Brace for Impact – Final HITECH Rules Will Require Substantially More Breach Reporting

The National Law Review recently published an article, Brace for Impact – Final HITECH Rules Will Require Substantially More Breach Reporting, written by Elizabeth H. Johnson with Poyner Spruill LLP:

Poyner Spruill

 

The U.S. Department of Health and Human Services (HHS) has finally issued its omnibus HITECH Rules.  Our firm will issue a comprehensive summary of the rules shortly (sign up here), but of immediate import is the change to the breach reporting harm threshold.  The modification will make it much more difficult for covered entities and business associates to justify a decision not to notify when an incident occurs.

Under the interim rule, which remains in effect until September 23, 2013, a breach must be reported if it “poses a significant risk of financial, reputational, or other harm to the individual.” The final rule, released yesterday, eliminates that threshold and instead states:

“[A]n acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E [the Privacy Rule] is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;

(iii) Whether the protected health information was actually acquired or viewed; and

(iv) The extent to which the risk to the protected health information has been mitigated.”
(Emphasis added).

In other words, if a use or disclosure of information is not permitted by the Privacy Rule (and is not subject to one of only three very narrow exceptions), that use or disclosure will be presumed to be a breach.  Breaches must be reported to affected individuals, HHS and, in some cases, the media.  To rebut the presumption that the incident constitutes a reportable breach, covered entities and business associates must conduct the above-described risk analysis and demonstrate that there is only a low probability the data will be compromised.  If the probability is higher, breach notification is required regardless of whether harm to the individuals affected is likely.  (Interestingly, this analysis means that if there is a low probability of compromise notice may not be required even if the potential harm is very high.)

What is the effect of this change?  First, there will be many more breaches reported resulting in even greater costs and churn than the already staggering figures published by Ponemon which reports that 96% of health care entities have experienced a breach with average annual costs of $6.5 billion since 2010.

Second, enforcement will increase.  Under the new rules, the agency is required (no discretion) to conduct compliance reviews when “a preliminary review of the facts” suggests a violation due to willful neglect.  Any reported breach that suggests willful neglect would then appear to require agency follow-up.  And it is of course free to investigate any breach reported to them.  HHS reports that it already receives an average of 19,000 notifications per year under the current, more favorable breach reporting requirements, so where will it find the time and money to engage in all these reviews?  Well, the agency’s increased fining authority, up to an annual maximum of $1.5 million per type of violation, ought to be some help.

Third, covered entities and business associates can expect to spend a lot of time performing risk analyses.  Every single incident that violates the Privacy Rule and does not fit into one of three narrow exceptions must be the subject of a risk analysis in order to defeat the presumption that it is a reportable breach.  The agency requires that those risk analyses be documented, and they must include at least the factors listed above.

So why did the agency change the reporting standard?  As it says in the rule issuance, “We recognize that some persons may have interpreted the risk of harm standard in the interim final rule as setting a much higher threshold for breach notification than we intended to set. As a result, we have clarified our position that breach notification is necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised. . . .”

The agency may also have changed the standard because it was criticized for having initially included a harm threshold in the rule, with critics claiming that the HITECH Act did not provide the authority to insert such a standard.  Although the new standard does, in essence, permit covered entities and business associates to engage in a risk-based analysis to determine whether notice is required, the agency takes the position that the new standard is not a “harm threshold.”  As they put it, “[W]e have removed the harm standard and modified the risk assessment to focus more objectively on the risk that the protected health information has been compromised.”  So, the agency got their way in that they will not have to receive notice of every single event that violates the Privacy Rule and they have made a passable argument to satisfy critics that the “harm threshold” was removed.

