Health Law Informer

CMS approved Pennsylvania’s Medical Assistance (“Medicaid”) waiver request entitled Healthy Pennsylvania (“Waiver” or “Healthy Pennsylvania”) by letter dated August 28, 2014.  Governor Tom Corbett and the Pennsylvania Department of Welfare submitted the waiver application in February. The approval paves the way for a five-year demonstration project that begins on January 1, 2015 and is intended to “expand access to coverage to adults in Pennsylvania with incomes through 133 percent of the federal poverty level.” The Waiver includes changes that will be implemented through state Medicaid plan amendments and the demonstration project.

Waiver Priorities

• Improving access;
• Ensuring quality; and
• Providing affordability.

Waiver Objectives

• Promoting access to health insurance through the private insurance marketplace;
• Encouraging healthy behaviors and appropriate care, including early intervention, prevention, and wellness; and
• Increasing quality of care and efficiency of the health care delivery system.

Waiver Highlights (applicable to individuals enrolled in Medicaid and Healthy PA PCO)

• Inclusion of a private coverage option, Healthy PA PCO, which will make coverage available through a private commercial market that will operate outside of the Pennsylvania’s federally-run exchange
• Commercial insurance carriers, who are likely to be HealthChoices MCOs, will offer at least two health plans for individuals eligible for Healthy PA PCO
• Inclusion of Medicaid plan options categorized as “low risk” or “high risk” (these plans are not yet finalized and the parameters will be subject to negotiation with CMS)
• No premiums are required in year one
• Monthly premiums are required in year two for eligible individuals who have incomes greater than 100% of the federal poverty level (up to 2% of their income with the ability to reduce the premium based on healthy behaviors)
• Individuals enrolled in Healthy PA PCO and Medicaid will pay an amount equal to currently existing Medicaid copayments in year one of Healthy Pennsylvania’s implementation
• Elimination of copayments, except for $8 co-payments for non-emergency visits to emergency rooms, beginning in year two of Healthy Pennsylvania’s implementation

The Hospital & Healthsystem Association of Pennsylvania recently announced its support of Healthy Pennsylvania’s goals. Despite those who oppose Healthy Pennsylvania because among other reasons, it is viewed as not being the “traditional” Medicaid expansion as envisioned by the Affordable Care Act, Governor Tom Corbett anticipates that Healthy PA PCO will increase access to health care for over 600,000 eligible Pennsylvanians. Notably, CMS did not approve the proposed work search requirement, which would have required certain adults to undertake work search activities in order to qualify and remain eligible for health coverage under Healthy Pennsylvania. According to CMS, the approval of Pennsylvania’s Waiver makes it one of 28 states, including the District of Columbia, to expand Medicaid.

For more information regarding the Waiver, please contact Mark Gallant, Chris Raphaely, or J. Nicole Martin.

Health Law Informer Author

More Posts

Daily news stories about data breaches and enforcement actions seem to be the new norm, so it’s no surprise that people may start to believe that hackers have won the war and that no personal health information is safe. But exactly how many breaches have been reported in the last several years? And were the breaches the result of nefarious plots or just plain incompetence? About how many HIPAA investigations has the government actually launched?

Rest assured, Congress has been asking similar questions as well. The HITECH Act requires the Department of Health and Human Services Office for Civil Rights (OCR) to submit annual reports to Congress that provide contextualized information about incident rates and government action; OCR published its most recent two reports on Breaches of Unsecured Protected Health Information (Breach Report) and HIPAA Privacy, Security, and Breach Notification Rule Compliance (HIPAA Compliance Report).  In addition to including cumulative data, the reports cover relevant activities that occurred between January 1, 2011, and December 31, 2012. Continue reading…

Health Law Informer Author

More Posts

The United States Department of Justice (DOJ) recently announced the settlement of two qui tam whistleblower lawsuits against Omnicare Inc., the largest nursing home pharmaceutical and pharmacy services vendor in the nation. The suits alleged that Omnicare gave significant discounts to skilled nursing facilities in exchange for lucrative referrals and pharmacy provider contracts. This $124.24 million settlement is the largest ever in a “swapping” case brought under the Anti-Kickback Statute.

