Update: CMS Issues Revised Guidance on Hospice & Part D Prior Authorization Process

A few weeks ago, we discussed CMS’ newly-issued guidance establishing a prior authorization process for Hospice and Part D providers (read more here). As our previous blog post emphasized, soon after its March 10 implementation, advocacy groups, Hospice associations, and Members of Congress began urging CMS to suspend the process. According to opponents, the prior authorization requirement creates a barrier for beneficiaries to access necessary medications and leaves them to navigate complicated payor disputes in the midst of their terminal illnesses.

On July 18, 2014, CMS responded to this industry outcry with revised guidance (“RG”). The RG supersedes portions of CMS’ March 10 guidance to address operational and beneficiary access concerns raised by industry advocates. “Our goal for the policy we set forth in March was to ensure that the hospice and Part D programs correctly pay for prescription drugs covered under each respective Medicare benefit while ensuring timely access to needed prescription medications,” the RG states. “[W]e recognize that the operational challenges associated with prior authorizing all drugs for beneficiaries who have elected hospice to determine whether the drug is coverable under Part D have created difficulties for Part D sponsors and hospice providers, and in some cases, barriers to access for beneficiaries.”

The RG instructs Part D sponsors to require prior authorization for only four categories of drugs: analgesics, antinauseants, laxatives, and antianxiety drugs. According to CMS, medications in these four drug classes are generally related to the patient’s principal terminal diagnosis and will be paid by Hospice in most instances. In addition, the RG encourages the use of a standardized form to replace the list of prior authorization data elements previously identified by CMS. Find a copy of the form here.

While CMS indicates that these changes are effective immediately and strongly encourages plans to implement the RG as soon as possible, plans must implement the guidance by Oct. 1, 2014. If you are a Hospice provider and have questions about the RG or Medicare Part D, contact a McBrayer health care attorney today.

Anne-Tyler Morgan

Anne-Tyler Morgan is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC.  Ms. Morgan concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at atmorgan@mmlk.com or at (859) 231-8780. 

This article is intended as a summary of federal and state law and does not constitute legal advice.


Labs & Referring Physicians Take Note of OIG’s Special Fraud Alert

Recently, the U.S. Department of Health & Human Services, Office of Inspector General (“OIG”) issued a Special Fraud Alert (“Alert”) entitled, “Laboratory Payments to Referring Physicians.” The Alert focuses on (1) Specimen Processing Arrangements and, (2) Registry Arrangements. These arrangements, according to the OIG, pose substantial risks for fraud and abuse under the federal Anti-Kickback Statute.

One purpose of the Anti-Kickback Statute is to protect patients from inappropriate medical referrals or recommendations by health care professionals who may be unduly influenced by financial incentives. When remuneration is paid purposefully to induce or reward referrals of items or services payable by a federal health care program, the statute is violated. Arrangements between referring physicians and laboratories have long been subject to scrutiny by the OIG for their potential to violate the Anti-Kickback Statute. [1]

Specimen Processing Arrangements typically involve payments from labs to physicians for certain specified duties, such as collecting, processing and packaging blood specimens. Generally, payments are made on a per-specimen or per-patient-encounter basis. When a lab pays a physician for services, the potential for Anti-Kickback Statute violations is always present and there are several characteristics that may evidence such an unlawful transaction, including:

  • Payment exceeds fair market value for services actually rendered by the party receiving payment;
  • Payment for services for which payment is also made by a third party, such as Medicare;
  • Payment is made directly to the ordering physician rather than to the ordering physician’s practice group, which may bear the cost of collecting and processing the specimen;
  • Payment is made on a per-specimen basis for more than one specimen collected during a single patient encounter or another basis that takes into account the volume or value of referrals;
  • Payment is offered on the condition that the physician order either a specified volume or type of tests or test panel, especially if the panel includes duplicative or unnecessary tests.
  • Payment is made to the physician or physician’s practice group, despite the specimen processing being performed by a phlebotomist placed in the physician’s office or lab by a third party.

