The Convergence of Health Care and Banking

Posted by John Barnes on February 15, 2013

Bank Steth.pngContributed by Marcia L. Augsburger as part of the ongoing Compliance Matters series

      On January 25, 2013, the Office of Civil Rights (OCR) within the Department of Health and Human Services published guidance on whether banks and other financial institutions must comply with the Health Insurance Portability and Accountability Act (“HIPAA”) when they receive, transmit, use or disclose Protected Health Information (“PHI”) - patient-specific health information created by health care providers, health plans, health care clearinghouses, and other specified entities. 

      The OCR clarified that financial institutions are not required to comply with HIPAA when they conduct certain payment processing activities.  These activities include cashing a check, conducting a funds transfer, and authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for health care or health plan premiums.

      However, OCR instructed that a financial institution may be a “business associate,” which must comply with HIPAA, where the institution performs functions “above and beyond” payment processing activities “on behalf of a covered entity,” such as accounts receivable functions on behalf of a physician, hospital, or other health care provider.  OCR did not describe what is “above and beyond payment processing” or define “accounts receivable functions.”  For health care providers, “accounts receivable functions” include payment processing activities and billing, but they may also include mailing letters to patients who are behind on payment, reviewing the terms of coverage agreements and provider contracts with health plans and other payers and applying them in dealing with patients, setting up payment schedules, and tracing changes to patient addresses.  Presumably, financial institutions performing these kinds of activities on behalf of providers are business associates.

      Thus, unlike other entities, whether financial institutions must comply with HIPAA does not turn on their receipt, disclosure, or use of PHI.  If this were the test, all banks would be business associates according to experts who have estimated that 40% of the information contained in most bank lockbox accounts meets the definition of PHI.  However, OCR instructs that the focus is on the nature of the information but on what financial institutions are doing with the information.

      If you are a bank or other financial institution that is performing an activity beyond processing payment, such as an accounts receivables function, you need:

  • Internal audits of current practices and a risk assessment;
  • Written HIPAA policies and procedures based on the results of the audits and risk assessment;
  • Workforce training on HIPAA designed around the activities and the results of the audits and risk assessment;
  • Contract review, development, and negotiation;
  • Assurance that existing methodologies render PHI “secure” within the meaning of HIPAA and take advantage of “safe harbors”;
  • Information about compliance deadlines and fast-paced modifications to HIPAA law;
  • Experienced legal analysts equipped to perform compliance audits and risk analyses, make compliance recommendations, deal with covered entities and other business associates, and offer informed and educated mitigation advice;
  • Support in responding to any potential breaches of PHI;
  • Representation when a breach occurs; and
  • General guidance from qualified health care attorneys on HIPAA, HITECH, and other federal and state privacy regulations.

DLA Piper’s Health Care Practice Group offers unique expertise in issues relating to financial and claims’ services, from regulations to coding.  Our attorneys also work with consultants and experts who focus on assisting financial institutions with expanding their health care service revenues.  We can assist with education and training, operations, and transactions in the health care industry.  For further information, please contact Marcia L. Augsburger at marcia.augsburger@dlapiper.com.

The Final HIPAA Rule: Conduits, Agents, and Subs -- Oh my!

Posted by John Barnes on January 22, 2013

'chain' photo (c) 2010, pratanti - license: http://creativecommons.org/licenses/by/2.0/

Contributed by Marcia Augsburger as part of the ongoing Compliance Matters series

On January 17, 2013, the Office for Civil Rights (“OCR”), Department of Health and Human Services, issued the long-awaited final rule:  “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules.”  The final rule is effective March 26, 2013.  Covered Entities (“CEs”) and Business Associates (“BAs”) must comply with the applicable requirements by September 23, 2013. 

            The final rule seeks to address OCR’s findings in carrying out Executive Order 13563, which required OCR to conduct a retrospective review of existing regulations to identify ways to reduce costs and increase flexibilities under HIPAA.  The rule may or may not reduce costs, but the guidance provides more certainty for some businesses, and more flexibility for others, in interpreting privacy regulations that seemingly inhibited growth and development in the health care industry. 

            The rule clarifies that persons who undertake patient safety activities are BAs,[1] as are organizations such as Health Information Organization,[2] E-prescribing Gateways, or Regional Health Information Organizations that provide data transmission of PHI to a CE or its BA and that require access on a routine basis to such PHI.  As much as the rule offers certainty on these entities, however, it also offers room for argument, as OCR declined to define them with specificity.

            Indeed, OCR declined to statically define any type of BA, emphasizing repeatedly the necessity of performing a factual analysis in uncertain situations, guided by principals designed to meet the overarching goals of HIPAA, HITECH and GINA.  OCR first settled a topic of some debate at health lawyers’ conferences by acknowledging that mere conduits are not BAs.