In addition to its size, this settlement is noteworthy because DOJ had initially declined to intervene in the underlying suits and relators pursued the claims independently. That go-it-alone decision was so resoundingly vindicated in Omnicare, it is likely that this case will encourage other whistleblowers to follow a similar course of action. Relators have long had the right to continue False Claims Act litigation without governmental participation. DOJ’s decision whether to intervene or not was traditionally (although not explicitly stated) viewed as a reflection of the strength of the whistleblower’s allegations.  With the increase in whistleblower complaints, the limitations on the number of cases that DOJ can put resources on, statutory changes, the rise of a specialized qui tam bar, and big dollar victories like this may significantly increase the number of independent qui tam lawsuits. Continue reading…

Health Law Informer Author

More Posts

Recently, the American Medical Association (AMA) released a report on telemedicine (Report) that, among other things, (i) outlines coverage and payment rules; (ii) summarizes various specialty society practice guidelines/position statements; and (iii) presents its own position and recommendations regarding the role of telemedicine in the provision of health care. The Report provides a current overview of barriers (e.g., reimbursement and licensure) that prevent further implementation of telemedicine in the provision of health care in our society, and it also emphasizes the importance of ensuring quality of care, patient safety, and coordination of care. The AMA’s publication of this Report will hopefully continue the important dialogue regarding the promise of telemedicine.

Look for an upcoming more detailed client alert analyzing this Report, other updates concerning telemedicine, and the general role of telemedicine in our healthcare system.

Health Law Informer Author

More Posts

The Pennsylvania Department of Health (“DOH”) Bureau of Laboratories (“Bureau”) recently announced that it will begin to phase-in enforcement of Act 122, which amended the Pennsylvania Clinical Laboratory Act (“Lab Act”), even though Act 122 became effective on December 18, 2013. The Bureau also issued additional guidance regarding Act 122 in its Frequently Asked Questions, Volume 1 and Volume 2 (“FAQs”).

According to its Senate Co-Sponsorship Memoranda, the purpose of Act 122 was to: (1) prohibit the “placing of phlebotomists or specimen collectors in physician and other health care provider offices in the Commonwealth;” and (2) afford Pennsylvania laboratories “the ability to compete on a level playing field with out-of-state labs” who had been able to place staff in providers’ offices “without fear of sanction.” However, the broad language of Act 122 will also affect laboratories’ ability to collect specimens from skilled nursing facilities (“SNFs”). Continue reading…

Health Law Informer Author

More Posts

Year #2 Report on Medicare Fraud Prevention System

On June 25, 2014, the Centers for Medicare & Medicaid Services (CMS) and the Department of Health and Human Services Office of Inspector General (OIG) issued and certified, as required by the Small Business Jobs Act of 2010 (SBJA) their second implementation year report  for the Fraud Prevention System (FPS) along with a press release.  By way of background, CMS is under pressure from Congress and the United States Government Accountability Office (GAO) to enhance their health care fraud, abuse and waste prevention and detection success through the use of predictive analytics technologies while at the same time monitoring the expenditures and costs by government contractors and auditors such as ZPICs to prevent fraud.  Last October, GAO published a Report concerning CMS’s Medicare Program Integrity titled, “Contractors Reported Generating Savings but CMS Could Improve Its Oversight.” 

