OIG

The “Other” Safe Harbor: OIG Warns Healthcare Providers and Vendors Against Information Blocking and Federal Anti-Kickback Violations

golden-whistleblower

For those of us who work in the privacy and security space this past week has been a whirlwind with focus on the ramifications of the European Court of Justice (ECJ) decision invalidating the EU-U.S. Safe Harbor Agreement.  Much has been written on the EU-U.S. Safe Harbor Agreement and much more will be written in the coming weeks.  See Cozen O’Connor’s Cyber Law Monitor recent blog post, The End of Safe Harbor – What Does it Mean?   However, the ECJ decision was not the only news on safe harbor last week.  The U.S. Department of Health and Human Services, Office of Inspector General (“OIG”) issued their thoughts on data arrangements and safe harbor, albeit a much different safe harbor than the EU-U.S. Safe Harbor Agreement.  Healthcare providers and health IT vendors should pay close attention to OIG’s Alert.  See October 6, 2015 OIG Alert.

OIG issued the Alert during National Health IT Week and described it as a “Policy Reminder” on Information Blocking and the Federal Anti-Kickback Statute (42 U.S.C. 1320a-7b (b)).  The Federal Anti-Kickback statute prohibits individuals and entities from knowingly and willfully offering, paying, soliciting, or receiving remuneration to induce or reward referrals of business reimbursable under any Federal health care program (“FHCP”).  The Alert addresses a growing trend in the industry, arrangements involving the provision of software or information technology to a referral source.  Although there is a safe harbor for electronic health records (“EHR”) arrangements it “must fit squarely in all safe harbor conditions to be protected.” 42 CFR § 1001.952(y).

In its alert, OIG focused on the parameters of the safe harbor exception that allows donors to enter into a wide variety of arrangements involving EHR software, IT, and training services, provided there are no restrictions to the use, compatibility, or interoperability of donated items or services.  42 CFR § 1001.952(y)(3).  OIG provided guidance on this issue in 2013, explicitly stating that if the interoperability of an item or service is restricted by the donor or anyone acting on the donor’s behalf, including the recipient, then the donation violates the exemption and thus will be actionable under the Federal anti-kickback statute.

OIG’s Alert highlights practices outlined in its 2013 guidance that would be actionable under the Federal anti-kickback statute.  For example, an agreement between a donor and a recipient to limit a competitor from interfacing with the donated items or services would be actionable.  Even an agreement between a donor and an EHR technology vendor to charge non-recipient providers, non-recipient suppliers, or competitors’ high fees may be actionable.

OIG also provided an open invitation to whistleblowers to report fraud by urging persons with knowledge of violations of the safe harbor to be vigilant in reporting potential violations to their office.  Violations will occur when donors engage in information blocking, which refers to practices that unreasonably block the sharing of electronic health information (EHI).  OIG provided three criteria in a 2015 report for identifying practices that qualify as information blocking:

  1. Interference with the ability of authorized people to access, exchange, or otherwise use EHI.
  2. Knowledge, actual or expected under the circumstances, that the practice will be considered information blocking.
  3. No reasonable justification for limiting sharing of EHI.

If all three criteria are met, then the practice in question is considered information blocking.

For more information on this Alert, contact Ryan P. Blaney or any member of Cozen O’Connor’s Health Care team.

Ryan Blaney

Ryan Blaney

Ryan Blaney joined Cozen O'Connor as a member of the firm's Health Law group. Ryan practices in the firm's Washington, D.C., office. He focuses his practice on representing clients in the health care and life sciences industries in a wide range of matters, including health care fraud and abuse, civil and criminal government investigations, qui tam and whistle-blower disputes under the False Claims Act and other federal and state laws and regulations, HIPAA privacy and data security, compliance and transactional services, and antitrust matters.

More Posts - Website

Tags: , , , , ,

OIG’s New Work Plan Focuses on the Security of Health Information

Posted by Gregory M. Fliszar on December 04, 2014
CMS, HHS, HIPAA, OIG / No Comments

On October 31, 2014, The U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) released its Work Plan for fiscal year (FY) 2015.  The Work Plan summarizes “new and ongoing reviews of activities that OIG plans to pursue with respect to HHS programs and operations during the current fiscal year and beyond.”  In the Work Plan OIG identified several areas related to HIPAA and/or information technology that it will examine and address during FY 2015.

As a new addition to the Work Plan, OIG will determine the extent to which hospitals comply with the contingency requirements of HIPAA.  HIPAA’s Security Rule requires covered entities and their business associates to have in place a contingency plan that establishes policies and procedures for responding to an emergency or other event (such as, for example, natural disasters, system failures, terrorism) that damages systems containing electronic protected health information (ePHI).  These policies and procedures must, at a minimum, include data backup plans, data recovery plans and plans to continue to protect the security of ePHI while operating in emergency operations mode.  In the Work Plan OIG advises that it will compare contingency plans used by hospitals with government and industry recommended practices. 

As part of the Work Plan, OIG will continue to examine whether the Centers for Medicare & Medicaid Services’ (CMS) oversight of hospitals’ security controls over networked medical devices is sufficient to protect ePHI.   The OIG noted that computerized medical devices such as dialysis machines, radiology systems and medication dispensing systems that use hardware, software and networks to monitor a patient’s condition and transmit and/or receive data using wired or wireless communications pose a growing threat to the security and privacy of personal health information. 

