On November 30, 2016, the House overwhelmingly passed (392-26) the 21st Century Cures Act (“Bill”). The Bill moves on to the Senate next week and it is projected to pass in the Senate as well. Notably, the Bill seeks to improve upon the federal regulatory structure regarding Federal Drug Administration (FDA) approval and expediting the development of new drugs. Under the Bill, FDA funding would increase by $500 million. The Bill also provides for the authorization of new National Institutes of Health research grant funding, in the billions, including funding for Vice President Biden’s “moonshot” to cure cancer. Importantly, a proposed provision regarding reporting under the Sunshine Act was removed from the Bill. Specifically, the proposed provision would have exempted from the reporting requirements of the Physician Payment Sunshine Act payments from drug and device manufacturers to physicians for speaking at continuing medical education events and for contributing to medical textbooks, or medical journals.

In a final rule published today in the federal register (“Final Rule”), CMS announced numerous changes to the consolidated Medicare and Medicaid requirements for participation for long term care (LTC) facilities (42 CFR part 483, subpart B), which take effect on November 28, 2016 (see the March 7, 2016 blog for information about the July 16, 2015 proposed rule (“Proposed Rule”)). Much to the satisfaction of elder care advocates, the Final Rule provides that nursing homes may no longer require prospective nursing home residents to agree to binding arbitration. This strikes a blow at LTC facilities, which generally used arbitration as a tool to avoid incurring the onerous costs associated with litigation.

CMS’ position in the final rule isn’t shocking as it had expressed concern about the use of arbitration agreements in nursing homes in its Proposed Rule. Although no longer permissible for LTC facilities to use as a condition of admission, according to Andy Slavitt, CMS’ Acting Administrator, and Kate Goodrich, Director of the Center for Clinical Standards & Quality, “facilities and residents will still be able to use arbitration on a voluntary basis at the time a dispute arises.” However, such agreements will still need to be “clearly explained” to residents.

Nursing homes that have traditionally asked residents to sign binding arbitration agreements should revisit their admissions processes and implement revised policies and procedures to ensure compliance with the Final Rule, so that, beginning November 28, 2016, residents at such LTC facilities are no longer required to agree to binding arbitration. LTC facilities may also consider revising their policies and procedures to incorporate recommending the use of arbitration to residents following disputes that may arise, and to ensure that any such recommendations are clearly explained to their residents.

For more information regarding the voluntary use of arbitration agreements in the nursing home context, contact J. Nicole Martin, Dana Petrillo or any member of Cozen O’Connor’s health care law team.

Last week, the Third Circuit Court of Appeals held that the merger between Penn State Hershey Medical Center and PinnacleHealth System, the two largest hospitals in Harrisburg, Pennsylvania, may not move forward at this time. The Court of Appeals overturned the District Court’s (Middle District of PA) denial of the FTC’s and the Commonwealth of Pennsylvania’s request for a preliminary injunction, directing the District Court to enter a preliminary injunction blocking the merger “pending the outcome of the FTC’s administrative adjudication.”

In reaching its decision, the Court of Appeals held that the critical determination of the relevant market for a proper antitrust analysis should be defined primarily “through the lens of the insurers” and that it “was error for the District court to completely disregard the role insurers play in the healthcare market.” The Court of Appeals ruled that the relevant market was the four- county Harrisburg area. It found that the market was highly concentrated and that the combined hospitals would control 76% percent of the market. As a result the plaintiffs were found to have established a prima facie case that the merger “is presumptively anticompetitive.”

In rebuttal, the hospitals alleged, among other things, that, the merger would result in efficiencies leading to capital savings and enhance the hospitals’ efforts to engage in risk-based contracting, but the Court of Appeals found that these arguments failed to demonstrate tangible, verifiable benefits to consumers, and only constituted “speculative assurances.” It remains to be seen whether the hospitals will continue their pursuit of merger through the FTC’s administrative review process or abandon it.

This decision, like others involving hospitals that have preceded it, underscores the unique nature of the markets in which hospitals and other healthcare providers operate. These markets are not primarily defined by the direct impact of market consolidation upon the behavior of the ultimate consumers, the patients. Instead, the markets are defined by the patients’ purchasing surrogates, their health insurers.