CMS and OIG’s Report to Congress on the FPS responds to many, but not all, of GAO’s criticisms.  Here are a few of the noteworthy findings and observations in the Report:

• CMS reports that they “identified or prevented” $210.7 million in Medicare payments attributed to FPS.  This is a return on investment of $5 to $1 for the second implementation year and an increase ROI from Year 1.
• OIG disagrees with CMS’s use of “identified savings” to calculate the success of the FPS and instead recommends using “adjusted savings” as a measure of savings and return on investment related to the Department’s use of FPS.
• Under OIG’s adjusted savings analysis, OIG only certified $54.2 million of the $210.7 million as attributed to the Department’s use of FPS. 
• OIG found that the “Department’s use of its predictive analytics technologies resulted in a return on investment of $1.34 (not $5) for every dollar spent on the FPS.
• Based on criticism received by OIG and GAO, CMS reported that they changed the methodology to require ZPICs (Zone Program Integrity Contractors) to submit provider-specific outcome data to be able to conduct more quality control reviews prior to reporting savings.
• OIG disagreed with CMS and stated, “[A]lthough the Department has made significant progress in addressing the challenges of measuring actual and projected savings, its procedures were not always sufficient to ensure that its contractors provided and maintained reliable data to always support FPS savings.”  Interestingly, OIG initially included a much stronger statement but revised the final statement based on CMS’s objections.  The original statement was “[T]he Department could not ensure that its contractors always provided and maintained reliable data to support FPS savings.”   
• CMS expects that future activities of the FPS will substantially increase savings by expanding the use of predictive analytics and modeling beyond identifying FRAUD and into areas of WASTE and ABUSE.   This will require more refined predictive models and modifications from insights from field investigators, policy experts, clinicians, and data analysts.  In Year 3, CMS will convene workgroups with federal agency, states, and private partners to develop and expand FPS’s capabilities.
• In Year 3, CMS also will explore the cost-effectiveness and feasibility of expanding predictive analytics technology to Medicaid and the Children’s Health Insurance Program (CHIP).  CMS anticipates working with State Medicaid Agencies to train and explore opportunities for expanding predictive analytics. 

Practice Tip: CMS’s FPS is more fully integrated into the Medicare FPS payment system and allows CMS to monitor and deny individual claims in the prepayment stage.  ZPICs and other government contractors will continue to be the government’s “boots on the ground” but they will be armed with better information and real time data to investigate.  Providers need to take any and all inquiries by ZPICs seriously.  Anticipate more coordinated investigations by the FBI, ZPICs, States AGs, State Medicaid Fraud Agencies, and Federal agencies and faster freezing or rejections of provider claims.  Anticipate the expansion of FPS’s predictive analytics to the areas of waste and abuse. 

Please check back with the Health Law Informer Blog and Cozen O’Connor for additional analysis of CMS’s Second Implementation Year Report in the coming weeks. 

Health Law Informer Author

More Posts

It has been 18 years in coming, and the time is finally here. All Controlling Health Plans (CHPs) must obtain a unique Health Plan Identifier (HPID). A CHP is a health plan that controls its own business activities, actions, or policies, or is controlled by entities that are not health plans. The HPID is a unique 10-digit, all-numeric identifier that will be assigned to every qualifying health plan.

The Health Insurance Portability and Accountability Act (HIPAA) first indicated the need for HPIDs back in 1996. Almost a decade later, the Department of Health and Human Services (HHS) issued a final rule mandating HPID adoption. Now the important part: the deadline for most providers to register for an HPID is November 5, 2014. (Small health plans, those with annual claims paid of $5 million or less, have until November 5, 2015 to register.)

The primary purpose of HPIDs is standardization, which should make the exchange of electronic data more efficient and more accurate. Among other improvements, HPIDs will drastically decrease the instances of misrouted transactions or rejected transactions due to insurance identification errors. HHS has said that universal adoption of HPIDs is expected to save $6 billion over the next ten years.

While CHPs are required to register, sub-health plan affiliates may register for a HPID or may choose to use the number of its CHP parent. Self-insured group health plans that fit the definition of a CHP will be required to have an HPID. If a health plan engages a business associate to conduct standard transactions on its behalf, the business associate must use the health plan’s HPID in every field where the health plan is identified.

In addition to registering for the HPID, CHPs must disclose their HPID when requested and communicate any changes to the required data elements in the HPID Enumeration System within 30 days of the change.

