2022 Budget Bill Includes Mandatory Healthcare Cyber Incident Reporting

The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), was passed as part of the consolidated Budget Act for 2022, which also included the telehealth provisions I posted about last week.

The definition of “covered entity” in the Act is far greater than covered entity as defined by HIPAA.  Covered entity as per CIRCIA includes all of the entities identified by presidential policy directives as “designated critical infrastructure sector” entities.

However, the recent Medicare Compliance Reporter indicates that this will require hospitals to report cyber breaches in 72 hours and ransom payments within 24 hours to DHS.

The legislation gives the Cybersecurity and Infrastructure Security Agency (CISA) at DHS 24 months to propose implementing regulations, which then must be finalized 18 months thereafter, so we are looking at a window of approximately 3 and a half years at this point.

HHS Requesting Physician COVID Relief Payback of $100 Million

HHS sent notices to noncompliant physicians and facilities on March 10, 2022 giving them 30 days to return funds paid to healthcare providers who have not complied with the agency’s reporting requirements.  Attach is the PDF from HRSA (Health Resources and Services Administration), which is the agency responsible for dispensing and collecting the grant money.



Congress Extends Telehealth Coverage

The President and Congress extended Medicare telehealth coverage in the Consolidated Appropriations Act, which also included additional Ukrainian relief.

On Tuesday, March 15, 2022, President Biden signed the Consolidated Appropriations Act, 2022 (“2022 CAA”).  This new law includes several provisions that extend the Medicare telehealth waivers and flexibilities, implemented as a result of COVID-19 to facilitate access to care, for an additional 151 days after the end of the Public Health Emergency (“PHE”).

The 2022 CAA extension includes the basic PHE telehealth measures originally authorized in the Medicare pandemic response.

  • Geographic Restrictions and Originating Sites: Medicare beneficiaries can continue to receive telehealth services from anywhere in the country, including their home.  Medicare is permitting telehealth services to be provided to patients at any site within the United States, not just qualifying zip codes or locations (e.g. physician offices/facilities).
  • Eligible Practitioners: In addition to “physicians” as defined by Medicare, occupational therapists, physical therapists, speech-language pathologists, and qualified audiologists may continue to furnish and be paid for telehealth services as eligible distant site practitioners.
  • Mental Health: In-person requirements for certain mental health services will continue to be waived through the 151-day extension period.
  • Audio-Only Telehealth Services: Medicare will continue to provide coverage and payment for most telehealth services furnished using audio-only technology.  This includes professional consultations, office visits, and office psychiatry services (identified as of July 1, 20222 by HCPCS Codes 99241-99275, 99201-99215, 90804-90809 and 90862) and any other services added to the telehealth list by the CMS Secretary for which CMS has not expressly required the use of real-time, interactive audio-visual equipment during the PHE.

Highmark Fraud Waste and Abuse Results

Highmark Health issued a Press Release on February 7, 2022 announcing that it’s Financial Investigations and Provider Review (FIPR) department generated more than $245 million in savings related to fraud waste and abuse in 2021, the majority of which was in Pennsylvania–$184 million.

Click here to see to what the Highmark FIPR Department has identified as the “Red Flags of Fraud”.

2022 Medicare Rules for Facility-Based Split/Shared Visits

There has been much discussion and controversy over the new CMS position on billing for split/shared services in facility settings.

As originally proposed, and starting in January 2022, if the service was shared among providers (such as physicians and physician assistants), the provider who performed the substantive portion of the visit would be the provider in whose name the service should be billed.

This has been a particular hot point in groups, such as hospital employed groups, where a significant portion of the services have traditionally been performed by physician assistants but billed in the name of the physician because the physician was still present for some portion of those services.  Note this type of situation is not amenable to incident to billing because incident to billing is not available for facility visits.

As a result of significant comment and controversy, there is a transition exception available for calendar year 2022 only.  That exception allows the service to be billed in the name of the provider who performs a key component of the visit (history, exam or medical decision making), but the billing provider must fully document that service.

In addition, the facility that is doing the billing must agree to follow that protocol, because there are still two other key components and there could be a dispute about that as well.

For physicians compensated on a productivity basis, these WRVUs may be important and this 2022 transitional role should be carefully understood.

2022 Federal Compliance Enforcement Outlook

There is almost universal agreement regarding predictions for 2022 federal enforcement in the following areas:

  1. The use of fraudulently obtained COVID relief funds in both healthcare and in general, but specifically as a foundation for False Claims Act enforcement.
  1. Furthermore, the reinstatement of the Yates memo of 2015 by the Deputy Attorney General Lisa Monaco’s Memo in October 2021 returns to the policy of individual liability for corporate misconduct.

