Affordable Care Act Update April 7, 2014: High Courts Vet Key Provisions of the Affordable Care Act; Government Extends Enrollment Deadline


March 2014 has produced quite a bit of activity regarding the Patient Protection and Affordable Care Act ("ACA").  On March 24, 2014, oral argument was held in the latest challenges to the ACA in Sebelius v. Hobby Lobby Stores, et al. before the United States Supreme Court, and in Halbig v. Sebelius before the United States Court of Appeals for the District of Columbia Circuit.  On the same day as these legal challenges, the Obama Administration, of its own accord, once again delayed the deadline to enroll in health insurance coverage for parties that represent they began the enrollment process before the deadline but did not complete it for whatever reason. 

A summary of these significant updates with respect to the ACA is as follows:

Sebelius v. Hobby Lobby Stores

In the Hobby Lobby case, the Supreme Court must decide whether the ACA's mandate requiring certain for-profit employers to provide contraceptive coverage for their employees violates the Religious Freedom Restoration Act ("RFRA"), 42 U.S.C. §§ 2000bb et seq.  RFRA prohibits the Government from "substantially burdening a person’s exercise of religion" unless it has selected the least restrictive means to further a compelling governmental interest.  The lead plaintiff/appellee in the action is Hobby Lobby Stores, a closely held corporation whose owner has firmly held religious beliefs.  Hobby Lobby is claiming that the company itself is opposed on religious grounds to the requirement under the ACA that it provide the four abortifacient contraceptive methods among the 20 or so approved by the FDA ("the contraceptive mandate").  Hobby Lobby claims the contraceptive mandate substantially burdens its exercise of religion under the RFRA. 

At bottom, the Court must decide whether a corporation can qualify as a "person exercising religion" under the RFRA.  If so, it must decide whether mandating contraceptive coverage substantially burdens a person's religious exercise; and whether the contraceptive mandate is the least restrictive means of achieving the Government's alleged compelling interest of providing "public health and gender equality.” 

Hobby Lobby maintains that the contraceptive mandate imposes a substantial burden because it created a Hobson's choice: either (1) provide access to contraceptive options Hobby Lobby ownership deemed morally objectionable, (2) eliminate health insurance coverage altogether for its employees (which also would run contrary to the ownership's personally held religious beliefs) and pay an annual fine of more than $26 million, equivalent to a $2000 fine imposed on Hobby Lobby for not providing any health insurance for its more than 13,000 employees, or (3) eliminate coverage for only the contraceptive component, which would result in a $100 per day fine per employee, equivalent to a $1.3 million fine per day, or $475 million in fines per year.  Under any scenario, Hobby Lobby maintains, it is either pressured to compromise on its own, deeply held religious beliefs and become complicit in morally objectionable behavior, or face stiff fines thereby making its free exercise of religion more expensive.  Hobby Lobby also called into question the Government's "compelling interest" served by the mandate, given that does not actually preclude employees from access to such contraceptive options, only that Hobby Lobby itself does not want to directly pay for that access.

At oral argument, the Court probed the threshold question of whether a for-profit corporation – even a closely held corporation – can bring a free exercise claim under the First Amendment.  The Government's position appeared to be that the for-profit corporate form is inherently inconsistent with pursuing free exercise claims.  The Government relied on United States v. Lee, 455 U.S. 252 (1982) for the proposition that once a party decides to enter the commercial marketplace and form a for-profit corporation, that party loses standing to bring a RFRA or First Amendment challenge.  Chief Justice Roberts in one exchange with the Government queried why, if every court of appeal has held that for-profit corporations can bring racial discrimination claims as corporations, those same for-profit corporations could not also bring free exercise claims.  In another exchange, Justice Kennedy intimated the Government's theory would, by logical extension, preclude for-profit corporations from suing if forced to actually pay for abortions.  While contending that was not a question presented in this case (despite plaintiffs' deeply held beliefs that compelling them to fund the four abortifacient contraceptive methods was, in essence, compelling them to fund abortions), the Government conceded that, under its theory of this case, a for-profit corporation like Hobby Lobby would be barred from bringing a free exercise challenge to a requirement to fund abortions.  And, drawing on a recent Danish prohibition on kosher and halal slaughter methods on grounds that they are inhumane, Justice Alito inquired whether, if transplanted here in the United States, five Jewish or Muslim butchers joining together in a corporation could assert a First Amendment or RFRA claim if compelled to use non-kosher methods to butcher animals for non-religious reasons.  If corporations could not "exercise religion," a corporation that was compelled to engage in such activity would never have its day in court. 

The Court also questioned both sides on the purported "compelling" nature of the Government's interest in achieving public health through the contraceptives mandate considering that, for instance, it created an accommodation that does not impose the contraceptive mandate on "grandfathered" insurance plans. 

As is apparent from the briefs and oral argument, a ruling coming out either way will have significant and far reaching implications for for-profit corporations and the viability of the ACA in its present form going forward.  A decision is expected by the end of the Court's term in Summer 2014.

Halbig v. Sebelius

The Halbig case involved a challenge to an Internal Revenue Service ("IRS") regulation that purports to implement the provisions of the ACA authorizing federal tax credit subsidies to certain consumers purchasing health insurance through a State exchange.  Because the tax credit language arguably is limited to coverage purchased through a State exchange, the DC Circuit must decide whether the IRS may promulgate regulations extending such subsidies to consumers who obtained health coverage on an exchange established by the federal government under Section 1321 of the ACA, codified at 42 U.S.C. § 18041. 

