Illinois Court Dismisses Plaintiffs Privacy Claims Arising out of HIPAA Breach

POSTED BY CAROLYN V. METNICK ON SEPTEMBER 5, 2014

On July 10, 2014, a Kane County, Illinois Circuit Court granted a motion to dismiss with prejudice in favor of Advocate Health & Hospitals Corporation (Advocate) in a class action case arising out of a breach of patients' protected health information (PHI). In August 2013, Advocate reported one of the largest data breaches to date under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) after four laptops containing the unencrypted information of over four million patients were  stolen from an Advocate medical group administrative building. As a result of the breach, two patients filed a class action lawsuit alleging that Advocate failed to take necessary steps to safeguard patients' PHI. Plaintiffs' claims include: negligence, violation of the Illinois Personal Information Protection Act, violation of the Illinois Consumer Fraud Act and invasion of privacy. The Kane County Circuit Court granted Advocate's Motion to Dismiss the complaint with prejudice for lack of standing and failure to state a claim. 

The Court held that the plaintiffs lacked standing because they could not prove that the information stolen had been accessed or used, and therefore, they could not prove that there had been actual identify theft or harm. The Court stated that "there had been no injury and no change in the status quo." While the Court noted that there was an increased risk of harm due to the theft of the laptops and the potential accessibility of the unsecured PHI, there had been no impending certainty of identity theft. In order for the matter to be ripe, the thieves would actually have to disclose, sell to other criminals or otherwise misuse the PHI.

The Court further ruled that there were insufficient allegations of present injury to sustain negligence and Illinois Consumer Fraud Act claims. With respect to the invasion of privacy claim, the Court ruled that there were insufficient allegations of intentional conduct.

This case is an example of the challenges in bringing claims under state law for HIPAA data breaches. There is no private cause of action under HIPAA so plaintiffs must rely on state law theories. Because most, if not all, states require that plaintiffs show actual injury to state a sufficient claim, plaintiffs often must overcome a high hurdle because they cannot show that their PHI was used to commit identity theft or other harm. Even if there is an identity theft, they often cannot prove that the identity theft was the result of the HIPAA breach.   

Even though state causes of action may be difficult to prove, covered entities and business associates face penalties under HIPAA.  Also, although difficult, state causes of action are still a risk. Therefore, HIPAA covered entities and business associates should take steps to protect sensitive information, including encrypting PHI that is stored on portable devices such as laptops, tablets and smartphones.

Tags: ,

OIG's Rejection of Payments for Prescription Transfers Leaves Questions about Central Fill Pharmacy Arrangements.

POSTED BY MARTIN R. DIX ON AUGUST 29, 2014

The U.S. Department of Health & Human Services, Office of Inspector General (OIG) recently refused to bless a specialty pharmacy's request to pay a per-prescription fee to retail pharmacies for "support services" to be provided in connection with prescriptions transferred to the specialty pharmacy (OIG Advisory Opinion 14-06). The OIG found that the per prescription fee could influence the retail pharmacy's decision to transfer prescriptions, that the proposed arrangement implicated the Anti-Kickback Statute ("AKS") and posed more than a minimal risk of fraud and abuse.

Generally, a specialty pharmacy is a mail order pharmacy that carries only expensive, often injectable, medications (usually over $1,000 per month) used to treat specific conditions such as HIV/AIDS and Hemophilia. Often, manufacturers of these specialty drugs limit their distribution to only certain specialty pharmacies and payors often limit patient access to only certain specialty pharmacies. The cost of the drugs and the limited need by retail pharmacies for the medications makes it cost prohibitive for most retail pharmacies to carry most specialty medications in stock. Thus, a retail pharmacy presented with a prescription for a specialty drug will often need to transfer the prescription or refer the patient to a specialty pharmacy.

In this case, the specialty pharmacy asked OIG to allow it to enter into agreements with various local pharmacies and pharmacy networks such that the specialty pharmacy would provide specialty drugs to their patients in exchange for a per-prescription fee amount. The retail pharmacy would be required to provide various "support services" including: (1) accepting new prescriptions from patients or their prescribers; (2) gathering patient and prescriber demographic information; (3) recording patient-specific medication history and use, including drug names, strengths, and directions; (4) counseling patients on appropriate use of their medications; (5) informing the patients about specialty drug access and services generally provided by specialty pharmacies; (6) obtaining patient consent to forward the prescription to the specialty pharmacy; (7) transferring the prescription information; and (8) providing ongoing assessments for subsequent refills, including transmitting information on any changes in the patient's medication regimens (the "support services").

The OIG concluded that the AKS was implicated because the specialty pharmacy would pay a per-prescription fee for support services each time the retail pharmacy transferred (referred) a specialty drug prescription. In most pharmacy-to-pharmacy prescription transfers, there is no accompanying payment. The OIG noted that the specialty pharmacy paid the retail pharmacy for support services only when a specialty prescription was transferred. Thus, the OIG found that the per-prescription fee is "directly linked" to specialty pharmacy prescriptions generated by the retail pharmacy, and could therefore materially influence the retail pharmacy's referral decisions.

