Health Law Update – February 25, 2016

Alerts / February 25, 2016

Welcome to this week's edition of the Health Law Update. In This Issue:

  • The Deeper Dive: The Final Overpayment Rule
  • CMS Doubles Down on Targeting Part D Enrollee Prescription Drug Abuse, But Will Stakeholders Agree?
  • Protecting Patient Data From Hacker Ransom Demands
  • Blog Exclusives
  • Lee Rosebush Authors Article on Compliance for Outsourcing Facilities Engaged in Clinical Investigation
  • Lee Rosebush Reviews Research Report on State Oversight of Sterile Drug Compounding
  • Events Calendar
The Deeper Dive: The Final Overpayment Rule

By B. Scott McBride and Darby C. Allen

The Centers for Medicare and Medicaid Services (CMS) recently issued its final rule for Reporting and Returning of Overpayments (Final Rule). The Final Rule implements section 1128J(d) of the Social Security Act, which requires Medicare providers and suppliers to report and return overpayments within 60 days after the overpayment was identified in most instances. Failure to report and return overpayments in accordance with this provision could expose a provider to False Claims Act liability, civil monetary penalties, or exclusion. The Final Rule establishes a complicated set of standards that together make up a process that providers and suppliers must complete with respect to reviewing potential Medicare overpayments and reporting and returning overpayments that are identified.

The “Identified” Standard

The obligations of the Final Rule begin when an overpayment is identified. The Final Rule provides that a person will be deemed to have “identified an overpayment when the person has, or should have through the exercise of reasonable diligence, determined that the person received an overpayment and quantified the amount of the overpayment.” Of particular note, CMS opined that if a provider undertakes “no or minimal compliance activities to monitor the accuracy and appropriateness” of its claims, it could face liability under this “identified” standard based on the failure to exercise reasonable diligence. CMS believes that the Final Rule provides “bright line” standards; however, we believe there will be many complexities in practice.

Under the Final Rule, the 60-day time period begins either: (1) when the reasonable diligence is completed and the overpayment is identified, or (2) when “credible information” of a potential overpayment is received if the person fails to conduct reasonable diligence and did in fact receive an overpayment. The requirement to exercise reasonable diligence arises when a person receives “credible information” regarding a potential overpayment. CMS’s commentary states that a person may receive credible information as a result of a contractor or government audit. In these instances, the person would have a duty to conduct reasonable diligence to determine whether additional overpayments exist outside of the audit, for example, beyond the time limits that were part of the audit.

CMS’s commentary in the Final Rule states that reasonable diligence includes both proactive compliance activities to monitor for the receipt of overpayments and investigations conducted in a good faith and timely manner in response to obtaining credible information of a potential overpayment. With respect to retrospective investigations, CMS believes that reasonable diligence is demonstrated through the “timely, good faith investigation of credible information, which is at most six months from receipt of the credible information, except in extraordinary circumstances.” While this standard allows providers some time to investigate and quantify the overpayment before the 60-day deadline begins, CMS has taken the position that investigations should normally be wrapped up within six months. Whether extraordinary circumstances exist to extend the investigation timeline is a factual inquiry, and CMS indicated that Stark Law violations that are referred to the Voluntary Self-Referral Disclosure Protocol (SRDP) as well as situations involving natural disasters and states of emergency may be considered extraordinary. With respect to quantification of the overpayment, CMS recognizes that statistical sampling and extrapolation may be appropriate auditing methods.

The Lookback Period

CMS originally proposed a 10-year lookback period to correspond with the outside bounds of the False Claims Act statute of limitations. In light of concerns raised by stakeholders that a 10-year lookback period would be inconsistent with long-standing CMS policies regarding reopening and administrative finality and would exceed record-retention requirements, CMS has adopted a six-year lookback period in the Final Rule. The lookback period is measured from the date the overpayment is identified. CMS believes that providers will not be significantly burdened by the six-year lookback period (compared to the traditional reopening period of four years), because other state and federal laws require them to retain records and claims data for between six and seven years.

The Final Rule amends the reopening rules to permit a Medicare contractor to reopen an initial determination upon a provider’s request for the purpose of reporting and returning an overpayment. In 2002, CMS had proposed extending the reopening period to five years, but did not finalize the proposal after many commenters raised concerns about the burden of locating documentation on older claims. In commentary to the Final Rule, CMS summarily dismissed commenters who raised concerns that the lookback period under the 2012 proposed rule and the Final Rule would extend even longer by asserting that the adoption of the statutory provision justifies changes to the reopening rules. CMS’s discretion to interpret the statute in a way that destroys 40 years of Medicare precedent with respect to the reopening rules may face legal challenge as providers contend with enforcement actions.

