Anti-Kickback EHR and Cybersecurity Safe Harbor

As another part of the Regulatory Sprint to Coordinated Care, OIG proposed revisions to the existing EHR Anti-Kickback Safe Harbor and added a cybersecurity component.

The initial EHR Safe Harbor was developed in response to President George W. Bush’s 2004 initiative to extend EHR nationwide within 10 years, i.e. 2014.  The proponents of those EHR regulations presumably thought the task would be completed within that time frame, because the initial proposal had a 10-year sunset, i.e. 2014.  In 2014, the sunset was extended until 2021.  The math wizards among us recognize that as 17 years and counting, which suggests perhaps a marathon to coordinated care, or perhaps a Never Ending Story.

The concept allowed a health system to provide hardware, software and access to centralized EHR systems to physicians on related medical staffs without that “benefit” being considered as remuneration in exchange for referrals in violation of the Anti-Kickback statutes.  Apparently Parkinson’s Law of “work expanding to fill the available time” also applies to IT systems, along with the computer corollary that data expands to fill the available space.  These goals have obviously been complicated by the continuing expansion of coordinated healthcare, quality incentive programs, and now “value-based enterprises”.

The Safe Harbor in 42 CFR Section 1001.952(y) has been amended in two ways:

  1. The sunset provisions have been permanently deleted, presumably in recognition of the reality that this is not a “finite” task that will eventually be completed; just think how the GPS in your car has evolved to become a self-driving vehicle.
  2. The addition of cybersecurity protection by the change of the definition to state that remuneration will not include non-monetary items consisting of items and services for information technology, training services, and cybersecurity software and devices.

There is no comparable Stark change to the EHR Safe Harbor because of the nature of the prohibitions.  Stark prohibits physicians from making referrals to entities with which they have financial relationships; provision of EHR by a healthcare system is not a physician referral.  The potential fraud or inducement risk of providing EHR was that it could be seen as remuneration in exchange for referrals.

$1,600,000 Civil Money Penalty for HIPAA Violations by the Texas Health and Human Services Commission

On November 7, 2019, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $1,600,000 civil money penalty for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules.

According to HHS, the Texas Health and Human Services Commission (TX HHSC) “operates state supported living centers; provides mental health and substance use services; regulates child care and nursing facilities; and administers hundreds of programs for people [who] need assistance, including supplemental nutrition benefits and Medicaid.”  TX HHSC also includes, since September 2017, the Department of Aging and Disability Services (DADS), a state agency that administers long-term care services for the aging.

According to the HHS Notice of Proposed Determination, the HIPAA violations committed by TX HHSC included:

  • In 2015, TX HHSC reported that electronic protected health information of 6,617 individuals became viewable over the internet after a breach following a server migration and a flaw in the software code.  The information available included names, addresses, social security numbers, and treatment information.  HHS also learned that TX HHSC had “never performed an ‘agency-wide’ security risk analysis.”

TX HHSC did not submit any written evidence of mitigating factors or affirmative defenses for consideration.  TX HHSC also waived its right to a hearing.

You can read the HHS Press Release, the Notice of Proposed Determination and the Notice of Final Determination here: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/txhhsc/index.html?language=en

If your office would like guidance on how it can prevent HIPAA violations from occurring, or how to handle a HIPAA violation, please contact our firm.

Danielle Dietrich is a healthcare and litigation attorney in Tucker Arensberg’s Long Term Care Practice Group. She is licensed to practice law in Pennsylvania, Ohio and West Virginia.  Danielle can be reached via email: ddietrich@tuckerlaw.com, telephone: 412-594-5605 or on Twitter at @DLDietrich.

Regulatory Sprint to Coordinated Care: New Stark & Anti-Kickback Rules

On October 22, 2019, CMS and OIG (Office of Inspector General) released new proposed rules regarding Stark Law Exceptions and Anti-Kickback Safe Harbors in response to what has universally been christened as the “Regulatory Sprint to Coordinated Care”, first announced by HHS in June of 2018.

As background, please remember that, although the Anti-Kickback Safe Harbors and the Stark Law Exceptions are confusingly similar with respect to their intended purpose, they serve the following different functions:

  1. The Stark Act prohibits physicians from referring only the Stark “designated health services” to healthcare entities with which they have financial relationships.
  2. The Anti-Kickback statute prohibits anyone from paying, receiving, soliciting or offering any kind of remuneration in exchange for the referral of any Medicare or governmental health covered service.

The regulators have provided “Stark Law Exceptions” and “Anti-Kickback Safe Harbors” which are remarkably similar but apply in the different context described above.

In general, the new Safe Harbors and Exceptions cover three major areas:

  1. Coordinated Care and Value-Based Enterprises.
  2. Extension of the EHR Safe Harbor sunset.
  3. Revising the definition of fair market value that applies to both the Stark Law Exceptions and the Anti-Kickback Safe Harbors (AKS).

