C&M Health Law

C&M Health Law

Analysis, commentary, and the latest developments in health care law and policy

GAO Finds HHS Exceeded Authority in Implementation of Transitional Reinsurance Program

Posted in Exchanges, Health Care Reform & ACA, Uncategorized
Joseph RecordsChristine M. Clements

The Government Accountability Office (GAO), in a letter to members of Congress, found that the implementation of the Transitional Reinsurance Program by the U.S. Department of Health and Human Services (HHS) violates the Affordable Care Act.

The Transitional Reinsurance Program is one of three premium stabilization programs authorized by the Affordable Care Act (ACA), commonly known as the “Three Rs.” These programs were designed to soften the impact of ACA reforms, such as guaranteed availability and the prohibition against preexisting condition limitations, that brought new health risks into the insurance markets.

Section 1341 of the ACA (42 U.S.C. § 18061) directs HHS to establish the Transitional Reinsurance Program and sets forth specific amounts for HHS to collect under the program. The statute states that the Program “shall be designed so that” HHS collects $10 billion for plan years beginning in 2014, $6 billion for 2015, and $4 billion for 2016. For each year, HHS would distribute the reinsurance amounts collected under the Program to health insurance issuers based on the number of “high-risk individuals” covered under the issuer’s commercial lines of business. In addition, the statute calls for $2 billion to be collected by HHS and paid to the Treasury for 2014, another $2 billion for 2015, and $1 billion for 2016, in addition to the costs of administering the Transitional Reinsurance Program.

HHS promulgated regulations and guidance to establish the Transitional Reinsurance Program, initially stating that, in the likely event of a shortfall, it would allocate funds on a pro rata basis to reinsurance claims, the Treasury, and administrative costs. HHS later adjusted its allocation scheme to pay reinsurance claims first and to reserve collected reinsurance amounts in excess of claims to pay reinsurance claims in future years. For example, for 2014, HHS aimed to collect $12.02 billion, but collected only $9.7 billion. It paid reinsurance claims in full, amounting to $7.9 billion, which left approximately $1.7 billion in collections under the Program. HHS remitted no funds to the Treasury, and reserved the $1.7 billion in collections that exceeded claims to be used to pay reinsurance claims in future years.

In April 2016, several members of Congress sent a letter to GAO requesting its opinion on whether HHS had exceeded its authority by declining to make a payment to the Treasury. HHS’ articulated position to GAO was that the statute failed to expressly address how HHS should allocate collected funds in the event of a shortfall, and that the amounts to be paid to the Treasury were described in the statute as “in addition” to reinsurance amounts, so the Secretary had discretion to prioritize future years’ reinsurance payments over contributions to the Treasury. GAO disagreed, concluding that HHS “lacks authority to ignore the statute’s directive to deposit amounts from collections under the transitional reinsurance program in the Treasury and instead make deposits to the Treasury only if its collections reach the amounts for reinsurance payments specified in section 1341.”

ONC Releases New Guidance on Electronic Health Record Vendor Contracting

Posted in Health IT
Jodi G. DanielAshley N. Southerland

On September 26, 2016, the Office of the National Coordinator for Health Information Technology (ONC) released guidance, entitled EHR Contracts Untangled, to help providers navigate the complexities of electronic health record (EHR) vendor contracting. The guidance breaks down important considerations for selecting EHR systems, and provides strategic pointers – including sample contract language – to help facilitate the contracting process. While the guidance is largely an attempt to level the playing field for providers in the EHR arena, it also has broader applicability to contract negotiations for a variety of other digital health tools.

For the most critical “need-to-know” points from ONC’s new guidance, see our recent client alert.

Blocking Access to Health Information May Violate HIPAA

Posted in Health IT, HIPAA & Privacy
Jodi G. DanielElliot GoldingStephanie Willis

The HHS Office of Civil Rights published a new FAQ response (OCR FAQ) detailing the agency’s position that generally information blocking will violate the HIPAA Privacy and Security Rules if it affects a covered entity’s access to its own protected health information (PHI) or its ability to respond to requests for access to PHI from patients. This follows a series of similar policy documents from HHS over the past 18 months that focus on preventing business arrangements or practices that would be defined as information blocking, and thereby, frustrating the goal of interoperability. Specifically, according to the OCR FAQ:

  • An electronic health records (EHR) vendor or cloud provider’s actions to terminate a covered entity’s access to its own electronic PHI (ePHI) (e.g., in a payment dispute) would violate the HIPAA Privacy Rule because those actions would constitute an impermissible use of PHI.
  • An EHR vendor or cloud provider’s refusal to ensure the accessibility and usability of a covered entity’s ePHI upon demand by the covered entity or to return a covered entity’s ePHI upon termination of the agreement, in the form and format that is reasonable in light of the agreement, would violate the HIPAA Security Rule.
  • A business associate may not deny a covered entity access to the PHI the business associate maintains on behalf of the covered entity if necessary to provide individuals with access to their PHI under the HIPAA Privacy Rule.
  • A covered entity that agrees to terms within a business associate agreement (BAA) that would prevent the covered entity from ensuring the availability of its own PHI as required would not be in compliance with the HIPAA Privacy and Security Rules.

