Telemedicine Comes of Age: OIG is Prosecuting Telehealth Fraud

You can now tell that telemedicine is a mature industry, because it has achieved enough critical mass that the fraud has started and the OIG is beginning to prosecute.  There is a lag time between when the cash flow and profit achieve sufficient critical mass to attract the criminals, the OIG identifies the problems, and the prosecution actually begins.

I am attaching a link to an OIG news release dated February 5, 2020 indicating the OIG is now prosecuting owners of a telemedicine company allegedly involved in arranging kickbacks for referrals.

Concurrently, on March 4, 2019, the Office of the National Coordinator for Health Information Technology (ONC), which is a department of HHS, proposed a rule to implement certain provisions of the 21st Century Cures Act (Cures Act) designed to advance interoperability, support the access, exchange, and use of electronic health information, and make patients’ electronic health information (EHI) more electronically accessible through the adoption of standards and certifications for mobile digital applications (apps).  The proposed regulations are being studied by the White House.  The major app makers, i.e. Google, Apple, Microsoft, etc., the very industry giants seeking the access deals mentioned herein, believe interoperable health information apps should be as easily loaded as any other mobile app, but many regulators are concerned about the privacy and security of this data.  Attached is a link to the proposed rules.

One of the critical issues is interoperability, and whether one app developer can program restrictions into that app that would prohibit the sharing of that information through other systems.  The restriction is fairly common with other commercial apps which do not contain PHI and do not interfere with a patient’s management of their own healthcare, or the management by or sharing with other systems.  However, that commercial application is viewed as incompatible with the idea of improving health care delivery through the use of mobile apps.

Ambulance Company Pays $65,000 Settlement

On December 30, 2019, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $65,000 settlement with West Georgia Ambulance, Inc. for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules.

According to HHS, in 2013 the ambulance company reported a breach where an unencrypted laptop fell off the back bumper of an ambulance.  The company did not recover the laptop and reported that 500 individuals were affected by the breach.

An investigation showed that the company did not conduct an accurate and thorough risk analysis, did not have a HIPAA security training program, did not provide security training to its employees and failed to implement Security Rule policies or procedures.

In addition to the monetary settlement, the ambulance company agreed to enter into a Corrective Action Plan requiring a very detailed and thorough review and analysis of all of the security risks and vulnerabilities in the company, submit detailed reports, provide training and routine retraining, adopt and implement appropriate written policies and procedures and other corrective actions.

You can read the HHS Press Release and Resolution Agreement here:

If you would like guidance on how to prevent HIPAA violations from occurring, or how to handle a HIPAA violation, please contact our firm.



Tucker Arensberg Attorneys to speak at the PBI Health Law Institute in March 2020

Tucker Arensberg is pleased to be a gold sponsor of the 26th Annual Pennsylvania Bar Institute (PBI) Health Law Institute taking place from March 11–12, 2020 in Philadelphia, PA. Jerry J. Russo, Chair of the White Collar Criminal Defense Group, and Kathleen A. Nandan, a former litigator with the U.S. Attorney’s Office in the Eastern District of New York, will be presenting “Investigations and Litigation: How you respond can affect your livelihood, your bank account and your freedom.”


Telehealth Update: Connect for Health Act

A bipartisan group of senators has introduced the Creating Opportunities Now for Necessary and Effective Care Technologies (CONNECT) for Health Act of 2019.  A summary produced by that bipartisan group is attached.

If enacted, the CONNECT for Health Act solutions would be as follows:

  • Create a bridge program to help providers transition to the goals of the Medicare Access and CHIP Reauthorization Act (MACRA) and the Merit-based Incentive Payment System (MIPS) through using telehealth and RPM without most of the aforementioned Social Security Act Section 1834(m) restrictions;
  • Allow telehealth and RPM to be used by qualifying participants in alternative payment models, without most of the aforementioned 1834(m) restrictions;
  • Permit the use of remote patient monitoring for certain patients with chronic conditions;
  • Allow, as originating sites, telestroke evaluation and management sites; Native American health service facilities; and dialysis facilities for home dialysis patients in certain cases;
  • Permit further telehealth and RPM in community health centers and rural health clinics;
  • Allow telehealth and RPM to be basic benefits in Medicare Advantage, without most of the aforementioned 1834(m) restrictions; and
  • Clarify that the provision of telehealth or RPM technologies made under Medicare by a health care provider for the purpose of furnishing these services shall not be considered “remuneration.”


Hospital Groups File Lawsuit Challenging Rule That Would Require Them To Disclose Prices Given To Insurers

Click on the link to an article published in the New York Times (12/4, Abelson) reporting the American Hospital Association and other hospital groups filed a lawsuit against the Trump Administration “over a new federal rule that would require them to disclose the discounted prices they give insurers for all sorts of procedures.” The hospital groups claim the new rule “is unlawful, several times over,” because the Administration exceeded its authority by issuing the rule and that disclosing the privately negotiated prices violates their First Amendment rights.