Read more about the Final HIPAA Rule after the jump

[1] This is to conform to the statutory provisions of the Patient Safety and Quality Improvement Act of 2005 (PSQIA), 42 U.S.C. 299b-21, et. seq.  PSQIA provides for the establishment of Patient Safety Organizations (“PSOS”) to receive reports of patient safety events or concerns from providers and provide analyses of events to providers.  Such reports may include PHI.  42 CFR 3.10 et seq.

[2] OCR declined requests for a more specific definition of “Health Information Organizations,” saying only that the term currently refers to organizations that govern health information exchange among organizations within a defined geographic area, but that as the industry evolves, the types of entities that fall within this definition may change.

Continue Reading

Surge in DoJ Health Care Prosecutions: All Sectors of Health Care Industry Feel the HEAT in 2011

Posted by Rebecca Jones McKnight on September 08, 2011

ThermometerCoursetydigitalart.jpg

Contributed by Frank E. Sheeder, Carolyn F. McNiven, and Rebecca Jones McKnight as part of our ongoing Fraud & Abuse Matter series.

According to a recent clearinghouse report, federal criminal prosecutions of health care fraud are up—way up—this year.  According to an analysis that Transactional Records Access Clearinghouse (TRAC) conducted on statistics released by the U.S. Department of Justice (DoJ), in 2011 federal prosecutors initiated prosecution of 904 new health care fraud cases as of August.  This means that before the end of the summer of 2011, DoJ had initiated more health fraud cases than it did in all of 2010.  

That is quite a stunning statistic.  Moreover, if DoJ continues at this rate, it is on pace to reach 1,350 health care fraud cases by the end of 2011: approximately 85% more than in 2010.   (For more information regarding these statistics, see the TRAC analysis.)

Temperatures may be starting to dip as we head into fall, but DoJ shows no signs of turning down the heat on the health care industry. 

On September 7th, DoJ announced a massive nationwide health care takedown in which DoJ charged 91 defendants—including physicians, nurses, and other health care professionals—for alleged participation in Medicare fraud schemes involving approximately $295 million in false billing.  (Read more here.)  The charges stem from a greatly expanded Medicare Fraud Strike Force, which now operates in most major metropolitan areas.

Who are the targets of DoJ’s stepped up efforts in the health care sector?  The bottom line is that the targets are as diverse as the sector itself.  In addition to massive False Claims Act settlements with pharmaceutical and medical device manufacturers, DoJ has also focused on hospital emergency rooms and revenue recognition, home health care, occupational and physical therapy, mental health services, durable medical equipment (DME), and HIV infusion therapy cases.  This sample of August 2011 DoJ case activities provides a window into the wide angle of DoJ’s lens:

  • On August 25th, the owner of three Detroit-area clinics was sentenced to 48 months in prison for his role in schemes attempting to defraud the Medicare program of more than $15 million.
  • On August 24th, two sisters who owned a Detroit-area medical clinic and who are former “Most Wanted” health care fugitives pleaded guilty for their roles in a $9.1 million Medicare fraud scheme.  At sentencing, they face a maximum of 10 years in prison for each count of conspiracy to commit health care fraud, and 20 years in prison for each count of conspiracy to commit money laundering.
  • On August 23rd, the president of a Florida DME company was sentenced to 12 1/2 years in federal prison for conspiracy to commit health care fraud, health care fraud, and submitting false claims.  He was ordered to pay $7 million in restitution, a $3 million fine, and a $1,000 special assessment. The court also entered a money judgment in the amount of $5,800,000, representing the proceeds of the health care fraud.
  • On August 23rd, a the owner of a Miami-area mental health care company was convicted of 24 felony counts, including conspiracy to commit health care fraud, health care fraud, conspiracy to pay and receive illegal health care kickbacks, conspiracy to commit money laundering, money laundering, and structuring to avoid reporting requirements.   Her assets were frozen at the time of her arrest and will remain frozen through civil forfeiture proceedings.  At sentencing, she faces a maximum of:

    • 10 years in prison for each count of conspiracy to commit health care fraud and each count of health care fraud,
    • five years in prison for each count of conspiracy to pay and receive health care kickbacks,
    • 20 years in prison for each count of conspiracy to commit money laundering,
    • 10 to 20 years in prison for each count of money laundering, and
    • 10 years in prison for each count of structuring to avoid reporting requirements.    
  • On August 10th, a Maryland medical center agreed to pay $1.8 million to settle False Claims Act allegations that it was aware of, but failed to take action to prevent, medically unnecessary cardiac stent procedures by a cardiologist who formerly had privileges at the medical center.

