Liles Parker PLLC

Recent Changes to DOJ’s “Justice Manual” Addressing De-Facto Regulations and Agency Guidance Documents

Guidance Documents and De-Facto Regulations not Supported by Existing Statutes and Regulations are Not Binding (December 27, 2018):  On November 16, 2017, Attorney General Jeff Sessions issued a memorandum[1] (Sessions Memo) implementing the principles set out in President Trump’s Executive Order 13777.[2]  The Sessions Memo was addressed to all components of the U.S. Department of Justice (DOJ) and noted that, in the past, some DOJ guidance documents had been issued without going through the rulemaking process and had nonetheless been used to bind private parties.  As the memorandum further noted:

“Effective immediately, Department components may not issue guidance documents that purport to create rights or obligations binding on persons or entities outside the Executive Branch (including state, local, and tribal governments).”

The purpose of this memorandum was straightforward.  Regulated parties should be able to rely on statutory and regulatory requirements that have been implemented in accordance with the legislative and rulemaking process. Guidance documents that have not gone through this formal process should not be used to establish obligations or rights with respect to regulated private parties. The Sessions Memo was intended to prevent DOJ components from “evading required rulemaking processes by using guidance memos to create de facto regulations.”[3] (emphasis added).

Several months after the issuance of the Attorney General’s memorandum, Associate Attorney General Rachel Brand issued a related memorandum (Brand Memo) addressing this issue.[4]  The Brand Memo made it clear that the principles set out in the Attorney General’s memorandum should also be applied by DOJ litigators when determining whether guidance documents issued by other federal agencies should be considered “binding” where the requirements set out in those documents are not supported by existing statutes and / or regulations.  As the Brand Memo states:

“. . . the Department should not treat a party’s noncompliance with an agency guidance document as presumptively or conclusively establishing that the party violated the applicable statute or regulation.  That a party fails to comply with agency guidance expanding upon statutory or regulatory requirements does not mean that the party violated those underlying legal requirements; agency guidance documents cannot create any additional legal obligations.”   (emphasis added).

Although the Brand Memo was directed at the use of guidance documents in False Claims Act and other affirmative civil enforcement cases,[5] as we will discuss in the sections below, the principles set out in the memorandum should also be applicable to criminal enforcement actions.

Not surprisingly, the role of agency guidance in assessing a health care provider’s obligations under the law has been debated ever since the Sessions and Brand memoranda were first issued. Almost a year after the Brand Memo was released, the DOJ expanded upon these principles in its revised “Justice Manual.”[6]  This article reviews these new provisions and discusses how DOJ’s guidance may impact fraud cases brought against health care providers and suppliers.

I. Impact of the DOJ’s Position in Civil and Criminal Health Care Fraud Cases:

At this point, you may be thinking, “Why should I care about these directives?”  As discussed below, the possible impact of the Sessions and Brand memos on health care providers and suppliers can be substantial.  Moreover, depending on the facts in your particular case, DOJ’s consideration of agency guidance (that is not based on an existing regulation or statute) may make or break the government’s fraud case against a health care provider or supplier.  On or about December 18, 2018, the DOJ published its latest guidance in the Justice Manual (§§ 1-19.000[7] and 1-20.000[8]) on the limitations on the issuance and use of agency guidance documents.  These Justice Manual provisions are discussed in more detail below.

II. Justice Manual, § 1-19.000 – Limitation on Issuance of Guidance Documents:

As § 1-19.000 of the Justice Manual provides, when issuing non-binding guidance documents, DOJ components should expressly identify the documents as guidance that does not carry the force or effect of law, and should clearly state that noncompliance with these voluntary standards will not, in itself, result in any enforcement action.  It is important to note that DOJ components may still issue guidance documents that are intended as voluntary guidelines or standards for private entities to consider and follow.  However, such guidance documents must make it clear that the instructions set out in the guidance are not legally binding and may go beyond an entity’s legal obligations under existing statutes and regulations.

What constitutes an agency guidance document? Great question. As § 1-19.000 reflects, the term “guidance document” does not include:

  • Decisions, orders, or other documents issued in adjudicatory actions that do not purport to or have the effect of binding anyone beyond the parties to the adjudication. 
  • Documents informing the public of the agency’s enforcement priorities or factors the agency considers in exercising its prosecutorial discretion. 
  • Internal directives, memoranda, legal and strategy monographs, or training materials for agency personnel directing them on how to carry out their duties, positions taken by an agency in litigation, or legal advice provided by the Department.

III.  Justice Manual § 1-20.000 – Limitation on Use of Guidance Documents in Litigation:

In contrast to § 1-19.000 (which covers the ISSUANCE of guidance documents by DOJ components), § 1-20.000 of the Justice Manual focuses on the USE of guidance documents issued by other federal agencies in litigation.  As § 1-20.100 of the manual provides:

“Criminal and civil enforcement actions brought by the Department must be based on violations of applicable legal requirements, not mere noncompliance with guidance documents issued by federal agencies, because guidance documents cannot by themselves create binding requirements that do not already exist by statute or regulation.” (emphasis added).

Justice Manual § 1-20.201 notes that if an agency guidance document describes a statutory or regulatory provision, federal prosecutors are still permitted to use and rely on agency guidance documents to argue that a party’s awareness of the guidance document shows that the party had the requisite notice or knowledge of the law.  Justice Manual § 1-20.202 further provides that an agency guidance document can be used as probative evidence that:

“. . . a party has satisfied, or failed to satisfy, professional or industry standards or practices relating to applicable statutory or regulatory requirements.”[9]

This section of the Justice Manual further notes that this rationale applies “broadly” in the healthcare arena and expressly cites guidance documents issued by the Centers for Medicare and Medicaid Services (CMS) such as the agency’s Medicare Benefit Policy Manual and Local Coverage Determinations (LCDs) as relevant evidence that procedures may (or may not) be medically reasonable and necessary.[10] For example:

“. . . if a primary care physician writes prescriptions in excess of the CDC Guideline for Prescribing Opioids for Chronic Pain, which contain medical recommendations for primary care physicians, that fact may be offered as evidence that the prescriptions were made and opioids dispensed without any “legitimate medical purpose” and outside “the usual course of professional practice,” 21 C.F.R. § 1306.04(a), in violation of the Controlled Substances Act.”

Justice Manual § 1-20.204 further notes that DOJ may cite an agency guidance document “where a party’s compliance, or failure to comply, with the agency guidance is itself relevant to the claims at issue.”  For example, if a health care provider falsely certifies compliance with a guidance document AND the certification is material to a decision by CMS (including its contractors) to pay a claim, the false certification may be offered by DOJ prosecutors to establish the elements of falsity, materiality and knowledge. As the section further provides:

“. . . when a government contract or provider agreement requires compliance with some agency guidance document, it is the contract—not the agency guidance itself—that makes the agency guidance pertinent and, in these cases, violations of that guidance undertaken with the requisite mental state may expose individuals to liability.” 

IV. Conclusion:

From a practical standpoint, the Sessions and Brand memoranda and the recent updates to the Justice Manual will likely only come into play if the DOJ is directly involved in a case, either before or after a civil or criminal case has been filed.  Having said that, the DOJ is not the only government entity tasked with complying with Executive Order 13777.  All federal agencies, including those within the Department of Health and Human Services (such as the Centers for Medicare and Medicaid Services (CMS)), are required to identify and repeal existing guidance documents that are outdated, unnecessary, inconsistent with existing law, or otherwise improper.

In light of this mandate, CMS published its Proposed Rule entitled “Medicare and Medicaid Programs; Regulatory Provisions to Promote Program Efficiency, Transparency, and Burden Reduction,”[11] on September 20, 2018.  To its credit, CMS has issued a number of proposals that are intended to alleviate the regulatory burden on Ambulatory Surgical Centers, Hospices, Home Health Agencies, Hospitals, Transplant Centers, Community Mental Health Centers, Rural Health Clinics and various other types of health care providers and suppliers.

Unfortunately, almost all of the proposed changes have been aimed at specific types of health care providers and suppliers.  For the most part, CMS’s Proposed Rule does not touch upon the quasi-legal obligations that have been imposed on health care providers and suppliers in the form of National Coverage Determinations (NCDs), Local Coverage Determinations (LCDs), manual provisions (such as the Medicare Program Integrity Manual (PIM), Medicare Claims Processing Manual (MCPM), and Medicare Benefit Policy Manual (MBPM)), along with practically countless policy guidance memoranda and other documents.  Although some of this guidance is, in fact, based on existing statutory and regulatory requirements that have been properly vetted through the rulemaking process, much of it would undoubtedly qualify as “de facto regulations” that are not statutorily based.

Unless CMS takes further action in this regard, all health care providers and suppliers participating in Medicare, Medicaid and / or other federal health benefit programs should continue to comply with all applicable guidance issued by federal or state sponsored health plans (or their contractors, such as Medicare Administrative Contractors) that sets out the specific requirements that must be met in order for a health care service or item to qualify for coverage and payment.  These requirements include, but are not limited to, specific guidance regarding the medical necessity of certain services, frequency and dosage restrictions, documentation mandates and billing / coding requirements.

Robert W. Liles represents health care providers and suppliers in UPIC and ZPIC audits of claims. Robert W. Liles serves as Managing Partner at the health law firm, Liles Parker, Attorneys and Counselors at Law.  Liles Parker attorneys represent health care providers and suppliers around the country in connection with UPIC audits, ZPIC audits, OIG audits and DOJ investigations of Medicare / Medicaid False Claims Act allegations.  Are your Medicare or Medicaid claims currently being audited or under investigation?  We can help.  For a free initial consultation regarding your situation, call Robert at:  1 (800) 475-1906.

[1] Memorandum dated November 16, 2017, titled “Prohibition on Improper Guidance Documents.”

[2] On March 21, 2017, President Trump signed Executive Order 13777.  Simply put, pursuant to Executive Order 13777, federal agencies are required to identify and repeal existing guidance documents that are outdated, unnecessary, inconsistent with existing law, or otherwise improper.  Citing Executive Order 13777 and the Sessions Memo, on December 21, 2018, Acting Attorney General Matthew Whitaker announced in a Press Release that the DOJ was rescinding an additional 69 guidance documents that were either “unnecessary, outdated, inconsistent with existing law, or otherwise improper.”  The Regulatory Task Force established by the DOJ pursuant to Executive Order 13777 has been active in its efforts to rescind guidance documents that have been determined to be unnecessary, inconsistent with existing law, or improper.  In December 2017, DOJ’s Regulatory Task Force identified 25 guidance documents to be repealed. The Task Force subsequently identified 24 additional guidance documents to be repealed in July 2018.

[3] See Press Release titled “Attorney General Sessions Ends the Department’s Practice of Regulation by Guidance” issued November 17, 2017.

[4] Memorandum dated January 25, 2018, titled “Limiting Use of Agency Guidance Documents in Affirmative Civil Enforcement Cases.”

[5] The term “Affirmative Civil Enforcement” refers to the filing of “civil lawsuits on behalf of the United States. The purpose of these civil actions is to recover government money lost to fraud or other misconduct or to impose penalties for violations of Federal health, safety, civil rights or environmental laws.”

[6] The Justice Manual was previously known as the United States Attorneys’ Manual.  It was revised and renamed the Justice Manual in 2018.

[7] Justice Manual § 1-19.000 (Limitation on Issuance of Guidance Documents).

[8] Justice Manual § 1-20.000 (Limitation on Use of Guidance Documents in Litigation).

[9] See Justice Manual § 1-20.202.

[10] As set out in United States ex rel. Polukoff v. St. Mark’s Hospital, No. 17-4014, at 14-15 (10th Cir. July 9, 2018), the use of agency guidance documents “does not give these documents the force of law, but rather aids in demonstrating that the standards in the relevant statutory and regulatory requirements have been or have not been satisfied.”

[11] “Medicare and Medicaid Programs; Regulatory Provisions to Promote Program Efficiency, Transparency, and Burden Reduction,” September 20, 2018. 83 FR 47686.

Is ePHI Encryption Required? The Failure to Properly Protect ePHI Can be Quite Costly.

(June 27, 2018):  Violations of the Health Insurance Portability and Accountability Act (HIPAA) in which a Covered Entity[3] has failed to utilize ePHI encryption can be quite costly. The loss of unencrypted electronic media containing Protected Health Information (PHI)[1] can result in big fines, as one Texas medical center has recently learned the hard way.  As a case ruling issued earlier this month reflects, the University of Texas MD Anderson Cancer Center (MD Anderson) was fined $4.3 million for its loss of two unencrypted USB drives and the theft of an unencrypted laptop.  This article examines this case in more detail and discusses your obligations to protect electronic PHI (ePHI) from improper disclosure or access by unauthorized persons.

I.  Is ePHI Encryption Required by Covered Entities?

The Department of Health and Human Services (HHS) oversees compliance and enforces HIPAA’s sanctions for noncompliance through its Office for Civil Rights (OCR).  In cases involving possible criminal conduct, the OCR works with the Department of Justice (DOJ).

The HIPAA Omnibus Rule changed the enforcement provisions.[2] Previously, the agency had discretion in choosing whether to investigate complaints or potential violations in cases where its preliminary review revealed a possible violation due to willful neglect.  Now, the agency is required to initiate a formal investigation when a party appears to have exhibited willful neglect.  If an investigation is performed, it may include a review of pertinent policies, procedures, or practices of the Covered Entity and the circumstances of the alleged violation.  Documentation and evidence of compliance are key to avoiding penalties assessed by OCR.

Notably, the HIPAA Omnibus Rule modified HIPAA’s Privacy, Security and Enforcement Rules in order to implement the statutory amendments set out under the Health Information Technology for Economic and Clinical Health Act (HITECH).  Under the Security Rule, a Covered Entity is required to conduct a comprehensive “security risk analysis” of the administrative, physical, technical and operational aspects of its organization.  For each category, the Security Rule establishes both required and addressable implementation specifications.

Implementation specifications that are identified as required must be fulfilled by a Covered Entity.  The failure to implement required specifications will be automatically deemed to be a failure to fully comply with the requirements of the HIPAA Security Rule.  In contrast, specifications that are identified as addressable must be implemented if, after a risk assessment, the Covered Entity has concluded that compliance with the specification is a reasonable and appropriate safeguard for handling PHI and ePHI.

Contrary to popular belief, Covered Entities are not flatly mandated by law to encrypt ePHI.  The Security Rule implementation specification covering encryption is expressly designated as addressable rather than required.  Addressable does not mean optional, however: under 45 C.F.R. § 164.306(d)(3), a Covered Entity must implement the specification if doing so is reasonable and appropriate, and if it decides not to, it must document why and implement an equivalent alternative measure where reasonable and appropriate.  As 45 C.F.R. §164.312(a)(2)(iv)[4] expressly provides:

 “(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.”

Clear as mud?  If you are still confused as to your obligations, you aren’t alone.  Although you may determine that it would be reasonable for you to NOT encrypt a certain set of ePHI, you need to keep in mind that if there is a potential breach (through loss, theft, negligence, etc.) the OCR will be second-guessing your decision-making in this regard.

II.  The Encryption “Safe Harbor”:

Section 13402 of HITECH extended the privacy provisions of HIPAA by requiring that Covered Entities and their business associates notify affected individuals after discovering breaches of unsecured PHI.[5] Breach, in this case, means the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the information.[6] Generally, incidents within the Covered Entity (between employees) or unintentional disclosure to a business associate are not breaches. Thus, if an employee sends an email inappropriately but in good faith containing PHI to a co-worker and neither employee shares it with others, it is not a breach. If the email goes to someone who is not an employee of the entity or a business associate, it may well be.

Furthermore, the breach notification requirements apply only to “unsecured PHI,” meaning PHI that is not secured through the use of a technology or methodology specified by the Secretary, such as encryption, or destruction that renders the paper or media unusable, unreadable, or indecipherable.[7]  The Secretary’s guidance ties “encryption” for this purpose to the processes described in NIST Special Publication 800-111 for data at rest and NIST-validated protocols for data in motion; encryption that does not meet that guidance does not earn the safe harbor.  Therefore, if a Covered Entity encrypts information consistent with that guidance and subsequently discovers a breach of that information (through loss, theft, accidental delivery to the wrong person, etc.), the Covered Entity is not required to provide notice of the breach.  If the information is protected through a firewall or some other means not approved by the Secretary, then notification would be required for a breach.  To ensure the encryption keys are not compromised along with the data, they should be kept on a separate device from the data to which they apply; a lost laptop that carries both the ciphertext and the key is, for practical purposes, unencrypted.
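The safe harbor described above rests on two properties an auditor will ask about after a lost device: the ePHI on the device is actually encrypted with a sound mechanism, and the key was never on the same device. The following is an added illustration, written for this page and not taken from the article, from HHS, or from MD Anderson’s materials, using only the Go standard library’s AES-256-GCM. A constructed, fictitious sample record is sealed under a key that is meant to live on a separate key server or hardware module, so the sealed blob that would sit on a USB drive reveals nothing on its own, and any alteration of the blob is rejected rather than silently decrypted. The record text, the function names and the idea of an in-memory key store are assumptions for illustration only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sampleRecord is a constructed, fictitious ePHI record used only for this
// illustration; it is not data from the article or from any real patient.
var sampleRecord = []byte("MRN 00012345 | DOB 1970-01-01 | Dx E11.9 | Rx metformin")

// NewDataKey returns a fresh 256-bit AES key. In a real deployment the key
// lives in a key management service or HSM, never on the laptop or USB drive
// that carries the sealed data (the "separate device" point in the text).
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts plaintext with AES-256-GCM and returns nonce||ciphertext||tag.
// GCM provides both confidentiality and integrity: a modified blob fails to open.
func SealRecord(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, so the nonce travels
	// with the blob; the key never does.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenRecord reverses SealRecord. It fails, without leaking any plaintext,
// if the key is wrong or any byte of the blob has been altered.
func OpenRecord(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key, err := NewDataKey() // stays in the key store, not on the drive
	if err != nil {
		panic(err)
	}
	onDrive, err := SealRecord(key, sampleRecord) // what a lost drive would hold
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed blob on drive: %x\n", onDrive)

	// Whoever finds the drive has no key, so gets no plaintext.
	if _, err := OpenRecord(make([]byte, 32), onDrive); err != nil {
		fmt.Println("without the key, open fails:", err)
	}
	// An authorized workstation with access to the key store decrypts normally.
	pt, err := OpenRecord(key, onDrive)
	if err != nil {
		panic(err)
	}
	fmt.Printf("with the key: %s\n", pt)

	// Flipping a single bit of the blob is detected, not silently decrypted.
	onDrive[len(onDrive)-1] ^= 0x01
	if _, err := OpenRecord(key, onDrive); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

This block shows only the cryptographic property the safe harbor relies on. In practice the same result is obtained with full-disk encryption (BitLocker, FileVault, LUKS) on every portable device, or with application-level encryption whose keys are held in an HSM or key management service; the compliance question is whether that control is actually deployed and verified on every device, which is exactly where MD Anderson fell short in the case discussed below.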

III.  The MD Anderson Case:

In the MD Anderson case, the cancer center lost two unencrypted flash drives and experienced the theft of an unencrypted laptop.  Collectively, the devices were estimated to have contained the PHI of approximately 33,500 patients. The OCR alleged that the cancer center did not comply with regulatory requirements by:

“(1) failing to perform its self-imposed duty to encrypt electronic devices and data storage equipment; and (2) it allowed ePHI to be disclosed. “

Pursuant to 45 C.F.R. pt. 160 and 45 C.F.R. pt. 164, subpts. A, C, D, and E, Covered Entities are generally required to:

“ensure the confidentiality, integrity, and availability of all ePHI that the entities create, receive, maintain, or transmit; protect such information against any reasonably anticipated threats or hazards to its security; protect ePHI against any reasonably anticipated impermissible uses and disclosures; and ensure compliance with these requirements by their workforces.”

While the cancer center had policies and procedures for maintaining the safety of ePHI, it was alleged that they did not implement those as required by 45 C.F.R. § 164.312(a)(1).  MD Anderson argued that they satisfied this regulation because there were technically policies and procedures put in place to allow PHI to be encrypted.  MD Anderson’s procedures for protecting ePHI included:

  1. Password protection of all computers and portable computing devices accessing potentially confidential information;

  2. A requirement that confidential or protected data stored on portable computing devices must be encrypted and backed up to a network server in the event of a disaster or loss of information;

  3. Annual employee training event that provided its employees with training in areas that included ePHI transmission and proper disposal; a prohibition against password sharing; a discussion of password necessity and integrity; an explanation of authorized and proper use of information systems, and training about information security resources.

Unfortunately, MD Anderson’s policies and procedures in this regard were shown to be incompletely or ineffectively implemented. The laptop and two USB drives in question were not encrypted as required by the cancer center’s policies and procedures.  MD Anderson’s attempts to ensure implementation of its ePHI protection policies and procedures were characterized as “half-hearted” by the ALJ handling the case.  MD Anderson was found to have delayed the encryption of devices and, after years, only proceeded slowly with the implementation of the encryption policy claiming financial issues were to blame.

The laptop in question was being used by a telecommuting employee as a work computer, and it was neither encrypted nor password protected. The laptop was stolen from the home of the employee; the ePHI on it was exposed, although there was no evidence that the patients’ PHI was actually accessed.  The first USB drive was lost by a trainee while on an employee shuttle bus. The second USB drive was lost by a visiting researcher.

The OCR considered the theft of the laptop and the losses of the USB flash drives to be unlawful disclosures of ePHI because these actions constituted the “release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.”

IV.  Defenses Raised by MD Anderson:

In its defense, the cancer center raised a number of arguments before the ALJ, several of which are outlined below.

  • As a State Entity, MD Anderson is Not a “Person” as Defined Under HIPAA.  In addition to arguing that the Secretary of HHS had acted beyond his statutory authority, MD Anderson argued that as an entity of the State of Texas, it did not constitute a “person” and was therefore not covered under HIPAA.  The ALJ disagreed.
  • The Penalties Assessed by the Secretary Were Excessive.  Second, MD Anderson argued that any penalties assessed should be capped at $100,000 per year.  The cancer center also cited 45 C.F.R. § 160.546(b) and asked that the ALJ reduce the assessed penalties to below the statutory cap.  Notably, the ALJ refused to lower the penalties imposed by the Secretary, reasoning that doing so would “constitute an end run around the Secretary’s intent as expressed in the regulation.”[8] The ALJ also cited 45 C.F.R. § 160.408, which lists the factors (including “such other matters as justice may require”) that may aggravate or mitigate the penalty amount.  Additionally, MD Anderson claimed that the high penalties imposed violated the Excessive Fines Clause of the Eighth Amendment.  Not surprisingly, the ALJ responded that it did not have the authority to consider the constitutionality of the regulations.  Each of MD Anderson’s arguments was addressed in the ALJ’s decision.
  • The Theft and Loss of Devices Do Not Constitute a “Disclosure” Under HIPAA. MD Anderson further argued that stolen or lost property cannot constitute a “disclosure” of sensitive material mainly because there is no evidence the PHI was viewed by anyone. However, the mere fact that the PHI was compromised and rendered vulnerable to viewing by an unauthorized person was deemed enough to constitute a disclosure in violation of HIPAA. Finally, the cancer center argued that the behavior of the individuals who lost USB drives was unsanctioned along with the actions of the thief.  Therefore, there was no basis to hold MD Anderson responsible for these unauthorized acts.  Not surprisingly, the ALJ disagreed, holding that although the employees may have disobeyed MD Anderson’s policies, the actions of transporting the data were within the scope of their official duties.
  • The OCR Has Failed to Apply HIPAA’s Regulations Consistently.  In addition to its concern that its key arguments were not seriously considered, MD Anderson also complained that the OCR’s enforcement of HIPAA regulations is not transparent or consistent.[9] With MD Anderson’s fine being the fourth largest ever upheld, there seems to be some merit to the claim that the regulations are not being consistently or fairly enforced. For example, in a 2010 case involving Rite Aid, the large national drug store chain agreed to pay $1 million to settle HIPAA privacy violations after several of its pharmacies were videotaped disposing of prescription pill bottle labels containing identifying information in dumpsters with public access.[10] Comparing the two cases, it seems odd that one of the nation’s largest drug store chains paid less than one quarter of the amount assessed against MD Anderson for the violations discussed above.

V.  Next Steps for MD Anderson:

MD Anderson Cancer Center has expressed plans to appeal the ALJ’s ruling[11]. The cancer center feels not only that the $4.3 million in fines is too much but that the ruling does not take into account the policy and procedure the center had already created. At the end of the day, however, it isn’t the availability of a mechanism to keep ePHI safe that matters but that strong efforts are made to ensure ePHI is actually being protected. Failing to carry out policy and procedure can bring serious fines.

VI.  Steps You Can Take to Comply with Your Obligations Under HIPAA and HITECH:

  • Compliance Officer. Appoint a Compliance Officer for your organization.
  • Breach Insurance. Review your options for purchasing insurance to cover any damages and penalties that may result from an unintentional breach or unauthorized disclosure.
  • Notice of Privacy Practices. Ensure that an updated Notice of Privacy Practices is in place.
  • Patient Consent Form. Ensure that an appropriate “Patient Consent Form” is in place.
  • Business Associate Agreements. Ensure that an appropriate “Business Associate Agreement” is in place with each of the outside entities with whom you use or disclose PHI. Additionally, check with your business associates and verify that they understand their obligations and will only provide any subcontractors access to your ePHI with your permission. Will you require that your business associate obtain breach insurance?
  • Policies and Procedures. Review and update all of your policies and procedures required to meet your obligations under HIPAA and HITECH to comply with the law and implement safeguards to protect the integrity of the individually identifiable health information under your control:
    • Privacy Rule;
    • Security Rule;
    • Enforcement Rule;
    • As mandated in connection with your Security Risk Analysis;
    • Other policies and procedures needed to address risks involving social media, using your own cell phones, telecommuting, etc.
  • ePHI Encryption. Review your operational practices to ensure that ePHI is encrypted to prevent improper use or disclosure. Although encryption may not be mandated, it is essential if you are trying to reduce your organization’s level of risk.
  • Backup Procedures.  Review your backup procedures and ensure that in the event of a disaster or other unforeseen event, a complete encrypted copy of your patient’s ePHI is safely maintained.
  • Security Risk Analysis. Perform / update the Security Risk Analysis of your organization and assess any outstanding specifications that still need to be met. Additionally, review the risks and vulnerabilities of a potential breach and / or the wrongful disclosure of ePHI.
  • Employee Training. Ensure that all of your staff is trained on their obligations to comply with HIPAA’s requirements under the law.  Furthermore, ensure that all new members of your staff are trained on their obligations under the law within 30 days of entering on duty.
  • Minimum Necessary. Review your use and disclosure practices to ensure that the minimum necessary standard is being met.
  • Breach Response Plan. Develop a breach response plan (including, but not limited to breach notification when needed, analysis of the cause of the breach, remedial steps and any additional staff training that may be needed), to better ensure that your organization can effectively respond to a breach incident.

Robert Liles represents health care providers in RAC and ZPIC appeals.  Robert W. Liles serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law.  Is your organization dealing with a potential HIPAA breach or unauthorized disclosure?  For a free initial consultation, contact Robert or one of the other attorneys at Liles Parker.  1 (800) 475-1906.


[1] The term “Protected Health Information” (PHI) covers individually identifiable health information that is transmitted by electronic media, maintained in electronic media or transmitted or maintained in any other form or medium. The rules do not include “de-identified information,” individually identifiable information where all 18 identifiers have been removed.  Such information can be used without restriction or patient authorization. The following table describes the identifiers that must be removed in order to qualify as de-identified information.

18 Individual Identifiers

  1. Names
  2. All geographic subdivisions smaller than a state, except for the initial three digits of a ZIP code if the geographic unit formed by combining all ZIP codes with the same three digits contains more than 20,000 people
  3. All elements of dates, except year, and all ages over 89 or elements indicative of such age
  4. Telephone numbers
  5. Fax numbers
  6. E-mail addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate or license numbers
  12. Vehicle identifiers or serial numbers, including license plates
  13. Device identifiers and serial numbers
  14. URLs
  15. IP addresses
  16. Biometric identifiers, such as voice and fingerprints
  17. Full-face photographs or comparable images
  18. Any other unique identifying number, characteristic, or code, except as permitted for re-identification in the Privacy Rule
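The identifier list above can be applied mechanically to a structured record, which is how a practice would verify a data set before treating it as de-identified. The Python below is an added example (not from the article or from Liles Parker); the field names, the sample record and the three-digit ZIP population table are constructed assumptions.

```python
"""Safe Harbor de-identification keyed to the 18 identifier categories above.
Added example: field names, sample record and ZIP population figures are
constructed assumptions, not real data."""
from __future__ import annotations

import re
from datetime import date
from typing import Any

# Categories 1 and 4-17: direct identifiers, removed outright.
# Field names are constructed for this example.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo",
}
# Category 2: units smaller than a state go; the state stays, ZIP is special.
SUB_STATE_GEO_FIELDS = {"street", "city", "county"}
# Category 3: dates are reduced to the year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Constructed population table keyed by the first three ZIP digits; a real
# implementation would load Census figures here.
ZIP3_POPULATION = {"770": 2_000_000, "036": 10_000}


def safe_harbor_zip(zip_code: str | None) -> str | None:
    """Keep the initial three digits only when the combined 3-digit area
    holds more than 20,000 people; otherwise the ZIP is removed entirely."""
    if not zip_code:
        return None
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    if len(zip3) == 3 and ZIP3_POPULATION.get(zip3, 0) > 20_000:
        return zip3
    return None


def safe_harbor_date(value: date | None) -> int | None:
    """All date elements except the year are removed."""
    return value.year if value else None


def safe_harbor_age(age: int | None) -> int | None:
    """Ages over 89 are removed, as the footnote lists them among the
    elements that must go (a coarser "90 or older" bucket is an alternative)."""
    if age is None or age > 89:
        return None
    return age


def deidentify(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the record with Safe Harbor identifiers stripped."""
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in SUB_STATE_GEO_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = safe_harbor_date(value)
        elif key == "age":
            out["age"] = safe_harbor_age(value)
        else:
            out[key] = value
    return out


# Category 18 check: free text can still carry identifiers the field rules
# never see. These patterns are a minimal illustration, not a complete scan.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def residual_identifiers(record: dict[str, Any]) -> list[str]:
    """List 'field:pattern' hits for identifier-like strings left in text."""
    hits = []
    for key, value in record.items():
        if isinstance(value, str):
            for label, pattern in RESIDUAL_PATTERNS.items():
                if pattern.search(value):
                    hits.append(f"{key}:{label}")
    return hits


# Constructed sample record (fictional values).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "street": "1 Example Way",
    "city": "Houston",
    "state": "TX",
    "zip": "77002",
    "birth_date": date(1950, 3, 14),
    "age": 68,
    "diagnosis": "Hypertension",
    "notes": "Patient asked to be called back at 713-555-0100.",
}
```

Running `residual_identifiers(deidentify(SAMPLE_RECORD))` flags the phone number left in the notes field, which is exactly the kind of residue a field-by-field review misses.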

[2] 78 Fed. Reg 5566 (Jan. 25, 2013), available at https://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf (last accessed June 2018).

[3] A “Covered Entity” is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a standard transaction

[4] 45 C.F.R. §164.312(a)(2)(iv). https://www.gpo.gov/fdsys/pkg/CFR-2010-title45-vol1/pdf/CFR-2010-title45-vol1-sec164-312.pdf

[5] For additional information, see the Breach Notification Final Rule Update, available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/finalruleupdate.html (last accessed April 2018).

[6] 45 C.F.R. § 164.404.

[7] 45 C.F.R. § 164.402.

[8] https://www.hhs.gov/sites/default/files/alj-cr5111.pdf

[9] https://www.beckershospitalreview.com/cybersecurity/md-anderson-slapped-with-4-3m-penalty-for-hipaa-violations.html

[10] https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/rite-aid/index.html

[11] http://www.modernhealthcare.com/article/20180619/NEWS/180619897


Sexual Harassment: Cases Against Texas Physicians in 2017

(January 26, 2018): From churches to Congress, sexual harassment and assault charges have plagued many of the institutions that our society holds dear. As revelations of sexual misconduct continue to surface, we continue to learn of the many abuses by those in powerful positions, those whom we once revered. The rise of the #MeToo Movement (“Movement”) in late 2017 has brought about a national conversation over sexual assault and harassment. Women and men from all industries have been revealing tragic stories of sexual assault and harassment. Not surprisingly, healthcare practices and organizations haven’t been immune to this societal crisis. In fact, it now appears that sexual assault and harassment may be far more prevalent in medicine than has been previously acknowledged. Recent studies have exposed that sexual misconduct by physicians is not only more common than previously thought, but also poorly disciplined when acknowledged.

In this article, we have collected data on disciplinary actions for sexual misconduct by physicians in Texas throughout 2017.[1] This article breaks down the 2017 disciplinary actions into (1) the different forms of sexual misconduct cited, (2) the physician specialties involved, (3) the time frame of the disciplinary actions, and (4) the severity of the disciplinary action taken by the Texas Medical Board (“Board”) against the subject physician. Prior to examining the data, let’s delve into the #MeToo Movement and the prevalence and discipline of sexual misconduct in medicine. 

I. What is the #MeToo Movement?

The #MeToo Movement as we know it today emerged out of the revelations last October of sexual abuse by powerful men in the Hollywood and entertainment industry.[2] Since the first allegations surfaced, more and more powerful people, particularly men, have been exposed and alleged to have committed various types of sexual assault, harassment or other improper conduct. To many, the sheer volume of sexual misconduct allegations exposed has come as a great shock. The #MeToo Movement has showed us that perpetrators of sexual misconduct can be practically anyone. Celebrities, athletes, government officials, and otherwise seemingly ordinary individuals have all been named as wrongdoers.  To the extent that there is one, the silver lining of the #MeToo Movement is that it has empowered women to stand up for their rights and it has initiated a national self-evaluation on what is (and isn’t) appropriate interpersonal conduct between adults in the workplace.  Ultimately, we will all benefit from this conversation.

II. An Overview of the Problem

At present, 1 in 5 women in the United States will be raped in their lifetime and nearly 1 in 2 women in the United States will be victims of sexual misconduct other than rape.[3] Within the latter statistic, 13% of women in the United States will be sexually coerced, 27.2% will be sexually assaulted, and 33.7% will be sexually harassed.[4] Despite this alarming prevalence, rape and sexual assault are the least-reported crimes, with an estimated 67% of victims not reporting the crime to the police.[5] In the workplace, the Equal Employment Opportunity Commission (EEOC) estimates that 75% of sexual harassment goes unreported.[6] This is often attributed to the stigma and lack of support that victims face in society. However, by raising awareness of the prevalence of this issue, the #MeToo Movement is expected to ignite social progress towards supporting victims and taking action against perpetrators. It is reasonable to expect that this Movement will continue to empower many more victims to report to the various authorities, who will in turn be expected to take further action to prevent and stop sexual misconduct.

III. What Constitutes Sexual Harassment / Sexual Misconduct? 

As you can imagine, there is no single definition of the terms “sexual harassment” or “sexual misconduct.” Moreover, there isn’t even agreement on when one of these specific terms should apply. Rather than get bogged down in semantics or spend all day comparing and contrasting how different courts have defined these terms, for the purposes of this article, we intend to utilize the terms interchangeably.

The term “sexual harassment” is defined by the EEOC as the harassment of:

[A] person… because of that person’s sex. Harassment can include “sexual harassment” or unwelcome sexual advances, requests for sexual favors, and other verbal or physical harassment of a sexual nature… Both victim and the harasser can be either a woman or a man, and the victim and harasser can be the same sex.”[7]  (emphasis added).

In contrast, the Federation of State Medical Boards has adopted a more specific definition of the term that is focused on the physician-patient relationship.  The Federation of State Medical Boards defines physician sexual misconduct as:

“[B]ehavior that exploits the physician-patient relationship in a sexual way. Sexual behavior between a physician and a patient is never diagnostic or therapeutic. This behavior may be verbal or physical, and may include expressions of thoughts and feelings or gestures that are sexual or that reasonably may be construed by a patient or patient’s surrogate as sexual.”[8] (emphasis added).

According to sections 22.011 and 22.021 of Chapter 22 of the Texas Penal Code, sexual assault includes all physical contact of a sexual nature in which consent was not or could not be given.  Sexual misconduct is most often predicated on a power dynamic between the perpetrator and the victim.[9] In medicine, the physician holds power over their patients and subordinates. Thus, this power dynamic between perpetrator and victim makes it such that consent is not a defense for physicians.[10] The Texas Penal Code specifically addresses this dynamic in Chapter 22, Section 22.011 (b)(9), which states that the act is not consensual if:

“[T]he actor is a mental health services provider or a health care services provider who causes the other person, who is a patient or former patient of the actor, to submit or participate by exploiting the other person’s emotional dependency on the actor;” (emphasis added).

How does your health care practice or organization define sexual harassment or sexual misconduct? Regardless of the definition ultimately adopted, there are a number of examples of conduct that are generally recognized as problematic. These include, but are not limited to:

  • Sexual jokes, pranks or teasing. This conduct can expressly allude to sexual matters or can refer to sex by innuendo. It can be made in person, over the phone, by e-mail, or by some other method of communication.
  • Touching, grabbing or making pretend motions or gestures of a sexual nature.
  • Verbally engaging in sexual discussions or making sexually charged comments at the workplace.
  • Repeatedly standing too close to a person, brushing up against them or otherwise getting in their personal space and making them uncomfortable.
  • Showing or otherwise posting sexually demeaning or offensive pictures, cartoons, comments or other materials in the workplace.
  • Repeatedly asking someone to socialize during off-duty hours when he or she has already indicated that he or she is not interested in engaging in social activities.
  • Giving gifts or leaving objects that are unwanted, regardless of whether they are sexually suggestive.
  • Asking about someone’s sexual experiences or preferences and / or discussing your own sexual experiences, activities and / or preferences.

IV. Generally Speaking, how Common is Sexual Misconduct in Medicine?

As members of an elite profession, physicians are revered and given an elevated status. As far back as Ancient Greece, physicians have sworn oaths that forbade engaging in any form of sexual misconduct.[11] Despite moral and ethical oaths, this “elite” status is easily manipulated by perpetrators, especially against patients. In a 2016 report, the Atlanta Journal-Constitution uncovered the hidden and pervasive nature of sexual misconduct in medicine. Since 1999, more than 3,100 physicians have been formally accused of sexual misconduct, with at least 2,400 of those physicians engaging in sexual misconduct with patients. It is important to note that this makes up an extreme minority within the over 950,000 physicians practicing in the United States. However, akin to prior sexual misconduct scandals, one perpetrator is capable of routinely victimizing patients. In one particular case, a pediatrician sexually assaulted at least 1,200 children over 15 years.[12] However, most of the 3,100 perpetrators did not target children, but rather young women.

In all, the actual details on the prevalence of sexual misconduct are difficult to unearth accurately for a multitude of reasons. Doctors are viewed as educated and credible, giving way to a predisposition by authorities to believe the word of the physician over an alleged victim. Additionally, most states do not post detailed public records related to sexual misconduct.[13] The details of allegations are often left out or obscured, leaving the public with little knowledge of what any given physician may have done. Some state medical boards choose not to publicly release information about a first-time offense. Additionally, when the evidence is discovered through a peer review at the medical institution, state laws often prohibit that information from being shared. To make matters worse, inadequate screening procedures prevent some state medical boards from discovering prior allegations made against physicians, allowing some perpetrators to move to a new location and continue to victimize patients and coworkers.

V. How is Sexual Harassment and Misconduct Disciplined in Medicine?

While state medical boards claim to take sexual misconduct seriously, the Atlanta Journal-Constitution seems to tell another tale. Of the 3,100 physicians disciplined for sexual misconduct since 1999, two-thirds were permitted to continue practicing.[14] In the case of some serial predators, this meant they could continue to victimize their patients and coworkers with no serious repercussions. The report found that cases were obscured, as were the disciplinary actions. Not all cases of sexual assault and harassment were labeled as such; many were marked in general terms such as crossing “boundaries” or having a “sexual relationship” with a patient. In most states, state medical boards and healthcare institutions choose to make compromises with the physician in order to avoid protracted legal battles. This is because state medical boards can only operate within the statutory authority given by that state’s legislature. Thus, patient protection may be a priority for state medical boards, but they can only work within the framework provided to them. In addition, some state medical boards view physicians as a scarce public health resource. In some rural areas, state medical boards have weighed the implications of removing a physician’s license on the ability of the populace to seek out a physician.

The actual disciplinary actions taken seem to echo past sexual misconduct scandals. Disciplinary actions are overwhelmingly aimed at rehabilitation rather than punishment. Physicians are frequently seen not as criminals, but rather as individuals suffering from mental illness. These disciplinary actions are aimed at educating physicians on sexual misconduct, legal repercussions, and their “boundaries” with patients and coworkers. Many have been sent to “treatment,” as state medical boards seek to salvage the value they see in physicians. Many are even given the restriction of a required chaperone while they are seeing patients of the opposite sex. Not all disciplinary actions are as bleak for patient protection. Many of these perpetrators have been fined, publicly reprimanded, had their license suspended or restricted, or lost their license altogether. Voluntary surrender does unfortunately offer perpetrators the ability to avoid further investigation. However, some state medical boards have also adopted the policy of revoking a medical license if that individual surrenders their license in another state in lieu of facing sexual misconduct allegations.

VI. How Well Does Texas Protect its Patients?

In conjunction with their damning report, the Atlanta Journal-Constitution also created a “report card” for how well each state protects its patients from sexual misconduct by physicians. Each state received a numerical score from 0-100, averaged from similar scales judging the state’s transparency, duty-to-report laws, board composition, criminal acts, and discipline laws. The best state was Delaware, while the worst state was Mississippi. Since our research focused on the Texas Medical Board, we will examine the Texas State Report Card.

The good news is that Texas ranked second, with an overall rating of 80. Texas ranked as the most transparent state, with a score of 90. Though hospital sanctions are not listed, the Texas Medical Board maintains an accessible public record for all Board orders that provides details as to why Board orders were taken.

Unfortunately, the “duty-to-report” laws in Texas were not adjudged by the Atlanta Journal-Constitution to be quite as superb. Texas was given a score of only 52 due to insufficient reporting laws. Hospitals are required to report the details of a peer review that results in a suspension of more than 30 days, or when a physician surrenders their clinical privileges in exchange for not conducting an investigation. However, if a physician is disciplined for 30 or fewer days, the details are not required to be released. Additionally, there is no deadline for how long a hospital can wait to report, nor are there legally established repercussions for a failure to do so. Courts are not required to notify the Board of criminal convictions. Fellow physicians, however, are required by law to report any behavior by peers that may pose a threat to the public welfare.

The Board composition score was slightly better, at 70. The Board comprises 19 individuals: 7 consumers with no immediate or marital relation to medicine and 12 physicians. Only 3 of the 19 board members are female.

The criminal acts score for Texas is remarkably high, at 96. This is primarily because the Texas Medical Board requires a thorough background check for applicants, then continues to periodically monitor criminal records of licensed physicians. Additionally, state law requires that the board report criminal conduct to police. As mentioned earlier, Texas has also criminalized sexual misconduct by physicians by removing consent as a legal defense.

Lastly, Texas tied Delaware and Alaska for the highest score for discipline laws with a score of 90. As per state law, the Board must revoke any license for a felony conviction or a deferred adjudication involving sexual abuse of a child. However, this revocation is not permanent unless the physician agrees to that stipulation or permanently surrenders their license in lieu of further investigation. State law also requires that an applicant cannot be licensed if their license elsewhere is currently restricted, cancelled, suspended, or revoked. State law also prohibits licensing any applicant that is being prosecuted for a crime that, if prosecuted in Texas, would be felony or misdemeanor involving moral turpitude. In addition, the board may subpoena hospitals for peer review records and the standard of proof for board action is only a preponderance of evidence.

Overall, the Texas Medical Board is amongst the best in the nation at handling formally submitted complaints of sexual misconduct by physicians. However, that bar is still too low. Finding records of allegations remains difficult in Texas. Additionally, anonymous reporting is not permitted, likely contributing to some victims deciding not to report.

VII. Texas Medical Board Disciplinary Actions for Sexual Conduct in 2017:

In 2017, the Texas Medical Board took 18 total disciplinary actions against 17 physicians for sexual misconduct. Six physicians were disciplined for sexual assault, with 2 of the 6 also being disciplined for sexual harassment. The disciplinary action imposed by the Board in each of these actions, except for one, was a suspension of the physician’s medical license. The one outlier was a physician who voluntarily surrendered his license in lieu of investigation; this physician’s license had previously been suspended earlier in 2017 for sexual assault. Only one physician was disciplined for sexual harassment alone, which resulted in sanctions that included taking a medical jurisprudence exam and multiple educational courses. Two physicians were disciplined for sexual misconduct, though both actions were a result of actions by other institutions. In the first case, the Board found that one physician failed to report disciplinary action by his alma mater for sexual misconduct. This resulted in a fine and mandatory educational courses. The second case involved a physician licensed in Texas but practicing in Oklahoma. This individual’s license was revoked in Texas following the voluntary surrender of his license in Oklahoma due to pending sexual assault charges. The remaining sexual misconduct-related disciplinary actions were referred to as having a “sexual relationship with a patient.” All but one of these cases resulted in a punishment that included mandatory continuing education. Five of these disciplinary actions resulted in public reprimands. Other forms of disciplinary action taken in these cases included fines, chaperones while with female patients, a medical jurisprudence exam, psychiatric treatment, and a temporary license restriction.[15]

Figure 1: Allegations that resulted in disciplinary actions taken by the Texas Medical Board in 2017.[16]

Table 1: Types of disciplinary actions taken by the Texas Medical Board in 2017 for each type of allegation.[17]

There did not appear to be any large trends within the type of physician specialty. The most common specialty was internal medicine, with a total of 5 internists out of 17 total disciplined physicians. No significant geographical trend was observed, with the cases largely spread out amongst relatively populated areas of Texas. Over 50% of the disciplinary actions occurred in the first half of the year. Surprisingly, there was no particular increase in disciplinary actions following the rise of the #MeToo Movement in October 2017.

Table 2: Allegations that resulted in disciplinary action, by physician specialty.[18]

Figure 2: Sexual misconduct-related disciplinary actions taken each month by the Texas Medical Board in 2017.[19]

VIII. The Texas Medical Board Weighs In on Sexual Harassment Complaints:

In the January 2018 Texas Medical Board Bulletin, two interesting topics appear on pages 3 and 4: the use of chaperones and the duty to report impairment. Each bulletin published offers news and reminders relevant to hot topics. Most bulletins in the last 5 years have covered topics related to prescription drugs, but none of those bulletins have covered either of these topics. It is worth noting that this is the first bulletin to be published since the #MeToo campaign began.

The first of the seemingly relevant topics is the use of chaperones. This section seeks to remind physicians that “there are many ways to make patients feel comfortable during their visit,” highlighting the use of a chaperone as one particularly ethical method of doing so, in addition to providing gowns and using drapes. The second seemingly relevant topic was the duty to report impairment. As addressed earlier in this article, state medical boards frequently view perpetrators of sexual misconduct as mentally ill rather than as criminals. This section of the January 2018 bulletin seems to echo that narrative, reminding physicians that they may report themselves and fellow physicians who pose a continuing threat to the public welfare. Additionally, it highlights that in certain circumstances, civil liability may be lifted from the reporting party.

While this was not a direct response to the #MeToo Movement, it does appear relevant, and perhaps anticipatory. This bulletin appears to remind physicians that patient comfort and safety is an ethical priority in medicine. Impairment does not automatically indicate sexual misconduct, though sexual misconduct has certainly been attributed to impairment by the board in the past.[20] Through this bulletin, it is plausible to say that the Board may be anticipating, and perhaps encouraging, more reports of sexual misconduct by physicians in the near future.

The #MeToo Movement seems to have struck a chord with the American public. It seems that society may finally begin to address the pervasive nature of sexual misconduct. All of this comes as we learn of tragic stories of abuses and cover ups. Like many other industries, medicine appears to have a dark past of turning a blind eye to physicians who abused patients and coworkers. While the number of physicians engaging in sexual misconduct may be far and few between, their actions have harmed, at the least, thousands of patients and coworkers. As the #MeToo Movement carries into 2018, perhaps we will learn more about the true scale of sexual misconduct in medicine as more victims come forward.

While no state medical board appears to be perfect at addressing sexual misconduct, the Texas Medical Board is currently one of the best. Its 2017 data shows that sexual misconduct appears to be rare amongst physicians in Texas, at least on the surface. Considering how Board investigations into these matters can take months, it is plausible that the 2017 data does not reflect the societal shifts in reporting since the beginning of the #MeToo Movement. The Movement may have effectively changed the national environment that felt hostile to most victims. Some have likened the energy of the #MeToo Movement to that of the civil rights movement, hoping that the social media campaign will result in coordinated efforts to achieve legal and cultural reform.[21] With more victims feeling supported, it is almost certain that reports of sexual misconduct will rise across the board.

If the Movement does translate to more reports of sexual misconduct generally, it is plausible that a better portrait of sexual misconduct in medicine may emerge. Thus, we will conduct this same assessment of the Texas Medical Board’s disciplinary actions against sexual misconduct at the conclusion of 2018. It is likely that more physicians are guilty of sexual misconduct than the Board is aware of or has taken action against. In comparing the 2018 and 2017 results, we will be able to determine how the #MeToo campaign has impacted medicine. We can expect to see more disciplinary action by the Board in 2018. The causes of the disciplinary actions may become less vague and the punishments more severe. For the time being, this is only speculation. Only time will tell how the #MeToo Movement will impact sexual misconduct in medicine.

IX. Healthcare Organizations Need to Conduct a Top-Down Review of Their Policies and Procedures:

Even as state medical boards enact stronger policies against sexual misconduct, it is important to note that the organizations and individuals who failed to adequately prevent, stop, or report sexual misconduct by a physician have been held liable, and will likely continue to be held liable into the future. In the case of the pediatrician who sexually assaulted hundreds of children, the hospital he sometimes worked for, a medical society, and doctors that referred patients to this physician were sued, which was resolved through a final settlement of $122 million for the defendant’s former patients.[22] Therefore, it is important for any organization hoping to avoid liability to create detailed policies and procedures on sexual harassment and sexual misconduct. In doing so, health care organizations should ensure that they are preemptively educating both patients and employees on what constitutes sexual harassment and sexual misconduct and what the ramifications are, not only for perpetrators but also for bystanders who do not report. Health care organizations should require reporting such that allegations are neither covered up nor overlooked. A low-cost, comprehensive, anonymous reporting system such as that provided by ComplianceHotline.com can provide your practice or other health care organization with a full range of reporting options that can be made available to patients and employees alike if they are concerned about sexual harassment or misconduct.[23] Moreover, this anonymous hotline tracks the steps recommended by HHS-OIG in its recent guidance, “Measuring Compliance Program Effectiveness: A Resource Guide.” The bottom line is straightforward — encouraging the early reporting of sexual misconduct can significantly reduce your health care entity’s level of regulatory risk and improve the quality of work life for your staff.

Unfortunately, drafting the proper Policies and Procedures to be used in your health care organization can be tricky.  You need to take both federal and state requirements into account. Please feel free to contact us for assistance with both the policies and with staff training on these important issues.

Ashley Morgan, J.D., serves as Senior Associate Attorney at Liles Parker, PLLC. Liles Parker is a health law firm representing health care providers and suppliers around the country in connection with compliance-related matters and Medicare / Medicaid / Private Payor audits. For a complimentary consultation, give Ashley a call at: (202) 298-8750.


[1] Specifically, we reviewed Texas Medical Board Bulletins posted in April 2017, September 2017, and April 2017.

[2] https://www.theguardian.com/world/2017/oct/20/women-worldwide-use-hashtag-metoo-against-sexual-harassment

[3] https://www.nsvrc.org/sites/default/files/nsvrc_one_pager_0.pdf

[4] https://www.cdc.gov/ViolencePrevention/pdf/NISVS_Report2010-a.pdf

[5] https://www.bjs.gov/content/pub/pdf/rsarp00.pdf

[6] http://www.chicagotribune.com/business/ct-biz-metoo-sexual-harassment-future-20171214-story.html

[7] https://www.eeoc.gov/laws/types/sexual_harassment.cfm

[8] https://www.fsmb.org/Media/Default/PDF/FSMB/Advocacy/GRPOL_Sexual%20Boundaries.pdf

[9] https://www.psychologytoday.com/blog/close-encounters/201712/when-do-men-power-engage-in-sexual-harassment

[10] http://doctors.ajc.com/doctors_sex_abuse/

[11] http://www.pbs.org/wgbh/nova/body/hippocratic-oath-today.html

[12] http://doctors.ajc.com/why_abusive_doctors_not_caught/?ecmp=doctorssexabuse_microsite_stories

[13] http://doctors.ajc.com/states_discipline_sex_abuse/

[14] http://doctors.ajc.com/doctors_sex_abuse/?ecmp=doctorssexabuse_microsite_nav

[15] http://www.tmb.state.tx.us/dl/A1BB2B98-02FD-3A3C-9022-D99248F0EEBF; http://www.tmb.state.tx.us/dl/B35F98D0-7F66-6F8B-8D5D-6A1520FF9C3F; http://www.tmb.state.tx.us/dl/209310BC-7307-EF80-6049-3FDC28CF182D

[16] Id.

[17] Id.

[18] Id.

[19] Id.

[20] https://www.documentcloud.org/documents/2940026-combined-164-pdf.html

[21] http://www.cnn.com/2017/10/30/health/metoo-legacy/index.html

[22] https://www.usatoday.com/story/news/nation/2013/11/25/delaware-child-abuse-case-settlement/3720309/

[23] Paul Weidenfeld and Robert W. Liles established www.compliancehotline.com to provide health care providers and suppliers with a comprehensive anonymous complaint reporting system that could be incorporated into their overall Compliance Program.

Looking a Gift Horse in the Mouth (or how to deal with holiday gifts)

(December 8, 2015): Last month we discussed performing audits in your practice. With the winter holidays just around the corner, we are going to take a detour from our process of establishing a compliance program. November, December, January and February bring many holidays and parties. These are usually an opportunity for happiness and cheer, but they can also present problems for physicians and practices. One of the biggest concerns at this time of year is whether to give or receive gifts. Many practices will receive gifts of food, such as cake, cookies or the ubiquitous popcorn tins. Some will come from grateful patients. How should you react if a patient brings in a gift of food for you and / or your staff?

I.  Gifts of Food from Patients:

Assuming these are of nominal value, it is fine to accept such perishable gifts from patients. However, it is a very good idea to share such food gifts from patients with the office or departmental staff.

II.  Non-Perishable Gifts from Patients:

Non-perishable gifts from patients present a bit more of a problem. Often these gifts are hand-made. But by their very nature they often can’t be shared by office personnel. And refusing such gifts would offend, insult, or disappoint the patients, who have sometimes spent considerable time and effort on the gifts. In such cases, it is permissible to accept the gift from the patient. However, depending on the nature of the gift, the practice should consider donating the gift to a suitable charity. For example, a quilted wall hanging may be accepted and displayed. A crocheted shawl might be donated to a charity. In the case of something that will be donated, and to avoid hurting the patient’s feelings if they don’t see their handiwork later, practice personnel should be appreciative and thank the patient, but explain that practice policy does not allow them to accept gifts of such value and that they will be donating it to an appropriate charity.

III. Gifts of Food or Perishables from Vendors, Suppliers, other Health Care Providers or Third-Parties:

Let me start this section by saying that any gifts from vendors, suppliers, other health care providers or entities, or third parties are more problematic than gifts from individual patients. Gifts from patients do not implicate the Anti-kickback Statute. Gifts from vendors, suppliers or other health care providers do. Remember that the Anti-kickback Statute prohibits the giving, offering, accepting or receiving of any remuneration, whether in cash or in kind, in exchange for the referral of services or patients whose care may be reimbursed by federally funded programs such as Medicare. The Anti-kickback Statute has no exception for gifts of nominal value or for items such as cookies or cakes.

That said, no physician practice will be prosecuted solely for accepting a holiday gift of food items, provided certain guidelines are kept in mind. As with food gifts from patients, food gifts from non-patients should be of nominal value and should not be a routine event. The food should be delivered to the office, and not take the form of coupons or paid-for expensive meals at a fancy restaurant. Thus, a tin of popcorn or a platter of mixed cookies from a local deli might be acceptable.

IV.  Gifts of Non-Perishable Items from Vendors, Suppliers, other Health Care Providers or Third-Parties:

Gifts of non-perishable items should never be accepted. As noted above, there is no de minimis value of a “remuneration” that is acceptable. The history of Anti-kickback Statute cases is full of examples of “gifts” that were really meant to be payments for referrals. A number of years ago, I was involved in a case where a marketing rep for an ancillary health care provider meticulously documented the Christmas gifts purchased for physicians and nurses who referred to the ancillary care provider and submitted that documentation for reimbursement as a marketing expense. The gifts ranged from simple small gift baskets of cosmetics to video game units plus games to expensive jewelry for the female physicians or the male physicians’ wives. Unfortunately, the rep’s documentation also included explicit notes as to the expense of each gift and comments that the higher value gifts were for physicians and nurses who referred more business. Partially as a result of this documentation, the ancillary health care provider was forced to make a self-disclosure to the OIG and entered into a five-year Corporate Integrity Agreement, in addition to refunding significant amounts of Medicare reimbursements.

V.  Gifts between Family Members who may be in a Referral Position:

Finally, a question that often arises is whether it is acceptable for an individual who is in a position to benefit from a physician’s referrals to give a gift to a family member who is a physician. This situation often arises with in-laws of physicians who are health care marketing personnel or who own ancillary or downstream health care providers, such as home health agencies or imaging centers. For example, a home health agency owner may wish to give his brother-in-law, a physician, a gift. If the gift is within reasonable limits, is not excessive in kind or value, is of the kind typically exchanged by family members, and there are no other indications of an improper business relationship, I find it hard to believe that the government would prosecute such an act. Thus a sweater is likely acceptable, but a new car is not.

VI.  Final Remarks:

As with many subjects in this arena, intent is key. Accordingly, providers should have a policy in place that deals with gifts. If a practice chooses to accept gifts, a written policy incorporating the above aspects helps establish a lack of improper intent. It also provides staff members with cover when they refuse gifts. If this path is followed, all staff members will have a stress-free holiday season.

Heidi Kocher, Esq. is a health law attorney with the firm, Liles Parker, Attorneys & Counselors at Law.  Liles Parker has offices in Washington DC, Houston TX, McAllen TX and Baton Rouge LA.  Our attorneys represent health care professionals around the country in connection with government audits of Medicaid and Medicare claims, licensure matters and transactional projects.  Need assistance?  For a free consultation, please call: 1 (800) 475-1906.

Cell Tower Ground Lease Renewals and Purchases

(September 15, 2015): A landowner/ground lessor considering a renewal or easement buyout of his cell tower lease is making a MAJOR financial decision. As a businessman (or woman), you understand that. You may also realize that information about what’s “market rent” or “market price” is hard to come by.

Your operator is likely one of the big three public tower companies, American Tower, Crown Castle or SBA Communications (Big Three) – well capitalized and extremely sophisticated in dealing with ground leases. Of course, your lessee is trying to make the best deal for itself.

What’s market? What is a fair or good deal for you the landowner? How can negotiations be positioned to your advantage? In a pinch, what might your lessee ACTUALLY BE WILLING TO PAY to secure your land for the long-term? In addition to price, what terms of a renewal lease are most important to the landowner?

Because data is not readily available about the current market, a landowner should seek industry insight. Andrew C. Lynch, a business attorney at Liles Parker PLLC, has years of experience in the cell tower industry, access to industry data and sources (for all states in the U.S.), and a specialized focus on ground lease renewals. By virtue of years of working collaboratively with clients, Mr. Lynch offers insight and strategic approaches that can position your renewal or buyout negotiations to your advantage.  To make an informed decision, a landowner should consider:

  • The rental stream that the cell tower on your land generates for its Big Three operator

  • What rents the Big Three have recently paid for ground lease renewals (i.e., rent comparables) – the magnitude of price increases may surprise you

  • What amounts have the Big Three paid for lease or easement purchases – you might be pleasantly surprised

  • Whether the cell tower on your property might be relocated or de-commissioned

  • Industry standards for annual rent increases (escalators)

  • Tower industry economics

  • The value of the tower asset to your lessee – generally speaking, a very healthy multiple of net tower cash flow

  • The Big Three’s ROI (return on investment) model and its impact on ground lease renewals or purchases

  • Ground lease aggregators – a competitive threat to which the Big Three are responding

  • The Big Three’s corporate priority of securing tower sites for the long term, and the substantial capital being allocated to that effort

  • Other key lease terms and conditions for a ground lease renewal

The landscape has changed dramatically in the tower industry since your cell tower was put in service. Your land is substantially more valuable to the tower operator than it was many years ago. The wireless industry has taken flight and your Big Three lessee and its dominant customers – AT&T, Verizon, Sprint, etc. – want to retain access to the tower and cellular antennas elevated thereon.

Third-party investment groups may have contacted you about purchasing your ground lease or an easement. These investors are also experienced and sophisticated in the cell tower industry and generally well capitalized. They represent A COMPETITIVE THREAT and the Big Three have responded. For each of the Big Three, securing its ground leases for the long-term, either by renewal or purchase, is a major corporate priority.

The result – IT’S A SELLER’S MARKET for an astute and informed landowner/ground lessor. If you arm yourself with INFORMATION AND A GOOD ADVISOR, you won’t be taken advantage of and can secure a fair and advantageous deal for yourself. And now is a good time, even if your ground lease has years to run.

Of course, if you are like most lessors, you appreciate the ultra dependable rent check that arrives every month — you don’t want to overplay your hand and jeopardize the income stream. We can help you understand and navigate the ample room that you now have to maximize the present value income from your tower site.

Contact Andy Lynch at 202-298-8750 (office) or 703-447-4959 (mobile) for a no-obligation, free telephone consultation about your ground lease renewal or buyout. Or email Mr. Lynch at alynch@lilesparker.com. Or if you prefer, have your local attorney or advisor contact Mr. Lynch.

Pierce the Corporate Veil-Can Healthcare Owners Be Personally Liable?

(March 13, 2015): Owners of healthcare companies often wonder whether the government can pierce the corporate veil and hold the owners personally liable for overpayment claims when facing ZPIC and MAC contractor audits. This rarely happens, but piercing the corporate veil is one way for these contractors to collect overpayment demands. A healthcare provider usually has one or more individual owners, who typically organize the provider as an entity such as a corporation or limited liability company (LLC) specifically to limit each owner’s personal liability. Owners of incorporated health care providers can only be found personally liable for their companies’ debts to the Centers for Medicare & Medicaid Services (“CMS”) in certain very narrow circumstances, one of which is “piercing the corporate veil.”

I.  Will the Government Seek to Pierce the Corporate Veil?

The legal doctrine of piercing the corporate veil allows creditors to reach through the corporate structure and collect their debts from shareholders or similar owners. This doctrine is not unique to healthcare. In fact it is a potential way for all creditors to collect debts from individual entity owners.

CMS and its contractors rarely seek to pierce the corporate veil, and courts also tend to disfavor the practice. Veil piercing depends on facts that by their nature are difficult to prove in court. The burden of proving the facts is always on the creditor. Even though it may be difficult for a creditor to prove these facts exist, it is still important to know how a creditor could pierce a healthcare corporation’s “veil” to prevent individual owner liability. Creditors must prove specific factors to justify imposing liability on owners for a provider’s debts to CMS, including the following:

  1. Defective Incorporation: If the legal statutory requirements for organizing the corporation or LLC are not met, no corporation exists to shield owners from liability.

  2. Ignoring the Separateness of the Corporation: Entering into contracts and otherwise transacting business variously in a corporate name and an individual name can justify piercing the corporate veil. Commingling corporate and individual assets, transferring assets between the provider and an owner without formalities, or transferring assets between the provider and a sister company, can also suggest the owners did not respect the separate nature of the entity, potentially allowing CMS to pierce the corporate veil.

  3. Significant Undercapitalization: A corporation must have a reasonably sufficient amount of capital to pay its expected debts. Undercapitalization is grounds to impose liability on the owners.

  4. Excessive Dividends or Other Payments to Owners: When owners are actually working for a corporation, they can usually pay themselves fair compensation, as long as it is clearly characterized as salary or wages. However, additional dividends and other non-compensation distributions can only be safely taken out by an owner to the extent the distributions reflect profits. If an owner takes non-compensation distributions exceeding profits, these distributions constitute a return of capital and can give rise to an undercapitalization claim by a corporate creditor. If such distributions are made when the corporation is insolvent, the creditors’ claims against the owner will be almost impossible to defend.

  5. Misrepresentation and other Unfair Dealings with Creditors: Deceptive practices such as dishonesty, false statements to corporate creditors, and asset concealment can make owners liable for corporate debts.

  6. Absence or Inaccuracy of Records: If corporate records are missing or inaccurate, this can form a basis to pierce the corporate veil, especially if they hinder a creditor’s collection efforts against the provider.

  7. Failure to Maintain Ongoing Legal Requirements: Each state’s statutes impose annual franchise fees and report-filing requirements on corporations and similar entities. These usually have grace periods and cure provisions, but if they are neglected long enough the corporation or LLC will legally cease to exist, resulting in owner liability.

II.  Case Example:

In United States v. Bridle Path Enterprises, Inc., a Massachusetts federal district court held the owners of a home health agency personally liable for the provider’s Medicare overpayment debt. The provider, Bridle Path, made payments toward the overpayment until it sold all of its assets to another provider. At the time of the sale, $64,807.84 was still outstanding on the overpayment liability. The United States sought to hold Bridle Path’s owners personally liable for the Medicare overpayment under the piercing-the-corporate-veil doctrine. Because of the number of checks Bridle Path had written to its owners, their other home health agency, and their real-estate holding company, the court found that the owners had not treated Bridle Path as a separate corporate entity, pierced the corporate veil, and held the owners liable for the Medicare debt.

III.  Final Remarks:

If any of the factors above exist, CMS and its Medicare contractors can seek to pierce the corporate veil of a healthcare provider’s company and collect debts from the provider’s owners. These circumstances are not typical for health care providers and are easily avoided by maintaining personal owner dealings separate from all entity business.  Do your practice’s day-to-day operations expose you to unnecessary liability?  If your business was assessed a huge fine and forced into bankruptcy, are you 100% confident that you, as the owner, will be free of individual liability? If you have any questions about this or any other health law issue, call 1-800-475-1906 for a complimentary consultation.

The attorneys at Liles Parker, Attorneys & Counselors at Law represent health care suppliers and providers around the country. We specialize in regulatory compliance reviews, Medicare audits, HIPAA Omnibus Rule risk assessments, privacy breach matters, and State Medical Board inquiries. If you have any questions about healthcare provider liability, contact us at:  1 (800) 475-1906.

False Claim Act Whistleblower Cases Are Rising

(March 3, 2015): The federal False Claims Act (FCA), 31 U.S.C. §§ 3729 – 3733, is the primary civil enforcement tool utilized by the U.S. Department of Justice (DOJ). Enacted in 1863, this Civil War era statute was passed by Congress in an effort to address the fraudulent acts of government contractors providing goods and services to the Union Army. While originally passed to deter government military contracting fraud, the scope and use of the statute has greatly expanded over the last 150 years. False Claims Act whistleblower cases are rising, along with the variety of allegations of health care fraud made against individuals and entities. The purpose of this article is to examine the impact, if any, of the passage of the Patient Protection and Affordable Care Act (Affordable Care Act) on the number of health care “qui tam” (also commonly referred to as “whistleblower”) cases that have been filed under the federal False Claims Act.

I.  Impact on the False Claims Act – Passage of the Affordable Care Act:

On March 23, 2010, President Obama signed the Affordable Care Act into law. While the primary purpose of the 906 page legislation was to make health care insurance accessible and affordable for millions of uninsured Americans, the law also introduced a number of fundamental changes to the False Claims Act. Several of these important changes are outlined below:

  • The Affordable Care Act Amended the Definition of Two Key Terms Under the False Claims Act.

Under the Affordable Care Act, the False Claims Act’s public disclosure bar was amended and narrowed. The definition of “public disclosure” was revised so that a qui tam relator may bring a whistleblower action based on allegations that have previously been disclosed in certain government or private litigation, as long as the relator meets the statute’s “original source” requirements.

Prior to the passage of the Affordable Care Act, if a qui tam relator sought to bring an action based on public disclosures, the relator was required to qualify as an “original source,” meaning that the relator had to have “direct and independent knowledge” of the facts alleged to constitute violations of the False Claims Act and had to have provided that information to the government prior to filing suit.   Under the Affordable Care Act, a qui tam relator is now only required to have “knowledge that is independent of and materially adds to the publicly disclosed allegations . . .”  As you can imagine, this change makes it significantly easier for an individual to meet the False Claims Act’s original source requirements.

Ultimately, the changes the Affordable Care Act made to the False Claims Act’s public disclosure bar and original source doctrine have made it easier for a relator to file a case involving public disclosure issues.

  • The Affordable Care Act Defines Improperly Held Overpayments as an “Obligation,” Within the Meaning of the False Claims Act.

Under the Affordable Care Act, a health care provider’s liability under the False Claims Act was significantly broadened to cover identified “overpayments” that are improperly retained for more than 60 days. More specifically, 42 U.S.C. § 1320a-7k(d) defines “overpayments” as Medicare or Medicaid funds received or retained to which a person is not entitled, after applicable reconciliation. Overpayments must be reported and returned to the government (typically to a Medicare Administrative Contractor) within 60 days of identification. Should a health care provider fail to return an overpayment within the statutorily required period, the overpayment becomes an “obligation” within the meaning of the False Claims Act, thereby subjecting the provider to liability under that statute.

  • The Affordable Care Act Makes it Clear that a Violation of the Federal Anti-Kickback Statute May Also Constitute a Violation of the False Claims Act.

As set out in §6402(f)(1) of the Affordable Care Act, any claims constituting a violation of the federal Anti-Kickback Statute (42 U.S.C. §1320a-7b(b)) qualify as “claims” for purposes of the False Claims Act (31 U.S.C. §§ 3729 et seq.). In addition to this fundamental change, the Affordable Care Act also arguably lowers the scienter and intent standards required for a violation of the Anti-Kickback Statute. As §6402(f)(2) of the Affordable Care Act provides, in order for an individual or entity to commit a violation of the federal health care Anti-Kickback Statute “a person need not have actual knowledge of this section or specific intent to commit a violation of this section.”

II.  False Claims Act Whistleblower Cases are Growing:

Collectively, the changes set out above make it much easier for both a relator and the government to bring a False Claims Act case against a health care provider or supplier. Notably, the number of new health care qui tam cases filed in 2010 (the Affordable Care Act was signed into law on March 23, 2010) rose to 385, a new high at that point in time. In FY 2013, the number of health care qui tam cases reached an all-time high of 501 cases. While there was a slight drop (to 469 cases) in the number of health care qui tam cases filed in FY 2014, all indications are that FY 2015 may again challenge the record set in FY 2013.

III. Overview of the False Claims Act’s Qui Tam Provisions:

One of the most unique elements of the False Claims Act is that it authorizes private parties having direct knowledge of fraudulent conduct to bring a civil suit (on behalf of the government) against an individual or entity that has violated the statute. These civil suits are known as “qui tam” actions, and the private parties who initiate such actions are called “relators”. Qualified relators may share in any monies recovered as a result of their qui tam action.[1]

A qui tam action is initiated when a relator files a Complaint – along with supporting documentation – “under seal” in federal court. When a case is filed under seal, it means that all records associated with the whistleblower are maintained on a non-public docket by the Clerk of the Court. A copy of the complaint is given to the judge assigned to the case. The relator’s attorney also serves a copy of the complaint on the Attorney General in Washington, D.C. and on the U.S. Attorney in the federal judicial district in which the case has been filed.[2] By statute, the government is initially given 60 days to evaluate whether to “intervene” in the qui tam case that has been brought against the defendant. In almost all cases, the government will seek an extension to allow it an opportunity to further investigate the allegations. After showing “good cause” for an extension, most federal courts readily grant the government’s request for an extension. It is not at all uncommon for a qui tam to remain under seal for over a year (and often much longer) while the government reviews the allegations. The seal is important for several reasons:

  • The government can quietly investigate the allegations without the defendant knowing that their company is under investigation.

  • The mere existence of a government investigation can be devastating on the public’s view of a company. Moreover, if a company is publicly-traded, the publicity surrounding a government investigation can severely affect the price of a company’s stock—despite the fact that the allegations at issue have not been investigated or proven at this point in the process.

After concluding its evaluation, the government may elect to proceed with the complaint and intervene in the case or it may decline to intervene. If the government decides to intervene in the action, then the relator has the right to remain a party to the action. If the government decides not to intervene in the case, the qui tam relator may elect to proceed on his or her own against the defendant. Notably, the government always retains the ability to intervene in the case at a later time. From a practical standpoint, if the government decides not to intervene in a case, in all likelihood the relator will seek to dismiss the suit. Unlike the government, a relator’s ability to investigate a False Claims Act case is quite limited, both in terms of resources and in terms of investigative tools. As a result, the government’s decision to decline to intervene severely impacts a relator’s ability to move forward with the case.

IV.  What Can You Do to Reduce the Likelihood of a False Claims Act Whistleblower Case:

In light of the changes made by the Affordable Care Act outlined above, it is imperative that health care providers and suppliers comply with all applicable medical necessity, documentation, coding and billing regulations. An effective Compliance Program can serve as an invaluable tool and can greatly assist providers and suppliers in their efforts to stay within the four corners of the law. As Supreme Court Justice Oliver Wendell Holmes wrote:

“Men must turn square corners when they deal with the Government.”[3]

Effectively, Justice Holmes’ comment serves as a continuing caution for individuals and entities who participate in government programs. Unfortunately, it isn’t always that easy for a health care provider or supplier to determine whether an overpayment exists, especially in complex cases where a patient has secondary insurance and/or the number of claims processed (as charges, credits, and corrections) may be quite large. Additionally, due to the complexity of Medicare coverage and payment rules, two reasonable individuals may disagree as to whether an overpayment is present. Despite the fact that two reasonable minds may disagree on whether an overpayment exists, the fact remains that a health care provider or supplier is ultimately responsible for repaying any overpayments due to the government. In order to avoid potential False Claims Act liability, it is imperative that you fully research any outstanding issues and determine the scope of any overpayment to be reported and repaid to the government.

V.  Final Remarks:

An effective compliance plan can assist in the identification and proper handling of overpayments, thereby reducing the provider’s risk of committing a violation of the False Claims Act. Health care providers and suppliers should review their current Compliance Plan to better ensure that internal audit and review mechanisms are in place so that any overpayments can be readily identified and repaid to the government within the 60-day deadline. The decision of whether to disclose and return an overpayment, and whether to do so to a MAC, the Department of Health and Human Services – Office of Inspector General (HHS-OIG), or the Department of Justice (DOJ), may differ depending on the facts. Depending on the size or complexity of an overpayment, a health care provider may need to contact legal counsel for advice on how best to handle a specific overpayment. Because of the 60-day deadline, if legal counsel is to be involved, they should be contacted as soon as possible.

Robert W. Liles serves as Managing Partner at Liles Parker. Robert has worked in health care administration since 1984 and previously served as “National Health Care Fraud Coordinator” for the Executive Office of U.S. Attorneys, Department of Justice. Robert has extensive experience working on False Claims Act matters and cases. For a free consultation on your case, you may call Robert at: 1 (800) 475-1906.

[1] Relators can receive between 15% and 25% of any recovery in a qui tam action where the government has intervened in the case. In a non-intervened case, a relator may recover up to 30%. Consequently, there is a tremendous financial incentive to file and pursue these types of actions.

[2] The relator must also serve a “disclosure statement” on DOJ (normally, it is provided to the U.S. Attorney’s Office) which sets out the evidence that the relator has in support of the allegations set out in his/her Complaint. This statement is not filed with the Complaint.

[3] Rock Island, Ark. & La. R.R. v. United States, 254 U.S. 141, 143 (1920). As Supreme Court Justice Felix Frankfurter later commented, this statement “does not reflect a callous outlook. It merely expresses the duty of all courts to observe the conditions defined by Congress for charging the public treasury.” Federal Crop Ins. Corp. v. Merrill, 332 U.S. 380, 385 (1947).

OIG Proposes New Anti-Kickback Law Safe Harbors

(November 10, 2014): The U.S. Department of Health and Human Services Office of Inspector General (“OIG”) recently published a Proposed Rule that would amend the safe harbor regulations under the Federal Anti-Kickback statute[1] (“AKS”) as well as add new safe harbors. The Proposed Rule would also establish new exceptions to the Civil Monetary Penalty (“CMP”) statute related to the beneficiary inducement CMP.[2] OIG will accept comments on the Proposed Rule by mail or electronically until December 2, 2014 at 5 p.m. (Eastern).

I.  The Anti-Kickback Statute and Safe Harbor Regulations:

The AKS provides criminal penalties for individuals or entities that knowingly and willfully offer, pay, solicit, or receive remuneration in order to induce or reward the referral of business reimbursable under Federal health care programs. The types of remuneration covered specifically include, but are not limited to, kickbacks, bribes, and rebates, whether made directly or indirectly, overtly or covertly, in cash or in kind. Additionally, prohibited conduct includes not only the payment of remuneration intended to induce or reward referrals of patients, but also the payment of remuneration intended to induce or reward the purchasing, leasing, or ordering of, or arranging for or recommending the purchasing, leasing, or ordering of, any good, facility, service, or item reimbursable by any Federal health care program.

Due to the broad reach of the statute, interested parties expressed concern that some relatively innocuous commercial arrangements would be covered by the statute. This could, in turn, potentially subject entities to unwarranted criminal prosecution. As a result, Congress directed HHS to promulgate “safe harbor” regulations, which OIG has issued and periodically amended. These regulations describe various payment and business practices that, although they potentially implicate the Federal AKS, are not treated as offenses under the statute.

II.  Changes to the Anti-Kickback Statute:

The Proposed Rule would modify certain existing safe harbors under the AKS as well as add new safe harbors that provide new protections or codify certain existing statutory protections. These changes include:

      • A technical correction to existing safe harbor for referral services;
      • Protection for certain cost-sharing waivers, including pharmacy waivers of cost-sharing for financially needy Medicare Part D beneficiaries and waivers for state- or municipality-owned emergency ambulance services;
      • Protection for certain remuneration between Medicare Advantage organizations and federally qualified health centers;
      • Protection for discounts by manufacturers on drugs furnished to beneficiaries under the Medicare Coverage Gap Discount Program; and
      • Protection for free or discounted local transportation services that meet specified criteria.

III.  Changes to the Beneficiary Inducement CMP:

The Beneficiary Inducement CMP statute generally prohibits any person or entity from offering remuneration to a Medicare or Medicaid beneficiary if that remuneration is likely to influence the beneficiary’s selection of a provider. The Proposed Rule would also amend and narrow the definition of “remuneration” to include certain exceptions for the following:

  • Copayment reductions for certain hospital outpatient department services
  • Certain remuneration that poses a low risk of harm and promotes access to care;
  • Coupons, rebates, or other retailer reward programs that meet specified requirements;
  • Certain remuneration to financially needy individuals; and
  • Copayment waivers for the first fill of generic drugs.

OIG also proposes to codify the gainsharing CMP[3]. The gainsharing CMP prohibits a hospital from knowingly paying, either directly or indirectly, a physician to induce the physician to reduce or limit the services provided to Medicare or Medicaid beneficiaries under the physician’s direct care. The Proposed Rule would narrow the prohibition in light of today’s health care landscape, which focuses on “accountability for providing high quality care at lower costs.”

IV.  Conclusion:

Health care providers should be interested in the Proposed Rule and make comments as necessary. The Proposed Rule makes pertinent changes to the AKS Safe Harbors and CMP laws that should give providers greater leeway to enter into beneficiary arrangements without fear that they will be subject to criminal penalties under the statutes. In a sense, the Proposed Rule follows OIG’s ongoing efforts to adopt regulations that promote lower costs and greater health care services while protecting patients and federal health care programs from fraud and abuse.

As a provider, if you have any questions about the current Anti-Kickback Statute safe harbor regulations or the proposed changes, please do not hesitate to give us a call today. We would be more than happy to assist you so that you remain compliant with all federal statutes and regulations addressing potentially fraudulent activity.

Robert Saltaformaggio, Esq., serves as an Associate at Liles Parker, Attorneys & Counselors at Law.  Liles Parker attorneys represent health care providers and suppliers around the country in connection with Medicare audits by RACs, ZPICs and other CMS-engaged specialty contractors.  The firm also represents health care providers in HIPAA Omnibus Rule risk assessments, privacy breach matters, State Medical Board inquiries and regulatory compliance reviews.  For a free consultation, call Robert at:  1 (800) 475-1906

[1] 42 U.S.C. § 1320a-7b(b).

[2] 42 U.S.C. § 1320a-7a.

[3] 1128A(b)(1) of the Social Security Act.

The HIPAA / HITECH Omnibus Final Rule is Here! Is Your Health Care Organization Complying with the Rules?

Final HIPAA Omnibus Rule(September 23, 2013):  Effective today, all covered entities and business associates must comply with the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule. Please keep in mind, the Final Omnibus Rule is 138 pages long.

If you have not already read these new requirements, we strongly recommend that all covered entities, business associates and any affected subcontractors carefully review and adhere to these requirements.  Summaries of these modifications may not fully address specific points which apply to your organization.

I.          Overview:

The Omnibus Final Rule contains some of the most significant changes to the HIPAA Privacy and Security rules since their inception.  The new rule also strengthens the ability of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to enforce the rules and levy fines for any violations.  The following article is intended to provide a brief synopsis of this new rule and outline how covered entities (such as your Physician Practice, Home Health Agency or Hospice) need to review their actions to better ensure that they are fully complying with the privacy, security and breach notification requirements which are now required.

II.         HIPAA/HITECH Omnibus Final Rule: 

On January 25, 2013, HHS issued a final rule[1] to modify the HIPAA Privacy, Security, and Enforcement Rules.  This final rule implemented statutory amendments under the Health Information Technology for Economic and Clinical Health Act (HITECH) in order to strengthen the privacy and security protection for individuals’ health information, modify the rule for Breach Notification for Unsecured Protected Health Information (Breach Notification Rule) under the HITECH Act, modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA), and make other modifications to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (HIPAA Rules) to improve their workability and effectiveness and to increase flexibility for and decrease burden on the regulated entities.

More specifically, the final rule is comprised of four individual final rules.  These rules:

1.  Modify the HIPAA Privacy, Security, and Enforcement Rules mandated by the HITECH Act, as well as certain other modifications that improve the Rules. These modifications:

  • Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements;
  • Strengthen the limitations on the use and disclosure of protected health information (PHI) for marketing and fundraising purposes, and prohibit the sale of PHI without individual authorization;
  • Expand individuals’ rights to receive electronic copies of their health information and restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full;
  • Require modifications to, and redistribution of, a covered entity’s notice of privacy practices (for examples, see Section VI below);
  • Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others; and
  • Adopt additional HITECH Act enhancements to the Enforcement Rule, such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.

2.  Adopt changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act.

3.  Finalize the Breach Notification for Unsecured PHI under the HITECH Act, which replaces the breach notification rule’s “harm” threshold with a more objective standard.

4.  Modify the HIPAA Privacy Rule as required by the GINA to prohibit most health plans from using or disclosing genetic information for underwriting purposes.

While the final rule took effect on March 26, 2013, all covered entities and business associates must comply with the applicable requirements of the final rule by September 23, 2013.

III.              New HIPAA Rules Apply to Covered Entities and Business Associates:

Individuals, organizations, and agencies that meet the definition of a “covered entity”[2] under HIPAA must comply with the Rules’ requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information.

More importantly, if a covered entity engages a “business associate” to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate.  This agreement must specifically state the work the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of PHI.

In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.  Specifically, business associates will be directly liable for:

  • Impermissible uses and disclosures of individual PHI (including using or disclosing more information than is minimally necessary);
  • Failing to comply with the Security Rule;
  • Failing to provide breach notification to the covered entity, or, if a subcontractor, to the business associate above;
  • Failing to provide electronic access as provided in the business associate agreement;
  • Failing to disclose PHI to HHS in response to compliance and enforcement actions; and
  • Failing to provide HITECH accounting, as necessary.

IV.        What is a “Business Associate”?

A “business associate”[3] is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.  A business associate also includes any subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.

As discussed above, HIPAA Rules generally require that covered entities and business associates enter into contracts to ensure that the business associates will appropriately safeguard PHI.  These contracts also serve to clarify and limit, as necessary, the permissible uses and disclosures of PHI by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate.  A business associate may use or disclose PHI only as permitted or required by its business associate contract or as required by law.

Importantly, a business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of PHI that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.

V.         Business Associate Agreements Between Covered Entities and Business Associates:

Based on the new rules, all covered entities should check to ensure that an updated business associate agreement between the covered entity and each of its business associates has been put into place.  If it appears that an updated business associate agreement has already been put into place, check it to ensure that it includes the following provisions:

  1. Establishes the permitted and required uses and disclosures of PHI by any business associates;
  2. Provides that business associates will not use or further disclose the information other than as permitted or required by the contract or as required by law;
  3. Requires that business associates implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information;
  4. Requires that business associates report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information;
  5. Requires business associates to disclose PHI as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their PHI, as well as make available PHI for amendments (and incorporate any amendments, if required) and accountings;
  6. To the extent that a business associate is to carry out a covered entity’s obligation under the Privacy Rule, the agreement must require that the business associate comply with the requirements applicable to the obligation;
  7. Requires that business associates make available to HHS its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule;
  8. At termination of the contract, if feasible, requires that a business associate return or destroy all PHI received from, or created or received by the business associate on behalf of, the covered entity;
  9. Requires that a business associate ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information; and
  10. Authorizes termination of the contract by the covered entity if the business associate violates a material term of the contract.  Contracts between a business associate and other business associates (that are essentially subcontractors) must also be subject to these same requirements.

If an updated business associate agreement has not been implemented, please take steps to have one completed immediately.  A Sample Business Associate Agreement which incorporates the January 2013 changes has been published on OCR’s website. Furthermore, the rules allow a business associate to continue to operate under existing business associate agreements up and until 09/22/14, under conditions that:

  • Prior to the 01/25/13 publication date, the covered entity and its business associate had an existing written business associate agreement with prior HIPAA provisions; AND
  • The business associate agreement has not been renewed or modified between the 04/26/13 effective date and the 09/23/13 compliance date.

VI.        Notice of Privacy Practices (NPP):

If you have not already done so, it is imperative that you immediately update the “Notice of Privacy Practices” (45 CFR 164.520) being used by your practice or organization. To their credit, OCR recently published several examples of what they consider to be a “clear, accessible notice that. . . patients. . .can understand.”  OCR has published the following three examples that may be used by a covered entity to notify patients of their rights and the organization’s privacy practices.  These examples include:

NPP Booklet – HC Provider

NPP Layered – HC Provider

NPP Full Page – HC Provider

NPP HC Provider – Text Version

VII.       The  HIPAA Security Rule: 

The HIPAA Security Rule[4] requires that covered entities implement “administrative, technical, and physical safeguards” to ensure the confidentiality, integrity, and availability of electronic PHI.  The Rule also requires those entities to protect against anticipated disclosures and threats to the security of information.  “Electronic PHI,” or “ePHI” refers to all individually identifiable health information a covered entity or business associate creates, receives, maintains, or transmits in electronic form.

Under the new final rule, business associates are now directly liable themselves for complying with the Security Rule. Therefore, these organizations should review the Security Rule Guidance Material[5] provided by HHS and implement policies and procedures in much the same manner as a covered entity.

  • Security Risk Assessment

Like covered entities, business associates must assess their security risks. A business associate must perform its own security risk analysis[6] to determine what the organization must do to address its security policies, procedures, and workforce training under HIPAA.  The foundation for this process is compliance, tailored to the organization’s own practice.  Its size, complexity, and capabilities, in addition to the risks and costs of conducting this analysis and taking appropriate action, must all be considered.  This allows the organization to meet those standards that are “required” and to determine whether an “addressable” standard applies.  For this assessment, covered entities and business associates should broadly inquire into:

  • Designing an appropriate personnel screening process;
  • Identifying specific data that must be backed up and how to execute that process;
  • Implementing encryption methods for ePHI;
  • Classifying what data must be authenticated in particular situations in order to protect data integrity;
  • Designing written policies, procedures, and required notices; and
  • Developing requisite training tools for these purposes.

Based on this risk assessment, your organization needs to implement certain security standards that can be divided into administrative, physical, and technical safeguards.

  • Administrative Safeguards  

The Omnibus requirements mandate that business associates implement administrative safeguards in compliance with the HIPAA Security Rule.  Administrative safeguards[7] include “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”[8] Generally, these are the administrative functions that should be implemented to meet the fundamental security standards.  They focus on workforce training and contingency planning.

Business associates should keep in mind that the most important administrative safeguards are risk analysis and risk management.  Because both of these processes are “required,” a business associate should execute a critical and thorough risk analysis before undertaking subsequent regulatory compliance measures.  A business associate should also implement the following additional “required” administrative safeguards:

  • Sanction policy for employee noncompliance.
  • Tracking security “incidents” and documenting policies and procedures for dealing with incidents. Resulting harm must be mitigated.
  • Appointment of a security officer.
  • Allowing employee access to ePHI only where appropriate, and putting policies in place to prevent unauthorized persons from gaining access.
  • Training employees on security issues, scaled to the organization’s size.
  • Implementing contingency plans for emergencies that damage systems with ePHI, including provisions for data backup, a recovery plan and a mode for continuing critical business processes for the protection of the security of ePHI during emergency operation.
  • Ensuring that periodic evaluations of security preparedness are conducted.

Again, these standards and implementation specifications pertain to administrative functions, such as the policies and procedures that must be in place for the management and execution of security measures, and are just the first set of safeguards that must be implemented.

  • Physical Safeguards  

Physical safeguards[9] incorporate the mechanisms, policies, and procedures required to protect electronic systems, as well as equipment and the data contained therein, from threats, environmental hazards, and unauthorized intrusion.  These safeguards include restricting access to ePHI and retaining off-site computer backups.

Covered entities and business associates must ensure that ePHI and the computers which house that private information are protected from unauthorized access.  Covered entities and business associates should also recognize that some of the requirements to be implemented as physical safeguards can be accomplished through the use of electronic security systems.  Possible approaches include, but are not limited to:

  • Establishing a policy for the appropriate use, physical attributes of and security for workstations that access ePHI.
  • Establishing policies dictating the procedures for the addition, disposal, or reuse of hardware or electronic media that contains ePHI.

After successfully implementing these, and other, standards and protections, an organization will be able to protect those covered entities’ ePHI from natural and environmental hazards, as well as unauthorized intrusion.  

  • Technical Safeguards  

Finally, the new Omnibus Rule also requires that business associates implement technical safeguards[10].  Generally, these types of safeguards are the automated processes used to protect data and control access to data.  For example, they include using authentication controls to verify that the person signing onto a computer is authorized to access that ePHI, or encrypting and decrypting data as it is being stored and/or transmitted.

Covered entities and business associates should review and implement the following “required” technical safeguards (as appropriate):

  • Policies that limit software program access to only those with authorized access. Organizations should also provide their employees with unique log-ins and ensure that automatic log-offs cannot be utilized.  Further, they should implement procedures for obtaining necessary ePHI during an emergency.
  • Maintaining activity logs (or “audit logs”) of all systems that contain ePHI.
  • Policies to protect ePHI from alteration and destruction.
  • Procedures to verify the identity of those seeking access to ePHI.
  • Protection for the transmission of ePHI over a network through technical security policies.
  • While encryption is only an “addressable” standard, a business associate should strongly consider using encryption to protect ePHI.

Importantly, each covered entity and business associate must also analyze their administrative, physical, and technical factors so that safeguards can be implemented to protect the integrity of PHI.   

  • Documentation Requirements

A proper risk assessment and all subsequent compliance measures must include proper documentation procedures.  Therefore, a business associate must ensure that all compliance activities are documented accordingly and retained for six years.  Business associates need to recognize that policies and procedures must be amended as further regulations and policies require.  Therefore, business associates should conduct periodic reviews of their policies, document those reviews, and take any appropriate actions when changes in the security environment of ePHI are needed.

VIII.      Business Associates and the Privacy Rule: 

The HIPAA Privacy Rule restricts covered entities’ use and disclosure of an individual’s PHI.  For example, providers who transmit PHI electronically in a HIPAA Standard Transaction, such as by filing electronic claims or checking eligibility electronically even if they are using a third party such as a billing service or clearinghouse, become a “covered entity”.  They are then bound by HIPAA and its requirements. Under the final rule, certain privacy changes have been enacted that impact business associates.

However, the HITECH Act does not impose all of the Privacy Rule obligations on business associates.  A business associate is subject to direct enforcement of the HIPAA Privacy obligations and penalties in the same manner as a covered entity, but only to the extent required under the HITECH Act – not the HIPAA Privacy Rule itself.

Both covered entities and business associates must ensure that any disclosure of PHI is kept to limited data sets or minimum amounts of information as necessary.  Furthermore, those covered entities that a company has a business associate agreement with must honor any and all requests by an individual to restrict disclosure of PHI to a Health Plan if the individual pays for the associated service out-of-pocket in full.  The business associate must also acknowledge that the sale of PHI is prohibited unless authorized by the individual, and certain marketing communications require additional authorizations. 

IX.        The HIPAA Breach Notification Rule: 

The Breach Notification Rule requires covered physician practices to notify affected individuals, the Secretary of HHS and, in some cases, the media when they discover a breach of a patient’s unsecured PHI.

Business associates must now comply with breach notifications procedures under the new HIPAA Omnibus Rule.  If a breach of unsecured PHI occurs, a business associate must notify the covered entity following the discovery of the breach.  Discovery of a breach is when the business associate “knew or should have known” of the incident.

Furthermore, any business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach.  To the extent possible, a business associate should also provide each covered entity with the identification of each individual affected by the breach, as well as any information required to be provided by the covered entity in its notification to the affected individual(s).

Under the new Omnibus rules, breaches are now presumed reportable unless, after an organization has completed a risk analysis, it is determined that there is a “low probability of PHI compromise.” To conduct this analysis, covered entities and business associates must consider the following four factors:

  1. The nature and extent of the PHI involved – an organization should consider issues such as the sensitivity of the information from a financial or clinical perspective and the likelihood the information can be re-identified;
  2. The person who obtained the unauthorized access and whether that person has an independent obligation under HIPAA to protect the confidentiality of the information;
  3. Whether the PHI was actually acquired or accessed, determined after conducting a forensic analysis; and
  4. The extent to which the risk has been mitigated, such as by obtaining a signed confidentiality agreement from the recipient.

Covered entities and business associates must keep in mind that this rebuttable presumption of breach and four-factor assessment of the “risk of PHI compromise” replaces HIPAA’s previous, more subjective “significant risk of financial, reputational or other harm” safe harbor analysis for establishing a breach. The new rules further clarify that there is no need to have an independent entity conduct the risk assessment and, indeed, that no risk assessment need be conducted at all if the breach notification is made.  Nevertheless, a business associate must in any case undertake an appropriate review and take steps to mitigate the harm and reduce the likelihood of future breaches as necessary.

Finally, both covered entities and business associates must implement “Breach Notification Policies and Procedures,” workforce training, and associated documentation procedures on how to document and handle breach incidents.

X.         Government Audits:

Under the new rule, HHS will be performing audits to ensure that covered entities and business associates are fully complying with the HIPAA Privacy, Security and Breach Notification requirements. Notably, HHS-OCR, the federal agency within HHS with oversight over HIPAA privacy, security and breach notification requirements, has established a comprehensive audit protocol that covered entities and business associates should consider when reviewing and updating their HIPAA compliance plans. The OCR audit protocol contains 170 audit areas (79 Security Rule, 10 Breach Notification Rule and 80 Privacy Rule provisions) covering all of the following:

  • Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures;
  • Security Rule requirements for administrative, physical, and technical safeguards; and
  • Breach Notification Rule requirements.

The safeguards that covered entities and business associates ultimately implement should withstand the scrutiny of an HHS-OCR audit, if such an audit is ever conducted.[11]

XI.        Penalties: 

It is imperative that covered entities, business associates and their staffs understand that a failure to comply with HIPAA can result in significant civil and criminal penalties.

  • Civil Penalties

The HITECH Act established a tiered civil penalty structure for HIPAA violations. The Secretary of HHS still has discretion in determining the amount of the penalty based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation.  Nevertheless, the Secretary is still prohibited from imposing civil monetary penalties (CMPs) (except in cases of willful neglect) if the violation is corrected within 30 days (a time period that may be extended).  Furthermore, HHS may waive a CMP in whole or in part in some situations.  Moreover, HHS may not impose a civil money penalty if a criminal penalty has been imposed.

HIPAA Violation | Penalty Range | Annual Maximum
--- | --- | ---
Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA. | $100 – $50,000 per violation | $1.5 million
Individual “knew, or by exercising reasonable diligence would have known” of the violation, but did not act with willful neglect. | $1,000 – $50,000 per violation | $1.5 million
HIPAA violation due to willful neglect but violation is corrected within the required time period. | $10,000 – $50,000 per violation | $1.5 million
HIPAA violation is due to willful neglect and is not corrected. | $50,000 per violation | $1.5 million

Under the new HIPAA Omnibus Rule, HHS must conduct a formal investigation and impose civil monetary penalties in cases involving willful neglect.  HHS may also provide PHI to other government agencies for enforcement activities. The assessment of penalties must be based on five principal factors:

  1. The nature and extent of the violation, including the number of individuals affected,
  2. The nature and extent of the harm resulting from the violation, including reputational harm,
  3. The history and extent of prior compliance,
  4. The financial condition of the covered entity or business associate, and
  5. Such other matters as justice may require.

The number of violations may be based on the number of individuals affected or on the number of days of non-compliance. Finally, the HIPAA Omnibus Rule clarifies that the 30-day cure period begins when the individual knew or should have known of the violation.

  • Criminal Penalties 

Both covered entities and business associates must recognize that criminal penalties under the new Omnibus Rule are quite severe.  Covered entities and specified individuals, as outlined below, who “knowingly” obtain or disclose individual PHI in violation of the HIPAA requirements face a fine of up to $50,000, in addition to imprisonment of up to one year. Furthermore, offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000 and imprisonment for up to 10 years.

  • Covered Entity and Specified Individuals

The DOJ has determined that the criminal penalties for a violation of HIPAA are directly applicable to covered entities—including health plans, health care clearinghouses, health care providers who transmit claims in electronic form, and Medicare prescription drug card sponsors. Individuals such as directors, employees, or officers of the covered entity, where the covered entity is not an individual, may also be directly criminally liable under HIPAA in accordance with principles of “corporate criminal liability.” Where an individual of a covered entity is not directly liable under HIPAA, they can still be charged with conspiracy or aiding and abetting.

  • Knowingly

The DOJ interprets the “knowingly” element of the HIPAA statute for criminal liability as requiring only knowledge of the actions that constitute an offense.  Specific knowledge of an action being in violation of the HIPAA statute is not required.

  • Exclusion

HHS has the authority to exclude from participation in Medicare any covered entity that was not compliant with the transaction and code set standards by October 16, 2003 (where an extension was obtained and the covered entity is not small).[12]

  • Enforcing Agencies

The HHS OCR enforces the privacy and security rules, while the Centers for Medicare & Medicaid Services (CMS) enforces the transaction and code set standards.

  • No Private Cause of Action

While HIPAA protects the health information of individuals, it does not create a private cause of action for those aggrieved (meaning an individual cannot take legal action against a covered entity for a HIPAA violation based on the HIPAA law). State law, however, may provide other theories of liability.

XII.       Conclusion: 

The new HIPAA Omnibus Rule includes a set of final regulations modifying the HIPAA Privacy, Security, and Enforcement Rules to implement various provisions of the HITECH Act. These rules are quite complex and mandate numerous new policies, procedures, and safeguards that both covered entities and business associates must implement in order to safeguard individuals’ PHI.  Both covered entities and business associates must thoroughly analyze the risks involved with maintaining and protecting the PHI they receive from patients (in the case of covered entities) and from covered entities (in the case of a business associate), so that they can fully comply with applicable statutory and regulatory requirements.

Robert W. Liles is Managing Partner at the health law firm of Liles Parker PLLC.  Our firm represents physicians, home health agencies, hospices, skilled nursing facilities and other health care providers around the country in connection with HIPAA, compliance and a full range of other health care transactional projects.  Should you have a question, please feel free to give us a call.  For a complimentary initial consultation, please call Robert at: 1 (800) 475-1906.

[1] http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf 

[2] See 45 CFR 160.103 for the definition of a “covered entity”.

[3] See Id.

[4] See 45 CFR 160 and 164.

[5] http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html

[6] A business associate may utilize NIST SP 800-30 as an initial starting point.

[7] See 45 CFR § 164.308 for more detailed information on administrative safeguards.

[8] 45 CFR § 164.304

[9] See 45 CFR § 164.310 for more detailed information on physical safeguards.

[10] See 45 CFR § 164.312 for more detailed information on technical safeguards.

[11] HHS OCR’s HIPAA Audit Program Protocol is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html. 

[12] 68 FR 48805

Record FCA Recoveries Were Collected by the Government in 2012

FCA Recoveries in 2012 Were a New Record. (February 12, 2013): The civil False Claims Act is the primary civil enforcement tool used by the U.S. Department of Justice.  As discussed below, the False Claims Act is an extraordinarily useful statute for government prosecutors, both in terms of ease of use and in terms of the damages which may be recovered by the government.


I.   Overview of the False Claims Act:

As set out below, the civil False Claims Act imposes civil monetary penalties and will expose a person to civil liability under the circumstances below:

Sec. 3729.  False claims 

(a) Liability for Certain Acts—any person who: 

(1) Knowingly presents, or causes to be presented, to an officer or employee of the United States Government or a member of the Armed Forces of the United States a false or fraudulent claim for payment or approval; 

(2) Knowingly makes, uses, or causes to be made or used, a false record or statement to get a false or fraudulent claim paid or approved by the Government; 

(3) Conspires to defraud the Government by getting a false or fraudulent claim allowed or paid; 

(4) Has possession, custody, or control of property or money used, or to be used, by the Government and, intending to defraud the Government or willfully to conceal the property, delivers, or causes to be delivered, less property than the amount for which the person receives a certificate or receipt; 

(5)  Authorized to make or deliver a document certifying receipt of property used, or to be used, by the Government and, intending to defraud the Government, makes or delivers the receipt without completely knowing that the information on the receipt is true; 

(6) Knowingly buys, or receives as a pledge of an obligation or debt, public property from an officer or employee of the Government, or a member of the Armed Forces, who lawfully may not sell or pledge the property; or 

(7) Knowingly makes, uses, or causes to be made or used, a false record or statement to conceal, avoid, or decrease an obligation to pay or transmit money or property to the Government, 

. . . is liable to the United States Government…  

II.  What is Not Covered Under the False Claims Act:

It is essential to keep in mind that the civil False Claims Act does not cover mistakes, accidents, or mere negligence.  Unfortunately, the line separating an honest billing “mistake” from a reckless or deliberately indifferent billing practice, which could give rise to an action under the False Claims Act, is not always easy to discern.  In an effort to provide additional guidance to DOJ attorneys on the judicious use of the False Claims Act, DOJ has issued guidance setting out a number of factors to be considered when pursuing a False Claims Act case.

III.  Damages Under the Civil False Claims Act:

A “person” (which covers individuals, physician practices, home health agencies, hospice agencies, third-party billing companies, ambulance companies, hospitals, skilled nursing facilities and other health care providers) found to have violated this statute is liable for civil penalties in an amount of not less than $5,500 and not more than $11,000 per false claim, as well as up to three times the amount of damages sustained by the government.

IV.   What is the Involvement of the U.S. Department of Justice?

While attorneys in DOJ’s Civil Division in Washington, D.C. are likely to be involved in most of the larger, more complex cases under the False Claims Act, it is important to remember that a “Civil Health Care Fraud Coordinator” has been appointed in each of the 94 U.S. Attorney’s Offices around the country. Assistant U.S. Attorneys are highly trained and experienced in handling False Claims Act cases and will readily file a case against a health care provider in the event that improper conduct can be shown.

V.  Whistleblower or “Qui Tam” Provisions of the False Claims Act:

One of the more unusual elements of the False Claims Act is that it authorizes private parties having direct knowledge of fraudulent conduct to bring a civil suit against the violator on behalf of the government.  These civil suits are known as qui tam actions, and the private parties who initiate such actions are called “relators.”  Relators may share in any monies recovered as a result of their qui tam action.[1] A qui tam action is initiated when a relator files a complaint – along with supporting documentation – “under seal” in federal court.  When a case is filed under seal, it means that all records associated with the whistleblower are maintained on a non-public docket by the Clerk of the Court.  A copy of the complaint is given to the judge assigned to the case.  The relator’s attorney also serves a copy of the complaint on the Attorney General in Washington, D.C. and on the U.S. Attorney in the federal judicial district in which the case was filed.[2]  Initially, the government has 60 days to evaluate whether to proceed against the defendant.  In almost all cases, the government will seek an extension to allow it an opportunity to investigate the allegations.  Upon a showing of “good cause” for an extension, most federal courts will readily grant the request.  It is not at all uncommon for a qui tam to remain under seal for over a year (and often much longer) while the government reviews the allegations.  The seal is important for several reasons:

  • The government can quietly investigate the allegations without the defendant knowing that their company is under investigation.
  • The mere existence of a government investigation can be devastating on the public’s view of a company.  Moreover, if a company is publicly-traded, the publicity surrounding a government investigation can severely affect the price of a company’s stock—despite the fact that the allegations at issue have not been investigated or proven at this point in the process. 

After concluding its evaluation, the government may elect to proceed with the complaint and intervene in the case, or it may decline to intervene.  If the government decides to intervene in the action, the relator has the right to remain a party to the action.  If the government decides not to intervene in the case, the qui tam relator may elect to proceed on his or her own against the defendant.  Notably, the government always retains the ability to intervene in the case at a later time.  From a practical standpoint, if the government decides not to intervene in a case, in all likelihood the relator will seek to dismiss the suit.  Unlike the government, the relator’s ability to investigate a False Claims Act case is quite limited, both in terms of resources and in terms of investigative tools.  As a result, the government’s decision to decline to intervene severely impacts a relator’s ability to move forward with the case.  The government often asks the court to partially lift the seal solely for the purpose of advising the defendant of the existence of the case and seeking the defendant’s cooperation in resolving the allegations.

Should the government choose not to intervene, it will often ask the Court to lift the seal on the case.  Once the seal is lifted, the case (and its allegations) becomes part of the public record.  In cases where the government chooses to intervene, the case is often kept under seal until a settlement is worked out with the defendant.  There are a number of limitations placed on the filing of qui tam cases.  Two of the more commonly seen limitations include:

  • When the government has already initiated an action against a party for the same allegations that would form the basis of a qui tam suit; or
  • When the action is based on publicly-disclosed information[3] that was contained in an official hearing, report, investigation, audit, or information disseminated by the news media. 

VI.  Record Recoveries in 2012 Under the False Claims Act:

In recent years, False Claims Act recoveries resulting from whistleblower suits have exceeded most observers’ expectations.  Issues related to the False Claims Act should be at the top of the list of ongoing concerns for most health care Compliance Officers.  The potential damages a provider may face for violations of the False Claims Act cannot be overstated.

In Fiscal Year 2012, the U.S. Department of Justice secured settlements and judgments in civil False Claims Act cases totaling $4.9 billion.  Notably, this is a “record recovery for a single year,” eclipsing the previous record by more than $1.7 billion.  Over the last four years, $13.3 billion has been recovered.  This represents more than a third of the total recoveries achieved since the False Claims Act was amended over 26 years ago.[4]

VII.  Are Physicians Being Targeted Under the False Claims Act?

While large pharmaceutical, durable medical equipment and hospital chain cases continue to dominate the press, physicians, dentists and other solo health care providers are increasingly finding themselves and their practices subject to whistleblower suits under the False Claims Act by former employees, competitors and others who believe that false claims are being submitted to the government for payment.

Notably, a recent whistleblower case pursued by the U.S. Department of Justice against an individual physician (a dermatologist) resulted in a $26.1 million settlement.  In this case, the physician was alleged to have accepted kickbacks from a pathology laboratory.  The physician was also accused of billing Medicare for medically unnecessary services. The whistleblower reportedly collected $4 million as part of the settlement.

VIII.  How Can You Prevent a False Claims Act Case from Being Filed Against You?

Ultimately, your ability to avoid the filing of a False Claims Act case against you or your practice rests on your ability to comply with state and federal laws, regulations and rules governing the provision, coding and billing of health care services. Without a doubt, the single most important step you can take in this regard is to develop, implement and adhere to the provisions and guidelines set out in an effective Compliance Plan.  While most hospitals and other institutional providers have had Compliance Plans in place for many years, very few physicians have taken this necessary preventative step.

Will a Compliance Plan prevent you from having a False Claims Act case brought against you or your practice?  No, not necessarily.  Instead, you should look at a Compliance Plan as being akin to a flu shot.  Just because you have received a flu shot does not mean that you will never catch the flu.  However, if you do come down with the flu, chances are that it won’t be as serious as it might otherwise have been.  All of us make mistakes, and physicians are not immune to this risk.  Nevertheless, having an effective Compliance Plan in place is likely to greatly assist you in your efforts to stay within the four corners of the law.

Robert W. Liles serves as Managing Partner at Liles Parker.  Robert and other attorneys at Liles Parker have extensive experience working on False Claims Act matters and cases.  For a free consultation, please call Robert at:  1 (800) 475-1906.

[1] Whistleblowers (also known as “Relators”) can receive between 15% and 25% of any recovery in a qui tam action where the government has intervened in the case.  In a non-intervened case, a relator may recover up to 30%.  Consequently, there is a tremendous financial incentive to file and pursue these types of actions.

[2] The relator must also serve a “disclosure statement” on DOJ (normally, it is provided to the U.S. Attorney’s Office) which sets out the evidence that the relator has in support of the allegations set out in his/her Complaint.  This statement is not filed with the Complaint and is not given to the defendant.

[3] This rule is known as the “public disclosure bar.” The Affordable Care Act modifies this rule in several respects.  First, a qui tam action will not be dismissed under the public disclosure rule if the government opposes dismissal.  Second, fraud disclosed in private legal actions will not activate the public disclosure bar; the government must have been a party to the action in order for the public disclosure rule to apply.  Third, information obtained from state proceedings or hearings likewise will not qualify under the public disclosure bar.  Finally, the public disclosure bar will not operate where the relator was the “original source” (e.g., has independent knowledge) of the fraud or false claim allegation.

[4] http://www.justice.gov/opa/pr/2012/December/12-ag-1439.html
