Failure to Provide Communication Aid Costs Hospital $20K

John Dempsey Hospital agreed to pay $20,000 as compensation to a patient after failing to provide auxiliary communication aids during an emergency department visit. The patient, who is deaf and uses American Sign Language for communication, had to rely on a companion for all treatment communications.  In addition to paying compensation to the patient, the hospital is required to undergo a comprehensive review of its corporate policies and procedures to implement changes to enhance access, address intake and grievance procedures, adjust technology capabilities and institute staff training to ensure compliance with Section 1557.

Despite requesting interpreter services upon arrival at the hospital’s emergency department, the patient was not provided an interpreter or video remote interpreting services and had to rely on a companion to interpret throughout the hospital visit. After receiving a complaint about the incident, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), in partnership with the U.S. Attorney’s Office of the District of Connecticut, conducted a compliance review of the hospital’s policies and procedures to determine compliance with the nondiscrimination provisions found in Section 1557 of the Patient Protection and Affordable Care Act (ACA). This is the first OCR settlement agreement under Section 1557 that provides for monetary damages specifically to a patient.

In general, Section 1557 expands upon existing federal non-discrimination rules and regulations to prohibit discrimination based on race, color, national origin, sex, age or disability in health programs or activities that receive federal financial assistance. The law applies to most hospitals, skilled nursing facilities, ambulatory surgical centers, home health agencies, hospices, federally qualified health centers, rural health clinics, physician practices, laboratories, pharmacies, outpatient rehabilitation facilities, ESRD dialysis centers, state Medicaid agencies as well as insurers that participate in the ACA’s Health Insurance Marketplace.

HHS issued the final rule implementing Section 1557 in 2016 and as of October 2016, entities subject to the rule must post notices regarding the entity’s nondiscrimination practices and taglines in at least the top 15 non-English languages spoken in the state that alert individuals with limited English proficiency of the availability of language assistance services. See sample notice and tagline documents here.  In addition, entities subject to the rule with 15 or more employees must designate a compliance coordinator and adopt a grievance procedure.  Section 1557 requires health care entities to ensure effective accessible communications with individuals who need interpreters, including individuals with disabilities as well as individuals with limited English proficiency.

The final rule requires health care entities to take appropriate steps to ensure that communications with individuals with disabilities are as effective as communications with others using appropriate auxiliary aids and services, such as alternative formats, sign language interpreters, and remote video interpreters. Health care entities are also required to make all programs and activities provided through electronic and information technology equally accessible. In addition, the final rule requires health care entities to take reasonable steps to provide meaningful access for individuals with limited English proficiency by providing qualified oral interpretation and written translation services. See HHS’s limited English proficiency resources for effective communications for additional guidance.

Where noncompliance with Section 1557 cannot be corrected by informal means, enforcement can include suspension of, termination of, or refusal to grant/continue federal financial assistance, referral to the Department of Justice and any other means authorized by law. Section 1557 authorizes a private right of action to challenge Section 1557 violations and receive compensatory damages. Affected entities are encouraged to develop and implement a language access plan to ensure they are prepared to take reasonable steps to provide meaningful access to each individual.

HHS has created several resources regarding ACA Section 1557 compliance: see general information and FAQs.

For further information or if you have any questions about ACA Section 1557 please contact Anthony Halbeisen.

 

 

HIPAA Audit Program Phase II – Have You Been Selected?

Phase II of the HIPAA Audit Program has begun, with many covered entities and business associates receiving an “Audit Entity Contact Verification” message from the Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR). The communication requires the individual recipient to verify that he or she is the primary contact for the HIPAA Audit Program.

Does the receipt of this form mean that your entity has been selected for an audit? Not necessarily.

Although receipt of the communication is not a guarantee of an audit, it is the first step in a process that may lead to a comprehensive HIPAA compliance audit of your entity.  According to OCR, the process for the HIPAA Audit Program is as follows:

  1. Contact Verification: OCR will send the Audit Entity Contact Verification to a covered entity or business associate to determine the entity’s primary contact for HIPAA purposes. Covered entities and business associates who receive the form should respond and not ignore the OCR’s request for verification.  The OCR has made it clear that entities who do not respond could still be subject to an audit.
  2. Questionnaire: After the entity’s contact information is verified, the OCR will send a questionnaire to each covered entity and business associate to determine the size, type, and operations of the entity.  Covered Entities will also be required to identify each of their business associates. OCR will use this data to develop the pool of potential auditees for the HIPAA Audit Program.
  3. Selection: OCR will then randomly select entities from the pool for audit.  If selected, the entity will have to visit an OCR web site and upload its HIPAA privacy policies, security policies, and most recent risk assessment. Based on the information uploaded, it is possible that OCR will arrange for an on-site visit of the entity.

The bottom line is that your receipt of the Audit Entity Contact Verification message does not necessarily mean that your entity will be selected for a HIPAA audit.  However, your entity will likely be placed into the pool from which OCR will select entities to audit.

If nothing else, the receipt of the Audit Entity Contact Verification communication should motivate your entity to review current HIPAA privacy and security policies and ensure that they conform to the requirements of HIPAA and the HITECH Act.  In addition, your entity should perform an updated risk analysis to uncover and address gaps in your HIPAA security policies and procedures.

A basic risk analysis should include the following components:

  1. Inventory: An inventory listing all of your information assets that contain health information (e.g. computers, laptops, smartphones, etc.);
  2. Threats: Potential threats to the security of your information assets;
  3. Controls: Current controls to safeguard the assets against the threats;
  4. Vulnerabilities: Any vulnerabilities in the controls;
  5. Likelihood: The likelihood that the threats will exploit the vulnerabilities;
  6. Impact: The impact if the vulnerabilities are exploited (e.g. how much health information is at risk); and
  7. Risk: The overall risk of a threat based on the likelihood and potential impact of the threat’s exploitation of a vulnerability.

It is important to develop policies and procedures to address any risks that your entity uncovers as a result of the risk analysis.

Although the HIPAA Audit Program can be a source of anxiety for covered entities and business associates, it can also be a great opportunity to update HIPAA policies and procedures and ensure that your entity is doing everything possible to safeguard health information.

For more information about the HIPAA Audit Program and HIPAA compliance issues, please contact Casey Moriarty.

