Should Health Care Providers Pay Attention to the Seventh Circuit’s New Definition of “Referral”? – Part Two

Tuesday’s post discussed the Seventh Circuit’s holding in United States v. Patel, broadly expanding the definition of “referring” under the Anti-Kickback Statute. Today’s post turns to the question of how other circuits have dealt with the issue.

A studio shot of a doctor with dollar banknotes and handcuffsThe interpretation of the Statute in Patel is somewhat distinct from other courts that have reviewed the issue. In United States v. Miles[1], for example, the Fifth Circuit reversed a conviction where a home health group paid a bonus to a local public relations firm for each Medicare patient that signed up as a result of the PR firm’s efforts. The court seemed to suggest in Miles that a decision on the part of at least one party with the power to do so (the patient, in this instance) was a necessary element of the Statute. Other courts have come to similar conclusions, such as the District Court for the Central District of Illinois in United States ex rel. Perales v. St. Margaret’s Hospital, which noted that a broad reading of the Statute would produce unwanted results:

“[A] physician could find himself criminally liable for the actions of another person where he did nothing more than write up a generic order for services that could have been performed anywhere in the country or simply because a patient took an order for services that the physician prepared and went to [the hospital at issue] completely of the patient’s own accord. This result would be absurd…”[2]

Time will tell whether this interpretation of the Statute’s definition of “referring” will ultimately be repeated in other courts. In the meantime, providers should evaluate any contractual arrangements where a physician is responsible for the certification or authorization of a patient’s care by another provider.

Contact your McBrayer health care attorney today to ensure that your provider arrangements are fully compliant.

Anne-Tyler MorganAnne-Tyler Morgan is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC.  Ms. Morgan concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at atmorgan@mmlk.com or at (859) 231-8780. 

This article is intended as a summary of federal and state law and does not constitute legal advice.

[1] United States v. Alice Miles, Richard Miles and Carrie Hamilton, 360 F.3d 472 (5th Cir. Feb. 13, 2004)

[2] US Ex Rel Perales v. St. Margaret’s Hosp., 243 F. Supp. 2d 843 (C.D. Ill. 2003)

Leave a comment

Should Health Care Providers Pay Attention to the Seventh Circuit’s New Definition of “Referral”? – Part One

The Seventh Circuit Court of Appeals, in the case of United States v. Patel[1], just expanded the definition of “referring” under the federal Anti-Kickback Statute[2] (“Statute”). In light of this case, health care providers should again review any arrangements with their peers and colleagues, as previous arrangements may now be considered illegal under the Statute.

The Statute is a criminal statute that prohibits the exchange (or offer to exchange), of anything of value, in an effort to induce (or reward) the referral of federal health care program business.[3]. In Patel, Dr. Patel did not refer his patients to a specific provider. Rather, his staff presented his patients with the brochures of 10-20 home health care services. After the patient had made a choice, Dr. Patel (through his medical assistant) would then certify that the patient needed the care requested. One of these home health care providers, Grand Home Health Care (“Grand”), paid Patel every time that he certified or recertified a patient who then used Grand’s services. After a governmental investigation, Patel was convicted of six counts of violating the Statute and one count of conspiracy to violate the Statute. On appeal, the task of defining the term “referring” in the Statute fell to the Seventh Circuit.

The word Referral circled in a dictionary showing its definitionThe Seventh Circuit adopted a broad reading of the term, choosing to apply it to both the common reading of “referring” as well as to a doctor’s authorization of care by a particular provider. What mattered to the court was that Patel was ultimately the gatekeeper who provided certification and approval for a patient to receive treatment, even if the patient had selected the particular provider him- or herself. According to the court, “it does not matter who first identifies the care provider; what matters is whether the doctor facilitates or authorizes that choice.”[4]

Thursday’s post will evaluate how other circuits have viewed the same question.

Anne-Tyler MorganAnne-Tyler Morgan is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC.  Ms. Morgan concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at atmorgan@mmlk.com or at (859) 231-8780. 

This article is intended as a summary of federal and state law and does not constitute legal advice.

[1] United States v. Kamal Patel, No. 14-cv-2607 (7th Cir. Feb. 10, 2015)

[2] See 42 USC § 1320a-7b

[3] Id.

[4] Patel, at 13.

Leave a comment

Lessons Learned from Recent Data Security Breaches, Part Two

In Tuesday’s post, I discussed how the recent data breaches at Anthem, Inc. and Target occurred. Today’s post will turn to the implications of these breaches under HIPAA/HITECH rules and what health providers can learn from them.

