Reclassification of Hydrocodone Takes Effect This Week

The U.S. Drug Enforcement Administration (“DEA”) published a Final Rule on August 22, 2014, which elevates hydrocodone-combination products (“HCPs”) to a Schedule II category of drugs under the Controlled Substances Act. That rule becomes effective this week – on October 6, 2014. While some hydrocodone products are already listed as Schedule II, some combination products (such as Vicodin, Norco, and Tussionex) were previously listed on the less-restrictive Schedule III. In determining whether rescheduling was necessary, the DEA considered multiple factors including the potential for abuse, likelihood of dependence, and the threat to public health posed by the drug.

How does the new rule affect prescribers?

According to DEA, HCPs prescriptions issued prior to October 6, 2014 and authorized to be filled or refilled may be dispensed if such dispensing occurs before April 8, 2015. In some cases, pharmacy dispensing software products may not be able to process existing refills starting on October 6, or pharmacies may simply choose not to dispense refills after the effective date.

Pursuant to the Final Rule, HCPs prescriptions written on or after October 6, may not be refilled. No refills are allowed by any practitioner for Schedule II controlled substances and Schedule II prescriptions may only be given for maximum of a 30-day supply. Commentators to the proposed rule worried that rescheduling would result in more trips to the doctor to receive appropriate pain control. In response to these concerns, the DEA noted in the Final Rule that prescribers may issue multiple prescriptions authorizing patients to receive up to a 90-day supply, provided certain regulatory requirements (established in 21 CFR 1306.12) are met.


In addition, in Kentucky, Schedule II controlled substance prescriptions may not be faxed or called in to a pharmacy except as provided for in 902 KAR 55:095. Schedule II controlled substance prescriptions that are electronically prescribed must use a system that has been audited for compliance with the regulations specified in 21 CFR 1311. Further, Schedule II controlled substance prescriptions are valid for 60 days from the date written and controlled substance prescriptions must be signed and dated on the date issued by the prescriber.

Kentucky prescribers should be aware that restrictions on prescribing existing Schedule II pure hydrocodone products remain under current Kentucky statutes and regulations because these products were not rescheduled to Schedule II.

Midlevel providers who operate under collaborative agreements or are limited in their ability to prescribe certain Schedules of medications may be particularly affected by the Final Rule. In Kentucky, KRS 314.011, Section 8 (a) limits APRN prescribing of Schedule II controlled substances to a 72 hour supply with no refills, except certified psychiatric-mental health nurses are permitted to prescribe up to a 30-day supply of a Schedule II psychostimulant with no refills. KRS 314.011, Section 8 (b) limits APRN prescribing of Schedule III controlled substances to a 30-day supply with no refills. Because KRS 314.011, Section 8 (b) was in effect March 19, 2013, all APRNs will continue to be permitted to prescribe a 30-day supply of Schedule II hydrocodone combination products if allowed under their DEA license.

Even if the Final Rule does not specifically affect a prescriber’s abilities, prescribers should be prepared to work with pharmacies in order to minimize dispensing disruptions after the effective date. They should also identify and inform patients who are currently receiving HCPs about the rescheduling and, if necessary, discuss alternative pain management options. And, as prescribers well know, any new regulatory framework also brings with it the expectation of greater scrutiny and oversight in the future from regulatory authorities and law enforcement agencies.

Chris Shaughnessy





Christopher J. Shaughnessy is an attorney at McBrayer, McGinnis, Leslie & Kirkland, PLLC.  Mr. Shaughnessy concentrates his practice area in health care law and is located in the firm’s Lexington office.  He can be reached at or at (859) 231-8780. 

This article is intended as a summary of federal and state law activities and does not constitute legal advice.

Leave a comment

The Finalized Meaningful Use Rule – What Providers Need To Know

The Centers for Medicare and Medicaid Services (“CMS”) finalized a rule (“Final Rule”) on August 29, 2014, giving health care providers a bit more breathing room to comply with the Electronic Health Record (“EHR”) Incentive Program’s (“the Program’s”) meaningful use requirements. The Program began as a way to motivate health care providers to implement EHR systems. Hospitals and health care professionals can qualify through the Program for incentive payments from CMS for the “meaningful use” of certified EHR technology (“CEHRT”). What qualifies as “meaningful use” has been the source of much confusion. The Program is intended to be implemented in three stages, with each stage to be completed within one calendar or fiscal year.

