CMS ISSUES CHANGES TO REQUIREMENTS OF PARTICIPATION AFFECTING LTC FACILITIES: ARBITRATION IS OUT—ARE WAIVER OF JURY TRIALS IN?

Effective November 28, 2016, long-term care facilities that participate in Medicare and Medicaid will no longer be able to enter into “pre-dispute” agreements for binding arbitration with their residents.  The Centers for Medicare & Medicaid Services (CMS) issued the final rule on September 28, 2016, after consideration of extensive comments from key stakeholders in the long-term care community regarding proposed revisions.

Under the rule, a facility can ask a resident or a resident’s representative to enter into an arbitration agreement after a dispute arises.  However, the facility must comply with several requirements, such as ensuring that the agreement provides for the selection of a neutral arbitrator and a venue convenient to both parties.  Further, a resident’s right to remain in the facility cannot be contingent upon entering into the arbitration agreement and the agreement cannot contain language that discourages communications with federal, state or local surveyors and other officials.

As one of the more controversial changes, critics of the new arbitration rule have reacted strongly against the change and have commented that this part of the rule “clearly exceeds” CMS’s statutory authority.  In its response to public comments, CMS explains that the Secretary of Health and Human Services has the authority to administer the program under the Social Security Act by setting general practice parameters for payment under Medicare and Medicaid.  CMS further cites to its authority to promulgate regulations for residents’ health, safety and well-being and states that there is “significant evidence that pre-dispute arbitration agreements have a deleterious impact on the quality of care for Medicare and Medicaid patients.”  Nevertheless, there are several legal bases upon which to challenge the agency’s ability to preclude an arbitration agreement.

While CMS’s comments cite to a resident’s waiver of the right to a jury trial as a major factor considered in its decision to disallow pre-dispute arbitration agreements, the final rule does not expressly preclude jury trial waiver provisions within facility admissions agreements.  Jury waivers may help to address runaway verdicts that have become a concern in negligence cases in past years, while still respecting expressed concerns that arbitration presents undue costs to residents and creates an environment of “secrecy.”  Note that state law may vary on whether such waivers are enforceable.

Also remarkable is CMS’s comment that it will not address waiver of class-action litigation in this rule, but rather reserve the issue for consideration during future rulemaking.

The broad-sweeping final rule also contains several other provisions that directly affect compliance programs, training of nursing staff, updating infection and control programs, and other key requirements that long-term care facilities must comply with in order to participate in the Medicare and Medicaid programs.  It is advisable for long-term care facilities to promptly consult with a knowledgeable healthcare attorney to assess modifications to admissions packets and to otherwise establish the framework necessary to comply with the revised Requirements of Participation.

Failure to Update Business Associate Agreement Leads to Health System’s Settlement with OCR

A hospital’s breach notification to the Department of Health and Human Services, Office of Civil Rights (“OCR”) led to a Resolution Agreement, payment of $400,000 and a Corrective Action Plan for an east coast health system. On September 23, 2016, OCR issued a press release advising that Woman & Infants Hospital of Rhode Island (“WIH”) a member of Care New England Health System (“CNE”) notified OCR of a reportable breach in November of 2012, stemming from its discovery that unencrypted backup tapes containing electronic Protected Health Information (“PHI”) were missing from two of its facilities. CNE provides centralized corporate support to the covered entities under its common ownership and control, including technical support and information security for WIH’s information systems, as its business associate. Although WIH had in place a business associate agreement (“BAA”) with CNE, it was dated from March of 2005 and had not been updated since implementation and enforcement of the HIPAA Omnibus Final Rule.

OCR’s investigation of WIH’s HIPAA Compliance program, triggered by the report of the missing tapes, uncovered the outdated BAAs. WIH updated their BAA on August 28, 2015, as a result of OCR’s investigation. OCR then determined that from September 23, 2014, the date enforcement of the Final Rule began, until August 28, 2015, WIH impermissibly disclosed the PHI of at least 14,004 individuals to its business associate when WIH provided CNE with access to PHI without obtaining satisfactory assurances, in the form of a written business associate agreement, that CNE would appropriately safeguard the PHI. The settlement was reached without any admission of liability by CNE or WIH.

