By now many of you have heard about the large settlement that hospitals entered into a few weeks ago with the federal government to fix underpayments to hospitals for inpatient services caused by CMS’ failure to properly determine the rural floor budget neutrality adjustment over the past several years. These settlements cover amounts owed by the federal government under traditional Medicare – i.e., Part A.
However, these settlements did not address similar problems with payments by Medicare Advantage plans – i.e., Part C.

Nationally, the Medicare Advantage plans represent roughly 20% of the patient population of Medicare. In some areas the percentage is larger. Moreover, the error that CMS settled was repeated over the course of several years; specifically, for discharges from October 1, 2006 through September 30, 2011. Therefore, for most hospitals this is a potentially sizable category of underpayments by Medicare Advantage health plans.

If you have a hospital that has contracts with any Medicare Advantage plans that paid for inpatient services during the affected years based on a percentage of the rates owed by traditional Medicare under the Inpatient Prospective Payment System (IPPS), then the payments made by those Medicare Advantage plans could have been underpaid on Part C claims to the same extent that Medicare underpaid on Part A claims. This issue also can affect payments for noncontracted services paid by Medicare Advantage plans.

We have been evaluating for hospitals their respective Medicare Advantage contracts with various Medicare Advantage plans for the potential to pursue corrections of affected Part C claims.

We also have extensive experience handling the rural floor issues through our work on the settlements for the traditional Medicare program, having represented several hundred hospitals nationally, accounting for around $700 million of the settlement amounts being paid by the government.

If you would like more information about this issue, please contact Glenn Solomon at 310-551-8179, John Hellow at 310-551-8155, or Nina Adatia at 310.551.8153.

An Arizona cardiac surgery practice has agreed to pay $100,000 to settle allegations that it failed to comply with HIPAA privacy and security requirements. The HHS Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules, announced the settlement in a press release issued April 17, and available here. The practice also agreed to a corrective action plan. It did not admit any liability.

This investigation should catch the attention of small providers who have not made a priority of HIPAA compliance. The target of this investigation was a small medical group, and the penalty – not to mention the likely costs of the investigation – was substantial. In announcing the settlement, OCR said, “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.” The practice evidently came to OCR’s attention through a report that it was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.  HHS says that its investigation revealed ongoing deficiencies:

• Failure to provide and document workforce training.
• Failure to implement appropriate security safeguards; in particular– posting electronic health information on a publicly accessible, Internet-based calendar; transmitting health information from an Internet-based email account to workforce members’ personal Internet-based email accounts;
• Failure to identify a security official;
• Failure to conduct a proper security risk assessment;
• Failure to obtain the required business associate agreements from the provider of its Internet-based email account and calendar.

The one-year corrective action plan requires the practice to adopt and maintain policies and procedures to address the alleged deficiencies. The policies and procedures must be submitted to OCR for approval, and the practice must address changes recommended by OCR. The practice must distribute the policies and procedures to all affected members of its workforce, and to new hires, and must obtain a signed compliance certification from workforce members. The practice must review and, if necessary, revise its policies and procedures at least annually. The practice must also train its workforce in the policies and procedures, and obtain certifications from them that they have received the training. The practice must review and update its training annually.

Finally, the practice must report breaches of its policies and procedures to OCR.

OCR’s expectation that providers should be in full compliance with the Security Rule – which went into effect seven years ago – is not surprising. Like the  settlement that OCR announced last month , this one highlights the need to treat security compliance as a continuous process involving regular assessments of the security environment, review of policies and procedures, and workforce training.

Hooper, Lundy & Bookman assists clients with a range of HIPAA compliance activities, including policies and procedures, workforce training and managing data breaches.

For more information, please contact: In San Francisco, Paul Smith, Clark Stanton, Steve Phillips or Paul Deeringer at 415.875.8500; in Los Angeles, Hope Levy-Biehl at 310.551.8111; in Washington, D. C., Robert Roth at 202.587.2590.

On March 13, 2012 the HHS Office for Civil Rights (OCR) announced the settlement of what it says is the first enforcement action resulting from a report under the breach notification requirements of the HITECH Act. Under the settlement, Blue Cross Blue Shield of Tennessee (BCBST) agreed to pay OCR $1,500,000 to settle potential HIPAA violations, and signed a corrective action plan.

The settlement arises from the theft of computer equipment from a locked closet, secured by biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock. However, BCBST staff had vacated the facility where the closet was located, and left building security in the hands of the property manager. The settlement is noteworthy because it shows OCR’s readiness to impose a substantial penalty on a company that was the victim of a break-in. It also emphasizes the need to keep current with risk assessments, security policies and procedures, and workforce training, particularly in the face of changing circumstances like facility closings or relocations.

The OCR press release about the settlement says:

This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program . . . . The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.

According to the press release, the investigation was triggered by a breach notice submitted by BCBST to HHS after the theft of 57 unencrypted computer hard drives from a facility in Tennessee.  The drives contained information from more than a million individuals, including member names, Social Security numbers, diagnosis codes, dates of birth, and health plan identification numbers. The release says that BCBST failed to perform the required security evaluation in response to operational changes (presumably the move), and to implement adequate facility access controls. The theft occurred in October of 2009.

In addition to the payment, BCBST entered into a Resolution Agreement with OCR. The agreement has a term of 450 days. Under the agreement, BCBST agrees to:

• Revise its HIPAA privacy and security polices to comply with HIPAA standards, submit them to HHS for approval, revise them if HHS so requests, and demonstrate that it has implemented them once they are approved. The policies must include a risk assessment and risk management plan, as well as a facility security plan including access controls and physical safeguards;
• Distribute the policies and procedures to all employees who have access to electronic protected health information, and obtain a written certification from the employees that they have read and understood the policies, and will abide by them. BCBST also agrees to notify HHS of workforce violations of the policies and procedures;
• Provide training for all BCBST employees in the policies and procedures, and obtain a certification from each employee that he or she has received the required training;
• Conduct reviews, including unannounced site visits and employee interviews, to confirm that employees are familiar with the policies and procedures, and are complying with them; and
• Submit two biannual reports to HHS documenting training, violations of policies and procedures, and compliance reviews.

Besides the cash payment, the settlement draws attention to the importance of ongoing risk analysis, maintaining current policies and procedures, and regular workforce training. Hooper, Lundy & Bookman assists clients with a range of HIPAA compliance activities, including policies and procedures, workforce training and managing data breaches.

For more information, please contact: In San Francisco, Paul Smith, Clark Stanton, Steve Phillips or Paul Deeringer; in Los Angeles, Hope Levy-Biehl.

View/Download PDF

View/Download PDF

View/Download PDF

2012 Southern California Super Lawyers: HLB is pleased to announce that Robert Lundy, Lloyd Bookman, Patrick Hooper, Charles Oppenheim and Bradley Tully have been selected as 2012 Southern California Super Lawyers

Effective January 1, 2012, California’s workers’ compensation self-referral law was
expanded to apply to pharmacy goods, defined to include any dangerous drug or device.
As a result, implantable medical devices requiring a physician’s order, are now covered
by the law, and questions have arisen regarding the impact this might have on physician
owners of a medical device company who perform surgeries on California workers’
compensation patients.

When enacting this change in the law, the Legislature made clear that it intended to
address arrangements in which physicians provide prescription medical foods for their
patients. There is no indication the Legislature gave any consideration to physicianowned
device companies. Nevertheless, as amended, the law would now prohibit a
physician from referring a patient for implants to a company that the physician owns or
has a financial relationship with, unless an exception were available.

However, it does not appear that patients would be viewed as being “referred” to a
medical device distributor, within the meaning of California’s self-referral law.
Therefore, this law does not appear to have any impact on physician-owned device
companies. Although the term “referral” is not defined in the statute, the California
Attorney General, for many years, has relied on the standard dictionary definition of a
referral for purposes of California’s closely related anti-kickback statute as follows:

• The verb ‘refer’ is defined as ‘to send or direct for treatment, aid,
  information, decision’ (Webster’s Third New Internat. Dict. (1971 ed.) at
  p. 1907, def. (2a)) and a ‘referral’ as ‘the process of directing. . . a patient .
  . . to an appropriate specialist or agency for definitive treatment’ (id., at p.
  1908, def (1b)). The phrase ‘referral of patients’ . . . may thus be thought
  of as the process whereby a third party independent entity who initially
  has contact with a person in need of health care first selects a professional
  to render the same and then in turn places the prospective patient in
  contact with that professional for the receipt of treatment. (65
  Ops.Cal.Atty.Gen. 252, 254 (1982).)

Accordingly, instead of the physician referring a patient to device distributor, the
physician is referring the patient to a hospital or surgery center, and the hospital (or
surgery center), upon the physician’s order, purchases the implant from the distributor.
The patient’s relationship is with the hospital or surgery center where the patient receives
care. There is no financial relationship or physical encounter between the patient and the
distributor, and the distributor has no direct relationship with the patient. Under these
circumstances, although the distributor sells an implant to the hospital upon a physician’s
order, we do not believe that there would be any prohibited referral of a patient to
distributor by its physician owners.

There would, however, still need to be an exception allowing the physician to refer the
patient to the hospital (because, through the distributor, the physician would have an
indirect financial relationship with the hospital). However, as before, the law contains an
exception allowing a physician to refer a patient to a hospital, so long as the physician is
not paid for that patient referral (and any equipment lease between the parties meets
certain requirements). This exception would continue to apply. For ambulatory surgery
centers, the analysis is the same, because a similar exception applies for these referrals.

For additional information, please contact Charles Oppenheim, Bradley Tully, David
Hatch, Karl Schmitz, or Eugene Ngai in Los Angeles at 310.551.8111; or Stephen
Phillips in San Francisco at 415.875.8500.

It has come to our attention that Aetna may be engaging in improper practices concerning out-of-network providers and physician-owned surgery centers. While the issues discussed below arise out of disputes with Aetna, they may very well also arise out of disputes with other insurers.

Restrictions on Right to Refer PPO Patients to Out-of-Network Providers

We believe that Aetna is improperly threatening physicians with rate adjustments or termination of their contracts where the physicians refer PPO patients to out-of-network providers. Attached hereto is an example of one of these letters.

We believe that this practice is improper for several reasons. Aetna markets to its PPO patients, and its PPO patients pay Aetna more for the right to access out-of-network providers. Imposing punitive sanctions on physicians who refer to out-of-network providers will limit the patients’ rights to access out-of-network providers, and therefore negates the benefits of their PPO benefits.

Furthermore, an insurer may not interfere with a patient and physician’s health care treatment decisions, unless the patient has agreed to restricted coverage, like that provided by a HMO.

We also believe that Aetna’s restrictions on referrals may amount to false advertising and unfair business practices, contrary to California and federal law. Finally, the language in the particular contract with Aetna might not actually prohibit referrals to out-of-network providers for members with out-of-network benefits. We encourage you to review Aetna’s payment practices and your contracts to make sure that Aetna is not improperly restricting your out-of-network referrals for members with out-of-network benefits.

Denial of Claims for Facility Charges at Physician-Owned ASCs

Aetna is disallowing claims for facility charges submitted by physician-owned ASCs when those ASCs are not either (1) licensed as freestanding ambulatory surgical facilities in California, or (2) certified as ASCs under 42 C.F.R. § 416. Attached is an example of letters Aetna has sent to physician-owned ASCs. We believe this may be an improper restriction against physician-owned ASCs that do not provide care to Medicare beneficiaries.

As you may know, due to recent changes in California law, physician-owned surgical facilities are no longer eligible for licensure as freestanding ASCs. This makes it impossible currently for physician-owned ASCs located in California to obtain the license purportedly called for by Aetna’s internal policy. California law allows ASCs to operate with either a Medicare certification, or an appropriate accreditation. Naturally, ASCs that do not provide Medicare services have no need to maintain Medicare certification, and many choose the accreditation option. Yet, Aetna is refusing to recognize these accredited ASCs as valid providers. It appears that Aetna hopes to create a de facto coverage exclusion of physician-owned ASCs in California through this policy. We believe that this practice improperly harms physician-owned ASCs, and deprives Aetna’s members of their right to obtain services at these ASCs.

We believe that Aetna’s strategy to exclude California physician-owned ASCs from payment for their claims may be contrary to several provisions of California law. We urge you to review Aetna’s disallowances to make sure that it is not disallowing charges on this basis.

Please click here for a link to examples of the Aetna’s letters.

We are considering filing actions against Aetna on these issues. If you are experiencing these or similar problems with Aetna or any other insurer, or you would like to find out more about these issues, please contact Daron Tooch at (310) 551-8192, Glenn Solomon at (310) 551-8179, or Katie Markowski at (310) 551-8107.

View/Download PDF

View/Download PDF

View/Download PDF

View/Download PDF

Successful Software Purchasing
EHR Webinar – December 7, 2011

Successful Software Purchasing by Healthcare Providers

By Stephen K. Phillips

The typical software purchase is a horrid affair for the healthcare provider, particularly the provider who does not have the business leverage or legal resources of a large healthcare system. With a detailed understand­ing of its product, extensive experience with how to price and sell it, and the cover of “industry standard” terms, the software vendor usually enters the sale cycle with an overwhelming advantage over the provider and no qualms using it. The most common result, either through ignorance or acquiescence by the provider, is a grossly one-sided deal no better than the click-wrap or online licensing terms a typical consumer purchases under.

But a healthcare provider using software in a clini­cal environment needs the vendor to be held to a higher standard. When an iPod breaks, damages are minimal. When software that controls imaging equipment fails or a vendor’s hosted electronic medical record system is breached or patient records get mismatched or cor­rupted, enormous damage can result, especially given the recent sharp increase in patient safety and privacy regulations and penalties. The military, faced with similar mission critical software needs, has never ac­cepted a consumer standard for purchasing software. Why should a healthcare provider?

This executive briefing outlines a strategy for pro­viders to fight for a fair and balanced set of software (and related service) terms. There is no secret process here: the key to a good result is foresight, prepara­tion and execution of strategies designed to enhance the provider’s leverage. I have learned through many years of experience with software licensing (including, I must confess, as general counsel for two health­care software companies) that in any contract negotia­tion, the skill of negotiators, much less the merits of the positions they advance, is of minimal importance compared to the business leverage each side brings to bear. The number one goal of a successful negotiat­ing strategy for providers, therefore, is to maximize negotiating leverage.

Creating Leverage

Leverage is best enhanced by aggregating demand and proactively orchestrating the purchasing process. This requires advanced planning and action.

Group Purchasing

Very few providers have sufficient purchasing power on their own to aggregate the demand needed for significant leverage with a vendor. For most pro­viders, therefore, participation in some form of group purchasing effort is the best way to aggregate demand and create leverage.

The most prevalent form of group purchasing in­volves a group purchasing organization (GPO). GPOs are a long-standing feature of the healthcare purchas­ing environment, yet very few meaningfully serve the health care software market. The beauty of GPOs from a provider’s perspective is that when properly structured they are safe harbored from noncompliance with antitrust and fraud and abuse law, two bodies of law that are often the chief obstacles to provider col­laboration. Moreover, GPOs are unlicensed entities, and therefore do not face the delays, cost and intrusive regulatory oversight typically associated with licensed entities. With proper legal structuring, providers are free to form with other like-minded providers a GPO to create negotiating leverage vis-a-vis software ven­dors. Similarly, providers are free to participate in the group purchasing programs of third parties, such as regional extension centers and community purchasing coalitions, organized specifically for provider group purchasing. The relative ease of forming a GPO makes either creating a new GPO or joining an existing one viable options, with the preferred option dependent on the particular circumstances of a provider and its market.

Bundling

Another way to aggregate demand is through bun­dling, whereby a provider agrees to buy a group of products from a vendor in exchange for more favorable terms. The most obvious bundling is of software and related services. Some services, such as implementa­tion and maintenance services, are almost always bun­dled. Others, such as extended training and support, are not. Vendors often sell software as modules and offer discounts for a bundled package of modules.

Orchestrating the Purchasing Process

Although the aggregation of demand is the most important part of an overall strategy for successful soft­ware purchasing by a provider, how the provider or­chestrates negotiations is also enormously important.

RFPs

The best orchestration is done through requests for proposals (RFP) from multiple vendors or other formalized solicitation process. The RFP process helps to tip the scale in the provider’s favor by creating com­petition among vendors for the provider’s business, setting the stage for vendors to play by the provider’s rules, and setting forth within those rules the critical purchasing and licensing terms for the provider.

Orchestrating competition among vendors allows the provider to compare each vendor’s product spec­ifications against the others and weigh the pros and cons of those specifications against the prices, services, warranties, legal terms of purchase, support, and other relevant terms of sale. With each competitor unsure of the other’s posture, the vendors are incentivized to offer better terms. In an RFP process it also becomes more feasible for providers to demand that vendors sell products based on the legal terms and conditions prof­fered by the provider. In the worst case scenario, no worthy vendors respond to the RFP, or more likely, they respond with less favorable terms than are pro­posed by the provider. In such instances, the terms demanded by the purchaser can then be adjusted to be more agreeable to vendors until more desirable ven­dors participate. This is far more preferable to nego­tiating with one vendor on their standard terms and conditions.

If a provider cannot use its own contractual terms, it should create a checklist of key provider-friendly terms and use it as a guide to revising the vendor’s terms. It should also demand fully editable versions of the vendor’s documents, not pdf files or locked Word documents designed to discourage changes. Finally, the provider should resist vendor requests to put all changes in an addendum to the contract. Such ad­denda obfuscate the terms and disguise their one-sided nature.