OIG also plans to continue to perform audits of covered entities receiving incentive payments for the use of electronic health records (EHRs) and their business associates (including cloud providers) to determine whether they are adequately protecting ePHI created or maintained by certified EHR technology.  In addition, OIG will review the adequacy of CMS’ oversight of states’ Medicaid system and information controls.  Prior OIG audits found that states often fail to have in place adequate security features, potentially exposing Medicaid beneficiary information to unauthorized access.

As to future endeavors, the Work Plan stated that other areas under consideration for new work include the security of electronic data, the use and exchange of health information technology, and emergency preparedness and response efforts.  In addition, OIG advises that in FY 2015 and beyond, it will continue to focus on IT systems security vulnerabilities in health care reform programs such as health insurance marketplaces. 

Gregory M. Fliszar

Gregory M. Fliszar

Greg Fliszar is member in the firm’s Health Law Group. Greg’s practice focuses on health law litigation and regulatory and compliance matters, as well as compliance with the Medicare Secondary Payer Act and HIPAA. Greg is also a licensed doctoral level clinical psychologist and was a clinical instructor of psychiatry at the MCP-Hahnemann School of Medicine.

More Posts - Website

Tags: , , , , , , , , , , , , ,

CMS Announces Program to Fund ACO Growth, Extends Fraud and Abuse Waivers

Posted by Chris Raphaely on October 16, 2014
Accountable Care Organizations, CMS, OIG / No Comments

The Centers for Medicare & Medicaid Services (“CMS”) announced a new initiative, the ACO Investment Model, on October 15, 2014.  Under the model, ACOs which are made up of “providers [who] lack adequate access to … capital” may receive additional funding from the CMS “to invest in infrastructure necessary to successfully implement population care management.” The eligibility criteria are as follows:

  • The ACO must be accepted into and participate in the Medicare Shared Savings Program. The ACO’s first performance period in the Medicare Shared Savings Program must have started in either 2012, 2013 or 2014 or will start in 2016.
  • The ACO has completely and accurately reported quality measures to the Medicare Shared Savings Program in the most recent performance year, if the ACO started in the Medicare Shared Savings Program in 2012, 2013 or 2014, excluding ACOs that will start in 2016.  The ACO has a preliminary prospective beneficiary assignment of 10,000 or fewer beneficiaries for the most recent quarter, as determined in accordance with the Shared Savings Program regulations.
  • The ACO does not include a hospital as an ACO participant or an ACO provider/supplier (as defined by the Shared Savings Program regulations), unless the hospital is a critical access hospital (CAH) or inpatient prospective payment system (IPPS) hospital with 100 or fewer beds.
  •  The ACO is not owned or operated in whole or in part by a health plan.
  •  The ACO did not participate in the Advance Payment Model.

Continue reading…

Chris Raphaely

Chris Raphaely

R. Christopher Raphaely joined Cozen O'Connor's Philadelphia office in 2014 as co-chair of the Health Care Practice Group. Chris joins the firm from Jefferson Health System, where he served as deputy general counsel and general counsel to the system’s accountable care organization and captive professional liability insurance companies.

More Posts

Tags: , , , ,

Ruminations on Observation: OIG Report Highlights Inpatient vs. Observation Status

Posted by Judy Mayer on August 22, 2013
Medicaid / No Comments

On July 29, 2013, the OIG released a memorandum report finding that Medicare paid more on average for short inpatient stays than for observation stays in 2012.  The report, Hospitals’ Use of Observation Stays and Short Inpatient Stays for Medicare Beneficiaries, OEI-02-12-00040, touches on observation versus inpatient status, which has been and continues to be a hot button issue.

Background

Medicare beneficiaries receiving care at a hospital are classified as either inpatients or observation patients.  Observation patients are outpatients who receive treatments and assessments to determine whether they require further treatment as inpatients or can be discharged.  CMS policy provides that observation services are usually needed for 24 hours or less.   Continue reading…

Judy Mayer

Judy Mayer

Judy Mayer is an associate in the firm’s Health Law Group. Judy handles a variety of transactional, regulatory and litigation matters, including advising health care providers. She also holds an MBA from Villanova University.

More Posts - Website

Tags: , , ,

Screen Early, Screen Often: OIG Updates its Advice on How to Avoid Liability for Employing or Contracting with Individuals Excluded from Participation in Federal Health Care Programs

Posted by William P. Conaboy Jr. on June 03, 2013
Fraud and Abuse, Medicaid, Medicare / No Comments

On May 8, 2013, the Office of Inspector General (“OIG”) of the Department of Health & Human Services issued an updated Special Advisory Bulletin (the “Updated Bulletin”)[1]  on the effect of exclusion from participation in Medicare, Medicaid and other Federal health care programs (collectively “FHPs).  The Updated Bulletin, which replaces and supersedes guidance originally provided by OIG in a 1999 Special Advisory Bulletin (the “1999 Bulletin”), details OIG’s broad interpretation of the scope and effect of its exclusion authority under the Civil Monetary Penalties Law (“CMPL”).[2]  The Updated Bulletin addresses many of the questions OIG has received about exclusions and purports to convey insight gained from resolving self-disclosure cases since publishing the 1999 Bulletin. Continue reading…

William P. Conaboy Jr.

William P. Conaboy Jr.

Bill Conaboy is an associate in the firm’s Healthcare Law Group. Prior to working with the firm Bill earned a Doctor of Pharmacy degree (Pharm D), and is currently a licensed pharmacist and attorney in both Pennsylvania and New Jersey. Bill focuses on regulatory and litigation matters related to many areas of healthcare law.

More Posts - Website

Follow Me:
TwitterLinkedIn

Tags: , ,