The problem of prescription drug abuse is a growing national problem, and one that can have serious consequences for any physician that may be implicated. Earlier this month, the Centers for Medicare and Medicaid Services (“CMS”) announced proposed new rules to fight fraud and abuse in the federal Medicare Advantage and Part D prescription drug program. One of the goals of these proposed new rules is to identify Part D enrollees that have “potential opioid or acetaminophen over utilization issues that indicate the need to implement appropriate controls on these drugs for the identified beneficiaries.”[Read More]
29 Jan · Wed 2014
CMS Seeks To Fight Prescription Drug Abuse With Proposed New Rules
10 Jan · Fri 2014
OIG Criticizes CMS For Lack Of Adequate Fraud Detection Practices in Electronic Health Records
In early January, 2014, the Office of Inspector General (“OIG”) for the Department of Health and Human Services (“HHS”) issued a report criticizing HHS’s Centers for Medicare and Medicaid Services (“CMS”) for failing to adopt stronger integrity practices governing electronic health records (“EHRs”). “CMS And Its Contractors Have Adopted Few Program Integrity Practices To Address Vulnerabilities In EHRs,” oig.hhs.gov/oei/reports/oei-01-11-00571.pdf. Here are some of the OIG’s challenges and concerns: “…clues within the progress notes, handwriting styles, and other attributes that help corroborate the authenticity of paper medical records are largely absent in EHRs. Further, tracing authorship and documentation in an EHR may not be as straightforward as tracing in a paper record. Health care providers can use EHR software features that may mask true authorship of the medical record and distort information in the record to inflate health care claims.” These are legitimate issues for EHR users. Government health care programs such as Medicare and Medicaid, many insurance laws, and private payer contracts require prior documentation for every encounter as a matter of patient safety and proper billing. Also, under recent federal law, providers are receiving $22.5 billion in incentive payments to adopt EHRs and must attest to their compliance with EHR standards. The OIG recommends that CMS, working with their fraud detection contractors, develop more sophisticated EHR integrity and fraud detection standards and tools, and issue best practices and guidance. The OIG specifically recommends that CMS and contractors look at providers’ EHR audit logs to help authenticate records, and develop approaches to detecting inappropriate cutting-and-pasting. In its response, CMS indicates that it is aware of these issues and is working diligently to address them. The agency has also initiated investigations of a number of providers on the grounds that the attestations they provided in order to obtain the EHR incentive monies were not sufficient, which could result in takebacks. Most hospitals, physicians and others have deployed EHR systems that have been designed and are maintained by third party vendors. Many providers may not have the sophistication to determine whether, for instance, an audit log system is adequate to detect abuse. Nevertheless, it is incumbent on all providers with EHRs to be aware of potentially unlawful uses; to work with EHR vendors that will represent that their products are fully compliant and that they have installed tools, such as audit logs, access controls and export controls and others as may be required by CMS; and to properly train all staff and clinicians that use EHRs.
04 Dec · Wed 2013
mHealth App Use: Is Data Truly Protected?
One of the reasons why consumers, healthcare providers, investors, the government and others have been slow to adopt mobile health applications and software (apps), are concerns about the privacy and security of data collected through the apps. For instance, Appthority, a service provider that offers an app risk management solution, recently reported that the iPharmacy Drug Guide and Pill ID app “is playing fast and loose with your personal info.” www.appthority.com/news/mobile-threat-monday-android-app-leaks-your-medical-info-online. iPharmacy is a free app that allows consumers to maintain a personal health record on their prescription drugs, look up information on a drug, provide reminders, and maintain pharmacy discount cards. Appthority found that while the app description states that it encrypts personal information, it only uses a common encoding scheme and does not protect user info when the consumer searches for information about a drug through the app. Appthority also claims that the app sends personal information to advertising networks. Another example of a legitimate privacy and security concern relates to cloud storage. Many mHealth apps collect physiological data through sensors affixed to the body, store the data in the cloud, and provide the data to a physician or other provider. If the cloud storage vendor does not provide adequate security protections, the provider could be implicated as a party to the app’s use. mHealth apps offer tremendous opportunities to advance a more sophisticated and connected healthcare environment – but the modes of connection need to be solid from a data protection perspective. Good risk management is key.
04 Nov · Mon 2013
Duane Morris Attorneys Frederick Ball and Erin Duffy to Present "Introduction to Drug Law and Regulation: The Legal Framework for Drug Regulation"
Duane Morris partner Frederick Ball and associate Erin Duffy will present at the "Introduction to Drug Law and Regulation: The Legal Framework for Drug Regulation" program on Thursday, November 7, 2013 at the Hyatt Regency New Brunswick in New Brunswick, New Jersey.
