Topics covered in this issue of the Health Law Update include:
On May 31, 2011, the U.S. Department of Health and Human Services (HHS) published a proposed rule adopting sweeping changes to the “accounting of disclosures” requirement under 45 C.F.R. § 164.528 that are likely to have a significant impact on the health information technology (HIT) systems being implemented by many healthcare providers, health plans (including employer-sponsored plans) and business associates. The proposed requirements will not become final until after comments are received and evaluated and a final rule is published by HHS later this year or next. Therefore, healthcare providers, health plans (including employers sponsoring health plans) and business associates should take this opportunity to carefully review the proposed rule’s provisions, send comments to HHS and consider the systematic changes that may be necessary when the rule becomes finalized.
The proposed rule changes the existing Health Insurance Portability and Accountability Act (HIPAA) accounting requirement in two very significant ways. First, it revises the accounting requirement to shorten the time period covered by the regulation to the three-year period prior to the request (previously six years) for all disclosures of protected health information (PHI) (paper and electronic), while removing certain exceptions, including those for disclosures related to treatment, payment and healthcare operations. Second, in the interest of balancing the rights of individuals to learn about disclosures of their PHI with the burden to covered entities of providing detailed accounting reports, the proposed rule creates a new “access report” requirement which enables covered entities to provide only the date, time and identity of the person who accessed an individual’s electronic PHI, but does not require tracking or reporting the purpose of the disclosure as required under the existing accounting requirement.
Under the existing HIPAA privacy regulations, individuals are entitled to receive an “accounting” of all disclosures of PHI made by the covered entity, including those through its business associates, for the six years preceding the individual’s request, excluding certain permissible disclosures, the most significant of which are (1) for treatment, payment and healthcare operations; (2) disclosures to the individual about him or her; and (3) disclosures to law enforcement. 45 C.F.R. § 164.528(a)(1). The accounting is required to be furnished to the individual no later than 60 days after receiving a written request.
When Congress passed the Health Information Technology for Economic and Clinical Health Act (HITECH Act), part of the stimulus legislation known as the American Recovery and Reinvestment Act of 2009, it instructed HHS to adopt an accounting requirement specifically related to “electronic health records” (EHRs) by requiring the accounting of disclosures from an EHR to include all disclosures, without excluding those made for treatment, payment and healthcare operations and shortening the time period covered by an accounting of disclosures from an EHR to three years instead of six (paper records still would be subject to a six-year accounting period). The HITECH Act directed HHS to issue regulations by not later than June 18, 2010.
The changes put forth by HHS in the May 31 proposed rule go significantly beyond the requirements of the HITECH Act, but HHS asserts they are consistent with the major purpose of the Act which was to apply the accounting requirement to electronic PHI in an EHR.
Healthcare providers, health plans and employer-sponsored health plans may welcome some of the changes being proposed to the existing accounting of disclosures requirement, while finding other changes more burdensome. HHS proposes to shorten the time period covered by a request for an accounting to just three years, regardless of whether the records are paper or electronic. This should enable covered entities to apply accounting procedures consistently across all types of PHI. Additionally, HHS has chosen to focus more attention on accounting of disclosures that are presumed to be most important to individuals by removing some disclosures from the requirement, while adding specific requirements for other categories of disclosures. For example, on the one hand, disclosures for clinical research will be excluded from the accounting requirement (assuming that the IRB or research practitioner has followed HIPAA’s requirements for an authorization or research waiver), as will disclosures that are required by law. On the other hand, a full accounting will be required for all disclosures that are not permitted under HIPAA, including unauthorized disclosures that did not rise to the level of a “breach” under the Breach Notification Interim Final Rule published at 45 C.F.R. part 164, subpart D, disclosures for public health activities (such as infectious disease reporting) and for all disclosures made for law enforcement purposes and judicial or administrative proceedings (even though such disclosures in certain cases do not require an authorization).