The vendors should be required to submit any changes to the provider’s proposed terms and condi­tions as part of their bids. The RFP directions should be as explicit as possible that terms and conditions of licensing set forth in the RFP, taking into account changes proposed by the vendor in its response, will be considered final unless the provider proposes fur­ther changes. An even stronger approach is to make certain elements of the RFP response a binding con­tract such that any attempt to re-negotiate such agreed upon terms after acceptance of an RFP response will be a breach of contract that subjects the vendor to con­tractual damages and disqualification. Although many vendors will bristle at this heavy-handed approach, it is important to fight the almost predictable effort by a vendor to re-negotiate terms and conditions once its bid has been accepted, often under the guise of a misunderstanding as to the nature of the RFP rules on this point or miscommunication with the vendor’s legal and/or finance departments. The more teeth put into this part of the process the better and well-worth the effort.

Timing

Either in conjunction with an RFP or without one, a provider can often increase its negotiating leverage by timing its software purchases to coincide with low demand. Software needs can spring suddenly from rapid operational, legal and administrative changes or from the collapse of existing software systems, and a provider may never feel it has the luxury of timing its software purchases. But the more a provider pro­actively surveys its operational environment and the software needs it generates, the better able it is to fore­cast future software purchasing needs and enhance its ability to initiate the purchasing of software at a time that enhances its leverage. Such periods of heightened leverage coincide with a slow sales period or a highly competitive period for vendors, such as the end of a fiscal quarter or year, the entry of new competing soft­ware offerings, or for a variety of reasons the loss of a product’s market appeal.

The flip-side to provider market timing is avoid­ing having to buy at periods of peak market demand and avoiding end of quarter sales pressures from the vendor. Oftentimes vendors offer discounts with a short-expiration period to coincide with the end of a sales quarter, a well-worn and artificial tactic to get a customer to agree to the vendor’s one-sided terms by threatening rescission of the discount. Stand firm, and the discount almost always magically reappears.

Key Terms and Conditions of Licensure and  Service

Although a complete discussion of desirable terms and conditions of licensure for a provider is beyond the scope of this briefing, some of the critical terms and conditions are discussed below. The most impor­tant points are: 

• Identifying the lifecycle cost of the product
• Properly allocating risk under the contract
• Providing for proper remedies for breach of the contract
• Providing for a viable exit strategy from the relationship.

Identifying Lifecycle Costs

Identifying the true costs to the provider of a ven­dor’s product over its lifecycle is tricky and requires much patience and persistence. Most vendors do their utmost to obscure the true costs in a number of ways. First, vendors often provide a byzantine fee schedule with all sorts of list costs, discounts, rebates and bun­dled rates so that the actual out of pocket cost is unclear. Second, vendors often obscure or fail to identify all ini­tial costs, often by failing to spell out all likely imple­mentation and training services beyond a low baseline of services. Third, vendors often add do not specify costs such as travel, lodging, and overtime, as well as future costs, except with vague references to “costs in­curred”, “at prevailing charges” or “then-current fees.”

Software is typically upgraded and updated peri­odically. The provider will want the option to obtain such new versions of the software at a predetermined price. The same is true with maintenance and support services throughout the lifecycle of the product. At the very least, future pricing should be subject to caps based on external benchmarks like a CPI index. Travel charges should be subject to prior approval and other cost controls (e.g., coach travel, no more than 8 hours billed for travel in one day, etc.).

Allocating Risk

Allocating risk under a contract requires under­standing the risks each side creates by doing business together and then addressing those risks appropriately under the sections of the license agreement dealing with representations and warranties, indemnification, insurance, limitations of liability and termination. All of these contractual provisions work together to appor­tion risk under a contract. Representations and war­ranties should include those made by the vendor dur­ing the sales cycle. If a vendor, for example, claims that its software is certified EHR Technology, the contract should expressly state that as a representation and war­ranty that remains in effect through the term of the agreement. If a representation by a sales representative is not in writing, it is likely not going to be enforceable, because almost all contracts contain contractual clauses providing that any oral representations during the sales process are not binding and the product’s representa­tions and warranties are limited to those expressly set forth in the contract.

Vendors typically insist on allocating risk under the contract predominantly to the customer. They do this in a number of key areas. They will typically seek to have a series of payments, for example, due on specified calendar dates rather than upon completion of a series of performance achievements. A date-driven payment schedule should be resisted.

Vendors may also unfairly allocate risk to the pro­vider by minimizing the representations and warran­ties they make about their product and services in the contract, refusing or limiting their indemnification obligations, inserting draconian limitation of liability clauses that limit their damages to the amount paid by the customer under the contract for a specific pe­riod of time and excluding recovery for damages other than direct damages. The limitation of liability clause is typically defended as a non-negotiable clause for the vendor, sometimes one required by external audi­tors for publicly traded companies. This position is defended regardless of the harm that the vendor’s ac­tions might inflict on the customer and without any attempt to subject the vendor to a reciprocal limitation of liability clause. Indemnity clauses are sometimes resisted as voiding insurance policies, but this concern can typically be addressed contractually without elimi­nating the vendor’s indemnity.

Providing Proper Remedies

Providing proper remedies for breach of the con­tract is tightly wound up with the allocation of risk under the contract. For example, a limitation of liabil­ity clause is, besides a means of allocating risk, a means of limiting a party’s breach remedies. Other breach remedies include the exclusion of damages other than direct damages, the limitation of the time period for representations and warranties to be effective and the discretion of the vendor to determine whether a prod­uct can be repaired, refurbished or replaced.

Exit Strategies

Providing for an exit from a vendor relationship is another critical element to the product lifecycle that needs to be addressed properly in the purchase contract. A vendor wants a sticky relationship (e.g., a dependence of the customer on the vendor) and de­velops that stickiness in part by license terms that do not provide for termination for convenience, do not provide for transition assistance upon termination of the contract, charge termination fees or impose non­refundable fees, and provide for a long initial term and automatic renewal terms, among other measures. The provider, logically, should resist all such terms and seek a contract that provides for termination for con­venience after a reasonable period without financial penalty coupled with the right to receive meaning­ful transition assistance at pre-determined rates. Such resistance is critical because the provider needs to have a meaningful ability to terminate the relationship and migrate to a new vendor’s products by being able to terminate the contract without excessive fees or any penalties and receive technical assistance in migrating to a new technology vendor without a discontinuance of patient care and operations.  

Other Important Terms and Conditions

In addition to the four key terms and conditions described above, there are several other lesser but still important terms and conditions that must typically be addressed in the license and service agreements govern­ing software purchases. These include the following.

IP Ownership

A vendor will always own the software it licenses, but the provider should, in many cases, own modifi­cations it makes to the software using the software’s templates and should always own the data it stores on a database connected to the software and carefully limit the vendor’s access to and use of it. Many vendors attempt a land-grab by granting themselves a right to de-identify the customer’s patient data and then assert full ownership over such de-identified data – without compensation or liability protection for the customer. This should be strongly opposed.

Embedded Third Party Software

The software systems of vendors may contain soft­ware from other vendors (i.e., third party software), and the vendor may refuse to make any representations or warranties about third party software or provide any con­tractual remedy for its failed performance. Such an ap­proach leaves the provider without a remedy should the third party software fail to perform or cause any liability for the provider (e.g., a court order enjoining the use of the software because it infringes upon the copyright rights of another party). 

Affiliates as Contracting Parties

Vendors will sometimes attempt to use an affiliate as the contracting party for software or services. If the af­filiate has few financial resources, any contractual claim the provider has against the affiliate may be meaningless because the affiliate does not have the financial resources to satisfy a claim. The only protection against this danger is to refuse to permit affiliate contracting, require a parent guarantee from the vendor’s parent company, or require adequate insurance provisions be put in place to protect against potential liability (e.g., require the vendor to main­tain insurance that is comprehensive with respect to claims and coverage amounts and names the provider as an ad­ditional insured).

Stability of the Vendor and Escrowing Source Code

The license agreement should protect the provider if the vendor becomes insolvent or files for bankruptcy. One means of doing so is to provide for the escrow of the soft­ware source code. Any escrow should be made with an independent third party, include not only the source code, but also the tools, logic diagrams, programmer notes, en­cryption keys, compilers and documentation necessary to operate the software, and require the vendor to escrow any updated version of the escrowed materials produced dur­ing the contract term. The escrow agent should be re­quired to verify that the escrowed materials are complete and up to date.

HIPAA Compliance

Vendors will typically need access to patient health information as part of their maintenance and support services. Providers should require the vendor to sign the provider’s form of business associate agreement (BAA) covering the responsibilities of the vendor with respect to data privacy and security and ensure that that BAA has state privacy law provisions, indemnification and cyber­insurance provisions, language requiring vendor compli­ance with breach notification requirements and other pri­vacy and security law requirements. Vendors should not be permitted to retain protected health information, use it for anything other than to provide services to the provider or, as noted above, create de-identified data out of it.

ASP and SaaS Model Software

Vendors are increasingly selling software under applica­tion service provider (ASP) and software as a service (SaaS) models, where the software is delivered to the provider as a service over the Internet. ASP and SaaS models hold the potential for lower-cost software that is easier to maintain and upgrade, but present special security concerns, because all patient and other provider data must be transmitted over the Internet and stored on the vendor’s servers. Many ASP and SaaS vendors use third-party hosting companies, such as Amazon and Dell, to host the software and data, creating yet another security risk to the data. The ASP and SaaS models, therefore, require special data security protec­tions to be addressed in the contract and in any vendor contract with a hosting company.

In addition, when software is categorized as a service instead of a product, the provider may be unable to obtain otherwise available protections under bankruptcy law if the vendor files for bankruptcy, and in litigation may not be af­forded certain rights and remedies available under product liability law. Finally, the ASP and SaaS models give the vendor the technical ability to immediately terminate the provider’s access to the software and its data. The provider should therefore insist on specific protections in the agree­ment to address bankruptcy, product liability and termina­tion rights that would otherwise be compromised without special contractual provisions.

Conclusion  

When it comes to purchasing software, the provider naturally starts at a huge disadvantage, but through proper planning, foresight and execution of strategies designed to enhance the provider’s leverage, a provider can greatly neu­tralize the vendor’s advantage. Joint purchasing, bundled purchases, creating competition amongst vendors through the use of RFPs, strategically timing purchases and fight­ing for the most critical contractual terms that enhance the provider’s leverage can result in a more balanced set of terms.

For additional information, please contact Stephen Phil­lips in San Francisco at 415.875.8500, Stephen Treadgold in San Diego at 619.744.7300, or Joseph Berkowitz in Los An­geles at 310.551.8111.

 Hooper, Lundy & Bookman Presents:

Electronic Health Record Incentive Programs:
What Providers Need to Know to Maximize Their Potential for
Medicare and Medicaid Incentive Payments

EHR Webinar

Wednesday, December 7, 2011
12 – 1 p.m. Pacific Time 3 – 4 p.m. Eastern Time

Register at: http://hlb-ehr-2011.eventbrite.com 

CLE Credit Will Be Offered For This Event

For registration questions, or for CLE registration, please contact Baron Kishimoto at bkishimoto@health-law.com.

Return to top

Supreme Court Hears Medi-Cal Rate Arguments
Physician Supervision Requirements
Eight HLB Attorneys Named Among “2012 Best Lawyers in America”
HLB Calendar

US Supreme Court Session Opens with Hearing on Medi-Cal Rate Litigation HLB Cases at Center of the Storm

By Lloyd A. Bookman

Several Hooper, Lundy, and Bookman attorneys were in attendance Monday, October 3, 2011, as the Supreme Court heard oral argument in the critically important Medi-Cal rate cases the firm has been han­dling.

Background

The firm’s cases include California Pharmacists As­sociation v. Douglas, No. 05-1158, in which the firm represents the plaintiff provider organizations and Independent Living Centers of Southern California v. Douglas, No. 09-958, in which the firm represents various providers that have intervened in the matter as plaintiffs. These cases were combined with two other California cases involving Medi-Cal rate issues.

These cases arose from various Medi-Cal rate cuts and limits implemented since 2008. The cuts at issue include the 10% across-the-board rate reduction im­plemented by California on July 1, 2008, a limitation of Medi-Cal rates for certain inpatient hospital services to 95% of the average rate paid to contracting hospi­tals effective October 1, 2008, and 5% and 1% cuts to other rates that went into effect March 1, 2009.

The Ninth Circuit Court of Appeals upheld prelimi­nary injunctions, and in one case reversed the lower court’s denial of a preliminary injunction, preventing these cuts from going into effect. The Ninth Circuit found that the state had improperly cut the rates for purely budgetary rea­sons, had failed to consider the impact of the rate cuts on access and quality, and had failed to consider the relationship of the proposed rates to providers’ actual costs. The Ninth Circuit also noted that there was evidence that the rate cuts were creating problems with beneficiaries obtaining access to services. The Court concluded that this indicated that the rate cuts would violate Section 30(A) of the Medicaid Act, which requires rates to be consistent with efficiency, economy, and quality of care, and sufficient to ensure that beneficiaries have equal access to services.

The Ninth Circuit ruled that Medi-Cal beneficiaries and providers could bring a claim for relief under the Su­premacy Clause of the United State Constitution, which in essence provides that federal law shall be the supreme law of the land. State law that is in conflict with federal law is pre­empted by the federal law and is invalid.

California asked the United State Supreme Court to review these cases. The Court agreed to hear only the fol­lowing issue:

Whether Medicaid recipients and providers may main­tain
a cause of action under the Supremacy Clause to enforce
Section 30(A) by asserting that the provision preempts
a state law that may reduce payments to pro­viders.

The Court declined to accept for review the question of whether the Ninth Circuit properly interpreted and applied Section 30(A).

Importance of Issue

The resolution of this issue is of vital importance to Medicaid recipients and providers. The ability of Medicaid recipients and providers to sue states where the state cuts Medicaid rates so much that the rates violate federal law would be placed in serious jeopardy if the state prevails. States are facing significant fiscal pressures, and Medicaid is a large component of most states’ budgets. In the absence of recipient and pro­vider litigation to ensure at least minimally adequate rates, or the threat of such litigation, states will likely feel free to balance their budgets by cutting Medicaid payment rates. This will inevitably lead to a lack of ac­cess for beneficiaries to necessary and critical services.

Further, as Medicaid patients cannot find access to phy­sicians and other practitioners who can no longer afford to care for them, the patients will end up in hospital emergency rooms, a much more costly site of care. Further, the already crowded emergency rooms will become overcrowded, and waiting times for services will increase. The financial well being of many hospitals will then be placed in jeopardy, as hospitals will see an influx of Medicaid patients while their payments are also being cut. This downward spiral could very well lead to hospital closures. The closure of a hospital affects the availability of health care services to everyone, not just Medicaid recipients.

Finally, the outcome of this case will likely have signifi­cant implications for health care reform. Health care reform under the Affordable Care Act depends on the enrollment of tens of millions of Americans in Medicaid in 2014. If California prevails and states starve their Medicaid program of necessary funding, these new beneficiaries will obtain coverage that may be largely illusory as they will not be able to find participating providers. This would place the success of health care reform in serious jeopardy.

The Supreme Court Hearing

We are cautiously optimistic from the comments of the Justices at the hearing Monday that the ability of beneficia­ries and providers to sue states when their Medicaid rates are so inadequate that they violate the federal Medicaid Act will be preserved.

The discussion at the Court was lively, with each Jus­tice except Justice Thomas peppering the lawyers for both sides with provocative questions. The questioning provided insight into the Justices’ views and the potential outcome.

Several of the Justices appeared to support a broad right to sue states under the Supremacy Clause to pursue a claim that state law violates federal law and is therefore pre-empt­ed and invalid. These Justices, including the Court’s new­est additions Justices Sotomayor and Kagan, were troubled by the state’s argument that the Supremacy Clause should be treated differently than virtually all other Constitutional provisions, which the courts have found create a private right of action to enforce their provisions.

Most of the Justices were very concerned with the fact that California had implemented the Medi-Cal rate cuts prior to even submitting them to the federal government for approval, let alone obtaining that approval, and continuing to implement the cuts even after they were disapproved by CMS. These Justices appeared to understand clearly that if beneficiaries and providers could not sue, the states could feel free to act in violation of federal law in order to balance their budgets without fear of significant consequences.

Justice Roberts seemed to be the most hostile to the po­sition of the beneficiaries and providers. His view appeared to be that allowing beneficiaries and providers to sue under the Supremacy Clause to contend that a state rate cut vio­lates Section 30(A) would effectively undo more than two decades of Supreme Court decisions that have substantially limited the rights of private parties to bring a claim under a federal statute. Justice Roberts appears to believe that a stat­ute must expressly confer a right to sue for a private party to be able to bring a claim for its enforcement, and he did not see any such language in Section 30(A).

Justice Breyer’s questioning provided a window into a possible middle ground that could garner at least five votes. This would be a ruling that would allow beneficiaries and providers to sue states under the Supremacy Clause, or per­haps more generally under the courts’ equitable powers, to seek an injunction prohibiting states from implementing rate cuts until CMS has had an opportunity to review the cuts and approve or disapprove. Under this approach, the avenue available to challenge a rate cut that has been ap­proved by CMS might be a suit against CMS under the Administrative Procedures Act, rather than a suit against the state under the Supremacy Clause.

