News / Resources

Welcome to this week's edition of the Health Law Update. Topics covered today include:

• IRS Clarifies W-2 Reporting Requirements for Employer-Sponsored Health Plan Coverage 
• Proposed Rule Implements the Physician Payment Sunshine Act 
• Medicaid DSH Calculation -- Insurance Won't Cover the Patient's Claim; No Worries -- Relief May Be on the Way! 
• Update: Final HITECH Act Regulations Will Be Published in 2012 
• Ohio Appeals Court Rejects Wrongful Disclosure of Medical Information Claim 
• Events Calendar

We hope you find this information helpful. Please contact any member of Baker Hostetler's Healthcare Team with questions.

IRS CLARIFIES W-2 REPORTING REQUIREMENTS FOR EMPLOYER-SPONSORED HEALTH PLAN COVERAGE

In early January, the Internal Revenue Service (IRS) released Notice 2012-9, which clarified and revised the requirements for disclosing the aggregate cost of employer-sponsored health coverage on employees' annual Form W-2, Wage and Tax Statements. Notice 2012-9 revised portions of Notice 2011-28, in addition to adding new requirements and restating other portions of the prior guidance. (For a prior summary of Notice 2011-28, please see our June 23, 2011, issue of the Health Law Update.)

As background, the informational disclosures to employees are required pursuant to Internal Revenue Code (Code) Section 6051(a)(14) (which was added by Section 9002(a) of the Patient Protection and Affordable Care Act (PPACA)). The IRS previously issued guidance (including Notice 2010-69 and Notice 2011-28) interpreting Code Section 6051(a) in order to assist employers with making the disclosures. These reporting requirements are informational only. Nothing under Code Section 6051(a)(14) or the related guidance causes or would cause otherwise tax-excludable employer-provided healthcare to become taxable to the employee.

Notice 2012-9 contains 39 questions and answers which, among other requirements:

• Briefly discuss the general requirements of Section 6051(a)(14) of the Code;
• Identify the employers subject to the reporting requirements and clarify that employers who file fewer than 250 Forms W-2 in the preceding calendar year are exempt from the reporting requirements, beginning with 2012 Forms W-2 (except that employers who use agents to file Forms W-2 will be exempt only if the employer would have filed fewer than 250 Forms W-2 if it had not used the agent);
• Provide methods for reporting the cost of coverage on the Form W-2;
• Define certain terms related to the cost of coverage which employers must report on the Form W-2;
• Set forth the types of coverage which employers must include in the amount reported on the Form W-2 (including the amount, if any, of a health flexible spending arrangement which exceeds the corresponding salary reduction elected by the employee for the plan year);
• Clarify that the cost of coverage under a dental plan or a vision plan need not be included in the aggregate reportable cost if the plan satisfies the requirements for excepted benefits under the Health Insurance Portability and Accountability Act (HIPAA);
• Describe calculation methods that employers may use to determine the cost of coverage when a payroll period includes December 31 and continues into the subsequent calendar year;
• Address various other issues employers may encounter in calculating the cost of coverage, including the extent to which an employer must include the cost of coverage provided under an employee assistance program (EAP), wellness program or on-site medical clinic in the aggregate reportable cost reported on the Form W-2; and
• Provide transition relief in the reporting of certain types of employer-sponsored coverage.

The guidance contained in Notice 2012-9 is generally applicable beginning with the 2012 Forms W-2 (provided to employees in January 2013). However, employers who voluntarily report the cost of coverage on 2011 Forms W-2 may rely upon the guidance contained in Notice 2012-9.

For more information, please contact Jennifer A. Mills, or 216.861.7874, Deborah Koerwitz Bracy, or 216.861.7354, or Anne C. Foster, or 216.861.7258.

top of page

PROPOSED RULE IMPLEMENTS THE PHYSICIAN PAYMENT SUNSHINE ACT

PPACA incorporated the Physician Payment Sunshine Act at Section 6002. On December 19, 2011, the Centers for Medicare and Medicaid Services (CMS) published a proposed rule implementing this provision. The proposed rule requires applicable manufacturers of drugs, devices, biologicals or medical supplies covered by Medicare, Medicaid or the Children's Health Insurance Program to annually disclose to CMS payments or transfers of value to physicians and teaching hospitals, known as "covered recipients."

The proposed rule recognizes that the rule would not be finalized in time to require collection of information for all of calendar year 2012 as required in PPACA; therefore, CMS proposes that only part of 2012 data would be required to be reported on March 31, 2013. The final rule will clarify when manufacturers are required to begin collecting payment information for the first reporting period.

