HHS To Issue Additional Guidance Regarding the New HIPAA Marketing Definition and “Refill Reminder” Exception

The Health and Human Services’ Office of Civil Rights (“HHS”) has modified the HIPAA Marketing definition and related exceptions as part of the HITECH “Omnibus” Final Rule which was published on January 25, 2013 and which has a compliance deadline of September 23, 2013. 

In short, the Final Rule defines Marketing to mean any communication about a product or service that encourages the individual receiving the communication to purchase the product or service.  Absent an exception, any such Marketing communication that relies on the use or disclosure of the individual’s Protected Health Information (“PHI”) requires a HIPAA authorization. 

There are several exceptions to the Marketing definition under the Final Rule, one of which is to provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for the individual, but only if any financial remuneration received by the HIPAA-covered entity in exchange for making the communication is reasonably related to the cost of making the communication.  Absent compliance with these criteria, a HIPAA authorization would be required before any such communications were permitted. 

As the September 23, 2013 compliance deadline nears, Adheris, Inc., a company that receives “financial remuneration” from pharmaceutical companies for sending refill reminders to patients, has filed a lawsuit and a motion for preliminary injunction suit against enforcement by HHS of this refill reminder exception under the Marketing definition.  As part of this legal process, Adheris is also seeking further delineation of what “reasonably related” means under this exception. 

According to a joint motion to suspend a briefing schedule on Adheris, Inc.’s motion for preliminary injunction filed on September 11, 2013, in Adheris, Inc. v. Sebelius et al., counsel for the defendants was informed that HHS:  

[I]ntends to issue further guidance concerning the provision challenged by plaintiff in this litigation.  The guidance will pertain to the financial remuneration that would be considered ‘reasonable’ for providing refill communications or other communications about a drug or biologic currently being prescribed to an individual.  HHS expects to issue such guidance by September 23, 2013. 

The joint motion also states that the Secretary of HHS will not enforce the provision regarding financial remuneration for refill reminders for a period of 45 days after the September 23, 2013 date, or until November 7, 2013, but expects to provide guidance on this issue by the September 23, 2013 date.   (Joint Motion, at ¶¶ 4, 5).   

HIPAA’s updated Marketing definition and the many different exceptions are of particular interest to pharmacies, pharmaceutical companies and entities such as Adheris, which qualify as HIPAA business associates to the pharmacies.  Determining what is “reasonable” financial remuneration for a refill reminder is just one of the many issues with respect to the Marketing definition under HIPAA.  It remains to be seen what kind of guidance is issued by HHS in the next few weeks, and whether it will address any of the other exceptions to the Marketing definition. 

If you have any questions regarding the Final Rule, the updated Marketing definition under HIPAA, or the Adheris, Inc. v. Sebelius, et al. matter, please contact  Susan Ziel at sziel@kdlegal.com, Ed Rickert, at erickert@kdlegal.com, or Jaya White at jwhite@kdlegal.com.

What SNF’s need to know about PEPPER

Have you received your provider-specific PEPPER report yet? The Program for Evaluating Payment Patterns Electronic Report (PEPPER) were mailed on August 30 to all free-standing skilled nursing facilities.  The envelopes are addressed to the Facility Administrator. 

The PEPPER report is in direct follow-up from the Office of Inspector General report issued last November discussing how we need to develop a better monitoring system to identify facilities that fall outside of the “normal” in several areas. The report specifically compares each SNF to the national and state averages from the 4th quarter from the past three years for episodes of care ending between Oct. 1, 2009, and Sept. 30, 2012.
The report's goal is to have skilled nursing facilities focus on areas in which they are an outlier. If you fall into the outlier areas of any aspects of this report, CMS feels you may be at a high risk for improper payments relating to up-coding AND down-coding mistakes.
The report focuses on the following areas:
  1. Therapy RUGs with High ADLs — such as, rehab+extensive services, or rehab with “C” ADL scores
  2. Non-therapy RUGs with High ADLs — in other words, nursing only RUGs, no therapy
  3. Change of Therapy Assessments — measured by the volume of COT MDS' your facility completes on a regular basis
  4. Ultra High Therapy RUGs — how strong is your clinical documentation to support the utilization of these RUGs?
  5. Therapy RUGs — compared with nursing-only RUGs
  6. 90+ Day Episodes of Care — targeting extended length-of-stays 
According to CMS, if your SNF’s percent is at/above the national 80th percentile or at/below the national 20th percentile, the SNF is identified as at risk for improper Medicare payments.  It also provides details on “Suggested Interventions for High Outliers” and “Suggested Interventions for Low Outliers.” The PEPPER report is a useful tool that can guide compliance audits for areas of risk.  Audit results should be used to develop specific action plans for ensuring compliant documentation and providing education to your employees.