This article is intended to cover the “new kid on the block”, i.e. the value-based enterprises.  The new definitions for the Stark Act and the AKS are each attached as Exhibit A and Exhibit B respectively.  A value-based enterprise is essentially defined as two or more VBE participants collaborating to achieve at least one value-based purpose as parties to a value-based arrangement, which arrangement has an accountable body or person responsible for management and a governing document describing its purpose.  That is a rather circular definition, and the specific definitions for both the Anti-Kickback Safe Harbor and the Stark Exceptions are attached.

In order to provide a sense of the vagueness of the intended scope of these arrangements, I have inserted the two following quotes from the regulatory announcements:

Evolution of Healthcare Landscape

“The health care landscape when the physician self-referral law was enacted bears little resemblance to the landscape of today.  As some CMS RFI commenters highlighted, the physician self-referral law was enacted at a time when the goals of the various components of the health care system were not merely unaligned but often in conflict, with each component competing for a bigger share of the health care dollar without regard to the inefficiencies that resulted for the system as a whole–in other words, a volume–based system.  According to several commenters, the current physician self-referral regulations–intended to combat overutilization in a volume-based world–are outmoded because, by their nature, integrated care models protect against overutilization by aligning clinical and economic performance as the benchmarks for value.  And, in general, the greater the economic risk that providers assume, the greater the economic disincentive to overutilize services.  According to more than one of these commenters, the current prohibitions are even antithetical to the stated goals of policy makers both in the Congress and within HHS for health care delivery and payment reform.  Although we agree in concept, we continue to operate substantially in a volume-based payment system.  Thus, we must proceed with caution, even as we propose the significant changes outlined in this proposed rule.”

The government regulators are late to the game in recognizing the ambiguity and the absence of reality regarding the existing regulations.  The regulatory philosophy has long been to make everything illegal and then work their way backwards granting Exceptions and Safe Harbors, precisely because actually “describing” an acceptable arrangement is extremely difficult, especially when the violation could be based upon the intent of the individuals.  That lack of clarity has always created a great deal of potential risk for participants.

VBE Description

“We intend the definition of “value-based enterprise” to include only organized groups of health care providers, suppliers, and other components of the health care system collaborating to achieve the goals of a value-based health care system.  An “enterprise” may be a distinct legal entity–such as an ACO–with a formal governing body, operating agreement or bylaws, and the ability to receive payment on behalf of its affiliated health care providers.  An “enterprise” may also consist only of the two parties to a value-based arrangement with the written documentation recording the arrangement serving as the required governing document that describes the enterprise and how the parties intend to achieve its value-based purpose(s).  Whatever its size and structure, a value-based enterprise is essentially a network of participants (such as clinicians, providers, and suppliers) that have agreed to collaborate with regard to a target patient population to put the patient at the center of care through care coordination, increase efficiencies in the delivery of care, and improve outcomes for patients.  We have proposed our definition of “value-based enterprise” in terms of the functions of the enterprise as it is not our intention to dictate or limit the appropriate legal structure for qualifying as a value-based enterprise.”

Accountable care organizations were the first attempt to provide exceptions for organized healthcare enterprises.  Accountable care organizations were created by the Accountable Care Act of 2010.  A standing joke for legal presenters discussing ACOs was to ask the audience what an ACO was called before it was called an ACO.  The answer is:  a felony!

These ideas are new and the general intent is to protect legitimate value-based enterprises from the Anti-Kickback or the self-referral prohibitions.  However, at this stage, they are obviously quite vague.  This calls to mind Justice Potter Stewart’s quote regarding pornography:

“I shall not today attempt further to define the kinds of material I understand to be embraced within that shorthand description, and perhaps I could never succeed in intelligibly doing so.  But I know when I see it . . .”.  Jacobellis v. Ohio (U.S. Supreme Ct. 1964).

Since these proposed regulations are brand new, fairly short in the way of explanation, fairly broad in the terms of coverage and without any actual examples of what does and doesn’t work, you should be very cautious when you first participate in any VBE design to take advantage of these situations.

$3,000,000 Settlement by University of Rochester Medical Center for Numerous HIPAA Violations

On November 5, 2019, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $3,000,000 settlement with the University of Rochester Medical Center (“URMC”) for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules in 2013 and 2017.

According to HHS, URMC reported that protected health information (“PHI”) had been improperly disclosed after the loss of an unencrypted flash drive in 2013 and the theft of an unencrypted laptop in 2017.  HHS found that URMC had failed to undertake the appropriate measures to protect this kind of PHI, including encryption mechanisms and system-wide risk analysis.  HHS reports that it investigated a similar breach involving the loss of an unencrypted flash drive by URMC in 2010.

In addition to the monetary settlement, URMC also agreed to a Corrective Action Plan.

You can read the HHS Press Release, Resolution Agreement and Corrective Action Plan here: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/urmc/index.html

If your office would like guidance on how it can prevent HIPAA violations from occurring, or how to handle a HIPAA violation, please contact our firm.