By way of background, the IRS allowed such tax credits in the 34 states that have not established a state exchange and where only an exchange operated by the federal government exists.  If the ACA is interpreted to condition tax credits on the establishment of a state exchange, as appellants note, not only will the IRS be in violation of the law by issuing such tax credits, but the Government will also find it extremely difficult to successfully implement the ACA without amending the ACA.  Among other problems, the tax credits are meant to help those that cannot afford insurance to purchase insurance, and without such credits, many will not be able to afford insurance.  The lack of a tax credit may also severely hamper the effect of the ACA's individual mandate requiring every citizen to have health insurance, because the ACA exempts a party from the individual mandate if insurance premiums exceed an "affordability threshold" established by the ACA.  26 U.S.C. § 5000A(e)(1), (5).  Without the tax credit, insurance premiums may exceed the affordability threshold and exempt many from the individual mandate since many states have not established exchanges.  Id.  The unavailability of the tax credit will also significantly affect employers because the ACA imposes fines on employers that fail to provide insurance to full-time employees.  Those fines only come into play, however, if at least one employee enrolls in coverage for which "an applicable . . . tax credit … is allowed or paid." 26 U.S.C. § 4980H.  Thus, if tax credits are not available in a state due to the lack of a state-established exchange, employers will not be subject to fines from the ACA's employer mandate for failure to provide insurance to full-time employees. 

At oral argument, the DC Circuit appeared to be skeptical of the Government's argument that the ACA's provisions facially limiting applicability of tax credits to insurance purchased on state-established exchanges, in turn, allowed the IRS to apply such tax credits to insurance purchased in a state with no health insurance exchange.  In particular, Judge Raymond A. Randolph questioned how the ACA's clear language of "[a]n exchange established by the state" could be interpreted to mean "an exchange that's established by the federal government." And, as Appellants argued, the IRS would have no authority to separately interpret the "state exchange" clause given its plain and unambiguous language, and that the IRS's interpretation to the contrary is entitled to no Chevron deference.

Partial Extension of Enrollment Deadline

On March 25, while the ACA was undergoing vigorous challenge in the Supreme Court and DC Circuit, the Washington Post reported that all consumers who submitted applications for coverage on, but did not finish by the Monday, March 31, 2014 deadline, will be permitted to request an extension until mid-April to receive coverage.  This, after numerous officials in the Obama administration had insisted that March 31, 2014 was a firm deadline, drew additional fire from critics of the ACA.

*  *  *

In summary, the ACA faced significant challenges at the end of March 2014.  Going forward, employers and health care organizations should track these developments closely as the Hobby Lobby case has significant implications for such parties, and the Halbig case has the potential to derail the ACA.  If you have any further questions on the ACA or these cases, please contact the authors of this article by email or any of the health care professionals at Akerman LLP.

The Government is Here to Help: HHS Releases HIPAA Security Risk Assessment Tool for Small Providers


The U.S. Department of Health and Human Services ("HHS") has just released a new security risk assessment ("SRA") tool to help small and medium-sized health care practices (one to ten providers) conduct a HIPAA risk assessment of their organization.

The HIPAA Security Rule requires all health care organizations that are HIPAA covered entities or business associates to conduct a thorough and accurate risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. The results of the HIPAA audits conducted by the HHS Office for Civil Rights and recent HIPAA breach settlement agreements highlight the importance OCR places on HIPAA risk assessments. However, many smaller physician practices do not know how to complete a risk assessment that meets the HIPAA Security Rule requirement.

The SRA tool is a free software application for Windows operating systems and iOS iPad that a health care practice can download and use to assist in reviewing its implementation of the HIPAA Security Rule. The 156-question tool addresses the implementation specifications included in the HIPAA Security Rule and covers basic security practices, security failures, risk management, and personnel issues. The tool also identifies issues to consider in responding to the questions, possible threats and vulnerabilities, and examples of safeguards the organization may adopt. HHS says that the tool allows providers to "conduct and document a risk assessment in a thorough, organized fashion at their own pace." The application produces a report that the practice can later provide to auditors. Because the practice downloads the application, the government will not have access to assessment results unless the practice chooses to share that information. The SRA tool is solely for the purpose of conducting an internal HIPAA risk assessment as required by the HIPAA Security Rule; it does not produce a statement of compliance and does not assess compliance with provisions of the HIPAA Privacy Rule.

The Office of National Coordinator for Health Information Technology is soliciting comments on the new SRA tool until June 2, 2014. Comments may be submitted to this address:


Florida Department of Health Adopts New Telemedicine Rule: Florida Legislature Considers Changing the Law


While the Florida Department of Health (DOH) adopted a new telemedicine rule on March 12, 2014 [Rule 64B8-9.0141 and Rule 64B15-14.0081 of the Florida Administrative Code], several bills on the same subject are under consideration by the Florida Legislature. [See, SB 1646, SB 0070, HB 751, and HB 0167]  At the same time, the Federation of State Medical Boards (FSMB) reported a new "Model Policy for the Appropriate Use of Telemedicine Technologies in the Practice of Medicine." Whether the Florida Legislature will ultimately enact legislation consistent with the positions historically taken by the Florida Board of Medicine and the Florida Board of Osteopathic Medicine or change the law to facilitate cross border collaborations among Florida physicians and physicians licensed in their respective states remains to be seen.

The Florida Medical Boards have long taken the position that physicians who perform a professional service that contributes to the diagnosis and treatment of a patient in Florida must be licensed to practice medicine in Florida. The FSMB's newly restated Model Policy, originally adopted in 1996, is consistent with that position in that it states: "A physician must be licensed, or under the jurisdiction, [sic] of the medical board of the state where the patient is located. The practice of medicine occurs where the patient is located at the time telemedicine technologies are used. Physicians who treat or prescribe through online services sites are practicing medicine and must possess appropriate licensure in all jurisdictions where patients receive care."

