to the antitrust regulations pertaining to mergers and acquisitions.Co-led by DOJ Deputy Assistant Attorney General (“DAAG”) Doha Mekke and FTC Chairperson Lina Khan, the second of the four announced forums, focusing on healthcare, was held on April 14, 2022. 2  In addition to DAAG Mekki and Chairperson Khan, the program included eight panelists that provided perspectives from nurses, doctors, patients, pharmacists and small businesses. 3

DAAG Mekki started off the discussion by reaffirming the antitrust enforcement agencies’ collective commitment that “healthcare markets remain competitive” because it “is essential to our livelihood or the livelihood of the nation.” Mekki referenced ongoing work by the agencies in the healthcare field, including recent DOJ enforcement actions. 4

The healthcare panelists highlighted several ongoing issues in the industry, such as the adverse impact of care due to post-merger hospital staff downsizing that was tied to merger-specific efficiencies, reduced options to tertiary care, higher healthcare costs for patients, and unfair competition in the pharmaceutical and small business markets, and other impacts in the research and labor markets.

Chairperson Khan indicated that the comments resonated with the concerns that the FTC had in the hospital, pharmacy benefits management, and pharmacy industries. Ms. Khan also suggested a renewed interest in examining the potential anticompetitive effects of vertical integration in addition to horizontal mergers and acquisitions, which is consistent with the FTC’s position when it indicated that it wanted to revisit this issue while withdrawing the Vertical Merger Guidelines in 2021. Khan also reaffirmed the importance of examining anticompetitive effects in the labor market. All of these issues, according to Khan, are important in assessing how the antitrust laws can be used to improve the quality of healthcare for patients.

The forum ended with some of the more than two hundred public comments, most of which echoed similar concerns raised by the panelists in addition to concerns such as disparities in hospital-physician group contracting situations and racial disparities in access to healthcare as a result of healthcare system mergers.

Once again, all signs point toward an unprecedented time in antitrust enforcement in the healthcare industry. Accordingly, it is important that healthcare companies revisit, revise, and implement best practices with regard to their respective antitrust compliance programs. A proactive, as opposed to a reactive, approach would provide companies the best risk management strategy. It is also important to engage antitrust counsel early in potential transactions to assess how the antitrust agencies may view the deal.

The DOJ and FTC Listening Forums continue with Media and Entertainment, which was held on April 27, 2022, and the final one on Technology, which will be held on May 12, 2022. Click here to download the alert. 

FOOTNOTES

1    “Forums to focus on markets commonly impacted by mergers: food and agriculture, health care, media and entertainment, and technology,” March 17, 2022, available at: https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-justice-department-launch-listening-forums-firsthand-effects-mergers-acquisitions

2   See “Antitrust Enforcers’ First ‘Listening Forum’ On Merger Reform Highlights Ongoing Concerns in the Food and Agriculture Industry” May 9, 2022, available at: https://www.polsinelli.com/intelligence/antitrust-forum-highlights-concerns-in-food-and-ag

Full transcript of forum available at: https://www.ftc.gov/system/files/ftc_gov/pdf/FTC-DOJ-Listening-Forum-%20Health-Care-Transcript.pdf. It should be noted that Assistant Attorney General Jonathan Kanter did make an appearance at the end of the session, reiterating the importance of this forum.

4    See “DOJ Faces Two Strikeouts in First Health Care Wage-Fixing and ‘No Poach’ Prosecutions,” April 20, 2022, available at: https://www.polsinelli.com/intelligence/doj-faces-two-strikeouts-in-first-health-care

© Polsinelli PC, Polsinelli LLP in California
Article By Arindam Kar with Polsinelli PC.
For more articles about antitrust law, visit the NLR Antitrust law section.

A Simple Guide to Exactech Hip, Knee and Ankle Replacement Lawsuits and Settlements

How Do I Know If I Have a Exactech Claim?

STEP 1: Obtain Medical Records

We have written extensively about the different types of defects in certain Exactech products, and the various causes of those defects, particularly to the polyethylene (plastic) liners of those products. Regardless of whether you are dealing with a hip, knee or ankle replacement, the first step in figuring out whether you have a potential claim is to confirm which type of Exactech product (and the components of that product) that you had implanted.

There is a simple way to do that. Whenever doctors use a medical implant or device, like a hip, knee or ankle implant, it comes in its own shiny new box (as you can imagine, a lot of marketing goes into the packaging of these extremely expensive products).

