HHS

Futures in Doubt of CMS’ New Mandatory Bundled Payment Models and Medicare Shared Savings Program Track 1+

Posted by Chris Raphaely on December 23, 2016
CMS

Word spread quickly Monday (December 20, 2016) about CMS’ issuance of final regulations (to be published in the Federal Register on January 3, 2017) rolling out new mandatory bundled payment models for Acute Myocardial Infarction (AMI), Coronary Artery Bypass Graft (CABG), Surgical Hip and Fracture Treatment (SHFFT), a Cardiac Rehabilitation (CR) incentive model and Track 1+ Accountable Care Organizations. Speculation that President-elect Donald Trump’s nominee for HHS secretary, Rep. Tom Price, would move to roll the regulations back spread just as quickly.

The new regulations mandate bundled payment models (covering the period from admission to ninety days post-discharge) for AMI and CABG in 98 geographies covering 1,120 hospitals; for SHFFT in the 67 geographies where the Comprehensive Joint Replacement (CJR) model has already been mandated, covering 850 hospitals; and for CR in 90 geographies covering 1,320 hospitals. CMS’ chart of geographies covered by each program is set forth here. The AMI, CABG and SHFFT programs give participant clinicians the opportunity to be excluded from the Medicare and CHIP Reauthorization Act of 2015’s (MACRA) Medicare Incentive Payment System (MIPS) and to qualify under MACRA’s Advanced Alternative Payment Model (AAPM).


CMS Hears and Responds to Physician Feedback Regarding MACRA

Posted by J. Nicole Martin on September 09, 2016
Accountable Care Organizations, CMS, HHS, Medicare

On September 8, 2016, CMS announced in its blog that it will allow physicians to select their level of participation for the first performance year of the Medicare Access and CHIP Reauthorization Act of 2015 (“MACRA”) Quality Payment Program, which begins January 1, 2017. Importantly, during the first performance year (2017), “[c]hoosing one of these options would ensure [physicians] do not receive a negative payment adjustment” under MACRA in 2019.

Under the Quality Payment Program, physicians will fall under the Merit-Based Incentive Payment System (“MIPS”) if they do not qualify under the Advanced Alternative Payment Model (“Advanced APM”) option. In 2019, physicians who are in the MIPS default option could face Medicare rate adjustments of up to 5% based on their performance under four weighted performance categories: quality (50%); resource use (10%); advancing care information (25%); and clinical practice improvement (15%). Advanced APMs include, for example, Track 2 and 3 MSSP ACOs, next generation ACOs and bundled payment models. Physicians who qualify under the Advanced APM option earn a 5% incentive, are excluded from MIPS adjustments and receive higher fee schedule updates after 2024.

Recognizing that many physicians may face negative payment adjustments under MIPS as a result of participating under the Quality Payment Program, CMS is going to allow eligible physicians to “pick their pace of participation” and ensure they do not receive such negative payment adjustments in 2019 by choosing one of four options for the first performance year:

  1. Test the Quality Payment Program;
  2. Participate for part of the calendar year;
  3. Participate for the full calendar year; or
  4. Participate in an Advanced APM in 2017.

The first three options fall under MIPS, while the fourth option falls under the Advanced APM. In the first option, physicians could “submit some data to the Quality Payment Program”, avoid negative payment adjustments and test the waters before broader participation in subsequent years. Under option two, the performance year could begin later than January 1, 2017, a physician practice “could qualify for a small positive payment adjustment”, and a physician would submit Quality Payment Program information for fewer days. The third option is ideal for those physician practices that are ready to participate beginning January 1, 2017 and that are able to submit a full year of quality data. Additionally, those physicians “could qualify for a modest positive payment adjustment.” The fourth option would be viable for those physicians or physician groups who treat enough Medicare beneficiaries and who receive enough of their Medicare payments through an Advanced APM (e.g., MSSP ACOs). Through the Advanced APM option, physicians/physician groups would “qualify for a 5 percent payment in 2019.” It remains unclear what the difference is between a “small” and a “modest” payment adjustment. However, CMS may address this in the final rule, along with how it will implement MIPS and the Advanced APM. CMS will release the final rule by November 1, 2016.