The new rules are effective March 26, 2013 with a compliance deadline of September 23, 2013.  Until then, the current breach notification rule with its “significant risk of harm” threshold is in effect.  To prepare for compliance with this new rule, covered entities and business associates need to do the following:

  • Create a risk analysis procedure to facilitate the types of analyses HHS now requires and prepare to apply it in virtually every situation where a use or disclosure of PHI violates the Privacy Rule.
  • Revisit security incident response and breach notification procedures and modify them to adjust notification standards and the need to conduct the risk analysis.
  • Revisit contracts with business associates and subcontractors to ensure that they are reporting appropriate incidents (the definition of a “breach” has now changed and may no longer be correct in your contracts, among other things).
  • If you have not already, consider strong breach mitigation, cost coverage, and indemnification provisions in those contracts.
  • Revisit your data security and breach insurance policies to evaluate coverage, or lack thereof, if applicable.
  • Consider strengthening and reissuing training.  With every Privacy Rule violation now a potentially reportable breach, it’s more important than ever to avoid mistakes by your workforce.  And if they happen anyway, during a subsequent compliance review, it will be important to be able to show that your staff was appropriately trained.
  • Update your policies to address in full these new HIPAA rules.  The rules require it, and it will improve your compliance posture if HHS does conduct a review following a reported breach.

As noted above, our firm will issue a more comprehensive summary of these new HIPAA rules in coming days.

© 2013 Poyner Spruill LLP

Rainmaker Retreat: Law Firm Marketing Boot Camp

The National Law Review is pleased to bring you information about the upcoming Law Firm Marketing Boot Camp:

rainmaker ad January 2013

WHY SHOULD YOU ATTEND?

Have you ever gone to a seminar that left you feeling motivated, but you walked out with little more than a good feeling? Or taken a workshop that was great on style, but short on substance?

Ever been to an event that was nothing more than a “pitch fest” that left a bad taste in your mouth? We know exactly how you feel. We have all been to those kinds of events and we hate all those things too. Let me tell you right up front this is not a “pitch fest” where speaker after speaker gets up only trying to sell you something.

We have designed this 2 day intensive workshop to be content rich, loaded with practical content.

We are so confident you will love the Rainmaker Retreat that we offer a 100% unconditional money-back guarantee! At the end of the first day of the Rainmaker Retreat if you don’t believe you have already received your money’s worth, simply tell one of the staff, return your 70-page workbook and the CD set you received and we will issue you a 100% refund.

We understand making the decision to attend an intensive 2-day workshop is a tough decision. Not only do you have to take a day off work (all Rainmaker Retreats are offered only on a Friday-Saturday), but in many cases you have to travel to the event. As a business owner you want to be sure this is a worthwhile investment of your time and money.

WHO SHOULD ATTEND?

Partners at Small Law Firms (less than 25 attorneys) Solo Practitioners and Of Counsel attorneys who are committed to growing their firm. Benefits you will receive:

Solo practitioners who need to find more clients fast on a shoe-string budget. In addition to all the above benefits, solo attorneys will receive these massive benefits:

Law Firm Business Managers and Internal Legal Marketing Staff who are either responsible for marketing the law firm or manage the team who handles the law firm’s marketing. In addition to all the above benefits, Law Firm Business Managers and Internal Legal Marketing Staff will also receive these benefits:

Of Counsel Attorneys who are paid on an “eat what you kill” basis. In addition to all the above benefits, Of Counsel attorneys will also receive these benefits:

Associates who are either looking to grow their book of new clients in the next 6-12 months or want to launch their own private practice. In addition to all the above benefits, Associates will also receive these benefits:

Gun Violence Prompts HHS to Release Letter on Disclosures of Protected Health Information to Avert Threats to Health or Safety

vonBriesen

The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) issued a letter to health care providers clarifying the providers’ ability under the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Ruleto disclose necessary information about patients to avert threats to health or safety. OCR explained that providers may take action, consistent with ethical standards and other legal obligations, to disclose necessary information about a patient to law enforcement, family members of the patient, or other persons when providers believe the patient presents a serious danger to himself or other people.

OCR Secretary Leon Rodriguez issued the letter in response to recent mass shootings in Newtown, Connecticut and Aurora, Colorado. The letter does not introduce a new requirement or standard for providers. Rather, the letter serves as a reminder that when considering whether to disclose protected health information to avert threats, providers are required to balance safety with patient privacy and that in some instances, safety will be paramount to privacy. HIPAA is not a barrier to making disclosures under these circumstances.