Additional information on the PEPPER program for SNFs can be found at PEPPER Resources
If you have additional questions about the PEPPER program or ways to incorporate your PEPPER report into your compliance program, please contact Lori McLaughlin at lmclaughlin@kdlegal.com.

 

HIPAA Business Associates … How Do I Know Thee?

HIPAA, as amended by HITECH, imposes significant requirements on those persons or entities who qualify as a Business Associate (BA) as a result of their access to Protected Health Information (PHI) in the performance of services on behalf of a Covered Entity (CE).  For example, a BA could be a third party billing company, a shredding company, a law firm handling a Medicare audit appeal, an accounting firm responsible for cost reports or even a third party responsible for storing PHI off-site.  In each case, the drafting and negotiation of a Business Associate Agreement (BAA) is an important step in confirming BA duties and obligations related to these service arrangements, but it is also important to complete some level of due diligence before the BAA is executed and the CE is in a position to trust the BA with its PHI.   

What should the CE know about a prospective BA? 

To begin, the CE should confirm any and all names that have been used by the BA, whether now or in the past, so to confirm that none of these names are listed in the Office of Inspector General’s List of Excluded Individuals and Entities (OIG) or the General Services Administration’s System for Award Management f/k/a the Excluded Parties List System (SAM).   A review of the OIG Corporate Integrity Agreement database is another way to confirm any prior enforcement actions that may have involved a prospective BA.  Additionally, if the BA maintains certain licenses, registrations or other credentials necessary to perform their services on behalf of the CE, these qualifications should be verified by the CE.  Review of business references, or maybe even a telephone interview with another CE, may also be helpful. 

Proof of insurance coverage and some information about claims history should be requested.  A general search for any public filings about the BA can also provide additional information about their resources, business relationships and reputation.  The BA may also be asked to disclose any outside business relationships which might represent a conflict of interest in doing business with the CE. 

Because the BA is subject to HIPAA, as a result of the HITECH amendments, the CE should inquire about the BA’s HIPAA compliance program, including but not limited to the recent completion of a HIPAA security risk assessment process, the adoption of HIPAA policies and procedures, and the extent to which the BA will engage the services of subcontractors, from time to time, to assist in the performance of services.  Although not a HIPAA consideration, many CEs take additional steps to confirm the health status of the BA who will have any physical contact with the CE’s workforce or clients, including but not limited to up-to-date vaccination records and negative TB testing results. 

How should the CE gather this information about the BA?

The CE can conduct its due diligence using a range of techniques.  The BA could be asked to submit to a formal request for proposal process or the CE may ask the BA to complete and return a due diligence questionnaire.   Selected HIPAA compliance documents may be requested as well.  Depending on the nature of services to be performed, an in-person interview or even a site visit may be in order. 

In summary, the use of a well-drafted BAA, in addition to the use of an effective due diligence process not only makes for a proper introduction to the BA but it also serves another important purpose in allowing the CE to educate the BA and to communicate the importance of HIPAA compliance long before the parties sign on the bottom line. 

If you have any questions or require additional information regarding the establishment of a HIPAA-compliant CE-BA business relationship, please contact Susan Ziel at sziel@kdlegal.com, Mark Morrell at mmorrell@kdlegal.com, Meghan McNab at mmcnab@kdlegal.com or Jaya White at jwhite@kdlegal.com.     

 

HHS Issues Strategic Plan for 2014-2018: What Healthcare Organizations Need to Know

The Department of Health and Human Services (“HHS”) recently released its Strategic Plan Draft for fiscal years 2014-2018.  The strategic plan provides insight into the issues HHS deems a top priority.  In particular, one of the plans main objectives is reducing improper payments, fighting fraud, and risk management.  Currently, the draft plan addresses the following strategies to reach these objectives:
  • Early detection and prevention of bad actors from enrolling in Medicare and Medicaid.
  • Additional focus on screening requirements for both providers and suppliers in high-risk areas.
  • Strengthen the oversight of Medicaid by working with states.
  • Increased oversight of Medicare Part C and Part D by conducting audits.
  • Improving contractor accountability.
  • Supporting ongoing initiatives that address improper payments.
  • Coordinate with the Office of Inspector General, the Department of Justice, and the Federal Bureau of Investigation to pursue the prosecution and punishment of fraudulent activity including focusing on prevention, early detection, and data sharing.
HHS continues to focus on fraud and abuse in healthcare and this strategic plan highlights areas in which the government believes further enforcement can occur.  HHS has instituted several programs to combat fraud throughout the past four (4) years and these initiatives are likely to continue.  For example, HHS recently implemented a Senior Medicare Patrol program in which volunteers are trained to report healthcare fraud, waste, and abuse.  In addition, the Department of Justice, through the Health Care Fraud Prevention and Enforcement Action Team has recovered more than $4.6 billion since 2007.

