There may be more criminal cases involving healthcare fraud in the near future, as the U.S. Department of Justice has announced it will be ramping up its review of whistleblower cases involving alleged health care fraud. In a recent speech, Leslie R. Caldwell, Assistant Attorney General for the DOJ’s Criminal Division, announced that the U.S. Department of Justice was further ramping up its review of False Claims Act lawsuits, with special attention being paid to cases involving claims of health care fraud.
So what’s new? First, the Criminal Division is putting more resources into reviewing cases for potential criminal investigation and prosecution. The Criminal Division has a Health Care Fraud Unit staffed with 40 attorneys (almost half of the attorneys in the Fraud section), which Ms. Caldwell describes as “the largest and most prolific unit of criminal prosecutors dedicated solely to health care fraud in the country.”
The Criminal Division will now immediately see all of the qui tam or whistleblower actions filed as soon as the Civil Division sees them. As reported by Mark Jacoby for MainJustice, this new, streamlined process may yield quicker parallel criminal investigations.
In addition, Ms. Caldwell’s remarks began and ended with an invitation to the members of Taxpayers Against Fraud Education Fund, a non-profit funded by successful whistleblowers and their lawyers. “[W]hen you are thinking of filing a qui tam case that alleges conduct that potentially could be criminal, I encourage you to consider reaching out to criminal authorities, just as you now do with our civil counterparts in the department and the U.S. Attorney’s Offices,” Caldwell said.
What to expect going forward? The DOJ will continue its own efforts in the nine Strike Force cities (Baton Rouge, Brooklyn, Chicago, Dallas, Detroit, Houston, Los Angeles, Miami and Tampa) as well as identifying fraud by crunching CMS data. But Caldwell also expressed the Criminal Division’s interest in looking harder and sooner at whistleblower and other actions against physicians, executives, hospitals, and healthcare companies of all types as part of its expanding focus on healthcare fraud.
The widely reported data breach at Community Health Systems, Inc. (CHS) appears to have relied upon a “spear phish email” to launch the initial malware, according to a recent alert from the FBI. Experts engaged by CHS believe that the attacker is an “Advanced Persistent Threat.” The FBI alert provides tips for organizations to prevent or identify a similar breach as well as technical information about specific network and host indicators. Companies with valuable intellectual property or with data covered by HIPAA (Health Insurance Portability and Accountability Act of 1996) are advised to heed the FBI’s warning.
This is not the first such alert. In April, the FBI generally warned healthcare providers that their cybersecurity systems are lax. Unfortunately, it appears the FBI was all too correct. Cyber criminals orchestrated the largest-ever external criminal cyber-attack on CHS. In the months-long attack, hackers were able to bypass CHS’s security measures and successfully copy and transfer certain patient data outside the company.
The FBI warns that intellectual property also is at risk. In addition to healthcare providers, the hackers appear to be targeting entities in the medical device industry in order to steal development information about medical devices and equipment.
The attackers launched this attack with highly sophisticated malware and technology. The British Broadcasting Corporation reported that the malware was the infamous “Heartbleed” bug. Once the gateway was open, the attackers scanned the memory on networked devices for user logons and passwords. The attackers could then log on using virtual private network technology to scan and transmit data.
The CHS breach affected approximately 4.5 million individuals — patients of physicians affiliated with CHS in the last five years. The hackers did not breach the systems for clinical records but did access demographic data — patient names, addresses, birth dates, telephone numbers, and social security numbers. HIPAA considers individually identifiable health information, including demographic data, as protected health information. It is possible that the hackers will use the data for identity theft purposes.
CHS reported that it has fixed the issue. While CHS carries cyber/privacy liability insurance, it is providing appropriate notification to affected patients and regulatory agencies as required by federal and state law, and offering identity theft protection services to individuals affected by this attack.
The rapid implementation of interoperable electronic health records creates an increasingly attractive target for criminal cyber-attacks. This incident and the FBI’s alert should prompt a review of system security by healthcare organizations.
September 22, 2014 is the deadline to have business associate and data use agreements updated to conform to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Final Omnibus Rule (the Omnibus Rule), which became effective September 23, 2013.