OCR Guidance

In its letter, OCR explains that the Privacy Rule balances the privacy of patient protected health information with the need to ensure that information may be appropriately used or disclosed when necessary for the patient’s treatment, to protect the nation’s public health, and for other critical purposes. According to OCR, one such critical purpose is the disclosure of otherwise confidential information when providers warn law enforcement or others that individuals may be at risk of harm because of a patient. In such circumstances, providers are presumed to act in good faith based on the provider’s interaction with the patient or based on a credible report from a person with apparent knowledge of the patient or other individual. Such provider warnings must be made consistent with other applicable law, including state law (see below for more on Wisconsin state law).

OCR’s letter emphasizes that in order to avert threats to health or safety, information from mental health records may be disclosed, as necessary, to certain individuals who may reasonably be able to prevent or lessen the risk of harm. Consequently, if a patient makes a credible threat, a mental health provider may alert police, a parent or family member of a patient, school administrators, campus police and others who may be able to intervene without violating HIPAA. However, OCR cautions that providers should abide by state law in addition to federal law governing alcohol and drug abuse (“AODA”) treatment records (42 C.F.R. Part 2).

Wisconsin Law

The OCR letter is generally consistent with Wisconsin law which has established that mental health professionals have a duty to exercise reasonable care in the treatment of their patients by warning others of threats of harm by the patient. In Schuster v. Altenberg (Wisconsin’s version of the Tarasoff case), the Wisconsin Supreme Court held that the duty to warn extends to whatever steps are reasonably necessary under the circumstances, including contacting the police, recommending or requiring hospitalization, or notifying a family member or friend who can help ensure safety.

Despite a provider’s duty to warn, Wisconsin’s privacy statutes do not expressly permit the disclosure of mental health records for this purpose. As a result, Wisconsin providers may disclose otherwise confidential information to avert threats, but providers should limit the information to be disclosed to only that information which is essential to avert or lessen the threat.

We are aware that the legislature will make efforts during this legislative session to amend Section 51.30 of the Wisconsin Statutes, which protects the privacy of mental health records. A goal of the effort is to align the privacy provisions of Wisconsin law with HIPAA. This legislative effort may present an opportunity to amend Section 51.30 to expressly permit disclosure of mental health information and records to avert threats.

What Does This Mean For Wisconsin Providers – A Balancing Test

If a health care provider has reason to believe that a patient poses a threat to self or others, the provider may disclose otherwise confidential information about the patient in order to warn law enforcement, intended targets of the harm, or members of the patient’s family. However, the provider should not disclose a patient’s complete treatment record.

Providers must balance safety and patient privacy to assess what confidential information is reasonably necessary to provide notice to officials or individuals so that they may appropriately intervene to prevent or lessen a threat to health or safety. This balancing test takes into account the who, what, when, and how of disclosure – what individuals, officers, or organizations should receive the warning and disclosure; what confidential information should be disclosed; when should appropriate individuals be notified; and how should notice be provided?

For example, pursuant to a provider’s duty to warn, if a patient has made credible threats, the provider could share the patient’s name and contact information, the specific threats made by the patient, and a list of persons who may be at risk. However, it is unlikely that disclosure of the patient’s treatment plan, complete list of prescriptions, and childhood history would be necessary to avert the threat. Law enforcement may be able to obtain a court order for more complete records, should they determine such disclosure is necessary. Providers are well advised to consult legal counsel when conducting this delicate balancing test.

Providers take on risk for over-disclosure of confidential patient information. OCR’s letter and the provider’s duty to warn do not provide providers with a blanket protection to disclose confidential patient information. Instead, providers should conduct the requisite balancing test and disclose only that confidential information reasonably necessary to avert or lessen a threat.

©2013 von Briesen & Roper, s.c.

