In this episode of the Diagnosing Health Care Podcast: The vaccine passport has been a major topic of discussion as businesses and governments consider how to balance privacy and safety through the rollout of the COVID-19 vaccine. Epstein Becker Green attorneys Patricia Wagner, Alaap Shah, and Jessika Tuazon discuss the privacy and security concerns companies must weigh as they consider developing or implementing vaccine passports, such as the collection and use of an individual’s personal health information. As state governments and the private sector take the lead on developing vaccine passport initiatives, it is imperative that businesses implement better privacy and security practices to mitigate or manage risk.

The Diagnosing Health Care podcast series examines the business opportunities and solutions that exist despite the high-stakes legal, policy, and regulatory issues that the health care industry faces. Subscribe on your favorite podcast platform.

Listen on Apple Podcasts, Google Podcasts, Overcast, Spotify, Stitcher, Vimeo, YouTube.

In December 2015, we wrote about the many failed health insurance co-ops created under the Affordable Care Act (“ACA”), and the impact of those failures on providers and other creditors, consumers, and taxpayers. At that time, co-ops across the country had more than one million enrollees. As of January 2021, there were roughly 120,000 enrollees in three remaining co-op plans. Nonprofit co-op insurers were intended to increase competition and provide less expensive coverage to consumers. However, low prices, lack of adequate government funding, restrictions on the use of federal loans for marketing, and low risk corridor payments from the Centers for Medicare & Medicaid Services created financial challenges for these insurance plans.

Health Republic Insurance Company of New York (“Health Republic”) was the largest co-op established under the ACA. New York State regulators ordered Health Republic shut down in September 2015 because of its poor financial condition. In the five-plus years of Health Republic’s liquidation proceedings, its outside legal advisors and other professionals have been paid approximately $8 million, while no money has been distributed to providers or policy holders. Unlike certain other states that maintain health insurance guarantee funds to protect consumers and providers in the event of a health insurer’s insolvency, New York State had no such guaranty fund to protect Health Republic’s creditors.

The ACA’s risk corridor program was designed to limit co-op plans’ profits and losses during the first three years of operations by collecting money from plans in which the costs were lower than the premiums received and conversely paying those plans in which costs exceeded the premiums received. In practice, plans’ losses exceeded their profits and the federal government paid only a small percentage of the risk corridor payments owing to the plans. Many lawsuits were filed by plans seeking to recover more than $12 billion from the government. Following protracted litigation, the United States Supreme Court ruled on April 27, 2020 that the government was obligated to make full risk corridor payments.

According to a press release dated May 3, 2021, New York’s Superintendent of Financial Services announced a settlement with the federal government by which Health Republic will recover more than $220 million from the United States. This recovery will allow Health Republic’s Liquidator “to pay all policyholder level claims in full, including many New York hospital systems and other health care providers” as well as pay New York State and local government claims and a portion of general creditors’ claims. Fortunately, the favorable outcome of the litigation over risk corridor payments will provide the means for creditor recoveries in this prolonged liquidation proceeding.

On April 8, 2021, the U.S. Department of Justice (“DOJ”) announced the first charges brought in connection with alleged fraud on the Accelerated and Advance Payment Program, administered by the Centers for Medicare & Medicaid Services (“CMS”).[1]  According to the indictment, Francis Joseph, M.D., a Colorado physician, has been charged with misappropriating nearly $300,000 from three different COVID-19 relief programs: the Accelerated and Advance Payment Program, the Provider Relief Fund, and the Paycheck Protection Program.[2]

Accelerated and Advance Payment Program

The Accelerated and Advance Payment Program is intended to provide emergency funds by way of expedited payments to health care providers and suppliers when there is a disruption in claims submission or claims processing.  While CMS has historically utilized this program to provide targeted relief in response to national emergencies or natural disasters affecting certain portions of the country, the program was expanded in March 2020 to apply to a broader group of Medicare Part A providers and Part B suppliers nationwide due to the financial impact of COVID-19.[3]

According to the indictment, Dr. Joseph allegedly submitted an Advance Payment Request Form for a medical practice of which he had relinquished control, and then transferred approximately $92,000 from the medical practice’s operating account to a personal bank account (approximately $87,000 of that amount was paid by the Medicare Administrative Contractor as an advance payment the previous day).

