Colorado Receives $43 Million HHS Grant to Continue Building Exchange

Colorado was one of five states selected to receive a Level 1 funding grant this week from the Department of Health and Human Services.  The Level One Exchange Establishment Grant is a one-year grant designed to help states develop their health insurance exchanges.  Colorado applied for and received a $43 million grant which will "support planning activities, including the initial acquisition of technology services to begin building the online shopping portal."  This is Colorado's second Level 1 grant; it first received an award of $17.9 million in February 2012. 


What's the Cost of Losing a Laptop? $1.5 Million.

HHS announced today that it resolved a HIPAA security breach matter with two Massachusetts providers for $1.5 million.  In compliance with the Breach Notification Rule, the Massachusetts providers reported the theft of an unencrypted laptop containing ePHI.  Lest there be any lingering doubt as to the importance of compliance with the Security Rule, OCR Director Leon Rodriguez stated "In an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices . . . This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom.”  In addition to the settlement payment, the Massachusetts providers agreed to a corrective action plan that will be overseen by an independent monitor for the next three years.


Supreme Court upholds the ACA

The Supreme Court issued it opinion today on the Affordable care Act.  In an opionion drafted by Chief Justuce Roberts, to which the other Justices, in various combinations, agreed in part and disagreed in part, the majority of the Court, in various combinations, ruled  on the key issues as follows:

1,  The individual "mandate" to purchase insurance was a valid exercise of the taxing power of Congress, a condition that if you do not buy an insurance policy with the minimum essential benefit package, you must pay the IRS money as an alternative.  Though the ACA called the payment a "shared responsibility payment" and a " penalty", not a "tax", C.J. Roberts wrote that Congress's choice of terms only affected whether the lawsuit was premature under the Anti-Injunction Act (which prevents lawsuits to stop a tax until such time as the tax has actually been assessed and paid -- Roberts saying that since Congress didn't call it a tax the AIA didn't apply), and was not determinative on the Constitutional question of whether the assessment of the penalty payment was a "tax" within the scope of Congressional powers.  Roberts concluded that it was such a tax and was therefore a constitutional exercis of Congresses enumerated taxing power.  Four other Justices agreed with that postion, while four opposed it.  Therefore the mandate to purchase insurance stands as being Constitutional.

     Though it was not necessary for C.J. Roberts to go any further, having decided the ACA was a Constitutuional exercise of taxing power, he wrote at length on the main arguments that had been made in the case:  whether the commerce clause or the "necessary and proper" clause permitted the "mandate."  His opinion stated that neither of these would be a Constitutional justification for the mandate provisiuon and that but for the taxing power of Congress, the mandate would have been unconstitutional and not permitted under those enumerated poweers.  Four Justuices agreed with that position (the four who did not agree with the taxing power ruling and who would have invalidated the entire ACA) and the other four did not.  Unfortunately, since this discussion was not a necessary part of the final opinion, the 5-4  agreement that the mandate was not a valid exercise of these two powers is not an actual decision on the merits of the scope of those Congressional powers, and it is likely to be an issue in the future in some other case.  Congress is not known for restricting its actions based on a non-precedential statement by the Court.

2. C.J. Roberts' opinion then held that the expansion of the Medicaid program, which he described as a major change in the purpose and scope of the program, was a permissible exercise of Congressional authority, but that it was not pernissible for Congress to threaten to take away current funding going to a State for the existing scope of Medicaid as a penalty if the State did not agree to expand its current Medicaid program.  Most of the other Justices agreed that this funding could not be withheld as a penalty for non-expansion, for a variety of reasons (some because they wanted to invalidate everything in the ACA and some because they  thought that to be an apprpriate restriction of the required expansion in the ACA).

So we end up with approval of the Constitutionality of the ACA because the individual mandate penalty is really a tax (one where an individual can choose to either buy insurance or pay the tax)  and a permissible "required " expansion of medicaid that may have no penalty to a State that chooses not to expand its program.  What happens if the next Congress decides to eliminate the tax penalty if an individual doesn't buy insurance - does the litigation start over?


OIG Allows for Cost Sharing Arrangement between Ambulance Providers and Municipal Dispatch

Recently the OIG issued an advisory opinion in favor of a municipal fire department’s plan to share costs for dispatch-related EMS services with local hospitals’ ambulance providers. OIG explained that this arrangement did not warrant administrative sanctions, although it nonetheless has the potential to generate prohibited remuneration under the Anti-Kickback Statute if the requisite intent to induce referrals was present.

The city’s fire department administers the emergency medical services (“EMS”) component of the 911 dispatch system, including assisting with decisions on critical care for patients and ambulance transport destinations (the “Services”). Historically, the fire department was responsible for all of the costs associated with the Services. However, under the proposed arrangement, the local hospitals would bear a portion of the costs for personnel to administer the dispatch system. Specifically, the fire department would use data from the previous year on the costs for the Services and the number of scheduled tours to each hospital to determine each hospital’s pro rata share of the costs for the coming year.

The proposed arrangement implicates the Anti-Kickback Statute because it requires the hospitals—each potential referral recipients from the dispatch service—to pay a portion of the costs for the dispatch as a condition for providing EMS services in the city, some of which are reimbursable by Medicare and Medicaid. OIG concluded, however, that a number of factors helped to mitigate the risk of fraud and abuse.

First, OIG explained that the sharing of costs was part of a comprehensive scheme by the city to manage EMS services and that the arrangement would ensure that municipalities were flexible enough to organize local EMS systems efficiently and economically. Second, OIG determined that the arrangement would ensure that hospitals paid a proportionate share of the costs and therefore the hospitals would not be overpaying their referral sources.  Third, the amount due from a particular hospital would not be tied, directly or indirectly, to the volume or value of referrals it received because the costs would be pro-rata based on the number of scheduled tours.  Fourth, OIG found that the arrangement did not increase the risk of overutilization of services because it was limited to EMS and would not change the existing dispatch procedures.  Finally, the arrangement would not have an adverse impact on competition because it would permit all hospitals in the area to participate in the dispatch system.

Notably, OIG emphasized that it might have found the arrangement improper if the hospitals were paying the city or fire department anything not directly related to the provision of EMS, such as free or reduced cost equipment.

Let the Audits Begin . . .

Following the mandate set forth in HITECH, OCR has just announced that it's piloting a HIPAA compliance audit program beginning this month in order to assess HIPAA compliance efforts.  During this pilot phase, which is expected to last through December 2012, OCR will audit up to 150 covered entities from "as wide a range of types and sizes of covered entities as possible."  At least for now, Business Associates will not be included in the pilot program.  OCR has engaged KPMG LLP to conduct the audits, and has made public a sample initial notification letter.  

Each audit will include a request for documents and information, a site visit, and a draft audit report.  Covered entities will have the ability to comment on the auditor's report before its finalized.  While OCR states that it primarily will be using the audit reports to help develop technical assistance and evaluate the efficacy of corrective action plans, OCR is retaining the right to initiate a compliance review to evaluate any serious compliance issues uncovered during this process.  At the conclusion of the pilot program, OCR will "broadly share best practices gleaned through the audit process and guidance targeted to observed compliance challenges."  What happens after the pilot program, however, remains to be seen.            

Supreme Court Sides with Pharma on Prescription Data Mining

The U.S. Supreme Court recently struck down a Vermont law restricting data mining of medical prescription information in Sorrell v. IMS Health. Although the Court ruled on this issue in June, it is an important opinion with widespread impact, and as this blog has addressed lower courts’ opinions on this issue in the past, it is notable that this question is now resolved.

The ruling, based on free speech grounds, allows pharmaceutical companies to purchase prescribing data and use that data to tailor marketing efforts to physicians. This data is commonly collected by pharmacies and sold to prescription drug intermediaries (“PDIs”), who then sell the information to prescription drug companies. The data generally contains information regarding the prescribing doctor and the medication itself and does not contain identifiable patient information.