The requester argued and the OIG recognized that the retail pharmacy's support services may benefit care coordination. However, the AKS applies if "one purpose" of the remuneration is to generate referrals (the one purpose test). Though the specialty pharmacy argued that it was paying fair market value for the services, the OIG found that there was a significant risk that the per-prescription payments were compensation to the retail pharmacy for generating referrals, rather than solely compensation for bona fide commercially reasonable services.

Most states allow pharmacies that are either commonly owned or have a contractual arrangement to engage in central fill arrangements, whereby an originating pharmacy receives the prescription, the prescription is shared with a dispensing pharmacy which dispenses the medication either directly to the patient or back to the originating pharmacy (similar to the arrangement above). Generally in a central fill arrangement, there is a sharing of pharmacy duties and responsibilities and some sort of sharing of the reimbursement for the medication.  Since many state pharmacy boards allow central fill arrangements, these were usually not viewed as an improper payment for referral arrangements. The above opinion casts doubt on these arrangements where there is a split of the reimbursement and when the drugs are reimbursed by a federal health care program (the AKS only applies when payment is made under a federal health care program). At a minimum, pharmacies engaging in such arrangements should make sure that the arrangements are commercially reasonable and justified such that they would not be viewed as a mere referral arrangement. And, while excluding or "carving out" federal programs does not always remove the federal AKS risk, in this instance excluding federally reimbursed prescriptions may help insulate the arrangements.

Absent from the OIG's discussion was that many state prescription transfer laws and regulations only apply to refills and not to the transfer of the original prescription. 

The opinion may be viewed here.

Key Takeaways:

  • Per-prescription payment for prescription transfers likely implicates the Federal Anti-kickback Statute ("AKS").
  • Central fill arrangements should be carefully crafted to attempt to avoid characterization of reimbursement as a kickback.
  • Consider excluding prescriptions reimbursed by federal programs from central fill arrangements between separate entities (this would not be an issue for pharmacies under common ownership). 
  • In states that have state anti-kickback laws, consider obtaining a state declaratory statement or similar ruling to address the payment arrangements, if your state allows this process.

Tags: ,

Efforts to Stop Health Insurance Fraud Through Use of Contractors Under Fire

POSTED BY CHRISTOPHER G. OPRISON & ILDEFONSO P. MAS ON AUGUST 25, 2014

In recent reports, from June 25, 2014 and August 13, 2014, the Government Accountability Office (GAO) highlights the mixed results achieved by the federal government's increased efforts to crack down on health insurance fraud through the use of contractors. The government has spent upwards of $600 million a year to uncover and punish health care fraud and overpayments, but  some have seen a need to improve the new initiative’s effectiveness – specifically, its use of contractors to unveil fraud. The GAO has stated that the use of contractors has been, at times, inefficient and lacking in clear oversight.  Currently, while the government spends approximately $600 million a year to combat health insurance fraud, $4.3 billion in fraudulent charges has been recovered.  Medicare fraud is estimated at tens of billions of dollars per year. See U.S. GOV'T ACCOUNTABILITY OFFICE, GAO-14-712T, MEDICARE FRAUD: FURTHER ACTIONS NEEDED TO ADDRESS FRAUD, WASTE, AND ABUSE (2014). 

In June 2014, the GAO recommended a number of fixes to the lack of coordination in these new fraud recovery efforts. Many of these recommendations  had yet to be implemented due to obstacles and a lack of funding. For example, the GAO recommended that CMS increase the amount and type of data collected in its central data repository by fiscal year 2010, as such data would better help CMS and its contractors uncover fraud. As of June of this year, CMS had still not expanded the data reported to its central data repository despite the GAO's suggestions.  The GAO further suggested that CMS force all contractors to adopt a government web portal intended to provide CMS and contractors with a single access point to CMS' central data repository and analytical tools to better analyze CMS' data and uncover fraud. CMS had not required all contractors to adopt that government web portal by June of this year. These and other shortcomings prompted the GAO to conclude in a June report that "although CMS has taken some important steps to identify and prevent fraud through increased provider and supplier screening and other actions, the agency must continue to improve its efforts to reduce fraud, waste, and abuse in the Medicare program." See GAO-14-712T at 17.

The GAO's most recent report on August 13, 2014 detailed a number of further shortcomings with CMS’ management of its fraud contractors. See U.S. GOV'T ACCOUNTABILITY OFFICE, GAO-14-474, MEDICARE PROGRAM INTEGRITY: INCREASED OVERSIGHT AND GUIDANCE COULD IMPROVE EFFECTIVENESS AND EFFICIENCY OF POSTPAYMENT CLAIM REVIEWS(2014). The August report specifically notes that while CMS has created a Recovery Audit Data Warehouse, a claim database which tracks claims that contractors have already reviewed, that database does not track whether all of the various types of contractors have duplicated their efforts reviewing claims. The report concluded that "CMS does not have sufficient information to determine whether its contractors are conducting inappropriate duplicative claims reviews" and that "CMS has conducted insufficient data monitoring to prevent [contractors] from conducting inappropriate duplicative reviews." Id. at 38. The GAO has recommended development of clearer guidelines from CMS to contractors and better oversight by CMS to ensure that contractors are not duplicating efforts.

