Health Law Update – March 10, 2016

Alerts / March 10, 2016

Welcome to this week's edition of the Health Law Update. In This Issue:

  • The 2017 Exchange Regulations: Network Adequacy Challenges Remain
  • Don’t Get Phished! Hackers Pose as CEOs to Steal Tax Information from HR and Payroll Professionals at Healthcare Organizations
  • Texas Open Carry Law: FAQs for Hospitals and Healthcare Facilities
  • Lee Rosebush Discusses Compounding Pharmacy Regulations at American Pharmacists Association Annual Meeting
  • Events Calendar
The 2017 Exchange Regulations: Network Adequacy Challenges Remain

The impact of these rules will be felt widely among the provider community as it struggles to face increasing pressures resulting from the plans’ continually narrowing networks

By Susan Feigin Harris and Summer D. Swallow

The Centers for Medicare and Medicaid Services (CMS) recently issued the final 2017 Benefit and Payment Parameters Rule (Final Rule) and concurrently released a final 2017 Letter to Issuers (Letter to Issuers) in the Federally Facilitated Marketplaces (commonly referred to as Exchanges) setting out the benefit and payment policies applicable to qualified health plans (QHPs) for the 2017 benefit year. The Final Rule and Letter to Issuers address a broad range of topics including risk adjustment, reinsurance and risk corridors, stand-alone dental plans, rate review and medical loss ratios. In this article, we focus on the issues relating to network adequacy and the inclusion of essential community providers, areas that have caused difficulty and concern for a number of clients. Although many were hoping this Final Rule would offer substantive relief for these concerns, CMS failed to move forward with some of the more meaningful measures presented in the proposed rule.

Network Adequacy – Minimum Threshold

The biggest disappointment for provider advocates is the failure by CMS to meaningfully address concerns surrounding the increasing use of narrow networks. The evolution of the narrow network has thrust adequacy standards into the spotlight. Although the proposed rule originally offered a minimum network adequacy standard, CMS failed to adopt this provision in the Final Rule.

In the proposed rule, CMS called on the states to select a quantifiable network adequacy standard, subject to certain minimum criteria established by CMS. If a state with an Exchange did not select such a standard, CMS would apply time and distance standards, calculated at the county level, similar to those used for evaluating Medicare Advantage plans. However, CMS apparently heard insurers’ arguments that such standards would take away the flexibility they needed in negotiating with providers for their networks.

Instead, the Final Rule defers to the insurance industry through the development of the National Association of Insurance Commissioners (NAIC) Model Act, which will surely require time for the states to adopt. CMS advises that it will utilize current network adequacy standards in reviewing QHPs, including quantitative time and distance standards, but will not require the states to do so at this time.

The sense from CMS in the commentary was that the NAIC Model Act would address the issues presented by many specialty providers in the U.S., including freestanding cancer centers, children’s hospitals, women’s health providers, and transplant providers. Is the NAIC Model Act the answer?

Network Adequacy – Continuity of Care

The Final Rule addressed issues relating to continuity of care when providers are removed from the network. CMS will compel insurers to give patients being seen on a regular basis by a provider 30 days’ notice (or as soon as practicable) of such provider’s termination from the network. Additionally, insurers must, in cases where a provider is terminated without cause, continue to offer coverage for the shorter of completion of the patient’s active treatment or 90 days, at in-network cost-sharing rates.

Network Adequacy – Cost Sharing

Beginning in 2018, plans will be required to count enrollee cost sharing for an essential health benefit provided by an out-of-network ancillary provider (such as anesthesiologists or radiologists) at an in-network facility toward the enrollee’s annual limitation on cost sharing. Although this does not go as far as some would have liked, enrollees consider it a step in the right direction.

CMS allows for an exception if the issuer provides enrollees with written notice in advance of receiving the service advising the enrollee that an out-of-network provider may be providing the services and that the enrollee may incur additional costs. This provision does not preempt more protective state laws and does not apply to balance bills, if the provider charges in excess of the in-network payments. This is an area in which consumer education and information relating to surprise costs is fraught with confusion and in which state laws have been particularly focused on around the country.

Network Adequacy – Transparency and Consumer Choice

Recently, McKinsey Center for U.S. Health System Reform released a report indicating that while the proportion of narrowed networks has remained relatively constant, the overall number of networks has declined. Moreover, consumer choice has also declined as an increasing number of consumers had access to only narrow networks in 2016.