In response to pharmaceutical sales over the Internet and other entrepreneurial e-health initiatives, the Florida Medical Boards previously established that a face-to-face encounter was required to establish an appropriate physician/patient relationship. This standard proved to be at odds with the objective of telemedicine in linking specialists with patients in different states and in different countries to make available the expertise of specialists to treat patients in remote or medically underserved areas. The FSMB has taken the position that "…while each circumstance is unique, such physician-patient relationships may be established using telemedicine technologies provided the standard of care is met." Additionally, the insurance industry has indicated burdensome regulations should not restrict the industry from contracting for medical services. Requiring face-to-face encounters was viewed as contrary to the efficient and cost-effective delivery of health care using telemedicine technologies.

The new Rules adopted by the DOH do not directly change the definition of the practice of medicine in Florida. But they include a curious statement which might be construed to permit out of state physicians, contrary to the longstanding position of the Florida Medical Boards and the DOH, to render "consultations" with Florida licensed physicians without being licensed in Florida. "Nothing contained in this rule shall prohibit consultations between physicians or the transmission and review of digital images, pathology specimens, test results, or other medical data by physicians or other qualified providers related to the care of Florida patients." [Rule 64B8-9.0141(7)(a), Florida Administrative Code]

The challenge and tension between the competing bills currently pending before the Florida Legislature is to facilitate the use of telemedicine to treat patients across state and national boundaries while ensuring that the physicians who diagnose and treat Florida residents are subject to the jurisdiction of the Florida Board of Medicine and the Florida Board of Osteopathic Medicine. Whether the Florida Legislature changes or clarifies current law will be decided within the next 45 days of the Florida Legislative Session.


CMS Now Requiring Qualified Health Plans to Accept Premium Payments from Certain Third Parties


As previously reported on November 13, 2013 and February 20, 2014, the Centers for Medicare and Medicaid Services ("CMS") has attempted to provide guidance as to when it is appropriate for issuers of "qualified health plans" ("QHPs") to accept third-party premium payments on behalf of individuals.

On March 19, 2014, CMS reinforced its February 7, 2014 guidance by issuing an Interim Final Rule ("IFR") which requires issuers of QHPs, including stand-alone dental plans ("SADPs"), to accept premium and cost-sharing payments made on behalf of enrollees by the following entities:

  1. The Ryan White HIV/AIDS Program;
  2. Other federal and state government programs that provide premium and cost-sharing support for specific individuals; and
  3. Indian tribes, tribal organizations, and urban Indian organizations.

This new requirement to accept third party payments of premiums from those organizations on the "approved" list is effective March 14, 2014. CMS exercised its authority to waive the notice-and-comment requirements and the 30-day delay in effective date requirement of the Administrative Procedure Act. CMS stated that delaying the effective date of the rule would mean that some people who are eligible to enroll in a QHP but rely on these approved organizations to contribute to the cost of the premium, would not be able to pay for their coverage. It could also mean that the organizations listed in the regulation would not be able to assist individuals who are already enrolled, but do not have the funds to continue to pay their premiums, which could lead to coverage terminations. CMS is concerned that these scenarios could result in people's medical conditions worsening, especially those individuals with HIV/AIDS, and an increase in need for uncompensated care.

The Interim Final Rule also provides that failure to accept these third party payments could subject QHPs to civil monetary penalties of up to $100 per day for each individual who is adversely affected by the QHP's non-compliance.  Individuals who are in states with a federally-facilitated exchange or a state-based exchange who are affected by a violation by a QHP or SADP, may be eligible for a federally-facilitated exchange special enrollment period and a hardship exemption. CMS will issue additional guidance clarifying the criteria for this special relief.

CMS used the Interim Final Rule to restate its concern that third party payments of premium and cost-sharing by hospitals, other healthcare providers and other commercial entities could skew the insurance risk pool and create an "unlevel competitive field" in the insurance market and continued to encourage QHPs and SADPs to reject payments by those entities.

Issuers of QHPs and SADPs should quickly review (and revise if necessary) their policies and procedures regarding accepting premium payments from the approved organizations listed above to ensure that they are in compliance with the new requirements.

Halifax Health and Government Settle False Claims Act Claims for $85 Million, But Case is Not Over


On March 10, 2014, Halifax Hospital Medical Center and Halifax Staffing, Inc. (collectively, "Halifax") entered into a settlement agreement and a corporate integrity agreement ("CIA") to resolve claims brought under the False Claims Act ("FCA"), alleging Halifax entered into improper incentive compensation arrangements with certain physicians in exchange for Medicare referrals. Halifax agreed to, among other things, pay $85 million in damages, with nearly a quarter of the settlement to go to the qui tam relator, and admit that it violated the Stark Law as described in an earlier ruling by the court. The settlement is said to be one of the largest for Stark Law violations.

Under the CIA, which has a five-year term, Halifax must retain an Independent Review Organization ("IRO") to perform annual reviews for submission to the OIG on whether Halifax is complying with the terms of its CIA. The CIA also requires the Board of Commissioners of Halifax to be responsible for the review and oversight of matters related to compliance with Federal health program requirements and the obligations of the CIA, including meeting at least bimonthly to review and oversee the compliance program and considering the results of the compliance program reviews required by the CIA. In addition to the IRO, Halifax must retain a "Board compliance expert" to assist the Board of Commissioners in fulfilling these responsibilities during the term of the CIA. The CIA also includes the standard reporting and certification requirements found in these types of agreements. The settlement and corresponding CIA arise out of a June 2009 lawsuit filed by qui tam relator Elin Baklid-Kunz, the Director of Physician Services at Halifax. Relator's lawsuit alleged improper billing practices and unnecessary medical admissions in violation of the FCA, and separate Stark Law violations based on alleged improper incentive compensation arrangements whereby physician bonus payments were divided and varied based on the volume of Medicare referrals by each physician. This, in turn, led Halifax to falsely certify compliance with the Stark Law and submit claims in violation of the FCA.