The joint DoJ and HHS Health Care Fraud Prevention and Enforcement Action Team (HEAT), which makes the fight against health care fraud “a Cabinet-level priority” has also been active.  On September 1st, a California medical billing company agreed to pay $4.6 million to resolve False Claims Act allegations tied to coding and billing practices.  HEAT reports this resolution as being “part of the government’s emphasis on combating health care fraud and another step for the Health Care Fraud Prevention and Enforcement Action Team (HEAT) initiative.”

These trends are likely to make anyone in the health care industry break into a sweat.  The government has made health care fraud enforcement a top priority.  Prudent organizations anticipate government contacts and have comprehensive and well-communicated policies and procedures for dealing with them.  You may contact  Frank E. Sheeder or Carolyn F. McNiven, partners in DLA Piper's Health Care Compliance and Enforcement practice, for additional information on how to mitigate legal and regulatory risks in the current enforcement environment and to discuss the best approaches to dealing with government inquiries.

9th Circuit to Pharmacies: Studies of Drug Prices Not Protected From Disclosure

Posted by John Barnes on July 25, 2011

'Pharmacy sign in Soho' photo (c) 2010, Ged Carroll - license: http://creativecommons.org/licenses/by/2.0/

Contributed by Marcia Augsburger and Steve Goff as part of the ongoing Compliance Matters series.

On July 19, 2011, the Ninth Circuit (federal) Court of Appeals issued a decision of significance to pharmacies that want to keep information about their charges out of the hands of bulk buyers like insurers:   Beeman v. Anthem Prescription Management,  2011 WL 2803561 (C.A.9 (Cal.)).  At issue was California Civil Code section 2527(c), which requires “prescription drug claims processors” to conduct or obtain studies every 24 months identifying the fees California pharmacies charge to private customers for pharmaceutical dispensing services.  Under the statute, claims processors must send the results of these studies to “each client for whom [they] perform [ ] claims processing services,” or, in other words, to third party payors such as insurers. Id. § 2527(d).  Violations of the statute carry civil penalties ranging from $1,000 to $10,000.  Cal. Civ.Code § 2528. 

The original bill for Civil Code section 2527(c), introduced by the California Pharmacists Association in 1981, required pharmacies to be reimbursed according to their “customary charges” rather than according to rates “unilaterally set by PBMs.”  Beeman v. TDI Managed Care Services, Inc., 449 F.3d 1035, 1038 (9th Cir.2006). The bill was then amended in committee to substitute the reimbursement requirements with the current PBM reporting requirements.   The purpose of the change was stated as follows:  "The purpose of the amended bill is to require claims processors to present objective data on the range and percentiles of usual and customary charges of pharmacists in the hope that at a time in the future this information will become the basis for reimbursement [and] help identify areas for cost-containment in the future.” 

Despite several California state court cases holding that Civil Code section 2527(c) is unconstitutional, the federal court held that section 2527 does not offend the Federal or State constitutions by compelling speech that affects the content of the speaker's message. Accordingly, the court held that no level of constitutional scrutiny applied to the statute and therefore, prescription drug claims processors cannot avoid the statute on constitutional grounds.  

The Beeman decision is set against a backdrop of increasingly mandatory transparency in the healthcare industry - for example, California hospitals must report  a comprehensive list of  their standard  prices to the Office of Statewide Health Planning and Development annually.  Further efforts are currently underway in the California legislature to require hospitals and health plans to publicize information about their business dealings. 

After Beeman, pharmacies should examine their pricing structures, consider the information distributed, and design their policies and strategic plans accordingly.  Please contact Marcia Augsburger for advice on pricing and revenue issues in the healthcare industry.

The So-Called "Corporate Practice of Medicine": Is It Really Illegal?

Posted by Rebecca Jones McKnight on June 27, 2011

DrMeasuringBloodPressurebyAmbro.jpgContributed by Kimberly K. Egan, Rebecca Jones McKnight, and So-Eun Lee as part of our ongoing Compliance Matters series.

 

It’s 2011. 

You are an employer.  Health care premiums are driving the cost of skilled labor through the roof.  And “health care reform” has yet to bring costs down in a meaningful way—some would say it has done the opposite.  So why not hire a health care professional as part of your HR staff?  Pay him or her a salary, and allow your employees and their families to visit for free. Just like on-site notary publics or benefits professionals, right?  Think of the potential cost savings!

Or maybe you are an investor or entrepreneur looking for business opportunities in the changing regulatory environment.  Why not partner with a health care professional to come up with a cost-effective way to deliver health care?