Can non-MSSP ACOs qualify for Tax-Exempt Status?

The Internal Revenue Service (IRS) recently affirmed its decision to deny 501(c)(3) tax-exempt status to an accountable care organization (ACO) that did not participate in the Medicare Shared Savings Program (MSSP). The IRS initially denied the ACO’s request for tax exempt status in a determination letter dated August 25, 2014. While neither the determination letter nor subsequent appeal is precedential, they provide valuable guidance for ACOs operating as tax-exempt organizations or pursuing tax-exempt status.

The ACO was formed by an existing exempt 501(c)(3) organization (System). The ACO’s purported purpose was furthering the triple aim health care reform goals (Triple Aim Goals) established by the Patient Protection and Affordable Care Act (PPACA), i.e. reducing healthcare costs, improving patient access to and the quality of medical care, and improving population health and patient experience. The ACO strove to further the Triple Aim Goals by acting as the representative for its providers in the negotiation and execution of agreements with third-party payers. The ACO’s providers included physicians employed by System, independent practice groups whose physicians were employed by System, and providers unaffiliated with System. Approximately half of the physicians participating in the ACO worked for independent practices or independent hospitals unaffiliated with System.

The IRS denied the ACO tax exempt status on two separate grounds. First, the IRS determined that the ACO was not operated exclusively for exempt purposes within the meaning of the Internal Revenue Code. The IRS then determined that the ACO was also not operated primarily for a public purpose.

Operated Exclusively for Exempt Purposes:

In order to qualify for 501(c)(3) status, an organization must be organized and operated exclusively for an exempt purpose. An organization is regarded as being operated exclusively for one or more exempt purposes if it engages primarily in activities that accomplish an exempt purpose. An organization is not operated exclusively for an exempt purpose if more than an insubstantial part of its activities is not in furtherance of an exempt purpose. Two exempt purposes recognized by the IRS are lessening the burdens of government and the promotion of health.  In its determination letter, the IRS applied both exempt purposes to the ACO, before determining that the ACO was not operated exclusively for an exempt purpose.

Lessening the Burdens of Government:

In order for an activity to lessen the burdens of government, there must be an objective manifestation that government considers the activity to be its burden. Provisions of the PPACA encourage and support ACO cost sharing arrangements. In its determination letter, the IRS acknowledged that participation in the MSSP by an ACO will generally further the exempt purpose of lessening the burdens of government. The IRS continued, however, that the government has not provided an objective manifestation that it considers the activities of ACOs that do not participate in the MSSP to be its burden, regardless of their furtherance of the Triple Aim Goals. Accordingly, the IRS determined that the ACO’s activities did not further the exempt purpose of lessening the burdens of government.

This conclusion suggests that ACOs that do not participate in the MSSP may not be able to qualify for tax-exempt status by lessening the burdens of government. Such non-MSSP ACOs may be able to lessen the burdens of government through other means; however, furthering the Triple Aim Goals of the PPACA alone appears to be insufficient. ACOs that intend to further the Triple Aim Goals should either participate in the MSSP or establish an exempt purpose other than lessening the burdens of government.

Promoting Health:

The promotion of health has long been recognized as an exempt purpose. However, not every activity that promotes health furthers exemption under Code Section 501(c)(3). For example, selling prescription pharmaceuticals promotes health, but is not a tax-exempt activity. In its determination letter, the IRS provided that while the Triple Aim Goals generally promote health, not all activities that support the Triple Aim Goals further the promotion of health for purposes of Code Section 501(c)(3). The ACO’s primary activity was negotiating with private insurers on behalf of its providers, many of which were unrelated to the ACO. The IRS determined that the link between negotiating with private insurers and promoting health was insufficient. Accordingly, the IRS concluded that the ACO was not operated exclusively in furtherance of the exempt purpose of promoting health.

This conclusion provides two insights. First, it indicates that an ACO whose purpose is furthering the Triple Aim Goals can qualify as being operated exclusively for the exempt purpose of promoting health. This is a valuable insight for ACOs that would prefer not to participate in the MSSP, but would like to receive tax-exempt status. Second, the IRS’ determination letter indicates that negotiating with private insurers likely is not sufficiently connected to promoting health. Accordingly, the activities of ACOs that do not participate in the MSSP will require a closer nexus to promoting health in order for such ACOs to qualify as tax-exempt organizations.

Benefiting a Public Purpose:

In addition to being organized and operated exclusively for exempt purposes, organizations seeking tax-exempt status must be organized and operated primarily for a public purpose. Organizations that primarily serve private interests instead of public interests are not eligible for tax-exempt status. Notwithstanding the foregoing, limited private benefits are permissible, when a benefit to the public cannot be achieved without necessarily benefiting private individuals and the private benefits are insubstantial to the public benefit conferred by the activity. In its determination letter, the IRS determined that the ACO conferred an impermissible private benefit.

As discussed above, the ACO’s primary activity was negotiating with private insurers on behalf of its providers. The IRS determined that the ACO’s negotiations only indirectly benefitted the community, compared to the benefit conferred to the ACO’s providers. Further, the IRS determined that the ACO’s activities were not the only means of conferring the benefit to the community. Accordingly, the IRS determined that the ACO conferred an impermissible private benefit to its providers. This example stands as a reminder that the primary benefit of an organization’s activities must flow to the public and not private interests, in order for the organization to receive tax-exempt status.

Conclusion:

The IRS’ determination letter and holding on appeal provide three valuable lessons for ACOs operating as tax-exempt organizations or pursuing tax-exempt status. First, in the opinion of the IRS, the activities of ACOs that do not participate in the MSSP do not further the exempt purpose of lessening the burdens of government. Second, while the Triple Aim Goals generally promote health, not all activities that support the Triple Aim Goals adequately further the promotion of health. For example, negotiation with private insurers on behalf of healthcare providers is not sufficiently tied to promoting health. Third, regardless of whether an ACO is organized and operated exclusively for an exempt purpose, the primary benefit of an ACO’s activities must flow to the public and not private interests.

A Question of Privilege: Protecting Data in a Clinically Integrated Network

In this emerging era of healthcare reimbursement based on value, many providers are considering different ways to provide services to patients.  The old fee-for-service model, which often awarded providers based on volume, is being replaced with a model that incentivizes providers to provide quality care at reduced costs.

