Articles Posted in Compliance

Published on:

On September 30, 2021, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued guidance to help consumers, businesses, and healthcare entities understand when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule applies to disclosures and requests for information about an individual’s COVID-19 vaccination status. As a preliminary note, the guidance reminds readers that the HIPAA Privacy Rule does not apply to employers or employment records. The Privacy Rule only applies to HIPAA covered entities, which include health plans, healthcare clearinghouses, and healthcare providers that conduct standard electronic transactions and, in some cases, to their business associates.

The guidance initially answers a highly popular and controversial question in light of the COVID-19 pandemic. According to the OCR guidance, the HIPAA Privacy Rule does not prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine. Because individuals or entities such as businesses are not covered entities, the Privacy Rule generally does not apply to them. The Privacy Rule does not regulate the ability of covered entities and business associates to request information from patients or visitors. Rather, the Privacy Rule regulates how and when covered entities and business associates are permitted to use and disclose protected health information (PHI), for example COVID-19 vaccination status, that covered entities and business associates create, receive, maintain, or transmit. In the opposite direction, the Privacy Rule does not prevent customers or clients of a business from disclosing whether they have been vaccinated. The Privacy Rule does not apply to individuals’ disclosures about their own PHI.

The guidance proceeds to inform readers that employers are not prohibited under the Privacy Rule from requiring employees to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties. Generally, the Privacy Rule does not regulate what information can be requested from employees as part of the terms and conditions of employment that an employer may impose on its employees. However, other federal or state laws address terms and conditions of employment. Federal anti-discrimination laws generally do not prevent an employer from choosing to require that all employees physically entering the workplace be vaccinated against COVID-19 and provide documentation or other confirmation that they have met this requirement. Under the Americans with Disabilities Act (ADA), documentation or other confirmation of vaccination must be kept confidential and stored separately from the employee’s personnel files. Similarly, the Privacy Rule does not prohibit a covered entity or business associate from requiring its employees to disclose to their employers or other parties whether employees have received a COVID-19 vaccine. The Privacy Rule also generally does not apply to employment records, including employment records held by covered entities and business associates acting in their capacity as employers.

Published on:

The Department of Justice (DOJ) recently announced a plea agreement regarding an alleged $73 million scheme to defraud Medicare that illustrates some of the pitfalls of compliance with the Anti-Kickback Statute (AKS). DOJ alleged that the owners of a clinical laboratory, Panda Conservation Group, LLC, and a telemedicine company, 1523 Holdings LLC, conspired to pay kickbacks in exchange for work arranging telemedicine providers to order genetic testing at Panda’s laboratories. While the parties had an agreement for IT and consultation services, DOJ alleged that this contract was a “sham” to hide the kickback payments and that the telemedicine company abused temporary, pandemic-responsive amendments to telehealth restrictions to refer beneficiaries to the laboratory for expensive and medically unnecessary cancer and cardiovascular genetic testing.

The Anti-Kickback Statute (42 U.S.C. § prohibits a person from knowingly offering, paying, soliciting, or receiving anything of value to induce or reward referrals for services covered by a Federal Healthcare Program. A Federal Healthcare Program is any program that provides health benefits, whether directly or through insurance, which is funded by the United States Government or any State health care program. A violation of the Anti-Kickback Statute is a criminal offense and can carry severe penalties, including fines, prison sentences, and potential exclusion from participation in Federal Healthcare Programs in the future.

Since some referrals are necessary to optimize patient care, the Statute provides exceptions called “safe harbors” that permit certain arrangements that follow specific requirements. In the event an arrangement does not meet a safe harbor requirement, the arrangement will be considered on a case-by-case basis. Special care must be taken to structure arrangements to comply with the AKS and its safe harbors.

Published on:

As part of the 2022 Medicare Physician Fee Schedule Proposed Rule, the Centers for Medicare & Medicaid Services (CMS) has proposed to significantly expand its authority to deny or revoke a provider’s or supplier’s Medicare billing privileges.

First, CMS proposed to modify the conditions that it considers when determining whether to revoke a provider for an “abuse of billing privileges.” CMS currently has the authority to revoke a provider’s or supplier’s enrollment for an “abuse of billing privileges,” defined as a pattern or practice of submitting claims that do not meet Medicare requirements. CMS has previously asserted that as few as three non-compliant claims can constitute such a pattern. However, in the current proposal, CMS expressed concern that the existing factors it uses to make such a determination may prevent it from acting against providers or suppliers who enroll in Medicare and engage in short-term periods of high-volume, non-compliant billing. CMS proposed to revise one factor, the percentage of submitted claims that were denied, to instead focus on the percentage of claim denials out of claim submissions during a limited period, such as a single month. CMS also proposed to remove three factors the agency deems largely irrelevant to determining the existence of a pattern or practice of improper billing. Specifically, the agency proposed to remove factors that focus on the reason for the claim denial, the length of time over which the pattern has continued, and the length of time a provider or supplier has been enrolled in Medicare. CMS proposed one new factor that considers the type of improper billing along with any aggravating or mitigating conditions in each case.