Operational and Technical Changes for FACTA Compliance – January 30 – February 1, 2013

The National Law Review is pleased to bring you information about the upcoming Global Financial Markets – Operational and Technical Changes for FACTA Compliance:

key topics

  • Assess the full implications of the finalized FATCA regulation
  • Coordinate an optimal approach to operational, infrastructural and technical changes under FATCA
  • Identify strategies to effectively manage client accounts
  • Integrate existing internal procedures with FATCA compliance
  • Understand what is expected by the IRS

key features

  • Pre-Conference Workshop on January 30, 2013 for an Additional Cost:
  • Pre-Conference Workshop: The Intergovernmental Agreements: Changing the Face of International Tax lead by JP&MF Consulting and Mopsick Tax Law LLP

event focus

FATCA is amongst the biggest topics of debate in financial institutions across the globe. The effect that it will have on these institutions cannot be underestimated and its operational impact on the existing systems is set to be both time consuming and costly. The ability to successfully align all key stakeholders, including operations, technology, risk, legal and tax, will determine the ultimate cost of FATCA compliance. Moving on from mere interpretive matters, this GFMI conference will not only address key FATCA requirements but also discuss the practical impacts of IGAs and strategies for achieving operational and infrastructural efficiency.

The Operational and Technical Changes for FATCA Compliance Conference will be a two and half day, industry focused event, specific to Senior Executives working in Banks, Insurance and Asset Management Companies. Attendees will address key FATCA requirements, while discussing the practical implications of IGAs and strategies for achieving operational and infrastructural efficiency.

Key Themes of the Operational and Technical Changes for FATCA Compliance Conference Include:

1. Challenges of FATCA regulations and prospects for the final regulation

2. Achieving operational and infrastructural efficiency

3. Coordinating existing AML/KYC procedures with FATCA compliance

4. FATCA from the FFI’s perspective 5. Beyond banking: the challenges of FATCA implementation

6. Coping with the withholding obligation under FATCA

This is not a trade show; our conference series is targeted at a focused group of senior level executives to maintain an intimate atmosphere for the delegates and speakers. Since we are not a vendor driven conference, the higher level focus allows delegates to network with their industry peers.

Are Social Media Posts Discoverable?

The National Law Review recently published an article by Bruce H. Raymond of Raymond Law Group LLC regarding Social Media Posts:

RaymondBannerMED

A party files a request for production pursuant to Rule 34 seeking any profiles, messages (including status updates, wall comments, causes joined, groups joined, activity streams, blog entries) from social networking sites that reveal, refer or relate to any emotion, feeling, or mental state of plaintiff as well as communications by the plaintiff that may reveal or relate to events that could be expected to produce a significant emotion, feeling or mental state.

Essentially, the opposing counsel wants your social media activity. Potentially all of it. A party’s first thought might be that is private! I don’t want anyone to see it. However, depending on the claims advanced by a party this information may be discoverable and potential damaging and/or embarrassing posts may be ordered produced.

The production of social media posts, such as Facebook wall posts, are governed by the same relevance standard as any other discovery requests. While this issue is relatively new, cases and discovery orders on motions to compel are starting to become more prevalent. For instance, on Sept 7, 2012 a U.S. District Court granted a motion to compel social media posts from a plaintiff who claimed she was discriminated against by Home Depot. See Mailhoit v. Home Depot U.S.A.2012 WL 3939063 (C.D. Cal. Sept 7, 2012).

The plaintiff had testified at her deposition that as a result of the defendant’s actions, plaintiff suffered from depression. Defendant then sought to discover social media posts such as pictures on Facebook that would undermine the plaintiff’s claims of isolation and loss of friendship.

In examining the defendant’s discovery requests, the court noted that social networking posts are neither privileged nor protected by any right of privacy. However, the court acknowledged FRCP 34 does not allow a requesting party “a generalized right to rummage at will” through a party’s Facebook posts, but rather requires a threshold showing that the requested information is reasonably calculated to lead to the discovery of admissible evidence.

Therefore, the court held that a request for any profiles, postings or messages that reveal or relate to plaintiff’s emotional or mental state was too broad and failed to put a reasonable person of ordinary intelligence on notice of which specified documents or information would be responsive to the request.

However, the court did order the plaintiff to produce all social networking posts which in any way refer to her employment at Home Depot. Other courts have applied a similar rationale. For instance, another U.S. District Court denied a discovery request  in a slip and fall case seeking production of the plaintiff’s entire Facebook account.   Tompkins v. Detroit Metro Airport  , 278 F.R.D. 387 (E.D. Mich. 2012).

