FTC To Rule on Banning Non-Compete Agreements

The Federal Trade Commission has announced that it will be holding a Special Open Commission Meeting on Tuesday, April 23, 2024, at 2pm EST regarding the rule to ban non-compete agreements (read the announcement here). The expectation for this meeting is that the FTC will disclose the proposed final rule followed by remarks by the FTC chair and will conclude with a Commission vote on the proposed final rule.

This Open Commission Meeting follows the proposed rule in January 2023 (available here) that proposed banning most employers from imposing non-compete agreements on their employees. This proposed rule was subject to a 90-day public comment period, during which the FTC received over 26,000 comments.

The Open Commission Meeting is open to the public and will be available via webcast here.

PA House Passes Physician Non-Compete Limitations

The Allegheny County Medical Society has reported that the Pennsylvania House of Representatives has passed a bill to bar non-compete agreements in healthcare employment.  Click here for a copy of the Press Release, and a copy of the legislation.  There are limitations:

  • The bill is effective immediately for new restrictive covenants only after current license renewal
  • It allows undefined liquidated damages
  • It provides exemption for counties with populations of less than 50,000

It now goes to the Pennsylvania Senate.

HIPAA Fundamentals for Providers

In March of this year, the Office for Civil Rights of the Department of Health and Human Services issued a letter addressing the recent cybersecurity incident impacting many health care entities, primarily Change Healthcare, a unit of UnitedHealthcare Group (read the letter here). This incident was a great reminder of the constant vigilance required to protect patient health information in the age of remote healthcare, telehealth, and electronic health records.

In the wake of these recent cybersecurity events, safeguarding patient information has become paramount, prompting heightened scrutiny of HIPAA compliance. HIPAA, or the Health Insurance Portability & Accountability Act, provides for a series of rules relating to the protection of protected health information, or PHI. These rules apply to all covered entities and their business associates. As any provider knows, HIPAA compliance can become complicated and confusing. This article provides a high-level overview of three major components covered by HIPAA: the Privacy Rule, the Security Rule, and the Breach Notification Rule.

Privacy Rule

The Privacy Rule covers the process of protecting PHI while allowing for the secure transfer of PHI in the coordination of a patient’s care. PHI is any information that can be used to identify a patient, which can be electronic, paper, or verbal, and includes (1) common identifiers, such as name, address, birth date, social security number, etc., (2) a patient’s physical or mental health condition, whether past, present, or future, (3) the health care provided to the patient, and (4) payment information for a patient’s health care, whether past, present, or future.

Under the Privacy Rule, covered entities are required to (i) notify patients about their privacy rights and how their information will be used, (ii) adopt privacy procedures and train employees on such procedures, (iii) assign a security officer to ensure proper adoption and compliance with the privacy procedures, and (iv) secure patient records containing PHI so they do not become available to those who do not have a need to see them. The Privacy Rule also provides that patients are allowed access to examine and get a copy of their medical records and to request corrections to their medical records.

In order to facilitate patient care, covered entities may share information with doctors, hospitals, and ambulances for treatment, payment, and health care operations, even without a signed consent from the patient. If a provider feels as if she is acting in the patient’s best interest, the provider may share information about a patient, so long as proper safeguards against breach are taken. Unless a patient objects, the Privacy Rule allows for PHI to be given to family, friends, or anyone else the patient identifies as being involved in their care.

Security Rule

The Security Rule covers the requirements for how you are to protect PHI, including a patient’s electronic PHI, or ePHI. Under the Security Rule, a covered entity must (1) develop reasonable and appropriate security policies, (2) ensure the confidentiality, integrity, and availability of all ePHI, both while maintaining and transmitting such ePHI, (3) identify and protect against any possible security threats to ePHI, (4) prevent unauthorized uses or disclosures, (5) analyze security risks that may be present in the physical and cyber environments and create appropriate safeguards against such risks, (6) continually review and modify security measures to ensure continuous protection of ePHI, and (7) train all employees on appropriate handling of PHI for HIPAA compliance.

When a covered entity is developing its HIPAA compliance safety measures, it should take into consideration its size, complexity, and capabilities, its technical, hardware, and software infrastructure, and the costs of its security measures, all while balancing the likelihood and possible impact of risks to ePHI.  

Breach Notification Rule

The Breach Notification Rule outlines the requirements for notifying patients and the Department of Health and Human Services in the event that there is a breach. In some instances, depending on the size and scale of the breach, there may even be a requirement to notify the media. A breach is generally defined as an unpermitted use or disclosure under the Privacy Rule that compromises the security or privacy of PHI. Whether or not a disclosure or unpermitted use has occurred can be determined by a risk assessment that evaluates (1) the nature and extent of PHI involved, (2) the unauthorized individual who used or gained access to the PHI, (3) whether an unauthorized individual actually acquired or viewed the PHI, and (4) the extent to which the covered entity or business associate reduced the PHI exposure risk.

