Header graphic for print


Healthcare reform winners & losers

Florida’s New Data Breach Notification Law Shortens the Time Period for Reporting Data Breaches

Posted in Data Protection, Florida, Privacy

Florida enacted a new data breach reporting law, the Florida Information Protection Act (“FIPA”), which will affect most, if not all, healthcare businesses.  The law became effective the first of this month (July 1, 2014). 

The deadline for data breach reporting under FIPA is now 30 days, shortened from 45 days in the previous version of the statute.   Sec. 501.171(3)(a). However, the Florida’s Department of Legal Affairs may grant a 15 day extension of time for good cause.  Because HIPAA requires data breaches to be reported within no later than 60 days, this new law requires data breaches to be reported to Florida’s Department of Legal Affairs before reporting must be made with the Secretary of Health and Human Services.  45 C.F.R. §§ 164.400-414; further details on HIPAA reporting requirements are available here.    

FIPA is codified within Florida’s chapter on consumer protection statutes at Sec. 501.171, Fla. Stat. and replaces a data breach provision previously located with the criminal code.  Despite its transition from criminal statute to a civil statute, the law explicitly states that it does not provide a private cause of action.  Sec. 501.171(10), Fla. Stat.

A copy of the statute can be found, in bill form, here.    For additional information on the new law, please see our longer article.

Best Practice on Data Privacy

Posted in Compliance, Data Protection, Electronic Health Records, Privacy, Uncategorized
 Most organizations would agree that data privacy must be treated as a priority issue, not least because of the financial and reputational consequences of a data breach.  Squire Patton Boggs has a global team of specialists advising clients on local and global data issues. Two members of our team, Tom Zeno and Lindsay Holmes have written a two part article looking at some of the core data privacy issues faced by US organizations and giving practical advice on compliance. The first part, which can be read here, looks at best practices for avoiding costly data breaches, focusing on the importance of familiarity with relevant federal and state laws and concluding with a series of practical tips for protecting data held by your organization.  The second part, which can be read here, looks at how to respond quickly and effectively to data breaches. In particular, it considers the importance of having a tested and up-to-date response and recovery plan in place and talks in detail about how to put such a plan together.The articles will be helpful for all organizations but they are aimed particularly at organizations in the healthcare sector.For more information, please feel free to contact Tom or Lindsay.

CMS Finalizes Medicare Part C and Part D Program Changes for Contract Year 2015: Moderate Deviations from Proposed Rule

Posted in Compliance, Department of Health and Human Services, False Claims Act, Fraud and Abuse, Insurance, Managed Care, Medicare Part D, Payer/Insurance Reform, Payment Methodologies, Pharmaceutical, PPACA, Publications

On January 8, 2014, we noted several proposed changes to the Medicare Part C and D programs as delineated in CMS’ January 8th proposed rule (hereinafter “Proposed Rule”). On Monday, May 19, 2014, CMS issued the final rule, titled Medicare Program; Contract Year 2015 Policy and Technical Changes to the Medicare Advantage and the Medicare Prescription Drug Benefit Programs (hereinafter the “Final Rule”). The Final Rule will be codified at 42 C.F.R. Parts 417, 422, 423, and 424. Although the Final Rule codifies many provisions of the Proposed Rule, an array of provisions in the Final Rule differ. For practitioners comfortable with provisions contained in the Proposed Rule, we suggest a careful reading of the Final Rule as various high-impact provisions have been modified or deleted. A summary of key deviations from the Proposed Rule, contained in the Final Rule, are as follows:

  1. Agent/Broker Program Modifications:
    • The Final Rule eliminates the proposed changes to agent/broker training and testing requirements;
    • The Final Rule replaces the proposed 35% of FMV cap with a 50% of FMV cap on MAO or sponsor compensation to independent agents for plan enrollee renewals for years two through six as codified at §§ 422.2274 and 423.2274.
  2. Drug Categories or Classes of Clinical Concern:
    • The Final Rule eliminates all proposed criteria for drug categories of clinical concerns;
    • The Final Rule maintains the existing six protected classes.
  3. Improving Payment Accuracy – Overpayment Identification and Overpayment Returns:
    • Response to comments in the Final Rule clarify that the 60-day period for reporting and returning overpayments begins on the date an organization identifies it has received an overpayment, with the term identification including awareness of erroneous data submitted to CMS that caused or will cause CMS to overpay the organization, rather than the date of calculation of such overpayment;
    • The Final Rule modifies the Proposed Rule overpayment provision § 422.326(d), which requires reporting and returning of overpayments within 60 days, by including at the end of paragraph § 422.326(d) the phrase “unless otherwise directed by CMS for the purpose of § 422.311,” in order to clarify that, when an MA organization has a contract selected for a RADV audit under § 422.311, during the audit the MA organization will not be allowed to report and return overpayments under § 422.326 that are due to errors in the data used to risk-adjust payments for the audited contract;
    • The Final Rule revises the §§ 422.326(c) and 423.360(c) definition of “identified overpayment” as “an overpayment when the MA organization has determined, or should have determined through the exercise of reasonable diligence, that the MA organization has received an overpayment,” thereby eliminating the proposed definition of “actual knowledge” or “acts in reckless disregard or deliberate ignorance of the existence of the overpayment”;
    • Response to comments in the Final Rule clarify the term “applicable reconciliation” for Part C and Part D programs;
    • The Final Rule applies the 6-year look-back period to fraud-related overpayments by eliminating the following proposed statement from §§ 422.326(e) and 423.360(e), “Overpayments resulting from fraud are not subject to this [6-year] limitation of the look-back period.” Continue Reading

CMS Issues Medicare and Medicaid Final Rule: Significant Changes to Conditions of Participation

Posted in Compliance, Department of Health and Human Services, Governance/Management, Hospitals, Physician Practice, Publications, Regulatory Compliance

On Wednesday, the Centers for Medicare and Medicaid Services (“CMS”) issued a second round of long-awaited red tape reduction initiatives aimed at ameliorating overly burdensome provider regulations.  The changes, memorialized within a Final Rule scheduled for publication on May 12, 2014 (available for review here: http://federalregister.gov/a/2014-10687) (“Unpublished Final Rule”)  include significant easing of Conditions of Participation (“CoPs”) related to medical staffs and governing boards, as well as other changes targeted toward provider operational efficiencies.  The changes include, notably:

  • Removal of the CoP requirement that individually certified hospitals, even within integrated health systems, retain separate medical staffs.  Under the Unpublished Final Rule, a multi-hospital system may now have a “unified and integrated” staff, subject to certain restrictions (including a requirement that staff members of individually certified hospitals vote to participate, or opt out, of the unified staff structure). 
  • Removal of the requirement that a hospital’s governing body must include a member of the medical staff, and insertion of a requirement that the governing body consult from time to time with the medical staff representative.
  • Removal of the requirement that Critical Access Hospitals (“CAHs”), Rural Health Clinics (“RHCs”) and Federally Qualified Health Centers (“FQHCs”) have a physician present at least once every two weeks. 
  • Removal of the requirement that a CAH develop its policies and procedures with at least one individual who is not a member of the CAH staff.
  • Reduction of requirements that ambulatory surgical centers (“ASCs”) must satisfy in order to provide radiological services to patients, and removal of the requirement that a doctor of medicine or osteopathy supervise all radiological services in an ASC setting. 
  • Revision of the outpatient services CoP to permit practitioners who are not members of a hospital’s medical staff to order outpatient services for their patients, when authorized by the medical staff and permitted by state law.
  • Removal of redundant data submission requirements for transplant centers.

Squire Sanders (US) LLP has specific expertise in guiding clients through the medical staffing, structure, governance and policy issues that have arisen though out the health reform era, and particularly in the context of integrated  and accountable care settings.  If you have questions about the Unpublished Final Rule, and would like to position your organization to take best advantage of it, please contact us.

Is Your Name on the List?

Posted in Compliance, Department of Health and Human Services, False Claims Act, Fraud and Abuse, Managed Care, Medicare Advantage, Medicare Part D, Payer/Insurance Reform, Payment Methodologies, Physician Practice

Given the 880,000 names of physicians released by Medicare Wednesday, physicians who treat Medicare patients can expect their names to be on the list.  The list, searchable here, contains the name of the provider, the specialty area, the city, county and state as well as the total payments made to the provider by Medicare for 2012.  Searches can be conducted nationally or by state.  Although released by the government, the list resulted from a lawsuit brought by the Wall Street Journal (WSJ) to gain access to Medicare billing data.  For background, see this WSJ article.  The WSJ article also contains a chart that lists the top fifteen specialties that have resulted in the highest average payments per provider. 

