Ambulance Company Pays $65,000 Settlement

By Danielle Dietrich on December 30, 2019 Posted in HIPAA, HIT and EHR

On December 30, 2019, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $65,000 settlement with West Georgia Ambulance, Inc. for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules.

According to HHS, in 2013 the ambulance company reported a breach where an unencrypted laptop fell off the back bumper of an ambulance. The company did not recover the laptop and reported that 500 individuals were affected by the breach.

An investigation showed that the company did not conduct an accurate and thorough risk analysis, did not have a HIPAA security training program, did not provide security training to its employees and failed to implement Security Rule policies or procedures.

In additional to the monetary settlement, the ambulance company agreed to enter into a Corrective Action Plan requiring a very detailed and thorough review and analysis of all of the security risks and vulnerabilities in the company, submit detailed reports, provide training and routine retraining, adopt and implement appropriate written policies and procedures and other corrective actions.

You can read the HHS Press Release and Resolution Agreement here: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/westgeorgia/index.html

If you would like guidance on how it can prevent HIPAA violations from occurring, or how to handle a HIPAA violation, please contact our firm.

Danielle Dietrich is a healthcare and litigation attorney in Tucker Arensberg’s Long Term Care Practice Group. She is licensed to practice law in Pennsylvania, Ohio and West Virginia. Danielle can be reached via email: ddietrich@tuckerlaw.com, telephone: 412-594-5605 or on Twitter at @DLDietrich.

Tucker Arensberg Attorneys to speak at the PBI Health Law Institute in March 2020

By Michael Cassidy on December 20, 2019 Posted in Legal News

Tucker Arensberg is pleased to be a gold sponsor of the 26th Annual Pennsylvania Bar Institute (PBI) Health Law Institute taking place from March 11–12, 2020 in Philadelphia, PA. Jerry J. Russo, Chair of the White Collar Criminal Defense Group; Danielle L. Dietrich, a Shareholder in the Health Care and Long Term Care Groups; and Kathleen A. Nandan, a former litigator with the U.S. Attorney’s Office in the Eastern District of New York will be presenting “Investigations and Litigation: How you respond can affect your livelihood, your bank account and your freedom.“

2020 Pennsylvania Medical Record Fees

By Michael Cassidy on December 16, 2019 Posted in Legal News

Click the link to view the 2020 Pennsylvania Medical Record Fees: https://www.pacodeandbulletin.gov/Display/pabull?file=/secure/pabulletin/data/vol49/49-49/1816.html#

Telehealth Update: Connect for Health Act

By Michael Cassidy on December 11, 2019 Posted in Legal News

A bipartisan group of senators has introduced the Creating Opportunities Now for Necessary and Effective Care Technologies (CONNECT) for Health Act of 2019. A summary produced by that bipartisan group is attached.

If enacted, the CONNECT for Health Act solutions would be as follows:

Create a bridge program to help providers transition to the goals of the Medicare Access and CHIP Reauthorization Act (MACRA) and the Merit-based Incentive Payment System (MIPS) through using telehealth and RPM without most of the aforementioned Social Security Act Section 1834(m) restrictions;
Allow telehealth and RPM to be used by qualifying participants in alternative payment models, without most of the aforementioned 1834(m) restrictions;
Permit the use of remote patient monitoring for certain patients with chronic conditions;
Allow, as originating sites, telestroke evaluation and management sites; Native American health service facilities; and dialysis facilities for home dialysis patients in certain cases;
Permit further telehealth and RPM in community health centers and rural health clinics;
Allow telehealth and RPM to be basic benefits in Medicare Advantage, without most of the aforementioned 1834(m) restrictions; and
Clarify that the provision of telehealth or RPM technologies made under Medicare by a health care provider for the purpose of furnishing these services shall not be considered “remuneration.”

Click here to read the CONNECT for Health Act.