In October 2011, the Government intervened as to the Stark Law-related claims, but declined to intervene as to relator's remaining FCA claims alleging improper billing practices and unnecessary medical admissions. In November 2013, the Court granted partial summary judgment for the Government, finding a Stark Law violation in fact occurred due to the incentive compensation arrangement, but found a genuine dispute of fact regarding the extent of the violation and whether Halifax acted "knowingly" as required to state a claim under the FCA. The Court also did not address relator's remaining FCA claims and thereafter severed, for purposes of trial, the "knowledge" and damages elements of the alleged Stark Law violations from relator's remaining FCA claims alleging improper billing practices and unnecessary medical admissions.

The March 10, 2014 settlement resolves only the alleged Stark Law violations. The remaining FCA violations advanced by relator for improper billing practices and unnecessary medical admissions are set for trial on July 8, 2014.  

Though beyond the scope of this discussion, the Halifax case also dealt with the attorney client privilege and whether such privilege had been waived by Halifax by virtue of the manner in which the internal investigation had been handled. As a result, practitioners should carefully review the court's analysis of this issue.


HHS Settlement: Reminder That HIPAA Applies to Local Governments Big and Small


The U.S. Department of Health and Human Services Office for Civil Rights (HHS) recently announced that it had reached an agreement with Skagit County, Washington to settle potential HIPAA violations involving the County Public Health Department. The settlement arose from a 2011 incident involving the unauthorized disclosure of electronic protected health information (ePHI) of over 1,500 individuals. The settlement also covered what HHS deemed to be the County's "general and widespread non-compliance" with HIPAA. Skagit County has approximately 118,000 residents and the Health Department provides essential services to many individuals who would not otherwise be able to afford healthcare. This is HHS’ first settlement with a county government and is designed to send a strong message about meaningful HIPAA compliance to local and county governments, regardless of size.

HHS began its investigation after receiving notice from the County of a breach involving the ePHI of 7 individuals. Upon investigation, it was determined that the County had violated the HIPAA Privacy, Security and Data Breach Notification Rules. HHS investigators found that the County:

  • Provided access on the County's web server to the ePHI of 1,581 individuals;
  • Never notified the affected individuals of the breach;
  • From 2005 to the present, did not implement policies and procedures to detect and prevent security violations or provide security training to its workforce members, including its Information Security members; and
  • From 2005 until June 2012, did not implement and maintain policies and procedures that were reasonably designed to ensure compliance with the Security Rule.

Although the settlement was not an admission of liability, the County agreed to pay HHS $215,000 and is required to implement an extensive corrective action plan (CAP). Because the County had not previously developed and adopted many of the policies and procedures required under HIPAA, the CAP imposed significant additional obligations, including the development and submission to HHS for approval of many policies and procedures that are required under HIPAA, such as a comprehensive HIPAA compliance plan and procedures for accounting for disclosures. The County is also required to provide substitute breach notification, submit for approval hybrid entity documents that detail the covered healthcare components of its operations, conduct a thorough risk analysis of the ePHI security risks associated with the covered healthcare components of its operations, and conduct appropriate training and submit annual reports for three years regarding the County's compliance with the CAP. Because the County had never adopted or implemented many of the required policies and procedures, the costs of complying with the CAP are likely to be significant and are in addition to the $215,000 settlement payment.

Even though the bulk of HIPAA's requirements have been in place for a decade or more, this settlement indicates there are covered entities or business associates that may not be fully compliant with applicable provisions of HIPAA. The increased enforcement activities by HHS highlight the importance for covered entities and business associates, whether private or public, to take appropriate steps to minimize the chances of impermissible disclosures of ePHI and any resulting enforcement action by HHS. At minimum, a covered entity or business associate should:

  1. Ensure their privacy and security policies and procedures reflect the requirements of the HITECH Act and the HIPAA Omnibus Rule that was effective September 23, 2013 and that workforce members are trained to implement and follow these policies and procedures;
  2. At least annually conduct a thorough risk analysis to identify and mitigate security risks and vulnerabilities associated with ePHI and adopt or revise policies accordingly;
  3. In the event of a suspected privacy breach, timely comply with breach investigation and notification requirements; and
  4. Determine whether existing general liability or professional liability policies provide coverage for data breach incidents and if not, contact their insurance broker about obtaining such coverage.


California Supreme Court Expands Protections to Whistle-Blowers and Weakens Hospital Peer Review Systems


The recent decision by the California Supreme Court in Fahlen v. Sutter Central Valley Hospitals, No. S205568, 2014 WL 655995 (Cal. 2014) may significantly weaken the efficacy of hospital peer review proceedings in California and may have implications for hospitals in other states. The court held that a physician is not required to exhaust peer review proceedings before bringing a statutory whistle-blower retaliation claim under California Health and Safety Code Section 1278.5 against a hospital that institutes what appeared to be a retaliatory peer review action against that physician.

Dr. Fahlen, a physician with staff privileges at a California hospital, had, at various times over several years, heated exchanges with nurses and other hospital staff for allegedly failing to follow his patient treatment instructions. The hospital's Chief Operating Officer contacted the medical director of the physician's practice to complain. Eventually, Dr. Fahlen was terminated by his practice, lost his medical malpractice insurance, and was unable to treat patients at the hospital. The hospital initiated peer review proceedings against Dr. Fahlen and terminated his staff privileges. The physician filed a lawsuit against the hospital pursuant to California's whistle-blower statute without first filing an administrative mandamus proceeding, an appeal of the hospital’s decision that gives deference to the hospital’s decision. The hospital argued that Dr. Fahlen’s claim merited dismissal because California law required him to exhaust all judicial and administrative remedies before suing the hospital under the whistle-blower statute.

