Compliance: Reporting Overpayments and the 60-day Clock

On August 3, 2015, a federal judge in New York issued an important opinion regarding the False Claims Act and what it means to “identify” an overpayment for purposes of starting the 60-day clock in which Medicare and Medicaid overpayments must be returned. The decision underscores the importance of taking overpayment allegations seriously, and makes clear that deliberate ignorance is not a viable defense. Providers should take note of this decision, and update their compliance plans accordingly.

The case, Kane v. Healthfirst, et al., arose out of a software glitch in a managed care company’s billing system. The glitch caused providers to submit additional bills to secondary payors, above and beyond what is permitted under the New York Medicaid program. Eventually, the managed care company identified the glitch, and alerted its contracted providers, including the hospital, to the problem. The hospital tasked an employee, Mr. Kane (who eventually became the relator), with investigating the issue. Mr. Kane identified approximately 900 claims that could be affected by the software glitch, and stated that “further analysis would be needed to confirm his findings.” Shortly thereafter, Mr. Kane was terminated.

Subsequently, the hospital reimbursed the State of New York for five improperly submitted claims, but did nothing with Mr. Kane’s analysis or the rest of the claims for two years. The DOJ alleged that this delay violated the Affordable Care Act requirements that Medicare/Medicaid overpayments must be reported and returned within 60 days of the date “on which the overpayment was identified.” Failure to comply with such a requirement constitutes a violation of the False Claims Act.

The instant action centers upon what it means to “identify” an overpayment. The term “identify” was not defined by Congress in the Affordable Care Act. The DOJ argued that the hospital acted intentionally or recklessly and “fraudulently delay[ed] its repayments for up to two years after [the hospital] knew of the extent of the overpayments.” The hospital, on the other hand, argued that Kane’s email only provided notice of potential overpayments, and did not identify actual overpayments so as to trigger the 60-day clock.

Ultimately, the district court rejected the hospital’s position, and concluded that identification occurs when health care providers are “put on notice” of potential overpayments. For providers, this means that when you receive information which suggests that an overpayment(s) may exist, you need to take action. Further, this action should be documented in an organized manner specifying the actions being taken to track down the overpayment. While it is yet to be seen whether such efforts could serve as a defense, the decision of the district court suggests that good intentions could be a viable defense.

For more information regarding the False Claims Act or related compliance issues, please contact Dan O’Brien or any member of our health care practice group.

CMS Proposed Stark Law Revisions

On July 15, 2015, the Centers for Medicare and Medicaid Services (“CMS”) published proposed revisions to the regulations implementing the physician self-referral law, or Stark Law.

The Stark Law is a key regulatory scheme in the healthcare industry that governs relationships between physicians and the providers to whom they refer certain designated health services. In order to receive Medicare reimbursement for these services, all financial relationships between providers and the referring physician must satisfy a statutory or regulatory exception to the Stark Law. These exceptions are complex and very technical, and providers who fail to fully comply with the Stark Law’s many requirements can be subjected to significant penalties and other sanctions.

Many of CMS’ proposed revisions appear designed to reduce the burden of some of these technical requirements. In addition, CMS is proposing several new exceptions. If enacted, these will be some of the most significant changes to the Stark Law in years.

Highlights of the proposed revisions include the following:

  • Contractual requirements. Many of the Stark Law exceptions require the relationship between the parties to be “set out in writing” or be pursuant to a “written agreement.” CMS is proposing to revise all exceptions to contain the same language, using the phrase “arrangement.” CMS has further clarified that the “arrangement” does not have to be a formal, written contract, and the exceptions can potentially be satisfied by multiple documents evidencing the course of conduct between the parties.
  • Recruitment of Nonphysician Practitioners (NPPs). CMS is proposing a new exception that would allow hospitals and other providers to provide recruitment support for nurse practitioners and other NPPs. Previously, this support had only been allowed for physicians.
  • Timeshare Arrangements. CMS is proposing a new exception that would allow providers to enter into timeshare arrangements with physicians for the use of office space, equipment, personnel, supply and other services.
  • Standardized language. CMS is proposing to standardize the use of certain phrases throughout the regulations. As described above, various references to “contracts” or “writings” will now be uniformly replaced with the term “arrangement.” In addition, all references to the volume or value of referrals between parties will use the phrase “takes into account.”
  • Holdovers. Under the proposed regulations, parties may continue to provide services under leases and personal service agreements that have technically expired for an indefinite period without violating the Stark Law. Previously, providers could only do so for six months.
  • Signature Requirements. Under the proposed regulations, contracts could be signed up to 90 days after services started and be considered compliant with the Stark Law. Previously, the period was only 30 days in most circumstances.
  • Term Requirements. Many of the exceptions to the Stark Law require the parties to have an agreement for at least one year. CMS is clarifying that the contract or agreement between the parties does not have to have an explicit one-year term, so long as the relationship does in fact last one year.  CMS is continuing the requirement that if an agreement is terminated prior to the one year term, the parties cannot enter into a similar agreement until that one-year period is up.