Hospital Groups File Lawsuit Challenging Rule That Would Require Them To Disclose Prices Given To Insurers

By Michael Cassidy on December 5, 2019 Posted in Articles, Legal News

Click on the link to an article published in the New York Times (12/4, Abelson) reporting the American Hospital Association and other hospital groups filed a lawsuit against the Trump Administration “over a new federal rule that would require them to disclose the discounted prices they give insurers for all sorts of procedures.” The hospital groups claim the new rule “is unlawful, several times over,” because the Administration exceeded its authority by issuing the rule and that disclosing the privately negotiated prices violates their First Amendment rights.

The Hill (12/4, Coleman) reports the hospital groups requested “an expedited decision to prevent hospitals from needing to prepare for the rule if it is ultimately ruled unconstitutional.”

Reuters (12/4, Joseph) and the Wall Street Journal (12/4, Armour, Subscription Publication) also cover the story. New York Times reporting

Trump Administration Announces Historic Price Transparency Requirements

By Michael Cassidy on November 19, 2019 Posted in Legal News

Attached are links to the CMS Press Release and the Trump Executive Order on Improving Price and Quality Transparency in American Healthcare to Put Patients First.

The Trump Executive Order was first issued on June 21, 2019.

The CMS Press Release indicates action on two rules.

First, the “proposed” transparency and coverage rule would require health plans to:

Give consumers real time, personalize access to cost-sharing information, including an estimate of their cost-sharing liability for all covered healthcare items and services.

Disclose on a public website their negotiated rates for in-network providers and allowed amounts paid for out-of-network providers.

CMS is finalizing a rule that requires hospital to provide patients with “clear, accessible information about their standard charges for the items and services they provide, including through the use of standardized data elements, making it easier to shop and compare across hospitals”. This final rule would go into effect beginning January 1, 2021.

Finally, the Washington Post article link indicates the two biggest hospital trade groups, i.e. the American Hospital Association and the Federation of American Hospitals, plan a legal challenge.

Anti-Kickback EHR and Cybersecurity Safe Harbor

By Michael Cassidy on November 11, 2019 Posted in Articles, Legal News

As another part of the Regulatory Sprint to Coordinated Care, OIG proposed revisions to the existing EHR Anti-Kickback Safe Harbor and added a cybersecurity component.

The initial EHR Safe Harbor was developed in response to President George W. Bush’s 2004 initiative to extend EHR nationwide within 10 years, i.e. 2014. The proponents of those EHR regulations presumably thought the task would be completed within that time frame, because the initial proposal had a 10 year sunset, i.e. 2014. In 2014, the sunset was extended until 2021. The math wizards among us recognize that as 17 years and counting, which suggests perhaps a marathon to coordinated care, or perhaps a Never Ending Story.

The concept allowed a health system to provide hardware, software and access to centralized ERH systems to physicians on related medical staffs without that “benefit” being considered as remuneration in exchange for referrals in violation of the Anti-Kickback statutes. Apparently Parkinson’s Law of “work expanding to fill the available time” also applies to IT systems, and the computer corollary that data expands to fill the available space. These goals have obviously been complicated by the continuing expansion of coordinated healthcare, quality incentive programs, and now “value-based enterprises”.

The Safe Harbor in 42 CFR Section 1001.952(y) has been amended in two ways:

The sunset provisions have been permanently deleted, presumably in recognition of the reality that this is not a “finite” task that will eventually be completed; just think how the GPS in your car has evolved to become a self-driving vehicle.
The addition of cybersecurity protection by the change of the definition to state that remuneration will not include non-monetary items consisting of items and services for information technology, trading services, and cybersecurity software and devices.

There is no comparable Stark change to the EHR Safe Harbor because of the nature of the prohibitions. Stark prohibits physicians from making referrals to financial entities; provision of EHR by a healthcare system is not a physician referral. The potential fraud or inducement risk of providing EHR was that it could be seen as remuneration in exchange for referrals.