Registry Arrangements, the other suspect arrangement highlighted in the Alert, involve arrangements under which laboratories establish, coordinate, or maintain databases on patients who have undergone, or who may undergo, certain tests. Labs that participate in Registry Arrangements often assert that the databases are intended to advance clinical research or to provide physicians with valuable knowledge, but the OIG is concerned that the arrangements “may induce physicians to order medically unnecessary or duplicate tests performed for the purpose of obtaining comparative data, and to order those tests from laboratories that offer Registry Arrangements in lieu of other, potentially clinically superior, laboratories.” Unlawful arrangements may be evidenced by the following:

  • The laboratory requires, encourages, or recommends that physicians who enter into Registry Arrangements perform the tests with a stated frequency (e.g., four times per year) to be eligible to receive, or to not receive a reduction in, compensation.
  • The laboratory collects comparative data for the Registry from, and bills for, multiple tests that may be duplicative or that otherwise are not reasonable and necessary.
  • Compensation paid to physicians pursuant to Registry Arrangements is on a per-patient or other basis that takes into account the value or volume of referrals.
  • Compensation paid to physicians pursuant to Registry Arrangements is not fair market value for the physicians’ efforts in collecting and reporting patient data.
  • Compensation paid to physicians pursuant to Registry Arrangements is not supported by documentation, submitted by the physicians in a timely manner, memorializing the physicians’ efforts.
  • The laboratory offers Registry Arrangements only for tests (or disease states associated with tests) for which it has obtained patents or that it exclusively performs.
  • When a test is performed by multiple laboratories, the laboratory collects data only from the tests it performs.
  • The tests associated with the Registry Arrangement are presented on the offering laboratory’s requisition in a manner that makes it more difficult for the ordering physician to make an independent medical necessity decision with regard to each test for which the laboratory will bill (e.g., disease-related panels).

The Alert does point out that the Anti-Kickback Statute does not prevent payment for legitimate research activities. However, a registry’s mere claim that it is intended to promote and support clinical research and treatment is not sufficient to disprove unlawful intent.

Both Specimen Processing and Registry Arrangements should be carefully and thoroughly drafted to avoid any hint of unlawfulness. The Anti-Kickback Statute ascribes criminal liability to both sides of an impermissible arrangement, meaning that both laboratories and physicians should take time to review their agreements to ensure payments are commercially reasonable and based on fair market value.

 

[1] See Special Fraud Alert: Arrangements for the Provision of Clinical Laboratory Services (Oct. 1994).

Chris Shaughnessy

Christopher J. Shaughnessy is an attorney at McBrayer, McGinnis, Leslie & Kirkland, PLLC.  Mr. Shaughnessy concentrates his practice area in health care law and is located in the firm’s Lexington office.  He can be reached at cshaughnessy@mmlk.com or at (859) 231-8780. 

This article is intended as a summary of federal and state law activities and does not constitute legal advice.


New Law Affecting APRNs Takes Effect Today

Today, Senate Bill 7, signed by Governor Beshear on February 26, 2014, becomes effective. The new law allows for an Advanced Practice Registered Nurse (“APRN”) to request to discontinue a Collaborative Agreement for Prescribing Authority for Non-Scheduled drugs (“CAPA-NS”) after having a CAPA-NS in place for four years. Specifically, the new law states:

After four (4) years of prescribing with a CAPA-NS in collaboration with a physician:

1. An advanced practice registered nurse whose license is in good standing at that time with the Kentucky Board of Nursing and who will be prescribing nonscheduled legend drugs without a CAPA-NS shall notify that board that the four (4) year requirement has been met and that he or she will be prescribing nonscheduled legend drugs without a CAPA-NS;

2. The advanced practice registered nurse will no longer be required to maintain a CAPA-NS and shall not be compelled to maintain a CAPA-NS as a condition to prescribe after the four (4) years have expired, but an advanced practice registered nurse may choose to maintain a CAPA-NS indefinitely after the four (4) years have expired; and

3. If the advanced practice registered nurse’s license is not in good standing, the CAPA-NS requirement shall not be removed until the license is restored to good standing.

APRNs will still need a written agreement to prescribe controlled substances, but Kentuckians will now have improved access to medications such as antibiotics, cholesterol, and diabetes medicines. Further, pursuant to the new law, APRNs who have been prescribing routine medications in another state for at least four years, either independently or pursuant to a collaborative agreement, will also be eligible for independent prescribing in Kentucky. The law also creates a Collaborative Prescribing Agreement Joint Advisory Committee that will oversee a program to allow for improved collaboration between APRNs and practicing physicians.

Senate Bill 7 was the first bill to pass the General Assembly. Advocates say it is necessary, given the influx of patients that the Affordable Care Act and the expansion of Medicaid are bringing into the health care system, coupled with the shortage of primary care providers in the state’s rural areas.

APRNs will be notified via email (if an email address was provided), US mail, the KBN Connection and by notices on the KBN website when the request implementation process will begin. If you are an APRN and have questions about your licensing authority, contact a McBrayer health care attorney today.

Molly Lewis

Molly Nicol Lewis is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC.  Ms. Lewis concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at mlewis@mmlk.com or at (859) 231-8780. 