In order to position themselves for value-based reimbursement, many providers have banded together to form clinically integrated networks (CINs) to coordinate and standardize patient care across various service lines.

Whatever term is given to these networks (e.g. CINs, accountable care organizations, accountable care networks, etc.), the goal of these entities is to enable a diverse array of independent providers to provide high quality, value-based care.

Many CINs have entered into “shared savings” contracts with payors, under which a CIN’s provider-members have the monetary incentive to meet certain quality-based metrics.

In order for these networks to be truly “clinically integrated,” it is critical that provider-members transmit data to the CIN related to their treatment of patients.

For example, in order to ensure the proper care of patients, primary care providers may be required to provide the CIN with the blood pressure levels of patients who are managing high blood pressure.

To incentivize high quality care, the providers whose patients have blood pressure levels consistently within an acceptable range will receive a larger payout of any “shared savings” money than providers whose patients consistently have higher levels.

Without the receipt of detailed treatment data from providers, CINs would not be able to effectively set quality-based metrics, recommend best practices, and incentivize value-based care.

But there is an important question that CINs should consider: Is the data submitted by a CIN’s provider-members privileged and protected from discovery in a lawsuit?

The Peer Review Privilege

The importance of protecting sensitive information related to a healthcare provider’s services is not a new concept.

Many states throughout the country have recognized the “quality improvement” or “peer review” privilege, which protects certain documents and information that are created during the course of a quality assurance review of a provider’s treatment of patients.

The privilege is a critical mechanism to ensure that peer reviewers engage in frank and open discussion of a provider’s practice without the threat of having all of their discussions obtained by a patient or the patient’s attorney.

For example, let’s assume that a peer review committee of a hospital is reviewing the competence of an OB/GYN physician whose patient had complications during childbirth.  The patient has provided her notice of intent to sue the hospital and the physician for malpractice.

In order to ensure that physician-error did not contribute to the bad result, the hospital’s peer-reviewers closely scrutinize the physician’s performance, and also the performance of the hospital’s support staff.  Their objective is to find any deficiencies that can be corrected for future cases.

Without the peer review privilege, the hospital could be forced to release the peer reviewers’ frank discussions related to the providers’ and hospital’s potential culpability to the patient’s malpractice attorney.  These self-critical discussions and documents could be a goldmine for the patient’s case against the hospital.

Clearly, the peer review privilege is essential for a healthcare provider’s risk management.

Peer Review Privilege and Clinically Integrated Networks

Providers and CINs commonly assume that the peer review privilege applies to any data transmitted between the CIN and the CIN’s provider-members.

But this might not be an accurate assumption.

In reality, the peer review privilege in many states is very narrow and only applies if the provider has met strict requirements.

For example, the Washington State peer review privilege solely applies to information created specifically for, and collected and maintained by a regularly constituted “coordinated quality improvement committee.”

The privilege is waived if any of the information or documents are disclosed to anyone outside of the committee.  One key exception is that a coordinated quality improvement committee of one entity may share information with a coordinated quality improvement committee of another entity.

The primary issue for CINs is that Washington State law only allows certain entities, such as hospitals, medical facilities, provider groups of five or more providers, and health carriers, to form a coordinated quality improvement committee.  WAC 246-50-005.

The rules do not explicitly permit a clinically integrated network or accountable care organization that is a separate legal entity from a medical facility or hospital to form a coordinated quality improvement committee.

Therefore, under Washington State law, there is a risk that provider data shared with a CIN will be unprotected from discovery in a lawsuit.

A Possible Alternative: The Patient Safety and Quality Improvement Act

It may come as a surprise to many CINs and providers that data shared between a CIN and a provider could be subject to discovery in a legal proceeding.  However, unless a state law allows a CIN to take advantage of the peer review privilege, quality data received by a CIN is potentially at risk.

One alternative that CINs should consider is the privilege set forth in the federal Patient Safety and Quality Improvement Act (PSQIA).

The PSQIA is a federal law enacted in 2005 that created a broad privilege for “patient safety work product,” which a provider may disclose to a “patient safety organization.” These terms are defined as follows:

  • Patient Safety Organization (PSO): A private or public entity (or component of such entity) that is listed as a PSO by the Secretary of Health and Human Services.
  • Patient Safety Work Product (PSWP): Includes any data, reports, records, memoranda, analyses, or written or oral statements which could improve patient safety, health care quality, or health care outcomes; and
    • Which are assembled or developed by a provider for reporting to a PSO and are reported to a PSO; or
    • Are developed by a PSO for the conduct of patient safety activities; or
    • Which identify or constitute a provider’s deliberations, analyses, or reporting related to information disclosed to a PSO.  A provider’s procedures for collecting and reporting information to a PSO are known as the provider’s “patient safety evaluation system” (PSES).

Importantly, PSWP does not include the original medical record of the patient or other information that is collected or maintained separately from the provider’s collection and reporting to the PSO.

Therefore, if a CIN were to create a PSO, quality information shared between a CIN and its provider-members could be protected from discovery in a lawsuit.  Even better, the PSQIA privilege is never waived – even if the information or documents are subsequently improperly disclosed by the PSO.

In comparison to the Washington State peer review privilege, the privilege under the PSQIA appears to be broader and more appropriate for the activities of a CIN.

Creating a PSO for a Clinically Integrated Network

Although the privilege protections of the PSQIA should interest CINs and their participating members, it is important to review the major steps needed for the proper creation of a PSO.

  1. Eligibility: The first step is to confirm that the CIN is eligible to create a PSO.  Under the rules, any private or public entity can create a PSO, so long as the entity is not listed as “excluded” by the PSQIA. The list of excluded entities includes:
    • Health insurers;
    • Regulatory agencies;
    • Accreditation and licensure entities; and
    • Entities that administer a federal, state, local, or tribal patient safety reporting system to which health care providers are required to report.

If one of these types of agencies has an ownership interest in the CIN, it is critical that the CIN’s governing documents make clear that such entities do not exercise any control over the operation of the PSO.