Physician groups have been concerned that the release of data in such a raw and bulk form, without context, will lead to misinterpretations, confusion and unjust accusations of fraud.  Although the full ramifications of the release are impossible to predict at this time, some things seem clear for the immediate future.  Physicians, and systems that employ them, need to be prepared for the questions they are likely to receive from patients and the media.   Physicians and hospitals need take these questions seriously and develop useful answers.  Careless comments are likely to raise even more questions.  In fact, it may be a good practice for physicians and hospitals to search this database just to know what is out there in public.  It may not be just about Facebook anymore. 

In the midterm future, the release is likely to cause increased scrutiny during audits.  After all, a provider who receives payments above the average in a specialty area is likely to receive closer scrutiny from an auditor.  

In the long term, we can expect more investigations under the False Claims Act.  In fact, one of the reasons for releasing the data was to unleash a public scrutiny of providers in order to identify and root out fraud.  Correct or not, more scrutiny is coming.

Florida Proposes Pharmacy Audit Rights Legislation

Posted in Compliance, Fraud and Abuse, Insurance, Managed Care, Medicare Advantage, Medicare Part D, Pharmaceutical

The Florida legislature is currently considering proposed legislation that may affect the way in which managed care organizations, insurers, third-party payors, pharmacy benefit managers and other entities audit pharmacies in Florida.  The Florida House of Representatives, Health Innovation Subcommittee, is reviewing HB 745, which proposes to create a “Pharmacy audit bill of rights.”  The Health Policy Committee of the Florida Senate considered a similar bill, CS/SB 702, titled “Pharmacy audits; rights.”  Both bills set forth specific time periods for providing notice of on-site audits, for conducting on-site audits, and for providing preliminary and final reports.  The bills require payment of pharmacy claims that were retroactively denied for clerical errors if the prescriptions were dispensed correctly unless there is a pattern of errors or allegations of fraudulent billing.  The bills do not apply to audits related to suspected fraudulent activity or fee-for-service claims under the Medicaid program. 

The bills vary dramatically, however, on their enforcement mechanisms.   HB 745 allows for a private cause of action for willful violations of the law, including the potential to recover treble damages and an award of attorneys’ fees.  CS/SB 702 does not provide a private cause of action.  Rather, it requires the Florida Office of Insurance Regulation to investigate complaints of willful violations and deems a violation of the audit rights as an unfair claim settlement practice.

Essential Health Benefits Continue to Be Clarified by State Insurance Departments

Posted in Insurance, Payer/Insurance Reform, PPACA

On February 27, 2014, the D.C. Department of Insurance, Securities, and Banking (DISB) released a bulletin reminding insurers that medically necessary treatment for gender dysphoria, including gender reassignment surgeries, is a mandated benefit in the District of Columbia.  This is not the case in every state and serves as a reminder for health insurance plans required by federal law to offer “essential health benefits” (EHBs) that state law continues to play the primary role in defining that state’s EHBs.

Since 2011 when the U.S. Secretary of Health and Human Services opted to define EHBs under the Patient Protection and Affordable Care Act (PPACA) based on a “benchmark” plan selected for each state, the specific EHBs that insurers must offer in a state have often remained an enigma.  After all, PPACA merely requires the Secretary to define EHBs for ten broad benefit categories:

(1) ambulatory patient services;

(2) emergency services;

(3) hospitalization;

(4) maternity and newborn care;

(5) mental health and substance use disorder services, including behavioral health treatment;

(6) prescription drugs;

(7) rehabilitative and habilitative services and devices;

(8) laboratory services;

(9) preventive and wellness services and chronic disease management; and

(10) pediatric services, including oral and vision care.

The problem is that none of the benchmark plans are EHB compliant.  The reason is that the plans were approved for use in the market before the EHB laws took effect.  So, when federal law refers to the EHB “benchmark” plan, it is not actually referring to the plan that was selected to define EHBs for a state.  Federal law categorizes that plan as simply the “base-benchmark plan.”  Instead, the EHB benchmark plan is a “standardized set” of EHBs that most likely cannot be located in one simple, exhaustive document.

In other words, EHBs are something seemingly more nebulous and ethereal.  One must look to a broad range of sources to discover the EHBs for a given state, including the base-benchmark plan, insurance department bulletins, state law, and the like.

Identifying the overall EHBs for a state is only the first step as the substance of each benefit also varies from state to state.  The recently released DISB memorandum is a strong reminder of this.  While treatment of gender dysphoria is not required to be a standalone benefit, plans must be prepared to cover this treatment under other applicable benefit categories.  A failure to identify these state-specific benefits that may not be expressly listed in existing approved policies can lead to lengthy delays in obtaining state insurance department approval for newly filed policies and can even lead to the need to file amendments or riders to existing polices, as the DISB is requiring.

