Not a week goes by without some mention of the opioid crisis and opioid litigation, including the recent settlement proposal by Purdue Pharma to pay $270 million to resolve a case pending with the State of Oklahoma. Purdue Pharma, the maker of OxyContin®, has had over 1,000 lawsuits filed against it by State and local governments alleging that it caused the opioid crisis. On April 5, 2019, the Illinois Attorney General filed a lawsuit against Purdue Pharma LP and Purdue Pharma Inc. over their alleged roles in the opioid crisis. According to the lawsuit, more than 2,000 Illinois residents died in 2017 alone due to opioid overdoses.
Drug Enforcement Administration (“DEA”) representatives recently advised State regulators that it is turning up the heat to aggressively crack down on a common practice among physicians or practitioners, nurses, and pharmacists who provide Schedule II controlled substances to residents of long-term care facilities (“LTCFs”). The practice involves the admission of a resident to a LTCF after hours and the administration of a Schedule II controlled substance without a valid prescription.
Often, due to the after-hours admission and without a valid prescription, the nurse removes the Schedule II controlled substance from the facility’s emergency box or narcotics box and administers it to the resident. Although convenient for the nurse administering the drug, this practice violates federal law and State law, and can result in any number of legal actions against the physician or practitioner, nurse, administrator, facility, or pharmacist by the DEA, Department of Justice, federal Office of Inspector General, State Department of Professional Regulation, State Medicaid department, and State Department of Public Health, among other federal and State agencies. All health care providers and practitioners should ensure that they are following the law when prescribing, dispensing, or administering controlled substances.
The Federal Trade Commission (FTC) is making headlines in Alaska, supporting a move to repeal that state’s certificate of need (CON) law. CON laws require health care providers to establish that a need exists for the services the provider seeks to provide. If there is no need, the provider is not allowed to establish its business.
The goals of CON laws are to reduce health care costs, reduce redundancy, and to improve access to care. CON laws are designed to ensure that health care is available in poor or rural communities, not just cities and wealthy areas. A 1974 federal law (repealed in 1987) required all states to enact CON laws.
The FTC argues that CON laws hurt competition and do not live up to the goals of protecting consumers from unexpected health care costs. The FTC says that CON laws create barriers to entry into the market which limits consumer choice and may stifle innovation.
With the weight of the FTC behind the repeal movement, is Alaska’s law doomed? Maybe not. The FTC criticized Illinois’ CON law in 2008, and the law is still in force, going strong.
On January 13, 2017, the Centers for Medicare and Medicaid Services (“CMS”) sent a Memorandum (“Memo”) to State survey agency directors encouraging long-term care providers to “consider cybersecurity when developing or reviewing their emergency preparedness plans.” The Memo was a follow-up to the CMS long-term care emergency preparedness rule published in the Federal Register on September 16, 2016: “Medicare and Medicaid Programs; Emergency Preparedness Requirements for Medicare and Medicaid Participating Providers and Suppliers.” Under that final rule, long-term care facilities were held to additional standards, including requirements to have emergency and standby power systems in place. Nursing homes were also required to create plans regarding missing residents that could be activated regardless of whether the facility has activated its full-scale emergency plan. The rule was spurred on by recent flooding in Baton Rouge, Louisiana, and other emergency disasters, such as Hurricane Sandy and the 2009 H1N1 pandemic, according to CMS.
Whether State surveyors will actually enforce lack of cybersecurity plans for emergency preparedness as violations remains to be seen from this Memo. But certainly, a State survey agency could impose deficiencies for failure to have a proper cybersecurity plan and/or a proper cybersecurity back‑up plan as part of a facility’s emergency preparedness going forward. It is not clear why CMS decided to send this encouragement Memo three months after the Final Rule on emergency preparedness, but it likely has something to do with the fact that 2016 was a banner year for HIPAA privacy infractions and HIPAA enforcement by the Office for Civil Rights (“OCR”), the entity responsible for HIPAA compliance. In 2016, payouts for HIPAA violations skyrocketed to record heights of $23.51 million from OCR enforcers against health care providers. That number was triple the previous record of almost $7.94 million in payouts in 2014, followed by $6.19 million in payouts in 2015.
Continue reading Cybersecurity and Emergency Preparedness for Long-Term Care
The Stark Law, 42 U.S.C. 1395nn, places restrictions on lease arrangements between physician groups and hospitals for equipment owned by the physicians, leased to the hospitals and then used by the same physicians to treat patients at the hospital. Under the Stark Law, such leases are prohibited unless the arrangement complies with the equipment rental exception, 42 U.S.C. 1395nn(e)(1)(B).
