Healthcare Empowered

Jenna Godlewski and Alice Harrs, for MaynardNexsen:

If you are a healthcare provider enrolled with Medicare and Medicaid, it is imperative that you know the governmental agencies’ expectations for compliant billing and understand that the agencies constantly monitor and audit provider claims to identify aberrant claims submissions and billing patterns.  This article summarizes several primary governmental agencies and Center for Medicare and Medicaid Services (“CMS”) contractors who conduct audits of healthcare claims reimbursed by Medicare and Medicaid and provides information as to how to monitor and identify the current audit targets of these auditors.

Douglas A. Grimm, for ArentFox Schiff:

In a recent Yale CEO Summit survey, 48% of CEOs indicated that AI will have its greatest effect as applied to the health care industry — more than any other industry. This alert analyzes how AI is already affecting the health care industry, as well as some of the key legal considerations that may shape the future of generative AI tools.

The article addresses the emerging regulatory framework, AI’s potential to streamline administrative processes, reduce operating expenses, and increase the amount of time a physician spends with a patient. While we all anticipate  AI can assist providers diagnose conditions and develope plans of care, we also need processes to confirm that AI is generating reliable information.

Jesse M. Coleman and Drew del Junco, writing for Seyfarth Shaw, LLP:

On June 13, 2023, Texas Governor Greg Abbott signed a major new patient safety bill into law that is intended both to reform the disciplinary authority of the Texas Medical Board (TMB) and to better protect patients from potentially dangerous doctors. …

The law, known as H.B. No. 1998, … seeks to equip the TMB, which regulates physicians in Texas, with the tools necessary to protect patients from dangerous physicians, increase hospital reporting requirements, all the while maintaining transparency about physician disciplinary records.

…

Among other changes, the new law:

• Requires a medical peer review committee or health care entity to report in writing to the TMB the results and circumstances of a medical peer review that adversely affects the clinical privileges of a physician for a period longer than 14 days. Previously, hospitals were obligated to make such a report only if the adverse action lasted more than 30 days, which is the current requirement for reporting such actions to the NPDB.

…

• Prevents doctors from practicing medicine in Texas if their medical licenses have been revoked, restricted, or suspended for cause in other states.
• Prevents doctors from practicing in Texas if they have been convicted, or had a deferred disposition, for a felony or misdemeanor crime involving moral turpitude.

Employees of health care providers do not have carte blanche authority to access patient records. Any access of protected health information must be for an appropriate use, either the provision of care to the patient, one of the other authorized uses. When employees misuse PHI, the Health and Human Services Office for Civil Rights (OCR) can and will penalize the organization.

McDermott Will & Emery, posted on National Review, writes about one such recent settlement with OCR:

The settlement involved impermissible data breaches by non-medical staff who, allegedly, used their login credentials to access patient medical records maintained in the hospital’s electronic medical record system without a job-related purpose. The lesson here is straightforward: all HIPAA-covered entities must “protect the privacy and security of health information.”

Will Maddox, for D-Magazine:

Fourteen Medical City Healthcare hospitals are among the hundreds of facilities caught up in an apparent patient data theft at the North Texas hospital operator’s parent company, HCA Healthcare. HCA says that information from around 11 million patients was “made available by an unknown and unauthorized party” in an online forum.
HCA believes that clinical and payment information was not part of the breach, but name, address, email, phone number, and service date and location were included in what was stolen. Credit card information, passwords, driver’s license numbers, and social security numbers are not believed to be a part of the theft.

James A. Cannatti, III, Tony Maida, and Niya Mack, for McDermott Will & Emery:

On June 27, 2023, the US Department of Health and Human Services (HHS) Office of Inspector General (OIG) released a final rule amending OIG’s civil money penalty (CMP) regulations implementing the 21st Century Cures Act (Cures Act) amendment to the CMP Law (CMPL), which, among other things, authorizes HHS to impose CMPs, assessments and exclusions upon individuals and entities that engage in fraud and other misconduct related to HHS grants, contracts and other agreements (42 USC 1320a-7a(o)-(s)). OIG’s final rule also addresses the Cures Act amendment to the Public Health Services Act (42 USC 300jj-52) authorizing OIG to investigate claims of information blocking and providing the Secretary of HHS authority to impose CMPs for information blocking, as well as Bipartisan Budget Act of 2018 increases to penalty amounts in the CMPL. We will be issuing a separate Special Report on the information blocking portion of OIG’s final rule.

Wendell Bartnick, Christian Blair and Stuart Cobb for Law 360:

On June 18, Texas enacted the Texas Data Privacy and Security Act, becoming the 11th state to enact a comprehensive consumer data privacy law.

Businesses regulated by the TDPSA have until July 1, 2024, to come into compliance with the law. The TDPSA does not tread much new ground for material privacy-related obligations, but its scope and applicability will require new thinking.

…

[T]the TDPSA likely applies to a larger swath of businesses than other state privacy laws because it may apply when a business produces a product or service that is consumed by a Texas resident. Analyzing the applicability of the TDPSA could look like a first-year civil procedure question examining personal jurisdiction.

It seems possible that a business without any operations in Texas or any desire to offer products or services in Texas could be regulated by the TDPSA if an individual takes a product from another state and uses it in Texas.

Similar to other comprehensive state privacy laws, the TDPSA provides exemptions depending on characteristics of the business or the data, including exemptions for nonprofits and businesses or data regulated by certain federal and state laws.

Jim Parker, for Hospice News:

Some hospice owners have been selling their businesses soon after securing a license. This has prompted federal agencies to pursue new regulations to address the problem.

The practice appears to stem from a rash of newly licensed hospices that have emerged in California, Nevada, Texas and Arizona.

Some of these providers have secured licenses, as well as Medicare certification and, sometimes, accreditation. They then proceed to enroll a small number of patients for whom they never bill Medicare …

By not billing, they are better able to avoid regulators’ attention.

Hospice is perceived as a predictable revenue stream by private equity (PE). Too often, PE does not understand the hospice business model nor does it have the commitment to prioritize standard of care over maximizing profits. Flipping licenses has undoubtedly increased because of an influx of PE funds.

Telehealth has been a boon for fraud because it expands the reach of the fraudster. But this type of fraud is nothing new. It’s just a different mechanism for communicating with vulnerable targets.

Joseph Choi for The Hill:

The Department of Justice (DOJ) announced Wednesday it has charged 78 people relating to their alleged involvement in defrauding care programs for elderly and disabled people of more than $2.5 billion. …

The bulk of the fraud appears to have been conducted through telemedicine schemes. According to the DOJ, individuals in the U.S. and abroad engaged in an operation that targeted elderly and disabled people through advertisements and the mail, connecting them with offshore staff who upsold unnecessary equipment and prescriptions.