Every four (4) years HHS updates its strategic plan and solicits public comments regarding the contents of the plan.  This draft provides for a comment period which closes on October 15th, 2013.  

If you or your organization has any questions regarding this strategic plan, or would like to comment, please feel free to contact Robert A. Wade at (574) 485-2002 or Alex T. Krouse at (574) 485-2003.

CMS Further Delays DME Face-to-Face Requirement until 2014

On September 9th, the Centers for Medicare and Medicaid Services (“CMS”) announced delaying the requirement for face-to-face encounters for certain durable medical equipment (“DME”).  Originally, CMS intended this requirement to be enforced as of July 1st; however CMS announced delay until October 1st of this year.  Now, CMS explained it “will start actively enforcing and will expect full compliance with the DME face-to-face requirements beginning by a date that will be announced in Calendar Year 2014.”

Section 6407 of the Affordable Care Act established that a physician must document that a nurse practitioner, physician assistant, physician or a clinical nurse specialist has had a face-to-face encounter with a patient prior to providing a written order for the DME.  This encounter must occur within the six (6) months prior to such an order.  In light of operational issues, CMS is delaying this requirement until a later specified date in 2014.

Tips for Compliance: What Providers and DME Suppliers Need to Know
  • Providers and DME suppliers should continue to implement internal processes to ensure compliance with this requirement.
  • If a nurse practitioner, physician assistant, or a clinical nurse specialist orders certain DME, a physician must document the face-to-face encounter by signing or co-signing the medical record.
  • At a minimum, DME orders must include the beneficiary’s name, the item of DME ordered, the practitioner’s National Provider Identifier, the signature of the ordering practitioner, and the date of the order.
  • Only certain DME are covered under this requirement.  For a complete list, please see the CMS list here.
If you or your organization has any questions regarding this requirement, or have any questions regarding DME, please feel free to contact Robert A. Wade at (574) 485-2002 or Alex T. Krouse at (574) 485-2003.

HHS Awards Navigator Grants

On August 15, 2013, the Department of Health and Human Services (“HHS”)  awarded $67 million in Navigator grants to 105 Navigator groups, which was $13 million more than HHS initially stated it would award.  Indiana received a total of $2,043,596 in grants split between the following four (4) groups: (1) Affiliated Service Providers of Indiana, Inc. ($897,150); (2) Plus One Enterprises, Ltd, LLC ($130,875); (3) Health and Hospital Corporation of Marion County ($590,985); and (4) United Way Worldwide ($424,586).  Illinois received a total of $3,060,471 in grants split between eleven (11) Navigator groups.  A complete list of the Navigators awarded grants is available here.

Navigators are the [entities or individuals] organizations that facilitate education about and enrollment in qualified health plans (“QHPs”) through Exchanges.  Pursuant to Section 1311(i) and 1321(c)(1) of the Patient Protection and Affordable Care Act (“PPACA”), the grant awards were distributed exclusively in those States that chose not to operate a state-based Exchange and will instead participate in the Federally-facilitated Exchanges or State Partnership Exchanges. 

 
As described in the Initial Announcement of the funding opportunity for federal Navigators, issued back on April 9, 2013, the total number of awards was going to depend on the number of consumers each applicant proposed to service.  The total funding apportioned to each State with a Federally Facilitated Exchange or State Partnership Exchange would be no less than $600,000.  The Initial Announcement anticipated at least two types of applicants in each Exchange would receive an award, with at least one award being given to a community and  consumer-focused nonprofit.  

