OIG

The “Other” Safe Harbor: OIG Warns Healthcare Providers and Vendors Against Information Blocking and Federal Anti-Kickback Violations

For those of us who work in the privacy and security space, this past week has been a whirlwind, with the focus on the ramifications of the European Court of Justice (ECJ) decision invalidating the EU-U.S. Safe Harbor Agreement. Much has been written on the EU-U.S. Safe Harbor Agreement and much more will be written in the coming weeks. See the recent post on Cozen O’Connor’s Cyber Law Monitor blog, The End of Safe Harbor – What Does it Mean? However, the ECJ decision was not the only news on safe harbor last week. The U.S. Department of Health and Human Services, Office of Inspector General (“OIG”) issued its thoughts on data arrangements and safe harbor, albeit a much different safe harbor than the EU-U.S. Safe Harbor Agreement. Healthcare providers and health IT vendors should pay close attention to OIG’s Alert. See October 6, 2015 OIG Alert.

OIG issued the Alert during National Health IT Week and described it as a “Policy Reminder” on Information Blocking and the Federal Anti-Kickback Statute (42 U.S.C. § 1320a-7b(b)). The Federal Anti-Kickback Statute prohibits individuals and entities from knowingly and willfully offering, paying, soliciting, or receiving remuneration to induce or reward referrals of business reimbursable under any Federal health care program (“FHCP”). The Alert addresses a growing trend in the industry: arrangements involving the provision of software or information technology to a referral source. Although there is a safe harbor for electronic health records (“EHR”) arrangements, an arrangement “must fit squarely in all safe harbor conditions to be protected.” 42 CFR § 1001.952(y).

In its alert, OIG focused on the parameters of the safe harbor exception that allows donors to enter into a wide variety of arrangements involving EHR software, IT, and training services, provided there are no restrictions to the use, compatibility, or interoperability of donated items or services.  42 CFR § 1001.952(y)(3).  OIG provided guidance on this issue in 2013, explicitly stating that if the interoperability of an item or service is restricted by the donor or anyone acting on the donor’s behalf, including the recipient, then the donation violates the exemption and thus will be actionable under the Federal anti-kickback statute.

OIG’s Alert highlights practices outlined in its 2013 guidance that would be actionable under the Federal anti-kickback statute. For example, an agreement between a donor and a recipient to limit a competitor from interfacing with the donated items or services would be actionable. Even an agreement between a donor and an EHR technology vendor to charge non-recipient providers, non-recipient suppliers, or competitors high fees may be actionable.

OIG also provided an open invitation to whistleblowers to report fraud by urging persons with knowledge of violations of the safe harbor to be vigilant in reporting potential violations to their office.  Violations will occur when donors engage in information blocking, which refers to practices that unreasonably block the sharing of electronic health information (EHI).  OIG provided three criteria in a 2015 report for identifying practices that qualify as information blocking:

  1. Interference with the ability of authorized people to access, exchange, or otherwise use EHI.
  2. Knowledge, actual or expected under the circumstances, that the practice will be considered information blocking.
  3. No reasonable justification for limiting sharing of EHI.

If all three criteria are met, then the practice in question is considered information blocking.

For more information on this Alert, contact Ryan P. Blaney or any member of Cozen O’Connor’s Health Care team.


OIG’s New Work Plan Focuses on the Security of Health Information

Posted by Gregory M. Fliszar on December 04, 2014
CMS, HHS, HIPAA, OIG

On October 31, 2014, the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) released its Work Plan for fiscal year (FY) 2015. The Work Plan summarizes “new and ongoing reviews of activities that OIG plans to pursue with respect to HHS programs and operations during the current fiscal year and beyond.” In the Work Plan, OIG identified several areas related to HIPAA and/or information technology that it will examine and address during FY 2015.

As a new addition to the Work Plan, OIG will determine the extent to which hospitals comply with the contingency requirements of HIPAA.  HIPAA’s Security Rule requires covered entities and their business associates to have in place a contingency plan that establishes policies and procedures for responding to an emergency or other event (such as, for example, natural disasters, system failures, terrorism) that damages systems containing electronic protected health information (ePHI).  These policies and procedures must, at a minimum, include data backup plans, data recovery plans and plans to continue to protect the security of ePHI while operating in emergency operations mode.  In the Work Plan OIG advises that it will compare contingency plans used by hospitals with government and industry recommended practices. 

