Our colleagues Alaap Shah and Stuart Gerson of Epstein Becker Green have written an Expert Analysis on Law360 that will be of interest to our readers: “Health Cos. Must Prepare for Growing Ransomware Threat.”

The following is an excerpt (see below to download the full version in PDF format):

Ransomware attacks have become big business, and they are on the rise. And entities in the health care and life sciences space have become primary targets of opportunity for attackers.

As the recent Colonial Pipeline Co. ransomware event illustrates, a small group of black hat hackers, living in protected status in nation states hostile to U.S. interests, can create massive disruption in our country’s infrastructure and well-being, and significant economic and other benefit for themselves and for the governments that support them.

Why is it that health care is such a prime target? The reason lies in the nature of the data that health care and life sciences companies and institutions create and store, and their relative vulnerability in the way they maintain and communicate it.

Health care entities are a treasure trove of cutting-edge research and information regarding pharmaceuticals, medical devices and other intellectual property that command great value. The protected health information that they store is of immense value, less with respect to identity theft, as is the popular notion, than it is as an enabler of fraudulent billing schemes that can quickly produce millions in revenue for hacking organizations.

And in the broadest sense, imagine, for example, the societal dislocation that a hostile digital intruder, or its sponsors, could cause if hospitals couldn’t provide services because their patient records were made inaccessible by ransomware encryption code. That kind of potentiality has been the reason why so many institutions and companies have caved in to ransomware demands.

Download Epstein Becker Green’s Ransomware Checklist for tips to proactively mitigate ransomware risk and for reactive measures to respond to a ransomware attack.

Download the full article in PDF format.

The roll out of the Office of the National Coordinator’s (ONC) 21st Century Cures Act Interoperability and Information Blocking Rules is reminiscent of the way HIPAA has rolled out over the course of the past 25 years. As of May 1, 2021, Actors have been required to comply with the Information Blocking rules. However, it will take some time before all Actors know who they are and for complaints of Information Blocking to be determined to be actual instances of Information Blocking, by which time the penalties that have not yet been finalized may also need to be adjusted.

While ONC defined Actors as health care providers, health IT developers of certified health IT and health information exchanges or networks in the Final Rule and published guidance on their website, there is still uncertainty as to whom the Information Blocking Rules apply. The confusion may emanate from the lack of familiarity some health care providers and health IT developers have as never having been regulated or overseen by the ONC. There also appears to be overlap between what the ONC Information Blocking Rules protect against and what and how the Office for Civil Rights protects under the HIPAA Privacy Rule. Furthermore, providers and payers are typically regulated and overseen by CMS, however, CMS has not addressed any of the potential “dis-incentives” that providers would be subject to for Information Blocking violations and payers have never been required to use certified electronic health records. 

It is understandable that the Information Blocking prohibitions would apply to a health IT developer that develops or offers health information technology that is certified under the ONC Certification Program. In the Rules, ONC clarified that the Information Blocking prohibitions apply to a health IT developer as long as the developer has one or more health IT Modules certified under the ONC Health IT Certification Program at the time it engages in a practice that is the subject of an information blocking claim. However, ONC carved out an exception for health care providers that have developed their own health IT for its own use.

When ONC defined health care provider based on the definition provided under the Public Health Services Act (42 U.S.C. 300jj) (“PHSA definition”) it included a significant number of providers that were never before regulated by the ONC. Many of the types of health care providers that were swept into the definition of Actor and subject to the Information Blocking provisions were not included in the incentive programs that made funding available for the purchase of certified electronic health records (e.g., ambulatory surgical centers, long-term care facilities and therapists), there aren’t quality payment incentive programs for them to participate in and some don’t use certified EHRs. Health care providers should be aware that in addition to the guidance ONC published clarifying that Information Blocking applies to any health care provider that meet the definition under the PHSA regardless of whether any of the health IT the provider uses is certified under the ONC Health IT Certification Program, the “catch-all” clause at the end of the PHSA definition allows any other category of health care facility, entity, practitioner, or clinician determined appropriate by the HHS Secretary to be swept into the definition of Actor.

In the Final Rule, ONC combined two categories of Actors, health information exchange and health information networks and adopted one functional definition for both. A health information network or exchange refers to an entity that connects and exercises control over the technologies and services that enable the exchange of information between and among more than two other unaffiliated entities for treatment, payment or health care operations. Considering all the health IT developers, cloud service providers and data aggregators that are offering services to support Interoperability and communication to support health e-commerce, including care and benefit coordination, patient engagement and advancing social determinants of health to achieve care equality, there are a myriad of entities that are connecting multiple provider and/or payer organizations to coordinate the care or benefits of patients. These entities could unwittingly be performing the functions described in the definition of health information exchange or network without even knowing that they are considered Actors under the Information Blocking Rules.