The regulation implementing PPACA §1311(i) requires that entities or individuals serving as Navigators have expertise in eligibility and enrollment rules and procedures; the range of QHP options and insurance affordability programs; the needs of underserved and vulnerable populations; and privacy and security standards.  In addition, the Initial Announcement required that in order to be eligible to apply for the Navigator grant, entities or individuals “must be capable of carrying out, at a minimum, certain required duties to include maintaining expertise in eligibility, enrollment, and program specifications; conducting public education activities to raise awareness about Exchanges; facilitating selection of a QHP; providing information and services in a fair, accurate, and impartial manner; providing referrals to any applicable office of health insurance consumer assistance or ombudsman established under Section 2793 of the Public Health Service Act to address consumer grievances, complaints, or questions about their health plan, coverage, or a determination; and providing information in a manner that is culturally and linguistically appropriate to diverse communities and accessible to individuals with disabilities.”  In addition to these duties, the Initial Announcement also requires award recipients to assist any consumer seeking assistance, even if that consumer is not a member of the community(ies) or group the applicant expects to serve. 

The awards are structured as Cooperative Agreements, which is defined in 31 U.S.C. 6301 as an alternative assistance instrument to be used in lieu of a grant whenever substantial Federal involvement with the recipient during performance is anticipated.  HHS intends to work with each Navigator award recipient to evaluate its progress relative to its Navigator Work Plan and may condition funding based on progress and adherence to Federal guidance and Exchange requirements including training, conflict of interest and adherence to Culturally and Linguistically Appropriate Services (CLAS) standards.  The period of performance is the 12 months beginning on the date of the award, August 15, 2013.   

If you have any questions on Navigators or Navigator grants please contact Meghan Linvill McNab at mmcnab@kdlegal.com.

Enforceability of Non-compete Agreements in Illinois—Is Two Years Now the Standard?

Recently, the Illinois Appellate Court issued a significant opinion on the enforceability of restrictive covenants in employment agreements where those agreements are reached after an employee has already begun work.  The decision, Fifield and Enterprise Financial Group, Inc. v. Premier Dealer Services, Inc., 1-12-0327 (1st Dist. 2013) (“Fifield”), impacts how employers structure their post-employment restrictive covenant arrangements going forward. It should also cause employers to review their agreements in force now and consider whether changes may be necessary.  

Historically, post-employment restrictive covenants have been carefully scrutinized by Illinois courts.  The courts consider the terms of the agreement, such as whether the restrictive covenant is supported by adequate consideration, and whether the terms of the agreement are reasonable and necessary to protect a legitimate business interest of the employer.  However, there was never a bright line test as to what any of the terms, such as “reasonable,” “adequate consideration,” or what a “legitimate business interest” of an employer may be. 
Prior to the recent decision in Fifield, the standard in Illinois was that “employment for a substantial period of time beyond the threat of discharge is sufficient consideration to support a restrictive covenant in an employment agreement.” Brown & Brown, Inc. v. Mudron, 379 Ill. App. 3d 724, 728 (2008) (Fifield, 1-12-0327, at 5, emphasis added).  Therefore, while employment could equal sufficient consideration to enforce such restrictive covenants, no clear standard as to what was in fact a “substantial period of time” was ever established. 

In the recent Fifield decision, however, the Court sets out a bright-line rule to establish adequate consideration:  two years of employment.  In Fifield, an employee resigned from the employer, Premier, after only three months and thereafter began working for its competitor.  As a condition of his employment at Premier, he signed an agreement which included both non-solicitation and non-competition clauses. The Court held that the agreement was unenforceable because it lacked “adequate consideration,” and noted:
Illinois courts have repeatedly held that there must be at least two years or more of continued employment to constitute adequate consideration in support of a restrictive covenant. This rule is maintained even if the employee resigns on his own instead of being terminated.

Fifield, at 6 (internal citations omitted). 
 
While the Fifield Court cites to other decisions that have “repeatedly held that there must be at least two years or more of continued employment,” there had never before been such a bright line rule establishing two years as adequate consideration.  Fifield, in effect, sets a mandatory two-year minimum employment rule for the enforcement of such restrictive covenants. 

In light of this case, it appears that post-employment non-competition agreements in Illinois will be scrutinized even more closely, and will be even more difficult to enforce against those employees who have not worked for a period of two years or greater.  Fifield does not address whether other forms of consideration, such as intangible benefits, may be considered as to the enforceability of an agreement.  The case also does not address the enforceability of confidentiality or non-disclosure provisions in employment agreements.
We know that non-competition agreements are ever popular in the healthcare sector, including with physicians, long-term care facilities, and home health agencies.  In light of the Fifield decision, healthcare providers should revisit their agreements with counsel—particularly those entered into on a “post-employment” basis—to determine the enforceability of any restrictive covenant term. Employers should also consider whether offering other types of consideration in the event that an employee who has worked for less than two years tries to breach such an agreement. 
For additional information on employment agreements in Illinois, or if you have any questions as to whether Fifield will impact your business, please contact Mark Bina (mbina@kdlegal.com) or Jaya White (jwhite@kdlegal.com). 