There is general consensus regarding the resurgence of target, probe and educate (TPE) audits.  I have attached a link from the CMS website which provides an outline of the process and a humorous but misleading YouTube video regarding the alleged simplicity and intended fairness of the process.

We also expect significant audit activity around the new shared service billing rules for Evaluation and Management (E&M) visits which provide, the visit should be billed by the physician or physician assistant who provided the substantive portion of the visit, i.e. which is defined as more than half of the total time spent, and that both practitioners must be in the same group.  This may not be problematic if the visits are conducted separately and it’s accepted that the PA will be doing the billing.  However, when the visits are conducted jointly, so that the physician and the PA are both present, the physician should have an understanding of how the billing will be done, especially in a large group or system arrangement when the physician is relaying upon WRVU productivity.

“Stark” Rules: Navigating Physician Leases and Subleases

Under the Federal Ethics in Patient Referrals Act (more commonly known as “Stark”), if a physician[1] has a financial relationship with an entity, the physician may not refer patients to the entity for medical services payable by Medicare unless the financial relationship complies with the Stark safe harbors.  Thus, entities that lease or sublease space or equipment to or from physicians must ensure the terms of those agreements comply with Stark if they are planning to bill Medicare for services rendered or referred by the physicians.

For these agreements to comply with Stark, all the following must be satisfied:

1.  The agreement must be in writing, signed by the parties, and specify the premises or equipment involved.  Beware of situations in which the lease generalizes the space or equipment utilized or the parties continue to use the space or equipment after the written lease has terminated.[2]

2.  The term of the agreement must be at least one year[3], and compensation terms may not be amended during the first year. The parties may terminate the agreement within the first year of the arrangement, but if they do, the parties may not enter into a new agreement until after the first year expires.

3.  The space or equipment must not exceed that which is reasonable for legitimate business purposes.

4.  The space or equipment must be used exclusively by the lessee during the time the space or equipment is leased, except that the lessee may make payments, representing lessee’s pro rata share of expenses, for the use of common areas.

5.  The rental charges over the term of the agreement must be set in advance and consistent with fair market value and they must not be determined in a manner that considers the volume or value of any referrals or other business generated between the parties.

6.  The agreement must be commercially reasonable for each party, even if no referrals were made between them.

Stark is a strict liability statute, meaning that a person is held liable if they violate it, even if that person did not intentionally violate it.  Entities which bill Medicare for services improperly referred must repay amounts improperly received.  Failure to do so within 60 days may result in additional penalties of $15,000 per claim as well as potential False Claims Act liability.  For these reasons, it is critical that physician arrangements be structured to comply with Stark and to fit within the above-listed safe harbors.

In addition to Stark, entities must ensure that their space and equipment arrangements comply with other relevant laws, including the federal Anti-Kickback Statute and any applicable state laws. The Anti-Kickback Statute generally prohibits offering, paying, soliciting, or receiving compensation to induce or reward referrals for items or services payable by government programs, such as Medicare and Medicaid. The federal Anti-Kickback Statute is violated if even one purpose of the transaction is to induce prohibited referrals unless the arrangement is structured to fit within a regulatory safe harbor.  However, unlike Stark, the Anti-Kickback Statute is a criminal statute and requires intent.  Although the Anti-Kickback safe harbor for space and equipment rentals requirements vary to some extent from those in Stark, entities are likely to be in compliance with the Anti-Kickback Statute if they structure their arrangements to comply with Stark.

As you can see, entities and physicians alike must diligently review their leases and subleases to ensure compliance with the applicable laws.  Please contact Ashley S. Wagner, Esq. at 412-594-5550 or awagner@tuckerlaw.com if you have questions.

[1] Stark also applies to a member of the physician’s family.

[2] A holdover month-to-month rental is permitted for up to six months immediately following the expiration of an agreement that otherwise complied with Stark requirements, provided that the holdover rental is on the same terms and conditions as the immediately preceding agreement

[3] The agreement may provide for renewal terms, but the adjusted base rent during any renewal term should be based upon a new appraisal at the time of each renewal.

CMS Policy Summary: 2022 Medicare Physician Fee Schedule, Telehealth Originating Site Facility Fee and Services List, and Physician Assistant Billing

In MLN Matters article MM 12159, CMS has published summaries of the following:

  • Updates to payment policies and Medicare payment rates for services provided by physicians and non-physician practitioners (NPP)
  • Updates to Medicare telehealth services and telehealth originating site facility fee payment amounts
  • Billing for a physician assistant (PA) services