Providers who may be impacted by these proposed changes are encouraged to submit comments to CMS. Comments may be submitted electronically here and should be received by September 8, 2015.

Benesch is preparing an in-depth client alert analyzing the potential impact of these regulations. If you have questions regarding the scope and impact of these proposed regulations in the meantime, please contact any member of the Benesch Health Law team.

HIPAA and Jason Pierre-Paul’s Medical Chart – Setting the Record Straight

Last night, ESPN reporter Adam Schefter tweeted a photo of New York Giants defensive end Jason Pierre-Paul’s medical chart, which indicated that Pierre-Paul had his index finger amputated. The amputation was apparently the result of a fireworks accident on the Fourth of July. Prior to Schefter’s report of the amputation, the injury was already a major offseason story for the NFL, as Pierre-Paul is a Pro Bowler, and initial reports indicated that the New York Giants withdrew an outstanding $60 million contract offer as a result of the Fourth of July injury.

Football aside, the Pierre-Paul story is yet another example of a celebrity patient’s medical information being disclosed to the media. Right now, the internet is ablaze with news stories and comments suggesting that Adam Schefter and/or ESPN violated HIPAA by posting a copy of Pierre-Paul’s medical chart. Despite the public outcry, this view highlights a fundamental misunderstanding of HIPAA and its prohibitions. Adam Schefter and/or ESPN are not the ones that should be concerned about a HIPAA violation – the hospital and its employee(s) that leaked Pierre-Paul’s medical chart, however, should be.

At its most basic level, HIPAA provides certain federal protections for protected health information (“PHI”) held by covered entities and their business associates. The definition of a “covered entity” includes health care providers, health plans, and health care clearinghouses. See 45 C.F.R. 160.103. A “business associate,” in turn, is generally defined to include a person or entity that creates, receives, maintains or transmits PHI on behalf of a covered entity. Id.

Clearly, neither ESPN nor Adam Schefter constitutes a covered entity or business associate. Absent evidence of a conspiracy with hospital employees to obtain the documents in violation of HIPAA, ESPN and Adam Schefter should be in the clear with respect to HIPAA. On the other hand, unless Pierre-Paul appropriately authorized the disclosure of his medical chart, the hospital and its employee(s) that leaked the medical chart to Adam Schefter could face significant civil and/or criminal penalties in connection with a HIPAA violation.

It is also important to note that although HIPAA does not authorize a private right of action (meaning that only the Department of Health and Human Services Office of Civil Rights or State Attorneys General can enforce HIPAA), private individuals have had some success with lawsuits alleging state law privacy violations that utilize HIPAA to establish the standard of care.

For additional information regarding HIPAA, please contact Dan O’Brien, Cliff Mull, or any other member of Benesch’s Health Care Department.

HHS Revises, Delays Medicare Enrollment Requirements for Part D Prescriptions

The Affordable Care Act authorized the Department of Health and Human Services (HHS) to require a physician, dentist or other healthcare provider to be enrolled in the Medicare program before they can issue a prescription covered by Medicare Part D.

Regulations implementing this requirement were first issued by HHS in 2014 and scheduled to go into effect June 1, 2015, with an enforcement delay until December 1, 2015.  Under the regulations, HHS required all providers to either formally enroll in, or officially opt out of, the Medicare program in order to issue a covered prescription to a Medicare Part D beneficiary.

These regulations will have the greatest impact on healthcare providers, such as dentists, whose services are generally not covered under Medicare but who may still issue prescriptions to Medicare beneficiaries.  These providers have historically neither formally enrolled in nor opted out of the Medicare program, because they never provided services which were eligible for Medicare reimbursement.