OIG Issues Report on Medicare Recovery Contract Auditors

In August 2013, the Department of Health and Human Services, Office of Inspector General (“OIG”) issued a report of a study regarding Medicare Recovery Audit Contractors (“RACs”) and the Centers for Medicare and Medicaid Services (“CMS”) ‘actions to address “improper payments, referrals of potential fraud, and performance.”  A copy of the August 2013 report is available here: http://oig.hhs.gov/oei/reports/oei-04-11-00680.pdf.  The report was made available on OIG’s website on September 3, 2013.

A national RAC program was established as a result of the Tax Relief and Health Care Act of 2006, (TRHCA) and was operational by October 2009 in all geographical regions of the United States.  Id. at 1.  What is unique about RACs, as compared to other Medicare contractors, is that they are paid on a contingency basis, in accordance with the TRHCA.  These fees are determined based on a percentage of improper payments recovered or returned.  Id. at 2.  

In its report, OIG noted vulnerabilities in CMS’ oversight of the RAC contractors, and stated that “[g]iven the critical role of identifying improper payments, effective oversight of these contractors’ performance is performance.”  Id. at 6.  OIG also reported that “RACs had not received formal training and guidance from CMS to help them identify fraud.”  Id. 

OIG also found that approximately 94% of claims were not appealed by Providers, but when they were, almost half were overturned in the Providers’ favor.  Id. at 11.  In addition, in Fiscal Year 2010, it was determined that 56% of overpayments appealed for all Medicare contractors were overturned by an Administrative Law Judge.  Id. 

OIG has made four recommendations to CMS, including that CMS to develop additional performance evaluation metrics “to improve RAC performance and ensure that RACs are evaluated on all contract requirements.” 

CMS’ July 12, 2013 response to the OIG Report is attached as Exhibit C to the report. 

Our attorneys have handled numerous Medicare audit appeals, including those by Medicare RAC auditors.  We have raised concerns with CMS regarding the use of RACs, particularly due to potentially questionable motives resulting from the unique contingent percentage of recoveries.  In addition, as the OIG determined, these RACs are not properly trained, and have no guidance from CMS, but they are responsible for protecting the Medicare Trust funds.

If you are a Medicare Provider and receive a request for repayment of an alleged overpayment or have any questions regarding Medicare RAC audits or the appeal process, contact healthcare attorneys Charles MacKelvie, cmackelvie@kdlegal.com or Jaya White, jwhite@kdlegal.com.

Good News For Employee Health

On May 29, 2013, the Departments of Treasury, Labor, and Health and Human Services issued the final rule on employment-based wellness programs.  The final rule clarifies and continues the various classification of wellness programs, including “participatory wellness programs” and “health contingent wellness programs.” 

Participatory wellness programs require only that employees participate in the activities required by the employer.  Examples of participatory wellness programs might include attending regular wellness seminars.  By contrast, health contingent wellness programs are those that require employees to reach certain milestones, like smoking cessation or body mass index goals. 

The new regulations increase the maximum incentives that may be provided by employers, although few employers are near these maximums today.  The maximum permissible reward under a health contingent wellness program is increased from 20% to 30% of the cost of coverage.  The maximum permissible reward for programs designed to prevent or reduce tobacco use is increased to 50%. 

HHS indicated that the regulations are also designed to protect consumers by requiring that these programs be reasonably designed, uniformly available to all similarly-situated individuals, and accommodate recommendations made at any time by an individual’s physician based on medical appropriateness.  These accommodations include reasonable alternatives offered for those individuals who are unable to achieve the desired wellness results.

The regulations also ensure that programs are not overly burdensome and do not result in discrimination based on a health factor. 

According to the comments to the regulations, the intention of the Departments is that every individual participating in the program should be able to receive the full amount of any reward or incentive, regardless of any health factor. 

The agencies indicated that they anticipate issuing future guidance to provide clarity and modifications to these final rules. 

If you would like additional information on the specific requirements of the new rule or on wellness programs in general, please contact Thomas N. Hutchinson at (317) 238-6254.

D.C. Circuit Court Denies Hospital Provider Challenge to Recovery of Payments

In a recent decision, the U.S. Court of Appeals for the D.C. Circuit upheld a lower court decision, and CMS administrative decisions, holding that the Secretary of the Department of Health and Human Services’ (the “Secretary”) is permitted to delegate the ability to make “sustained or high level of payment error” determinations to Medicare contractors under the Medicare Integrity Program.  See Gentiva Healthcare Corp. v. Sebelius (D.C. Circ., No. 12-5179, July 23, 2013) (citing 42 U.S.C. §1395ddd9(f)(3)).  The statute  at issue also expressly prohibits judicial review of high level payment error determinations.   

In its ruling, the Court relied upon the language of the statute that the Secretary of HHS may “’perform any of [her] functions under’ the Medicare program ‘directly, or by contract . . ., as the Secretary may deem necessary.’” Gentiva, at 2 (citing 42 U.S.C. §1395kk(a)). 

The Gentiva case centers around the following statutory language, quoted by the Court: 

 “[a] medicare contractor may not use extrapolation to determine overpayment amounts to be recovered . . . unless the Secretary determines that. . . there is a sustained or high level of payment error.”

Gentiva, at 3 (quoting 42 U.S.C. § 1395ddd(f)(3)).

The underlying audit was performed by Cahaba Safeguard Administrators, a Medicare Program Integrity contractor.  Cahaba performed a reimbursement review of Gentiva claims submitted from July 2005-November 2006, and concluded that Gentiva received higher than the average payment per beneficiary in its region, and that at least 58% or more of its claims were at least partially denied.  Id.   Based on its review, Cahaba made the determination that the claims submitted by Gentiva showed “sustained or high level of payment error.” Id.  It then drew a sample of 30 claims, and extrapolated its results, for a determination of an alleged overpayment of over $4 million.  While Gentiva successfully challenged Cahaba’s alleged overpayment determination, reducing the overpayment by almost half, it disputed that Cahaba had the authority to make the determination of the high level of payment error, based on the plain language of the statute that the “Secretary” is to determine that there is a sustained or high level of payment error, not a contractor. Id.

Despite a 1999 ruling by a former Health Care Financing Administrator, Nancy-Ann Min DeParle, raising concerns regarding samples smaller than 100 claims, the Court upheld the district court’s reliance on the “Chevron” two-part test.  It found that (1) There was not an explicit exception to the Secretary of HHS’ “broad power” to delegate; and (2) the Secretary’s interpretation was reasonable, and therefore given deference, pursuant to Chevron.  Id. at 5, 7, 9 (citing  Chevron U.S.A. Inc. v. Natural Resources Defense Council, Inc., 467 U.S. 837 (1984)). 

The Court noted that providers like Gentiva can still challenge the final overpayment calculation and extrapolation methodology used at both the agency level and in the courts.  Id. at 8.  However, providers already have a challenge defeating such overpayment determinations, and now, even though the Court noted that Gentiva “may have the better reading” of the statute (Id. at 6), providers cannot even dispute the high level payment error, even upon judicial review.  This certainly raises questions regarding the providers’ due process. 

Our attorneys have successfully handled Medicare Program Integrity audits, including addressing concerns regarding the contractor’s audit methodology.  If you have any questions regarding the Gentiva case, specifically, or the Medicare  audit process, please contact Jaya White at jwhite@kdlegal.com or Charles MacKelvie at cmackelvie@kdlegal.com.

Mark Your Calendars For September 23rd HIPAA Compliance Deadline

Attention HIPAA covered entities and business associates. . . the deadline for compliance with the final HITECH Omnibus Final Rule is September 23, 2013.

The Omnibus Final Rule was released on January 25, 2013 and requires updates and revisions to a number of documents and policies utilized and maintained by healthcare providers.

First, an organization’s “Notice of Privacy Practices” (or “Privacy Notice”) must include several updates for all new patients.


The definition of a “business associate” has also expanded, and with it, the business associate is now directly liable for compliance with HIPAA, and faces direct liability under the Omnibus Final Rule. In connection with this, business associates must enter into written agreements with all subcontractors that assist with activities involving PHI of the business associate. This means that business associate agreements must be updated to conform to these new requirements.


According to the Omnibus Final Rule, every impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the covered entity or business associate demonstrates a low probability that the PHI has been compromised. Any breach requires notification to affected individuals and to the Secretary of HHS in accordance with requirements that went into effect in 2010.


Upon request, a covered entity must provide patient medical records in the format requested, within 30 days.  The patient record must be provided in the format requested, if producible, or if not, in readable electronic form. This means that providers are now required to grant patients electronic access to health information if it is requested that way by the patient and is maintained electronically. Covered entities must also produce this information to a third party designated by the patient in a proper signed writing.