Computer hacker stealing data from a laptop concept for networkBecause controlling access is essential to protecting privacy of PHI under HIPAA, the HITECH Security Rule essentially requires that a covered entity control physical and electronic access to the data system by implementing policies and procedures for ensuring that only authorized persons access the data system.[1] A covered entity also needs to be able to track the users accessing the system in order to identify potential security breaches, including stolen access information.

The Anthem and Target data security breaches indicate substantial challenges for all covered entities under the Security Rule. The Anthem and Target breaches reveal the security threats coming from unauthorized users targeting authorized users, especially employees, and the schemes, such as phishing campaigns or browser exploits, to obtain employees’ access information or virtual keys to the system. Once a hacker has stolen the keys to the system from an employee, he/she can be inside the system before being noticed. In addition, the Target breach underlines the importance of monitoring and restricting a third party vendor and its employees’ access to a covered entity’s data system.

Because the Anthem breach was targeted at stealing employees’ access information, covered entities need to review and improve their compliance policies and procedures regarding the prevention, detection and reporting of the theft of employees’ access keys (usernames, passwords). Moreover, covered entities also need to consider whether their employees need more intensive training on how to quickly detect and avoid hackers’ schemes and tools. Covered entities could also test their employees’ ability to recognize and delete a phishing email by sending fake phishing emails.

These security breaches illustrate the need to (a) carefully control access to systems with ePHI, (b) create meticulous and restrictive policies on access to these systems, and (c) rigorously train all applicable employees on compliance with these policies.

In my next post, I will discuss the actions that must be taken after a security breach to comply with legal requirements and mitigate the damages from the security breach.

For more information on compliance with the HIPAA Security Rule or to learn how your organization can conduct a security risk analysis to evaluate potential compliance problems, don’t hesitate to contact the attorneys of McBrayer.

Emily HordEmily M. Hord is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC.  Ms. Hord concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at ehord@mmlk.com or at (859) 231-8780. 

This article is intended as a summary of federal and state law and does not constitute legal advice

[1] 45 CFR §164.312(a)(1)

Leave a comment

Lessons Learned from Recent Data Security Breaches, Part One

The recent series of security breaches at Target, Sony, Home Depot, and Anthem Inc. serve as stark reminders that all organizations, even the ones with most secure networks, face significant cybersecurity threats and challenges that could cause substantial financial costs and reputational damage. The Anthem security breach, in particular, should sound alarms about the need to improve the security of protected health information (“PHI”) for every covered entity. This week’s posts will discuss what health care providers can learn about preventing data breaches based on the breaches at Anthem and Target.

On February 4, 2015, the second largest healthcare insurance company in the U.S., Anthem Inc., reported a data security breach affecting 78.8 million customers. In January, hackers sent phishing emails to employees that allowed the hackers to steal at least five employees’ network credentials, usernames, and passwords. These hackers even obtained the information belonging to the system administrator account. The system administrator did not notice the breach until someone used his access codes and information and was inside the system. Although the final report on the Anthem data breach has not yet been issued, the fact that the hackers obtained five sets of access keys or credentials (log in and passwords) from authorized users indicates how dangerous an innocent mistake, such as opening a phishing email, can be to an entire data system.JACKSONVILLE, FL-FEBRUARY 18, 2014: A Target store  in Jacksonvi

During the 2013 holiday shopping season, Target suffered a substantial security breach of its credit and debit card system that impacted 70 million customers. In Target’s case, the hackers obtained access to customer information through hacking Fazio Mechanical, a refrigeration contractor of Target. Similar to the Anthem hacking scheme, an employee of Fazio Mechanical opened a malicious phishing email that installed a piece of malware, which recorded login credentials and gave the hackers access to a portal into Target’s internal systems. The hackers used the portal access to gain control of Target’s servers. Thus, the hackers gained access to Target’s system by hacking into the system of an outside contractor and using that contractor’s access information to get into Target’s system. The Target breach indicates that covered entities must closely monitor the security breaches of their contractors, because those outside security breaches can give hackers an indirect access point into the covered entity’s system.

Both the Anthem and Target security breaches were caused by simple human mistakes – opening the wrong email attachment, visiting the wrong web page, and/or opening a malicious email. Despite Anthem’s security protocols and safeguards, its employees failed to recognize suspicious phishing emails and unwittingly gave hackers their access information. In Target’s case, the contractor’s employees failed to recognize suspicious phishing emails and unwittingly gave hackers their access information and that information was used to gain access into Target’s system. These simple human mistakes led to the dissemination of confidential data for millions of insured members and customers.

Tune in Thursday, as the next post will discuss will discuss these data breaches in the context of the HIPAA/HITECH rules.