Adding to the difficulties, hospitals have resisted private contractors who arrive to investigate potential fraud. Some hospitals feel overburdened by the contractors' investigations and the fact that should a contractor's audit result in a determination of overpayment or another adverse action against a hospital, the CMS appeals process, which adjudicates whether a contractor's determination was justified, lacks sufficient resources to manage a high volume of cases. Some estimate there is a backlog of up to two years in the appeals process. See Memorandum From Nancy J. Griswold, Chief Administrative Law Judge, Office of Medicare Hearings and Appeals, to OMHA Medicare Appellants (Dec. 24, 2013). A recent article in The New York Times suggests that such burdens on hospitals may have led them to push back on the government's recent initiatives to curb fraud. Just this past summer, the government terminated a Florida fraud hotline even though it purportedly led to more than a thousand fraud investigations and uncovered millions in possible fraudulent payments. This hotline was once managed by an outside contractor, but calls to the hotline are now transferred to a general Medicare phone number that takes significantly longer to address complaints.  

The GAO's critical reviews, coupled with mounting pressure to do more to reduce health care fraud, should prompt efforts to collect more data regarding Medicare billing along with efforts to make more of that information available to contractors. Thus, it remains to be seen whether hospitals should prepare for and anticipate a more integrated and concerted effort from Medicare fraud contractors to uncover fraudulent billing. As always, Medicare and Medicaid providers should take measures to prevent fraud within their organizations, manage outside contractor audits effectively, and stay abreast of the various new CMS initiatives to address fraud and overbilling. 

For any questions about this blog or compliance with CMS regulations or contractor audits, please contact the authors.

Guidance Helps Medical Device Companies Determine Substantial Equivalence

POSTED BY SHERYL D. ROSEN ON AUGUST 4, 2014

When is a medical device substantially equivalent to another device? Like so much else, it depends. On July 15, 2014, the U.S. Food and Drug Administration (FDA) issued a draft guidance that aims to clarify that question. The document is officially directed at FDA staff, but it is equally instructive to companies seeking FDA approval for their devices. 

The FDA reviews medical devices before they can be sold in the United States, and manufacturers that prove their devices are substantially equivalent to existing products can undergo an abbreviated review process. However, substantial equivalence is a subjective target.  

The U.S. Food, Drug and Cosmetics Act at 21 U.S. Code 360c(i) states that a new device is substantially equivalent to an existing "predicate" device when the new device:

  1. has the same intended use as the predicate device; and
  2. either has the same technological characteristics as the predicate or has 
    different technological characteristics but is as safe and effective and does not
    raise different questions of safety and effectiveness than the predicate.

The guidance document focuses on the last step of the analysis – how FDA determines a device is as safe and effective as a predicate. The safety and effectiveness need not be identical. A new device can have increased safety and decreased effectiveness – or decreased safety and increased effectiveness – and still be considered substantially equivalent. When making these assessments, the FDA will weigh the benefits and risks of the new device versus the predicate. When considering benefits, the FDA will weigh:

  • Type of benefit
  • Magnitude of the benefit
  • Probability of the patient experiencing the benefit
  • Duration of the benefit

When assessing risks, the FDA will consider:

  • Severity, types, number, and rates of harmful events associated with use of the device
  • Probability of a harmful event
  • Probability of a patient experiencing one or more harmful events
  • Duration of harmful events
  • Risk from false-positive or false-negative results (for diagnostic devices)

The guidance provides several examples, including one in which a manufacturer wishes to market a tool for spinal surgery. The tool has a different shape and a deeper cutting action than the predicate device. Animal and clinical studies show the deeper cutting action leads to a greater risk of injuring surrounding tissue, but the new tool also shortens the duration of surgery and allows improved access to certain parts of the anatomy. The guidance concludes that the new device does not raise different questions of safety and effectiveness, and because the increased risk is accompanied by an increased benefit and a comparable benefit-risk profile, the new device would likely be found substantially equivalent to the predicate. 

Of course, the specific analysis will vary for every product and predicate. Companies seeking FDA approval should consult the guidance and an attorney to help prove their devices are substantially equivalent.

Tags:

Topics:  

Florida Board of Medicine Opts for Less Regulation of Office Surgical Procedures

POSTED BY JULIE GALLAGHER ON AUGUST 1, 2014

The Florida Board of Medicine recently amended its office surgery rules to exclude numerous facilities, and providers who inadvertently may have been in violation of the previous rule requirements by not having registered their offices to perform office surgery. Rule 64B8-9.009, Fla. Admin. Code, sets forth the standard of care for office surgery. The rule previously defined office surgery, in part, as the type of surgical procedures that "do not result in blood loss of more than ten percent of estimated blood volume in a patient with normal hemoglobin; require major or prolonged intracranial, intrathoracic, abdominal, or major joint replacement procedures except for laparoscopic procures; directly involve major blood vessels; or are generally emergent or life threatening in nature."

The exclusion of surgical procedures that "directly involve major blood vessels" from the type of procedure that could be done in an office setting was confusing for many physicians. It was unclear whether procedures that require insertion of catheters, wires or other devices to advance through blood vessels, using imaging guidance, would be considered office surgery such that these physicians would be required to register their offices and comply with all office surgery rule requirements. The matter was brought to the attention of the Board of Medicine, input was solicited and gathered from the profession and other States, and the Board came up with a solution rather quickly. Rather than require these facilities and physicians to register and come under the regulatory scheme for office surgery providers, the Board opted to amend the rule to clarify that percutaneous endovascular intervention does not constitute office surgery. 