The proposed rule clarifies that CMS will consider items covered by one of the applicable programs if they are paid on a fee schedule or as part of a composite rate payment; however, over-the-counter drugs and those items that do not require premarket approval by, or notification to, the Food and Drug Administration are not within the rule.

Manufacturers must report to CMS the covered recipient's name, business address, specialty and NPI for physicians and the date, form and nature of payment. CMS will publish the data annually on a publicly available website.

The proposed rule exempts from disclosure payments to physicians that are less than $10 individually and $100 in the aggregate annually. Additionally, manufacturers may request that CMS delay the publication of payments made to covered recipients for bona fide product research, development agreements and clinical investigations for a maximum of four years.

Under the proposed rule, manufacturers and group purchasing organizations also will be required to submit a separate report to CMS disclosing physician ownership and investment interests and transfers of value to physicians attributable to these relationships.

Entities that fail to report the required information accurately and completely may be subject to varying civil monetary penalties (CMPs), depending on the nature of the failure. However, CMPs of up to $1 million annually are possible.

Comments to the proposed rule are due by February 17, 2012.

For more information, please contact B. Scott McBride, or 713.646.1390 or Darby C. Allen, or 713.646.1311.

top of page

MEDICAID DSH CALCULATION -- INSURANCE WON'T COVER THE PATIENT'S CLAIM; NO WORRIES -- RELIEF MAY BE ON THE WAY!

CMS recently issued a proposed rule clarifying what constitutes uncompensated care for purposes of the Medicaid disproportionate share hospital (DSH) payment limit. The proposed rule broadens the definition of "individuals who have no health insurance (or other source of third party coverage)" for purposes of computing the amount of uncompensated care provided by DSH hospitals to include individuals who have insurance coverage, but are not covered for the specific service provided.

CMS issued the proposed rule in an attempt to address a potential conflict between the CMS 1994 guidance, which endorsed a "service-specific approach" to the DSH payment computation, and the CMS 2008 Medicaid DSH payment rule that excluded DSH reimbursement for individuals with "creditable coverage," as well as individuals who had coverage based upon a legally liable third party payer.

This clarification is important because Medicaid DSH payments to hospitals may not exceed the amount of uncompensated care a hospital provides for the applicable year. The proposed rule mitigates some of the unintended consequences of the CMS 2008 rule by eliminating the penalty to hospitals that provide uncovered services for people with insurance, even though the hospital received no payment.

For more information, please contact Robert M. Wolin, or 713.646.1327.

top of page

UPDATE: FINAL HITECH ACT REGULATIONS WILL BE PUBLISHED IN 2012

During 2011, informal indications were given by the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) and various industry experts that the final Health Information Technology for Economic and Clinical Health Act (HITECH Act) regulations amending the HIPAA privacy and security regulations would be published by the end of 2011. However, the regulations continue to be delayed due to the numerous comments and policy questions being reviewed and addressed by OCR and other Health Information Privacy officials within HHS, according to a privacy specialist. Reasons for the lengthy time period include numerous policy reviews conducted by HHS and the need to formulate responses to over 300 comments received in connection with the July 14, 2010, proposed rule (75 Fed. Reg. 40868). Although no specific month or day has been announced for publication of the final regulations in 2012, healthcare providers, health plans and clearinghouses should be prepared for publication sometime this year, and expect a few weeks or months of delayed enforcement to enable subject entities to transition to any new requirements.

Additionally, policy reviews are still being conducted by HHS OCR with respect to the Interim Final Rule for breach notification under the HITECH Act, which is found at 45 C.F.R. part 164, subpart D. It is not clear whether the breach notification regulations will remain unchanged or if revisions will be announced along with the HITECH Act final regulations.

Despite the continued delay in the final HITECH Act regulations, covered entities and business associates that are reviewing, implementing and updating their HIPAA privacy and security policies and procedures should continue to do so with diligence. The HIPAA regulations require periodic evaluation and updating of policies and safeguards to address a changing healthcare environment and evolving privacy and security threats. Further, OCR currently is in the process of conducting HIPAA privacy and security audits of covered entities, as required under the HITECH Act, notification of which began in November 2011. Covered entities should keep in mind that the HIPAA Security Standards took effect for most covered entities in April of 2005. For business associates under the HITECH Act, the HIPAA Security Standards became directly applicable to them in February 2010. Similarly, the HITECH breach notification interim final rule, referred to above, became actively enforced in February 2010. Covered entities and business associates should consider finalizing any updates to their privacy and security policies, procedures, safeguards and documentation, and revisit these later in the year for any adjustments needed when the final HITECH Act regulations are published.