  2. Separate Legal Entity: In order to ensure compliance with the PSQIA, and insulate liabilities, the CIN should consider forming the PSO under a separate legal entity (e.g. limited liability company). The primary mission of the separate PSO entity must be the improvement of patient safety and the quality of health care delivery. Under the PSQIA rules, the PSO would be a “component” of the CIN.
  3. Workforce: The PSO must be staffed by a qualified “workforce,” which must include employed or contracted licensed healthcare providers. The CIN can share staff with the PSO, but such staff members should sign confidentiality agreements stating that they will not improperly disclose PSWP to the CIN.
  4. Policies: The PSO must create policies and procedures to meet the eight patient safety criteria in the PSO:
    • Efforts to improve patient safety and the quality of health care delivery;
    • The collection and analysis of PSWP;
    • The development and dissemination of information with respect to improving patient safety, such as recommendations, protocols, or information regarding best practices;
    • The utilization of PSWP for the purposes of encouraging a culture of safety and of providing feedback and assistance to effectively minimize patient risk;
    • The maintenance of procedures to preserve confidentiality with respect to PSWP;
    • The provision of appropriate security measures with respect to PSWP;
    • The utilization of qualified staff; and
    • Activities related to the operation of a PSES and to the provision of feedback to participants in a PSES.
  5. Participation Agreement: The PSO should enter into a template Participation Agreement with the CIN’s provider-members. Among other requirements, the Agreement should specify a standardized manner for the providers’ transmission of data to the PSO. The PSO and the CIN’s provider-members should also enter into a HIPAA Business Associate Agreement.
  6. Patient Safety Evaluation System: Each provider entity should set up its own policies and procedures for reporting PSWP to the PSO. This reporting structure will be each provider’s “patient safety evaluation system.”
  7. Consent for Disclosure to the CIN: The PSQIA permits a PSO to disclose PSWP back to a participating provider for “patient safety activities.”  However, due to the fact that a CIN is not a “provider” of healthcare services, it is not able to contract with the PSO and receive PSWP. This could be a problem if the CIN needs access to identifiable PSWP in order to develop quality metrics, create best practices for the members, or distribute any shared savings money.  In order to ensure that the CIN is able to receive PSWP from the PSO, each CIN provider-member should sign a consent that permits the PSO to disclose PSWP to the CIN for the purposes of clinical and financial integration.
  8. Apply for Certification: In order to officially become a PSO, the PSO entity should apply for certification from the Agency for Healthcare Research and Quality (https://pso.ahrq.gov/forms/initial/). After approval, the PSO will be listed for a period of three years. The PSO must renew its listing after the three-year period.

Please note that this is not an exhaustive list of requirements for PSOs, but it does contain many of the major steps that should be considered in forming a PSO.

By going through the process of forming a PSO, a CIN may have a better chance of protecting sensitive quality data than relying on state peer review privilege laws.

For more information on the peer review privilege, clinically integrated networks, and patient safety organizations please contact Casey Moriarty.

Stolen Laptop Costs Research Institute Millions

The Feinstein Institute for Medical Research (Feinstein) recently agreed to pay the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) $3.9 million to settle allegations that Feinstein violated the HIPAA Privacy and Security Rules. This settlement confirms the OCR’s position that nonprofit research institutes are held to the same standards as all other HIPAA covered entities.

The OCR began its investigation after Feinstein filed a breach report revealing that a laptop computer containing electronic protected health information (ePHI) had been stolen from an employee’s car. The laptop contained the ePHI of approximately 13,000 patients and research participants. The laptop was unencrypted.

In addition to the breach, OCR’s investigation determined that Feinstein failed to:

(1) conduct a risk analysis of all of the PHI held at Feinstein, including the PHI on the stolen laptop;

(2) implement policies and procedures for granting access to ePHI to workforce members;

(3) implement physical safeguards for the laptop;

(4) implement policies and procedures managing the movement of hardware that contains ePHI; and

(5) implement encryption technology or to ensure that an alternative measure to encryption was deployed to safeguard the ePHI.

HIPAA does not expressly require encryption of ePHI; however, covered entities and business associates that do not encrypt ePHI are required to document why encryption is not reasonable or appropriate. Covered entities and business associates that do not encrypt ePHI are also required to implement measures equivalent to encryption to safeguard ePHI.

In addition to other violations, the OCR’s investigation revealed that Feinstein failed to document why encrypting the laptop was not reasonable or appropriate. Further, contrary to having measures equivalent to encryption for safeguarding ePHI, the OCR found that Feinstein lacked policies and procedures for the receipt and removal of laptops containing ePHI from its facilities and policies and procedures for authorizing access to ePHI.

This settlement provides us with three lessons. First, it’s important to realize that research institutes are held to the same standards as other covered entities. To the extent a research institute maintains PHI, it is essential to develop adequate policies and procedures to protect the PHI. Failing to do so exposes the institute to considerable risk. Second, encrypting ePHI goes a long way towards reducing liability. Had Feinstein’s laptop been encrypted to the NIST standard, Feinstein’s ePHI would have been secured and Feinstein wouldn’t have been required to report a breach. Instead, as is often the case, the OCR’s investigation revealed multiple additional HIPAA violations. By not encrypting ePHI, covered entities and business associates risk not only the cost of a breach, but also the potential for added costs following an OCR investigation. Lastly, covered entities and business associates that don’t encrypt their ePHI are required to document why encryption is not reasonable or appropriate. Failing to do so is a HIPAA violation and subjects covered entities and business associates to liability.

CMS Issues Stark Law Changes

Last week, CMS issued its final rule modifying the Physician Self-Referral Law (also known as the Stark Law), putting into place most of what it proposed to modify this summer. The majority of the new modifications become effective on January 1, 2016, though CMS indicates that many of the changes are just clarifications of existing application of the Stark Law.

Highlights of Some Proposed Revisions

The below list is not an all-inclusive list of the revisions to the Stark Law, but highlights some of the more substantial changes.

Temporary Noncompliance with Signature. Following the confusion between what was considered inadvertent and not inadvertent, CMS has modified this rule to allow the temporary noncompliance with the signature requirements for up to 90 days following the date of noncompliance regardless of the parties’ intention for not signing earlier.

Remuneration. The definition of remuneration has been revised to more clearly specify that certain items, devices, or supplies related to the collection, transportation, etc. of specimens are excluded from the definition of remuneration if used solely for one or more of such testing/specimen collection purposes.

