News / Resources

Topics covered in this issue of the Health Law Update include:

• ACOs—NCQA Releases Standards and Measures; Seeks Public Comment 
• OIG Issues Guidance for Permissive Exclusions 
• Is Your EHR System Private Enough? 
• White House Forms New Subcommittee to Review Online Privacy Issues 
• Chris Swift Named Cleveland Best Lawyers “Health Care Lawyer of the Year” 
• Events Calendar

ACOs—NCQA RELEASES STANDARDS AND MEASURES; SEEKS PUBLIC COMMENT

The National Committee on Quality Assurance (NCQA) has produced the first definitive set of standards for qualifying as an accountable care organization (ACO), in response to the Patient Protection and Accountable Care Act, and is seeking public comments on the various standards and measures by November 19, 2010. NCQA convened an ACO task force to develop a clear set of standards to assess the core capabilities of entities and to assure the success of the ACO movement. With the publication of these standards, the Centers for Medicare and Medicaid Services (CMS) has a clear manner in which to assess capabilities and improve the likelihood of a potential ACO’s success and provide a blueprint and a pathway with very clear stages to achieve full ACO capability.

NCQA defines ACOs as provider-based organizations that assume responsibility for meeting the healthcare needs of a defined population with the goal of simultaneously improving health, improving the patient experience and reducing per capita costs. However, there is an express recognition by NCQA that the manner in which providers will organize themselves to accept accountable payment will vary based on existing practice structures in a region, population needs or local environmental factors. The standards acknowledge that a variety of services may be provided, including insurance products. There is recognition that, at a minimum, ACOs must include a group of physicians with a strong primary care base and sufficient other specialties that support the care needs of a defined population of patients.

A well-run ACO should align the clinical and financial incentives of its providers. Providers will need to be clinically integrated and work together to seamlessly coordinate care for assigned patients. . . .

The standards also provide guidance regarding the level of administrative infrastructure to manage budgets, collect data, report performance and make payments related to performance and organize providers around shared goals.

The NCQA-proposed standards are aligned with CMS’s triple-aim goals of achieving costs savings, improving quality and improving the patient experience.

By coordinating and integrating care, ACOs have the potential to simplify the care process for patients, enhance quality and reduce costs.

According to NCQA, the standards set forth qualifying criteria and monitoring criteria and were informed by guiding principles set forth by the American College of Physicians, American Association of Family Practice and the American Medical Group Association. They outline five guiding principles as follows:

1. ACOs must have a strong foundation of primary care.
2. ACOs must report reliable measures to support quality improvement and eliminate waste and inefficiencies to reduce cost.
3. ACOs are committed to improving quality, improving patient experience and reducing per capita costs.
4. ACOs work cooperatively towards these goals with stakeholders in a community or region.
5. ACOs create and support a sustainable workforce.

The standards contemplate that organizations may achieve one of four levels of scoring for ACOs. The levels are based on an organization’s demonstrated capability to function as an accountable entity and to achieve the CMS triple aims. The assessment is achieved by measuring the entity via seven criteria that go into great detail relating to:

1. Program structure operations;
2. Access and availability for patients;
3. Primary care;
4. Care management and the integration of data;
5. Care coordination and transitions between primary care and specialty care;
6. Patient rights and responsibilities and how an organization manages privacy issues; and
7. Performance reporting criteria.

NCQA is interested in how organizations may immediately use the measures to demonstrate performance. Based on past experience and the specific requests by the industry to use NCQA accreditation of medical homes as a deeming mechanism to assure compliance with multiple legal issues, the likelihood of NCQA standards for ACOs becoming a deeming standard for CMS is very high.

For more information about the draft ACO standards, ACO development or regarding the best manner to provide comments, please contact Susan Feigin Harris, or 713.646.1307.

OIG ISSUES GUIDANCE FOR PERMISSIVE EXCLUSIONS

The Office of Inspector General (OIG) recently issued guidance related to its permissive exclusion authority. The guidance identified factors that the OIG will consider in determining whether to exercise its discretionary authority to exclude owners, officers and managing employees of an entity that has been excluded or convicted of certain offenses.

Federal law allows the OIG to exclude individuals who have an ownership or control interest in a sanctioned entity if the individual knew or should have known of the conduct that led to the sanction. The law also allows the OIG to exclude officers and managing employees of a sanctioned entity based solely on their position in the company and without regard to what they knew or should have known.

With respect to owners, the OIG notes that if there is evidence that supports that the owner knew or should have known of the conduct, the OIG will “operate with a presumption in favor of exclusion.” The presumption can be overcome if the OIG finds that “significant factors weigh against exclusion.”

With respect to officers and managing employees, the OIG asserts that it can exclude every officer and managing employee although the OIG says it does not intend to do so. Rather, the OIG notes that if an officer or managing employee knew or should have known of the conduct, the OIG will “operate with a presumption in favor of exclusion.” As above, the presumption can be overcome if the OIG finds that “significant factors weigh against exclusion.”

The OIG guidance includes a series of questions that will be considered in determining whether to exercise its permissive exclusion authority. The questions relate to various factors, including the circumstances of the misconduct, the seriousness of the offense, the individual’s role in the sanctioned entity, the individual’s actions in response to the misconduct and information about the entity. For example, the OIG will consider the following factors:

• Whether beneficiaries were harmed;
• The extent of any financial harm to federal healthcare programs;
• Whether the misconduct is an isolated incident or represents a pattern of wrongdoing;
• If the entity previously has had any similar problems with the government;
• The individual’s role and responsibility in the entity including such person’s position and relationship to the underlying misconduct; and
• The size of the entity and its corporate structure.

