Health Law Update – March 24, 2016

Alerts / March 24, 2016

Welcome to this week's edition of the Health Law Update. In this Issue:

  • CMS Pitches Controversial Payment Model for Medicare Part B Drugs
  • Debt Collector for Affiliated Physician Group Can Rely on Patient Contact Consent Obtained by Hospital
  • Kickbacks and Commercial Bribery: Another Touchstone to Consider
  • One Week, $5.45 Million in Resolution Agreements for HIPAA Violations
  • OCR Announces Beginning of 2016 HIPAA Phase 2 Audit Program
  • Events Calendar
CMS Pitches Controversial Payment Model for Medicare Part B Drugs

By Lee H. Rosebush and Nita Garg

CMS recently announced a proposed rule that would potentially create a new Medicare Part B prescription drug payment model. The proposed model is intended to improve quality of care and deliver better value for Medicare Part B beneficiaries. However, many providers and drug manufacturers have expressed concern that the new payment model will emphasize cost-cutting measures at the expense of ensuring beneficiary access to treatment. A number of groups, including the National Cancer Care Alliance and the Prevent Cancer Foundation, are urging Congress to withdraw the proposed rule in the interest of patient care. CMS has asked for comments on the proposed rule in general and specific areas of interest. Interested parties must submit comments no later than 5 p.m. on May 9, 2016.

Medicare Part B

Unlike for most drugs covered under Medicare Part D, Medicare Part B covers prescription drugs that are administered in a physician’s office or hospital outpatient department (e.g., oncology treatments). Specifically, drugs covered under Medicare Part B typically fall into one of three categories:

  • Drugs furnished incident to a physician’s service in the office or hospital outpatient setting
  • Drugs administered via a covered item of durable medical equipment
  • Other categories of drugs explicitly identified under applicable law

Currently, Medicare Part B generally pays physicians and outpatient departments the average sales price (ASP) of the drug plus 6 percent. Some believe that doing so encourages these facilities and/or physicians to use more expensive or specialty drugs. Specifically, those physicians or facilities that use cheaper drugs are penalized because their additional 6 percent reimbursement results in less money than is reimbursed to facilities treating the same patient with a more expensive drug.

By changing the payment methodology, CMS hopes to “encourage better care, smarter spending, and healthier people by paying providers for what works, unlocking health care data, and finding new ways to coordinate and integrate care to improve quality.” Specifically, the new method would reduce the 6 percent upcharge but would add a flat fee per drug per day.

The Proposed Part B Drug Payment Model

The new payment model would take place in two phases:

Phase 1

Under the new payment model, the add-on payment would be decreased from 6 percent to 2.5 percent. However, in addition to the upcharge, physicians or hospital outpatient departments would also receive a flat fee payment of $16.80 per drug per day. This model is intended to test whether this revised payment system alters prescribing incentives and leads to improved quality and value. CMS would update the flat fee at the beginning of each year by the percentage increase in the consumer price index for medical care for the most recent 12-month period. This phase will begin in late 2016, no earlier than 60 days after the final rule on the payment model.

Phase 2

Commercial health plans, pharmacy benefit managers, hospitals, and other entities that manage health benefits and drug utilization currently use various value-based pricing tools and feedback on prescribing patterns to improve the value of drug payments. CMS has identified such tools and feedback mechanisms that may be applicable for Part B drug payments to improve the value of such payments. This phase would begin no sooner than January 1, 2017.

These proposed value-based pricing strategies include the following:

  • Discounting or eliminating patient cost-sharing. Patients are often required to pay for a portion of their care through cost-sharing. This proposed test would decrease or eliminate cost sharing to improve beneficiaries’ access and appropriate use of effective drugs.
  • Feedback on prescribing patterns and online decision support tools. This proposed test would create evidence-based clinical decision support tools as a resource for providers and suppliers focused on safe and appropriate use for selected drugs and indications. Examples could include best practices in prescribing or information on a clinician’s prescribing patterns relative to geographic and national trends.
  • Indications-based pricing. This proposed test would vary the payment for a drug based on its clinical effectiveness for different indications. For example, a medication might be used to treat one condition with high levels of success but an unrelated condition with less effectiveness, or for a longer duration of time. The goal is to pay for what works for patients.
  • Reference pricing. This proposed model would test the practice of setting a standard payment rate – a benchmark – for a group of therapeutically similar drug products.
  • Risk-sharing agreements based on outcomes. This proposed test would allow the Centers for Medicare and Medicaid Services (CMS) to enter into voluntary agreements with drug manufacturers to link patient outcomes with price adjustments.