For more information about this decision, contact Chris Raphaely, Nicole Martin or a member of Cozen O’Connor’s Health Law team

On September 8, 2016, CMS announced in its blog that it will allow physicians to select their level of participation for the first performance year of the Medicare Access and CHIP Reauthorization Act of 2015 (“MACRA”) Quality Payment Program, which begins January 1, 2017. Importantly, during the first performance year (2017), “[c]hoosing one of these options would ensure [physicians] do not receive a negative payment adjustment” under MACRA in 2019.

Under the Quality Payment Program physicians will fall under the Merit-Based Incentive Payment System (“MIPS”) if they do not qualify under the Advanced Alternative Payment Model (“Advanced APM”) option.  In 2019, physicians who are in the MIPS default option could face Medicare rate adjustments of up to 5% based on their performance under four weighted performance categories: quality (50%); resource use (10%); advancing care information (25%); and clinical practice improvement (15%). Advanced APMs include, for example, Track 2 and 3 MSSP ACOs; next generation ACOs; and bundled payment models, and physicians who qualify under the Advanced APM option earn a 5% incentive, are excluded from MIPS adjustments and receive higher fee schedule updates after 2024.

Recognizing that many physicians may face negative payment adjustments under MIPS as a result of participating under the Quality Payment Program, CMS is going to allow eligible physicians to “pick their pace of participation” and ensure they do not receive such negative payment adjustments in 2019 by choosing one of four options for the first performance year:

1. Test the Quality Payment Program;
2. Participate for part of the calendar year;
3. Participate for the full calendar year; or
4. Participate in an Advanced APM in 2017.

The first three options fall under MIPS, while the fourth option falls under the Advanced APM. In the first option, physicians could “submit some data to the Quality Payment Program”, avoid negative payment adjustments and test the waters before broader participation in subsequent years. Under option two, the performance year could begin later than January 1, 2017, a physician practice “could qualify for a small positive payment adjustment”, and a physician would submit Quality Payment Program information for fewer days. The third option is ideal for those physician practices that are ready to participate beginning January 1, 2017 and who are able to submit a full year of quality data. Additionally, physicians “could qualify for a modest positive payment adjustment.” The fourth option would be viable for those physicians or physicians groups who treat enough Medicare beneficiaries and who receive enough of their Medicare payments through an Advanced APM (e.g., MSSP ACOs). Through the Advanced APM option, physicians/physician groups would “qualify for a 5 percent payment in 2019.” It remains unclear what the difference is between a “small” and “modest” payment adjustment. However, CMS may address this in the final rule along with how it will implement MIPS and the Advanced APM. CMS will release the final rule by November 1, 2016.

For more information about MACRA, contact Chris Raphaely, Nicole Martin or a member of Cozen O’Connor’s Health Law team.

On August 18, 2016, the Secretary of Pennsylvania’s Department of Health (“DOH”), Dr. Karen Murphy, announced that the DOH has posted draft temporary regulations (“Regulations”) focusing on the 25 medical marijuana grower/processor permits that will become available under Pennsylvania’s Medical Marijuana Act (“Act”) that was passed last April.

The Regulations state the general application requirements for medical marijuana organizations, which requirements include detailed information about principals and financial backers of such organizations. Medical marijuana organizations include not just grower/processors, but also clinical registrants and dispensaries. The application requirements also contain a clear commitment to foster diversity. The Regulations establish procedures for promoting and ensuring that medical organizations foster diversity through participation of diverse groups in all aspects of the medical organization’s operations. This includes but is not limited to requiring each organization to have a diversity plan. Diverse groups are defined under the Regulations as “disadvantaged business[es], minority-owned business[es], women-owned business[es], service-disabled veteran-owned small business[es] or veteran-owned small business[es] that ha[ve] been certified by a third-party certifying organization.”

The Regulations also contain specific requirements for grower/processor permits. Application forms for permits will be posted on the DOH website in the future. Among the requirements is that a grower/processor notify DOH within six months of being issued an initial permit that it is ready, willing and able to begin production.

The Regulations prohibit executive level employees of the Commonwealth and their immediate family members from being employed by or holding an interest in medical marijuana organizations while employed by the Commonwealth and for one year thereafter.

