DGS Health Law Blog

CMS Strengthens Enrollment Standards for DMEPOS Suppliers

Lisa Rothrock — Fri, 27 Aug 2010 16:40:36 -0700

Earlier today, CMS issued a final rule increasing restrictions on durable medical equipment, prosthetics, orthotics and supplies (“DMEPOS”) to prevent fraud. Not only did CMS strengthen existing standards that suppliers must satisfy to provide DMEPOS to Medicare patients, but the final rule also adds several new standards. The rule becomes effective on September 27, 2010.

The new standards for DMEPOS suppliers to receive payment from the Medicare program include the following:

· Suppliers must obtain a state license for supplying oxygen if the state requires a license;

· Suppliers must remain open to the public for at least 30 hours per week, with certain exceptions;

· Suppliers must continue to maintain ordering and referring documentation from physicians or licensed practitioners; and

· Supplier must not share a practice location with other Medicare providers or suppliers, with certain exceptions.

In addition, the final rule expands the existing standards for DMEPOS suppliers to receive payment from the Medicare program, including ensuring that suppliers maintain a physical location on an appropriate site. The rule details several requirements as to what will be an appropriate site. CMS also included in the final rule language explaining that suppliers must be licensed to provide licensed services and cannot contract with another to provide those licensed services.

HHS Withdraws HIPAA Breach Notification Final Rule

Lisa Rothrock — Mon, 02 Aug 2010 13:04:53 -0700

The HHS final rule on breach notification was submitted to the OMB on May 14, 2010, which is typically the final step before the final rule is published. HHS, however, “withdrew” the final rule from the OMB to “allow for further consideration, given the Department’s experience to date in administering the regulations,” as it stated in a notice posted on the HHS website. HHS failed to explain the reason for withdrawing the final rule for further consideration except to note that the breach notification issue is “complex.”

The breach notification interim final rule issued pursuant to the HITECH Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009. According to HHS, during the 60-day public comment period on the interim final rule, HHS received approximately 120 comments.

Many in the industry have speculated that this withdrawal may be related to the controversial “harm” threshold set forth in the rule. Under the harm threshold, a provider only needs to notify patients about a data breach if the provider determines that the breach presents a significant risk of harm to the patients. Critics of the harm threshold contend that all breaches should be disclosed and providers should not have the discretion to make such a risk assessment.

A final rule is expected in the coming months. This withdrawal does not have an impact on the interim final rule.

HIPAA Violation Costs Rite Aid $1 Million

Erin McAlpin Eiselein — Tue, 27 Jul 2010 17:08:38 -0700

How much does it cost to violate HIPAA? For drug store chain Rite Aid Corporation, the answer is $1 Million. Today, HHS announced that Rite Aid will pay a $1 million fine, implement a corrective action program, and sign a consent order with the Federal Trade Commission to resolve this coordinated investigation that was triggered by television media outlets capturing images of prescription bottles containing protected health information improperly disposed in trash containers accessible to the public. Even after Rite Aid pays the fine, it will feel the effects of its non-compliance for a long time to come as the FTC consent order will remain in place for 20 years.

HHS issues final regulations on "meaningful use"

Wallis S. Stromberg — Tue, 13 Jul 2010 12:01:09 -0700

Final regulations on "meaningful use" of electronic health records were released today by HHS. The 863 pages specifies the initial criteria that hospitals and physicians hoping to obtain incentive support payments under the ARRA for their use of EHRs must meet. The regulations will be published in the Federal Register on July 28, 2010.

New OCR Rule Strengthens HIPAA Requirements

Lisa Rothrock — Fri, 09 Jul 2010 10:38:01 -0700

Yesterday the Office for Civil Rights (“OCR”) released a Proposed Rule modifying the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) requirements. OCR issued this Proposed Rule pursuant to the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. The Proposed Rule will not be published in the Federal Register until July 14, 2010, and there will be 60 days from that date to comment.

More specifically, this Proposed Rule modifies and strengthens the HIPAA Privacy Rule, Security Rule, and Enforcement Rule as well as the penalties and investigation provisions. The most notable changes include the following:

The requirements of the Privacy Rule and Security Rule will apply to business associates in the same manner they currently apply to covered entities.

Subcontractors of business associates will be considered business associates, and the business associate must obtain “satisfactory assurances” through a contract or other arrangement that the subcontractor will comply with the applicable privacy and security requirements.