For more information about MACRA, contact Chris Raphaely, Nicole Martin or a member of Cozen O’Connor’s Health Law team.


OCR Announces New HIPAA Guidance on Ransomware

Posted by Gregory M. Fliszar on July 13, 2016
HHS, OCR

In response to the increasing prevalence of ransomware cyber-attacks by hackers on electronic health information systems in hospitals and medical practices, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced on Monday, July 11, 2016 its publication of new HIPAA guidance on ransomware (“Ransomware Guidance”). According to OCR:

Ransomware is a type of malware (or malicious software) that encrypts data with a key known only to the hacker and makes the data inaccessible to authorized users. After the data is encrypted, the hacker demands that authorized users pay a ransom (usually in a cryptocurrency such as Bitcoin to maintain anonymity) in order to obtain a key to decrypt the data.

Notably, the HIPAA Security Rule already requires implementation of security measures to help covered entities and business associates prevent the introduction of malware (e.g., ransomware) into their systems, and to implement policies and procedures to assist in responding to ransomware attacks. The Ransomware Guidance addresses, among other areas, how to implement security measures in order to prevent, mitigate the chances of, or even recover from ransomware attacks. Not surprisingly, conducting a risk analysis (or risk assessment) is at the core of covered entities and business associates implementing security management processes as required by the HIPAA Security Rule. The Ransomware Guidance further notes that maintaining an overall contingency plan, as required by the Security Rule, that includes disaster recovery planning, emergency operations planning and frequent backups of data can also help covered entities and business associates respond to and recover from malware infections, including ransomware attacks.

In addition, the Ransomware Guidance states that ransomware attacks against a covered entity or business associate can be considered a breach under the HIPAA Rules. Specifically, the Ransomware Guidance provides, “[w]hen electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e. unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.” Therefore, unless it can be shown that there is a low probability that the PHI involved in the ransomware attack has been compromised based on the factors in the Breach Notification Rule, a breach is presumed to have occurred, which would trigger the applicable breach notification provisions.

Even before OCR’s publication of the Ransomware Guidance, in late June the Secretary of HHS sent a letter (“Letter”) to the attention of chief executive officers at health care entities addressing the threat of ransomware. The Secretary attached interagency guidance to the Letter containing best practices and mitigation strategies integral to combatting ransomware incidents.

Ransomware is immediately disruptive to the day-to-day operation of businesses, as seen by its impact earlier this year on health care systems like MedStar in Washington, D.C. and Hollywood Presbyterian Medical Center in Los Angeles (“HPMC”), resulting, for example, in HPMC paying 40 Bitcoins (approximately $17,000) to regain control of its computer system. Although the Ransomware Guidance does not address whether a ransom should be paid to regain access to computer systems, the interagency guidance attached to the Letter advises against paying hackers because, among other reasons, paying a ransom does not guarantee that an entity will regain access to its system. The Ransomware Guidance does recommend that an entity victimized by a ransomware attack contact its local FBI or United States Secret Service field office.

For more information about the Ransomware Guidance contact Gregory M. Fliszar, Ryan Blaney, J. Nicole Martin or a member of Cozen O’Connor’s Health Law team.


Heads-up! HIPAA Phase Two Audits Begin – Business Associates Included!

Posted by Gregory M. Fliszar on March 22, 2016
HHS, OCR

The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) finally announced on March 21 that it is ready to begin Phase Two of its HIPAA audit program, which will include business associates. These audits, mandated by HITECH, will consist primarily of desk audits, scheduled for completion by the end of December 2016, followed by onsite audits.

OCR explained it will immediately commence Phase Two by verifying, via email, covered entities’ and business associates’ contact information. OCR is requesting timely responses so that it can send out pre-audit questionnaires to gather data from covered entities and business associates for the creation of potential audit subject pools. The data will relate to the entities’ size, type and operations. Should covered entities and business associates fail to respond to OCR’s requests, they may still be part of OCR’s potential subject pools, because OCR plans to compile publicly available information about covered entities and business associates that do not respond to its requests.

