On Wednesday, October 2, the Centers for Medicare and Medicaid Services (“CMS”) issued its 2015 consultation guide for states to use when setting reimbursement rates with respect to any Medicaid managed care program subject to actuarial soundness requirements in 42 CFR 438.6 during rating periods starting January 1, 2015. The guide “describes information that CMS expects states to provide when developing the actuarial rate certifications.” Continue reading
Author Archives: David Nardolillo
A Massachusetts dermatology practice, APDerm, has agree to make a $150,000 payment and enter into a corrective action plan with the U.S. Department of Health and Human Services’ Office for Civil Rights in order to settle potential violations of HIPAA Privacy, Security, and Breach Notification Rules. According to HHS, this is the first settlement entered into by an entity for a failure to have breach notification policies and procedures in place under the HITECH Act.
According to the press release, an unencrypted thumb drive containing electronic protected health information (“ePHI”) of over 2,200 people was stolen from the vehicle of an APDerm employee in October 2011. After HHS was notified of the situation, its investigation revelaed that APDerm did not conduct an adequate risk assessment of the vulnerabilities to the confidentiality of the ePHI it maintained prior to the loss of the thumb drive. HHS also determined that APDerm did not qualify with the Breach Notification Rule by failing to have written policies and procedures in place to address such breaches, and by failing to train workers regarding the requirements of this rule. HHS also found that the failure to safeguard the unencrypted thumb drive amounted to an impermissible disclosure of ePHI when it was stolen from the APDerm employee’s car.
The corrective action plan entered into by APDerm requires it to perform a risk analysis, develop breach notification policies and procedures, and establish an implementation plan for those procedures, each of which must be reviewed and approved by HHS.
The HHS press release is available here: http://www.hhs.gov/news/press/2013pres/12/20131226a.html
The Resolution Agreement is here: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/apderm-resolution-agreement.pdf
Fourth Circuit Decision Addresses Constitutionality of Per-Claim Penalty under Federal False Claims Act
The decision delivered just before Christmas by the United States Court of Appeals for the Fourth Circuit in US ex rel. Kurt Bunk, et al., v. Gosselin Worldwide Moving, N.V., et al. is of value and of interest to all healthcare providers subject to the reach of the Federal False Claims Act (hereafter “FCA”). Although not dealing with the healthcare market, the decision serves as another illustration of the potential scope of per-claim civil penalties under the FCA and the vitality of such penalties when analyzed under the United States Constitution’s bar on excessive fines via the Eighth Amendment. Continue reading
On Monday, Kings County District Attorney Charles J. Hynes announced the creation of a new Healthcare Fraud division within his office. The 30-person team, headed by ADA Lauren Mack, will collaborate with federal authorities, including the United States Department of Health and Human Services Office of the Inspector General and the United States Attorney for the Eastern District of New York, to investigate and prosecute doctors and pharmacists accused of committing fraud against Medicaid and Medicare. The New York City Human Resources Administration will also work with this new unit. The press release for the new unit is available here.
Last week, Maplewood Manor, a nursing home owned and operated by Saratoga County and represented by Jeffrey J. Sherrin of O’Connell & Aronowitz, earned a major victory in its appeal of an audit conducted by the New York State Office of the Medicaid Inspector General (“OMIG”). In a Decision After Hearing dated January 16, 2013, an Administrative Law Judge overturned the OMIG audit, which originally concluded that Maplewood Manor had been improperly reimbursed for the capital costs of a $3.7 million cogeneration plant because the nursing home’s base year Medicaid reimbursement rate included duplicative utility costs. The decision is noteworthy because the ALJ refused to accept OMIG’s extension of the Daughters of Sarah case to Maplewood Manor.
Maplewood Manor is a 277-bed skilled nursing facility located in Ballston Spa, New York, and is governed by the Saratoga County Board of Supervisors. By the early 2000s, the boilers and air conditioners at Maplewood Manor, which first opened in 1973, needed replacement and the limitations of the lighting systems and back-up generators were beginning to negatively impact the nursing home’s ability to ensure the comfort and safety of its residents.
At that time, Saratoga County sought out proposals to upgrade Maplewood Manor and to reign in its energy costs. A committee of the Board of Supervisors eventually accepted a proposal for a “cogeneration project” which would construct a cogeneration plant at Maplewood Manor and improve the nursing home’s HVAC, lighting, and emergency backup generator systems. Continue reading
This afternoon, the Department of Health and Human Services posted a long-awaited, 563-page omnibus final rule under HIPAA, which will be published in the Federal Register on January 25, 2013, and which makes a variety of modifications to HIPAA’s Privacy, Security, Breach Notification, and Enforcement Rules. According to the executive summary of the rule, these modifications are necessary “to strengthen the privacy and security protections . . . for individual’s health information maintained in electronic health records and other formats. This final rule also makes changes to the HIPAA rules that are designed to increase flexibility for and decrease burden on the regulated entities, as well as to harmonize certain requirements with those under the Department’s Human Subjects Protections regulations.”