There will be new limitations on the use and disclosure of protected health information (“PHI”) in marketing and fundraising, including a requirement that individuals be given opportunities to opt out of receiving marketing or fundraising materials without any impact on their future treatment.

Covered entities and business associates will be prohibited from selling an individual’s PHI without that individual’s authorization, and covered entities will not be allowed to coerce patients into authorization by conditioning treatment, payment, enrollment, or eligibility for benefits on authorization.

The Proposed Rule expands patients’ rights by allowing patients to request that a covered entity restrict uses or disclosures of their PHI, and by giving patients greater access to copies of their electronic health records.

Covered entities’ Notice of Privacy Practices given to patients must include additional information, such as the authorization requirements described above.

Penalties for violations of HIPAA privacy and security requirements will be increased to $1.5 million per calendar year for violations of the same requirement or prohibition.

The Proposed Rule defines the terms “reasonable cause,” “reasonable diligence,” and "willful neglect,” which provide the basis for the various categories of liability under the Enforcement Rule.

Covered entities will have certain identified responsibilities during complaint investigations and compliance reviews.

HHS Launches New Website - HealthCare.gov

Erin McAlpin Eiselein — Tue, 06 Jul 2010 21:04:52 -0700

There is a brand new resource for navigating health care reform - a website managed by HHS called HealthCare.gov. According to the website, it is "designed to help you take control over your health care and make the choices that are right for you." Currently, the content is focused on four primary areas: finding health insurance options, learning about preventative health care, comparing hospital quality, and learning more about the Affordable Care Act. Admittedly a work in progress, HHS welcomes user comments to improve the site and make it more useful for the public. This coming October, look for the website to include private health insurance pricing information.

Red Flags Rule Enforcement Postponed until Court Ruling

Lisa Rothrock — Fri, 02 Jul 2010 12:51:37 -0700

The Federal Trade Commission (“FTC”) and several medical associations have agreed to a joint stipulation that the FTC would not enforce its Red Flags Rule with respect to physician members of various associations until the DC Circuit rules on the American Bar Association’s pending action challenging the Red Flags Rule. Although the FTC has already announced that it will again delay the deadline for compliance with the Red Flags Rule until December 31, 2010, this stipulation may extend further the compliance deadline for physicians in the medical associations and state medical societies referred to in the case.

OIG Report on Improper ENT Billing

Lisa Rothrock — Fri, 25 Jun 2010 08:36:58 -0700

The Department of Health and Human Services (“HHS”) Office of the Inspector General (“OIG”) recently released a report presenting the results of an extensive medical record review conducted in 2006 regarding payments made to nursing facilities for Medicare Part B enteral nutrition therapy (“ENT”) claims for non-Part A patients. The study found that 21 percent of the claims were inappropriate or inadequately documented, resulting in an estimated $39 million in Part B payments that the government should not have paid. Although in the 2010 Work Plan OIG already declared its intent to focus on review of nursing homes’ Part B ENT billing, this report may result in increased scrutiny of providers’ claims and documentation.

DGS Health Law Blog Recognized as Top Reference for HIPAA / HITECH

Sara Kraeski — Wed, 23 Jun 2010 15:09:09 -0700

We are pleased to announce that the DGS Health Law Blog has been recognized by HealthInsuranceQuotes.org as one of 47 top-rated and top-referenced health blogs for understanding HIPAA issues. We are delighted that people are finding our blog useful and we encourage you to contact any of our attorneys if you have further questions about HIPAA or HITECH matters.

Grandfathered Health Plans: New Interim Regulations

Lisa Rothrock — Mon, 21 Jun 2010 14:54:48 -0700

Last week the United States Departments of Treasury, Labor and Health and Human Services issued Interim Final Rules providing guidance on “grandfathered health plans” under health care reform. The Patient Protection and Affordable Care Act (“PPACA”) set different standards for grandfathered health plans than for those plans not grandfathered. According to these regulations, health plans that existed on March 23, 2010 will be significantly restricted in the changes they can make to copayments, deductibles and benefits covered if the plans want to maintain grandfathered status and avoid the new requirements of PPACA.

Most plans will fail to qualify for grandfathered status over the next three years, according to the Departments’ analysis in the Interim Final Rules. The greatest impact will be on small employers with between 3 and 99 employees. The Departments estimate that between 49% and 80% of small employer plans will relinquish their grandfathered status by 2013. In addition, the Departments estimate that between 34% and 64% of large employer plans will relinquish their grandfathered status by 2013.

