It Is Not Illegal to Pay Physicians More Than They Generate

While we are waiting for final disposition of the AKS Safe Harbors and Stark Exceptions proposed in October of 2019, since the comment period expired December 31, 2019 and final rules have not been issued, I thought we should reflect on the comments made and proposed regulations regarding physician compensation.

Physicians have become accustomed to hospitals trying to hold down compensation with arguments that it’s illegal to pay physicians more than the revenue they generate, or we can’t exceed the 75th percentile or the 90th percentile of MGMA or other standards.  The latter portion of that comment is obviously untrue; somebody is in the top quartile and decile and they are not in jail.  It is important to recognize that, although it is prohibited to pay physicians based entirely upon the revenue they generate, except for certain productivity exceptions for bonafide compensation, that does not mean the reverse is true.  Physicians may be paid based upon fair market value even if their compensation would otherwise exceed the revenue generated by their services.

I have attached a PDF of comments from CMS/ OIG, i.e. pp. 55790-55791 regarding “Commercially Reasonable” and pp. 55796-55799 regarding “Fair Market Value”, wherein they recognize that commercially reasonable/fair market value can encompass situations in which the compensation exceeds the potential revenue or national standards. Click the links to read the comments: pp. 55790-55791  and  pp. 55796-55799.

CMS acknowledged compelling concerns of commenters when they explain that, even knowing when the compensation arrangement may result in losses, it may not only be reasonable but necessary in situations governed by community need, timely access, fulfillment of license or obligations, and talent, improvement of quality health outcomes.  I am sure there are many circumstances when specialists and even primary care physicians are serving hospitals in areas with insufficient volume to pay what would otherwise be the average going rate, but that physician is absolutely necessary in that community.  Nobody questions that.

On page 134, CMS acknowledges that it could be possible to pay an orthopedic surgeon more than the going rate because of his or her national stature and expertise.

Obviously none of this justifies routinely disregarding the national fair market value data or the revenue sources, but it does indicate that those arrangements are not per se illegal, just subject to the rule of reason.

Telemedicine Comes of Age: OIG is Prosecuting Telehealth Fraud

You can now tell that telemedicine is a mature industry, because it has achieved enough critical mass that the fraud has started and the OIG is beginning to prosecute.  There is a lag time between when the cash flow and profit achieves sufficient critical mass to attract the criminals, the OIG identifies the problems, and the prosecution actually begins.

I am attaching a link to an OIG news release dated February 5, 2020 indicating the OIG is now prosecuting owners of a telemedicine company allegedly involved in arranging kickbacks for referrals.

https://www.justice.gov/opa/pr/two-owners-telemedicine-companies-charged-roles-56-million-conspiracy-defraud-medicare-and

Concurrently, the Office of the National Coordinator for Health Information Technology (ONC), which is a department of HHS, has proposed a rule to implement certain provisions of the 21st century Cures Act (Cures Act) designed to advance interoperability, support the access, exchange, and use of electronic health information, and make patients electronic health information (EHI) more electronically accessible through the adoption of standards and certifications for mobile digital applications (apps) on March 4, 2019, which proposed regulations are being studied by the White House.  The major app makers, i.e. Google, Apple, Microsoft, etc., the very industry giants seeking the access deals mentioned herein, believe interoperable health information apps should be as easily loaded as any other mobile app, but many regulators are concerned about the privacy and security of this data.  Attached is a link to the proposed rules.

https://www.healthit.gov/topic/laws-regulation-and-policy/notice-proposed-rulemaking-improve-interoperability-health

One of the critical issues is interoperability, and whether one app developer can program restrictions into that app that would prohibit the sharing of that information through other systems.  The restriction is fairly common with other commercial apps which do not contain PHI and do not interfere with a patient’s management of their own healthcare, or the management by or sharing with other systems.  However, that commercial application is viewed as incompatible with the idea of improving health care delivery through the use of mobile apps.

Ambulance Company Pays $65,000 Settlement

On December 30, 2019, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $65,000 settlement with West Georgia Ambulance, Inc. for  violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules.