The amended rule defines percutaneous intervention as:

"a procedure performed without open direct visualization of the target vessel, requires only needle puncture of an artery or vein followed by insertion of catheters, wires, or similar devices which are then advanced through the blood vessels using imaging guidance. Once the catheter reaches the intended location, various maneuvers to address the diseased area may be performed which include, but are not limited to, injection of contrast for imaging, treatment of vessels with angioplasty, artherectomy, covered or uncovered stenting, intentionally occluding vessels or organs (embolization), and delivering medications, radiation, or other energy such as laser, radiofrequency, or cryo."

This extensive definition covers a long list of procedures performed by a variety of specialties. Registration for all of the providers of these procedures could have overwhelmed regulatory inspectors and other staff. Moreover, given the other criteria for procedures eligible for office surgery—non emergent and not life threatening, no major blood loss, not overly invasive—percutaneous intervention fit nicely within the intended scope of the original rule. 

However, despite the amendment, all physicians should remain mindful of the preamble to the office surgery rule:

NOTHING IN THIS RULE RELIEVES THE SURGEON OF THE RESPONSIBILITY FOR MAKING THE MEDICAL DETERMINATION THAT THE OFFICE IS AN APPROPRIATE FORUM FOR THE PARTICULAR PROCEDURE(S) TO BE PERFORMED ON THE PARTICULAR PATIENT. 

This remains good advice.

Tags: ,

New ACA Rules Could Require Broader Provider Networks

POSTED BY MARSHALL R. BURACK ON JULY 30 2014

"If you like your doctor, you can keep your doctor." President Obama repeated this assurance to the American public numerous times, and the statement was prominently featured on the White House web site prior to and after adoption of the Affordable Care Act in 2010.  

The Obama administration is developing regulations to address the concerns of consumers who say the Affordable Care Act ("ACA") has restricted their ability to choose doctors and hospitals, without incurring sizeable medical bills for out-of-network services.

In order to create health insurance plans with lower premiums, so as to be more affordable and more attractive to individuals shopping for insurance on the ACA-mandated, newly-created insurance exchanges, many insurers have established plans with narrower provider networks, giving plan members fewer doctors and hospitals to choose from. Smaller networks allow the insuror to exercise greater control over provider charges and to limit their networks to only the highest quality providers, enabling them to offer high-value plans with lower premiums. The "flip side" of this trend, however, is that patients have fewer doctors and hospitals to choose from, and may incur substantial medical expenses if they receive services from doctors or hospitals which are not part of the network.

To address the concerns of patients who say that many health plans offered under the ACA unduly limit their choice of providers, CMS is developing new requirements which will require health plans to offer broader provider networks. Federal officials have said the new requirements will be similar to the standards currently used to determine whether Medicare Advantage Plans have a sufficient number of doctors and hospitals in their networks. Federal standards specify the minimum number of primary care doctors and specialists which must be included in the network for a Medicare Advantage Plan, based on population in the area served by this Plan, population density, and other factors. Medicare also establishes maximum travel time and distance criteria.  Similar travel standards are already in place for Florida HMOs.

A number of insurers have opposed detailed federal rules, arguing that consumers should be able to choose more affordable, high-value plans, with narrower provider networks.

Florida Information Protection Act of 2014 - Florida Means Business When It Comes to Protecting Customers' Personal Information

POSTED BY ROBERT E. SLAVKIN, ELIZABETH F. HODGE & ALI LURIA ON JULY 28, 2014

On June 20, 2014, Governor Rick Scott signed into law the Florida Information Protection Act of 2014 ("FIPA"), which became effective July 1, 2014. FIPA expands the obligations of businesses and government entities that maintain data containing personal information of individuals to safeguard and provide notice of breaches of such information. As a result, Florida now has one of, if not the most strict breach notification statutes in the country.

What should entities conducting business with Florida customers do to comply with FIPA?

  • Evaluate your current policies and security measures for electronic personal information and update them as necessary;
  • Develop new policies or update existing policies for identifying breaches and providing appropriate notification to affected individuals.
  • Ensure that your company is using proper methods to destroy or dispose of personal information;
  • Review and update your agreements with third party agents who maintain or transmit electronic personal information to address the new requirements of § 501.171, Florida Statutes, regarding notification of breaches suffered by the third party agent and what precautions the third party agent takes to safeguard and properly destroy data.
  • Review your liability policies to determine what coverage is available in the event of a breach. The cost to respond to a data breach continues to climb, and some insurers are revising their CGL policies to exclude coverage for data breaches. Separate cyber liability policies are available in the marketplace.

For more information about FIPA, click here.