If a breach affects the PHI of more than 500 patients, the covered entity must notify the Department of Health and Human Services without unreasonable delay but no later than 60 days after discovery of the breach. In smaller breaches affecting 500 patients or fewer, the Department of Health and Human Services must be notified on an annual basis.

Conclusion

This high-level overview of three major HIPAA components is just the tip of the iceberg, and each rule referenced could even have several articles diving into its complexity and nuance. If you have a question about properly safeguarding PHI, what to do in the event of a breach, or just have a general HIPAA compliance question, engaging legal counsel can be a valuable resource. For more information, contact Adam Appleberry at aappleberry@tuckerlaw.com or (412) 594-5532.

U.S. Department of Justice (DOJ) Provides Corporate Fraud Enforcement Update

During the American Bar Association’s 39th National Institute on White Collar Crime, the most senior executives of the DOJ (Attorney General Merrick B. Garland and Deputy Attorney General Lisa Monaco) delivered remarks promoting the success of DOJ compliance and enforcement by:

  • Emphasizing that the DOJ’s top priority is the prosecution of “corner office bad actors”
  • Publicizing the success of the voluntary disclosure program
  • Emphasizing the important role of compensation clawbacks by audit/compliance and executive compensation committees with respect to receiving comparable credit against potential fines and restitution
  • Continuing to emphasize and promote the opportunity for credit for cooperation during investigations and whistleblower cooperation, and announcing that the DOJ is initiating a new corporate fraud/misconduct whistleblower program focused on compliance opportunities not already impacted by existing whistleblower and qui tam programs.

Here are links to the remarks of Attorney General Garland and Deputy Attorney General Monaco.

Change Healthcare Cyberattack Disrupts Physician Payments

“On February 21, 2024, Change Healthcare, a subsidiary of UnitedHealth Group was the victim of the most significant cyberattack on the US healthcare system in American history.  Change Healthcare is the predominant source of more than 100 critical functions that keep the healthcare system operating.”

American Hospital Association Letter March 4, 2024

This hack was first reported by the Wall Street Journal on February 23, 2024, in an article entitled “Hospitals and Pharmacies Reeling After Change Healthcare Attack”. 

The Wall Street Journal further reported on March 1, 2024 in an article titled “Medical Providers Fight to Survive After Change Healthcare Attack” that medical practices have gone without revenue for well over a week as a result of the ransom or attack on Change Healthcare.

On March 7, 2024, the Wall Street Journal reported that “UnitedHealth Aims to Restore Change Healthcare Systems Within Two Weeks”. 

Penn State Health Agrees To Pay Over $11 Million Due To Violations Of Medicare Rules & Regulations

Penn State Health has agreed to pay $11,712,336 to settle allegations of civil liability from submitting improper claims to Medicare for Annual Wellness Visit services.

DOJ Press Release Link

Penn State Health has voluntarily disclosed that between December 2015 and November 2022 claims were submitted to Medicare for Annual Wellness Visit services that were not supported by the medical record. Once the improper claims were discovered, Penn State Health promptly took corrective action and disclosed the matter to the United States Attorney’s Office.

False Claims Act (FCA) Liability for Physician Compensation Exceeding Fair Market Value (FMV)

When negotiating physician compensation issues, hospitals frequently rely upon the premise they must pay fair market value compensation in order to comply with the provisions of the Stark Act prohibiting referrals in exchange for compensation, and sometimes non-profit inurement issues.

Although the prohibitions are clear, determining what constitutes fair market value is often not.  Provisions allegedly enforcing fair market value by limiting compensation to the 75th percentile of some national study are clearly inapplicable; obviously, somebody is legitimately being paid in the top quartile. 

The issue is often not the amount of the compensation, but how it is determined.

The recent settlement by Indiana Health Network with DOJ, announced by DOJ in a Press Release on December 19, 2023, identifies some clear problems, or at least warning signs:

  • A compensation system where bonuses were linked to referrals rather than productivity
  • Compensation that was allegedly double what was being earned by the physician in private practice prior to the recruitment
  • Allegedly falsifying or manipulating the data used by a consultant to determine fair market value

A lesson learned from this case is not new. Intentional disregard and even manipulation of the process can lead to significant liability; in this case, $345 million.

2024 Medicare Physician Fee Schedule

CMS issued the Final Rule for the 2024 Medicare Physician Fee Schedule (PFS) on November 2, 2023, for payments to be effective on or after January 1, 2024.

Fee Schedule Link

The overall payment rates under the PFS will be reduced by 1.25% in calendar year 2024.

The final PFS conversion factor will be $32.74, which is a decrease of $1.15 (or 3.4%) from the 2023 conversion factor of $33.89.