Arrangement vs. Agreement. CMS clarifies in several of the exceptions (i.e., personal services, leases, physician recruitment, etc.) that the requirement that the arrangement be set out in writing does not require a single formal contract but rather that several documents may establish sufficient documentation to satisfy the writing requirements. Examples of supplementary contemporaneous documents may include communications between the parties, check requests or invoices, time sheets, and call coverage schedules. Further examples are described within the final rule.

Holdover Provision. Prior to this final rule, the personal service arrangement, rental of office space and rental of equipment exceptions permitted a holdover arrangement for up to 6 months. CMS has modified these provisions to permit indefinite holdovers, provided that the arrangement continues on the same terms and conditions as the original arrangement.

Recruitment of Non-Physician Practitioners. CMS has added a new exception allowing a hospital (FQHC and RHC) to provide remuneration to a physician to compensate for non-physician practitioners if certain conditions are met (including cap of 50% of remuneration paid to non-physician practitioner and restriction on using the exception with the same referring physician only once every 3 years). Such non-physician practitioners include clinical psychologists and social workers, physician assistants, nurse practitioners, clinical nurse specialists and certified nurse midwives.

Timeshare Arrangements. CMS created a new exception for timeshare lease arrangements, which includes both space and equipment (supplies, items, services, etc.). The space/equipment must be predominately used for E/M services and remain on the same schedule. The equipment in the space must also be located in the same building as where the E/M services are furnished, not used to furnish DHS other than those incidental to E/M services furnished at the time of the patient’s visit and not include advanced imaging equipment, radiation therapy equipment or clinical & pathology lab equipment (other than CLIA waived tests).

The changes that relax some of the signature, holdover and writing requirements are consistent with CMS’ experience with SRDP submissions. Further, the new exceptions recognize some of the changes in the delivery of patient care (such as non-physician providers and timeshare arrangements). If you have questions about any of these modifications or the Stark Law in general, please contact Elana Zana.

Naughty or Nice – 60 Day Overpayment Reporting Rule

According to a recent New York District Court decision, whether providers are subjected to an enforcement action under the False Claims Act for failing to report and return an overpayment within the sixty-day window should turn on whether they have been naughty or nice after learning of the potential of an overpayment. In this case, at least at the motion to dismiss stage, the court concluded that the providers had been naughty, which, based on the factual recitations, seemed a pretty easy call. Essentially, the providers were alerted to the potential of substantial overpayments by an employee tasked with examining an overpayment issue. Four days after providing his employer with a spreadsheet detailing the overpayments, the employee was fired and his spreadsheet “filed”. A couple months later, the employee filed his qui tam action in which the United States and the state of New York eventually intervened.

Naughty or nice became important because of the court’s analysis of what constitutes “identification” of an overpayment for purposes of triggering the 60 day report and return obligation. In this regard, according to the decision, at least one thing is certain. The answer is not when the amount of the overpayment is finally calculated with certainty. In response to this argument by the defendants, the court observed this would create “. . . a perverse incentive to delay learning the amount due . . . relegating the sixty-day period to merely the time within which they would have to cut the check.”

The Government took the position that an overpayment is identified when the recipient is put on notice that a certain claim may have been overpaid. The court agreed that defining “identified” “. . . such that the sixty day clock begins ticking when a provider is put on notice of a potential overpayment, rather than when the overpayment is conclusively ascertained, is compatible with the legislative history of the FCA and the FERA highlighted by the Government.”

The court characterized the rule derived from a review of legislative history as “unforgiving”, noting that it provides no leeway for the recipient of an overpayment who “. . . struggles to conduct an internal audit, and reports its efforts to the Government within the sixty-day window, but has yet to isolate and return all overpayments sixty-one days after being put on notice of potential overpayments.” “. . . it nowhere requires the Government to grant more leeway or more time to a provider who fails timely to return an overpayment but acts with reasonable diligence in an attempt to do so.” Any relief for the provider that is diligently attempting to determine whether the potential overpayment is factually and legally an actual overpayment and, if so, the amount of the overpayment to be returned rests with prosecutorial discretion, which according to the court, “. . . would counsel against the institution of enforcement actions aimed at well-intentioned health care providers working with reasonable haste to address erroneous overpayments” because in such a situation the provider would not have acted with reckless disregard, deliberate ignorance or actual knowledge of the overpayment, a requirement of a FCA claim.

In fact, in comments to the court in this case, the Government made clear that this was not a case of a provider working diligently on the claims and on the sixty-first day is still scrambling with its spreadsheets.  “You know, the Government wouldn’t be bringing that kind of claim.”

So the moral of the story is if a messenger notifies you of a potential overpayment, be nice, act with diligence to investigate and quantify any overpayment, and for goodness’ sake don’t shoot the messenger.

To learn more about refunding overpayments please contact Greg Montgomery or Adam Snyder.

 

WHOA ME! TUOMEY!

For the second time in the past three years, Tuomey Healthcare System found its fate in the hands of the 4th Circuit Court of Appeals as a Qui Tam Defendant under the False Claims Act (“FCA”). Only this time it did not fare quite as well in what amounts to a crushing defeat. Back in 2012, pending retrial on allegations that Tuomey violated the FCA, the 4th Circuit Court of Appeals vacated a $45 million judgment stemming from violations of the Stark Law, see prior article here.  Now, on July 2, 2015, the 4th Circuit affirmed the district court’s decision on retrial that Tuomey submitted 21,730 False Claims based on Stark Law violations and was thereby liable for $237,454,195 in damages and penalties. The 4th Circuit rejected Tuomey’s arguments that no reasonable jury could have concluded that Tuomey violated Stark or intended to submit False Claims and that it was entitled to a new trial based upon various assignments of error related to jury instructions and damages issues related to measurement and constitutional matters.

The result is stunning, and should give pause to health lawyers, consultants and healthcare executives who find themselves walking the tightrope between sound business judgment and the complicated maze of the Stark Law and other complex healthcare rules. Indeed, in his concurring opinion, Judge Wynn expressed distaste for the outcome:

But I write separately to emphasize the troubling picture this case paints: An impenetrably complex set of laws and regulations that will result in a likely death sentence for a community hospital in an already medically under-served area…..Health care providers are open to extensive liability, their financial security resting uneasily upon a combination of their attorneys’ wits [and] prosecutorial discretion.” [citations omitted]. Despite attempts to establish “bright line” rules,…the Stark law has proved challenging to understand and comply with.

This case is troubling. It seems as if, even for well-intentioned health care providers, the Stark Law has become a booby trap rigged with strict liability and potentially ruinous exposure – especially when coupled with the FCA.

Judge Wynn’s words were not lost on the majority:

Finally, we do not discount the concerns raised by our concurring colleague regarding the result in this case. But having found no cause to upset the jury’s verdict in this case and no constitutional error, it is for Congress to consider whether changes to the Stark Law’s reach are in order.

Short of congressional action, CMS recently announced Stark-related proposals [http://www.cms.gov/Newsroom/MediaReleaseDatabase/Fact-sheets/2015-Fact-sheets-items/2015-07-08.html] that could ease the burden of the law. Tuomey will need to find its relief elsewhere.

Stark Generally.

A physician may not make a referral to an entity for the furnishing of designated healthcare services (“DHS”) if the physician has a financial relationship with the entity, unless an exception applies. DHS include inpatient and outpatient hospital services. A referral does not include any DHS personally performed or provided by the referring physician. There is a referral, however, when the hospital bills a facility fee in connection with personally performed services. A financial relationship may exist through ownership or a compensation arrangement.

Tuomey’s Reaction to Business Challenges.

Tuomey is a nonprofit community hospital in Sumter, South Carolina, a mostly rural, medically underserved area. In the early 2000s, like so many other community hospitals, Tuomey faced the challenge of dropping outpatient volumes due to physicians performing procedures in their own offices or in ambulatory surgery centers. Tuomey’s future looked bleak and tens of millions in lost revenue was predicted. Tuomey developed a strategy to enter into part-time employment agreements with several previously-independent physicians on its medical staff. The arrangements were problematic for several reasons, without considering their current $237 Million price tag:

 

  • Compensation that varied year to year based on collections;
  • A requirement that Physicians perform outpatient procedures at Tuomey facilities;
  • Productivity bonuses of eighty percent of collections and an additional incentive bonus up to 7 percent of the productivity bonus;
  • Physicians were paid more than their collections, despite fair market value opinions from valuation experts;
  • Tuomey provided malpractice coverage, and performed the billing;
  • Ten year terms with 2 year back-end non-competes;
  • A physician who refused the arrangement and raised specific Stark issues (e.g. the Qui Tam Plaintiff in this case, Dr. Drakeford); and
  • Competing expert legal opinions from top health lawyers who were kept in the dark from one another, and rejection and lack of diligence regarding negative opinions from counsel.

 

Following two trials and two appeals, the 4th Circuit affirmed the $237 Million jury verdict and concluded that the trial court correctly granted a motion for a new trial, and rejected Tuomey’s various claims of error. As discussed below, the Court considered and commented on several important Stark and FCA issues.

Significant Aspects of 4th Circuit’s Opinion

 

Testimony of Kevin McAnaney:

 

Following the first Tuomey trial in 2010, the jury found that Tuomey had violated the Stark Law, but not the FCA. The trial court granted a post-trial motion based on what it viewed as its substantial error in excluding the testimony of Tuomey’s Senior Vice President and Chief Operating Officer, Gregg Martin. The 4th Circuit agreed that a new trial was proper, but reached that decision on slightly different grounds – the trial court’s exclusion of Kevin McAnaney’s testimony. Mr. McAnaney, a lawyer in private practice, was retained by Dr. Drakeford and Tuomey to advise of the Stark Law risks. Mr. McAnaney previously wrote a substantial portion of the Stark Law regulations in his role as Chief of the Industry Guidance Branch of DHHS Office of General Counsel to the Inspector General. The Court and the jury, apparently, found the McAnaney testimony to be particularly probative of the knowledge element of the FCA. McAnaney advised that the Tuomey employment agreements raised significant “red flags” under the Stark Law, such as compensating physicians in excess of their collections, thus making the arrangement “an easy case to prosecute.”

 

On McAnaney’s testimony, the 4th Circuit observed and concluded the following:

 

In the first trial, the jury did not hear from McAnaney and found for Tuomey on the FCA claim. When the case was retried, McAnaney was allowed to testify and the jury found for the government. Coincidence? We think not.

Indeed, it is difficult to imagine any more probative and compelling evidence regarding Tuomey’s intent than the testimony of a lawyer hired by Tuomey, who was an undisputed subject matter expert on the intricacies of the Stark Law, and who warned Tuomey in graphic detail of the thin legal ice on which it was treading[.]

Jury Reasonably Found Stark Violations:

 

It is unremarkable in a general sense that the 4th Circuit refused to set aside a jury verdict and find that no reasonable jury could have concluded that Tuomey violated Stark. Tuomey argued, unsuccessfully, that the only question that should have gone to the jury was whether the contracts, on their face, took into account the value or volume of anticipated referrals. The Court concluded that two components of the physicians’ compensation varied with the volume or value of referrals. The physicians were paid a base salary that was adjusted upward or downward in the subsequent year depending on collections from the prior year. The physicians were also paid a productivity bonus that was set at eighty percent of their collections. The Court concluded that it was “plain that a reasonable jury could find that the physicians’ compensation varied with the volume or value of actual referrals.” The Court also recalled its earlier opinion where it noted that the tainted referrals were the “facility component of the physicians’ personally performed services, and the resulting facility fee billed by Tuomey based upon that component.”

False Claims Act

 

The Court rejected Tuomey’s claim that no reasonable jury could have found a violation of the FCA because it acted on the advice of counsel. The court again pointed to the testimony of attorney McAnaney and amplified the District Court’s conclusion that a “reasonable jury could have found that Tuomey possessed the requisite scienter once it determined to disregard McAnaney’s remarks.” Tuomey’s ‘advice of counsel’ defense ultimately failed because it was unable to show that there had been a full disclosure of all pertinent facts to and among legal counsel, and a lack of good faith reliance on just the favorable legal advice. The Court was not persuaded by Tuomey’s claims that it had, following Mr. McAnaney’s negative view, retained top national health lawyers from reputable firms to complete the transaction.

