Last week, CMS announced that it intends to reopen the submission period for hardship exception applications for eligible professionals and eligible hospitals to avoid the 2015 Medicare payment adjustments for not demonstrating meaningful use of Certified Electronic Health Record Technology (CEHRT). This reopening process will be addressed through future rulemaking. Previously, the hardship exception application deadline was April 1, 2014 for eligible hospitals and July 1, 2014 for eligible professionals; however, the new deadline will be November 30, 2014.
As part of the American Recovery and Reinvestment Act of 2009 (ARRA), Congress mandated payment adjustments under Medicare for eligible hospitals, critical access hospitals, and eligible professionals that are not meaningful users of CEHRT. The ARRA allows the Secretary to consider hardship exceptions for eligible hospitals, critical access hospitals, and eligible professionals to avoid the payment adjustments.
This reopened hardship exception application submission period is limited to the following circumstances for eligible professionals and eligible hospitals that:
- Have been unable to fully implement 2014 Edition CEHRT due to delays in 2014 Edition CEHRT availability; and
- Eligible professionals who were unable to attest by October 1, 2014 and eligible hospitals that were unable to attest by July 1, 2014 using the flexibility options provided in the CMS 2014 CEHRT Flexibility Rule.
We will continue to monitor the rulemaking process related to this extension.
Over the years, various instruments have narrowed and darkened providers’ appellate rights relating to Medicare underpayment and recoupments. Recent court decisions, however, may put providers’ Medicare appeal rights back on the yellow brick road. On August 6th, the U.S. District Court for the District of Columbia issued three injunctions, each prohibiting HHS, the PRRB and CMS’s Medicare contractors from further narrowing providers’ rights to appeal Medicare underpayments. These injunctions were issued in three related cases filed on behalf of over 40 hospitals by members of the Squire Patton Boggs Medicare Reimbursement Team in Denver and Washington, DC. The hospitals’ underlying reimbursement claims involve the Medicare outlier supplemental payment program and certain rural floor, budget neutrality adjustments. For further reading, see How to Navigate the Narrow Path to Reimbursement Appeal by Mimi Brouillette and Stephen Nash.
In a recent article, Eugenia Pierson, a Principal in Squire Patton Boggs Public Policy Health Care Practice, urged providers to prepare for HRSA’s promulgation of the 340B mega rule. In addition to safety net hospitals struggling with ACA implementation, tight state budgets, and delivery system reform, 340B issues and anticipated program changes promise to be another complicating factor with strong potential to restrict the program and the millions of dollars in savings hospitals and clinics are currently receiving. Her article discusses several key issues that the 340B mega rule is contemplated to resolve. She hypothesizes the upcoming 340B mega rule will resolve: (1) the definitions of eligible patient and covered entity; (2) diversion issues; (3) contract pharmacy compliance; (4) limits on 340B revenue; and (5) shift the focus to the patient.
There may be more criminal cases involving healthcare fraud in the near future, as the U.S. Department of Justice has announced it will be ramping up its review of whistleblower cases involving alleged health care fraud. In a recent speech, Leslie R. Caldwell, Assistant Attorney General for the DOJ’s Criminal Division, announced that the U.S. Department of Justice was further ramping up its review of False Claims Act lawsuits, with special attention being paid to cases involving claims of health care fraud.
So what’s new? First, the Criminal Division is putting more resources into reviewing cases for potential criminal investigation and prosecution. The Criminal Division has a Health Care Fraud Unit staffed with 40 attorneys (almost half of the attorneys in the Fraud section), which Ms. Caldwell describes as “the largest and most prolific unit of criminal prosecutors dedicated solely to health care fraud in the country.”
The Criminal Division will now immediately see all of the qui tam or whistleblower actions filed as soon as the Civil Division sees them. As reported by Mark Jacoby for MainJustice, this new, streamlined process may yield quicker parallel criminal investigations.
In addition, Ms. Caldwell’s remarks began and ended with an invitation to the members of Taxpayers Against Fraud Education Fund, a non-profit funded by successful whistleblowers and their lawyers. ”[W]hen you are thinking of filing a qui tam case that alleges conduct that potentially could be criminal, I encourage you to consider reaching out to criminal authorities, just as you now do with our civil counterparts in the department and the U.S. Attorney’s Offices,” Caldwell said.
What to expect going forward? The DOJ will continue its own efforts in the nine Strike Force cities (Baton Rouge, Brooklyn, Chicago, Dallas, Detroit, Houston, Los Angeles, Miami and Tampa) as well as identifying fraud by crunching CMS data. But Caldwell also expressed the Criminal Division’s interest in looking harder and sooner at whistleblower and other actions against physicians, executives, hospitals, and healthcare companies of all types as part of its expanding focus on healthcare fraud.
