Federal Government Delays Hospital Transparency Regarding Commercial Rates

The federal government/Trump administration announced today a delay regarding a proposed rule requiring hospitals to disclose actual negotiated price rates.  See WSJ News.

In January, 2019, as reported in the MedLaw Blog on January 10, 2019, CMS added a rule requiring hospitals to publish their standard charges beginning January 2019.

As noted in that blog post, requiring the “charge master disclosure” does not provide much in the way of transparency since so few commercial payors actually pay that rate.

 

 

$2,154,000 Civil Money Penalty for Numerous HIPAA Violations by Jackson Health System

On October 23, 2019, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $2,154,000 civil money penalty for numerous violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules between 2013 and 2016.

According to HHS, Jackson Health System (“JHS”) is a medical system based in Florida and provides health care to 650,000 patients on average each year.

According to the HHS Notice of Proposed Determination, the HIPAA violations committed by JHS included:

  • In 2013, JHS lost paper records for 1,471 patients.
  • In 2015, there were media reports disclosing the protected health information (“PHI”) of a well-known NFL player who was a patient.  An ESPN reporter had shared a photograph of an electronic display board in a JHS operating room and paper schedule, both of which contained the PHI of the patient.
  • In 2016, JHS reported that one of its employees had been selling patient information since 2011, and that employee had inappropriately accessed 24,188 patient records.
  • JHS failed to provide timely and accurate breach notifications or conduct the appropriate steps to identify and remediate potential risks for additional violations.

JHS waived its right to a hearing and did not contest the findings.  It has paid the $2,154,000 civil monetary penalty.

You can read the HHS Press Release, the Notice of Proposed Determination and the Notice of Final Determination here: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/jackson/index.html

If your office would like guidance on how it can prevent HIPAA violations from occurring, or how to handle a HIPAA violation, please contact our firm.

Danielle Dietrich is a healthcare and litigation attorney in Tucker Arensberg’s Long Term Care Practice Group. She is licensed to practice law in Pennsylvania, Ohio and West Virginia.  Danielle can be reached via email: ddietrich@tuckerlaw.com, telephone: 412-594-5605 or on Twitter at @DLDietrich.

Regulatory Sprint to Coordinated Care: CMS/AKS and OIG Stark Proposed Amendments

HHS has long admitted that the Anti-Kickback Statute (AKS) and the Stark law have not evolved to keep pace with the transition to value based care.  In June of 2018, HHS issued an RFI seeking additional information and HHS also issued a release on December 12, 2018 seeking input on improving care coordination and reducing the regulatory burdens of the HIPAA rules.

I would suggest that almost everybody else came to that conclusion much earlier than last year.

On October 9, 2019 HHS and OIG released their proposals as part of this “Regulatory Sprint to Coordinated Care”.  Note that OIG is issuing new Safe Harbors applicable to the AKS rules and CMS is issuing proposed changes to the definitions in the Stark Law.

  • AKS prohibits the solicitation or payment of remuneration by anybody for any government health care program.
  • CMS only prohibits physicians from referring Designated Health Services (DHS) to provider entities with which they have financial relationships and, although it is more restricted in scope, it is nevertheless broad enough to impact global health care delivery.

OIG has issued Safe Harbors in the following areas:

  • Care coordination and improved quality, health, and efficiency.
  • Value-based arrangements with substantial downside financial risk covering certain in-kind and monetary arrangements where a value-based enterprise (VBE) accepts substantial downside risk from third party payors.
  • Value-based arrangements with full financial risk.
  • Patient engagement and support arrangements.
  • CMS sponsored model arrangements and model patient incentive.
  • Donations of cybersecurity technology services, accompanied by modifications to the existing EHR Safe Harbor.

CMS is proposing to change definitions with respect to fair market value, as follows:

  • CMS is proposing alternative definitions for the term “commercially reasonable” so that it could apply either to arrangements that further legitimate business purposes or to arrangements that make commercial sense similar to other existing arrangements.
  • CMS is proposing three definitions of fair market value (FMV) applying to equipment rentals, office space, and FMV in general.
  • CMS is proposing to revise the volume or value based standard so that it will apply only when the formula used to calculate the remuneration actually includes referrals and other business generated.