Updates and revisions will be needed within each organization’s policies, procedures, and business associate agreements to conform to the September 23rd deadline.  Compliance by the September 23, 2013 deadline is important because providers face increased fines and penalties for noncompliance. Penalties are now divided into four (4) tiers, depending on the level of knowledge and negligence about a particular violation, with the potential for $1.5 million in fines per violation.


For more information about compliance with the Omnibus Final Rule and the September 23rd deadline, contact Susan Ziel at sziel@kdlegal.com, Mark Morrell at mmorrell@kdlegal.com, Jaya White at jwhite@kdlegal.com or Meghan McNab at mmcnab@kdlegal.com.

CMS Broadens Qualification for Independent IDR Participation and Will Require Escrow of all CMPs

In December of 2011, the Centers for Medicare and Medicaid Services (“CMS”) implemented provisions of the Affordable Care Act that required the establishment of a Federally-funded Independent Informal Dispute Resolution process (“Independent IDR”) that facilities could take part in at no cost to the facility.  The Affordable Care Act also required Civil Money Penalties (“CMP”) issued for deficiencies to be placed into escrow by the facility on (i) the date the Independent IDR is completed or (ii) 90 days after the date of notice of imposition of CMP, whichever occurs first.  When the program was first rolled out by CMS, the Independent IDR and escrow provisions were limited to only “G” level deficiencies or higher.

Beginning on October 1, 2013, every CMP that is imposed by CMS will be subject to the escrow provisions and the nursing facility may request Independent IDR on any level deficiency.  On and after October 1, 2013, there will no longer be any restriction on what level deficiency a facility can request Independent IDR when CMP has been issued on that deficiency.  The offer of Independent IDR will be communicated in the CMP notice letter.  CMS will collect the CMP on the earlier of the two dates described above.

This change in policy will only apply to standard and complaint surveys that begin on or after October 1, 2013.  Any revisit survey conducted on or after October 1, 2013 that is associated with a standard or complaint survey completed before October 1, 2013 will not be subject to this new policy change.  To read the CMS memorandum discussing this change, click here. 

If you have additional questions on Independent IDR Participation please contact Meghan McNab at mmcnab@kdlegal.com or Zach Cattell at zcattell@kdlegal.com.

Date Exchanges Accelerate

Research published last month in Health Affairs from the Office of the National Coordination for Health Information Technology (“ONC”) show that health information exchanges between hospitals and outside providers jumped 41% in the last 4 years.  Highlights of the new study indicated on the HHS website include: 

·         58% of hospitals exchanged daily with providers outside of their organization in 2012.

·         84% of hospitals that adopted EHR and participated in a regional HIE exchanged information with providers outside of their organization.

·         Between 2008-2012, there were significant increases in the percentage of hospitals exchanging radiology reports, laboratory results, clinical care summaries, and medication lists with hospitals and providers outside of their organization.

·         The proportion of hospitals that adopted at least a basic EHR and participated in an HIE grew more than fivefold from 2008 to 2012.

·         Hospitals with basic EHR systems participating in HIEs had the highest rates of hospital exchange activity in 2012, regardless of the organizational affiliation of the provider exchanging data or the type of clinical information exchanged.

·         However only about 1/3 of hospitals exchanged clinical care summaries or medication lists with outside providers. 

To see more about state-level estimates for several of the measures included in the study, visit ONC’s Health IT Dashboard at http://dashboard.healthit.gov/.  The abstract of the Health Affairs study can be found at http://content.healthaffairs.org/content/32/8/1346.abstract. 

For more information, please contact Thomas N. Hutchinson, Krieg DeVault LLP, 12800 N. Meridian Street, Ste. 300, Carmel, IN  46032-5406, phone: 317-238-6254.

ONC Announces (Really Short) Behavioral App Contest

The Office of the National Coordinator (ONC) announced on August 27, 2013 a new “app” challenge.  The challenge is designed to promote patient management of behavioral health and to extend treatment to a wider population.  

Submissions were due on September 3, a mere week after the challenge was announced.  The ONC indicated the timeframe is designed to encourage owners of existing apps to submit their work for the challenge.  The top 3 finishers will be invited to a White House event on September 16 where the winner will either present their application in person or via video demonstration. 

The ONC explained that with 20% of adults and 13% of adolescents suffering from mental disorders, and 9% of Americans 12 and older with substance abuse or dependence, Health IT holds “significant potential” to empower patients to play a greater role in their care.  Notwithstanding, fewer than 1/2 of adults and 1/3 of children with mental disorders, and only 11% of individuals with substance abuse disorders, receive treatment. 