We expect that the Court will issue its decision dur­ing the first quarter of 2012. This decision will certainly have enormous consequences for those who depend on state Medicaid programs for their health care, providers who open their doors to the poor, and ultimately our entire health care delivery system.

For additional information, please contact Lloyd Bookman or Patric Hooper in Los Angeles at 310.551.8111; or Mark Reagan or Craig Cannizzo in San Francisco at 415.875.8500.

Return to top

More Changes Ahead to Physician Supervision Requirements for Hospital Outpatient Therapeutic Services

By Patricia H. Wirth

It has been hard for hospitals to stay abreast of all of the changes the Centers for Medicare & Medicaid Services (“CMS”) has made to the physician supervision require­ments for outpatient therapeutic services over the past few years, and it is not going to get any easier. In the 2012 Medicare outpatient prospective payment system (“OPPS”) proposed rule, CMS has proposed establishing an indepen­dent advisory process to review outpatient therapeutic ser­vices and to make recommendations to CMS to assign some services to higher or lower levels of supervision. While the changes CMS is proposing may result in less intensive su­pervision levels and more flexibility for some services, it may prove difficult for hospitals to implement the new supervi­sion levels as CMS announces them every six months. To understand the proposed changes, it is helpful to begin by looking at the evolution of the supervision requirements.

Direct Supervision Requirement for Outpatient Therapeutic Services

Medicare Part B covers therapeutic services fur­nished to hospital outpatients that are provided “inci­dent to” the services of a physician in the treatment of his or her patients. Therapeutic services generally in­clude all services or procedures that are not considered diagnostic in nature, such as clinic services, observation services and emergency room services.

When the hospital OPPS began in 2000, CMS ad­opted physician supervision policies as a condition of payment. CMS specified that direct supervision was required for most outpatient therapeutic services provided in hospitals and in provider-based departments (“PBDs”) of hospitals. Direct supervision meant that the physician had to be physically on the premises and immediately available to furnish assistance and direc­tion throughout the procedure. CMS emphasized that the direct supervision requirement applied to services provided at off-campus PBDs, but said it assumed the direct supervision requirement was met when the out­patient services were provided on campus.

In light of CMS’ “assumed” satisfaction of the di­rect supervision requirement for outpatient services provided on campus, many hospitals thought that it was unnecessary to designate or document specific physicians as the supervising physicians. Hospitals typically deemed their emergency department physi­cians to be functioning as the supervising physicians for all outpatient therapeutic services performed on campus.

The 2009 Final Rule’s “Clarification”

In the years after the initial OPPS regulations, CMS received many questions from hospitals that led CMS to believe hospitals were providing only general supervision or no supervision at all for outpatient therapeutic services provided on hospital premises. This prompted CMS in the preamble to the 2009 OPPS final rule to “clarify” that the supervising physician for services furnished in the hospital and in all PBDs of the hospital must be present in the de­partment and immediately available when outpatient ther­apeutic services were being provided. That meant hospitals could not rely on their emergency department physicians to supervise outpatient therapeutic services performed on campus, since the emergency department physicians were not physically present in the departments where the services were being provided.

The 2010 Final Rule Relaxed the Definition of Direct Supervision

In the 2010 OPPS final rule, CMS relaxed its di­rect supervision requirement for therapeutic outpa­tient services provided on hospital campuses by allow­ing the supervising physician to be physically present anywhere on the same campus. However, the super­vising physician still had to be immediately available, which CMS defined to mean that the physician was physically present, interruptible and able to furnish as­sistance and direction throughout the performance of the service.

CMS gave hospitals further flexibility by allow­ing physician assistants, nurse practitioners, clinical nurse specialists, certified registered nurse anesthetists, certified nurse-midwives and licensed clinical social workers to supervise outpatient therapeutic services if these non-physician practitioners personally furnished the services and the services were within the respec­tive practitioner’s scope of practice under State law and the privileges granted by their hospital (clinical psy­chologists were already allowed to supervise outpatient therapeutic services).

The 2011 Final Rule Deleted the Boundary Requirement

The 2011 OPPS final rule further redefined direct su­pervision to remove all requirements that the supervising physician be on the same campus or in the department of an off-campus PBD. While CMS removed the boundary requirement, it continued to require that the supervising physician be immediately available. CMS also established a new category of outpatient therapeutic services, “nonsurgi­cal extended duration therapeutic services,” that have a sub­stantial monitoring component. These services include ser­vices for observation, IV hydration and patient-controlled anesthesia pumps. Direct supervision is required for the initiation of these services; however, once the physician has determined the patient is stable, the service can continue under general supervision. (General supervision means the service is furnished under the overall direction and control of the physician, but the physician’s physical presence is not required.) The point of transition from direct to general supervision must be documented in the medical record.

The 2012 Proposed Rule’s Process to Establish New Supervision Requirements for Many Services

In the recent 2012 OPPS proposed rule, CMS has now proposed that an independent advisory entity, the existing Advisory Panel on Ambulatory Payment Clas­sification Groups (the “APC Panel”), evaluate individ­ual outpatient therapeutic services and make recommendations to CMS concerning the appropriate level of physician supervision for each of the services. The APC Panel may recommend that a particular service be assigned to a less intensive (general) level of supervi­sion or to a more intensive (personal) level of supervi­sion. As proposed, “personal” supervision would mean that a physician has to be in the room during the ser­vice or procedure.

CMS proposes that a “subregulatory” process that is not subject to formal notice and comment rulemak­ing be used for its final decisions on supervision re­quirements. According to CMS, this would allow for a more flexible and frequent process and allow CMS to take action more quickly to revise a supervision re­quirement if necessary. However, prior to finalizing any supervision requirements, CMS’ proposed deci­sions would be posted on the OPPS Web site with a period for public comment. Any new supervision re­quirements would be effective the following January or July. In addition, hospitals could request reevaluation of CMS’ decisions, but they would have to provide sig­nificant justifications to support such a request (such as new clinical evidence, new technology or new tech­niques in how patient care is provided).

When evaluating the appropriate level of super­vision for a particular service, the APC Panel would take into consideration any available clinical evidence and any know impacts of supervision on the quality of care. The APC Panel would also consider the varied environments in which the particular service may be delivered. The Panel will further assess the likelihood that the supervising physician would reassess the pa­tient and change the treatment or give guidance to the practitioner providing the service. In making this as­sessment, CMS proposes that the APC Panel consider: (1) the complexity of the service, (2) the patient’s acu­ity, (3) the probability that an unexpected or adverse patient event would occur, and (4) the likelihood that rapid clinical changes would occur during the service.

The APC Panel would be able to select which ser­vices it evaluates, but CMS could also request that the APC Panel review certain services. In addition, CMS plans to solicit services for evaluation from hospitals.

CMS has clarified that the direct supervision re­quirement also applies to critical access hospitals (“CAHs”), but issued a notice instructing its contrac­tors temporarily not to enforce the requirement with respect to CAHs. The nonenforcement notice was expanded to include small rural hospitals with 100 or fewer beds. While the new independent review pro­cess is being established, CMS expects it will extend the notice of nonenforcement for these hospitals through December 31, 2012.

Conclusion

CMS continues to state that the most appropriate level of supervision for most hospital outpatient therapeutic ser­vices is direct supervision, that is, the physician must be im­mediately available (present and interruptible) to furnish assistance and direction throughout the performance of a therapeutic service or procedure, but does not have to be present in the room where the service or procedure is be­ing performed. The proposed advisory process may result in more appropriate supervision levels for particular services which may enhance the quality of patient care. The new su­pervision levels may also allow for more flexibility and reduce costs when supervision levels are lowered.

However, the revised supervision levels may also prove to be of more form than substance. If a department performs several different outpatient services that have a mix of gen­eral and direct supervision levels, the hospital will need to provide the more intensive direct level of supervision for the department as a whole, even though some services require less supervision. While it is not known yet what impact new supervision requirements will have on hospitals, it is clear that when the process begins, hospitals will have to monitor the OPPS Web site frequently to keep up to date with the new requirements and then carefully track what supervision levels apply to which services.

For questions or additional information, please contact Tish Wirth in Washington, D.C. at 202.587.2590; Laurence Getzoff or John Hellow in Los Angeles at 310.551.8111; Mark Johnson in San Diego at 619.744.7300; or Paul Smith in San Francisco at 415.875.8500.

Return to top

HLB is proud to announce that

eight attorneys have been named among the

2012 Best Lawyers in America

Lloyd Bookman, John Hellow, Patric Hooper, Steven Lipton,
Robert Lundy, Cary Miller, Paul Smith and Bradley Tully
were all named among the best in the Health Care Law category. 
Cary Miller was also named in the Commercial Litigation category. 

Return to top

HLB Calendar

Return to top

California Focus

All Provider Types Affected

On August 18, 2011, the California Legislature passed Senate Bill 24 (“S.B. 24“), which amended California’s security breach notification law, Cal. Civil Code § 1798.82 (“Section 1798.82“), to include additional content and reporting requirements regarding breach notifications. Governor Brown signed these changes into law on August 31, 2011, and they become effective January 1, 2012. While some providers’ existing breach notification policies and procedures may comply with the new content requirements, which largely mirror the federal HITECH Act, Section 1798.82 also contains new reporting requirements that differ from existing federal and state laws, and with which providers will need to familiarize themselves as soon as possible. In addition, the changes to Section 1798.82 do not alter licensed health facilities’ breach notification obligations under Health & Safety Code § 1280.15 (“S.B. 541“).

Who Do These Changes Affect?

Section 1798.82 applies to all persons or businesses in California that own or license computerized data that includes “personal information.” Personal information includes an individual’s first name or first initial and last name, in combination with any one or more of a specified set of data elements,¹ when either the name or the data elements are not encrypted. Thus, the amendments to Section 1798.82 affect all persons or businesses that own or license electronic consumer records containing unencrypted data. This generally will include most, if not all, healthcare providers, and their “business associates” under HIPAA.

What Do the Changes Require?

S.B. 24 enacts four key changes to Section 1798.82:

Standardized contents of breach notifications. As amended, Section 1798.82(d) requires that security breach notifications be written in “plain language” and include, at a minimum, the following information:

• The name and contact information of the reporting person or business subject to Section 1798.82;
• A list of the types of personal information that were or are reasonably believed to have been the subject of a breach;
• If possible to determine at the time the notice is provided, the notice should include any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred.
• The date of the notice;
• Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided;
• A general description of the breach incident, if that information is possible to determine at the time the notice is provided; and
• The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number.
• In addition, at the discretion of the reporting person or business, the security breach notification may also include: (A) information about what the person or business has done to protect individuals whose information has been breached; and/or (B) advice on steps that the person whose information has been breached may take to protect himself or herself.

HITECH Act compliance by HIPAA covered entities deemed compliance with new content requirements. In an effort to coordinate California’s breach notification law with federal law, new Section 1798.82(e) provides that a “covered entity” under HIPAA will be deemed to have complied with the new notice content requirements under Section 1798.82(d) “if it has complied completely” with the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act“) notice content requirements set forth at 42 U.S.C. § 17932(f).

However, HITECH Act compliance will not exempt a covered entity from any other provision of Section 1798.82; e.g., the new reporting requirements, covered below. In addition, even if breach notification is not required under the HITECH Act (e.g., because the covered entity has determined that the incident does not pose a significant risk of financial, reputational, or other harm to the individual), breach notification may still be required under Section 1798.82, because California law does not contemplate a “harm analysis” as the HITECH Act does. Finally, because revised Section 1798.82(e) only exempts “covered entities” from the new notice content requirements, “business associates” under HIPAA still will be required to fully comply with their obligations under both the HITECH Act and Section 1798.82.

Attorney General notice required if more than 500 residents affected. New Section 1798.82(f) provides that any person or business that is required to issue a security breach notification pursuant to Section 1798.82 to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. That copy shall not be considered to be a record of complaint or investigation exempt from disclosure under the California Public Records Act.

“Substitute notice” now requires notice to Office of Privacy Protection. In situations where direct notice to affected individuals would be overly expensive or ineffective,² the law allows for “substitute notice” to be given instead. As amended, the substitute notice provisions of Section 1798.82(j) now require additional notification to the Office of Privacy Protection within the State and Consumer Services Agency. Under revised Section 1798.82(j), substitute notice must consist of all of the following:

• E-mail notice when the person or business has an e-mail address for the subject persons; and
• Conspicuous posting of the notice on the Internet Web site page of the person or business, if the person or business maintains one; and
• Notification to major statewide media and the Office of Privacy Protection within the State and Consumer Services Agency.

There are no explicit penalties for failure to comply with Section 1798.82. However, the California Attorney General could prosecute violations of Section 1798.82 as unfair business practices under California’s Business and Professions Code.

Background to the Changes.

S.B. 24 attempts to fill a perceived “gap” in California’s breach notification laws, which the bill’s authors note are “silent on what information should be contained in the notification. As a result, [security breach notification] letters vary greatly in the information provided, leaving consumers confused and businesses exposed. S.B. 24 fills this gap by establishing standard, core content for the notification letters, thereby ensuring the notifications actually work.” The amendments in S.B. 24 stem from a growing body of federal and California breach notification requirements.

• Section 1798.82. Prior to S.B. 24, Section 1798.82 required any person or business covered by the statute to disclose a breach of the security of the system to any California resident whose unencrypted personal information was, or was reasonably believed to have been, acquired by an unauthorized person.³  The law requires that disclosure be made using either written notice, electronic notice, or substitute notice, and in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement. Prior to S.B. 24, however, the law did not specify the information that notifications under Section 1798.82 must contain.
• S.B. 541. In addition, existing California law requires certain licensed healthcare facilities to provide notification if a patient’s medical information is accessed, used, or disclosed unlawfully or without authorization. S.B. 541 requires notification to be provided to the patient and to the Department of Public Health (“CDPH“) within five business days after the breach is detected, unless notification would impede law enforcement’s investigation of the incident. Failure to report within the reporting timeframe can result in fines of up to $100 per violation, per day for each calendar day beyond the five days that the facility failed to report the breach. S.B. 541 does not, however, specify the information that the notification must contain.⁴
• HITECH Act. Finally, existing federal law, the HITECH Act, requires HIPAA “covered entities,” such as healthcare providers, to notify a patient whose “unsecured protected health information” has been, or is reasonably believed to have been, accessed, acquired, or disclosed as a result of the breach. Unlike S.B. 541 and Section 1798.82, the regulations implementing the HITECH Act currently provide for a “harm analysis” in determining whether a breach has occurred; no breach notification is required if the covered entity determines that the acquisition, access, use, or disclosure of protected health information does not pose “a significant risk of financial, reputational, or other harm to the individual.” See 42 C.F.R. § 164.402. The HITECH Act requires that the notice of the breach include, to the extent possible, the following information: (1) a brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; (2) a description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code); (3) the steps individuals should take to protect themselves from potential harm resulting from the breach; (4) a brief description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches; and (5) contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address. 42 U.S.C. § 17932(f).

Conclusions.

The attempt to align the amendments to Section 1798.82 with the HITECH Act provides some additional clarity regarding the information breach notifications must contain to comply with state law. However, even providers that comply with the HITECH Act’s substantive breach notification requirements will remain subject to Section 1798.82′s expanded reporting obligations to the Attorney General and the Office of Privacy Protection.

In addition, “business associates” under HIPAA will remain subject to the overlapping, but distinct, breach notification content requirements under both the HITECH Act and Section 1798.82, because business associates are not exempted under new Section 1798.82(e). Licensed health facilities subject to S.B. 541 reporting requirements will be subject to an additional layer of potentially overlapping breach notification requirements, and it is unclear whether a facility breach notification to CDPH that complies with the content requirements of the HITECH Act and/or Section 1798.82 will be viewed as sufficient for purposes of complying with S.B. 541.

Accordingly, despite the Legislature’s apparent attempt to coordinate Section 1798.82 with other federal and state laws, providers and business associates navigating breach notification issues remain subject to a patchwork of regulation and will need to ensure that breach notifications comply with the requirements of the HITECH Act, Section 1798.82, and S.B. 541, as applicable.

For more information, Paul Deeringer, Steve Phillips, Paul Smith, or Clark Stanton in San Francisco; or Hope Levy-Biehl in Los Angeles.

——————————————————————————–

¹  The data elements include (1) Social Security number; (2) driver’s license number of California Identification Card number; (3) account number, (4) credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; (4) medical information (broadly defined as any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional); or (5) health insurance information.

²   Section 1798.82 permits substitute notice in three circumstances: (1) if the cost of providing notice would exceed $250,000; (2) if the affected class of subject persons to be notified exceeds 500,000; or (3) if the person or business does not have sufficient contact information.

³   Section 1798.82 also requires that any person or business that maintains such data notify the owner or licensee of the information of any security breach immediately following discovery if the personal information was, or was reasonably believed to have been, acquired by an unauthorized person.

⁴   CDPH has, however, issued written guidance regarding recommended contents of S.B. 541 notifications. See Cal. Dept. Pub. Health, All Facilities Letter 09-03 (July 29, 2009) at p.2 (“When notifying the department, the facility should include the following information: [1] Date and time of reported incident; [2] Facility name; [3] Facility address/location; [4] Facility contact person; [5] Name of patient(s); [6] Name of the alleged violator(s); [7] General information about the circumstances surrounding the breach; [8] Any other information needed to make the determination for an onsite investigation”).