Following are links to:

  • HHS Press Release

https://www.cms.gov/newsroom/fact-sheets/modernizing-and-clarifying-physician-self-referral-regulations-proposed-rule

  • OIG Safe Harbors

https://www.govinfo.gov/content/pkg/FR-2019-10-17/pdf/2019-22027.pdf

  • CMS Proposed Stark Law Amendments

https://www.govinfo.gov/content/pkg/FR-2019-10-17/pdf/2019-22028.pdf

All of these documents comprise hundreds of pages, 650 to be exact, and I will attempt to isolate individual proposals for discussion through the end of the year.

Pennsylvania Commonwealth Court Again Declines to Extend Consent Decree

The Pennsylvania Commonwealth Court, on remand from the Pennsylvania Supreme Court, has again decided that the previously agreed termination date of the access provisions contained in the UPMC/Highmark Consent Decrees, i.e. June 30, 2019, is not a term subject to the modification provisions of those Consent Decrees, and is definite.  The adjudication of the Commonwealth Court, attached hereto, discusses the history of the negotiation of the terms, especially the termination date, and confirms the Consent Decrees will expire on June 30, 2019.

For additional information contact Mike Cassidy.

$3,000,000 Settlement for HIPAA Breach by Diagnostic Medical Imaging Company

Today the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $3,000,000 settlement for a disclosure of patient protected health information (“PHI”) via its FTP server.

In 2014, HHS received an email tip that the social security numbers of Touchstone Medical Imaging (“Touchstone”) patients were accessible online via an insecure file transfer protocol (“FTP”) web server.  HHS confirmed that this information was accessible via a simple Google search.

Both the FBI and HHS notified Touchstone of the breach, which included the name, date of birth, phone number, and address and in some cases social security number of over 300,000 individuals.  Touchstone failed to investigate the issue until several months later.

HHS found that:

1) Touchstone impermissibly disclosed the PHI of over 300,000 individuals through its insecure FTP server.

2) Touchstone failed to have technical policies and procedures to restrict who could access the information through the server.

3) Touchstone failed to have a written business associate agreement with a business associate.

4) Touchstone continued to engage another business associate without having a business associate agreement in place.

5) Touchstone failed to thoroughly and accurately assess potential risks and vulnerabilities of electronic PHI that it held.

6) Touchstone waited well over four months to respond to the incident.

7) Touchstone failed to notify affected individuals of the breach until 147 days after it was notified of the breach.

8) Touchstone failed to notify media outlets of the breach until 147 days after it was notified of the breach.

To settle the matter, Touchstone has agreed to pay HHS $3,000,000 and enter into a Corrective Action Plan.

You can read the HHS Press Release and the Resolution Agreement here: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/tmi/index.html

If your office would like guidance on how it can prevent HIPAA violations from occurring, please contact our firm.

Danielle Dietrich is a healthcare and litigation attorney in Tucker Arensberg’s Long Term Care Practice Group. She is licensed to practice law in Pennsylvania, Ohio and West Virginia.  Danielle can be reached via email: ddietrich@tuckerlaw.com, telephone: 412-594-5605 or on Twitter at @DLDietrich.

Mike Cassidy Named a Fellow of the American Health Lawyers Association

Tucker Arensberg, P.C. is pleased to announce that Michael A. Cassidy has been honored as one of only seven healthcare lawyers in the nation to be selected in 2019 as a Fellow of the American Health Lawyers Association (“AHLA”). Only a fraction of 1% of AHLA’s nearly 14,000 members are selected for fellowship annually. This honor recognizes the career long achievements, the contributions and tenure with AHLA, and their continuing service and leadership in the legal profession. Fellows include past AHLA presidents, former members of the Board of Directors, former members of practice group and program planning committees, and others who have been very active within the association.

Mike is Chair of the Business and Finance Department and focuses his practice on compliance, credentialing and peer review, reimbursement, contracts, HIT, HIPAA and telehealth issues for physicians. Mike is also the publisher of the Med Law Blog https://www.medlawblog.com, the firm’s health law blog, and has been certified in Healthcare Compliance (CHC) by the Health Care Compliance Association (HCCA).

Mike received his Juris Doctor from the University of Pittsburgh School of law and his undergraduate degree from Brown University.

CMS Expands Medicare Advantage Telehealth Coverage

On April 4, 2019, CMS issued the final Medicare Advantage Rule for calendar year 2020, announcing it will allow Medicare Advantage carriers to significantly increase the range of telehealth services beyond traditional Medicare Part B covered services, stipulating only that, if a service is to be covered as a telehealth service, it must also be covered as an in-person service.

Attached are:
