HHS Task Force Identifies Critical Cybersecurity Recommendations

The recent WannaCry ransomware attack and the bevy of breaches over the past few years demonstrate that cyber risks in the healthcare arena are substantial and widespread. The Department of Health and Human Services (HHS) Health Care Industry Cybersecurity (HCIC) Task Force Report (HCIC Report), required under the federal Cybersecurity Information Sharing Act of 2015, details many risks and recommended improvements across the healthcare sector. Released on June 2, 2017, after taking into account input from a diverse group of healthcare stakeholders, including organizations, industry experts and the government, the HCIC Report identifies six “imperatives” to improve healthcare cybersecurity:

  1. Cyber Governance: Define and streamline leadership, governance and expectations for healthcare industry cybersecurity.
  2. Increase Health IT Security: Increase the security and resilience of medical devices and health IT.
  3. Education: Develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
  4. Increase Preparedness: Increase healthcare industry readiness through improved cybersecurity awareness and education.
  5. Protect IP and R&D: Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
  6. Improve Information Sharing: Improve information sharing of industry threats, weaknesses and mitigations.

Although some of the details recommended to achieve these imperatives may be considered controversial, the HCIC Report identifies some of the most critical risks and provides examples of measures every company can take today to mitigate cyber risk.

Continue Reading

Applying Escobar — Decisions on Materiality, Falsity and Other Issues

June 16, 2017, marks the one-year anniversary of the precedent-setting U.S. Supreme Court decision in Universal Health Services v. United States ex rel. Escobar (Escobar), which approved the implied false certification theory as a basis for liability under the False Claims Act (FCA). Because the decision impacts every provider who supplies goods and services to the federal government, all eyes were on the lower courts and how they will apply the decision. In an article for Bloomberg BNA Health Fraud Report, Tom Zeno and Rebecca Worthington reviewed recent FCA decisions on questions of materiality, falsity and other FCA concerns.

Escobar emphasized that the materiality inquiry is a “demanding” one. Upon remand, the First Circuit determined the language used by the Supreme Court “makes clear that courts are to conduct a holistic approach to determining materiality in connection with a payment decision, with no one factor being necessarily dispositive.” For establishing materiality, a holistic analysis of three factors is a favored test: (1) whether regulatory compliance was a condition of payment; (2) the centrality of the requirement in the regulatory program; and (3) whether the government paid claims despite actual knowledge that certain requirements were violated.

One unsettled question is whether Escobar set forth two requirements for establishing implied certification liability. In Escobar, the Supreme Court held that “implied certification theory can be a basis for liability, at least where two conditions are satisfied: first, the claim does not merely request payment, but also makes specific representations about the goods or services provided; and second, the defendant’s failure to disclose noncompliance with material statutory, regulatory, or contractual requirements makes those representations misleading half-truths.” Many courts have treated these two conditions as a mandatory two-part requirement.

Inferring insight from an active year of decisions, the authors also concluded that dismissal is likely when payments continue after actual knowledge of alleged fraud as well as when conduct such as altered invoices is alleged. Additionally, as expected, other jurisdictions are adopting the analysis of Escobar as seen in New Jersey, Chicago and the District of Columbia.

Read the full article here.

Ohio Expands Prescriptive Authority for Certain Advanced Practice Registered Nurses

On May 17, the Ohio Board of Nursing (the Board) adopted a new formulary which expands the prescriptive authority for certain of Ohio’s advanced practice registered nurses (APRNs). Specifically, this new “exclusionary” formulary applies to Ohio’s certified nurse practitioners, clinical nurse specialists and certified nurse midwives.  The new formulary was adopted pursuant to Ohio’s House Bill 216 (HB 216), which amended ORC § 4723.50 to require, in part, that the Board adopt a new exclusionary formulary permitting APRNs to prescribe any controlled substances except as prohibited by federal or state law, and except for drugs or devices to perform or induce abortions.  The exclusionary formulary also provides that the APRN’s prescriptive authority shall not exceed that of the APRN’s collaborating physician or podiatrist.

This new exclusionary formulary replaces Ohio’s previous APRN formulary which limited prescriptive authority to only those drugs specifically identified therein.  By permitting APRNs to potentially prescribe any controlled substance not otherwise prohibited by law, the new formulary appears to expand the prescriptive authority of Ohio’s APRNs.

Continue Reading

Lawyer Misconduct Dooms FCA Suit

A fraudulent survey of doctors sponsored by attorneys for a qui tam relator doomed a False Claims Act (FCA) complaint against a pharmaceutical company. In a forceful opinion, United States District Judge Dennis Saylor IV, District of Massachusetts, found violation of ethical rules, excised more than 100 paragraphs of the complaint as a sanction, and dismissed the truncated complaint for failure to meet the particularity standards required for an FCA complaint under Fed. R. Civ. P. 9(b).

When the government declined to intervene in an FCA suit alleging off label marketing, attorneys for the relator filed a second amended complaint based in large part on the results of a purported research study about prescribing practices for the drug. The survey, conducted via internet and telephone, by a doctor hired by the attorneys, was disclosed during discovery. The survey falsely represented that the resulting data would be used only for research purposes and would be kept confidential. Instead, the attorneys included data in the complaint such as names and addresses of 36 doctors as well as some information about their practices and some of their patients. Continue Reading

Can DOJ Impose False Claims Act on States?

The immense power wielded by the Department of Justice (DOJ) under the False Claims Act (FCA) has limits according to United States District Judge Anna J. Brown in the District of Oregon. This month the court decided DOJ cannot force the Act to apply to an “arm of the state” simply by intervening in the suit. Although a rare setback to a DOJ position on proper interpretation of the FCA, the issue may not yet be settled.

In 2013, relator Richard Doughty filed a qui tam suit on behalf of the United States alleging that Oregon Health and Sciences University (OHSU) submitted improper reimbursement rates for some projects supported by federal funds. In 2016, the United States intervened by filing its own complaint alleging violations of the FCA. OHSU moved to dismiss the complaints on the ground that it is not a “person” under the definition of those covered by the FCA because OHSU is an “arm of the state.” DOJ opposed dismissal on the ground that, when the United States intervenes and litigates in its own name, the United States may bring an FCA action against an arm of the state.

Judge Brown agreed with OHSU and dismissed the suit by relying upon a Supreme Court decision in another qui tam case, Vermont Agency of Natural Resources v. U.S. ex rel. Stevens. In that decision, the Supreme Court held the FCA “does not subject a State (or state agency) to liability” because of the “longstanding interpretative presumption that ‘person’ does not include the sovereign.” When deciding that OHSU was an “arm of the state,” Judge Brown considered these factors:

  • Would state funds pay a money judgment
  • Does the entity perform central government functions
  • May the entity sue and be sued
  • May the entity take property in its own name or only in the name of the State
  • What is the entity’s corporate status

DOJ attempted to distinguish Vermont Agency because the United States had declined to intervene in that case. Relying on concurrences in Vermont Agency, DOJ contended that, although a qui tam relator can be dismissed, DOJ’s decision to intervene makes a qualitative difference in application of the FCA. Judge Brown ruled otherwise.

In addition to concurrences in Vermont Agency, DOJ’s assertion of power over an FCA complaint may be bolstered by a recent decision of the Fourth Circuit. In that matter, DOJ declined to intervene in the litigation, but it also refused to agree to a settlement that was acceptable to the relator and to the defendant. Concluding that the United States was the real party in interest in FCA litigation, the Fourth Circuit joined with the Fifth and Sixth Circuits to hold that DOJ controls acceptance of a settlement. As the Fourth Circuit put it, “the Attorney General possesses an absolute veto power over voluntary settlements in FCA qui tam actions.”

This expansive view of DOJ’s authority over settlement conflicts with a Ninth Circuit decision holding that, “while the government may not obstruct the settlement and force a qui tam plaintiff to continue litigation, the government nevertheless may question the settlement for good cause.”

It remains to be seen whether DOJ will seek further review of the OSHU decision in order to secure the authority it seeks.

HHS Announces $400,000 HIPAA Settlement with Community Health Center

The Department of Health and Human Services Office of Civil Rights (HHS OCR) recently settled with a notable covered entity – a nonprofit Federally Qualified Community Health Center (FQHC) – over alleged Health Information Portability and Accountability Act (HIPAA) Privacy and Security Rule violations.