Tags:

Physicians and Photography Don't Mix

POSTED BY JULIE GALLAGHER & LESLIE SCHULTZ-KIN ON JULY 24, 2014

A gynecologist who secretly photographed and videotaped women's bodies in the examining room will cost one of the world's leading medical institutions $190 million.  In a damaging blow to its reputation, Johns Hopkins Hospital has agreed to a settlement with more than 8,000 patients of Dr. Nikita Levy, who wore a pen-like camera around his neck to secretly record videos and photos of his patients, including 62 girls.  Dr. Levy, a 25-year physician with Johns Hopkins Health System in Baltimore, Maryland, had seen approximately 12,600 patients during his tenure.  He was fired in February 2013 after a co-worker spotted the camera and alerted authorities.  Investigators discovered roughly 1,200 videos and 140 images stored on his home computer.  Dr. Levy committed suicide days after his termination.

Although the women's faces were not visible in the images, and it could not be established with certainty which patients were recorded or how many, thousands of patients were traumatized, according to lawyers.  A class action lawsuit was brought against Johns Hopkins on behalf of the more than 8,000 patients, who claimed the hospital should have known what Dr. Levy was up to.  Each plaintiff was interviewed by a forensic psychologist and a post-traumatic stress specialist to determine how much trauma she suffered and how much money she will receive.  The settlement is one of the largest on record in the United States involving a physician who took photographs of patients without their consent. 

In Florida, although such conduct would likely be seen as outrageous by the regulators at the Department of Health and the members of the Board of Medicine, there is no specific statutory prohibition against photographing a patient without his or her consent.   Section 458.331(1)(p), Fla. Stat., subjects a physician to discipline for performing "professional services" that have not been authorized by the patient. Photography is not likely a professional service provided by a physician.  Likewise, sexual  misconduct, although clearly prohibited, as defined in section 458.329, Fla. Stat., involves using the patient-physician relationship to induce the patient into sexual activity.  Taking unauthorized photographs in and of itself might not be considered sexual misconduct.  Despite those legal pitfalls, the conduct could be considered outside the standard of care and, therefore, be subject to disciplinary action.  Physicians simply should not take any photograph or create any image of a patient without his or her consent, even if the physician has no plan to share the information.  Surgical consent forms routinely disclose the potential for photographs or videos to be created during the surgery and spell out any use planned for them.  This should be the routine practice for any examination or other service that creates an opportunity for images to be taken and preserved.   

Unfortunately, the Johns Hopkins lawsuit is not the only case involving a physician photographing a patient inappropriately.  In 2013, Dr. Patrick Yang, an anesthesiologist at Torrance Memorial Medical Center in Torrance, California, said he believed an unconscious patient "would get a kick" out of him cutting up sticky medication labels with scissors to put a mustache and gang tears on her face during surgery.  Instead, the woman sued him and the hospital for breach of medical privacy over allegedly spreading a cellphone photograph on the internet.  Dr. Yang's action during the surgery also prompted a state investigation and a rebuke from the hospital, which called his joke a "breach of professionalism."  He was disciplined but kept his privileges at the hospital.    

Also in 2013, a former Northwestern University student claimed that after she was admitted to Northwestern Memorial Hospital in Chicago, Illinois, for extreme intoxication, a physician at the hospital took photos of her and posted them to social media sites, Instagram and Facebook, with commentary about her condition.  She is seeking compensation from Dr. Vinaya Puppala, the hospital and the Feinberg School of Medicine in excess of $1.5 million.  In 2010, four employees were terminated at St. Mary's Medical Center in Long Beach, California, because they used cellphones to photograph a dying emergency room patient and then shared the photos on Facebook.  In 2007, the Mayo Clinic in Rochester, Minnesota faced a lawsuit over the acts of Dr. Adam Hansen, chief resident of general surgery, who used his cell phone to take a picture of a patient's penis during surgery.

In this era of social media where the use of smartphones and tablets make sharing data so easy, these cases raise fresh concerns about a hospital's ability to protect patients' privacy.  Accordingly, it is imperative that hospitals implement comprehensive policies regarding patient photography, video imaging and audio recording.  Such policies should:

  • Define allowable purposes and circumstances for obtaining film, digital photographs, video images or recording patients using a camera or other device.
  • Set forth standards for the creation, use, disclosure and retention of the images.
  • Ensure that patient/legal representative consent is given in writing or by verbal consent documented through an appropriate authorization form.
  • Identify prohibited activities and behaviors relating to photography, video or audio recordings of patients, including personal use, entertainment purposes, posting on social media or in public areas, malicious use, or using such images in a way that is disruptive to patient care or the work environment.  Staff failing to comply with such policies must be subject to disciplinary action.

Tags: ,

Federal Appeals Court in D.C. Strikes Down Key Aspect of Health Care Reform (Just Before the 4th Circuit’s Opposite Ruling) – Any Impact on the Individual and Employer Mandates?

POSTED BY LEANNE REAGAN ON JULY 23, 2014

Yesterday, the U.S. Court of Appeals for the District of Columbia Circuit, in a 2-1 ruling by a three judge panel, invalidated an Internal Revenue Service regulation that interpreted section 36B of the Affordable Care Act ("ACA") as authorizing premium tax credits for insurance purchased on either a state or federally-facilitated Exchange. In striking down the IRS regulation, the majority found that the language in the ACA “unambiguously restricts the section 36B subsidy to insurance purchased on Exchanges ‘established by the State’.” The D.C. Circuit court’s decision could have far reaching implications given the fact that currently 36 states have chosen not to establish state Exchanges and instead rely on federally-facilitated Exchanges. If the court’s decision is upheld, it could result in significant premium increases for many individuals who purchased their coverage through a federally-facilitated Exchange, but who would qualify for a premium tax credit based on their household income if they had purchased coverage through a state-run Exchange. 