$1,600,000 Civil Money Penalty for HIPAA Violations by the Texas Health and Human Services Commission

By Danielle Dietrich on November 8, 2019 Posted in Legal News

On November 7, 2019, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $1,600,000 civil money penalty for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules.

According to HHS, the Texas Health and Human Services Commission (TX HHSC) “operates state supported living centers; provides mental health and substance use services; regulates child care and nursing facilities; and administers hundreds of programs for people need assistance, including supplemental nutrition benefits and Medicaid.” TX HHSC also includes, since September 2017, the Department of Aging and Disability Services (DADS), a state agency that administers long-term care services for the aging.

According to the HHS Notice of Proposed Determination, the HIPAA violations committed by TX HHSC included:

In 2015, TX HHSC reported that electronic protected health information of 6,617 individuals became viewable over the internet after a breach following a server migration and a flaw in the software code. The information available included names, addresses, social security numbers, and treatment information. HHS also learned that TX HHSC had “never performed an ‘agency-wide’ security risk analysis.”

TX HHSC did not submit any written evidence of mitigating factors or affirmative defenses for consideration. TX HHSC also waived its right to a hearing.

You can read the HHS Press Release, the Notice of Proposed Determination and the Notice of Final Determination here: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/txhhsc/index.html?language=en

If you would like guidance on how it can prevent HIPAA violations from occurring, or how to handle a HIPAA violation, please contact our firm.

Regulatory Sprint to Coordinated Care: New Stark & Anti-Kickback Rules

By Michael Cassidy on November 6, 2019 Posted in Fraud - Stark, Legal News

On October 22, 2019, CMS and OIG (Office of Inspector General) released new proposed rules regarding Stark Law Exceptions and Anti-Kickback Safe Harbors in response to what has universally been christened as the “Regulatory Sprint to Coordinated Care”, first announced by HHS in June of 2018.

As background, please remember that, although the Anti-Kickback Safe Harbors and the Stark Law Exceptions are confusingly similar with respect to their intended purpose, they serve the following different functions:

The Stark Act prohibits physicians from referring only the Stark “designated health services” to healthcare entities with which they have financial relationships.

The Anti-Kickback statute prohibits anyone from paying, receiving, soliciting or offering any kind of remuneration in exchange for the referral of any Medicare or governmental health covered service.

The regulators have provided “Stark Law Exceptions” and “Anti-Kickback Safe Harbors” which are remarkably similar but apply in the different context described above.

In general, the new Safe Harbors and Exceptions cover three major areas:

Coordinated Care and Value-Based Enterprises.

Extension of the EHR Safe Harbor sunset.

Revising the definition of fair market value that applies to both the Stark Law Exceptions and the Anti-Kickback Safe Harbors (AKS).

This article is intended to cover the “new kid on the block”, i.e. the value-based enterprises. The new definitions for the Stark Act and the AKS are each attached as Exhibit A and Exhibit B respectively. A value-based enterprise is essentially defined as two or more VBE participants collaborating to achieve at least one value-based purpose as parties to a value-based arrangement, which arrangement has an accountable body or person responsible for management and a governing document describing its purpose. That is a rather circular definition, and the specific definitions for both the Anti-Kickback Safe Harbor and the Stark Exceptions are attached.

In order to provide a sense of the vagueness of the intended scope of these arrangements, I have inserted the two following quotes from the regulatory announcements:

Evolution of Healthcare Landscape

“The health care landscape when the physician self-referral law was enacted bears little resemblance to the landscape of today. As some CMS RFI commenters highlighted, the physician self-referral law was enacted at a time when the goals of the various components of the health care system were not merely unaligned but often in conflict, which each component competing for a bigger share of the health care dollar without regard to the inefficiencies that resulted for the system as a whole–in other words, a volume–based system. According to several commenters, the current physician self-referral regulations–intended to combat overutilization in a volume-based world–are outmoded because, by their nature, integrated care models protect against overutilization by aligning clinical and economic performance as the benchmarks for value. And, in general, the greater the economic risk that providers assume, the greater the economic disincentive to overutilize services. According to more than one of these commenters, the current prohibitions are even antithetical to the stated goals of policy makers both in the Congress and within HHS for health care delivery and payment reform. Although we agree in concept, we continue to operate substantially in a volume-based payment system. Thus, we must proceed with caution, even as we propose the significant changes outlined in this proposed rule.”