Makes perfect sense, right?  Unfortunately, in many states it is illegal.  In the early 1900s, states were concerned that the so-called “corporate practice of medicine” was a conflict of interest between the corporation’s interests and the health care professional’s ethical obligations to patients. 

In other words, states thought the profit motive of a corporation would get in the way of a physician’s independent judgment and the sanctity of doctor-patient relationships.  The “commercialization of (medicine), exploitation of the public, and quackery” were seen as inevitable if corporations could practice medicine.[1]

What does this mean for entrepreneurs and established businesses seeking new opportunities?

 

Continue Reading

New Procedures May Mean Faster Progression to Injunctions and Seizures

Posted by Rebecca Jones McKnight on April 07, 2011

Contributed by Rebecca Jones McKnight as part of our ongoing Compliance Matters series.

enforcement.jpgOn April 5, 2011, Dana Corrigan (Associate Commissioner of FDA’s Office of Regulatory Affairs (ORA)), announced an upcoming change in the way FDA will decide whether to seek injunctions and seizures to gain control of violative products.

In the past, FDA officials in the field would send an enforcement recommendation to ORA at FDA headquarters.  Then ORA would draft lengthy memos explaining why an injunction or seizure was warranted.  Then ORA would send the issue to the relevant FDA Center (e.g., CDRH, CDER, CBER) based on the type of product.  After its review, the Center would send the issue to FDA’s Office of the Chief Counsel for legal review, and even more memos. 

Corrigan said that this process often led to situations in which decisions were not made as quickly or efficiently as ideal from the agency’s perspective.

Under new procedures, Corrigan said FDA will collapse this process, using a more collaborative approach from the beginning—bringing in all the relevant FDA players—to determine whether an injunction or seizure is warranted.

The Key Things to Know About ACOs

Posted by Kim Egan on April 01, 2011

Contributed by Mary B. Langowski, Tiffani V. Williams, and Deana Cairo

 

stethoscope and apple.bmp

The Department of Health and Human Services has issued a series of long-awaited proposed regulations and guidance related to improved coordination of patient care through the development and use of Accountable Care Organizations (ACOs).

 

As mandated under Section 3022 of the Affordable Care Act (ACA), the new ACO model will reward providers for their ability to deliver coordinated care across multiple care settings in a manner that is expected to generate cost savings for the Medicare program, while improving the quality of care for beneficiaries.  The Medicare Shared Savings Program will begin operating on January 1, 2012.

 

The ACO guidance released yesterday has three components.  First, the proposed rule issued by the Centers for Medicare and Medicaid (CMS), Medicare Program; Medicare Shared Savings Program:  Accountable Care Organizations (the CMS Proposed Rule), sets forth the proposed organization and payment rules for ACOs under the Medicare Shared Savings Program.  Second, the CMS and HHS Office of the Inspector General (OIG) proposed regulation, Medicare Program; Waiver Designs in Connection with the Medicare Shared Savings Program and the Innovation Center (the OIG Proposed Rule), addresses the waiver of the application of fraud and abuse laws, which CMS and the OIG are authorized to waive under the ACA, with respect to financial arrangements involving ACOs and the ability of the Center for Medicare and Medicaid Innovation (CMMI) to test innovative payment and delivery reform models.  Finally, the Federal Trade Commission (FTC) and the Department of Justice (DOJ) enforcement policy proposal, Proposed Statement of Antitrust Enforcement Policy Regarding Accountable Care Organizations Participating in the Medicare Shared Savings Program (the Proposed Antitrust Policy), outlines the application of antitrust laws to health care providers seeking to become ACOs.

Read our brief overview of all three ACO-related proposals at: http://www.dlapiper.com/key-things-to-know-about-acos/

Safety Matters: How FDA Communicates Drug Safety Information; New Guidance

Posted by Kim Egan on March 28, 2007

Safety Matters.jpgKimberly K. Egan and Brooke Killian

FDA has now issued non-binding guidance, Drug Safety Information – FDA’s Communication to the Public, explaining how the agency communicates important drug safety information to the public. This new guidance, issued March 2, 2007, is the result of FDA’s recent reexamination of its risk communication program.

The guidance defines “important drug safety information” as information that could alter the risk-benefit analysis for a drug in a manner that may affect prescribing and use decisions. 

It defines “emerging drug safety information” as important drug safety information that has yet to be confirmed. 

The guidance notes that interpreting drug safety information is complex and that important public health considerations are served by publicizing emerging drug safety information as quickly as possible. It also notes the negative consequences that can result from premature dissemination of unsubstantiated drug information, including inappropriately discontinuing necessary medications.

Continue Reading