Note that while the effective date of the final rules is March 26, 2013, covered entities have until September 23, 2013, to achieve compliance.
We will have further analysis on this final rule in the coming days.
When HIPAA Investigations Broaden To Scrutinize Unrelated Business Practices: The Settlement between the State of Minnesota and Accretive Health
Prosecutions involving breaches of protected health information under the Health Insurance Portability and Accountability Act (“HIPAA”) are becoming more frequent; we have noted recent civil settlements involving providers in Massachusetts and Alaska, as well as a criminal prosecution in California. The latest prosecution, and resulting settlement, illustrates a new twist: the focus of a data breach investigation can broaden beyond the data breach and expose providers to liability for business practices unrelated to the data breach.
Late last month, the Minnesota Attorney General’s Office announced a settlement with Accretive Health, Inc., a Chicago-based debt collector that had been managing the revenue collection operations of several Minnesota hospitals. Under the settlement, Accretive must cease all operations in Minnesota and pay $2.5 million to a restitution fund. Minnesota had been investigating Accretive after it had learned that a laptop, containing the protected health information of over 23,000 patients of two Minnesota hospitals, was stolen from the rental car of an Accretive employee in July 2011. The information on the laptop not only contained protected health information, such as the patients’ names, addresses, and Social Security numbers, but it also included Accretive’s proprietary analysis of each patient’s medical condition and likelihood of hospitalization. It was also revealed that another Accretive laptop, containing similar information from a Minnesota hospital, was stolen under similar circumstances a year earlier in July 2010, although Accretive did not report that theft to the Minnesota hospitals. The hospitals only learned of the first theft through anonymous tips received after the second theft was reported. The Attorney General filed a lawsuit in federal court claiming violations of HIPAA, and the Minnesota Health Records Act (Minn. Stat. § 144.291 et seq.). The lawsuit also claimed that Accretive violated Minnesota’s debt collection and consumer protection statutes for an alleged failure to disclose its status as a debt collector to patients.
While the Attorney General was probing Accretive’s data security practices, the office learned that Accretive was in the debt collection business and immediately broadened its investigation to those practices. As a result of this fresh investigation, the Attorney General amended the lawsuit to include allegations that Accretive engaged in illegal aggressive collection practices in hospital emergency rooms. Sworn affidavits from about 60 patients alleged that Accretive, or others acting under its control or supervision, asked patients, most of whom had insurance coverage, to pay money in the hospital emergency room before being treated. According to the Attorney General’s press release, affidavits were obtained from:
- “A mother who was taken from the side of her teenage daughter who tried to overdose on a bottle of pills, made to give a credit card in the middle of the night and pay $500 before she could return to her daughter’s bedside.”
- “A mother who had just given birth who was told that her newborn baby could not be discharged from the hospital unless she coughed up a credit card and paid $800. As it turns out, the mother overpaid and had to fight for months to get the $800 back.”
- “A pregnant mother who was asked to pay money in the emergency room in the midst of miscarrying her first baby.”
Accretive’s settlement, which has been approved by the federal district court, requires it to pay $2.5 million to the State of Minnesota for a fund providing restitution to affected patients, with any remainder going to the State’s treasury. Accretive must also cease its operations in Minnesota, return to its client hospitals all health information, and hire an independent auditor, approved by the Attorney General, to confirm that it has done so. Finally, the Minnesota Attorney General noted that since it cannot enforce the federal Emergency Medical Treatment and Active Labor Act (“EMTALA”)—which requires a hospital to treat and stabilize a patient experiencing a medical emergency before asking for payment—it has referred the patient affidavits to the U.S. Centers for Medicare and Medicaid Services.
While the nature of the data breach in the Accretive case underscores the need for providers to remain diligent in monitoring their responsibility to secure the protected health information of their patients, the case also demonstrates how data breach investigations become broader inquiries into practices that are unrelated to data security.
On Wednesday, August 22, 2012, the New York State Department of Health (“DOH”) agreed to pay the owners of the Beechwood Nursing Home, located in Rochester, New York, $25 million dollars to settle litigation in which a federal jury had already determined that DOH officials had illegally revoked the operating license of the facility in 1999 in a retaliation against its owners, resulting in Beechwood’s closure. The jury was scheduled to decide how much to award in damages when the parties reached a settlement.
The Rochester Democrat and Chronicle filed this report on the settlement. According to that article, the presentation of provocative e-mails, written by DOH officials in the wake of Beechwood’s closure, was a key point in the case. Jurors in the case “pointed to the emails as the proof they needed of the state’s malice.” Although Beechwood’s owners sued multiple DOH officials at the outset of the litigation in 2002, five were eventually found liable for the illegal revocation of the operating license: current Health Department officials Susan Baker and Cynthia Francis, and former officials Laura Leeds, Sanford Rubin, and Sharon Carlo. These individuals will not be personally liable for the $25 million settlement; New York State will pay the award.
