Photo of Stephanie Willis

Stephanie Willis is a counsel in Crowell & Moring's Washington, D.C. office and a member of the firm's Health Care Group. Stephanie primarily works with health care clients seeking to comply with state and federal health care anti-fraud and abuse laws, privacy and security laws, and licensing laws.

Stephanie's work incorporates her Master of Public Health degree as well as her past experiences as an associate counsel in the Office of the Inspector General for the Department of Health and Human Services (HHS-OIG) and as an intern at the Massachusetts Division of Insurance, the Health Care Division of the Massachusetts Attorney General's Office, and the Massachusetts Health Care Connector, which was the first health care exchange in the nation.

On November 1, 2018, the Centers for Medicare & Medicaid Services (“CMS”) filed the pre-publication version of the CY 2019 Physician Fee Schedule Final Rule (“2019 PFS Final Rule”). Within this massive publication, CMS finalized two regulatory changes affecting the exceptions at 42 CFR § 411.357 to the Physician Self-Referral Law (also known as the “Stark Law”) for compensation arrangements. The 2019 PFS Final Rule reconciles the regulations with the statutory changes made to the Stark Law enacted by the Bipartisan Budget Act of 2018 (“2018 BBA”) with respect to (1) how arrangements may fulfill the “writing” requirement under the compensation exception and (2) how arrangements that initially proceed without a signed agreement may still meet the signature requirement of an applicable exception. Parties to financial arrangements in effect on or after February 9, 2018 that implicate the Stark Law may rely upon these new modifications.

The Stark Law generally prohibits a physician from making a referral of designated health services (“DHS”) to an entity with which he or she (or an immediate family member) has a financial relationship. Section 411.357 details several excepted compensation arrangements carved out from the “financial relationship” definition for the purposes of the Stark Law. These exceptions include arrangements for the rental of office space and equipment, bona fide employment relationships, group practice arrangements with hospitals, certain fair-market-value compensation arrangements, among others. Continue Reading 2019 Physician Fee Schedule Rule Modifies Stark Regulations to Reflect Statutory Changes

CMS has finalized the adoption of multiple CPT codes in the CY 2019 PFS that create more opportunities for providers and digital health companies to collaborate on chronic care management business models in the fee-for-service market.

Virtual Check-Ins

CMS finalized the creation of a new code to reimburse providers for brief “check-in” services conducted using communications technology by creating HCPCS code G2012, defined as “[b]rief communication technology-based service, e.g. virtual check-in.” Continue Reading Digital Health Updates in the 2019 Physician Fee Schedule (PFS) Rule

On October 3rd, the United States Senate passed a bipartisan opioids package with a sweeping vote of 98 to 1, after the U.S. House of Representatives passed the final version of the bill with a vote of 393 to 8. One of its components, the “Fighting the Opioid Epidemic with Sunshine Act,” expands the scope of reporting requirements under the Physician Payment Sunshine Act (known as the “Sunshine Act”), which will have immense implications for the pharmaceutical and medical device and supply industries.

Enacted at section 6002 of the Affordable Care Act in 2010 to increase transparency around the financial relationships between health care providers and drug manufacturers, the Sunshine Act requires “applicable group purchasing organizations” and “applicable manufacturers,” including pharmaceutical and medical device or supply companies with operations in the United States, to track and report payments and transfers of value that they make to “covered recipients,” currently defined to include physicians and teaching hospitals. These transfers of value include items such as consulting fees, honoraria for speaking events, and research grants.

The opioids legislation package expands the definition of “covered recipients” to include other types of health care professionals: physician assistants, nurse practitioners, clinical nurse specialists, registered nurse anesthetists, and certified nurse midwives. The new legislation additionally sunsets a prohibition in the Sunshine Act that prevents the inclusion of the National Provider Identifier on the CMS Open Payments website.

Given the Administration’s focus on the opioid crisis, identified as a “national emergency,” the expansion of the Sunshine Act reflects the reality that prescriptions of opioids and other drugs to individuals may come from health professionals who are not physicians. State “sunshine laws” that imposed reporting requirements on payments to these professionals have existed for a number of years, but the changes passed in the opioids package would make this standard the baseline for reporting covered payments nationwide. By the time these changes would be effective on January 1, 2022, applicable group purchasing organizations and manufacturers will need to update their Sunshine Act compliance and monitoring activities to account for the greatly enlarged scope of individual health care professionals to whom they may be providing direct or indirect transfers of value.

The expansion of the Sunshine Act’s covered recipient definition was introduced in the Senate version of the opioids package, and remained in the overall legislation despite vigorous opposition. To become law, the bill requires the signature of President Trump.