Considerations for Affected Parties and Entities

Affected parties and entities should take advantage of the comment period, which closes May 9, 2016, to comment on specific areas of concern, including:

  • Monitoring per-patient drug usage. If CMS is concerned about reducing drug spend, will the agency also be monitoring drug usage per patient? By paying a per-drug fee, is CMS encouraging physicians to utilize drugs that previously were considered PRN (as needed for patients)? For example, will we see an increase in pain or anti-emetic medications?
  • Actual acquisition cost utilization. We note that this new methodology is not that much different from the methodology utilized in the AAC (actual acquisition cost) payment structures. Specifically, many AAC Medicaid-based programs now use the acquisition cost plus a small markup with a $10 or greater dispensing fee. By moving in this direction, is CMS showing its hand for future AAC utilization?
  • Greater recognition of pharmacist services. Will pharmacists encourage the adoption of this methodology? There has been a push for years for pharmacists to be recognized as a “practitioner” by CMS. By increasing the dispensing fee, or per-drug fee, and moving away from reimbursement based on ingredient cost, is there more recognition for the pharmacists’ services?
Debt Collector for Affiliated Physician Group Can Rely on Patient Contact Consent Obtained by Hospital

Careful drafting of consent and information release provisions can ensure that providers and affiliated physicians and their debt collectors can contact patient cell phones using automatic telephone dialing systems or artificial or prerecorded voices.

By Robert M. Wolin

The Sixth Circuit recently held that a hospital-based anesthesia group’s debt collector did not violate the Telephone Consumer Protection Act (TCPA) when it placed collection calls to patient cell phone numbers using an “automatic telephone dialing system” and an “artificial or prerecorded voice.” The TCPA prohibits making calls “using any automatic telephone dialing system or an artificial or prerecorded voice” to a cell phone number without the “prior express consent of the called party.” The Sixth Circuit held that the hospital did not violate the TCPA because the patients had given their “prior express consent” to receive collection calls on their cell phones when they provided their cell phone information to the hospital.

As part of the admission process, the patients signed consent forms covering their medical services that permitted Mount Carmel Hospital in Columbus, Ohio, to use the patients’ health information “for [as] many reasons as needed” including billing and payment and release of the health information. One consent form used was more specific and provided that the hospital was authorized to release the patients’ health information “to such employees, agents or third parties as are necessary [including] to companies who provide billing services for physicians or other providers involved in [the patients’] medical care.” Based on this consent, the hospital provided the cell phone numbers to the anesthesiologists, who in turn provided this information to the debt collector. The debt collector called the patients’ cell phone numbers, despite never having received their cell phone information directly from the patients.

The Court reviewed Federal Communications Commission (FCC) guidance on what constitutes “prior express consent.” Based on a 1992 interpretation, the Court found that the FCC interpreted “prior express consent” to include certain forms of implied consent. In particular, that “persons who knowingly release their phone numbers have in effect given their invitation or permission to be called at the number which they have given, absent instructions to the contrary.” The number, however, must be knowingly provided by patients as the one they wished to be reached at. Where a party learns of a telephone number in another way, such as by capturing it via caller ID, consent will not be deemed to have been given.