The first round of desk audits will focus on covered entities, and the second round will focus on business associates. The third round will be onsite audits, with a greater focus on the HIPAA requirements. OCR explains that some covered entities and business associates who are subject to desk audits may also be subject to onsite audits. According to OCR, all covered entities and business associates are eligible to be audited. The audits will focus on identifying compliance with specific privacy and security requirements under HIPAA/HITECH, and OCR will notify auditees by letter regarding the subject(s) of their specific audits. On the HHS website, OCR provides a sample letter for review. Following the audits, OCR will review and analyze information from the audit final reports.

Importantly, if an audit report uncovers significant noncompliance with HIPAA, it could prompt an investigation by OCR. The areas of interest for OCR in Phase Two will become clearer as the Phase Two audit program gets underway, but for now, we know OCR will focus on assessing covered entities’ and business associates’ HIPAA compliance, identifying best practices and discovering risks and vulnerabilities.

More information about the Phase Two audits is available here, and you can also contact Greg Fliszar, Ryan Blaney, J. Nicole Martin or another member of Cozen O’Connor’s Health Law team.


OCR Announces Two Significant HIPAA Breach Settlements

Posted by Gregory M. Fliszar on March 21, 2016
HHS, OCR

On consecutive days, the Office of Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) recently announced two large HIPAA breach settlements. On March 16, 2016, OCR announced that it entered into a Resolution Agreement with North Memorial Health Care of Minnesota for $1.55 million plus a two-year corrective action plan. On March 17, 2016, OCR followed by announcing that Feinstein Institute for Medical Research, a New York biomedical research institute, agreed to pay OCR $3.9 million and enter into a three-year corrective action plan to settle potential HIPAA violations. Both cases resulted from the all too familiar scenario of breaches caused by stolen, unencrypted laptops.

In the Minnesota hospital breach, the unencrypted laptop containing the PHI of over 9,000 individuals was stolen from the locked car of an employee of a business associate of the hospital. According to the OCR’s investigation, the hospital failed to have a business associate agreement in place with that particular business associate. OCR also alleged that the hospital had not previously performed a risk analysis to identify and address potential risks and vulnerabilities to the ePHI it maintained, accessed or transmitted.

In the New York research corporation breach, OCR alleged that the institution did not have policies and procedures in place, including a policy on encryption and one that addressed use and access of electronic devices (e.g., the removal of the devices from the institution’s facility), nor did it have in place a security management process that sufficiently addressed potential security risks and vulnerabilities to ePHI, namely, its confidentiality, vulnerability or integrity. Notably, the stolen, unencrypted laptop contained the PHI of approximately 13,000 individuals.

As noted above, both OCR settlements also include multi-year corrective action plans requiring the hospital and the research institute to conduct risk analyses/assessments, train their employees, and have HIPAA-compliant policies and procedures in place. The Resolution Agreement for the Minnesota hospital breach is available here, and the Resolution Agreement for the New York research institute breach is available here.

Takeaways: OCR’s 2016 breach enforcement is off to a very strong start with two high-dollar settlements. Lessons learned from both breaches include the significance of encrypting electronic devices; conducting and regularly updating security risk assessments and analyses; having adequate safeguards in place to protect PHI; having business associate agreements with all business associates; and having and implementing HIPAA policies and procedures to protect the security and privacy of PHI, including, for example, policies related to encryption, authorized access to ePHI/PHI, and removal of electronic devices from facilities.

For more information, contact Greg Fliszar, J. Nicole Martin, or a member of Cozen O’Connor’s Health Law team.


ALJ Rules Against FTC in LabMD Data Security Action: Sets High Bar for Proving Consumer Harm

Posted by J. Nicole Martin on November 20, 2015
Federal Trade Commission, FTC, HIPAA

Last June we wrote about the FTC’s enforcement action against LabMD, a medical testing laboratory, which was forced to wind down its business because of the costs associated with challenging the FTC since 2013. Using its broad enforcement authority under Section 5 of the FTC Act, the FTC alleged that LabMD failed to “provide reasonable and appropriate security for personal information on its computer networks,” which the FTC claimed led to the data of thousands of consumers being leaked.