Tuomey Unsuccessfully Challenges Jury Instructions and Damages Award

 

The Court rejected Tuomey’s various claims of error related to jury instructions. Tuomey argued that the trial court failed to limit the jury’s inquiry to whether or not the contracts, on their face, took into account value or volume of anticipated referrals. The Court emphasized that the jury could consider the parties’ intent to determine if an arrangement took into account volume or value of referrals, but intent alone would not be enough to create a violation.

 

Tuomey argued that the jury should have been separately instructed on the knowledge element in the indirect compensation arrangement definition under Stark and in the FCA. The court found that any such error here was harmless since the jury concluded that Tuomey possessed the requisite scienter under the FCA and also possessed knowledge that the Physicians’ aggregate compensation varied with referrals, a necessary element of the definition of an indirect compensation arrangement under Stark. 42 U.S.C. § 411.354 (c)(2)(iii).

Tuomey claimed that the trial court erred by failing to instruct the jury that disputed legal questions are not false claims under the FCA. As with all providers who bill Medicare, Tuomey was required to certify its compliance with laws, to include the Stark Law. Because the jury found that Tuomey violated the Stark Law, the certification of compliance was false, and therefore all tainted claims were false. This seems like fertile ground for further appellate challenge.

 

The Court rejected Tuomey’s challenge to the trial court’s failure to give an instruction that Tuomey was entitled to rely on legal advice even if it turned out to be wrong. The Court found that other jury instructions regarding knowledge under the FCA already were sufficient to cover Tuomey’s concern in this regard.

 

Finally, the Court rejected various challenges by Tuomey regarding the whopping $237,454,195 judgment. It argued that the trial court improperly calculated the penalty, that it incorrectly measured damages, and that the award violated the 5th and 8th Constitutional Amendments. The Court rejected all of Tuomey’s arguments, and found that the jury was properly instructed to consider all tainted hospital claims – both inpatient and outpatient, to determine prohibited referrals. The Court further concluded that the Government was allowed to rely on summary evidence of referrals, perhaps due in part to the fact that Tuomey did not offer its own expert as to damages calculations. The court rejected Tuomey’s challenge that the Government was not damaged, and rejected Tuomey’s claims that the award was unconstitutional under the Due Process Clause of the 5th Amendment and the Excessive Fines Clause of the 8th Amendment.

The Court rejected Tuomey’s argument that, if it submitted false claims, the only false claims were its annual cost report submissions and not the 21,730 UB-92/04 forms that it submitted. The Court concluded that Tuomey violated the FCA each time it submitted a claim for reimbursement because it was knowingly asking the government to pay an amount that, by law, it could not pay. Again, look for this issue to be prominently featured in a future appellate review of this case.

Takeaways from Tuomey

While Tuomey presents staggering results, it does represent a somewhat unusual set of facts. While it provides a strong reminder that hospitals should critically view their arrangements with referring physicians, it does not preclude the development of sound business and legal strategies within a complicated regulatory legal framework. The following are among the valuable lessons learned from Tuomey:

 

  • Courts and juries may look beyond the four corners of an agreement to determine if an arrangement takes account of volume or value;
  • Courts and juries may look beyond supporting items such as self-serving appraisals to find legal violations; lawyers and their clients are best-advised to validate the assumptions supporting such appraisals;
  • There is a reason that nearly every FCA matter settles and that is due to the sheer potential downside, as evidenced by this case;
  • Review arrangements with physicians and consider them and their fair market value support in the context of the history and intent that led to the arrangements, to determine if they would pass Tuomey-like scrutiny;
  • Take care when bringing in the next lawyer to rule out a prior negative legal opinion or to break the tie between two competing legal opinions – who is the client? Where is the attorney-client privilege? How will all lawyers’ opinions be considered by the lawyers and the client?

 

Adam Snyder is Chair of the Ogden Murphy Wallace Business Department and is a Part-time/Adjunct Faculty member of the University of Washington School of Law. For additional information regarding Tuomey, Stark, or the False Claims Act, please contact Adam Snyder or Greg Montgomery.

 

4 Ways That HIPAA Encourages the Disclosure of Health Information

What’s the first word that comes to mind when you see the term “HIPAA”?

For many individuals in the healthcare market, the word is “NO.”

“Just say no” is a common answer for covered entities and business associates when they are faced with a decision about whether to disclose health information.

But what if I told you that HIPAA actually permits (and even requires) you to say “yes” to many disclosures of health information?

One of the most overlooked aspects of HIPAA is that there are sections that encourage the free-flow of information.  Examples include: (1) disclosures for treatment purposes, (2) disclosures for patient access, (3) disclosures to minimize an imminent danger, and (4) disclosures that are required by state laws.

Disclosures for Treatment Purposes

Let’s get one thing clear: HIPAA allows the disclosure of health information for treatment purposes.

A common misconception among providers is that HIPAA prevents or limits health care providers from sharing health information between each other to provide care for a patient.

This is not true.

I also commonly hear the idea that HIPAA requires a Business Associate Agreement in order for a provider to share health information for the purpose of treating a patient.

This is not true.

In fact, the HIPAA treatment disclosure exception is so broad that it applies to disclosures between health care providers AND the “coordination or management of health care” by a provider and a third party.

The third party does not even have to be a health care provider!

For example, an eye doctor can disclose health information to a contact lens distributor in order to confirm a prescription.  The distributor is not a health care provider, but the disclosure is for the purpose of treatment of the patient.

Patient Access

One common idea is that patients do not have an unfettered right to access their entire medical record.

Many providers feel that they, not the patient, have ownership of the patient’s health information and have no obligation to give the patient unrestricted access.

This opinion has led to more than one Office for Civil Rights investigation.

In reality, HIPAA gives patients broad rights to access their health information and health care providers are required to honor patient requests. Patients are also not required to fill out an Authorization for Release of Records when requesting their own health care information.

With that said, there are some important exceptions to the patient’s access rights under HIPAA, including the limitation on accessing psychotherapy notes, information compiled in anticipation of a lawsuit, or if the access is prohibited under some other law.

But in general, patients have the right to access all of their health information that a provider uses to make treatment decisions about a patient. This includes any health information that a provider received from other providers.

Denial of such access could constitute a HIPAA violation.

Disclosures to minimize an imminent danger or assist law enforcement

Another way that HIPAA encourages the disclosure of health information is seen in the allowable disclosure to minimize an imminent threat to health or safety of an individual or of the public.

