ALJ Rules Against FTC in LabMD Data Security Action: Sets High Bar for Proving Consumer Harm

Posted by Health Law Informer Author on November 20, 2015
Federal Trade Commission, FTC, HIPAA

Last June we wrote about the FTC’s enforcement action against LabMD, a medical testing laboratory, which was forced to wind down its business because of the costs associated with challenging the FTC since 2013. Using its broad enforcement authority under Section 5 of the FTC Act, the FTC alleged that LabMD failed to “provide reasonable and appropriate security for personal information on its computer networks,” which the FTC claimed led to the data of thousands of consumers being leaked.

On November 13, 2015, Chief Administrative Law Judge D. Michael Chappell ruled in favor of LabMD, dismissing the FTC’s complaint because the FTC “fail[ed] to prove that [LabMD’s] alleged unreasonable data security caused, or is likely to cause, substantial consumer injury, as required by Section 5(n) of the FTC Act, [LabMD’s] alleged unreasonable data security cannot properly be declared an unfair act or practice in violation of Section 5(a) of the FTC Act.” Notably, Judge Chappell concluded that Continue reading…


The “Other” Safe Harbor: OIG Warns Healthcare Providers and Vendors Against Information Blocking and Federal Anti-Kickback Violations

Posted by Health Law Informer Author on October 15, 2015
Anti-Kickback, False Claims Act, Healthcare, Medicaid, Medical Assistance, Medicare, OIG, Whistleblower

For those of us who work in the privacy and security space this past week has been a whirlwind with focus on the ramifications of the European Court of Justice (ECJ) decision invalidating the EU-U.S. Safe Harbor Agreement.  Much has been written on the EU-U.S. Safe Harbor Agreement and much more will be written in the coming weeks.  See Cozen O’Connor’s Cyber Law Monitor recent blog post, The End of Safe Harbor – What Does it Mean?   However, the ECJ decision was not the only news on safe harbor last week.  The U.S. Department of Health and Human Services, Office of Inspector General (“OIG”) issued their thoughts on data arrangements and safe harbor, albeit a much different safe harbor than the EU-U.S. Safe Harbor Agreement.  Healthcare providers and health IT vendors should pay close attention to OIG’s Alert.  See October 6, 2015 OIG Alert.

OIG issued the Alert during National Health IT Week and described it as a “Policy Reminder” on Information Blocking and the Federal Anti-Kickback Statute (42 U.S.C. 1320a-7b (b)).  The Federal Anti-Kickback statute prohibits individuals and entities from knowingly and willfully offering, paying, soliciting, or receiving remuneration to induce or reward referrals of business reimbursable under any Federal health care program (“FHCP”).  The Alert addresses a growing trend in the industry, arrangements involving the provision of software or information technology to a referral source.  Although there is a safe harbor for electronic health records (“EHR”) arrangements it “must fit squarely in all safe harbor conditions to be protected.” 42 CFR § 1001.952(y).

In its alert, OIG focused on the parameters of the safe harbor exception that allows donors to enter into a wide variety of arrangements involving EHR software, IT, and training services, provided there are no restrictions to the use, compatibility, or interoperability of donated items or services.  42 CFR § 1001.952(y)(3).  OIG provided guidance on this issue in 2013, explicitly stating that if the interoperability of an item or service is restricted by the donor or anyone acting on the donor’s behalf, including the recipient, then the donation violates the exemption and thus will be actionable under the Federal anti-kickback statute.

OIG’s Alert highlights practices outlined in its 2013 guidance that would be actionable under the Federal anti-kickback statute.  For example, an agreement between a donor and a recipient to limit a competitor from interfacing with the donated items or services would be actionable.  Even an agreement between a donor and an EHR technology vendor to charge non-recipient providers, non-recipient suppliers, or competitors high fees may be actionable.

OIG also provided an open invitation to whistleblowers to report fraud by urging persons with knowledge of violations of the safe harbor to be vigilant in reporting potential violations to their office.  Violations will occur when donors engage in information blocking, which refers to practices that unreasonably block the sharing of electronic health information (EHI).  OIG provided three criteria in a 2015 report for identifying practices that qualify as information blocking:

  1. Interference with the ability of authorized people to access, exchange, or otherwise use EHI.
  2. Knowledge, actual or expected under the circumstances, that the practice will be considered information blocking.
  3. No reasonable justification for limiting sharing of EHI.

If all three criteria are met, then the practice in question is considered information blocking.

