Category: Health Law Highlights

Categories
Health Law Highlights

Providers Target Insurers in New Surprise Billing Legal Scuffles

From Bloomberg Law, by Sara Hansard:

  • Health care providers are increasingly suing insurers for not making timely arbitration award payments under the No Surprises Act, creating a new hurdle in the implementation of the billing dispute resolution system. These lawsuits are expected to rise as more claims move through the system and are potentially batched together.
  • The No Surprises Act’s federal online independent dispute resolution (IDR) portal has faced challenges, including large case backlogs and numerous shutdowns. As of June 2023, more than 490,000 disputes over out-of-network claims were submitted, with 61% remaining unresolved.
  • A significant consolidated lawsuit, Guardian Flight LLC v. Aetna Life Insurance Co., involves four air ambulance companies suing Aetna Inc. and Cigna Health and Life Insurance Co. for non-payment of claims following arbitration decisions. The companies claim that the insurers have failed to pay over $3 million in IDR awards.
  • Insurers are arguing that providers cannot file court cases to enforce IDR awards and that their only recourse is to file a complaint with the Centers for Medicare & Medicaid Services (CMS). CMS has stated that it takes the issue of late payments seriously and will impose civil monetary penalties if a violation is found.
  • There are complications and challenges in challenging arbitration awards, including the expensive cost of litigation. Some health care providers have found it difficult to determine whether to use the federal or state process for dispute resolution, further complicating the situation.
Categories
Health Law Highlights

Texas Medical Board Cracking Down on IV Hydration

From Hendershot & Cowart, PC, by Keith Lefkowitz: 

  • The Texas Medical Board (TMB) has addressed the rise of medical business models offering intravenous (IV) vitamin therapy or hydration, cautioning that these could potentially violate Texas regulations. TMB President, Dr. Sherif Zaafran, emphasized that IV therapy is a medical procedure and must be conducted under the supervision of a licensed physician or delegated non-physician.
  • Physicians are advised to ensure that such IV hydration services are therapeutically beneficial or necessary for the patient’s treatment, and are properly diagnosed and documented. 
  • The TMB warns against offering medical treatments as a “menu” for patients to choose from without proper medical assessment. The provision of medically unnecessary services could be seen as unprofessional conduct and a violation of the Medical Practice Act and TMB Rules.
  • A patient must be examined by a qualified healthcare practitioner, who should perform appropriate diagnostic tests and develop a diagnosis before prescribing drug therapies. Prescription of drugs without determining medical necessity may breach the Medical Practice Act and TMB Rules.
  • The TMB has strict guidelines for standing delegation orders and standing medical orders, including the types of medicines that may be provided. Physicians are encouraged to review the TMB regulation, Chapter 193 – Standing Delegation Orders, for full guidance on the rules related to delegation and supervision requirements and responsibilities.
Categories
Health Law Highlights

Key Considerations for Healthcare Providers Responding to Law Enforcement Requests

From Quarles & Brady LLP, by Simone Colgan Dunlap, Sarah Coyne, Kaitlyn Fydenkevez, Meghan O’Connor:

  • Current HIPAA rules permit healthcare providers to disclose protected health information (PHI) to law enforcement under specific circumstances, such as to comply with a court order, respond to an administrative request, or in cases of identifying a suspect or victim, among others.
  • Providers must also be aware of more stringent state laws, particularly when it comes to “sensitive” categories of data like mental health records or sexual/reproductive health data. Any disclosure must meet the requirements of both HIPAA and state law.
  • Providers should ensure that staff understand organizational policies and procedures regarding law enforcement requests, and should watch for the final rule on HIPAA disclosure requirements. The Senate Finance Committee’s letter calls for broader protection, which may influence the final rule, particularly in relation to pharmacy disclosure of prescription data to law enforcement.
Categories
Health Law Highlights

HHS-OIG Determines Consultant’s Gift Cards Given to Physicians Recommending Services Do Not Implicate Anti-Kickback Statute

From Barnes & Thornburg, by Jason D. Schultz and Mary Elizabth “Lizzy” Ford:

  • The U.S. Department of Health and Human Services’ Office of Inspector General (HHS-OIG) issued Advisory Opinion No. 23-15, permitting a consulting services company to offer gift cards as incentives for physician practices to recommend its services to other physicians. 
  • The company provides various consulting services, including workflow optimization, data analytics, electronic health record consulting, compliance monitoring, and assistance with Medicare Merit-Based Incentive Payment System (MIPS) matters.
  • The proposed arrangement involves three streams of remuneration: gift cards for recommendations and successful referrals, payment for consulting services, and potential higher MIPS reimbursements for customers. 
  • HHS-OIG determined that the Anti-Kickback Statute (AKS) would not be implicated, as the arrangement does not involve referrals or purchases for which payment may be made under a federal healthcare program. 
  • The opinion underscores that the AKS is not violated and no sanctions are imposed when the arrangement does not involve referrals or purchases related to a Federal health care program.
Categories
Health Law Highlights

OIG Approves Hospital’s Redemption Offer to Retiring Physician-Owners

From Bass, Berry & Sims, PLC, by Justin Brown, Krista Cooper, Ashley Gholston Fowler, Travis Lloyd:

  • The U.S. Department of Health and Human Services Office of Inspector General (OIG) issued Advisory Opinion No. 23-12 on January 3, approving a plan by a physician-owned hospital to redeem the ownership interests of physicians who retire at 67 over a two-year period. This opinion provides guidance on redemption of physicians’ ownership interests in syndicated facilities like physician-owned hospitals and ambulatory surgery centers.
  • The requesting party, a limited liability partnership operating two hospitals, proposed a one-time offer to physician-owners turning 67 to redeem their units over two years to avoid a potential liquidity crunch. To accept, a physician-owner must agree to retire within six months of the first payment and certify they will not refer patients to the hospitals or other partners.
  • The partnership would redeem the units in three equal increments over the two-year period at a fair market value price. Redeemed units are offered to existing and prospective physician-owners equally, without regard to the volume or value of referrals or other business generated.
  • The OIG concluded that the arrangement posed a low risk under the federal Anti-Kickback Statute, based on the fact that eligibility for the redemption offer is unrelated to the volume or value of referrals or other business generated, and the remuneration is unlikely to result in unfair competition by altering referral patterns.
  • The advisory opinion highlights the importance of objectivity and consistency in structuring redemptions and offerings. Basing redemptions and offerings on objective criteria unrelated to the volume or value of referrals or other business generated and applying these criteria consistently to all physicians reduces the risk of non-compliance with the Anti-Kickback Statute and federal physician self-referral law (Stark Law).
Categories
Health Law Highlights

Is Stripe HIPAA Compliant?

From The HIPAA Journal, by Steve Adler:

  • Stripe’s Non-HIPAA Compliance: Despite being compliant with various US and international data privacy regulations, Stripe is not HIPAA compliant. This is due to its method of recording personal data within transaction data, which is then used for fraud detection and shared with third-party payment providers, some of which have questionable security and privacy practices.
  • Payment Processing Exemption: Stripe can process payments without violating HIPAA because of an exemption provided by the Social Security Act (§1179), which excludes financial transactions from HIPAA’s Administrative Simplification Regulations. However, this exemption only applies to payment processing and not to other activities, such as fraud detection, without a Business Associate Agreement (BAA) in place.
  • Stripe’s BAA Limitation: Stripe cannot enter into a BAA with HIPAA covered entities and business associates because some of its third-party payment providers, like Coinbase and PayPal, will not enter into a BAA with Stripe. This makes Stripe non-HIPAA compliant.
  • Stripe’s Global Compliance: As a global payment processing platform, Stripe must adhere to various consumer protection regulations and licensing requirements worldwide, leading it to restrict or prohibit certain types of business activities, including collecting payments for certain healthcare services.
  • Violating Stripe’s Terms and Conditions: If a business violates Stripe’s Terms and Conditions, which include a list of restricted business activities, Stripe can immediately terminate access to its payment processing platform. Therefore, businesses considering Stripe should thoroughly review its Terms and Conditions and related documentation to understand their obligations.
Categories
Health Law Highlights