The widely reported data breach at Community Health Systems, Inc. (CHS) appears to have relied upon a “spear phish email” to launch the initial malware, according to a recent alert from the FBI. Experts engaged by CHS believe that the attacker is an “Advanced Persistent Threat.” The FBI alert provides tips for organizations to prevent or identify a similar breach as well as technical information about specific network and host indicators. Companies with valuable intellectual property or with data covered by HIPAA (Health Insurance Portability and Accountability Act of 1996) are advised to heed the FBI’s warning.
This is not the first such alert. In April, the FBI generally warned healthcare providers that their cybersecurity systems are lax. Unfortunately, it appears the FBI was all too correct. Cyber criminals orchestrated the largest ever-external criminal cyber-attack on CHS. In the months-long attack, hackers were able to bypass CHS’s security measures and successfully copy and transfer certain patient data outside the company.
The FBI warns that intellectual property also is at risk. In addition to healthcare providers, the hackers appear to be targeting entities in the medical device industry in order to steal development information about medical devices and equipment.
The attackers launched this attack with highly sophisticated malware and technology. The British Broadcasting Corporation reported that the malware was the infamous “Heartbleed” bug. Once the gateway was open, the attackers scanned the memory on networked devices for user logons and passwords. The attackers could then log on using virtual private network technology to scan and transmit data.
The CHS breach affected approximately 4.5 million individuals — patients of physicians affiliated with CHS in the last five years. The hackers did not breach the systems for clinical records but did access demographic data — patient names, addresses, birth dates, telephone numbers, and social security numbers. HIPAA considers individually identifiable health information, including demographic data, as protected health information. It is possible that the hackers will use the data for identity theft purposes.
CHS reported that it has fixed the issue. While CHS carries cyber/privacy liability insurance it is providing appropriate notification to affected patients and regulatory agencies as required by federal and state law, and offering identity theft protection services to individuals affected by this attack.
The rapid implementation of interoperable electronic health records creates an increasingly attractive target for criminal cyber-attacks. This incident and the FBI’s alert should prompt a review of system security by healthcare organizations.
September 22, 2014 is the deadline to have business associate and data use agreements updated to conform to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Final Omnibus Rule (the Omnibus Rule), which became effective September 23, 2013.
The Omnibus Rule’s transition provisions protect eligible business associate agreements and data use agreements until the deadline. In early 2013, the US Department of Health and Human Services published the Omnibus Rule, which includes a transition provision permitting a covered entity, or a business associate with respect to a subcontractor, to continue to create, receive, maintain or transmit protected health information in reliance on a business associate agreement that complies with the prior rules. A similar transition provision permits a covered entity to continue to transmit a limited data set to a recipient in reliance on a data use agreement that complies with the prior rules. The transition provisions allow covered entities and business associates to operate under the earlier agreements until the deadline.
The transition provisions apply to business associate agreements and data use agreements entered into prior to January 25, 2013 that complied with HIPAA rules then in effect so long as the agreement was not modified between March 26, 2013 and September 23, 2013.
Compliance with the Omnibus Rule requires careful review of existing business associate agreements and inclusion of a number of new requirements including, but not limited to:
- Compliance with certain provisions of the Security Rule;
- Business associates obtaining satisfactory assurances from subcontractors that they agree to comply with the Security Rule when they create, receive, maintain or transmit PHI, and that they agree to the same restrictions that apply to the business associate regarding PHI;
- Business associates must report any security incidents, including breaches of unsecured PHI to the covered entity; and
- Business associates must comply with the requirements of the Privacy Rule when carrying out any of the covered entity’s obligations under the Privacy Rule.
The federal government has indicated it will expand its HIPAA oversight through compliance reviews and audits. Accordingly, both covered entities and business associates should consider conducting internal HIPAA audits and assessments to help identify and address any areas of concern.
The Health Resources and Services Administration (HRSA) of the US Department of Health and Human Services (HHS) recently announced the availability of an interpretive rule (the “Interpretive Rule”) regarding section 340B(e) of the Public Health Service Act (PHSA), effective July 21, 2014.
This Interpretive Rule comes on the heels of the US District Court for the District of Columbia’s ruling that HHS does not have the authority to issue substantive rules regarding section 340B(e)’s orphan drug exclusion. PhRMA v. HHS, No. 13-01501 (D.D.C. May 23, 2014). The court’s decision, however, left open the ability of HHS to issue interpretive rules on the provision. Accordingly, HRSA has characterized the former substantive rule as interpretive.
The rule is largely unchanged. The Interpretive Rule, “Implementation of the Exclusion of Orphan Drugs for Certain Covered Entities Under the 340B Program,” affirms the agency’s previous guidance that pharmaceutical manufacturers must significantly discount orphan drugs for off-label uses. The Interpretive Rule specifically states that HHS interprets 340B(e) of the PHSA as excluding from the drug pricing program “drugs that are transferred, prescribed, sold, or otherwise used for the rare condition or disease for which the drug was designated” under the Federal Food, Drug, and Cosmetic Act (FFDCA). The Interpretive Rule states that the PHSA does not exclude from the program “drugs that are transferred, prescribed, sold, or otherwise used for conditions or diseases other than for which the drug was designated” under the FFDCA.
