Header graphic for print


Healthcare reform winners & losers

Business Associate Agreement Update Deadline

Posted in Compliance, HIPAA, Privacy

September 22, 2014 is the deadline to have business associate and data use agreements updated to conform to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Final Omnibus Rule  (the Omnibus Rule), which became effective September 23, 2013. 

The Omnibus Rule’s transition provisions  protect eligible business associate agreements and data use agreements until the deadline. In early 2013, the US Department of Health and Human Services published the Omnibus Rule, which includes a transition provision permitting a covered entity, or a business associate with respect to a subcontractor, to continue to create, receive, maintain or transmit protected health information in reliance on a business associate agreement that complies with the prior rules. A similar transition provision permits a covered entity to continue to transmit a limited data set to a recipient in reliance on a data use agreement that complies with the prior rules. The transition provisions allow covered entities and business associates to operate under the earlier agreements until the deadline.

The transition provisions apply to business associate agreements and data use agreements entered into prior to January 25, 2013 that complied with HIPAA rules then in effect so long as the agreement was not modified between March 26, 2013 and September 23, 2013.

Compliance with the Omnibus Rule requires careful review of existing business associate agreements and inclusion of a number of new requirements including, but not limited to:

  • Compliance with certain provisions of the Security Rule;
  • Business associates obtaining satisfactory assurances from subcontractors that they agree to comply with the Security Rule when they create, receive, maintain or transmit PHI, and that they agree to the same restrictions that apply to the business associate regarding PHI;
  • Business associates must report any security incidents, including breaches of unsecured PHI to the covered entity; and
  • Business associates must comply with the requirements of the Privacy Rule when carrying out any of the covered entity’s obligations under the Privacy Rule.

The federal government has indicated it will expand its HIPAA oversight through compliance reviews and audits. Accordingly, both covered entities and business associates should consider conducting internal HIPAA audits and assessments to help identify and address any areas of concern.

HRSA issues 340B Interpretive Rule

Posted in FDA, Hospitals

The Health Resources and Services Administration (HRSA) of the US Department of Health and Human Services (HHS) recently announced the availability of an interpretive rule (the “Interpretive Rule”) regarding section 340B(e) of the Public Health Service Act (PHSA), effective July 21, 2014.

This Interpretive Rule comes on the heels of the US District Court for the District of Columbia’s ruling that HHS does not have the authority to issue substantive rules regarding section 340B(e)’s orphan drug exclusion. PhRMA v. HHS, No. 13-01501 (D.D.C. May 23, 2014). The court’s decision, however, left open the ability of HHS to issue interpretive rules on the provision. Accordingly, HRSA has characterized the former substantive rule as interpretive.

The rule is largely unchanged.  The Interpretive Rule, “Implementation of the Exclusion of Orphan Drugs for Certain Covered Entities Under the 340B Program,” affirms the agency’s previous guidance that pharmaceutical manufacturers must significantly discount orphan drugs for off-label uses. The Interpretive Rule specifically states that HHS interprets 340B(e) of the PHSA as excluding from the drug pricing program “drugs that are transferred, prescribed, sold, or otherwise used for the rare condition or disease for which the drug was designated” under the Federal Food, Drug, and Cosmetic Act (FFDCA). The Interpretive Rule states that the PHSA does not exclude from the program “drugs that are transferred, prescribed, sold, or otherwise used for conditions or diseases other than for which the drug was designated” under the FFDCA.

For pharmaceutical manufacturers, the Interpretive Rule means that HRSA and HHS will continue to require that orphan drugs be provided to freestanding cancer hospitals and other newly eligible entities at 340B Program rates when the drugs are transferred, prescribed, sold or otherwise used for conditions or diseases other than for which the drug was designated under Section 526 of the FFDCA.

Update:  On August 27, 2014, the U.S District Court for the District of Columbia issued its final judgment in PhRMA v. HHS.  The court entered its judgment in favor of PhRMA, but rejected PhRMA’s reqeust to consider the legality of the Interpretive Rule.  The upshot of this decision is that if PhRMA wants to challenge the Interpretive Rule, it will have to do so through a separate action.

Robert D. Nauman
T: +1 614 365 2721
E: robert.nauman@squirepb.com
Stanford L. Moore
T:  +1 614 365 2793
E:  stanford.moore@squirepb.com


Florida’s New Data Breach Notification Law Shortens the Time Period for Reporting Data Breaches

Posted in Data Protection, Florida, Privacy

Florida enacted a new data breach reporting law, the Florida Information Protection Act (“FIPA”), which will affect most, if not all, healthcare businesses.  The law became effective the first of this month (July 1, 2014). 

The deadline for data breach reporting under FIPA is now 30 days, shortened from 45 days in the previous version of the statute.   Sec. 501.171(3)(a). However, the Florida’s Department of Legal Affairs may grant a 15 day extension of time for good cause.  Because HIPAA requires data breaches to be reported within no later than 60 days, this new law requires data breaches to be reported to Florida’s Department of Legal Affairs before reporting must be made with the Secretary of Health and Human Services.  45 C.F.R. §§ 164.400-414; further details on HIPAA reporting requirements are available here.    

FIPA is codified within Florida’s chapter on consumer protection statutes at Sec. 501.171, Fla. Stat. and replaces a data breach provision previously located with the criminal code.  Despite its transition from criminal statute to a civil statute, the law explicitly states that it does not provide a private cause of action.  Sec. 501.171(10), Fla. Stat.

A copy of the statute can be found, in bill form, here.    For additional information on the new law, please see our longer article.

Best Practice on Data Privacy

Posted in Compliance, Data Protection, Electronic Health Records, Privacy, Uncategorized
 Most organizations would agree that data privacy must be treated as a priority issue, not least because of the financial and reputational consequences of a data breach.  Squire Patton Boggs has a global team of specialists advising clients on local and global data issues. Two members of our team, Tom Zeno and Lindsay Holmes have written a two part article looking at some of the core data privacy issues faced by US organizations and giving practical advice on compliance. The first part, which can be read here, looks at best practices for avoiding costly data breaches, focusing on the importance of familiarity with relevant federal and state laws and concluding with a series of practical tips for protecting data held by your organization.  The second part, which can be read here, looks at how to respond quickly and effectively to data breaches. In particular, it considers the importance of having a tested and up-to-date response and recovery plan in place and talks in detail about how to put such a plan together.The articles will be helpful for all organizations but they are aimed particularly at organizations in the healthcare sector.For more information, please feel free to contact Tom or Lindsay.

CMS Finalizes Medicare Part C and Part D Program Changes for Contract Year 2015: Moderate Deviations from Proposed Rule

Posted in Compliance, Department of Health and Human Services, False Claims Act, Fraud and Abuse, Insurance, Managed Care, Medicare Part D, Payer/Insurance Reform, Payment Methodologies, Pharmaceutical, PPACA, Publications

On January 8, 2014, we noted several proposed changes to the Medicare Part C and D programs as delineated in CMS’ January 8th proposed rule (hereinafter “Proposed Rule”). On Monday, May 19, 2014, CMS issued the final rule, titled Medicare Program; Contract Year 2015 Policy and Technical Changes to the Medicare Advantage and the Medicare Prescription Drug Benefit Programs (hereinafter the “Final Rule”). The Final Rule will be codified at 42 C.F.R. Parts 417, 422, 423, and 424. Although the Final Rule codifies many provisions of the Proposed Rule, an array of provisions in the Final Rule differ. For practitioners comfortable with provisions contained in the Proposed Rule, we suggest a careful reading of the Final Rule as various high-impact provisions have been modified or deleted. A summary of key deviations from the Proposed Rule, contained in the Final Rule, are as follows:

  1. Agent/Broker Program Modifications:
    • The Final Rule eliminates the proposed changes to agent/broker training and testing requirements;
    • The Final Rule replaces the proposed 35% of FMV cap with a 50% of FMV cap on MAO or sponsor compensation to independent agents for plan enrollee renewals for years two through six as codified at §§ 422.2274 and 423.2274.
  2. Drug Categories or Classes of Clinical Concern:
    • The Final Rule eliminates all proposed criteria for drug categories of clinical concerns;
    • The Final Rule maintains the existing six protected classes.
  3. Improving Payment Accuracy – Overpayment Identification and Overpayment Returns:
    • Response to comments in the Final Rule clarify that the 60-day period for reporting and returning overpayments begins on the date an organization identifies it has received an overpayment, with the term identification including awareness of erroneous data submitted to CMS that caused or will cause CMS to overpay the organization, rather than the date of calculation of such overpayment;
    • The Final Rule modifies the Proposed Rule overpayment provision § 422.326(d), which requires reporting and returning of overpayments within 60 days, by including at the end of paragraph § 422.326(d) the phrase “unless otherwise directed by CMS for the purpose of § 422.311,” in order to clarify that, when an MA organization has a contract selected for a RADV audit under § 422.311, during the audit the MA organization will not be allowed to report and return overpayments under § 422.326 that are due to errors in the data used to risk-adjust payments for the audited contract;
    • The Final Rule revises the §§ 422.326(c) and 423.360(c) definition of “identified overpayment” as “an overpayment when the MA organization has determined, or should have determined through the exercise of reasonable diligence, that the MA organization has received an overpayment,” thereby eliminating the proposed definition of “actual knowledge” or “acts in reckless disregard or deliberate ignorance of the existence of the overpayment”;
    • Response to comments in the Final Rule clarify the term “applicable reconciliation” for Part C and Part D programs;
    • The Final Rule applies the 6-year look-back period to fraud-related overpayments by eliminating the following proposed statement from §§ 422.326(e) and 423.360(e), “Overpayments resulting from fraud are not subject to this [6-year] limitation of the look-back period.” Continue Reading