On November 13, 2015, Chief Administrative Law Judge D. Michael Chappell ruled in favor of LabMD, dismissing the FTC’s complaint because the FTC “fail[ed] to prove that [LabMD’s] alleged unreasonable data security caused, or is likely to cause, substantial consumer injury, as required by Section 5(n) of the FTC Act, [LabMD’s] alleged unreasonable data security cannot properly be declared an unfair act or practice in violation of Section 5(a) of the FTC Act.” Notably, Judge Chappell concluded that …


Third Circuit Invalidates HHS’ Medicare Wage Index Reclassification Rule

Posted by Robert A. Chu on August 04, 2015
HHS, Hospital, Medicare

On July 23, 2015, the Third Circuit invalidated, as being contrary to the Medicare statute, the U.S. Department of Health and Human Services’ (HHS) Medicare wage index “reclassification rule,” 42 C.F.R. § 412.230(a)(5)(iii). That rule was designed to prevent (and did prevent) urban hospitals that had strategically reclassified as rural from being reclassified again (based on their newly acquired rural status) to a particular urban area, in order to benefit from a higher Medicare standardized amount and wage index.

In Geisinger Community Medical Center v. Secretary United States Department of Health and Human Services, the hospital first reclassified, successfully, as a Section 401 hospital (i.e., an urban hospital that elects to be treated as rural). It then sought to reclassify, based on its newly acquired rural status, to the Allentown urban wage index area. The hospital estimated that such a reclassification would increase its Medicare reimbursements by approximately $2.6 million per year. The Allentown urban area is 27 miles from the hospital. To be reclassified to that area, the hospital had to rely on the relaxed 35-mile maximum distance applicable to rural hospitals; it would not qualify under the 15-mile maximum distance applicable to urban hospitals. The reclassification rule, however, prohibited Section 401 hospitals from reclassifying based on their acquired rural status.

The Third Circuit panel majority, under a Chevron Step One analysis, agreed with the hospital that HHS’ reclassification rule is unlawful. It specifically held that the statutory text of Section 401 unambiguously requires HHS, through broad and mandatory language, to treat Section 401 hospitals like hospitals that are actually located in rural areas. The reclassification rule, therefore, unlawfully prevented the Section 401 hospital from being considered as a rural hospital in its application to reclassify to a different wage index area.


OCR Announces Another HIPAA Settlement and Warns Not to Forget About Paper Records

Posted by Gregory M. Fliszar on May 04, 2015
HHS, HIPAA, OCR

On April 27, 2015, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that Cornell Prescription Pharmacy (“Cornell Pharmacy”) had entered into a resolution agreement to settle, without an admission of liability or wrongdoing, potential HIPAA violations. As part of the resolution agreement Cornell Pharmacy will pay $125,000 and enter into a two-year corrective action plan (“CAP”) focused on correcting the alleged deficiencies in its HIPAA compliance program.

Cornell Pharmacy is a small, single-store pharmacy located in Denver, Colorado that specializes in compound medications and in providing services for local hospice agencies. OCR began an investigation into the pharmacy after it received a media report from a Denver news agency that protected health information (“PHI”) belonging to Cornell Pharmacy was apparently disposed of and found in an unlocked, publicly accessible dumpster. The documents were not shredded and contained the PHI of approximately 1,610 of Cornell Pharmacy’s patients. After conducting its investigation, OCR concluded that Cornell Pharmacy failed to implement any written policies and procedures as required by HIPAA’s Privacy Rule, and further failed to provide training on the Privacy Rule to its workforce members.

This settlement is instructive, as OCR again highlights the importance of having updated and comprehensive HIPAA policies and procedures in place, including policies on the proper disposal of PHI, and of training all staff on those policies and procedures. Further, in this year of massive cyber-attacks and other breaches of electronic data, this HIPAA settlement serves to remind covered entities and business associates not to forget about protecting their paper records as well. As stated by OCR in its press release, “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.” As discovered by Cornell Pharmacy, a breach or other improper disclosure of paper PHI can also result in significant consequences.

For further information please contact the author, Gregory M. Fliszar (Philadelphia, PA), or other members of Cozen O’Connor’s healthcare team.


