Photo of Stephanie Willis

Stephanie Willis is a counsel in Crowell & Moring's Washington, D.C. office and a member of the firm's Health Care Group. Stephanie primarily works with health care clients seeking to comply with state and federal health care anti-fraud and abuse laws, privacy and security laws, and licensing laws.

Stephanie's work incorporates her Master of Public Health degree as well as her past experiences as an associate counsel in the Office of the Inspector General for the Department of Health and Human Services (HHS-OIG) and as an intern at the Massachusetts Division of Insurance, the Health Care Division of the Massachusetts Attorney General's Office, and the Massachusetts Health Care Connector, which was the first health care exchange in the nation.

The Centers for Medicare & Medicaid Services (CMS) recently proposed a rule to allow Medicare Advantage plans to expand telehealth benefit coverage. (See alert for more detail) This proposed rule implements the statutory provisions in section 50323 the Bipartisan Budget Act of 2018. What you might not know, however, is that the Bipartisan Budget Act of 2018 is only one of many legislative vehicles by which advocates for telehealth expansion have been able to move the needle definitively in their favor during this session of Congress.

Over the past two years, Congress has shown its support for the utilization of telehealth by introducing forty-one bills that, if passed, would require Medicare to reimburse providers for their use of telehealth to treat numerous health conditions such as stroke diagnosis, mental health, chronic care management and opioid addiction treatment. Of note, the Creating High-Quality Results and Outcomes Necessary to Improve Chronic (CHRONIC) Care Act of 2017 was the predecessor bill that passed out of the Senate in September of 2017 and became law on February 9, 2018 as a part of the Bipartisan Budget Act of 2018.
Continue Reading

On November 1, 2018, the Centers for Medicare & Medicaid Services (“CMS”) filed the pre-publication version of the CY 2019 Physician Fee Schedule Final Rule (“2019 PFS Final Rule”). Within this massive publication, CMS finalized two regulatory changes affecting the exceptions at 42 CFR § 411.357 to the Physician Self-Referral Law (also known as the “Stark Law”) for compensation arrangements. The 2019 PFS Final Rule reconciles the regulations with the statutory changes made to the Stark Law enacted by the Bipartisan Budget Act of 2018 (“2018 BBA”) with respect to (1) how arrangements may fulfill the “writing” requirement under the compensation exception and (2) how arrangements that initially proceed without a signed agreement may still meet the signature requirement of an applicable exception. Parties to financial arrangements in effect on or after February 9, 2018 that implicate the Stark Law may rely upon these new modifications.

The Stark Law generally prohibits a physician from making a referral of designated health services (“DHS”) to an entity with which he or she (or an immediate family member) has a financial relationship. Section 411.357 details several excepted compensation arrangements carved out from the “financial relationship” definition for the purposes of the Stark Law. These exceptions include arrangements for the rental of office space and equipment, bona fide employment relationships, group practice arrangements with hospitals, certain fair-market-value compensation arrangements, among others.
Continue Reading

CMS has finalized the adoption of multiple CPT codes in the CY 2019 PFS that create more opportunities for providers and digital health companies to collaborate on chronic care management business models in the fee-for-service market.

Virtual Check-Ins

CMS finalized the creation of a new code to reimburse providers for brief “check-in” services conducted using communications technology by creating HCPCS code G2012, defined as “[b]rief communication technology-based service, e.g. virtual check-in.”
Continue Reading

On October 3rd, the United States Senate passed a bipartisan opioids package with a sweeping vote of 98 to 1, after the U.S. House of Representatives passed the final version of the bill with a vote of 393 to 8. One of its components, the “Fighting the Opioid Epidemic with Sunshine Act,” expands the scope

On March 22, 2018, the Centers for Medicare and Medicaid Services (CMS) announced a notice of proposed rulemaking (NPRM) that would, if finalized, exempt states with high rates of Medicaid beneficiaries in managed care plans from monitoring and reporting requirements related to Medicaid service access set forth in 42 C.F.R. §§ 447.203 and

On Wednesday, the U.S. Department of Health and Human Services, Office for Civil Rights announced a $400,000 settlement with Metro Community Provider Network arising from MCPN’s alleged failure to implement adequate security management processes to safeguard electronic protected health information in accordance with the Health Insurance Portability and Accountability Act Security Rule. This settlement followed

On November 2, 2016, the final rule with comment period (the “Final Rule”) implementing provisions of the Medicare Access and CHIP Reauthorization Act (MACRA) relating to the new Merit-Based Incentive Payment System (MIPS) and Alternative Payment Models (APMs) will be published in the Federal Register.  The Center for Medicare and Medicaid Services (CMS) also

The HHS Office of Civil Rights published a new FAQ response (OCR FAQ) detailing the agency’s position that generally information blocking will violate the HIPAA Privacy and Security Rules if it affects a covered entity’s access to its own protected health information (PHI) or its ability to respond to requests for access to PHI from patients. This follows a series of similar policy documents from HHS over the past 18 months that focus on preventing business arrangements or practices that would be defined as information blocking, and thereby, frustrating the goal of interoperability. Specifically, according to the OCR FAQ:

  • An electronic health records (EHR) vendor or cloud provider’s actions to terminate a covered entity’s access to its own electronic PHI (ePHI) (e.g., in a payment dispute) would violate the HIPAA Privacy Rule because those actions would constitute an impermissible use of PHI.
  • An EHR vendor or cloud provider’s refusal to ensure the accessibility and usability of a covered entity’s ePHI upon demand by the covered entity or to return a covered entity’s ePHI upon termination of the agreement, in the form and format that is reasonable in light of the agreement, would violate the HIPAA Security Rule.
  • A business associate may not deny a covered entity access to the PHI the business associate maintains on behalf of the covered entity if necessary to provide individuals with access to their PHI under the HIPAA Privacy Rule.
  • A covered entity that agrees to terms within a business associate agreement (BAA) that would prevent the covered entity from ensuring the availability of its own PHI as required would not be in compliance with the HIPAA Privacy and Security Rules.

OCR has increasingly ramped up its enforcement of violations of the HIPAA Privacy and Security Rules related to noncompliant BAAs, so the new OCR FAQ signals that information blocking provisions could be the source of future enforcement actions.


Continue Reading