This introductory program provides a comprehensive overview of the laws and Food and Drug Administration regulations affecting the drug industry, and will help you and your organization get products approved and navigate regulatory problems. Experts will review the essential elements of FDA drug regulation in a systematic and comprehensive way. From the definition of “drug” to the different regulatory schemes for over-the-counter (OTC) and prescription (Rx) drugs, speakers walk you through key regulations and policies and will help you determine how those regulations and policies are applied.
For more information please visit the Food and Drug Law Institute website.
18 Oct · Fri 2013
Moody's report: Exchanges negatively impacting non-profit hospitals revenue
07 Oct · Mon 2013
Mobile Medical Apps Guidance
25 Sep · Wed 2013
All Nursing Homes Must be Fully Sprinklered by August 13, 2013
Nursing homes that participate in Medicare or Medicaid have had five years to achieve full sprinkler compliance since CMS published the final rule on August 13, 2008 entitled Fire Safety Requirements for Long Term Care Facilities, Automatic Sprinkler Systems.[i] At present there are no extensions. Any facility that is not fully sprinklered at the time of its routine recertification survey will be cited with a life-safety code deficiency (tag K056). Such facilities will be required to submit a plan of correction to come into compliance within three months. After three months, facilities that are still out of compliance will be subject to a denial of payment for new admissions (DPNA), and at the end of six months, non-compliant facilities will be subject to termination from the Medicare program.
Although CMS proposed a rule on February 7, 2013 that would permit time-limited extensions of the due date for facilities that were replacing a building or undergoing major modifications, no final rule for extensions has yet been promulgated. In reviewing plans of correction, however, CMS has said it will take note of facilities that are undergoing major building or renovation projects. CMS does not at this time have the statutory authority to grant extensions, but they are working on the issue.
The scope and severity of deficiency citations for sprinkler deficiencies are usually at a minimum level of D, E or F, “potential for harm.” The complete absence of a sprinkler system would always be cited at the F level or higher. Citation at the “harm” level of G, H or I is rare unless there has been a recent fire or other sprinkler issue causing actual harm. Selection between levels D, E and F will be based on how many facility residents face potential harm as a result of the deficiency.
If a facility is fully sprinklered but there are minor problems with the functioning of the system, such as improper coverage by some of the sprinkler heads, a deficiency at the level of D, E or F would be cited but K056 would not need to be cited. Time-limited waivers of less than six months may be granted to correct such systems. If there are major problems with a fully sprinklered facility, such as missing multiple sprinkler heads in rooms that were subdivided, or missing sprinklers in outside overhangs or on a loading dock, the facility would be considered partially sprinklered and K056 would apply. If a facility is partially sprinklered, for example in new wings but not in older parts of the building, or only in hazardous areas, K056 also applies.
Exceptions to the sprinkler requirement include:
· Out buildings that are not accessed by residents
· Parts of non-certified buildings that residents may pass through as long as they do not live or sleep there
· Certain awnings and overhangs that are constructed of non-combustible or limited combustible material
· Free standing wardrobes and closets that are considered to be furniture
CMS estimates that almost 1300 facilities nationwide are not fully sprinklered, with approximately 1150 partially sprinklered (or unknown) and about 140 unsprinklered. To promote the most rapid improvement in fire protection, CMS has said it will not impose a civil monetary penalty (CMP) if the plan of correction shows that the facility is making a timely investment, has contracts in place, and has completed plans for installation that will allow for completion of the sprinkler project within three months after the survey date. CMPs may be imposed, however, if the noncompliance is serious, and particularly if at the time of the survey the necessary plans have not been completed. The CMS Regional Office may issue other remedies and demand earlier compliance for facilities that do not show a clear commitment to, and reasonable timeframe for, sprinklering the facility.
Any facilities that have not already obtained any necessary state approvals and entered into contracts for installation of fully compliant sprinkler systems should be urged to do so now. In my experience, engineers who do this work are in heavy demand at this time, and the planning and installation process can easily take longer than three months, putting the facility at financial risk for a DPNA, or even termination. Facilities that wait until they are cited on survey may be in for a rude awakening.
For more information contact Kathleen Carver Cheney, Partner, 212-692-1097, email@example.com
Copyright 2013, American Health Lawyers Association, Washington, DC. Reprint permission granted.
[i] See 42 CFR 483.70(a)(8).
17 Jul · Wed 2013
FDA Issues Proposed Rules That Give FDA Administrative Detention Authority with Respect to Drugs
16 Jul · Tue 2013
Business Associate Agreements (“BAAs”) Under the New HIPAA/HITECH Omnibus Final Rule ("Final Rule")
Earlier this month, I attended the annual meeting of the American Health Lawyers Association in San Diego. This meeting was excellent from a networking perspective and the substantive information imparted during the various break-out sessions. A number of these sessions were devoted to or touched upon the Final Rule that was published on January 25, 2013, those terms that must now be included in BAAs under such Final Rule, and the effect of such Final Rule upon a business associate (“BA”) – someone the Final Rule defines as a person acting on behalf of a covered entity (“CE”) who (i) creates, receives, maintains or transmits protected health information (“PHI”); (ii) for a function or activity regulated by HIPAA; and (iii) provides certain identified services to such CE.