The settlement is a jolt to many covered entities and their business associates for a number of reasons. The key take-aways are: (1) There is an inference in the OCR’s actions that a well worded BAA, wherein the business associates agrees to abide by the specifications required by the Privacy and Security Rules, is sufficient to satisfy the covered entity’s obligation to obtain “satisfactory assurances” the business associate will appropriately safeguard the PHI (meaning those often lengthy and burdensome security questionnaires or audits business associates are being asked to complete may be unnecessary and not required); (2) documentation of intent and action, including policies, procedures and BAAs, is extremely important in establishing HIPAA Compliance (i.e., the fact that the mistake occurred—tapes went missing—is being treated as the result of the absence of a written agreement, justifying the enforcement action, when in reality it is likely, or at least conceivable, that human error, inadvertence or lack of attention is the root cause and this could have occurred even if an updated BAA was in place and being followed); and (3) policies, procedures and continuous training and retraining of the workforce handling PHI is imperative to a successful HIPAA compliance program, and remains on the radar of any OCR investigation.

A copy of the Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/wih.
OCR’s sample BAA may be found at http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.

The Effects of Medicaid Expansion under the ACA: Findings from a Literature Review — The Henry J. Kaiser Family Foundation

Research on the effects of Medicaid expansions under the Affordable Care Act (ACA) can help increase understanding of how the ACA has impacted coverage; access to care, utilization, and health outcomes; and various economic outcomes, including state budgets, the payer mix for hospitals and clinics, and the employment and labor market. These findings also may…

via The Effects of Medicaid Expansion under the ACA: Findings from a Literature Review — The Henry J. Kaiser Family Foundation

OIG Expresses Concerns about Medicare Skilled Nursing Therapy Billing

Calling for a reevaluation of the Medicare payment system for skilled nursing facilities (SNFs), the Department of Health and Human Services’ (HHS) Office of Inspector General (OIG) recently issued a report expressing concerns about Medicare payment for therapy services. The OIG found that Medicare payments for therapy “greatly exceed” SNFs’ therapy costs. The difference between Medicare therapy payments and facility costs for therapy averaged 29 percent—twice as high as the 14 percent overall Medicare margin for SNF payments in 2012. The OIG stated that Medicare payments for therapy rose faster than therapy costs between 2002 and 2010. According to the OIG, one factor leading to the increased payments was that SNFs increasingly billed for the highest level of therapy even though beneficiary characteristics remained largely unchanged. The OIG report also notes that SNFs used strategies to optimize revenues, such as providing the minimum number of therapy minutes for the higher levels of therapy. Finally, the OIG found that increases in SNF billing resulted in $1.1 billion in Medicare payments in 2012 and 2013.

As a result of this and prior OIG reports, the OIG called for the Centers for Medicare and Medicaid Services (CMS) to reevaluate the Medicare SNF payment system. The OIG recommended that CMS take the following actions: (1) evaluate the extent that Medicare therapy payment rates should be reduced; (2) change the method used to pay for therapy; (3) adjust Medicare payments to eliminate any increases that are not related to beneficiary characteristics; and (4) strengthen oversight of SNF billing. CMS agreed with all of the OIG’s recommendations. Accordingly, it is possible.

OIG’s Advisory Opinion Concludes that Free Introductory Visits by Home Health Provider Are Not Prohibited Remuneration

A home health care provider’s policy of offering free introductory visits to patients who had already selected it as their home health care provider does not generate prohibited remuneration under the federal antikickback statute, the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) concluded in a recent advisory opinion. (OIG Advisory Opinion No. 15-12.) The home health agency requesting the advisory opinion (requestor) stated that a physician or a health care professional provides a list of home health providers to a patient who needs home health services. The requestor has no involvement in the patient’s selection process, nor does it offer or pay any remuneration to the physician or other referral source. After a patient chooses the requestor as his or her home health agency, an employee of the requestor (liaison) contacts the patient by telephone to see if he or she would like to have an introductory visit with the liaison. The purpose of the introductory visit is to facilitate the patient’s transition to home health services and to increase compliance with the treatment plan. The liaison does not provide any diagnostic or therapeutic service reimbursed by any federal health care program during the introductory visit and the services provided during the introductory visit do not require clinical training.