The Vermont law directly prohibited the sale, licensing, or exchange of prescription data, and the state legislature advanced three objectives in passing the law: curtailing overprescription of drugs, controlling healthcare costs, and protecting physician privacy. The majority opinion by Justice Kennedy established that the law contained both a “content- and speaker-based restriction” on speech, which required the Court to apply “heightened judicial scrutiny” to assess its validity. Under this assessment, the Court rejected each of Vermont’s policy justifications and found the law unconstitutional because it was not narrowly tailored to these policies. 

Of note, the Court’s use of “heightened” scrutiny is somewhat ambiguous under free speech precedent. Typically, commercial speech is evaluated under an “intermediate scrutiny” test established in Central Hudson; however, “heightened” scrutiny has also been loosely used as a synonym for “strict scrutiny,” which requires a tighter correlation between the regulated speech and the government’s objectives. 

Critics of the opinion argue that state regulators will have “less latitude to make policy decisions” regarding healthcare data and that courts now have broad discretion to invalidate commercial regulations based on the effects on free speech. However, there may still be hope for existing and future data mining statutes, particularly if the restrictions specifically target important interests, such as patient privacy, and do not single out certain types of buyers and sellers of data. For example, a Maine data mining statute similar to Vermont’s is only triggered when a physician elects to opt-out of submitting prescriber data, thus making the law’s restrictions much narrower.  A number of state statutes are currently pending review in light of the Court’s opinion in Sorrell

To read the Court's opinion, click here.


Be Smart About Using Your Smart Phone in Practice: Understand and Manage the Risks Involved in Using Smart Phones and Tablets in Medical Practice

Thousands of people lose or have their smart phones and other portable devices stolen every day. While most people worry only about the irritation of replacing their phone in such a situation, when a health care professional loses a portable device containing patient information, the irritation of replacing the phone is the least of their worries. With the government handing out million dollar plus penalties for the mistreatment of patient information, now is the time to ensure your practice is best positioned to deal with the inevitable loss of a smart phone.

To view the presentation slides from speakers Erin McAlpin Eiselein, Partner at Davis Graham & Stubbs LLP, and Dr. Marion Jenkins, CEO of QSE Technologies, which were presented last Thursday, July 14th, at a seminar and cover best practices for health care providers who use smart phones and tablets in their medical practice, please click here. Learn how to minimize risk and avoid potential liability under the federal and state privacy and security laws so that the loss of a phone does not turn into the loss of your practice.

Improper Release of PHI Draws Criminal Indictment

A physician in Virginia has been criminally indicted and charged with three counts of violating HIPAA in connection with release of protected health information ("PHI") to a patient's employer.  This criminal charge is unique in that it does not allege that the physician released the PHI for personal gain.  Instead, the charges are based on the fact that improper release was made "under the false pretenses that the disclosure of said information was necessary . . . . "  Specifically, the physician knew that the patient was not a serious and imminent threat to the safety of the public, but used that as a basis upon which to release the PHI to the patient's employer.

This indictment demonstrates that the government will pursue criminal charges if it disagrees with a health care provider's rationale for releasing PHI.  Health care providers should continue to carefully adhere to their HIPAA privacy policies when releasing any PHI, and consult with legal counsel in the event that they are unsure whether a release of PHI is permitted under HIPAA.       

OIG Posts Health Care Compliance Training Videos

OIG recently posted a video of its Healthcare Fraud Prevention and Enforcement Action Team ("HEAT") training in Washington, D.C. on health care compliance and fraud prevention.  The training provides guidance to health care providers, compliance officers, and their legal counsel regarding health care fraud and abuse requirements and the fundamentals of compliance programs, as well as tips on navigating CMS when facing compliance issues and the government's various health care fraud enforcement initiatives.

Vermont Moves One Step to Closer to a Single-Payer System

All eyes turned to Vermont today as Governor Peter Schumlin signed into law a bill creating a board to oversee the planning and development of a state-sponsored insurance plan, Green Mountain Care.  With the stroke of a pen, Vermont  became the first state to move significantly toward a single-payer insurance system.  One hurdle standing in Vermont's way is the need to secure a waiver from PPACA, which won't be available until 2017 under current law.  Although there appears to be support for moving that deadline up to 2014, it remains to be seen how strong that support really is.