The Omnibus Rule’s transition provisions protect eligible business associate agreements and data use agreements until the deadline. In early 2013, the US Department of Health and Human Services published the Omnibus Rule, which includes a transition provision permitting a covered entity, or a business associate with respect to a subcontractor, to continue to create, receive, maintain or transmit protected health information in reliance on a business associate agreement that complies with the prior rules. A similar transition provision permits a covered entity to continue to transmit a limited data set to a recipient in reliance on a data use agreement that complies with the prior rules. The transition provisions allow covered entities and business associates to operate under the earlier agreements until the deadline.
The transition provisions apply to business associate agreements and data use agreements entered into prior to January 25, 2013 that complied with HIPAA rules then in effect so long as the agreement was not modified between March 26, 2013 and September 23, 2013.
Compliance with the Omnibus Rule requires careful review of existing business associate agreements and inclusion of a number of new requirements including, but not limited to:
- Compliance with certain provisions of the Security Rule;
- Business associates obtaining satisfactory assurances from subcontractors that they agree to comply with the Security Rule when they create, receive, maintain or transmit PHI, and that they agree to the same restrictions that apply to the business associate regarding PHI;
- Business associates must report any security incidents, including breaches of unsecured PHI to the covered entity; and
- Business associates must comply with the requirements of the Privacy Rule when carrying out any of the covered entity’s obligations under the Privacy Rule.
The federal government has indicated it will expand its HIPAA oversight through compliance reviews and audits. Accordingly, both covered entities and business associates should consider conducting internal HIPAA audits and assessments to help identify and address any areas of concern.
The Health Resources and Services Administration (HRSA) of the US Department of Health and Human Services (HHS) recently announced the availability of an interpretive rule (the “Interpretive Rule”) regarding section 340B(e) of the Public Health Service Act (PHSA), effective July 21, 2014.
This Interpretive Rule comes on the heels of the US District Court for the District of Columbia’s ruling that HHS does not have the authority to issue substantive rules regarding section 340B(e)’s orphan drug exclusion. PhRMA v. HHS, No. 13-01501 (D.D.C. May 23, 2014). The court’s decision, however, left open the ability of HHS to issue interpretive rules on the provision. Accordingly, HRSA has characterized the former substantive rule as interpretive.
The rule is largely unchanged. The Interpretive Rule, “Implementation of the Exclusion of Orphan Drugs for Certain Covered Entities Under the 340B Program,” affirms the agency’s previous guidance that pharmaceutical manufacturers must significantly discount orphan drugs for off-label uses. The Interpretive Rule specifically states that HHS interprets 340B(e) of the PHSA as excluding from the drug pricing program “drugs that are transferred, prescribed, sold, or otherwise used for the rare condition or disease for which the drug was designated” under the Federal Food, Drug, and Cosmetic Act (FFDCA). The Interpretive Rule states that the PHSA does not exclude from the program “drugs that are transferred, prescribed, sold, or otherwise used for conditions or diseases other than for which the drug was designated” under the FFDCA.
For pharmaceutical manufacturers, the Interpretive Rule means that HRSA and HHS will continue to require that orphan drugs be provided to freestanding cancer hospitals and other newly eligible entities at 340B Program rates when the drugs are transferred, prescribed, sold or otherwise used for conditions or diseases other than for which the drug was designated under Section 526 of the FFDCA.
Update: On August 27, 2014, the U.S. District Court for the District of Columbia issued its final judgment in PhRMA v. HHS. The court entered its judgment in favor of PhRMA, but rejected PhRMA’s request to consider the legality of the Interpretive Rule. The upshot of this decision is that if PhRMA wants to challenge the Interpretive Rule, it will have to do so through a separate action.
Florida enacted a new data breach reporting law, the Florida Information Protection Act (“FIPA”), which will affect most, if not all, healthcare businesses. The law became effective the first of this month (July 1, 2014).
The deadline for data breach reporting under FIPA is now 30 days, shortened from 45 days in the previous version of the statute. Sec. 501.171(3)(a). However, Florida’s Department of Legal Affairs may grant a 15-day extension of time for good cause. Because HIPAA requires data breaches to be reported no later than 60 days, this new law requires data breaches to be reported to Florida’s Department of Legal Affairs before reporting must be made with the Secretary of Health and Human Services. 45 C.F.R. §§ 164.400-414; further details on HIPAA reporting requirements are available here.
