Health Law Highlights

Researchers Observe Increase in Emerging Ransomware Groups Targeting Healthcare

From HealthIT Security, by Jill McKeon:

  • The healthcare sector experienced significant data breaches in 2023, with over 540 organizations reporting such incidents, largely due to ransomware attacks. Healthcare was the third-most targeted industry, following manufacturing and technology.
  • The GuidePoint Research and Intelligence Team (GRIT) identified 63 distinct ransomware groups responsible for these attacks, with established groups like LockBit, Alphv, and Clop causing the majority of breaches. These groups have operated for at least nine months and have well-defined tactics.
  • Both established and emerging ransomware groups have increasingly targeted healthcare organizations. Despite traditionally being considered ‘off-limits’ due to potential negative press and law enforcement attention, the number of attacks on healthcare organizations rose in 2023.
  • Emerging groups, defined as those in operation for less than three months, have been particularly problematic for the healthcare sector. One such group, Rhysidia, has been aggressive in its attacks despite its relative newness, using tactics like phishing to compromise victims.
  • GRIT predicts that ransomware attacks will continue to escalate in 2024, with the most prolific groups leading advancements in techniques and strategies. The report emphasizes the importance of industry best practices in threat intelligence, information sharing, and public-private partnerships to combat this growing threat.
Health Law Highlights

CMS Finalizes its Proposal to Advance Interoperability and Improve Prior Authorization Processes

From Sheppard Mullin Richter & Hampton LLP, by Gianfranco Spinelli and Krysten Thomas:

  • Final Rule Issued by CMS: The Centers for Medicare and Medicaid Services (CMS) issued a final rule titled “CMS Interoperability and Prior Authorization” on January 17, 2024, which aims to advance interoperability and improve prior authorization processes. This rule impacts Medicare Advantage organizations, state Medicaid and CHIP agencies, Medicaid and CHIP managed care plans, and plans on the Affordable Care Act exchanges, as well as MIPS eligible clinicians, and eligible hospitals and critical access hospitals.
  • Patient Access API: The final rule requires Impacted Payers to provide patients access to certain information, including claims, cost sharing data, encounter data, and a set of clinical data accessible via health applications. The implementation of this requirement is set for January 1, 2027, which is a change from the original proposed date of January 1, 2026.
  • Provider Access API and Payer-to-Payer API: The rule mandates Impacted Payers to build and maintain a Provider Access API for data sharing with in-network providers. It also requires a Payer-to-Payer API to ensure patients can maintain continuity of care and have uninterrupted access to their health data. Both these requirements are to be implemented by January 1, 2027.
  • Prior Authorization API and Process Improvements: CMS finalized the proposal to require Impacted Payers to build and maintain a Prior Authorization API, which is to be implemented by January 1, 2027. The rule also shortens the time frames for prior authorization decisions and requires Impacted Payers to provide a specific reason for denied decisions. These requirements are to be complied with by January 1, 2026.
  • Public Reporting and Electronic Prior Authorization Measure: The final rule requires Impacted Payers to publicly report certain prior authorization metrics, with the initial set of metrics to be reported by March 31, 2026. It also mandates MIPS eligible clinicians, eligible hospitals, and CAHs to report the number of prior authorizations for medical items and services requested electronically from a Prior Authorization API.
Health Law Highlights

CMS Issues Interim Rule in Response to State Medicaid Disenrollment Trend

From Nelson Mullins Riley & Scarborough LLP, by Shane Duer, Knicole Emanuel, Cara Ludwig:

  • The Centers for Medicare & Medicaid Services (CMS) has issued an interim rule in response to the trend of states disenrolling recipients from the Medicaid program.
  • The rule aims to limit the removal of recipients from the program for procedural reasons rather than eligibility considerations.
  • States that fail to comply with the rule may face enforcement actions, including submitting a corrective action plan and paying civil money penalties.
  • The rule also requires states to submit reports on their eligibility redetermination activities, which will be made public.
  • The regulations became effective on December 6, 2023.

CMS Provides Additional Expansion Opportunities for High Medicaid Physician-Owned Hospitals

Under the Affordable Care Act’s amendments to the Stark Law, a Physician Owned Hospital (POH) cannot expand the aggregate number of operating rooms, procedure rooms or licensed beds beyond the number for which the hospital was licensed on March 23, 2010.

The Secretary of Health and Human Services may grant an exception to this prohibition to POHs qualifying as either an “applicable hospital” or a “high Medicaid facility” (as those terms are defined in the regulations).

POHs meeting one of these two exceptions were nonetheless still limited in that they could only request an expansion once every two years and the expansion was limited to no more that 200% of the rooms or beds that existed as of March 23, 2010.

These new rules relax these expansion limitations for “high Medicaid facilities,” but not “applicable hospitals”.

Though there are other requirements, a “high Medicaid facility” POH is one that for the three (3) most recent 12-month periods for which data is available, has an annual percentage of total Medicaid inpatient admissions that is estimated to be greater than the percent of such admissions for any other hospital located in the same county in which the POH is located (as determined by the data sources approved by CMS.