If you or your organization aren’t sure if you fit into one of the definitions of Actor, or if you have any other questions about Interoperability, Information Blocking, ONC Health IT Certification, please contact the Epstein Becker & Green, P.C. attorney who regularly handles your legal matters, or one of the authors of this blog post: Karen Mandelbaum or Patricia Wagner.

In this episode of the Diagnosing Health Care Podcast:  The Departments of Labor, Health and Human Services, and the Treasury jointly released a set of frequently asked questions (“FAQs”) related to recent changes made to the Mental Health Parity and Addiction Equity Act effective as of February 10, 2021, and enacted by the Consolidated Appropriations Act at the end of 2020. Accordingly, health plans and insurers must ensure that they understand, and are prepared to provide regulators with documentation of their compliance with, parity requirements on at least a small group of specific non-quantitative treatment limits.

Special guest Henry Harbin, MD, Health Care Consultant and former CEO of Magellan Health Services, and Epstein Becker Green attorneys Kevin MaloneDavid Shillcutt, and Tim Murphy discuss how stakeholders can gain key insights into the federal enforcement approach on parity from the new set of FAQs, including where the government might get the most return on investment for enforcement.

The Diagnosing Health Care podcast series examines the business opportunities and solutions that exist despite the high-stakes legal, policy, and regulatory issues that the health care industry faces. Subscribe on your favorite podcast platform.

Listen on Apple PodcastsGoogle Podcasts,
Overcast, Spotify, Stitcher, Vimeo, YouTube.

On May 17, 2021, the U.S. Department of Justice (“DOJ”) announced the establishment of a COVID-19 Fraud Enforcement Task Force (“Task Force”) to ramp up enforcement efforts against COVID-19-related fraud.[1]

Organized and led by Deputy Attorney General Lisa Monaco, the Task Force convened its first meeting on May 28 and aims to “marshal the resources of the [DOJ] in partnership with agencies across government to enhance enforcement efforts against COVID-19 related fraud.”[2]  The Task Force will involve coordination among several DOJ components, including the Criminal and Civil Divisions, the Executive Office for United States Attorneys, and the Federal Bureau of Investigation.  “Key interagency partners” have also been invited to join the Task Force, including the Department of Labor, the Department of the Treasury, the Department of Homeland Security, the Social Security Administration, the Department of Veterans Affairs, the Food and Drug Administration’s Office of Criminal Investigations, the U.S. Postal Inspection Service, the Small Business Administration, the Special Inspector General for Pandemic Relief, and Pandemic Response Accountability Committee, among others. Continue Reading U.S. Department of Justice Announces Interagency Task Force to Combat COVID-19 Relief Fraud

Teaching hospitals should find that their Medicare reimbursement for training physicians will be a little sweeter thanks to a decision by the United States District Court for the District of Columbia.  Milton S. Hershey Medical Center, et al. v. Becerra, No. 19-2680 (D.D.C. May 17, 2021).  The hospitals challenged a 1997 regulation that set out a formula for counting the number of full-time residents and fellows. Under the Medicare statute, the government reimburses hospitals for salaries and administrative costs directly related to graduate medical education (“GME”). The statute contains a formula for determining the weighted number of full-time equivalent residents (“FTEs”) employed by the hospital.  The formula weights FTEs based on the length of their employment, and imposes a cap on the number of FTEs that a hospital can count for Medicare reimbursement. 42 U.S.C. § 1395ww(h)(3-5).  The formula also counts residents differently from fellows, who have completed a residency in a specialty and are receiving further training in a subspecialty; for purposes of the FTE count, the weighting factor for residents is 1.0 and for fellows the weighting factor is 0.5. 42 U.S.C. § 1395ww(h)(4)(C).  Congress also capped the number of FTEs that can be counted for purposes of Medicare reimbursement at the FTE count for that hospital as of December 31, 1996.

CMS waded into this accounting in 1997, when it published a final regulation that addressed those situations where a hospital exceeds its FTE resident cap. The regulation mandated that when this occurred, the hospital’s FTE count would be reduced “in the same proportion that the number of FTE residents for that cost reporting period exceeds the number of FTE residents for the most recent cost reporting period ending on or before December 31, 1996.” 42 C.F.R. § 413.79(c)(2)(iii).

This left a sour taste in the mouths of teaching hospitals because the regulation could reduce the total FTE count below the number reached by following the statute alone if it exceeded its FTE cap. Several hospitals that trained residents and employed fellows challenged the validity of the regulation, arguing that it conflicted with the statutory formula and unlawfully reduced their Medicare GME reimbursement. The District Court agreed.