FIPA is codified within Florida’s chapter on consumer protection statutes at Sec. 501.171, Fla. Stat. and replaces a data breach provision previously located within the criminal code. Despite its transition from a criminal statute to a civil statute, the law explicitly states that it does not provide a private cause of action. Sec. 501.171(10), Fla. Stat.
A copy of the statute can be found, in bill form, here. For additional information on the new law, please see our longer article.
On January 8, 2014, we noted several proposed changes to the Medicare Part C and D programs as delineated in CMS’ January 8th proposed rule (hereinafter “Proposed Rule”). On Monday, May 19, 2014, CMS issued the final rule, titled Medicare Program; Contract Year 2015 Policy and Technical Changes to the Medicare Advantage and the Medicare Prescription Drug Benefit Programs (hereinafter the “Final Rule”). The Final Rule will be codified at 42 C.F.R. Parts 417, 422, 423, and 424. Although the Final Rule codifies many provisions of the Proposed Rule, an array of provisions in the Final Rule differ. For practitioners comfortable with provisions contained in the Proposed Rule, we suggest a careful reading of the Final Rule as various high-impact provisions have been modified or deleted. A summary of key deviations from the Proposed Rule, contained in the Final Rule, is as follows:
- Agent/Broker Program Modifications:
  - The Final Rule eliminates the proposed changes to agent/broker training and testing requirements;
  - The Final Rule replaces the proposed 35% of FMV cap with a 50% of FMV cap on MAO or sponsor compensation to independent agents for plan enrollee renewals for years two through six as codified at §§ 422.2274 and 423.2274.
- Drug Categories or Classes of Clinical Concern:
  - The Final Rule eliminates all proposed criteria for drug categories of clinical concerns;
  - The Final Rule maintains the existing six protected classes.
- Improving Payment Accuracy – Overpayment Identification and Overpayment Returns:
  - Responses to comments in the Final Rule clarify that the 60-day period for reporting and returning overpayments begins on the date an organization identifies it has received an overpayment, with the term identification including awareness of erroneous data submitted to CMS that caused or will cause CMS to overpay the organization, rather than the date of calculation of such overpayment;
  - The Final Rule modifies the Proposed Rule overpayment provision § 422.326(d), which requires reporting and returning of overpayments within 60 days, by including at the end of paragraph § 422.326(d) the phrase “unless otherwise directed by CMS for the purpose of § 422.311,” in order to clarify that, when an MA organization has a contract selected for a RADV audit under § 422.311, during the audit the MA organization will not be allowed to report and return overpayments under § 422.326 that are due to errors in the data used to risk-adjust payments for the audited contract;
  - The Final Rule revises the §§ 422.326(c) and 423.360(c) definition of “identified overpayment” as “an overpayment when the MA organization has determined, or should have determined through the exercise of reasonable diligence, that the MA organization has received an overpayment,” thereby eliminating the proposed definition of “actual knowledge” or “acts in reckless disregard or deliberate ignorance of the existence of the overpayment”;
  - Responses to comments in the Final Rule clarify the term “applicable reconciliation” for Part C and Part D programs;
  - The Final Rule applies the 6-year look-back period to fraud-related overpayments by eliminating the following proposed statement from §§ 422.326(e) and 423.360(e), “Overpayments resulting from fraud are not subject to this [6-year] limitation of the look-back period.”
On Wednesday, the Centers for Medicare and Medicaid Services (“CMS”) issued a second round of long-awaited red tape reduction initiatives aimed at ameliorating overly burdensome provider regulations. The changes, memorialized within a Final Rule scheduled for publication on May 12, 2014 (available for review here: http://federalregister.gov/a/2014-10687) (“Unpublished Final Rule”) include significant easing of Conditions of Participation (“CoPs”) related to medical staffs and governing boards, as well as other changes targeted toward provider operational efficiencies. The changes include, notably:
- Removal of the CoP requirement that individually certified hospitals, even within integrated health systems, retain separate medical staffs. Under the Unpublished Final Rule, a multi-hospital system may now have a “unified and integrated” staff, subject to certain restrictions (including a requirement that staff members of individually certified hospitals vote to participate, or opt out, of the unified staff structure).
