Welcome to this week's edition of the Health Law Update. Topics covered today include:
We hope you find this information helpful. Please contact any member of Baker Hostetler's Healthcare Team with questions.
OVERPAYMENT REPORTING OBLIGATIONS: PROPOSED RULE WOULD EFFECTIVELY TREAT ALL OVERPAYMENTS AS FRAUD
On February 16, 2012, the Centers for Medicare and Medicaid Services (CMS) published its proposed rule implementing Section 6402(a) of the Patient Protection and Affordable Care Act (PPACA) that requires Medicare providers and suppliers to report and return overpayments within 60 days of identification in most instances; failure to report and return overpayments in accordance with Section 6402(a) could expose a provider to False Claims Act liability, civil monetary penalties or exclusion.
CMS proposes that a provider will have "identified" an overpayment if it has actual knowledge of the existence of an overpayment or acts in reckless disregard or deliberate ignorance of an overpayment. These are the same definitions in the False Claims Act, which is used to pursue allegations of fraud and false claims. CMS stated that this standard is meant to discourage providers from avoiding activities that might uncover an overpayment, such as self-audits and compliance checks. CMS also clarified that overpayments that would generally be reconciled on cost reports are the only types of refunds that can be delayed until the cost report deadline. Therefore, all claims-related overpayments would be subject to the 60-day deadline. Under the proposed rule, CMS would create a uniform reporting form for all Medicare contractors such that providers will have a consistent method to report and return overpayments.
The proposed rule states that "failure to make a reasonable inquiry [after receiving information about a potential overpayment], including failure to conduct such inquiry with all deliberate speed after obtaining the information, could result in the provider knowingly retaining an overpayment because it acted in reckless disregard or deliberate ignorance of whether it received such an overpayment." The standard of "all deliberate speed" is subjective and would be difficult for providers to assess. As an example of an obligation to investigate a potential overpayment, the proposed rule states that if a provider experiences a significant increase in revenue for no apparent reason and even though there is no reason to otherwise suspect an overpayment, the fact that the provider fails to make a reasonable inquiry into whether an overpayment exists may indicate that the provider acted in reckless disregard or deliberate ignorance of any overpayment.
A ten-year lookback period for paid claims also would be instituted by the proposed rule. This is significant, as the Medicare reopening period currently is only one year from the payment date for any reason and four years for "good cause." The long-standing reopening rules only allow a claim to be adjusted ten years in the past for fraud. CMS proposes to amend the reopening period to align with the ten-year lookback period, which would constitute a dramatic increase in potential liability for providers and effectively treat all overpayments as potential fraud as opposed to payment errors. We also would note that there is no discussion of the statutory "without fault" provisions. In sum, the proposed rule would significantly alter the Medicare statutory, regulatory and manual provisions that address claims adjustment and reopening periods.
Providers should comment on this rule. CMS will accept comments on the proposed rule until April 16, 2012.
For more information, please contact B. Scott McBride, firstname.lastname@example.org or 713.646.1390 or Darby C. Allen, email@example.com or 713.646.1311.
PREVENTIVE CARE MANDATE UPDATE: BURDEN SHIFTS FROM RELIGIOUS ORGANIZATIONS TO INSURERS; UNANSWERED QUESTIONS REMAIN
On February 10, 2012, President Obama announced a policy change intended to address the concerns of many religiously affiliated organizations over the preventive care mandate that requires nongrandfathered group health plans to provide FDA-approved contraceptive and sterilization procedures to women with no cost sharing. The announcement was accompanied by the issuance of a final rule published in the Federal Register on February 15, 2012. The final rule implements Section 2713 of the Public Health Service Act, as added by PPACA.
A narrow exemption to the contraceptive coverage requirement, initially set forth in an interim final rule published August 3, 2011, applies to "religious employers" that primarily employ or serve persons who share the same religious tenets as the employer. On January 20, 2012, the U.S. Department of Health and Human Services (HHS) confirmed that religiously affiliated institutions, such as universities, hospitals, charities or media companies that serve or employ people of other faiths, were required to comply with the preventive care mandate. However, these organizations were granted until the first plan year beginning on or after August 1, 2013, to comply.
The HHS announcement commenced a nationwide debate over whether the preventive care mandate violates religious liberty. In response, President Obama set forth a new policy for religious institutions that object to "directly providing insurance that covers contraceptive services." Under the new policy, when an employer is a religiously affiliated organization, such as a charity, school or a hospital with religious objection to providing or paying for contraceptive services, the insurer is "required to reach out and offer the woman contraceptive care free of charge without co-pays, without hassle."
