2016 Was a Busy Year: Developments in Nursing Facility Arbitration Law

Nursing home arbitration agreements get a bad rap. But as most practitioners in the field know, nursing facility arbitration agreements seem here to stay, at least (possibly) until recently.  Arbitration is thought by many to offer significant flexibility and efficiency vis-à-vis litigation, and proponents in the skilled nursing industry cite arbitration as an important tool to reduce litigation costs – including, of course, the costs associated with “runaway jury” punitive and noneconomic damages verdicts, which can be crippling to industry participants.

The enforceability of nursing facility arbitration agreements has long been a hotly contested issue.  It probably is fair to say that, in general, courts broadly view these agreements as enforceable in a vacuum, but they will approach any particular instance with a healthy degree of skepticism.  Occasionally, state courts have tried to go one step further than analyzing and rejecting nursing facility arbitration agreements on an ad hoc basis and have announced a per se rule against enforceability of such agreements.  That typically does not end well for those courts.

The relatively recent Marmet decision is a good example of this latter scenario.  There, the West Virginia Supreme Court issued a decision in a consolidated group of cases holding that pre-dispute nursing facility arbitration agreements were void as against public policy under state law  The decision was appealed to the U.S. Supreme Court, which granted certiorari and promptly slapped down the state court.  In a (relatively) scathing per curiam opinion, the Court emphasized:  “As this Court reaffirmed last Term, ‘[w]hen state law prohibits outright the arbitration of a particular type of claim, the analysis is straightforward:  The conflicting rule is displaced by the FAA.’  … That rule resolves these cases.  Since that decision, state courts seem to be somewhat more receptive to honoring and enforcing nursing facility arbitration agreements.

In 2016, however, federal regulators attempted to throw a curveball to the skilled nursing industry.  On September 28, 2016, the Centers for Medicare and Medicaid Systems (“CMS”) announced a new rule ostensibly intended “to make major changes to improve the care and safety of the nearly 1.5 million residents in the more than 15,000 long-term care facilities that participate in the Medicare and Medicaid programs.”  As part of this new rule, which would go into effect on November 28, 2016, CMS banned the use of pre-dispute arbitration agreements by nursing homes on a going-forward basis.  It noted that the rule did not apply to existing arbitration agreements (thus avoiding running afoul of the Federal Arbitration Act), and it specifically allowed nursing facilities and plaintiff-residents to agree to arbitrate after a dispute has arisen.  But the sort of prospective arbitration agreement that is presented to residents and potential residents at the time of admission would be prohibited from now on.  Although the rule technically only applied to nursing homes that accepted Medicare and Medicaid funds, as a practical matter, that included virtually all such facilities.

Needless to say, this was a controversial measure.  And the industry did not take it lying down.  On October 17, 2016, a group of trade organizations and nursing facility operators filed a lawsuit in the U.S. District Court for the Northern District of Mississippi challenged the pre-dispute arbitration rule.  On November 7, 2016, the court ultimately agreed with the challengers and entered an order preliminarily enjoining it.  It held in relevant part that a federal agency regulation effectively banning a certain type of arbitration agreement, even on a prospective-only basis, would be flatly inconsistent with the overarching pro-arbitration policy and purpose embodied by the FAA.  On December 9, 2016, CMS capitulated and sent a memorandum to Medicaid state survey administrators announcing that the rule should not be enforced unless and until the litigation was resolved and the injunction was lifted.  Especially in light of the change in administrations, the ultimate status of the pre-dispute arbitration rule is uncertain at best, and it is currently not being enforced.

So where does that leave nursing facility arbitration agreements?  Are facilities free to include them in admissions packets without fear that they will be unenforceable?  The answer to those questions necessarily is a qualified one.  Pre-dispute nursing home arbitration agreements still are not unenforceable per se, but at the same time, they will be looked upon with varying degrees of skepticism by courts.  As noted above, many post-Marmet state courts seem to have gotten the message that animus towards nursing home arbitration agreements will not be tolerated by the federal judiciary.  But “many” does not mean “all” (or even, necessarily, “most”), and there are still a number of states and jurisdictions in which courts appear likely to continue to go out of their way to find reasons as to why any particular arbitration agreement should not be enforced.