The defendant attached to their motion to compel pictures that were publically available on the plaintiff’s Facebook wall as well as private surveillance photos which showed her standing at a party and holding a small dog. The defendant argued these posts showed the relevance of the private posts which the defendant could not view. The court disagreed and stated that holding a small dog was not inconsistent with plaintiff’s claim of injury and therefore the defendant did not have a strong enough argument to obtain discovery of the plaintiff’s entire Facebook account. The court noted that if the pictures had showed her playing golf or riding a horse the defendant’s argument would have been stronger.

What is clear is that Facebook posts can be discoverable and that courts will utilize traditional principles of relevance to determine whether social media account information must be produced. While case law is still developing on this issue, counsel would be advised to limit their requests for social media posts to those that are relevant to the case as opposed to seeking a party’s entire Facebook account.

comp arrow.png

© 2013 by Raymond Law Group LLC

ABA Gaming Law Minefield Conference – February 14-15, 2013

The National Law Review is pleased to bring you information about the upcoming ABA Gaming Law Minefield Conference:

ABA Gaming Law Feb 14-15, 2013

When

February 14 – 15, 2013

Where

  • Green Valley Ranch Resort & Spa
  • 2300 Paseo Verde Pkwy
  • Las Vegas, NV 89101
  • United States of America
 
The program will discuss revolutionary legal, regulator, and ethical issues confronting both commercial and Native American gaming.  Attendees will learn about global anti-corruption initiatives, Internet gaming, and the challenges faced by commercial and Native American gaming.

FDA Issues Final Guidance on Refuse to Accept Policy for 510(k)s and Premarket Approval Applications (PMAs): Food, Drug & Device Law Alert

The National Law Review recently published an article by Hae Park-Suk and Lynn C. Tyler, M.S. of Barnes & Thornburg LLP regarding New FDA Final Guidance:

Barnes & Thornburg

 

The FDA recently issued two final medical device guidance documents titled, “Refuse to Accept Policy for 510(k)s” and “Acceptance and Filing Reviews for Premarket Approval Applications (PMAs).” Draft versions of these two guidance documents had been issued last summer in response to the FDA Safety and Innovation Act. The FDA was able to finalize the documents promptly because they did not receive many adverse public comments.

In addition to explanation of the new policy, the 510(k) guidance includes three checklists – one each for traditional, abbreviated, and special 510(k)s – for use by FDA staff in determining whether to accept a 510(k) for filing. The 510(k) guidance explains that two prior guidance documents, which this one replaces, and its current checklist “deal[t] largely with administrative elements but [did] not address specific content that is essential for 510(k) review.” FDA hopes that that the new guidance and checklists “will clarify the content needed in traditional, special, and abbreviated 510(k) submissions to allow FDA to conduct a substantive review, thereby enhancing the quality of received 510(k) submissions and improving overall review time.”

Further, the guidance states that the acceptance review should be conducted and completed within 15 calendar days of FDA’s receipt of a 510(k). If FDA refuses to accept the filing, it will notify the submitter and send the submitter a copy of the completed checklist to help the submitter identify the deficiency. The submitter may submit the additional information identified in the checklist and FDA will perform the acceptance screening again, also within 15 calendar days of receipt of the information. If FDA refuses to accept the filing a second time, the submitter is again notified and given the new checklist. If FDA accepts the filing, the submitter is notified and FDA will begin a substantive review of the 510(k). If FDA does not respond within the 15 days, the 510(k) is deemed accepted and FDA will also notify the submitter and begin a substantive review.

The checklists include five preliminary questions to be answered before the content of the 510(k) is compared to the acceptance criteria: Is the product a device or a combination product with a device component? Is the application with the appropriate Center (CDRH or CBER)? Is 510(k) the appropriate regulatory submission? Is there a pending PMA (pre-market approval application) for the same device and indications for use? And, if clinical studies have been submitted, is the submitter the subject of the Application Integrity Policy?