The HPID will be used for all “standard transactions,” as defined by HIPAA, as well as for other lawful purposes, including: identification on health plans’ internal files; health insurance cards; cross-referencing in health care fraud and abuse files; and identification of health plans on Health Information Exchanges, and federal and state insurance exchanges.

Health Plans can complete their HPID application here.

HHS provides videos to assist Health Plans in the application process and a 111-page User Manual published by CMS here.

Health Law Informer Author

More Posts

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is not the only government arm that enforces data breaches. The Federal Trade Commission (FTC) has broad authority to regulate the security of consumer information and hold companies liable for a failure to use adequate data security practices. In August 2013, the FTC targeted LabMD, a medical testing laboratory, which maintains personal financial and health information for nearly one million consumers. The FTC alleged that LabMD failed to “provide reasonable and appropriate security for personal information on its computer networks,” which resulted in the data of thousands of consumers being leaked on to the peer-to-peer file-sharing network LimeWire, the black-market and in the hands of illegal data brokers.

Until recently the FTC enforced its breach authority under the Act without pushback, so a company facing allegations would simply settle. However, LabMD became the second company to challenge the FTC’s enforcement of data breaches (a hotel chain company was the first to challenge the FTC’s authority). LabMD attempted to stop the investigation by filing appeals to federal district and appellate courts and the FTC. The appeals were based primarily on two arguments: (i) the FTC does not have the statutory authority to set data security standards for companies; and (ii) LabMD is already subject to the OCR’s enforcement authority under HIPAA’s security regulations, so it should not also be subject to the FTC’s enforcement authority.

Despite LabMD’s best efforts, two Eleventh Circuit judges refused to intervene before the FTC issued its final order, the FTC rejected LabMD’s motion to dismiss and it moved forward with the administrative proceedings. However, LabMD continues to fightback. Recently, LabMD filed a motion to dismiss with the FTC, and contended that the FTC had not proven that the data breach caused injury, specifically, that it did not present evidence that there was substantial harm or likely to be substantial harm to consumers as a result of the breach.

During trial, Michael Daugherty, CEO of LabMD, testified that the effect of the FTC’s allegations and subsequent probe has placed the company in a “very deep coma” and that he “can’t understate how damaging and confusing and sideswiping [the matter is] to the attitude, energy and morale of [LabMD’s] management staff.”

Interestingly, the trial has been on recess since May 30 when the administrative law judge delayed the proceeding until June 12 in response to an announcement that the House Committee on Oversight and Government Reform was investigating Tiversa Inc., the cyber-intelligence firm that played a central role in the FTC’s case against LabMD. In a separate lawsuit, LabMD is alleging that Tiversa provided the FTC with patient information files that it stole from LabMD.

When trial resumes on June 12, the focus will continue to be on whether LabMD’s data security standards that it used to protect consumers’ personal information were reasonable. It will be interesting whether developments from the Tiversa investigation impact the outcome of the trial. For more information about this proceeding go to the FTC website.

Practice Tip: Ensure that your security policies and procedures are being implemented and followed in accordance with HIPAA security requirements because inadequate security safeguards may lead to enforcement actions by the OCR and the FTC.

Health Law Informer Author

More Posts

A report recently released by the Federal Trade Commission (FTC) concludes that data brokers currently operate so far below the radar screen that most consumers are unable to exercise any real control over the collection and use of their personal information. In addition to shedding light on the data broker marketplace and its practices, the report also provides recommendations to Congress about legislation that could better protect consumers and begin to regulate this poorly understood industry.

Data Brokers: A Call for Transparency and Accountability is based on an in-depth study of nine leading data brokers, companies that collect consumers’ personal information and resell or share that information with others in the form of marketing, risk management, or people search products. Combined, data brokers currently collect and store billions of bits of data about nearly every consumer in the United States. According to the FTC, “Because few consumers know about the existence of data brokers, meaningful notice from the data source provides an important opportunity for consumers to learn that their data is shared with data brokers and how to exercise control over the use of their data.”