The new policy leaves open issues and unanswered questions with regard to the tracking of premium dollars collected from religiously affiliated employers relative to the insurer's funds used to pay for such services, as well as the self-insured. Although the announcement states that such religious organizations will not be required to subsidize the cost of such services, it does not specifically address organizations that are self-insured. A self-insured employer is, essentially, the "insurer" and uses other insurance companies only to administer or advise on its group health plan.
While the final rule does not include the policy change announced by the President on February 10, it is anticipated that a new regulation to define the responsibilities of insurance companies and group health plans in covering contraceptive and other preventive services will be issued during the one-year transition period. The policy announced on February 10 by President Obama faces continued opposition by some religious organizations, including the United States Conference of Catholic Bishops.
For more information, please contact John S. Mulhollan, firstname.lastname@example.org or 216.861.7484 or Michelle Manzoian at email@example.com or 216.861.7714.
GROUP HEALTH PLAN AND INSURANCE COVERAGE: FINAL GUIDANCE ISSUED ON SUMMARY OF BENEFITS AND COVERAGE
The U.S. Departments of the Treasury, Labor (DOL) and HHS (collectively, the "Departments") recently released final regulations governing the summary of benefits and coverage and the uniform glossary for group health plans and health insurance coverage. By way of background, Section 2715 of the Public Health Service Act, as added by PPACA, charged the Departments with the development of (1) standards for compiling and providing a summary of benefits and coverage explanation (SBC), including who must provide the SBC, to whom the SBC must be provided and when, and what content must be included in the SBC; and (2) a standard set of definitions for certain insurance-related and medical terms. PPACA also requires that group health plans and health insurance issuers provide a notice of modification to participants and beneficiaries if material terms of the plan or coverage change from the terms described within the most recent SBC. The final regulations address each of these items.
Additional guidance about the SBC was published simultaneously to the regulations. The guidance addresses the format of the SBC for the first year in which the SBC requirements apply (updated guidance will be issued by the Departments in later years). It also includes the HHS and DOL website addresses where one can find (1) a template for the SBC, (2) a sample completed SBC, (3) instructions for completing the SBC template, (4) language that must be used when completing the SBC template, (5) a guide for coverage example calculations, and (6) the uniform glossary required under PPACA.
Importantly, the final regulations generally extend the compliance deadline for the SBC from March 23, 2012, to September 23, 2012. Specifically, participants and beneficiaries who enroll or reenroll in group health coverage through an open enrollment period, and participants and beneficiaries who enroll in group health coverage other than through an open enrollment period, must be provided an SBC no later than the first day of the first open enrollment period that begins on or after September 23, 2012, or the first day of the first plan year beginning on or after September 23, 2012, respectively. The compliance deadline for disclosures made to plans and to individuals in the individual market by health insurance issuers is September 23, 2012.
If you have any questions regarding the SBC final regulations and the related guidance, please contact Deborah Bracy at firstname.lastname@example.org or 216.861.7354; Jennifer A. Mills at email@example.com or 216.861.7874; or Susan Whittaker Hughes at firstname.lastname@example.org or 216.861.7841.
EMTALA: CMS REQUEST FOR COMMENTS
CMS has issued a request for comments on the applicability of the Emergency Medical Treatment and Active Labor Act (EMTALA) to hospital inpatients in the February 2, 2012, Federal Register. As a reminder, EMTALA was enacted in 1986 as a patient antidumping statute to ensure that individuals with an emergency medical condition are provided lifesaving services regardless of their insurance coverage or ability to pay. EMTALA sets forth the medical screening requirements for patients presenting to an emergency department and obligates hospitals to stabilize the patient or appropriately transfer that patient to another facility. If a hospital with a dedicated emergency department fails to meet its EMTALA obligations, it may be subject to the imposition of civil monetary penalties and the termination of its Medicare provider agreement.
Concerns over the law's applicability to inpatients and the transfer of patients to hospitals with specialized capabilities, such as children's hospitals, burn units, shock-trauma units, neonatal intensive care units or regional referral centers in rural areas, have been raised since the law's implementation. To that end, the agency is soliciting comments concerning patients with an emergency medical condition who have been admitted through a hospital's emergency department but remain unstable and require the specialized capabilities of another hospital. In such instances, CMS has taken the position that while the EMTALA obligation for the admitting hospital has ended, the hospital with specialized capabilities also has no EMTALA obligation toward that patient. The CMS position crystalizes the regulations for hospitals with specialized capabilities and, as stated in the agency's request for comments, CMS is making no proposals with respect to this policy. Instead, the agency will continue to monitor whether it may be appropriate in the future to reconsider its position and has provided a 60-day comment period to allow for the submission of data and real world examples relevant to the issue.