The provider community objected that these regulations would create an undue burden on providers who had never been subject to Medicare enrollment requirements and would limit beneficiaries’ access to needed pharmaceuticals. For example, a prescription for a painkiller or antibiotic issued to a patient by a dentist would no longer be covered if the dentist had not met these new enrollment requirements. The patient would have to pay for the full cost of the drug and, if they could not afford to do so, might not receive needed pharmaceutical care.

In response, HHS released revised regulations on May 6, 2015. These revisions include a delayed effective date of January 1, 2016. In addition, Medicare Part D plans must now provide provisional coverage of a drug prescribed by a provider who does not meet the enrollment/opt out requirements. The provider will then have up to 3 months to either enroll or formally opt out of Medicare, allowing the prescription to be covered back to the original date.

Providers who have not yet enrolled in or opted out of Medicare have four options to consider:

  1. Take no action.  The provider can still issue prescriptions – but Medicare Part D beneficiaries will be required to pay the full cost of the prescription or find an alternate provider.
  2. Enroll as a Medicare provider.  Dentists and other healthcare professionals are eligible for Medicare enrollment, even if they never provide Medicare-covered services.
  3. Enroll in Medicare as an ordering/referring provider (ORP).  This is a limited enrollment category.  An ORP is allowed to order Medicare-reimbursable services, including prescriptions, but is not eligible for Medicare reimbursement for any services they provide directly.
  4. Opt out of Medicare.  Providers can formally opt out of Medicare by filing an affidavit with the appropriate Medicare contractor.

Each option has pros and cons that should be weighed carefully before a decision is made.  If you have any questions regarding Medicare provider enrollment or opting out of the Medicare program, please contact the Benesch Health Care group.

CareFirst, Third Major Health Insurer This Year To Be Hit By Cyberattack

On May 20, 2015, CareFirst BlueCross BlueShield (“CareFirst”) announced that it was the latest victim of a major cyberattack, with as many as 1.1 million plan customers affected.  Current and former CareFirst members and individuals who do business with CareFirst online who registered to use CareFirst’s websites prior to June 20, 2014 are impacted by this event.

CareFirst said that although the hackers may have acquired customer names, email addresses, birthdates, customer-created user names and subscriber identification numbers, they did not obtain sensitive financial or medical information like Social Security numbers, medical claims, credit card or employment information or passwords associated with the user names.  The company has stated that those affected by the cyberattack will be provided two free years of credit monitoring and identity theft protection.

As an explanation of how CareFirst learned of the breach, Chet Burrell, CareFirst’s chief executive, said that after cyber attacks on other insurers earlier this year, he created a task force to review the company’s information technology systems.  CareFirst then hired Mandiant, a division of FireEye, to perform a forensic review of its systems.  Last month, Mandiant determined a breach had occurred in June 2014 allowing unauthorized access to a single database with the information listed above.

Just hours after the announcement of the breach, class action law firms were already investigating the circumstances of the breach and seeking plaintiffs who may have been affected.  Now that state claims may be brought based on HIPAA as a standard of care, the suits will likely consider potential harm due to the disclosure and whether CareFirst adequately protected the information and provided timely notice.  These are the same types of claims brought in the numerous class action lawsuits after the Anthem cyber-attack in February 2015.

The cyber-attack and pending lawsuits should serve as a reminder for healthcare companies to review and properly implement their HIPAA privacy and security policies and procedures.  For more information on HIPAA, health care compliance or related issues, please feel free to contact Daniel Meier or any member of our health care practice group for a further discussion.

Medicare Part B Reimbursement After the SGR Repeal

On April 16, 2015, President Barack Obama signed into law the Medicare Access and CHIP Reauthorization Act of 2015 and thereby repealed the sustainable growth rate (“SGR”) Medicare Part B provider reimbursement methodology, represented by the Physician Fee Schedule that had been in place for nearly twenty years. SGR reimbursement was originally intended to control Medicare costs by keeping provider reimbursement proportionate to America’s overall economic growth. This was to be accomplished by setting reimbursement ceilings and then cutting reimbursement when those ceilings were exceeded in a given year. Historically, rather than instituting these cuts as planned, Congress repeatedly delayed the reimbursement reductions through short-term legislative patches.