Court Rejects Qui Tam Relator’s Shotgun Approach
FDA Issues Mobile Medical Applications Draft Guidance
Proxy Credentialing Prohibited, CDPH Says
Webinar:  Alternatives to ACOs
HLB Calendar

By Paul A. Deeringer

As the mobile application market continues to expand into the medical and health and wellness arenas, “health-related” apps for mobile platforms like iPhone™ and Android™ are coming under increasing regulatory scrutiny.

On July 19, 2011, the U.S. Food and Drug Administration (“FDA”) issued a draft guidance document, “Mobile Medical Applications” (the “draft Guidance”), to inform manufacturers, distributors, and other entities about how FDA intends to apply its regulatory authority to select software applications (“mobile apps”) intended for use on mobile platforms like smartphones, tablet computers, and personal digital assistants. See FDA, Draft Guidance for Industry and Food and Drug Administration Staff – Mobile Medical Applications, available at: http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments
/ucm263280.htm; 76 Fed. Reg. 43689 (July 21, 2011).

In particular, the draft Guidance addresses a subset of mobile apps – defined in the draft Guidance as “mobile medical apps” – that may impact the performance or functionality of currently regulated medical devices. For example, the interpretation of radiological images on a mobile device could be adversely affected by smaller screen size, lower contrast ratio, and uncontrolled ambient light of the mobile platform.

FDA characterizes the draft Guidance as applying only to a “small subset” of mobile medical apps. However, the draft Guidance contains ambiguities that will make it difficult for some manufacturers and distributors to determine whether or not their mobile apps will be regulated as “mobile medical apps.” In addition, the broad scope of the draft Guidance – including identification of several areas FDA intends to regulate in the future – indicates that the mobile medical app space will become increasingly regulated in both the near- and long-term. However, the draft Guidance provides little information about the direction such regulation is likely to take.

Key Draft Guidance Terms

The draft Guidance defines three key terms:

• “Mobile platforms” are commercial off-the-shelf (“COTS”) handheld computing platforms, with or without wireless connectivity (e.g., iPhone™, Blackberry™ and Android™ phones, tablets like the iPad™).
• “Mobile app” is a software application that can be executed (run) on a mobile platform, or a web-based software application that is tailored to a mobile platform but is executed on a server.
• “Mobile medical app” is a mobile app that meets the statutory definition of a “device,” and either
  • Is used as an “accessory” to a regulated medical device;
  • “Transforms” a mobile platform into a regulated medical device.

The “intended use” of a mobile app determines whether it meets the definition of a “device.” “Device intended use” can be shown by labeling claims, advertising materials, or oral or written statements by manufacturers or their representatives. When the intended use of a mobile app is for the diagnosis of disease or other conditions, or the cure, mitigation, treatment, or prevention of disease, or is intended to affect the structure or any function of the body of man, the mobile app is a “device.” 21 U.S.C. § 321(h).

Who is Subject to the Draft Guidance?

The draft Guidance applies to “mobile medical app manufacturers,” which include any person or entity that manufactures mobile medical apps in accordance with applicable FDA regulations. This term includes persons or entities that engage in the following types of activities:

• Creating, designing, labeling, remanufacturing, or modifying software systems from multiple components (e.g., creating a mobile medical app using COTS software components).
• Providing mobile medical app functionality through a “web service” or “web support” for use on a mobile platform.
• Creating the original idea (initial specifications) for a mobile medical app, which may be subsequently developed or manufactured by third parties (who would not be the “mobile medical app manufacturer” in this situation).
• Creating a mobile medical app intended for use on a mobile platform, or manufacturing a mobile app to be supported by hardware attachments to a mobile platform with a device intended use.

The definition of “mobile medical app manufacturer” excludes:

• Mobile app marketplaces that exclusively distribute mobile medical apps without engaging in manufacturing functions (e.g., owners/operators of the Apple™ App Store, Blackberry™ App World).
• Mobile platform manufacturers that manufacture and distribute mobile platforms without any medical device intended use (i.e., the fact that a mobile platform could be used to run a mobile medical app does not mean that the mobile platform manufacturer is considered a medical device manufacturer).

What Does the Draft Guidance Regulate?

The draft Guidance is intended to oversee the safety and effectiveness only of “a small subset of mobile medical applications that present a potential risk to patients if they do not work as intended.” This approach focuses on a subset of mobile apps that either have traditionally been considered medical devices or affect the performance or functionality of a currently regulated medical device.

The draft Guidance identifies categories of mobile medical apps for which FDA will apply regulatory oversight and provides examples:

• Mobile apps used as an accessory to a medical device:
  • Mobile apps that control the intended use, function, modes, or energy source of the connected medical device (e.g., apps that control inflation/deflation of a blood pressure cuff through a mobile platform; apps that control delivery of insulin on an insulin pump by transmitting control signals to the pumps from the mobile platform).
  • Mobile apps that create alarms, recommendations, or new data by analyzing or interpreting medical device data (e.g., decision support software that analyzes blood glucose readings to help manage diabetes; automatic electronic blood pressure monitors).

“Accessories” to medical devices generally must comply with the same level of regulatory requirements and controls associated with the connected medical device. However, FDA acknowledges that this approach may be ill-suited to mobile medical apps that serve as accessories to another medical device because of the wide variety of functions mobile medical apps can potentially perform. Accordingly, FDA is seeking comment on how it should regulate “accessory” mobile medical applications.

• Mobile apps that transform a mobile platform into a medical device:
  • Mobile apps that use attachments, display screens, or sensors to provide or include functionalities similar to those of currently regulated medical devices. These mobile medical apps are required to comply with the device classification associated with the transformed platform (e.g., mobile app that uses internal or external sensors on a mobile platform for electronic stethoscope functions must comply with regulatory requirements for an Electronic Stethoscope);
  • Mobile apps that allow the user to input patient-specific information and, using formulas or processing algorithms, generate patient-specific output, such as a result, diagnosis, or treatment recommendation to be used in clinical practice or to assist in making clinical decisions (e.g., mobile apps that provide a questionnaire for collecting patient-specific lab results and compute the prognosis of a particular condition or disease, or that provide differential diagnosis tools that aid a clinician in making a diagnosis or selecting a specific treatment for a patient)

Appendix A to the draft Guidance provides additional examples of mobile medical apps.

The draft Guidance also provides that mobile medical apps that passively and electronically display, store, or transmit patient-specific medical device data in its original format (i.e., function as a secondary display to a regulated medical device and are not intended for providing primary diagnosis or treatment decisions) would be regulated as Medical Device Data Systems (“MDDS”) that are subject to Class I requirements (general controls) and which are exempt from premarket notification requirements.¹ Mobile app manufacturers are subject to the requirements described in the applicable device classification regulations; i.e., they must follow the same regulatory requirements as manufacturers of the medical devices with which the mobile apps are associated. These requirements may include device establishment registration and listing; Quality System Regulation (“QSR”); labeling requirements; premarket clearance or approval; investigational device exemptions (“IDEs”); adverse event reporting; and corrections or removals. FDA expects that distributors of mobile medical apps will cooperate with manufacturers in conducting corrections and removal actions. Appendix C to the draft Guidance provides additional descriptions of applicable regulatory requirements.

What is Excluded?

The draft Guidance expressly does not apply to certain mobile apps that FDA does not consider mobile medical apps, including:

• Medical textbooks, teaching aids, or reference materials, because these apps do not contain patient-specific information (e.g., Physician’s Desk Reference; flash cards or quizzes used for medical training purposes).
• General health and wellness decision tools, because these apps are solely used to log, record, track, evaluate, or make decisions or suggestions related to developing or maintaining general health and wellness, and are not intended to cure, treat, seek treatment for mitigating, or diagnose a specific disease, disorder, patient state, or any specific, identifiable health condition (e.g., dietary tracking logs, appointment reminders, posture or exercise suggestions).
• Administrative applications that automate general office functions, such as billing, inventory, appointments, or insurance transactions (e.g., apps that automate functions like collecting patient histories that replace paper-based entry; reminders for scheduled medical or blood donation appointments).
• Generic non-medical aids that assist users but are not commercially marketed for a specific medical indication (e.g., general purpose magnifying glass, audio recording, or note-taking apps).
• EHR/PHR apps that perform the functionality of an electronic health record system or personal health record system.

In addition, the draft Guidance expressly does not address certain topics, which FDA intends to address through separate guidance(s), including:

• Wireless safety considerations
• Classification and submission requirements  related to clinical decision support software
• Application of quality systems to software
• Mobile medical apps intended to analyze, process, or interpret medical device data (electronically collected or manually entered) from more than one medical device.

“Other Mobile Apps” Face Future Regulation

Some “other mobile apps” that do not meet the definition of a mobile medical app may still meet the statutory definition of a “device.” The draft Guidance provides that FDA intends to exercise its “enforcement discretion” toward these “other mobile apps” under the Federal Food, Drug & Cosmetic Act and applicable regulations. The draft Guidance notes several “other mobile apps” that FDA views as “outside” the scope of the draft Guidance, but which may meet the definition of a medical device and whose performance FDA intends to “monitor” to determine whether additional or different actions are necessary to protect the public health. Examples of these “other mobile apps” may include apps that either automate common medical knowledge available in the medical literature (e.g., allow for general dose over-the-counter drug lookups), or allow individuals to self-manage their disease or condition (e.g., apps that allow a user to log, track, and graph manually-entered data that lead to reminders or alarms).

The draft Guidance does not provide more specifics about which other mobile apps it will monitor, or how it will monitor them. Instead, the draft Guidance “strongly recommends” that manufacturers of these “other mobile apps” should consider following the Quality Systems Regulations (which include good manufacturing practices) for medical devices. The ambiguity in the draft Guidance’s comments regarding to “other mobile apps” creates regulatory uncertainty that may lead to unnecessary expense and increased development costs by mobile app developers who are unsure whether FDA will view their products as “med­ical devices” subject to regulation.

Comment Period and Public Workshop

FDA has requested that comments on the draft Guidance be submitted by October 19, 2011. In addition, on August 12, 2011, FDA announced that it will hold a public workshop entitled, “Mobile Medical Applications Draft Guidance,” to provide a forum for discussion with FDA and to encourage public com­ment on the following topics:

• The draft Guidance;
• How FDA should approach accessories and particularly mobile medical applications that are accessories to other medical devices; and
• Standalone software (mobile or traditional workstation) that provides clinical decision support.

76 Fed. Reg. 50231 (Aug. 12, 2011).

The public workshop will be held on September 12 and 13, 2011, at FDA White Oak Campus, 10903 New Hampshire Ave., Building 31 Conference Cen­ter, the Great Room (rm. 1503), Silver Spring, MD 20993-0002. This workshop will also be provided via webcast. Registration is free and will be on a first-come, first-served basis. Persons interested in attend­ing this workshop in person or via webcast must regis­ter online by 5 p.m. on September 9, 2011.

For additional information, please contact Paul Deeringer in San Francisco office at 415.875.8514 or Robert Roth or Tish Wirth in Washington, D.C. at 202.587.2590.

¹ Earlier this year, FDA on its own initiative issued a Final Rule reclassifying MDDSs from Class III (premarket ap­proval) into Class I (general controls), exempt from premar­ket notification requirements. See 76 Fed. Reg. 8637 (Feb. 15, 2011). FDA’s decision was based, in part, on its de­termination that because an MDDS does not provide new or unique algorithms or functions, general controls should suffice to provide sufficient regulatory control to mitigate any associated risks.

Return to top

Fifth Circuit Rejects Qui Tam Relator’s Shotgun Approach

By Greg Sherman

Fifth Circuit recently applied the public dis­closure bar in a manner that may significantly limit the ability of qui tam relators to maintain False Claims Act (“FCA”) actions against entities that operate in ar­eas where the government already suspects widespread fraud. U.S. ex rel. Jamison v. McKesson Corp., et al., — F.3d —- (5th Cir. 2011), 2011 WL 3370344 (Aug. 5, 2011) (“Jamison”). The Fifth Circuit strongly condemned the practice of relators filing complaints that list numerous defendants but only set forth a general description of a fraudulent scheme that is already known to the government, stating: “We do not countenance such relator lotteries, which are quintessentially ‘parasitic suits by opportunistic late-comers who add nothing to the exposure of fraud’ and which the public disclosure bar is designed to prevent.” Id. at *6 quoting U.S. ex rel. Reagan v. E. Tex. Med. Ctr. Reg’l Healthcare Sys., 384 F.3d 173, 174 (5th Cir. 2004).

Finding that the relevant complaint “included no al­legations specific to the defendants, but merely repeated a general description of fraud easily available in several government documents,” the Fifth Circuit Court of Ap­peals affirmed the district court decision dismissing the qui tam relator. 2011 WL 3370344 at *1.

The relator in Jamison filed his complaint in De­cember 2004 after learning that Beverly Enterprises (“Beverly”) and McKesson Corporation (“McKesson”) entered into a joint venture to supply Beverly’s nursing homes with Durable Medical Equipment (“DME”), and reviewing several government documents that in­dicated such arrangements may be fraudulent. Id. at *2. The complaint named 450 defendants but only described the fraudulent scheme generally, offering no specific allegations against any particular defendant. Id. Accordingly, the district court granted the defendants’ motion to dismiss based on the FCA’s public disclosure bar – 31 U.S.C. § 3730(e)(4) (2006)² – which deprives the district court of jurisdiction when a qui tam relator brings a FCA suit based on publicly available informa­tion. Id.

The defendants identified ten documents – includ­ing Office of Inspector General reports, a Government Accountability Office report and the National Sup­plier Clearinghouse Medicare Part B DMEPOS Sup­plier Directory – that purported to disclose the alleged fraud stated in the complaint. In evaluating whether the district court properly dismissed the relator pursu­ant to the public disclosure bar, the court applied the following three-part test: (1) whether there has been a “public disclosure” of allegations or transactions, (2) whether the qui tam action is “based upon” such pub­licly disclosed allegations, and (3) if so, whether the re­lator is the “original source” of the information. 2011 WL 3370344 at *3.

In determining whether the documents identified by the defendants publicly disclosed the purported fraud, the court recognized that the “public disclosure need not name particular defendants as long as they ‘alerted the government to the industry-wide nature of the fraud’ and enabled the government to readily identify wrongdoers.” Id. at *5 citing In re Natural Gas Royalties, 562 F.3d 1032, 1039 (10th Cir. 2009). Nevertheless, the court also cautioned that the mere disclosure of widespread fraud in a particular in­dustry does not necessarily implicate the public disclo­sure bar because often times the government is gener­ally aware that fraud exists but is still unable to identify all of the actors involved. 2011 WL 3370344 at *5 citing Cooper v. Blue Cross & Blue Shield of Fla., Inc., 19 F.3d 562, 566 (11th Cir. 1994). Applying Cooper, the court determined that “the defendants’ documents, considered alone, were not sufficient publically [sic] to disclose allegations specific to Beverly and McKesson” because nothing in the documents would “‘set the gov­ernment on the trail of’ Beverly or McKesson.” 2011 WL 3370344 at *5 (citation omitted).

Although the publicly available documents did not set the government “on the trail of” Beverly or McKes­son, neither did the relator’s complaint. The court clarified that it was “not examining the public disclo­sures in the abstract but rather [was] comparing them to the allegations in Jamison’s original complaint.” Id. at *6. Like the public disclosures, the original com­plaint contained “no information about any actions specific to Beverly or McKesson.” Id.

Indeed, the court noted that “one could have pro­duced the substance of the complaint merely by syn­thesizing the public disclosures’ description of the joint venture scheme in the DME supplier industry.” Id. Finally, while the complaint named particular defen­dants – which the publicly available materials did not – it listed 450 defendants encompassing a large por­tion of the DME industry in Mississippi. The court rejected this shotgun approach, noting that “[i]t takes no particular knowledge or effort to describe a general scheme of fraud and then list arbitrarily a large group of possible perpetrators.” Id. As a result, the Fifth Cir­cuit held that the relator was appropriately dismissed because the complaint was “based upon” the public disclosures identified by the defendants.

This decision suggests that courts may be wary of qui tam suits that seek to capitalize on government re­ports indicating the existence fraud in a particular in­dustry, but fail to bring any new information to light. Thus, courts may be particularly dubious of qui tam suits that name as defendants large swaths of a sus­pected industry. In such circumstances, courts may be particularly willing to apply the public disclosure bar or even dismiss such suits pursuant to Federal Rule of Civil Procedure 9(b), which requires plaintiffs to plead fraud with particularity.

However, it must also be emphasized that Con­gress recently amended the FCA to essentially allow the government to determine whether a relator should remain in an FCA action even if the allegations in an FCA complaint had been publicly disclosed previously and the relator is not the original source of the allega­tions. See 31 U.S.C. § 3730(e)(4)(A) (2010). Never­theless, it is unlikely the government will want to allow a purely parasitic relator to continue in a case where the government will have to share the proceeds of any settlement or judgment.

Hooper, Lundy and Bookman, P.C., is one of the counsel representing McKesson in this matter, which continues to go forward notwithstanding the absence of the relator, because the government has taken over the case.

For additional information, please contact Patric Hooper in Los Angeles at 310.551.8111; Greg Sherman in San Francisco at 415.875.8500 or Robert Roth or Tish Wirth in Washington, D.C. at 202.587.2590.

¹ The relator subsequently conducted additional investi­gation into the joint venture between Beverly and McKes­son and filed a First Amended Complaint in June 2006. Although the First Amended Complaint contained specific allegations against Beverly and McKesson, the court ap­plied the “long standing rule that the amendment process cannot ‘be used to create jurisdiction retroactively where it did not previously exist,’” and thus looked to the original complaint to determine whether the public disclosure bar applied. 2011 WL 3370344 at *4 quoting Aetna Cas. & Sur. Co. v. Hillman, 796 F.2d 770, 775 (5th Cir. 1986).