With the FQHC agreeing to pay $400,000 to HHS and entering into a corrective action plan, this settlement highlights how long HHS OCR investigations can take (five years from investigation start to settlement); how broad HHS OCR targets are (FQHCs are not safe from scrutiny); and just how onerous corrective action can be after an investigation.

Our data privacy and cybersecurity team has prepared an excellent, detailed summary of the case, which may be found here.

Elephants in the Room: What is Next for Health Policy?

Health policy in the US is a problem in search of a solution and, despite a current pause in actions, reform efforts will continue this year.

The Squire Patton Boggs policy team has put together an excellent article recapping recent events regarding the actions torepeal and replace the Affordable Care Act (ACA) and the decision to pull new health reform legislation from the House Floor.The article also explores several potential paths forward, including actions involving the American Health Care Act (AHCA),bipartisan opportunities in reauthorizations of current programs, potential appropriations activities and executive branch actions.

A copy of this excellent article may be found here.

OIG Expands Anti-Kickback Statute and Civil Monetary Penalties Protections (Part 2)

As we discussed in a previous post, the Department of Health and Human Services Office of Inspector General (OIG) published a final rule (Final Rule) amending the safe harbors to the Anti-Kickback Statue (AKS) and also amending exceptions to the Civil Monetary Penalties rule (CMP), providing greater protection for certain arrangements with beneficiaries.

In this second part of our two-part series, we discuss the Final Rule’s changes to the CMP.

Expanded Protections for CMP Beneficiary Inducement

The Final Rule adds five new exceptions for beneficiary arrangements, incorporating these exceptions into the CMP’s definition of “remuneration.”

  1. Copayment Reductions for Certain Outpatient Department Services

The OIG proposed a cost-sharing exception permitting reduction in the copayment amount for some or all covered hospital outpatient department services to no less than 20% of the Medicare fee schedule in its Proposed Rule. This cost-sharing exception builds upon Section 4523 of the Balanced Budget Act of 1997 (the BBA), which prompted the Secretary of the Department of Health and Human Services to establish a copayment reduction procedure.  In the Final Rule, the OIG added the exception into the definition of “remuneration” using substantively identical language to the statutory language.

  1. Certain Remuneration That Poses a Low Risk of Harm and Promotes Access to Care

The Final Rule adds a new interpretive exception that aligns with an existing statutory exception protecting “any other remuneration which promotes access to care and poses a low risk of harm to patients and Federal health care programs.” The OIG noted that “[t]his exception should be read in the context of more specific exceptions and safe harbors,” and it would look to those exceptions “to determine if remuneration poses a low risk of harm.” Certain arrangements that do not meet the exceptions for a safe harbor or exception may be protected under this exception. Any entity asserting such protection for its arrangements has the burden of demonstrating sufficient facts and analysis for the OIG to determine that the arrangement fits within the exception.

This exception builds off of specific aspects of the statutory language. The OIG defined “care” to mean items and services that are payable by Medicare, Medicaid or a state health program, but does not include a medically necessary qualifier. The OIG defined “promotes access” to limit the exception to only remuneration that “improves a particular beneficiary’s ability to obtain medically necessary items and services” for a defined beneficiary population, but not on an individual patient-by-patient basis. The OIG clarified that its interpretation of items or services that “promote access to care” captures giving patients the opportunities to remove socioeconomic, education and other barriers to access necessary care; while excluding items or services that purely reward patients for accessing care. Furthermore, remuneration associated with a coordinated care arrangement that meets the requirement of being low risk and assists patients to access necessary care can fit within this exception.

In addition to promoting access to care, remuneration must pose a low risk of harm to federal healthcare programs for protection under this exception. The OIG finalized its proposed interpretation of a “low risk of harm to Medicare and Medicaid beneficiaries and Medicare and Medicaid program” to mean that the remuneration must: “(1) be unlikely to interfere with, or skew, clinical decision-making; (2) be unlikely to increase costs to Federal health care programs or beneficiaries through overutilization or inappropriate utilization; and (3) not raise patient-safety or quality-of-care concerns.” In its commentary, the OIG cautioned that certain forms of remuneration (such as cash, cash equivalents and copayment waivers) and, specifically, remuneration provided in connection with marketing, are unlikely to be considered by the OIG to be low risk.