CMS has committed to developing a ratings classification system providing consumers access to each QHP’s network coverage on The ratings will be based on comparisons on the plan level with other plans in the same county and allow consumers to view and compare networks in their respective markets.

Essential Community Providers

Insurers that wish to provide products on the Exchange are bound by regulation to include in their networks a sufficient number and geographic distribution of Essential Community Providers (ECPs) that serve predominately low-income, medically underserved individuals. The Letter to Issuers and Final Rule identify how providers may petition/apply to become an ECP. The requirements to qualify include meeting several parameters that ensure the provider, in fact, serves the population for which the ECP distinction was designed. The current list of providers that qualify as ECPs in 2017 was recently posted to the CMS website. Beginning in 2018, CMS will credit issuers for multiple-contracted, full-time equivalent (FTE) ECP practitioners at a single location, up to the number of available FTE practitioners reported by the ECP facility through the ECP petition process.

For specialty providers, again, in the Final Rule, CMS refused to disaggregate certain ECP categories. For example, CMS will not evaluate access to children’s hospitals or free-standing cancer centers as separate from general acute care hospitals. CMS explained that “there are too few ECPs within each of these additional ECP categories appearing on our ECP list to afford issuers sufficient flexibility in their contracting.” As such, these specialized providers are grouped among all the hospitals, generally.

Standardized Options

CMS established standardized plan options for 2017 at the bronze, silver and gold levels and for each of the cost-sharing tiers within the silver level. Insurers are not required to offer standardized plans and may offer additional options. However, CMS believes that by displaying the standardized plans on it can provide consumers with an easy way to compare and choose among the available standardized plans. The plans would have (1) four tier drug formularies, (2) one in-network provider tier, and (3) standardized copayments and coinsurance for certain essential health benefit services. Certain routine services would also be exempt from the deductible.

Third-Party Payments

The Final Rule restates that insurers must accept premium payment from local government grantees that are funded by state and local governments; federal and state government programs that provide premium and cost-sharing support for specific individuals; and Indian tribes, tribal organizations and urban Indian organizations; but it fails to extend this directive to non-profit charitable organizations.

Patient Safety Standards

The Final Rule requires insurers to verify that contracted hospitals of more than 50 beds, if not working with a patient safety organization, implement an evidence-based initiative to improve healthcare quality through the collection, management, and analysis of patient safety events that reduces all cause preventable harm, prevents hospital readmission, or improves care coordination. CMS noted this option “would allow flexibility and promote alignment for hospitals that already engage in effective national, State, public and private patient safety programs.”


Unfortunately, the Final Rule and Letter to Issuers failed to meaningfully provide strict standards that would ensure consumers have access to specialized providers on the Exchange. The tendency appears to ensure that issuers have the requisite flexibility to craft their networks, financially, in a manner that will promote success on the Exchange, despite consumer complaints. The challenge is now at the state level to adopt NAIC Model Act provisions. For states that refuse to play in the Affordable Care Act sandbox, providers may have a heavier lift with their insurance commissioners and legislators.

Don’t Get Phished! Hackers Pose as CEOs to Steal Tax Information from HR and Payroll Professionals at Healthcare Organizations

By Melinda L. McLellan and Lynn Sessions

Every tax season is plagued with scams to defraud individuals and companies for money from tax returns. However, this year has started off with a bang and this means that the healthcare industry has another reason to worry. On March 1, 2016, the IRS issued an alert warning “payroll and human resources professionals to beware of an emerging phishing email scheme that purports to be from company executives and requests personal information on employees.” Less than a week later, on March 7, the Attorney General of North Carolina sounded a similar alarm concerning the rise in phishing-related breaches, reporting that “[i]n 2016, 26 phishing breaches have been reported by businesses and other organizations, with 16 of those reports coming within the past two weeks, compared to eight phishing breaches reported in all of 2015.”

The scheme typically begins with a “spoofing” email that appears to have been sent by a company’s CEO or another high-ranking executive to one or more employees in the human resources or payroll departments. In many cases, the sender’s email address is a match, and the tone or style of the message is convincingly similar to that of the individual who is supposed to have sent it. The email contains a request that the recipient respond by sending the “CEO” certain employee personal information, usually including Social Security numbers. The email may ask specifically for W-2 forms, or may instead ask for a compilation of employee data similar to what appears on tax documents. The employee, accepting the request as legitimate, forwards the requested information to the perpetrator.