Before Fahlen, California law generally required a physician to exhaust all quasi-judicial proceedings afforded by a hospital and attack a hospital's decision through an administrative mandamus action before the physician could sue a hospital in common law tort on the basis that the doctor’s exclusion from staff privileges was retaliatory. In Fahlen, the California Supreme Court distinguished common law tort claims from statutory whistle-blower retaliation claims, which, it found, do not require exhaustion of all judicial and administrative remedies. The court determined that the "clear legislative intent" of the statute contemplated that a peer review proceeding could run contemporaneously with a Section 1278.5 whistle-blower action, particularly given the express legislative purpose behind the whistle-blower statute, which is to encourage and protect whistle-blowers who raise concerns about the quality of patient care.

For the first time on appeal to the California Supreme Court, the hospital advanced a federal preemption argument. The hospital argued that permitting simultaneous actions without exhaustion of all judicial and administrative remedies was at odds with the federal Health Care Quality Improvement Act ("HCQIA"), which establishes a broad immunity from lawsuits for individuals and healthcare organizations that participate in reasonably informed and reasonably justified disciplinary actions by medical peer review bodies. The hospital argued that the HCQIA and its underlying policy is to encourage hospitals and physicians to engage in peer review programs by relieving those parties from the threat of lawsuits. The Supreme Court declined to consider the argument as not properly before the Court, but did note that the HCQIA would not preclude relief such as reinstatement and other injunctive relief in any event.

While this decision only reflects the law in California, it has significant implications for hospitals throughout the United States. Many states have whistle-blower statutes that may be similar to California's whistle-blower statute. Although, as the Court discusses, members of a peer review committee engaged in a bona fide review process (and not one, as the Court noted here, that was initiated with retaliatory motivations) have qualified immunity, that immunity is merely a defense to a claim brought in a lawsuit. In other words, to raise it with any effect, one must actually be party to a lawsuit. Accordingly, one cannot ignore the further practical deterrence that a decision like this will have on the willingness of physicians to participate on a peer review committee. Ultimately, this decision has the potential to chill peer review systems in hospitals, which might also lessen the hospital’s ability to improve patient care.

Thus, more than ever, it is important for hospitals to consult legal counsel early on when considering whether to terminate a physician's privileges as the physician may use the hospital’s conduct before and during peer review as the basis for a whistle-blower action. However, while consulting counsel early in the process gives the hospital some "cover," relying on advice of counsel to justify the hospital's disciplinary decisions necessarily implicates a privilege waiver related to the discussions with counsel about those decisions. Hospitals should also bolster their complaint-filing policies so that they create an environment whereby physicians have clear and effective procedures to submit complaints about patient care and feel free from retaliation by the hospital.

As of now, the reach of the Fahlen decision is confined to California hospitals, but it should be viewed as an indication of things to come in other states, as courts throughout the United States continue to expand protections afforded to whistle-blowers.

Unique Data Breach Settlement – A Sign of Things to Come?


A judge in the United States District Court for the Southern District of Florida has approved a $3 million data breach class action settlement agreement between AvMed, Inc. and plaintiffs. The settlement arises out of a December 2009 theft of unencrypted laptops containing the personal information of individuals who received healthcare coverage through AvMed and, for the first time, permits plaintiffs in a data breach case who did not suffer actual damages to claim a share of the settlement funds. This settlement agreement likely will serve as a model for future data security class action claims.

Under the settlement agreement, AvMed will establish a $3 million settlement fund to pay the following:

  1. Those whose personal information was on the stolen laptops, but who did not suffer identity theft ("Premium Overpayment Settlement Class") may receive $10 for each year that the Premium Overpayment Class Member paid AvMed for health insurance coverage before the December 2009 incident, up to a maximum recovery of $30. This relief reimburses Class members for the portion of premiums that plaintiffs contend AvMed should have spent on adequate data protection.
  2. Those who suffered identity theft ("Identity Theft Settlement Class") will be reimbursed for the amount of any proven actual, monetary loss that is shown by the claimant to have occurred more likely than not as a result of the December 2009 incident. Members of the Identity Theft Settlement Class may also make a claim under the Premium Overpayment Settlement Class.
  3. Attorneys' fees and costs of lawyers for the plaintiffs' class, in the amount of $750,000.
  4. An incentive award of $10,000 to be split evenly among the class representatives for their efforts in serving as class representatives.
  5. The costs of sending notices to the settlement classes as well as all costs of administration of the settlement.

In addition to creating the settlement fund described above, AvMed agreed to implement the following before the settlement is approved by the court:

  • Mandatory security awareness and training programs for all company employees;
  • Mandatory training on appropriate laptop use and security for all company employees whose employment responsibilities include accessing information stored on company laptop computers;
  • Upgrade all company laptop computers with additional security mechanisms, including GPS tracking technology;
  • Implement new password protocols and full disk encryption technology on all company desktops and laptops so that electronic data stored on such devices is encrypted at rest;
  • Physical security upgrades at company facilities and offices to further safeguard workstations from theft; and
  • Review and revise written policies and procedures to enhance information security.

This settlement agreement demonstrates that healthcare providers, health plans, and their business associates may have increased exposure for damages in data breach lawsuits even when plaintiffs cannot establish actual damages as a result of a breach. It will now be easier for plaintiffs to claim that a portion of their health insurance premiums or their payment for medical care should have been used to improve data security. Plaintiffs have pleaded this unjust enrichment theory in other data breach cases in Florida courts without success. (See previous blog posts here and here.) Time will tell if the AvMed settlement breathes new life into unjust enrichment and other novel data breach theories. In the meantime, healthcare providers, health plans, and their business associates should implement the prospective relief steps outlined above to minimize the risk of a costly data breach.

35 Days and Counting - R.I.P. Windows XP


Effective April 9, 2014, Microsoft will no longer provide technical support or security updates for the Windows XP operating system. According to Microsoft, personal computers running Windows XP after April 8, 2014 should not be considered to be protected.