As such, it is crucial that any nursing facility or operator of facilities that wants to institute (or continue to use) an arbitration program go to great lengths to dot every “i” and cross every “t” when offering residents the opportunity to enter into an arbitration agreement.  This includes proactively reviewing the form arbitration agreement currently in use to ensure it complies with state contract law requirements, and training admissions staff so that the avoid typical pitfalls when presenting arbitration agreements to residents or prospective residents to sign (e.g., making sure that the resident has capacity to sign or that there is sufficient documentation for a representative to sign on behalf of that individual, making sure that the agreement is properly witnessed and countersigned, etc.).

Litigation over the arbitrability of a nursing facility dispute can itself be so costly and time-consuming that it removes many of the efficiencies and related advantages of arbitration. As is usually the case, it is best to try to address that potential issue on the front end of things.

 

Behavioral Health System to Pay $860,000 for Anti-Kickback Statute Violations

Under a civil settlement with the Department of Justice, El Paso Behavioral Healthcare, formerly University Behavioral Health of El Paso, LLC (“UBH”), has been ordered to pay over three-quarters of a million dollars to resolve allegations that it made improper payments to a doctor in exchange for patient referrals, and submitted false claims to Medicare.

The allegations focused on the Medicare claims of several patients from a physician whose office received payments above fair market value, or payments for services that were not rendered pursuant to a physician services agreement which also provided for the improper referral of the physician’s patients to UBH for Medicare-reimbursed services.

Federal law, including the Anti-Kickback Act and the Stark Law, seeks to ensure that services reimbursable by federal healthcare programs are paid at fair market value and based on the best interests of patients rather than the personal financial interests of referring physicians.

Periodic review of physician agreements should be a key component of any effective compliance program. In addition to the potential criminal sanctions that may be imposed for anti-kickback violations, Medicare claims arising from such improper financial relationships may result in substantial additional false claims liability. Healthcare facilities which discover Medicare overpayments through an effective compliance program can limit their liability through self-reporting.  Read more here.

CMS Publishes Final Rule: Sweeping Changes to Home Health Agency CoPs

On January 13, 2017, CMS published its final rule revising the conditions of participation (CoPs) that home health agencies (HHAs) must meet to participate in Medicare and Medicaid programs. The final rule implements the proposed rules published in the Federal Register October 9, 2014 (79 FR 61164), and becomes effective July 13 2017.

Among its many changes, the final rule redefines terms and establishes new standards for the content of comprehensive patient assessments, care planning, coordination of services, quality of care, quality of assessments and performance improvement (QAPI), skilled professional services, home health aid services, and clinical record keeping. The rule also makes changes to personnel requirements including limiting who can be an HHA administrator. To review the final rule in its entirety, click here.

The Joint Commission Issues Clarification on Texting of Patient Care Orders

“The use of secure text orders is not permitted at this time.”

In 2011 the technology to provide for the safety and security of text messaging was not available, and at that time The Joint Commission (“TJC”) said it was not acceptable for practitioners to text orders for patient care and treatment.  Then in May of 2016, TJC acknowledged all of the technology and data privacy and security issues it had in 2011 had been addressed. As published in The Joint Commission Perspectives, TJC revised its position and said physicians could text message when done in accordance with standards of practice, laws and regulations, and policies and practices “as long as the system met specific requirements .”

Since then, however, TJC got together with CMS and recently issued updated recommendations that include the following:

  • Providers should have policies prohibiting the use of unsecured text messaging of PHI.
  • CPOE (computerized provider order entry) should be the preferred method for submitting orders, which are directly entered into the electronic health record.
  • If a CPOE or written order is not available, a verbal order is acceptable, but only when impossible or impracticable to use CPOE or written orders.
  • The use of secure text orders is not permitted at this time.After further review the call on the field, as it were, has been overturned.

This turnaround came about after TJC and CMS discussed the issues with numerous stakeholders, including text messaging platform vendors and experts in EHRs. The identified issues that led to the recent decision included:

  • Increased burden on nurses to manually transcribe text orders into the EHR.
  • Verbal orders are preferred when CPOE not used, because they allow for real-time clarification and confirmation of the order as it is given by the practitioner.
  • Text messaging could cause delay in treatment where a clinical decision support (“CDS”) recommendation or alert is triggered during data entry, requiring the nurse to contact the practitioner for additional information.

To view the Dec. 22, 2016 full text article on the TJC website click here to download.

 

Tis the Season to be Giving – OIG Increases “Nominal Gifts” Limit

The Office of the Inspector General (OIG) announced this Holiday season that it is increasing the monetary value of gifts falling under the nominal value exception to Medicare’s Civil Money Penalty Law.  Under section 1128A(a)(5) of the Social Security Act [42 U.S.C. §1320a-7(a)], a person who offers or transfers to a Medicare or Medicaid beneficiary any remuneration that the person knows or should know is likely to influence the beneficiary’s selection of a particular provider, practitioner, or supplier of Medicare or Medicaid payable items or services may be liable for civil monetary penalties (CMPs) of up to $10,000 for each wrongful act. “Remuneration” includes waivers of copayments and deductible amounts (or any part thereof) and transfers of items or services for other than fair market value[1].

However, as the OIG explained in its December 7, 2016 “Policy Statement Regarding Gifts of Nominal Value to Medicare and Medicaid Beneficiaries,” Congress intended to permit inexpensive gifts of nominal value.  The OIG has previously interpreted “inexpensive” and “nominal value” to mean a retail value of no more than $10 per item or $50 in the aggregate per patient on an annual basis, noting that it would periodically review these limits and adjust them according to inflation, if appropriate.[2]

The OIG now believes that the figures from 2000 should be adjusted. Thus, as of December 7, 2016, the OIG has modified its interpretation of “nominal value” to mean having a retail value of no more than $15 per item or $75 in the aggregate per patient on an annual basis.  The items may not be in the form of cash or cash equivalents. If a gift has a value at or below these thresholds, then the gift need not fit into an exception to section 1128A(a)(5).  Happy Holidays from the OIG.

[1] See section 1128A(i)(6) of the Act.

[2] See, e.g., 65 FR 24400, 24411 (Apr. 26, 2000).

Colorado Voters Approves “End of Life Options” Measure

On November 9, 2016, Colorado voters approved Proposition 106, the “End of Life Options” measure. Modeled after Oregon’s “Dignity in Death” law, it allows a Colorado resident who is terminally ill to seek a prescription for a lethal dose of medication if two doctors certify that the resident is mentally competent and has less than six months to live. The detailed act consists of 23 separate statutes, and it addresses a number of issues that may raise important questions for health care providers. For example, under Section 118 of the law, health care facilities (specifically including long term care facilities) are expressly permitted to bar employed or contracted physicians from writing a prescription for the terminal medication; obviously, health care facilities will need to decide whether – and how – their physicians will be allowed to participate in the right-to-die process. Look for updates from Gordon & Rees on key factors that health care providers must consider in upcoming weeks. The law is scheduled to become effective in the next month.

To read Proposition 106, the “End of Life Options” measure, please click here.

CMS ISSUES CHANGES TO REQUIREMENTS OF PARTICIPATION AFFECTING LTC FACILITIES: ARBITRATION IS OUT—ARE WAIVER OF JURY TRIALS IN?

Effective November 28, 2016, long-term care facilities that participate in Medicare and Medicaid will no longer be able to enter into “pre-dispute” agreements for binding arbitration with their residents.  The Centers for Medicare & Medicaid Services (CMS) issued the final rule on September 28, 2016, after consideration of extensive comments from key stakeholders in the long-term care community regarding proposed revisions.

Under the rule, a facility can ask a resident or a resident’s representative to enter into an arbitration agreement after a dispute arises.  However, the facility must comply with several requirements, such as ensuring that the agreement provides for the selection of a neutral arbitrator and a venue convenient to both parties.  Further, a resident’s right to remain in the facility cannot be contingent upon entering into the arbitration agreement and the agreement cannot contain language that discourages communications with federal, state or local surveyors and other officials.