Federal Government Delays Hospital Transparency Regarding Commercial Rates

The federal government/Trump administration announced today a delay regarding a proposed rule requiring hospitals to disclose actual negotiated price rates.  See WSJ News.

In January, 2019, as reported in the MedLaw Blog on January 10, 2019, CMS added a rule requiring hospitals to publish their standard charges beginning January 2019.

As noted in that blog post, requiring the “charge master disclosure” does not provide much in the way of transparency since so few commercial payors actually pay that rate.


$2,154,000 Civil Money Penalty for Numerous HIPAA Violations by Jackson Health System

On October 23, 2019, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $2,154,000 civil money penalty for numerous violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules between 2013 and 2016.

According to HHS, Jackson Health System (“JHS”) is a medical system based in Florida and provides health care to 650,000 patients on average each year.

According to the HHS Notice of Proposed Determination, the HIPAA violations committed by JHS included:

  • In 2013, JHS lost paper records for 1,471 patients.
  • In 2015, there were media reports disclosing the protected health information (“PHI”) of a well-known NFL player who was a patient.  An ESPN reporter had shared a photograph of an electronic display board in a JHS operating room and a paper schedule, both of which contained the PHI of the patient.
  • In 2016, JHS reported that one of its employees had been selling patient information since 2011, and that employee had inappropriately accessed 24,188 patient records.
  • JHS failed to provide timely and accurate breach notifications or conduct the appropriate steps to identify and remediate potential risks for additional violations.

JHS waived its right to a hearing and did not contest the findings.  It has paid the $2,154,000 civil monetary penalty.

You can read the HHS Press Release, the Notice of Proposed Determination and the Notice of Final Determination here: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/jackson/index.html

If your office would like guidance on how it can prevent HIPAA violations from occurring, or how to handle a HIPAA violation, please contact our firm.


Regulatory Sprint to Coordinated Care: CMS/AKS and OIG Stark Proposed Amendments

HHS has long admitted that the Anti-Kickback Statute (AKS) and the Stark law have not evolved to keep pace with the transition to value-based care.  In June of 2018, HHS issued an RFI seeking additional information, and HHS also issued a release on December 12, 2018 seeking input on improving care coordination and reducing the regulatory burdens of the HIPAA rules.

I would suggest that almost everybody else came to that conclusion much earlier than last year.

On October 9, 2019 HHS and OIG released their proposals as part of this “Regulatory Sprint to Coordinated Care”.  Note that OIG is issuing new Safe Harbors applicable to the AKS rules and CMS is issuing proposed changes to the definitions in the Stark Law.

  • AKS prohibits the solicitation or payment of remuneration by anybody for any government health care program.
  • CMS only prohibits physicians from referring Designated Health Services (DHS) to provider entities with which they have financial relationships and, although it is more restricted in scope, it is nevertheless broad enough to impact global health care delivery.

OIG has issued Safe Harbors in the following areas:

  • Care coordination and improved quality, health, and efficiency.
  • Value-based arrangements with substantial downside financial risk covering certain in-kind and monetary arrangements where a value-based enterprise (VBE) accepts substantial downside risk from third party payors.
  • Value-based arrangements with full financial risk.
  • Patient engagement and support arrangements.
  • CMS sponsored model arrangements and model patient incentives.
  • Donations of cybersecurity technology services, accompanied by modifications to the existing EHR Safe Harbor.

CMS is proposing to change definitions with respect to fair market value, as follows:

  • CMS is proposing alternative definitions for the term commercially reasonable so that it could apply either to arrangements that further legitimate business purposes or arrangements that make commercial sense similar to other existing arrangements.
  • CMS is proposing three definitions of fair market value (FMV) applying to equipment rentals, office space, and FMV in general.
  • CMS is proposing to revise the volume or value based standard so that it will apply only when the formula used to calculate the remuneration actually includes referrals and other business generated.

Following are links to:

  • HHS Press Release: https://www.cms.gov/newsroom/fact-sheets/modernizing-and-clarifying-physician-self-referral-regulations-proposed-rule
  • OIG Safe Harbors: https://www.govinfo.gov/content/pkg/FR-2019-10-17/pdf/2019-22027.pdf
  • CMS Proposed Stark Law Amendments: https://www.govinfo.gov/content/pkg/FR-2019-10-17/pdf/2019-22028.pdf

All of these documents comprise hundreds of pages, 650 to be exact, and I will attempt to isolate individual proposals for discussion throughout the end of the year.

Pennsylvania Commonwealth Court Again Declines to Extend Consent Decree

The Pennsylvania Commonwealth Court, on remand from the Pennsylvania Supreme Court, has again decided that the previously agreed termination date of the access provisions contained in the UPMC/Highmark Consent Decrees, i.e. June 30, 2019, is not a term subject to the modification provisions of those Consent Decrees, and is definite.  The adjudication of the Commonwealth Court, attached hereto, discusses the history of the negotiation of the terms, especially the termination date, and confirms the Consent Decrees will expire on June 30, 2019.

For additional information contact Mike Cassidy.