The Court then considered a 2008 interpretation by the FCC in which the agency held “that the provision of a cell phone number to a creditor (e.g., as part of a credit application) reasonably evidences prior express consent by the cell phone subscriber to be contacted at that number regarding the debt,” and that calls placed by a debt collector on behalf of a creditor will be “treated as if the creditor itself placed the call.” The FCC emphasized “that prior express consent is deemed to be granted only if the wireless number was provided by the consumer to the creditor, and that such number was provided during the transaction that resulted in the debt owed.” The 2008 Ruling “conclude[d] that the creditor should be responsible for demonstrating that the consumer provided prior express consent” and that “the burden will be on the creditor to show it obtained the necessary prior express consent.”

The Court then found that the FCC in a 2014 ruling held “that the TCPA does not prohibit a caller ... from obtaining the consumer’s prior express consent through an intermediary[.]” Finally, in 2015 the FCC stressed “that there is no one way to provide consent: ‘[N]either the Commission’s rules nor its orders require any specific method by which a caller must obtain such prior express consent ... [and] the scope of consent must be determined upon the facts of each situation[.]’ … In reiterating that callers may ‘obtain a consumer’s prior express consent through an intermediary[,]’ the FCC stated that ‘[i]mportantly, ... an intermediary can only convey consent that has actually been obtained, and cannot provide consent on behalf of another party.’ … Put differently, the context of the consent provided is critical.”

The patients argued that the FCC’s rulings did not allow the hospital to provide their cell phone numbers to another provider of services, the anesthesiologists, during the course of their business relationship with the hospital, nor did it allow the anesthesiologists to provide their cell phone numbers to a debt collector to call on its behalf. The patients’ interpretation focused on the FCC 2008 Ruling that “prior express consent is deemed to be granted only if the wireless number was provided by the consumer to the creditor.” The Sixth Circuit rejected this narrow reading of the FCC interpretation and stated that “if one provides a cell phone number to a health organization seeking medical treatment, and a provider affiliated with that health organization treats that person for the same ailment, it is normal, expected, and desired to interpret that provision of the cell phone number as an invitation for an entity affiliated with that organization to call for something arising out of one’s treatment.” “[P]rovision of a cell phone number to a hospital that then provides that cell phone number to an affiliated physicians’ group that provided medical services to a consumer arising out of the same occurrence can constitute ‘prior express consent’ under the TCPA.”

The Court then turned its attention to the question of whether consent for the hospital to use “health information” for billing and collection includes the patients’ cell phone numbers. The district court relied on the Health Insurance Portability and Accountability Act’s definitions and concluded that “health information” included “any information ... created or received by a health care provider” that “relates to ... the past, present, or future payment for the provision of health care to an individual.” Using this definition, the Court found “that the hospital’s registration forms, in which it received [the patients’] wireless numbers, constituted information related to future payment, and therefore, part of Plaintiffs’ health information.” The Sixth Circuit concurred and stated that “[c]ontact information most undoubtedly is any information that relates to a patient’s payment for care provided.”

Finally, the patients maintained that their authorization to the hospital was only valid for one year and thus did not authorize any calls to be made after this period. The Court held that a consumer may revoke consent to contact by cell phone through any reasonable means and that a one-year term limitation could in fact be a revocation of consent. However, in this case, the Sixth Circuit held that the one-year limitation was applicable only to the release by the hospital of certain kinds of information and did not preclude the collection calls.

Kickbacks and Commercial Bribery: Another Touchstone to Consider

The latest indictment confirms that fraud and abuse analysis is about more than just the federal and state healthcare anti-kickback statutes.

By Robert M. Wolin

The U.S. Attorney for the Northern District of New Jersey has just charged the 26th doctor and 39th person for accepting bribes from Biodiagnostic Laboratory Services in exchange for the wrongful referral of federal healthcare program patients. The 10-count indictment charges Dr. Bernard Greenspan, a family physician, with one count of conspiring to commit violations of the anti-kickback statute and the federal Travel Act and wire fraud. Allegations include that Dr. Greenspan had taken $200,000 in bribes over a period of years in exchange for referring patient blood tests to a Biodiagnostic lab.