- Removal of the requirement that a hospital’s governing body must include a member of the medical staff, and insertion of a requirement that the governing body consult from time to time with the medical staff representative.
- Removal of the requirement that Critical Access Hospitals (“CAHs”), Rural Health Clinics (“RHCs”) and Federally Qualified Health Centers (“FQHCs”) have a physician present at least once every two weeks.
- Removal of the requirement that a CAH develop its policies and procedures with at least one individual who is not a member of the CAH staff.
- Reduction of requirements that ambulatory surgical centers (“ASCs”) must satisfy in order to provide radiological services to patients, and removal of the requirement that a doctor of medicine or osteopathy supervise all radiological services in an ASC setting.
- Revision of the outpatient services CoP to permit practitioners who are not members of a hospital’s medical staff to order outpatient services for their patients, when authorized by the medical staff and permitted by state law.
- Removal of redundant data submission requirements for transplant centers.
Squire Sanders (US) LLP has specific expertise in guiding clients through the medical staffing, structure, governance and policy issues that have arisen throughout the health reform era, and particularly in the context of integrated and accountable care settings. If you have questions about the Unpublished Final Rule, and would like to position your organization to take best advantage of it, please contact us.
Given the 880,000 names of physicians released by Medicare Wednesday, physicians who treat Medicare patients can expect their names to be on the list. The list, searchable here, contains the name of the provider, the specialty area, the city, county and state as well as the total payments made to the provider by Medicare for 2012. Searches can be conducted nationally or by state. Although released by the government, the list resulted from a lawsuit brought by the Wall Street Journal (WSJ) to gain access to Medicare billing data. For background, see this WSJ article. The WSJ article also contains a chart that lists the top fifteen specialties that have resulted in the highest average payments per provider.
Physician groups have been concerned that the release of data in such a raw and bulk form, without context, will lead to misinterpretations, confusion and unjust accusations of fraud. Although the full ramifications of the release are impossible to predict at this time, some things seem clear for the immediate future. Physicians, and systems that employ them, need to be prepared for the questions they are likely to receive from patients and the media. Physicians and hospitals need to take these questions seriously and develop useful answers. Careless comments are likely to raise even more questions. In fact, it may be a good practice for physicians and hospitals to search this database just to know what is out there in public. It may not be just about Facebook anymore.
In the midterm future, the release is likely to cause increased scrutiny during audits. After all, a provider who receives payments above the average in a specialty area is likely to receive closer scrutiny from an auditor.
In the long term, we can expect more investigations under the False Claims Act. In fact, one of the reasons for releasing the data was to unleash public scrutiny of providers in order to identify and root out fraud. Correct or not, more scrutiny is coming.
The Florida legislature is currently considering proposed legislation that may affect the way in which managed care organizations, insurers, third-party payors, pharmacy benefit managers and other entities audit pharmacies in Florida. The Florida House of Representatives, Health Innovation Subcommittee, is reviewing HB 745, which proposes to create a “Pharmacy audit bill of rights.” The Health Policy Committee of the Florida Senate considered a similar bill, CS/SB 702, titled “Pharmacy audits; rights.” Both bills set forth specific time periods for providing notice of on-site audits, for conducting on-site audits, and for providing preliminary and final reports. The bills require payment of pharmacy claims that were retroactively denied for clerical errors if the prescriptions were dispensed correctly unless there is a pattern of errors or allegations of fraudulent billing. The bills do not apply to audits related to suspected fraudulent activity or fee-for-service claims under the Medicaid program.
The bills vary dramatically, however, on their enforcement mechanisms. HB 745 allows for a private cause of action for willful violations of the law, including the potential to recover treble damages and an award of attorneys’ fees. CS/SB 702 does not provide a private cause of action. Rather, it requires the Florida Office of Insurance Regulation to investigate complaints of willful violations and deems a violation of the audit rights as an unfair claim settlement practice.