HIPAA permits covered entities to disclose health information to persons reasonably able to prevent or lessen the threat.

In addition, HIPAA permits covered entities to disclose health information to law enforcement authorities to identify or apprehend an individual in the following circumstances:

  • An individual makes a statement admitting participation in a violent crime that the covered entity reasonably believes may have resulted in serious physical harm to the victim.
  • Where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody.

There are some key exceptions to this permissive disclosure for mental health counselors. State laws may further restrict the extent of the disclosure exceptions.

However, these are important exceptions that can prevent danger to members of the community.

Disclosures Required By State Law

Another permissive type of disclosure under HIPAA is any disclosure required by state law. A few common disclosure obligations under state law are:

  • Reporting cases of child abuse
  • Reporting cases of vulnerable adult abuse
  • Reporting to law enforcement if an individual has certain types of wounds (e.g. bullet wound).

The HIPAA “required by law” disclosure exception makes it essential for covered entities and business associates to review their state mandatory reporting laws.

Focusing only on the federal HIPAA regulations to inform your disclosure obligations is a mistake.

Conclusion

HIPAA does not always mean “no.”

Of course, it is easy for healthcare market participants to believe this stereotype.  The horror stories of large fines levied on covered entities and business associates who improperly disclose health information are so common.

However, there are many permissive (and some required) disclosures under HIPAA that covered entities and business associates must understand and implement in their business operations.

Learning the types of health information disclosures that HIPAA prohibits and encourages will facilitate the proper flow of information, improve patient experience, and help avoid costly government investigations and fines.

For more information about HIPAA, please contact Casey Moriarty.

Ready for an OIG Security Audit?

At HIMSS15 in Chicago I had the pleasure of speaking with my colleague, Dave Schoolcraft, regarding the OIG Security Audits. These in-depth security audits, conducted not by the OCR or CMS but rather by the Office of Inspector General, delve into the security systems of Eligible Hospitals (and potentially Eligible Professionals) participating in the EHR Incentive Program.

Background

The OIG in its 2014 and 2015 Work Plans identified its plan to audit participants in the EHR Incentive Programs and their business associates, including cloud service providers, “to determine whether they adequately protected electronic health information created or maintained by certified EHR technology.” This audit stretches beyond a typical meaningful use audit and is not only centered on the security of ePHI stored in the CEHRT, but also looks at relationships with downstream service providers. Though EPs and EHs that participate in the EHR Incentive Program are aware of pending audits from CMS (via Figliozzi & Company), including the necessary documentation and security risk analysis requirements, these audits may come as quite a surprise – especially the level of thoroughness the OIG pursues in these audits. Though the OIG identifies the targeted entities due to their participation in the EHR Incentive Program, these audits look nothing like a CMS audit but instead are an in-depth HIPAA security audit.

The Audit

The audit itself is conducted by OIG investigators who are knowledgeable about security infrastructure as well as HIPAA requirements. The OIG commences the audit with a phone call followed by a formal letter notifying the recipient entity of the audit. As stated in its letter, “the objective of [the] audit is to assess if the [hospital’s] meaningful use requirements have protected the confidentiality, integrity and availability of electronic protected health information (ePHI) in its EHR systems.” The OIG sends out a document request/questionnaire with approximately 17 categories and subcategories that it is investigating. In addition to reviewing the responses to the document requests, the OIG auditors come on-site for 2-3 weeks to conduct interviews and personally review the security infrastructure.

Sample audit questions include:

  • Review of the EHR network diagram that shows EHR network architecture including external connections.
  • Provision of a description of internal or external web sites associated with the EHR system including patient portals.
  • Analysis of existing HIPAA policies and procedures, including patch management and access controls.
  • Detailed description of EHR network devices including the manufacturer and model number, software version and primary function.

As stated in the OIG Workplan, the target of the investigation is not only the covered entity itself, but also the relationships with business associates and downstream cloud service providers.

Audit Readiness Plan

It is unknown how many audits the OIG will conduct or what the ultimate goal of these audits is. We believe that the OIG plans on creating a roll-up report to describe the findings of these audits, rather than publishing individual reports; however, this has not been verified because the OIG has denied Freedom of Information Act requests.

We recommend that covered entities prepare for these audits as follows:

  • Gather information regarding existing security infrastructure in place, including relationships about sharing PHI with business associates and downstream providers.
  • Evaluate health IT vendors to determine if they are compliant with business associate agreements – this may include asking the business associate to provide you with evidence and results from a security risk assessment.
  • Identify team members that will respond to an OIG audit request.
  • Conduct a mock audit to fully assess security.

Additional Audits

The OIG Work Plans also identify three other related types of audits.

  1. OIG Audits of Medicare EHR Incentive Program. Earlier this month the OIG issued a number of multi-year audits of EHR Incentive Program participants. These audits are very similar to the CMS Meaningful Use audits conducted by Figliozzi, but are in fact not conducted by CMS. Unlike the CMS audits however, the OIG audits are multi-year and may request information from both Stage 1 and Stage 2 attestations.
  2. OIG Audits of Medicaid EHR Incentive Programs. OIG has conducted at least three audits of states issuing Medicaid EHR Incentive Program dollars: Louisiana, Massachusetts and Florida. Of the three audited, only Florida was found to have issued the EHR Incentive Program dollars correctly. The OIG has instructed the other states to reimburse the federal government for the incorrectly distributed funds and adjust the payment calculations for the hospitals going forward.
  3. OIG Audits of Contingency Plans. Pursuant to the HIPAA Security Rule, covered entities must have contingency plans in place in case of a disaster or other occurrence that damages systems that contain ePHI (45 CFR 164.308). The OIG plans to compare hospitals’ contingency plans with “government and industry recommend practices.”
  4. OIG Audits of AIU Participants. OIG has recently issued new audits investigating AIU attestations. For further detail related to these audits go to: http://meaningfuluseaudits.com/oig-escalates-meaningful-use-audits-of-hospitals/.

 

Preparing for these OIG audits can be accomplished during your own internal Security Risk Analysis and can be a useful tool for verifying the accuracy and thoroughness of your own process. For more information about the OIG Security Audits or other OIG audits please contact Elana Zana or Dave Schoolcraft.