CMS also proposed to expand its authority to deny or revoke a provider’s or supplier’s enrollment if any healthcare, administrative, or management services personnel furnishing services payable by any federal health care program, such as a billing specialist, accountant, or human resources specialist, is excluded by the OIG. CMS asserted that this proposal would align its authority with a 2013 OIG Special Advisory Bulletin prohibiting a provider or supplier from employing excluded individuals to furnish management or administrative services payable by any federal health care program.

Published on:

Significant changes could be coming to dentistry if dental benefits are added to Medicare. A proposal, currently before Congress as part of a large budget bill, would do just that. If this proposal becomes law and Medicare begins to cover dental benefits, it would likely have major implications on the practice of dentistry, both administratively and financially.

While some Medicare Part C (Medicare Advantage) plans cover dental benefits, original Medicare, which is administered in a very different manner, does not. While Medicare Part C plans are administered by private insurers, original Medicare is administered by a myriad of federal contractors that are overseen by the Centers for Medicare & Medicaid Services (CMS). For dental providers accustomed to dealing with private insurers and Part C plans, interacting with Medicare may present new challenges. An experienced healthcare attorney can be key to navigating the regulatory and business challenges of Medicare compliance.

First, dental practices would likely come under the purview of the Medicare contractors. These contractors handle Medicare enrollments, claims processing, data analysis, audit and claims review, program integrity, and a myriad of other functions. Some decisions regarding Medicare-enrolled providers are made by contractors and some by CMS, although it is not always clear which. Most decisions, including enrollment decisions and claims denials, are subject to a multi-level appeal process. Dental practices familiar with the business motivations of private insurers may be surprised by the sometimes-uncompromising nature of decisions made by CMS and its contractors. For example, unlike an overpayment demand by a private insurer, a Medicare overpayment demand can rarely be negotiated.

Published on:

Demonstrating its commitment to audit Provider Relief Fund (PRF) recipients, the Department of Health and Human Services (HHS) has hired several outside contractors to provide audit or program integrity services relating to the PRF. The PRF is a $175 billion fund created by Congress through the CARES Act and administered by HHS (and its sub-agency the Health Resources and Services Administration or HRSA) to provide financial relief to healthcare providers during the COVID-19 pandemic. HHS has subdivided the PRF into various general and targeted distributions. These distributions were paid to providers in several waves between April 2020 and the present.

Publicly available contracts provide a glimpse into HHS’s actions regarding the PRF. Over the last year, HHS has contracted with KPMG to provide “program integrity support,” Kearney & Company to provide “PRF Audit support services,” and Creative Solutions Consulting to provide “audit and financial review services.” Combined, HHS has committed approximately $5.5 million to these contracts. Reports indicate HHS has hired PricewaterhouseCoopers and Grant Thornton, as well.

Although HHS’s retention of contractors is nothing new, these agreements signal to providers that HHS is not taking PRF reporting lightly. Providers who received and retained payments through the PRF are required to file reports justifying their use of the funds and documenting their compliance with the terms and conditions of the payments. Providers must report information on healthcare-related expenses attributable to coronavirus, lost revenue attributable to coronavirus, other pandemic assistance received, and administrative data. Providers who received more than $500,000 in aggregate payments are required to report some data elements in greater detail, including specific information regarding operations, personnel, supplies, equipment, facilities, and several other categories. Thus, some providers will be required to report significant amounts of financial information in considerable detail.

Published on:

According to data from the Pharmacy Audit Assistance Service (PAAS) National, the COVID-19 Public Health Emergency (PHE) has negatively affected pharmacies navigating audits by Pharmacy Benefit Managers (PBMs). PBMs are companies that are primarily responsible for developing and maintaining drug formularies, contracting with pharmacies, negotiating discounts and rebates with drug manufacturers, and processing and paying prescription drug claims. PBMs manage prescription drug benefits on behalf of health insurers, Medicare Part D drug plans, large employers, and other payers. PBMs routinely conduct audits on member pharmacies in order to monitor pharmacies’ performance and identify alleged improper payments made to the pharmacies. However, PBMs have been criticized for overstepping those audit functions by utilizing audits as a source of revenue for themselves at the expense of independent pharmacies and patients.