This announcement means that covered entities and business associates under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") who continue to use Windows XP after April 8th will likely be in violation of the HIPAA Security Rule. The Security Rule does not mandate minimum operating system requirements for computer systems. However, according to guidance from the U.S. Department of Health and Human Services Office for Civil Rights, any known security vulnerabilities of an operating system should be considered in a HIPAA risk analysis. In other words, a risk analysis should consider whether an operating system contains known vulnerabilities for which a security patch is unavailable because the operating system is no longer supported by its manufacturer. Based on the statements by Microsoft and the HIPAA Security Rule requirement to have technical safeguards in place for electronic protected health information, covered entities and business associates who do not switch to another operating system operate at their own peril.

To minimize the risk of suffering a data breach, covered entities and business associates should:

  1. Determine whether any of their computers are currently running Windows XP; and
  2. Update from Windows XP to a newer operating system that is supported by the manufacturer before April 9, 2014.

Thought Leaders: These are "Turbulent," "Transitional" Times in Healthcare


The phrase "the only constant is change itself" has rarely been so true across an entire industry. The U.S. healthcare sector is having to adjust to rapidly changing times. That whirlwind of change was discussed by industry leaders at Akerman's recent panel event titled "Healthcare Issues for 2014: What Can You Expect?"

Panelists included Karen Zeiler, Senior Vice President of the Florida Hospital Association; George S. Huang, Director and Senior Analyst for Wells Fargo Securities; and Edwin Miller, Vice President of Product Management for electronic medical practice solutions provider CareCloud. The panel highlighted many of the changes which are causing the industry to adapt. Those changes – almost all of which stem from federal healthcare reform – include:

  • Shift in payment models from fee-for-service to paying for value
  • Increased focus on health outcomes
  • Changes in care delivery models
  • Payment cuts to hospitals and Medicaid
  • Taxes on insurers and medical devices
  • Electronic medical records incentives and innovative uses
  • New ICD-10 billing codes
  • Changing utilization trends
  • Increased demand for price transparency

Below are some insights from our panelists regarding emerging themes within the healthcare industry.

Bullish Long-Term Outlook

The healthcare sector is in a turbulent, transitional period that has led to conservative behavior by investors. Industry leaders are also building up their balance sheets and shifting new capital expenditures to information technology ("IT") and less-expensive care settings such as outpatient surgery centers. Total healthcare bond issuance has decreased significantly since 2008, but there is optimism that industry outlook will be positive over the 7- to 10-year range, so long as health systems find innovative ways to improve the way care is delivered and integrated, optimize capacity and increase efficiency.

Hospitals Facing Cuts, Innovating Despite Lack of Medicaid Expansion in Florida

Reductions in reimbursement and increased medical device taxation under the Affordable Care Act ("ACA") have increased pressure on hospitals to innovate. Adding to the burden is the high level of uncompensated care that hospitals are obligated to provide. In Florida alone, hospitals provided $3 billion in charity care last year. Expanding the Medicaid program could reduce the number of uninsured Floridians (estimated at four million), but hospital leaders do not expect expansion to pass the Florida House of Representatives this year. Meanwhile, hospitals are: (1) investing in new IT tools to better understand data, improve outcomes, and reduce costs; (2) eliminating waste in the supply chain by examining under-utilization and eliminating over-capacity; and (3) consolidating to increase market share, expanding further into the outpatient same-day acute market, and acquiring a large number of physician practices.

Emphasis on Interoperability and Meaningful Use

To achieve meaningful use and accountable care milestones, providers require a platform of interoperable IT resources that integrate, manage and analyze provider data. In response to this need, hospitals are shifting investments from the physical plant to the IT infrastructure. Cloud-based information systems are increasing in prevalence, with many providers moving toward integrated practice management solutions, incorporating clinical, financial and operational information into a single platform. Although the vision of seamless interoperability has not yet materialized, the industry is making great strides while adapting to new healthcare delivery models under the ACA.

Tomorrow is Here

The industry is changing and adapting to healthcare reform and advances in technology at a rapid pace. Providers and patients will experience glitches and bumps along the way as new care models are ironed out and new technology is introduced. Hopefully, presuming the bullish investors are correct, the industry will adapt to thrive, and patient outcomes will improve.


HHS Allows Third-Party Premium Payments by Tribes and Non-Profits


We previously reported that the U.S. Department of Health and Human Services ("HHS") has discouraged hospitals and other third parties from paying patients' premiums or cost-sharing. HHS stated in its November 4, 2013 FAQ that it "has significant concerns with this practice because it could skew the insurance risk pool and create an unlevel field in the Marketplaces." In other words, if hospitals and other providers pay premiums for the sickest patients, HHS has expressed its concern that doing so will shrink the proportion of healthy patients so necessary to keep the insurance risk pool afloat.

In response to the HHS November release, there were questions about whether the FAQ applied to payments of premiums and cost sharing made on behalf of qualified health plan ("QHP") enrollees by certain types of third party payors, including Indian tribes and non-profits. On February 7, 2014, HHS issued two new FAQs addressing these questions.

Specifically, the new FAQs state:

  • The November 4, 2013 FAQ does not apply to payments for premiums and cost sharing made on behalf of QHP enrollees by Indian tribes, tribal organizations, and urban Indian organizations. In fact, QHP issuers and state and federal insurance Marketplaces are encouraged to accept such payments.
  • As previously stated in the 2015 Draft Letter to Issuers on Federally-Facilitated and State Partnership Exchanges, a Marketplace may permit Indian tribes, tribal organizations, and urban Indian organizations to pay QHP premiums on behalf of members who are qualified individuals, subject to terms and conditions determined by the Marketplaces.
  • State and federal government programs or grantees – specifically the Ryan White HIV/AIDS Program – may in fact pay premiums on behalf of their members who are eligible to purchase coverage through the Marketplaces.
  • Private, non-profit foundations may pay premiums and cost sharing for patients if the patients are selected based on defined financial status criteria. The patient's health status may not be considered, and the premium and any cost sharing payments must cover the entire policy year.