With the approval of qualified health plans last summer that are being offered in the health insurance exchanges, states made a lot of progress toward defining their EHBs.  Still, as demonstrated by the DISB memorandum, EHBs continue to be clarified.  Both insurers with existing plans in the market and those insurers gearing up to file qualified health plans and off-exchange products for 2015 must be sure to take these developments into account.

CMS Adds to the Growing Guidance on Third Party Premium Payments

Posted in Department of Health and Human Services, Hospitals, Insurance, Payer/Insurance Reform, Payment Methodologies, PPACA

On February 7, 2014, the Centers for Medicare and Medicaid Services (CMS) issued a memorandum that adds to the growing library of federal guidance on the permissibility of and limitations for health care providers and other entities paying the premiums of patients covered by qualified health plans (QHPs) in the health insurance exchanges or marketplaces.  The guidance significantly limits the types of third party premium payment arrangements that CMS would find to be acceptable.

In a memorandum issued on November 4, 2013, CMS first revealed its concern that third party payments of premiums could lead to adverse selection by skewing the insurance risk pool and creating an unlevel field in the exchanges.  It expressly encouraged QHPs issuers “to reject such third party payments.”  CMS suggested that it may “take appropriate action, if necessary.”

In its latest memorandum, CMS clarified that its original guidance does not apply to similar arrangements on behalf of QHP enrollees from Indian tribes, tribal organizations, urban Indian organizations, and state and federal government programs and grantees.  For all other arrangements, CMS established a narrow exception for “private, not-for-profit foundations” if a foundation makes the premium payment on behalf of QHP enrollees who satisfy defined criteria that are based on financial status and do not consider enrollees’ health status.  CMS expects the payments for the premium and any cost sharing payments to cover the entire policy year.

In taking this position, CMS is encouraging QHP issuers to reject the premium payments by hospitals, other health care providers, and any other commercial entities that provide the funds for such payments.  This would include payments to provide either a month or so of coverage while a particular treatment or procedure is provided or even coverage for an entire policy year.

Given that the exchange market laws strictly limit when QHP issuers may terminate an enrollee’s coverage, the most likely method for QHP issuers to reject premiums after the premiums have been accepted is to rescind the enrollee’s coverage.  The exchange market rules permit QHP issuers to rescind coverage where the enrollee (or a person on his or her behalf) has performed an act, practice, or omission that constitutes fraud or made an intentional misrepresentation of material fact “as prohibited by the terms of the plan or coverage.”  QHP issuers would need to include a prohibition on third party premium payments in their policies.  Since QHPs rely on the exchanges for the application and the contract, the most likely document to include such a statement would be the member handbook/evidence of coverage.  Where an enrollee or someone on his or her behalf ignores the prohibition and submits a third party premium payment, the submission may constitute fraud or an intentional misrepresentation of material fact justifying rescission and the return of the premium payment.

It is not clear whether state insurance departments that have regulatory authority over the member handbook/evidence of coverage will support CMS’ position and permit the inclusion of language prohibiting third party payments.  Overly broad prohibitions may raise concerns that QHP issuers will attempt to rescind coverage under unintended circumstances, such as where family provides financial support.  Therefore, any prohibition on third party premium payments should be crafted with precision and to avoid such concerns.

As noted above, CMS’ guidance adds to a growing list of guidance on this topic from the federal government.  On October 30, 2013, the Secretary of Health and Human Services (“HHS”) confirmed that HHS does not view QHPs or the programs related to the exchanges as federal health care programs that would then implicate fraud and abuse laws, such as the federal Anti-Kickback Statute.  On December 2, 2013, the HHS Office of the Inspector General issued an advisory opinion approving a non-profit, tax-exempt charitable organization’s premium support program.  Interestingly, whereas CMS would only approve of an arrangement that does not base support on health status, the OIG-approved arrangement was limited to a population with a specific disease.  Of course, the OIG was concerned with the application of the Anti-Kickback Statute while CMS is concerned with adverse selection.