The Hill (12/4, Coleman) reports the hospital groups requested “an expedited decision to prevent hospitals from needing to prepare for the rule if it is ultimately ruled unconstitutional.”

Reuters (12/4, Joseph) and the Wall Street Journal (12/4, Armour, Subscription Publication) also cover the story.

Trump Administration Announces Historic Price Transparency Requirements

Attached are links to the CMS Press Release and the Trump Executive Order on Improving Price and Quality Transparency in American Healthcare to Put Patients First.

The Trump Executive Order was first issued on June 21, 2019.

The CMS Press Release indicates action on two rules.

First, the “proposed” transparency and coverage rule would require health plans to:

  • Give consumers real-time, personalized access to cost-sharing information, including an estimate of their cost-sharing liability for all covered healthcare items and services.
  • Disclose on a public website their negotiated rates for in-network providers and allowed amounts paid for out-of-network providers.

CMS is finalizing a rule that requires hospitals to provide patients with “clear, accessible information about their standard charges for the items and services they provide, including through the use of standardized data elements, making it easier to shop and compare across hospitals”.  This final rule would go into effect beginning January 1, 2021.

Finally, the Washington Post article link indicates the two biggest hospital trade groups, i.e. the American Hospital Association and the Federation of American Hospitals, plan a legal challenge.

Anti-Kickback EHR and Cybersecurity Safe Harbor

As another part of the Regulatory Sprint to Coordinated Care, OIG proposed revisions to the existing EHR Anti-Kickback Safe Harbor and added a cybersecurity component.

The initial EHR Safe Harbor was developed in response to President George W. Bush’s 2004 initiative to extend EHR nationwide within 10 years, i.e. 2014.  The proponents of those EHR regulations presumably thought the task would be completed within that time frame, because the initial proposal had a 10-year sunset, i.e. 2014.  In 2014, the sunset was extended until 2021.  The math wizards among us recognize that as 17 years and counting, which suggests perhaps a marathon to coordinated care, or perhaps a Never Ending Story.

The concept allowed a health system to provide hardware, software and access to centralized EHR systems to physicians on related medical staffs without that “benefit” being considered as remuneration in exchange for referrals in violation of the Anti-Kickback statutes.  Apparently Parkinson’s Law of “work expanding to fill the available time” also applies to IT systems, as does the computer corollary that data expands to fill the available space.  These goals have obviously been complicated by the continuing expansion of coordinated healthcare, quality incentive programs, and now “value-based enterprises”.

The Safe Harbor in 42 CFR Section 1001.952(y) has been amended in two ways:

  1. The sunset provisions have been permanently deleted, presumably in recognition of the reality that this is not a “finite” task that will eventually be completed; just think how the GPS in your car has evolved to become a self-driving vehicle.
  2. The addition of cybersecurity protection by the change of the definition to state that remuneration will not include non-monetary items consisting of items and services for information technology, trading services, and cybersecurity software and devices.

There is no comparable Stark change to the EHR Safe Harbor because of the nature of the prohibitions.  Stark prohibits physicians from making referrals to financial entities; provision of EHR by a healthcare system is not a physician referral.  The potential fraud or inducement risk of providing EHR was that it could be seen as remuneration in exchange for referrals.

$1,600,000 Civil Money Penalty for HIPAA Violations by the Texas Health and Human Services Commission

On November 7, 2019, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $1,600,000 civil money penalty for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules.

According to HHS, the Texas Health and Human Services Commission (TX HHSC) “operates state supported living centers; provides mental health and substance use services; regulates child care and nursing facilities; and administers hundreds of programs for people who need assistance, including supplemental nutrition benefits and Medicaid.”  TX HHSC also includes, since September 2017, the Department of Aging and Disability Services (DADS), a state agency that administers long-term care services for the aging.

According to the HHS Notice of Proposed Determination, the HIPAA violations committed by TX HHSC included:

  • In 2015, TX HHSC reported that electronic protected health information of 6,617 individuals became viewable over the internet after a breach following a server migration and a flaw in the software code.  The information available included names, addresses, social security numbers, and treatment information.  HHS also learned that TX HHSC had “never performed an ‘agency-wide’ security risk analysis.”

TX HHSC did not submit any written evidence of mitigating factors or affirmative defenses for consideration.  TX HHSC also waived its right to a hearing.

You can read the HHS Press Release, the Notice of Proposed Determination and the Notice of Final Determination here:

If you would like guidance on how to prevent HIPAA violations from occurring, or how to handle a HIPAA violation, please contact our firm.


Regulatory Sprint to Coordinated Care: New Stark & Anti-Kickback Rules

On October 22, 2019, CMS and OIG (Office of Inspector General) released new proposed rules regarding Stark Law Exceptions and Anti-Kickback Safe Harbors in response to what has universally been christened as the “Regulatory Sprint to Coordinated Care”, first announced by HHS in June of 2018.