Emily HordEmily M. Hord is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC.  Ms. Hord concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at ehord@mmlk.com or at (859) 231-8780. 

This article is intended as a summary of federal and state law and does not constitute legal advice.

Leave a comment

CMS Rule on Medicare Overpayments? Don’t Hold Your Breath

Since the Center for Medicare & Medicaid Services proposed a rule three years ago suggesting that providers could be liable for returning Medicare overpayments going back ten years, providers have been anxiously awaiting a final ruling. Unfortunately, providers’ anticipation for a final ruling will have to continue. On February 16th, CMS announced that it would delay the final rule on reporting and returning overpayment…by another full year!

At issue is part of the Patient Protection and Affordable Care Act (“ACA”), added to Section 1128J(d)(2) of the Social Security Act :

“(2) Deadline for reporting and returning overpayments.—An overpayment must be reported and returned under paragraph (1) by the later of—

(A) the date which is 60 days after the date on which the overpayment was identified; or

(B) the date any corresponding cost report is due, if applicable.”

The proposed rule defined the identification of an overpayment very broadly, but it also included a provision allowing for a ten-year look-back timeframe, something decried throughout the health care industry as untenable. This proposed rule would impose a heavier burden on providers, and was not explicitly enacted as part of the ACA.

Bill from the doctor concepts of rising medical costMaking the situation even more uncertain, the federal False Claims Act (“FCA”) would apply to any overpayments “retained” by the provider after the reporting and returning deadline, making them a false claims “obligation.” The penalties for violation of the FCA apply to anyone who knowingly conceals or avoids an obligation to pay money back to the government.

However, as stated above, providers will have to wait another full year to see if CMS will stick by the decision to hold providers responsible for ten years of potential overpayments. In the meantime, providers should review claims and be prepared in the event this rule is finalized.

If you have any questions regarding post review of claims, please contact the attorneys at McBrayer today to help with compliance and audit preparation.

Gina M. Riddell, MPA, is a Research and Compliance Analyst of McBrayer, McGinnis, Leslie & Kirkland, PLLC. Ms. Riddell concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at griddell@mmlk.com  or at (859) 231-8780.

This article is intended as a summary of federal and state law and does not constitute legal advice.

Leave a comment

Kentucky’s Evolving Behavioral Health Providers

Psychology TherapyOne of the most important effects of the Patient Protection and Affordable Care Act (“ACA”) is the profound change in the coverage of behavioral health services. Building on the Mental Health Parity and Addiction Equity Act of 2008, the ACA requires both Medicaid and Medicare to provide far more robust behavioral health benefits, especially in the area of substance abuse. This expansion of benefits is not without growing pains – health care providers are waking up to the new reality of a vastly expanded need for substance abuse and other mental health services as well as providers. As state Medicaid programs struggle to finance these new benefits, the need for behavioral health care providers and clinicians has become acute. This is especially true in Kentucky, where access to substance abuse care is crucial due to the epidemic of prescription drug and heroin addictions. Fortunately, however, the Cabinet for Health and Family Services has taken proactive steps to strengthen and expand behavioral health infrastructure to meet the ACA’s directives.

Prior to the ACA, Kentucky’s Medicaid program reimbursed behavioral health services through community health programs such as Bluegrass Comprehensive Care Services. Many behavioral therapists did not have the ability to bill Medicaid for their services and had to bill through another provider if their services were even covered at all. Now, however, the Commonwealth has recently finalized regulations that create a new class of providers that can receive payment from Medicare or Medicaid for the provision of behavioral health and substance abuse services. One of the most important new provider types, licensed under 902 KAR 20:430, is the Behavioral Health Services Organization (“BHSO”), which is authorized to provide a comprehensive array of varied services that may include physician, therapy, residential and other services. This new licensure category for BHSOs has created an opportunity for health care providers to provide a broad array of mental health and substance abuse services in a non-hospital outpatient setting that may be reimbursed by Medicaid and Medicare for the first time. In addition, Kentucky’s Medicaid program now recognizes a group practice of licensed therapists as providers, enabling these groups to receive reimbursement for covered therapy services as well.