Provider Relief Fund

The Provider Relief Fund is a $178 billion measure appropriated under the Coronavirus Aid, Relief, and Economic Security (“CARES”) Act that offers aid to providers who were financially impacted by COVID-19 and treatment and other assistance to individuals suffering from COVID-19.

The indictment marks the second time that DOJ has brought charges related to misuse of Provider Relief Fund distributions (DOJ announced the first charges in February 2021 against a home health provider).  According to the indictment, Dr. Joseph’s former medical practice met the criteria for a Provider Relief Fund distribution of $31,782, but Dr. Joseph allegedly transferred those funds from the medical practice’s operating account to a personal bank account.

Cyber threats and cybersecurity controls have evolved significantly over the past two decades since the HIPAA Security Rule was originally promulgated. During this same time, healthcare entities have increasingly become a prime target of hackers seeking to extort payment using ransomware, exfiltrate patient data to commit fraud, or disrupt operations in other nefarious ways. Recognizing these challenges, some security professionals have sought further clarity on the HIPAA Security Rule that they deem to be “long in the tooth”. Yet, regulators have not made any significant modifications – perhaps driven by the original policy considerations of the HIPAA Security Rule that: “the standard should be comprehensive and coordinated to address all aspects of security”; that it be “scalable, so that it can be effectively implemented by covered entities of all types and sizes”; and that it “not be linked to specific technologies, allowing covered entities to make use of future technology advancements.”

As we previously discussed, the HITECH Act was recently modified to require that HIPAA regulators take into account “recognized security practices” in the context of investigation and enforcement actions. One such source of “recognized security practices” has historically been the National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-66, Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Yet, this NIST guidance also appears to be “long in the tooth” as it was issued nearly 13 years ago in October of 2008.

In the absence of significant regulatory changes to the HIPAA Security Rule, NIST called for comments from healthcare industry stakeholders regarding how to revise guidance SP 800-66. This will help clarify what “recognized security practices” are in today’s highly digitized, increasingly distributed and technology-driven world. NIST’s move brings its considerable cybersecurity expertise and resources to bear on updating the guidance to address the current cybersecurity threat landscape that healthcare entities face.

Chiefly, NIST seeks to update the guidance to:

  • Increase awareness of relevant NIST cybersecurity resources,
  • Increase awareness of relevant non-NIST resources relevant to compliance with the HIPAA Security Rule, and
  • Provide HIPAA Security Rule implementation guidance that reflects the current cyber threat landscape and best practices.

NIST is encouraging comments on stakeholder experiences leveraging SP 800-66 in practice in an effort to identify gaps in the guidance. NIST is also curious to hear from stakeholders who found the guidance not to be applicable to their organization in order to determine ways to make it more useful, relatable, and actionable. Specifically, NIST is seeking information on useful tactics, tools, resources, and techniques that stakeholders have leveraged in their compliance efforts including, but not limited to:

  • managing both practical and compliance aspects of security,
  • assessing risks to ePHI such as determining if security measures are effective, and
  • documenting adequate implementation for purposes of compliance.

To gain out-of-the-box perspectives, NIST is also seeking comment on any recognized security practices that stakeholders employ which diverged from compliance with the HIPAA Security Rule. While stakeholders may not want to go on the record describing how their own security practices “diverge” from the HIPAA Security Rule, they may more generally discuss industry practices. In that regard, perhaps these comments will be most interesting of all, as they will illustrate if practical security has diverged in a way that requires regulators to revisit the HIPAA Security Rule.

NIST encourages submission of comments through June 15, 2021. Feel free to contact EBG’s Privacy, Cybersecurity, and Data Asset Management Team if you are interested in developing and submitting comments to shape what will likely constitute “recognized security practices” for the foreseeable future.

