On January 28, 2020, the Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) addressed a federal court’s January 23rd invalidation of certain provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) rule relating to the third-party requests for patient records. In Ciox Health, LLC v. Azar,[1] the court invalidated the 2013 Omnibus Rule’s mandate that all protected health information (“PHI”) maintained in any format (not just that in the electronic health record) by a covered entity be delivered to third parties at the request of an individual, as well as the 2016 limitation on fees that can be charged to third parties for copies of protected health information (“PHI”).

As enacted, HIPAA’s Privacy Rule limits what covered entities (or business associates acting on behalf of covered entities)[2] may charge an “individual” requesting a copy of their medical record to a “reasonable, cost-based fee”[3] (the “Patient Rate”). The Privacy Rule did not, however, place limitations on the fees that can be charged to other requestors of this information, such as other covered entities that need copies of the records for treatment purposes or for disclosures to attorneys or other third parties.  In order for some of these third parties to obtain the records, the patient would have to provide the covered entity with a valid HIPAA authorization.   Continue Reading HHS Addresses Federal Court Invalidation of Certain Provisions of the HIPAA Rule Relating to the Third-Party Requests for Patient Records

January 28th marks Data Privacy Day which commemorates the signing of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.  This international treaty is the first of its kind to address privacy and data protection.

Strong privacy and cybersecurity safeguards are paramount to the success of companies and the consumers they serve.  These issues are so critical they took center stage at the annual Consumer Technology Association’s Consumer Electronics Show (CES) held earlier this month where tech companies of all sizes promoted their “privacy first” products and services.

Today we, Epstein Becker Green (EBG), are reminded about our commitment to support clients strengthen their privacy and cybersecurity programs.  EBG continues to help countless clients to navigate complex federal, state and international laws governing personally identifiable information (PII) and protected health information (PHI).

In that spirit of Data Privacy Day, we are sharing three key areas to watch in 2020:

  1. States are Aggressively Legislating around Privacy and Cybersecurity

Legislation at the state level is just beginning.  Leading the charge on January 1, 2020, the California Consumer Privacy Act (CCPA) went into effect.  Other landmark legislation including the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD) Act and Nevada’s privacy bill (SB-220) are also in effect.  Many other states are actively considering legislation as well.  Specifically, we recommend watching Washington State’s efforts to pass the Washington Privacy Act (SB-6281).  We anticipate other states will model their legislation based on experiences with these early state laws.

  1. Federal Legislation is Needed to Fill Large Gaps in Privacy Regulation

Rapidly changing consumer sentiment about privacy coupled with aggressive state legislation is putting pressure on the U.S. Congress to pass an overarching privacy law to unify an otherwise fragmented privacy rules.  Nearly a dozen federal bills have already been proposed going into the 2020 Congressional year, with more expected to follow.  We recommend considering these possibility disruptive federal legislation efforts when updating privacy and cybersecurity programs moving forward.

  1. Privacy Laws are Increasingly Putting Consumers in Control of their Data

Trends in state and federal laws are increasingly empowering individuals with rights to transparency and control over how their data is collected, used and shared.  In particular, the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) appear poised to finalize proposed rules regarding the secure access, exchange, and use of electronic health information.  To be positioned for these changes, we recommend that entities take stock of what data they collect, where it is stored, and how to build mechanisms to respond to data exchange requests in a timely manner.

As we continue into 2020, remember that compliance in these areas is a marathon, not a sprint.  An ounce of prevention equals a pound of cure.

Through a January 9, 2020, press release, the Department of Justice (“DOJ”) reported more than $3 billion in total recoveries from settlements and judgments from fraud-related civil matters brought under the False Claims Act (“FCA”) for fiscal year (“FY”) 2019. An increase over the $2.9 billion recovered in FY 2018, FY 2019 reflected the ninth highest amount of recoveries in the past 30 years. The accompanying statistics released by DOJ reflect several themes related to FCA enforcement concerning the health care and life sciences industry.

The Health Care and Life Sciences Industry Accounted for Approximately 87 Percent of FY 2019 Recoveries

Consistent with previous years, fraud actions involving the health care and life sciences industries continue to drive DOJ’s FCA recoveries. Health care-related fraud recoveries alone have now exceeded $2 billion for 10 consecutive years. In FY 2019, health care-related matters generated approximately $2.6 billion in recoveries, or 85 percent of recoveries from all sectors combined, which does not include recoveries from state-based Medicaid actions with which DOJ may have assisted. The $71 million increase in recoveries from health care-related matters between FY 2018 and FY 2019 marks the third consecutive year of increasing health care-related recoveries. Notably, recoveries from health care-related cases brought directly by DOJ increased from $568 million to $695 million between FY 2018 and FY 2019, the second highest amount recovered in 30 years.

Continue Reading DOJ False Claims Act Recoveries FY 2019: Total Collections Rise – Almost 90 Percent Relate to Health Care

Based on their extensive experience advising health care industry clients, Epstein Becker Green attorneys and strategic advisors from EBG Advisors are predicting the “hot” health care sectors for investment, growth, and consolidation in 2020.  These predictions for 2020 are largely based on the increasing confluence of the following three key “drivers” of health industry transformation that is substantially underway:

  1. The ongoing national imperative of reducing the cost of health care, via disease prevention and detection, and cost-effective, quality treatment, including more efficient care in ambulatory and retail settings;
  2. Extraordinary advances in technologies which enhance disease prevention, detection and cost-effective treatment (e.g., artificial intelligence (AI)-driven diagnosis and treatment, virtual care, electronic medical record (EMR) systems, medical devices, gene therapy, and precision medicine); and
  3. The aging baby-boomer population, with tens of millions of Americans entering into their 70s, 80s, and above.

Continue Reading 7 Hot Health Care Industry Sectors for Investment, Growth & Consolidation in 2020

Two announcements made by FDA in late October signal a marked change to FDA’s regulatory approach to “homeopathic” drugs. On October 25, 2019, FDA withdrew the 1988 Compliance Policy Guide (“CPG”) 400.400 Conditions Under Which Homeopathic Drugs May Be Marketed, and, concurrently, published revised draft guidance titled Drug Products Labeled as Homeopathic (the “Revised Homeopathic Draft Guidance”).

Homeopathy—an alternative medical approach that began in the late 18th century—is based on the belief that (1) a substance that causes symptoms in a healthy person can be used in a diluted form to treat symptoms and illnesses, and (2) the more diluted a substance, the more potent it is.  Homeopathic products are formulated as tinctures, dilutions, capsules, or powders.  Although homeopathic products meet the statutory “drug” definition under the Food, Drug, and Cosmetic (“FD&C”) Act, FDA historically has exercised enforcement discretion for homeopathic drugs, subject to labeling and formulation requirements specified in CPG 400.400, and has not prioritized enforcement for products failing to meet these requirements.

At the time the FD&C Act was enacted, homeopathic products were a cottage industry—made primarily in small batches on an individual patient basis.  Today, however, there is a burgeoning commercial industry, valued at approximately $ 5.39 billion globally as of 2017, marketing drug products labeled as “homeopathic.”  According to FDA, the increase in product availability has coincided with an increase in adverse event reports involving such products.  These include reports of toxicity from belladonna-containing products and loss of smell caused by intranasal zinc products.  FDA states in the Revised Homeopathic Draft Guidance that these adverse reactions occurred despite the products’ apparent compliance with CPG 400.400’s labeling and ingredient formulation requirements.

FDA first announced its intention to withdraw CPG 400.400 in a December 2017 draft guidance.  At that time, the agency did not plan to withdraw CPG 400.400 until a final guidance with an updated regulatory strategy was issued.  However, in a change of plans, FDA decided to withdraw CPG 400.400 concurrently with the release of the Revised Homeopathic Draft Guidance, thereby eliminating the “safe harbor” for homeopathic drug products.  According to FDA, the agency changed its plans because CPG 400.400, in addition to being out of date, also is inconsistent with the agency’s current risk-based enforcement approach.