The Basics of Grandfathered Health Plans

Section 1251 of PPACA provides that the statute should not be construed to require an individual to terminate coverage under an individual or group health plan in which the person was enrolled at the time of PPACA’s enactment on March 23, 2010 (the “Enactment Date”). PPACA further provides that the statute’s reforms will not apply to these “grandfathered” plans unless specifically stated. For example, the prohibition on rescissions and the extension of dependent coverage until age 26 apply even to grandfathered health plans.

The Interim Final Rules explain that grandfathered plans include those group or individual health plans in which an individual or an individual and the individual’s family members were enrolled as of the Enactment Date. A grandfathered health plan does not cease to be grandfathered merely because one or more (or even all) individuals enrolled on the Enactment Date cease to be covered, so long as the group plan has continuously covered at least one person at all times since the Enactment Date. In addition, new employees and existing employees newly enrolled and their families may enroll in a grandfathered health plan after the Enactment Date and the coverage remains grandfathered.

Subject to special rules for collectively bargained plans, health plans sold to new entities or individuals after the Enactment Date will not be grandfathered, even if those plans were offered in the group or individual market before the Enactment Date. Accordingly, insurers that want to maintain grandfathered plans must keep existing plans separate from new plans, which will not be eligible for grandfathered health plan protection.

Changes Allowed without Forfeiting Grandfathered Status

There are only a few ways in which health plans can change without losing their grandfathered status, including the following:

Changes to premiums;
Increases to benefits;
Changes to comply with federal or state legal requirements; and
Changes to voluntarily comply with PPACA requirements.

In addition, a plan maintains its grandfathered status even if changes were made that were effective after the Enactment Date so long as the changes were agreed to by contract or a filing with the state insurance department on or before the Enactment Date. Moreover, changes adopted prior to the release date of the Interim Final Rules on June 17, 2010 will not result in a plan’s loss of grandfathered status, so long as such changes are revoked or modified effective as of the first day of the first plan year beginning on or after September 23, 2010. The preamble to the Interim Final Rules give health plans and insurance issuers some leniency here, stating that regulators may not enforce changes made in good faith compliance with these grandfather requirements prior to June 17, 2010 (the official release date of the Interim Final Rules) if the changes only modestly exceed those changes permitted under the regulations.

Disclosure and Documentation Requirements

Grandfathered health plans must disclose to their enrollees in plan materials that they are grandfathered. The regulations request comments as to the particular language that plans should use for this disclosure. In addition, insurers must maintain records documenting the terms of the grandfathered plan that were in effect on the Enactment Date and any other necessary supporting documentation to demonstrate the plan’s grandfathered status.

How Plans Will Lose Their Grandfathered Status

There are many ways a health care plan will lose its grandfathered status, including the following:

Eliminating all or substantially all benefits to diagnose or treat a particular condition;
Increasing any percentage of coinsurance;
Increasing a fixed-amount cost-sharing requirement, other than a copayment (e.g., a deductible or out-of-pocket limit), if the total percentage increase in the cost-sharing requirement is greater than the “maximum percentage increase” (defined in the statute as medical inflation plus 15 percentage points);
Increasing a fixed-amount copayment, if the total increase in the copayment exceeds the greater of either: (1) the “maximum percentage increase”; or (2) $5 increased by medical inflation since the Enactment Date;
Decreasing employer contribution, whether based on the cost of coverage or on a formula, by more than 5 percent below the contribution rate in place on the Enactment Date;
Imposing new or reduced annual limits; or
Engaging in a merger, acquisition or similar restructuring with the primary purpose of covering new individuals under a grandfathered plan, the goal being to prevent grandfather status from being bought and sold as a commodity.

Notably, if an employer that enters into a new policy or insurance contract, the new health plan is not grandfathered. However, if a self-insured plan changes its administrator, the plan keeps its grandfathered status. Collectively bargained plans keep their grandfathered status until the expiration of the last of the collective bargaining agreements for the grandfathered plan expires.

What Should You Do Next?

Employers should determine whether, given the restrictions imposed by these regulations, maintaining their current health plan offerings as a grandfathered plan or forfeiting grandfathered status. In addition, employers, health plans and plan issuers may want to consider submitting comments in response to this Interim Final Rule by August 16, 2010 (60 days from the release of the regulations).