Alaap B. Shah

Patricia Wagner

In this episode of the Diagnosing Health Care Podcast: Since the start of the COVID-19 pandemic, many jurisdictions have enacted protections from COVID-19-related liability claims through legislation and executive orders. These liability shields, however, may give health care businesses a false sense of security and offer little protection when it comes to employment claims.

Epstein Becker Green attorneys Denise Merna Dadika, Gregory Keating, and Elena Quattrone discuss the unintended liability consequences health care employers must consider as they transition more employees back to in-person work and the ways to mitigate increasing whistleblower and retaliation risks.

On April 29, 2021, the Federal Communications Commission (FCC) will begin accepting applications for the second round of its COVID-19 Telehealth Program (the “Program”). However, the application filing window will only be open for a very short seven-day period and will close on May 6, 2021. To give all applicants an equal opportunity to have their applications reviewed, the FCC announced that all applications filed during this period will be reviewed once the application filing window has closed.

Initially, in March 2020, Congress appropriated $200 million for the first round of the COVID-19 Telehealth Program funding under the CARES Act. An additional $249.95 million was provided to the FCC in December 2020, under the Consolidated Appropriations Act (CAA), to help address inequities in access to health care service. The COVID-19 Telehealth Program was designed to help health care providers purchase telecommunications equipment, broadband connectivity, and other devices necessary for providing telehealth services to rural, low-income and underserved populations.

The Program is limited to nonprofit and public health care providers (47 U.S.C. § 254(h)(7)(B)) that fall within the following categories:

  1. Post-secondary educational institutions offering health care instruction, teaching hospitals, and medical schools;
  2. Community health centers or health centers providing health care to migrants;
  3. Local health departments or agencies;
  4. Community mental health centers;
  5. Not-for-profit hospitals;
  6. Rural health clinics;
  7. Skilled nursing facilities; or
  8. Consortia of health care providers consisting of one or more entities falling into one of the first seven categories.

On April 19, 2021, the Office of Inspector General’s (OIG) Office of Audit Services (OAS) released the results of an audit conducted on the accuracy of diagnosis codes submitted to CMS by Humana, Inc. for 2015 dates of service. Based on the audit results, the OIG recommended Humana return a whopping $197.7 million in alleged overpayments and enhance its policies and procedures to prevent, detect and correct noncompliance with Federal requirements for diagnosis codes that are used to calculate risk-adjusted payments.

Under the Medicare Advantage (MA) program, the Centers for Medicare & Medicaid Services (CMS) makes monthly capitated payments to MA organizations using a risk adjustment system that takes into consideration the health status of their beneficiaries. MA organizations communicate the health status of their beneficiaries to CMS through the submission of diagnosis codes.

The OIG, under its authority to conduct audits to identify waste and mismanagement of federal health program dollars, has, more recently, been actively conducting audits on risk adjustment submissions from certain MA organizations using two different methodologies – (1) an approach similar to CMS’ historic Risk Adjustment Data Validation (RADV) audits where it samples all diagnosis codes submitted for 200 beneficiaries; and, (2) a targeted code approach, reviewing single instance submissions of certain codes that tend to carry a high error rate.  Both the Humana audit and an audit conducted on Essence Healthcare, Inc., used the RADV-like approach. In the Essence audit, OIG recommended that Essence repay CMS only $158,904 in overpayments. In doing so, the OIG did not apply an extrapolated overpayment amount. This is in sharp contrast to the almost $200 million extrapolated estimate by OIG for Humana.

Humana did not agree with the OIG audit results, challenging the OIG in both its coding and audit methodology. According to the OIG report, Humana was successful in overturning a number of coding determinations made by the government team, driving the error rate down and reducing the extrapolated overpayment amount from $261 million to $197 million. Other arguments raised by Humana include: (1) the OIG did not follow CMS’s established RADV methodology; (2) the OIG did not incorporate underpayments into its estimates of overpayments; (3) the OIG did not correctly calculate the overpayment amount; and, (4) the identification of unsupported diagnosis codes does not indicate a failure of Humana’s policies and procedures.

The OIG audit findings and recommendations do not represent final determinations by CMS. As indicated in the report, officials at CMS will determine whether an overpayment exists. MA organizations have the right to appeal the determination through CMS’ RADV appeals process.

