The HHS Office of Civil Rights (“OCR”) closed out the month of April with some updates to HIPAA civil monetary penalty (“CMP”) limits and clarifications to OCR’s stance on the Privacy Rule’s application to transfers of electronic protected health information (“ePHI”) to third-party applications and application programming interfaces (“APIs”).

Differential CMP Caps Based on Enforcement Discretion

Under the current HIPAA Enforcement Rule, HHS employs a four-tier level of culpability scale in line with the HITECH Act. These four tiers correspond to appropriate CMPs ranges for violations by covered entities and business associates of the HIPAA Privacy and Security Rules. These penalty tiers are adjusted for inflation pursuant to the cost-of-living formula set forth in the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015.

For instance, if a person did not know and, by exercising reasonable diligence, would not have known that the person violated the applicable HIPAA provision, the CMP range the person could be levied was $100-$50,000 for each identical violation, up to a maximum of $1.5 million for all such violations annually (before adjusted for inflation). The $1.5 million annual cap on CMPs for HIPAA violations applied across all four tiers, even though the minimum penalties for each tier increased in amount.

Since HHS began using this four-tier structure, however, there has been debate about whether the HITECH Act mandates different annual CMP caps for each of the tiers. OCR’s April 30, 2019 Federal Register Notice changes HHS’s prior position on this, and now imposes the following annual caps on CMPs for HIPAA violations:.

Continue Reading HIPAA Spring Cleaning! Tidying Up Penalty Limits and FAQs on Patients’ Right of Access

On March 27, 2019, the Centers for Medicare & Medicaid Services (CMS) announced a $1.65 million competition to accelerate development of AI solutions in health care. The Artificial Intelligence (AI) Health Outcomes challenge seeks innovative, AI-driven solutions that can predict unplanned hospital and skilled nursing facility (SNF) admissions and adverse events.

The challenge is a 1-year, three stage competition; the Launch State is open to the public and seeks to attract a wide range of ideas and solutions.

Stage 1 will be comprised of 20 participants and will focus on the development of algorithms that predict health outcomes using Medicare fee-for-service data as well as strategies for building clinician trust in the solutions. 5 participants will be awarded $80,000 and will advance to Stage 2.

Stage 2 will ask for finalists to refine their algorithm and run a number of analyses on more than 5 years of CMS claims data to demonstrate proof-of-concept. The grand prize winner will be awarded up to $1 million.

Economists have debated the use of prize systems for technological innovation. While some argue that the use of medical prize funds will lower prices and widen the availability of research results, others are skeptical of claims regarding the role of prize funds in inducing technological innovation. CMS is in a unique position to offer prizes for innovative solutions; as the country’s single largest payer for health care, it may be the one of the best entities to evaluate the efficacy of the proposals and can offer innovators with the data needed to develop their algorithms

Nearly 20,000 comments have been submitted in response to the Department of Health and Human Services January 31, 2019 notice of proposed rulemaking eliminating discount safe harbor protection for reductions in price to prescription pharmaceutical products (or rebates) provided by manufacturers to plan sponsors under Medicare Part D and Medicaid managed care organizations (MCOs), whether negotiated by the plan or by pharmacy benefit managers (PBM) or paid through a PBM to the plan or Medicaid MCO. Most of the comments appear to be relatively short, text box comments submitted by individuals through patient or business advocacy groups.  The following is a very high level summary of the several hundred comments posted (so far) from health plans, manufacturers, pharmacies, their respective associations, and policy oriented groups: Continue Reading Highlights from the Comments on the Proposed Elimination of Discount Safe Harbors for Rebates

Last week the Centers for Medicare & Medicaid Services (CMS) announced significant policy changes for Medicare Advantage (MA) and Part D programs. On April 1, 2019, CMS released the calendar year 2020 Rate Announcement and Call Letter, and on April 5, 2019, CMS release the unpublished version of a final rule revising the MA and Part D program regulations for 2020 and 2021 (scheduled to be published April 16, 2019). These documents include many important policy changes for MA plans—including opportunities to offer broadened supplemental benefits packages and expanded telehealth services.

Supplemental Benefits for the Chronically Ill

Traditionally, CMS has interpreted section 1853(a) of the Social Security Act to allow MA plans to offer supplemental benefits (items or services not covered by original Medicare) when they are “primarily health related,” offered uniformly to all enrollees, and result in the MA plan incurring a non-zero direct medical cost. “Primarily health related” means an item or service that is “used to diagnose, compensate for physical impairments, acts to ameliorate the functional/psychological impact of injuries or health conditions, or reduces avoidable emergency and healthcare utilization.” For 2019, CMS introduced new flexibility into the uniformity requirement by allowing MA plans to offer supplemental benefits to some—but not all—vulnerable enrollees. Continue Reading Medicare Advantage plans to offer expanded supplemental benefits and telehealth services

In Gresham v. Azar, United States District Court for the District of Columbia Judge James E. Boasberg “[found] its guiding principle in Yogi Berra’s aphorism, ‘It’s déjà vu all over again.’” No. CV 18-1900 (JEB), 2019 WL 1375241, at *7 (D.D.C. Mar. 27, 2019). In striking down the Department of Health and Human Services (“HHS”) approval of Arkansas’s Medicaid work requirements as “arbitrary and capricious,” Judge Boasberg noted that the agency’s failures were “nearly identical” to those in Stewart v. Azar I, 313 F.Supp.3d 237, 243 (D.D.C. 2018), where he vacated the agency’s approval of Kentucky’s Medicaid Work requirements back in June 2018. The same day the Court issued Gresham, Judge Boasburg declared “[t]he bell now rings for round two” and again vacated Kentucky’s Medicaid work requirements finding the agency’s reaproval “arbitrary and capricious” in Stewart v. Azar II. No. CV 18-152 (JEB), 2019 WL 1375496, at *1 (D.D.C. Mar. 27, 2019).