For more information on this Alert, contact Ryan P. Blaney or any member of Cozen O’Connor’s Health Care team.


Physician Group to Pay $750,000 to Settle a HIPAA Violation

Posted by Health Law Informer Author on September 03, 2015
HHS, HIPAA, OCR

In August 2012, a Physician Group—comprising nearly 20 physicians—reported its HIPAA breach to HHS, which resulted from a laptop bag containing an employee’s laptop and a computer server backup being stolen from the employee’s car in July 2012. According to the Resolution Agreement between HHS and the Physician Group, the laptop did not contain ePHI, but the portable, unencrypted server backup in the employee’s bag did. The backup contained ePHI for 55,000 individuals. To settle this matter, the Physician Group has agreed to pay $750,000.

Although stolen laptops and lack of encryption are nothing new in the world of HIPAA breaches, this situation stands out for a few reasons:

  • The Physician Group did not conduct “an accurate and thorough” risk assessment;
  • The significance of encryption extends not only to desktop computers and laptops, but also to portable devices, including but not limited to computer server backups; and
  • This is a notable fine for a Physician Group of fewer than 20 physicians.

For more information regarding this incident and HIPAA compliance, including the importance of encryption and risk assessments, contact J. Nicole Martin or any member of Cozen O’Connor’s healthcare law team.


Third Circuit Invalidates HHS’ Medicare Wage Index Reclassification Rule

Posted by Health Law Informer Author on August 04, 2015
HHS, Hospital, Medicare

On July 23, 2015, the Third Circuit invalidated, as being contrary to the Medicare statute, the U.S. Department of Health and Human Services’ (HHS) Medicare wage index “reclassification rule,” 42 C.F.R. § 412.230(a)(5)(iii). That rule was designed to prevent (and did prevent) urban hospitals that had strategically reclassified as being rural from being reclassified again (based on their newly acquired rural status) to a particular urban area, to benefit from a higher Medicare standardized amount and wage index.

In Geisinger Community Medical Center v. Secretary United States Department of Health and Human Services, the hospital first reclassified, successfully, as a Section 401 hospital (i.e., an urban hospital that elects to be treated as rural). It then sought to reclassify, based on its newly acquired rural status, to the Allentown urban wage index area. The hospital estimated that such a reclassification would increase its Medicare reimbursements by approximately $2.6 million per year. The Allentown urban area is 27 miles from the hospital. To be reclassified to that area, the hospital had to rely on the relaxed 35 mile maximum distance applicable to rural hospitals; it would not qualify under the maximum 15 mile distance applicable to urban hospitals. The reclassification rule, however, prohibited Section 401 hospitals from reclassifying based on their acquired rural status.

The Third Circuit panel majority, under a Chevron Step One analysis, agreed with the hospital that HHS’ reclassification rule is unlawful. It specifically held that the statutory text of Section 401 unambiguously requires HHS, through broad and mandatory language, to treat Section 401 hospitals like hospitals that are actually located in rural areas. The reclassification rule, therefore, unlawfully prevented the Section 401 hospital from being considered as a rural hospital in its application to reclassify to a different wage index area.


Revamped Telehealth Bill Referred to the House Energy and Commerce Committee and the House Committee on Ways and Means

Posted by Health Law Informer Author on July 09, 2015
CMS, Medicare

On July 7, 2015, U.S. Reps. Mike Thompson, Gregg Harper, Diane Black, and Peter Welch announced the introduction of a new version of the July 2014 telehealth legislation (H.R. 5380) called the Medicare Telehealth Parity Act of 2015 (H.R. 2948) (the “Act”). The Act has already been referred to each of the House Energy and Commerce Committee and the House Committee on Ways and Means.

According to Congressman Thompson’s press release, this Act would phase in and expand upon existing telehealth services under Medicare, by, among other changes:

  • Removing the geographic barriers under current law and allowing the provision of telehealth services in rural, underserved, and metropolitan areas;
  • Expanding the list of providers and related covered service that are eligible to provide telehealth services to include respiratory therapists, physical therapists, occupational therapists, speech language pathologists, and audiologists;
  • Allowing remote patient monitoring for patients with chronic conditions such as heart failure, chronic obstructive pulmonary disease, and diabetes; and
  • Allowing the beneficiary’s home to serve as a site of care for home dialysis, hospice care, eligible outpatient mental health services, and home health services.