The government regulators are late to the game in recognizing the ambiguity and the absence of reality regarding the existing regulations. The regulatory philosophy has long been to make everything illegal and then work their way backwards granting Exceptions and Safe Harbors, precisely because actually “describing” an acceptable arrangement is extremely difficult, especially when the violation could be based upon the intent of the individuals. That lack of clarity has always created a great deal of potential risk for participants.

VBE Description

“We intend the definition of “value-based enterprise” to include only organized groups of health care providers, suppliers, and other components of the health care system collaborating to achieve the goals of a value-based health care system. An “enterprise” may be distinct legal entity–such as an ACO–with a formal governing body, operating agreement or bylaws, and the ability to receive payment on behalf of its affiliated health care providers. An “enterprise” may also consist only of the two parties to a value-based arrangement with the written documentation recording the arrangement serving as the required governing document that describes the enterprise and how the parties intend to achieve its value-based purpose(s). Whatever its size and structure, a value-based enterprise is essentially a network of participants (such as clinicians, providers, and suppliers) that have agreed to collaborate with regard to a target patient population to put the patient at the center of care through care coordination, increase efficiencies in the delivery of care, and improve outcomes for patients. We have proposed our definition of “value-based enterprise” in terms of the functions of the enterprise as it is not our intention to dictate or limit the appropriate legal structure for qualifying as a value-based enterprise.”

Should be accountable care organizations for the first attempt to provide exceptions for organized healthcare enterprises. Accountable health care organizations were created by the Accountable Care Act of 2010. A standing joke for legal presenters discussing ACOs was to ask the audience what an ACO was called before it was called an ACO. The answer is: a felony!

These ideas are new and the general intent is to protect legitimate value-based enterprises from the Anti-Kickback or the self-referral prohibitions. However, at this stage, they are obviously quite vague. This calls to mind Justice Potter Stewart’s quote regarding pornography:

“I shall not today attempt further to define the kinds of material I understand to be embraced within that shorthand description, and perhaps I could never succeed in intelligibly doing so. But I know when I see it . . .”. Jacobellis v. Ohio (U.S. Supreme Ct. 1964).

Since these proposed regulations are brand new, fairly short in the way of explanation, fairly broad in the terms of coverage and without any actual examples of what does and doesn’t work, you should be very cautious when you first participate in any VBE design to take advantage of these situations.

$3,000,000 Settlement by University of Rochester Medical Center for Numerous HIPAA Violations

By Danielle Dietrich on November 5, 2019 Posted in HIPAA, HIT and EHR

On November 5, 2019, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $3,000,000 settlement with the University of Rochester Medical Center (“URMC”) for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules in 2013 and 2017.

According to HHS, URMC reported that protected health information (“PHI”) had been improperly disclosed after the loss of an unencrypted flash drive in 2013 and the theft of an unencrypted laptop in 2017. HHS found that URMC had failed to undertake the appropriate measures to protect this kind of PHI, including encryption mechanisms and system-wide risk analysis. HHS reports that it investigated a similar breach involving the loss of an unencrypted flash drive by URMC in 2010.

In addition to the monetary settlement, URMC also agreed to a Corrective Action Plan.

You can read the HHS Press Release, Resolution Agreement and Corrective Action Plan here: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/urmc/index.html

If you would like guidance on how it can prevent HIPAA violations from occurring, or how to handle a HIPAA violation, please contact our firm.