Medical doctors group at the hospital.

Pursuant to the Final Rule, providers that were unable to fully implement the 2014 Edition of CEHRT for the 2014 reporting year can continue to use the 2011 Edition of CEHRT, or a combination of the 2011 Edition and the 2014 Edition, for the applicable 2014 reporting period. This is important because many providers have faced difficulties in obtaining the 2014 Edition of CEHRT due to high demand and delays in certification.


In addition to reporting flexibility in 2014, Stage 2 of the Program has been extended for a full year. Prior to the Final Rule, a provider that first became a ‘meaningful user’ in 2011 or 2012 would begin Stage 3 on October 1, 2015 (if reporting in a fiscal year), or January 1, 2016 (if reporting in a calendar year) Those dates have now been pushed back to October 1, 2016, and January 1, 2017, respectively.

The Final Rule also modifies reporting requirements for clinical quality measures (“CQMs”) based on which edition of CEHRT a provider uses in 2014. All providers are required to select and report on CQMs from relevant data sets adopted in the Stage 2 Final Rule, regardless of the provider’s stage of meaningful use or year of participation.

To learn more about the Final Rule and how it may affect providers, check back on Thursday.

Anne-Tyler Morgan





Anne-Tyler Morgan is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC.  Ms. Morgan concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at or at (859) 231-8780. 

This article is intended as a summary of federal and state law and does not constitute legal advice.


Leave a comment

The Walmart List: Milk, Eggs, and a Doctor Visit?

By January 2015, Walmart will be operating dozen primary care clinics across the U.S. Six of these have already opened in South Carolina and Texas. Currently, some Walmart stores include acute care clinics that are operated through leases with local hospital operators. The new primary care clinics are distinct from the existing ones in several ways. The new clinics will be fully-owned by Walmart, offer a broader range of services, and be open seven days a week with longer operating hours. Walmart is partnering with QuadMed nationally to operate the clinics, rather than with local partners. The primary care clinics will be staffed primarily by nurse practitioners and medical assistants and will be supervised by a physician.

Walmart Store Exterior

Walmart’s move into primary care comes at ideal time, as the Affordable Care Act has expanded coverage to millions of Americans. Many individuals are seeking new, more convenient sources of care. Pricing at the primary care clinics is reported to be $40 per visit – a low cost alternative to a doctor’s office. For Walmart employees and their dependents the cost is even lower – just $4 a visit!


What does this mean for traditional primary care providers? It is just one example of how the health care industry is transforming. As more companies like Walmart, Kroger, and Walgreens push their way into the market, providers must find a way to stay competitive. This may mean weekend accessibility, expanding into telehealth, or simply marketing services in a way that increases a provider’s exposure. Walmart has long been for a one-stop shop for grocery lists – now it is becoming the same for health care. It may be time providers step up their competitive edge.

Molly Lewis






 Molly Nicol Lewis is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC.  Ms. Lewis concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at or at (859) 231-8780. 

This article is intended as a summary of federal and state law and does not constitute legal advice.

Leave a comment

Nursing Homes Agree To Pay $3.8 Million Settlement

Life Care Services, a Des Moines-based company that manages nursing homes across the United States, and ParkVista, a California nursing home company, have agreed to pay a $3.8 million settlement for the alleged overbilling of Medicare. The two companies were, according to Department of Justice officials, involved in an arrangement under which a therapy company provided “unreasonable and unnecessary” rehabilitation services to nursing home residents.