The federal Travel Act seems like an odd statute to violate in connection with a Medicare lab fraud case. But upon a deeper dive, the U.S. Attorney’s logic can be seen and confirms that fraud and abuse analysis is about more than just the federal and state healthcare anti-kickback statutes. The indictment alleges that Dr. Greenspan knowingly and intentionally traveled in interstate commerce and used the mail and facilities in interstate commerce to promote and manage an unlawful activity and distribute the proceeds of the activity.

The Travel Act prohibits a person from traveling in interstate commerce, or using the mail or any facility in interstate commerce, with intent to promote, manage, establish, carry on, or facilitate the promotion, management, establishment, or carrying on of any unlawful activity or distribute the proceeds thereof. Unlawful activity includes bribery in violation of applicable state or federal laws. The U.S. Attorney alleged that Dr. Greenspan violated the New Jersey commercial bribery statute and as a result violated the federal Travel Act, 18 U.S.C. § 1952. A violation of the Travel Act carries a maximum sentence of five years in prison for commercial bribery as well as fines, in addition to any penalty that may be imposed for a separate violation of the anti-kickback statute.

Like similar state statutes, the New Jersey Commercial bribery statute prohibits a person from soliciting, giving or accepting, or agreeing to give or accept any benefit as consideration for knowingly violating or agreeing to violate a duty of fidelity to which he is subject, including as (1) an agent, partner or employee of another; (2) a physician or other professional adviser; or (3) an officer, director, manager or other participant in the direction of the affairs of an incorporated or unincorporated association. N.J.S.A. 2C:21-10. In this case, it is alleged that Dr. Greenspan accepted payments from Biodiagnostic Laboratory Services as consideration for knowingly violating or agreeing to violate his fiduciary duty to his patients as a physician. In essence, he impermissibly put his financial interests above the interests of his patients when he accepted the payments from Biodiagnostic Laboratory Services that were allegedly made to influence his conduct in relation to his patients’ laboratory referrals.

Consequently, even though an arrangement with a physician or other provider with a fiduciary duty to a patient may satisfy an exception under the federal anti-kickback statute, it is important to consider whether the arrangement complies with state commercial bribery laws. In most cases, compliance under commercial bribery laws can be achieved through proper disclosure to the patient.

One Week, $5.45 Million in Resolution Agreements for HIPAA Violations

By Lynn Sessions and Suchismita Pahi

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) continued its run of resolution agreements for HIPAA violations, pulling in $5.45 million from just two entities, North Memorial Health Care of Minnesota (NMHCM) and the Feinstein Institute for Medical Research (Feinstein), in a single week. The resolution agreements emphasize that business associate agreements and security risk analyses are “major cornerstones” of the HIPAA rules, and research institutions working with patient information are held to the same standards as covered entities for protecting patient data. Judging from these resolution agreements and our work with the OCR in its investigations, the OCR considers business associate agreements and security risk analyses as “low-hanging fruit” for covered entities’ HIPAA compliance.

The NMHCM Settlement

On March 16, 2016, NMHCM agreed to pay $1.55 million for failing to enter into a business associate agreement with a major contractor, Accretive Health, a hospital revenue cycle management company, for seven months and for failing to conduct an organization-wide risk analysis to address risks and vulnerabilities to patient information. The OCR investigation followed a report by NMHCM of the theft of a laptop from the locked vehicle of an Accretive Health employee. Accretive Health, as the business associate, had access to NMHCM’s hospital database, which contained the protected health information (PHI) of 289,904 patients. The stolen laptop was password protected but unencrypted and contained the PHI of approximately 9,497 NMHCM patients.

The Feinstein Settlement

Feinstein, a biomedical research institute sponsored by Northwell Health Inc., a large health system consisting of 21 hospitals and over 450 patient facilities and physician practices, agreed to pay $3.9 million related to a breach report submitted to OCR in 2012. Feinstein reported the theft of a laptop containing PHI of approximately 13,000 patients waiting to participate in a research study.