The Revised Homeopathic Draft Guidance explains that, in the absence of a safe harbor, all unapproved homeopathic drugs are “being marketed illegally [and] subject to FDA enforcement at any time.”  However, FDA is prioritizing for enforcement those homeopathic products that the agency determines pose the highest risks to consumers. Specifically, FDA is prioritizing for enforcement the following types of homeopathic drug products:

  • Products with reports of injury that, after evaluation, raise potential safety concerns;
  • Products that contain or purport to contain ingredients associated with potentially significant safety concerns;
  • Products for routes of administration other than oral and topical;
  • Products intended to be used for the prevention or treatment of serious and/or life-threatening diseases or conditions;
  • Products for vulnerable populations; and
  • Products with significant quality issues.

The Revised Homeopathic Draft Guidance does not offer any additional insight on where enforcement against homeopathic drug products falls within the FDA’s overall enforcement priorities going forward or when FDA will start to step up enforcement activities.  According to the agency’s public database, FDA has issued a total of four Warning Letters against manufacturers of homeopathic drug products, with the first being in 2015 and the most recent being in April 2019.

Stakeholders should consider assessing their products against the categories described in the Revised Homeopathic Draft Guidance in order to evaluate the risk of continuing to market or introducing new homeopathic drug products.

FDA is accepting comments to the Revised Homeopathic Draft Guidance through January 23, 2020.

Today, a final rule issued by the Centers for Medicare & Medicaid Services (CMS) establishing new enforcement initiatives aimed at removing and excluding previously sanctioned entities from Medicare, Medicaid, and the Children’s Health Insurance Program (CHIP) goes into effect.[1] Published September 10 with a comment period that also closed today, the new rule expands CMS’s “program integrity enhancement” capabilities by introducing new revocation and denial authorities and increasing reapplication and enrollment bars as part of the Trump Administration’s efforts to reduce spending. While CMS suggests that only “bad actors” will face additional burdens from the regulation, the new policies will have significant impacts on all providers and suppliers participating in Medicare, Medicaid, and CHIP.[2]


The New “Affiliations” Revocation Authority

The new “affiliations” enforcement framework—the regulation’s most significant expansion of CMS’s revocation authority—permits CMS to revoke or deny a provider’s or supplier’s enrollment in Medicare if CMS determines an “affiliation” with a problematic entity presents undue risk of fraud, waste, or abuse. Generally to bill Medicare, providers and suppliers not only must submit an enrollment application to CMS for initial enrollment, but also must recertify enrollment, reactivate enrollment, change ownership, and to change certain information.[3] In the rule’s current form, providers or suppliers submitting an enrollment application or recertification to CMS (“applicants”) will be required to submit affiliation disclosures upon CMS’s request if the agency determines the entity likely has an affiliation with a problematic entity as described below.[4] CMS will base its request on a review of various data, including Medicare Provider Enrollment, Chain, and Ownership System data and other CMS and external databases that might indicate problematic behavior, such as patterns of improper billing.[5] Upon CMS’s request, applicants identified as having at least one affiliation with a problematic entity would be required to report any current or previous direct or indirect “affiliations” to CMS.[6]

Continue Reading New Program Integrity Rule Expanding Medicare Revocation and Denial Authorities Takes Effect Today

On October 22, 2019, the Centers for Medicare and Medicaid Services (“CMS”) issued a Request for Information (“RFI”) to obtain input on how CMS can utilize Artificial Intelligence (“AI”) and other new technologies to improve its operations.  CMS’ objectives to leverage AI chiefly include identifying and preventing fraud, waste, and abuse.  The RFI specifically states CMS’ aim “to ensure proper claims payment, reduce provider burden, and overall, conduct program integrity activities in a more efficient manner.”  The RFI follows last month’s White House Summit on Artificial Intelligence in Government, where over 175 government leaders and industry experts gathered to discuss how the Federal government can adopt AI “to achieve its mission and improve services to the American people.”

Advances in AI technologies have made the possibility of automated fraud detection at exponentially greater speed and scale a reality. A 2018 study by consulting firm McKinsey & Company estimated that machine learning could help US health insurance companies reduce fraud, waste, and abuse by $20-30 billion.  Indeed, in 2018 alone, improper payments accounted for roughly $31 billion of Medicare’s net costs. CMS is now looking to AI to prevent improper payments, rather than the current “pay and chase” approach to detection.