² This statute was amended effective July 22, 2010. Pub. L. No. 111-148, 124 Stat. 119, 901 § 10104(j)(2) (March 23, 2010). However, the court noted that the amendment does not apply retroactively to suits pending at the time it became effective. 2011 WL 3370344 at n.6 citing Graham Cnty. Soil & Water Conservation Dist. v. U.S. ex rel. Wilson, 130 S.Ct. 1396, 1400 n.1. (2010). Accordingly, the court applied the law as it existed prior to the 2010 amendments

Return to top

Proxy Credentialing Prohibited, CDPA Says

On August 13, 2011, the California Department of Public Health issued All Facilities Letter (“AFL”) 11-33 regarding telemedicine providers which prohib­its proxy credentialing in California.

Although CMS recently issued regulations permit­ting proxy credentialing and The Joint Commission even more recently issued standards also allowing it, CDPH has taken the position that proxy credentialing is inconsistent with Title 22 standards and is therefore prohibited.

On May 5, 2011, CMS issued final regulations ad­dressing the credentialing and privileging process for physicians and practitioners providing telemedicine services. With the stated purpose of removing the un­due hardship and financial burden of requiring hospi­tals to credential and privilege each practitioner who provides telemedicine services, the CMS regulations al­low medical staffs to rely upon information furnished by distant-site hospitals and telemedicine providers when privileging individual practitioners.

Following this action by CMS, The Joint Commis­sion in July issued standards that also allow hospitals to grant privileges to distant-site practitioners based on an originating site’s credentialing decisions under certain conditions.

Despite the position of CMS and The Joint Com­mission that proxy credentialing is allowable under ap­propriate conditions, the AFL conveys the position of CDPH that California hospitals must do their own cre­dentialing and cannot rely on credentialing performed by distant-site providers. The AFL also underscores that practitioners providing telemedicine services must have current and active California licenses.

The position of CDPH does not prohibit Califor­nia hospitals from using credentialing information pro­vided by the distant-site provider as part of their own credentialing and privileging process.

We have been informed that there are ongoing dis­cussions between the California Hospital Association and CDPH regarding this topic and its application to California Hospitals. Following is a link to the AFL: http://www.cdph.ca.gov/certlic/facilities/Documents/ LNC-AFL-11-33.pdf

For additional information, please contact Harry Shul­man or Clark Stanton in San Francisco at 415.875.8500; Laurence Getzoff in Los Angeles at 310.551.8111; or Jen­nifer Hansen in San Diego at 619.744.7300.

Return to top

ACO Alternatives: Payment Bundling,
Community-Based Care and More

Legal Challenges in Evaluating and Implementing Alternative Value-Based Models

An Interactive Webinar Featuring HLB Attorneys Tuesday, September 20, 2011

10 – 11:30 a. m. PDT       1 – 2:30 p.m. EDT

Addressing:

• Advantages of alternative models over the ACO model
• Key factors to consider when selecting an alternative model;
• Strategies for evaluation and implementation of alternative models

Presenters:

Lloyd Bookman, Partner, Hooper, Lundy & Bookman, P.C., Los Angeles
Robert Roth, Partner, Hooper, Lundy & Bookman, P.C., Washington, D.C.
Robert Minkin, Sr. Vice President, The Camden Group, Los Angeles

Sponsored by Strafford Webinars & TeleconferencesFor Registration & Information:

http://www.straffordpub.com/products/tlvh1a?utmsource=magnetmail&trk=HL2H51-PZJEZZ
&utm medium=email&utm content=&utm campaign=tlvh1a

Legal CLE Available

Return to top

HLB Calendar

Return to top

ADI Suppliers Face Accreditation
HLB Firm and Attorneys Recognized
HLB BRIEFS
HLB Calendar

ACCREDITATION IMMINENT FOR MEDICARE ADVANCED DIAGNOSTIC IMAGING SUPPLIERS

By Nina Adatia

Beginning January 1, 2012, all suppliers who intend to bill the Medicare program for the technical component of advanced diagnostic imaging (ADI) services that are paid under the Medicare physician fee schedule must be accredited by a CMS-approved national accrediting organization.

Section 135(a) of the Medicare Improvements for Patients and Providers Act of 2008 (MIPPA) amended section 1834(e) of the Social Security Act and required the Secretary of the Department of Health and Human Services (the Secretary) to designate organizations to accredit suppliers that furnish the technical component of ADI services. Suppliers include, but are not limited to, physicians and non-physician practitioners, including clinics, and independent diagnostic testing facilities (IDTF). MIPAA specifically defines advanced diagnostic imaging procedures to include diagnostic magnetic resonance imaging, computed tomography, and nuclear medicine imaging, such as positron emission tomography. While the statute allows the Secretary to specify additional types of diagnostic imaging services that may require accreditation, it expressly excludes x-ray, ultrasound, and fluoroscopy procedures, as well as diagnostic and screening mammography, from the accreditation requirement.

Accreditation for ADI services is granted to suppliers of the images themselves and not to the physicians interpreting the images, and suppliers must be accredited for each ADI modality for which they intend to bill. In its implementing regulation, the Centers for Medicare and Medicaid Services (CMS) describes in detail some of the basic areas that must be reviewed for accreditation, including personnel qualifications for non-physician medical staff, medical directors, and supervising physicians, image quality, equipment performance, safety standards for staff and patients, and quality assurance and quality control. See 42 C.F.R. Section 414.68.

Accrediting Organizations Approved

To date, CMS has approved three national accrediting organizations, the American College of Radiology, the Intersocietal Accreditation Commission, and the Joint Commission, to grant accreditation to suppliers of ADI services. The specific quality standards, accreditation cycle, accreditation process and prices differ among these organizations, so suppliers are advised to contact each of the three designated organizations to determine which meets their specific business model and philosophy for patient care.

Existing suppliers who become accredited on or before January 1, 2012 need not submit any paperwork to CMS or its contractors to notify the agency of their accreditation status. The designated accreditation organizations are responsible for transmitting the findings of all accreditation decisions, including identifying information, the accreditation effective date, and the modalities that are included in the accreditation, to CMS or its contractor when those decisions become final.

Going forward, CMS expects to revise its 855 enrollment applications to allow suppliers enrolling in Medicare for the first time to provide their accreditation information directly on those applications.

Suppliers who receive accreditation after January 1, 2012 will only be eligible to receive Medicare reimbursement for ADI services as of the effective date of their accreditation. Thus, to avoid any gaps in reimbursement, suppliers who are already accredited by a designated accrediting organization should ensure that any required renewal information is timely submitted so that their accreditation continues to be effective as of January 1, 2012. Those suppliers that are not yet accredited should begin the accreditation process as soon as possible, if they have not done so already. Though processing times vary depending on the complexity of the supplier organization, the accreditation process is currently estimated to take approximately three to five months upon receipt of a complete application.

For additional information, please contact Stacie Neroni or Nina Adatia in Los Angeles at 310.551.8111; Kitty Juniper in in San Diego at 619.744.7300 or Robert Roth in Washington, D.C. at 202.587.2590.

Return to top

HLB RANKS IN TOP TIER OF LATEST CHAMBERS REVIEW OF LEADING HEALTH LAW FIRMS

Hooper, Lundy & Bookman, PC, has once again been named one of the top three health care law firms in California, according to the latest edition of Chambers USA. The directory is published by the prestigious Chambers & Partners, which produces law firm directories of top-rated law firms throughout the United States and Europe, ranking law firms primarily based on outside interviews with General Counsel, high-profile entrepreneurs and other significant purchasers of legal services.

In addition to the firm ranking, nine HLB attorneys were recognized as top performers in California, more than any other Chambers top-ranked firm. Three California attorneys – Lloyd Bookman, Stephen Lipton and Patric Hooper — were recognized as top performers in the country. In addition, Robert Roth was recognized as a top performer in Washington, D.C.

Following is the text of the firm’s profile, reprinted with permission of Chambers & Partners, USA. We thank all of our clients and friends who contributed to the Chambers review.

THE FIRM

This healthcare boutique receives widespread praise for its uniformly excellent lawyers. It serves a range of healthcare providers and suppliers, including hospitals, pharmacies and long-term care facilities. Transactional work, litigation and regulatory issues are all handled by the group, whose Medicare and Medicaid reimbursement expertise is particularly applauded. In addition to its strong California presence with offices in Los Angeles, San Diego and San Francisco, the firm opened a Washington, DC office in 2010. A recent spate of hires from Davis Wright Tremaine has further strengthened the outfit.

Sources say: “The lawyers have the full scope of services and are totally dedicated to healthcare – their breadth and depth makes it so easy for us to operate.”

KEY INDIVIDUALS

Robert Lundy is widely viewed as “one of the most respected healthcare lawyers in the country.” He continues to represent healthcare industry clients in various transactions including joint ventures, financings, M&A and licensing and certification matters.

Lloyd Bookman is a “first-class healthcare attorney” who is particularly noted for his expertise on reimbursement issues. Lately, he has worked extensively to ensure that clients have programs in place to fully comply with recent changes in legislation.

For over 30 years, Patric Hooper has specialized in litigation against the federal and state governments. Clients applaud his “practical approach.”

Bradley Tully “is superb at regulatory work and very quick at getting to the bottom of every issue.” In addition to his noted Medicare and Medicaid, fraud and abuse and antikickback expertise, he also represents providers in litigation involving regulatory compliance issues.

John Hellow chairs the firm’s regulatory practice group. Recently, his work has focused on defending providers in Medicare False Claims Act disputes involving cost reporting and antikickback-related issues. Clients say: “He is dependable and always makes us feel comfortable and pleased with the results.”

Charles Oppenheim has served as an expert on antikickback and Stark law issues in arbitration and litigation, in both civil and criminal proceedings.

Steven Lipton is a “go-to expert” on state regulatory matters including Stark and antikickback laws. Widely viewed as the “king of Emergency Medical Treatment and Active Labor Act matters,” he is
also praised as “timely, responsive and very easy to deal with.”

Clark Stanton is “a very responsive attorney with fabulous drafting skills.” His practice is focused on medical staff and health information privacy issues.

Paul Smith impresses clients with his ability to “integrate business needs along with the law,” and his skill at “taking very complex issues and breaking them down.”

Return to top

HLB BRIEFS

Recognition

Legal 500 Awards — HLB was recently named as one of the top 500 law firms the country by the Legal 500 United States Directory. In developing the directory, researchers interview CEOs, CFOs and General Counsel with a focus on the national capabilities of law firms.

Super Lawyers — Super Lawyers has recognized the following attorneys as 2011 Super Lawyers, based on peer recognition and professional achievement:

Southern California: Patric Hooper, Robert Lundy, Lloyd Bookman, Bradley Tully, John Hellow, Laurence Getzoff, David Henninger, Charles Oppenheim, Daron Tooch, Linda Kollar and Mark Hardiman.

San Francisco: Mark Reagan, Craig Cannizzo, Steven Lipton, Clark Stanton, Harry Shulman, and Paul Smith.

San Diego: Cary Miller

Rising Stars — HLB Attorneys David Hatch, Hope Levy-Biehl, Karl Schmitz and Devin Senelick have been recognized in the official Super Lawyers Rising Stars Edition for 2011, recognizing Southern California Rising Stars. Felicia Sze has received Rising Star recognition in Northern California.

Litigation Counsel of America — HLB Attorney Linda Kollar received a Spotlight feature in the June/July 2011 issue of LCA’s Litigation Commentary & Review.

Presentations

HLB Attorney Gregory Daniels recently presented a webinar on eDiscovery and EHRs for Progressive Health.

Return to top

HLB Calendar

Return to top

 As many of you are currently involved in contract negotiations, there are a few issues of which you should be aware.

 A.    Blue Distinction Program

        The Blue Cross Blue Shield Association is asking hospitals to sign contract amendments within 30 days requiring all hospital-based physicians and key specialists to have in-network status, except as prohibited by law.  Otherwise, the hospital is required to indemnify and hold BCBSA harmless from all amounts in excess of the in-network rate.  This new proposed amendment raises a number of legal issues, including possible Knox-Keene Act, federal anti-kickback, Stark, and anti-trust violations.  With the California Hospital Association’s permission, we are providing you with links to two letters  that CHA has sent to Blue Cross of California and Blue Shield of California raising concerns with this new requirement.  [CHA-Blue Cross Letter and CHA-Blue Shield Letter]

 B.    Tiering of Providers

         Anthem Blue Cross apparently tiers providers based upon the rates negotiated for certain services, and the amounts Blue Cross’ employer clients are willing to pay for such services.   For example, if a hospital negotiates a case rate for a hip replacement surgery, but Blue Cross’ employer client is only willing to pay a lesser amount for the hip surgery, Blue Cross will designate that hospital as a Tier Two provider.  As a result, the employees of that client will be disincentivized to receive hip replacement surgery at that Tier Two hospital due to higher copayments.

 C.    Q-HIP Agreements

        Anthem Blue Cross is attempting to tie contract rate increases to supposed quality criteria.  The proposed Quality-In-Sights Facility Incentive Program Agreement (Q-HIP Agreement”), however, is vague as to what criteria will be used to judge the quality of care provided by facilities, and it gives Blue Cross the ability to change the criteria unilaterally.

 D.    Other Language Issues

        There are many other issues we have identified in the new Blue Cross contract template.  Such issues include Other Payors, Risk Bearing Organizations, overpayment demands, disallowances of charges, chargemaster adjustments, etc.

 We urge you to carefully consider these issues prior to signing new agreements or amendments.  Please contact us if you require additional information about any of these issues.

 Daron Tooch   
dtooch@health-law.com

BNA Health Care Fraud Report - July 13, 2011

(1)   federal courts have jurisdiction to hear disputes regarding any final determination of the Provider Reimbursement Review Board (“the PRRB”);
and
(2)   the 180-day appeal period to the PRRB can be tolled for equitable reasons, such as when the government withholds information regarding program underpayments.

The Court, therefore, remanded this case to the District Court for further proceedings on the question of whether equitable tolling applies under the facts of this case. Hooper, Lundy & Bookman represents all of the Auburn plaintiffs.   

This decision is important not just because it provides an appeal avenue for providers that originally did not appeal Medicare’s DSH-related adjustments but because it establishes conclusively that jurisdictional dismissals by the PRRB are subject to judicial review.  Perhaps most importantly, however, it establishes that the time for filing an appeal with the PRRB and, perhaps, by extension to other Medicare appeal deadlines, can be tolled for equitable reasons. 

The Secretary has the right to:

• ask the panel that issued the decision for rehearing,
• seek en banc review by the full Court, or 
•  petition the Supreme Court to review this decision. 

At this point, it is unclear what future review, if any, the Secretary may seek.  Because all Medicare-participating hospitals have the right to seek review of agency action in the D.C. Circuit, this decision is potentially applicable to all such hospitals.

Auburn concerns the Medicare disproportionate share hospital (“DSH”) adjustment, which provides additional reimbursement to hospitals serving large numbers of low income patients.  The plaintiffs in this case, 18 Medicare-participating hospitals, allege that the Secretary calculated their DSH payments for fiscal years 1987-1994 using information hidden from the hospitals, which the Secretary knew was incomplete or incorrect, while unlawfully concealing that the information was, in fact, inaccurate.  After the inaccuracy of the concealed information was disclosed in 2006, many years after the close of the first fiscal year at issue, the hospitals filed administrative appeals seeking recalculation of their DSH payment, arguing that the 180-day time period for appealing Medicare payments should be equitably tolled.

The District Court dismissed the hospitals’ complaint for lack of subject matter jurisdiction, finding that the decision of the PRRB dismissing appeals that are filed after the 180-day deadline for filing such appeals are not “final decisions” for purposes of judicial review under 42 U.S.C. §1395oo(a)(1).  Auburn Regional Medical Center v. Sebelius, 686 F.Supp. 2d 55, 63-65 (D.D.C. 2010).  In addition, the District Court held that equitable tolling is not available to toll the 180-day requirement for filing Medicare appeals with the PRRB.  Id. at 70-71. 

 The Court of Appeals reversed the District Court on both counts.  With respect to the “final decision” issue, the Court said:

According to the Secretary and the district court, the Board’s dismissal
of an untimely claim is not a final decision.  We fail to see how this could
be the case.

Slip Op. at 4.   The Court went on to say:

Such a dismissal is final in any sense of the word.  It is not pending,
interlocutory, tentative, conditional, doubtful, unsettled, or otherwise indeterminate.  It is done.

Slip Op. at 5. 

With respect to the equitable tolling claim, the Court stated:

The district court rejected equitable tolling on the ground that “plaintiffs
have proffered nothing suggesting that . . . Congress intended to authorize
equitable tolling for provider claims.”

Slip Op. at 6. 

The Court pointed out that equitable tolling presumptively applies unless there is Congressional intent that it not apply.  Then, after several pages of analysis, the Court concluded “we find that equitable tolling is available under § 1395oo(a).” 

Slip Op. at 10. 

The Court, however, hastened to add that the question of whether tolling “is appropriate in this particular case . . . is a different question that cannot be answered without further factual development” and that “that question is for the District Court on remand.” 

Slip Op. at 10. 