In response to the PHE, many state insurance agencies and PBMs themselves suspended in-person audits in 2020 and shifted to virtual audits. The virtual nature of a PBM audit means pharmacies are responsible for a greater workload because they must complete tasks that would normally be completed by a PBM during a field audit. For example, pharmacies must locate, organize, and deliver hundreds of pages of documents and records in compliance with PBMs’ standards, while managing the day-to-day pharmacy operations. Although virtual PBM audits allow benefit managers to review more pharmacy claims than during traditional in-person audits, they also allow them to potentially deny more claims than before.

According to PAAS National, even though the number of pharmacy audits in 2020 declined nearly 14% year over year, the overall number of prescriptions reviewed increased by 40%. PAAS data also shows that the average audit in 2020 cost pharmacies $23,978, which is 35% more than the annual average over the previous five years. This data further implies that pharmacies are shouldering more of the administrative burden of responding to audits in addition to the task of pursuing a subsequent appeal where the PBM denies claims during an audit.

Published on:

The August 12, 2021 issue of the Medical Learning Network (MLN) Connects newsletter indicates that CMS is planning to resume the Targeted Probe and Educate (TPE) audit program. CMS temporarily suspended pre-payment reviews under the TPE program in response to the COVID-19 public health emergency (PHE) in March 2020. While CMS authorized Medicare Administrative Contractors (MACs) to resume post-payment audits in August 2020, TPE pre-payment reviews generally remained suspended.

The MLN Newsletter does not offer specific information as to when CMS will officially resume TPE audits. The Newsletter also does not indicate whether CMS will focus on new TPE audits or whether the agency intends to resume existing TPE reviews that were suspended at the beginning of the PHE. In a June 2021 Q&A by Palmetto GBA, one of the MACs, Palmetto stated that they “do not have an expected date for TPE to return.” Other MACs have yet to update their websites to reflect CMS’s announcement. However, it appears CMS has given the MACs the go-ahead to resume paused TPE reviews and initiate new reviews.

A TPE review consists of up to three rounds of claims review, with education to the provider after each round. A provider or supplier navigating a TPE review should take care to comply with the program’s requirements and timelines and should be aware of the potential consequences of a review. A TPE review can take months or years to resolve and can have devastating impacts on a provider’s business, up to and including revocation of Medicare billing privileges and placement on the CMS Preclusion List. Closely monitoring the process of the TPE review can be critical to a successful resolution. For more information about TPE reviews, please see our previous blog on Responding to a Targeted Probe and Educate Review.

Published on:

The Pharmaceutical Research and Manufacturers of America (PhRMA) issued an updated August 2021 Code on Interaction with Health Care Professionals, which takes effect January 1, 2022. Section 7 of the PhRMA Code’s guidance on speaker programs largely echoes a Special Fraud Alert regarding health care speaker programs which was issued by the Department of Health and Human Services’ (HHS) Office of Inspector General (OIG) in November 2020. The focus here is on programs where health care professionals (HCPs) participate in company-sponsored speaker programs in order to help educate and inform other health care professionals about the benefits, risks, and appropriate uses of company medicines. Similar to the Special Fraud Alert, the PhRMA Code raises significant concerns about companies offering or paying remuneration (and HCPs soliciting or receiving remuneration) in connection with speaker programs in violation of health care fraud and abuse laws, such as the Anti-Kickback Statute.

A primary focus of the PhRMA Code’s speaker program guidance involves situations where attendees of such programs are offered meals incident to attendance. In general, the Code explains that incidental meals of modest value may be offered to attendees of company-sponsored speaker programs, subject to some non-exhaustive principles. The purpose of the speaker program should be to present substantive educational information designed to help address a bona fide educational need among attendees, taking into account recent substantive changes in relevant information or the importance of the availability of such educational programming. According to the PhRMA Code, only those with a bona fide educational need for the information should be invited and incidental meals furnished to attendees must be modest as judged by local standards, as well as subordinate in focus to the educational presentation. Companies should not pay for or provide alcohol in connection with the speaker program. Speaker programs should occur in a venue and manner conducive to informational communication, and a company representative should be physically present. Luxury resorts, high-end restaurants, and entertainment, sporting, or other recreational venues or events are cautioned against. Repeat attendance at a speaker program on the same or substantially the same topic is generally not appropriate, unless the attendee has a bona fide educational need to receive the information presented, including attendance by speakers as participants after speaking at such programs. Friends, significant others, family members, and other guests of a speaker or an invited attendee are not appropriate attendees unless such individuals have an independent, bona fide educational need to receive the information presented. Notably, the PhRMA Code does not address attendance at a speaker program that does not include an incidental meal to the attendee.