The Regulations are not final and are open for public comment until August 26, 2016.

Although Pennsylvania joins 23 other states and the District of Columbia to legalize medical marijuana, marijuana is still classified as a Schedule I controlled substance by the U.S. Drug Enforcement Agency, and as such it remains a crime under federal law to grow, sell and/or use marijuana. Any content contained herein is not intended to provide legal advice in connection with the violation of any state or federal law.  Although the Act provides for the legalization of medical marijuana in the Commonwealth of Pennsylvania, one should obtain legal advice with respect to any such compliance issues.

Stay tuned for details regarding an upcoming Cozen O’Connor webinar on these Regulations.

For more information about the Regulations or the Act, contact Chris Raphaely, J. Nicole Martin or another member of Cozen O’Connor’s Cannabis Industry Team.

In response to the increasing prevalence of ransomware cyber-attacks by hackers on electronic health information systems in hospitals and medical practices, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced on Monday July 11, 2016 its publication of new HIPAA guidance on ransomware (“Ransomware Guidance”). According to OCR:

Ransomware is a type of malware (or malicious software) that encrypts data with a key known only to the hacker and makes the data inaccessible to authorized users. After the data is encrypted, the hacker demands that authorized users pay a ransom (usually in a cryptocurrency such as Bitcoin to maintain anonymity) in order to obtain a key to decrypt the data.

Notably, the HIPAA Security Rule already requires implementation of security measures to help covered entities and business associates prevent the introduction of malware (e.g., ransomware) into their systems, and to implement policies and procedures to assist in responding to ransomware attacks. The Ransomware Guidance addresses, among other areas, how to implement security measures in order to prevent, mitigate the chances of, or even recover from ransomware attacks. Not surprisingly, conducting a risk analysis (or risk assessment) is at the core of covered entities and business associates implementing security management processes as required by the HIPAA Security Rule. The Ransomware Guidance further notes that maintaining an overall contingency plan, as required by the Security Rule, that includes disaster recovery planning, emergency operations planning and frequent backups of data can also help covered entities and business associates respond to and recover from malware infections, including ransomware attacks.

In addition, the Ransomware Guidance states that ransomware attacks against a covered entity or business associate can be considered a breach under the HIPAA Rules. Specifically, the Ransomware Guidance provides, “[w]hen electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e. unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.” Therefore, unless it can be shown that there is a low probability that the PHI involved in the ransomware attack has been compromised based on the factors in the Breach Notification Rule, a breach is presumed to have occurred, which would trigger the applicable breach notification provisions.

Even before OCR’s publication of the Ransomware Guidance, in late June the Secretary of HHS sent a letter (“Letter”) to the attention of chief executive officers at health care entities addressing the threat of ransomware. The Secretary attached interagency guidance to the Letter containing best practices and mitigation strategies integral to combatting ransomware incidents.

Ransomware is immediately disruptive to the day-to-day operation of businesses, as seen by its impact earlier this year on health care systems like MedStar in Washington, D.C. and Hollywood Presbyterian Medical Center in Los Angeles (“HPMC”), resulting for example, in HPMC paying 40 Bitcoins (approximately $17,000) to regain control of its computer system. Although the Ransomware Guidance does not address whether payment or ransom should be paid to regain access to computer systems, the interagency guidance attached to the Letter advises against paying hackers because, among other reasons, paying a ransom doesn’t necessarily guarantee that an entity will regain access to its system. The Ransomware Guidance does recommend that an entity victimized by a ransomware attack contact its local FBI or United States Secret Service field office.

For more information about the Ransomware Guidance contact Gregory M. Fliszar, Ryan Blaney, J. Nicole Martin or a member of Cozen O’Connor’s Health Law team.

On April 17, 2016, Governor Wolf signed Act 16 of 2016, making Pennsylvania the 24^th state (plus the District of Columbia) to legalize marijuana for medical use. The full text of the act is available here.