For pharmaceutical manufacturers, the Interpretive Rule means that HRSA and HHS will continue to require that orphan drugs be provided to freestanding cancer hospitals and other newly eligible entities at 340B Program rates when the drugs are transferred, prescribed, sold or otherwise used for conditions or diseases other than for which the drug was designated under Section 526 of the FFDCA.
Update: On August 27, 2014, the U.S District Court for the District of Columbia issued its final judgment in PhRMA v. HHS. The court entered its judgment in favor of PhRMA, but rejected PhRMA’s reqeust to consider the legality of the Interpretive Rule. The upshot of this decision is that if PhRMA wants to challenge the Interpretive Rule, it will have to do so through a separate action.
Florida enacted a new data breach reporting law, the Florida Information Protection Act (“FIPA”), which will affect most, if not all, healthcare businesses. The law became effective the first of this month (July 1, 2014).
The deadline for data breach reporting under FIPA is now 30 days, shortened from 45 days in the previous version of the statute. Sec. 501.171(3)(a). However, the Florida’s Department of Legal Affairs may grant a 15 day extension of time for good cause. Because HIPAA requires data breaches to be reported within no later than 60 days, this new law requires data breaches to be reported to Florida’s Department of Legal Affairs before reporting must be made with the Secretary of Health and Human Services. 45 C.F.R. §§ 164.400-414; further details on HIPAA reporting requirements are available here.
FIPA is codified within Florida’s chapter on consumer protection statutes at Sec. 501.171, Fla. Stat. and replaces a data breach provision previously located with the criminal code. Despite its transition from criminal statute to a civil statute, the law explicitly states that it does not provide a private cause of action. Sec. 501.171(10), Fla. Stat.
A copy of the statute can be found, in bill form, here. For additional information on the new law, please see our longer article.
On January 8, 2014, we noted several proposed changes to the Medicare Part C and D programs as delineated in CMS’ January 8th proposed rule (hereinafter “Proposed Rule”). On Monday, May 19, 2014, CMS issued the final rule, titled Medicare Program; Contract Year 2015 Policy and Technical Changes to the Medicare Advantage and the Medicare Prescription Drug Benefit Programs (hereinafter the “Final Rule”). The Final Rule will be codified at 42 C.F.R. Parts 417, 422, 423, and 424. Although the Final Rule codifies many provisions of the Proposed Rule, an array of provisions in the Final Rule differ. For practitioners comfortable with provisions contained in the Proposed Rule, we suggest a careful reading of the Final Rule as various high-impact provisions have been modified or deleted. A summary of key deviations from the Proposed Rule, contained in the Final Rule, are as follows:
- Agent/Broker Program Modifications:
- The Final Rule eliminates the proposed changes to agent/broker training and testing requirements;
- The Final Rule replaces the proposed 35% of FMV cap with a 50% of FMV cap on MAO or sponsor compensation to independent agents for plan enrollee renewals for years two through six as codified at §§ 422.2274 and 423.2274.
- Drug Categories or Classes of Clinical Concern:
- The Final Rule eliminates all proposed criteria for drug categories of clinical concerns;
- The Final Rule maintains the existing six protected classes.
- Improving Payment Accuracy – Overpayment Identification and Overpayment Returns:
- Response to comments in the Final Rule clarify that the 60-day period for reporting and returning overpayments begins on the date an organization identifies it has received an overpayment, with the term identification including awareness of erroneous data submitted to CMS that caused or will cause CMS to overpay the organization, rather than the date of calculation of such overpayment;
- The Final Rule modifies the Proposed Rule overpayment provision § 422.326(d), which requires reporting and returning of overpayments within 60 days, by including at the end of paragraph § 422.326(d) the phrase “unless otherwise directed by CMS for the purpose of § 422.311,” in order to clarify that, when an MA organization has a contract selected for a RADV audit under § 422.311, during the audit the MA organization will not be allowed to report and return overpayments under § 422.326 that are due to errors in the data used to risk-adjust payments for the audited contract;
- The Final Rule revises the §§ 422.326(c) and 423.360(c) definition of “identified overpayment” as “an overpayment when the MA organization has determined, or should have determined through the exercise of reasonable diligence, that the MA organization has received an overpayment,” thereby eliminating the proposed definition of “actual knowledge” or “acts in reckless disregard or deliberate ignorance of the existence of the overpayment”;
- Response to comments in the Final Rule clarify the term “applicable reconciliation” for Part C and Part D programs;
- The Final Rule applies the 6-year look-back period to fraud-related overpayments by eliminating the following proposed statement from §§ 422.326(e) and 423.360(e), “Overpayments resulting from fraud are not subject to this [6-year] limitation of the look-back period.” Continue Reading