OCR’s investigation concluded that Feinstein failed to conduct a risk analysis and implement the following:

  • Policies and procedures for workforce access to electronic PHI (ePHI)
  • Physical safeguards for laptops containing ePHI to restrict access by unauthorized users
  • Policies and procedures that govern receipt and removal of hardware and electronic media containing ePHI into and out of a facility and movement within a facility
  • A mechanism to encrypt ePHI, or alternatively document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to safeguard ePHI.
OCR Announces Beginning of 2016 HIPAA Phase 2 Audit Program

By Paulette M. Thomas

The OCR recently announced the beginning of the next phase of the HIPAA Privacy, Security, and Breach Notification Audit Program and indicated that it will review the policies and procedures implemented by covered entities and business associates to comply with the HIPAA Privacy, Security, and Breach Notification Rules. During the upcoming months, OCR will contact selected covered entities and business associates by email, informing them of the desk audit and requesting documents and data. Entities will have 10 business days to provide requested information via a new secure audit portal available on the OCR website.

A wide range of covered entities are being identified by OCR to better assess HIPAA compliance across the industry. Covered entities and business associates will be selected based on entity size, affiliation with other healthcare organizations, type of entity and its relationship to individuals, geographic factors, and whether the organization is public or private. OCR indicates that it will not audit an entity that currently has an open complaint investigation or is undergoing a compliance review, according to the OCR. However, if an audit identifies serious compliance issues, OCR may initiate a compliance review of the entity.

Covered entities need to be aware that OCR will contact the covered entity by email to request contact information and to disclose identity of the covered entity’s business associates. If the entity does not respond to OCR’s request, OCR will obtain information that is publicly available. Covered entities that do not complete the requested contact information may still be selected for an audit or subject to a compliance review.

OCR will review the desk audit information and provide a draft report of its findings to the entity. The entity will have 10 business days to review and provide comments to OCR, which will be included in the final report. Thereafter, OCR will complete the final report within 30 business days and provide it to the entity.

Desk audits are slated for completion by the end of December 2016. Although the majority will be desk audits, OCR indicates it will conduct on-site audits, and some desk audits may subsequently become on-site audits. The entity will be notified by email if it is selected for an on-site audit, and OCR estimates the audit will take place over three to five days, depending on the size of the entity. The entity will receive a draft report from OCR, and have 10 business days to review and provide comments, which will be included in the final report. Thereafter, OCR will complete the final report within 30 business days and provide it to the entity.

OCR intends to use the information gleaned from the audits to develop technical assistance and tools to assist entities in achieving compliance and in preventing breaches. OCR will update and post the audit protocol to its website whereby entities can use the tool to conduct their own self-audits.

For information pertaining to areas of compliance concern and a HIPAA Audit Checklist, please refer to our previous blog post: OCR HIPAA Phase 2 Audits Coming Soon. Be Prepared.

Events Calendar

April 4, 2016

Houston Partner Gregory S. Saikin will participate in a webcast, “FCPA Investigation Cooperation: Avoiding Common Mistakes,” for The Knowledge Group.

April 20, 2016

Houston Partner Lynn Sessions will participate on a panel, “Healthcare Data Breach: Another Day, Another Breach,” along with other industry experts, at the 2016 Medical PL Symposium sponsored by the Professional Liability Underwriting Society in Chicago, IL.

April 21, 2016

Houston Partner B. Scott McBride will present on “False Claims Act Enforcement and Investigations” at the UT Law’s 28th Annual Health Law Conference in Houston, TX.

Washington, D.C., Partner Lee H. Rosebush will present on “Drug Pricing in Pharmacy & PBM Contracting – What Does It All Really Mean?” at the Academy of Managed Care Pharmacy (AMCP): Managed Care & Specialty Pharmacy Annual Meeting in San Francisco, CA.

April 22, 2016

Houston Partner Donna Clark will present a “Stark Update” at the UT Law’s 28th Annual Health Conference in Houston, TX.

May 5, 2016

Washington, D.C. Partner Lee H. Rosebush will co-lead a table discussion on “Compounding and Drug Pricing” at the FDLI Annual Conference in Washington, D.C.

Baker & Hostetler LLP publications are intended to inform our clients and other friends of the firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience.

Related Services