OCR has increasingly ramped up its enforcement of violations of the HIPAA Privacy and Security Rules related to noncompliant BAAs, so the new OCR FAQ signals that information blocking provisions could be the source of future enforcement actions.

Continue Reading

Mount Sinai Health System to Pay $2.95 Million in 60-Day Overpayment FCA Settlement

Posted in Fraud, Waste & Abuse, Health Care Reform & ACA, Litigation
Diana HuangBarbara H. Ryland

On August 24, 2016, Judge Edgardo Ramos of the Southern District of New York approved a settlement in which Mount Sinai Health System (Mount Sinai) will pay $2.95 million to New York and the federal government to resolve allegations that it violated the False Claims Act (FCA) by withholding Medicare and Medicaid overpayments in contravention of the 60-day overpayments provision of the Affordable Care Act (ACA).  The provision creates FCA liability for healthcare providers that identify overpayments but fail to return them within 60 days, and the Mount Sinai settlement is the first one that specifically resolves allegations of violations of the provision.

The settlement stems from the qui tam action Kane v. Healthfirst, Inc., No. 1:11-cv-02325-ER, in which it was alleged that employee Robert Kane alerted Continuum Health Partners, Inc. (now a part of Mount Sinai) to hundreds of potential overpayments, and, instead of pursuing the refund of overpayments, Continuum fired Kane and delayed further inquiry.  Last year, as we discussed in a previous post, Judge Ramos denied Mount Sinai’s motion to dismiss and provided first-of-its-kind guidance on what it means to “identify” an overpayment and start the 60-day clock created by the ACA.  He opined that a provider has identified an overpayment if it has been “put on notice” that a certain claim may have been overpaid.  In February of this year, CMS released its final 60-day overpayment rule, largely adopting the same interpretation of “knowledge” and “identified” that Judge Ramos used.

Although the Kane court did not hold that the “mere existence” of an obligation under the ACA established an FCA violation, the 60-day period in the statute clearly carries a heightened risk of potential liability for providers that fail to carry out compliance activities or undertake an investigation once they have been given credible evidence of the existence of overpayments.  The settlement further signals to providers the importance of taking any allegation related to overpayments seriously, and to take swift action in order to be ready for the start of the 60-day clock deadline for returning any overpayments.

CMS Renews Focus on Third-Party Payment of Insurance Premiums Steering Medicaid & Medicare Eligibles into Marketplace Plans

Posted in Exchanges, Fraud, Waste & Abuse, Health Care Reform & ACA, Medicaid, Medicare
A. Xavier BakerTroy A. Barsky

On August 18, 2016, CMS issued a request for information on “inappropriate steering of people eligible for Medicare or Medicaid into Marketplace plans” by third parties. CMS voiced concern over “anecdotal reports” that Medicaid or Medicare eligibles received premium and cost-sharing assistance from third parties so they could enroll in Marketplace plans, enabling providers to receive higher reimbursement rates. In November 2013, CMS had issued guidance discouraging third-party payment of premiums because it has the propensity to “skew the insurance risk pool and create an unlevel field in the Marketplaces.” Almost three years later, it appears that CMS has determined that more decisive action may be necessary.

In July, UnitedHealthcare filed suit against American Renal Associates LLC in the United States District Court for the Southern District of Florida (complaint), alleging ARA violated Florida’s deceptive and unfair trade practices act, fraud, unjust enrichment, conspiracy, and other causes of action. The suit alleges that ARA coordinated with the American Kidney Foundation to pay premiums of low-income enrollees to switch from government health care programs to private insurance coverage. The suit alleges that by steering enrollees from Medicaid and Medicare to private insurance, ARA was able to increase billing from about $300 to $4,000 for the same services. The complaint also alleges that ARA did not collect copayments or deductibles from the enrollees after covering their premiums for private insurance and so committed negligent misrepresentation and tortious interference with a contract by misrepresenting the charges of claims submitted to UnitedHealthcare.

Continue Reading

OCR Announces Major HIPAA Enforcement Initiative

Posted in HIPAA & Privacy
Elliot GoldingStephanie Willis

The Department of Health & Human Services Office of Civil Rights (“OCR”) announced on August 18, 2016 that it is stepping up enforcement actions related to small breaches.  Although OCR investigates all reported breaches affecting more than 500 people, this new initiative will increase investigations of breaches affecting fewer than 500 people.  As OCR recognizes, it is often only through investigations following a reported breach that OCR uncovers more widespread HIPAA compliance issues, and it is those additional issues that often lead to monetary settlements or fines. Particularly given this increased enforcement initiative, covered entities and business associates should continue to evaluate and, where appropriate, strengthen their HIPAA compliance efforts.

To read more about the announcement, please click here.