The PMA guidance also replaces a prior document, in this case one from 2003. The PMA guidance also includes checklists for the acceptance decision and follows the same 15 day scheme as the 510(k) guidance. It has the same five preliminary questions as the 510(k) guidance to be answered before the content is compared to the acceptance criteria, only modified for the PMA context. In other words, the third question is whether a PMA is the appropriate regulatory submission and the fourth is whether there is a pending 510(k) for the same device and indications for use.

The PMA guidance identifies several grounds for refusing to accept a tendered PMA application. FDA will not accept a PMA if it is incomplete because it does not on its face contain all information required under section 515(c)(1)(A)-(G) of the FD&C Act. Another reason a PMA will not be accepted is if it does not contain each of items required under 21 C.F.R. § 814.20 and any justification for the omission of any item is inadequate. FDA will not accept a PMA if the Applicant has a 510(k) pending for same device, and the FDA has not determined whether the device falls within the scope of 21 C.F.R. § 814.1(c). A PMA will not be accepted if it contains a false statement of material fact or is not accompanied by a statement of either certification or disclosure as required by 21 CFR Part 54.

A copy of the 510(k) guidance can be found here and a copy of the PMA guidance can be found here.

© 2013 BARNES & THORNBURG LLP

The 2013 E-Discovery and Information Governance National Institute January 23 – 25, 2013

The National Law Review is pleased to bring you information about the upcoming 2013 E-Discovery and Information Governance National Institute:

E-Discovery And Information Governance Jan 23-25 2013

January 23 – 25, 2013

Where

  • Stetson University
  • College of Law/Tampa Law Center
  • 1700 N Tampa St
  • Tampa, FL 33602-2653
  • United States of America

The ABA Section of Science and Technology Law is pleased to invite you to the E-Discovery and Information Governance National Institute at Stetson’s Tampa Law Center in Tampa, Florida January 23–25, 2013. This National Institute will provide attendees a rare opportunity to sharpen their skills in electronic discovery and digital evidence (EDDE). The curriculum will consist of case studies, a mock 26(f) meet-and-confer, a mock spoliation hearing, and panel discussions with luminaries in the field.

The faculty, consisting of judges, legal practitioners, technologists, and forensics experts will:

  • Present information on the current thought on the handling of electronically stored information (ESI), including descriptions and interpretations of judicial decisions
  • Analyze recent judicial decisions on the production of ESI and the key rules from the Federal Rules of Civil Procedure that impact e-discovery
  • Provide invaluable insights on how best to prepare their technical staff and information systems to respond to requests for ESI
  • Cover ESI issues for a variety of business sectors including the HIPAA HITECH requirements that mandate an enhanced standard of care for the parties producing and receiving electronic health records (EHR)
  • Describe how new search technologies will lead to cost efficient, yet defensible, automated production of relevant ESI
  • Examine the e-discovery implications of the increasing use of encryption, social media, and data stored in the cloud Attendees will walk away with an understanding of how the handling of ESI has evolved and will present a hopeful prognosis that expected improvements will provide cost efficient, but defensible, management of ESI.

Attendees will walk away with an understanding of how the handling of ESI has evolved and will present a hopeful prognosis that expected improvements will provide cost efficient, but defensible, management of ESI.

This unique blend of faculty, case studies, analysis of judicial decisions, clear explanation of where technology is and where it is going, and informative yet entertaining mock hearings presented in a two-day package offer an experience matched by no other conference. This is a one-of-a-kind program you will not want to miss.

The Wrap-Around Slap-Around for Primary Care Centers

McBrayer NEW logo 1-10-13

For Kentucky Primary Care Centers (“PCCs”), Rural Health Centers (“RHCs”), and Federally Qualified Health Centers (“FQHCs”), getting the run-around from Medicaid on wrap-around payments is not so unusual.  Frequently, these providers complain that supplemental payments distributed by the Kentucky Department for Medicaid Services’ (“Medicaid”) are too low, too late or both.

Last week the situation got worse for PCCs who received a slap in the face from Medicaid in the form of a letter declaring that PCCs who do not carry a federal designation as a rural health care provider, will no longer receive Medicaid wrap-around payments as of February 1, 2013.