CMS currently relies on its records system to detect fraud. Currently, humans remain the predominant detectors of fraud in the CMS system. This has resulted in inefficient detection capabilities, and these traditional fraud detection approaches have been decreasingly successful in light of the changing health care landscape.  This problem is particularly prevalent as CMS transitions to value-based payment arrangements.  In a recent blog post, CMS Administrator, Seema Verma, revealed that reliance on humans to detect fraud resulted in reviews of less than one-percent of medical records associated with items and services billed to Medicare.  This lack of scale and speed arguably allows many improper payments to go undetected.

Fortunately, AI manufacturers and developers have been leveraging AI to detect fraud for some time in various industries. For example, the financial and insurance industries already leverage AI to detect fraudulent patterns. However, leveraging AI technology involves more than simply obtaining the technology. Before AI can be used for fraud detection, the time-consuming process of amassing large quantities of high quality, interoperable data must occur. Further, AI algorithms need to be optimized through iterative human quality reviews. Finally, testing the accuracy of the trained AI is crucial before it can be relied upon in a production system.

In the RFI, CMS poses many questions to AI vendors, healthcare providers and suppliers that likely would be addressed by regulation.  Before the Federal government relies on AI to detect fraud, CMS must gain assurances that AI technologies will not return inaccurate or incorrect outputs that could negatively impact providers and patients. One key question raised involves how to assess the effectiveness of AI technology and how to measure and maintain its accuracy. The answer to this question should factor heavily into the risk calculation of CMS using AI in its fraud detection activities. Interestingly, companies seeking to automate revenue cycle management processes using AI have to grapple with the same concerns.  Without adequate compliance mechanisms in place around the development, implementation and use of AI tools for these purposes, companies could be subject to high risk of legal liability under Federal False Claims Act or similar fraud and abuse laws and regulations.

In addition to fraud detection, the RFI is seeking advice as to whether new technology could help CMS identify “potentially problematic affiliations” in terms of business ownership and registration.  Similarly, CMS is interested to gain feedback on whether AI and machine learning could speed up current expensive and time-consuming Medicare claim review processes and Medicare Advantage audits.

It is likely that this RFI is one of many signals that AI will revolutionize how healthcare is covered and paid for moving forward.  We encourage you to weigh in on this on-going debate to help shape this new world.

Comments are due to CMS by November 20, 2019.

Our colleagues Amy F. LermanFrancesca R. Ozinal, and team have released the 2019 update to Epstein Becker Green’s Telemental Health Laws survey.

Available as a complimentary app for iPhoneiPad, and Android devices, the survey covers state telehealth laws, regulations, and policies within mental health.

For more about the survey findings, visit “Epstein Becker Green Finds Telehealth Services Are Increasingly Accessible to Mental Health Professionals Despite Legislative Barriers.”

Also see the “Telemental Health Laws: Overview” for more about the milestones achieved in 2019, current barriers, and opportunities for 2020 and beyond.

The Centers for Medicare & Medicaid Services (CMS) and the Department of Health and Human Services Office of Inspector General (OIG) issued their long-awaited proposed rules in connection with the Regulatory Sprint to Coordinated Care today.  Transforming our healthcare system to one that pays for value is one of the Department’s top four priorities, and the Deputy Secretary launched the Regulatory Sprint to remove potential regulatory barriers to care coordination and value-based care.

OIG’s proposed rule revising the safe harbors under the anti-kickback statute includes a number of noteworthy proposals, but by far the most significant are the proposed new safe harbors for value-based arrangements and patient engagement arrangements.  The breadth and scope of the proposed new safe harbors is remarkable; unlike OIG’s previously issued safe harbors, if finalized, they would protect arrangements of unknown design and unproven efficacy as long as the parties reasonably anticipate the arrangement will advance the coordination and management of care of a target patient population and the arrangement satisfies all of a safe harbor’s other requirements. The proposed rule also includes a new safe harbor for cybersecurity donations, and modifications to the personal services and management contracts safe harbor that would provide new protections for outcomes-based arrangements such as shared savings, gainsharing, and pay-for-performance arrangements. Given the challenges associated with designing safe harbor protections for emerging healthcare arrangements, OIG took great pains to emphasize that it had not yet made a final determination that the arrangements described in its proposals should be exempt from liability under the anti-kickback statute and that any final safe harbors would provide only prospective protection.