Despite the additional guidance from CMS, unless CMS engages in new rule making, CMS’ options to prohibit arrangements outside the scope it has approved appear to be limited.  Rather, its guidance appears to be more of a green light for QHP issuers to begin taking steps to reject third party premium payments, including by rescinding enrollees’ coverage.  Already, Blue Cross Blue Shield of Louisiana announced a new policy that effective March 1, 2014 it will no longer accept third party payments for premiums, except in the case of family support.  Diverging from CMS guidance, this policy also applies to Ryan White clients.  Given the CMS policy and actions insurance companies are taking, any hospital, health care provider or other entity considering a third party premium arrangement must ensure that it structures the arrangement to comply with all applicable federal and state requirements and guidance and particular insurer’s policies.

Is CMS Prepared for Evolving Medical Records Technology?

Posted in Compliance, Department of Health and Human Services, Electronic Health Records, Fraud and Abuse, Regulatory Compliance, Technology

Health care fraud accounts for billions of the US health expenditure each year. This week HHS published a study addressing possible deficiencies in CMS’ capability to address fraud vulnerabilities and ensure the integrity of electronic health records (“EHR”) systems which CMS and its contractors use to pay Medicare claims. Concerns about whether CMS’ oversight and fraud detection practices have caught up with rapidly evolving medical records technology, from paper records to EHRs, prompted the Office of Inspector General (“OIG”) to conduct this study. Although the transition from paper to electronic records is projected to increase efficiency and benefit patients, experts have warned that EHRs can make the commission of fraud easier as key fraud identifiers, like the ability to trace authorship and documentation, may be lacking. The study results help exemplify that CMS has work to do if it is to thoroughly combat fraudulent EHR practices. 

EHRs differ from paper medical records in many ways. Aspects of paper records that can be used to demonstrate authenticity, like handwriting styles, are not available when using electronic records. Additionally, features of EHR systems can be used to commit fraud. Documentation practices such as the copy-past function, which conveniently allows the user to “select information from one source and replicate it in another location,” can lead to medical inaccuracies that result in inappropriate charges billed to patients and third-party payors. It can also lead to inflated claims and the creation of fraudulent claims. Another feature called auto-population allows for easier “overdocumentation” where false information is inserted in the record to “create the appearance of support for billing higher level services.”

The study used surveys to question CMS administrative and program integrity contractors, who use medical records to pay Medicare claims, identify inappropriate payment and investigate fraud, about how they have adjusted their fraud identification practices when using EHRs instead of paper records. OIG also reviewed EHR guidance and policies released by CMS and its contractors regarding EHR fraud vulnerabilities.

The study found that very few contractors had altered the way they reviewed EHRs as compared to paper records, and CMS placed no requirement on them to do so. It also found that although such features like audit logs are unique to EHRs and can be used to track modifications and authenticate records, very few contractors utilized them for this purpose. Contractors also responded that they did not have the capability to determine if a provider had copy-pasted or overdocumented. Additionally, the guidance provided by CMS regarding EHR fraud vulnerabilities has been limited. CMS has indicted that record keeping “within an EHR deserves special consideration,” but has provided no additional guidance. 

Based on these results, OIG made several fairly obvious recommendations: (1) to provide specific guidance to CMS contractors on detecting EHR fraud; and (2) to instruct CMS contractors to utilize audit logs to authenticate medical records for claims purposes. CMS has since responded to these recommendations and agreed that guidance and set of best practices for EHR fraud detection are needed, which it will work to provide. CMS also agreed that audit logs could be helpful authentication tools, but disagreed that contractors should be required to use them in every situation. Thus, they may be appropriate in some circumstances, but their use should not be required.

Program integrity is integral to the functioning of the Medicare program and to reducing the cost of health care fraud. This study has helped bring to light deficiencies that CMS will have to quickly address in order keep up with evolving medical records technology.

Squire Sanders lawyers have significant experience advising clients on EHR implementation and compliance issues. For more information on how we can assist you, please contact the Squire Sanders Healthcare Practice Group

Preserving the Attorney-Client Privilege for In-House Counsel

Posted in Governance/Management, Publications

In the December 2013 edition of AHLA Connections, Tom Zeno and Emily Root analyzed the application of the attorney-client privilege to in house counsel and provided five practice tips to maximize the protection of the privilege for in house counsel.  In the article, Emily and Tom explore often overlooked principles of the privilege and illustrate the principles through specific cases such as Vioxx, Halifax, and Shire Pharmaceutical.  The article compares ways in which courts apply the privilege to outside counsel and in house counsel and discusses the nuances required for in house counsel to maintain attorney-client privilege. Tom and Emily offer guidance on practical steps health care organizations can take to preserve the privilege that will result in increased protection for in house counsel and the company.

For further information on this or other matters, please contact Tom Zeno or Emily Root.