The new Final Rule, removes the limitation on the number of times a high Medicaid facility can request an expansion so long as the POH only has one request under review at any given time.

CMS also removed the 200% capacity limitation that previously existed for high Medicaid facilities seeking expansion.

High Medicaid facility POHs can now expand off of their main campus, but must continue to comply with Medicare rules and regulations regarding distance limitations relative to off-campus facilities and provider-based departments.

Source: CMS Provides Additional Expansion Opportunities for High Medicaid Physician-Owned Hospitals


Stark + AKS Final Rules

The final rules for changes to the Stark Law and Anti-Kickback Statute (healthcare fraud & abuse laws) have been published and go into effect on January 19, 2020. Of course, health lawyers love this stuff, but it could impact other practice areas too.

Transaction attorneys, you already know to be very careful if your transaction or arrangement, in any way, involves a hospital, doctor, or any other healthcare provider or entity. Even if your deal does not involve a healthcare provider, but could impact reimbursement by any federal program, these statutes may be implicated.

Litigators, these statutes can apply to your cases too. If your case involves one of these improper payments or an improper business structures, you might have a contractual avoidance theory available to you, if you’re the defendant, or an additional claim of fraud, if you are the plaintiff.

The key point is that these statutes can apply in ways that don’t seem immediately obvious.

Source: Stark + AKS Final Rules


Justice Department accuses Anthem of Medicare fraud

Yet another allegation of Medicare Advantange risk adjustment fraud, this time by Anthem. I wrote about the government’s case against Cigna here.

The case alleges that Anthem falsely certified the accuracy of the diagnostic data it sent to the Centers for Medicare and Medicaid Services, causing CMS to calculate risk-adjustment payments to the insurer based on inflated diagnosis information. For example, Anthem submitted an ICD-9 diagnosis code for active lung cancer for one patient, but its chart review program did not substantiate the diagnosis, according to court documents.

Source: Justice Department accuses Anthem of Medicare fraud


CMS Encourages Faster COVID-19 Diagnostic Testing

CMS is changing its payment methodology to encourage higher throughput of COVID-19 diagnostic testing. Previously, CMS would reimburse $100 per test

Starting January 1, 2021, Medicare will pay lower the base rate to $75. However, if the laboratory can complete the test within two (2) calendar days from the date the specimens is collected, CMS will reimburse an additional $25 for a total of $100 per test.

To be entitled to this $25 incentive, the laboratory must: a) complete the test in two calendar days or less, and b) complete the majority of their COVID-19 diagnostic tests that use high throughput technology in two calendar days or less for all of their patients (not just their Medicare patients) in the previous month.

Source: Press release: CMS Changes Medicare Payment to Support Faster COVID-19 Diagnostic Testing


DOJ sues Cigna, alleging $1.4B in Medicare Advantage fraud

Cigna falsified the health conditions of its Medicare Advantage plan members to coax CMS into making larger payments to the insurer on behalf of beneficiaries, a U.S. Justice Department lawsuit alleges.

Medicare Advantage organizations get reimbursed by Medicare based on a formula that takes into account the patient population’s acuity levels. Risk adjustment scores adjust for health conditions so that more reimbursement levels are higher for more costly or chronically ill populations.

The risk adjustment scores have become a source of potential fraud. If the scores are not accurately calculated, MA organizations can receive more reimbursement than their populations warrant. The scores are calculated by CMS based on information provided by the MA organization about the patients health conditions. If the health information provided by the MA organization is inaccurate, so too will be the risk adjustment scores derived by CMS.

Cigna uses a medical assessment system called “360” to assess the health condition of its patients, but this system did not require the providers to state whether the patient’s condition was derived from a clinical assessment or the patient’s subjective description.

CMS alleges that Cigna received an estimated $1.4 billion from 2012 to 2017 and DOJ is seeking equal to three times that amount in damages, along with a civil penalty of $11,000 for each violation.

Source: DOJ sues Cigna, alleging $1.4B in Medicare Advantage fraud


CMS Issues Cease and Desist Orders to Uncertified Labs Performing COVID-19 Testing

Since August 12, 2020, CMS issued 171 cease and desist letters to entities across the U.S. that were testing for COVID-19 without the appropriate certifications under the Clinical Laboratory Improvement Amendments of 1988 (CLIA).

Every facility that conducts COVID-19 testing is considered a “laboratory” and must be certified under CLIA, which verifies that labs meet federal performance and quality standards to help ensure they provide reliable results.

According to CMS, 34% of the labs that were ordered to stop testing were operating without a CLIA certificate, while the remaining 66% were performing COVID-19 testing outside the scope of their existing CLIA certification. The letters provided non-certified labs with information on how to become CLIA certified and encouraged certified labs to obtain proper CLIA certification so they could resume COVID-19 testing.

Source: CMS Takes Action to Protect Integrity of COVID-19 Testing