If you are a hospital with specialized capabilities, or one that seeks frequent transfers to such facilities and would like to submit comments, please contact Lynn Sessions at 713.646.1352 or email@example.com for assistance.
A REVIEW OF HEALTHCARE BANKRUPTCIES: 2011
The healthcare industry was ailing in 2011. There were 88 publicly traded companies that filed for Chapter 11 relief in 2011, and of those, approximately 11 companies were in the healthcare industry. The healthcare industry led the group, with telecommunications and energy tied for second place (nine filings in each industry). The healthcare industry has faced many challenges over the years. For starters, hospitals are not always paid for their services. Patients who are admitted are not asked to prepay for their services and, given the state of the economy, it is understandable why many patients "stiff" medical providers with the bill. Another reason for the high number of Chapter 11 filings is the rising cost of healthcare, as well as the decreasing rates of reimbursement from Medicare and Medicaid, and an increasing number of uninsured patients. Other considerations include lawsuits against the hospitals, salary and pension obligations and increased competition with outpatient surgery centers and walk-in clinics.
Many healthcare facilities decided to overcome these challenges in 2011 by filing for bankruptcy and revisiting their business model. For example, Peninsula Hospital, which filed for Chapter 11 relief in the Eastern District of New York, needed to strategically change its business of medicine and boost surgical, cardiac and oncology services. The case is still pending. Another facility, Quincy Medical Center, filed for Chapter 11 relief because it had been losing patients in recent years to larger teaching hospitals in nearby Boston. Quincy was sold to Steward Health Care System for approximately $38 million in the fall of 2011 as part of its Chapter 11 case. Of course, like any other business, medical facilities could be improperly managed, which would inevitably lead to a bankruptcy filing. For example, Hoboken University Medical Center was allegedly under the assumption that it would have an unlimited source of funding from the Hoboken Hospital Authority and from the City of Hoboken. However, when the Authority members discovered the extent of the hospital's losses, they directed that the hospital live within its budget, pushing it into bankruptcy. Hoboken University Medical Center ultimately was purchased by Hudson Hospital Holdco LLC.
It is unclear what the state of healthcare bankruptcies is for 2012. Thus far, a number of healthcare facilities have filed for Chapter 11 relief, including, most recently, Christ Hospital in Jersey City, which is currently seeking a buyer of its 367-bed hospital. It remains to be seen whether the healthcare industry will regain its financial health in 2012 or whether it will need further treatment in the form of increased Chapter 11 filings.
For more information, please contact Marc E. Hirschfield firstname.lastname@example.org or 212.589.4610; Marc Skapof email@example.com or 212.847.2864; George Klidonas firstname.lastname@example.org or 212.589.4625 or any member of Baker Hostetler's Bankruptcy, Restructuring and Creditors' Rights Team.
MASSACHUSETTS: ALL CONTRACTS WITH VENDORS THAT HANDLE PERSONAL INFORMATION MUST INSTITUTE SAFEGUARDS BY MARCH 1
Regulators are focusing more and more on how responsible organizations are when engaging third-party vendors. The Health Insurance Portability and Accountability Act (HIPAA) has in place requirements for engaging business associates. The Connecticut Department of Insurance has requirements for reporting breaches caused by vendors. And the Massachusetts Attorney General, through the Data Security Regulations, requires oversight of third party service providers. This is no surprise since many studies suggest that over a third of breaches are caused by vendors.
Since March 1, 2010, businesses that handle personal information of Massachusetts residents have been addressing the requirements of Massachusetts 201 CMR 17.00—Standards for the Protection of Personal Information of Residents of the Commonwealth. There are many requirements—from employing a comprehensive information security program to developing security policies for current and terminated employees. Additionally, organizations are required to include language in contracts with vendors who handle personal information of Massachusetts residents regarding the employment of appropriate safeguards. This has always been a requirement under 201 CMR 17.03(f)(2); however, there was a two-year "safe harbor" for contracts that were entered into prior to March 1, 2010. That "safe harbor" expires on March 1, 2012, and all contracts with vendors who handle personal information of Massachusetts residents must require vendors to implement and maintain appropriate security measures for personal information.
Personal information, as defined by the Massachusetts statute, includes information that is frequently kept by healthcare providers:
Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that "Personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
Whether you are a vendor, or the organization providing the data to the vendor, you must have a Written Information Security Program (WISP) in place to be compliant under Massachusetts 201 CMR 17.00. If a breach occurs, the Massachusetts Attorney General must be notified and very likely will ask for a copy of your WISP. Generally, when we assist clients with the preparation of a WISP, we address both technical and administrative safeguards, such as:
- Employee training;
- Sanction policies;
- Regular monitoring of the implementation of the policies in place;
- Risk assessments;
- Breach response plans;
- Access controls;
- Antivirus protections; and
- Firewall protections.