The court’s decision rejected the Secretary’s arguments and the challenged regulation melted away.  The court found that the hospitals had not waived their opposition to the regulation simply because they had not submitted comments opposing it during the notice-and-comment period in 1997. Next, the court concluded that the FTE formula in the Medicare statute was not a simple confection; it did not give the Secretary the authority to change the weights assigned to residents and fellows in determining the number of FTEs for a given hospital. Rather than defer to the Secretary, the court relied on Step One of the well-established test set out in Chevron v. Natural Resources Defense Council, 467 U.S. 837, 843 (1984), which limits the analysis to the plain language of the statute when Congress has addressed the issue directly through legislation and its intent is clear. In this case, although Congress had delegated rulemaking authority to the Secretary, it did state that those rules “shall” count a resident with a weight of 1.0 and a fellow as 0.5 for all periods after July 1, 1987. Although the Secretary referred to other language in the statute that addresses various aspects of GME reimbursement in general terms and delegated authority to the Secretary to publish regulations, there were no gaps in the statute for counting FTEs that needed to be filled through rulemaking.

If the decision stands, then those hospitals that were affected by the regulation and still have pending appeals should see their Medicare reimbursement increased.  This decision is also  noteworthy because the court relied on the Chevron framework.  That decision has been under attack, but Hershey is an example that shows how Chevron remains good law and reaffirms the approach of many courts that judicial deference to agency rulemaking should not be presumed, even with a statutory scheme as intricate as the Social Security Act.

In this episode of the Diagnosing Health Care Podcast:  Federal and state cannabis regulation and enforcement appear to be moving in different directions. While the Food and Drug Administration (“FDA”) has broadened its net to target businesses making claims that their products can treat specific conditions, a growing number of states have passed bills that, among other things, legalize adult-use cannabis.

Epstein Becker Green attorneys Delia DeschaineNathaniel Glasser, and Megan Robertson discuss how developments in 2021 impact the cannabis industry and why all players, including employers, health care providers and retailers, and businesses operating in the cannabis space, need to pay close attention to the different nuances between federal and state laws.

For more, listen to our previous episode on the FDA’s cannabis regulatory rulemaking:

The Diagnosing Health Care podcast series examines the business opportunities and solutions that exist despite the high-stakes legal, policy, and regulatory issues that the health care industry faces. Subscribe on your favorite podcast platform.

Listen on Apple PodcastsGoogle Podcasts,
Overcast, Spotify, Stitcher, Vimeo, YouTube.

In a move that reminds us that successful defendants can—and should—seek attorneys’ fees in the right case, a magistrate judge in the U.S. Court of Appeals for the Ninth Circuit awarded pharmaceutical company Aventis Pharma SA (“Aventis”) attorneys’ fees in a False Claims Act (“FCA”) case brought by a competitor, Amphastar Pharmaceuticals Inc. (“Amphastar”). The FCA contains a fee-shifting component, permitting prevailing parties to recover attorneys’ fees from the opposing party—but the playing field is not equal. This fee-shifting provision entitles a prevailing plaintiff to an award of reasonable attorneys’ fees and costs, regardless of whether the government elects to intervene in the case. 31 U.S.C. § 3730(d)(1)-(2). A defendant, on the other hand, can only be awarded attorneys’ fees in cases in which the government has declined to intervene and where the defendant can show that the opposing party’s action was “clearly frivolous, clearly vexatious, or brought primarily for purposes of harassment.” 31 U.S.C. § 3730(d)(4). Continue Reading Defendant Aventis Pharma Awarded Over $17.2 Million in Attorneys’ Fees in False Claims Act Case

The U.S. Department of Health and Human Services’ Office of Inspector General (“OIG”) recently issued Advisory Opinion No. 21-02, regarding a joint investment by a health system, a manager, and certain surgeons in an ambulatory surgery center (“ASC”) (the “Proposed Arrangement”). According to a national survey, most hospitals and health systems are planning to increase their investments in ASCs and anticipate converting hospital outpatient departments to ASCs. Many hospitals with ASCs operate the ASCs as physician joint ventures. As payors and patients continue to show interest in having outpatient procedures performed in ASCs, there is an expected trend to see an increase in investments and joint ventures in ASCs therefore making the Advisory Opinion particularly noteworthy.

In their request to OIG, the health system and the manager (“Requestors”) specifically inquired whether the Proposed Arrangement would constitute grounds for sanctions under the Federal Anti-Kickback statute (“AKS”). Based upon the facts provided in the request for the Advisory Opinion and a supplemental submission, the OIG reached the favorable conclusion that due to the low risk of fraud and abuse, the OIG would not impose sanctions on the health system or the manager in connection with the Proposed Arrangement.