Physicians, not surprisingly, will play a vital role in making medical marijuana available to Pennsylvanians, while ensuring patient safety in the process.  This is what they should know about Act 16: Continue reading…

The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) finally announced on March 21 that it is ready to begin Phase Two of its HIPAA audit program, which will include business associates. These audits, mandated by HITECH, will primarily be comprised of desk audits, scheduled for completion by the end of December 2016, followed by onsite audits.

OCR explained it will immediately commence Phase Two by verifying, via email, cover entities’ and business associates’ contact information. The OCR is requesting timely responses, so that it can send pre-audit questionnaires out in order to gather data from covered entities and business associates for the creation of potential audit subject pools. The data will relate to the entities’ size, type and operations. Should covered entities and business associates fail to respond to OCR’s requests, they may still be part of OCR’s potential subject pools because OCR plans to compile publicly available information about covered entities and business associates that do not respond to its requests.

The first round of desk audits will focus on covered entities, and the second round will focus on business associates. The third round will be onsite audits, with a greater focus on the HIPAA requirements. OCR explains that some covered entities and business associates who are subject to desk audits may also be subject to onsite audits. According to OCR, all covered entities and business associates are eligible to be audited. The audits will focus on identifying compliance with specific privacy and security requirements under HIPAA/HITECH, and OCR will notify auditees by letter, regarding the subject(s) of their specific audits. On the HHS website, OCR provides a sample letter for review. Subsequent to the audits, OCR will review and analyze information from audit final reports.

Importantly, if an audit report uncovers significant noncompliance with HIPAA, it could prompt an investigation by OCR. The areas of interest for OCR in Phase Two will become clearer as the Phase Two audit program gets underway, but for now, we know OCR will focus on assessing covered entities’ and business associates’ HIPAA compliance, identifying best practices and discovering risks and vulnerabilities.

More information about the Phase Two audits is available here, and you can also contact Greg Fliszar, Ryan Blaney, J. Nicole Martin or another member of Cozen O’Connor’s Health Law team.

On consecutive days, the Office of Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) recently announced two large HIPAA breach settlements. On March 16, 2016, OCR announced that it entered into a Resolution Agreement with North Memorial Health Care of Minnesota for $1.55 million plus a two-year corrective action plan. On March 17, 2016 OCR followed by announcing that Feinstein Institute for Medical research, a New York biomedical research institute, agreed to pay to OCR $3.9 million and enter into a three-year corrective action plan to settle potential HIPAA violations. Both cases resulted from the all too familiar scenario of breaches resulting from stolen, unencrypted laptops.

In the Minnesota hospital breach, the unencrypted laptop containing the PHI of over 9,000 individuals was stolen from the locked car of an employee of a business associate of the hospital. According to the OCR’s investigation, the hospital failed to have a business associate agreement in place with that particular business associate. OCR also alleged that the hospital had not previously performed a risk analysis to identify and address potential risks and vulnerabilities to the ePHI it maintained, accessed or transmitted.

In the New York research corporation breach, OCR alleged that the institution did not have policies and procedures in place, including a policy on encryption and one that addressed use and access of electronic devices (e.g., the removal of the devices from the institution’s facility), nor did it have in place a security management process that sufficiently addressed potential security risks and vulnerabilities to ePHI, namely, its confidentiality, vulnerability or integrity. Notably, the stolen, unencrypted laptop contained the PHI of approximately 13,000 individuals.

As above, both OCR settlements also include multiple year corrective action plans requiring the hospital and research facility to conduct risk analyses/assessments, train their employees, and have HIPAA compliant policies and procedures in place. The Resolution Agreement for the Minnesota hospital breach is available here, and the Resolution Agreement for the New York research institute breach is available here.

Takeaways: The OCR’s 2016 breach enforcement is off to a very strong start with two high dollar settlements. Lessons learned from both breaches include the significance of encrypting electronic devices, conducting and updating on a regular basis security risk assessments and analyses, having adequate safeguards in place to protect PHI, having business associate agreements with all business associates, and having and implementing HIPAA policies and procedures to protect the security and privacy of PHI, including for example, policies related to encryption, authorized access to ePHI/PHI, and removal of electronic devices from facilities.

For more information, contact Greg Fliszar, J. Nicole Martin, or a member of Cozen O’Connor’s Health Law team.