Upcoming Free Healthcare Event: Healthy Data Management Webinar

Posted in Health IT
Elliot Golding

On Thursday, September 8, 2016 from 1:00 PM to 2:00 PM ET Crowell & Moring’s Elliot Golding will be speaking as part of a 60-minute Bloomberg BNA Webinar on Healthy Data Management: Essential Strategies for Governing PHI, PII, and Highly Sensitive Data during an Acquisition or Divestiture.  The panel discussion will cover the information governance life cycle for health care, life sciences, and pharmaceutical companies, from identification of sensitive data to storing and protecting that data during mergers and divestitures.  The webinar is free and open to all.


  • Data management considerations for companies responsible for maintaining personally identifiable information (PII), protected health information (PHI), and confidential or sensitive data.
  • Unique issues that arise when highly sensitive data is involved during the merger and divestiture transaction process.
  • Strategies to develop effective policies and procedures for data life cycle management.

Addressing Health Privacy and Security Gaps in ONC Report

Posted in Health IT, HIPAA & Privacy
Jodi G. DanielElliot GoldingJennifer Williams

On July 19th, the Office of the National Coordinator for Health Information Technology (“ONC”) released a report expressing concerns about major gaps in policies and oversight surrounding the access to, security, and privacy of health information held by certain mobile health (“mHealth”) technology companies and health social media.  While the report frames the issue well, it largely punts to the private sector to develop solutions.  For recommendations on how to address the oversight gaps identified by ONC, see our recent article in Bloomberg BNA’s Health Care Policy Report.


FDA Finalizes Guidance on Low Risk “General Wellness Products”

Posted in Health IT
Jodi G. DanielJennifer Williams

In a final guidance document released July 29th, the U.S. Food and Drug Administration (“FDA”) officially confirmed that it does not intend to review or require regulatory compliance for fitness trackers and certain health apps, collectively termed “general wellness products.”  This guidance, which is largely unchanged from the draft guidance issued in January 2015, coincides with FDA’s narrowing oversight of mobile medical apps and related tools.

According to the guidance, general wellness products are:

  1. Products that are intended for “general wellness use” (e.g., weight management, physical activity trackers, and stress management tools); and
  2. Products that present a low risk to the safety of users and others persons.

The primary distinction between a general wellness product and a medical device, which FDA does regulate, is that the intended use of a general wellness product is either to maintain or encourage a general state of health or healthy activity or to support a healthy lifestyle to help reduce the risk or impact of certain chronic conditions where there is a well-known connection. The guidance further explained that although general wellness products may claim to help manage or reduce the risk of certain chronic diseases, they may not claim to treat or diagnose a specific disease or condition.  Products that make these claims are considered medical devices and are subject to FDA regulation.

As mentioned above, this guidance is in line with FDA’s recent policy to exercise enforcement discretion when dealing with products that may help consumers manage or prevent ill health and pose a minimal risk of harm.  The policy attempts to strike a balance between ensuring consumer safety while supporting the rapid pace of innovation that is directed at consumer health.  This guidance along with earlier guidance can help mobile medical app, fitness trackers, wellness tools, and health information technology developers determine how to market their products in light of existing law and should be considered in the early stages of product development and business strategy.

For more information, please contact the authors of this post or your regular Crowell & Moring contact.

Medicaid Managed Care Final Rule: Prevention of Fraud, Waste, and Abuse

Posted in Fraud, Waste & Abuse, Medicaid
Troy A. BarskyRoma Sharma

The Medicaid Managed Care Final Rule aims to align Medicaid regulations with those of other health coverage programs, modernizing the post-Affordable Care Act healthcare landscape. Among other goals, the Final Rule seeks to bolster the transparency, accountability, and integrity of Medicaid managed care by imposing and clarifying requirements meant to reduce fraud, waste, and abuse. The rule finalizes a number of changes that address two types of program integrity risks: fraud committed by Medicaid managed care plans and fraud by network providers. It also tightens standards for managed care organization (MCO) submission of certified data, information, and documentation used for program integrity oversight by state and federal agencies.

First, the Final Rule places new responsibilities on both states and managed care plans. State Medicaid programs will now be required to screen and enroll all network providers that order, refer, or furnish services to beneficiaries under the state plan unless a network provider is otherwise enrolled with the state to provide services to fee-for-service (FFS) Medicaid beneficiaries.[1] This requirement, which will take effect in July 2018, may delay the growth of provider networks; to address this concern the Final Rule allows programs to execute network provider agreements pending the outcome of the screening process of up to 120 days. However, upon notification from the state that a provider’s enrollment has been denied or terminated, or the expiration of the 120 day period without enrollment, the plan must terminate the network provider immediately and notify affected enrollees. In addition, the Final Rule requires states to periodically, but no less frequently than once every 3 years, audit patient encounter data and financial reports for accuracy, truthfulness, and completeness. States must also post on their website or otherwise publicize a range of programmatic data, including the results of past audits and information related to entity contracts.[2]

Second, beginning July 2017, managed care plans will also have to submit and certify a range of data—including data related to rate setting, compliance with Medical Loss Ratio (MLR) standards, accessibility of services, and recoveries of overpayments—to their respective states. In order to comply with this requirement, the Final Rules permits the executive leadership of an MCO to delegate the certification to an employee who reports directly to the plan’s CEO or CFO.[3]

Continue Reading