CMS Issues Medicare and Medicaid Final Rule: Significant Changes to Conditions of Participation

Posted in Compliance, Department of Health and Human Services, Governance/Management, Hospitals, Physician Practice, Publications, Regulatory Compliance

On Wednesday, the Centers for Medicare and Medicaid Services (“CMS”) issued a second round of long-awaited red tape reduction initiatives aimed at ameliorating overly burdensome provider regulations.  The changes, memorialized within a Final Rule scheduled for publication on May 12, 2014 (available for review here: http://federalregister.gov/a/2014-10687) (“Unpublished Final Rule”)  include significant easing of Conditions of Participation (“CoPs”) related to medical staffs and governing boards, as well as other changes targeted toward provider operational efficiencies.  The changes include, notably:

  • Removal of the CoP requirement that individually certified hospitals, even within integrated health systems, retain separate medical staffs.  Under the Unpublished Final Rule, a multi-hospital system may now have a “unified and integrated” staff, subject to certain restrictions (including a requirement that staff members of individually certified hospitals vote to participate, or opt out, of the unified staff structure). 
  • Removal of the requirement that a hospital’s governing body must include a member of the medical staff, and insertion of a requirement that the governing body consult from time to time with the medical staff representative.
  • Removal of the requirement that Critical Access Hospitals (“CAHs”), Rural Health Clinics (“RHCs”) and Federally Qualified Health Centers (“FQHCs”) have a physician present at least once every two weeks. 
  • Removal of the requirement that a CAH develop its policies and procedures with at least one individual who is not a member of the CAH staff.
  • Reduction of requirements that ambulatory surgical centers (“ASCs”) must satisfy in order to provide radiological services to patients, and removal of the requirement that a doctor of medicine or osteopathy supervise all radiological services in an ASC setting. 
  • Revision of the outpatient services CoP to permit practitioners who are not members of a hospital’s medical staff to order outpatient services for their patients, when authorized by the medical staff and permitted by state law.
  • Removal of redundant data submission requirements for transplant centers.

Squire Sanders (US) LLP has specific expertise in guiding clients through the medical staffing, structure, governance and policy issues that have arisen though out the health reform era, and particularly in the context of integrated  and accountable care settings.  If you have questions about the Unpublished Final Rule, and would like to position your organization to take best advantage of it, please contact us.

Is Your Name on the List?

Posted in Compliance, Department of Health and Human Services, False Claims Act, Fraud and Abuse, Managed Care, Medicare Advantage, Medicare Part D, Payer/Insurance Reform, Payment Methodologies, Physician Practice

Given the 880,000 names of physicians released by Medicare Wednesday, physicians who treat Medicare patients can expect their names to be on the list.  The list, searchable here, contains the name of the provider, the specialty area, the city, county and state as well as the total payments made to the provider by Medicare for 2012.  Searches can be conducted nationally or by state.  Although released by the government, the list resulted from a lawsuit brought by the Wall Street Journal (WSJ) to gain access to Medicare billing data.  For background, see this WSJ article.  The WSJ article also contains a chart that lists the top fifteen specialties that have resulted in the highest average payments per provider. 

Physician groups have been concerned that the release of data in such a raw and bulk form, without context, will lead to misinterpretations, confusion and unjust accusations of fraud.  Although the full ramifications of the release are impossible to predict at this time, some things seem clear for the immediate future.  Physicians, and systems that employ them, need to be prepared for the questions they are likely to receive from patients and the media.   Physicians and hospitals need take these questions seriously and develop useful answers.  Careless comments are likely to raise even more questions.  In fact, it may be a good practice for physicians and hospitals to search this database just to know what is out there in public.  It may not be just about Facebook anymore. 