This article is intended as a summary of federal and state law and does not constitute legal advice.

 


New Part D Regulations Face Increased Scrutiny from Advocacy Groups & Congress

On March 10, 2014, the Centers for Medicare & Medicaid Services (“CMS”) issued a memorandum to Part D Plan Sponsors and Medicare Hospice Providers entitled, “Part D Payment for Drugs for Beneficiaries Enrolled in Hospice – Final 2014 Guidance” (“Guidance”). The Guidance, effective since May 1, 2014, requires a prior authorization process for Hospice and Part D providers to determine their respective responsibility for drug coverage. The Guidance followed a 2012 OIG report entitled “Medicare Could Be Paying Twice for Prescription Drugs for Beneficiaries in Hospice,” which found that Medicare Hospice patients’ medications were sometimes paid for by Part D rather than by the patient’s Hospice program.

Now, when a Hospice patient or family caregiver attempts to fill a prescription at a pharmacy, the pharmacy must contact the prescriber to determine whether the medication is related to the patient’s terminal illness. If not, or if the cause of the patient’s need for the medication is unclear, the pharmacy cannot fill the prescription. Instead, the pharmacy must notify the patient of his or her appeal rights, thus placing the burden on the beneficiary to request a formal coverage determination from their Part D plan to access their prescribed medication. Hospices, too, feel the burden, as they are often left to help terminally ill patients and their families understand why certain prescriptions can no longer be filled during such a dire period in their lives.

Nearly 50 advocacy groups and Hospice associations have brought attention to this issue in recent weeks, urging CMS to suspend its current Part D payment policy. Over 200 members of the United States Senate and House of Representatives co-signed letters to CMS Administrator Marilyn Tavenner requesting the same and asking CMS to bring together all relevant stakeholders to develop a better policy. On June 25, the Medicare Payment Advisory Commission (MedPAC) also suggested that the current policy be suspended until a streamlined process without impact to the Medicare beneficiary can be implemented. While CMS has met with industry officials to discuss alternatives, the Guidance remains in effect for now. We will update you on any changes or suspension in the weeks ahead. If you have any questions, please do not hesitate to contact your McBrayer health care attorney.

Anne-Tyler Morgan

Anne-Tyler Morgan is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC.  Ms. Morgan concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at atmorgan@mmlk.com or at (859) 231-8780. 

This article is intended as a summary of federal and state law and does not constitute legal advice.


Have You Reviewed Your Existing Business Associate Agreements?

Pursuant to the HIPAA Final Omnibus Rule (“Final Rule”), covered entities and their business associates were required to enter into new business associate agreements (“BAAs”) or modify existing BAAs by Sept. 23, 2013. However, existing BAAs that (i) were entered into on or before Jan. 25, 2013; (ii) met the requirements that were applicable prior to the promulgation of the Final Rule; and (iii) were not modified after March 26, 2013, have until Sept. 23, 2014 to be updated. That deadline is quickly approaching.

Revising and modifying existing BAAs can be a challenge, especially in light of the onerous requirements ushered in by the Final Rule, but covered entities and business associates must take the time to renegotiate terms governing their agreements. It is important to remember that a contract to do business is not the same as a BAA – they are separate. As with any contract, the BAA should reflect both parties’ specific needs and protect their interests. Relying on standardized forms is never recommended. The boilerplate language in these generally lacks the detail and specificity that most parties find necessary.

If a current BAA is based on a standardized form (such as the one accessible on the Office for Civil Rights’ website), now is the perfect time to think critically about the document’s provisions and make changes. There are several tailored terms that can be drafted into a BAA to further specify parties’ rights and responsibilities beyond what is required by the Final Rule. For example, many covered entities prefer to include notification procedures in the event of a breach. The HITECH Act requires business associates to notify covered entities of a breach of personal health information within 60 days of discovery. However, covered entities may want to allow for a much shorter notification period, such as 14 days, to protect relationships with patients and to allow for quicker remedial action. BAAs may also include provisions that may mitigate the costs of addressing a breach as well as indemnify against civil monetary penalties issued by the Office for Civil Rights. At minimum, the document should always address the specific purpose of the agreement and the authorized use of the PHI.

The terms of any BAA will be highly dependent on the nature of the PHI involved, the accessibility to it, and the amount of it. These factors must be thoroughly contemplated by the parties in advance of the September 23rd deadline. If you would like assistance in negotiating or amending existing BAA agreements, contact a McBrayer health care attorney today.

Molly Lewis

Molly Nicol Lewis is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC.  Ms. Lewis concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at mlewis@mmlk.com or at (859) 231-8780. 

This article is intended as a summary of federal and state law and does not constitute legal advice.