The box has stickers on it that specifically identify everything about the product (manufacturer, model, lot number, etc.). The surgeon takes the sticker off of the box and attaches it to the Operative Report. Consisting of only a few pages, the Operative Report is a basic summary of your joint replacement operation. The stickers are usually attached to the last page of the Operative Report. You can go to your medical provider and ask for your Operative Report (this should only take a couple of days to receive), or you can retain an attorney to formally request your operative report (this will take a few weeks).

Helpful hint: medical providers are only responsible for keeping records for a certain amount of time. If your operation happened a relatively long time ago (longer than seven years), it will be much more difficult to get the records.

STEP 2: Identify the Exactech Implant

Now that you have a copy of your Operative Report with the identifying stickers, you need to compare your Exactech implant to a list of Exactech products that are recalled, alleged to be defective or are otherwise part of the pending nationwide litigations.

Again, some of the recalled product liners are subject to premature deterioration and failure because the packaging exposed them to oxygen, and some of the (hip) liners just did not last as long as they should have. As these products have been used in tens of thousands of procedures over many years, this obviously caused, and continues to cause, serious problems in patients – including osteolysis, or bone loss.

Exactech has a website that allows you to search your implant in its recalled products list. The website also contains the recall and warning letters that should have been sent to your doctors. Finally, the Exactech website encourages patients to submit claims for defective implants through a company hired by Exactech, named Broadspire.

STEP 3: Is Revision Necessary?

Now that you have identified your Exactech implant as one of the products that are alleged to be defective and are part of the pending nationwide litigations, you have to be able to show you suffered damages that require a revision of the implant. In this case, “revision” basically means that a doctor has found it necessary to go in and try to fix or replace part or all of your defective Exactech implant.

Unfortunately, every surgical procedure has a risk of complications. Just experiencing an injury, such as an infection at the surgical site, is not uncommon and does not always mean that your injuries are attributable to a defective Exactech product. So, you will also have to be able to show that the failure of your implant was caused by the premature breakdown and failure of the plastic liner of the implant.

STEP 4: Contact an Attorney

Now that you have determined that you have a defective Exactech implant that required (or will require) revision, you will want to get some legal advice. Two things to keep in mind: 1) make sure to talk to a law firm that specializes in Exactech hip, knee and ankle litigation; and 2) do not wait – there are different deadlines and statutes of limitations that apply to your claim. Do your homework and research the firm you will be working with – there is a good chance it will not be the same lawyer that handled your last speeding ticket, or one of the 800 numbers that flash across your television screen late at night. Put this on the top of your pile of things to do. Only bad things can happen if you wait too long to pursue a claim.

COPYRIGHT © 2022, STARK & STARK
For more about personal injury cases, visit the NLR Litigation section.

COVID-19 Healthcare Enforcement Actions to Increase in 2022 and Beyond

The Department remains committed to using every available federal tool—including criminal, civil, and administrative actions—to combat and prevent COVID-19 related fraud. We will continue to hold accountable those who seek to exploit the pandemic for personal gain, to protect vulnerable populations, and to safeguard the integrity of taxpayer-funded programs”

US Attorney General Merrick Garland – March 10, 2022, Remarks

The Biden Administration, US Department of Justice (DOJ), US Department of Health and Human Services Office of Inspector General (HHS-OIG), and other federal agencies have prioritized prosecuting COVID-19-related fraud since the pandemic began. Although the United States appears to be finally emerging from the pandemic, the government’s pandemic-related enforcement actions are here to stay for the foreseeable future. DOJ has made clear that the government’s COVID-19 enforcement efforts will accelerate, with a more significant focus on complex healthcare fraud cases and civil actions under the False Claims Act (FCA). As the federal government continues to devote additional resources towards its pandemic-related enforcement efforts, healthcare companies, hospital systems and providers should prepare for increased scrutiny.

Additional Resources Devoted to COVID-19 Fraud Enforcement Efforts

DOJ and other federal agencies have already devoted an unprecedented amount of resources to investigating and prosecuting pandemic-related fraud cases. These extensive efforts have led to immediate results. To date, DOJ has brought pandemic-related criminal charges against more than 1,000 individuals with the total alleged fraud losses exceeding $1 billion, and has seized more than $1.2 billion in fraudulently obtained relief funds.

DOJ’s pandemic-enforcement efforts show no sign of slowing down anytime soon. Less than a year after US Attorney General (AG) Merrick Garland established the COVID-19 Fraud Enforcement Task Force, the Biden administration announced that DOJ would appoint a chief prosecutor to expand on the Task Force’s “already robust efforts,” to focus on “most egregious forms of pandemic fraud” and to target particularly complex fraud schemes.