In order to promote transparency, the Commission recommended that Congress consider legislation:

– Enabling consumers to easily identify which data brokers may have data about them and where they should go to access such information and exercise opt-out rights.

– Requiring data brokers to clearly disclose to consumers that they not only use raw data (such as a person’s name, address, age, and income range), but that they also use data they derive with that information.

– Requiring data brokers to disclose the names and/or categories of their sources of data, so that consumers are better able to determine if they need to correct their data with an original public record source; require data brokers to allow consumers to correct erroneous information in their private databases.

– Mandating that consumer-facing entities to provide a prominent notice to consumers that they share consumer data with data brokers and provide consumers with choices about the use of their data, such as the ability to opt-out of sharing their information with data brokers.

More generally, the Commission called on the data broker industry to adopt several best practices:

– Implement privacy-by-design, considering privacy issues at every stage of product development.

– Refrain from collecting information from children and teens, particularly in marketing products.

– Take reasonable precautions to ensure that downstream users of their data do not use it for eligibility determinations or for unlawful discriminatory purposes.

Cozen O’Connor’s Health Law Informer will continue to monitor Congress and the data broker industry’s response to the FTC report.

Health Law Informer Author

More Posts

In May and within a week of the Office of Inspector General of the Department of Health and Human Services (OIG) releasing a proposed rule to expand its exclusion authority, the agency also released a proposed rule (Rule) expanding its authority to impose civil monetary penalties (CMPs). OIG anticipates that “CMP collections may increase in the future in light of the new CMP authorities and other changes proposed in this [R]ule.” Over the last decade, OIG has collected more than $165 million in CMPs (between $10.2 million to $26.2 million per year).

Health care providers, suppliers and related institutions should pay particular attention to five proposed key changes:

(1) The focus on an expansion in the range of conduct for which OIG could assess CMPs to include: failing to provide OIG timely access to documents, ordering or prescribing medication or services while excluded from participation in federal health care programs, making false statements on enrollment applications to participate in federal health care programs, failing to report and return known overpayments, and making or using a false statement that is material to a false or fraudulent claim.

(2) Interpretation of the penalty as a per day penalty—for example, up to $10,000 for each day a person fails to report and return an overpayment.

(3) Imposition of CMPs on Medicare Advantage and Medicare Part D organizations (if any of their employees or contractors engaged in fraudulent activity). This broadens the general liability of these organizations for misconduct to include contracted providers or suppliers, employees and agents. Medicare Advantage and Part D organizations would also be eligible for CMPs if they enroll an individual (or his or her designee) without consent; transfer an enrollee to another plan without the enrollee’s (or his or her designee’s) consent; transfer an enrollee to make a commission; fail to comply with marketing restrictions; or employ or contract with any person who engages in prohibited conduct.

(4) Revision to the current structure of 42 C.F.R. Part 1003 because it is “cumbersome and potentially confusing for the reader” in order to “add clarity and improve transparency in OIG’s decision-making processes.” The bases for CMP assessments would be grouped into subsections by subject matter. OIG would provide a single list of factors to be considered when determining the amount of a CMP to include: the nature and circumstances of the violation, the degree of culpability of the person, the history of prior offenses, other wrongful conduct, and other matters as justice may require.

(5) An increase of the claims-mitigating factor from $1,000 to $5,000. The claims-mitigating factor acts as a threshold to help OIG determine the severity of a program violation. OIG believes that the $1,000 threshold is “lower than appropriate . . . given the changes in the costs of health care since this regulation was last updated in 2002.”

Other notable proposed changes include: the addition of a mitigating factor for “appropriate and timely corrective action” taken by a person under OIG’s Self-Disclosure Protocol; clarification that a single aggravating circumstance may result in the maximum amount allowed penalty, assessment, or exclusion; and the delegation of authority from the Department of Health and Human Services Secretary to OIG at Part 1003.150.

Comments to the Rule are due by July 11, 2014.

Health Law Informer Author

More Posts