For quite some time reimbursement barriers prevented the expanded use of telehealth/telemedicine under Medicare beyond reimbursement for limited services, limited modes of telehealth, and the “originating site” restriction. Over the last few years, legislation expanding access and reimbursement under Medicare for telemedicine/telehealth services has been introduced, but never passed. This time could be different as the legislation has not only bipartisan support, but also the support of industry groups, including among others, the American Telemedicine Association and the American Heart Association. Stay tuned for additional updates regarding the Act. For further information, contact J. Nicole Martin or any member of Cozen O’Connor’s healthcare law team.


Progress in Medicare Takes Many Forms: Moving Ahead with Maintenance Care After Jimmo

Posted by Health Law Informer Author on June 29, 2015
Medicare

Somehow, although certainly not from a clear reading of the Medicare statute, there was long a perceived rule that Medicare would only cover certain services if the patient was making measurable improvement. This created the perverse circumstance that a provider was discouraged from delivering services that would maintain a patient’s current health level even if the absence of those services would result in the patient declining and then needing even greater services.

Through the hard work and perseverance of six named individual plaintiffs, led by Glenda Jimmo of Vermont, and seven advocacy organizations, the perceived “improvement rule” has been struck down.  (For information on the settlement of the case and the legal ramifications, see information available through the Center for Medicare Advocacy.) That’s the good news, given the importance of keeping certain patients from getting worse; the bad news is that the settlement of the Jimmo case is not widely enough known.

Reports suggest that claims for skilled maintenance services are still being denied, or, in many instances, providers do not even offer these services to patients based on the assumption that reimbursement will be withheld. As a result of the Settlement, CMS agreed to embark on an education campaign around this ruling. That educational effort will need to be redoubled to get the message out, especially given the reality that many service providers themselves think only in terms of patient improvement and not maintenance, as improvement has long been the primary measure of their effectiveness.

Earlier this week, the Center for Medicare Advocacy convened a group of providers and patient advocates to identify barriers to implementing the Jimmo decision and how to circumvent them. Stay tuned for more!


Largest Criminal Health Care Fraud Takedown – 243 Charged and $712 Million in False Billings

Posted by Health Law Informer Author on June 18, 2015
DOJ, FBI, Fraud and Abuse, HHS, Hospital, Medicare

On June 18, 2015, HHS Secretary Sylvia M. Burwell and DOJ Attorney General Loretta E. Lynch announced nationwide arrests in Medicare fraud schemes amounting to approximately $712 million in false billings.  Attorney General Lynch described the strike as “the largest criminal health care fraud takedown in the history of the Department of Justice, and it adds to an already remarkable record of enforcement.”

According to the Department of Justice press release, the takedown was led by the Medicare Fraud Strike Force and resulted in 243 individuals, including 46 doctors, nurses and licensed medical professionals, being charged with Medicare fraud.  This Strike Force targeted false billings for the following services:

  • Home Health
  • Psychotherapy
  • Physical and Occupational Therapy
  • DME
  • Pharmacy Fraud

The nationwide sweep included Florida, Texas, California, Louisiana, New York and Michigan.  Miami was a particular focus with 73 defendants charged and $263 million of false billings for home health, mental health and pharmacy services.

This nationwide sweep involved significant coordination between multiple government enforcement agencies and illustrates the government’s joint efforts to target health care fraud.  Included in the press conference were FBI Director James B. Comey, Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division, Inspector General Daniel R. Levinson of the HHS Office of Inspector General (HHS-OIG) and Deputy Administrator and Director of CMS Center for Program Integrity Dr. Shantanu Agrawal.

Assistant Attorney General Caldwell spoke and emphasized the Criminal Division’s increased focus on Medicare fraud stating,  “Every day, the Criminal Division is more strategic in our approach to prosecuting Medicare Fraud.  We obtain and analyze billing data in real-time.  We target hot spots – areas of the country and the types of health care services where the billing data shows the potential for a high volume of fraud – and we are speeding up our investigations.  By doing this, we are increasingly able to stop schemes at the developmental stage, and to prevent them from spreading to other parts of the country.”

For further information contact Ryan P. Blaney or any member of Cozen O’Connor’s health care team.