  1. Retailer Rewards

The OIG adopted the ACA’s statutory text creating an exception to the beneficiary inducements provisions of the CMP for retailer rewards programs that meet certain criteria. A retailer rewards program may offer or transfer items for free or less than fair market value if: (a) the items or services consist of coupons, rebates or other rewards from a retailer; (b) the items or services are offered or transferred on equal terms available to the general public, regardless of health insurance status; and (c) the offer or transfer of the items or services is not tied to the provision of other items or services reimbursed in whole or in part by Medicare or a state health program.

The OIG interprets “retailers” to be entities “that sell [ ] items directly to consumers . . . [and do not] primarily provide services,” including both big-box stores with pharmacies and smaller, independent pharmacies. These retailers may offer rewards that must not be copayment waivers. Additionally, these rewards must be available to everyone regardless of health insurance status, and must not be tied to the provision of items or services reimbursed by Medicare or a state healthcare program. For example, a reward of a $20 coupon that could be used on anything in the store would be eligible for protection, whereas a reward of federally reimbursable items stemming from the purchase of federally reimbursable items would not.

  1. Remuneration to Financially Needy Individuals

The Final Rule incorporates a third new statutory provision that excepts from the definition of “remuneration” the offer or transfer of items or services for free or less than fair market value if the following requirements are met: (a) the items and services are not advertised or tied to the provision of other items or services reimbursed by the Medicare or state healthcare programs (including Medicaid); (b) there is a reasonable connection between the items or services and the medical care of the individual; and (c) the recipient has been determined to be in financial need.

This exception, like others, does not impose any affirmative obligations on providers or suppliers to provide free items or services, waive copayments or implement any program that involves giving anything of value to beneficiaries; rather, this exception describes the circumstances under which such gifts or benefits are not prohibited by the beneficiary inducements CMP.

  1. Copayment Waivers for the First Fill of Generic Drugs

The OIG adopts another ACA statutory provision excepting from the definition of “remuneration” the waiver by a Part D Plan sponsor of any copayment for the first fill of a covered Part D drug. The OIG states that the purpose of this exception is to “minimize drug costs by encouraging the use of lower cost generic drugs.” The Part D Plan sponsor must include the waiver in its annual benefit design package it submits to CMS if the sponsor will use it. This exception is applicable to coverage years beginning on or after January 1, 2018.

Conclusion

While the AKS and CMP are often viewed by the healthcare and life science industries as impediments to improving the efficiency and innovation of healthcare delivery, the OIG in its Final Rule liberalizes those requirements by enhancing the flexibility of healthcare providers to engage in business arrangements that improve access to care, while still protecting federal programs and patients from fraud and abuse. In an environment where value-based reimbursement models and population health initiatives are the growing norm, the AKS and CMP exceptions under the Final Rule encourage hospitals, pharmacies, ambulance providers, Medicare Advantage Plans and FQHCs to collaborate and strategize among each other on efforts to better serve beneficiaries, members and patients alike.

House Ways and Means Committee Approves Revenue Provisions Relating to Proposed Repeal and Replacement of the Affordable Care Act

The House Ways and Means Committee approved legislation that would repeal the taxes enacted to fund the Affordable Care Act, and defer for five years the “Cadillac tax” on expensive health insurance policies. It also approved eliminating the penalty tax for not having health insurance, adopting a new refundable credit to help Americans pay for health insurance, and making revisions in tax law relating to health savings accounts and flexible savings accounts, including changes that adversely affect the treatment of health insurance plans that pay for abortions.

Our in-depth discussion of the proposed legislation may be found here.