The Most Critical Elements of the FTC’s Health Breach Rulemaking

From Lawfare, by Justin Sherman and Devan Desai,

  • The Federal Trade Commission (FTC) is considering modifications to its Health Breach Notification Rule (HBNR), which governs how non-HIPAA-covered entities handle health data breaches. The proposed changes aim to keep up with technological advancements and trends in the health tech and data landscapes.
  • The FTC’s proposal comes amid a greater focus on health data privacy, following enforcement actions against prescription drug provider GoodRx and fertility tracking app Premom, both of which allegedly violated the HBNR by sharing sensitive health data without proper disclosures.
  • The proposed changes aim to expand federal health data breach regulations to reflect the evolving role of health tech apps, telehealth services, data brokers, and digital advertisers in collecting, aggregating, identifying, sharing, and selling Americans’ health information.
  • The FTC is looking to expand and clarify the definition of personal health record identifiable information, formally expand the definition of a breach to include unauthorized data disclosures, and clarify how the HBNR applies to mobile apps and health tech companies.
  • While the proposed changes largely serve to clarify existing policies and practices, they are viewed as crucial in improving privacy regulation, aligning with state-level health data regulations, and addressing harmful practices such as selling sensitive health data without consumers’ consent.
Categories
Health Law Highlights

HHS Issues First Settlement for HIPAA Violations Related to a Ransomware Attack

From Hall Benefits Law, by Anne Tyler Hall:

  • The U.S. Department of Health and Human Services (HHS) reached a settlement with a Massachusetts-based medical management company for alleged violations of HIPAA’s Privacy and Security Rules. The company, a HIPAA business associate, will pay $100,000 and comply with a three-year corrective action plan (CAP).
  • The investigation began in 2019, following the company’s notification to HHS about a Gandcrab ransomware attack that had occurred two years prior. The attack, discovered 18 months after it happened, affected the electronic Protected Health Information (ePHI) of over 206,000 individuals.
  • HHS found that the company violated HIPAA rules by disclosing individuals’ ePHI without authorization and failing to perform a thorough risk analysis, regularly review information system activity, and establish compliant security policies and procedures.
  • The CAP requires the company to revise its HIPAA policies and procedures, addressing issues like security awareness, training, and regular review of information system activities. The company must distribute these revised policies to all workers who use or disclose ePHI, and promptly report any noncompliance to HHS.
  • The CAP also mandates that the company conduct a thorough risk analysis of potential risks and vulnerabilities concerning its existing system for storing ePHI. The company must document its security measures, adopt a risk management plan, and submit annual reports to HHS throughout the three-year duration of the CAP.
Categories
Health Law Highlights

Ownership Transparency: The New Normal in Healthcare?

From Davis Wright Tremain, LLP, by Megan Leonard and Robert G. Homchick,

  • On November 17, 2023, the U.S. Department of Health and Human Services published a final rule requiring Medicare and Medicaid nursing facilities to provide more detailed ownership and managerial information on the Medicare Enrollment Application Form CMS-855A.
  • Private equity’s role in the healthcare sector has been under scrutiny, with increased transparency and oversight measures being implemented at both the federal and state levels.
  • The Final Rule was issued in response to studies linking private equity ownership to a decline in quality of care in nursing homes and SNFs.
  • The Final Rule will be effective January 16, 2024 and will require disclosure of ownership and managerial information upon initial enrollment, revalidation, and change of ownership.
  • The Final Rule requires nursing homes to disclose information on their governing body, officers, directors, and additional disclosable parties, as well as the organizational structure and relationships of these parties. This information must be reported upon initial enrollment, revalidation, and every five years.
Categories
Health Law Highlights

US Enforcement of Emergency Abortion Rule Halted in Texas

From Bloomberg Law, by Mary Anne Pazanowski and Ian Lopez:

  • The Fifth Circuit has ruled that the Biden administration’s guidance document, intended to protect abortion access nationwide, cannot be enforced due to a failure to follow proper rulemaking procedures.
  • The guidance document added new obligations under the Emergency Medical Treatment and Labor Act, rather than simply restating existing requirements.
  • The court’s decision limits the government’s ability to ensure that clinicians can provide necessary care, including abortion, in emergency situations.
  • The case highlights a conflict between the Biden administration’s pro-abortion stance and Texas law, which largely bans the procedure.
  • The decision has been met with concern from advocates for reproductive justice, who fear that access to abortion services will be further restricted.