As background, please remember that, although the Anti-Kickback Safe Harbors and the Stark Law Exceptions are confusingly similar with respect to their intended purpose, they serve the following different functions:

  1. The Stark Act prohibits physicians from referring only the Stark “designated health services” to healthcare entities with which they have financial relationships.
  2. The Anti-Kickback statute prohibits anyone from paying, receiving, soliciting or offering any kind of remuneration in exchange for the referral of any Medicare or governmental health covered service.


The regulators have provided “Stark Law Exceptions” and “Anti-Kickback Safe Harbors” which are remarkably similar but apply in the different context described above.

In general, the new Safe Harbors and Exceptions cover three major areas:


  1. Coordinated Care and Value-Based Enterprises.
  2. Extension of the EHR Safe Harbor sunset.
  3. Revising the definition of fair market value that applies to both the Stark Law Exceptions and the Anti-Kickback Safe Harbors (AKS).


This article is intended to cover the “new kid on the block”, i.e. the value-based enterprises.  The new definitions for the Stark Act and the AKS are each attached as Exhibit A and Exhibit B respectively.  A value-based enterprise is essentially defined as two or more VBE participants collaborating to achieve at least one value-based purpose as parties to a value-based arrangement, which arrangement has an accountable body or person responsible for management and a governing document describing its purpose.  That is a rather circular definition, and the specific definitions for both the Anti-Kickback Safe Harbor and the Stark Exceptions are attached.

In order to provide a sense of the vagueness of the intended scope of these arrangements, I have inserted the two following quotes from the regulatory announcements:

Evolution of Healthcare Landscape

“The health care landscape when the physician self-referral law was enacted bears little resemblance to the landscape of today.  As some CMS RFI commenters highlighted, the physician self-referral law was enacted at a time when the goals of the various components of the health care system were not merely unaligned but often in conflict, with each component competing for a bigger share of the health care dollar without regard to the inefficiencies that resulted for the system as a whole–in other words, a volume–based system.  According to several commenters, the current physician self-referral regulations–intended to combat overutilization in a volume-based world–are outmoded because, by their nature, integrated care models protect against overutilization by aligning clinical and economic performance as the benchmarks for value.  And, in general, the greater the economic risk that providers assume, the greater the economic disincentive to overutilize services.  According to more than one of these commenters, the current prohibitions are even antithetical to the stated goals of policy makers both in the Congress and within HHS for health care delivery and payment reform.  Although we agree in concept, we continue to operate substantially in a volume-based payment system.  Thus, we must proceed with caution, even as we propose the significant changes outlined in this proposed rule.”

The government regulators are late to the game in recognizing the ambiguity and the absence of reality regarding the existing regulations.  The regulatory philosophy has long been to make everything illegal and then work their way backwards granting Exceptions and Safe Harbors, precisely because actually “describing” an acceptable arrangement is extremely difficult, especially when the violation could be based upon the intent of the individuals.  That lack of clarity has always created a great deal of potential risk for participants.

VBE Description

“We intend the definition of “value-based enterprise” to include only organized groups of health care providers, suppliers, and other components of the health care system collaborating to achieve the goals of a value-based health care system.  An “enterprise” may be a distinct legal entity–such as an ACO–with a formal governing body, operating agreement or bylaws, and the ability to receive payment on behalf of its affiliated health care providers.  An “enterprise” may also consist only of the two parties to a value-based arrangement with the written documentation recording the arrangement serving as the required governing document that describes the enterprise and how the parties intend to achieve its value-based purpose(s).  Whatever its size and structure, a value-based enterprise is essentially a network of participants (such as clinicians, providers, and suppliers) that have agreed to collaborate with regard to a target patient population to put the patient at the center of care through care coordination, increase efficiencies in the delivery of care, and improve outcomes for patients.  We have proposed our definition of “value-based enterprise” in terms of the functions of the enterprise as it is not our intention to dictate or limit the appropriate legal structure for qualifying as a value-based enterprise.”

Should be accountable care organizations for the first attempt to provide exceptions for organized healthcare enterprises.  Accountable health care organizations were created by the Accountable Care Act of 2010.  A standing joke for legal presenters discussing ACOs was to ask the audience what an ACO was called before it was called an ACO.  The answer is:  a felony!

These ideas are new and the general intent is to protect legitimate value-based enterprises from the Anti-Kickback or the self-referral prohibitions.  However, at this stage, they are obviously quite vague.  This calls to mind Justice Potter Stewart’s quote regarding pornography:

“I shall not today attempt further to define the kinds of material I understand to be embraced within that shorthand description, and perhaps I could never succeed in intelligibly doing so.  But I know when I see it . . .”.  Jacobellis v. Ohio (U.S. Supreme Ct. 1964).

Since these proposed regulations are brand new, fairly short in the way of explanation, fairly broad in the terms of coverage and without any actual examples of what does and doesn’t work, you should be very cautious when you first participate in any VBE design to take advantage of these situations.