Caduceus Medical Symbol Chrome

The settlement further resolves allegations that Life Care Services and ParkVista failed to prevent other therapy care practices designed to inflate Medicare reimbursement, including:

  • in lieu of using individualized evaluations to determine the level of care most suitable for each patient’s clinical needs, presumptively placing patients in the highest reimbursement level unless it was shown that the patients could not tolerate that amount of therapy;
  • providing the minimum number of minutes of therapy required to bill at the highest reimbursement level while discouraging the provision of therapy in amounts beyond that minimum threshold, despite the Medicare requirement that the amount of care provided be determined by patients’ clinical needs;
  • arbitrarily shifting the number of minutes of planned therapy between therapy disciplines to ensure targeted reimbursement levels were achieved; and
  • reporting estimated or rounded minutes instead of reporting the actual minutes of therapy provided.

Life Care Services released a statement saying it disputed the government’s allegations, but “opted to settle to avoid the cost and uncertainty of protracted litigation.”

The pricey settlement serves as a reminder that when a facility contracts with an outside rehabilitation therapy provider, the facility has a continuing duty to ensure that the provider is not engaged in conduct prohibited by the False Claims Act. Since 2009, there has been a strong initiative by the Department of Justice to investigate and prosecute fraud committed by Skilled Nursing Facilities in the light of a November 2012 report by the Department of Health and Human Services claiming that some of them engaged in improper and fraudulent billing practices, resulting in $1.5 billion in Medicare overpayments in 2009.

If you offer long-term care facilities, skilled nursing facilities, or hospice facilities, it is critical that correct billing practices and procedures and strictly followed. If you have any questions about your current practices, contact a McBrayer health care attorney today.

Molly Lewis





Molly Nicol Lewis is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC.  Ms. Lewis concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at or at (859) 231-8780. 

This article is intended as a summary of federal and state law and does not constitute legal advice.

Leave a comment

Reminder: Update Your “Grandfathered” HIPAA Business Associate Agreements Now!

In January 2013, the Department of Health and Human Services (“HHS”) published its Final Rule, which significantly increased the privacy and security responsibilities for the “business associates” of “covered entities,” as those terms are defined by HIPAA. A provision within the Final Rule mandated that all covered entities and their business associates revise their business associate agreements to reflect the new responsibilities. Specifically, a business associate must now, among other things:

  • Report breaches of unsecured protected health information (“PHI”) to the covered entity;
  • Comply with the HIPAA Security Rule;
  • Execute business associate agreements with subcontractors (who are now considered business associates under the Final Rule).

Business associate agreements that were in compliance with the HIPAA Privacy Rule prior to January 25, 2013 were considered “grandfathered” and permitted to remain in place until September 23, 2014 – if they were not updated prior to the September date. This date, however, is almost expired and now all business associate agreements must be updated to include the additional requirements created by the Final Rule. Business associate agreements that were put into place after January 25, 2013 should already comply with the Final Rule.

It is important to note that the Final Rule also expanded the definition of a BA to cover new entities and persons. Now, a BA includes health information organizations, e-prescribing gateways, data transmission entities that routinely access PHI, and vendors of PHI records, in addition to subcontractors of business associates that create, receive, maintain, or transmit PHI on behalf of the business associate.

Calendar September 2014



If you have any questions regarding updating grandfathered business associate agreements, contact a McBrayer Health Care Law attorney today. The deadline is rapidly approaching – let us help you ensure that you are operating in accordance with the Final Rule provisions.

Emily Hord





Emily M. Hord is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC.  Ms. Hord concentrates her practice in healthcare law and is located in the firm’s Lexington office. She can be reached at or at (859) 231-8780. 

This article is intended as a summary of newly enacted federal and state law and does not constitute legal advice.

Leave a comment

A Recap of Part II of the Webinar, “Medicaid: Getting Paid and Keeping It”

On Wednesday, August 27, the McBrayer Health Care Group co-hosted Part II of a webinar entitled, “Medicaid: Getting Paid and Keeping It.” Co-hosts included Joe Smith from the Kentucky Primary Care Association and Barry Smith from Primary Care Centers of Eastern Kentucky. The series drew a large crowd of participants all wanting to know the same thing: how to navigate the Medicaid reimbursement and audit process. Part II focused on the following topics:

  • Federal Medicaid Audit Authority;
  • Overview of the Medicaid Integrity Contractors;
  • What to do if you are contacted by a MIC auditor;
  • Opportunities to contest a MIC Auditor’s adjustments/denials/identification of overpayment

In addition, panelists from McBrayer discussed the top issues that they encounter in practice, as well as emerging trends and questions. If you missed the webinar series, don’t worry! We have both the slides and the recording available for download. In addition, check out some of the questions that were addressed in the conversation below:

What are some of the ways that a Recovery Audit Contractor (RAC) and Medicaid Integrity Contractor (MIC) differ?