Moreover, notwithstanding the requirements of the Massachusetts law, it is good practice to update old contracts to address issues that have evolved over the past few years related to privacy. Some of these include:
- Independent audit of a vendor (e.g., American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements 16 (SSAE 16));
- Cyber insurance coverage, including notification costs;
- Preapproval of the use of cloud services;
- Preapproval of the downstream sharing of data with subvendors; and
- Compliance with local, state and federal data security laws.
Whether or not you need to comply with the Massachusetts Data Security Regulations, now is a good time to take your dusty old contracts out of the drawer to see how they can be improved. Vendors should be reviewing their contracts, too -- not just from a regulatory compliance standpoint, but to make sure they are not committing to something they are unable to deliver.
If you need assistance in revising your vendor agreements or need additional information, please contact Ted Kobus at email@example.com or 212.217.1504.
2011 YEAR IN REVIEW: SPOTLIGHT ON THE HEALTHCARE PRIVACY TEAM
The firm's Privacy Team has handled more than 250 data breaches, with a heavy concentration in the healthcare sector. In fact, we managed the response for two of the three largest healthcare breaches announced in 2011. Whether large or small, a breach is significant to our clients and we are prepared to assist—which is why the firm established a 24/7 toll-free breach hotline for clients when they are faced with a breach event: 855.217.5204. The hotline is staffed around the clock by experienced Baker Hostetler privacy attorneys.
Assisting our clients through breach response is just one aspect of our privacy practice; we have seen growth in the risk management and breach preparation services that we provide to our clients. Development of policies and procedures always has been a part of our practice. However, last year, we began conducting breach workshops to help educate clients and advise them about what to expect when a breach occurs. These workshops generally are half-day sessions that provide practical advice (and real-world breach tabletop exercises) to help clients prepare for an event.
Our litigation and regulatory response privacy team members have been busy as well. We are currently involved in several medical privacy lawsuits, including class action lawsuits in California involving the Confidentiality of Medical Information Act. A regulatory investigation is almost a guarantee after a healthcare data breach and we handled numerous HHS Office for Civil Rights investigations in nearly every region last year.
Investigations by state attorneys general, The Joint Commission and the California Department of Public Health also are becoming commonplace and our team is prepared to advise clients on related issues. Significantly, we handled the first HHS Office of Inspector General audit of portable devices under the Fiscal Year 2012 Work Plan.
With respect to proactive data privacy and information security counseling, we advise a broad spectrum of healthcare interests on such issues as:
- HIPAA and HITECH business associate compliance;
- Privacy matters related to social media and community interest website projects;
- Security risk assessments and development of security policies, procedures and safeguards for protection of electronic health information;
- Use of data for marketing purposes; and
- Eligibility, contracting/licensing, measurement and reporting requirements under the federal stimulus incentive program for Meaningful Use of Certified Electronic Health Records.
Our team also conducted webinars for clients on legal issues related to cloud computing and data breach reporting.
Ted Kobus serves as National Co-Leader of the firm's Privacy, Security and Social Media Team, advising healthcare providers on privacy, data breaches, social media and intellectual property issues. For more information, please contact Ted at firstname.lastname@example.org or 212.271.1504 or any member of the Baker Hostetler Privacy, Security and Social Media Team.
Cleveland partner Tom Campanella will speak on "Hot Issues in Health Care Policy" at the Ohio University College of Osteopathic Medicine in Athens, Ohio.
Cleveland partner Tom Campanella will speak on "The Future of Health Care" at the 27th Annual Conference of the North Central Academy of Podiatric Medicine in Cleveland, Ohio.
Cleveland partner Tom Campanella will speak on "Accountable Care Organizations: What's New and What's Next?" at the Chief Executive Officer Meeting of the Physician Insurers Association of America in Scottsdale, Arizona.
March 29 & 30
Houston partner Scott McBride will speak on "Quality: Payment Enforcement" at the Institute on Medicare and Medicaid Payment Issues program sponsored by the American Health Lawyers Association in Baltimore, Maryland.
Cleveland partner Tom Campanella will speak on "Evolution of the U.S. Healthcare System: How Did We Get Here and Where Are We Going?" at the Baldwin-Wallace College MBA Association in Berea, Ohio.
Baker & Hostetler LLP publications are intended to inform our clients and other friends of the Firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience. © 2012 Baker & Hostetler LLP