Possible Impact on Individual Mandate: The individual mandate generally requires that individuals maintain “minimum essential coverage”. Failure to maintain such coverage can result in a penalty.  However, the penalty would not apply to individuals for whom the annual cost of the cheapest coverage (reduced by any applicable tax credits) would exceed 8% of their projected household income. Since the premium tax credits would no longer be available in the 36 states with federally-facilitated Exchanges, the court’s decision, if upheld, may considerably decrease the number of people who could be subject to a penalty for failing to maintain coverage.  

Possible Impact on Employer Mandate: The employer mandate under Code section 4980H imposes penalties on certain large employers who fail to provide their full-time employees with health insurance that meet certain minimum value and affordability requirements. Specifically, the penalties under Code section 4980H apply to any large employer who fails to offer its full-time employees appropriate coverage if one or more of the employees enroll in an Exchange and qualify for a premium tax credit. If the court’s ruling is upheld, since premium tax credits would be unavailable in states with federally-facilitated Exchanges, large employers would not be subject to penalties for failing to offer coverage to employees who are residents in those 36 states. However, a large employer who employs individuals who reside in a state with a state Exchange could still be subject to penalties under Code section 4980H. 

Opposite Ruling by the Fourth Circuit: Also yesterday, the U.S. Court of Appeals for the Fourth Circuit issued a ruling that reached the opposite conclusion. The Fourth Circuit found that the language in section 36B was “ambiguous and subject to multiple interpretations”. The court upheld the IRS regulation “as a permissible exercise of the agency’s discretion.”  

What’s Next? The Department of Justice has already stated that it will appeal the D.C. Circuit court’s decision by seeking an en banc review, which would put the case before the entire appeals court. Given that the D.C. and Fourth circuits are now split on whether federal subsidies are available for coverage purchased through federally-facilitated Exchanges, the likelihood that the issue will ultimately be reviewed by the U.S. Supreme Court increases. In the meantime, we will continue to monitor this issue and provide updates.

Enhancements to Florida's Solicitation of Funds Law Now Effective - Charities Now Have Tighter Regulations

POSTED BY HENRY H. RAATTAMA, JR. ON JULY 17, 2014

In response to the Tampa Bay Times investigative story, "America's Worst Charities," Florida’s Commissioner of Agriculture, Adam Putnam, worked with the Florida Legislature to enact material enhancements to Florida's Solicitation of Funds statutes (Chapter 496 – HB 629). Any charity that is subject to registration with the Department of Agriculture and Consumer Services (the Department), including not-for-profit hospitals and other not-for-profit health care providers which solicit charitable contributions, is impacted and will need to review and implement the new requirements that became effective July 1, 2014. 

Among the changes are the following:

  • The standard disclosure requirement, which is a statutory requirement that applies to all charities registered with the Department, must now include the Department's website.
  • If the solicitation is on the internet, each page may include the disclosure, and the disclosure must include the charity's phone number or address.
  • No officer, trustee, or director who has been convicted of a felony may solicit funds. We note that this is not a pleasant question to ask, but a necessary one.
  • Each charity that is registered with the Department must adopt a Conflict of Interest Policy, and each officer, director, or trustee must certify compliance with the Conflict of Interest Policy each year. The certification must be submitted with the annual registration. The required Conflict of Interest Policy is very specific and should be reviewed closely in order to meet compliance. It appears the IRS model conflict policy will not satisfy the law.
  • The professional solicitor rules have been greatly enhanced.
  • There are "collection receptacle" (donation drop box) disclosure requirements, for those who collect donations.
  • A disaster relief charity that has registered with the Department for four or fewer years and raises more than $50,000 must comply with substantial additional reporting requirements.
  • There are new financial reporting requirements for charities who receive contributions of more $500,000. For charities with contributions less than $500,000, there is no apparent change.

While these are only the high points of the enhancements, each not-for-profit health care provider that raises funds in Florida must review the new statutory requirements closely or risk being in violation of them.  Every not-for-profit health care provider that registers with the Department is potentially impacted by the amendments and should seek proper legal advice to determine the most appropriate method to come into compliance.

Tags:

New OIG Special Fraud Alert Aimed at Laboratory Payments to Referring Physicians

POSTED BY MICHAEL P. GENNETT & ELIZABETH F. HODGE & JOSEPH W. N. RUGG ON JULY 10, 2014

On June 25, 2014, the U.S. Department of Health and Human Services Office of Inspector General (OIG) issued a Special Fraud Alert entitled "Laboratory Payments to Referring Physicians." While the Alert breaks no new ground (see, e.g., its 1994 Special Fraud Alert), it demonstrates the OIG's continuing concerns about clinical laboratories' offering inducements to referring physicians. 