According to HHS, in 2013 the ambulance company reported a breach where an unencrypted laptop fell off the back bumper of an ambulance.  The company did not recover the laptop and reported that 500 individuals were affected by the breach.

An investigation showed that the company did not conduct an accurate and thorough risk analysis, did not have a HIPAA security training program, did not provide security training to its employees and failed to implement Security Rule policies or procedures.

In additional to the monetary settlement, the ambulance company agreed to enter into a Corrective Action Plan requiring a very detailed and thorough review and analysis of all of the security risks and vulnerabilities in the company, submit detailed reports, provide training and routine retraining, adopt and implement appropriate written policies and procedures and other corrective actions.

You can read the HHS Press Release and Resolution Agreement here: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/westgeorgia/index.html

If you would like guidance on how it can prevent HIPAA violations from occurring, or how to handle a HIPAA violation, please contact our firm.

 

 

Tucker Arensberg Attorneys to speak at the PBI Health Law Institute in March 2020

Tucker Arensberg is pleased to be a gold sponsor of the 26th Annual Pennsylvania Bar Institute (PBI) Health Law Institute taking place from March 11–12, 2020 in Philadelphia, PA. Jerry J. Russo, Chair of the White Collar Criminal Defense Group and Kathleen A. Nandan, a former litigator with the U.S. Attorney’s Office in the Eastern District of New York will be presenting “Investigations and Litigation: How you respond can affect your livelihood, your bank account and your freedom.

Register now

Telehealth Update: Connect for Health Act

A bipartisan group of senators has introduced the Creating Opportunities Now for Necessary and Effective Care Technologies (CONNECT) for Health Act of 2019.  A summary produced by that bipartisan group is attached.

If enacted, the CONNECT for Health Act solutions would be as follows:

  • Create a bridge program to help providers transition to the goals of the Medicare Access and CHIP Reauthorization Act (MACRA) and the Merit-based Incentive Payment System (MIPS) through using telehealth and RPM without most of the aforementioned Social Security Act Section 1834(m) restrictions;
  • Allow telehealth and RPM to be used by qualifying participants in alternative payment models, without most of the aforementioned 1834(m) restrictions;
  • Permit the use of remote patient monitoring for certain patients with chronic conditions;
  • Allow, as originating sites, telestroke evaluation and management sites; Native American health service facilities; and dialysis facilities for home dialysis patients in certain cases;
  • Permit further telehealth and RPM in community health centers and rural health clinics;
  • Allow telehealth and RPM to be basic benefits in Medicare Advantage, without most of the aforementioned 1834(m) restrictions; and
  • Clarify that the provision of telehealth or RPM technologies made under Medicare by a health care provider for the purpose of furnishing these services shall not be considered “remuneration.”

Click here to read the CONNECT for Health Act.

Hospital Groups File Lawsuit Challenging Rule That Would Require Them To Disclose Prices Given To Insurers

Click on the link to an article published in the New York Times (12/4, Abelson) reporting the American Hospital Association and other hospital groups filed a lawsuit against the Trump Administration “over a new federal rule that would require them to disclose the discounted prices they give insurers for all sorts of procedures.” The hospital groups claim the new rule “is unlawful, several times over,” because the Administration exceeded its authority by issuing the rule and that disclosing the privately negotiated prices violates their First Amendment rights.

The Hill (12/4, Coleman) reports the hospital groups requested “an expedited decision to prevent hospitals from needing to prepare for the rule if it is ultimately ruled unconstitutional.”

Reuters (12/4, Joseph) and the Wall Street Journal (12/4, Armour, Subscription Publication) also cover the story. New York Times reporting

Trump Administration Announces Historic Price Transparency Requirements

Attached are links to the CMS Press Release and the Trump Executive Order on Improving Price and Quality Transparency in American Healthcare to Put Patients First.

The Trump Executive Order was first issued on June 21, 2019.

The CMS Press Release indicates action on two rules.