Further, on the positive side, the proposed rule limits the accounting for disclosures requirement to only the PHI maintained in a “designated record set” instead of all PHI that may be scattered throughout an organization. Nevertheless, on the negative side, covered entities may find significant challenges in determining what exactly constitutes a “designated record set,” and will continue to be required to track the purpose of each disclosure subject to an accounting—a task many covered entities have found will add a significant level of complexity to the already expanding list of required features of HIT systems. Generally speaking, a “designated record set” is a group of records maintained by or for a covered healthcare provider that comprises the medical and billing records about individuals or maintained by a health plan (including an employer-sponsored health plan) comprising the enrollment, payment, claims adjudication and case or medical management record systems used, in whole or in part, by or for either type of covered entity to make decisions about individuals. The applicability and scope of the definition (i.e., what provider or health plan records fall within or outside of the definition) have perplexed some covered entities who may be particularly challenged by the existing requirement to maintain written or electronic documentation showing all designated record sets maintained within their organization, under 45 C.F.R. § 164.524. Additionally, the HHS preamble to the proposed rule specifically applies the accounting requirement to copies of designated record sets held by business associates, a factor likely to necessitate amendments to business associate contracts.
As indicated by the brief highlights of the proposed rule described above, the new requirements contain a mixed bag of changes designed to enhance an individual’s right to learn where, by whom and for what purpose disclosures of their PHI have been made, while lessening the burden on covered entities by reducing the types of disclosures and the time period covered by the accounting requirement.
Further helping to improve the individuals’ understanding of the types of disclosures made about them may be the new requirement for an access report, described below, which will allow covered entities to respond in a more narrow fashion to individuals’ requests for information on disclosures of their PHI maintained in an electronic designated record set.
Perhaps the most significant change proposed by HHS is the new right of individuals to receive an access report including, at a minimum, the date and time of access and the name of the user or entity that accessed or disclosed PHI maintained in an electronic designated record set. The report must include all access, including uses as well as disclosures, which is a significant expansion of the existing accounting requirement. There will be no distinction between access by internal employees and access by persons outside an organization. Additionally, the report must indicate the type of information accessed (e.g., diagnosis or medications) and the action taken (modify, transfer, etc.), but only if either of such information is available in the HIT system. Perhaps most significantly, the access report applies to all electronic PHI maintained in a designated record set, not just EHRs, and the exception for disclosures relating to treatment, payment or healthcare operations would not apply. Thus, while HHS points out that the new access report requirement satisfies the HITECH Act’s mandate to apply the accounting requirement to EHRs, in actual operation, the proposed rule expands the right to an accounting to cover a much wider variety of disclosures, including internal uses of PHI by employees. These changes would create significant new challenges for covered entities already grappling with the design and implementation of appropriate system activity logs and audit reporting technology to comply with existing privacy and security laws.
The proposed accounting requirement changes published on May 31 will create significant new challenges to a wider spectrum of covered entities than previously expected by most experts. For example, the expansion of the access report to cover all electronic PHI, rather than merely EHRs, will sweep within the rule’s application many additional entities that customarily do not maintain EHRs, such as health plans and health insurers (including employers that sponsor such plans) and business associates working with electronic PHI. Additionally, the application of the new requirements specifically to designated record sets will highlight the need for covered entities and business associates to develop and document the types of PHI they routinely use or disclose, to ensure that designated record sets are appropriately tracked and oversight maintained (both human and electronic) for purposes of preparing an adequate accounting or access report within the time limits and other requirements under the regulation.
Keep in mind that the new requirements published on May 31 are only proposed. Nevertheless, assuming that many of the provisions are enacted in the final rule, the following activities, among others described previously, will be needed. It may not be too early for covered entities and business associates to consider and plan for the following new requirements:
Healthcare providers, health plans and employers sponsoring health plans will need to amend their business associate agreements with business associates (such as billing companies and consultants, third-party administrators and other vendors handling PHI) to reflect and facilitate compliance with the new accounting and access reporting requirements. These amendments should include descriptions of the shortened timing and detailed content required for such reports. Business associate agreements should be amended to require that business associates take steps to gather the appropriate information and actively assist with compiling reports when and as requested by their covered entity customers.
Changes to covered entity Notices of Privacy Practices will be necessary to appropriately describe the new accounting and access report requirements and to inform individuals of the types of disclosures subject to the requirements. For health plans and employers, because these updates are considered material revisions to the notice, the revised Notices will need to be distributed within 60 days of the material revision.