The Alert provides an in-depth discussion of laboratories' paying referring physicians for collecting specimens and paying physicians for submitting patient data to a registry or database. The Alert explains that physicians who prepare specimens for transfer from the office to a laboratory have a CPT code (99000) to bill Medicare for a nominal charge. Where laboratories are separately paying the same physician for specimen collection, the double billing is evidence to the OIG of an obvious intent to induce referrals. Similarly, with respect to physicians submitting patient data for a database, even if the project has legitimate underpinnings, it may still be illegal if an intent is to induce referral. The Alert contains a detailed list of characteristics of specimen processing and data registry arrangements that it finds suspect.

The OIG 's concerns are not lessened in referral arrangements that "carve out" Medicare and other federal programs and focus only on commercial insurance. The OIG takes the position that, because physicians refer to a limited number of labs, inducements with respect to commercial insurance are likely intended to induce Medicare referrals also. Equally important, inducements for commercial insurance referrals may violate applicable state laws (for example, Florida's Patient Brokering law).  

Physicians should review their financial arrangements with outside clinical labs. The question to be asked always is whether one of the reasons for the arrangement is to induce referrals of patients for lab services. Although the Alert focuses on specimen processing and data registry arrangements, that does not mean that other arrangements are OK. The fraud and abuse concerns set forth in the Alert extend to any arrangement that provides some sort of financial benefit to physicians with the intent to induce referrals of patients for lab services. 

______________________________


Following publication of the Alert, the OIG published a study entitled "Questionable Billing for Medicare Part B Clinical Laboratory Services." In the Study, the OIG found that "[a]lmost half of the labs that exceeded the thresholds for five or more measures of questionable billing—compared to 13 percent of all labs—were located in California and Florida, areas known to be vulnerable to Medicare fraud." The OIG's recommended that it "[r]eview the labs identified as having questionable billing and take appropriate action" and also "[r]eview existing program integrity strategies to determine whether these strategies are effectively identifying program vulnerabilities associated with lab services." As a result, clinical labs and physicians should exercise great vigilance in reviewing their financial and referral relationships with each other to insure that they comply with applicable federal (and state) fraud and abuse and other healthcare laws.

Tags: , ,

Patient Records: Increasing Exposure for Privacy Breaches

POSTED BY ELIZABETH F. HODGE & KAREN M. BUESING ON JULY 8, 2014

Healthcare providers and businesses that store or process protected health information ("PHI") face increased scrutiny and significant fines for data privacy breaches and security lapses in the coming months. In the past 12 months, the U.S. Department for Health and Human Services Office for Civil Rights ("OCR") has recovered more than $10 million in fines for alleged violations of HIPAA. Enforcement is likely to become even more aggressive in the next year, according to Jerome Meites, a chief regional civil rights counsel at HHS, who spoke last month at the American Bar Association Physician Legal Issues Conference. "Knowing what's in the pipeline, I suspect that number will be low compared to what's coming up," Meites said during his presentation.
 
Meites noted that companies need to ensure the security of laptops and other portable devices that carry patient information. "Everywhere in your system where [patient information] is used, you have to think about how to protect it." Meites also noted the importance of performing a comprehensive risk analysis. Most of the cases in which breaches led to financial settlements, and not just corrective actions, involved entities who had not performed the required risk assessment.

The need to analyze risks, adopt safeguards, and train staff extends beyond healthcare providers and applies to anyone who stores, processes or has access to protected health information. Covered entities should ensure they have Business Associate Agreements with those who handle, process or have access to protected health information. All of the foregoing will be increasingly important as OCR turns up the heat on enforcement efforts.

Recent HIPAA Settlements

In the past two months, two healthcare organizations agreed to pay $4.8 million to settle charges that they potentially violated HIPAA Privacy and Security Rules. These organizations failed to secure thousands of patients' electronic protected health information (ePHI) held on their network. A third organization agreed to pay $800,000 after its employees left 71 boxes of patient records in a departing physician's driveway.

These recent settlements are a reminder that covered entities and businesses who handle or have access to patient information cannot ignore the need to safeguard the privacy of all records in their possession. Healthcare providers not only must consider how to store and dispose of paper records that have been transferred to electronic health records, but also how to ensure that IT professionals involved in the conversion have been properly trained on HIPAA.

Second Round of HIPAA Audits

The next round of HIPAA audits will begin this fall. OCR already has sent questionnaires to approximately 800 covered entities to screen them for selection for the audit. These upcoming audits will be much more targeted than the first round of HIPAA audits and will be conducted as "desk audits" by OCR staff, rather than as field audits by outside accounting firms.  Approximately 100 covered entities will be audited on their compliance with the requirements for notices of privacy practices and providing individuals with access to PHI; 100 covered entities will be audited to evaluate whether they have a risk analysis and have implemented a corresponding risk management plan; and 150 covered entities will be audited for their policies related to the content of and timeliness of notice of a breach. OCR will use information gleaned from the audit responses to identify business associates that will be audited beginning in early 2015.