The Proposed Arrangement

Under the Proposed Arrangement, the health system, five orthopedic surgeons, three neurosurgeons employed by the health system, and a manager, would invest in a new ASC. The health system would own 46 percent of the ASC, the surgeons would collectively own 46 percent of the ASC, and the manager would own 8 percent of the ASC. The manager certified that no physician has had, or would have, ownership in the manager that provides management and other services to the ASC. Furthermore, the ASC would operate in a medical facility owned by a real estate company jointly owned by the health system, the surgeons, and the manager. The ASC would enter into space and equipment leases as well as service arrangements with the health system and the real estate company.

OIG’s Analysis

Based on the following criteria, the OIG determined that the following safeguards in the Proposed Arrangement would mitigate the risk and that, as such, the OIG would not impose administrative sanctions in connection with the Proposed Arrangement:

Health System and Physician Investor Interest

(1) Although one or more of the neurosurgeons would fail to meet the Hospital-Physician ASC Safe Harbor Provision requirement that a physician investor derive at least one-third of his or her medical practice income for the previous fiscal year or previous 12-month period from the performance of ASC-qualified procedures, the health system certified that the neurosurgeons would use the ASC on a regular basis as part of their medical practices. Additionally, the health system certified that the surgeons would rarely refer patients to each other.

(2) The Proposed Arrangement would contain certain safeguards to reduce the risk that the health system would make or influence referrals to the ASC or the surgeons. For example, the health system certified that any compensation paid by the health system to affiliated physicians for services furnished would be consistent with fair market value and would not be related, directly or indirectly, to the volume or value of any referrals. In addition, the health system certified that it would refrain from any actions designed to require or encourage affiliated physicians to refer patients to the ASC or the surgeons and would not track referrals made to the ASC.

Continue Reading OIG Issues Favorable Advisory Opinion on Ambulatory Surgery Center Joint Venture

In this episode of the Diagnosing Health Care PodcastThe vaccine passport has been a major topic of discussion as businesses and governments consider how to balance privacy and safety through the rollout of the COVID-19 vaccine. Epstein Becker Green attorneys Patricia WagnerAlaap Shah, and Jessika Tuazon discuss the privacy and security concerns companies must weigh as they consider developing or implementing vaccine passports, such as the collection and use of an individual’s personal health information. As state governments and the private sector take the lead on developing vaccine passport initiatives, it is imperative that businesses implement better privacy and security practices to mitigate or manage risk.

The Diagnosing Health Care podcast series examines the business opportunities and solutions that exist despite the high-stakes legal, policy, and regulatory issues that the health care industry faces. Subscribe on your favorite podcast platform.

Listen on Apple PodcastsGoogle Podcasts,
Overcast, Spotify, Stitcher, Vimeo, YouTube.

In December 2015, we wrote about the many failed health insurance co-ops created under the Affordable Care Act (“ACA”), and the impact of those failures on providers and other creditors, consumers, and taxpayers. At that time, co-ops across the country had more than one million enrollees. As of January 2021, there were roughly 120,000 enrollees in three remaining co-op plans. Nonprofit co-op insurers were intended to increase competition and provide less expensive coverage to consumers. However, low prices, lack of adequate government funding, restrictions on the use of federal loans for marketing, and low risk corridor payments from the Centers for Medicare & Medicaid Services created financial challenges for these insurance plans.

Health Republic Insurance Company of New York (“Health Republic”) was the largest co-op established under the ACA. New York State regulators ordered Health Republic shut down in September 2015 because of its poor financial condition. In the five-plus years of Health Republic’s liquidation proceedings, its outside legal advisors and other professionals have been paid approximately $8 million, while no money has been distributed to providers or policy holders. Unlike certain other states that maintain health insurance guarantee funds to protect consumers and providers in the event of a health insurer’s insolvency, New York State had no such guaranty fund to protect Health Republic’s creditors.

The ACA’s risk corridor program was designed to limit co-op plans’ profits and losses during the first three years of operations by collecting money from plans in which the costs were lower than the premiums received and conversely paying those plans in which costs exceeded the premiums received. In practice, plans’ losses exceeded their profits and the federal government paid only a small percentage of the risk corridor payments owing to the plans. Many lawsuits were filed by plans seeking to recover more than $12 billion from the government. Following protracted litigation, the United States Supreme Court ruled on April 27, 2020 that the government was obligated to make full risk corridor payments.

According to a press release dated May 3, 2021, New York’s Superintendent of Financial Services announced a settlement with the federal government by which Health Republic will recover more than $220 million from the United States. This recovery will allow Health Republic’s Liquidator “to pay all policyholder level claims in full, including many New York hospital systems and other health care providers” as well as pay New York State and local government claims and a portion of general creditors’ claims. Fortunately, the favorable outcome of the litigation over risk corridor payments will provide the means for creditor recoveries in this prolonged liquidation proceeding.