For more information, please contact John S. Mulhollan, or 216.861.7484.

top of page

OHIO APPEALS COURT REJECTS WRONGFUL DISCLOSURE OF MEDICAL INFORMATION CLAIM

In an opinion announced on January 10, 2012, the Ohio Tenth District Court of Appeals held that a hospital's use of a patient's individually identifiable health information (PHI) for obtaining payment of a patient's account was a valid use of PHI for payment purposes under HIPAA, and rejected the patient's claim that disclosure of the patient's PHI was a wrongful disclosure of medical information under Biddle v. Warren General Hospital, Ohio's seminal case that established a personal injury tort for wrongful disclosure of confidential medical information.

In OhioHealth Corp. v. Ryan, No. 10AP-937, 2012-OH-60, 10th Dist. App. (Jan. 10, 2012), OhioHealth filed a legal action against Ryan, a former patient, to recover on an account for unpaid medical services. Defendant Ryan denied the allegations of the complaint and filed a counterclaim against OhioHealth, alleging OhioHealth created false PHI by claiming that Ryan was uninsured and that OhioHealth engaged in unauthorized disclosure of said information to a third party.

Ryan asserted that under Biddle v. Warren Gen. Hosp., 86 Ohio St. 3d 395 (1999), OhioHealth disclosed, without authorization or privilege, nonpublic medical information obtained in a confidential relationship. OhioHealth countered that, as a "covered entity" under HIPAA, its actions were governed by the HIPAA privacy regulations, which specifically authorize disclosure of PHI for purposes of obtaining payment for services, and which preempt contrary state laws (and that no exceptions to state law preemption applied).

The trial court granted OhioHealth's motion to dismiss the patient's counterclaim on the basis that the disclosure of PHI at issue was indeed permitted under HIPAA and therefore constituted an authorized, privileged use of medical information under the Biddle case. After additional motions for summary judgment and dismissal, the trial court issued a judgment entry finding there were no genuine issues of material fact remaining for trial and held defendant Ryan liable on the unpaid account. Defendant Ryan appealed both the dismissal of the counterclaim and the judgment entry on the unpaid account.

The Ohio Tenth District Court of Appeals, in addressing defendant Ryan's first assignment of error, found that (1) Biddle v. Warren Gen. Hosp. was distinguishable from the instant case because OhioHealth's disclosure of Ryan's account information was a protected or "privileged" disclosure, meaning it was legally permitted under HIPAA without obtaining the patient's consent, and (2) no private right of action exists under HIPAA, which is the dispositive authority in the case.

First, assuming that the Biddle case did apply, the court found the disclosure in the present case was authorized by HIPAA for payment purposes, thus rendering the disclosure by OhioHealth permissive and not wrongful or unauthorized under Biddle. Further, the disclosure involved account information and not the entire medical records of the patient, as was the case in Biddle. Second, the court reasoned that the federal HIPAA law generally preempts or supersedes state laws that are contrary to its requirements, unless such state laws impose requirements that are more stringent than HIPAA (citing 45 C.F.R. § 160.202(6) and § 160.203(b)). The court found that defendant Ryan failed to cite any Ohio authority more stringent than HIPAA. Third, and significantly, the court of appeals recognized that, even if there was a wrongful disclosure under HIPAA, there is no private right of action under HIPAA, as recognized by several federal district courts in Ohio on prior occasions. Ryan was without ability to bring an action under HIPAA in court.

Thus, given the privileged, authorized disclosure of information by OhioHealth under HIPAA, and absent any more stringent state law requirement, the defendant was unable to establish a claim that OhioHealth engaged in the tort of wrongful disclosure of nonpublic medical information obtained in a confidential relationship under Biddle v. Warren General Hospital. The court of appeals upheld the dismissal of the defendant's counterclaim against OhioHealth, and upheld the trial court's summary judgment in favor of OhioHealth on the patient's past due account.

See the opinion.

For more information, please contact John S. Mulhollan, or 216.861.7484.

top of page

EVENTS CALENDAR

February 8-9

Houston partner Scott McBride will speak on "Medicare Audits and Appeals: Practical Advice on Preparing for and Responding to RAC, ZPIC, and MAC Audits" at the Physicians and Physician Organizations Law Institute sponsored by the American Health Lawyers Association in Orlando, Florida.

February 10

Houston partner Scott McBride will speak on "Healthcare Enforcement Trends and Individual Liability" at the Institute for Healthcare Financial Improvement sponsored by the Healthcare Financial Management Association Texas Gulf Coast in Houston, Texas.

top of page