On March 10, 2022, DOJ announced that Kevin Chambers has been appointed as DOJ’s director for COVID-19 fraud enforcement. During his introductory remarks, Chambers said that DOJ would be “redoubling [its] efforts to identify pandemic fraud, to charge and prosecute those individuals responsible for it and whenever possible, to recover funds stolen from the American people.” He also indicated that DOJ would use “new tools” it has developed since the start of the pandemic to investigate such fraud.

In a March 2, 2022, speech before the American Bar Association’s Annual National Institute on White Collar Crime, AG Garland also announced that the Biden Administration will seek an additional $36.5 million in the 2022 budget for DOJ to “bolster efforts to combat pandemic-related fraud.” As evidence of this point, DOJ plans to hire 120 new prosecutors and 900 new Federal Bureau of Investigation agents who will focus on white-collar crime.

DOJ and HHS-OIG to Increasingly Focus on FCA Cases

For the past two years, officials from DOJ and HHS-OIG have identified civil and criminal healthcare fraud relating to COVID-19 as a high priority. As the effects of the pandemic subside, COVID-19-related civil enforcement actions targeting healthcare providers and healthcare companies seem set to increase.

During remarks at the Federal Bar Association’s annual Qui Tam Conference in February 2022, Gregory Demske, chief counsel to the inspector general for HHS-OIG, emphasized that COVID-19 remains a key enforcement priority. Demske indicated that HHS-OIG is focused on the use of COVID-19 to bill for medically unnecessary services, and fraud in connection with HHS’s Provider Relief Fund (PRF) and Uninsured Relief Fund. Demske also confirmed that HHS-OIG remains intensely focused on fraud in connection with telehealth services, the use of which increased exponentially during the pandemic. And, in March 2022, AG Garland reiterated that DOJ will use “every available federal tool—including criminal, civil, and administrative actions—to combat and prevent COVID-19 related fraud.”

The majority of pandemic-related healthcare enforcement actions to date have been criminal prosecutions involving truly blatant instances of fraud and abuse. Going forward, civil and administrative actions likely will be used to pursue cases that turn on lower mens rea requirements or involve more complex regulatory issues. These civil actions will include qui tam actions filed by whistleblowers, as well as FCA cases initiated directly by the DOJ.

In 2021, DOJ recovered more than $5 billion in connection with FCA cases involving the healthcare industry. Given the unprecedented amount of government funds expended to combat the COVID-19 pandemic, DOJ and HHS-OIG will undoubtedly rely on the FCA to maximize the government’s financial recovery. DOJ has already reached FCA settlements in several Paycheck Protection Program cases. It is only a matter of time before we see similar FCA investigations, complaints and settlements focused on relief funding to healthcare providers.

Pandemic-Related Healthcare Priorities

HHS’s PRF

The PRF was created as part of the Coronavirus Aid, Relief and Economic Security (CARES) Act to provide direct payments to “eligible health care providers for health care-related expenses [and] lost revenues that are attributable to coronavirus.” More than $140 billion has been disbursed to hospitals and healthcare providers under the PRF, which is administered by the Health Resources & Services Administration (HRSA).

Payments under the PRF are subject to specific terms and conditions. To retain PRF disbursements, providers must attest to “ongoing compliance” with these requirements and acknowledge that their “full compliance with all Terms and Conditions is material to the Secretary’s decision to disburse funds.” Notwithstanding ongoing concerns and confusion regarding the PRF program requirements, any noncompliance with the terms and conditions could result in criminal, civil and administrative enforcement actions. As recently as March 3, 2022, AG Garland identified fraud in connection with the PRF as a key DOJ enforcement priority.

To date, the Healthcare Fraud Unit of DOJ’s Criminal Division has already brought criminal charges against nine individuals for fraud relating to the PRF. These criminal cases, however, have almost exclusively focused on egregious allegations of fraud and abuses, such as misappropriating PRF disbursements and using the money for personal expenses. For example, in September 2021, DOJ charged five individuals with using PRF payments to gamble at Las Vegas casinos and purchase luxury cars.

DOJ, however, has long indicated that the FCA will also play a “significant role” in DOJ’s PRF enforcement efforts. It is now just a matter of time before such civil investigations and settlements emerge.

HRSA’s stated oversight plan includes post-payment analysis and review to determine whether HHS distributed PRF payments to eligible providers in the correct amounts; audits to assess whether recipients used the funds in accordance with laws, guidance, and terms and conditions; and the recovery of overpayments and unused or improperly used payments. Among other things, HRSA and HHS-OIG likely will evaluate ownership changes, double counting reimbursed expenses and losses, and compliance with the balanced billing requirements.