Not Much New … But a Good Reminder for Medical Director Relationships

Posted by Health Law Informer Author on June 15, 2015
CMS, Hospital, OIG, Regulations

After a significant number of settlement agreements between the U.S. Department of Health and Human Services Office of Inspector General (OIG), OIG decided to release a Fraud Alert reminding physicians, practices and hospitals about the significant compliance risks with medical director agreements. The June 9, 2015 Fraud Alert highlights four issues of concern in medical director agreements and relationships:

  1. Agreements providing for medical director compensation based upon a calculation taking into account the volume of a medical director’s referrals to the entity he or she is serving as medical director.
  2. Agreements providing for medical director compensation above fair market value for the services to be rendered by the medical director.
  3. Medical directors failing to actually render the services set forth in medical director agreements, yet still being compensated for such services.
  4. Agreements providing that affiliated health care entities pay for a medical director’s front office staff, thereby relieving the medical director of a financial burden such medical director would otherwise have incurred.

This Fraud Alert offers nothing new in terms of Anti-Kickback regulation and enforcement, reiterating to providers that the Anti-kickback statute generally prohibits a provider from being paid any form of remuneration for referring a patient for federal healthcare business.  It appears to be a not-so-friendly reminder that “remuneration” can come in many shapes and sizes and physicians must continue to be vigilant in their negotiating and entering into medical director agreements, as well as their adherence to same. A physician considering entering into any business venture in the health care sector should proceed with caution, and always confer with a health care attorney before signing on the dotted line.  The complete June 9, 2015 Fraud Alert can be found here: http://oig.hhs.gov/compliance/alerts/guidance/Fraud_Alert_Physician_Compensation_06092015.pdf.

For further information contact a member of Cozen O’Connor’s health care team.

Authored by Ryan Blaney (Washington, DC) and Marc Goldsand (Miami, FL).


OCR Announces Another HIPAA Settlement and Warns Not to Forget About Paper Records

Posted by Health Law Informer Author on May 04, 2015
HHS, HIPAA, OCR

On April 27, 2015, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that Cornell Prescription Pharmacy (“Cornell Pharmacy”) had entered into a resolution agreement to settle, without an admission of liability or wrongdoing, potential HIPAA violations. As part of the resolution agreement Cornell Pharmacy will pay $125,000 and enter into a two-year corrective action plan (“CAP”) focused on correcting the alleged deficiencies in its HIPAA compliance program.

Cornell Pharmacy is a small, single store pharmacy located in Denver, Colorado that specializes in compound medications and providing services for local hospice agencies. OCR began an investigation into the pharmacy after it received a media report from a Denver news agency that protected health information (“PHI”) belonging to Cornell Pharmacy was apparently disposed of and found in an unlocked, publicly accessible dumpster. The documents were not shredded and contained the PHI of approximately 1,610 of Cornell Pharmacy’s patients.   After conducting its investigation, OCR concluded that Cornell Pharmacy failed to implement any written policies and procedures as required by HIPAA’s Privacy Rule, and further failed to provide training on the Privacy Rule to its workforce members.

This settlement is instructive as OCR again highlights the importance of having updated and comprehensive HIPAA policies and procedures in place, including policies on the proper disposal of PHI, and on training all staff on those policies and procedures.   Further, in this year of massive cyber-attacks and other breaches of electronic data, this HIPAA settlement serves to remind covered entities and business associates not to forget about protecting their paper records as well.   As stated by OCR in its press release, “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.” As discovered by Cornell Pharmacy, a breach or other improper disclosure of paper PHI can also result in significant consequences.

For further information please contact the author, Gregory M. Fliszar (Philadelphia, PA), or other members of Cozen O’Connor’s healthcare team.


Senate Approves Medicare “Doc Fix” Legislation

Posted by Health Law Informer Author on April 15, 2015
CMS, Medicare

We wrote in late March about the U.S. House of Representatives passing SGR legislation intended to be a permanent cure to Medicare’s “doc fix” legislation. Yesterday evening, the Senate finally passed the SGR legislation to avoid a rate cut. Congress anticipates President Obama will sign the SGR legislation into law fairly quickly. Among other measures, the SGR legislation will amend Title XVIII of the Social Security Act, pertaining to Medicare, to:

  • “remove sustainable growth rate (SGR) methodology from the determination of annual conversion factors in the formula for payment for physicians’ services; and
  • revise the update in rates for 2015 and subsequent years.”

Notably, the SGR legislation extends the two-midnight Medicare rule through FY2015. The two-midnight Medicare rule only provides coverage for hospital stays when a beneficiary remains in a hospital over two midnights because the beneficiary requires care over this minimum period of time. Medicare generally denies coverage for care provided during shorter length hospital stays. The SGR legislation also extends the CHIP program through FY2017.

For further information contact Cozen O’Connor’s health care team.