The provisions of the Final Rule are especially important to a BA, considering (a) a BA is now independently liable for violations of HIPAA’s privacy and security requirements, and (b) BAs shall be subject to future audits by the Office of Civil Rights to insure compliance with HIPAA, including those amended privacy, security, enforcement and breach notification provisions that are part of the Final Rule. Essentially, under the Final Rule, BAs must comply with HIPAA’s privacy and security rules in the same manner as a CE, including with respect to breach notification requirements that may represent the greatest risk when negotiating a BAA.[Read More]
15 Jul · Mon 2013
WellPoint Pays HHS $1.7 Million to Settle HIPAA Security Violations
The WellPoint matter serves as a reminder to HIPAA-covered entities and subcontractors that are business associates to comply with the HIPAA Security Rule and to prudently oversee the services provided by these business associates.[Read More]
10 Jul · Wed 2013
IRS Publishes Notice Providing Transition Relief in Response to ACA Delay
As outlined in our prior Alert, the Obama administration recently announced a one-year delay in the effective date of three key provisions of the Patient Protection and Affordable Care Act (ACA): (1) the annual information reporting requirements applicable to insurers, self-insuring employers and certain other providers of minimum essential coverage, (2) the annual information reporting requirements applicable to large employers (i.e., those with 50 or more full-time equivalent employees); and (3) the employer shared responsibility provisions. These provisions of the ACA will now be fully effective for 2015.[Read More]
03 Jul · Wed 2013
Obama Administration Delays ACA Employer Reporting and Penalties for 2014
In a July 2, 2013, blog posting on the U.S. Department of the Treasury website titled "Continuing to Implement the ACA in a Careful, Thoughtful Manner," the Obama administration announced that it will provide an additional year before the Patient Protection and Affordable Care Act's (ACA) mandatory employer and insurer reporting requirements begin. These reporting requirements, which were originally scheduled to go into effect on January 1, 2014, will now be delayed until January 1, 2015. More significant is the fact that the Obama administration acknowledges that the delay in the reporting requirements will make it impractical to determine which employers owe shared responsibility payments for 2014. Therefore, the employer shared responsibility provisions will also not be applicable until 2015.[Read More]
27 Jun · Thu 2013
Duane Morris Co-Hosted "The 2013 mHealth Prognosis: Converging Business and Legal Trends"
Duane Morris, in conjunction with the Wharton Health Care Management Alumni Association and Locust Walk Partners, presented a networking reception and panel discussion of the key legal and business issues for mHealth app developers and entrepreneurs on Wednesday, June 26, 2013, at the University of Pennsylvania's Bodek Lounge. Panelists discussed topics including healthcare industry trends and mHealth growth; investment and business trends; legal and regulatory issues; and healthcare IT and reimbursement issues.
Click here to see pictures of the event.
12 Jun · Wed 2013
State Medicaid Fraud Control Units' Data Mining Likely to Increase Through Federal Funding
Effective June 17, 2013, state Medicaid fraud control units (MFCU) will be permitted to use federal matching funds to pay for data mining activities to detect potentially fraudulent utilization and billing patterns. Historically, MFCUs have been prohibited from using federal matching funds to pay for the cost of data mining. Given the financial constraints facing MFCUs, this funding is likely to result in a substantial increase in activities by MFCUs across the United States. While this rule in and of itself is noteworthy, it is likely to have a more significant impact on healthcare providers when coupled with the regulation implementing the Patient Protection and Affordable Care Act (ACA) that requires states to suspend all Medicaid payments to a provider upon credible allegation of fraud during, or triggering, a Medicaid investigation.
Click here to read the full Alert.[Read More]
Final HIPAA Wellness Program Regulations Issued Under Affordable Care Act
On June 3, 2013, the U.S. Department of Labor, Department of Health and Human Services, Internal Revenue Service, Employee Benefits Security Administration and Department of the Treasury published in the Federal Register final guidance regarding nondiscriminatory wellness programs under employer-sponsored group health plans. This final guidance was issued in the form of much-anticipated joint final regulations on such wellness programs (the "Final Regulations"). It is important to note that the Final Regulations will apply to wellness programs offered under all group health plans [regardless of whether the plan is "grandfathered" under the Patient Protection and Affordable Care Act (the "Affordable Care Act")]. Moreover, these Final Regulations will be effective for plan years beginning on or after January 1, 2014.For employers that currently maintain or desire to implement wellness programs to encourage healthy employee behavior or control plans costs, the time to start planning is now. [Read More]