Another Delay for the Red Flags Rule

Erin McAlpin Eiselein — Fri, 28 May 2010 11:45:53 -0700

In not-so-surprising news today, the FTC has delayed the enforcement date of the Red Flags Rule for the fifth time. The new forbearance deadline is December 31, 2010 - however, if Congress passes legislation on this issue with an effective date before December 31, 2010, the FTC will begin enforcing this rule on that earlier effective date. This delay follows on the heels of a lawsuit filed last Friday by the American Medical Association and other challenging the Rule's definition of "creditor" to the extent that it includes medical professionals.

PPACA - The Starting Point for Reform

Wallis S. Stromberg — Thu, 20 May 2010 09:04:39 -0700

I recently led a class on the new health care reform law, the Patient Protection and Affordable Care Act (PPACA), and have attched the powerpoint presentation from that class. I hope this provides a good start on understanding the scope of the this legislation. A good overall detailed summary of the statute, which incorporates the Reconciliation changes into the PPACA provisions, is here. The whole law, including the Reconciliation Act changes, is here.

PPACA is the start of a decades long process of remaking the health care system in the United States.The law calls for many new state or federal agencies, commissions, and other institutions, as well as scores of new federal rules and regulations, and will most likely require changes to other existing federal and state laws if it is to be fully implemented. Congress has already begun talking about amending some of the provisions in PPACA due to "unintended consequences."

Cost estimates for the reformation are continually changing as well, and it now appears the purported $1 Trillion cap on cost will be significantly surpassed.

For a timeline on when the various changes become effective, the Kaiser Family Foundation's is a good reference.

IRS Begins Issuing Regulations Under PPACA

Wallis S. Stromberg — Thu, 20 May 2010 07:38:38 -0700

The Internal Revenue Service has begun issuing regulations implementing the Patient Protection and Affordable Care Act (PPACA), the federal health reform law. You can expect to see new regulations under the law coming out monthly for the remainder of the year. At a recent speech to the American Health Lawyers Association, a spokesperson for CMS said that HHS is presently drafting 18 sets of new regulations that have to be in effect duri ng 2010, compared to its normal output of 2 - 3 sets.

The IRS's first rules relate to extending dependent coverage under a parent's health insurance to include children up to age 26.

PPACA requires that all group plans extend a parent's right to include a child on the parent's health plan coverage until the child reaches age 26, regardless of whether or not the child is actually a "dependent" or whether he or she is married. The only real resatriction is that the child cannot be eligible for coverage under an employer-sponsored plan ithrough the child's workplace. The law goes into effect for all plan years beginning after September 23, 2010, although many private insurance companies have begun offering such coverage already in order to pick up recent college graduates.

The second set of IRS guidelines relates to the tax credits available to a small business (under 25 FTE employees) for up to 35% of the employer's cost of providing health insurance coverage for its employees. The IRS explains how to determine if your business is eligible for the credits, by calculating the number of "FTE employees" and the average compensation, the threshold tests for eligibility. The credit is available to qualifying businesses for the years 2010 - 2013.

New OIG Advisory Opinion on pre-authorization services

Wallis S. Stromberg — Fri, 07 May 2010 10:30:56 -0700

The OIG just issued Advisory Opinion No. 10-04 which approved a program by a group of imaging centers to provide pre-authorization services for patients and referring physicians at no charge. This is a surprising turn from the path of prior Advisory Opinions on free services provided to physicians, where the OIG expressed major concerns about any service being funished by a provider that relieved a referring physician of a task the doctor would otherwise have done.

The rationale of the OIG in deciding to approve the arrangement had four components:

1. The service was available for all patients and referring physicians and was not tied to the volume or value of any physician's referrals, and since insurance plans do not have any uniformity in the requirements for who is to obtain the pre-authorization, it is only by chance if the physician is relieved of a duty.

2. No payments will be made to the physicians by the imaging centers, and there are no other rewards to physicians as incentives for referrals. The imaging centers only pass on to the payors the medical necessity information provided by the referring physician, and there is no assurance that the procedure will be authorized.

3. The process would be transparent, in that the persons seeking pre-authorization would identify themselves as representatives of the imaging centers, would make all their records concerning the requests to available to the physicians, and would have little ability to influence a referral because it would have already been made.

4. Economically, it is the imaging centers who are at risk if pre-authorization is not done properly, as it is their charges that will be denied. They therefore have a significant interest in making sure that the pre-authorization is received prior to their procedures being performed.

It is the 4th justification that seems to be the strongest here, since the risk is indeed all on the imaging center. It is just somewhat unusual to see the OIG directly recognize the economic reality of the situation in addressing a fraud and abuse concern.