First, the “proposed” transparency and coverage rule would require health plans to:

Give consumers real time, personalize access to cost-sharing information, including an estimate of their cost-sharing liability for all covered healthcare items and services.

Disclose on a public website their negotiated rates for in-network providers and allowed amounts paid for out-of-network providers.

CMS is finalizing a rule that requires hospital to provide patients with “clear, accessible information about their standard charges for the items and services they provide, including through the use of standardized data elements, making it easier to shop and compare across hospitals”.  This final rule would go into effect beginning January 1, 2021.

Finally, the Washington Post article link indicates the two biggest hospital trade groups, i.e. the American Hospital Association and the Federation of American Hospitals, plan a legal challenge.

Anti-Kickback EHR and Cybersecurity Safe Harbor

As another part of the Regulatory Sprint to Coordinated Care, OIG proposed revisions to the existing EHR Anti-Kickback Safe Harbor and added a cybersecurity component.

The initial EHR Safe Harbor was developed in response to President George W. Bush’s 2004 initiative to extend EHR nationwide within 10 years, i.e. 2014.  The proponents of those EHR regulations presumably thought the task would be completed within that time frame, because the initial proposal had a 10 year sunset, i.e. 2014.  In 2014, the sunset was extended until 2021.  The math wizards among us recognize that as 17 years and counting, which suggests perhaps a marathon to coordinated care, or perhaps a Never Ending Story.

The concept allowed a health system to provide hardware, software and access to centralized ERH systems to physicians on related medical staffs without that “benefit” being considered as remuneration in exchange for referrals in violation of the Anti-Kickback statutes.  Apparently Parkinson’s Law of “work expanding to fill the available time” also applies to IT systems, and the computer corollary that data expands to fill the available space.  These goals have obviously been complicated by the continuing expansion of coordinated healthcare, quality incentive programs, and now “value-based enterprises”.

The Safe Harbor in 42 CFR Section 1001.952(y) has been amended in two ways:

  1. The sunset provisions have been permanently deleted, presumably in recognition of the reality that this is not a “finite” task that will eventually be completed; just think how the GPS in your car has evolved to become a self-driving vehicle.
  2. The addition of cybersecurity protection by the change of the definition to state that remuneration will not include non-monetary items consisting of items and services for information technology, trading services, and cybersecurity software and devices.

There is no comparable Stark change to the EHR Safe Harbor because of the nature of the prohibitions.  Stark prohibits physicians from making referrals to financial entities; provision of EHR by a healthcare system is not a physician referral.  The potential fraud or inducement risk of providing EHR was that it could be seen as remuneration in exchange for referrals.

$1,600,000 Civil Money Penalty for HIPAA Violations by the Texas Health and Human Services Commission

On November 7, 2019, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $1,600,000 civil money penalty for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules.

According to HHS, the Texas Health and Human Services Commission (TX HHSC) “operates state supported living centers; provides mental health and substance use services; regulates child care and nursing facilities; and administers hundreds of programs for people need assistance, including supplemental nutrition benefits and Medicaid.”  TX HHSC also includes, since September 2017, the Department of Aging and Disability Services (DADS), a state agency that administers long-term care services for the aging.

According to the HHS Notice of Proposed Determination, the HIPAA violations committed by TX HHSC included:

  • In 2015, TX HHSC reported that electronic protected health information of 6,617 individuals became viewable over the internet after a breach following a server migration and a flaw in the software code.  The information available included names, addresses, social security numbers, and treatment information.  HHS also learned that TX HHSC had “never performed an ‘agency-wide’ security risk analysis.”

TX HHSC did not submit any written evidence of mitigating factors or affirmative defenses for consideration.  TX HHSC also waived its right to a hearing.

You can read the HHS Press Release, the Notice of Proposed Determination and the Notice of Final Determination here: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/txhhsc/index.html?language=en

If you would like guidance on how it can prevent HIPAA violations from occurring, or how to handle a HIPAA violation, please contact our firm.

 

LexBlog