Our colleagues Brian Cesaratto and Alexander Franchilli of Epstein Becker Green have a new post on Workforce Bulletin that will be of interest to our readers: “‘NAME:WRECK’ Cybersecurity Vulnerability Highlights Importance of Newly Issued IoT Act.”

The following is an excerpt:

A recently discovered security vulnerability potentially affecting at least 100 million Internet of Things (“IoT”) devices[1] highlights the importance of the newly enacted IoT Cybersecurity Improvement Act of 2020 (the “IoT Act”). Researchers at the security firms Forescout Research Labs and JSOF Research Labs have jointly published a report detailing a security vulnerability known as “NAME:WRECK.” This is exactly the type of issue that the new IoT Act was and is designed to address at the governmental level, because the vulnerability can detrimentally affect the security of millions of interconnected IoT devices. As our recent blog “New Internet of Things (IoT) Cybersecurity Law’s Far Reaching Impacts” discussed, this is the type of cybersecurity risk that all organizations should consider and factor in to their supply chain risk assessments and mitigation measures. If your organization directly uses IoT devices, or contracts with vendors who supply IoT devices or software/systems using IoT devices, whether in the healthcare, manufacturing, retail, financial services, hospitality or employment context, you should be evaluating your cybersecurity programs for protecting IoT devices.

On April 13, 2021, a New York-based chiropractor was sentenced to nine years in prison, and ordered to pay close to $20 million, for running what the federal government alleged was a large-scale scheme to defraud Medicare and other third-party insurers.[1] The sentencing stems from a case originally filed under seal on August 29, 2018, in which the U.S. Attorney’s Office for the Southern District of New York alleged that two New York chiropractors – James and Jeffery Spina – improperly owned and controlled multiple medical practices and engaged in submission of fraudulent health care claims from 2011 until September 2017.

On March 26, 2021, the U.S. Department of Justice (“DOJ”) reported on the agency’s heightened criminal and civil enforcement activities in connection with COVID-19-related fraud.[1]  As of that date, DOJ had publicly charged 474 defendants with criminal offenses in connection with COVID-19-related schemes across 56 federal districts to recover more than $569 million in U.S. government funds.

The Coronavirus Aid, Relief, and Economic Security (“CARES”) Act is a federal law, enacted on March 29, 2020, designed to provide emergency financial assistance to the millions of Americans who are suffering the economic effects caused by the COVID-19 pandemic.  The CARES Act provides relief through a number of different programs, including the Paycheck Protection Program (“PPP”), Economic Injury Disaster Loans (“EIDL”), the Provider Relief Fund, and Unemployment Insurance (“UI”).[2]  With the promulgation of these programs, DOJ has ramped up efforts in identifying and investigating fraud to protect the integrity of the $2.2 trillion in taxpayer funds appropriated under the CARES Act.

Criminal Enforcement Activities

The majority of fraud cases brought by DOJ have originated in the Criminal Division’s Fraud Section, accounting for at least 120 defendants charged with PPP fraud.[3]  The PPP allows qualifying small businesses and other organizations to receive loans with a maturity of two years and an interest rate of 1 percent.  PPP loan proceeds must be used by businesses for payroll costs, interest on mortgages, rent, and utilities.  Most of these defendants are facing charges for allegedly misappropriating loan payments for prohibited purposes, such as luxury purchases, while another significant portion are charged in connection with allegedly inflating payroll expenses in order to obtain larger PPP loans.[4]

DOJ also announced that it has seized over $580 million in fraudulent application proceeds in connection with the EIDL program, which is designed to provide loans to small businesses and agricultural and nonprofit entities.  DOJ’s primary concerns with respect to this program have related to fraudulent applications for EIDL advances and loans on behalf of shell or nonexistent businesses.

In response to a rise in UI fraud schemes, DOJ has established the National Unemployment Insurance Fraud Task Force to investigate domestic and international organized crime groups targeting unemployment funds through the use of identity theft.  Since the start of the pandemic, over 140 defendants have been publicly charged with federal offenses related to UI fraud.[5]