Covered entity and business associate record retention policies would need to be updated to reflect changes in the document retention rules as they apply to accountings of disclosures and the new access report requirement. Specifically, information that is required to be included in an accounting or access report must be retained for three years from the date of the disclosure, but the actual accounting or report must be retained for six years.
The new rule will put greater urgency and emphasis on adopting reasonable and appropriate technical and administrative measures to log access, changes, uses and disclosures of electronic PHI, including those for public health, law enforcement, judicial or administrative proceedings, research and other permissible activities, which may become subject to the expanded reporting requirements.
HHS has asked that comments on the proposed rule be submitted by August 1, 2011. HIPAA-covered entities, including providers and employer health plan sponsors, should seriously consider submitting comments and questions to HHS in an effort to shape how these rules will ultimately affect them.
For more information, contact John S. Mulhollan, 216.861.7484; Susan Whittaker Hughes, 216.861.7841; or Lynn Sessions, 713.646.1352.
In a recent case, the First Circuit held that a provider’s truthful certification can be a false certification with respect to an underlying supplier based upon the supplier’s conduct in an underlying transaction. The court found that compliance with the anti-kickback statute (AKS), by both the provider and its underlying suppliers, was a precondition for Medicare reimbursement and that a provider’s submission of a claim which included items and services from a supplier’s underlying transaction that violated the AKS would give rise to a violation of the False Claims Act (FCA) with respect to the supplier, based on the provider’s implied certification.
To state a claim under the FCA, a person must have “(1) knowingly presented or caused to be presented, (2) a false claim, (3) to the United States government, (4) knowing its falsity, (5) which was material, and (6) seeking payment from the federal treasury.” A claim for payment, according to the court, implies that the claimant has complied with the preconditions to payment.
In this case, the supplier paid kickbacks to physicians to induce the use of the supplier’s spinal implant products. The court held that when a physician or hospital certifies that it will abide by Medicare laws, regulations and instructions in its provider agreement with respect to his or her own compliance, the provider also is making an implied certification concerning the behavior of non-claim-submitting entities in the provider’s supply chain; specifically, that its supplier’s underlying transactions to obtain the items and services necessary to provide the services billed in a provider’s claim did not result from a kickback. The court focused on the provider agreement’s language that states, “I understand that payment of a claim by Medicare is conditioned upon the claim and the underlying transaction complying” with the AKS. The court’s extremely broad definition of what constitutes an underlying transaction is unprecedented. Rather than treating the underlying transaction solely as the transaction between the patient and the provider, the court incorporated all of the transactions in the underlying supply chain as underlying transactions. Thus, the supplier’s kickback to a physician to encourage the order of an item by the hospital violated that hospital’s implied certification that the underlying transaction was compliant with the AKS. We believe that the Supreme Court, if it reviews this issue, would be unlikely to view the term “underlying transaction” as expansively as the First Circuit has.
The district court had held that provider agreements only included representations about the provider entity’s conduct and that unlawful conduct by a third party, about which the provider neither knew nor had reason to know, could not render the provider’s claims false or fraudulent. The district court also held that a claim can be false or fraudulent only if the submitting entity knew or should have known of the underlying falsehood or fraudulence. The First Circuit rejected both propositions.
The court also found that the supplier’s kickback to a physician rendered the physician’s Medicare billing for surgical services related to the implantation of the spinal implant products to be false, even though the physician did not bill for the supplier’s spinal implant products.
The supplier essentially was deemed to have caused the provider to submit false claims, even though the provider’s certification was accurate as to its own transactions. It is likely, in this case, that the hospital would have no liability for the false claim as it had no knowledge of the kickback. However, where a hospital has some knowledge of a physician’s financial relationship, for example, when a physician forms a product distribution company, the hospital may have an obligation to investigate the physician’s financial relationship to assure that its certification of compliance with the AKS is accurate.
It should also be noted that the Senate Finance Committee minority staff recently issued a report on their inquiry into physician-owned distributors, and several ranking senators have sent letters to the HHS Office of Inspector General and the Centers for Medicare and Medicaid Services asking that an investigation be opened into physician-owned distributorships.
For more information, please contact Robert M. Wolin, 713.646.1327.