One requirement of the equipment rental exception, which is both statutory and regulatory (42 C.F.R. 411.357(b)), is that the rental charges be “set in advance.” In a recent case from the D.C. Circuit Court of Appeals, Council for Urological Interests v. Burwell, the court considered whether a “per-click” or “per-use” fee could be considered “set in advance” and otherwise meet the criteria for the exception. In an oddly constructed opinion, the court struck down a regulatory prohibition on per-click arrangements, but remanded under terms that would permit the restriction to be re-instated. Continue reading “Per-click” fees OK but don’t count on it
Health systems attempting to fulfill the mandate of integrating hospitals and physicians may find themselves accused of going too far. Although the Affordable Care Act, shared savings, gainsharing and other alternative payment methodologies have made integration of physicians, hospitals and other providers an operational goal, success in reaching that goal may be challenged by private antitrust actions.
In a recent Florida federal court decision, the antitrust complaint of “several of Southern Brevard County’s physicians and physicians practice groups” was held to have stated a monopolization claim against Health First, Inc. and three of its wholly-owned subsidiaries — an insurer, a hospital and a physician practice group. Essentially, by fully integrating its business, and incentivizing in-network referrals and managed care pricing, Health First became vulnerable to claims of tying, exclusive dealing, price discrimination and monopolization.
Continue reading Health System Integration and Antitrust Laws on Collision Course
1. Since most text messaging is not a secure form of communication, it raises HIPAA concerns if any protected health information is included in the text message. There is the possibility of a data breach in the transmission of the text message, as well as in the event of a lost or stolen phone.
2. Relevant information about a patient may be omitted from the patient’s medical chart if it is communicated via text message. Text messages are difficult to print or archive, resulting in the information being lost or deleted. This can have adverse consequences in the patient’s care due failure to communicate important information regarding the patient to everyone who needs the information.
3. Important evidence may be lost, resulting in adverse consequences in the event of a lawsuit. Any time a lawsuit is anticipated, all relevant evidence must be preserved, including text messages. However, since the messages reside on individual employees’ phones, they may be omitted from the document preservation efforts, or accidentally (or intentionally) deleted by the employee. Such loss of evidence could result in the court’s imposition of an “adverse inference,” meaning that the jury must determine that lost evidence would have been adverse to the health care facility (even if that is not true).
The safest course is to ban text messaging in a health care setting. Health care facilities which allow the use of text messaging should implement policies and procedures to ensure that they avoid these problems.
One arrow in the quiver for healthcare providers sued for violations of false claims and anti-kickback statutes is pressing for discovery from the whistleblower/relator, including a deposition of the relator. The failure of the whistleblower to comply with the discovery obligations could result in meaningful sanctions, including dismissal.
In Guthrie v. A Plus Home Health Care, Inc. et al, 0:12-cv-60629-WPD (S.D. FL), the relator, William Guthrie, sued a home health care provider, its seven doctors, and their spouses, alleging that the doctors and their spouses implemented a fraudulent scheme of compensation and referral payments resulting in violations of the False Claims Act, the Stark Act, and the federal Anti-Kickback Statute. Continue reading False Claims and Anti-Kickback Defendants Should Insist on Discovery from the Whistleblower/Relator
Employers that sponsor group health plans for their employees should pay careful attention to the newly announced final omnibus rule amending HIPAA in accordance with the HITECH Act of 2009. This final rule under the HITECH Act, issued on January 17, 2013, impacts group health plans in two significant ways. Group health plan sponsors should act now to make changes to existing plan documents, including HIPAA procedures and business associate agreements, in response to the Final Rule.
Click here for an overview of how HIPAA generally applies in the context of employer-sponsored group health plans and these significant changes impacting group health plans.
Continue reading Employers Take Note: Final HIPAA Rules Mandate New Obligations for Group Health Plans
The HIPAA Rules require that when a HIPAA-covered entity (a provider, plan or clearinghouse) or a business associate of a covered entity uses or discloses protected health information (“PHI”), or when it requests PHI from another covered entity or business associate, the covered entity or business associate must make “reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”
Click here to read more about the HIPAA “minimum necessary” standard—one of the most essential, yet vague, aspects of the HIPAA Rules.
Continue reading HIPAA Minimum Necessary Standard Should Be Key Component of Policies and Procedures, Now More Than Ever
The 2013 Amendments include a number of sweeping changes to the HIPAA Rules, including the expansion of the definition of a business associate to include their subcontractors that handle protected health information (“PHI”); a lower threshold for determining whether a breach has occurred for reporting purposes; and restrictions on “marketing” activities and the “sale” of PHI.
Click here to read this Overview Summary of the 2013 Amendments. Duane Morris is issuing a series of Alerts on the 2013 Amendments. Please see the in-depth Alerts already distributed by the firm on changes under the 2013 Amendments to the definition of a business associate and changes to the breach notification requirements. We will continue to issue Alerts on discrete HIPAA topics.