To view the Court’s Opinion: 
 June 24, 2011 Opinion

If you would like more information about this decision and how it could be helpful to your hospital, please contact Bob Roth in Washington, D.C. at  202.587.2590; John Hellow or Mark Hardiman in Los Angeles at 310.551.8111; Mark Reagan in San Francisco at 415.875.8500; or Mark Johnson in San Diego at 619. 744.7300.

Chambers USA has once again ranked HLB in the top tier of California Health Law Firms. The directory is published by the prestigious Chambers & Partners, which produces law firm directories of top-rated law firms throughout the United States and Europe, ranking law firms primarily based on outside interviews with general counsel, high-profile entrepreneurs and other significant purchasers of legal services.

This year HLB is one of only three firms to receive top-tier recognition by Chambers. In addition, a number of HLB attorneys were recognized by Chambers as top health law attorneys in California, Washington, D.C. and nationally.

Robert Lundy, Lloyd Bookman, Patric Hooper, Bradley Tully, John Hellow, Charles Oppenheim, Steven Lipton, Clark Stanton and Paul Smith were all ranked as top California health law attorneys. Robert Roth was recognized as a top Washington, D.C. health law attorney. Additionally, Lloyd Bookman, Steven Lipton and Patric Hooper were recognized as top health law attorneys nationwide.

To view the full Chambers USA profile of the firm, go to: http://www.chambersandpartners.com/USA/Editorial/42795

Legal 500 Awards

HLB was also recently named as one of the top 500 law firms in the country by the Legal 500 United States Directory. In developing the directory, researchers interview CEOs, CFOs and general counsel with a focus on the national capabilities of law firms.

Super Lawyers

Super Lawyers has recognized the following attorneys as “2011 Super Lawyers,” based on peer recognition and professional achievement:

Southern California:  Patric Hooper, Robert Lundy, Lloyd Bookman, Bradley Tully, John Hellow, Laurence Getzoff, David Henninger, Charles Oppenheim, Daron Tooch, Linda Kollar and Mark Hardiman.

San Diego:  Cary Miller

Rising Stars

HLB Attorneys David Hatch, Hope Levy-Biehl, John Mills, Karl Schmitz and Devin Senelick have been recognized in the official Super Lawyers Rising Stars Edition for 2011, recognizing Southern California Rising Stars.

OIG Provides Roadmap For Future SNF Audits
CMS Proposes Changes to States’ Medicaid Access Process
HLB Calendar

OIG Provides Roadmap For Future SNF Audits

By Greg B. Sherman

In December 2010, the Department of Health and Human Services’ Office of Inspector General (OIG) released a report entitled “Questionable Billing By Skilled Nursing Facilities” (OEI-02-09-00202). This is the first report in a three-part series that focuses on Medicare Part A Payments to Skilled Nursing Facilities (SNFs).¹ The report analyzed SNF billing practices between 2006 and 2008, and identified three billing practices that it characterized as “questionable,” including: (1) billing ultra high therapy Resource Utilization Groups (RUGs) at a purportedly disproportionally high rate, (2) identifying a purportedly high number of residents as needing a high level of assistance with activities of daily living (ADLs), and (3) allegedly keeping residents in the facility longer than medically necessary as evidenced by unusually long average lengths of stay.

Accordingly, the Medicare program integrity contractors – such as Recovery Audit Contractors (RACs), Zone Program Integrity Contractors (ZPICs) and Medicare Administrative Contractors (MACs) – are likely to “mine” SNF billing data to identify SNFs that exhibit one or more of these “questionable billing practices” and subject them to audits.

The SNF Prospective Payment System

The OIG report identified two aspects of the SNF prospective payment system that SNFs supposedly utilized to achieve higher reimbursement rates. First, the report suggested that SNFs used “grace periods” – a mechanism that allows SNFs to extend the last dayof a look-back period – to capture additional thera­py minutes. The OIG report noted that SNFs used “grace periods” for 96 percent of high therapy RUGs, compared to 55 percent for other therapy RUGs. The OIG report suggested that SNFs were able to increase the number of beneficiaries classified as receiving an ultra high level of therapy through this practice. Sec­ond, the OIG report indicated that SNFs manipulated beneficiaries’ ADL scores in the Minimum Data Set (MDS) assessment tool to show that they needed a high level of assistance with ADLs.

OIG Findings and Recommendations

The OIG found that between 2006 and 2008, SNF billings for ultra high therapy increased substan­tially even though beneficiaries’ ages and diagnoses at admission were largely unchanged in the sample pe­riod. For example, 17 percent of all RUGs were for ultra high therapy in 2006, whereas the share of ultra high therapy RUGs increased to 28 percent in 2008. As a result, payments to SNFs for ultra high therapy rose from $5.7 billion in 2006 to $10.7 billion in 2008. Further, the report emphasized that for-profit SNFs were more likely to bill for higher paying RUGs than were non-profit and government operated SNFs. Among privately owned SNFs, those operated by large chains² were more likely to bill for ultra high therapy than SNFs that were part of a small chain or inde­pendently owned. In sum, the report suggested that SNFs, particularly for-profit SNFs operated by large chains, were gaming the system to bill the ultra high therapy RUGs more frequently than would otherwise be justified.

The OIG similarly found that between 2006 and 2008, the percentage of RUGs with high ADL scores increased even though beneficiaries’ ages and diagno­ses at admission were largely unchanged. The OIG found that 30 percent of RUGs had high ADL scores in 2006, whereas 34 percent of RUGs included high levels of assistance in 2008. Again, for-profit SNFs were more likely to bill for high ADLs than their non­profit and governmental counterparts, and SNFs that were part of large chains were more likely to bill for high ADLs than SNFs that were part of small chains or independently owned.

Finally, the OIG noted that for-profit SNFs were more likely to have longer average lengths of stay than nonprofit SNFs. Whereas the average length of stay at non-profit SNFs ranged from 23 days to 24 days, the average length of stay at for-profit SNFs ranged from 28 days to 31 days.

As a result of these findings, OIG made the following recommendation to CMS:

1. Monitor overall payments to SNFs and adjust RUG rates, if necessary, to ensure that overall payments to SNFs remain the same.
2. Change the current method for determining how much therapy is needed to ensure appropriate pay­ments. Specifically, the OIG recommended that CMS should look beyond the amount of therapy that the SNF provided during the look-back peri­od and take other factors – such as the beneficiary’s hospital diagnosis – into consideration when de­termining the amount Medicare pays for therapy. The OIG also encouraged CMS to consider developing guidance that would specify the types of pa­tients for whom each level of therapy is appropriate.
3. Strengthen monitoring of SNFs that are billing for higher paying RUGs. In addition to recommend­ing that CMS instruct its contractors to increase their monitoring of SNFs that bill for higher paying RUGs, OIG encouraged CMS to develop thresh­olds for each measure discussed in the report and instruct their contractors to conduct additional reviews of SNFs that exceed the thresholds.
4. Follow-up on the SNFs identified as having ques­tionable billing practices. The OIG indicated that it would refer a list of 348 SNFs it identified as having questionable billing practices to CMS for appropri­ate action.

CMS’ Response to OIG Recommendations

CMS responded to the OIG report by noting that it was also concerned with the increased utiliza­tion of the highest paying therapy RUGs and asserted that the changes it made in the fiscal year 2010 SNF Prospective Payment System Final Rule were designed to address these concerns. In the 2010 SNF Prospec­tive Payment System Final Rule, CMS made the fol­lowing changes: (1) it recalibrated the nursing case-mix indexes, (2) it finalized the Resource Utilization Group Version 4 (RUG-IV) classification system³, and (3) it finalized a new version of the MDS assessment instru­ment. CMS stated that it believes that these changes will result in more accurate SNF payments.

Nevertheless, CMS accepted three of the OIG’s recommendations. CMS agreed that overall payments to SNFs should be monitored and adjusted as necessary. Accordingly, CMS stated that it would assess the impact of its recent changes to the Prospective Payment System on overall SNF payments and would recalibrate RUG rates in future years, as appropriate. CMS also concurred with the recommendations that it should strengthen monitoring of SNFs that are billing for higher paying RUGs. As a result, MACs are likely to identify SNFs that are billing a disproportionately high number of ultra high therapy RUGs and subject them to additional scrutiny. Finally, CMS agreed to for­ward the list of SNFs that the OIG identified as having questionable claims to the RACs and MACs.

CMS did not agree with the OIG’s recommenda­tion to change the current method for determining how much therapy is needed in order to ensure appropriate payments. CMS set forth several concerns with the OIG’s recommendation that it rely on hospital diagnosis data for determining the appropriate amount of ther­apy services in a SNF. For example, CMS noted that SNFs do not always receive information from hospitals in a timely manner. Moreover, CMS recognized that the hospital diagnosis may not be the primary reason for post-acute SNF services. Finally, CMS stated that therapy utilization in acute care hospitals would not be an accurate indicator of post-acute care therapy needs because hospitals do not generally provide high levels of therapy.

Recommendations For Providers

Given the increased scrutiny that claims for therapy services are likely to receive, SNFs should be sure to review their Part A documentation as part of their ongoing compliance activities. Likewise, SNFs should also make the ongoing review of their Part B therapy billings a regular part of their compliance activities. Further, SNFs should use experienced billing consultants to conduct periodic audits of therapy claims and to otherwise work with in-house or contracted therapy providers to ensure that their documentation is fully compliant with Medicare coverage provisions. Moving forward, it will be particularly important for each beneficiary’s medical record to be complete and demonstrate the need for the therapy and assistance services provided. Finally, should a Provider have concerns about its past billing practices or find itself subject to audit by CMS or its contractors, it would be wise to consult experienced counsel.

For additional information, please contact Mark Reagan, Scott Kiepen or Greg Sherman in San Francisco at 415.875.8500; or Mark Johnson in San Diego at 619.744.7300.

¹ The forthcoming studies include: Medicare Part A Payments to Skilled Nursing Facilities (OEI-02-09-00200), which investi­gates the extent to which SNF claims meet Medicare require­ments under Medicare Part A, and Medicare Requirements for Quality of Care In Skilled Nursing Facilities (OEI 02-09- 00201), which assesses the extent to which SNFs meet certain federal requirements governing the quality of care provided to beneficiaries.

² The OIG defined a “large chain” as one that owned over 100 SNFs.

³ CMS finalized RUG-IV classification system in the 2010 SNF Prospective Payment System Final Rule. Under RUG-IV, the number of RUGs will increase from 53 to 66. 74 Fed.Reg. 40288, 40338 (Aug. 11, 2009).

Return to top

CMS Proposes Changes to States’ Medicaid Access Process

By Felcia Y Sze

On May 6, 2011, the United States Depart­ment of Health and Human Services, Centers for Medicare & Medicaid Services (CMS) published a proposed rule, entitled “Medicaid Program; Methods for Assuring Access to Covered Medicaid Servic­es.”

This proposed rule seeks to create a standardized, transparent process for States to follow as part of their broader efforts to assure that Medicaid payments are consistent with “efficiency, economy, and quality of care and are sufficient to enlist enough providers so that care and services are available [to Medicaid bene­fi ciaries]. . . to the extent that such care and services are available to the general population in the geographic area” as required by 42 U.S.C. section 1396(a)(30)(A) (Section 30(A)). CMS proposes amendments to 42 C.F.R. sections 447.203 (documentation of access to care and service payment rates), 447.204 (Medicaid provider participation and public process to inform access to care), and 447.205 (public notice of chang­es in Statewide methods and standards for setting payment rates).

The proposed rule attempts to establish steps for States to follow in demonstrating and monitor­ing Medicaid access. CMS proposes that States must conduct access reviews for a subset of services each calendar year and release the results through public records or a web site by January 1st of every year.¹ CMS further proposes that each service must be reviewed at least once every five years. Any such reviews would be required to include the specific measures that the State used to analyze access to care by geographic location, discuss the measures in the context of the MACPAC three-part framework², discuss any issues with access that were discovered as a result of the review, and make a recommendation about the consistency with the requirements of Section 30(A). CMS also intends to create a template for States to report and make pub­licly available the data analysis under the proposed rule. CMS currently believes that the reviews should minimally address the data elements reviewed under the MACPAC recommended framework, including the information gathered on beneficiary experience, and the Medicaid payment rate comparison.³

Special Rate Reduction Provisions Proposed

CMS also proposes special provisions for proposed provider rate reductions or restructuring, including: (1) the access review for the service in question must have been completed within the prior 12 months and have demonstrated sufficient access for any service for which the State proposes to reduce payment rates or restructure provider payments; (2) a State must develop procedures to monitor continued access to care after the implementation of the rate reduction or payment restructuring4; and (3) States would have to conduct a public process prior to submitting State plan amendments that propose Medicaid provider payment rate reductions or changes in the provider payment structure. CMS intends that this public process afford beneficiaries, providers and other interested parties a meaningful opportunity to provide input and feedback on the impact that the proposed rate reductions will have on efficiency, economy, and ac­cess to care. A State, in turn, would be required to maintain a record of the volume and nature of the response to any input it receives.

Lastly, the proposed rule amends 42 C.F.R. section 447.205 by permitting States to utilize electronic publication as a means to notify the public of payment policy changes.

Specific Comment Requests

In the proposed rulemaking, CMS specifically solicited comments on the following topics:

• Additional data measures that may be useful in measuring access.
• Any existing data sources that address general access to medical services.
• The content of the access template and the important areas that States should address in their reviews.
• Whether the data review should be required on an ongoing basis if the beneficiary data demonstrates adequate access to care.
• The most reliable ways to gather beneficiary input across diverse groups of people.
• Whether specific elements regarding the public process involving stakeholders should be required.
• What types of changes should require public notice.
• Whether it is appropriate for CMS to clarify the public notice requirement at this time.
• Possible national or State-specific access threshold tests.
• Whether there should be particular indicators that CMS should regard as an irreducible minimum standard for access review.
• Whether a single or small set of federally determined indicators is preferable administrative­ly to a broader set of State determined indicators of access.

Hooper, Lundy & Bookman, P.C. is currently assisting clients to develop comments to these proposed rules before the July 5, 2011, deadline. Please contact Lloyd Bookman or Jordan Keville in Los Angeles at 310.551.8111; Craig Cannizzo, Mark E. Reagan or Felicia Y Sze in San Francisco at 415.875.8500; Mark Johnson in San Diego at 619. 744.7300 or Tish Wirth in Washington D.C. at 202. 587.2590 to further discuss commenting on these proposed rules.

¹ While states would have an ongoing responsibility to perform such reviews, they would not be required directly by the proposed rule to adjust payment rates.

² CMS acknowledges that it is not aware of any standardized, transparent methodology that is broadly accepted to definitively measure access to health care and services. However, CMS in its proposed rulemaking relies heavily on a report issued in March 2011 by the Medicaid and CHIP payment and Access Commission (“MACPAC”). The MACPAC report set out a three-part framework for analyzing access to care, which considers: (1) enrollee needs; (2) the availability of care and providers; and (3) utilization of services.

³ CMS proposes that the access review include the following: (1) an estimate of the percentile, which Medicaid payment represents of the estimated average customary provider charges; (2) an estimate of the percentile, which Medicaid payment represents of one, or more, of the following: Medicare payment rates, the average commercial payment rates, or the applicable Medicaid allowable cost of the services; and (3) an estimate of the composite average percentage increase or decrease resulting from any proposed revision in payment rates.

⁴ CMS would permit states to identify access issues and submit a corrective action plan within 90 days of discovering the problem.

Return to top

HLB Calendar

Return to top

Changes to Medicare Provider/Supplier Enrollment Process
Regulatory Non-compliance Not Basis for FCA Liability
HLB Briefs
HLB Calendar

Mississippi District Court Finds that Regulatory Non-compliance is Not a Basis for False Claims Act Liability

By Tracy Jessner

A federal district court in Mississippi issued an opinion in United States of America, ex rel., Thomas F. Jamison v. McKesson Corporation, et al., granting partial summary judgment in favor of the defendants, finding that instances of alleged regulatory non-compliance alone do not create an objective falsehood for the purposes of False Claims Act liability, especially when the claimant acts in good faith.

At issue was a subsidiary company formed by Beverly Enterprises, Inc., to supply enteral nutrition, urological, and ostomy products to Beverly Enterprises’ 300 nursing facilities nationwide. In 2003, the supply company applied for, and received, a Medicare Part B DMEPOS supplier number. As part of the application process, Palmetto GBA National Supplier Clearinghouse inspected the supply company’s premises, reviewed documents, and declared it eligible to receive a supplier number. Three years later, upon re-enrollment, Palmetto re-inspected the supply company, and once again found the company to be compliant with Medicare standards.

Problems arose, about six months later, when Palmetto notified the supply company that it was in violation of one or more of the “21 Supplier Standards,” and later sent notice that the company’s supplier number would be revoked. Palmetto cited numerous violations, including failure to report changes in information, and failure to have DME licenses in every state in which the company dispensed supplies. In response, the company submitted documentation supporting its compliance with the standards. The supply company had a DME license in the state in which it was located, but because the products were only supplied to patients in nursing homes, the company did not believe the medical equipment license laws of other states applied to it. However, the company submitted a corrective action plan and applied for licensure or exemption in 14 states, but confirmed that licensure was not required in the remaining states where it operated. The company further filed a Notice of Appeal of the revocation of its supplier number. In 2008, CMS notified the company that, upon review of its corrective action, its supplier number was reinstated, retroactive to the date of revocation.