Under new legislation passed by the Senate in the first special session of the Texas legislature, healthcare facilities, including hospitals, nursing homes, assisted living facilities, ESRD facilities and ambulatory surgery centers will be required to develop and implement policies to vaccinate their workers to protect patients from vaccine-preventable diseases.
The healthcare facility’s policy must (1) require all employees, persons with privileges and persons providing direct patient care under contract, from housekeepers to physicians, to receive vaccines for vaccine-preventable diseases specified by the facility, based on the person’s level of risk resulting from the individual’s exposure to patients; (2) include procedures for persons to be exempted for certain medical conditions or for reasons of conscience, including a religious belief; (3) provide procedures a person who is exempt from the vaccinations must follow to protect facility patients from exposure, as in the use of protective medical equipment, such as gloves and masks; (4) prohibit discrimination or retaliatory action against someone who is exempt from the required vaccines, except that required use of protective medical equipment, such as gloves and masks, may not be considered retaliatory action, and during a public health disaster the person may be prohibited from having contact with facility patients; (5) include procedures for verifying whether a person has complied, and maintenance of a written or electronic record of such person’s compliance with or exemption from the policy; and (6) include disciplinary actions for failure to comply with the policy.
Policies are required to be in place by September 2012.
The legislation also required that the Texas Department of State Health Services develop a standardized patient risk identification system to readily identify patients with specific medical risks. Once developed, hospitals will be required to utilize the statewide standardized patient risk identification system, subject to certain limited exceptions.
The Texas legislation also contains a provision requiring Medicaid beneficiaries, to the extent permitted under the federal Medicaid program, to share the cost of nonemergency medical care received through a hospital emergency room, to encourage personal responsibility. The legislation also authorized, to the extent that it is cost effective, a physician incentive program designed to reduce the use of hospital emergency room services for nonemergency conditions by Medicaid recipients.
The Texas Senate also authorized the development of quality-based outcome and process measures and quality-based payment systems for compensating physicians, healthcare providers and facilities participating in the child health plan or Medicaid program. The measures will be designed to (1) align payment incentives with high-quality, cost-effective healthcare; (2) reward the use of evidence-based best practices; (3) promote the coordination of healthcare; (4) encourage appropriate physician and other healthcare provider collaboration; (5) promote effective healthcare delivery models; and (6) take into account the specific needs of the child health plan program enrollee and Medicaid recipient populations.
The legislation provides that a public hospital or hospital district that provides healthcare services to certain sponsored aliens may recover, from the person who executed an affidavit of support on behalf of the alien, the costs of the healthcare services provided to the alien.
Finally, the Senate developed a form of accountable care organization, known as a certified healthcare collaborative (Texas ACO), to provide or arrange for healthcare services through contracts with physicians and healthcare providers or with entities contracting on behalf of participating physicians and healthcare providers. A Texas ACO, however, generally may not prohibit a physician or other healthcare provider from participating in another healthcare collaborative. Texas ACOs must obtain a certificate of authority under the Texas Insurance Code.
Texas ACOs are required to establish policies to improve the quality and control the cost of healthcare services. A Texas ACO’s policies must include standards and procedures relating to (1) the selection and credentialing of physicians and healthcare providers; (2) the development, implementation, monitoring and evaluation of evidence-based best practices and other processes to improve the quality and control the cost of healthcare services, including practices or processes to reduce the occurrence of potentially preventable events, and processes to improve patient engagement and coordination of healthcare services; and (3) patient and provider complaints.
The legislation exempted Texas ACOs from Texas’ antitrust laws and enacted provisions designed to provide ACOs with immunity from federal antitrust laws through the state action doctrine. The legislation, however, does not protect anyone from the penalties associated with activities that would constitute per se violations under federal antitrust laws. The Federal Trade Commission, however, has expressed its concern that the immunity from federal antitrust laws will have adverse consequences for consumers.
The legislation also permits Texas ACOs to contract for and accept payments from governmental and third party payors based on alternative payment mechanisms, including bundled or global payments and quality-based payments, without violating state laws, such as the corporate practice of medicine doctrine.
Baker & Hostetler LLP publications are intended to inform our clients and other friends of the Firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience. © 2011 Baker & Hostetler LLP
EDITOR
Kathleen P. Rubinstein, MPA, Policy Analyst, 713.276.1650