The conference will highlight how technology can be used to improve treatment for behavioral health disorders.  The contest hopes to identify and highlight existing technologies to do so.

Hopefully, this is not the last of such challenges.  Information regarding the rules of submission can currently be found at http://challenge.gov/onc/623-behavorial-health-patient-empowerment-challenge.  Developers would be wise to review the rules and determine if their applications could meet the requirements and designs should a new challenge be announced.

For more information, please contact Thomas N. Hutchinson, Krieg DeVault LLP, 12800 N. Meridian Street, Ste. 300, Carmel, IN  46032-5406, phone: 317-238-6254.

The Office of Inspector General Recently Approved the Amended Illinois State False Claims Act

Recently, the U.S. Department of Health and Human Services, Office of Inspector General (OIG) responded to the Illinois Attorney General’s request to review the amended Illinois False Claims Act, Pub. Act. 097-0978, (amending 740 ILCS 175/5), under the requirements of Section 1909 of the Social Security Act.  A copy of the May 22, 2013 response is available at http://oig.hhs.gov/fraud/docs/falseclaimsact/Illinois.pdf.

Section 1909 of the Social Security Act was added by Section 6031 of the Deficit Reduction Act of 2005.  Its purpose is to create a financial incentive for states to enact legislation that creates liability to the State for the submission of false claims under the State Medicaid Programs.  See the Updated OIG Guidelines for Evaluating State False Claims Act, at p. 2 (March 15, 2013), available at: http://oig.hhs.gov/fraud/docs/falseclaimsact/guidelines-sfca.pdf.  States that participate in the Medicaid program administer their own programs, within Federal guideline limits, and receive funds from the Federal Government termed “the Federal medical assistance percentage.”  Id. 

Under the Federal False Claims Act, “any person who knowingly submits, or causes to be submitted, a false or fraudulent claim for payment or approval under the State Medicaid program is liable to the Federal Government for three times the amount of the Federal Government’s damages plus penalties of $5,500 to $11,000 for each false or fraudulent claim.”  Id. at 2.  State False Claims Acts also establish liability, and include similar “qui tam” provisions authorizing individuals known as relators to file lawsuits against entities and individuals that defraud the government by submitting false or fraudulent claims under the State Medicaid Program.  Id. at 2-3. 

States are required to share their recovery under their State False Claims Acts with the Federal Government in the same proportion as the Federal medical assistance percentage.  Section 1909 of the Social Security Act incentivized states to implement state False Claims Acts meeting certain requirements by reducing the amount the Federal Government receives by 10 percentage points of the amount recovered under a State False Claims Act action.  Id. at 3.   

Since the enactment of Section 1909, there have been several amendments to the False Claims Act, (in legislation such as the Patient Protection and Affordable Care Act and the Dodd-Frank Wall Street Reform and Consumer Protection Act).  The OIG gave certain states, including Illinois, a 2-year “grace period” for their state False Claims Acts to come into compliance with the revised Section 1909 requirements while still continuing to qualify for the incentive.  These requirements are outlined in the Updated OIG Guidelines for Evaluating State False Claims Acts, at pp. 6-11.  If Illinois had not amended and resubmitted its False Claims Act for review by the OIG, Illinois would have lost the 10% bonus incentive for recoveries under the Act, which would be a substantial loss to the State.    

If you have any questions, or require additional information on the Illinois False Claims Act, or other False Claims Act issues, contact Randall Fearnow, rfearnow@kdlegal.com or Jaya White jwhite@kdlegal.com.    


CIHQ Approved as Accrediting Organization for Acute Care Hospitals

Recently, the Center for Medicare & Medicaid Services (“CMS”) announced approval of the Center for Improvement in Healthcare Quality (“CIHQ”) as the nation’s newest accreditation provider for acute care hospitals.  Generally, hospitals must meet certain conditions to participate in the Medicare Program.  One of those requirements include ongoing State surveys; however hospitals also have the option of certification by a recognized accreditation program.

This past spring CIHQ requested approval for its hospital accreditation program.  The approval process included onsite administrative reviews of CIHQ.  This new accreditation provides additional options for acute care and critical-access hospitals.  Currently, accreditation providers include both the Joint Commission and DNV Healthcare, Inc.
If you have any questions about CIHQ or the accreditation process for hospitals, please feel free to contact Susan E. Ziel at (317) 238-6244 or Alex T. Krouse at (574)485-2003.