OCR Offers “Lessons Learned” Regarding HIPAA Compliance, Part II

On Tuesday, some of the details of OCR’s recently released Breach and Compliance Reports were discussed. In addition to detailing facts and figures from cases involving breaches in 2011 and 2012, the Breach Report includes an important “Lessons Learned” section that all covered entities and their business associates should review. Based upon reported breaches, the OCR has outlined some specific areas of concern, which include the following:

Risk Analysis and Risk Management

Covered entities should ensure that their security risk analysis is thorough and pay special attention to ePHI on hard drives, digital copies, USB drives, and mobile phones, etc.

Security Evaluation

Covered entities should conduct a security evaluation whenever there are operational changes, such as facility or office moves or renovations, that could affect the security of PHI.

Security and Control of Portable Electronic Devices

Covered entities should ensure that any PHI that is stored and transported on portable electronic devices is properly safeguarded, including encryption when appropriate.

Proper Disposal

For electronic devices and equipment that store PHI, covered entities should ensure that the device or equipment is purged or wiped thoroughly before recycling or discarding the device or equipment.

Physical Access Controls

Covered entities should ensure that physical safeguards are in place to limit access to facilities and workstations that maintain PHI.

Training

Covered entities should ensure that employees are trained and are aware of the sanctions and other consequences for failure to follow the organization’s policies and procedures.

In the Compliance Report, OCR outlines its plan for future improved enforcement. OCR expressly stated that it will “work smarter” to cope with the increasing volume of complaints and will pay special attention to “high impact cases.” Compliance Report p. 23. In 2011 and 2012, OCR doubled the number of cases ending in Resolution Agreements, settlement, and corrective action plans and OCR promises to “continue this uncompromising enforcement posture in the future.”

If you are a covered entity or business associate and would like to know more about how to prevent a breach, contact the McBrayer health care attorneys today. Do not become a statistic! We can help you put OCR’s “Lessons Learned” into practice today!

Emily Hord

Emily M. Hord is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC.  Ms. Hord concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at ehord@mmlk.com or at (859) 231-8780. 

This article is intended as a summary of newly enacted federal and state law and does not constitute legal advice.


OCR Offers “Lessons Learned” Regarding HIPAA Compliance

Two recent reports issued by the HHS Office for Civil Rights (“OCR”), pursuant to the HITECH Act, reveal some interesting information about HIPAA data breaches. The Annual Report to Congress on Breaches of Unsecured Protection Information (“Breach Report”) and the Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance (“Compliance Report”) should remind covered entities and their business associates about the many risks associated with HIPAA and the importance of compliance.

The Breach Report describes the types and numbers of reported breaches for a two-year period (2011 and 2012) and provides some cumulative data on breaches reported after the breach notification requirements went into effect. During this two-year period, the OCR received reports of 458 big HIPAA breaches affecting 500 or more individuals and a staggering 46,899 small HIPAA breaches affecting fewer than 500 individuals. OCR investigated all of the 458 large HIPAA breaches and investigated a number of the smaller HIPAA breaches.

Interestingly, OCR imposed its first Resolution Agreement for a small breach, which affected 441 individuals, after the theft of an employee laptop at Hospice of North Idaho in December 2012. For the larger breaches, OCR has entered into Resolution Agreements with seven (7) of the covered entities. The Breach Report revealed that:

  • Under these agreements, the covered entities have agreed to pay more than $8 million;
  • Nearly two (2) million individuals were affected by these breaches;
  • Four (4) of these cases involved the theft of laptops or other electronic devices containing unsecured ePHI and the number one cause of security breaches in both years was theft; and,
  • In addition to the settlements, OCR has entered into corrective action plans (“CAPs”) that require specific corrective actions on the part of the covered entities.

Breach Report, p. 20

As the Breach Report points out, CAPs can require a variety of corrective actions, including:

  • Revising policies and procedures;
  • Training or retraining workforce members who handle PHI;
  • Conducting and documenting a risk assessment;
  • Changing passwords;
  • Adopting encryption technologies; or,
  • Performing a new risk assessment, among other things.

Breach Report, p. 20-24.

Because investigations and the subsequent agreements, settlements, and corrective actions can be costly to finances and reputations, the Breach Report concludes with a “Lessons Learned” section meant to help covered entities avoid some of the more common types of breaches. To read about the “Lessons Learned” section, check back on Thursday.

Emily Hord

Emily M. Hord is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC.  Ms. Hord concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at ehord@mmlk.com or at (859) 231-8780. 

This article is intended as a summary of newly enacted federal and state law and does not constitute legal advice.