CMS confirmed that the Final Rule is not retroactive, and the six-year lookback period would not apply to overpayments that are reported and returned before March 14, 2016. To that end, providers and suppliers that have reported overpayments through the SRDP would be subject to the four-year reopening period. CMS is currently only permitted to require a financial analysis of overpayments for the four-year reopening period in the SRDP, but it is seeking approval to require reporting of the additional two years of financial data. In the interim, providers entering the SRDP should carefully consider whether to voluntarily report data for the fifth and six years to toll the obligation to return overpayments attributable to the Stark Law violations during the entire lookback period.

Finally, given the six-year lookback period, providers should review the findings in contractor and government audits carefully. These findings could be considered “credible information” that require the provider to exercise reasonable diligence to report and return similar overpayments for the entire six-year lookback period.

The Reporting and Refunding Process

The Final Rule permits providers to report and return identified overpayments through claims adjustment, credit balance, self-reported refund processes, or “another appropriate process to report and return overpayments.” CMS declined to finalize its proposal to create a standardized refund form and eliminated the specific list of data elements to be reported in recognition of the burden providers would face in furnishing this breadth of information. CMS also confirmed that if a contractor identifies a payment error and notifies a provider that it will adjust the claims to correct the error, the provider does not have an obligation to report and return the overpayment separately. Finally, CMS stated that only submissions to the SRDP and the OIG Self-Disclosure Protocol would toll the deadline to return the overpayment, while self-disclosure to other government entities such as the U.S. Department of Justice would not toll the deadline.

The Details

In addition to establishing a process for providers to take when reviewing potential overpayments, the Final Rule clarified a number of issues raised by stakeholders. First, CMS clarified that while the statutory provision applies to Medicare and Medicaid generally, the Final Rule is applicable only to Medicare Parts A and B. A separate regulation published in 2014 applies to reporting and returning of overpayments for Medicare Parts C and D. CMS also clarified that only those errors and non-reimbursable expenditures in cost reports that result in increased reimbursement would be considered “overpayments” for purposes of the Final Rule.

Providers and suppliers should review their existing internal auditing practices and strengthen them where necessary in anticipation of the Final Rule’s March 14, 2016 effective date.

CMS Doubles Down on Targeting Part D Enrollee Prescription Drug Abuse, But Will Stakeholders Agree?

By Kameron L. Brackins

With the release of its 2017 draft call letter, CMS continues its push to curb opioid dependence, overdose and death among Medicare Part D enrollees. To that end, CMS proposes that Part D plan sponsors edit their benefit designs to target opioid overutilization at the point-of-sale. The letter also reminds Part D sponsors that benefit designs that impede medication-assisted treatment for opioid addiction, including high cost sharing, will not be approved by CMS.

The point-of-sale target is not a new proposal. CMS included an expectation in its 2016 draft call letter that Part D plan sponsors implement a soft point-of-sale edit to prevent improper opioid use. The recommendation was delayed, however, due to stakeholder concerns that enrollee access to needed prescription drugs could be disrupted.

Despite the commendable effort by CMS to reduce opioid use disorders and overdose, disagreement persists over Medicare Part D performance expectations aimed at enhanced utilization controls. For example, there has been significant pushback from stakeholders in response to recently solicited comments by CMS on whether providers should be required to consult a patient’s history on their state’s Prescription Drug Monitoring Program in an effort to identify the patient’s risk of nonmedical use of controlled substances. Will this latest CMS proposal meet with similar opposition?

The deadline for submitting comments to the 2017 Draft Call Letter is March 4, 2016, and the final 2017 Call Letter will be published on April 4, 2016.

Protecting Patient Data From Hacker Ransom Demands

By Suchismita Pahi

Forty bitcoins later (approximately $17,000), Hollywood Presbyterian Hospital can now access its electronic medical health records and return to treating its patients as scheduled. But as hackers develop new tools to access information, an increasing number of providers will be targeted and ransom demands will escalate, putting hospitals and patients at risk. Focusing on technical cybersecurity protection, workforce training, and comprehensive risk analysis and management will enable covered entities and business associates to better withstand attacks and reduce vulnerabilities.

On February 2, 2016, three days prior to the attack on Hollywood Presbyterian Hospital, the Office for Civil Rights (OCR) released an email on ransomware and preventing ransomware infection as part of its cybersecurity awareness initiative. Ransomware is a type of malware that can infect systems, encrypt files, or otherwise block users from their data until the institution or person pays a ransom to regain access. As with any malware, the avenue of attack can be email, open remote connection ports, and more. Hollywood Presbyterian Hospital is working with the Federal Bureau of Investigation to identify the route of the attack.

Mitigating Risks

Covered entities and business associates must remain vigilant against cybersecurity attacks to avoid becoming the next victim of a ransomware attack. At a minimum, covered entities and business associates should focus on the following three areas:

  • Technical cybersecurity protection
  • Workforce training
  • Comprehensive risk analysis and management

OCR continues to enable covered entities and business associates to achieve HIPAA compliance with guidance on different HIPAA components. Most recently, OCR released its crosswalk between the HIPAA Security Rule and the National Institute of Science and Technology (NIST) Cybersecurity Framework. The crosswalk can be used to identify any gaps in cybersecurity between NIST’s framework and HIPAA requirements, as well as help bolster existing cybersecurity with the NIST standards.