In the midterm future, the release is likely to cause increased scrutiny during audits.  After all, a provider who receives payments above the average in a specialty area is likely to receive closer scrutiny from an auditor.  

In the long term, we can expect more investigations under the False Claims Act.  In fact, one of the reasons for releasing the data was to unleash a public scrutiny of providers in order to identify and root out fraud.  Correct or not, more scrutiny is coming.

Florida Proposes Pharmacy Audit Rights Legislation

Posted in Compliance, Fraud and Abuse, Insurance, Managed Care, Medicare Advantage, Medicare Part D, Pharmaceutical

The Florida legislature is currently considering proposed legislation that may affect the way in which managed care organizations, insurers, third-party payors, pharmacy benefit managers and other entities audit pharmacies in Florida.  The Florida House of Representatives, Health Innovation Subcommittee, is reviewing HB 745, which proposes to create a “Pharmacy audit bill of rights.”  The Health Policy Committee of the Florida Senate considered a similar bill, CS/SB 702, titled “Pharmacy audits; rights.”  Both bills set forth specific time periods for providing notice of on-site audits, for conducting on-site audits, and for providing preliminary and final reports.  The bills require payment of pharmacy claims that were retroactively denied for clerical errors if the prescriptions were dispensed correctly unless there is a pattern of errors or allegations of fraudulent billing.  The bills do not apply to audits related to suspected fraudulent activity or fee-for-service claims under the Medicaid program. 

The bills vary dramatically, however, on their enforcement mechanisms.   HB 745 allows for a private cause of action for willful violations of the law, including the potential to recover treble damages and an award of attorneys’ fees.  CS/SB 702 does not provide a private cause of action.  Rather, it requires the Florida Office of Insurance Regulation to investigate complaints of willful violations and deems a violation of the audit rights as an unfair claim settlement practice.

Essential Health Benefits Continue to Be Clarified by State Insurance Departments

Posted in Insurance, Payer/Insurance Reform, PPACA

On February 27, 2014, the D.C. Department of Insurance, Securities, and Banking (DISB) released a bulletin reminding insurers that medically necessary treatment for gender dysphoria, including gender reassignment surgeries, is a mandated benefit in the District of Columbia.  This is not the case in every state and serves as a reminder for health insurance plans required by federal law to offer “essential health benefits” (EHBs) that state law continues to play the primary role in defining that state’s EHBs.

Since 2011 when the U.S. Secretary of Health and Human Services opted to define EHBs under the Patient Protection and Affordable Care Act (PPACA) based on a “benchmark” plan selected for each state, the specific EHBs that insurers must offer in a state have often remained an enigma.  After all, PPACA merely requires the Secretary to define EHBs for ten broad benefit categories:

(1) ambulatory patient services;

(2) emergency services;

(3) hospitalization;

(4) maternity and newborn care;

(5) mental health and substance use disorder services, including behavioral health treatment;

(6) prescription drugs;

(7) rehabilitative and habilitative services and devices;

(8) laboratory services;

(9) preventive and wellness services and chronic disease management; and

(10) pediatric services, including oral and vision care.

The problem is that none of the benchmark plans are EHB compliant.  The reason is that the plans were approved for use in the market before the EHB laws took effect.  So, when federal law refers to the EHB “benchmark” plan, it is not actually referring to the plan that was selected to define EHBs for a state.  Federal law categorizes that plan as simply the “base-benchmark plan.”  Instead, the EHB benchmark plan is a “standardized set” of EHBs that most likely cannot be located in one simple, exhaustive document.

In other words, EHBs are something seemingly more nebulous and ethereal.  One must look to a broad range of sources to discover the EHBs for a given state, including the base-benchmark plan, insurance department bulletins, state law, and the like.

Identifying the overall EHBs for a state is only the first step as the substance of each benefit also varies from state to state.  The recently released DISB memorandum is a strong reminder of this.  While treatment of gender dysphoria is not required to be a standalone benefit, plans must be prepared to cover this treatment under other applicable benefit categories.  A failure to identify these state-specific benefits that may not be expressly listed in existing approved policies can lead to lengthy delays in obtaining state insurance department approval for newly filed policies and can even lead to the need to file amendments or riders to existing polices, as the DISB is requiring.

With the approval of qualified health plans last summer that are being offered in the health insurance exchanges, states made a lot of progress toward defining their EHBs.  Still, as demonstrated by the DISB memorandum, EHBs continue to be clarified.  Both insurers with existing plans in the market and those insurers gearing up to file qualified health plans and off-exchange products for 2015 must be sure to take these developments into account.