Companies of all sizes and across all industries, including the healthcare industry, have reported receiving phishing emails that fit this pattern. Media reports that multiple hospitals have been spear-phished with what appears to be this scam. To help avoid a similar fate, organizations should warn their human resources and payroll departments about this increasingly prevalent phishing scheme. Employees should be reminded of privacy and security policies concerning the disclosure of personal information, and be advised that email requests for any type of sensitive data should be confirmed as authentic through direct contact with the apparent sender.

Unfortunately, the W-2 request variant isn’t the only phishing scam putting taxpayers at risk this season, as old-fashioned IRS-impersonation phone hoaxes also remain an issue. You can review a compilation of IRS alerts regarding these threats as well as further information on how to avoid tax-related identity theft on the IRS’s website.

Texas Open Carry Law: FAQs for Hospitals and Healthcare Facilities

By Michael J. Lombardino and Gregory S. Saikin

As of January 1, 2016, concealed license holders in Texas can now legally carry their handguns visibly in hip or shoulder holsters. This comes at a time when violence in hospitals and healthcare facilities is on the rise. According to a 2015 survey published by the International Association for Healthcare Security and Safety Foundation, from 2012 to 2014, hospitals reported a 40 percent increase in violent crime. This increase comes not just from gang and drug violence, but also from disruptive patients and distraught relatives. The following FAQs offer discussion points for hospitals and healthcare facilities to consider as they decide whether and to what extent they should ban employees, patients and the public from carrying firearms onto their premises.

Concealed Handgun Law in Texas

The original concealed handgun law (SB 60), passed by the 74th Texas Legislature in 1995, afforded concealed handgun license (CHL) holders the right to carry concealed handguns in most public and private places. Since then, Texas law has generally recognized an employer’s right to prevent their employees from bringing weapons to the workplace. However, in 2011, the 82nd Texas Legislature passed the “parking lot law” (SB 321) that prevents employers from restricting an employee’s right to store legally-owned firearms or ammunition in a privately-owned vehicle parked in the employer’s lot or garage. Employers could still prevent employees with a CHL from bringing a firearm to the workplace or from storing a firearm in a company-provided vehicle. In 2015, the 84th Texas Legislature passed the new open carry law (HB 910), effective January 1, 2016. HB 910 authorizes anyone with a CHL to carry a handgun openly (in a hip or shoulder holster) in all locations where previously they could carry a concealed handgun.

Can Hospitals and Healthcare Facilities Still Prohibit Employees from Bringing Firearms to Work?

Yes. Texas employers maintain the right to prohibit employees from bringing a weapon (openly or in a concealed manner) to the workplace. And employers may still prohibit employees from storing firearms or ammunition in company-provided vehicles. But, employees do retain the right to store legally-owned firearms and ammunition in a privately-owned vehicle that is parked in the employer’s lot or garage.

Do Hospitals and Healthcare Facilities Need to Update Their Employee Policies?

Probably not, as long as their current policies comply with the 2011 parking lot law and include language that prohibits employees from possessing weapons in the workplace. That being said, employers might consider revising their weapons policy to expressly prohibit employees from both possessing and carrying (openly or concealed) weapons at work the next time their policies are updated.

Can Hospitals and Healthcare Facilities Prohibit the Public from Bringing Firearms onto the Premises?

Yes. Hospitals and healthcare facilities can provide verbal notice to any person (including vendors, visitors, patients, or contractors) that carrying firearms while on the premises is prohibited. However, due to the difficulties associated with proving verbal notice, written notice (i.e., posting signage or giving a card) of the prohibition should be given to nonemployees entering the premises. When written notice is provided, it must comply with Sections 30.06 and 30.07 of the Texas Penal Code to be effective.

Are Hospitals and Healthcare Facilities Required to Post a Sign Prohibiting Firearms?

No, but it is recommended that hospitals and healthcare facilities post signage anyway to be absolutely certain that everyone entering the premises receives actual or constructive notice of the prohibition against weapons on the premises to the fullest extent of the law. Additional considerations for certain public hospitals and government-owned healthcare facilities that wish to prohibit firearms apply and should be addressed with legal counsel.