Any groups not specifically mentioned in the February FAQ should continue to avoid paying premiums or cost sharing on behalf of patients. While the February FAQ authorizes such payments in specific situations, the cautionary language in the November FAQ still stands, generally, with regard to hospitals, doctors, and all other third parties.

The Doc Fix: Do We Finally Have a Permanent Solution?


Will physicians finally be free from worrying that their Medicare payments will be severely slashed? During the first week in February, Republicans and Democrats in the U.S. House of Representatives and Senate agreed on a bill which would repeal the SGR formula and thus avoid the necessity for a recurring, last-minute stop-gap fix, known as the "doc fix."

In 1997, Congress passed a budget law designed to slow the increase in Medicare spending.  The law linked Medicare reimbursements to physicians to economic growth through a formula called the "sustainable growth rate" (SGR).  If Medicare expenditures exceeded a specified target, reimbursement for physician services would be reduced in the following year, to keep aggregate spending under control.

Medicare spending has exceeded the target every year for more than a decade, setting up the doctors for significant pay cuts.  Each year, Congress has jumped in, often at the 11th hour, just before the reimbursement cuts were to be implemented, with a short-term "doc fix" to prevent the cuts from becoming effective.  Because the would-be cuts are cumulative, the reduction in reimbursements to physicians would now be staggering if it went into full effect.

The new proposal, which would be phased in over a period of years, seeks to better align Medicare payments to physicians with medical outcomes and quality of service, moving away from the current fee-for-service system.  Beginning in 2018, physicians providing services to Medicare patients could earn bonuses, or could suffer penalties, for achieving, or failing to achieve, certain medical quality targets and for making "meaningful use" of electronic health records.

The new proposal is not yet a done deal; Congress has not yet come up with a way to pay for the new plan.  The clock is ticking, though.  Under the SGR formula, current Medicare physician pay rates are scheduled to be cut by 24% as of March 31, 2014, so there is severe time pressure to find a solution.

Watch this space for future developments and to see if Congress can come up with a permanent solution for the annual "doc fix."

New Privacy Rule Gives Patients Right to Access Lab Test Reports


On February 6, 2014, the Centers for Medicare and Medicaid Services (CMS) and the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) issued a final rule amending the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to provide individuals the right to access test reports directly from laboratories subject to HIPAA. The goal of the final rule is to provide individuals with a greater ability to access their health information, empowering them to take a more active role in managing their health and healthcare.

Under the final rule, HIPAA-covered labs must:

  • Disclose lab test results to individuals, in most cases, within 30 days of a request for such information. Labs are not required to disclose results to an individual if the individual did not request disclosure.
  • Comply with an individual's request to have the lab transmit a copy of Protected Health Information (PHI) to another person or entity appropriately designated by the individual.
  • Verify the identity and authority of any person requesting access to lab test results as a personal representative of the individual. If the lab cannot verify the identity and authority, it may not release the test report.
  • Disclose test reports that the lab maintains even if the test report was created before the effective date of the final rules.
  • Subject to a narrow limitation, disclose test reports to the individual upon request even if the lab test is considered "sensitive," i.e., tests for sexually transmitted disease, pregnancy test, etc.
  • Allow individuals to make requests for test reports directly to the lab and not require the individual to make the request to the healthcare provider.
  • Charge only the reasonable, cost-based copy fee permitted under the HIPAA Privacy Rule. HIPAA covered labs may not charge fees for verification, documentation, liability insurance, maintaining systems and other similar activities.
  • Revise their Notice of Privacy Practices by October 6, 2014 to inform individuals of their right to access PHI directly from HIPAA covered labs, include a brief description of how to exercise this right, and remove any contrary statements from the existing notice. Ordering providers are not required to update their privacy notices.
  • Not withhold an individual's PHI because the individual has not paid the lab for services provided.

The Final Rule also explains what is not required:

  • With respect to employment-related testing, the CLIA regulations do not apply to the employer or entity that performs substance abuse testing for the purpose of employment screening where the results are merely used to determine compliance with conditions of employment.
  • CLIA labs that are not subject to HIPAA have discretion to provide individuals with direct access to lab test reports, subject to any applicable state laws that may limit access.
  • The final rule does not require labs to interpret test reports for individuals, although labs may provide additional education material regarding the test results if they choose to do so.

In the commentary, HHS says that effective April 7, 2014, the final rule preempts any state laws that prohibit individuals from having direct access to their test reports or that allow test results to go directly to the patient only with provider approval. The rule does not preempt any state laws that require labs to provide access earlier than the 30-day requirement under the HIPAA Privacy Rule or state laws that prohibit parents and guardians from accessing the PHI of their minor children.

HHS intends the final rule to provide labs with flexibility in setting up systems to receive, process, and respond to requests for access by individuals as long as those systems comply with the requirements of the HIPAA Privacy Rule. Specifically, labs that operate as part of a larger legal entity that is a hospital may continue to use the hospital's already established mechanisms for providing access to individuals requesting their test reports from the hospital labs, provided those mechanisms comply with the access provisions of the HIPAA Privacy Rule.

The final rule is effective on April 7, 2014. HIPAA-covered entities must comply with the rule by October 6, 2014.

HIPAA-covered laboratories in all states, not just those that currently prohibit direct release of lab results to individuals, should review their existing policies and procedures for compliance with the new requirements under CLIA and HIPAA. Those labs that are not covered by HIPAA should also use this opportunity to examine whether to exercise their new authority to respond to requests of individuals for lab results.