A year later, Palmetto notified the company that it was not in compliance with the supplier standards, once again asserting that the company did not have the necessary DME licenses in the states in which it was operating. Palmetto sent the company a notice of revocation, stating that the company failed to have DME licenses in 13 states. The company submitted another corrective action plan. It further responded by submitting copies of the licenses it did possess, confirming that it did not supply any facilities in 3 of the states cited, and contending that licensure was not necessary in the other states. Palmetto responded to the corrective action plan, maintaining that it would still revoke the company’s billing number. The company requested reconsideration, but a Medicare hearing officer upheld Palmetto’s decision. The company then appealed the decision, and subsequently reached a settlement with CMS. An ALJ dismissed the case, holding that CMS agreed that the company was in compliance with Medicare supplier standards, and reinstated its supplier number retroactive to the effective the date of its revocation.

In the meantime, the United States filed an action against the supply company, its parent companies and its billing agent, alleging that the defendants violated the False Claims Act and Anti-Kickback Statute by submitting claims to Medicare for DME that stemmed from illegal kickback arrangements concerning business referrals and discounts. The government also contended that the defendants set up the supply company as a sham DME provider, and that all claims presented under the company’s billing number were false, alleging that the company did not comply with the supplier standards.

The defendants filed a motion for partial summary judgment on the basis that the allegations of false claims due to non-compliance with the supplier standards were barred by the doctrines of res judicata or collateral estoppel. The government filed a motion for partial summary judgment, on the basis that the company violated the conditions of participation under Medicare. The defendants then filed a cross-motion for summary judgment, alleging that the government could not show violations of the False Claims Act, as no claim submitted was “false,” “knowingly made,” or “material.”

The court found in favor of the defendants, for four reasons: (1) the company was at all times entitled to payment by Medicare, (2) the government did not prove an objective falsehood necessary for a finding of a false claim, (3) the government failed to prove noncompliance with any particular supplier standard, and (4) the defendants acted in good faith reliance on Palmetto and CMS’s determinations of compliance.

The court noted that Palmetto, after investigating and reviewing the company, found it to be in compliance during its initial enrollment, as well as its re-enrollment three years later. Moreover, both times the company’s supplier number was revoked; it was reinstated, retroactive to its date of revocation. Therefore, at all relevant times, the company was a valid DMEPOS supplier, and entitled to payment under Medicare.

Furthermore, the court found that the government’s contentions were based on subjective interpretation of the defendants’ regulatory duties, and not an objective falsehood. The court cited to United States v. Southland Mgmt. Corp., 326 F.3d 669 (5th Cir. 2003), for the proposition that where there are legitimate grounds for disagreement over a regulatory provision, and the claimant acts in good faith, the claimant cannot be said to have knowingly presented a false claim. The company relied in good faith on Palmetto and CMS’s decisions. Although the Department of Justice may have a different interpretation of the regulations than Palmetto or CMS, that cannot support an allegation of a false claim violation.

The court also found that the government did not put forth sufficient evidence that the company did not comply with the supplier standards. To the contrary, Palmetto and CMS confirmed that the company was in compliance. Therefore, the court held that the defendants could not be found to have submitted false claims where the governmental agency charged with compliance certified that the company was, indeed, compliant with the regulations.

Lastly, the court held that the False Claims Act should not be used by the government as a vehicle for enforcing technical compliance with administrative regulations. It cited various federal appellate court cases, stating that the False Claims Act is not a general “enforcement device” for federal regulations, and was not designed for use as a “blunt instrument” to enforce compliance.

The case remains ongoing, to determine False Claims Act liability for other alleged violations, including the Anti-Kickback Statute, relating to allegations of discounts and referrals. Hooper, Lundy & Bookman is participating in this case as special health care counsel for McKesson.

For additional information, please contact Patric Hooper or Ms. Jessner in Los Angeles at 310.551.8111.

Return to top

Significant Changes Enacted to Medicare Provider and Supplier Enrollment Process

By Nina Adatia

The March 23, 2010 Affordable Care Act (ACA) called for a number of significant changes to the Medicare provider and supplier enrollment process, and on February 11, 2011, the Centers for Medicare and Medicaid Services (CMS) published a final rule that provided details about how some of these changes are to be implemented. Three of the most significant changes include the establishment of different levels of scrutiny for different types of Medicare providers and the institution of Medicare enrollment application fees, which went into effect on March 25, 2011, and the ability of CMS to impose temporary moratoria on enrollment.

Screening

The ACA calls for specific levels of screening and the use of specific screening procedures for providers and suppliers enrolling in Medicare, Medicaid, and Children’s Health Insurance Program (CHIP), effective March 25, 2011. In its final rule, CMS established three specific levels of risk — limited, moderate, and high — to which every provider and supplier type is assigned:

CMS also acknowledged that a particular provider or supplier (or group of providers or suppliers) may pose a higher fraud risk than the general level for its recognized category.

Accordingly, CMS declared that it may raise the risk category from “limited” or “moderate” to “high” under the following circumstances:

(1) CMS imposes a payment suspension on a provider or supplier at any time in the last 10 years;

(2) the provider or supplier (or an individual who maintains a 5 percent or greater direct or indirect ownership interest in such provider or supplier) has had a final adverse action-as that term is defined in 42 C.F.R. § 424.502-imposed against it within the previous 10 years; or

(3) CMS lifts a temporary moratorium for a particular provider or supplier type and such a provider or supplier applies for enrollment within 6 months of lifting the moratorium.

CMS requires the use of specific enrollment screening tools for each of the risk categories identified as follows:

Notably, the fingerprint-based criminal history record checks will be required of all individuals who maintain a 5% or greater direct or indirect ownership interest in the provider or supplier, but not for officers, directors, and managing employees who do not hold a 5% or greater ownership interest in the provider or supplier. However, CMS has declared that it plans to publish subregulatory guidance on the fingerprint-based record check process, and will delay implementation of this screening tool until 60 days following publication of the subregulatory guidance to allow for coordination of the policy with law enforcement agencies, address privacy concerns, and educate and prepare providers and contractors.

CMS specifically allows a State to rely on the results of the screening conducted by Medicare to fulfill provider screening requirements under Medicaid and CHIP; for Medicaid-only and CHIP-only providers, States are to follow the same screening procedures that CMS and its contractors follow for Medicare providers and suppliers.

Application Fees

The ACA also requires the Secretary to impose an application fee on each “institutional provider of medical or other items or services or supplier,” other than eligible professionals, to fund provider screening and other program integrity efforts. In its final rule, CMS declares that applications received on or after March 25, 2011 are required to include the application fee, set at $505 for FY 2011, or, in the alternative, a request for a hardship exception to the application fee.

CMS defines “institutional provider” (i.e. the providers subject to the application fee) as “any provider or supplier that submits a paper Medicare enrollment application using the CMS-855A, CMS-855B (not including physician and nonphysician practitioner organizations), CMS-855S or associated Internet-based Provider Enrollment, Chain, and Ownership System (PECOS) enrollment application. While the fee is not required for a physician or nonphysician practitioner (regardless of whether he/she is organized in a small group practice), the fee is required when a physician submits an application to enroll as another supplier type (i.e. as a supplier of durable medical equipment, prosthetics, orthotics and supplies). CMS requires the application fee for each application for initial enrollment, revalidation, or to establish a new practice location.

Providers are required to submit the application fee online at www.Pay.gov, whether the application itself is submitted electronically or in hard copy. The website is operated by the U.S. Department of Treasury and allows providers to make online payments by electronic check, credit card, or debit from a checking or savings account. The contractor will not begin processing an application until the fee has been paid or the hardship exception request has been approved. In the event a provider fails to submit the fee or hardship exception request, the Medicare contractor may reject the application entirely, or in the case of revalidation applications, revoke existing billing privileges.

CMS adopted special rules for providers and suppliers that participate in Medicare and Medicaid and/or CHIP. Specifically, a provider or supplier that participates in more than one of these programs is only subject to the application fee under Medicare, at the time of Medicare enrollment, and that fee covers screening activities for enrollment in all programs. Where a provider or supplier participates in Medicaid but not Medicare, the State may collect the application fee under the same criteria as the Medicare program, and the State will be responsible for conducting the provider screening activities for such providers.

Should a provider choose to submit a request for a hardship exception, such request must be submitted with the application, and will not be considered if submitted separately. The provider must make a strong argument to support its request, including providing comprehensive documentation, which may include cost reports, financial reports, cash flow statements, tax returns, and the like. CMS has 60 days to decide whether to grant or deny a hardship request; if CMS denies the request, the provider must either submit the application fee (within 30 days of the notice of denial) or submit a written reconsideration request (within 60 days of the notice of denial). Procedures for filing a reconsideration request are outlined in Chapter 15, Section 19 of the Program Integrity Manual.

Temporary Moratoria

The ACA allows CMS to impose temporary moratoria on enrollment to protect against a significant risk of fraud, waste, or abuse. CMS’s final rule establishes the parameters for the agency’s ability to impose such moratoria. According to the rule, CMS may implement a moratorium on the initial enrollment or establishment of new practice locations for certain types of Medicare providers and suppliers, either in a particular geographic area, or nationally. A moratorium would be imposed for a period of six months and could be extended in six-month increments if CMS deems it necessary. CMS is required to announce any moratoria, and the rationale for imposing such moratoria, in the Federal Register.

For initial and new location applications that involve the affected provider or supplier type, the moratorium will apply as follows:

In addition to the topics discussed in detail above, CMS’s final rule also discusses payment suspensions, compliance programs, and provider termination. Most notably, with respect to terminations, CMS specifically responded to provider concerns that arose in response to Section 6501 of the ACA, which requires State Medicaid plans to terminate the participation of any individual or entity if participation of such individual or entity is terminated under Medicare or another state’s Medicaid program.

Providers had become concerned over the potential for terminations of affiliated providers when one provider had been terminated in another State. CMS expressly responded to this concern, explaining that the ACA does not require the termination of affiliates of terminated entities, and accordingly, CMS would not require States at this time to terminate affiliates of those individuals or entities that have been terminated by another Medicaid program or had their billing privileges revoked by the Medicare program.

For additional information, please contact Stacie Neroni or Ms. Adatia at 310.551.8111.

Return to top

HLB Briefs

Elections

San Diego Partner Kitty Juniper has been elected to the Board of Directors of the San Diego Volunteer Lawyers Program. SDVLP is San Diego County’s oldest and largest pro bono legal services organization.

Return to top

HLB Calendar

Return to top

Medi-Cal Inpatient Rate Freeze Barred
Revised Medical Staff Bylaw Standard In Effect
Managed Care Update
HIPAA Violations Earn Record Penalties
HLB Calendar

Court Bars California from Implementing Inpatient Medi-Cal Rate Freeze

The State of California is prohibited from implementing a freeze on the rates paid under the Medi-Cal program to hospitals for inpatient services, pursuant to a preliminary injunction granted by the U.S. District Court for the Eastern District of California on March 4.

The preliminary injunction follows a temporary restraining order issued by the same court on January 28, which prevented the rate freeze from going into effect January 31, as had been planned by the California Department of Health Care Services.

Hooper, Lundy & Bookman (HLB) filed a complaint against the Director of the California Department of Health Care Services on behalf of the California Hospital Association (CHA), after the California Legislature enacted the rate freeze as part of the budget process for the 2010-2011 fiscal years. In that complaint, CHA alleged, among other things, that:

• California attempted to implement the rate freeze without prior approval of the federal Medicaid agency, which is required under federal law;
• Since the rate freeze expressly negated provisions in hospital contracts with the State that otherwise would have resulted in increased payment rates for the hospitals, the freeze impermissibly impaired hospitals’ contractual rights in violation of the United States and California Constitutions; and
• Because hospitals are barred from recovering damages in federal court due to the sovereign immunity afforded the State by the 11th Amendment to the United States Constitution, California hospitals would be irreparably harmed by the rate freeze, were it to go forward.

In a lengthy, detailed ruling, Judge Frank Darrell, Jr. effectively agreed with the earlier TRO ruling, finding that CHA was likely to prevail on the two legal arguments set forth above and that CHA had demonstrated that hospitals would suffer irreparable financial harm as a result of the freeze. Due to the preliminary injunction, the State remains barred from implementing the freeze.

For more information, please contact Lloyd Bookman or Jordan Keville in Los Angeles at 310.551.8111; Mark Reagan or Craig Cannizzo in San Francisco at 415.875.8500; or Mark Johnson in San Diego at 619.744.7300.

Return to top

Revised Medical Staff Bylaws Standard Goes Into Effect

A revised Medical Staff Bylaws Standard (MS.01.01.01) approved last year by the Joint Commission, will go into effect March 31. Originally proposed in 2004 (then known as MS.1.20) the standard ignited immediate controversy within the hospital industry.

Over the following years the standard was the subject of clarifications, retractions and revisions before finally being suspended altogether. The Joint Commission eventually formed a task force that drafted the standard now known as MS.01.01.01, which the Joint Commission approved and adopted in April, 2010.

The revised standard establishes new requirements regarding the content of medical staff bylaws and the processes for the proposal and approval of medical staff bylaws, rules and regulations, and policies. Although the degree of change needed to comply with the revised standard will vary from medical staff to medical staff, all medical staffs will need to make at least some revisions to their bylaws.

Elements of the revised standard that will likely require bylaw changes include the following:

• The bylaws must allow the organized medical staff to propose amendments to the medical staff bylaws, rules and regulations, and policies directly to the hospital’s governing body;
• The bylaws must describe the authority delegated to the medical executive committee to act on the medical staff’s behalf (e.g., to propose and approve new or revised rules and regulations); and how such authority is delegated or removed;
• In addition to the existing requirement that bylaws include a process for managing conflicts between the organized medical staff and the governing body (such as a joint conference committee), the bylaws must also include a process for addressing conflicts between the medical staff and the medical executive committee (e.g., over policies or rules and regulations);
• The bylaws must describe the process for recall of all members of the medical executive committee, not just the officers and department chairs;
• For the medical executive committee to be able to make any non-substantive changes to the bylaws without requiring approval of the organized medical staff (such as reorganization or renumbering, technical corrections needed due to errors in punctuation, spelling, grammar or syntax, or inaccurate or missing cross-references), there must be authorization for this in the bylaws; and
• The bylaws must include requirements for completing and documenting medical histories and physicals for hospital patients.

The revised standard allows some flexibility in meeting these requirements. For example, the bylaws may establish minimum thresholds of support from the organized medical staff for proposed amendments to bylaws, rules and regulations or policies before they could be presented directly to the governing body.

Hospitals undergoing CALS or Joint Commission surveys on or after March 31st will be expected to have their medical staff bylaws in compliance with the revised standard. Given that compliance requires some amount of bylaw revision, the process necessarily takes some time. Hospitals that have not yet completed the process are urged to do so as promptly as they can.

If you have any questions about the MS.01.01.01 standard or would like assistance with bylaw review or revision, please contact Larry Getzoff in Los Angeles at 310.551.8111; Harry Shulmanor Clark Stanton in San Francisco at 415.875.8500; Cary Miller in San Diego at 619.744.7300; Robert Roth or Tish Wirth in Washington, D.C. at 202.587.2590.

Return to top

Managed Care Update: When is Reasonable and Customary Neither Reasonable Nor Customary?

By Amanda Hayes

As more hospitals go out of network with health plans, health plans are employing “reasonable and customary” payment strategies that result in lower non-contracted payments in an apparent effort to force hospitals back into their networks.

Hooper, Lundy & Bookman’s (HLB) litigation department is currently handling cases for several California hospitals to challenge the use of such tactics. In those suits we have alleged that various reasonable and customary payment methodologies employed by California and out of state insurers violate the law because they neither follow the guidelines for such payments nor do they result in a reasonable payment for emergency and post-stabilization services.

Due in part to the growing number of disputes, California law is developing quickly in this area. Recent California court decisions have made it clear that health plans must pay for emergency and post-stabilization care rendered to their members, that such payments must be made directly to the providers and must result in a reasonable reimbursement. For example, the California Court of Appeals held that when a health plan member receives emergency care from a non-contracted provider, an implied contract arises between the non-contracted provider and the member’s health plan which requires the health plan to reimburse the provider for the services rendered to the member.¹ As a result of this implied contract, health insurers must pay a reasonable value for the medical services provided.

The California Supreme Court recently held that emergency medical providers could not “balance bill” patients for the difference between what they charged and the amount paid by the health plans.² The Supreme Court reasoned that:

billing disputes over emergency medical care must be resolved solely
between the emergency room doctors, who are entitled to a reasonable
payment for their services, and the HMO, which is obligated to make that
payment. A patient who is a member of an HMO may not be injected into
the dispute. Emergency room doctors may not bill the patient for the
disputed amount.³

The Supreme Court made it clear that patients should not be placed in the middle of billing disputes between insurers and providers. Even so, insurers have continued to have policies which say that patients are responsible for amounts above customary and reasonable payments made by the insurer. Insurance policies which make the member financially responsible for the balance the bill, and force non-contracted hospitals to balance bill patients for unpaid amounts appear to violate the law.

California regulations and case law require health plans to consider six factors when calculating reasonable and customary payments to non-contracted providers:

the payment of the reasonable and customary value for the health care
serrvices rendered based upon statistically credible information that is
updated at least annually and takes into consideration: (i) the provider’s
training, qualifications, and length of time in practice; (ii) the nature of
the services provided; (iii) the fees usually charged by the provider;
(iv) prevailing provider rates charged in the general geographic
area in which the services were rendered; (v) other aspects of the economics
of the medical provider’s practice that are relevant; and (vi) any unusual
circumstances in the case.⁴

These are the same factors that California courts have established to determine reasonable payments to health care providers.⁵ Therefore, all California health plans must pay non-contracted provider claims based on a methodology that takes these factors into account.