OIG Expands Anti-Kickback Statute and Civil Monetary Penalties Protections

Late last year, the Department of Health and Human Services Office of the Inspector General (OIG) published a final rule (Final Rule) that amends the safe harbors to the federal Anti-Kickback Statute (AKS) by modifying an existing safe harbor, adding new safe harbors and codifying existing statutory provisions that provide further protections from sanctions under the AKS with respect to certain payment practices and business arrangements. The Final Rule also amends the exceptions to the civil monetary penalty rule (CMP) regarding beneficiary inducements by codifying revisions to the definition of “remuneration” added by the Balanced Budget Act of 1997 and the Patient Protection and Affordable Care Act, as amended (ACA).

Part one of this two-part series discusses the Final Rule’s changes to the AKS.  In the second installment, we will discuss the Final Rule’s changes to the CMP.

Expansion of AKS Safe Harbors

Protection for Cost-Sharing Waivers

The Final Rule significantly amends the existing safe harbor for waiver of beneficiary coinsurance and deductible amounts to create protection for  reducing or waiving a beneficiary’s copayment, coinsurance or deductible (collectively “cost-sharing”) amounts owed to a pharmacy or ambulance provider, subject to certain standards.

Pharmacy Cost-Sharing Waivers for Financially Needy Beneficiaries

Under the Final Rule, a pharmacy may reduce or waive the cost sharing amounts imposed under a federal healthcare program if the waiver or reduction meets the following standards: (i) the waiver or reduction is not offered as part of an advertisement or solicitation; (ii) the pharmacy does not routinely waive or reduce cost-sharing amounts; and (iii) the pharmacy waives the cost-sharing amount only after (a) determining in good-faith that the individual is either in financial need or (b) fails to collect the cost-sharing amount after making reasonable collection efforts.

The OIG declined to provide guidance on the number of cost sharing waivers that would be considered “routine,” and therefore, problematic. As pharmacies serve many different communities, including those with subsidy-eligible beneficiaries that are exempt from the prohibition against routine waivers, the OIG stated that it will neither mandate nor prohibit protocols to determine the number of waivers or reductions that pharmacies may develop to meet the safe harbor requirements. The OIG also declined to mandate specific guidelines for a pharmacy’s good faith determination of financial need, but emphasized that the guideline a pharmacy adopts must be reasonable and applied uniformly when performing the financial need assessment. Additionally, the OIG emphasized that a pharmacy must make an effort to collect the cost-sharing amounts. While the copayment amount or the “historical inability” to collect for a particular beneficiary may be “factors that are considered in determining what reasonable collection efforts are,” the pharmacy may not forego all collection efforts and must attempt to collect the cost-sharing amount.

Cost-Sharing Waivers or Reductions for Emergency Ambulance Services

The Final Rule also created a safe harbor related to ambulance services, a frequent topic of OIG Advisory Opinions. Specifically, this safe harbor permits coinsurance/deductible waivers or cost-sharing reductions by ambulance service providers for which Medicare pays under a fee-for-service payment system. The waiver or reduction of such cost sharing responsibilities by an ambulance provider in connection with “emergency ambulance services” falls within the protection of this newly established safe harbor so long as the ambulance provider: (1) is owned and operated by a state, a political subdivision of a state or a tribal health organization; (2) is enrolled as a Medicare Part B provider of the emergency ambulance services; (3) offers the waiver or reduction of cost-sharing amounts in a uniform manner to all individuals; and (4) does not later claim the amount reduced or waived as bad debt or otherwise shift the burden to Medicare, a state healthcare program, other payers or individuals. Importantly, the safe harbor only applies to emergency services, and privately owned ambulance providers do not qualify for safe harbor protection.

Protected Remuneration between FQHCs and Medicare Advantage Organizations

The OIG adopted a regulatory safe harbor to protect any remuneration between an FQHC (or an entity controlled by an FQHC) and an MA organization pursuant to a written agreement that meets certain statutory requirements. The statutory payment rule guarantees an FQHC a payment amount that at a minimum equals the amount the MA organization would make to a non-FQHC entity. Consistent with statutes, the safe harbor only protects payments related to an FQHC’s treatment of MA organization enrollees and does not include a fair market value requirement.