To prepare for this increased scrutiny, healthcare providers and their business associates should:

  • Conduct a thorough risk analysis of the threats and vulnerabilities to their electronic PHI and update that risk analysis annually or more often if there is a significant change in the operations of the entity.
  • Implement security measures to reduce the risks identified in the risk analysis. It is not enough to do the risk analysis: covered entities and business associates must follow up on the findings to reduce risk.
  • Remember to address risks associated with PHI that is in paper format, including methods of storage and disposal of the paper. As recent and not-so-recent HIPAA settlements have shown, leaving paper records in public areas such as driveways or open dumpsters or trash bins is not an appropriate way to dispose of records.
  • Make sure your breach notification policies and procedures are current. As part of this assessment, identify potential vendors, i.e., forensic experts, vendors to assist with mitigation efforts, outside law firms to conduct the investigation and to assist in the event of a breach.
  • Make sure your Notice of Privacy Practices is current and review your policies and procedures for responding to requests from individuals for access to their PHI.

Akerman's Healthcare team stands ready to assist businesses in assessing risks and adopting compliance plans.

Tags: , , ,

FDA Offers Guidance for Choosing Prescription Drug Names

POSTED BY SHERYL D. ROSEN ON JUNE 30, 2014

If you've seen your share of prescription drug commercials, you've likely marveled at the odd drug names: Moexipril. Oxcarbazepine. Zafirlukast. You might think pharmaceutical companies just prefer complex, new combinations of letters, but naming a drug requires more than a marketing brainstorm session. A recent draft guidance document from the U.S. Food and Drug Administration ("FDA") shows many considerations go into choosing a drug name. Names that are too similar can be confused, and names that include descriptive phrases or abbreviations could be misunderstood, leading to unfair marketing and drug errors. In order to improve safety and reduce ambiguous or misleading names, the FDA suggests that drug makers follow the nonbinding guidelines in the guidance document. The guidelines advise:

  • Avoid similarities in spelling or pronunciation with names of other drugs, even if those other drugs are discontinued or only sold in foreign countries.
  • Avoid including medical abbreviations within the name. For example, the NameQD could be mistaken on a prescription for the medical abbreviation QD, or quaque die in Latin, meaning every day.
  • Avoid using the same proprietary name or the same root proprietary name for products that do not contain at least one common active ingredient.
  • Avoid names that include product-specific attributes, dosage form, or route of administration. (NameOral, Nametabs, etc.)
  • Avoid non-standard suffixes or modifiers that could cause confusion. For example, Name3 could be misunderstood as a drug to be taken for 3 days or a drug that includes 3 active ingredients.
  • Avoid using different names for products with identical active ingredients.  Unaware prescribers could put a patient on both at the same time, possibly causing overdose.
  • Avoid fanciful names that state or imply a quality of the drug, such as BestMed or DrugSuper.
  • Avoid symbols. For example, if a drug is called Name+, the plus sign could be confused on a prescription pad for "and" or the number 4.

Knowing these naming constraints exist, the next time you see a drug commercial, you'll realize that a new drug name might sound arbitrary, but it definitely isn't.

Tags: ,

FDA Issues Draft Guidance for Drug and Device Information on Social Media

POSTED BY JAMES I. ZIRKLE ON JUNE 25, 2014

The Food and Drug Administration ("FDA") recently issued two draft guidance documents relating to the use of Twitter and other social media by drug and medical device companies. Emphasizing that companies must give a balanced presentation of their products, the Agency stated that companies must provide risk information along with any benefit information within a tweet or similar promotional message.

The FDA also provided guidelines for companies wishing to respond to misinformation posted on blogs or other social media platforms. The Agency stressed that, while a company has no obligation to correct independently-posted information, any correction must consist of truthful and non-misleading information that, among other requirements, is limited to the scope of the misinformation and non-promotional in nature. A more detailed update highlighting main compliance points and areas of risk can be accessed here.

Tags:

IRS Disallows Shifting Employee Health Coverage Burden to Exchanges

POSTED BY BETH ALCALDE ON MAY 30, 2014

Certain employers hoped that they had discovered a way to "have their cake and eat it too". In response to the looming employer mandate for employers with 50 or more employees – the requirement to offer full - time employees group health plan coverage or else face penalties under the Affordable Care Act, - some creative Human Resource leaders had suggested that employers could send their employees to a health insurance exchange, while still offering those employees a tax-free contribution to assist with the exchange insurance premiums. This proposed "solution" would have theoretically permitted employers to save money by terminating their group health plan obligations, while still preserving the existing employer-based system's tax advantages, whereby employer contributions toward employees' coverage are not included as taxable income to workers. This would have provided employees with a variation of the current system, by offering a tax advantaged way to purchase replacement medical coverage through the exchange.

Through a question-and-answer issued on May 13, 2014, the IRS stated that this approach was not acceptable. Specifically, the IRS reasoned that such a pre-tax funding arrangement itself would be considered a "group health plan" under the Affordable Care Act and, therefore, the pre-tax funding arrangement would be required to comply with the Affordable Care Act's market reforms. So exposure to penalties would remain if the pre-tax funding arrangement was not compliant. In particular, failure to satisfy those market reforms would expose the employer to excise tax penalties of $100 per day per affected employee (i.e., $36,500 per year for every employee).

The IRS guidance does not allow such an incentive for large employers to drop employer-sponsored coverage. As expected, the Obama administration has expressed its agreement with and appreciation for the IRS' position, since the entire Affordable Care Act financial and administrative structure requires at its core the fundamental continuation of employer-based health insurance coverage.

Tags: ,

Useful Resources