RACs, established in 2012 under the ACA, are paid based on the amount of money in improper payments they identify. MICs, in contrast, are not paid a contingency fee. While MICs conduct postpayment auditing to identify overpayments, RACs are instructed to look for both overpayments and underpayments. In addition, RACs are overseen by the States, while the Centers for Medicare & Medicaid Services operates the MIC program.

My facility was recently audited. The Audit MIC concluded that there was a potential overpayment and prepared a report. Do I get a chance to respond to the report?

The MIC’s draft report will be shared with the State and the provider for comment. It is vital that you, as the provider, respond to the report. The report may be revised based on your input. It is important to note that once the report is final, the State will pursue collection of overpayment, not the Audit MIC.

What is the look-back period for MIC audits?

Audit MICs are now limited to a five year audit look-back period, beginning on the date of issuance of the notification letter to the provider. However, CMS stated that it retains the right to adjust the five year look-back period. There are currently no limits on the number of records that a MIC may request; therefore, if you are subject to an audit, it is important to make sure your staff is prepared to produce a voluminous amount of records in an organized and timely fashion.

What do I need to know about re-enrollment in Medicaid?

The State Medicaid agency must revalidate the enrollment of all providers regardless of provider type at least every 5 years. Based upon this requirement, States must complete the revalidation process of all provider types by March 24, 2016. A failure to re-enroll means that CMS will de-activate payment until a successful re-enrollment process is completed. Be sure to watch the mail for your re-enrollment notice and contact legal counsel should you have any questions about the process.

The McBrayer Health Care Group would like to thank Joe Smith and Barry Martin for co-hosting and we hope that attendees found the webinar insightful! If you are a provider and have questions about Medicaid, do not hesitate to contact us!

heap of dollars with stethoscope

Leave a comment

Health Care Industry Familiar with HIPAA Breaches, Not So Much Hackers

Community Health Systems (“Community”), which operates 206 hospitals in 29 states, recently notified 4.5 million of its patients that online hackers had stolen personal data information from its systems in a period between April and June 2014. The data included names, addresses, birthdates, telephone numbers and Social Security numbers—all of which are protected under HIPAA. According to Community, the data did not include financial or medical information.

Computer Crime Concept


It has been reported that the hackers responsible for the attack are a group of cybercriminals from China that traditionally go after intellectual property, including medical device and equipment development data.  They used malicious software to obtain the data, which has since been removed by Community from the network. Further remedial efforts are already underway, including notifying affected patients and offering them identity theft protection services.

Hospitals should be accustomed to protecting data against privacy breaches as part of their HIPAA obligations, but outright cybertheft is a threat that many providers have not likely considered. The FBI, which is now investigating the Community incident, said in April that health care providers typically do not use the same high levels of security technology as companies in other industries (such as banking or retail). This makes providers an easy target for hackers. If a leading hospital system like Community can be breached, then hospitals of every size are at risk.

It is crucial that HIPAA-covered entities (and their business associates) understand and identify potential threats to their secured information. The importance of HIPAA risk analysis cannot be stressed enough; in fact, a risk analysis is required as the first step in HIPAA Security Rule compliance. While it may be impossible to build an impenetrable fortress of secured online information, it is evident that health care providers must continue to make it a top priority to protect patient records – both from HIPAA breaches and hackers.

Chris Shaughnessy

Christopher J. Shaughnessy is an attorney at McBrayer, McGinnis, Leslie & Kirkland, PLLC.  Mr. Shaughnessy concentrates his practice area in health care law and is located in the firm’s Lexington office.  He can be reached at or at (859) 231-8780. 

This article is intended as a summary of federal and state law activities and does not constitute legal advice.

Leave a comment


Get every new post delivered to your Inbox.