The CARES Act (the “Act”), enacted on March 27, 2020, makes notable changes to federal law governing the disclosure of substance use disorder (“SUD”) records. The Act amends 42 U.S.C. 290dd-2, the governing statute of the regulations at 42 C.F.R. Part 2 (“Part 2”) to better align certain of its confidentiality requirements with HIPAA. The amendments do not change the basic premise that prior written consent of the patient is required for disclosure of SUD treatment records. However, once prior written consent of the patient is obtained, the amendments allow a covered entity, business associate, or Part 2 program to use or disclose SUD records for purposes of treatment, payment, and health care operations as permitted by HIPAA. Any information so disclosed may then be redisclosed in accordance with the HIPAA regulations. The amendments also allow a patient’s prior written consent to be given once for all such future uses or disclosures for purposes of treatment, payment, and health care operations, until the patient revokes his or her consent in writing.
There are several measures OCR/HHS has taken to lessen the regulatory burden of HIPAA for health care providers amidst COVID-19. Here is the latest breakdown of important pronouncements and guidance set forth by OCR/HHS to help providers deal with COVID-19 and HIPAA compliance:
2019 is well underway and so are Q1 board meetings. If you serve on a hospital board or work with hospital boards and haven’t done so already, look back at the December 11, 2018 DOJ press release which announced that a Pennsylvania hospital and health system CEO agreed to pay $1.25 million. https://www.justice.gov/usao-edpa/pr/coordinated-health-and-ceo-pay-125-million-resolve-false-claims-act-liability
The announcement caught the attention of CEOs, board members and other health leaders across the country as a pre-holiday reminder of the potential for individual civil and criminal liability arising out of compliance failures. Dr. Emil DiIorio, the founder, principal owner and CEO of Coordinated Health Holdings Co., a for-profit hospital and health system, agreed to settle allegations with the DOJ under the False Claims Act. The DOJ alleged that he and the company (which is on the hook for $11.25 million) submitted false claims to Medicare and other federal health care programs for orthopedic surgeries in a practice known as unbundling. Coordinated Health also had to enter into a five-year Corporate Integrity Agreement – one of the most dreaded enforcement tools that HHS has in its arsenal. “The alleged corporate culture and leadership that promoted this conduct and allowed it to continue despite crystal clear warning is shameful,” said U.S. Attorney William M. McSwain of the Eastern District of Pennsylvania.
It is now an opportune time to assess your organization’s true corporate culture and determine whether your leadership appreciates its growing responsibilities and is equipped to fulfill those responsibilities in a meaningful way. Going through the motions of compliance education is simply not enough. The federal government has been very clear that it expects leadership, including boards, to understand their corporate governance responsibilities, their responsibilities regarding review and oversight of the organization’s compliance program, as well as applicable federal and state laws such as the False Claims Act.
While the OIG has stated that there is not a “one size fits all” program design for all compliance programs and that companies should tailor their compliance program designs, individuals who serve on for-profit and not-for-profit boards should make sure that they are fully equipped during the entire life cycle of their tenure. Board responsibility, particularly in the fast-paced and highly regulated health care space, is not a static journey.
Moreover, each board member has a different baseline understanding of the industry, experience and skill set. Not every board member is living and breathing MACRA, ACOs, EMRs, CINs and AKS. But the old assumptions that health care has too many acronyms to bother lay members with or that the Stark law makes no sense and is not worth going over, have never been accurate and are definitely not in today’s enforcement environment. In fiscal year 2018 alone, the DOJ recouped $2.8 billion for False Claims Act cases.
Any prudent board member should make sure that either the organization’s current program is sufficiently tailored to that board’s individual needs or ask for additional and ongoing education and support. Initial education and ongoing refreshers are just the beginning of an effective board compliance program. The OIG expects that board members understand their responsibilities to provide oversight for corporate compliance programs and to promote an ethical culture in their organizations. This is no small task. The regulatory framework is complex and in a state of flux, the OIG’s Work Plan is comprehensive and not the only determinant of focus areas and compliance risks, hospital operations are being reinvented to transition out of the fee-for-service model, and the reimbursement landscape is uncertain.