While this Opinion, like all such Advisory Opinions, is limited to the specific case at hand, it provides guidance to other providers as to when it may be permissible to provide an "extra" to enhance your services. Whether it can translate into services beyond this type of administrative prerequisite for reimbursement is not clear.

Colorado Begins to Implement National Health Care Reform

Erin McAlpin Eiselein — Wed, 28 Apr 2010 09:41:43 -0700

Colorado Governor Bill Ritter has begun implementing health care reform in Colorado. By executive order, he has created a new task force called the Interagency Health Reform Implementing Board to oversee this process and has appointed his health care policy expert, Lorez Meinhold, to the newly created position of Director of Health Reform Implementation. On a roll, he also has signed four bills into law that his press release states are designed to "enhance the state's nationally recognized health reform initiatives."

Congratulations to DGS Health Law "Super Lawyers"

Sara Kraeski — Wed, 07 Apr 2010 14:10:34 -0700

I’m sure that John, Barbara, Wally, & Erin would be too humble to post this themselves, but as the firm’s director of business development I think it is notable that each of them has been selected as a Colorado “Super Lawyer” this year. I know that this recognition reflects the depth of their expertise and the wide regard of their peers, and we are fortunate to have such a strong team working for our health care clients. Congratulations, all - Sara

State Medical Board Disciplinary Actions Against Physicians Rise 6% in 2009

Heather L. Kenney — Fri, 02 Apr 2010 10:20:57 -0700

In its annual report, the Federation of State Medical Boards reported a 6% jump in disciplinary actions taken against physicians in 2009, compared to only a 1% increase in 2008. The 75-page report provides a summary of the 5,721 disciplinary actions instituted by 70 medical and osteopathic boards--an increase of 342 actions from the prior year.

The medical boards of Nebraska, New Hampshire and South Dakota more than doubled their disciplinary actions, while the Florida Board of Osteopathic Medicine and the South Carolina Board of Medical Examiners had the greatest reduction in disciplinary actions, reducing their number by 38 and 36, respectively.

"Mission Accomplished"?

Wallis S. Stromberg — Mon, 29 Mar 2010 07:37:47 -0700

Here is one timeline for the many actions needed to implement the new health care reform law.

No one would contend that the new law provides a "turnkey" solution to changes in the health care system. There will be scores of new government commissions and panels that will be set up, major new regulations promulgated, and systems developed for coordination with state regulatory bodies and legislative action. It is likely that every step along this path will be a contested battle, as it seems clear that this law is a incubator for unintended consequences, and there is a strong public opposition to the centralized regulation of health care in Washington. It would be premature to start hanging any "Mission Accomplished" banners on health care reform.

Every time I hear a politician in Washington praise this law for "cutting" the deficit by $130 Billion over ten years and saving money on Medicare, I wonder if that politician will be voting against the "physician fix" that takes back over $250 Billion in the hoped for savings under the new law and thereby results in a net increase in the deficit over that ten year period.

Update: Another timeline here.

OCR Still Working On HITECH Rulemaking, Delays Enforcement of Certain Provisions

Heather L. Kenney — Thu, 25 Mar 2010 15:12:44 -0700

On March 18, 2010, the Office of Civil Rights (OCR) published an update on its rulemaking and enforcement efforts under the HITECH Act. OCR made clear that the increased civil monetary penalties for HIPAA violations and enforcement of the breach notification rule have been effective since February 17, 2010 and February 22, 2010, respectively.

However, OCR stated that it continues to work on a Notice of Proposed Rulemaking (NPRM) regarding the following HITECH provisions: business associate liability; new limitations on the sale of protected health information, marketing and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information.

OCR noted that although the effective date for many of these provisions has passed (February 17, 2010), the NPRM and subsequent final rule will provide specific information regarding the expected date of compliance and enforcement for the new requirements.

Of particular interest in this rulemaking will be whether the OCR will require parties to affirmatively amend their business associate agreements to reflect the new privacy and security requirements with which business associates must directly comply, or whether the new provisions are already incorporated into the agreements by operation of law.

DGS will continue to monitor OCR’s HITECH rulemaking progress and will post updates as they are available.

Health Care and Education Affordability Reconciliation Act of 2010

Erin McAlpin Eiselein — Mon, 22 Mar 2010 06:14:23 -0700

Here's the text of the 153 page House Bill called the Heath Care Education and Affordability Reconciliation Act of 2010. We'll be reading it too and posting our thoughts on how it affects you and your business.