Although most within the industry surely will welcome OIG’s proposed rule, others will be unhappy with it, including pharmaceutical manufacturers; manufacturers, distributors, or suppliers of durable medical equipment, prosthetics, orthotics or supplies (DMEPOS); and laboratories, all of which would be excluded from participating in value-based and patient engagement arrangements.

CMS has taken the next step in the regulatory sprint to coordinated care by proposing new exceptions to the Stark Law that specifically address various types of value-based arrangements and has created a special rule related to indirect value-based arrangements.  Similar to OIG, CMS also is proposing a new exception related to donations of cyber security technology and services to physicians.  In addition to these broad sweeping new exceptions recognizing the changes in the reimbursement system, CMS also made other modifications to the existing exceptions and notably have provided clarity in definitions.  On first blush, the new rule appear to allow for opportunities for more flexible arrangements.

Stay tuned to updates on Health Law Advisor for an in-depth analysis of both the OIG’s proposed rule and CMS’ special rule.

Based on findings of the Payment Accuracy Report recently issued by the Department of Health and Human Services (DHHS), six Democratic United States Senators questioned the Centers of Medicare and Medicaid Services’ (CMS) oversight and enforcement of Medicare Advantage (MA) plans. In a letter dated September 13, 2019, the Senators highlighted their belief that MA plans have been overbilling the federal government for years, specifically in excess of $30 billion dollars over the last three years.

The Senators requested that CMS provide a response on how the Agency intends to hold MA plans responsible for failing to meet purported contractual obligations, including the accuracy of risk adjustment submissions.

This letter comes on the heels of several setbacks that may affect the Agency’s ability to police Medicare Advantage plans. The Supreme Court ruling in Azar v. Allina Health Services, No. 17–1484 (U.S. June 3, 2019) may restrict CMS’s ability to rely on interpretive publications and sub-regulatory guidance in lieu of formal rulemaking. Additionally, CMS’s Medicare Part C and D overpayment regulation was struck down in United Healthcare Ins. Co. v. Azar, 330 F. Supp. 3d 173 (D.D.C. 2018). Finally, the health plan industry comments to CMS’s proposed Risk Adjustment Data Validation (RADV) rule have heavily criticized the Agency’s proposed handling of RADV, CMS’s primary risk adjustment enforcement tool.

Although payment integrity and risk adjustment were at the forefront of their concerns, the Senators flagged other issues regarding CMS’s oversight of MA operations that they believe could create access to care barriers for MA plan members. The Senators asserted that MA plans fail to provide members with complete and accurate provider directories to make informed decisions when choosing a plan and that CMS has failed to ensure these MA networks even comply with network adequacy requirements. The Senators further noted that the MA plans have not been forthright in providing comprehensive encounter data that reflects the actual services provided to its members, encouraging a reduction in bonus payments for failure to disclose this information. Finally, the Senators called for more transparency with encounter data, denial information, Star ratings and potential out-of-pocket expenses, encouraging CMS to make this information publicly available.

CMS has mechanisms to police most of the concerns raised by the Senators through its MA Program Audits, Civil Monetary Penalties and contract sanctions, which can include termination. However, as noted in CMS’ 2018 Program Audit report, the plans audited by the Agency in 2018 covered only 2% of the MA enrollee population, though the Agency levied 10 civil monetary penalties and 3 intermediate sanctions on audited plans for issues of non-compliance.

The letter from this group of Senators follows previous concerns expressed by Senator Chuck Grassley in 2017 and several high profile settlements related to the MA Program, all of which suggest that MA plans, downstream providers and vendors should increase their efforts to comply with rules and be prepared for increased government scrutiny.

Ashley Creech, a Law Clerk (not admitted to the practice of law) in the firm’s Washington, DC office, contributed significantly to the preparation of this post.