NATIONAL CO-LEADERS
Thomas W. Kahle, tkahle@bakerlaw.com, 513.929.3414
Christopher J. Swift, cswift@bakerlaw.com, 216.861.7461

CHICAGO
Tara Goff Kamradt, tkamradt@bakerlaw.com, 312.416.6222

CLEVELAND
Steven A. Eisenberg, seisenberg@bakerlaw.com, 216.861.7903
John S. Mulhollan, jmulhollan@bakerlaw.com, 216.861.7484
Emily E. Williams, eewilliams@bakerlaw.com, 216.861.7373
Thomas S. Campanella, tcampanella@bakerlaw.com, 216.861.6551
Susan Whittaker Hughes, shughes@bakerlaw.com, 216.861.7841

COLUMBUS
Richard W. Siehl, rsiehl@bakerlaw.com, 614.462.2639
M.J. Asensio, masensio@bakerlaw.com, 614.462.2622
Mark Hatcher, mhatcher@bakerlaw.com, 614.462.4765
Winnie Sim, wsim@bakerlaw.com, 614.462.4726

COSTA MESA
George T. Mooradian, gmooradian@bakerlaw.com, 714.966.8800

DENVER
David B. Waller, dwaller@bakerlaw.com, 303.764.4093

HOUSTON
Robert M. Wolin, rwolin@bakerlaw.com, 713.646.1327
Susan Feigin Harris, sharris@bakerlaw.com, 713.646.1307
Donna S. Clark, dclark@bakerlaw.com, 713.646.1302
B. Scott McBride, smcbride@bakerlaw.com, 713.646.1390
Lynn M. Sessions, lsessions@bakerlaw.com, 713.646.1352
Sameer V. Mohan, smohan@bakerlaw.com, 713.646.1309
Summer D. Swallow, sswallow@bakerlaw.com, 713.646.1306
Ameena Ashfaq, aashfaq@bakerlaw.com, 713.646.1329
Darby C. Allen, dallen@bakerlaw.com, 713.646.1311
Tiffany D. Reyes, tdreyes@bakerlaw.com, 713.646.1357

LOS ANGELES
Neil Carrey, ncarrey@bakerlaw.com, 310.442.8835
James D. Figura, jfigura@bakerlaw.com, 310.979.8462

NEW YORK
John J. Carney, jcarney@bakerlaw.com, 212.589.4255
George C. Dolatly, gdolatly@bakerlaw.com, 212.589.4680

ORLANDO
G. Thomas Ball, tball@bakerlaw.com, 407.649.4004
David L. Schick, dschick@bakerlaw.com, 407.649.4084
Richard W. Siehl, rsiehl@bakerlaw.com, 407.649.4076
Jessica L. Captain, jcaptain@bakerlaw.com, 407.649.4025

WASHINGTON, DC
Terry Connerton, tconnerton@bakerlaw.com, 202.861.1613

ABOUT BAKER HOSTETLER’S NATIONAL HEALTHCARE TEAM
Baker Hostetler is at the forefront of national law firms providing clients involved in every facet of healthcare delivery across the country with comprehensive legal counsel of remarkable responsiveness, creativity, quality and value. We understand the unique needs of the industry, and are dedicated to helping clients achieve their strategic and operational goals and resolve day-to-day operating issues through our experience, knowledge and national perspective. Supported by more than 625 attorneys and professionals in 11 cities coast to coast, our multi-disciplinary Healthcare Team offers clients nationwide strength across a diverse array of practice areas including Medicare and Medicaid reimbursement, regulatory compliance, fraud and abuse counseling, government investigations, subpoenas and audits, FDA, pharmaceuticals and biotechnology, tax and exempt organization laws, export controls, ERISA, management labor and employment, finance and business transactions, antitrust, lobbying, and commercial litigation, among others.