PRF oversight and enforcement actions have been delayed partly because of program complexities and extended reporting timelines. For example, the first report from PRF recipients on use of funds was not due until the end of 2021. Depending on the date funds were received, PRF recipients may have no reporting obligations through 2023. Entities that expended more than $750,000 in federal awards, including PRF payments, also must obtain an independent audit examining their financial statements; internal controls; and compliance with applicable statutes, regulations and program requirements. These independent audits of PRF payments must be submitted to the Federal Audit Clearinghouse, for nonprofit organizations, or the HRSA Division of Financial Integrity, for for-profit “commercial” organizations. Recipients also may be subject to separate audits by HHS, HHS-OIG or the Pandemic Response Accountability Committee to review copies of records and cost documentation and to ensure compliance with the applicable terms and conditions.

Finally, DOJ and HHS-OIG have increasingly relied on sophisticated data analytics to drive their healthcare enforcement efforts generally. Now that the first round of reports containing specific PRF data certifications are available to HRSA and HHS-OIG, we expect to see the use of such analytics, in conjunction with all the other available information, in connection with PRF enforcement.

Telehealth

Telehealth use expanded exponentially during the pandemic. A March 2022 HHS-OIG report showed that during the first year of the pandemic, more than 28 million Medicare beneficiaries (approximately 43% of all Medicare beneficiaries) used telehealth services—a “dramatic increase from the prior year” in which only 341,000 beneficiaries used telehealth. This increase was largely the result of HHS temporarily waiving statutory and regulatory requirements related to telehealth to allow Medicare beneficiaries to obtain expanded telehealth services.

Telehealth has been at the forefront of DOJ’s healthcare enforcement efforts for years now. For example, DOJ’s 2021 nationwide healthcare enforcement action included criminal charges against dozens of individuals for telehealth fraud schemes involving more than $1.1 billion in alleged loses. The majority of these telehealth enforcement actions to date have involved the use of telehealth to engage in traditional fraud healthcare schemes, such as illegal kickbacks and billing for medically unnecessary services and equipment.

DOJ, however, has increasingly pursued criminal enforcement actions directly related to the telehealth waivers HHS issued in response to the pandemic. For example, in November 2021, a defendant was sentenced to 82 months in prison for participating in a $73 million telehealth fraud scheme. The defendant owned laboratories that provided genetic testing and had paid his coconspirators to arrange for telehealth providers to order medically unnecessary genetic tests. The telehealth providers were not actually treating the beneficiaries, did not use the test results and often never even conducted the telemedicine consultation. Although this was primarily a traditional Anti-Kickback Statute/medical necessity case, DOJ also charged the defendant with using the COVID-19-related telehealth waivers to submit more than $1 million in false claims for sham telemedicine visits.

Similar criminal prosecutions and civil actions relating to the expanded telehealth waivers and sham telehealth encounters can be expected in the future. DOJ and HHS-OIG will likely focus on telehealth visits that resulted in claims for services and equipment with particularly high reimbursement rates, such as genetic testing and durable medical equipment. DOJ and HHS-OIG likely will use data analytics to focus on instances in which telehealth services were billed by providers with whom the beneficiary did not previously have a relationship.

Improper Billing Schemes

DOJ has also pursued criminal cases involving traditional healthcare fraud schemes that sought to take advantage of the COVID-19 pandemic. For example, in May 2021, DOJ announced criminal charges against numerous individuals who were improperly bundling COVID-19 tests with other more expensive laboratory tests, such as genetic testing, allergy testing and respiratory pathogen panel testing. DOJ has likewise pursued criminal cases in which defendants improperly used COVID-19 “emergency override” billing codes to circumvent preauthorization requirements and bill Medicare for expensive medications and treatments. Any improper billing schemes that relate to the pandemic will continue to be a focus of criminal and civil enforcement efforts going forward.

Key Takeaways and Recommendations

DOJ, HHS-OIG and other federal agencies remain focused on pursuing healthcare fraud relating to the COVID-19 pandemic. The best way for hospitals, health systems and other healthcare companies and providers to prepare for this increased enforcement activity and scrutiny is to ensure that they have a robust compliance program in place.