In addition to technical protections, workforce training is the second line of defense against malware such as ransomware. The HIPAA Security Rule requires security awareness and training for workforce members of covered entities. 45 C.F.R. 164.308 (a)(5). Regular bulletins with short examples of malware attacks or guidance on assessing and responding to malware incidents, along with training focused on recognizing malware and emphasizing best practices in email and Internet security, will help protect healthcare providers against successful malware attacks.

Finally, the importance of risk analyses and management plans cannot be overstated. A proper risk analysis will identify any gaps in device security and server security, making sure that the covered entity or business associate is not wide open to malware propagated by hackers.

Blog Exclusives

ALJ Upholds OCR’s $239,800 CMP for Healthcare Provider

By Lynn Sessions and Suchismita Pahi

On January 13, 2016, the Department of Health and Human Services’ Administrative Law Judge upheld the Office for Civil Rights’ (OCR’s) civil monetary penalty (CMP) against Lincare, Inc., d/b/a United Medical (Lincare), for $239,800 in an appeal of OCR’s Health Insurance Portability and Accountability Act (HIPAA) CMPs. Lincare is a home health company that provides respiratory care and equipment for over 1,000 medical centers to patients at their homes. Read more >>

Sandoz Requests Supreme Court Review of the Federal Circuit’s Interpretation of Biosimilar Law

By Ronald C. Kern Jr., Ph.D.

On February 16, 2016, Sandoz Inc. filed a petition for a writ of certiorari with the U.S. Supreme Court, asking the Court to review the Federal Circuit’s interpretation of the Biologics Price Competition and Innovation Act (BPCIA). The petition presents the following questions to the Court:

Whether notice of commercial marketing given before FDA approval can be effective and whether, in any event, treating Section 262(l)(8)(A) as a standalone requirement and creating an injunctive remedy that delays all biosimilars by 180 days after approval is improper. Read more >>

Lee Rosebush Authors Article on Compliance for Outsourcing Facilities Engaged in Clinical Investigation

BakerHostetler Partner Lee Rosebush, along with Francis B. Palumbo and Lowell M. Zeta, authored the article, “Navigating Through a Complex and Inconsistent Regulatory Framework: Section 503B of the Federal Food Drug and Cosmetic Act Outsourcing Facilities Engaged in Clinical Investigation,” published in the December 31, 2015, issue of Therapeutic Innovation & Regulatory Science. The article points out that the U.S. pharmaceutical industry has invested $500 billion in research and development since 2002 and advises pharmacy compounders and other stakeholders to be acutely aware of the consequences of noncompliance.

The article discusses inconsistencies in federal and state drug labeling regulations and explains that the regulatory landscape is governed by U.S. federal and state authorities competing for oversight and enforcement authority. Accordingly, the article advises researchers to be keenly aware of the implications of federal and state laws, including any inconsistencies, prior to engaging in clinical investigation. More information >>

Lee Rosebush Reviews Research Report on State Oversight of Sterile Drug Compounding

Partner Lee Rosebush was one of four external reviewers of the report, “National Assessment of State Oversight of Sterile Drug Compounding,” published in February 2016. The study, commissioned by The Pew Charitable Trusts and conducted by researchers from the University of Illinois at Chicago, assesses the national landscape of state policies on compounding sterile drugs, such as medicines that are injected or infused into the body. Read the report >>

Events Calendar

March 5, 2016

Washington, D.C., Partner Lee H. Rosebush will present on “Compounding Medication: Are You Liable?” at the American Pharmacists Association 2016 Annual Conference in Baltimore, MD.

April 4, 2016

Houston Partner Gregory S. Saikin will participate in a webcast, “FCPA Investigation Cooperation: Avoiding Common Mistakes,” for The Knowledge Group.

April 20, 2016

Houston Partner Lynn Sessions will participate on a panel, along with other industry experts, to discuss “Healthcare Data Breach: Another Day, Another Breach” at the 2016 Medical PL Symposium sponsored by the Professional Liability Underwriting Society in Chicago, IL.

April 21, 2016

Houston Partner B. Scott McBride will present on “False Claims Act Enforcement and Investigations” at the UT Law’s 28th Annual Health Law Conference in Houston, TX.

Washington, D.C., Partner Lee H. Rosebush will present on “Drug Pricing in Pharmacy & PBM Contracting – What Does It All Really Mean?” at the Academy of Managed Care Pharmacy (AMCP): Managed Care & Specialty Pharmacy Annual Meeting in San Francisco, CA.

Baker & Hostetler LLP publications are intended to inform our clients and other friends of the firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience.

Related Services

Related Industries