The PhRMA Code also sets out four general principles that apply to companies’ retention of HCPs as speakers at company-sponsored speaker programs. First, HCPs may be engaged by companies as speakers for company-sponsored speaker programs to help educate and inform other HCPs who have an independent, bona fide educational need to receive information about the benefits, risks, and appropriate uses of company medicine and related disease states. Second, company decisions regarding the selection or retention of HCPs as speakers should be made based on defined criteria such as general medical expertise, reputation, knowledge, experience regarding a particular therapeutic area, and communication skills. Third, HCPs engaged by the company as speakers should also participate in company-sponsored speaker training programs because the Food and Drug Administration (FDA) holds companies accountable for the presentation of their speakers. Finally, any compensation or reimbursement made to HCPs in conjunction with a speaking arrangement (including company-sponsored speaker training) should be reasonable, based on fair market value, and should not take into account the volume or value of past business that may have been, or potential future business that could be, generated for the company by the HCP. The PhRMA Code further cautions companies and speakers to be clear about the distinction between health care professional speaker programs and continued medical education programs. Health care providers should keep these guidelines in mind when designing company-sponsored HCP speaker programs.

Published on:

On July 6, 2021, the U.S. Court of Appeals for the D.C. Circuit issued a 2-1 opinion in Judge Rotenberg Education Center v. FDA that overturned the Food and Drug Administration’s (FDA) ban on the use of electric shock medical devices for particular purposes because the FDA is prohibited from regulating the practice of medicine. The Judge Rotenberg Education Center (Center) is a facility in Massachusetts that treats patients with severe behavioral conditions and intellectual disabilities. The Center manufactures its own electric stimulation device, known as a graduated electronic decelerator, and is the only facility in the country that uses electric shock therapy to treat individuals who severely self-injure or are aggressive. The Center admits patients that other facilities could not successfully treat, and is seen by some as a last resort for patients and their families.

The FDA first proposed to ban electric stimulation devices used to treat self-injurious or aggressive behaviors in April 2016, and a final rule banning such devices became effective in March 2020. Electrical stimulation devices are legally authorized for use in other medical settings, for example to prevent muscle atrophy and reduce muscle spasms in physical therapy patients. Thus, the key question that the Court addressed was whether the FDA has legal authority to ban an otherwise legal device from a particular use. The Court concluded that the FDA does not have such authority because a “use-specific” ban like the one at issue “interferes with a practitioner’s authority by restricting the available range of devices through regulatory action.” The Court further opined that “the FDA has no authority to choose what medical devices a practitioner should prescribe or administer or for which conditions.”

Section 360f of the Federal Food, Drug, and Cosmetic Act (Act) grants the FDA authority to ban medical devices intended for human use when such devices present “substantial deception or an unreasonable and substantial risk of illness or injury.” Section 396 of the Act prohibits the FDA from regulating the practice of medicine, specifically forbidding the agency from taking actions that “interfere with the authority of a health care practitioner to prescribe or administer any legally marketed device to a patient for any condition or disease within a legitimate health care practitioner-patient relationship.” Since electric shock stimulation devices are legally used in other settings, the FDA’s attempted use-specific ban does not mean such devices are no longer legally marketed. As the Court stated, “any device that the FDA attempts to ban for one but not all uses will, accordingly, still be legally marketed.” Thus, the FDA only has the more comprehensive power to completely ban a medical device, but not the intermediate power to tailor a ban to only certain uses. The opinion underlines the limits of the FDA’s authority to regulate medical devices.

Published on:

Congress recently proposed changes to the False Claims Act (“FCA”) that would make it easier for the government to prove certain noncompliance was “material” and therefore a violation of the FCA. These changes appear to be a response to the landmark Escobar decision regarding materiality under the FCA.

Originally introduced to address unscrupulous government contractors during the Civil War, the FCA has become a popular tool for prosecuting alleged healthcare fraud. In general, the FCA imposes civil liability for knowingly submitting false claims to the government. Importantly, the FCA carries severe consequences, including treble damages and a per-claim penalty that increases each year with inflation ($11,803 per claim for 2021). The FCA also allows individuals to initiate the prosecution under a qui tam action, in which the government may decide to intervene and wherein the individual is entitled to a share of the government’s recovery.

Under the “implied false certification” theory of FCA liability, liability attaches where a provider submits a claim for payment that makes specific representations about the goods or services provided, but knowingly fails to disclose the defendant’s noncompliance with a statutory, regulatory, or contractual requirement. In 2016, in the Escobar case, the United States Supreme Court held that any misrepresentation about compliance with a statutory, regulatory, or contractual requirement must be “material” to the government’s decision to pay the claim in order to give rise to liability under the FCA. Materiality under Escobar is a demanding standard and cannot be met merely because the government has designated a requirement to be a condition of payment.