HHS Ups The Ante: Announces Percentages And Time Frames On Goals For Medicare Pay-For-Value Efforts

Posted by Chris Raphaely on January 27, 2015
Accountable Care Organizations, Affordable Care Act, CMS, HHS, Medicaid, Medicare

On January 26, 2015, the Secretary of the United States Department of Health and Human Services (“HHS”), Sylvia Mathews Burwell, announced two important goals for the Department:

  1. Increase the percentage of Medicare provider payments that are made through alternative payment models based on how well the providers care for patients, rather than the amount of care provided. The percentage goals for these alternative payment models are 30% by 2016 and 50% by 2018.
  2. Tie virtually all Medicare fee-for-service payments (85% in 2016 and 90% in 2018) to quality and value.

This announcement puts hard numbers on the goal of moving away from traditional fee-for-service Medicare payments, a goal that has been stated in general terms since at least 2010, when the Affordable Care Act was enacted. By clearly delineating specific figures for alternative payment models, such as accountable care organizations and bundled payment arrangements, from the figures for other payment methods, HHS has made it clear that providers should be thinking not just about different forms of payment but about different forms of organizations and relationships with other providers. Alternative payment models generally require coordination among different types of providers who may not otherwise be related to each other.

While the announced goals focus on the Medicare fee-for-service system, it is clear that HHS intends the impact of these goals to be far broader. Ms. Burwell also announced the creation of a Health Care Payment Learning and Action Network to facilitate a public-private sector partnership to “continue to build on our work with state Medicaid agencies, private payers, employers, consumers and other partners,” while welcoming the fact that “our partners in the private sector have the opportunity to be even more aggressive” in establishing alternative payment models and pay-for-value compensation systems. On the same day as Ms. Burwell’s announcement, the Centers for Medicare and Medicaid Services released a fact sheet stating that it is taking action with a goal to spend “our health dollars” more wisely, citing the importance of the goal for patients, families, providers, taxpayers, employers, states and insurance companies, and making it clear that HHS and CMS fully intend their efforts to transform health care delivery and payment systems to reverberate well beyond the Medicare program.


OIG’s New Work Plan Focuses on the Security of Health Information

Posted by Gregory M. Fliszar on December 04, 2014
CMS, HHS, HIPAA, OIG

On October 31, 2014, the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) released its Work Plan for fiscal year (FY) 2015. The Work Plan summarizes “new and ongoing reviews of activities that OIG plans to pursue with respect to HHS programs and operations during the current fiscal year and beyond.” In the Work Plan, OIG identified several areas related to HIPAA and/or information technology that it will examine and address during FY 2015.

As a new addition to the Work Plan, OIG will determine the extent to which hospitals comply with the contingency requirements of HIPAA. HIPAA’s Security Rule requires covered entities and their business associates to have in place a contingency plan that establishes policies and procedures for responding to an emergency or other event (for example, natural disasters, system failures or terrorism) that damages systems containing electronic protected health information (ePHI). These policies and procedures must, at a minimum, include data backup plans, data recovery plans and plans to continue to protect the security of ePHI while operating in emergency operations mode. In the Work Plan, OIG advises that it will compare contingency plans used by hospitals with government- and industry-recommended practices.

As part of the Work Plan, OIG will continue to examine whether the Centers for Medicare & Medicaid Services’ (CMS) oversight of hospitals’ security controls over networked medical devices is sufficient to protect ePHI. OIG noted that computerized medical devices such as dialysis machines, radiology systems and medication dispensing systems that use hardware, software and networks to monitor a patient’s condition and transmit and/or receive data using wired or wireless communications pose a growing threat to the security and privacy of personal health information.

OIG also plans to continue to perform audits of covered entities receiving incentive payments for the use of electronic health records (EHRs) and their business associates (including cloud providers) to determine whether they are adequately protecting ePHI created or maintained by certified EHR technology. In addition, OIG will review the adequacy of CMS’ oversight of states’ Medicaid system and information controls. Prior OIG audits found that states often fail to have adequate security features in place, potentially exposing Medicaid beneficiary information to unauthorized access.

As to future endeavors, the Work Plan stated that other areas under consideration for new work include the security of electronic data, the use and exchange of health information technology, and emergency preparedness and response efforts. In addition, OIG advises that in FY 2015 and beyond, it will continue to focus on IT systems security vulnerabilities in health care reform programs such as health insurance marketplaces.