This pattern of emergency stop-gap measures ended on April 16, 2015 when, in an uncharacteristically bipartisan move, Congress permanently repealed and replaced the SGR. This revised reimbursement formula includes:

  • eliminating delayed reimbursement rate reductions under the SGR;
  • from 2015 – 19, increasing reimbursement rates by 0.5%;
  • from 2020 – 25, freezing reimbursement rates; and
  • from 2026 – forward, instituting annual reimbursement rate increases based upon provider participation in one of two provider risk-sharing arrangements: (1) the Merit-Based Incentive Payment System (“MIPS”) provides for a 0.25% annual increase; or (2) Alternative Payment Models (“AMP”) provides for a 0.75% annual increase.

Both incentive programs incorporate value-based payments beginning in 2019. First, MIPS combines and replaces existing incentive programs and provides a payment adjustment to fee-for-service reimbursement based upon a composite score made up of four categories: (1) Quality; (2) Resource Use; (3) Clinical Improvement; and (4) EHR Use. Second, AMP participants will receive a bonus payment of 5% of annual reimbursement in exchange for generating sufficient revenue through qualified risk-sharing payment models, such as Accountable Care Organizations and Medical Homes.

The SGR repeal is funded by reductions in Medicare payments to hospitals and post-acute care providers, elimination of first-dollar Medigap coverage, and increases to Medicare premium cost-sharing for high income beneficiaries. Despite these cuts, the Congressional Budget Office estimates that the legislation will still add a grand total of $141 billion to the Federal deficit.

The elimination of the SGR provides some enduring stability following years of uncertainty.  After repeated, temporary SGR legislative fixes, the legislation eliminating the SGR and instituting the replacement reimbursement methodology represents a bipartisan effort to transition Federal health care program reimbursement away from traditional fee-for-service arrangements and into a new era of value-based payments. Consistent with trends in the health care industry at-large, and the Federal health care programs in particular, providers seeking meaningful reimbursement increases through Medicare Part B under the revised reimbursement methodology must meet quality metrics, whether through an incentivized fee-for-service model or through participation in alternative payment mechanisms.

For more information on health care reimbursement trends, please contact a member of Benesch’s health care team.

Guidance Released for Health Care Governing Boards

On April 20, 2015, the Office of Inspector General (the “OIG”) of the U.S. Department of Health and Human Services, the Association of Healthcare Internal Auditors, the American Health Lawyers Association, and the Health Care Compliance Association published a first-of-its-kind guide entitled “Practical Guidance for Health Care Governing Boards on Compliance Oversight.”

The guide is intended to assist governing boards of health care organizations (“Boards”) to create and carry out compliance programs. The guide addresses issues relating to a Board’s oversight and review of compliance program functions, including: (1) the roles of, and relationships between, the organization’s audit, compliance, and legal functions; (2) the mechanism and process for issue-reporting within an organization; (3) the approach to identifying regulatory risks; and (4) methods of encouraging organization-wide accountability for achievement of compliance goals and objectives.

The guide encourages Boards to create benchmarks using publicly available resources, such as the Federal Sentencing Guidelines, the OIG’s voluntary compliance program guidance, and OIG Corporate Integrity Agreements.  Although there is no such thing as a “one size fits all” compliance program, these resources can be helpful in creating a program tailored to each organization’s needs.

While recognizing that not all organizations will possess the resources to support the structure in its entirety, the guide recommends creating corporate charters that address the following functions: (1) compliance; (2) legal; (3) internal audit; (4) human resources; and (5) quality improvement. Boards should continuously evaluate the effectiveness of these charters.

The guide also encourages Boards to ensure proper reporting mechanisms are in place within the organization. If managers or other individuals within the organization are not held responsible for reporting compliance concerns to the Board, the Board will not have a complete picture of the adequacy and effectiveness of the organization’s compliance atmosphere. Therefore, Boards should consider scheduling regular sessions to hear from the organization’s management about the organization’s utilization of compliance, legal, internal audit, and quality functions.

Identifying risk areas is an integral part of any organization’s compliance program. Boards can identify high risk areas from internal and external sources. The guide recommends tracking industry trends to identify risk areas, as new payment models can lead to new incentives and new compliance concerns.

Finally, the guide recommends encouraging accountability within an organization along with compliance. Many organizations have tied an employee’s performance assessment and other incentives to adherence to the organization’s compliance program to emphasize and encourage individual accountability.

The entire guide is available on the OIG’s website. For more information on health care compliance programs, please contact any member of Benesch’s health care practice group.