On July 24, 2012, the office of the New York State Comptroller (“OSC”) released the results of three separate audits which identified a total of $33 million in Medicaid overpayments made by the New York State Department of Health (“DOH”) and an additional $24 million in missed drug rebate savings.
One audit found that, between 2005 and 2010, DOH had made $15.6 million in improper payments under the Medicaid managed care program on behalf of over 14,000 foster and long-term care recipients who were ineligible for enrollment in these programs under state law, because Medicaid provides “daily rate” reimbursement programs for care given to these populations. The vast majority of these overpayments ($13.4 million) resulted from “duplicate enrollments, which took place primarily in New York City. There, local officials used one Medicaid identification number to enroll a child in managed care and a different identification number to enroll the same child for [Medicaid] payments under the [foster care] daily rate program.”
Another audit found that DOH again overpaid Medicaid providers $17.3 million from 2007 through 2010 as a result of the assignment of multiple Medicaid identification numbers to nearly 10,000 enrollees. The audit cited a lack of awareness, by local social services personnel, of online tools which could have identified whether individuals were already enrolled in Medicaid.
In the third audit, OSC auditors determined that, between 2008 and 2011, DOH failed to maximize rebate collections through the physician-administered drug rebate program as a result of delays in DOH’s implementation of “necessary automated Medicaid system controls that enforce compliance with the rebate program.” These delays meant that DOH missed out on $8.5 million in drug rebate collections for physician-administered drugs. Other flaws in DOH’s collection process “prevented additional rebates of over $13.5 million.” The audit also found that another $2.3 million in savings on physician-administered drugs was missed because medical providers billed Medicaid more than the discounted acquisition costs of the drugs.
OSC has recommended that DOH, in addition to taking immediate steps to prevent the issuance of multiple Medicaid numbers, moves to to recover these overpayments and missed savings wherever possible.
No-Fault Insurance Medical Providers Take Notice: Emergency Rule for No-Fault Insurance Hearings Takes Effect
Providers who care for patients utilizing no-fault insurance should familiarize themselves with an emergency rule promulgated by the Department of Financial Services (“DFS”) that took effect on June 12, 2012. Authorized by Insurance Law § 5109(a) and issued in response to a growing number of law enforcement actions and private lawsuits targeting alleged abuses of the no-fault insurance system, the purpose of the emergency rule is to provide the Commissioners of the Department of Health (“DOH”) and the Department of Education (“DOE”), and the Superintendent of the DFS, with the ability “as soon as possible, to prohibit health service providers who engage in such activities from demanding or requesting payment from no-fault insurers.” The state’s no-fault insurance system was instituted to remove the majority of motor vehicle accident claims from New York courts and to establish an efficient system for obtaining compensation for losses suffered from those accidents. The DFS Superintendent’s Statement of Reasons for the emergency rule and the rule’s preamble cite growing abuse of these laws, including staged accidents, billing for unnecessary medical services, billing for medical services that were not rendered, and ownership of professional corporations by individuals that are not licensed to practice medicine.
The rule, which is now located at 11 NYCRR §§ 65-5.0 et seq., sets forth the procedures for administrative hearings to investigate reports of fraudulent activity in connection with no-fault insurance claim. These hearings could result in a final determination from any of these three agencies prohibiting a medical provider from “demanding or requesting any payment for medical services” in connection with any no-fault claim “and requiring the provider to refrain from subsequently treating, for remuneration, as a private patient, any person seeking medical treatment” for conditions covered by the no-fault law. Insurance Law § 5109(e) and the emergency rule also authorize these agencies, after the hearing, to temporarily prohibit the provider from demanding or requesting any payment for medical services under this article for up to ninety days, regardless of the initial determination by the hearing officer.
The administrative hearing regulations in the emergency rule, authorized by section 5109(a) of the Insurance Law, provide that DOH, DOE, or DFS may commence these hearings based on any information within the agency’s possession, and not just formal reports of fraud made pursuant to the Insurance Law. The provisions covering a notice of hearing, located at 11 NYCRR § 65-5.3, are worth particular attention as they do not require the noticing agency to give great detail and may require swift action by a provider. First, although the rules require that the notice to the provider lists “the applicable provisions of the law under which action is proposed to be taken and the grounds therefor,” the same section then notes that an agency’s “failure to make such reference shall not render the notice ineffective if the provider to whom it is addressed is thereby or otherwise reasonably apprised of such grounds.” 11 NYCRR § 65-5.3(a)(2) (emphasis supplied). Second, a provider may have to respond quickly after receiving a notice, in order to guarantee a hearing. The emergency rule provides that if “the noticed provider seeks a hearing, then the provider shall notify the superintendent or noticing commissioner in writing, within ten days of receipt of the notice, that a hearing is demanded.” 11 NYCRR § 65-5.3(b) (emphasis supplied).
Providers who receive these notices for hearings under Insurance Law § 5109 or 11 NYCRR §§ 65-5.0 et seq. should immediately contact an attorney.