CMS Adds to the Growing Guidance on Third Party Premium Payments

Posted in Department of Health and Human Services, Hospitals, Insurance, Payer/Insurance Reform, Payment Methodologies, PPACA

On February 7, 2014, the Centers for Medicare and Medicaid Services (CMS) issued a memorandum that adds to the growing library of federal guidance on the permissibility of and limitations for health care providers and other entities paying the premiums of patients covered by qualified health plans (QHPs) in the health insurance exchanges or marketplaces.  The guidance significantly limits the types of third party premium payment arrangements that CMS would find to be acceptable.

In a memorandum issued on November 4, 2013, CMS first revealed its concern that third party payments of premiums could lead to adverse selection by skewing the insurance risk pool and creating an unlevel field in the exchanges.  It expressly encouraged QHPs issuers “to reject such third party payments.”  CMS suggested that it may “take appropriate action, if necessary.”

In its latest memorandum, CMS clarified that its original guidance does not apply to similar arrangements on behalf of QHP enrollees from Indian tribes, tribal organizations, urban Indian organizations, and state and federal government programs and grantees.  For all other arrangements, CMS established a narrow exception for “private, not-for-profit foundations” if a foundation makes the premium payment on behalf of QHP enrollees who satisfy defined criteria that are based on financial status and do not consider enrollees’ health status.  CMS expects the payments for the premium and any cost sharing payments to cover the entire policy year.

In taking this position, CMS is encouraging QHP issuers to reject the premium payments by hospitals, other health care providers, and any other commercial entities that provide the funds for such payments.  This would include payments to provide either a month or so of coverage while a particular treatment or procedure is provided or even coverage for an entire policy year.

Given that the exchange market laws strictly limit when QHP issuers may terminate an enrollee’s coverage, the most likely method for QHP issuers to reject premiums after the premiums have been accepted is to rescind the enrollee’s coverage.  The exchange market rules permit QHP issuers to rescind coverage where the enrollee (or a person on his or her behalf) has performed an act, practice, or omission that constitutes fraud or made an intentional misrepresentation of material fact “as prohibited by the terms of the plan or coverage.”  QHP issuers would need to include a prohibition on third party premium payments in their policies.  Since QHPs rely on the exchanges for the application and the contract, the most likely document to include such a statement would be the member handbook/evidence of coverage.  Where an enrollee or someone on his or her behalf ignores the prohibition and submits a third party premium payment, the submission may constitute fraud or an intentional misrepresentation of material fact justifying rescission and the return of the premium payment.

It is not clear whether state insurance departments that have regulatory authority over the member handbook/evidence of coverage will support CMS’ position and permit the inclusion of language prohibiting third party payments.  Overly broad prohibitions may raise concerns that QHP issuers will attempt to rescind coverage under unintended circumstances, such as where family provides financial support.  Therefore, any prohibition on third party premium payments should be crafted with precision and to avoid such concerns.

As noted above, CMS’ guidance adds to a growing list of guidance on this topic from the federal government.  On October 30, 2013, the Secretary of Health and Human Services (“HHS”) confirmed that HHS does not view QHPs or the programs related to the exchanges as federal health care programs that would then implicate fraud and abuse laws, such as the federal Anti-Kickback Statute.  On December 2, 2013, the HHS Office of the Inspector General issued an advisory opinion approving a non-profit, tax-exempt charitable organization’s premium support program.  Interestingly, whereas CMS would only approve of an arrangement that does not base support on health status, the OIG-approved arrangement was limited to a population with a specific disease.  Of course, the OIG was concerned with the application of the Anti-Kickback Statute while CMS is concerned with adverse selection.

Despite the additional guidance from CMS, unless CMS engages in new rule making, CMS’ options to prohibit arrangements outside the scope it has approved appear to be limited.  Rather, its guidance appears to be more of a green light for QHP issuers to begin taking steps to reject third party premium payments, including by rescinding enrollees’ coverage.  Already, Blue Cross Blue Shield of Louisiana announced a new policy that effective March 1, 2014 it will no longer accept third party payments for premiums, except in the case of family support.  Diverging from CMS guidance, this policy also applies to Ryan White clients.  Given the CMS policy and actions insurance companies are taking, any hospital, health care provider or other entity considering a third party premium arrangement must ensure that it structures the arrangement to comply with all applicable federal and state requirements and guidance and particular insurer’s policies.