What Are the Notice Requirements Under Sections 30.06 and 30.07 of the Texas Penal Code?

To make it a criminal violation to bring a firearm onto the premises, hospitals and healthcare facilities must provide written notice using the precise language stated in Sections 30.06 and 30.07 of the Texas Penal Code as follows:

Concealed Carry Notice: “Pursuant to Section 30.06, Penal Code (trespass by license holder with a concealed handgun), a person licensed under Subchapter H, Chapter 411, Government Code (handgun licensing law), may not enter this property with a concealed handgun.”

Open Carry Notice: “Pursuant to Section 30.07, Penal Code (trespass by license holder with an openly carried handgun), a person licensed under Section H, Chapter 411, Government Code (handgun licensing law), may not enter this property with a handgun that is carried openly.”

Both notices are required. If only the Section 30.06 notice is posted, then concealed carry is illegal but open carry is still permitted. If only the Section 30.07 notice is posted, then open carry is illegal but concealed carry is still permitted. The notices must be in both English and Spanish. So a total of four notices must be posted. They must appear in contrasting colors with block letters at least one inch in height. And they must be posted in a conspicuous manner clearly visible to the public. Hospitals and healthcare facilities can order these signs from any vendor that sells posters for the workplace.

Importantly, posting this signage would not prevent police officers and similar individuals from bringing weapons onto the premises. Hospitals and healthcare facilities can also authorize security guards and other individuals to carry firearms, notwithstanding the posted written notice.

The Bottom Line …

The major change in the law is that licensed handgun holders can now openly carry wherever they previously could carry a concealed handgun. Hospitals and healthcare facilities can still prohibit the possession or carrying of weapons by their employees through their workforce policies. But in order to create a criminal deterrent for visitors, vendors, patients, contractors, and other third parties from carrying a firearm on the premises, written notice must be provided using the precise language stated in Sections 30.06 and 30.07 of the Texas Penal Code. We recommend the posting of signs at each entrance to the property to ensure effective notice is communicated.

Lee Rosebush Discusses Compounding Pharmacy Regulations at American Pharmacists Association Annual Meeting

BakerHostetler Partner Lee Rosebush, PharmD, JD, MBA, spoke during the session, “Compounding Medication: Are You Liable?” at the American Pharmacists Association (APhA) Annual Meeting and Exposition on March 5 in Baltimore. APhA’s conference attracts nearly 10,000 practitioners and academics in pharmacy each year.

Because compounding medication is risky business, pharmacists need to know the potential liability issues at both the state and federal levels. Rosebush discussed the hottest compounding liability topics, including laws affecting intra and interstate dispensing and distribution, the role of the U.S. Food and Drug Administration versus boards of pharmacy, office versus clinic use, and the legality and ethics of compounding products with questionable proven efficacy and safety, among other topics. Other speakers included Francis Palumbo, PhD, FAPhA, University of Maryland School of Pharmacy, and Tony Park, PharmD, JD, California Pharmacy Lawyers.

Events Calendar

April 4, 2016

Houston Partner Gregory S. Saikin will participate in a webcast, “FCPA Investigation Cooperation: Avoiding Common Mistakes,” for The Knowledge Group.

April 20, 2016

Houston Partner Lynn Sessions will participate on a panel, along with other industry experts, to discuss “Healthcare Data Breach: Another Day, Another Breach” at the 2016 Medical PL Symposium sponsored by the Professional Liability Underwriting Society in Chicago, IL.

April 21, 2016

Houston Partner B. Scott McBride will present on “False Claims Act Enforcement and Investigations” at the UT Law’s 28th Annual Health Law Conference in Houston, TX.

Washington, D.C., Partner Lee H. Rosebush will present on “Drug Pricing in Pharmacy & PBM Contracting – What Does It All Really Mean?” at the Academy of Managed Care Pharmacy (AMCP): Managed Care & Specialty Pharmacy Annual Meeting in San Francisco, CA.

April 22, 2016

Houston Partner Donna Clark will present a “Stark Update” at the UT Law’s 28th Annual Health Conference in Houston, TX.

Baker & Hostetler LLP publications are intended to inform our clients and other friends of the firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience.

Related Services