Health plan methodologies for reimbursing non-contracted providers vary widely. Some health plans are use payment methodologies that do not appear to consider each of the six factors enumerated above. For example, Blue Cross of California’s methodology for calculating reasonable and customary payments starts with a provider’s cost-to-charge ratio, multiplied by an undisclosed numerical factor,⁶ which is then in turn applied to the amount of the claim.⁷

HLB is challenging this methodology, which uses provider costs rather than a market-based comparison of the provider charges to those of other providers in the general geographic region, as being illegal under California law. It is unclear how such a methodology takes into account the provider’s training and qualifications, the nature of the services provided, the fees usually charged by the provider, any other aspects of the economics of the provider’s practice or any unusual circumstances that may impact the calculation of a reasonable and customary reimbursement.

HLB is also challenging health plans’ payment of out-of-network benefits for emergency and post-stabilization claims, particularly when the health plan never transfers its members to contracted hospitals after stabilization. HLB believes that when a health plan authorizes care at a non-contracted hospital, the resulting claims should be treated as in-network. Health plans should not attempt to shift the cost of these services to the members by paying out-of-network rather than in-network benefits.

There are measures that providers can take to mitigate the risk of significant underpayments due to “reasonable and customary” payment methodologies that do not consider California’s six factor test and do not result in reasonable reimbursements. First, when negotiating new contracts with health plans, providers should consider a post-termination rate provision, and preferably one that will last for at least one to two years after the termination of the provider agreement. Such provisions may take a number of different forms, including payment at a percentage of charges.

Second, after going out of network with a health plan, providers should closely monitor “reasonable and customary” payments from insurers to see whether such payments appear to conform to the law, and whether they are in fact reasonable reimbursement. Finally, if providers are unable to obtain proper payments after continued appeals and efforts to work with the insurer, then providers should consult with experienced counsel to evaluate the available options for achieving more legally consistent reimbursement results.

For additional information, please contact Daron Tooch, Glenn Solomon or Amanda Hayes in Los Angeles at 310.551.811; Mark Reagan or Katherine Miller in SF at 415.875.8519; or Jennifer Hansen or Joe LaMagna in San Diego at 619.744.7300.

1 Bell v. Blue Cross of California (2005) 131 Cal.App.4th 211, 221.
2 Prospect Medical Group, Inc. v. Northridge Emergency Medical Group
(2009) 45 Cal.4th 497, 501, 504-511.
3 Id. at 502.
4 28 Cal. Code Regs. § 1300.71(a)(3)(B) (emphasis added).
5 Gould v. Workers’ Comp. Appeals Board (1992) 4 Cal. App. 4th 1059, 1071.
6 Insurers that are governed by the DMHC must submit their methodologies to the DMHC, and may request that certain portions of the filing be kept from public disclosure. Those parts referenced herein are part of Blue Cross’ publically filed submission to the DMHC.
7 Even though the DMHC receives health plan submissions of their reasonable and customary methodology, the DMHC only receives the information and does not approve or disapprove of the substance of the methodology.

 Return to top

A Tale of Two HIPAA Violations

On February 24, the U.S. Department of Health and Human Services announced that Massachusetts General Hospital agreed to enter into a Corrective Action Plan (CAP), encompassing not just the hospital, but its related health system, and to pay $1 million to settle potential HIPAA Privacy & Security rule violations. Two days earlier, HHS imposed its first ever HIPAA-related civil money penalty (CMP) on Maryland-based Cignet Health Center in the amount of $4.3 million.

These are not the first HIPAA investigations that have resulted in money settlements. They may, however, suggest a more aggressive enforcement approach in the wake of the increased penalties for violations in¬troduced by the HITECH Act in 2009. Though very different in nature and scope, these HIPAA enforce¬ment actions serve as a warning for HIPAA covered entities and business associates alike to re-examine their HIPAA policies, procedures, practices and employee training programs to ensure they are compliant.

The Massachusetts General Case

In the Massachusetts General Hospital case, an employee commuting to work accidentally left on a subway train scheduling documents containing the protected health information (PHI) of 192 patients from the hospital’s Infectious Disease Associates outpatient practice. The HHS press release can be read at:

http://www.hhs.gov/news/press/2011pres/02/20110224b.html

According to HHS, the documents contained information including patient names, medical record numbers, dates of birth, health insurer information, policy numbers, diagnosis and provider names. Some of the information related to patients with HIV/AIDS. The list was never recovered and a patient whose information was lost filed a complaint with HHS’ Office for Civil Rights.

As part of its corrective action plan, Massachusetts General agreed to:

• Develop and implement a comprehensive set of policies and procedures that ensure PHI is protected when it is taken from the hospital’s premises;
• Train employees on these policies and procedures; and
• Designate the Director of Internal Audit Services of Partners HealthCare System, Inc., of which Massachusetts General Hospital is a member, to serve as an internal monitor. The auditor will be required to conduct assessments of Massachusetts General’s compliance with the corrective action plan and provide semi-annual reports to HHS for three years.

This fine and settlement, including significant independent auditing and reporting obligations, highlights the importance of ensuring that both covered entities and business associates alike have developed adequate policies and procedures and are conducting the training and monitoring necessary to ensure that these policies and procedures are being followed and practices are HIPAA compliant.

The Cignet Case

In an extreme case of HIPAA missteps, OCR imposed a $4.3 million civil monetary penalty against Cignet Health Center, a Maryland clinic, for HIPAA violations. OCR found that Cignet first improperly denied 41 patients access to their medical records. The HHS press release can be found at:

http://www.hhs.gov/ocr/privacy/hipaa/news/cignetnews.html

According to documents on the OCR web site, the clinic failed to respond to repeated informal efforts from OCR to contact the clinic and to obtain the patients’ records. OCR eventually subpoenaed the records, and the clinic failed to respond to the subpoena. OCR obtained a court order to enforce the subpoena, in response to which OCR says the clinic delivered 59 boxes containing not only the records requested, but also records relating to approximately 4,500 individuals whose information OCR had not requested and the clinic had no legal basis for disclosing.

OCR imposed a civil money penalty of $1,351,600 for failing to provide the patients with access to their health records, calculated at $100 per day per patient after the 30-day period allowed by HIPAA to respond to an individual’s request for records. It imposed an additional penalty of $3 million for failure to cooperate with the OCR’s investigation. This was set at $50,000 per case per day, and would have totaled several hundred million dollars over two years of failure to cooperate but for the $1.5 million annual cap on penalties under the statute.

While the Cignet case may represent a seemingly unusual case of HIPAA non-compliance and lack of cooperation, it is an important reminder for all covered entities about the importance of responding to OCR and HHS deadlines when HIPAA privacy and security breaches are alleged.

HLB attorneys have been assisting covered entities and business associates with the development and amendment of HIPAA policies and procedures, conducting HIPAA training and education and advising on HIPAA compliance more generally since the HIPAA privacy regulations first went into effect in 2003.

For additional information, please contact Hope Levy-Biehl in Los Angeles at (310.551.8140; Paul Smith, Stephen Phillips or Clark Stanton in San Francisco at 415.875.8500; Kitty Juniper in San Diego at 619.744.7314; Robert Roth or Tish Wirth in Washington, D.C. at 202.587.2590.

Return to top

HLB Calendar

Return to top

March 31, 2011 – ACO Waiver Notice with  Comment Period

March 31, 2011 – Proposed FTC, DOJ ACO Rules

April 5, 2011 – IRS Proposed Tax-Exempt ACO Guidance

TRO Bars State from Freezing Medi-Cal Inpatient Rates
Amicus Briefs Challenge Court Decision on RAC “Good Cause” Requirements
Medi-Cal Budget Cut Proposals
HLB Calendar

Federal Court Issues TRO Barring State from Freezing Medi-Cal Inpatient Rates

A federal court has prohibited the California De­partment of Health Care Services (DHCS) from go­ing forward with the implementation of a freeze on Medi-Cal rates paid to hospitals for inpatient services, which was originally enacted in October 2010 as part of the State’s 2010-2011 budget legislation. Without the court’s injunction order, the rate freeze would have started impacting hospital claims processed after January 31, 2010.

In a case being argued by Hooper, Lundy & Book­man, PC (HLB), on behalf of the California Hospital As­sociation (CHA), Eastern District Judge Lawrence Karlton issued a temporary restraining order (TRO) January 28 to prohibit DHCS from applying the rate freeze to hospital claims for payment. The TRO will be in effect until February 25, when a hearing on whether the TRO should be converted into a longer term, preliminary in­junction against DHCS is scheduled to be entertained by the court. In issuing the TRO, Judge Karlton found that CHA’s request met the following criteria:

• Likelihood of Success on the Merits. CHA showed that the state has attempted to implement the rate freeze without first obtaining the required federal approval.
• Irreparable Injury. CHA demonstrated this through establishing that, because hospitals are barred by the State’s immunity from suit un­der the 11th Amendment to the United States Constitution, from retrospectively recovering damages in federal court, the reimbursement they are otherwise being deprived of as a result of the freeze is an irreparable monetary loss.
• Balance of Hardship. The judge recognized that the rate freeze will result in significant reimbursement losses to hospitals represented by CHA, which may in turn affect the quality of care provided to Medi-Cal patients and therefore offsets any hard­ship claimed by the State from not implementing the rate freeze.
• Public Interest. The judge found that the public in­terest favors enforcement of federal laws over those of the DHCS.

For more information, please contact Lloyd Bookman or Jordan Keville in Los Angeles at 310.551.8111; Mark Rea­gan or Craig Cannizzo in San Francisco at 415.875.8500; or Mark Johnson in San Diego at 619.744.7300.

Return to top

HLB Files Amicus Briefs on Behalf of Health Care Associations in California Case Challenging District Court Decision on RAC “Good Cause” Requirements

Expressing alarm that a federal district court recently effectively eliminated a long-standing right of Medicare providers to enforce private contractors’ compliance with a regulatory “good cause” limitation on the reopening and denial of old claims, Hooper, Lundy & Bookman, P.C. has filed amicus (friend of the court) briefs with the U.S. Court of Appeals for the Ninth Circuit. The first was filed on behalf of the Federation of American Hospitals (FAH), the American Hospital Association (AHA), and the American Health Care Association (AHCA). The second was filed on behalf of the California Hospital Association (CHA).

The briefs were filed in the appeal of an August, 2010 federal district court ruling in a case filed by Palomar Medical Center against the U.S. Department of Health and Human Services (DHHS). Specifically, HLB argued in the briefs that:

• CMS’ regulatory “good cause” limitation on a contractor’s reopening and denial of old paid Medicare claims is enforceable through the administrative appeal process; and
• CMS cannot deprive the federal courts of jurisdiction to enforce the agency’s compliance with its own regulatory “good cause” limitation.

At issue was a 2005 Medicare claim that Recovery Audit Contractor (RAC) PRG-Shultz reopened and denied. In accordance with regulations issued by the Centers for Medicare & Medicaid Services, Palomar appealed PRG-Shultz’s reopening and denial of the claim for inpatient rehabilitation services based on a lack of medical necessity.

Palomar argued that the services were necessary and that the RAC had failed to show “good cause” before reopening the claim, as required by Sect. 405.986 of federal Medicare regulations. The claim had initially been paid by the Medicare fiscal intermediary more than a year earlier. The regulations require “good cause” to be demonstrated for claims opened more than a year after original payment.

The Medicare administrative law judge (ALJ) ruled that the RAC had improperly reopened the claim without showing “good cause.” The Medicare Appeals Council (Council) overturned the ALJ’s decision and ruled that the ALJ had no jurisdiction to review and enforce a RAC’s compliance with DHHS’ non-discretionary regulatory limitation on a contractor’s reopening and revision of old paid claims. The federal district court upheld the Council’s decision, and further found that the federal courts have no jurisdiction to review the good cause issue.

California Experience Highlights Need for Enforcement

According to the briefs, this issue of reopening claims for “good cause” is of growing concern as CMS has unleashed a growing number of private contractors. In addition to RACs, CMS has recently engaged Medicare Administrative Contractors (MACs) and Zone Program Integrity Contractors (ZPICs) that are authorized to search for Medicare billing errors by hospitals, skilled nursing facilities and other providers, and to recover resulting overpayments.

The CHA brief further outlines the consequences of opening claims without “good cause,” based on California hospitals’ experiences with the RAC Demonstration Project. The California demonstration project RAC was PRG-Schultz (PRG). PRG was paid a contingency fee that appears to have been about 20 percent of the amount of the denied claims. PRG was allowed to retain its fee so long as the denial was not overturned at the first level of the appeal process. According to the brief, PRG clearly had an enormous incentive to deny claims.

PRG and the other RACs focused on claims for hospital services because these had the highest dollar values, although there was no evidence hospital claims were more likely to contain errors than other claims, according to the brief. Ninety-five percent of the amounts recovered were from hospitals, including services furnished by Inpatient Rehabilitation Facilities (IRFs). PRG directed much of its efforts at IRFs.

According to the brief, PRG’s reviews severely disrupted many IRFs and threatened their ability to operate. First, the payments on denied claims were recovered regardless of the filing of an appeal, and were returned without interest, only after the denials were overturned. This delay caused cash flow problems.

Second, the hospital resources required to handle appeals were substantial. Facilities were required to respond to PRG’s medical records requests, evaluate PRG’s determination, and pursue each appeal level for each claim. Facilities had to prepare a clinical analysis and an individualized appeal letter for each denial. Facilities were then required to submit evidence to support the appeal at each level, which usually included at least the complete medical record. The facility also had to track various deadlines, as one missed deadline usually was fatal.

Given the volume of PRG record requests and claim denials, this process created a tremendous burden, according to the brief. Many hospitals had 100 or more IRF claims denied by PRG. According to CHA, one hospital had approximately 400 denials. Many of these denials would likely not have occurred if PRG knew the reopening deadlines would be rigorously enforced and “good cause” would be required, the brief contends. Further, the brief argues that many of these denials could have been summarily disposed of at the ALJ level on just the “good cause” issue.

HLB reported that of the 852 IRF claims denied by PRG they handled at the ALJ level, 794 were overturned. Nationally, 64.4 percent of all denials appealed were over¬turned. PRG’s review of IRF claims was so questionable that CMS mandated a pause pending a validation review, according to the brief. An outside contractor reviewed a sample and determined that 40 percent of PRG’s denials were incorrect. CMS then required PRG to re-review the IRF claims it previously denied. PRG reversed 1,454 of its 5,237 denials.

Almost all claims reopened by PRG were initially paid between one and four years before the reopening. Accordingly, the CHA brief contends that PRG was obligated to show “good cause” and never made such a showing. Both briefs urge the appellate court to reverse the district court’s ruling and remand the case to the district court to determine whether the RAC contractor had the required “good cause” to reopen Palomar’s old Medicare claim.

For additional information, please contact Lloyd Bookman or Jodi Berlin in Los Angeles at 310.551.8111; Mark Reagan in San Francisco at 415.875.8500; Jennifer Hansen in San Diego at 619.744.7300; Robert Roth or Tish Wirth in Washington, D. C. at 202.587.2590.

Return to top

Brown Submits Trailer Bill Language for Proposed Medi-Cal Budget Cuts

As State budget hearings get under way in Sacramento, many of Governor Brown’s proposed cuts to Medi-Cal resemble failed efforts by Governor Schwarzenegger to enact similar cuts during his tenure. In particular, the health and human services budget subcommittees in both houses are considering the following budget cuts:

• Adult Day Care. Governor Brown proposes to eliminate Medi-Cal coverage for Adult Day Care services. If this proposal is enacted, elimination will be swift as the Governor’s proposed budget trailer language calls for the coverage to be eliminated on the first day of the first month following 90 days after enactment.
• Multi-Purpose Senior Services Program. The governor proposes to eliminate this program, which provides case management services for elderly Medi-Cal recipients who are eligible for nursing facility care, but choose to forego placement.
• Provider Cuts. Governor Brown proposes to reduce Medi-Cal payments to the following providers by 10 percent:
  • Non-contracting hospitals;
  • Skilled nursing facilities (SNFs), including distinct-part SNFs and subacute units;
  • Physicians;
  • Pharmacies;
  • Clinics (excludes federally qualified health centers and rural health clinics);
  • Home Health;
  • Adult Day Care (if program not eliminated); and
  • Medical transportation.

The state has been unable to institute previous years’ rate reductions as litigation preventing the cuts is pending (HLB represents providers in a number of pending cases). Governor Brown assumes that the state will ultimately prevail in the litigation.

• Medi-Cal Beneficiary Changes. Governor Brown proposes a number of changes for Medi-Cal recipients, including:
  • Limiting prescriptions and the number of allowable physician visits per year;
  • Mandatory co-payments for all beneficiaries;
  • Placing new caps on amounts payable for medical supplies and equipment; and
  • Eliminating vision coverage in the Healthy Families Program.

The governor also has proposed extending the hospital fee program through June 2011.

At press time, budget subcommittees had held initial hearings on the Medi-Cal proposed cuts, but have left the items open for future action. The governor has set an ambitious goal of having the budget finalized by the end of March – months earlier than the Legislature has acted in recent years.

Return to top

HLB Calendar

Return to top