  • The History

The establishment of FQHCs and RHCs was precipitated by the need for primary health care services in rural areas.  In addition to other requirements, these providers must be located in an area that has been designated as medically underserved (“MUA”) or having a shortage of health care professionals (“HPSA”).  To encourage providers to serve patients in these areas, federal law provides that these services are reimbursed using a prospective payment system (“PPS”), which is determined separately for each individual FQHC or RHC, calculated on a per-visit cost basis, and does not include any adjustment factors other than a growth rate to account for inflation and a change in the scope of services furnished during that fiscal year.

Years ago, Kentucky established an additional type of licensed health provider, the PCC, which often looks like a RHC in its service delivery model but is not located in a MUA or HPSA and therefore not eligible for certification as a RHC or FQHC.  For payment purposes, Medicaid has always treated PCCs like RHCs and FQHCs—using a PPS rate.  State Plan Amendments filed by Medicaid and approved by CMS clearly document Kentucky’s decision to reimburse PCCs using the same methodology that is used for FQHCs and RHCs.  Importantly, PCCs have always been a creature of Kentucky, not federal, law.

  • The Wrap-Around

In November 2011, Medicaid began contracting with Managed Care Organizations (“MCOs”) to provide coverage to Kentucky’s Medicaid population. These MCOs reimburse FQHCs and RHCs for their services not on a PPS rate basis but in accordance with their individual fee schedules.  The wrap-around payment was introduced by The Balanced Budget Act of 1997 when the law: (1) relieved MCOs of the responsibility to pay FQHCs and RHCs their cost-based rate and instead required the MCOs to pay these providers “not less” than they would pay non-PPS reimbursed providers for the same medical services, and (2) required that PPS-reimbursed providers were compensated by Medicaid the difference between the amount paid by the MCO and the facility’s PPS rate.  As a result, State Medicaid Programs are required to make  “wrap-around payments” at least every four months.

Because Medicaid pays wrap-around payments for PPS reimbursed providers, and PCCs are paid using the same PPS methodology as FQHCs and RHCs, Medicaid distributes wrap-around payments to FQHCs, RHCs, and PCCs.

  • The Slap-Around

Medicaid is funded with state and federal dollars and apparently, as stated in last week’s letter to providers, which can be accessed via this link (20130109152243687), CMS has drawn a line and is requiring the Kentucky’s Medicaid cut-off wrap-around payments for Kentucky PCCs.  This means that unless a PPS-reimbursed primary care provider has a federal designation as a MUA or HPSA and is certified as a RHC or FQHC, it will only receive reimbursement from the MCOs.  In other words, as of February 1, 2013, PPCs’ PPS rates will no longer be recognized as a basis for supplemental payments from Medicaid.

  • What Next?

This blow leaves the owner/operators of PCCs shaking their heads—especially in light of the astounding costs expended to establish and defend a viable PPS rate that is soon to be meaningless.  What’s more, Medicaid’s helping hand is nowhere to be found.

This conundrum requires fast and creative action which could include: seeking an injunction in Franklin Circuit Court to stop Medicaid from acting in violation of Kentucky law and basic due process; collaborating with another provider that is located in an area designated as a MUA or HPSA or is already certified as a RHC; or corporate restructuring to become a non-profit with a community-board that is eligible to become a FQHC, to name a few.   There is no simple solution.  For PCCs, this is much more than the usual wrap-around run-around.

© 2013 by McBrayer, McGinnis, Leslie & Kirkland, PLLC

9th Annual Clean Tech Investor Summit – February 6-7, 2013

The National Law Review is pleased to bring you information about the upcoming 9th Annual Clean Tech Investor Summit:

The Clean-Tech Investor Summit chaired by Technology Partners’ Ira Ehrenpreis and produced by International Business Forum, is the premier clean-tech investment and innovation summit of the year. Held each winter in Palm Springs, CA, at the Renaissance Esmeralda Resort & Spa, the event brings together leading investors, Fortune 500 executives, entrepreneurs, and service providers for two days of high-level presentations, conversations, and networking. Hosting a national audience at this destination location has fostered the optimal networking experience.  General registration is $1,995, but National Law Review readers can use discount code CTNLR and pay only $1,495!

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by