There is no one-size-fits-all approach to compliance, but companies can take several proactive and practical steps to minimize their enforcement risk:

  • Monitor federal and state regulatory and statutory changes. The rules, regulations and guidance relating to the COVID-19 pandemic, including for the PRF and expanded telehealth waivers, have repeatedly changed over the past two years and continue to evolve. Monitoring such changes will not only help prevent enforcement actions, but a company’s reasonable and good faith efforts to interpret and follow such rules and regulations can be a powerful defense should an investigation arise, as discussed in connection with the Allergan case, above. Further to that point, where regulatory requirements and associated guidance is ambiguous, a good documentary record of the basis for your entity’s interpretation of the rules is critical.
  • Incorporate data analytics into your compliance program. DOJ and HHS-OIG continue to rely heavily on sophisticated data analytics, including artificial intelligence, to identify and prosecute fraud. In March 2022, AG Garland emphasized DOJ’s use of “big data” to identify payment anomalies that are indicative of fraud. Healthcare companies already have access to vast amounts of data that they can and should use to proactively identify errors, monitor risk areas and address any potential misconduct.
  • Adapt your compliance program and internal controls, as appropriate, to support PRF compliance, reports and audits. Recipients should continue to practice good compliance hygiene and maintain contemporaneous records regarding the receipt and spending of federal funds. Doing so may involve implementing additional systems to track spending, recovery and relief to avoid overlapping use of funds among relief programs, or consulting with grant accounting and compliance advisors to augment existing infrastructure. Recipients also should periodically review policies, procedures and controls, particularly following major updates to program requirements and interpretations.
  • Ensure the accuracy of required PRF reports, certifications and submissions. Particularly in light of ongoing political pressure, HRSA and HHS-OIG likely will conduct extensive oversight of the PRF to identify potential errors, overpayments and improper use of funds. Recipients should carefully review guidance and instructions to avoid inadvertent errors and misstatements on all submissions. Recipients may consider revisiting prior submissions underlying significant disbursements to identify interpretative issues or compliance concerns that warrant additional supporting documentation or disclosure.
  • Carefully consider the implications before entering into arrangements with other parties. The biggest risk to healthcare companies often comes from those with whom they do business. Compliance programs should focus heavily on reducing the risk of entanglement with bad actors.
  • Be diligent in the design and oversight of marketing strategies. Healthcare companies and providers should regularly review their marketing strategies to ensure total transparency and compliance (both historic and prospective) with applicable state and federal anti-kickback statutes. Companies should confirm that patients are reached through appropriate channels. Although issues relating to COVID-19 may be the impetus for a government investigation, violations of the Anti-Kickback Statute frequently result in larger recoveries for the government.
  • Proactively examine coding and billing practices. Providers should immediately review and revisit their coding and billing practices to determine if their practices involved bundling COVID-19 testing with other claims, the use emergency override billing codes or billing for other COVID-19 related services with high reimbursement rates. There is a strong likelihood that the DOJ will review the claims data for any providers with statistically significant use of these billing and coding practices, particularly when the providers are located in geographical areas where the DOJ’s Healthcare Fraud Strike Force and HHS-OIG’s Medicare Fraud Strike Force operate.

For more health law legal news, click here to visit the National Law Review.

© 2022 McDermott Will & Emery

HIPAA Enforcement Continues Under Right of Access Initiative

On March 28, 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of two additional cases as part of OCR’s HIPAA Right of Access Initiative.

The Right of Access Initiative was launched by OCR in 2019 “to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule” as explained by OCR. In the March 28 announcement, OCR indicated its continuing commitment to enforce compliance with the HIPAA Rules, including the “foundational” Right of Access provision. With the two most recent cases, there have now been 27 investigations and settlements under the Right of Access Initiative (see full chart below).

Nearly all of the investigations in the Right of Access Initiative involve a single individual unable to obtain a copy of some or all of their protected health information from a health care provider or to do so within the timeframe required or in accordance with fees permitted by the HIPAA Privacy Rule. In some cases, additional issues found during the investigation, such as failure to have conducted a HIPAA risk assessment or lack of HIPAA policies, are part of the settlement.  In all cases, in addition to the monetary penalty, the settlement has included a Corrective Action Plan imposing various obligations, such as policy development, training, and mandatory reporting to OCR.

The Right of Access Initiative remains one of the most active areas of HIPAA enforcement. In its most recent Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance, OCR noted that right of access was the third most common issue of complaints resolved. Moreover, the Right of Access Initiative coordinates with the ONC 2020-2025 Federal HIT Strategic Plan and the goal of “Providing patients and caregivers with more robust health information.” It is a core tenant of the Federal HIT Strategic Plan that access to health information will “better support person-centered care and patient empowerment.”

©2022 Epstein Becker & Green, P.C. All rights reserved.