The OIG concluded that the introductory visits were not remuneration because they did not provide any actual or expected economic benefit to patients. Although the services may have some “intrinsic value” to patients, the OIG concluded that the “intangible worth to patients” created by the introductory visits do not implicate the federal antikickback statute or the Civil Monetary Penalty law.

OIG Issue Fraud Alert on Physician Compensation Arrangements

The Office of Inspector General (OIG) at the Department of Health and Humans Services (HHS) recently issued a fraud alert for physicians who enter into compensation arrangements. Every physician should review carefully the terms and conditions of compensation arrangements, such as medical directorships, to ensure that they reflect fair market value for bona fide services provided by the physician. The OIG cautioned that a compensation arrangement may violate the anti-kickback statute if even one purpose of the arrangement is to compensate a physician for past or future referrals of federal health care program business.

The fraud alert highlighted the OIG’s recent settlements with 12 individual physicians. According to the OIG, the compensation paid to these physicians under medical directorship arrangements violated the anti-kickback statute for several reasons, including the following:

  • The payments took into account the volume or value of the physicians’ referrals rather than the fair market value for the services;
  • The physicians did not actually provide the services; and
  • Some of the physicians entered into arrangements where an affiliated health care entity paid the salaries of the physicians’ front office staff which relieved the physicians of a financial burden resulting in improper remuneration to the physicians.

Given the OIG’s recent focus on physician compensation arrangements, physicians should proactively review their agreements to ensure that they meet anti-kickback statute requirements, including any applicable safe harbors.

HHS/OCR Issues Guidance on HIPAA and Workplace Wellness Programs

Many employers view wellness programs as a way to lower health care costs and promote healthy behavior. With the growth of workplace wellness programs, new guidance from the Office of Civil Rights (OCR) at the Department of Health and Human Services (HHS) is timely. HHS/OCR recently issued guidance in the form of frequently asked questions about HIPAA and workplace wellness programs.

5-19The applicability of HIPAA to a workplace wellness program depends on how the program is structured. An employer may sponsor its own wellness program or offer it through the employer’s group health plan. When a workplace wellness program is offered as part of a group health plan, individually identifiable health information collected from wellness program participants is protected under HIPAA because the group health plan is a covered entity under HIPAA. However, a workplace wellness program that is not offered as part of a group health plan but is offered by an employer directly is not covered by HIPAA since HIPAA applies only to covered entities and business associates, but not to employers in their capacity as employers. However, other federal and state laws may apply to the collection and/or use of information by an employer that directly offers a workplace wellness program.

The guidance also addresses whether a group health plan may allow an employer as plan sponsor access to protected health information about participants in a wellness program offered through the plan. If the employer does not administer the health plan, the group health plan can disclose to the employer as plan sponsor only information on which individuals are participating in the health plan and summary health information if requested for the purposes of modifying the plan or obtaining premium bids for coverage.

The guidance states that  the group health plan can provide an employer that is a plan sponsor and performs administrative functions on behalf of the group health plan with access to protected health information necessary to perform its plan administrative functions, but only if certain conditions are met. These conditions, which the employer as plan sponsor must include in plan documents and certify agreement to, include the following:

  • There must be adequate separation between employees who perform plan administrative functions and those who do not;
  • Protected health information cannot be used or disclosed for employment-related actions or other prohibited purposes under the privacy rule; and
  • There must be reasonable and appropriate administrative, technical, and physical safeguards to protect any electronic protected health information.

As employers and group health plans begin developing and implementing workplace wellness programs this year, they should review OCR’s recent guidance to ensure that they are in compliance with HIPAA.