It is important to note that the OIG’s decision to exercise its discretionary authority to exclude individuals is not subject to administrative or judicial review.

For more information, please contact B. Scott McBride, or 713.646.1390.

IS YOUR EHR SYSTEM PRIVATE ENOUGH?

News accounts and criminal convictions involving unauthorized access or theft of electronic health records by healthcare facility or medical practice employees are raising renewed concerns about the privacy and security implications associated with the surging development and use of electronic health records (EHR) systems. While providers often feel confident in the security offered by firewalls, passwords and encryption protection imbedded in their EHR systems, a potential threat to patient privacy remains simply in the fact that a large number of a provider’s employees may have broadly-defined access rights to virtually all of a provider’s patient records. Whether such broad access is permissible under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a question on which varying views of industry experts and lawmakers can be found. Stakeholder views may differ based on clinical, operational, financial and personal privacy considerations.

Under the HIPAA privacy regulations, with a few limited exceptions, when making disclosures or using protected health information (PHI) outside of treatment, a covered entity must make reasonable efforts to limit PHI disclosures to the minimum necessary to accomplish the intended purpose of the use, disclosure or request, or otherwise obtain an authorization from the patient. See 45 C.F.R. § 164.502(b). The minimum necessary requirement is to be implemented by identifying “those persons or classes of persons, as appropriate, in [the covered entity’s] workforce who need access to protected health information to carry out their duties” and “for each such person or class of persons, the category or categories of protected health information to which access is needed and any conditions appropriate to such access.” 45 C.F.R. § 164.514(d)(2)(A) and (B).

Thus, a design issue in developing or purchasing a HIPAA-compliant EHR system is whether or not the system includes technology that reasonably and appropriately limits access to patient information to only those members of the workforce who need it, or so-called role-based access capability. While the classification of access rights and limitations on the categories of PHI that can be viewed may add complexity and expense to an EHR system, this HIPAA requirement should not be overlooked. Additionally, among other safeguards, the ability to log information system activity (e.g., record the user’s identity, time, type and extent of data accessed) and to perform security audits and forensic investigations on an EHR system are important components needed to facilitate a covered entity’s compliance with the HIPAA privacy and security regulations and to reassure patients that their privacy is indeed being protected during this period of rapid EHR expansion.

For more information, please contact John S. Mulhollan, or 216.861.7484.

WHITE HOUSE FORMS NEW SUBCOMMITTEE TO REVIEW ONLINE PRIVACY ISSUES

In a statement released October 24, the Obama Administration launched a new interagency “subcommittee” of the National Science and Technology Council to review privacy and Internet policy, which may include review of healthcare privacy issues. The working group will focus primarily on individual privacy issues associated with the Internet and related online systems, to “develop principles and strategic directions with the goal of fostering consensus in legislative, regulatory, and international Internet policy realms.”

Consisting of representatives of eleven federal agencies, including the U.S. Department of Health and Human Services and eight executive organizations, the subcommittee promises to work closely with private stakeholders in developing a set of core principles to, among other things, facilitate transparency, promote cooperation, empower individual decision-making and build trust in online environments, while at the same time protect the rule of law, promote innovation and economic expansion and balance the interests of stakeholders.

The identities of the private stakeholders to be invited, the schedule of the group’s meetings and the transparency of the subcommittee’s deliberations have yet to be determined or announced by the administration.

For more information, please contact John S. Mulhollan, or 216.861.7484.

CHRIS SWIFT NAMED CLEVELAND BEST LAWYERS “HEALTH CARE LAWYER OF THE YEAR”

Best Lawyers, the oldest peer-review publication in the legal profession, has named Chris Swift of Baker Hostetler as the “Cleveland Best Lawyers Health Care Lawyer of the Year” for 2011. Swift has been recognized by Best Lawyers for more than 10 years, including being named Cleveland Best Lawyers Tax Lawyer of the Year in 2010.

After more than a quarter of a century in publication, Best Lawyers is designating “Lawyers of the Year” in high-profile legal specialties in large legal communities. Only a single lawyer in each specialty in each community is being honored as the “Lawyer of the Year.”

Best Lawyers compiles its lists of outstanding attorneys by conducting exhaustive peer-review surveys in which thousands of leading lawyers confidentially evaluate their professional peers. The current, 17th edition of The Best Lawyers in America (2011) is based on more than 3.1 million detailed evaluations of lawyers by other lawyers.

The lawyers being honored as “Lawyers of the Year” have received particularly high ratings in surveys by earning a high level of respect among their peers for their abilities, professionalism and integrity.

Steven Naifeh, president of Best Lawyers, says, “We continue to believe—as we have believed for more than 25 years—that recognition by one’s peers is the most meaningful form of praise in the legal profession. We would like to congratulate Christopher J. Swift on being selected as the ‘Cleveland Best Lawyers Health Care Lawyer of the Year’ for 2011.”

EVENTS CALENDAR

November 18

Houston partner Susan Feigin Harris will speak on “Back to the Future: Accountable Care Organizations, Clinical Integration, Medical Homes and Emerging Models for Delivery System Reform” at the Healthcare Rx New Business of Healthcare Summit in Flower Mound, Texas.

Baker & Hostetler LLP publications are intended to inform our clients and other friends of the Firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience. © 2010 Baker & Hostetler LLP