One of the more direct benefits of becoming a BHSO is that it may provide physician services for medically directed substance abuse treatments that include prescribing medications for opioid addiction as part of the continuum of care for individuals with substance abuse disorders. Prior to the ACA’s mandate, Kentucky’s Medicaid program would not reimburse a physician treating a patient with substance abuse disorders for the physician services necessary to treat a patient. Physicians may now also treat these patients in their practices and bill Medicaid for their services. Unfortunately, Medicaid and its MCOs have not reimbursed these services at a level that motivates physicians to provide these important services to patients with substance abuse disorders. The inadequacy of payment creates barriers to accessing treatment as physicians have no incentive to treat these often difficult patients. When federal limitations on the numbers of patients that can be treated by physicians with medications like suboxone is coupled with low reimbursement for physicians for their services, access to care for Medicaid patients is still limited – often preventing patients from obtaining the very treatment that will allow them to function. Now, medically directed treatment is a covered Medicaid service that BHSOs and physicians may provide, which should increase access for eligible patients who previously had to pay cash to get this important treatment.

In an effort to further develop and expand the infrastructure of behavioral health providers, Kentucky’s new regulations allow behavioral health providers to form provider groups that may participate in the Medicaid program. Unlike a BHSO, a Behavioral Health Multi-Specialty Group (“MSG”), does not require licensure by the Office of Inspector General to participate in the Medicaid program. In a certain respect, this provider group is similar to a multi-disciplinary physician group by allowing different types of therapy providers to form groups. To qualify, the MSG must be an entity like a professional services corporation or a limited liability company and requires that at least one of the providers be previously enrolled in Medicaid prior to the enrollment of the group. Other new group provider types include the Applied Behavior Analyst therapists, art therapy providers, marriage and family counselors and licensed clinical social workers and psychologists.

Kentucky’s Cabinet for Health and Family Services has cleared the way for Medicaid to provide a host of new covered mental health and substance abuse treatments that will address crucial needs in the Commonwealth. The health care industry is at the start of massive changes in how behavioral health is provided and in what settings. These new providers are Kentucky’s attempt to bolster existing infrastructure in behavioral health, particularly in the area of substance abuse treatment. While a step in the right direction, these organizations are far from a perfect solution. To make these important services available, Medicaid must pay for them at a level that motivates providers to provide them. What this calls for is not just increased reimbursement, but also a process that integrates the identification of behavioral health problems with primary care. Identification of behavioral health problems must be integrated into primary care through behavioral health screenings and the development of appropriate screening tools. Behavioral health screenings should be performed by primary care physicians with training so that important and appropriate referrals can be made.

Lisa HinkleLisa English Hinkle is a Member of McBrayer, McGinnis, Leslie & Kirkland, PLLC.  Ms. Hinkle concentrates her practice area in health care law and is located in the firm’s Lexington office.  She can be reached at lhinkle@mmlk.com or at (859) 231-8780. 

This article is intended as a summary of federal and state law and does not constitute legal advice.

Leave a comment

The Unhappy Intersection of Hospital Mergers and Antitrust Laws

The rapidly-evolving field of health care has been moving lately towards a single-minded goal – coordination of patient care in the name of efficiency and efficacy. Hospital systems are more and more often merging with other medical practices to better achieve the standards and goals of the Patient Protection and Affordable Care Act (“ACA”). The Ninth Circuit Court of Appeals, however, recently provided a stark reminder that the ACA isn’t the only law hospitals need to consider compliance with in these mergers.Modern Hospital

Saltzer Medical Group in Nampa, Idaho, had been seeking to make a change from fee-for-service to risk-based reimbursement and approached St. Luke’s Health System in Boise in 2012about a formal partnership. They entered into a five-year professional service agreement that contained language about wanting to move away from fee-for-service reimbursement but without any clear language on making that change. Saltzer received a $9 million payment on the deal. Other hospital systems in the area, the FTC, and the Idaho Attorney General all filed suit to enjoin the merger.

The Ninth Circuit affirmed the district court’s holding that St. Luke’s violated state and federal antitrust laws when acquiring Saltzer. St. Luke’s argued that acquisition of the other provider would improve patient outcomes and care in the community of Nampa, Idaho, where Saltzer operates, but both courts agreed that the anticompetitive concerns surrounding the merger outweighed the benefits to quality care.

This case and other similar cases brought by the FTC provide a bleak outlook for health care providers looking to merge with other entities to provide care and efficiency under the aims of the ACA. While the court ultimately found that St. Luke’s aims were beneficial and not anticompetitive in and of themselves, antitrust laws only truly take the effect on competition into account, and courts are not ready to place quality of care under the ACA on equal footing.

Antitrust laws and the ACA provide a rocky path for health care practitioners to follow, but you can trust the attorneys of McBrayer to guide you.

Molly LewisMolly Nicol Lewis is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC.  Ms. Lewis concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at mlewis@mmlk.com or at (859) 231-8780. 

This article is intended as a summary of federal and state law and does not constitute legal advice.

Leave a comment

Follow

Get every new post delivered to your Inbox.

Join 25 other followers