At a minimum, new and existing board members should look to understand the organization’s business models; organizational and governance structures; governing documents; authority matrix including any powers reserved for a parent or subsidiary board; board committee policies and procedures; D&O policies and scope of coverage; COI policies; current compliance plan; past years’ compliance plans and performance against the plans; significant compliance concerns that have led to self-disclosures or other self-reporting obligations; any recent or material government investigation; the terms of any Corporate Integrity Agreements; significant security or privacy breaches; processes and procedures in place relating to financial arrangements with physicians and physician groups; the fraud and abuse laws; medical necessity; billing and reimbursement basics; security obligations; and other key regulatory requirements that impact the organization.
Board members are also advised to meet the compliance lead, understand how issues are identified and remediated, and have access to the compliance team to answer any questions that may arise. Internal and, as appropriate, external counsel should be part of the process and partner with the compliance lead and board members, when necessary. These steps are important but not sufficient and every organization should continuously assess and improve its ongoing compliance strategy.
Service on a hospital board is an opportunity to serve and a privilege. It is also an obligation full of responsibilities. With so many issues competing for boards’ attention these days, the Coordinated Health settlement is a timely reminder that hospital leadership and boards cannot take their eyes off of the importance of compliance. The risk is too high to get lost in the alphabet soup.
On January 13, 2017, the Centers for Medicare and Medicaid Services (“CMS”) sent a Memorandum (“Memo”) to State survey agency directors encouraging long-term care providers to “consider cybersecurity when developing or reviewing their emergency preparedness plans.” The Memo was a follow-up to the CMS long-term care emergency preparedness rule published in the Federal Register on September 16, 2016: “Medicare and Medicaid Programs; Emergency Preparedness Requirements for Medicare and Medicaid Participating Providers and Suppliers.” Under that final rule, long-term care facilities were held to additional standards, including requirements to have emergency and standby power systems in place. Nursing homes were also required to create plans regarding missing residents that could be activated regardless of whether the facility has activated its full-scale emergency plan. The rule was spurred on by recent flooding in Baton Rouge, Louisiana, and other emergency disasters, such as Hurricane Sandy and the 2009 H1N1 pandemic, according to CMS.
Whether State surveyors will actually treat the lack of a cybersecurity plan for emergency preparedness as a violation remains to be seen from this Memo. But certainly, a State survey agency could impose deficiencies for failure to have a proper cybersecurity plan and/or a proper cybersecurity backup plan as part of a facility’s emergency preparedness going forward. It is not clear why CMS decided to send this encouragement Memo three months after the Final Rule on emergency preparedness, but it likely has something to do with the fact that 2016 was a banner year for HIPAA privacy infractions and HIPAA enforcement by the Office for Civil Rights (“OCR”), the entity responsible for HIPAA compliance. In 2016, payouts for HIPAA violations skyrocketed to a record $23.51 million collected by OCR enforcers from health care providers. That number was triple the previous record of almost $7.94 million in payouts in 2014, followed by $6.19 million in payouts in 2015.
On August 5, 2016, the Centers for Medicare and Medicaid Services (CMS) published a Survey and Certification Memorandum (Notice) urging State health departments to enforce violations by nursing homes in posting patient images on social media. This development was interesting given that the Office for Civil Rights (OCR), the enforcer of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, presumably should already be cracking down on any such violations of resident rights as a violation of HIPAA. According to Modern Healthcare, increased instances of nursing home staff inappropriately posting resident pictures on social media may have sparked this pronouncement by CMS.
Specifically, CMS will more strictly enforce, through State agencies, corrective actions to ensure that employee postings of residents in a degrading manner do not occur in the nursing home setting. Interestingly, the Notice does not discuss nursing homes reporting such employee conduct to OCR, but does indicate that employees should report such postings on social media of residents as abuse “to at least one law enforcement agency.”
On January 26, 2015, the United States Department of Health & Human Services (HHS) announced its timeline for shifting Medicare reimbursements from volume-based criteria to value-based criteria. HHS has adopted a framework that categorizes health care payments according to how providers receive payment to provide care:
• Category 1—fee-for-service with no link of payment to quality
• Category 2—fee-for-service with a link of payment to quality
• Category 3—alternative payment models built on fee-for-service architecture
• Category 4—population-based payment
In Monday’s announcement, HHS disclosed its initiative to drive more of the Medicare payments to categories 3 and 4. This is the first time in history that HHS has set explicit goals for alternative payment models and value-based payments. HHS declared: “Improving the quality and affordability of care for all Americans has always been a pillar of the Affordable Care Act, alongside expanding access to such care. The law gives us the opportunity to shape the way health care is delivered to patients and to improve the quality of care system-wide while helping to reduce the growth of health care costs.”