As part of the Work Plan, OIG will continue to examine whether the Centers for Medicare & Medicaid Services’ (CMS) oversight of hospitals’ security controls over networked medical devices is sufficient to protect ePHI.   The OIG noted that computerized medical devices such as dialysis machines, radiology systems and medication dispensing systems that use hardware, software and networks to monitor a patient’s condition and transmit and/or receive data using wired or wireless communications pose a growing threat to the security and privacy of personal health information. 

OIG also plans to continue to perform audits of covered entities receiving incentive payments for the use of electronic health records (EHRs) and their business associates (including cloud providers) to determine whether they are adequately protecting ePHI created or maintained by certified EHR technology.  In addition, OIG will review the adequacy of CMS’ oversight of states’ Medicaid system and information controls.  Prior OIG audits found that states often fail to have in place adequate security features, potentially exposing Medicaid beneficiary information to unauthorized access.

As to future endeavors, the Work Plan stated that other areas under consideration for new work include the security of electronic data, the use and exchange of health information technology, and emergency preparedness and response efforts.  In addition, OIG advises that in FY 2015 and beyond, it will continue to focus on IT systems security vulnerabilities in health care reform programs such as health insurance marketplaces. 


CMS Announces Program to Fund ACO Growth, Extends Fraud and Abuse Waivers

Posted by Chris Raphaely on October 16, 2014
Accountable Care Organizations, CMS, OIG

The Centers for Medicare & Medicaid Services (“CMS”) announced a new initiative, the ACO Investment Model, on October 15, 2014.  Under the model, ACOs which are made up of “providers [who] lack adequate access to … capital” may receive additional funding from the CMS “to invest in infrastructure necessary to successfully implement population care management.” The eligibility criteria are as follows:

  • The ACO must be accepted into and participate in the Medicare Shared Savings Program. The ACO’s first performance period in the Medicare Shared Savings Program must have started in either 2012, 2013 or 2014 or will start in 2016.
  • The ACO has completely and accurately reported quality measures to the Medicare Shared Savings Program in the most recent performance year, if the ACO started in the Medicare Shared Savings Program in 2012, 2013 or 2014, excluding ACOs that will start in 2016.
  • The ACO has a preliminary prospective beneficiary assignment of 10,000 or fewer beneficiaries for the most recent quarter, as determined in accordance with the Shared Savings Program regulations.
  • The ACO does not include a hospital as an ACO participant or an ACO provider/supplier (as defined by the Shared Savings Program regulations), unless the hospital is a critical access hospital (CAH) or inpatient prospective payment system (IPPS) hospital with 100 or fewer beds.
  • The ACO is not owned or operated in whole or in part by a health plan.
  • The ACO did not participate in the Advance Payment Model.


Ruminations on Observation: OIG Report Highlights Inpatient vs. Observation Status

Posted by Judy Mayer on August 22, 2013
Medicaid

On July 29, 2013, the OIG released a memorandum report finding that Medicare paid more on average for short inpatient stays than for observation stays in 2012.  The report, Hospitals’ Use of Observation Stays and Short Inpatient Stays for Medicare Beneficiaries, OEI-02-12-00040, touches on observation versus inpatient status, which has been and continues to be a hot button issue.

Background

Medicare beneficiaries receiving care at a hospital are classified as either inpatients or observation patients.  Observation patients are outpatients who receive treatments and assessments to determine whether they require further treatment as inpatients or can be discharged.  CMS policy provides that observation services are usually needed for 24 hours or less.


Screen Early, Screen Often: OIG Updates its Advice on How to Avoid Liability for Employing or Contracting with Individuals Excluded from Participation in Federal Health Care Programs

Posted by William P. Conaboy Jr. on June 03, 2013
Fraud and Abuse, Medicaid, Medicare

On May 8, 2013, the Office of Inspector General (“OIG”) of the Department of Health & Human Services issued an updated Special Advisory Bulletin (the “Updated Bulletin”)[1] on the effect of exclusion from participation in Medicare, Medicaid and other Federal health care programs (collectively “FHPs”). The Updated Bulletin, which replaces and supersedes guidance originally provided by OIG in a 1999 Special Advisory Bulletin (the “1999 Bulletin”), details OIG’s broad interpretation of the scope and effect of its exclusion authority under the Civil Monetary Penalties Law (“CMPL”).[2] The Updated Bulletin addresses many of the questions OIG has received about exclusions and purports to convey insight gained from resolving self-disclosure cases since publishing the 1999 Bulletin.