On March 22, 2018, the Centers for Medicare and Medicaid Services (CMS) announced a notice of proposed rulemaking (NPRM) that would, if finalized, exempt states with high rates of Medicaid beneficiaries in managed care plans from monitoring and reporting requirements related to Medicaid service access set forth in 42 C.F.R. §§ 447.203 and 447.204. The regulations currently require states to analyze and document the impact of Medicaid fee-for-service (FFS) payment amounts on beneficiary access to covered health care services in access monitoring review plans (AMRPs) submitted to CMS.

States’ AMRPs must, using a data-driven process, address the impact of Medicaid FFS payments on beneficiaries’ access to the following categories of Medicaid services: primary care services, physician specialist services, behavioral health services, pre- and post-natal obstetric services, and home health. The state must update and submit the AMRP related to these service categories to CMS at least every three years. If a state reduces Medicaid FFS rates for services outside of these categories, the state must include those additional services in the AMRP and publicly monitor the rate reductions for three years.

Since the adoption of these requirements, several states have complained that the scheme imposes an undue administrative burden and that it is not an efficient use of limited state program resources. In response, the proposed rule’s changes to the regulations would allow the following:

  • An exemption from most access monitoring requirements for states with an overall Medicaid managed care penetration rate of 85% or greater (currently, 17 States).
  • An exemption from the specific access analysis for reductions to provider payments below the “nominal payment rate change” of 4% in overall service category spending during a state fiscal year (and 6% over two consecutive years).
  • A state to submit an assurance that its baseline data “indicates current access is consistent with requirements of the Social Security Act,” rather than be required to predict the effects of proposed Medicaid FFS rate reductions or restructurings on access to care.

This NPRM aligns with the Trump Administration’s push to “cut the red tape” and to generally reduce states’ administrative burdens under federal programs. The proposed changes are also consistent with CMS’s other efforts to enable states to focus on patient outcomes rather than processes in administering their Medicaid programs, as quantified in the agency’s estimates that the proposed changes will eliminate 561 administrative hours and save a total of $1.66 million for the affected states.

Comments on the proposed rule are due to CMS no later than May 22, 2018.

On Wednesday, the U.S. Department of Health and Human Services, Office for Civil Rights announced a $400,000 settlement with Metro Community Provider Network arising from MCPN’s alleged failure to implement adequate security management processes to safeguard electronic protected health information in accordance with the Health Insurance Portability and Accountability Act Security Rule. This settlement followed an investigation that OCR undertook in response to a breach report that MCPN filed on January 27, 2012. While OCR found that MCPN took necessary corrective action in response to the reported breach, OCR determined that MCPN had never conducted a security risk analysis to assess the potential threats to its ePHI environment and concluded that MCPN did not have appropriate risk management policies in place at the time of the breach. OCR further found that the security risk analyses that MCPN ultimately did undertake following the breach were insufficient to satisfy the requirements of HIPAA’s Security Rule. Violations of the Security Rule have been a consistent focus of the OCR within the past year. The OCR’s willingness to go after a federally qualified health center, a safety net health care provider, in this settlement further underscores the importance of conducting robust security risk analyses to identify, assess, and address potential threats and vulnerabilities to a covered entity or business associate’s ePHI environments.

On November 2, 2016, the final rule with comment period (the “Final Rule”) implementing provisions of the Medicare Access and CHIP Reauthorization Act (MACRA) relating to the new Merit-Based Incentive Payment System (MIPS) and Alternative Payment Models (APMs) will be published in the Federal Register.  The Center for Medicare and Medicaid Services (CMS) also launched a new website with tools and updates to help MIPS-eligible clinicians learn and prepare for participation in MIPS and APMs.

As we describe in our client alert titled “CMS Releases Final Rules on MACRA Quality Payment Program Implementation for 2017-Onward,” the Final Rule makes several significant changes to the MIPS and APM tracks of the “Quality Payment Program” as they were proposed in the notice of proposed rulemaking.  We previously summarized the proposed rule in two previous alerts MACRA and MIPS: The Basics and Beyond and Medicare Quality Payment Program: Alternative Payment Models (APMs).  When compared to the proposed rule, the Final Rule increases flexibility for eligible clinicians or groups to participate in MIPS by creating several “choose-your-own-pace” options that would allow them to avoid negative payment adjustments.  The Final Rule also includes more value-based payment models that qualify as Advanced APMs.

Given the significant changes, the agency has published the Final Rule with a 60-day comment period for certain provisions that will end on December 19, 2016.