By the end of 2016, HHS has set a goal of tying 30 percent of traditional, fee-for-service, Medicare payments to quality or value through alternative payment models, such as Accountable Care Organizations (ACOs) or bundled payment arrangements. By the end of 2018, the goal is 50 percent of these payments.
An ACO is an organization of health care providers that agree to be accountable for the quality, cost, and overall care of a group of Medicare beneficiaries. Reimbursement is tied to quality metrics to reduce the total cost of care for the assigned population of patients. Hospitals and physicians have been forming ACOs, and HHS’s most recent initiative should drive even more dollars in this direction.
However, in our experience, long-term care facilities (LTC Facilities) have been slow to adopt the ACO model. Refusal to join an ACO could result in fewer referrals from hospitals and other providers, since ACO members will refer to the facility (or facilities) within the ACO. LTC Facilities with high ratings for their Quality Measures (on Nursing Home Compare) and low re-hospitalization rates will be more attractive to ACOs. Now is the time to join an ACO, before it is too late.
Covered Entities Cautioned Regarding Use of Business Associates
On July 8, 2013, health insurer WellPoint, Inc. entered into a Resolution Agreement with the U.S. Department of Health and Human Services, Office for Civil Rights (HHS), agreeing to pay HHS $1.7 million to resolve an HHS complaint regarding violations of the HIPAA Privacy and Security Rules during the period of October 23, 2009, through March 7, 2010. WellPoint reported a breach of electronic protected health information (ePHI) on June 18, 2010, leading to an HHS investigation that commenced on September 9, 2010.
The WellPoint matter serves as a reminder to HIPAA-covered entities, and to subcontractors that are business associates, to comply with the HIPAA Security Rule, and to covered entities to prudently oversee the services their business associates provide.
Although the professional component of coding for evaluation and management services (“E&M Services”) has been scrutinized over the years, until recently, little attention has been given to coding practices for the facility component of these services—including emergency department facility services. In a September 24, 2012, letter written by Kathleen Sebelius, Secretary, U.S. Department of Health and Human Services (HHS); and Eric Holder, Jr., Attorney General, U.S. Department of Justice, to hospital leadership throughout the United States, HHS and the Justice Department expressed their concern that hospitals may be inappropriately coding E&M Services. Specifically, the letter notes that “CMS is initiating more extensive medical reviews to ensure that providers are coding evaluation and management services accurately.” In light of the recent attention on emergency department facility component coding practices, an area that so far has largely been overlooked by the regulators, any facility that has not reviewed its coding practices for the facility component of E&M Services may want to consider doing so at this time.
The relationship between privacy and mobile applications is coming into focus. On February 27, 2012, the California Attorney General entered into a Joint Statement of Principles with the six largest mobile application companies – Apple, Google, H-P, Microsoft, Amazon and RIM – regarding consumer privacy and transparency issues when data is collected through an app. http://ag.ca.gov/cms_attachments/press/pdfs/n2647_agreement.pdf. The Five Principles set parameters for good practice. Although not legally binding, the AG promises to review compliance in the fall, and may use California laws on privacy, false advertising, unfair business practices and others as enforcement tools. Since California often leads the way in privacy enforcement it is likely that other states will follow suit.
We live in the data age, where every day a new technology is announced in business- and consumer-oriented ecommerce and mobile health (mhealth). In response, in recent years, federal and state legislators have enacted strict data privacy and security laws, such as HIPAA, COPPA, and Gramm-Leach-Bliley, to protect data whether in electronic (IT) or physical form. This data is known as protected health information (PHI) under HIPAA and personally identifiable information (PII) under other statutes. New federal and state laws also mandate comprehensive data breach responses, including notifications to individuals whose PHI or PII was breached and, in some cases, to agencies and state attorneys general. The shared premise behind these laws is that the public expects the highest standard of data protection from businesses and government. (Whether or not this is true – after all, we regularly give our credit card numbers to anonymous persons over the phone – is a subject for another day…)