As one of the more controversial changes, critics of the new arbitration rule have reacted strongly against the change and have commented that this part of the rule “clearly exceeds” CMS’s statutory authority.  In its response to public comments, CMS explains that the Secretary of Health and Human Services has the authority to administer the program under the Social Security Act by setting general practice parameters for payment under Medicare and Medicaid.  CMS further cites to its authority to promulgate regulations for residents’ health, safety and well-being and states that there is “significant evidence that pre-dispute arbitration agreements have a deleterious impact on the quality of care for Medicare and Medicaid patients.”  Nevertheless, there are several legal bases upon which to challenge the agency’s ability to preclude an arbitration agreement.

While CMS’s comments cite to a resident’s waiver of the right to a jury trial as a major factor considered in its decision to disallow pre-dispute arbitration agreements, the final rule does not expressly preclude jury trial waiver provisions within facility admissions agreements.  Jury waivers may help to address runaway verdicts that have become a concern in negligence cases in past years, while still respecting expressed concerns that arbitration presents undue costs to residents and creates an environment of “secrecy.”  Note that state law may vary on whether such waivers are enforceable.

Also remarkable is CMS’s comment that it will not address waiver of class-action litigation in this rule, but rather reserve the issue for consideration during future rulemaking.

The broad-sweeping final rule also contains several other provisions that directly affect compliance programs, training of nursing staff, updating infection and control programs, and other key requirements that long-term care facilities must comply with in order to participate in the Medicare and Medicaid programs.  It is advisable for long-term care facilities to promptly consult with a knowledgeable healthcare attorney to assess modifications to admissions packets and to otherwise establish the framework necessary to comply with the revised Requirements of Participation.

Failure to Update Business Associate Agreement Leads to Health System’s Settlement with OCR

A hospital’s breach notification to the Department of Health and Human Services, Office of Civil Rights (“OCR”) led to a Resolution Agreement, payment of $400,000 and a Corrective Action Plan for an east coast health system. On September 23, 2016, OCR issued a press release advising that Woman & Infants Hospital of Rhode Island (“WIH”) a member of Care New England Health System (“CNE”) notified OCR of a reportable breach in November of 2012, stemming from its discovery that unencrypted backup tapes containing electronic Protected Health Information (“PHI”) were missing from two of its facilities. CNE provides centralized corporate support to the covered entities under its common ownership and control, including technical support and information security for WIH’s information systems, as its business associate. Although WIH had in place a business associate agreement (“BAA”) with CNE, it was dated from March of 2005 and had not been updated since implementation and enforcement of the HIPAA Omnibus Final Rule.

OCR’s investigation of WIH’s HIPAA Compliance program, triggered by the report of the missing tapes, uncovered the outdated BAAs. WIH updated their BAA on August 28, 2015, as a result of OCR’s investigation. OCR then determined that from September 23, 2014, the date enforcement of the Final Rule began, until August 28, 2015, WIH impermissibly disclosed the PHI of at least 14,004 individuals to its business associate when WIH provided CNE with access to PHI without obtaining satisfactory assurances, in the form of a written business associate agreement, that CNE would appropriately safeguard the PHI. The settlement was reached without any admission of liability by CNE or WIH.

The settlement is a jolt to many covered entities and their business associates for a number of reasons. The key take-aways are: (1) There is an inference in the OCR’s actions that a well worded BAA, wherein the business associates agrees to abide by the specifications required by the Privacy and Security Rules, is sufficient to satisfy the covered entity’s obligation to obtain “satisfactory assurances” the business associate will appropriately safeguard the PHI (meaning those often lengthy and burdensome security questionnaires or audits business associates are being asked to complete may be unnecessary and not required); (2) documentation of intent and action, including policies, procedures and BAAs, is extremely important in establishing HIPAA Compliance (i.e., the fact that the mistake occurred—tapes went missing—is being treated as the result of the absence of a written agreement, justifying the enforcement action, when in reality it is likely, or at least conceivable, that human error, inadvertence or lack of attention is the root cause and this could have occurred even if an updated BAA was in place and being followed); and (3) policies, procedures and continuous training and retraining of the workforce handling PHI is imperative to a successful HIPAA compliance program, and remains on the radar of any OCR investigation.

A copy of the Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/wih.
OCR’s sample BAA may be found at http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.