 

Image courtesy of Flickr by Robert Gourley

Recent Compliance Guidance Issued for Health Care Governing Boards

In cooperation with several industry associations, the Office of Inspector General (OIG) at the Department of Health and Human Services (HHS) recently issued guidance to help governing boards of health care organizations perform their compliance duties. The guidance was developed through collaboration between the Association of Healthcare Internal Auditors, the American Health Lawyers Association, the Health Care Compliance Association, and the OIG. The compliance guidance repeats some guidance for other industry groups, such as a compliance program is not a “one size fits all” program. However, the guidance also contains information that is particularly applicable to governing boards.

The guidance addresses the following issues relating to a governing board’s oversight and review of compliance functions: (1) roles of, and relationships between, the organization’s audit, compliance, and legal departments; (2) mechanism and process for reporting within the organization; (3) identifying regulatory risk; and (4) encouraging enterprise-wide accountability for achieving compliance goals and objectives.

The guidance offers some suggestions specific to governing boards about compliance, including the following.

  • The guidance states that boards should develop a formal plan to stay current with the regulatory landscape so that the board can ask more pertinent questions and make informed decisions. The plan may involve periodic updates from staff or review of materials provided by staff or outside educational programs.
  • The guidance states that a board can raise its expertise level about regulatory and compliance matters by adding to the board or consulting with a regulatory, compliance, or legal professional.
  • There should be a process to ensure appropriate access to information, which can be set out in a formal charter document or other documents.
  • The guidance recommends that boards evaluate and discuss how management works together to address risk.
  • The guidance states that the board should set and enforce reporting to the board compliance-related information in a format that satisfies the interests or concerns of board members.

The board may want to consider scheduling regular executive sessions to discuss compliance and quality functions to encourage open communication.

HIPAA Privacy and Public Health Emergency Situations

In light of the Ebola outbreak, the U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR) has issued a bulletin reminding health care providers that the protections under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule are not set aside during an emergency.  OCR reminds covered entities that “the protections of the Privacy Rule are not set aside during an emergency.”  OCR cautions that in an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against impermissible uses and disclosures.  Thus, covered entities and their business associates should review the HIPAA Privacy Rule to ensure that uses and disclosures in emergency situations are appropriate, as well as provide training and reminders to employees.

HIPAA recognizes that under certain circumstances it may be necessary to share patient information without authorization.  OCR’s bulletin notes that covered entities may disclose protected health information without a patient’s authorization as necessary to treat the patient or a different patient.  HIPAA also allows covered entities to release patient information without authorization for certain public health activities.  A covered entity may disclose protected health information to a public health authority that is authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability.  Information may also be shared at the direction of a public health authority to a foreign government that is acting in collaboration with the public health authority.   In addition, health information may be shared with persons at risk of contracting or spreading a disease or condition if authorized by law.  Finally, health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public consistent with applicable law and ethical standards.

There are additional circumstances that allow the disclosure of protected health information.  A covered entity may disclose protected health information to a patient’s family members, relatives, friends, or other persons who the patient identifies as being involved in the patient’s care and disaster relief organizations.  Covered entities should review the specific circumstances that allow the release of this information.

Covered entities should also review whether the minimum necessary requirement applies.  For most disclosures, but notably not disclosures to health care providers for treatment purposes, a covered entity must make reasonable efforts to limit the information disclosed to the “minimum necessary” to accomplish the purpose.

Although the media has reported many details about Ebola patients, HIPAA is not suspended when providing information to the media about Ebola or other public health emergencies.  Therefore, covered entities should carefully review the rules surrounding disclosures to the media or others not involved in the care of the patient.  If the media requests information about a particular patient by name, a health care facility may release limited facility directory information to acknowledge that the individual is a patient and provide basic information about the patient’s condition in general terms, if the patient has not objected or restricted the release of this information, but information about an incapacitated patient may only be released if the disclosure is believed to be in the patient’s best interest and is consistent with the patient’s prior expressed preferences.   General information about a patient’s condition includes critical or stable, deceased, or treated and released.  OCR cautions that affirmative reporting or disclosure to the media or the public at large about an identifiable patient or  specific information may not be done without the patient’s or an authorized personal representative’s written authorization, unless one of the limited circumstances described elsewhere in OCR’s bulletin is applicable.