The HHS Office of Civil Rights published a new FAQ response (OCR FAQ) detailing the agency’s position that generally information blocking will violate the HIPAA Privacy and Security Rules if it affects a covered entity’s access to its own protected health information (PHI) or its ability to respond to requests for access to PHI from patients. This follows a series of similar policy documents from HHS over the past 18 months that focus on preventing business arrangements or practices that would be defined as information blocking, and thereby, frustrating the goal of interoperability. Specifically, according to the OCR FAQ:

  • An electronic health records (EHR) vendor or cloud provider’s actions to terminate a covered entity’s access to its own electronic PHI (ePHI) (e.g., in a payment dispute) would violate the HIPAA Privacy Rule because those actions would constitute an impermissible use of PHI.
  • An EHR vendor or cloud provider’s refusal to ensure the accessibility and usability of a covered entity’s ePHI upon demand by the covered entity or to return a covered entity’s ePHI upon termination of the agreement, in the form and format that is reasonable in light of the agreement, would violate the HIPAA Security Rule.
  • A business associate may not deny a covered entity access to the PHI the business associate maintains on behalf of the covered entity if necessary to provide individuals with access to their PHI under the HIPAA Privacy Rule.
  • A covered entity that agrees to terms within a business associate agreement (BAA) that would prevent the covered entity from ensuring the availability of its own PHI as required would not be in compliance with the HIPAA Privacy and Security Rules.

OCR has increasingly ramped up its enforcement of violations of the HIPAA Privacy and Security Rules related to noncompliant BAAs, so the new OCR FAQ signals that information blocking provisions could be the source of future enforcement actions.

Continue Reading Blocking Access to Health Information May Violate HIPAA

The Department of Health & Human Services Office of Civil Rights (“OCR”) announced on August 18, 2016 that it is stepping up enforcement actions related to small breaches.  Although OCR investigates all reported breaches affecting more than 500 people, this new initiative will increase investigations of breaches affecting fewer than 500 people.  As OCR recognizes, it is often only through investigations following a reported breach that OCR uncovers more widespread HIPAA compliance issues, and it is those additional issues that often lead to monetary settlements or fines. Particularly given this increased enforcement initiative, covered entities and business associates should continue to evaluate and, where appropriate, strengthen their HIPAA compliance efforts.

To read more about the announcement, please click here.

This month, the Centers for Medicare & Medicaid Services (CMS) announced the beginning of the second application cycle for its Next Generation ACO Model (Next Gen Model).  We discussed the goals of the Next Gen Model and how it compares to the Medicare Shared Savings Program and Pioneer ACO models in this post from last year.

The Next Gen Model, along with other value-based payment initiatives being run by CMS, advances the goals of the Affordable Care Act by moving providers away from fee-for-service reimbursement models. Since CMS began implementing its ACO-based initiatives in 2012, over 477 ACOs nationwide have partnered with the agency to test the theory that coordinated care provide higher quality at a lower cost for beneficiaries.

Twenty-one ACOs are currently participating in the Next Gen Model – more than the 15-20 CMS anticipated accepting. Like last year, the Centers for Medicare & Medicaid Innovation (“CMMI”) is holding a series of Open Door Forums to explain key aspects of the Next Gen Model on the following dates:

ACOs (including MSSP participants and Pioneer ACOs) have until May 2, 2015 to submit a Letter of Intent (LOI) using CMS’s designated portal.  Applicants must electronically complete the narrative portion of the Next Gen Model application by May 25, 2016 and submit their participating provider lists and geographic service areas no later than June 3, 2016.

This will be the final year for ACOs to participate in the Next Gen Model. It is hard to predict what will happen to the Medicare payment reforms tested in the Next Gen Model and other ACA-related programs as the United States enters into a new administration after the 2016 elections, but CMS is currently staying the course to reduce health care costs while improving quality.

The Office of the National Coordinator for Health Information Technology (“ONC”) began the month of March and the HIMSS Annual Conference with the announcement of an unexpected proposed rule, the Enhanced Oversight and Accountability Rule (the “Oversight Rule”). The Oversight Rule would expand ONC’s role in the ONC Health IT Certification Program (“Program”). Specifically, the Oversight Rule provides ONC with express powers to directly review health IT certified under the Program and employ review, suspension, and termination processes to address “non-conformities” found in certified health IT.  The ONC is seeking comment on key issues such as the scope of ONC’s proposed direct review authority, its processes for reviewing certified and uncertified health IT capabilities, and the agency’s potential overlap with the authority of other agencies.  All public comments will be due to ONC on or before May 1, 2016.

As stated in the ONC’s press release, the Oversight Rule focuses on three areas: Direct Review, Enhanced Oversight, and Greater Transparency and Accountability.

Continue Reading The ONC Proposes the Direct Review of Certified Health IT in Oversight Rule