Department of Health and Human Services Office of Inspector General's FY 2014 Work Plan Identifies Security of EHR Technology as New Focus


On January 31, 2014, the U.S. Department of Health and Human Services ("HHS") Office of Inspector General ("OIG") released its annual work plan.  Not surprisingly, issues relating to Electronic Health Records ("EHRs") continue to receive significant attention.

Pursuant to the American Recovery and Reinvestment Act of 2009, OIG received funding to evaluate whether funds received by HHS agencies and grantees have been utilized for their intended purposes and in accordance with program requirements. 

This past year, OIG reviewed Medicare and Medicaid incentive payments to providers to determine whether they were erroneous. These efforts will continue this fiscal year, with OIG evaluating whether incentive payments for the purchase, implementation and operation of EHR technology have been claimed by providers and hospitals in accordance with requirements and to assess the Centers for Medicare and Medicaid Services' ("CMS") actions to rectify erroneous payments.

As meaningful-use attestors are aware, a core meaningful-use objective for eligible providers and hospitals is to safeguard EHR information created or maintained by certified EHR technology. 

In 2014, OIG will follow up on this objective by launching a new initiative that will focus on auditing various covered entities receiving EHR incentive payments and their business associates, such as EHR cloud service providers. The OIG plans to target the issue of whether electronic health information created or maintained by certified EHR technology is being adequately protected through these cloud service providers.

The Akerman team stands ready to answer your questions about audits relating to EHR system implementation and use of the technology.  The entire 2014 work plan may be viewed here.

Electronic Health Record (EMR) Systems – One of the Many Ways Technology is Changing Medicine


A Conversation with Brian Foster, Director of Client Solutions at CareCloud

The availability of incentive payments to providers from the Centers for Medicare and Medicaid Services (CMS) to implement electronic medical records (EMR) systems is a hot topic these days among healthcare providers. Marshall Burack, a partner in Akerman's Healthcare Practice Group, sat down with Brian Foster, director of client solutions at CareCloud, a leading provider of healthcare IT solutions, to discuss various EMR-related issues and answer some frequently asked questions from Akerman's physician clients.

Meaningful Use and Medicare Payment Adjustments

Akerman: The government has been making incentive payments to healthcare providers who install interoperable electronic medical records systems and make meaningful use of such systems. Can providers still receive the incentive money?

CareCloud: Incentive money is still available, but the clock is ticking. There are three stages to the incentive program. Stage 1 focuses on data capturing and sharing. Stage 2 focuses on advanced clinical processes, and Stage 3 will focus on improved outcomes. Stage 2 starts this year (2014). Here are some key guidelines:

  • Make sure any EMR you purchase is labeled as "2014 Certified."
  • If you are a Medicare-eligible professional, you need to start this year with Stage 1, and you must use the EMR for a 90-day period beginning no later than July 1, 2014.
  • If you've already completed Stage 1, then you simply need to report for one 3-month period fixed to any calendar quarter in 2014. If you are a Medicaid-eligible professional, you can choose any 90-day period this year.
  • Also beginning this year, you will be required to report on 9 out of 64 Clinical Quality Measures (CQMs) in order to demonstrate Meaningful Use, regardless of whether you are participating in Stage 1 or Stage 2 of the Incentive Program. CQMs for adults include measures such as "controlling high blood pressure" and "use of imaging studies for low back pain."

The much talked about payment adjustments (Medicare's euphemism for "penalties") will begin in 2015 for providers who do not demonstrate meaningful use by October of this year.

Cloud-Based Software vs. Server-Based

Akerman: Some of our physician clients who are looking to purchase new practice management and EMR software are confused by the term "cloud-based." What does this mean and what are the advantages?

CareCloud: With a cloud-based system, you should not have to purchase, install or manage any software. A system that is truly "cloud-based" allows you to access it from any hardware (Mac or PC), using any Internet browser (e.g., Microsoft's Internet Explorer, Google Chrome, Safari, or Firefox), and from any geographic location (e.g., office, home, or mobile hot spot) – all with complete security and reliability. Think of the way you access Gmail, for example – you do not download software or require special hardware; once you log in, you access the Gmail service from any device, using any browser, from any location with an Internet connection.

Security breaches also are rare in cloud-based Practice Management (PM) software systems since there is no patient data in your office or on a laptop that could be stolen. As always, be sure you have a current and robust data security compliance plan for your medical office.

When purchasing a cloud-based service, since you are not responsible for software maintenance, upgrades, or fees for adding new users, costs can also be significantly lower if you engage in a "software as a service (SaaS)" agreement, depending on the vendor. A SaaS agreement differs from a standard software license in that the SaaS customer does not receive a physical or installed copy of the software, no ownership in the SaaS software will be transferred to the SaaS customer, and the customer's right to use SaaS software will end upon termination of the SaaS agreement.

Interoperability: Will Software from Different Vendors Work Together?

Akerman: Should physicians purchase a combined EMR/Practice Management system, or is it preferable to purchase a dedicated EMR system and a separate practice management system?

CareCloud: The ideal solution is to have one vendor and a single product with PM, EMR, and billing tools for your practice. Some practices go the route of purchasing a specialty-specific EMR. However, these products often fall short when it comes to practice management and billing functionality.

You can purchase PM software and, in most cases, these systems can be integrated with your existing EMR (the vendors might charge for this). That means your staff would schedule appointments and collect patient demographics on the PM system, you would document patient encounters on the EMR, and then staff would manage the claims submission and collections back on the PM software. The two systems will push the necessary information back and forth to create a seamless workflow. This type of integration is pretty common today but not every vendor will participate, so make sure you ask about integration before you sign the contracts and not after.


Brian Foster is director of client solutions with CareCloud in Miami. He can be reached at 786.879.9200 or

Marshall Burack is a partner in Akerman's Healthcare Practice Group in Miami. He represents physicians and physician groups, and other participants in the healthcare industry in various corporate and business matters. He can be reached at 305.982.5603 or