Protection for Discounts provided by Manufacturers on Drugs Furnished to Beneficiaries under the Medicare Coverage Gap Discount Program

The OIG also added safe harbor protection for drug price discounts when the discount is furnished to a beneficiary under the Medicare Coverage Gap Discount program established under the ACA. Under the Medicare Coverage Gap Discount, a manufacturer may offer discounts on drugs at the point of sale to an “applicable beneficiary” for an “applicable drug,” and the drug manufacturer participates in, and is in compliance with, the requirements of the Medicare Coverage Gap Discount Program.  An “applicable beneficiary” is an individual who, subject to a number of exclusions, has reached or exceeded the initial coverage limit for prescribed drugs, has not incurred costs for covered drugs in the year equal to the annual out-of-pocket threshold. An ‘‘applicable drug’’ is a part D drug or licensed biologic, available to an applicable beneficiary through an applicable formulary or provided through an exception or appeal.  OIG included these self-implementing statutory exceptions in its rulemaking for completeness.

Free or Discounted Local Transportation

The Final Rule also allows “eligible entities” to provide free or discounted local transportation to federal healthcare program beneficiaries to “established patients” in order to obtain medically necessary items or services so long as the eligible entities comply with the conditions of the regulation.

Under this new safe harbor, an “eligible entity” is any individual or entity, except individuals or entities that primarily supply healthcare items, like durable medical equipment suppliers or pharmaceutical companies.

The safe harbor protects round trip transportation from a patient’s home to a provider or supplier of services as long as the following conditions are met: (a) the eligible entity has a set policy regarding the availability of free  or discounted local transportation assistance, the policy is applied uniformly and consistently, and availability is not determined in a manner related to the past or anticipated volume or value of federal healthcare program business; (b) the mode of transportation cannot include air, luxury and ambulance-level transportation; (c) the transportation assistance cannot be publicly advertised or marketed to patients or others who are potential referral sources, marketing of healthcare items or services cannot occur during the course of the transportation, and drivers or others involved in arranging the transportation cannot be paid on a per-beneficiary-transported basis; (d) the eligible entity is prohibited from shifting the associated costs to Medicare, a state healthcare program, other payers or individuals; (e) the individual receiving the transportation benefit is an “established patient” of the eligible entity; and (f) the distance one-way traveled is no more than 25 miles from the healthcare provider or supplier, or 50 miles if the patient resides in a rural area.

A patient is considered to be an “established patient” for purposes of this safe harbor after he or she selects and initiates contact with a provider or supplier to schedule an appointment (e.g., telephone call). This differs from the standard under the Proposed Rule, where only patients who had selected a provider or supplier and had attended an appointment with the provider or supplier were deemed to be “established.” Because the eligible entity is not permitted to market the transportation services, OIG believes that making transportation available to new patients who contact the provider or supplier on their own initiative is sufficiently low risk to warrant safe harbor protection.

The OIG clarified that an eligible entity offering free or discounted local transportation need not require transportation to be planned in advance. Further, a transportation program can use vouchers rather than having the transportation provided directly by the eligible entity in the form of a shuttle service (discussed below) or other mode of transportation.

The safe harbor also protects the offering of a shuttle service by eligible entities. The term “shuttle” refers to a vehicle (except for air, luxury or ambulance) that runs on a set route and on a set schedule. Of note, the “established patient” requirement does not apply to shuttle services. However, shuttle transportation must remain “local,” meaning that there are no more than 25 miles between any stop on the route and any stop at a location where healthcare items or services are provided, or within 50 miles if the patient resides in a rural area. The marketing prohibitions also apply to shuttle services, except that the shuttle schedule and stops may be posted in public. All of the remaining requirements of the safe harbor (e.g., eligible entity requirements, other marketing restrictions and the prohibition on cost-shifting) apply to shuttle service offerings.

Technical Correction to Referral Safe Harbor

As a technical correction, the OIG finalized an amendment to the second standard of the referral service safe harbor to clarify that any payments participants make to the referral service must not be based on “the volume or value of any referrals to or business otherwise generated by either party for the other party . . . .” The prior language “for the referral service” may have supported an ambiguous interpretation that referral services may adjust their fees on the basis of the volume of referrals made to participants.

While the Final Rules’ provisions do not, on balance, appear to present a major change to the AKS, they do reflect a trend toward expanding the safe harbors and exceptions available under relevant fraud and abuse laws.

LexBlog