Arizona Anesthesia Group Notifies 882,590 Patients of Data Breach

Valley Anesthesiology and Pain Consultants (“VAPC”), a physician group of more than 200 anesthesiologists and pain management specialists with several locations near Phoenix, Arizona, began notifying patients on August 11, 2016, of a potential data breach involving protected health information (“PHI”), despite the fact their retained forensic consultant found no evidence that the information on the computer system was accessed. However, the consultant was unable to definitively rule that out after investigation, and it did confirm that an individual gained access to a system containing PHI. The physician group elected to take the proactive route of notifying affected individuals. The forensic firm was apparently called in shortly after VAPC learned on June 13, 2016, that a third party may have gained unauthorized access to VAPC’s computer system on March 30, 2016, including records of 882,590 current and former patients, employees and providers.

On its website, VAPC says they value their relationship with patients and so decided to mail the notification letters. Law enforcement was also advised, and a dedicated call center has been set up to answer patients’ questions. Patients have been advised to review the statements they receive from their health insurer and to advise the insurer of any unusual activity. The computer system accessed is believed to have contained patient names, limited clinical information, name of health insurer, insurance identification numbers, and in some instances, social security numbers (“SSN”). No patient financial information was included in the computer systems. For providers, the information included credentialing information such as names, dates of birth, SSN, professional license numbers, DEA (Drug Enforcement Agency) and NPI (National Provider Identifier) numbers, as well as bank account information and potentially other financial information. The employee records on the system included names, dates of birth, addresses, SSNs, bank account information and financial information. Individuals that had their SSN or Medicare number exposed are being offered credit monitoring and identity theft protection services.

The circumstances of the incident illustrate the quandary regarding the presumption that it is a reportable breach if you can’t prove there was no access to the information, and the interplay between the HIPAA Security Rule and the Privacy Rule. Here, it was apparently established the system’s security was breached, but unclear whether personal health information was accessed once the unauthorized individual was in the system.

More information is available on VAPC’s website: https://valley.md/securityupdate.

Ransomware: Preparing for the Storm That’s A Brewin’

On July 11, 2016, the Office for Civil Rights (“OCR”) published guidelines for ransomware attack prevention and recovery, including the role HIPAA has in assisting covered entities and business associates to prevent and recover from such attacks, and how HIPAA breach notification processes should be managed in response to a ransomware attack. According to the OCR report, there have been 4,000 daily ransomware attacks since early 2016, up 300% from 2015. Earlier this week a healthcare IT Security Consultant told me the chatter he hears is that the hackers out there are working on stronger, more aggressive, more deadly hacks to unleash, and he fears a hacking storm a brewin’. Time to get serious and batten down the hatches, folks!

8-3The OCR report describes what a ransomware attack is, and explains that maintaining strict HIPAA Security Rule compliance can help prevent the introduction of malware, including ransomware. Some of the required security measures discussed include:

  • Implementing a security management process, which includes conducting a risk analysis and taking steps to mitigate or remediate identified threats and vulnerabilities;
  • Implementing processes to guard against and detect malicious software;
  • Training users on malicious software protection; and
  • Implementing access controls.

Since ransomware  gets into your system and then ties up your data, denying you access to your data (usually through encryption), and then directs you to pay a ransom to the hacker in order to receive a decryption key, maintaining frequent backups and ensuring the ability to recover data from backups is crucial to recovering from a ransomware attack. Again, HIPAA compliance protects entities because the Security Rule requires covered entities and business associates to implement a data backup plan as part of maintaining an overall contingency plan, which includes periodic testing of the plan to be sure it works.

The presence of ransomware – or any malware – is considered a security incident and triggers the need to initiate security incident response and reporting procedures. Based upon an analysis of the investigation results, breach notification may be required. Additionally, if there is an impermissible disclosure of PHI in violation of the privacy rule there is a presumed breach which may trigger notification. Whether or not the presence of ransomware would be a breach under HIPAA Rules is thus fact specific. However, unless the entity demonstrates there is a “…low probability that the PHI has been compromised,” a breach of PHI is presumed to have occurred and the entity must comply with the applicable breach notification provisions.

Further information and a copy of the OCR report can be found here.