Although HIPAA is not suspended during a public health or other emergency, the HHS Secretary may waive certain provisions under the Project Bioshield Act of 2004 and section 1135(b)(7) of the Social Security Act.  The limited waiver applies to certain sanctions and penalties of the Privacy Rule if the President declares an emergency or disaster and the HHS Secretary declares a public emergency.  The waiver only applies in the emergency area and for the emergency period identified; to hospitals that have instituted a disaster protocol; and for up to 72 hours after the hospital implements its disaster protocol.  Once the Presidential or Secretarial declaration ends, a hospital must comply with the entire Privacy Rule, even if less than 72 hours have elapsed since the hospital implemented its disaster protocol.

HHS Office of Inspector General Issues 2015 Work Plan (Part 2)

This final post on the OIG’s 2015 Work Plan summarizes many of the OIG’s initiatives in other areas.  To read Part 1, click here.

Medical Equipment and Sales: The OIG plans to examine 10 areas regarding equipment and supplies, including issues relating to power mobility devices, lower limb prosthetics, nebulizer machines and related drugs, diabetes testing supplies, and the payment system for renal dialysis services and drugs.  The OIG will also review claims for frequently replaced medical equipment supplies to determine supplier compliance with medical necessity, frequency, and other Medicare requirements, noting that suppliers have automatically shipped certain device supplies without physician orders for refills.

Other Providers: The OIG plans to review other providers’ policies, practices, and billings and payments, including ambulance, anesthesia, chiropractic, diagnostic radiology, imaging, and clinical laboratory services. The OIG also will examine inappropriate and questionable billing by ophthalmologists, physician place of service coding errors, high use of outpatient physical therapy services, supplier compliance with transportation and set-up fee requirements for portable X-ray equipment, and high use of sleep-testing procedures by sleep disorder clinics.

Prescription Drugs: The OIG will review several areas relating to prescription drugs. Of note, the OIG plans to examine payments for drugs purchased under the 340B Drug Pricing Program by determining how much Medicare Part B spending could be reduced if Medicare could share the savings for drugs purchased under the 340B program.

Part A and B Contractors: The OIG plans to examine seven areas relating to oversight of contracts and contractor functions and performance.

Information Technology Security, Protected Health Information, and Data Accuracy: Of note, the OIG plans to examine whether CMS oversight of hospitals’ security controls over networked medical services is adequate to protect electronic-protected health information. The OIG states that computerized medical devices that are integrated with electronic medical records and a health network are a growing threat to the security and privacy of health information. These medical devices monitor a patient’s health status and transmit and receive health data.

Other Part A and Part B Program Management Issues: The OIG will examine enhanced enrollment screening procedures for Medicare providers under the ACA. For the first time, the OIG will conduct a risk assessment of the Pioneer Accountable Care Organization Model.

Medicare Part C and Part D: The OIG plans several activities regarding Medicare Part C and Part D, including Medicare Advantage Organizations’ compliance with Part C requirements, ensuring dual -eligible patient access to drugs under Part D, and Part D billing and payments including Medicare Part D payments for HIV drugs for deceased beneficiaries.

Medicaid Program: The OIG will investigate several areas relating to Medicaid, noting that protecting Medicaid from fraud, waste, and abuse takes on a heightened urgency as the program continues to expand. Thus, the OIG will investigate a variety of areas in the Medicaid program, including state claims for drug rebates and claims for federal reimbursement. The OIG will also review Medicaid payments by states for home health services and other community-based care, including determining whether adult day care services providers complied with federal and state requirements and whether home health agency health care workers were screened in accordance with federal and state requirements. In addition, the OIG will review issues relating to medical equipment and supplies, transportation, health care-acquired conditions, and managed care. Finally, the OIG will review a variety of issues regarding state management, funding, oversight, and payment for Medicaid.

Other: The OIG plans to review and investigate many other areas. For the first time, the OIG will determine the extent to which hospitals comply with the contingency planning requirements found in the Health Insurance Portability and Accountability Act (HIPAA), as well as compare the hospitals’ contingency plans with government and industry recommended practices.