As part of admission into a nursing home, a facility typically requires prospective residents to agree to binding arbitration. Arbitrating disputes generally allows nursing facilities to handle disputes without incurring the onerous costs – both of time and money – associated with litigation. Nursing facilities, which operate on razor thin margins, consider the costs of litigation to be an unnecessary burden for resolving disputes that could be resolved more efficiently and just as fairly in the arbitration context. Moreover, nursing facilities fear believe that they are not operating on a level playing field in a jury trial, because juries are typically biased in favor of residents and do not understand the constraints under which facilities operate. At the same time, nursing home resident advocates have long argued that use of arbitration in the nursing home setting is a legitimate concern because residents may feel coerced into signing them and may not fully understand the implications of signing such an agreement–that it means they are waiving their right to a jury trial.

Since last year, the use of arbitration agreements in nursing facilities has been in the forefront, both in state courts, and in the July 16, 2015 CMS proposed rule regarding the regulation of nursing homes, where the Centers for Medicare & Medicaid Services (“CMS”) proposed specific requirements regarding arbitration agreements (“Proposed Rule”).

For example, in Wert v. Manorcare of Carlisle PA, LLC (2015 WL 6499141, No. 62 MAP 2014 (Pa. Oct. 27, 2015)), the Pennsylvania Supreme Court addressed the enforceability of a nursing home’s arbitration agreement. While the Wert Court did not squarely address the issue of whether the arbitration clause is void as against public policy, the Wert Court stated it “recognize[s that premising the integrality of a contractual term on the subjective understanding of a far less sophisticated non-drafting party is ill-advised public policy that would further distort an already lopsided balance of power.” Despite the Wert Court’s acknowledgement of this being a public policy concern, the decision turned on the procedural validity of the clause because it required the use of the National Arbitration Forum’s code, which the Wert Court found the clause unenforceable. However, the brief reference to the public policy implications of arbitration agreements suggests that if the actual clause is called into question—other than for procedural reasons—Pennsylvania courts may void them as against public policy. On February 29, 2016, the United States Supreme Court (GGNSC Gettysburg LP v. Wert, U.S., No. 15-820) refused to review the Wert decision. The United States Supreme Court’s refusal is in line with other states as well, which like Pennsylvania, have found such agreements requiring the use of the National Arbitration Forum’s code to govern and address disputes between nursing homes and residents unenforceable.

In contrast, in Carrigan v. Live Oak Nursing Ctr., LLC (2015 WL6692199, No. 2:15–CV–319 (S.D. Tex. Nov. 3, 2015)), a Texas federal court decided late last year that an arbitration agreement signed along with the resident admission agreement was enforceable and that the parties would have to resolve their dispute through arbitration. The Carrigan Court further found that all parties who benefited from the resident admission agreement would be bound by the arbitration clause even though they did not sign it, that is, those parties who were suing to enforce duties under the resident admission agreement—that existed because of the relationship between the former resident and facility under the resident admission agreement—would also be bound by the arbitration agreement.

In the Proposed Rule, CMS expressed concern about the use of arbitration agreements in nursing homes. While soliciting comments on whether binding arbitration agreements should be prohibited, CMS nevertheless proposed a new regulation (42 C.F.R. 483.70(n)) with the following requirements:

• The agreement is to be explained to the residents who acknowledge that they understand the agreement;
• The agreement is to be entered into voluntarily;
• Arbitration sessions be conducted by a neutral arbitrator in a location that is convenient to both parties.
• Admission to the facility is not contingent upon the resident or the resident representative signing a binding arbitration agreement.
• The agreement could not prohibit or discourage the resident or anyone else from communicating with federal, state, or local health care or health-related officials, including representatives of the Office of the State Long-Term Care Ombudsman.

Both the Wert case and the Proposed Rule highlight concerns about the use of arbitration agreements in the nursing home world. Given CMS’ expressed concern about them, nursing homes who ask residents to sign binding arbitration agreements would be well advised to look carefully at the process by which the residents agree to binding arbitration and to implement policies that ensure that residents clearly understand what they are signing and that they are not pressured to sign these agreements.

For more information regarding the use of arbitration agreements in the nursing home context, contact J. Nicole Martin or any member of Cozen O’Connor’s healthcare law team.