Under Section 1115 of the Social Security Act, HHS may approve a state’s waiver application and allow a state to waive certain Medicaid program requirements. Such waivers include “experimental, pilot, or demonstration project[s]” that “in the judgment of the Secretary, [are] likely to assist in promoting the [Medicaid Act’s] objectives.” 42 U.S.C. § 1315(a). In March 2017, Seema Verma, the Administrator for the Centers for Medicare & Medicaid Services (“CMS”), along with HHS Secretary at the time, Thomas Price, sent a letter to state governors clarifying the agency’s “intent to use existing Section 1115 demonstration authority to review and approve” Medicaid work requirements. Heeding this call, the governor of Kentucky applied for a Section 1115 waiver to implement an experimental program which includes work requirements as a condition of Medicaid coverage. Under these work requirements, many adults must complete 80 hours of employment or other qualifying activities every month or lose their Medicaid coverage. These requirements primarily target the Medicaid expansion population (individuals who obtained coverage after states expanded eligibility under the Affordable Care Act). Arkansas’ program—which took effect last June as the first work requirements in the history of Medicaid—is substantially similar to the Kentucky program. The Kentucky work requirements had yet to take effect.

Continue Reading Federal District Court Judge Vacates Arkansas and Kentucky’s Medicaid Work Requirements

On March 22, 2019 CMS issued new guidance to State Medicaid Directors on implementation of the 2014 Home and Community Based Services (HCBS) rule. The 2014 HCBS rule required states to scrutinize facilities, including an assisted living facilities or group homes, receiving HCBS funding to make sure they met certain standards. The 2014 rule aimed to define the characteristic of “community based” to move these settings and facilities away from the qualities of an “institution.” In May of 2017, CMS delayed implementation of the rule and in response to concerns regarding the transition process, a three year extension was granted. The transition period for states to ensure provider compliance with the criteria for settings in which a transition period applies has now been extended to March 17, 2022 during which states may work with all existing HCBS providers to complete their remediation and be validated as fully complying with the settings criteria. Not meeting these standards could mean loss of Medicaid funding.

The new CMS guidance, issued as an FAQ, defines a setting that is isolating individuals as a facility that limits any opportunities for patients and residents to interact with the broader community. Certain settings are presumed under the regulations to have the qualities of an institution: Continue Reading CMS Issues New Guidance to States on Home and Community Based Services

In order to move health care organizations towards consistency in mitigating important cybersecurity threats to the health care sector, the Department of Health & Human Services (HHS) published multiple guidance documents on best practices for health care organizations to reduce cybersecurity risks (“HHS Cyber Guidance”). The HHS Cyber Guidance is the result of HHS’ public-private partnership with more than 150 cybersecurity and health care experts. While compliance is voluntary, this guidance serves as direction to health care entities on important practices that should be considered and implemented to reduce risk.

Why HHS has published this guidance

Continue Reading HHS Releases Voluntary Cybersecurity Practices Guidance

WANT TO KNOW HOW THE DOJ’S BRAND MEMO MAY GIVE HEALTH CARE CONTRACTORS A NEW AVENUE OF DEFENSE IN FCA LITIGATION? READ “DOJ: PUTTING LIMITS ON GUIDANCE” TO FIND OUT

Crowell & Moring has issued its seventh-annual “Litigation Forecast 2019: What Corporate Counsel Need to Know for the Coming Year.” 

The health care section of the Forecast, DOJ: Putting Limits On Guidance,” outlines how The DOJ’s Brand Memo may give health care contractors a new avenue of defense in FCA litigation, but how it will be interpreted is still unclear.

There is also an interesting discussion of how companies and law firms are leveraging technology to improve their legal operations and litigation strategy in the cover story, “Welcome to Your New War Room: How Technology Is Finding Its Way into Litigation Case Strategy.” It features interviews with in-house counsel at Cisco, Humana, United Airlines, and Lex Machina and discusses how technology is streamlining the collection and analysis of information to aid “data-driven” decision making along the continuum of litigation.

Be sure to follow the conversation on social media with #LitigationForecast.

 

On Nov. 29, 2018, Deputy Attorney General Rod J. Rosenstein announced several amendments to policies on individual accountability set forth in the 2015 Yates Memo. As a result, companies facing FCA actions—especially defendants in health care cases—should consider following three strategy tips:  (1) Establish clear benchmarks for cooperation.  (2) Advocate for individual releases.  And (3) Emphasize that litigation costs outweigh the potential recovery in appropriate cases.

To learn more please read this Bloomberg BNA article written by Partner William S.W. Chang and Associate Spencer Churchill.

 

On January 1, 2019, portions of the U.S. Department of Labor’s (DOL) Final Rule expanding the availability of Association Health Plans (AHPs) went into effect. AHPs allow small businesses to band together and negotiate better deals when buying insurance for their members.

The partial government shutdown hasn’t slowed the raging debate over how states are to implement the DOL’s final rule. On December 28, 2018, a federal judge ordered litigation concerning the rule to continue despite the shutdown.

States have reacted to the final rule in dramatically divergent ways. Some states believe that AHPs will make it finally possible for small employers to offer affordable healthcare options for their employees. Other states worry that AHPs will destabilize the individual insurance marketplace. They predict that healthy people will join AHPs because they are less expensive than other insurance options, and this shift will leave sicker people in a smaller pool with higher premiums.   Continue Reading Taking the Pulse of New Association Health Plans